Abstract
Mobile Device Management (MDM) in companies becomes more and more important due to security reasons. Since a mobile device—as the term expresses—is mobile, it cannot be controlled by a company and local administrators like stationary equipment. Most of today’s mobiles are operated by an Android system. Current MDM-solutions, as well as their implementation and impact on change management, will be discussed. This paper will not provide any recommendations for or against any MDM-system. Instead, the goal is to provide a general How-To, to illustrate what an MDM-system is capable of, especially when implemented as a cloud-based solution and how to make the best use of it for your company. As an example, one commercial and two open-source systems will be discussed.
Similar content being viewed by others
1 Introduction
A large number of people in companies are using smartphones for access to critical company data. These tools, called mobile device management (MDM), become more and more essential. It is a fast-growing market that rises rapidly from year to year. In 2012, the market value was over $500 million with more than one hundred software vendors, when in 2015, the market value was already $2 billion. The forecast until 2019 for the MDM market value has been announced with $3.94 billion [1]. Combined with an increasing number of mobile devices and a need for security, there is no end to the increasing market value insight. This paper focuses on management and security in Android phones. Although the MDM-solutions we show in this paper support other devices, Android is currently the most used operating system on the mobile market, as shown in Fig. 1. In order to not exceed the scope of this paper, the focus is on how to make other devices compliant and how to manage them. With regard to the general data protection regulation (GDPR), the introduction of an MDM solution is interesting for companies to ensure data protection compliance. Such a tool provides central management of a company’s policy for mobile phones allowing the restriction of functions for preventing improper use. Improper use would mean the risk of losing company data due to a lack of proper security settings and the risk of harmful installations by users, for instance, viruses or trojans on a company’s personal computer (PC).
Due to the high amount of different mobile device management vendors and different feature descriptions, it is very difficult to select the proper MDM vendor. As shown by the statistics above, an MDM-solution cannot only focus on Android but has to offer support for other systems, as well. The question of which MDM system should be used arises in every organization that plans to introduce such a system. In 2017, Gartner Inc. released the magic quadrant for mobile device management software that is often used to make purchase decisions, as illustrated in Fig. 2. Although the magic quadrant shows leaders, visionaries, challengers, and niche players of the market and gives a certain overview, special circumstances in the small and medium market are not considered.
While administrators today are using powerful tools for ensuring a PC´s security by group policies and antivirus software on Windows systems or powerful management of user rights on Linux machines, mobile devices in companies lack such tools. Furthermore, while critical server equipment to a company can be safely placed in special secured environments with access restrictions, people who use mobile devices usually are no administrators. Everyone with physical access to the devices has potential access to a company network when using corporate APNs. This becomes critical whenever a mobile device gets forgotten or lost. The only control of these devices can now be achieved using wireless communication, relying on infrastructure not controlled by the company [4].
2 Methodology
The purpose of this paper is to give an overview of one commercial and two freemium MDM-systems, their implementation, and central management through the cloud and for devices in the cloud, i.e., for staff members. The example use case covers the lock of the camera application on the mobile device as an example of restrictions. The steps for accomplishing this task should be a blueprint to be used for the implementation of other scenarios like restricting usage time, phone costs, or geo-blocking a company phone. This paper shows organizational aspects regarding security for a company when its staff accesses the corporate network with its own devices.
To evaluate the technical aspects of implementing MDM solutions, several criteria must be met by these. In the appendix, a table will give a decision base to a company’s management, which solution might fit best. This paper, on the other hand, cannot provide any recommendation for or against any of the analyzed MDM-systems due to various facts that need to be considered, for instance, costs, number of devices, support, personal preference of a graphical user interface (GUI) and so on. The change management part, however, will cover possible implementation strategies based on organizational development and the Technology-Organization-Environment-framework (TOE) [5], which will be adopted for the cloud-based MDM solutions. The evaluated systems are the two freemium solutions Miradore MDM and ManageEngine MDM, while Sophos MDM comes as a complete commercial solution. All systems offer an on-premise installation part with supporting routines stored in the cloud and cloud-based solutions only. We started with the on-premises installation for testing purposes and switched to the cloud solutions afterward. Since all solution providers intend to give up their on-premises part in the MDM-systems, this step seems to be logical, especially when on-premises-solutions cannot work without expensive infrastructures like Exchange/Sendmail-Server and a messaging system, in order to send out configuration profiles and compliance short message system (SMS) as shown at the end of the appendix. Furthermore, it needs to be mentioned that all solutions work with web browsers.
3 Related work-security and compliance in general-technological aspects
MDM is vital for ensuring that a company’s data are secured. According to M. Pierer, the concept of MDM systems can be categorized in the following areas [1]: definition of security policies, distribution of policies over the air, Controlling, maintaining and monitoring compliance, and reacting on policy breaches. In general, bringing one’s device-appliances (BYOD) with software installed by staff members themselves can be considered as a trend and driving force behind MDM and company policies [4]. On the other hand, almost all mobile devices require an account from the manufacturer to work correctly. That means one might upload data on cloud servers without noticing it [6]. This happens almost whenever using standard settings. All tested systems offer features to restrict settings in Android for implementing security profiles. The only problem was what happened if older devices would be used. The only system, or more precisely its agent, capable of managing an older Android version, was Sophos. This system offers plugins for multiple hardware manufacturers of devices. The downside, however, is the agent and the plugin for the specific device need to be installed. Both freemium systems offer only one client, yet at least support Samsung mobiles separately.
Due to the various Android systems from device to device, the restrictions possible by MDM vary as well. So, the criteria for the evaluated systems are not the number of possible restrictions, but a working environment, especially the setup process, management, and costs. Evaluated Systems were Sophos Mobile Device Management as a commercial system, Miradore, and Mobile Device Manager Plus, as freemium environments. The criteria catalog can be found in the appendix. The outcome, however, revealed that the commercial system, due to multiple plugins for many devices as well as a TCO over five years lower than a freemium system, would be the best choice.
Regarding manageability, application rollout, and restrictions, there is not that much difference in the features of the tested systems since, as already mentioned, these settings depend on the managed device and its Android system. For Samsung devices, Samsung KNOX in devices starting with Android 5 offers much more restrictions than Android steered devices without Samsung KNOX. The choice of what system to implement has to be based on the number of managed devices and the security needed. The need for additional server hardware regarding on-premises solutions, however, needs to be kept in mind while an outsourced cloud solution provides more flexibility and scalability. The tested freemium systems can only be used for a company when one pays for advanced features. If not, they are limited in the number of devices and restrictions for profiles.
The process of MDM requires the setup or registration, the adding of devices, and making them compliant. As a first step, an agent has to be installed on the device. This agent has to be acquired from the Google Play Store for Android devices or the solution provider as an APK-file. It is not recommended to download these agents from other sources since they might have been tampered with. Depending on the device, there might be plugins for communicating with the MDM. They are comparable to the hardware abstraction layers for Windows or specific kernels for Linux. As an example, Samsung smartphones and Sophos MDM require the Sophos Mobile Control Application, as well as the Sophos Samsung Plugin. Furthermore, communication between the MDM and the smartphone needs to be enabled. In companies, a static IP-address is being reserved for this purpose, and a contract with a mobile network operator for each own Access Point Name (APN) is concluded. The advantage is that any smartphone communicating over this APN can be integrated into one’s corporate network. No matter if a user chooses to bring his own device (BYOD) or one offered by the company, choosing your own device (CYOD) is a question of comfort only [6]. Of more importance is that every mobile device uses your corporate firewall and can access only resources in your network grant to him. After a device is compliant, management can be accomplished with policies according to the company’s needs. The deployment and management process (Fig. 3), from an enrollment of a mobile device to issuing security commands, is part of any MDM-solution.
However, not all devices support every restriction, which depends on the mobile device and implementation of the Android system rather than on the MDM itself. So, there are various possibilities in restricting functions on a specific device, while other devices lack these. Mostly you might want restrictions on the access point name, so a user cannot change the Access Point Name-settings (APN) to bypass the corporate network. Other useful settings include the limitation of installable applications. So, you can lock the device on Google Play Store apps and prohibit all unknown sources. Even if a user tries to unlock unknown sources, he will not be able to do so. Furthermore, the Play Store could also be completely disabled.
The configuration of mobile devices is being done by the over the air-standard (OTA), supported in all MDM-solutions. This standard ensures the configuration of devices using any available channels like near field communication (NFC), Bluetooth, Wireless Fidelity (WiFi)/wireless local area network (WLAN), or the mobile network itself [1]. Almost any setting accessible via the Android system can be restricted. The most useful feature of MDM is the rollout of applications. That means you can do nearly anything like global policy objects (GPOs) in a Windows environment. So, you can keep every mobile device updated at the same level, all having the identical application versions, which makes support easier while preventing users from updating their apps on their own and test compatibility before the company approves an update. In the appendix, further details about restricting the use of applications will be shown.
For security reasons, if a device gets lost or is reset, MDM ensures, it can no longer access the corporate network, while management is done by a web browser from any location [6]. More important than the rollout of APKs are entire security profiles in preventing users from installing apps or taking configurations steps on the device by themselves. The profiles avoid modifications of the configuration, which a user should not be authorized to do. This also covers changing the APN, usage of SD-cards for storing company data, accessing WLANs, or the use of the camera. The latter being a beautiful feature in critical environments, where taking pictures is not allowed. Examples for this restriction are shown in the appendix, as well as the setup of the MDM-solutions.
4 The organizational aspect
According to literature, modern MDM solutions are cloud solutions. Even though they were not invented initially as such [4], they did develop in this direction [8] and are today mostly handled as such [9]. The relationship between technology, particularly modern usage of smartphones, and organizational change, has not been sufficiently explored in the literature. Some studies have revealed that a rapid introduction of technology could greatly affect institutional arrangements such as formal organizational processes, including human actions and social relations [10]. Organizations exist and operate within an environment that influences their shape, determines their structure, offers opportunities, and poses threats. Customers and competitors are paramount amongst these external factors.
An analysis of an enterprise’s environment must first determine if a change that is planned (introduction of an MDM solution) has an impact on the organizational environment, especially on the external environment. If this is not the case, only the inner organization environment is considered.
Although the introduction change of an MDM solution for a company could be seen, according to Butterfield “as a concrete discreet change with a general period of time and little emotional impact” [11], the introduction should not only follow a pure Systems Intervention Strategy (SIS), but tend to use this as a guideline for a Change process and should also be augmented by a realistic approach.
The TOE [4] framework is an organization-level theory that represents one segment of how firm contexts influence the adoption and implementation of innovations, as illustrated in Fig. 4.
According to Min et al., the Frameworks is based on the three aspects of an enterprise context: Technological, Organizational, and Environmental. These aspects have an impact on internet technology (IT) innovation-related decisions like MDM and the use of technological innovations in organizations [13].
The technological context includes any technology relevant to the company, technology already in use at the company, as well as the one being available in the marketplace, but not currently in use. The organizational context refers to the characteristics as well as the resources of a company, including linking structures between employees, intra-company communication processes, company size, and the number of available resources. The environmental context includes the format of the industry, the availability of technology service providers, and the regulatory environment [14]. The definitions of the aspects show that there are crucial general business issues that need to be considered. Because of that, an adaptation of the TOE framework was approached, as illustrated in Fig. 5.
As mentioned before, these aspects of the TOE can be seen as essential, as has been denoted by several studies. First, the advantage, i.e., the greater the perceived relative advantage of ES, the more likely it will be adopted [16, 17]. Secondly, compatibility, i.e., the greater the perceived compatibility is with current infrastructure, values, and beliefs, the more likely they will be adopted [16, 17]. Thirdly, the lower the perceived complexity is, the more likely it will be adopted [16, 17]. Furthermore, the ability to experiment with MDM encourages its adoption [16, 17]. Top management support can provide a motivating environment of innovation diffusion through oral notes [18]. The greater the top management’s support, the more likely it will be adopted [16, 17]. An organization and its decision-making management should make an effort to access and analyze possible changes in organizational culture, process, and work relationships [17] to avoid the negative impact that comes with an introduction of MDM solutions. Also, experience is seen as a critical aspect. The greater the expertise available in the organization, the more likely it will be adopted [16], especially the usage and experience with Mobile devices. When it comes to trust, the experience can be seen as an essential turning point. Trust is a core requirement of a positive relationship in various contexts [19], and competitive pressure can be seen as an effective motivator. Competition in the industry is generally recognized to influence IT adoption positively, which is also true for MDM [17]. The trading partner support, in other words, the Provider of the Device Management, also has a significant positive effect on the adoption [17]. Security is another trading partner-related concern which is not only about authenticity, authorization, and accountability but is more concerned with data protection, disaster recovery, and business continuity [19]. Because dealing with security concerns has always been a focus of most firms, MDM should not present unusual or additional challenges. In some instances, the restricted configuration or customization possibilities of MDM noticeable presented fewer security risks [18]. Also, as a part of the security aspect is the BYOD concept for firms. Security and privacy must be given, an integrated and integrative process encompassing the whole organization. The concept is already prevalent in many organizations worldwide, and a successful strategy can provide benefits for both employees and organizations. Seen from the viewpoint of an employee, it can increase mobility, flexibility, and ability to adopt the technology of choice. Moreover, it can lead to greater job satisfaction and an increase in employee productivity in organizations” [20]. Modern MDM is the primary key to allow your employees to bring their device, since through the separation of company and private data, employers and employees can participate of the benefits of using the device of their choice (in the defined limitations, like using a particular OS, etc.) and minimizing the hazards. Furthermore, a lack of usage of an MDM solution is the main reason for structural problems with BOYD [20]. As an alternative to the BOYD approach, Corporate Owned, Personal Enabled (COPE) is possible. This means the organization buys the mobile device, and the user can use the mobile device privately. Although the initial investment for the organization is high, the auditing and monitoring are inexpensive. Moreover, the familiarity of the mobile device to the end-user is given because end users tend to utilize their favorite mobile devices for business purposes. Therefore, productivity and efficiency can be increased [1]. In general, a combination of those initiatives is used in organizations. In departments, where sensitive data is stored extensively, it is advisable to choose the Corporate Owned Business Only (COBO) initiative.
Roll-Out: As for the SIS, the organizational requirements, security policies, and data protection issues must be considered first, which will be mainly related to security. Yet, these must be defined for each firm on a best practice base, depending on the organization’s complexity and company size. Organizations have to think about a roll-out strategy to enroll all mobile devices, which belong to them over a mobile device management system. Because of the direct impact of mobile end users, this phase is seen as the most critical one. However, the cooperation of each employee is necessary, without the collaboration of the users, the enrolment and application distribution cannot take place, and the control and maintenance is difficult.” [1].
5 Conclusion
Regarding technological aspects, Mobile Device Management can be considered a solution for enterprises to extend their security from classic internal networks to mobile devices, even when users bring their own devices (BYOD). Yet, it also plays an essential role when using COPE or COBO approach in firms for security reasons. MDM ensures these devices are compliant with corporate policies, like GPOs in Windows. That means a user cannot tamper with a device without being banned from the corporate network once a policy violation is being detected. Even for the management, it is made much more comfortable to update many mobile devices to current software version (APK-files), comparable to software distribution in Windows. A mobile device can be remotely controlled as well, monitored, and restricted in their functions to the desired level.
Regarding the Organizational aspect, we showed the relation of MDM solutions that are state of the art to the cloud and the relationship between technology modern usage of smartphones, and organizational change. Furthermore, the importance of the external and internal corporate environment was shown. Indeed, there is not a mere change of fixed timescales and limited emotional impact, but other organizational aspects are affected as well.
Since the relevance of TOE framework is found increasing in the recent literature for IT innovation-related decisions, the authors used the extended version of the Frameworks (extended by the aspect of business strategy) to analyze in the literature which aspects could be essential for an introduction and acceptance of an MDM solution.
Concerning the technological aspect, relative advantage, compatibility, complexity, organizational readiness, and compatibility were identified as essential. Also, the ability to experiment has been identified as an important aspect. In the Organizational aspect of the TOE, the top management support is seen as crucial for the acceptance, as well as experience. As for the environmental aspect, competitive pressure is seen as an effective motivator for adoption.
As for the last aspect, the business strategy was analyzed. Due to this analysis, it was shown that security is the main factor and is thus of the highest importance for firms. Hence, dealing with security concerns has always been a major focus.
In the course of evaluating an MDM solution, a company should define a strategic approach to the acquisition and use of hardware (BYOD, COPE, COBO, etc.)
In an MDM Rollout, any company needs to consider the organizational requirements, security policies, and data protection issues. The strategy for the enrolment of all mobile devices also has to be taken into account. Collaboration with employees is also seen as an essential factor for a rollout, due to the direct impact of mobile end users.
This study was based on literature research. Certainly, more thorough research on practical implementation could provide deeper insight and detect possible weaknesses in implementation.
References
Pierer M (2016) Mobile device management mobility evaluation in small and medium-sized enterprises. Springer, Wiesbaden
Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 1st quarter 2018. www.statista.com
Gartner magic quadrant for MDM software (Gartner Inc. 2017). p 4. https://techorchard.com/wp-content/uploads/2017/07/Gartner_MagicQuadrant_EMM_2017.pdf. Accessed 22 July 2018
Kersten H, Klett G (2012) Mobile device management. Hüthig Jehle Rehm, Heidelberg
Baker J (2011) The technology-organization-environment framework. Information systems theory: explaining and predicting our digital society, 2nd edn. Springer, New York, pp 231–246
Disterer G, Kleiner C (2014) Risiken mobiler Endgeräte. Mobile Endgeräte im Unternehmen, 1st edn. Springer, Wiesbaden, pp 5–13
Own screenshot from manageengine mobile devie manger plus V 9.0.0
Liu L, Moulic R, Shea D (2010) Cloud service portal for mobile device management. In: IEEE 7th international conference on e-business engineering, vol 474. https://doi.org/10.1109/ICEBE.2010.102
Alizadeh M, Hassan W (2013) Challenges and opportunities of mobile cloud computing. In: IEEE 9th international wireless communications and mobile computing conference. https://doi.org/10.1109/IWCMC.2013.6583636. Accessed 22 July 2018
Yeo R, Marquardt M (2015) Think before you act: organizing structures of action in technology-induced change. J Organ Change Manag 28(4):511–528. https://doi.org/10.1108/JOCM-12-2013-0247
Butterfield R (2013) Change–a personal view. Management Resource Centre. http://www.mrc-world.com/. Accessed 01 July 2018
DePietro R, Wiarda E, Fleischer M (1990) The context for change: organization, technology, and environment. In: Tornatzky LG, Fleischer M (eds) The process of technological innovation. Lexington Books, Lexington
Li M, Zhao D, Yu Y (2015) TOE drivers for cloud transformation: direct or trust-mediated? Asia Pac J Market Logist 27(2):226–248. https://doi.org/10.1108/APJML-03-2014-0040
Tornatzky LG, Eveland JD, Fleischer M (1990) Technological innovation as a process. In: The processes of technological innovation. Lexington Books. pp 27–50
Butterfield R, Maksuti S, Tauber M, et al (2016) Towards modelling a cloud application’s life cycle. In: 6th international conference on cloud computing and services science, pp 310–319. https://doi.org/10.5220/0005912403100319316
Ramdani B, Kawalek P, Lorenzo O (2009) Predicting SMEs’ adoption of enterprise systems. J Enterp Inform Manag 22(1/2):10–24. https://doi.org/10.1108/17410390910922796
Gangwar H, Date H, Ramaswamy R (2015) Understanding determinants of cloud computing adoption using an integrated TAM-TOE model. J Enterp Inf Manag. https://doi.org/10.1108/JEIM-08-2013-0065
Borgman H, Bahli B, Heier H, Schewski F (2013) Cloudrise exploring cloud computing adoption and governance with the TOE framework. In: 46th Hawaii international conference on system sciences. https://doi.org/10.1109/HICSS.2013.132
McKnight DH, Chervany L (2016) The meanings of trust. Technical Report MISR 96-04, Management Information Research Center, University of Minnesota, Minneapolis
Bello AG, Murray D, Armarego J (2017) A systematic approach to investigating how information security and privacy can be achieved in BYOD environments. Inf Comput Secur 25(4):475–492. https://doi.org/10.1108/ICS-03-2016-0025
Butterfield R (2015) Change management tools—a support booklet, prepared for the FH-Burgenland, Eisenstadt
Stricklen M, McHale T, Caminetsky M, Reddy V (2008) Mobile device management. https://patentimages.storage.googleapis.com/3b/ec/bf/cfe24b906ca78e/US20080070495A1.pdf. Accessed 02 Apr 2018
Funding
No fundings were received or used for this work.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
All Authors have declares that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix
Appendix
1.1 Relevant organizational models for the paper
As illustrated in Fig. 6 the model of an organization’s environment is shown.
As illustrated in Fig. 7 the three phases of the System Intervention Strategy model (SIS) are shown.
1.2 Technical information regarding setup—all illustrations are own screenshots from the mdm systems
The installation platform for all MDM-Systems was Windows Server 2016 standard edition with all available Microsoft-patches until April 2018.
Used versions at the time of this writing were:
-
1.
Miradore V 4.7.0 (www.miradore.com)
-
2.
Sophos V 8.0.5 (www.sophos.com)
-
3.
ManageEngine Mobile Device Manager plus V 9.0.0 (www.manageengine.com)
For every solution, the process consists of three steps. First the registration (for cloud solution only) or the on-premises setup of the MDM-solution itself, followed by the adding of devices, which means making them compliant and third the management of them. However, any on prem-installation cannot work without a company mail server and SMS-gateway for issuing compliance commands to the specific mobile device.
Once this is done, you need to scan a QR-Code on the device to finish the compliance process. Since the QR-code is generated by the servers hosting the MDM-solution and most e-mail-providers do not allow other source e-mail-addresses than registered, any home e-mail server from an internet provider will fail to send this compliance mail. So, you have to be an enterprise customer, in order to test MDM-solutions. For testing purposes, these prerequisites could not be fulfilled due to a lack of resources (especially money) for working on-premises installation. Anyway, since all of the solutions we had in mind for evaluation offer online setups as well, these platforms were tested in the cloud. Another issue was the IP-address. Since MDMs require static IP-addresses for evaluation at the time of this writing using a home internet service provider you get a dynamic IP-address each time you log in, especially the managing web server could not be found with a changing IP-address every time. Workarounds like dynDNS could have been used but would not change the behavior of the MDM-system in comparison to the cloud solutions, we have chosen for evaluation. So, the MDM-solutions had been registered at the homepages of the solution provider’s web pages.
Anyway, the on premises-installation is outlined in brief as follows. Please keep in mind, that once installed there is no difference in working on-prem or in the cloud regarding making your devices compliant a managing them. Furthermore, when using the cloud solution, you do not need a database system like Microsoft SQL-Server, which costs you additional license fees. You might think of using MySQL/Maria DB, but since these solutions are not natively developed for Windows—the system most enterprises are familiar with—the recommendation is using Microsoft SQL-Server. Furthermore, since Microsoft plans to transfer all services to the cloud by 2023, even MDM solution providers are focusing on the same path. Miradore says:
“This version is also the last release with the legacy mobile device management as we are gradually replacing the old mobile device management features with Miradore Online.”
Source: https://www.miradore.com/blog/miradore-421-release-news/.
Sophos offers an entire suite including malware-scanners, where MDM is only a part of it as illustrated in Fig. 8.
ManageEngine already is split in a cloud solution for managing mobile devices, while only the GUI can be installed on premises. That means, the future of MDM resides in the cloud, too, which makes sense, due to no additional configuration is needed. This appendix, therefore, focuses on the management and making Android devices compliant, once the MDM solution is set up. Anyway, the setup process is shown in brief for all suites.
1.2.1 Miradore
Miradore is installed along with the Miradore Management Suite, while asset management of mobile devices is done completely online in the cloud. Data, however, can be imported into the management suite. However, this system requires Android Version 5 or higher, in order to work. Versions below Android 5 cannot be restricted like required.
The platform was a virtual system called “hypersys0001” as illustrated in Fig. 9.
Due to a lack of money for a commercial SQL-server license, SQL-Server Express has been used. This system comes along with the setup of Miradore. However, for large enterprises, SQL-Server Express will not fit the requirements due to restrictions in database size and manageability regarding automated backups. Figure 10 illustrates the instance name of the testing environment.
The final settings of the entire MDM-solution are illustrated in Fig. 11.
After completion of the installation process, you can log in at the Miradore-webpage using a common web browser that you enter the following address: localhost/Miradore/Login/Login.aspx&ReturnUrl = %2fMiradore as illustrated in Fig. 12.
Like mentioned before, the on-premises solution won’t work, due to lack of enterprise e-mail servers, SMS-gateways, and web space to be reached without DynDNS. Therefore, the cloud solution has been used for compliance making and managing.
1.2.2 Miradore: making devices compliant
The enrollment process of a device is a straightforward procedure. You enter the devices phone number, as illustrated in Fig. 13, in order to add it to the system:
After that, you have to carry out the instructions below by downloading and installing the Miradore online client on the selected device as illustrated in Fig. 14.
When the device is located somewhere in a subsidiary thousands of kilometers away, as the screenshot says, the information is sent as e-mail and SMS as well - that’s the reason why the on-premises solution cannot work as already mentioned—except, we would buy such solutions, which was not necessary for giving an overview of the MDM-solution. Anyway, the person, to whom this device belongs can carry out the enrollment process without administrator intervention. Unless the device is enrolled it will not be compliant and can be handled appropriately by a corporate firewall, like not letting it participate in the corporate network. This means the person can not continue its work, until doing so.
1.2.3 Miradore: management
After the device is enrolled, it can be managed and participate on the corporate network. However, restrictions depending on the used Android version apply. One of our own test devices (an Archos C50 neon) could not be managed at all even it was compliant, due to Android Version 4.4.2. Support of Miradore admitted, what as mentioned above, that you require at least Android 5 or higher, in order to make full use of MDM as illustrated in Fig. 15, there are clients, that could not be managed due to a lack of a supported Android version.
Anyway, a device with Android 5 or higher can be managed and restricted by configuring profiles and policies just like GPOs in Windows. Rolling out APK-files compared to executables MSI-files in Windows can be accomplished as well as illustrated in Fig. 16.
Important for a company would be playing an alarm sound or much better, locking or wiping of a device, once it gets lost as illustrated in Figs. 17, 18 and 19.
Furthermore, as illustrated in Fig. 20, an example rollout of the opera mini application via the Miradore-MDM is given.
You can provide the APK-file itself or as a link to the Google, what means, that you can be sure to get the latest version, but you might risk incompatibility issues if you do not test the APK before being rolled out.
1.2.4 ManageEngine mobile device manager plus
On-premises installation of ManageEngine Mobile Device Manager plus is done straightforwardly without much administrator interaction. You only have to start the setup and optional enter support-information. First, you choose between a cloud solution or the on-premises version as illustrated in Fig. 21.
For evaluation, the on-premises solution has been chosen. The setup implements the local database and the web server, that can be started at localhost, port 9020 from the below link:
https://www.localhost:9020/mdmTab.do?actionToCall=listMdmRequests&source=leftree
After the initial configuration of NAT- and proxy-settings and a corporate or local firewall are configured to open the ports as illustrated in Fig. 22, you are ready to go.
1.2.5 ManageEngine mobile device manager plus: making devices compliant
The enrollment of devices was done with the cloud solution, due to no possible working configuration in the on-prem solution like mail-server and SMS-gateway, as mentioned at the Miradore-MDM-solution. How the solution works is illustrated in Fig. 23.
However, the enrollment is not very different from Miradore. The first step is to enter the device phone number and a group, where to put it in. That’s important for later profile rollout and management as illustrated in Fig. 24.
After that, you have to follow the steps SMSed or mailed to you by installing the ManageEngine APK. As you can see in the following screenshot, the steps are not very different from Miradore. You have to download an app and register it to the MDM-server provided in the link from step three. What to do is illustrated in Fig. 25.
After successful enrollment, your device is manageable by ManageEngine Mobile Device Manager plus as well using profiles and restrictions just like in Miradore as illustrated in Fig. 26.
As illustrated in Fig. 27 a few test devices are shwon, that had been enrolled in ManageEngine Mobile Device Manager plus:
1.2.6 ManageEngine mobile device management plus: management
Besides the fact, you can restrict almost anything with Miradore, as illustrated in Fig. 28 an example of remote controlling a device using ManageEngine Mobile Device Manager plus is given:
Like in Miradore even in ManageEngine Mobile Device Manager plus profiles and restrictions of a device are important. As illustrated in Fig. 29, you have various possibilities, in order to accomplish this.
As an example, the built-in camera has been disabled, by implementing a profile and distribute it to the device(s) as illustrated in Figs. 30, 31 and 32.
Furthermore, when you try to tamper with the device, a policy violation will be detected immediately, that results in either restricting the device from acces to your corporate network or in a complete device lock, by blacklisting it as illustrated in Fig. 33.
1.2.7 Sophos mobile device management
Sophos Mobile Device Management-Installation is done like ManageEngine by starting the setup process. After a prerequisites check, that includes free ports, internet connectivity to supporting sites, since the MDM works only if the connection to them is not restricted through a corporate or other firewall system and of course the IIS as illustrated in Fig. 34, the process can continue.
Most important is the setup of the database. Setup of Sophos includes Microsoft SQL-Server Express Edition, but like mentioned, for production environments at least a standard version of SQL-server is recommended. For evaluation purposes - and of course, due to lack of money for licensing - the free SQL-server was used as illustrated in Fig. 35.
The Instance: “hypersys0001\mssqlserver” with the database: “SMCDBv2” was chosen. However, like the other MDM-suites, even Sophos will not work on-prem without an SMS-gateway and properly configured e-mail server. Therefore, it was time to switch over to the cloud solution once again due to a lack of resources for implementing a local setup completely. Since mentioned above, a home environment most often cannot fulfill the requirements for an MDM-system. Anyone can do the following steps in the Sophos cloud test environment, that you can register directly at the manufacturer’s website:
https://secure2.sophos.com/de–de/products/mobile-control/free-trial.aspx
Anyway, if you fulfill the requirements, you still can choose a complete on-premises installation as illustrated in Fig. 36.
1.2.8 Sophos mobile device management: making devices compliant
Using Sophos, the rollout and compliance-process for devices do not differ much, too from the already mentioned MDM-solutions from Miardore and ManageEngine. Compliance of a device is made by two steps:
-
Step 1: you have to add a device as illustrated in Fig. 37.
-
Step 2: you enter its phone number and other identifications like, to whom it belongs, a corporate IP from a data guard system, mail-address, etc.. Off course these data must not be illustrated in Fig. 38 on the right side, due to privacy issues. However, the names of the fields are illustrated as well.
After that, you can send the enrollment e-mail as illustrated in Fig. 39.
Then you have to install once again an app. For Sophos Mobile Device Management, it is Sophos Mobile Control, then scan the QR-Code submitted to you and do the first sync. As illustrated in Fig. 40, the details are shown.
The device should be compliant briefly after that and can be managed including status reports as illustrated in Fig. 41.
1.2.9 Sophos mobile device management: management of devices
Sophos is capable of managing a device like the features in Miradore and ManageEngine since these features, in fact, are not part of the MDM-solution but represent features of a mobile device. So, if a device lacks a built-in camera, it can not be restricted. That leads once again to the examples of managing restrictions and rolling out profiles. The first step in restricting the camera is to create the profile:
In detail, once the profile is rolled out and a user tries to take a picture using the integrated camera of an Android device, the system will show an error, that a security policy has been violated, as illustrated in Fig. 42.
As mentioned, the camera example is just a part of the entire possibilities, that can be accomplished by MDM. In fact, you can restrict WLAN, Bluetooth, APNs, the Microphone, Web Browser, and Internet-Usage. So, in order to have a hardened device capable of using as a mobile phone only you might restrict it by locking to the country, disable any network functionality and SMS-usage, prevent it from making a master reset and in order not to access corporate data to be stored on an external SD-card you can disable it. Just like most PC systems MDM also have logs, what happened with the managed devices. As the following figure shows, there had been a compliance violation resolved:
Furthermore, as an example of much more detail of managed devices, you have the possibility to show profiles, installed apps, compliance status, and running tasks. All in all, as a conclusion to the technological aspects a company today would put itself on risk in losing data or opening security leaks to third parties when a mobile device gets lost or into false hands. So, using an MDM-system is absolutely vital for every company that allows its staff to access the corporate network via mobile devices. As illustrated in Fig. 43 an alert message from the MDM system is shown, while as illustrated in Fig. 44 the device status is being reported.
Sophos MDM pointed out to offer separate cloud endpoint protection with the ability to integrate the MDM solution. So as a company to make administration of all your PCs and mobile devices easy, this system might be the best choice, especially when protecting BYOD as a combination of MDM and endpoint protection. However, if your budget devices are limited, Miradore and ManageEngine would be your primary choice. The decision, what system will be picked has to be done at the management. Finally, as illustrated in Fig. 45 the communication flow for the Sophos MDM-system is shown. However, all other solutions work similar to it.
1.3 Discussion
An overview of central specifications of all evaluated MDM-systems is presented in table Table 1, while features with criteria and costs are presented in Table 2.
According to these tables, most restrictions are offered from ManageEngine. This is due to Android-settings on Samsung devices, especially the so-called Samsung KNOX standard. That’s the reason, why the freemium systems support at least Samsung devices as this de-facto standard. Otherwise, not all features to comply with company policies could be restricted on mobile devices.
Furthermore, it points out, that the commercial Sophos system is cheaper over a period of five years for smaller companies, while larger companies save money when using ManageEngine with 250 or more mobile devices. The lack of features in Sophos comes from the software being used as a professional tool, and not for playing games like changing wallpapers on targeted devices.
A little bit surprising is, that restriction features - although targeting Android - are not named and structured identically in the MDM systems. Sometimes they follow a very strange logic, especially Miradore and ManageEngine offer “features” you do not really need, while Sophos follows a clear logic. In reality, all of the MDM systems fit a company’s needs for restricting mobile devices.
As mentioned in the main essay, there is no preference for or against any of these systems, since it depends on the use cases, the budget and the individual preference for the layout of the GUIs. The headquarter of Sophos, however, is in the United Kingdom, which means, that after the BREXIT, it is not sure, on how the software will be maintained according to the GDPR in the future. Miradore comes from Sweden, what means the product definitely will be maintained under the GDPR, while ManageEngine from Canada mostly might target the US-market and not Europe.
Rights and permissions
About this article
Cite this article
Glowinski, K., Gossmann, C. & Strümpf, D. Analysis of a cloud-based mobile device management solution on android phones: technological and organizational aspects. SN Appl. Sci. 2, 42 (2020). https://doi.org/10.1007/s42452-019-1819-z
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s42452-019-1819-z