MDM Do You Really Need It? Explore Simple and Free Alternatives

MDM has its own pros and cons, but cheaper (i.e. FREE) alternatives that you probably already own may provide you with enough control and security – so do you really need MDM?

MDM 101:

All MDM products can provide the same set of device-management features, because all MDM vendors rely on the same OS-specific MDM APIs to control and manage the device. As opposed to the Windows days, when a vendor could “add functionality” to the Windows OS, on mobile devices (i.e. Android, iOS and Windows Phone) vendors must use the same set of APIs the OS vendor provides. This means all products are the same! Don’t believe me? Read Apple’s iOS 6 MDM document here and then compare the features Apple offers to the ones offered by your favorite MDM vendor. Look the same?

So what is the difference between vendors? Mainly the UI and, of course, the supplementary MDM products (for example app stores and app security – wrapping, gateways, secure email clients, secure browsers etc.).

To MDM or not to MDM?

Each OS vendor provides a different set of MDM-related APIs. For that reason we must split our answer into two parts: one for iOS and one for Android.

iOS:

Apple’s set of MDM APIs provides the following three main capabilities:

  • Device configuration: for example, enforce a passcode on the device, enforce device encryption, configure Wi-Fi, add an Exchange account etc.
  • Device query: for example, query the list of installed apps at a given moment.
  • Manage apps and configuration profiles: install and remove apps and configuration profiles.

The main advantage of using an MDM solution to manage iOS devices is a central management console with a nice UI. The disadvantages are cost and, in many cases, overhead, as most MDM capabilities are not required in practice.

A Simple MDM Alternative (FREE):

All the MDM iOS configuration capabilities can be easily applied to iOS devices for free using Apple’s own iPhone Configuration Utility.

  • Download and install iPhone Configuration Utility – the app works on Windows and Mac
  • Create a configuration profile. Apple’s intuitive UI will guide you through the process
  • Click the export button; for ease of use, choose Security: None. This will save the configuration profile as a file with a .mobileconfig extension
  • Copy the output .mobileconfig file to a Web server that can be accessed by your iOS users from their iOS device
  • Send a link to this file to your mobile users and ask them to open this file using mobile Safari (i.e. the default Web browser of their iOS device)
  • Once a user clicks on the installation link, the profile you have created will be installed (enforced) automatically
  • Note: because we have chosen “none” when we exported the file the user will see this profile as “unsigned”.
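The file that iPhone Configuration Utility exports in the steps above is an XML property list. The following script, an added example that is not part of the original post and not Apple's tool, builds the same kind of unsigned passcode-policy profile with Python's standard `plistlib`, and re-reads it to check the settings an administrator would want to verify before publishing it. The payload keys (`forcePIN`, `minLength`, `maxFailedAttempts`, `maxInactivity`, `allowSimple` and so on) are Apple's documented passcode-policy keys; the organization name, reverse-DNS identifier and output filename are placeholders.

```python
"""Build and sanity-check an unsigned iOS passcode-policy .mobileconfig.

Added example, not part of the original post and not Apple's code. It produces
the same kind of plist that iPhone Configuration Utility exports with
"Security: None". The organization and identifier values are placeholders.
"""
import plistlib
import uuid

ORG = "Example Corp"                      # placeholder organization name
BASE_ID = "com.example.mdm-alternative"   # placeholder reverse-DNS identifier


def passcode_payload(min_length=6, max_failed=10, max_inactivity=5,
                     require_alphanumeric=True, allow_simple=False,
                     max_age_days=90, history=4, min_complex=1):
    """Return the passcode-policy payload (Apple's documented keys)."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{BASE_ID}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,                    # enforce a passcode at all
        "minLength": min_length,
        "maxFailedAttempts": max_failed,     # device wipes when exceeded
        "maxInactivity": max_inactivity,     # minutes before auto-lock
        "requireAlphanumeric": require_alphanumeric,
        "allowSimple": allow_simple,         # False == prohibit simple passcodes
        "maxPINAgeInDays": max_age_days,     # passcode expiration
        "pinHistory": history,               # passcode history
        "minComplexChars": min_complex,      # non-alphanumeric characters
    }


def build_profile(payloads, display_name="Corporate Baseline"):
    """Wrap one or more payloads in the top-level profile structure."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": BASE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": ORG,
        "PayloadDescription": "Enforces a device passcode.",
        "PayloadRemovalDisallowed": False,   # user may remove it, as in the post
        "PayloadContent": list(payloads),
    }


def serialize(profile):
    """Return the XML plist bytes that make up the .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def validate(profile_bytes):
    """Re-parse the file and report weak or missing passcode settings.
    Returns a list of findings; an empty list means the profile looks right."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType must be 'Configuration'")
    passcode = [c for c in profile.get("PayloadContent", [])
                if c.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not passcode:
        findings.append("no passcode payload")
    for c in passcode:
        if not c.get("forcePIN"):
            findings.append("forcePIN is not set; no passcode is enforced")
        if c.get("minLength", 0) < 4:
            findings.append("minLength below 4")
        if c.get("allowSimple", True):
            findings.append("simple passcodes allowed")
    return findings


if __name__ == "__main__":
    data = serialize(build_profile([passcode_payload()]))
    with open("baseline.mobileconfig", "wb") as f:   # placeholder filename
        f.write(data)
    print("findings:", validate(data) or "none")
```

When you copy the resulting file to the web server in the next step, serve it with the MIME type `application/x-apple-aspen-config`, otherwise Safari shows the XML as text instead of offering to install the profile. Because nothing signs the file, the device will show it as unsigned, exactly as the note above describes for a profile exported with Security: None.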

ActiveSync – Another Simple and Free Alternative

The Exchange ActiveSync (EAS) protocol, included for free in Microsoft Exchange, provides many policies that can be used to configure an iOS device without enrolling it in MDM.

When a user creates an Exchange account on their iOS device, the Exchange server “asks” iOS to enforce the policies defined for this user on the Exchange server. ActiveSync policies can be set globally (i.e. the default policy) or per group. The Exchange account will not sync any data until iOS has enforced all the policies it receives from the Exchange server, and the user cannot disable any of the enforced policies without removing the Exchange account. Removing the Exchange account deletes all emails, calendar items, contacts and tasks that belong to it.

The following policies can be defined in Exchange and enforced by the iOS device:

  • Enforce passcode on device
  • Minimum passcode length
  • Maximum failed passcode attempts – the device is wiped once the specified value is exceeded.
  • Passcode requires both numbers and letters. The user must enter a device passcode that contains at least one letter and one number.
  • Inactivity time in minutes.
  • Prohibit simple passcode
  • Passcode expiration in days
  • Passcode history
  • Minimum number of complex characters in passcode. Specifies how many characters in a passcode must not be numbers or letters.
  • Require manual syncing while roaming. Turns push off while the device is roaming, and is specified separately for each Exchange account.
  • Allow camera
  • Allow web browser. Prohibits the use of Safari and removes the app from the Home screen.
  • Maximum age of email messages synced.
  • Require device encryption (iPhone 3G and iPod touch models prior to Fall 2009 don’t support device encryption and won’t connect to an Exchange Server that requires it.)

To learn more please visit Apple’s site.

TIP: When setting an Exchange ActiveSync policy in Exchange you can define whether devices that do not fully comply with the policy are blocked or still allowed access.

The World of Android

As with all Android-related “things”, there is no single answer. The stock Android ROM (the “Android” provided by Google) requires an MDM app (essentially an “agent”) to be installed on the device and granted device-admin rights (more info). MDM vendors can use such an agent to control the device lock password, disable the camera and enforce device encryption (supported only on Android 3.x and 4.x). However, Android vendors, specifically Samsung, add their own MDM APIs to their own Android devices (in addition to what Google’s stock ROM provides). Those MDM APIs are valid only for specific device models, but they greatly extend what MDM products can manage and control on those devices. Samsung’s SAFE, the leading Android MDM extension, adds many new MDM APIs; for example, MDM products can use them to manage Exchange accounts, VPN etc.

The main problem with Android is, again, fragmentation: IT cannot gain the same level of control and security across all the different Android devices.

ActiveSync to the rescue (again):

When a user creates an Exchange ActiveSync account on their Android device, the device will not sync any data before it complies with all the ActiveSync policies. The user will not be able to remove a policy without removing the Exchange account first.

The free Exchange ActiveSync alternative provides organizations with the following capabilities.

Android 2.2 and 2.3 (about 23% of all Androids out-there)

  • Require password
  • Require alphanumeric password
  • Number of failed attempts allowed
  • Minimum password length
  • Time without user input before password must be re-entered
  • Remote wipe

Android 4.x adds the following policies:

  • Restrict password history
  • Password expiration timeout
  • Allow attachment download
  • Max attachment size
  • Disable camera
  • Require device encryption and require storage card encryption
  • Require manual sync when roaming

More info: Android by OS version, ActiveSync and Android 2.x, ActiveSync and Android 4.x
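The behaviour described in the two ActiveSync sections above (the device syncs nothing until it has applied the policy, and the TIP's choice between blocking and allowing devices that cannot enforce every setting) can be modelled in a few dozen lines. The following script is an added example, not part of the original post and not Microsoft's code: it plays a miniature Exchange server handing a policy to devices whose capabilities follow the per-platform lists above, and shows which devices get to sync under each setting of the block/allow switch. The device names, policy values and the numeric status codes are constructed for the example; the real protocol (the Provision command, the policy key the device must present, and the HTTP 449 answer to an unprovisioned Sync) carries more state than is modelled here. On Exchange 2010 the same switch is the `-AllowNonProvisionableDevices` parameter of the `New-ActiveSyncMailboxPolicy` / `Set-ActiveSyncMailboxPolicy` cmdlets the post alludes to under "Powershell scripts".

```python
"""Model of how an Exchange ActiveSync (EAS) policy gates mailbox sync.

Added example, not part of the original post and not Microsoft's code. The
server pushes its policy, the device reports which settings it could enforce,
and the server either issues a policy key (sync allowed) or refuses (blocked),
with the "block / allow non-compliant devices" switch deciding the partial
case. Capability sets follow the per-platform lists in the post; device ids,
policy values and status numbers are constructed for this example.
"""
import secrets

# Server-side policy, named after the settings listed in the post.
CORPORATE_POLICY = {
    "DevicePasswordEnabled": True,
    "AlphanumericDevicePasswordRequired": True,
    "MinDevicePasswordLength": 6,
    "MaxDevicePasswordFailedAttempts": 10,   # device wipes itself when exceeded
    "MaxInactivityTimeDeviceLock": 5,        # minutes
    "DevicePasswordHistory": 4,
    "DevicePasswordExpiration": 90,          # days
    "RequireDeviceEncryption": True,
    "AllowCamera": False,
    "RequireManualSyncWhenRoaming": True,
}

# Settings each platform can enforce, per the capability lists in the post.
ANDROID_2X = {
    "DevicePasswordEnabled", "AlphanumericDevicePasswordRequired",
    "MaxDevicePasswordFailedAttempts", "MinDevicePasswordLength",
    "MaxInactivityTimeDeviceLock",
}
ANDROID_4X = ANDROID_2X | {
    "DevicePasswordHistory", "DevicePasswordExpiration", "AttachmentsEnabled",
    "MaxAttachmentSize", "AllowCamera", "RequireDeviceEncryption",
    "RequireStorageCardEncryption", "RequireManualSyncWhenRoaming",
}
IOS = ANDROID_2X | {
    "AllowSimpleDevicePassword", "DevicePasswordExpiration",
    "DevicePasswordHistory", "MinDevicePasswordComplexCharacters",
    "RequireManualSyncWhenRoaming", "AllowCamera", "AllowBrowser",
    "MaxEmailAgeFilter", "RequireDeviceEncryption",
}


def device_apply(policy, capabilities):
    """Device side: enforce every setting it understands and report the rest.
    Status 1 = policy applied in full, 2 = applied only partially."""
    unsupported = sorted(k for k in policy if k not in capabilities)
    return (1 if not unsupported else 2), unsupported


class EasServer:
    """Minimal stand-in for the Exchange side of provisioning and sync."""

    def __init__(self, policy, allow_nonprovisionable=False):
        self.policy = policy
        # The TIP's switch: may devices that cannot enforce the whole policy sync?
        self.allow_nonprovisionable = allow_nonprovisionable
        self.policy_keys = {}   # device_id -> key issued after provisioning

    def provision(self, device_id, capabilities):
        """Push the policy and decide whether the device may sync."""
        status, missing = device_apply(self.policy, capabilities)
        if status == 1 or self.allow_nonprovisionable:
            key = secrets.token_hex(8)
            self.policy_keys[device_id] = key
            return {"allowed": True, "policy_key": key, "unsupported": missing}
        return {"allowed": False, "policy_key": None, "unsupported": missing}

    def sync(self, device_id, policy_key):
        """Sync is served only with the key from a successful provisioning;
        anything else gets the 'retry with provisioning' answer (HTTP 449)."""
        if policy_key and self.policy_keys.get(device_id) == policy_key:
            return 200
        return 449


if __name__ == "__main__":
    server = EasServer(CORPORATE_POLICY)   # default: block non-compliant devices
    for name, caps in (("ios", IOS), ("android-2.3", ANDROID_2X),
                       ("android-4.x", ANDROID_4X)):
        r = server.provision(name, caps)
        print(f"{name:12} allowed={r['allowed']} unsupported={r['unsupported']}")
```

With the block setting (the default here) an Android 2.3 device is refused because it cannot enforce password history, expiration, encryption, the camera restriction or manual sync when roaming, while iOS and Android 4.x devices are issued a key and may sync; flipping `allow_nonprovisionable` lets the 2.3 device in with only the five settings it understands applied, which is exactly the trade-off the TIP asks you to decide.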

Exchange ActiveSync Policies vs MDM

ActiveSync Advantages:

  • Free, out-of-the-box with Microsoft Exchange
  • Easy to implement
  • Basic but includes the most commonly used capabilities like password and encryption
  • Cross-platform (i.e. works on iOS and Android and even Windows 8)
  • Devices can be managed from within Exchange or using standard PowerShell scripts (I know some may consider this a disadvantage).

MDM is better because:

  • One management console to manage them all
  • Most MDM vendors provide an agent that detects jailbroken/rooted devices. A jailbroken/rooted device cannot be trusted to enforce the policies sent to it by the Exchange server.
  • On iOS, MDM allows querying devices for device-specific information


I hope I was able to shed some light on what can be done (for free) without MDM.

What do you think? Does your organization use MDM? Are you happy?


  • HybridTwin

    I was curious if you have elaborated possibly elsewhere what these MDM solutions can do/prevent with regards to the actual business content (i.e. contacts sync’d via EAS being merged with other contact lists). I really enjoyed your breakdown by platform and would love to see more detail in this format.

    Are there free solutions for removing the EAS content (contacts, cal, etc.) ONLY from iOS and Android devices? Can this be done through any Apple, Google, MS tools mentioned in your post?

    • Mike Brunet

      Thanks for the feedback HybridTwin.

      MDM is a wide term, there are more than 100 MDM vendors; however, pure MDM players do not provide any contacts protection. In general contacts that sync using EAS are separated from other contacts on the phone, so when you delete the EAS profile/account those contacts are removed also. As far as I know those contacts are not synced with other sync methods except EAS (i.e. will not backup). You may also opt for using a secure container, which is basically a replacement app for the original contacts/calendar/email apps that come with your device. Those apps are secure (you have full control of the contacts and those cannot be shared with the phone); however, your end users will probably not like it, as the user experience is far worse than the one that is offered by the device manufacturer.

      With regards to controlling contacts (removing them from iOS/Android), as far as I know the only solutions that provide this capability are secure email gateways.

      • MessagingAdmin

        Many of the higher tier (top right Magic Quadrant) MDM providers can “selectively remove one email profile” which would allow you to remove just the corporate data without a “full device wipe”, which is the level of granularity you are given with the native wipe commands.
        The additional features of “sandboxing” are also available with many of the premium offerings, allowing corporate data to reside within a non-email application that can also be selectively removed from the device without wiping everything out.
        This is key in allowing employees to bring their own device without destroying their personal photographs, apps, etc. in the process of off-boarding.