1 Introduction

A large number of people in companies are using smartphones for access to critical company data. Tools for managing these devices, called mobile device management (MDM), are becoming more and more essential. It is a fast-growing market that rises rapidly from year to year. In 2012, the market value was over $500 million with more than one hundred software vendors, while in 2015, the market value was already $2 billion. The forecast for the MDM market value until 2019 has been announced as $3.94 billion [1]. Combined with an increasing number of mobile devices and a need for security, there is no end in sight to the increasing market value. This paper focuses on management and security in Android phones. Although the MDM-solutions we show in this paper support other devices, Android is currently the most used operating system on the mobile market, as shown in Fig. 1. In order to not exceed the scope of this paper, the focus is on how to make other devices compliant and how to manage them. With regard to the General Data Protection Regulation (GDPR), the introduction of an MDM solution is interesting for companies to ensure data protection compliance. Such a tool provides central management of a company’s policy for mobile phones, allowing the restriction of functions to prevent improper use. Improper use would mean the risk of losing company data due to a lack of proper security settings and the risk of harmful installations by users, for instance, viruses or trojans on a company’s personal computer (PC).

Fig. 1

Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 1st quarter 2018 [2]

Due to the large number of different mobile device management vendors and different feature descriptions, it is very difficult to select the proper MDM vendor. As shown by the statistics above, an MDM-solution cannot focus on Android only but has to offer support for other systems as well. The question of which MDM system should be used arises in every organization that plans to introduce such a system. In 2017, Gartner Inc. released the magic quadrant for mobile device management software that is often used to make purchase decisions, as illustrated in Fig. 2. Although the magic quadrant shows leaders, visionaries, challengers, and niche players of the market and gives a certain overview, special circumstances in the small and medium market are not considered.

Fig. 2

Gartner magic quadrant for MDM software, Gartner Inc. [3]

While administrators today are using powerful tools for ensuring a PC's security through group policies and antivirus software on Windows systems or powerful management of user rights on Linux machines, mobile devices in companies lack such tools. Furthermore, while server equipment critical to a company can be safely placed in specially secured environments with access restrictions, people who use mobile devices usually are not administrators. Everyone with physical access to the devices has potential access to a company network when using corporate APNs. This becomes critical whenever a mobile device gets forgotten or lost. The only control of these devices can now be achieved using wireless communication, relying on infrastructure not controlled by the company [4].

2 Methodology

The purpose of this paper is to give an overview of one commercial and two freemium MDM-systems, their implementation, and central management through the cloud and for devices in the cloud, i.e., for staff members. The example use case covers the lock of the camera application on the mobile device as an example of restrictions. The steps for accomplishing this task should be a blueprint to be used for the implementation of other scenarios like restricting usage time, phone costs, or geo-blocking a company phone. This paper shows organizational aspects regarding security for a company when its staff accesses the corporate network with its own devices.

To evaluate the technical aspects of implementing MDM solutions, the solutions must meet several criteria. In the appendix, a table will give a company’s management a decision base as to which solution might fit best. This paper, on the other hand, cannot provide any recommendation for or against any of the analyzed MDM-systems due to various factors that need to be considered, for instance, costs, number of devices, support, personal preference of a graphical user interface (GUI) and so on. The change management part, however, will cover possible implementation strategies based on organizational development and the Technology-Organization-Environment-framework (TOE) [5], which will be adopted for the cloud-based MDM solutions. The evaluated systems are the two freemium solutions Miradore MDM and ManageEngine MDM, while Sophos MDM comes as a complete commercial solution. All systems offer an on-premises installation with supporting routines stored in the cloud, as well as cloud-only solutions. We started with the on-premises installation for testing purposes and switched to the cloud solutions afterward. Since all solution providers intend to give up the on-premises part of their MDM-systems, this step seems to be logical, especially when on-premises solutions cannot work without expensive infrastructure like an Exchange/Sendmail server and a messaging system in order to send out configuration profiles and compliance messages via short message service (SMS), as shown at the end of the appendix. Furthermore, it needs to be mentioned that all solutions work with web browsers.

3 Related work - security and compliance in general - technological aspects

MDM is vital for ensuring that a company’s data are secured. According to M. Pierer, the concept of MDM systems can be categorized in the following areas [1]: definition of security policies, distribution of policies over the air, controlling, maintaining and monitoring compliance, and reacting to policy breaches. In general, bringing one’s own devices (BYOD), with software installed by staff members themselves, can be considered a trend and driving force behind MDM and company policies [4]. On the other hand, almost all mobile devices require an account from the manufacturer to work correctly. That means one might upload data to cloud servers without noticing it [6]. This happens almost whenever standard settings are used. All tested systems offer features to restrict settings in Android for implementing security profiles. The only problem was what happened if older devices were used. The only system, or more precisely its agent, capable of managing an older Android version was Sophos. This system offers plugins for multiple hardware manufacturers of devices. The downside, however, is that both the agent and the plugin for the specific device need to be installed. Both freemium systems offer only one client, yet at least support Samsung mobiles separately.

Due to the various Android systems from device to device, the restrictions possible by MDM vary as well. So, the criteria for the evaluated systems are not the number of possible restrictions, but a working environment, especially the setup process, management, and costs. Evaluated Systems were Sophos Mobile Device Management as a commercial system, Miradore, and Mobile Device Manager Plus, as freemium environments. The criteria catalog can be found in the appendix. The outcome, however, revealed that the commercial system, due to multiple plugins for many devices as well as a TCO over five years lower than a freemium system, would be the best choice.

Regarding manageability, application rollout, and restrictions, there is not that much difference in the features of the tested systems since, as already mentioned, these settings depend on the managed device and its Android system. For Samsung devices, Samsung KNOX in devices starting with Android 5 offers many more restrictions than Android-based devices without Samsung KNOX. The choice of what system to implement has to be based on the number of managed devices and the security needed. The need for additional server hardware for on-premises solutions, however, needs to be kept in mind, while an outsourced cloud solution provides more flexibility and scalability. The tested freemium systems can only be used for a company when one pays for advanced features. If not, they are limited in the number of devices and restrictions for profiles.

The process of MDM requires the setup or registration, the adding of devices, and making them compliant. As a first step, an agent has to be installed on the device. This agent has to be acquired from the Google Play Store for Android devices or from the solution provider as an APK-file. It is not recommended to download these agents from other sources since they might have been tampered with. Depending on the device, there might be plugins for communicating with the MDM. They are comparable to the hardware abstraction layers for Windows or specific kernels for Linux. As an example, Samsung smartphones and Sophos MDM require the Sophos Mobile Control Application, as well as the Sophos Samsung Plugin. Furthermore, communication between the MDM and the smartphone needs to be enabled. In companies, a static IP-address is reserved for this purpose, and a contract with a mobile network operator for the company's own Access Point Name (APN) is concluded. The advantage is that any smartphone communicating over this APN can be integrated into one’s corporate network. Whether a user brings his own device (BYOD) or chooses one offered by the company (choose your own device, CYOD) is a question of comfort only [6]. Of more importance is that every mobile device uses the corporate firewall and can access only the resources in the network granted to it. After a device is compliant, management can be accomplished with policies according to the company’s needs. The deployment and management process (Fig. 3), from the enrollment of a mobile device to issuing security commands, is part of any MDM-solution.

Fig. 3

The deployment and management process for the introduction of an MDM-solution [7]

However, not all devices support every restriction, which depends on the mobile device and implementation of the Android system rather than on the MDM itself. So, there are various possibilities in restricting functions on a specific device, while other devices lack these. Mostly you might want restrictions on the access point name, so a user cannot change the Access Point Name-settings (APN) to bypass the corporate network. Other useful settings include the limitation of installable applications. So, you can lock the device on Google Play Store apps and prohibit all unknown sources. Even if a user tries to unlock unknown sources, he will not be able to do so. Furthermore, the Play Store could also be completely disabled.

The configuration of mobile devices is done via the over-the-air (OTA) standard, supported in all MDM-solutions. This standard ensures the configuration of devices using any available channels like near field communication (NFC), Bluetooth, Wireless Fidelity (WiFi)/wireless local area network (WLAN), or the mobile network itself [1]. Almost any setting accessible via the Android system can be restricted. The most useful feature of MDM is the rollout of applications. That means you can do nearly anything that group policy objects (GPOs) allow in a Windows environment. So, you can keep every mobile device updated at the same level, all having identical application versions, which makes support easier while preventing users from updating their apps on their own and allowing compatibility to be tested before the company approves an update. In the appendix, further details about restricting the use of applications will be shown.

For security reasons, if a device gets lost or is reset, MDM ensures it can no longer access the corporate network, while management is done by a web browser from any location [6]. More important than the rollout of APKs are entire security profiles that prevent users from installing apps or taking configuration steps on the device by themselves. The profiles prevent modifications of the configuration that a user should not be authorized to make. This also covers changing the APN, usage of SD-cards for storing company data, accessing WLANs, or the use of the camera. The latter is a welcome feature in critical environments where taking pictures is not allowed. Examples for this restriction are shown in the appendix, as well as the setup of the MDM-solutions.
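
To make the compliance logic described in this section concrete, the following Python example (added here; it is not code from the paper or from any of the evaluated MDM products) evaluates constructed agent check-ins against the restrictions named above: camera, unknown sources, APN changes and SD-card use. The restriction names, the APN value, the record layout and the four decision levels are assumptions; in particular, sending a device that cannot enforce a restriction to "review" is one possible way to handle the device dependence the text describes.

```python
from dataclasses import dataclass, field

# Hypothetical policy profile: the restrictions the text names and the
# state the profile requires. Names and values are assumptions.
REQUIRED = {
    "camera_disabled": True,
    "unknown_sources_blocked": True,
    "apn_change_blocked": True,
    "sd_card_blocked": True,
}
CORPORATE_APN = "corp.apn.example"  # placeholder APN name


@dataclass
class CheckIn:
    """One agent report, as a constructed record (not a vendor format)."""
    device_id: str
    status: str                      # "active", "lost" or "reset"
    apn: str
    supported: set = field(default_factory=set)   # restrictions the device can enforce
    applied: dict = field(default_factory=dict)   # restriction -> reported state


def evaluate(c: CheckIn) -> dict:
    """Map a check-in to allow / review / quarantine / block."""
    # A lost or reset device loses network access regardless of its profile.
    if c.status in ("lost", "reset"):
        return {"device": c.device_id, "decision": "block",
                "violations": [c.status], "unsupported": []}
    violations, unsupported = [], []
    for name, required in REQUIRED.items():
        if name not in c.supported:
            # The device or its Android build cannot enforce this setting.
            unsupported.append(name)
        elif c.applied.get(name) != required:
            violations.append(name)
    if c.apn != CORPORATE_APN:
        violations.append("apn_mismatch")
    if violations:
        decision = "quarantine"      # policy breach: cut off until remediated
    elif unsupported:
        decision = "review"          # not a breach, but not silently compliant
    else:
        decision = "allow"
    return {"device": c.device_id, "decision": decision,
            "violations": violations, "unsupported": unsupported}


ALL = set(REQUIRED)
# Constructed sample check-ins.
SAMPLES = [
    CheckIn("dev-01", "active", CORPORATE_APN, ALL, dict(REQUIRED)),
    CheckIn("dev-02", "active", CORPORATE_APN, ALL,
            {**REQUIRED, "camera_disabled": False}),
    CheckIn("dev-03", "active", CORPORATE_APN, ALL - {"sd_card_blocked"},
            {k: v for k, v in REQUIRED.items() if k != "sd_card_blocked"}),
    CheckIn("dev-04", "active", "internet", ALL, dict(REQUIRED)),
    CheckIn("dev-05", "lost", CORPORATE_APN, ALL, dict(REQUIRED)),
]


def decisions() -> dict:
    """Decision per constructed sample device."""
    return {r["device"]: r["decision"] for r in map(evaluate, SAMPLES)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample))
```
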

4 The organizational aspect

According to literature, modern MDM solutions are cloud solutions. Even though they were not invented initially as such [4], they did develop in this direction [8] and are today mostly handled as such [9]. The relationship between technology, particularly modern usage of smartphones, and organizational change, has not been sufficiently explored in the literature. Some studies have revealed that a rapid introduction of technology could greatly affect institutional arrangements such as formal organizational processes, including human actions and social relations [10]. Organizations exist and operate within an environment that influences their shape, determines their structure, offers opportunities, and poses threats. Customers and competitors are paramount amongst these external factors.

An analysis of an enterprise’s environment must first determine if a change that is planned (introduction of an MDM solution) has an impact on the organizational environment, especially on the external environment. If this is not the case, only the inner organization environment is considered.

Although the introduction of an MDM solution in a company could be seen, according to Butterfield, “as a concrete discreet change with a general period of time and little emotional impact” [11], the introduction should not follow a pure Systems Intervention Strategy (SIS) alone, but should use it as a guideline for the change process, augmented by a realistic approach.

The TOE [4] framework is an organization-level theory that represents one segment of how firm contexts influence the adoption and implementation of innovations, as illustrated in Fig. 4.

Fig. 4

The TOE framework [12]

According to Min et al., the framework is based on the three aspects of an enterprise context: technological, organizational, and environmental. These aspects have an impact on information technology (IT) innovation-related decisions like MDM and the use of technological innovations in organizations [13].

The technological context includes any technology relevant to the company, technology already in use at the company, as well as the one being available in the marketplace, but not currently in use. The organizational context refers to the characteristics as well as the resources of a company, including linking structures between employees, intra-company communication processes, company size, and the number of available resources. The environmental context includes the format of the industry, the availability of technology service providers, and the regulatory environment [14]. The definitions of the aspects show that there are crucial general business issues that need to be considered. Because of that, an adaptation of the TOE framework was approached, as illustrated in Fig. 5.

Fig. 5

The extended TOE framework [15]

As mentioned before, these aspects of the TOE can be seen as essential, as has been denoted by several studies. First, the advantage, i.e., the greater the perceived relative advantage of ES, the more likely it will be adopted [16, 17]. Secondly, compatibility, i.e., the greater the perceived compatibility is with current infrastructure, values, and beliefs, the more likely they will be adopted [16, 17]. Thirdly, the lower the perceived complexity is, the more likely it will be adopted [16, 17]. Furthermore, the ability to experiment with MDM encourages its adoption [16, 17]. Top management support can provide a motivating environment of innovation diffusion through oral notes [18]. The greater the top management’s support, the more likely it will be adopted [16, 17]. An organization and its decision-making management should make an effort to access and analyze possible changes in organizational culture, process, and work relationships [17] to avoid the negative impact that comes with an introduction of MDM solutions. Also, experience is seen as a critical aspect. The greater the expertise available in the organization, the more likely it will be adopted [16], especially the usage of and experience with mobile devices. When it comes to trust, the experience can be seen as an essential turning point. Trust is a core requirement of a positive relationship in various contexts [19], and competitive pressure can be seen as an effective motivator. Competition in the industry is generally recognized to influence IT adoption positively, which is also true for MDM [17]. The trading partner support, in other words, the provider of the device management, also has a significant positive effect on the adoption [17]. Security is another trading partner-related concern which is not only about authenticity, authorization, and accountability but is more concerned with data protection, disaster recovery, and business continuity [19].
Because dealing with security concerns has always been a focus of most firms, MDM should not present unusual or additional challenges. In some instances, the restricted configuration or customization possibilities of MDM noticeably presented fewer security risks [18]. The BYOD concept for firms is also part of the security aspect. Security and privacy must be ensured through an integrated and integrative process encompassing the whole organization. The concept is already prevalent in many organizations worldwide, and a successful strategy can provide benefits for both employees and organizations. Seen from the viewpoint of an employee, it can increase mobility, flexibility, and ability to adopt the technology of choice. Moreover, it can lead to greater job satisfaction and an increase in employee productivity in organizations” [20]. Modern MDM is the primary key to allowing employees to bring their own device, since through the separation of company and private data, employers and employees can share in the benefits of using the device of their choice (within defined limitations, like using a particular OS, etc.) while minimizing the hazards. Furthermore, a lack of usage of an MDM solution is the main reason for structural problems with BYOD [20]. As an alternative to the BYOD approach, Corporate Owned, Personal Enabled (COPE) is possible. This means the organization buys the mobile device, and the user can use the mobile device privately. Although the initial investment for the organization is high, the auditing and monitoring are inexpensive. Moreover, the familiarity of the mobile device to the end-user is given because end users tend to utilize their favorite mobile devices for business purposes. Therefore, productivity and efficiency can be increased [1]. In general, a combination of those initiatives is used in organizations.
In departments, where sensitive data is stored extensively, it is advisable to choose the Corporate Owned Business Only (COBO) initiative.

Roll-Out: As for the SIS, the organizational requirements, security policies, and data protection issues must be considered first, which will be mainly related to security. Yet, these must be defined for each firm on a best practice base, depending on the organization’s complexity and company size. Organizations have to think about a roll-out strategy to enroll all mobile devices, which belong to them over a mobile device management system. Because of the direct impact of mobile end users, this phase is seen as the most critical one. However, the cooperation of each employee is necessary, without the collaboration of the users, the enrolment and application distribution cannot take place, and the control and maintenance is difficult.” [1].

5 Conclusion

Regarding technological aspects, Mobile Device Management can be considered a solution for enterprises to extend their security from classic internal networks to mobile devices, even when users bring their own devices (BYOD). Yet, it also plays an essential role when a COPE or COBO approach is used in firms for security reasons. MDM ensures these devices are compliant with corporate policies, like GPOs in Windows. That means a user cannot tamper with a device without being banned from the corporate network once a policy violation is detected. For the management, too, it becomes much more comfortable to update many mobile devices to the current software version (APK-files), comparable to software distribution in Windows. A mobile device can also be remotely controlled, monitored, and restricted in its functions to the desired level.

Regarding the organizational aspect, we showed the relation of state-of-the-art MDM solutions to the cloud and the relationship between technology, particularly modern usage of smartphones, and organizational change. Furthermore, the importance of the external and internal corporate environment was shown. Indeed, there is not a mere change of fixed timescales and limited emotional impact, but other organizational aspects are affected as well.

Since the relevance of the TOE framework is found to be increasing in the recent literature for IT innovation-related decisions, the authors used the extended version of the framework (extended by the aspect of business strategy) to analyze in the literature which aspects could be essential for an introduction and acceptance of an MDM solution.

Concerning the technological aspect, relative advantage, compatibility, complexity, organizational readiness, and compatibility were identified as essential. Also, the ability to experiment has been identified as an important aspect. In the Organizational aspect of the TOE, the top management support is seen as crucial for the acceptance, as well as experience. As for the environmental aspect, competitive pressure is seen as an effective motivator for adoption.

As for the last aspect, the business strategy was analyzed. Due to this analysis, it was shown that security is the main factor and is thus of the highest importance for firms. Hence, dealing with security concerns has always been a major focus.

In the course of evaluating an MDM solution, a company should define a strategic approach to the acquisition and use of hardware (BYOD, COPE, COBO, etc.).

In an MDM Rollout, any company needs to consider the organizational requirements, security policies, and data protection issues. The strategy for the enrolment of all mobile devices also has to be taken into account. Collaboration with employees is also seen as an essential factor for a rollout, due to the direct impact of mobile end users.

This study was based on literature research. Certainly, more thorough research on practical implementation could provide deeper insight and detect possible weaknesses in implementation.