MDM, EMM, and UEM for Apple Devices

Posted on February 20, 2019

Having lived and breathed device management for a long time, it's easy to forget how acronym-laden this space can be. Whether you are new to device management and just getting your bearings, or an IT veteran looking for a sanity check, here is a quick guide to telling the difference between mobile device management (MDM), enterprise mobility management (EMM), and the more recent variant, unified endpoint management (UEM).

What is Mobile Device Management (MDM)?

The general definition of mobile device management is, as noted by Gartner, “software that provides the following functions: software distribution, policy management, inventory management, security management and service management.” These functions are used to improve the security of mobile devices by ensuring that they:

  • Have the right software installed
  • Are accounted for/not missing
  • Are using the right security settings
  • Can be wiped clean of sensitive data in case of an emergency

Mobile device management platforms are crucial for security in modern businesses—especially those that use bring your own device (BYOD) policies that let employees use their personal mobile devices for work tasks.

However, not all MDM solutions are created equal. Some specialize in securing particular device types and operating systems; for example, some solutions are built specifically for Apple device management.

What Are the Most Desirable MDM Features?

Here’s a short list of some of the most desirable things to look for in an MDM tool for your organization’s devices:

  • Centralized dashboard for easy device monitoring
  • Security settings and controls aligned to your device types
  • Codeless security configuration and management
  • Ability to enable tracking features for lost/stolen devices
  • Data encryption capabilities
  • Offline configuration status checks to prevent tampering
  • Ability to apply role-based controls to individual users

What is Enterprise Mobility Management (EMM)?

Enterprise mobility management is a solution (or combination of solutions) that is designed to centralize the management, configuration, and security of devices used in an organization.

EMM is sometimes conflated with mobile device management (MDM) or mobile application management (MAM). However, MDM and MAM are usually components of an EMM solution rather than the whole solution. To explain it another way, MDM and MAM are like the cylinders in a car engine—they’re critical components and the engine (EMM solution) wouldn’t work without them, but they’re not the whole engine.

Enterprise Mobility Management: Four Critical Components

  1. Mobile Device Management (MDM): MDM solutions allow you to control the mobile devices in an enterprise. They let the IT security team remotely lock or wipe devices to keep unauthorized users away from critical data. Many MDMs use an “agent app” installed on the device to set policies and trigger actions; on Apple platforms, however, the MDM client is built into the operating system, the device is enrolled through a profile, and any vendor agent is a supplement for functions the MDM protocol does not cover.

  2. Mobile Application Management (MAM): MAM solutions allow admins to set policies and rules for specific applications on an endpoint device—though the way these solutions are delivered may vary. As noted by TechTarget: “Some apps have specific MAM APIs built in, while others rely on the device-level MAM APIs in most major mobile operating systems.”

  3. Mobile Content Management (MCM): These solutions control which applications on an endpoint device are able to access and transmit specific corporate data. In effect, this creates an allow list of approved apps and keeps everything not on the list from handling sensitive data.

  4. Identity and Access Management (IAM): As the name implies, identity and access management solutions help control who can access an endpoint device and its apps, when and where they can access these resources, and how they access these resources. IAM solutions are critical for ensuring that only the right people can access the information stored on a device or database.

EMM platforms gather all of these mobility management tools into one solution.

How You Can Use Enterprise Mobility Management for Your Business

So, how can you use a mobility management solution for enterprises? You can leverage EMM solutions to:

  1. Increase Security for Mobile Devices in Your Organization. By leveraging MAM, MDM, MCM, and IAM tools in the mobility management platform, you can remotely control apps and data on mobile devices as well as restrict access to sensitive information—increasing the overall security of mobile devices.

  2. Enforce BYOD Policies. Many enterprises allow employees to use their own laptops, tablets, and smartphones for work tasks. However, a device used for both work and personal tasks is inherently less secure than a dedicated one. Employees may pick up malware by visiting untrustworthy websites or opening the wrong link in a personal email account, exposing the company’s data and network. Using an EMM solution to enforce bring-your-own-device (BYOD) rules helps limit that risk. The use of the EMM on an employee’s device does, however, need to be clearly communicated to the employee before enrollment, especially if the MDM portion of the solution may be used to delete data from the device or lock it down.

  3. Track Enterprise Devices. Enterprises invest significant resources in mobile devices, so it is important to keep them as safe from loss as possible. By enforcing settings that enable device location features, enterprises reduce the chance that a lost or stolen device stays lost, and sharing location information with law enforcement can speed recovery. Location is a recovery aid, not a data protection: what actually limits a thief's window is the ability to remotely lock or wipe the device as soon as it is reported missing, combined with encryption of the data at rest behind a strong passcode.

These are just a few examples of how enterprise mobility tools could be used within your organization.

What is Unified Endpoint Management (UEM)?

A unified endpoint management solution is a tool that lets administrators manage and control all kinds of endpoints (desktops, laptops, smartphones, tablets, and so on) from a single platform or service, typically with the goal of keeping those endpoints properly protected for security or compliance reasons.

The specific functions and features of a UEM solution vary from one vendor to the next. Most build on the management protocols and APIs that the operating-system vendors expose (Apple's MDM protocol being the relevant one here), often supplemented by an agent for settings the protocol cannot reach. Whatever the implementation, UEM solutions are designed to save administrators time and make endpoint management more consistent.

How Do UEM Systems Improve Endpoint Management?

Unified endpoint management systems give administrators a single, centralized view for managing endpoints across the business. This is an enormous benefit for organizations that need to save time and effort on managing security for the assets on their network.

Consider, for example, a business with 100 endpoints across computers, smartphones, and tablets. Without central management, checking the security settings of a single device means an admin (or whoever is charged with enforcing security compliance) reviewing that device's settings in person or remotely with a diagnostic tool. Nobody knows whether a given device is properly secured until that check runs, so the inspection has to be scheduled constantly.

Why the frequent checks? Because employees may circumvent security settings for convenience, or may accidentally install software that changes a device's settings. Even at just two minutes per device, 100 devices is more than three hours of work for every round of checks.

A UEM platform dashboard can instead show an at-a-glance status for each device: offline, online and correctly configured, or online and not properly protected. That lets the effort go to the assets that actually need attention.
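The three-way status above is a small piece of logic once the devices report in. The following is an added example, not Kandji's code or any product's real check-in format: it takes constructed check-in records (the record layout, setting names, serials and baseline policy are all invented for illustration), treats a device that has not reported for 24 hours as offline, and fails closed on any setting a device does not prove, so a missing value counts as non-compliant rather than unknown.

```python
"""Classify device check-in records the way a UEM dashboard would: offline,
compliant, or non-compliant, naming the failing settings for each device.
Added example: the record format and the policy are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Baseline every managed Mac must report. Unknown or missing values fail closed:
# a device that cannot prove a setting is treated as non-compliant.
POLICY = {
    "filevault_enabled": True,
    "guest_account_enabled": False,
    "safari_auto_open_safe_downloads": False,
    "firewall_enabled": True,
}
# A device that has not checked in for this long is reported as offline.
OFFLINE_AFTER = timedelta(hours=24)
# Fixed "now" so the sample data below evaluates the same way every run.
REFERENCE_NOW = datetime(2019, 2, 20, 12, 0, tzinfo=timezone.utc)

# Constructed sample check-ins, not real telemetry. Serials are placeholders.
SAMPLE_CHECKINS = [
    {"serial": "MAC-0001", "last_checkin": "2019-02-20T11:40:00+00:00",
     "settings": {"filevault_enabled": True, "guest_account_enabled": False,
                  "safari_auto_open_safe_downloads": False, "firewall_enabled": True}},
    {"serial": "MAC-0002", "last_checkin": "2019-02-20T10:05:00+00:00",
     "settings": {"filevault_enabled": True, "guest_account_enabled": True,
                  "safari_auto_open_safe_downloads": True, "firewall_enabled": True}},
    {"serial": "MAC-0003", "last_checkin": "2019-02-17T08:00:00+00:00",  # silent for 3 days
     "settings": {"filevault_enabled": True, "guest_account_enabled": False,
                  "safari_auto_open_safe_downloads": False, "firewall_enabled": True}},
    {"serial": "MAC-0004", "last_checkin": "2019-02-20T11:55:00+00:00",
     "settings": {"filevault_enabled": True, "guest_account_enabled": False,
                  "safari_auto_open_safe_downloads": False}},  # firewall key never reported
]

def evaluate(record, now=REFERENCE_NOW):
    """Return (status, failing_settings) for one check-in record."""
    last = record.get("last_checkin")
    if last is None or now - datetime.fromisoformat(last) > OFFLINE_AFTER:
        # Stale or absent check-in: nothing the device claims can be trusted as current.
        return "offline", []
    reported = record.get("settings", {})
    # 'is not' rather than '!=' so that 1, "true" or None never pass for a bool.
    failures = [name for name, want in POLICY.items() if reported.get(name) is not want]
    return ("compliant" if not failures else "non-compliant"), failures

def summarize(records, now=REFERENCE_NOW):
    """Dashboard roll-up: counts per status plus the devices that need attention,
    online non-compliant devices first because they can be remediated right now."""
    counts = {"offline": 0, "compliant": 0, "non-compliant": 0}
    attention = []
    for rec in records:
        status, failures = evaluate(rec, now)
        counts[status] += 1
        if status != "compliant":
            attention.append({"serial": rec["serial"], "status": status, "failures": failures})
    attention.sort(key=lambda a: (a["status"] != "non-compliant", a["serial"]))
    return {"counts": counts, "attention": attention}

if __name__ == "__main__":
    report = summarize(SAMPLE_CHECKINS)
    print(report["counts"])
    for item in report["attention"]:
        print(item["serial"], item["status"], ", ".join(item["failures"]))
```

Run against the sample data this reports one compliant device, one offline device and two non-compliant ones, with MAC-0004 flagged purely because it never reported its firewall state. That fail-closed choice is the point: a dashboard that treats "not reported" as "fine" hides exactly the tampered or half-enrolled devices the page is worried about.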

BYOD and Apple Devices

Whether you need an MDM, EMM, or UEM solution, one of the top reasons to use an Apple-aware device management solution is a BYOD policy. Apple devices are extraordinarily popular in the consumer market, so many employees will bring one. If your device management solution isn't built for Apple's operating systems, the protection it provides may not be up to snuff.

Configurations and APIs that work for a Windows- or Linux-based OS may not work for an Apple OS (and vice versa), so the organization's device management needs to address each operating system specifically. Apple also has its own platforms, such as the Apple MDM protocol and Apple Business Manager (which handles automated device enrollment and app licensing), that an MDM solution must integrate with to deliver the full set of MDM functions.

Additionally, Apple devices have a number of convenience features that run in the background and can be turned against the device. The Guest account, for example, is great for a family sharing a Mac, but on a business machine it hands an unauthenticated session to anyone with physical access. Similarly, Safari's “Open ‘safe’ files after downloading” option automatically opens downloads that Safari classifies as safe by file type (pictures, movies, PDFs, text, archives, and disk images) without asking; there is no security database behind the label, and the automatic open removes the one prompt that would otherwise stand between a malicious download and the user. Disabling these features is often a necessity for strong Apple security.

A device management solution that is specific to Apple OS devices is much more likely to have features to enable control over these Apple security concerns than a generic solution that lacks specialization.
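The two settings above are the kind of thing an Apple-aware MDM ships as a ready-made control; underneath, it is a configuration profile. The following is an added example, not Kandji's code or a profile taken from any product: it builds a macOS profile that disables the Guest account and Safari's automatic opening of "safe" downloads. The payload types (`com.apple.MCX`, `com.apple.ManagedClient.preferences`) and setting keys (`DisableGuestAccount`, `AutoOpenSafeDownloads`) are Apple's documented configuration-profile keys; the `com.example.mdm` identifier prefix and the display names are placeholders, and the UUIDs are generated fresh each run.

```python
"""Build a macOS configuration profile that disables the Guest account and
Safari's "Open 'safe' files after downloading" option.
Added example, not Kandji's code. Identifier prefix and names are placeholders."""
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"  # placeholder identifier root, not a real organization

def payload(payload_type, display_name, **settings):
    """Common envelope every payload dictionary inside a profile needs."""
    ident = f"{ORG_PREFIX}.{display_name.lower().replace(' ', '-')}"
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        **settings,
    }

def managed_preference(domain, display_name, **keys):
    """Wrap arbitrary preference-domain keys in a Custom Settings payload.
    'Forced' makes the values managed: the user cannot change them in the UI."""
    return payload(
        "com.apple.ManagedClient.preferences",
        display_name,
        PayloadContent={domain: {"Forced": [{"mcx_preference_settings": keys}]}},
    )

def build_hardening_profile():
    """Top-level profile with the two hardening payloads the text calls for."""
    payloads = [
        # Guest login is a shared-Mac convenience; on a managed fleet it gives
        # anyone with physical access an unauthenticated session.
        payload("com.apple.MCX", "Disable Guest Account", DisableGuestAccount=True),
        # Safari otherwise opens downloads it classifies as "safe" by file type
        # (images, PDFs, archives, disk images) with no prompt at all.
        managed_preference("com.apple.Safari", "Safari Downloads",
                           AutoOpenSafeDownloads=False),
    ]
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{ORG_PREFIX}.macos-hardening",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "macOS hardening baseline",
        "PayloadScope": "System",            # device-wide, not per user
        "PayloadRemovalDisallowed": True,    # users cannot simply remove it
        "PayloadContent": payloads,
    }

def profile_xml(profile):
    """Serialize to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)

def managed_settings(profile_bytes):
    """Read the effective settings back out of profile XML, keyed 'domain:key',
    e.g. for checking what a fleet's profile actually enforces."""
    prof = plistlib.loads(profile_bytes)
    out = {}
    for p in prof["PayloadContent"]:
        if p["PayloadType"] == "com.apple.ManagedClient.preferences":
            for domain, body in p["PayloadContent"].items():
                for forced in body.get("Forced", []):
                    for key, value in forced["mcx_preference_settings"].items():
                        out[f"{domain}:{key}"] = value
        else:
            for key, value in p.items():
                if not key.startswith("Payload"):
                    out[f"{p['PayloadType']}:{key}"] = value
    return out

if __name__ == "__main__":
    xml = profile_xml(build_hardening_profile())
    with open("macos-hardening.mobileconfig", "wb") as fh:
        fh.write(xml)
    print(managed_settings(xml))
```

The resulting `.mobileconfig` can be pushed through the MDM's profile distribution or checked locally with `plutil -lint`. Note that a profile carrying Custom Settings payloads is only enforced when installed by MDM or as a system-scoped profile, which is why an MDM with these controls built in is preferable to hand-rolled files.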

When looking for an Apple device management solution, ask the provider how they control security settings for macOS, iOS, iPadOS, and tvOS devices, and whether their solution can do so at all. If the provider cannot offer ready-made controls for Apple security settings, it may be up to you to write and deploy custom profiles and scripts through the software distribution features. That manual approach is slow, inefficient, and error-prone.

Having a platform that can enable pre-built security settings for Apple devices greatly simplifies management of Apple devices and reduces the chances of errors in deploying security controls.

Ready to save hours of time managing your Apple devices? Request access to Kandji today.
