It's no easy task for an enterprise to maintain security and enforce standardized policies across a fleet of devices. The proliferation of endpoints and operating systems that employees use to connect to company networks makes protecting sensitive data incredibly complex, especially in remote environments. The challenges often come to the fore when a company seeks a security certification such as SOC 2 or ISO 27001 and realizes that it can only pass an audit if it gains greater visibility into, and control over, its fleet.
In these situations, most companies turn to mobile device management (MDM) solutions to provide IT staff with centralized control over the fleet.
What is an MDM?
Simply put, MDM solutions make devices behave in specific ways according to predefined security policies, so that companies can pass audits, prevent data breaches, and comply with data security and privacy laws. Despite the word "mobile" in the name, MDM usually extends to laptops, desktops, and tablets. There are many independent MDM vendors, as well as first-party MDM products from Microsoft and Apple.
Ultimately, most companies above a certain size need an MDM solution (or potentially more than one) to accomplish things like remote wipes and default settings for new devices.
The problem is that many companies assume they can use MDM to solve all of their device security issues. This is incorrect. Relying too heavily on MDM creates problems not only for security, but also for employee morale.
In this article, we'll look at the strengths and weaknesses of MDM and where it fits into a broader approach to endpoint security.
The pros and cons of MDM solutions
You know the expression, "when the only tool you have is a hammer, every problem looks like a nail"? In this analogy, MDM is the hammer: a blunt instrument that's good at solving some problems but can't handle more nuanced ones, and swinging it at those may even do harm.
An MDM solution requires employees to agree to have their devices fully managed by a central authority, their employer. While MDM features differ by platform, they all provide the MDM administrator with a form of remote control over device features. This can be as benign as setting various security features to their default state, or as extreme as forcing a device to wipe without the consent of the person behind the keyboard.
Advantages of MDM Solutions
There are a number of reasons why MDM solutions are so widely used, although some of these reasons are better founded than others. MDM's technological capabilities certainly play a role, but so does cost and force of habit.
Here are some of the most common reasons why organizations use MDM solutions:
They are effective at quickly achieving surface-level compliance.
MDMs can force a device into the desired compliance state (at least at the simplest level) and keep it there without consulting or negotiating with the end user.
This means that a user whose device is enrolled in MDM cannot turn off their firewall, download unapproved apps, or delay a software update. This has some clear advantages, but it ends up being a double-edged sword, as I'll cover in the next section.
They allow remote wipe and lock.
These features are crucial for third-party audits as they ensure that sensitive data is not at risk if a device is lost or stolen or if an employee is terminated.
They are easy to implement.
The agent part of MDM is usually built into the operating system and devices can be pre-configured by IT before being distributed to employees. This ensures that things like disk encryption are enabled the first time an end user logs in.
However, setting up MDM on existing (not new) devices can present challenges, and installation failures are common.
They're cheap.
Since the operating system vendor provides most of the functionality that makes MDM possible, the barrier to entering the MDM space is much lower than building a device management solution from scratch. The commoditization of MDM software means buyers can get competitive pricing and a wide range of vendor options.
They are a known quantity.
Most IT administrators and managed service providers are familiar with MDM and can easily find IT engineers with experience running it at scale.
There is first party support.
Operating system vendors now ship their own device management products (e.g. Apple Business Essentials and Microsoft Intune) that are cheaper and often have better features than third-party MDM providers.
Disadvantages of MDM solutions
MDM has a clear use case, but there are still many device security issues that it either fails to solve or solves in a way that creates bigger problems.
Here are some disadvantages of MDM to consider:
They cannot make you 100% compliant.
If an MDM can't make a device compliant through brute force or automation, you're out of luck. That means you have no way of dealing with some of the highest-risk compliance issues, like encrypting SSH keys, storing two-factor backup codes securely, or minimizing the time production data sits on a device.
These valid security goals are very different from the simple tools provided by traditional MDM solutions. Because they cannot be resolved through the lens of MDM, they are often declared out of scope, giving everyone a false sense of security.
They offer limited visibility.
Most MDMs expose only a small number of critical data points about a device. IT administrators must write and deploy custom shell scripts to gather the data that actually answers pressing fleet questions.
If MDM is not properly installed on a device, visibility is zero, which is why most companies need to supplement MDM with Zero Trust access controls that block company applications unless MDM enrollment is active.
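The SSH-key compliance goal mentioned above, and the point that admins end up writing their own collection scripts, can be made concrete. The following is an added example written for this page, not Kolide's agent or any MDM vendor's code: it classifies the private keys in an SSH directory as passphrase-protected or not by reading only the PEM framing and the OpenSSH key header (no key material is decrypted), then scans a directory of constructed placeholder files that are not real keys. The file names, the 64 KB read limit and the temporary-directory demo are this example's own choices.

```python
"""Added example: report SSH private keys stored without a passphrase.
A check an MDM profile cannot express, but an agent-side script can surface.
Samples below are constructed placeholders, NOT real keys."""
import base64
import os
import struct
import tempfile


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b


def _openssh_cipher_and_kdf(blob: bytes) -> tuple:
    """Read the ciphername and kdfname fields of an openssh-key-v1 blob."""
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off, names = len(magic), []
    for _ in range(2):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        names.append(blob[off:off + n].decode("ascii"))
        off += n
    return names[0], names[1]


def key_encryption_status(pem: str) -> str:
    """Classify a PEM-framed private key: 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        return "unknown"
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # OpenSSH format: plaintext keys carry cipher "none" and kdf "none".
        try:
            cipher, kdf = _openssh_cipher_and_kdf(base64.b64decode("".join(body)))
        except (ValueError, struct.error, UnicodeDecodeError):
            return "unknown"
        return "unencrypted" if cipher == "none" and kdf == "none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with password-based encryption
    if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in body):
        return "encrypted"  # traditional PEM with a DEK-Info header
    if header in ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----",
                  "-----BEGIN DSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----"):
        return "unencrypted"
    return "unknown"


def scan_ssh_dir(ssh_dir: str) -> dict:
    """Map each private-key file name under ssh_dir to its encryption status."""
    findings = {}
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path) or name.endswith(".pub"):
            continue
        try:
            with open(path, "r", encoding="ascii") as fh:
                head = fh.read(64 * 1024)  # keys are small; skip large or binary files
        except (OSError, UnicodeDecodeError):
            continue
        if "PRIVATE KEY-----" not in head:
            continue  # config, known_hosts, authorized_keys, etc.
        findings[name] = key_encryption_status(head)
    return findings


def constructed_samples() -> dict:
    """Constructed PEM strings covering the cases above (hypothetical names, NOT real keys)."""
    def pem(kind, body_bytes, extra_headers=""):
        b64 = base64.b64encode(body_bytes).decode("ascii")
        return f"-----BEGIN {kind}-----\n{extra_headers}{b64}\n-----END {kind}-----\n"
    plain_blob = (b"openssh-key-v1\x00" + _ssh_string(b"none") + _ssh_string(b"none")
                  + _ssh_string(b"") + struct.pack(">I", 1))
    enc_blob = (b"openssh-key-v1\x00" + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
                + _ssh_string(b"\x00" * 24) + struct.pack(">I", 1))
    dek = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    return {
        "id_rsa": pem("RSA PRIVATE KEY", b"\x30\x82" + b"\x00" * 30),
        "id_rsa_work": pem("RSA PRIVATE KEY", b"\x00" * 32, dek),
        "id_ed25519": pem("OPENSSH PRIVATE KEY", plain_blob),
        "id_ed25519_prod": pem("OPENSSH PRIVATE KEY", enc_blob),
        "id_ed25519.pub": "ssh-ed25519 AAAA... user@host\n",  # public key, skipped
        "config": "Host *\n  AddKeysToAgent yes\n",            # not a key, skipped
    }


def demo_scan_in_tempdir() -> dict:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in constructed_samples().items():
            with open(os.path.join(tmp, name), "w", encoding="ascii") as fh:
                fh.write(content)
        return scan_ssh_dir(tmp)


if __name__ == "__main__":
    # To check a real machine, point scan_ssh_dir at os.path.expanduser("~/.ssh").
    for name, status in demo_scan_in_tempdir().items():
        print(f"{status:12} {name}")
```

Run as-is, the demo reports `id_rsa` and `id_ed25519` as unencrypted and the other two as encrypted, while skipping the public key and the config file. The check deliberately stops at the header fields: that is enough to flag a passphrase-less key for the user to fix, without an agent ever handling the key material itself.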
They create more work for you.
It takes a lot of effort to maintain an MDM, both in writing scripts and in responding to support tickets. For example, if you want to ensure that Firefox is always up to date, the MDM method is to force everyone to have Firefox, disable its (already perfectly adequate) auto-update mechanism, and push updates via a manual script.
You're on your own with Linux.
As we've written before, MDM is fundamentally incompatible with Linux endpoints. There is no real way to automatically handle the nearly endless options Linux gives its users for basic operating system features like firewalls, terminals, and automatic updates.
In most organizations, Linux users make up a small percentage of the workforce, but since they handle some of the organization's most sensitive data, this turns out to be a big problem.
They can create long-term problems with employee morale and productivity.
MDM solutions take away a user's authority over their device, leading to frustration and resentment between end users and IT.
Here's a common MDM complaint: an employee is in the middle of their workday when a pop-up suddenly announces that the laptop will restart in 10..9..8...
At best, this is a minor update that takes only a few minutes, but it could just as easily be an operating system upgrade that costs the employee an hour they had been counting on.
Also, end users sometimes have good reason to violate MDM policy. A developer might need to turn off the firewall for ten seconds to test something, but MDM removes that option.
They create as many "exceptions" as there are rules.
The average end user might have no choice but to put up with device lockouts and hard resets, but the average CEO won't put up with a rogue agent telling them what to do with their device.
Most companies running MDM keep "VIP lists" of users who are exempt because they find it distasteful and disruptive. The size of this list can grow quickly, and everyone on it is a security risk.
They can drive employees to use Shadow IT.
Users who don't qualify as "VIPs" can still find ways around MDM, usually by working on their personal devices. Ironically, this exacerbates the very problem MDM was trying to solve: sensitive data ending up on unseen devices and in unapproved applications.
Device security is bigger than MDM
Here's what we've established so far: MDM solutions are complex to implement and maintain. While they are well known in the IT world, their invasiveness and less-than-stellar user experience significantly reduce their effectiveness against today's security challenges.
Furthermore, if you are trying to protect your data, MDM may only solve one piece of the puzzle. For example, they can't tell who is using a device: that's what authentication is for.
The case we're making is not that MDM solutions are useless; they are incomplete. The missing puzzle pieces, such as Linux users, VIPs, SSH keys and sensitive data, still need to be addressed. If MDM could solve these problems it would, so clearly a different approach is needed.
Adopt a user-centric endpoint security solution
As you might have guessed, we're not exactly disinterested observers when it comes to this topic. At Kolide, our product is a fleet visibility and compliance solution that solves many of the issues that are outside the scope of MDM.
Kolide makes the device monitoring process transparent, allowing users to see who can access their devices, what data is being collected, and even the full source code of the agent running on their devices. Meanwhile, Kolide gives IT administrators a cross-platform view (including Linux) of all devices, so the fleet is ready for auditing.
Rather than forcing changes to users' devices or locking them out of access to critical data and applications for hours, the software sends automatic alerts to employees when a problem is detected. The notification includes simple self-fix steps that teach users how to resolve the issue on their own. This restores a sense of agency (no unexpected reboots) and reduces strain on IT resources.
Many of us have been conditioned to think that the "lock it down" approach is the only way to achieve compliance. That is simply not the case. To be clear, organizations have both a right and an obligation to ensure that only secure devices can access critical resources. But you can control access without robbing employees of their agency or locking them out of their own devices.
We need to change our mindset around endpoint security. Rather than a top-down "big brother" approach, the principles of Honest Security can help you make security part of your company culture.
Ready to change the device management conversation? Try Kolide for free and experience the power of Honest Security.