



10 BEST PRACTICES FOR MOBILE DEVICE MANAGEMENT (MDM)

CONTENT
INTRODUCTION
SCOPE OF BEST PRACTICES
1. HAVE A POLICY THAT IS REALISTIC
2. COVER THE BASICS: PASSWORDS, ENCRYPTION, AND REMOTE WIPE
3. TAKE STOCK USING A MULTIPLATFORM REPORTING AND INVENTORY TOOL
4. INCLUDE YOUR MOBILE DEVICE INVENTORY AND POLICY STATUS IN OPERATIONS REVIEWS
5. START PLANNING FOR CENTRALIZED CONTROL
6. MAKE IT SIMPLE TO GET UP AND RUNNING
7. ENABLE COST MANAGEMENT FOR NETWORK USAGE
8. MANAGE APPLICATION RESTRICTIONS AND YOUR OWN APPLICATION STOREFRONT
9. LIMIT DATA TRANSFERS AND SEPARATE CORPORATE AND PERSONAL INFORMATION
10. PROVIDE NETWORK PROTECTION
FORESCOUT MDM FOR MOBILE DEVICES
FORESCOUT COUNTERACT™ INTEGRATION
ABOUT FORESCOUT

Introduction

Businesses and employees are now using mobile devices in ways not envisioned as recently as a year ago. Personal device ownership and usage in the enterprise is growing rapidly, and more businesses than ever before are facing the challenge of how to fully provision, support, manage and secure mobile devices in their corporate environments. MDM systems include a wide range of tools that help you to support the entire enterprise mobility lifecycle – from provisioning to configuration management, app and document management, expense management, compliance and security, and reporting.

Scope of Best Practices

So why is it taking so long for businesses to officially assimilate mobile devices into their organizations? It's usually because they want to put an IT strategy for management and operation in place first. We understand that IT would like to add a degree of rigor, but the solution doesn't have to be that difficult. This document describes 10 best practices for Mobile Device Management (MDM). Desktops, laptops, smartphones and tablets are coming together and need a single platform to manage every device, both personal and corporate owned. Regardless of your business, industry or users, be sure to adopt the following practices:

1. Have a policy that is realistic
2. Cover the basics: passwords, encryption, and remote wipe
3. Take stock using a multiplatform reporting and inventory tool
4. Include your mobile device inventory and policy status in operations reviews
5. Start planning for centralized control
6. Make it simple to get up and running
7. Enable cost management for network usage
8. Manage application restrictions and your own application storefront
9. Limit data transfers, and separate corporate and personal information
10. Provide network protection

1. Have a Policy That's Realistic

Chances are good that your business has a BlackBerry corporate standard, right? And that your business has at least one iPhone or iPad that syncs to your email infrastructure (most likely for the CEO or president) using Exchange ActiveSync® or Lotus Notes Traveler®. If that's the case, you probably have a lot more personal iOS, Android and Windows Phone devices inside your organization. They just don't know it. After all, it's easy for any mobile device to integrate with email infrastructure like Exchange using the ActiveSync functionality you turned on. Just Google "Setting up iPhone on Exchange" and see how your employees are doing it. Frankly, nearly all organizations are doing this now.

Be sure to do the following:
1. Support multiple device platforms
2. Allow personal devices

2. Enforce Basic Security: Password, Encryption, and Remote Wipe

You need to:
• Require a strong password.
• Set up devices to automatically lock after 5-15 minutes of inactivity
• Configure devices to automatically wipe after 10 failed login attempts or if they are reported lost
• Enable local encryption

Some organizations may want to consider more protection. But before you put yourself in that category, ask yourself one question: Do we enforce this level of security on our laptops?

If you have a BlackBerry Enterprise Server, then you are covered on that platform. And with Exchange or Lotus Notes, you can enforce your PIN policy and remote wipe your iPhones, iPads®, and Windows Phone devices. (Android™ added this Exchange-based security control in version 2.2.)

3. Take Stock Using a Multi-Platform Reporting and Inventory Tool

Making decisions and quantifying risks about mobile devices is hard without good data on the mobile devices and BYOD computers that are in your environment. For instance, it's not uncommon for terminated employees to still be using corporate mobile devices—but you can't stop this unless you know about it. With a lightweight reporting and inventory tool, you can keep tabs on how mobile devices are being used and by whom. Make sure the solution:
• Empowers the helpdesk to troubleshoot devices
• Is accessible outside of IT (for example, HR should have access during exit interviews to turn off devices for employees who are leaving the company)
• Includes strong application inventory and search capabilities
• Includes the ability to see not just mobile devices but also BYOD computers running Windows and MacOS.

Following the three principles we've already outlined is a responsible approach that takes advantage of existing infrastructure for device and risk management. And it's a smart one considering that you really can't stop people in your environment from using mobile devices. You may be worried that you'll need a new solution to implement the first three best practices. That isn't necessarily the case. The biggest issue with this approach is that reporting is limited and not scalable—you'll need to develop and run reports manually, and deal with the lack of a centralized view into all devices. But taking the first step with reporting and inventorying can dramatically improve your current posture on the uber-popular iPhone and Android devices. Then you can plan a more scalable and robust management and security solution (as described in the next best practices).

4. Include Your Mobile Device Inventory and Policy Status in Operations Reviews

Report on and discuss your mobile device inventory and policy status—including personal devices—in your IT operations reviews. It's a good way to broaden the discussion beyond those responsible for managing devices in your environment. It's also an opportunity to raise the visibility of the benefits for your organization, as well as for future resource requirements such as needed involvement from those responsible for security and other areas of IT. Your inventory and reporting tool should make it simple to produce the reports to start conversations in these meetings. You'll rely on your data and reports daily, and you'll want to avoid any manual processes to access your business intelligence on mobile devices. Be sure your reporting and inventory tool consolidates both your existing BlackBerry and your multi-platform MDM solutions.

5. Start Planning for Centralized Control

Your BlackBerry Enterprise Server is probably well entrenched. But it is not multiplatform, and a multi-platform solution is needed to support the variety of devices in your environment. Consider these four emerging—and economically sound—best practices:
1. Integrate your MDM platform with a system that can also manage PCs and Macs as well as mobile devices. The lines between laptops, tablets, and smartphones will continue to blur in both user functionality and IT operations. A versatile MDM solution will cut down on infrastructure costs, improve operational efficiency, simplify things for IT, and create a single user view into devices and data for operations and security.
2. Take a look at cloud-based MDM services. When you account for full Total Cost of Ownership (TCO), a LAN-oriented management solution can be costly. Why use a more expensive—and wired—solution to manage remote mobile devices?
3. Go the agent route with caution. If you opt for an agent-based solution, you'll spend lots of time installing and maintaining it across the mobile landscape, given the proliferation of hardware/OS/carrier combinations. If you can meet your needs with network-based security controls, all the better.
4. You'll find that a network-based solution is better for the long haul, both operationally and economically.

6. Make it Simple to Get Up and Running

Don't make IT responsible for reviewing each request for device and system access. Instead, empower users to enroll their own devices by visiting a single URL. Set up a network access control system that automatically directs new devices to a web page where the user can enroll their device themselves. Set up a default policy that approves new users' devices and pushes down their e-mail and corporate Wi-Fi profiles. In addition to making the process easy for end users, this level of control can be automated by integrating your MDM system with a network access control (NAC) system. For example, your policy could specify that any Android device with OS 2.4 or above is automatically granted access to corporate systems, while any Android device on earlier operating systems will be granted more limited access or blocked entirely.

The practices we've discussed so far should meet most organizations' needs. In fact, in practice, they satisfy the most stringent security and privacy regulations, such as those dictated by HIPAA, FINRA, and PCI DSS. These regulations only require that organizations encrypt their data and are able to destroy data on a lost device. The essential practices cover that and more.
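To make the controls in practices 2, 3 and 6 concrete, here is an added Python example. It is not ForeScout's code and does not come from this paper: it encodes the four basic controls from practice 2 (strong password, inactivity lock of at most 15 minutes, wipe after at most 10 failed logins, encryption), the Android 2.4 access rule from practice 6, and the "terminated employee still holds a device" report from practice 3, and runs them over a constructed inventory. The record fields, the sample devices and the 8-character password threshold are assumptions made for the example.

```python
"""Added example, not ForeScout's code and not taken from this paper.

Models the four basic controls from practice 2 (password, inactivity lock,
wipe after failed logins, encryption) and the OS-version rule from
practice 6 as a small policy check over a device inventory (practice 3).
Field names, the sample records and the 8-character password threshold
are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Practice 2 thresholds: lock after 5-15 minutes, wipe after 10 failures.
MAX_LOCK_MINUTES = 15
MAX_FAILED_ATTEMPTS = 10
MIN_PASSWORD_LENGTH = 8          # assumed meaning of "strong password"

# Practice 6 example rule: Android 2.4 or above gets full access.
MIN_ANDROID_VERSION = (2, 4)


@dataclass
class Device:
    user: str
    platform: str                # "iOS", "Android", "Windows Phone", ...
    os_version: str
    enrolled: bool               # known to the MDM / email infrastructure
    password_length: int         # 0 means no password set
    lock_after_minutes: int      # 0 means auto-lock disabled
    wipe_after_failures: int     # 0 means wipe-on-failure disabled
    encrypted: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.6' -> (2, 3, 6). Tuples compare numerically, so '2.10' ranks
    above '2.4'; a plain string comparison would get that backwards."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def policy_violations(dev: Device) -> List[str]:
    """Names of the practice-2 controls this device fails; [] = compliant."""
    problems = []
    if dev.password_length < MIN_PASSWORD_LENGTH:
        problems.append("weak-password")
    if not 0 < dev.lock_after_minutes <= MAX_LOCK_MINUTES:
        problems.append("inactivity-lock")
    if not 0 < dev.wipe_after_failures <= MAX_FAILED_ATTEMPTS:
        problems.append("wipe-on-failed-logins")
    if not dev.encrypted:
        problems.append("no-encryption")
    return problems


def access_decision(dev: Device) -> str:
    """NAC-style decision: 'full', 'limited' or 'blocked'.

    Unenrolled devices are blocked outright, non-compliant ones are
    limited, and the Android version rule is applied only after both."""
    if not dev.enrolled:
        return "blocked"
    if policy_violations(dev):
        return "limited"
    if dev.platform == "Android" and parse_version(dev.os_version) < MIN_ANDROID_VERSION:
        return "limited"
    return "full"


def inventory_report(devices: List[Device], terminated_users: set) -> Dict:
    """Practice 3/4 report: devices per platform, devices still tied to
    terminated employees, and the access decision for each device."""
    by_platform: Dict[str, int] = {}
    for dev in devices:
        by_platform[dev.platform] = by_platform.get(dev.platform, 0) + 1
    orphaned = [dev for dev in devices if dev.user in terminated_users]
    decisions = {f"{dev.user}/{dev.platform}": access_decision(dev) for dev in devices}
    return {"by_platform": by_platform, "orphaned": orphaned, "decisions": decisions}


# Constructed sample inventory (not real data).
SAMPLE_DEVICES = [
    Device("alice", "iOS", "6.1", True, 8, 10, 10, True),
    Device("bob", "Android", "2.3.6", True, 8, 10, 10, True),
    Device("dave", "Windows Phone", "7.8", False, 4, 0, 0, False),
    Device("erin", "Android", "4.1.2", True, 8, 30, 10, True),
]
TERMINATED_USERS = {"dave"}      # HR says dave has left; his device is still listed

if __name__ == "__main__":
    report = inventory_report(SAMPLE_DEVICES, TERMINATED_USERS)
    for key, decision in report["decisions"].items():
        print(f"{key:22s} {decision}")
    print("orphaned:", [d.user for d in report["orphaned"]])
```

Two details matter for the practice-6 rule: OS versions are compared as integer tuples rather than strings, and the version check runs only after enrollment and compliance have been established, so an Android 4.x device with auto-lock set to 30 minutes still ends up with limited access.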

7. Enable Cost Management for Network Usage

• Multi-national businesses need to be able to monitor and limit international data roaming, since those costs can quickly reach thousands of dollars per trip.
• Also, with US pricing plans introduced by AT&T® for iPhones and iPads, anything other than flat rate unlimited could lead to high costs. Verizon also has iPhones and Androids, so usage tracking and restriction will become a requirement for domestic connectivity.

8. Manage Application Restrictions and Your Own Application Storefront

Today, most smartphone and tablet vendors do a good job of limiting usage to certified and approved applications. Some would argue they do too good of a job restricting access. That said, other vendors maintain a very open policy for creating applications, with no formal process for certifying apps. Thus, certain organizations or industries may need to restrict the type of application allowed on a corporate-approved device. If you want to be proactive about it, set up your own enterprise application storefront. This allows you to present a list of approved applications and ease their delivery to mobile devices. Plus, your users will know where to go for these applications and for updates. Some MDM-solution providers can even help you deliver documents such as PDFs to devices.

9. Limit Data Transfers and Separate Corporate and Personal Information

Some businesses find it valuable to restrict downloading attachments or prevent the copying of data to removable media. Implementing these solutions is very difficult, and the data classification exercise is nearly intractable. An alternative is to create separate virtual containers for business and personal data and applications.

10. Provide Network Protection

While it is true that MDM protects devices that have already enrolled in the system, MDM is not a complete security solution, for a few reasons:
• MDM systems can only see and manage devices that have already been enrolled in the MDM system. MDM is blind to unmanaged devices on the network.
• MDM systems typically do not control access to the network itself. MDM does not prevent unauthorized access to data on the network, nor does MDM prevent infected or compromised devices from attacking the network.
• MDM systems typically do not manage personally-owned Windows and MacOS computers.
• MDM systems are sometimes operated as another management silo, with another set of management screens, separate policies, and separate reports. This creates an opportunity for policies to be inconsistently applied and translated across the various IT management systems and groups. Even worse is when the MDM system is managed by a different group of people than are responsible for computer security.

To resolve these issues, consider linking your MDM system to a network access control (NAC) system which ties into your broader security infrastructure for PCs and provides real-time visibility and control over new and unmanaged devices.
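The MDM-plus-NAC linkage recommended in practice 10 comes down to correlating two views: what the NAC sees connecting to the network and what the MDM knows about enrollment and compliance. The following added Python example (not ForeScout's or MaaS360's code, and not from this paper) does that correlation over constructed NAC connect events and a constructed MDM record set. It also goes one step beyond practice 10 to the "on-demand profiling" point made later under the CounterACT integration: a device whose last MDM profile scan is older than a limit is sent for a fresh scan at connect time instead of being admitted on stale data. The log line format, record fields, MAC addresses and the 4-hour staleness limit are all assumptions made for the example.

```python
"""Added example, not ForeScout's or MaaS360's code and not from this paper.

Correlates what a NAC sees on the network with what the MDM knows, as
practice 10 recommends: devices the MDM has never enrolled are sent to
self-enrollment, devices the MDM reports as non-compliant are quarantined,
and a device whose last profile scan is stale gets a fresh scan before it
is admitted. The log format, record fields, MAC addresses and the 4-hour
staleness limit are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_SCAN_AGE = timedelta(hours=4)     # assumed; the paper gives no figure

# MDM view, keyed by MAC address (constructed sample data).
MDM_ENROLLED = {
    "00:11:22:33:44:01": {"user": "alice", "compliant": True,
                          "last_scan": datetime(2013, 3, 1, 9, 0)},
    "00:11:22:33:44:02": {"user": "bob", "compliant": False,
                          "last_scan": datetime(2013, 3, 1, 9, 30)},
    "00:11:22:33:44:03": {"user": "carol", "compliant": True,
                          "last_scan": datetime(2013, 2, 28, 22, 0)},
}

# NAC view: constructed events in an assumed "date time mac event" format.
NAC_LOG = """\
2013-03-01 10:00:00 00:11:22:33:44:01 connect
2013-03-01 10:01:00 00:11:22:33:44:02 connect
2013-03-01 10:02:00 00:11:22:33:44:03 connect
2013-03-01 10:03:00 00:11:22:33:44:99 connect
2013-03-01 10:04:00 00:11:22:33:44:01 disconnect
"""


def parse_nac_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the assumed log format into (timestamp, mac, event) tuples,
    skipping blank or malformed lines rather than failing the whole run."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        date, clock, mac, event = fields
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, mac.lower(), event))
    return events


def decide(mac: str, seen_at: datetime, enrolled: Dict[str, dict]) -> Tuple[str, str]:
    """Return (action, reason) for one connect event.

    Known-bad wins over stale: a device the MDM already flags as
    non-compliant is quarantined even if its scan is fresh."""
    rec = enrolled.get(mac)
    if rec is None:
        return ("enroll", "not in MDM inventory; redirect to self-enrollment")
    if not rec["compliant"]:
        return ("quarantine", "MDM reports a policy violation")
    if seen_at - rec["last_scan"] > MAX_SCAN_AGE:
        return ("rescan", "last profile scan older than %s" % MAX_SCAN_AGE)
    return ("admit", "enrolled and compliant")


def evaluate(log_text: str, enrolled: Dict[str, dict]) -> Dict[str, Tuple[str, str]]:
    """Decision per MAC for every connect event in the log."""
    return {mac: decide(mac, stamp, enrolled)
            for stamp, mac, event in parse_nac_log(log_text) if event == "connect"}


if __name__ == "__main__":
    for mac, (action, reason) in evaluate(NAC_LOG, MDM_ENROLLED).items():
        print(f"{mac}  {action:10s} {reason}")
```

The ordering inside decide() is the security-relevant part: an unknown device is never admitted, a device the MDM already knows to be non-compliant is quarantined before anything else is considered, and only an enrolled, compliant device with a fresh scan reaches "admit". Keying on MAC address is a simplification; a real NAC would use its own device identity.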

ForeScout MDM for Mobile Devices

ForeScout MDM, powered by MaaS360, is an easy-to-use platform that includes all of the essential functionality that you need for end-to-end management of iOS, Android, Windows Phone, and BlackBerry devices, from enrollment to security, monitoring, application management and support. ForeScout MDM is powered by MaaS360, a powerful cloud-based technology that is used to manage and secure more than one million endpoints for more than 1200 companies around the world. The MaaS360 platform was honored with the 2012 Global Mobile Award for "Best Enterprise Mobile Service" at Mobile World Congress. And what's better is that it integrates with ForeScout CounterACT™, our flagship network security and policy automation system, to give you unified visibility and control over everything on your network. Use both MDM and NAC for complete BYOD security.

ForeScout MDM is a cloud-based solution, so deployment is quick and easy. In just a few clicks, IT can start enrolling devices and managing the entire mobile device lifecycle. Together with ForeScout CounterACT, ForeScout MDM provides a whole new level of centralized visibility and control for actionable insights into your entire computing landscape.
• Secure all Mobile Devices: ForeScout MDM supports all major smartphone and tablet platforms including iOS, Android, BlackBerry, and Windows Phone devices.
• Experience simple device enrollment and approval: ForeScout MDM provides auto-quarantine for both Exchange and Lotus Notes environments, and alerts IT personnel to approve all new devices. Additionally, it provides for easy user self-enrollment via web, email or SMS.
• Embrace BYOD: ForeScout MDM provides workflows to discover, enroll, manage and report on personally owned devices as part of your mobile device operations.

ForeScout CounterACT Integration

ForeScout CounterACT is the world's best selling self-contained network access control (NAC) system. ForeScout CounterACT can integrate with ForeScout MDM and other leading MDM vendors. When your MDM system is integrated with ForeScout CounterACT, it provides you with many advantages:
• Visibility of unmanaged mobile devices: MDM systems can only see what they are managing. ForeScout CounterACT can provide visibility to personal mobile devices that are not managed. This is especially important for organizations with split responsibilities, where one team manages the MDM system and another team is responsible for security management.
• Enrollment. ForeScout CounterACT can automate the enrollment process for new devices, saving IT time and resources.
• Improved security by ensuring that only enrolled and compliant devices are admitted to your network.
• Guest Registration. If you wish to set up a guest network for personal mobile devices, you can use ForeScout CounterACT's built-in guest registration system. Once a guest has been approved, ForeScout CounterACT can dynamically enforce your security policies, such as restricting the user's access to just the Internet.
• On-demand Profiling. MDM systems routinely check to see if the configuration of a mobile device matches a defined policy. This profile scan is done at various intervals so that battery life is maintained (like how many full virus scans can you perform on an unplugged notebook before it goes dead). This opens a security risk between when a device is on your network and when it was last scanned. CounterACT can trigger a fresh configuration scan the moment that the mobile device tries to connect to your network.
• Continuous Protection. ForeScout CounterACT includes ForeScout's patented ActiveResponse™ technology which can detect and block zero-day threats. If malware exists on the mobile device and tries to propagate or interrogate your network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can automatically quarantine or remove the mobile device from your network.
• Unified network access control and compliance reporting for all endpoint devices—PCs, smartphones, and tablets.

About ForeScout

ForeScout enables organizations to accelerate productivity and connectivity by allowing users to access corporate network resources where, how and when needed without compromising security. ForeScout's real-time network security platform for access control, mobile security, endpoint compliance and threat prevention empower IT agility while preempting risks and eliminating remediation costs. Because the ForeScout CounterACT solution is easy to deploy, unobtrusive, intelligent and scalable, it has been chosen by more than 1,400 of the world's most secure enterprises and military installations for global deployments spanning 37 countries. Headquartered in Cupertino, California, ForeScout delivers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

© 2013 ForeScout Technologies, Inc. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, and ActiveResponse are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc 2013-009