Once upon a time there was Microsoft Excel… According to Wikipedia, the first version of this program appeared in 1987. It’s hard to believe that this application has accompanied so many people for so long. What’s more, today we could jokingly say that Excel is basically a synonym for a spreadsheet…
MDM
A bit later, MDMs appeared in the IT world. This acronym is most often expanded as Mobile Device Management or (sometimes) Modern Device Management. MDM applies in particular to smartphones or, more broadly, to mobile devices, and can support various operating systems, e.g.:
- Android
An open operating system based on Linux, acquired by Google in 2005 and developed for nearly 15 years. The openness of Android means that almost every mobile device manufacturer can use the Android source code, customize it, and use it on their devices. The latest version of the system, Android 15, will most likely be published in the fall of 2024.
- iOS
A closed operating system by Apple based on Unix. In this case, closed means that only Apple uses iOS on its devices and other manufacturers cannot create hardware on which iOS can be installed. This year, Apple announced the release of the latest version, iOS 18.
- Windows
Microsoft's closed operating system used primarily on Nokia Lumia devices and by a few other phone manufacturers. Despite warmly received and smoothly running versions, especially 7 and 8.x, Windows Phone never achieved great popularity and Microsoft eventually ended support for the system in 2017.
- Windows 10 / Windows 11
Microsoft operating systems known from personal computers (PCs) but containing built-in functions that also enable management using an MDM-class system (management of earlier versions of Windows required specialized software, e.g. SCCM / Microsoft Endpoint Manager).
- macOS
Operating system for computers manufactured by Apple. Similar to iOS, new versions of macOS can also be managed in the MDM system.
MTD
The newest “fruit” of the IT world in our ranking is the class of MTD solutions, or Mobile Threat Defense. In short, these are applications and systems that were created as a response to:
1) The huge popularity of mobile devices with iOS and Android systems and ChromeOS*
2) Increasingly frequent use of mobiles for business purposes, e.g. for handling company email
3) The need to protect mobile devices from the frequently occurring cyber threats
4) The need to protect mobile devices from the numerous emerging cyber threats
MTD bears a loose resemblance to (it is NOT an equivalent of) antivirus software known from e.g. Windows systems. First, MTD may or may not be based on signatures or heuristics. Secondly, it much more commonly uses machine learning algorithms, monitors processes running on the mobile device, verifies the integrity of the mobile operating system and detects anomalies. In the event of any security incident, MTD follows a predetermined course of action (incident response). For this reason, it is more accurate to compare MTD to a mobile EDR system**.
*Due to the niche popularity of ChromeOS in Poland, this operating system has been omitted from the description, but it is worth realizing that ChromeOS can be supported by both MDM and MTD systems.
Why did we start with Excel and what does it have to do with phone management?
It turns out that even in 2024, a spreadsheet can still be used to… manage mobile devices (!). Management in Excel includes a number of “functions” such as: assigning the device to a specific person and to a specific SIM card, the model and brand of the mobile device, and even the phone number and device release date to monitor the time of the next device replacement in accordance with the company’s policy…
I trust that we will smile while reading the above words, but considering how much sensitive data is on our phones, the risk associated with a lack of management seems significant. Let’s add to this the risk of leakage of company data, contractors’ data or contracts: the financial and reputational losses can significantly damage our company’s standing.

Jeff Bezos, the head of Amazon, was the victim of an attack on his phone and history remembers it very clearly: there is an article about it in the English-language Wikipedia:
https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking_in
It seems that awareness of the existence of MDM systems is quite common, and yet this does not translate 100% into widespread interest and practical use of such systems in companies and institutions… And it is difficult to really know the reasons for this situation.
It happens that managing mobile devices is the proverbial item on the “compliance checklist” and a spreadsheet with a list of phones does the trick… Of course, only until, for example, we end cooperation with an employee and it is necessary to remotely erase company data from the phone they were using. To put it bluntly: until there is a noticeable failure (a security incident involving a phone), there is no interest in an MDM system in such an organization.
MDM – management foundation for mobile devices.
There is a lot that can be written about MDMs. However, I would like to limit myself to a few simple statements that are valid today, in mid-2024:
- Without MDM, there is no mobile fleet management in the company. Currently, there is no other comprehensive system that can provide the key management functions required for mobile devices.
- A good MDM supports iOS and Android. Of course, it may happen that a company only uses Android or iOS devices, but looking for a solution for only one platform may become an unnecessary limitation in the future. I will add that the best MDM solutions available on the market have no problem with supporting both systems and even offer management of Windows 10/11, macOS or ChromeOS.
- MDM integration with Android Enterprise is a must. For years, Google has been promoting a single recommended approach to managing Android devices, and that is Android Enterprise. Period.
- Security policies are a mandatory first step to mobile device security. There is no other way we can remotely control the security settings of an entire fleet of mobile devices. Not to mention the possibility of remotely deleting company data from the device if it is stolen or lost.
- Automatic configurations are convenient for the administrator responsible for the mobile fleet. Similarly to security policies, various types of configurations and settings are sent to all mobile devices, which significantly reduces the workload associated with managing phones compared to manually configuring each device.
Is MDM the answer to all the problems of the mobile IT world?
Unfortunately not. The popularity of smartphones and widespread access to "spying" software and hardware have taken their toll. As is the case in life, the development of malware and security-breaking tools as well as the development of security systems is a machine that spins non-stop, although often with the former predominating.
The MDM system will provide, among others:
- registering devices and assigning them to a user,
- automatic device configuration (e.g. company Wi-Fi),
- automatic installation and configuration of company applications,
- automatic enforcement of security policies (e.g. PIN/password for the device, "white"/"black" list of applications),
- automatic distribution of certificates.
What does MTD actually protect against?
MTD is a dedicated system for Android and iOS (sometimes also for ChromeOS). One of the key advantages of such specialization is the ability to integrate MTD with MDM systems, i.e. any installation of the required MTD mobile application is provided by the MDM system and it is in MDM that the configuration of MTD security policies takes place.
The threats against which MTD protects can most often be divided into 4 categories:
Solid MTD protection has one more feature: even if the mobile device is not connected to the network (airplane mode, SIM card removed, etc.), this protection still works because the types of threats and the response to them were saved directly on the device during the installation and configuration stage.
MTD system manufacturers can also provide an additional console that presents a list of all devices with an active MTD system, their status (including detected threats), information about the operating system version along with a commentary on whether an update is available for it. There are quite a few options in such a console - all related to the security of mobile devices.
The MTD console also provides access to analysis data for all mobile applications installed on devices. This means that each application installed on, for example, a phone can be additionally verified in terms of privacy and security, i.e. whether it sends data without encryption, whether it communicates with suspicious locations on the network, or even whether the application developer has accidentally used mechanisms and functions considered to be "far from best practice"...
MTD – ok, so how to implement it quickly?
First, if the company does not have an MDM system, I would consider promises of quick and trouble-free implementation to be a non-issue. You can try to implement certain security functions based on private APNs, but MTD is agent-based protection, which means you need to install the application provided by the MTD manufacturer on the devices you protect and configure it appropriately. Without MDM, this will be quite a time-consuming task (especially if the company has many devices).
Secondly, if the company already uses an MDM system, implementing MTD should be much easier. Thanks to the integration of MDM with Google Play and the App Store, it will be possible to download the MTD agent and have it automatically installed and configured on devices. It is worth verifying whether the MTD system we are interested in integrates with our MDM. This can also result in a smoother MTD implementation.
Thirdly, there is also a "premium" version of the implementation. If the manufacturer of the MDM system has prepared such an integration, there is an option to only purchase a license and activate the MTD agent embedded... in the MDM agent already installed on the phone. A few clicks and you're done. I don't think it can be any faster. 😉
PS1. If you do not have a PIN, password or biometric lock set for your phone, please set it now.
PS2. For those interested in the MDM and MTD solutions available on the market, I suggest:
MDM: https://www.gartner.com/reviews/market/unified-endpoint-management-tools
MTD: https://www.gartner.com/reviews/market/mobile-threat-defense