Yes, we can delete everything, no, we do not read your SMS


When people hear MDM, Mobile Device Management, for some reason everyone immediately imagines a kill switch that remotely detonates a lost phone at the command of an information security officer. That is there too, in fact, just without the pyrotechnics. But there are a lot of other routine tasks that become much easier and less painful with MDM.

Business strives to optimize and unify processes. Where a new employee once had to go down to a mysterious basement full of wires and blinking lights, where wise red-eyed elders helped set up corporate mail on his BlackBerry, MDM has now grown into a whole ecosystem that does these tasks in two clicks. We will talk about security, cucumber-currant Coca-Cola and the differences between MDM, MAM, EMM and UEM. And also about how to remotely hire someone to sell pies.

Friday at the bar


Even the most responsible people take a break sometimes. And, as often happens, they forget backpacks, laptops and phones in cafes and bars. The biggest problem is that losing such a device turns into a wild headache for the information security department if it holds information sensitive to the company. Apple employees managed to distinguish themselves at least twice, losing first an iPhone 4 prototype and then an iPhone 5. Yes, most phones now ship with encryption out of the box, but corporate laptops are far from always configured with full-disk encryption by default.

On top of that, threats such as the targeted theft of corporate devices in order to extract valuable data began to emerge. The phone is encrypted, everything is as secure as can be, and so on. But did you notice the security camera watching you unlock your phone before it was stolen? Given the potential value of the data on a corporate device, such threat models have become very real.

In short, people are still forgetful. Many companies in the US have begun to treat laptops as consumables that will inevitably be left behind in a bar, hotel or airport. There is evidence that about 12 laptops a week are forgotten at US airports alone, of which at least half contain confidential information without any protection.

All this added plenty of gray hair to security staff and initially led to the development of MDM (Mobile Device Management). Then came the need to manage the life cycle of mobile applications on managed devices, and MAM (Mobile Application Management) solutions appeared. A few years ago they began to be combined under the common name EMM (Enterprise Mobility Management), a single system for managing mobile devices. The apogee of all this centralization is UEM (Unified Endpoint Management).

Honey, we bought a zoo


The first to appear were vendors offering solutions for centralized management of mobile devices. One of the best known, BlackBerry, is still alive and well. It is present even in Russia and sells its products there, mainly to the banking sector. SAP and various smaller companies like Good Technology, later bought by that same BlackBerry, also entered this market. At the same time, the concept of BYOD was gaining popularity, with companies trying to save money by having employees bring their personal devices to work.

True, it quickly became clear that technical support and information security were already flinching at requests like "How do I set up MS Exchange on my Arch Linux" and "I need a direct VPN to a private Git repository and the product database from my MacBook." Without centralized solutions, all the savings from BYOD turned into a nightmare of maintaining the entire zoo. Companies needed all control to be automatic, flexible and secure.

In retail the story unfolded a little differently. About 10 years ago, companies suddenly realized that mobile devices had arrived. It used to be that employees sat at warm tube monitors, with a bearded sysadmin in a sweater invisibly present somewhere nearby, making it all work. With the advent of full-fledged smartphones, the functions of rare specialized PDAs could be shifted to ordinary, inexpensive mass-market devices. Along with this came the understanding that this zoo needs to be managed somehow, since there are many platforms and they are all different: BlackBerry, iOS, Android, then Windows Phone. At the scale of a large company, any manual gesture is a shot in the foot: such a process eats up valuable IT and support man-hours.

At the very beginning, vendors offered separate MDM products for each platform. It was quite typical for only iOS or Android smartphones to be managed. Once the smartphones were more or less sorted out, it turned out that the data collection terminals in the warehouse also needed managing. At the same time, you really do need to send a new employee to the warehouse to simply scan the barcodes on the right boxes and enter this data into the database. With warehouses all over the country, support became very difficult: each device has to be connected to Wi-Fi, have the application installed and be given access to the database. With modern MDM, or rather EMM, you take an admin, give him a management console, and he configures thousands of devices with template scripts from one place.

Terminals at McDonald's

An interesting trend is observed in retail: moving away from stationary checkouts and pickup points. If earlier you liked a kettle in, say, M.Video, you had to call a salesperson and trudge with him across the entire hall to a stationary terminal. On the way, the customer managed to forget ten times why he was walking and change his mind. The very effect of impulse buying was lost. Now MDM solutions let the seller come straight to you with a POS terminal and take payment. The system combines and configures warehouse terminals and merchants' devices from one management console. At one time, one of the first companies to change the traditional checkout model was McDonald's, with its interactive self-service panels and girls with mobile terminals taking orders right in the middle of the line.

Burger King also began to develop its ecosystem, adding an application that let you order remotely so the food was prepared in advance. All this was combined into a coherent network of managed interactive kiosks and mobile terminals for employees.

Be your own cashier

Many grocery hypermarkets reduce the load on cashiers by installing self-service checkouts. Globe went further. At the entrance you are offered a Scan & Go terminal with an integrated scanner: you simply scan all the goods on the spot, pack them into bags, pay and leave. There is no need to gut already packed products at the checkout. All terminals are likewise managed centrally and integrated with both warehouses and other systems. Some companies are trying similar cart-integrated solutions.

A thousand flavors

Vending machines are a separate story. They too need firmware updates and monitoring of the remaining burnt coffee and powdered milk, with all of it synchronized with the attendants' terminals. Of the large companies, Coca-Cola distinguished itself here, announcing a $10 prize for the most original drink recipe. In effect, it let users mix the most addictive combinations in branded machines. As a result, variants like sugar-free ginger-lemon cola and vanilla-peach Sprite appeared. They haven't reached earwax flavor, like Bertie Bott's Every Flavor Beans, but they are very determined. All telemetry and the popularity of each combination are closely monitored. All this is also integrated with users' mobile applications.

Looking forward to new flavors.

We sell pies

The beauty of MDM / UEM systems is that you can quickly scale your business by connecting new employees remotely. You can easily organize the sale of, say, pies in another city with full integration into your systems in two clicks. It looks something like this.

A new device is brought to the employee. In the box is a slip of paper with a barcode. Scan it and the device activates, registers in MDM, pulls its firmware, applies it and reboots. The user enters his credentials or a one-time token. Done. Now you have a new employee with access to corporate mail, stock balance data, the necessary applications and integration with a mobile payment terminal. The person arrives at the warehouse, picks up the goods and delivers them directly to customers, accepting payment with the same device. Almost like hiring a couple of new units in a strategy game.
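The one-time token in that flow is what stops a slip of paper found in a box from enrolling an arbitrary device. The following is an added example of how an enrollment server can make such a slip single-use, time-limited and bound to one device serial; it is constructed illustration code, not Workspace ONE or any vendor's API, and the slip format, 15-minute TTL and role-to-profile mapping are assumptions.

```python
"""Single-use enrollment slips for zero-touch onboarding (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a slip is valid for 15 minutes after printing


@dataclass
class EnrollmentToken:
    token_id: str
    secret_hash: str   # only a hash of the secret is kept server-side
    serial: str        # device serial the slip is bound to
    role: str          # e.g. "courier" or "warehouse"
    issued_at: float
    used: bool = False


# assumption: what each role gets pushed after enrollment
ROLE_PROFILES = {
    "courier": {"mail": True, "apps": ["delivery", "pos"], "stock_view": True},
    "warehouse": {"mail": False, "apps": ["scanner"], "stock_view": True},
}


class EnrollmentServer:
    """Issues slips and enrolls devices that present a valid, unused slip."""

    def __init__(self):
        self._tokens = {}
        self._devices = {}

    def issue(self, serial, role, now=None):
        """Return the string printed as the barcode for one specific device."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(24)
        self._tokens[token_id] = EnrollmentToken(
            token_id, hashlib.sha256(secret.encode()).hexdigest(), serial, role, now
        )
        return f"{token_id}.{secret}"

    def redeem(self, slip, serial, now=None):
        """Enroll `serial` if the slip is well-formed, unused, unexpired and bound to it."""
        now = time.time() if now is None else now
        if "." not in slip:
            return "rejected: malformed"
        token_id, secret = slip.split(".", 1)
        rec = self._tokens.get(token_id)
        if rec is None:
            return "rejected: unknown token"
        if rec.used:
            return "rejected: already used"
        if now - rec.issued_at > TOKEN_TTL_SECONDS:
            return "rejected: expired"
        if rec.serial != serial:
            return "rejected: bound to another device"
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(rec.secret_hash, presented):
            return "rejected: bad secret"
        rec.used = True  # single use: a second scan of the same slip fails
        self._devices[serial] = {"role": rec.role, "enrolled_at": now}
        return "enrolled"

    def profile(self, serial):
        """Configuration pushed to an enrolled device, or None if not enrolled."""
        rec = self._devices.get(serial)
        return None if rec is None else ROLE_PROFILES[rec["role"]]


if __name__ == "__main__":
    server = EnrollmentServer()
    slip = server.issue("SN-0001", "courier")
    print(server.redeem(slip, "SN-0001"))  # enrolled
    print(server.redeem(slip, "SN-0001"))  # rejected: already used
    print(server.profile("SN-0001"))
```

The server stores only a hash of the slip's secret and compares it in constant time, so a leaked token table does not let anyone enroll, and a slip photographed in transit is useless once the intended device has redeemed it or the TTL has passed.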

What it looks like


One of the most functional UEM systems on the market is VMware Workspace ONE UEM (formerly AirWatch). It integrates with almost any mobile and desktop OS, and with ChromeOS. Until recently there was even Symbian. Workspace ONE also supports Apple TV.

Another important plus: Apple lets only two MDM vendors, Workspace ONE among them, work with the API before a new iOS version is released. Everyone else gets a month at best; they get two.

You simply define the necessary usage scenarios, connect the device, and then it works, as they say, automagically. Policies and restrictions arrive, the necessary access to internal network resources is granted, keys are uploaded and certificates installed. A few minutes later the new employee has a device fully ready for work, from which the necessary telemetry flows continuously. The number of scenarios is huge, from blocking the phone's camera in a specific geolocation to SSO by fingerprint or face.


The admin configures the launcher with all the applications the user will receive.


All possible and impossible parameters, such as icon size, a ban on moving icons, hiding the phone and contacts icons, are also flexibly configured. Such functionality is useful when using Android as an interactive menu in a restaurant and for similar tasks.

From the user's point of view, it looks something like this.

Other vendors also have interesting solutions. For example, the SafePhone EMM from NII SOKB offers certified solutions for the secure transmission of voice and messages, with encryption and recording capabilities.

Rooted phones

Rooted phones, where the user has maximum rights, are a headache for information security. Purely subjectively, this is the ideal: your device should give you full control. Unfortunately, this runs counter to corporate goals, which require that the user be unable to tamper with corporate software. For example, he should not be able to get into a protected section of memory with files or feed the device a fake GPS location.

Therefore, all vendors in one way or another try to detect any suspicious activity on a managed device and block access when root rights or non-standard firmware are detected.


On Android they usually rely on the SafetyNet API. From time to time, Magisk manages to bypass its checks, but as a rule Google fixes this very quickly. As far as I know, Google Pay never worked again on rooted devices after the spring update.
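To show the console side of the two points above (blocking access when root or non-standard firmware is detected, and applying a per-location restriction such as switching the camera off inside a geofence), here is an added example of a posture evaluator that turns an agent's report into an access decision and a restriction set. It is constructed code, not Workspace ONE, SafetyNet or any vendor's implementation; the report fields, the minimum OS version, the severity ladder and the warehouse coordinates are all assumptions. It goes slightly beyond the text by treating a missing attestation verdict as a quarantine rather than a block, since no verdict is not proof of tampering.

```python
"""Posture-based access decisions for a UEM console (constructed example)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    serial: str
    rooted: bool                  # agent found su / Magisk-style modifications
    firmware_signed_by_oem: bool  # bootloader locked, stock signed build
    attestation: str              # platform attestation verdict: pass / fail / unavailable
    os_version: tuple             # (major, minor)
    lat: float
    lon: float


MIN_OS_VERSION = (12, 0)  # assumption: older builds are quarantined until updated

# assumption: constructed warehouse geofence where the camera is disabled
GEOFENCES = [
    {"name": "warehouse-1", "lat": 55.7500, "lon": 37.6200, "radius_m": 200,
     "restrictions": {"camera": False}},
]

_SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine, R = 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))


def evaluate(p):
    """Return {'access', 'restrictions', 'reasons'}; the worst finding decides access."""
    access = "allow"
    reasons = []

    def escalate(level, why):
        nonlocal access
        reasons.append(why)
        if _SEVERITY[level] > _SEVERITY[access]:
            access = level

    if p.rooted:
        escalate("block", "root access detected")
    if not p.firmware_signed_by_oem:
        escalate("block", "non-standard firmware")
    if p.attestation == "fail":
        escalate("block", "attestation failed")
    elif p.attestation == "unavailable":
        # no verdict is not proof of tampering: lock the corporate container, do not wipe
        escalate("quarantine", "attestation unavailable, re-check required")
    if p.os_version < MIN_OS_VERSION:
        escalate("quarantine", f"os {p.os_version} below minimum {MIN_OS_VERSION}")

    # location-bound restrictions apply whatever the access decision is
    restrictions = {}
    for fence in GEOFENCES:
        if distance_m(p.lat, p.lon, fence["lat"], fence["lon"]) <= fence["radius_m"]:
            restrictions.update(fence["restrictions"])
            reasons.append(f"inside geofence {fence['name']}")

    return {"access": access, "restrictions": restrictions, "reasons": reasons}


# constructed posture reports, as an agent might send them
SAMPLE_REPORTS = [
    Posture("SN-0001", False, True, "pass", (13, 0), 55.7505, 37.6200),         # healthy, at the warehouse
    Posture("SN-0002", False, True, "pass", (13, 0), 55.7600, 37.6200),         # healthy, outside
    Posture("SN-0003", True, True, "fail", (13, 0), 55.7600, 37.6200),          # rooted
    Posture("SN-0004", False, True, "unavailable", (11, 0), 55.7600, 37.6200),  # stale, no verdict
]


def decisions(reports=SAMPLE_REPORTS):
    """Evaluate every report and key the results by serial."""
    return {p.serial: evaluate(p) for p in reports}


if __name__ == "__main__":
    for serial, d in decisions().items():
        print(serial, d["access"], d["restrictions"], "; ".join(d["reasons"]))
```

Each reason is kept alongside the decision so the console can show the employee why the corporate container is locked and so a quarantined device can be re-evaluated once the agent reports a fresh verdict or an updated OS.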

In lieu of a conclusion

If you are a large company, you should consider implementing UEM/EMM/MDM. Current trends indicate that such systems are increasingly being used, from locked-down iPads as terminals in a candy store to large-scale integrations with warehouse databases and courier terminals. A single point of control and quick integration or change of an employee's role give very big advantages.

My mail - [email protected]

Source: habr.com
