Mobile Device Management (MDM)

Mobile device management (MDM) gives organisations central control over smartphones, tablets and portable devices. MDM ensures that mobile devices comply with security policies and protects corporate data regardless of where the device is located.

    What is mobile device management?

    Mobile device management is about controlling and securing the mobile devices that employees use to access the organisation's data and systems. With the proliferation of smartphones and tablets, employees work from everywhere, and the organisation needs control over the devices connecting to the corporate network.

    MDM solutions give the IT department the ability to configure devices centrally, enforce security policies, distribute apps and remotely wipe data when necessary. It is a natural extension of endpoint security to the mobile world.

    MDM works closely with identity management (who has access from which device), encryption (protecting data on the device) and access control (conditional access based on device status).

    Features

    An MDM platform typically offers:

    • Device configuration: Automatic setup of email, VPN, Wi-Fi and security settings. New devices can be configured in minutes via autopilot or zero-touch enrolment.
    • Security policies: Requirements for PIN/password, disk encryption, automatic screen lock and MFA. Devices that do not meet the requirements can be blocked from corporate data.
    • App management: Distribution of approved apps, blocking of unwanted apps and centralised updating of existing apps.
    • Remote actions: Remote locking, remote wiping, location tracking and resetting of devices. Essential in the event of loss or theft.
    • Compliance reporting: Overview of which devices comply with policies and which deviate. Data can be sent to SIEM systems.
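
As an added illustration (not code from this page or from any MDM product), the Python below evaluates device records against the security-policy requirements listed above, derives an allow/block decision for corporate data, and produces one JSON line per device for a SIEM. The field names, policy thresholds and sample inventory are constructed assumptions.

```python
import json

# Hypothetical policy thresholds; a real MDM platform defines its own schema.
POLICY = {"min_pin_length": 6, "max_lock_seconds": 300,
          "require_encryption": True, "require_mfa": True,
          "min_os": {"ios": (17, 0), "android": (14, 0)}}

# Constructed sample inventory, not data from any real tenant.
INVENTORY = [
    {"id": "ios-001", "platform": "ios", "os": "17.4.1", "pin_length": 6,
     "encrypted": True, "lock_seconds": 120, "mfa": True},
    {"id": "and-002", "platform": "android", "os": "13", "pin_length": 4,
     "encrypted": True, "lock_seconds": 0, "mfa": True},
    {"id": "unk-003", "platform": "kaios", "os": "3.1", "pin_length": 8,
     "encrypted": False, "lock_seconds": 60, "mfa": False},
]

def parse_version(text):
    # "17.4.1" -> (17, 4, 1); None when any part is not numeric.
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def evaluate(dev, policy=POLICY):
    """Return the policy violations for one device record (empty = compliant)."""
    violations = []
    if dev["pin_length"] < policy["min_pin_length"]:
        violations.append("pin_too_short")
    if policy["require_encryption"] and not dev["encrypted"]:
        violations.append("not_encrypted")
    # lock_seconds == 0 means automatic screen lock is switched off.
    if dev["lock_seconds"] == 0 or dev["lock_seconds"] > policy["max_lock_seconds"]:
        violations.append("screen_lock_weak")
    if policy["require_mfa"] and not dev["mfa"]:
        violations.append("mfa_missing")
    minimum = policy["min_os"].get(dev["platform"])
    version = parse_version(dev["os"])
    # Fail closed: an unknown platform or unparsable version is a violation.
    if minimum is None or version is None or version < minimum:
        violations.append("os_outdated_or_unknown")
    return violations

def siem_event(dev):
    """One JSON line per device: compliance state plus the access decision."""
    violations = evaluate(dev)
    return json.dumps({"device_id": dev["id"], "compliant": not violations,
                       "access": "block" if violations else "allow",
                       "violations": violations}, sort_keys=True)
```

Calling `siem_event` on each record in `INVENTORY` gives the lines a log forwarder would ship; the unknown platform is blocked rather than waved through because the OS check fails closed.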

    BYOD and containerisation

    Bring Your Own Device (BYOD) is widespread but creates security challenges. Employees do not want the organisation to manage their personal phone, and the organisation does not want personal data on uncontrolled devices.

    The solution is containerisation: work data and apps are isolated in a secure container on the device. The organisation manages only the container, not the private part of the phone. When an employee leaves, only the container is wiped.

    Mobile Application Management (MAM) is a similar approach that focuses on managing individual apps rather than the entire device. Employees can use their own device while corporate apps are managed centrally with DLP policies that prevent data from being copied out of managed apps.

    Regardless of the approach, security awareness is important. Employees must understand the risks of public Wi-Fi networks, sideloaded apps and missing updates. Patch management of mobile devices is just as important as for computers.

    Regulations and standards

    GDPR requires the protection of personal data on all devices, including mobile ones. MDM is a key technical measure for ensuring this. Be aware that MDM solutions on BYOD devices may themselves collect data subject to GDPR.

    ISO 27001 Annex A includes control A.8.1 on user devices, which specifically covers mobile devices. An ISMS should define policies for mobile devices.

    NIS2 and DORA require control over all devices that access critical systems. CIS 18 Controls 1 and 2 (asset and software inventory) also apply to mobile devices.

    Frequently Asked Questions about Mobile Device Management (MDM)

    What is the difference between MDM and EMM?

    MDM (Mobile Device Management) focuses on managing the device itself. EMM (Enterprise Mobility Management) is broader and also includes management of apps (MAM), content (MCM) and identity. Modern UEM solutions (Unified Endpoint Management) bring everything together in one platform.

    Can MDM be used for BYOD?

    Yes, but it requires careful planning. MAM profiles (Mobile Application Management) can separate work data from personal data on the device. Employees are more willing to accept management when it only applies to work apps and data, not the entire device.

    What happens if an employee loses their phone?

    With MDM you can remotely lock the device, remotely wipe corporate data or wipe the entire device. You can also locate the device if location services are enabled. A swift response is essential to prevent data leaks.
