Child pages
  • Intranet Book: MDM Solutions: Nice in Theory, Annoying in Practice
Skip to end of metadata
Go to start of metadata


In basic terms, strategies that allow organizations to roll out business software to their employees’ smartphones are an interesting idea: everyone has a smartphone these days and a broad rollout can be relatively quick. With such an approach, however, the IT or compliance department will often want to retain a certain degree of control. 

MDM solutions such as AirWatch, Intune, or MobileIron allow a company to control how the software is run on iOS and Android devices. Put simply, a protected zone is set up, with a secure firewall, in which the applications run. 

Both in technical, but above all in organizational terms, this is much more difficult to implement in reality than you may think. It creates a hurdle that often makes the situation for employees so complicated that they simply don’t use the apps. What is more, MDM tools limit the speed and simplicity of the apps so much so that many users prefer to politely decline, and this option remains unused. 

We’ve also developed a mobile app in-house for our own Linchpin intranet solution, and all of its initial customers tried to get it up and running using MDM. Some succeeded, while others failed. The situation as a producer of apps like these is always a thankless one because to be able to test whether everything works properly, we’d actually have to install all of the MDM solutions first ourselves. Software producers don’t tend to support this approach. A reasonable support function, which answers MDM-specific questions, was also not always available to our corporate customers, although they sometimes paid enormous sums for the solution. 

What I personally find worst is that an artificial, cumbersome, and generally impractical MDM cage costs more in license fees than our entire intranet solution. That means that economic reasons blocked the pathway to an MDM solution for many of our customers in advance (also and especially for those enterprises with thousands of commercial employees). On top of this, more and more problems kept showing up on the technical side. These were impossible to solve properly in the majority of cases since it was impossible to reasonably establish any automated or other consistent test scenarios.

As a software producer, the frustration surrounding MDM has led to us creating our own small special solution in the form of a gateway server that makes MDMs superfluous. But I should back up a bit first before I go on: if you want to operate your intranet extremely securely, then it needs to reside behind a firewall. This has the unmistakable advantage of keeping your intranet server safe from all of those bad actors who try to compromise servers on the internet. This also applies if your intranet software contains a potential security loophole – and all software has flaws like this that someone will find sooner or later. Don’t let anyone tell you differently. Software can be a scruffy affair. It depends on services, which in turn depend on libraries. The structure is so complex that nobody can seriously rule out one of the elements having a weak spot. Good providers know this and react quickly when a problem with security arises. It’s a number one priority for all cloud offerings. If your system is equipped with an additional firewall, it will still protect you from hackers if a security loophole exists that still needs to be closed.

Lots of our corporate customers run their systems from behind a firewall. Now if you want to access a protected system like this with a smartphone, you first have to open a tunnel through the firewall. On your smartphone, you do that with a VPN client (Virtual Private Network). As a rule, however, license fees also have to be paid for each user of the VPN solution, which, similar to MDMs, can result in enormous costs. But even if you use OpenVPN, for example, as a free, open-source solution, it’s no fun to use because you have to activate the VPN first every time you want to access the mobile intranet. 

If you receive a push message in a situation like this, you can’t just click on it. You have to open the VPN tunnel first. And no one is going to do that. 

With complete conviction and without performing any surveys, I reckon that systems that need to be accessed through VPN tunnels on smartphones are pretty much dead when it comes to their active use.

And yes, it’s true that many organizations force their people to use their apps through a VPN tunnel. But nobody likes to do it. And under circumstances like these, people will only use them if there’s no way around it. When I really have to, I’ll move mountains. But not just to find out about something quickly. As a user, I’m not going to switch the VPN on for this extra bit of info. 

MDM solutions promise to get around these problems by automatically having a VPN tunnel on-board so that users can access the intranet easily using the mobile app. And on the whole, this works as well. Things don’t look so good though when it comes to the details, however – for example, when users try to open attachments and files on their smartphone using locally installed viewing apps. The file would have to be extracted through the MDM firewall, and in many cases, that’s prohibited. 

Of course, you don’t need to understand all these details. The point is that MDM systems make things incredibly complicated and are also incredibly expensive. And although we have hundreds of systems successfully in use, they’re more of a bind when used on a mobile basis in combination with MDM systems. In any case, you need highly motivated and skilled MDM specialists. It’s certainly not a simple affair. 

So, back to our Linchpin solution. It’s quite easy in comparison. We built a gateway server that’s available for connection calls from intranet systems that reside behind a firewall. Mobile apps installed on smartphones can connect to the gateway server. One-time authentication takes place using QR codes, which are scanned into the mobile app. And end-to-end encryption ensures that data can’t be intercepted between the intranet server and the smartphone.

Either use a publicly accessible intranet or use a solution that allows easy access from your smartphone to your intranet server. 

We’ve invested a lot in our Linchpin solution to make sure that secure systems can also be reached over the gateway server. If you can’t find a way around MDM solutions, your intranet team should really put them through their paces. They can work. However, in 80 percent of the cases that I’m aware of, the results are pretty dubious and they won’t elicit rounds of applause from your users. The bottom line is: be careful when it comes to MDM solutions.


Link to this page: https://seibert.biz/intranetbookmdm


The Social Intranet

Foster collaboration and strengthen communication. Be effective with enterprise intranets mobile and in the cloud.

Virtual Collaboration in Companies: Social Intranets as a Digital Home 

Never before has the business world been so overrun by cloud software and specialized vendors as it is now. There is so much software out there that it is becoming increasingly difficult to keep track of things. It is all the more important for the future of work to have a place for digital meeting - a reliable home port meaningfully networked with numerous other systems that makes it quick and easy to navigate. This will increase transparency in the company and make collaboration more effective. Based on many years of experience, this book tells you how it already works in today's digitalized world and which trends you probably should rather than shouldn't follow.

About the author

Martin Seibert was 17 when he founded the software company Seibert Media. Twenty-four years later, it has nearly 200 employees and generates 35 million euros in annual sales. He has been sharing his enthusiasm for technology in YouTube videos for many years - and now also in his new book about social intranets.


Free for interested parties

Paperback on Amazon

eBook on Amazon

This page was last edited on 03/31/2021.