I have written frequently about the BYOD trend (such as my article last week on why managing devices isn't easy). The other side of BYOD is using some form of endpoint management product to make sure that you can track and secure all of your devices. These go under various headings, such as Mobile Device Management (MDM), endpoint security, or network access controls. No matter what you call them, using these products isn't easy and comes with lots of issues. Fiberlink was game to show me around their software, called MaaS360, and while I don't mean to pick on them, I will show you what some of the drawbacks are with using these tools and what you are in store for if you are interested in trying to get a handle on your mobile devices across your enterprise.
I tried out MaaS360 on both a Kindle Fire and an iPad and got them under my corporate thumb within about an hour, including the time it took to learn more about the various requirements for the service. Fiberlink claims that they are the first Fire supporter; I wasn't able to verify that. Here is a nice short video explanation of what the product does with an interview with our own Dan Rowinski.
If you are going to evaluate any of these products, the first thing you want to examine is which devices they manage. For that, you will need special client software. If you want to allow anything on your network, you need some kind of agent that keeps track of what your end users are doing with it, and can protect it in case of malware or other infections. MaaS360 has versions for iOS, Android/Kindle, BlackBerry, Lotus Traveler, and Microsoft Exchange, among numerous other tools. Its download page (you can freely try any of these out for 30 days) is almost overwhelming.
Depending on what platform you are protecting, you will have to go through a process to install the agent and set things up. Any iOS device requires a series of cryptographic certificate installation steps to get things going, which is somewhat annoying (this is from Apple, not the fault of anybody else). MaaS360 is fairly straightforward: you register your device on this screen:
And then it sends you an email with the download link that you open in the mobile's browser to finish things up.
Once you have your agent up and running, you go into your portal to track what is going on. You can get lots of detail, such as the report below on a Kindle Fire (running the Android OS):
MaaS360 can integrate with your Active Directory or LDAP server so you can bulk load up your management system without having to do much manual installation, but there still is some work involved.
A second issue is understanding the portal page where the service tracks what is going on across your network: what information is presented, what is actionable, and what you can safely ignore. It could be more work to understand what you are seeing than you bargained for. This is somewhat akin to when intrusion detection products first came into corporate networks; we needed to train our security staff on what the products were reporting and what they needed to pay more attention to.
Next, you want to examine how flexible the device management policies are with the service. With MaaS360, you have dozens of different levers you can push to prevent the device from connecting to particular Wi-Fi networks, allow installation of particular apps from outside the approved marketplaces, and enforce device encryption.
Finally, what is all this going to cost? MaaS360 starts at $6 per device per month in quantities of 100 devices, and discounts are available as the number of devices increases.
MaaS360 is just one of dozens of MDM and endpoint products that are out there. One of my favorites for ordinary Windows and Mac desktops is Symantec's Endpoint Protection, which currently doesn't offer any mobile agents - yet.