There is a moment in the great space race film, The Right Stuff, where Jeff Goldblum sprints down a lengthy hallway, bursts into a room full of shadowy men in dark suits, and exclaims “It’s called Sputnik!” (referring to the Russian space program).
“We know.”
“Sit down,” the shadows call back.
Lyndon B. Johnson gets on his soapbox to make an impassioned speech, but one that ultimately yields no immediate solutions.
As MDM–>EMM–>UEM admins, I’d wager this is a feeling we all know too well: exploding into a room full of important people and trying, often fruitlessly, to warn them of something new on the horizon. Old corporate habits set in stone decades before mobile phones were the norm, dated bureaucratic red tape, and, more often than anything – money, are all roadblocks to updating device policies and services.
As UEM admins, we’re also acutely aware that mobile devices are no longer a luxury or a supplemental item – they have become a centerpiece of the workforce, from CEOs to laborers. Smart devices keep people connected, keep data flowing, and have evolved the workplace all across the globe in ways we never could have imagined. So why, given their prevalence, do so many organizations resist enforcing the changes needed to secure devices and data? That question is a loaded weapon I’m not even going to attempt to answer here, as it can go off without warning.
What I can do is offer up this advice: 2019 is set to be the most pivotal year in mobile device management since the concept was born. Fundamental changes to the management experience are coming to the two biggest platforms the world has ever seen (iOS and Android), representing an astonishing 4 billion devices worldwide. There are some critical decisions your organization needs to make before the year is out. If the discussions of these topics haven’t already started, then you, the UEM admin, have a responsibility to march into that room of dark-suited upper management entities and demand attention.
- Do not try to draw a line between BYOD and organizational devices, as that line has been drawn for you. Understand where it is and adjust deployment practices today. Android Enterprise and iOS 13 make it clear – personal data, apps, and services are off limits moving forward.
- Set your policies for organizational assets based on Android Enterprise and iOS 13. If you don’t belong to a deployment program and one is available in your country, sign up today. Supervise your iOS devices (via DEP or Apple Configurator) and get your Androids into Device Owner mode using whatever methods are available. No matter how headache-inducing this can be, it’s the only responsible next step.
- Stop clinging to the past! Even if money is a concern (and when is it not), I can’t think of a good reason why any security-minded organization would deploy Android 4 or iOS 8 devices today, but I see it all the time. There are inexpensive options (think $50–$100 per device) that support Android 8, and Apple has done a great job of supporting older devices with newer iOS versions. If the response is something along the lines of “We get these from a partner vendor/OEM, they cut us a great deal,” then let me segue into my next point…
- Get a roadmap for Android Enterprise and iOS feature support from your vendors. Many purpose-built devices leverage customized Android OS images that are still in the 4.x range. Find out the OEM’s plans for Android Enterprise support and make sure they understand how mission critical this is. Likewise, make sure that DEP devices can be purchased from any of your supply chains to save you the hassle of having to add devices manually later.
- Set standards internally – UEM providers will keep the minimum supported OS lower to remain competitive. Organizations deploying UEM should set the standard higher, however. Is there someone in your company who carries around an ancient Android phone that they begrudgingly got years ago because their kid hassled them? Then they don’t get to receive corporate data on it, period. My suggestion is Android 5.1+ and iOS 10+ as the minimums for both BYOD and company-owned devices, but the higher the OS version, the better.
- When UEMs start targeting Android Q with their Android apps, that will mark the end of Device Admin support for older devices. This means you’ll be stuck in a device management style with an app that will (most likely) not receive any further updates. That’s a security nightmare and an incident waiting to happen. Most of the market has moved over to iOS devices supporting 64-bit architecture, so there aren’t as many concerns there, but run through your inventory just to be sure.
- No matter who you are, no matter how big and influential your organization is, the odds of your company being able to change the tide’s direction by stating “Well, we simply won’t buy XYZ devices anymore” are about as close to 0% as possible. Now is not the time to let egos dictate policy; rather, let the market’s currents work to your benefit and guide you back to shore.
- Have a plan for company-owned accounts – I see a lot of folks getting stuck for long periods because they let one person take charge of mission-critical Apple/Google/Microsoft accounts. Find out who owns these, designate backup plans, and delegate authority to more than one responsible party. Remember, though they may have their benefits in the enterprise, Apple IDs are primarily focused on the everyday consumer and have their limitations. Android Enterprise should solve all your device-based Google Play ID needs.
What about Windows? Microsoft continues to grow the feature set for Windows 10 in impressive ways; however, their course has maintained a pretty steady trajectory over the last year, and they don’t have quite the level of changes coming that iOS and Android do. Even so, keep an eye out, make a plan to replace any Windows Phones that remain, and for the love of all UEM, stop deploying Windows XP!
Final thoughts from a mobile pro: I’m not the ultimate authority on all things mobile, but I don’t think anyone with an eye on the horizon will be able to reasonably counter these points. Still, I spend a lot of time each week listening to admins argue and fight against these coming changes. I hear variations of “Well, we just won’t support iOS/Android in our environment if this is how things work” almost daily, and that’s just not a responsible position to take – it’s not fair to the company and it’s not fair to the end users. Sure, if a device doesn’t meet your internal security standards for whatever reason, don’t put it on the approved list, but don’t knock devices off that same list because of Android Enterprise or iOS 13. If anything, the new features are reasons to embrace even more devices in your environment. It’s best to make peace with the state of UEM and make it work for your organization – get informed, get secure, and, most importantly, get on board.