MDM Security Checklist: How Strong is Your MDM Security?

MDM (Mobile Device Management) security is defined by how well an MDM solution configures, deploys, and manages devices for different use cases. An MDM solution needs to lock devices to the dedicated purpose without hindering the user experience, and it needs to provide real-time insights into security risks.

Mobile security risks vary according to the managed device type, the industry, and the use case. Single-purpose enterprise devices like kiosks, point-of-sale (POS), employee tablets, even IoT (Internet of Things) devices face a unique set of data security and other threats compared to BYOD (Bring Your Own Device), mobile phones, and personal devices. That’s why choosing an MDM with a specific focus on these types of devices is crucial for fleet security. 

Free MDM RFP Template for Comparing MDMs

6 questions to test your MDM security

Globally, the average cybersecurity breach costs $4.35 million. If your company is victimized by hackers, your customers won’t care to hear that your MDM features were inadequate. 

Regulatory agencies also won’t buy the MDM security excuse. If your firm is subject to HIPAA, the CCPA, the GDPR, or other frameworks, security incidents could be costly. The following 6 questions are a litmus test to determine whether your MDM security is risky and vulnerable to cyberattacks.

1. Unauthorized use: Are your employees or customers able to use your devices to access unauthorized websites, apps, or settings?
2. Downtime: Are you losing money, productivity, or customers due to device or app performance issues?
3. Manual provisioning: Is your IT team manually configuring and deploying each device?
4. Device compatibility: Does your MDM work with all your different device hardware — kiosk, point of sale, digital signage, etc.?
5. Device lockdown: Are you able to assess threats — insider abuse, tampering, theft, network security issues, and malware — and remotely lock the device down if necessary?
6. Updates: Are your devices up to date on security and OS patches?

The MDM security checklist

MDM security is a concept that involves multiple layers. Each layer needs to be aligned with the use case and risks to avoid cybersecurity issues.

A full MDM cybersecurity assessment should involve a look at each of the six layers below to understand the greater picture of risk. Within these six layers, we’ve identified 36 separate MDM security points of focus. We also have an abridged version of the MDM security checklist available for download.

• Layer 1: Cloud Platform Security 
• Layer 2: Device Hardware Security
• Layer 3: Network Security
• Layer 4: App Security
• Layer 5: Alerts and Remediation
• Layer 6: Secure user Experience

We’ll outline each of the layers below, as well as individual points to check within each layers.

Layer 1: Cloud platform security

Your MDM console is ground zero for effective mobile security. Your MDM admin portal should make it easy to provision, deploy, and manage devices according to policy and determine which users can read and write device policies.  

Usability is a key factor for cloud MDM security, and so is data integrity. You need to be able to trust that your MDM will deliver timely alerts and a complete audit trail. When inspecting your MDM’s cloud console for potential security vulnerabilities, consider the following: 

• Ease of use: How simple is the console to use? Confusing software can lead to security blind spots.
• Secure cloud gateway: Is there a policy in place to ensure your MDM portal is secure??  
• Data integrity: Is all data consistently secured, stored, and protected against potential modification? 
• Accessible device security information:  Do you know which security policies are applied to any given device, or if your MDM can show that information?
• Intelligent event feeds: Are the event feeds easy to find and understand? 

Layer 2: Device hardware security

Device hardware security matters, especially for today’s enterprise fleets. Most MDMs are built to accommodate smartphones and tablets, but far fewer offer compatibility with POS, kiosks, ruggedized devices, smart fitness equipment, telehealth devices, and more. Security considerations vary for these dedicated devices.. 

A careful approach to hardware procurement is critical for device security, and this process should involve learning whether given hardware is compatible with your MDM. Device interoperability and updates aren’t the whole scope of hardware security, but they’re important measures of MDM strength.

When assessing your current (or future) MDM, you should ask if they:

• Support current and future fleet devices types and use cases: Right now you may only have a few POS tablets, but what if you want to add self-ordering kiosks in the future? If your MDM doesn’t support this, it hinders growth by forcing you to buy another solution (or migrate). 
• Offer interoperability with your devices: Will your new self-ordering kiosk work in tandem with your frontline POS system? Will that new handheld scanner communicate back to your inventory management system? Devices should work together to streamline processes and make your life easier.
• Simplify device updates: Let’s be honest here — the easier something is, the more likely you’ll do it. Security updates are absolutely crucial, so updating devices shouldn’t be a chore. 
• Offer validated hardware: Does your MDM offer hardware validation so you can be certain the device you’re about to buy will work flawlessly? 

Layer 3: Network security

A mobile device is only as secure as its weakest layer — a secure mobile device on a compromised Wi-Fi network can leak your sensitive data. Network security matters, even if your dedicated devices aren’t built to be used over public Wi-Fi networks. 

Dedicated devices are generally deployed on a secure corporate network, but not always. An MDM needs to support Wi-Fi security for dedicated devices that travel with employees or customers. Network security policies should also protect the enterprise in worst-case scenarios, like a stolen device that’s taken off the premises and exposed to compromised WiFi.

Your MDM should make network security a simple task. Consider these features a must for optimal network security: 

• Limiting Wi-Fi connectivity to trusted networks: Open networks are vulnerable networks. Your mission-critical devices should never connect to unsecured Wi-Fi points. 
• Detecting Wi-Fi network changes: If a device changes Wi-Fi networks, the security team should know about it.
• Locking mobile devices if they leave the network: If a device travels outside the network or otherwise disconnects, remote locking should be an option. 
• Wiping lost or stolen mobile devices: Similarly, if a device “walks off,” a remote factory reset should be available, either manually or automatically. 
• Blocking user access to Wi-Fi and data settings: Device users — whether that’s customers or employees — shouldn’t be able to change network credentials or other data without explicit permission. 
• Detecting unusual data patterns: Monitoring data usage patterns is a good way to quickly find out if a device is misbehaving. Can your MDM do that? 

Layer 4: App security

Over 11% of mobile apps downloaded from the Google Play Store contain hidden cybersecurity risks, according to a recent academic study of 150,000 apps. Researchers found that over 12,000 Play Store apps had signs of a mobile backdoor, such as secret access keys or master passwords. On pre-installed bloatware apps, the percent compromised is closer to 16%. 

Mobile Apps from the official Play Store or unauthorized web sources may also contain riskware, defined as extensive permission requirements that compromise user privacy. Riskware apps are typically free and perform as promised, while secretly sharing the user’s personal data with a remote server.

Mobile apps can also introduce risk if they’re laden with mobile ads, which can run continuously in the background and lead to issues like a drained battery, excessive 4G data consumption,or slow performance. 

You can’t trust most end-users to carefully read app permissions before downloading. You also can’t trust Google Play Store apps by default. An MDM should support top-down app management for the use case, including restricting app and user permissions. Make sure your MDM allows the following: 

• Remotely install and uninstall apps: You shouldn’t have to be on site to install or uninstall apps. This can and should be done remotely. 
• Manage app versions: Does your MDM offer specific app version control? App updates are important, but some might also introduce security risks. The ability to granularly control, deploy, and pull app versions helps maintain device security.
• Granular app deployment: At the same time, maintaining good app deployment hygiene prevents devices from running old, vulnerable versions of apps. You should be able to update apps across devices — either in groups or altogether.  
• Support single or multi-app kiosk mode: Devices that are designed to run a single application (or even a selection of apps) should run in a kiosk mode that locks the app to the foreground in a way that is unable to be bypassed. 
• Monitor app behavior: Detailed insight into what apps are doing on your network — what data is being transmitted, for example — is a key component of good MDM security. 
• Limit downloading to authorized apps only: App access limitations shouldn’t be limited just on Google Play, but all third-party app stores, the web, and beyond.

Layer 5: Alerts and remediation

Mobile security is dynamic. A secure kiosk or POS could quickly become a liability when any single device security factor changes. The key to avoid threats is visibility so you can see which negative changes create risk. 

Intelligent alerts are critically important, but so is the ability to remotely respond to cybersecurity threats before a situation turns into a data breach. An MDM should offer an automated response, such as device lockdown when geofencing data indicates it’s been lost or stolen. To maintain strict security with alerts, you’ll want the following: 

• Custom alerts and intelligent notifications: When something questionable happens to any one of your fleet devices, you should know as soon as possible. Alerts should automatically trigger when specific criteria is met, like a device disconnecting from Wi-Fi or rebooted.
• Device tracking and geofencing: For portable devices like tablets, handheld scanners, and smartphones, you should have the option to track devices, and automatically alert, lock, or erase the device if it leaves a geofenced area. 
• Device lockdown: Remote lockdown for any device in your fleet ensures that you can secure it immediately (or even automatically). 
• Remote view and control: If you need to troubleshoot a device, you shouldn’t have to travel across the country (or even across town!) to do it. Remote viewing and control of dedicated devices ensures minimal downtime and maximal efficiency. 
• Remote factory reset and erase: If it comes to it, you want to be able to erase your gadgets instantly and from anywhere. 
• Offline event triggers: If a device goes offline, you may want specific actions to be executed to ensure device safety and data security — like locking the device as soon as it disconnects from the network, for example. 

Layer 6: Secure user experience

Many organizations struggle to enforce basic mobile cyber hygiene measures. For simplicity, many organizations either avoid using any sort of lock screen security or opt for a simple 4-digit PIN code instead of alphabetic or alphanumeric codes that are harder to crack.  

Devices should protect your enterprise from authorized and unauthorized users — including unacceptable activities among employees, customers, device thieves, and hackers. An MDM should support a customized user interface that’s built according to the principle of least privilege. This is the least amount of user access possible that does not interfere with or degrade operational efficiency..

Your MDM should:

• Automatically load kiosk mode: If your device is running in kiosk mode, it should automatically launch when the device is powered on or rebooted. This prevents kiosk mode from being easily bypassed. 
• Restrict calls and SMS messages: Unless your dedicated devices specifically require text messaging or telephony access, there’s no reason to allow it. It’s a security risk waiting to happen. 
• Block access to settings: Access to settings means settings can be changed. Blocking access to settings means that only authorized users can change settings. 
• Hide notifications: There’s little to no reason to display notifications on dedicated devices, so the option to hide them is important. This also prevents curious users from tapping into other apps or services by interacting with notifications. 
• Hide the status bar: Aside from hiding notifications, you can go a step further by hiding the entire status bar. This is especially useful on kiosks and other single-app use case devices. 
• Restrict camera access and screenshots: Unless you’re using the device camera to scan barcodes or QR codes, there’s no reason to allow camera access. And screenshots? There’s virtually no reason for all users to have screenshot access — this should be exclusive to admins and authorized users. 
• Block local app installs: As previously mentioned, app installation should only be allowed for authorized users. 
• Block browser access: Unless your device relies on browser access to function — like a web based check-in portal — allowing access to the browser is just asking for trouble. Best to block it out of the gate. 
• Block voice assistants: Voice assistants have little to no use in dedicated device scenarios and could potentially be used to waste mobile data or bypass other restrictions — a knowledgeable user could tell Assistant to bring up the Settings menu, for example. 

The future of MDM is dynamic mobile security

Your mobile security risks vary depending on device type, industry, and most importantly, use case. MDM originated as a tool to protect enterprise data from users in BYOD (bring your own device) and COPE (company owned/personally enabled) use cases. Today, it’s evolved to mean much more. Looking to the future of MDM is the only way to protect your fleet against the changing mobile threat landscape. 

MDM security must be dynamic. You need the flexibility to deploy and manage dedicated devices according to use cases. MDM should offer features to completely wipe and re-provision devices at any given point during the device lifecycle. Most importantly, MDM security should allow real-time or automated response based on insights into devices, apps, and user behaviors. 

When your MDM isn’t enough, it’s time to call Esper

Esper is the first-ever platform with MDM for dedicated enterprise devices. We go beyond MDM with all the tools you need to provision, deploy, update, and manage your mission critical dedicated devices. Set up a demo today to see how Esper can transform your device strategy. 

Take It With You: Download the MDM Security eBook

More MDM Resources: 

• MDM guide
• Device provisioning
• What is a factory reset? 
• Single sign-on
• Role-based access control