Agility is more important to businesses than ever before. Employees are scattering across the globe, using corporate and non-corporate devices to access critical data.
While it brings agility, remote work has greatly complicated companies’ IT infrastructures, from hardware to software to cybersecurity.
Computers and mobile devices used for business now encompass multiple brands that use different operating systems and software.
OS diversity can make it difficult to manage devices equitably. Additionally, the physical distance between employees and their jobs creates logistical issues.
Of course, mobile devices that access critical business data open massive risk if lost or stolen. With more complex cyber-attacks and more opportunities to exploit mobile workers and their unprotected networks, organizations must reinforce all devices.
Mobile Device Management (MDM) seeks to remedy all these problems, allowing a company’s IT department to procure, provision, secure, and manage devices well beyond their walls. The “mobile” part of MDM is a bit of a misnomer, as MDM solutions can also manage desktops and laptops.
With the correct MDM setup, your IT team can manage every device that can access your network, no matter what operating system it uses. When implemented, functionality, security, and flexibility should be retained across your organization.
In this article, we will fully explain how MDM works, its features and advantages, as well as the different MDM solutions available to you.
If you already employ an army of mobile devices, schedule a call with us today to see how we can help manage and secure your company’s fleet.
What is MDM?
MDM allows companies to organize their fleet of devices and manage them. Managing an entire fleet of devices demands the correct software, servers, policies, and processes.
Ultimately, MDM is as much a mindset cultivated through company culture as it is a tool. MDM runs on hardware and operates through software, but it only works when the right policies and decisions are put into practice.
For a more technical explanation, read on to the next section.
At its most basic level, MDM starts with a server management console and an agent. An MDM server will either be in the cloud or housed in a data center. More and more, MDM products are included as a core feature of Microsoft and Apple’s productivity suites.
The MDM agent is a piece of software that will allow administrators to monitor and control applications, security policies, and more.
With the MDM server, administrators have a single point of management for all devices in an organization, no matter the owner, operating system, or type of hardware.
The admin can decide which third-party applications can be installed on these devices, and which devices can access business-critical data. They can also wipe a device if it is lost, stolen, or becomes the entry point for a data breach.
While these features add to cybersecurity, the agility of MDM comes through the ability to deploy custom settings to each new device that is onboarded to your organization.
Once an administrator sets up a standard deployment, they can leverage the MDM server to push these settings to new devices. They can even do so over the air (OTA), so the new device is already configured when it arrives at its end user.
Once settings are deployed to all devices, the admin can monitor the devices for signs of declining performance or security. They can even detect when a device is nearing its end of life, so they can deploy and configure a replacement before the user is taken offline.
In total, MDM is hardware (servers and devices), software (MDM agent and management console), policies (security, access controls), and processes (proactive monitoring). Together, they create a whole new approach to our world of remote work.
MDM and BYOD
Before moving on to the individual features and advantages of MDM, we must acknowledge its specific importance in the modern business world.
COVID-19 changed the way we work, and since many more employees began working remotely, we have only continued to change our collective mindset about remote work.
In that time, remote workers have also begun using their personal devices, connected to their personal networks to connect remotely to business data.
The use of personal devices, or Bring Your Own Device (BYOD), can reduce costs for businesses in the short term by limiting the cost of purchasing hardware or office space.
More importantly, it can create massive security vulnerabilities for companies, exposing them to potentially irreparable costs via a data breach.
Since the massive shift to remote work in 2020, cybercriminals now target mobile devices and laptops that can give them a red carpet to business-critical data.
This puts the responsibility of enforcing protective measures on the company, and it can be managed easily through a proper MDM setup.
IT admins can use the MDM console to create policies that secure apps and data. They can also use the console to maintain their workers’ privacy, separating company data into a different app without gaining access to the rest of the device.
Because of the massive liabilities opened by personal devices, we recommend avoiding them altogether. Managing personal devices on your network is a risk not worth taking, and one that can be easily mitigated through some of the features MDM provides.
Read on for more details on how MDM can procure corporately-owned devices, and deploy them securely.
Now that we know the ‘what,’ and ‘why,’ of MDM, let’s talk about the ‘how.’ How does MDM add security and agility to your organization? How do these key features function, how can they be optimized, and how can we improve upon them?
Let’s find out.
Procurement and Deployment
The right hardware is key to a productive team, but so is the right fit. Have you ever watched a lifetime Windows user try to operate macOS? Worse yet, have you watched an Apple user try to operate Windows? For some people it can be like speaking a different language.
Naturally, your workforce will prefer to work on different hardware (desktop or laptop) and on different operating systems (Windows, Apple, or even Linux). We’ll cover the ability to deploy and manage these devices coming up, but what about just setting up these devices?
MDM platforms allow you to purchase devices from your (IT partner’s) trusted vendors and have them shipped directly to any destination you choose.
If your admin has set up a standard deployment setting for the piece of hardware and its operating system, MDM allows you to apply the setting while the hardware is in transit. This eliminates the need to ship hardware to one location where it can be configured, only to be shipped out to its user later.
With a fully functioning device right when you need it, employees will experience almost zero downtime, with no productivity lost.
Once a new device arrives, or all existing devices in your organization are onboarded to your MDM, it’s time to put that last ‘M’ into practice.
There are so many helpful ways that you can use MDM platforms to make your company safer and more productive than ever. Below we will touch on some of the most important.
Ideally, your entire workforce will be working off corporate-owned devices. You always want to know where those devices are, don’t you? Even if employees are accessing your network via a personal device, you should be able to know where it is.
The point is not to spy on your employees – rather know if a device with access to your data is in their possession. If a device turns up or is logged into from a foreign country or even two different states in an unreasonable amount of time, this could be a sign of a breach.
With features like geofencing, you can set a geographical perimeter for devices that prohibits access from outside its borders. Some MDM consoles will also show you a unified map of all your devices.
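The two checks described above, a geofence and the "two places in an unreasonable amount of time" sign of a breach, as an added example that is not code from the original post or from any MDM product. Sign-in records, the HQ location and the 900 km/h plausibility threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed threshold: roughly airliner cruise speed


@dataclass(frozen=True)
class SignIn:
    device_id: str
    user: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def inside_geofence(event, center_lat, center_lon, radius_km):
    """Geofence as a circle around an office; True if the sign-in is within it."""
    return haversine_km(event.lat, event.lon, center_lat, center_lon) <= radius_km


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (device_id, implied_speed_kmh) for consecutive sign-ins of one
    device that would have required travelling faster than max_speed_kmh."""
    by_device = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_device.setdefault(ev.device_id, []).append(ev)
    alerts = []
    for dev, evs in by_device.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Same timestamp from two distant places is also impossible travel.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 1.0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((dev, round(speed)))
    return alerts


# Constructed sample: LAPTOP-A "moves" Tampa -> Seattle in one hour, LAPTOP-B Tampa -> Orlando in two.
HQ_LAT, HQ_LON = 27.95, -82.46  # assumed HQ location (Tampa)
SAMPLE = [
    SignIn("LAPTOP-A", "alice", datetime(2024, 6, 1, 9, 0), 27.95, -82.46),
    SignIn("LAPTOP-A", "alice", datetime(2024, 6, 1, 10, 0), 47.61, -122.33),
    SignIn("LAPTOP-B", "bob", datetime(2024, 6, 1, 9, 0), 27.95, -82.46),
    SignIn("LAPTOP-B", "bob", datetime(2024, 6, 1, 11, 0), 28.54, -81.38),
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE))  # LAPTOP-A flagged at roughly 4000 km/h
    print([inside_geofence(e, HQ_LAT, HQ_LON, 300) for e in SAMPLE])
```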
If a device is lost, misplaced, or stolen, your data becomes vulnerable. In this case, the next feature can save you from disaster.
In the case that a corporate device finds itself in the hands of non-authorized personnel, MDM consoles give you the option to lock and/or wipe data off the device completely.
This may sound like a drastic measure. Know that with the right combination of data backup and an MDM, the critical data and settings on your device can easily be restored.
Your data is what is important. With the right setup, the device is simply a vessel for the data itself.
Identity and Access Controls
Identity Management and Access Controls are imperative measures for cybersecurity whether your devices are remote or on-premises. Even if you are not yet using an MDM, leveraging conditional access policies is key to security right away.
In short, Identity Management is the process of assigning profiles to each user in your organization. Access Controls are role-based if-then statements that govern who has access to what places and data.
These two facets of security protect your most sensitive data from those who do not need access to it. If someone’s daily role does not demand access to financial, personal, or any other data, they should not have access to it. The same goes for areas within a physical site.
An MDM can help pre-configure these user profiles and their given access before their device even arrives. This protects you and your data on Day 1 of onboarding a new employee, with no added downtime.
For more on Identity Management and Access Controls, read our comprehensive guide linked here.
MDM enhances your security through its ability to enforce security standards on every connected device, as well as to serve out a uniform set of apps and settings to any new device.
Again, this makes onboarding new hires a simple, efficient process. Once role-based conditional access policies are set, you can simply choose your new hire’s default setting and send their device to them with the same security as the rest of your team.
Consider these cybersecurity best practices:
Set company-wide password strength requirements.
Enforce multi-factor authentication and single sign-on (SSO) settings.
Configure automatic security update installation.
Install antivirus software.
Filter out access to unapproved URLs and applications.
All these actions and more can be taken in your MDM console and served out to every device on your network, new or old.
With automated reporting through an MDM, you don’t have to appoint somebody to keep an inventory of your devices. Not to mention, you need to know if devices are nearing end-of-life, if they are up to date, and more.
Who has the time to monitor, track, and log all the necessary items for every device in your organization?
Your MDM, that’s who.
Standard reports from your MDM console will list all your devices, with details about their software, performance, and health. You will get breakdowns of how long devices have been enrolled, which are inactive, and which are backed up into your cloud.
You can also see which devices are non-compliant with company standards, have update installation failures, or if there is active malware on the device.
Best of all, you can configure custom reports to give you all the data you need to keep things running efficiently. There are many more options than we can list here, but whatever you might need can be rolled into clear reports without additional manual changes.
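As an added example for both the best-practice baseline and the compliance report described above (not code from the original post or from any MDM product), the following evaluates a constructed device inventory against an assumed baseline and produces the non-compliant, update-failure and malware breakdown a console report would show. The policy values, device names and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed baseline; a real MDM console holds the organization's actual values.
POLICY = {
    "min_password_length": 12,
    "require_mfa": True,
    "max_patch_age_days": 30,
    "require_antivirus": True,
}


@dataclass
class Device:
    name: str
    os: str
    password_min_length: int   # password rule currently enforced on the device
    mfa_enabled: bool
    last_patched: date
    antivirus_installed: bool
    update_failures: int = 0
    malware_detected: bool = False


def evaluate(dev, policy, today):
    """Return the list of baseline violations and health issues for one device."""
    findings = []
    if dev.password_min_length < policy["min_password_length"]:
        findings.append(f"password minimum {dev.password_min_length} below required {policy['min_password_length']}")
    if policy["require_mfa"] and not dev.mfa_enabled:
        findings.append("MFA not enforced")
    patch_age = (today - dev.last_patched).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"patches {patch_age} days old")
    if policy["require_antivirus"] and not dev.antivirus_installed:
        findings.append("no antivirus installed")
    if dev.update_failures:
        findings.append(f"{dev.update_failures} failed update(s)")
    if dev.malware_detected:
        findings.append("active malware")
    return findings


def compliance_report(devices, policy=POLICY, today=None):
    """Split the fleet into compliant names and non-compliant names with reasons."""
    today = today or date.today()
    report = {"compliant": [], "non_compliant": {}}
    for dev in devices:
        findings = evaluate(dev, policy, today)
        if findings:
            report["non_compliant"][dev.name] = findings
        else:
            report["compliant"].append(dev.name)
    return report


# Constructed sample inventory evaluated against a fixed date so results are repeatable.
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", 14, True, date(2024, 5, 20), True),
    Device("LAPTOP-02", "macOS", 8, False, date(2024, 3, 1), True, update_failures=2),
    Device("PHONE-03", "iOS", 12, True, date(2024, 5, 25), False, malware_detected=True),
]
```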
MDM Software and Solutions
Microsoft Intune MDM
Intune is the MDM platform from Microsoft. Despite being a Microsoft product, Intune is compatible with more operating systems than any other MDM product.
It comes packaged with Microsoft Endpoint Configuration Manager to form Microsoft Endpoint Manager.
Endpoint Configuration Manager is meant to manage on-premises devices, while Intune is focused on mobile devices. Ultimately, Intune carries the same features as Endpoint Configuration Manager, but with extra, mobile-focused capabilities.
Intune also comes with Microsoft Intune Company Portal, a mobile app that allows employees to access corporate-approved data and resources. The Company Portal requires a login before company data can be accessed, keeping that data sandboxed away from the rest of the mobile device.
Microsoft Intune Price
Intune and Configuration Manager come as a part of Microsoft 365 Business Premium, E3, and E5. M365 must be purchased on a per-user/per-month basis.
Business Premium currently costs $22/month per user, while E3 costs $36/month, and E5 is $57/month – all when purchased annually. IT Support Guys recommends Business Premium or E3 to most of our customers. For more information, check out our Microsoft 365 Business Premium vs. E3 breakdown.
Apple MDM: Apple Business Essentials
Apple Business Essentials was released in Spring 2022, fulfilling a long-standing need for an MDM designed for Apple devices and SMBs alike.
Apple’s Time Capsule backup solution was phased out on April 26, 2018, and there has been no comparable backup solution for Apple in the time since.
Solving this issue is the most important aspect of Business Essentials in our eyes. As you will read later, backing up Apple products is something that even the best Apple-aligned solutions had not brought to the table.
As most Apple products only run with proprietary software and devices, Business Essentials is a big relief for SMBs buying Apple devices. Business Essentials plans can add iCloud storage and AppleCare+ for hardware, streamlining hardware repair and exchange for smaller businesses.
As the IT partner of many clients operating within the Apple ecosystem, we are both excited and relieved to see the addition of this new service.
Apple MDM: Apple Business Essentials Price
Like Microsoft 365, Apple Business Essentials is priced on a per-user/per-month basis but is based on the number of devices per user.
Apple Business Essentials for single-device users costs $2.99/month, or $9.99 with added AppleCare+. Multi-device user licenses cost $6.99/month, or $19.99 with AppleCare+. The extra-storage multi-device license boosts users from 200GB to 2TB of storage and costs $12.99/month, or $24.99 when upgraded with AppleCare+.
Business Essentials offers all the main functions we spoke about prior, but some come with slightly different names. Standard settings are referred to as “collections,” for example.
What is Jamf?
Jamf is an independent MDM software produced by a company of the same name. Formerly “The Casper Suite,” Jamf recognized the growth of Apple devices in workplaces and developed its software to solve an underlying need for enterprise solutions.
Their success was validated when IBM hired Jamf to manage their Mac devices in 2015. The company reported in 2022 that its software was managing over 20 million devices worldwide.
While solving for Apple devices, Jamf Pro can connect with Microsoft Intune, even extending Intune to iOS devices. It was not until 2020 that Jamf was able to include full iOS compliance.
Jamf also has individual software for identity management (Jamf Connect), endpoint security (Jamf Protect), and internet filtering for devices (Jamf Data Policy).
Jamf offers a few different bundled options on either a per-user/per-month or per-device/per-month basis when purchased annually.
Their cheapest bundle is the Jamf Fundamentals Plan ($4/month per device), which includes Jamf Now, a simple Apple device management platform.
The Jamf Business Plan costs $13/month per user and comes with Jamf Pro, Jamf Connect, and Jamf Protect. It also comes with Jamf Threat Defense for network-based attacks and real-time reporting.
The Jamf Data Policy plan is the company’s Identity Management and Access Control software, priced at $5/month per device.
Businesses can also purchase standalone device management, identity management, and security solutions individually on a per-device basis.
Apple Business Essentials vs. Jamf
Because of its long-standing hold on Apple MDM, Jamf offers more comprehensive features than Apple Business Essentials, as of the writing of this post. That said, it is worth considering who Apple is seeking to serve with Business Essentials.
Apple maintains that they are not trying to compete with Jamf and that they are fine with Apple customers using the third-party software if they are happy.
Business Essentials is perfect for small businesses with 500-or-fewer users. Apple’s offering stands alone in its ability to back up Apple devices, which the company has lacked since Time Capsule.
User management within Business Essentials also stands out for the purposes of identity management and access controls mentioned earlier. Adding on AppleCare+ should also speed up procurement and deployment for these smaller businesses.
Jamf recently launched the Jamf Fundamentals plan, which is essentially a lite version of Jamf Pro. If you recall, Jamf Fundamentals costs $4/device, while Apple Business Essentials is $2.99.
Nick Amundsen, senior VP of Strategy at Jamf, recently said the difference between Fundamentals and Business Essentials is that their product is for small businesses that are scaling.
“Jamf is the only platform available that will empower these organizations to truly scale with the entire Apple ecosystem, and solve pain points around deployment, user access, management, and security,” he said.
For the smaller businesses, Business Essentials could be a breakthrough. For bigger organizations with IT personnel that can maximize the in-depth features of Jamf, there could be features therein that make the difference.
No matter what, if your organization uses Apple hardware but not Business Essentials, make sure you are equipped with data backup capabilities.
Meraki is an MDM solution from Cisco, focusing mainly on security features. It is compatible with Apple and Microsoft devices.
Cisco’s proprietary MDM is mostly designed around Cisco-based networks and networking hardware, including Meraki-branded hardware itself.
Meraki’s functions are like those of other MDM solutions but may lack some of the premium elements.
Employees and devices are spreading, which can add a lot of positives to an organization if approached correctly. Mobile Device Management (MDM) can help in several ways.
MDM can unify your workforce despite differing hardware and operating systems. It can push a standard group of security settings to every device that has access to your data. It can lock a lost device from afar.
Best of all, it can do all these things and more – immediately or in transit – so that you never lose a second of productivity.
IT Support Guys has helped numerous businesses deploy, protect, and manage their team’s devices. Schedule a call with us today to talk to an MDM expert about how we can help you do the same.