This guidance describes what mobile device management is and its benefits for Primero v1.x and the mobile application.
What is Mobile Device Management?
MDM, or mobile device management, is a third-party product installed on mobile devices to ensure devices are configured with a standard set of applications, functions, and security. MDM ensures devices are performing consistently, can be located and can be supported remotely. MDM solutions may provide you with access to everything on a mobile device and will ensure that you do not need to worry about data falling into the wrong hands, as remote lock and wipe functionality prevents data breaches.
MDM functionality includes: remote user management, device updating, security policy enforcement, application download controls, data backup, device tracking and GPS, application distribution, remote wiping, password enforcement, and data encryption enforcement.
Depending on the level of functionality required, the cost of the solution may vary. Using an MDM solution requires trained staff and administration to monitor the solution. Though the solution provides security, organizations must complete regular security audits. Also, if the phone is not connected to the internet, management of the mobile devices is not possible. Examples of MDM solutions are WSO2 and Mobilock.
MAM, or mobile application management, secures the application on the mobile device, rather than all applications and the complete device. If a device goes missing, using an MAM solution will only wipe application-level data from the phone.
If organizations decide to move forward with utilizing their personal mobile devices, the devices can potentially expose security vulnerabilities if they are not directly supervised by IT staff. This is where the need for an MDM and MAM solution and accompanying security policies comes in. Organizations need to look at all the factors that come with MDM and MAM solutions and decide which mobile management solution works best for them.
What is the value add?
Essentially, the application will be installed on the device and it controls everything on the device. We will use this to push upgrades, monitor the phones, and understand when there are issues (for example, when there are sync problems, we can diagnose them via the MDM).
The IT focal point is responsible for the phone so they will install the application on the phone and track which phone is given to which staff member. They will collect the phones if staff leave/resign.
The system administrators would be able to use the MDM to push out the upgrades to the phones and track the application/usage.
The added value is that:
- We do not need to depend on users to upgrade the mobile app
- We can remotely troubleshoot issues when users say they have problems
- Organizations can track their assets and ensure that users are only using their phones for Primero-related work
If we didn’t have something like this, we wouldn’t be able to remotely wipe phones that were lost or stolen and got into the wrong hands, or adequately troubleshoot issues that users are having on their phones, and staff would have to push upgrades manually.
Please note that remote wipe functionality only works when the mobile device is connected to the internet.
Is Mobile Device Management required to use the Primero Mobile Application?
With the Primero application, we have gone to great lengths to ensure security protocols and processes are in place and kept up to date. But what about mobile? The Android application has built-in in-app security, but there are many considerations that should be made to ensure the device and its data are kept safe.
MDM solutions are strongly encouraged but are not mandatory for use of the Primero Mobile Application.
Functionality & Costs
Depending on the level of functionality required, the cost of the solution may vary, ranging from $2 - $5 per month per device. Using an MDM solution requires trained staff and administration to monitor the solution. Though the solution provides security, organizations must complete regular security audits. Also, if the mobile device is not connected to the internet, management of the mobile devices is not possible. Examples of MDM solutions are WSO2 and Mobilock.
If organizations decide to move forward with utilizing their personal mobile devices, the devices can potentially expose security vulnerabilities if they are not directly supervised by IT staff. This is where the need for an MDM and MAM solution and accompanying security policies comes in. Organizations need to look at all the factors that come with MDM and MAM solutions and decide which works best for them.
What are the implications of having MDM on a personal phone?
MDM solutions may provide you with access to everything on a mobile device and will ensure that you do not need to worry about data falling into the wrong hands, as remote lock and wipe functionality prevents data breaches.
With that said, case workers who are using their personal devices are not going to be inclined to hand over those devices to have an MDM solution installed, out of concern that their personal data could be compromised. MDM solutions like Mobilock have a “bring your own device” management system which allows case workers to have secure access to applications like CPIMS+ on their own devices without access to their personal information/applications. In Primero, MDM is currently only installed on procured devices.
What are the additional risks of having the mobile app on a personal phone without MDM versus having the mobile app on an office phone with MDM, and if there are additional risks, how can we mitigate them in other ways (such as freezing the personal account, etc.)?
MDM solutions ensure devices are performing consistently, can be located and can be supported remotely. If a case worker is using their personal phone without an MDM solution, it becomes harder to troubleshoot specific in-app issues. That being said, this is why we have system administrators in-country to help troubleshoot these types of issues. Another reason we would want to have MDM installed on a personal device would be to ‘remotely wipe’ the application to ensure its data does not land in the wrong hands. But again, if the system is at risk of being compromised, system administrators are in place to disable user access so no one can log into CPIMS+ on a lost or stolen phone. System administrators can also reset passwords at any time. Lastly, if there is an update to the mobile app, we could update the mobile app remotely if an MDM was in place. But as mentioned, system admins can help with this as well.
Also, when a case worker is not actively using an app on the phone (i.e. entering a case), the CPIMS+ mobile application will log out the case worker prompting them to log back in, making it hard to compromise confidential data.