How should you handle mobile devices that have access to company data and systems?
This is a crucial question for today’s on-the-go, hybrid workforce. Maybe you give your team company-owned mobile devices. Or perhaps your employees find it more convenient to access internal systems from their own phones.
Whatever the scenario, you’ll want to address mobile devices from a cybersecurity perspective. There are several ways to do this. The most common solutions are MDM (mobile device management) and MAM (mobile application management).
But which one is right for your organization and the devices in question? Can MDM and MAM work together?
The answer depends on who owns the device—and what capabilities you need if the device is lost or stolen.
Here’s everything you should know about MDM vs. MAM.
MDM in a nutshell
MDM is all about securing a physical device. This software allows admins to monitor, manage, and secure company-owned devices remotely. It’s the primary tool for enforcing your organization’s security configuration settings.
As you can imagine, employees often won’t allow their personal devices to be onboarded into a company’s MDM. So MDM for BYOD is usually a non-starter.
MAM in a nutshell
MAM is all about securing applications and their data. This software allows admins to remotely monitor, manage, and secure applications and related data on both company-owned and employee-owned devices.
Generally speaking, MAM is less invasive than MDM. For example, you can configure your MAM solution so that it disables copying and pasting data out of Outlook into another application. But MAM solutions generally don’t have access to an employee’s personal data like photos and contacts on their BYOD device.
MAM and MDM working together
MDM and MAM are typically used together for company-owned devices, and MAM by itself is typically used for employee-owned devices.
MAM is what protects the company’s data. At the end of the day, that’s most important.
MDM for company-owned devices is typically used for policy enforcement. This may include things like:
- Enforcing firewall enablement
- Enforcing installation of endpoint security agent
- Enforcing passcode length
- Enforcing enablement of biometric authentication
MAM vs. MDM scenarios
Let’s imagine a few situations and examine whether MDM or MAM is the appropriate solution.
A) Company-owned device is stolen
- MDM allows you to wipe the entire device.
- MAM allows you to wipe applications and their data, but you’ll probably just wipe the entire device.
B) Employee leaves; BYOD device has corporate applications and data on it
- With MAM installed, you can wipe your company’s applications and their data.
C) Employee gets a new BYOD device to replace their old one
- MAM allows you to wipe only the relevant applications and their data from the old device. You can also import those same settings and applications to the new device.
And the winner is… MAM+MDM for corporate; MAM alone for BYOD
On corporate devices, it makes sense to enable both MDM and MAM. Whatever configuration-related policies you have, MDM enables you to do the actual enforcement.
For BYOD devices, it’s best to install MAM alone—without MDM.
Why?
If the goal is to protect company data on BYOD devices, then MAM gets you there with fewer headaches and legal implications. MAM also strikes a better balance between protecting your data and protecting your employees’ freedom.
Here are the 3 biggest reasons we recommend MAM alone, without MDM, for BYOD devices.
1. You get the control you need
Let’s be honest, you don’t need the ability to delete an employee’s personal photos. But you do need to prevent them from moving company data out of safe applications. You also need to secure those applications (and that data). MAM does what you need without potentially doing things you don’t need.
2. You respect your employees’ privacy
While MDM can be configured in many ways, it’s hard to shake the fact that it can exercise control over an employee-owned device. If an employee allows you to put MDM on their BYOD device, there’s more potential for liability down the road if an admin makes a configuration mistake.
3. You avoid the two-phone problem
I can’t count how many times I’ve seen someone with two phones—a company device, and a personal device.
No one should have to deal with that headache. I feel sorry that they work for a company that forces them to have a separate device. I want to sit them down and explain that there’s a better way to do this—one that fits how most people live and work today. That way is MAM.
How do you get MAM?
Good news if you’re a Microsoft customer: MAM is available as part of Intune and Microsoft 365. The list of 365 apps supported by Intune is quite extensive. Whatever your employees need to do, whatever application they’re using, Intune delivers the MAM capabilities you need.
However, Intune is so powerful, it can get overwhelming. Your IT admins probably have enough work on their hands already.
If that’s the case, a partner like Corsica Technologies can help you secure your applications with MAM. Reach out to us today, and let’s strengthen your mobile device security.
Want to learn more about MDM vs. MAM?
Reach out to schedule a consultation with our security specialists.
