MDM, EMM, and UEM for Apple Devices

Posted on February 20, 2019

Having lived and breathed device management for a long time, we find it easy to forget how acronym-laden this space can be. Whether you’re a newcomer to device management who is still getting your bearings or an IT veteran looking for a sanity check, in this article we’ll take a look at what differentiates three major forms of device management:

  1. Mobile device management (MDM)
  2. Enterprise mobility management (EMM)
  3. Unified endpoint management (UEM)

What is Mobile Device Management (MDM)?

At its most basic level, a mobile device management (MDM) solution is a central hub from which businesses make all of their devices fit their security and workplace requirements – without having to physically configure each device by hand. This is made possible by a remote management protocol that keeps a constant line of communication open between an MDM and all of the company devices that are registered to it.

This connection gives businesses all sorts of powerful capabilities, and the MDM can exercise them on every registered device simultaneously.

Here are just a few things an MDM can do:

  • Distribute software and apps
  • Enforce basic and advanced security measures
  • Wipe sensitive data on lost devices
  • Deploy custom apps
  • And plenty more

For a more formal definition, we can look to Gartner, which defines mobile device management as “software that provides the following functions: software distribution, policy management, inventory management, security management and service management.”

The “security management” capability they mention is a big part of what makes some MDM solutions so powerful; by ensuring that company devices are always accounted for, only have authorized software installed, and have all the right security settings in place, businesses can rest assured that their devices offer a streamlined user experience and are protected from malicious activity.

This is especially true in the case of workplaces that have a bring-your-own-device (BYOD) policy in play. This popular practice lets employees use their personal mobile devices for work. On one hand, this saves the company money and the employees the stress of figuring out new tech. On the other, it requires finding the right balance between the device oversight that the company needs to keep its data safe and the personal privacy that employees need to feel comfortable using their personal devices at home and in the office. We’ll take a deeper look at BYOD at the end of this guide, but for now, let’s finish up our overview of mobile device management.

So, MDM solutions can give companies a lot of powerful capabilities to streamline their workflow and secure their devices. However, not all MDM solutions are created equally. Some solutions specialize in securing specific types of mobile devices and operating systems, like our MDM at Kandji, which specializes in Apple mobile device management.

Regardless of specializations, there are a few must-have features for any MDM. We’ll take a look at these next.


What are the Most Desirable MDM Features?

Some MDM solutions are more comprehensive than others, so it’s important to know what features are essential while you’re scouting out the right MDM for your business. We’ll list a few of these in this section to give you a good idea of the level of power you should expect from a good MDM.

As a start, you want a lot of device oversight options. This will let you check in on the status of your devices for any issues or security features in need of an update. Next come ease-of-use features – these will save your business time and money, like security options that let you meet compliance standards in one click or powerful data encryption abilities that guard your sensitive information against malicious activity.

Here are some more MDM features that you ought to look out for:

  • Centralized dashboard for easy device monitoring
  • Security settings and controls aligned to your device types
  • Codeless security configuration and management
  • Ability to enable tracking features for lost/stolen devices
  • Data encryption capabilities
  • Offline configuration status checks to prevent tampering
  • Ability to apply role-based controls to individual users


What is Enterprise Mobility Management (EMM)?

Enterprise mobility management is a solution (or combination of solutions) that’s designed to centralize the management, configuration, and security of devices used in an organization. If this sounds a lot like MDM, you’re on the right track. In fact, as we’ll cover in the next section, MDM is a crucial component of any EMM solution – which can be seen as a mash-up between four management strategies.

We’ll list these components below, along with a quick primer on what they do. You can think of the four management strategies as four cylinders in a car engine – they’re critical components and the engine (EMM solution) wouldn’t work without them, but they’re not the whole engine.

  1. Mobile Device Management (MDM): As we mentioned earlier, MDM solutions let you control the mobile devices in your business. These solutions let your IT security team remotely wipe or lock devices to prevent unauthorized users from accessing critical data, push updates and configuration profiles to devices, and plenty more. MDMs often use an “agent app,” which is installed on the device to allow admins to set policies and trigger other actions.
  2. Mobile Application Management (MAM): MAM solutions allow admins to set policies and rules for specific applications on an endpoint device – though the way these solutions are delivered may vary. As noted by TechTarget: “Some apps have specific MAM APIs built-in, while others rely on the device-level MAM APIs in most major mobile operating systems.”
  3. Mobile Content Management (MCM): These solutions control which applications on an endpoint device are able to access and transmit specific corporate datasets. This, essentially, creates a whitelist of approved apps and keeps any apps not on the whitelist from doing anything with sensitive data.
  4. Identity and Access Management (IAM): As the name implies, identity and access management solutions help control who can access an endpoint device and its apps, when and where they can access these resources, and how they access these resources. IAM solutions are critical for ensuring that only the right people can access the information stored on a device or database.

EMM platforms gather all of these mobility management tools into one solution to create a management infrastructure that meets the specific security needs of your business, keeping corporate data secure from breaches, leaks, or other vulnerabilities in the event that a device is lost or stolen.


How You Can Use Enterprise Mobility Management for Your Business

Because EMM leverages four powerful management strategies, it can achieve advanced security measures to do things like lock down sensitive business data, track or remotely wipe company devices, implement BYOD policies with a minimized risk of cybersecurity threats, and plenty more.

All-in-all, this can increase an enterprise’s security posture and streamline the workflow of employees, giving them more options to access the apps and data that they need to work on mobile devices. To give you a better idea of what EMM looks like in motion, here’s a quick breakdown of three ways it can be used:

  1. Increase Security for Mobile Devices in Your Organization: By leveraging MAM, MDM, MCM, and IAM tools in the mobility management platform, you can remotely control apps and data on mobile devices as well as restrict access to sensitive information. These security measures greatly improve the overall security of your business’ mobile devices by not only controlling the flow of information but giving you the chance to wipe it before it gets into the wrong hands.
  2. Enforce BYOD Policies: Many enterprises allow employees to use their own personal laptops, tablets, and smartphones for work, but this comes with some pretty serious security concerns if it isn’t done properly. Employees may download malware by visiting unsecured websites or opening a malicious link in a personal email account – exposing the company’s data and network. Using an EMM solution, you can enforce BYOD policies with the proper security mechanisms in place to avoid these common security risks. It should be noted, however, that the use of EMM on your employees’ devices needs to be clearly communicated before the installation of the local client – especially if the MDM portion of the solution could be used to delete data from the device or lock it down.
  3. Track Enterprise Devices: Enterprises invest significant resources in mobile devices, so it’s important to ensure that these devices are as safe from loss as possible. By using security parameter enforcement to enable device location features, enterprises can minimize the risk of a lost or stolen device becoming permanently lost. Additionally, by sharing device location information with law enforcement, enterprises can speed along device recovery and potentially stop a data breach if illegal activity is suspected. Without device location information, malicious actors would have an unlimited amount of time to crack a device’s protections – but with EMM, this can be prevented, the device can be found, and a crisis can be avoided.


What is Unified Endpoint Management (UEM)?

Unified endpoint management (UEM) is an ambitious management solution that’s designed to manage a wide range of IT devices – such as laptops, computers, and mobile devices – from a single platform or service. The goal is to save users more time and ensure more consistent endpoint management.

While the specific functions and features of unified management solutions vary from one vendor to the next, many UEM tools rely on mobile device management (MDM) software with application programming interfaces (APIs) to ensure that security endpoints are properly protected.

While a completely centralized management platform for your business’ devices might sound great in theory, successfully transitioning into a UEM strategy has proven difficult for most companies – at least so far. The research firm Gartner predicts that it will take another three to five years before most companies will be able to successfully make the jump.

There are a few reasons why. On one hand, the major tech companies like Microsoft, Google, and Apple are focusing the bulk of their efforts on building out their own ecosystems for the workplace rather than bridging their ecosystems with one another. Of course, what it takes to manage devices from Microsoft will be significantly different than devices from Apple or Google. And with each company using different operating system release cycles, methods of deployment, provisioning programs, and so much more, finding a way to bridge them together in a seamless UEM is a formidable task.

While a true UEM holds promise for some, the scope and demands of the integration work to bring all those pieces together might be beyond the capabilities of many companies.


How Can UEM Systems Improve Endpoint Management?

The big idea behind UEM is to give users a centralized resource for managing security endpoints across their entire business network. If achieved, this would save organizations a lot of time and energy, and it would ensure that all devices would be secure and up-to-date with the latest company or compliance requirements.

Let’s see what this would look like in action: Think about a business with 100 security endpoints across all of their computers, smartphones, and tablets. Normally, to check the security settings for a single device, the system admin (or whoever in the organization is responsible for enforcing cybersecurity compliance) would have to manually review the devices’ settings.

This could mean physically analyzing every device, or using a diagnostic tool to check them remotely. Either way, it would be incredibly tedious work, and until the check is completed, they would have no idea if any given device was properly secured or not.

If this is what the business’ security strategy rests on, then security inspections would need to be scheduled constantly to make sure employees aren’t circumventing certain settings for convenience’s sake – or to make sure that employees have not accidentally downloaded software that alters the device’s security settings in some way.

If each device check took just two minutes, that’s still more than three hours of work – and the check would have to be repeated constantly, at risk of leaving the devices vulnerable to being compromised.

This is where a UEM platform would really shine, displaying a dashboard for “at-a-glance” verification of device status – whether that device is offline, online and correctly configured, or online and not properly protected. Unlike the check we discussed above, this could be completed in seconds, not hours, and it would free up more time to focus on securing the most vulnerable assets on the network.


BYOD and Apple Devices

Whichever of an MDM, EMM, or UEM solution would serve your business best, if you currently use or plan to implement a BYOD policy, an Apple device management solution is key.

Apple devices are extraordinarily popular in the consumer market – so, many employees already have them. If these devices are being used for work purposes yet your device management solution isn’t configured for the Apple operating system, then the protection it provides isn’t up to snuff.

Why not? Mainly because configurations and APIs that would work for a Windows- or Linux-based OS may not work for an Apple OS (and vice versa). So, there needs to be a device management solution in the organization that can specifically address each device’s operating system, and the entire constellation of security vulnerabilities that they present.

Using a management platform that’s specialized for Apple devices is also necessary to use powerful platforms, such as the Apple MDM framework and Apple Business Manager, that MDM solutions must integrate with in order to execute all the necessary MDM functionalities. In this case, using a management platform that’s tailor-made for Apple is crucial if you want to get the most out of your devices and ensure that you’re secured from numerous user convenience features that run in the background and pose security risks.

Two such features are the “Guest” user account and Guest folders, which may be great for families sharing a Mac, but for businesses they are a major Mac security risk. Additionally, Safari’s handling of so-called “safe files” reduces the prompts shown before opening downloaded files that are marked as “safe” in an Apple security database, and attackers can leverage this automatic execution by mimicking safe files. Disabling these features is often a necessity to ensure strong Apple security.
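As an added illustration of how an MDM would actually push these two settings and then check that they took effect (this is constructed example code, not Kandji’s or Apple’s), the script below builds a macOS configuration profile that forces the Guest account off and disables Safari’s automatic opening of “safe” downloads, then audits a device’s observed settings against what the profile asks for. The preference domains and keys are the ones Apple’s configuration-profile documentation uses for these settings; the profile identifier, organization name, and the sample device values are assumptions made up for the example.

```python
"""Build a macOS configuration profile (.mobileconfig) that disables the Guest
account and Safari's "open safe files" behaviour, then audit a device's
observed settings against it. Constructed example, not Kandji's code."""
import plistlib
import uuid

# Managed-preference domains and keys for the two settings. These are the keys
# exposed in Apple's configuration-profile documentation; re-check the current
# Apple reference before shipping a profile built this way.
GUEST_DOMAIN, GUEST_KEY = "com.apple.MCX", "DisableGuestAccount"
SAFARI_DOMAIN, SAFARI_KEY = "com.apple.Safari", "AutoOpenSafeDownloads"

# Desired state: Guest account disabled, Safari never auto-opens "safe" files.
DESIRED = {
    (GUEST_DOMAIN, GUEST_KEY): True,
    (SAFARI_DOMAIN, SAFARI_KEY): False,
}


def _custom_settings_payload(domain, settings, identifier):
    """One 'Custom Settings' (com.apple.ManagedClient.preferences) payload that
    forces the given keys in a single preference domain."""
    return {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Managed preferences for {domain}",
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}
        },
    }


def build_profile(identifier="com.example.mac-hardening", org="Example Corp"):
    """Return the profile as plist XML bytes, ready for an MDM to install.
    The identifier and organization are placeholders (assumptions)."""
    by_domain = {}
    for (domain, key), value in DESIRED.items():
        by_domain.setdefault(domain, {})[key] = value
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mac hardening: Guest account and Safari safe files",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [
            _custom_settings_payload(d, s, identifier) for d, s in by_domain.items()
        ],
    }
    return plistlib.dumps(profile)


def desired_state(profile_bytes):
    """Parse a profile back into {(domain, key): value}, so the audit compares
    against what the profile actually says rather than a second copy of it."""
    profile = plistlib.loads(profile_bytes)
    state = {}
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] != "com.apple.ManagedClient.preferences":
            continue
        for domain, spec in payload["PayloadContent"].items():
            for forced in spec.get("Forced", []):
                for key, value in forced["mcx_preference_settings"].items():
                    state[(domain, key)] = value
    return state


def audit(profile_bytes, observed):
    """Compare observed settings (as an agent or `defaults read` would report
    them) with the profile. Returns a list of findings; [] means compliant.
    A key missing from `observed` is reported, because the macOS default for
    both settings is the insecure one."""
    findings = []
    for (domain, key), want in desired_state(profile_bytes).items():
        have = observed.get((domain, key))
        if have != want:
            findings.append(f"{domain} {key}: want {want!r}, device reports {have!r}")
    return findings


if __name__ == "__main__":
    profile = build_profile()
    print(profile.decode())
    # Constructed sample: a Mac where only the Safari setting has been fixed.
    sample = {(SAFARI_DOMAIN, SAFARI_KEY): False}
    for finding in audit(profile, sample):
        print("NONCOMPLIANT:", finding)
```

The audit deliberately re-reads the desired values out of the generated profile instead of the `DESIRED` table, so a drift between what was pushed and what is checked shows up as a failure rather than going unnoticed; the same pattern works for any other managed-preference key an Apple MDM enforces.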

In sum: a device management solution that is specific to Apple OS devices is much more likely to have features to enable control over these Apple security concerns than a generic solution that lacks specialization.

When looking for an Apple device management solution, be sure to ask the solution provider how they control security settings for macOS, iOS, tvOS, or iPadOS devices – if their solution can do so at all. If the solution provider cannot provide easy Apple device security setting controls, it may be up to you to create and deploy custom code through the device management software distribution features. This manual coding solution is slow, inefficient, and prone to error.

Having a platform that can enable pre-built security settings for Apple devices greatly simplifies management of Apple devices and reduces the chances of errors in deploying security controls.

Ready to save hours of time managing your Apple devices? Request access to Kandji today.

