Mobile Device Management (MDM) Primer
Device Configuration Overview
Many factors must be considered before an organization can determine how its IT staff will configure and support its users' devices.
- Some organizations allow the user to handle the entire configuration. If IT gets involved at all, it is typically after the fact, to add the user's email account or set up the VPN tunnels.
- A second way that organizations may set up the devices is to build the initial payloads, deploy the image, and allow the users full access to make changes as they see fit. From a security perspective, this "set it and forget it" scenario turns full control back over to the users to maintain, making support much more difficult.
- The third way (which is the target of this article) is to set up the device from the ground up and enroll it into one of the many MDM solutions on the market today.
User configured/owned device (The "No Management" option)
When an iOS device is manually configured, the end user enters settings such as account name, password, and various server settings on the device itself. These end users may then be responsible for iOS updates, backups, security, and so on.
Settings that end users can manually configure include:
- Microsoft Exchange ActiveSync accounts (supporting Exchange Server 2003, 2007 and 2010)
- Standards-based email, contacts, and calendars (IMAP, POP, CardDAV and CalDAV)
- VPN security settings (Cisco IPSec, L2TP, PPTP, SSL VPN)
- Wi-Fi network SSIDs and passwords (any standard 802.11x wireless network)
- Configuration of security settings (requirement of passcode, simple vs. complex passcode)
- Restrictions for certain apps and services (locking down Safari, YouTube, iTunes, installation of apps, deletion of apps, allowed content)
Reasons for Mobile Device Management
Organizations typically opt for a managed approach to devices to ease the job of IT departments. This also provides a consistent experience for end users. In a traditional sense, the managed approach used on desktop and laptop machines is known as Group Policy (GPO) on the Windows/Active Directory side, and Managed Preferences (MCX) under OS X on the Macintosh/Open Directory side.
MDM is a set of capabilities built into iOS 4 and above that allows a managed approach. It delivers a comprehensive set of tools that IT departments can use to wirelessly configure and update settings, monitor compliance with corporate policies, secure devices, guide users, provide consistency and even wipe or lock managed iOS devices.
IT departments can exercise tight controls over the devices, whether owned by the organization or by the individual, all based on the profile delivered to the device.
Figure 3 - Configuration Profiles
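The following is an added example, not code from the article, showing what a configuration profile of the kind discussed above looks like in practice and how an MDM-style compliance check over such a profile can be written. It builds a `.mobileconfig` XML plist with Python's standard-library `plistlib`, containing a passcode-policy payload and a restrictions payload that lock down the services named in the list above (Safari, YouTube, iTunes, app installation and removal), then audits the passcode policy against a minimum baseline. The payload types and keys follow Apple's Configuration Profile Reference; the organization name `Example Corp`, the identifier prefix `com.example.mdm`, and the `BASELINE` thresholds are constructed values for this illustration.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) with the stdlib.

Added example; it is not code from the article. Payload types and keys follow
Apple's Configuration Profile Reference. The organization name, identifier
prefix and baseline thresholds are constructed for illustration.
"""
import plistlib
import uuid

ORG = "Example Corp"            # constructed organization name
ID_PREFIX = "com.example.mdm"   # constructed reverse-DNS identifier prefix
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def payload_header(payload_type, display_name, suffix):
    """Keys every payload dictionary in a profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": ORG,
    }


def passcode_payload(min_length=8, allow_simple=False, max_inactivity=5):
    """Passcode policy payload; defaults require a complex passcode and a short lock timeout."""
    p = payload_header(PASSCODE_TYPE, "Passcode Policy", "passcode")
    p.update({
        "forcePIN": True,                  # a passcode is mandatory
        "allowSimple": allow_simple,       # False forbids repeated/sequential characters
        "requireAlphanumeric": not allow_simple,
        "minLength": min_length,
        "maxInactivity": max_inactivity,   # minutes of inactivity before auto-lock
        "maxGracePeriod": 0,               # passcode required immediately after lock
        "maxFailedAttempts": 10,           # device wipes after this many failures
        "maxPINAgeInDays": 90,
        "pinHistory": 5,
    })
    return p


def restrictions_payload():
    """Restrictions payload covering the services named in the article's list."""
    p = payload_header(RESTRICTIONS_TYPE, "Restrictions", "restrictions")
    p.update({
        "allowSafari": False,
        "allowYouTube": False,
        "allowiTunes": False,
        "allowAppInstallation": False,
        "allowAppRemoval": False,
        "allowExplicitContent": False,
    })
    return p


def build_profile(payloads):
    """Wrap payloads in a top-level Configuration profile; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Baseline",
        "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": True,  # the user cannot remove it; only MDM can
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Minimum values a compliance monitor would insist on (constructed thresholds).
BASELINE = {"minLength": 6, "maxInactivity": 15, "maxFailedAttempts": 10}


def audit_profile(profile_bytes):
    """Parse a profile and list the baseline requirements its passcode policy misses.

    An empty list means the profile is compliant. Missing keys are treated as
    the permissive default, which is how the device itself interprets them.
    """
    profile = plistlib.loads(profile_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not policies:
        return ["no passcode policy payload present"]
    pol = policies[0]
    findings = []
    if pol.get("forcePIN") is not True:
        findings.append("forcePIN must be true")
    if pol.get("allowSimple", True):
        findings.append("allowSimple must be false")
    if pol.get("minLength", 0) < BASELINE["minLength"]:
        findings.append("minLength below %d" % BASELINE["minLength"])
    if pol.get("maxInactivity", 10**6) > BASELINE["maxInactivity"]:
        findings.append("maxInactivity above %d minutes" % BASELINE["maxInactivity"])
    attempts = pol.get("maxFailedAttempts", 0)
    if attempts == 0 or attempts > BASELINE["maxFailedAttempts"]:
        findings.append("maxFailedAttempts must be 1..%d" % BASELINE["maxFailedAttempts"])
    return findings


if __name__ == "__main__":
    good = build_profile([passcode_payload(), restrictions_payload()])
    print(good.decode())
    print("baseline audit:", audit_profile(good))
    weak = build_profile([passcode_payload(min_length=4, allow_simple=True, max_inactivity=60)])
    print("weak audit:", audit_profile(weak))
```

The profile this produces is unsigned; an MDM server delivers profiles signed with its certificate so the device can show the organization as verified, and `PayloadRemovalDisallowed` only has teeth when the profile is installed through MDM rather than by the user tapping it. The audit side is the piece worth keeping: the same check can be run against any profile pulled from a device to confirm that the passcode settings actually in force match what the organization intended.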