Mobile Management Strategies


All companies deploying mobile devices have a mobile management strategy, whether they plan one or not.

Today's mobile management boils down to a trade-off between control and usability. The stronger the control, the less flexible and familiar the experience is for the user.

The slide above is from a talk I gave for Tekserve. It shows the relationship between five possible mobile management strategies: wild west, Exchange, Mobile Device Management, sandboxing, and VDI.

(footnote: These strategies are not exclusive. It is common to see a combination deployed in large or even not-so-large environments.)

Wild West

By far, the most common mobile strategy is Wild West. Rather, we should call this a non-strategy. In the Wild West, iPads roam free. "Shadow IT" is the law of the land. Users have figured out for themselves how to get at corporate email and documents; Dropbox is a common solution. No lock-screen passcodes burden their users. There is no uniformity to apps. There is no way to remotely remove data from a lost iPad. A thief would have unimpeded access to email, contacts, calendar, and documents.

Exchange
Adding a thin layer of management is not difficult if your company uses a corporate email server. Microsoft Exchange and Google Apps for Business and Education have mobile management built in. This protection rides on top of Microsoft's Exchange ActiveSync Protocol, and requires nothing more than an "Exchange" type email account on the device. With this level of control, you get a number of helpful over-the-air abilities:

  • Require passcode
  • Require a complex passcode
  • Lock device after X unsuccessful attempts to unlock
  • Remove passcode
  • Disable camera
  • Erase device

The most significant of these is "require passcode," which enables Apple Data Protection.

Mobile Device Management

Mobile Device Management, or MDM, adds additional controls on top of Exchange. Devices must be "enrolled" into MDM, usually using a web page or an app. MDM delivers all the features of Exchange, plus several more:

  • Remotely set up email, VPN, calendar, identity certificates
  • Send free and pre-paid apps to devices
  • Send web bookmarks to devices
  • Inventory devices for apps, usage info, and identities
  • Configure features of email accounts not available in the UI: sandboxing, encryption
  • Additional restrictions on iCloud, encrypted backups, FaceTime, the App Store, videos, and more
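The controls in the two lists above (the Exchange ActiveSync set: require passcode, complex passcode, lock after X failed attempts, disable camera; and the MDM-only restrictions on iCloud, encrypted backups, FaceTime and the App Store) map onto payload keys in an Apple configuration profile. The Python below is an added example, not code from the original post or from any MDM vendor: it builds such a profile with Apple's documented `com.apple.mobiledevice.passwordpolicy` and `com.apple.applicationaccess` payload keys, serializes it as the `.mobileconfig` plist an MDM server would push, and then checks constructed device-inventory records against it. The organization identifier `com.example.mdm`, the display name, and the inventory record format (its keys are modeled on Apple's `SecurityInfo` and `DeviceInformation` responses) are assumptions for this example, and the profile is left unsigned.

```python
# Added example, not code from the original post: builds an iOS configuration
# profile expressing the controls discussed above and checks constructed
# device-inventory records against it.
import plistlib
import uuid

ORG_ID = "com.example.mdm"  # placeholder reverse-DNS identifier, assumed for this example


def _payload(payload_type, suffix, **settings):
    """Attach the bookkeeping keys Apple requires on every payload."""
    body = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_ID}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    body.update(settings)
    return body


def build_profile():
    """Passcode payload: the controls Exchange ActiveSync can also enforce.
    Restrictions payload: the extra settings only MDM reaches."""
    passcode = _payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode",
        forcePIN=True,               # require passcode, which enables Data Protection
        allowSimple=False,           # reject repeating or sequential codes
        requireAlphanumeric=True,    # complex passcode
        minLength=6,
        maxFailedAttempts=10,        # wipe after this many failed unlocks
        maxInactivity=5,             # auto-lock after five idle minutes
    )
    restrictions = _payload(
        "com.apple.applicationaccess", "restrictions",
        allowCamera=False,
        allowCloudBackup=False,        # iCloud backup
        forceEncryptedBackup=True,     # iTunes backups must be encrypted
        allowVideoConferencing=False,  # FaceTime
        allowAppInstallation=False,    # App Store
    )
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{ORG_ID}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example corporate baseline",  # assumed name
        "PayloadContent": [passcode, restrictions],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM server pushes (left unsigned here)."""
    return plistlib.dumps(profile)


def compliance_findings(profile, inventory):
    """Compare one device's inventory record with what the profile demands.

    Inventory keys are modeled on Apple's MDM SecurityInfo/DeviceInformation
    responses; the record format itself is constructed for this example.
    Returns a list of findings; an empty list means the device is compliant."""
    payloads = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    passcode = payloads["com.apple.mobiledevice.passwordpolicy"]
    restrictions = payloads["com.apple.applicationaccess"]
    findings = []
    if profile["PayloadIdentifier"] not in inventory.get("InstalledProfileIdentifiers", []):
        findings.append("baseline profile not installed (device is unmanaged)")
    if passcode.get("forcePIN") and not inventory.get("PasscodePresent"):
        findings.append("no passcode set: Data Protection is not engaged")
    elif passcode.get("forcePIN") and not inventory.get("PasscodeCompliantWithProfiles"):
        findings.append("passcode does not meet the profile's length/complexity rules")
    if restrictions.get("allowCloudBackup") is False and inventory.get("IsCloudBackupEnabled"):
        findings.append("iCloud backup is on despite the restriction")
    return findings


# Constructed inventory records for three devices.
COMPLIANT_DEVICE = {
    "PasscodePresent": True,
    "PasscodeCompliantWithProfiles": True,
    "IsCloudBackupEnabled": False,
    "InstalledProfileIdentifiers": ["com.example.mdm.baseline"],
}
WEAK_PASSCODE_DEVICE = dict(COMPLIANT_DEVICE, PasscodeCompliantWithProfiles=False)
WILD_WEST_DEVICE = {
    "PasscodePresent": False,
    "PasscodeCompliantWithProfiles": False,
    "IsCloudBackupEnabled": True,
    "InstalledProfileIdentifiers": [],
}

if __name__ == "__main__":
    profile = build_profile()
    print(to_mobileconfig(profile).decode())
    for name, record in [("compliant", COMPLIANT_DEVICE),
                         ("weak passcode", WEAK_PASSCODE_DEVICE),
                         ("wild west", WILD_WEST_DEVICE)]:
        print(name, compliance_findings(profile, record) or ["ok"])
```

Run as a script to see the generated plist and the findings for each constructed device; the Wild West record trips all three checks, the weak-passcode record only the complexity check. In a real deployment the profile would be signed and delivered by the MDM server, and the inventory values would come from the server's device queries rather than from hand-built dictionaries.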

The MDM protocol is built into iOS by Apple and has been present since iOS 4. Apple continues to quietly expand MDM with each iOS revision.

There are a large number of MDM Providers, each building on Apple's common foundation. The differences tend to show up within the administrative console.

MDM takes more effort on the backend than Exchange. But apart from the initial enrollment, users notice little change in how the device behaves.

Sandboxing
A Sandbox is a world within an app. Just like Las Vegas, whatever happens in the app, stays in the app. The app syncs content back to the corporate servers. So the company focuses its management efforts on securing that data within the sandbox.

Sandboxes can limit themselves to certain read-only documents pushed out from corporate. Or they can be close to entire OSes, with their own email and document editing. Unlike MDM, a sandbox environment can be fully FIPS compliant for those businesses that need it.

Sandboxes effectively segregate personal and corporate use. By their nature, all company work must be done within the Sandbox app. This can severely limit the options for users, who are no longer able to decide the best choices for their tools.

VDI/Remote Desktop

VDI is an option when Sandboxing isn't enough control. With VDI, the iPad uses a remote desktop protocol to control a desktop computer (usually Windows) running in a secure data center. So data isn't actually stored on the iPad itself. Unfortunately, the iPad makes a lousy replacement for a real mouse and keyboard. Mapping a desktop interface onto the multitouch display just doesn't fit well.


Each deployment comes with its own requirements. But in general, Mobile Device Management offers the best balance of strong management and familiar experience.

