Security Theatre

There are many things in IT that are received knowledge, things that everyone knows.

One thing that everyone knows is that you have to manage employees' mobile devices to prevent unauthorised access to enterprise systems. My employer's choice of MDM agent is a bit intrusive for my personal tastes, so I opted not to install it on my personal iPad. The iPhone is the company's device, so it's their own choice what they want me to run on it.

Among other things, this agent is required to connect to the company Exchange server from mobile devices. You can't just add an Exchange account and log in with your AD credentials; you need this agent to be in place.

But why the focus on mobile devices?

When I upgraded my work and home Macs to Yosemite, I finally turned on the iCloud Keychain. I hadn't checked exactly what was syncing, and was surprised to see work calendar alerts turning up on my home Mac. My personal Mac had just grabbed my AD credentials out of iCloud and logged in to Exchange, without any challenge from the corporate side.

So how is that different from my iPad? Why is a Mac exempt from the roadblock? A Mac is arguably less secure than an iPad if it gets forgotten in a coffee shop or whatever - never mind a Windows machine. Why is "mobile" different? Just because?

Many enterprise IT people seem to lose their minds when it comes to mobile device management. I'm not necessarily arguing for just dropping the requirement, just for a sane evaluation of the risks and the responses that are required.

We don't have to care, we're IT

Brian Katz comments with his usual incisiveness on Mobile Device Management (MDM) in "IT is in the Experience Business".

"MDM is dead and it’s been dead for a long time."

Oh thank $DEITY. As I have had occasion to comment myself, users don’t want their devices to be managed. They - or in fact we, since I’m a subject of MDM, not an admin - will tolerate a reasonable amount of inconvenience in the name of what we recognise as reasonable security requirements. What we don’t want is for our phones to end up like our Windows laptops, taking half an hour to boot and prone to all sorts of random malfunctions, slowdowns and incomprehensible roadblocks due to the number of "security" solutions they are larded down with.

This is exactly what is driving the enterprise adoption of Macs. Techies had been running Linux and maybe keeping the corporate Windows image around in a VM, but now civilians are moving to the Mac as fast as they can manage. Now we know the answer to the question "how bad do products have to be to drive even Muggles to change platform?".

"IT isn’t just in the solution business anymore. It can’t be reactive and spend months trying to build the perfect thing the business asked for but needed much sooner than IT could deliver. IT is in the experience business. Users need to have great interactions that lead to fantastic experiences that help them get stuff done and move the business towards its goal."

(Emphasis mine)

Exactly right. Enterprise IT apps are all overgrown with feeping creatures, and users can’t get away from them fast enough. It doesn’t matter whether the apps are home-grown or COTS that has been customised, because the issue is not a technical problem but a worldview problem within IT.

Enterprise IT departments have always operated like The Phone Company, but this is now a post-breakup world, and now IT does have to care. Users bring their own tools, their own devices, even their own clouds. Users help themselves and each other; anything to avoid dealing with the hell-desk.

But things don’t have to be this way. Brian concludes his post with this statement of the business of IT:

"We’re in the business of providing secure right time experiences that allow the user to (in the words of the army) be all they can be."

Now that is an IT vision that users might actually enjoy.