Tips for Your MDM Concept: How to Maintain Data Security When Mobile Devices Are Lost

Companies that equip their employees with mobile devices should pay special attention to one aspect of the device lifecycle – the fact that smartphones or tablets are often lost without ever reappearing. This article will show you what to pay attention to when procuring hardware and implementing your MDM strategy, and how to protect data on the device.

Android Smartphone in Lost Mode

Lost Mode – an important piece of the puzzle for every MDM concept.

Smartphones and tablets are increasingly pushing their way into existing work processes and opening up completely new possibilities in everyday business. However, they also pose major challenges for companies which, in addition to their technical implementation, also affect many administrative and organizational processes. This begins with device procurement and continues with the rollout, exchange and return of mobile devices.

In addition to the purely financial damage caused by the loss of hardware, businesses also have to factor in employee downtime, replacement costs and, last but not least, potential immaterial damage caused by the loss of data on the device.

MDM Tip 1: Use Devices with Find Device Features

The ability to retrieve lost devices, lock them remotely and delete data should be a top priority from the company’s point of view when selecting devices.

With the Find My iPhone and Find My Device services, the two industry giants Apple and Google offer extensive options on their platforms. iOS and Android users for example can display the current location of the device they are looking for, remove content and reset all settings. Provided however that they have previously set up a Google or iCloud account on the device and enabled the service to find the device.

In the corporate context, a Google or iCloud account is not necessarily required. In addition, these services should not be set up solely by employees. This can be easily solved by using a mobile device management system.

MDM Tip 2: Operating Devices in Fully Managed Mode

Companies using an MDM system can benefit from additional iOS and Android security features in addition to the Find Device options. The only requirement with both platforms is the use of fully managed devices that are integrated in a COBO (Corporate-Owned, Business-Only) or COPE (Corporate-Owned, Personally-Enabled) scenario.

For iOS devices, this means that smartphones and tablets can only be operated in supervised mode. Android devices must be set to Fully Managed Mode (also Work Managed Device). Integration into your MDM system requires the device to be set up as soon as it is put into operation.

MDM Tip 3: Ensure Separation of Private and Business Data for BYOD Devices

In the event of loss of BYOD (Bring Your Own Device) devices, i.e. private devices for business use, the business area on the device in question should be deleted remotely without any delay. The prerequisite for this is the separation of business and private data on the devices. For iPads and iPhones, this separation can be achieved via a native business container. Android, on the other hand, offers a separate work profile for this purpose. However, the replacement of private mobile devices is not the task of the company.

MDM Tip 4: Check Lost Mode Support for Android

If a fully managed iOS device is lost, Lost Mode can be activated from the MDM system at any time. This then locks the device similar to the Find My iPhone feature described above. However, an important difference is that the device can only be unlocked via the MDM console. Unlocking by entering a PIN, as possible with the Find My iPhone feature, is not intended.

Only in Lost Mode is it possible to determine the location of the iOS device when using an MDM system – provided that the corresponding requirements exist on the iPhone or iPad at that moment (e.g. that the device is online).

In contrast to Apple, which has implemented all MDM functions as part of the operating system right from the start, companies with Android devices are heavily dependent on the functionality of the MDM system. Here, the MDM provider must implement the lost mode functionality itself and make it available to the devices by means of an app.

Due to the fragmentation of the Android operating system, implementation of lost mode for the Android platform is very difficult, which is reflected in differences in functionality. Although most MDM solutions can primarily block access to the Android device and determine its location, you should consider the following points when selecting your MDM system:

  • When locking an Android device, it should be possible to activate Wi-Fi, LTE and GPS connections simultaneously to increase the chances of successful device feedback to the MDM system.
  • Resetting the device, access via USB interfaces for file transfer or debugging must also be prevented.
  • Any changes to the device status, such as changing a SIM card, approaching loss of battery or incoming calls, can be reported by the MDM system.
  • If the device cannot be found by locating it, it should ultimately be possible to delete it completely (full wipe). The extent to which the device can still be reached for this purpose is questionable. However, the delete command should always be issued.

MDM Tip 5: Using Device Enrollment Programs

Companies may also use other technical measures that make it more difficult for unauthorized persons to use the hardware. This can be done using special corporate services from Apple and Google.

Apple’s Device Enrollment Program (DEP) and Google’s Zero-Touch Enrollment are two services for the mass provision of mobile devices for MDM systems. These services enable companies to purchase from authorized resellers and automatically provision devices with a configurable MDM server the first time they are turned on.

When starting, the devices automatically communicate with Apple or Google servers and use unique device characteristics to determine whether they have been configured for the DEP or Zero-Touch program. If this is the case, the device automatically connects to the company’s MDM system and sets up the device according to pre-defined policies.

This functionality can also be used when resetting a lost device. If an unauthorized person were to reset a device to factory defaults, a DEP or Zero-Touch enabled smartphone or tablet would automatically attempt to contact the MDM server again. During the subsequent setup of the device, the access data of the MDM system will be queried. This process is very difficult to break through and reduces the possibility and incentive of unauthorized hardware operation.

Conclusion

In summary, companies should also use MDM systems to minimize the risk of equipment loss. They should rely on MDM solutions with lost mode support for iOS and Android, such as Cortado Cloud. In addition, fully managed devices with additional DEP or Zero-Touch activation must be used to continuously protect devices from unauthorized access.

Comments are closed.