The year 2020 challenged every IT department. As employees access proprietary software and data in the cloud on both corporate-owned and personal devices at home, and communicate with colleagues, clients, and vendors over assorted Wi-Fi networks, IT administrators have had their work cut out for them just to keep company information safe. Many departments, suddenly locked out of the office, had to move fast to meet deadlines.
This meant that many companies had to make quick judgments about which applications were safe for their workers to use. For instance, Zoom, with its struggles with privacy and “zoombombing”, and other teleconference applications had to be assessed from a new angle. IT administrators everywhere found, and continue to find, creative solutions to such difficult problems under conditions that they could have scarcely anticipated only a year ago—chief among them being mobile device management (MDM). Our heavily remote working climate will no doubt persist throughout 2021 and beyond, which means that effective mobile device management (MDM) practices have become all the more critical for companies to employ.
For Microsoft users, this means that step one to securing your remote workplace is to decide between Microsoft’s Basic Mobility and Security and Intune.
Mobile Device Management Basics
It makes perfect sense that a company will want to protect its corporate-owned devices by blocking applications that compromise security, mandating PIN entry and two-factor authentication, and locking lost devices and wiping the data from them. Some companies are also inclined to mandate encryption standards, and to prevent employees from copying and pasting information from, say, a corporate Outlook account to a private file-storage location. Luckily, there are tools out there that enable you to do that. While there are plenty of vendors to choose from, if you’re already an Office 365 user the easiest thing is usually going to be sticking with the Microsoft ecosystem.
Any mobile device management software worth its salt ought to provide your business with a handful of functions. You might want the solution to be able to report to your IT department which devices fall short of your company’s compliance policies. Is a phone missing a software update? Does an Android phone have applications deemed unsafe? You might want to ensure restricted or conditional access until the problem is solved, and allow administrators to inform workers how to bring their devices up to company code. You might need to be able to give your IT staff remote control over devices when necessary, such as the ability to lock lost devices or wipe corporate data from them, or to enable voluntary remote sessions, which have become all the more common and important with remote workforces.
From there, you can think about further integration possibilities (Microsoft’s Intune can be coupled with a mobile threat defense program to notify administrators of which devices are vulnerable to intruders, for instance). These integrations help IT departments by consolidating the number of consoles and programs they must monitor. Likewise, you might want speedy device enrollment, so that you can cut down on the time-consuming work that your IT staff would otherwise have to undertake during provisioning.
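To make the compliance-then-conditional-access flow described above concrete, here is a small added example that is not code from Microsoft, Intune, or Basic Mobility and Security. It models a compliance policy (minimum OS version, PIN required, jailbreak blocked, a blocked-app list), evaluates a constructed fleet of three devices against it, and turns the findings into a grant/deny decision plus the remediation guidance an administrator would send back to the user. The `Device` and `CompliancePolicy` field names, the rule identifiers, and the sample devices are all assumptions made for the illustration, not any product’s schema.

```python
"""Simulated MDM compliance evaluation with a conditional-access decision.

Constructed example for illustration; the data model below is an assumption,
not the schema of Intune or Basic Mobility and Security.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Device:
    name: str
    platform: str                 # "ios", "android" or "windows" (assumed labels)
    os_version: Tuple[int, ...]   # e.g. (14, 2); tuples compare element-wise
    pin_set: bool
    jailbroken: bool              # jailbreak/root detection result reported by the agent
    installed_apps: FrozenSet[str]


@dataclass
class CompliancePolicy:
    min_os: Dict[str, Tuple[int, ...]]   # platform -> minimum version
    require_pin: bool = True
    block_jailbroken: bool = True
    blocked_apps: FrozenSet[str] = frozenset()


# Guidance shown to the user for each failed rule (constructed wording).
REMEDIATION = {
    "os_outdated": "Install the pending OS update, then check in again.",
    "no_pin": "Set a device PIN or passcode in Settings.",
    "jailbroken": "Restore the device to a supported, unmodified OS.",
    "blocked_app": "Remove the listed application.",
}


def version_str(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def evaluate(device: Device, policy: CompliancePolicy) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every rule the device fails; empty means compliant."""
    findings: List[Tuple[str, str]] = []
    minimum = policy.min_os.get(device.platform)
    if minimum is not None and device.os_version < minimum:
        findings.append(("os_outdated",
                         f"{version_str(device.os_version)} < {version_str(minimum)}"))
    if policy.require_pin and not device.pin_set:
        findings.append(("no_pin", "no PIN configured"))
    if policy.block_jailbroken and device.jailbroken:
        findings.append(("jailbroken", "jailbreak/root detected"))
    for app in sorted(device.installed_apps & policy.blocked_apps):
        findings.append(("blocked_app", app))
    return findings


def access_decision(findings: List[Tuple[str, str]]) -> Dict[str, object]:
    """Conditional access: grant only when fully compliant, otherwise deny with guidance."""
    if not findings:
        return {"access": "grant", "remediation": []}
    return {
        "access": "deny",
        "remediation": [f"{REMEDIATION[rule]} ({detail})" for rule, detail in findings],
    }


def compliance_report(devices: List[Device], policy: CompliancePolicy) -> Dict[str, Dict[str, object]]:
    """Fleet summary of the kind an admin console would show: device name -> decision."""
    return {device.name: access_decision(evaluate(device, policy)) for device in devices}


# Constructed policy and fleet for the walkthrough.
POLICY = CompliancePolicy(
    min_os={"ios": (14, 0), "android": (10, 0), "windows": (10, 0)},
    blocked_apps=frozenset({"sideloaded-vpn"}),
)

FLEET = [
    Device("ceo-iphone", "ios", (14, 2), True, False, frozenset({"outlook"})),
    Device("sales-android", "android", (9, 0), True, False,
           frozenset({"outlook", "sideloaded-vpn"})),
    Device("dev-iphone", "ios", (14, 4), False, True, frozenset()),
]

if __name__ == "__main__":
    for name, decision in compliance_report(FLEET, POLICY).items():
        print(name, decision["access"], *decision["remediation"], sep="\n  ")
```

Running the script lists `ceo-iphone` as granted and the other two as denied, each with one remediation line per failed rule. A real deployment would feed device state from the MDM agent and enforce the decision at the identity provider; the evaluation logic is the part worth getting right, since every false "grant" is a policy gap.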
Basic Mobility and Security
Now that we have a sense of what an IT staff might want, let’s look at the actual options. First, there’s Basic Mobility and Security. The beauty of Basic Mobility and Security is that it’s already built into most Microsoft 365 plans. And, it has fairly robust functionality on its own:
- It supports most major devices and operating systems (except for macOS and iPadOS).
- You can manage device security settings such as PINs and jailbreak detection; you can also manage a select number of device configuration settings (e.g. disabling the camera).
- Basic Mobility and Security supports limited conditional access controls, and does not support them at all on Windows 10.
- Admins can provision native email profiles, but not VPN or Wi-Fi profiles.
- Admins can also remotely retire or wipe devices as needed.
That more or less sums up the capabilities. As you can probably imagine, there are plenty of circumstances in which this gives enterprises the control they need to ensure compliance and standardization while minimizing security risks. At the same time, it lacks capabilities for application management, managed web browsing, and touchless device enrollment.
Intune
Intune requires a separate plan (e.g. Enterprise Mobility and Security), but it expands significantly on the functionality offered by Basic Mobility and Security. With Intune, admins can:
- Manage iPadOS and macOS devices
- Set conditional access across any devices that aren’t in compliance with corporate device policies
- Provision native email, VPN, and Wi-Fi profiles on devices
- Manage users’ browsing and applications
- Perform zero-touch device enrollments
- Perform BitLocker key rotations (for Windows devices)
- Scan and restart Windows devices
- Remotely lock a device
- Locate iOS devices
This isn’t a comprehensive rundown of everything the solution can do, but it should give a clearer sense of the difference between your options here. If you’re not sure which is best for you (and we’ll give you some additional food for thought on that front below), it’s important to remember that the two are compatible. You can configure Basic Mobility and Security and then add Intune licenses later as needed.
Bring Your Own Device and Other Corporate Challenges
If the information above was enough to help you choose a solution—great! If not, there are a few other things to think about. For instance: does your company have plans to implement a BYOD (bring your own device) policy in the near future? Traditionally, BYOD policies have garnered some degree of suspicion from both relevant parties—employers want to be sure their data is protected and cannot be copied off the device, while employees remain concerned that their personal data will be visible to IT administrators. Solutions to these matters are available in the form of added security measures like application management and others. Here, you’ll need to make sure your MDM has the right features. If an employee-owned device is lost, your company might want the ability to clear the phone of corporate data while preserving the employee’s personal data.
The restrictions imposed by the Covid-19 pandemic are bound to make BYOD a more common feature of the contemporary workplace. As offices stay shuttered and limit access to devices and facilities, MDM programs may prove the simplest and most prudent way to handle common workplace contingencies, such as onboarding a new hire or replacing a corporate-owned laptop destroyed in a coffee spill, by granting employees critical access to company email, cloud storage, and software. In instances like these, however, Basic Mobility and Security probably doesn’t give you all of the functionality you actually need.
Fine-Tuning Your Mobile Device Management Practices
Innovations in MDM have enabled IT departments to complete the device enrollment process in a few minutes, compared to an hour or more without the help of this kind of software. Still, larger companies might be stuck managing an extensive portfolio of dozens, hundreds, or even thousands of devices. Another benefit of Intune and other MDM services is that they enable customizable dashboards, but this can be a real hurdle to already busy IT departments, who stand to save a good deal of time in the long run from such comprehensive tools—but who face a real learning curve in creating the console best tailored to their needs. In such cases, it may be worth the investment to contract outside help to provide your administrators with the tools they need to keep your workers productive and your data safe.
There’s also the challenge of figuring out what your device management policies should actually be. Which applications will you want to restrict? Which software subscriptions do you need to enable? Do you want to incorporate a virus- and malware-blocking program? What should conditional access look like for devices that remain noncompliant? How can you make Intune function alongside your firewall requirements? How can you educate your employees about using their devices effectively and responsibly, and keep them abreast of important policy changes or software updates? What should a functional, accessible company portal look like? In these necessary—but sometimes complex—cases, your company might save money by contracting nearshore IT services to manage, consult on, and execute major shifts in policy, keeping your company and its hard work safe and secure.