10 BEST PRACTICES FOR MOBILE DEVICE MANAGEMENT (MDM)

CONTENT
INTRODUCTION
SCOPE OF BEST PRACTICES
1. HAVE A POLICY THAT IS REALISTIC
2. TAKE STOCK USING A MULTIPLATFORM REPORTING AND INVENTORY TOOL
3. COVER THE BASICS: PASSWORDS, ENCRYPTION, AND REMOTE WIPE
4. MAKE IT SIMPLE TO GET UP AND RUNNING
5. START PLANNING FOR CENTRALIZED CONTROL
6. INCLUDE YOUR MOBILE DEVICE INVENTORY AND POLICY STATUS IN OPERATIONS REVIEWS
7. ENABLE COST MANAGEMENT FOR NETWORK USAGE
8. MANAGE APPLICATION RESTRICTIONS AND YOUR OWN APPLICATION STOREFRONT
9. PROVIDE NETWORK PROTECTION
10. LIMIT DATA TRANSFERS, AND SEPARATE CORPORATE AND PERSONAL INFORMATION
FORESCOUT MDM FOR MOBILE DEVICES
FORESCOUT COUNTERACT INTEGRATION
ABOUT FORESCOUT

MDM systems include a wide range of tools that help you to support the entire enterprise mobility lifecycle, from
provisioning to configuration management, compliance and security, app and document management, support, expense
management, and reporting.

Introduction
Businesses and employees are now using mobile devices in ways not envisioned as recently as a year ago. Personal device
ownership and usage in the enterprise are growing rapidly, and more businesses than ever before are facing the challenge of
how to fully provision, manage and secure mobile devices in their corporate environments. Desktops, laptops, smartphones and
tablets are coming together and need a single platform to manage every device, both personal and corporate-owned.

Scope of Best Practices
So why is it taking so long for businesses to officially assimilate mobile devices into their organizations? It's usually because they
want to put an IT strategy for management and operation in place first. We understand that IT would like to add a degree of rigor,
but the solution doesn't have to be that difficult.
This document describes 10 best practices for Mobile Device Management (MDM). Regardless of your business, industry or users,
be sure to adopt the following practices:
1. Have a policy that is realistic
2. Take stock using a multiplatform reporting and inventory tool
3. Cover the basics: passwords, encryption, and remote wipe
4. Make it simple to get up and running
5. Start planning for centralized control
6. Include your mobile device inventory and policy status in operations reviews
7. Enable cost management for network usage
8. Manage application restrictions and your own application storefront
9. Provide network protection
10. Limit data transfers, and separate corporate and personal information

1. Have a Policy That's Realistic
You need to:
1. Support multiple device platforms
2. Allow personal devices
Frankly, nearly all organizations are doing this now. They just don't know it. Chances are good that your business has a
BlackBerry corporate standard, right? And that your business has at least one iPhone or iPad that syncs to your email
infrastructure (most likely for the CEO or president) using Exchange ActiveSync or Lotus Notes Traveler. If that's the
case, you probably have a lot more personal iOS, Android and Windows Phone devices inside your organization. After
all, it's easy for any mobile device to integrate with email infrastructure like Exchange using the ActiveSync functionality
you turned on. Just Google "Setting up iPhone on Exchange" and see how your employees are doing it.

2. Take Stock Using a Multi-Platform Reporting and Inventory Tool
Making decisions and quantifying risks about mobile devices is hard without good data on the mobile devices and BYOD
computers that are in your environment. For instance, it's not uncommon for terminated employees to still be using
corporate mobile devices, but you can't stop this unless you know about it.
With a lightweight reporting and inventory tool, you can keep tabs on how mobile devices are being used and by whom.
Make sure the solution:
- Empowers the helpdesk to troubleshoot devices
- Is accessible outside of IT (for example, HR should have access during exit interviews to turn off devices for
  employees who are leaving the company)
- Includes strong application inventory and search capabilities
- Includes the ability to see not just mobile devices but also BYOD computers running Windows and MacOS

3. Enforce Basic Security: Password, Encryption, and Remote Wipe
Be sure to do the following:
- Require a strong password
- Set up devices to automatically lock after 5-15 minutes of inactivity
- Configure devices to automatically wipe after 10 failed login attempts or if they are reported lost
- Enable local encryption
Some organizations may want to consider more protection. But before you put yourself in that category, ask yourself one
question: Do we enforce this level of security on our laptops?
You may be worried that you'll need a new solution to implement the first three best practices. That isn't necessarily
the case. If you have a BlackBerry Enterprise Server, then you are covered on that platform. And with Exchange or Lotus
Notes, you can enforce your PIN policy and remote wipe your iPhones, iPads, and Windows Phone devices. (Android added
this Exchange-based security control in version 2.2.)
Following the three principles we've already outlined is a responsible approach that takes advantage of existing
infrastructure for device and risk management. And it's a smart one considering that you really can't stop people in your
environment from using mobile devices.
The biggest issue with this approach is that reporting is limited and not scalable: you'll need to develop and run reports
manually, and deal with the lack of a centralized view into all devices.
But taking the first step with reporting and inventorying can dramatically improve your current posture on the uber-popular
iPhone and Android devices. Then you can plan a more scalable and robust management and security solution
(as described in the next best practices).
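The following is an added example, not code from this ForeScout document or from any ForeScout or MaaS360 product. It shows the kind of report practices 2 and 3 call for: a device inventory export is reconciled against an HR roster to find devices whose owner has left or is unknown, devices that have stopped checking in, and devices that fail the baseline settings listed under practice 3 (passcode, auto-lock within 15 minutes, wipe after 10 failed attempts, local encryption). The device records, the HR roster, the field names and the 30-day staleness threshold are all constructed for the example; a real reporting tool would supply its own export format.

```python
from datetime import date

# Constructed sample data (not from the document): one row per device, as an
# inventory tool might export it, plus an HR roster keyed by username.
DEVICES = [
    {"id": "dev-001", "platform": "iOS", "owner": "alice", "last_sync": date(2013, 3, 1),
     "passcode": True, "autolock_min": 10, "wipe_after": 10, "encrypted": True},
    {"id": "dev-002", "platform": "Android", "owner": "bob", "last_sync": date(2013, 2, 27),
     "passcode": True, "autolock_min": 5, "wipe_after": 10, "encrypted": True},
    {"id": "dev-003", "platform": "BlackBerry", "owner": "carol", "last_sync": date(2013, 1, 2),
     "passcode": True, "autolock_min": 15, "wipe_after": 10, "encrypted": True},
    {"id": "dev-004", "platform": "iOS", "owner": "dave", "last_sync": date(2013, 2, 28),
     "passcode": False, "autolock_min": None, "wipe_after": None, "encrypted": False},
]
# HR roster: username -> employment status. "carol" is deliberately absent,
# the case of a device whose owner HR has no record of.
HR_ROSTER = {"alice": "active", "bob": "terminated", "dave": "active"}

MAX_AUTOLOCK_MIN = 15      # practice 3: lock after 5-15 minutes of inactivity
MAX_FAILED_ATTEMPTS = 10   # practice 3: wipe after 10 failed login attempts
STALE_AFTER_DAYS = 30      # assumption for this example, not a figure from the document


def baseline_violations(dev):
    """Return the practice-3 baseline settings this device record fails (empty if compliant)."""
    problems = []
    if not dev["passcode"]:
        problems.append("no passcode")
    if dev["autolock_min"] is None or dev["autolock_min"] > MAX_AUTOLOCK_MIN:
        problems.append("auto-lock disabled or longer than 15 minutes")
    if dev["wipe_after"] is None or dev["wipe_after"] > MAX_FAILED_ATTEMPTS:
        problems.append("wipe after failed attempts disabled or above 10")
    if not dev["encrypted"]:
        problems.append("local encryption off")
    return problems


def orphaned_devices(devices, roster):
    """Devices whose owner is terminated or unknown to HR; these still sync corporate mail."""
    return [(d["id"], d["owner"], roster.get(d["owner"], "unknown"))
            for d in devices if roster.get(d["owner"], "unknown") != "active"]


def stale_devices(devices, today, max_age_days=STALE_AFTER_DAYS):
    """Devices that have not checked in for longer than max_age_days; candidates for review or wipe."""
    return [d["id"] for d in devices if (today - d["last_sync"]).days > max_age_days]


def inventory_report(devices, roster, today):
    """The summary an IT operations review could start from (practice 6)."""
    noncompliant = {d["id"]: baseline_violations(d) for d in devices if baseline_violations(d)}
    return {
        "total": len(devices),
        "by_platform": {p: sum(1 for d in devices if d["platform"] == p)
                        for p in sorted({d["platform"] for d in devices})},
        "orphaned": orphaned_devices(devices, roster),
        "stale": stale_devices(devices, today),
        "noncompliant": noncompliant,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inventory_report(DEVICES, HR_ROSTER, date(2013, 3, 2)), indent=2))
```

Run as a script it prints the report for the constructed data; in practice the HR roster lookup is the part worth wiring up first, because it is exactly the "terminated employee still syncing mail" case the text describes, and an owner absent from the roster deserves the same follow-up as a terminated one.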

4. Make it Simple to Get Up and Running
Don't make IT responsible for reviewing each request for device and system access. Instead, empower users to enroll
their own devices by visiting a single URL. Set up a network access control system that automatically directs new
devices to a web page where the user can enroll their device themselves. Set up a default policy that approves new users'
devices and pushes down their e-mail and corporate Wi-Fi profiles.
In addition to making the process easy for end users, simplify things for IT. For example, your policy could specify that any
Android device with OS 2.2.4 or above is automatically granted access to corporate systems, while any Android device on
earlier operating systems will be granted more limited access or blocked entirely. By integrating your MDM system with a
network access control (NAC) system, this level of control can be automated.
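As an added example (not code from this document or from any NAC or MDM product), here is the access rule described above written out as the decision a NAC policy tied to an MDM system would make for each connecting device. The four outcomes ("enroll", "limited", "block", "full"), the `Device` record with its `compliant` flag (assumed to be the MDM system's verdict on the practice-3 baseline), and the per-platform minimum-version table are all assumptions of the example; only the Android 2.2.4 threshold and the limited-or-blocked treatment of older devices come from the text. It also shows why OS versions must be compared numerically: compared as strings, "2.10" sorts below "2.2.4" and a newer device would be wrongly limited.

```python
import re
from dataclasses import dataclass


@dataclass
class Device:
    platform: str      # "iOS", "Android", "WindowsPhone", "BlackBerry"
    os_version: str    # as reported by the MDM agent or ActiveSync, e.g. "2.2.4"
    enrolled: bool     # known to the MDM system at all?
    compliant: bool    # MDM's verdict on the practice-3 baseline (passcode, lock, wipe, encryption)


# Hypothetical policy table: minimum OS version per platform for full access.
# The Android value is the one from the text; other platforms are left unset here.
MIN_OS_VERSION = {"Android": "2.2.4"}


def parse_version(version):
    """Turn "2.2.4" into (2, 2, 4) so versions compare numerically, not as strings.

    Non-numeric suffixes such as "-beta" are ignored; an unparsable string becomes (0,)
    so it always falls below any real minimum.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version)) or (0,)


def access_decision(dev):
    """Return the network access level a NAC policy integrated with MDM would grant."""
    if not dev.enrolled:
        return "enroll"                      # redirect to the self-enrollment web page
    minimum = MIN_OS_VERSION.get(dev.platform)
    below_min = minimum is not None and parse_version(dev.os_version) < parse_version(minimum)
    if below_min and not dev.compliant:
        return "block"                       # old OS and fails the baseline: keep it off entirely
    if below_min or not dev.compliant:
        return "limited"                     # e.g. Internet only, or mail without internal systems
    return "full"


if __name__ == "__main__":
    # Constructed sample devices for the example.
    for dev in [Device("Android", "4.1.2", True, True),
                Device("Android", "2.1", True, True),
                Device("Android", "2.1", True, False),
                Device("iOS", "6.1", False, False)]:
        print(dev, "->", access_decision(dev))
```

The order of the checks matters: an unenrolled device gets the enrollment redirect before any version or compliance test, because the MDM system has no data on it yet, which is the same gap practice 9 describes.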

5. Start Planning for Centralized Control
Your BlackBerry Enterprise Server is probably well entrenched, both operationally and economically. But it is not
multi-platform, and a multi-platform solution is needed to support the variety of devices in your environment.
Consider these four emerging, and economically sound, best practices:
1. Integrate your MDM platform with a system that can also manage PCs and Macs as well as mobile devices.
   The lines between laptops, tablets, and smartphones will continue to blur in both user functionality and
   IT operations. A versatile MDM solution will cut down on infrastructure costs, improve operational efficiency,
   and create a single user view into devices and data for operations and security.
2. Be sure your reporting and inventory tool consolidates both your existing BlackBerry and your multi-platform
   MDM solutions. You'll rely on your data and reports daily, and you'll want to avoid any manual processes to
   access your business intelligence on mobile devices.
3. Take a look at cloud-based MDM services. When you account for full Total Cost of Ownership (TCO), a
   LAN-oriented management solution can be costly. Why use a more expensive, and wired, solution to manage
   remote mobile devices?
4. Go the agent route with caution. If you can meet your needs with network-based security controls, all the
   better. You'll find that a network-based solution is better for the long haul, given the proliferation of hardware/
   OS/carrier combinations. If you opt for an agent-based solution, you'll spend lots of time installing and
   maintaining it across the mobile landscape.

6. Include Your Mobile Device Inventory and Policy Status in Operations Reviews
Report on and discuss your mobile device inventory and policy status, including personal devices, in your IT operations
reviews. It's a good way to broaden the discussion beyond those responsible for managing devices in your environment.
It's also an opportunity to raise the visibility of the benefits for your organization, as well as of future resource requirements
such as needed involvement from those responsible for security and other areas of IT. Your inventory and reporting
tool should make it simple to produce the reports to start conversations in these meetings.
The practices we've discussed so far should meet most organizations' needs. In fact, they satisfy the most stringent
security and privacy regulations, such as those dictated by HIPAA, FINRA, and PCI DSS. These regulations only require, in
practice, that organizations encrypt their data and are able to destroy data on a lost device. The essential practices cover that
and more.

7. Enable Cost Management for Network Usage
Multi-national businesses need to be able to monitor and limit international data roaming, since those costs can quickly
reach thousands of dollars per trip. Also, with US pricing plans introduced by AT&T for iPhones and iPads, usage tracking
and restriction will become a requirement for domestic connectivity. Verizon also offers iPhones and Android devices, so
anything other than a flat-rate unlimited plan could lead to high costs.

8. Manage Application Restrictions and Your Own Application Storefront
Today, most smartphone and tablet vendors do a good job of limiting usage to certified and approved applications. Some
would argue they do too good of a job restricting access. Other vendors maintain a very open policy for creating applications,
with no formal process for certifying apps.
That said, certain organizations or industries may need to restrict the type of application allowed on a corporate-approved
device.
If you want to be proactive about it, set up your own enterprise application storefront. This allows you to present a list of
approved applications and ease their delivery to mobile devices. Plus, your users will know where to go for these
applications and for updates. Some MDM-solution providers can even help you deliver documents such as PDFs to devices.

9. Provide Network Protection
While it is true that MDM protects devices that have already enrolled in the system, MDM is not a complete security
solution, for a few reasons:
- MDM systems can only see and manage devices that have already been enrolled in the MDM system. MDM is
  blind to unmanaged devices on the network.
- MDM systems typically do not control access to the network itself. Thus, MDM does not prevent unauthorized access
  to data on the network, nor does MDM prevent infected or compromised devices from attacking the network.
- MDM systems typically do not manage personally-owned Windows and MacOS computers.
- MDM systems are sometimes operated as another management silo, with another set of management
  screens, separate policies, and separate reports. Even worse is when the MDM system is managed by a different
  group of people than are responsible for computer security. This creates an opportunity for policies to be
  inconsistently applied and translated across the various IT management systems and groups.
To resolve these issues, consider linking your MDM system to a network access control (NAC) system which ties into your
broader security infrastructure for PCs and provides real-time visibility and control over new and unmanaged devices.

10. Limit Data Transfers and Separate Corporate and Personal Information
Some businesses find it valuable to restrict downloading attachments or prevent the copying of data to removable
media. Implementing these solutions is very difficult, and the data classification exercise is nearly intractable. An alternative
is to create separate virtual containers for business and personal data and applications.

Use both MDM and NAC for complete BYOD security.

ForeScout MDM for Mobile Devices
ForeScout MDM, powered by MaaS360, is an easy-to-use platform that includes all of the essential functionality that you need
for end-to-end management of iOS, Android, BlackBerry, and Windows Phone devices. And what's better is that it integrates with
ForeScout CounterACT, our flagship network security and policy automation system, to give you unified visibility and control
over everything on your network.
ForeScout MDM is a cloud-based solution, so deployment is quick and easy. In just a few clicks, IT can start enrolling devices and
managing the entire mobile device lifecycle, from enrollment to security, monitoring, application management and support.
Together with ForeScout CounterACT, ForeScout MDM provides a whole new level of centralized visibility and control for actionable
insights into your entire computing landscape.
Secure all Mobile Devices: ForeScout MDM supports all major smartphone and tablet platforms including iOS, Android,
Windows Phone, and BlackBerry, in both Exchange and Lotus Notes environments.
Embrace BYOD: ForeScout MDM provides workflows to discover, enroll, manage and report on personally owned devices as part of
your mobile device operations.
Experience simple device enrollment and approval: ForeScout MDM provides auto-quarantine for Exchange, and alerts
IT personnel to approve all new devices. Additionally, it provides for easy user self-enrollment, via web, email or SMS.
ForeScout MDM is powered by MaaS360, a powerful cloud-based technology that is used to manage and secure more than one million
endpoints for more than 1200 companies around the world. The MaaS360 platform was honored with the 2012 Global Mobile Award
for Best Enterprise Mobile Service at Mobile World Congress.

ForeScout CounterACT Integration
ForeScout CounterACT is the world's best selling self-contained network access control (NAC) system.
ForeScout CounterACT can integrate with ForeScout MDM and other leading MDM vendors, and as a result,
provides you with many advantages:
- Visibility of unmanaged mobile devices: MDM systems can only see what they are managing. ForeScout
  CounterACT can provide visibility to personal mobile devices that are not managed.
- Unified network access control and compliance reporting for all endpoint devices: PCs, smartphones,
  and tablets. This is especially important for organizations with split responsibilities, where one team manages
  the MDM system and another team is responsible for security management.
- Enrollment. ForeScout CounterACT can automate the enrollment process for new devices, saving IT time and
  resources.
- On-demand Profiling. MDM systems routinely check to see if the configuration of a mobile device matches a
  defined policy. This profile scan is done at various intervals so that battery life is maintained (consider how
  many full virus scans you can perform on an unplugged notebook before it goes dead). This opens a security risk
  between when a device is on your network and when it was last scanned. When your MDM system is integrated
  with ForeScout CounterACT, CounterACT can trigger a fresh configuration scan the moment that the mobile
  device tries to connect to your network.
- Improved security by ensuring that only enrolled and compliant devices are admitted to your network.
- Guest Registration. If you wish to set up a guest network for personal mobile devices, you can use ForeScout
  CounterACT's built-in guest registration system. Once a guest has been approved, ForeScout CounterACT
  can dynamically enforce your security policies, such as restricting the user's access to just the Internet.
- Continuous Protection. If malware exists on the mobile device and tries to propagate or interrogate your
  network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can
  automatically quarantine or remove the mobile device from your network. ForeScout CounterACT includes
  ForeScout's patented ActiveResponse technology which can detect and block zero-day threats.

About ForeScout
ForeScout enables organizations to accelerate productivity and connectivity by allowing users to access corporate network resources where,
how and when needed without compromising security. ForeScout's real-time network security platform for access control, mobile security,
endpoint compliance and threat prevention empowers IT agility while preempting risks and eliminating remediation costs. Because the
ForeScout CounterACT solution is easy to deploy, unobtrusive, intelligent and scalable, it has been chosen by more than 1,400 of the world's most
secure enterprises and military installations for global deployments spanning 37 countries. Headquartered in Cupertino, California, ForeScout
delivers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

© 2013 ForeScout Technologies, Inc. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, and ActiveResponse are trademarks of ForeScout
Technologies, Inc. All other trademarks are the property of their respective owners. Doc 2013-009