In basic terms, strategies that allow organizations to roll out business software to their employees’ smartphones are an interesting idea: everyone has a smartphone these days and a broad rollout can be relatively quick. With such an approach, however, the IT or compliance department will often want to retain a certain degree of control.
MDM solutions such as AirWatch, Intune, or MobileIron allow a company to control how the software is run on iOS and Android devices. Put simply, a protected zone is set up, with a secure firewall, in which the applications run.
Both in technical, but above all in organizational terms, this is much more difficult to implement in reality than you may think. It creates a hurdle that often makes the situation for employees so complicated that they simply don’t use the apps. What is more, MDM tools limit the speed and simplicity of the apps so much so that many users prefer to politely decline and this option remains unused.
We have also developed a mobile app in-house for our own Linchpin intranet solution, and all of its initial first customers tried to get it up and running using MDM. Some succeeded, while others failed. The situation as a producer of apps like these is always a thankless one, because, to be able to test whether everything works properly, we would actually have to install all of the MDM solutions first ourselves. Software producers do not tend to support this approach. A reasonable support function, which answers MDM-specific questions, was also not always available to our corporate customers, although they sometimes paid enormous sums for the solution.
What I personally find worst is that an artificial, cumbersome and generally impractical MDM cage costs more in license fees than our entire intranet solution. That means that economic reasons blocked the pathway to an MDM solution for many of our customers in advance (also and especially for those enterprises with thousands of commercial employees). On top of this, more and more problems kept showing up on the technical side. These were impossible to solve properly in the majority of cases, since it was impossible to reasonably establish any automated or other consistent test scenarios.
As a software producer, the frustration surrounding MDM has led to us creating our own small special solution in the form of a gateway server that makes MDMs superfluous. But I should back up a bit first before I go on: if you want to operate your intranet extremely securely, then it needs to reside behind a firewall. This has the unmistakable advantage of keeping your intranet server safe from all of those bad actors who try to compromise servers on the internet. This also applies if your intranet software contains a potential security loophole – and all software has flaws like this that someone will find sooner or later. Don’t let anyone tell you differently. Software can be a scruffy affair. It depends on services, which in turn depend on libraries. The structure is so complex that nobody can seriously rule out one of the elements not having a weak spot. Good providers know this and react quickly when a problem with security arises. It’s a number one priority for all cloud offerings. If your system is equipped with an additional firewall, it will still protect you from hackers if a security loophole exists that still needs to be closed.
Lots of our corporate customers run their systems from behind a firewall. Now if you want to access a protected system like this with a smartphone, you first have to open a tunnel through the firewall. On your smartphone, you do that with a VPN client (Virtual Private Network). As a rule, however, license fees also have to be paid for each user of the VPN solution, which, similar to MDMs, can result in enormous costs. But even if you use OpenVPN, for example, as a free, open source solution, it’s no fun to use because you have to activate the VPN first every time you want to access the mobile intranet.
If you receive a push message in a situation like this, you cannot just click on it. You have to open the VPN tunnel first. And no one is going to do that.
With complete conviction and without performing any surveys, I reckon that systems that need to be accessed through VPN tunnels on smartphones are pretty much dead when it comes to their active use.
And yes, it’s true that many organizations force their people to use their apps through a VPN tunnel. But nobody likes to do it. And under circumstances like these, people will only use them if there is no way around it. When I really have to, I’ll move mountains. But just to find out about something quickly? As a user, I’m not going to switch the VPN on for this extra.
MDM solutions promise to get around these problems by automatically having a VPN tunnel on-board so that users can access the intranet easily using the mobile app. And on the whole, this works as well. Things don’t look so good though when it comes to the details, however – for example, when users try to open attachments and files on their smartphone using locally installed viewing apps. The file would have to be extracted through the MDM firewall, and in many cases that is prohibited.
Hmm, while I’m telling you all this, I’m not really sure whether you actually need to understand all these details. In any case, MDM systems make things incredibly complicated and are also incredibly expensive. And although we have hundreds of systems successfully in use, they are more of a bind when used on a mobile basis in combination with MDM systems. In any case, you need highly motivated and skilled MDM specialists. It is certainly not a simple affair.
So, back to our Linchpin solution. It is really easy in comparison. So, we built a gateway server. This gateway server is available for connection calls from intranet systems that reside behind a firewall. Mobile apps installed on smartphones can connect to the gateway server. One-time authentication takes place using QR codes, which are scanned into the mobile app. And end-to-end encryption ensures that data cannot be intercepted between the intranet server and the smartphone.
Either use a publicly accessible intranet or use a solution that allows easy access from your smartphone to your intranet server.
We have invested a lot in our Linchpin solution to make sure that secure systems can also be reached over the gateway server. If you cannot find a way around MDM solutions, your intranet team should really put them through their paces. They can work. However, in 80 percent of the cases I know about, the result is pretty dubious and nothing that your users will be giving you rounds of applause about. So be really careful when it comes to MDM solutions.
Link to this page: https://seibert.biz/intranetbookmdm
- No labels