BYOD: Why Mobile Device Management Isn't Enough

The main reason companies are turning to MDM software is security, cited by 72% of the respondents to our survey. The other three reasons we provided are greater mobile spending efficiency (12%), inventory/audit (8%) and cost savings (7%).

The security controls for MDM software all do pretty much the same thing, because each mobile device's operating system limits what MDM vendors can do to a device.

Some MDM vendors (including Good) require the user to access email within their application or a partner's application, rather than from the email application provided with the device. This setup lets the MDM vendor enforce certain policies the device's email application doesn't support, particularly encryption and selective email data wiping. All device vendors now allow encryption and wiping, but those features are controlled at the device level. What if you want to wipe company data only and not the phone user's personal pictures? You can do that only if all of the company data is isolated within the MDM vendor's application.

The big limitation of MDM technology has to do with the fact that mobile applications, unlike PC applications, run in sandboxes. For the most part, each mobile application has to specifically request, at install time, the ability to access shared parts of the phone, such as contacts, phone records and other data. If the application doesn't request that type of access at install time, the application is denied access to those areas. It can't be altered later.

The upside to this approach is that it greatly increases mobile device security. Most PC malware and security problems involve an application being compromised by an attacker, and the attacker using that application to access data or another application on the system. It's called "lateral movement" in the security world, and mobile operating systems were architected to prevent those attacks.

This is why most malware needs to jailbreak, or root, the phone to cause real havoc. Without breaking out of the application jail or becoming root, the malware wouldn't be able to access anything on the device.

MDM vendors have the same problem. They can't root or jailbreak your device, but they would like to control the security of the apps on the device. So when they want to add a capability, like remotely wiping data, they have to wait until the mobile operating system allows it. MDM vendors are at the mercy of mobile OS makers such as Apple and Google.

This state of affairs doesn't mean MDM is useless -- quite the contrary. But IT leaders must understand MDM software's inherent limitations. MDM vendors are governed by the same policies and rules as all of your other mobile apps. So those vendors must think of creative ways to get around the mobile operating system security model to improve your phone's security. Kind of odd, isn't it?

There's precedent for such a business model. Antivirus software, for example, uses the same techniques as many kernel malware and rootkits, and it completely violates the Windows kernel architecture, which is why in the early days of antivirus software it was so unstable and caused so many incompatibility problems.