With so many people working from home, the line is blurring between work and personal devices. Many employees are just as likely to access work email on their own smartphones as they are on work devices. Similarly, those who have been given work devices are likely to try snatching a quick game of Candy Crush on their work phone every now and then.
That creates some serious security concerns for employers. Devices on untrusted networks running untrusted software are potential attack vectors. They are also physically vulnerable. How can administrators ensure that business data on those devices stays safe if they're lost or stolen? The answer lies in a mixture of on-device functionality and back-end administrative tools.
Android has used separate work and user profiles for several years as part of its Android for Work offering, which lets administrators create work profiles on employee devices that are managed by an enterprise mobility management (EMM) system. Android 11, launched in September 2020, expanded that separation to cover more tasks. Users will now see different profile tabs when sharing files and changing settings. It also enables employees to pause the work profile on their devices after hours so that they can watch Netflix in peace without enduring a barrage of work-related notifications.
Apple takes a different approach on its devices, forgoing sandboxes in favour of controls that restrict the flow of data between different applications. Administrators can install work applications via centralised management software, including custom apps of their own, control how that data is stored, and remove it remotely. Apple devices can be told which apps may open specific files using a feature called Managed Open In, which stops unmanaged personal apps from opening managed files. iOS devices can even be made to avoid backing up that data to Apple's iCloud service.
Admins handling Apple devices can also define managed domains such as an internal company website. The device will then apply the same protections and restrictions to any file downloaded from that website as it does to data in managed apps.
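As an added illustration (not from the original article or any vendor's tooling), the script below audits an iOS configuration profile for the two controls just described: Managed Open In and managed web domains. It assumes the key names from Apple's Restrictions (`com.apple.applicationaccess`) and Managed Domains (`com.apple.domains`) payloads, also checks the companion restriction for the reverse direction, and uses a constructed sample profile; `audit_profile` and `intranet.example.com` are hypothetical.

```python
import plistlib

# Constructed sample profile for illustration only; intranet.example.com is a
# placeholder and the profile is trimmed to the keys this audit reads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.domains</string>
      <key>WebDomains</key><array><string>intranet.example.com</string></array>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(raw: bytes) -> list[str]:
    """Return findings for data-flow controls that the profile leaves open."""
    profile = plistlib.loads(raw)
    restrictions, web_domains = {}, []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.applicationaccess":
            restrictions.update(payload)
        elif ptype == "com.apple.domains":
            web_domains.extend(payload.get("WebDomains", []))

    findings = []
    # Both restriction keys default to true (flow allowed) when absent.
    if restrictions.get("allowOpenFromManagedToUnmanaged", True):
        findings.append("managed files can be opened in unmanaged apps")
    if restrictions.get("allowOpenFromUnmanagedToManaged", True):
        findings.append("unmanaged files can be opened in managed apps")
    # Without managed web domains, intranet downloads are treated as personal data.
    if not web_domains:
        findings.append("no managed web domains defined")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```
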
Back-end mobile device management software
The device-level functionality is just one part of the equation. The other is the software that allows administrators to set those policies. You'll hear different acronyms for these. One of the most common is mobile device management (MDM), which focuses purely on managing the devices themselves, defining which devices can join your network and managing features such as remote device wiping.
Over time, this evolved into enterprise mobility management (EMM), which covers the management of the device and its data and applications. This will help you to manage lists of company-approved applications for work, possibly through your own internal branded app store. Products like MobileIron (now owned by Ivanti), VMware AirWatch, and Citrix Endpoint Management fill this role. Microsoft Endpoint Manager (formerly Intune) also offers EMM capabilities.
Some of these tools also extend into unified endpoint management (UEM), which offers management not just for iOS and Android devices, but for desktop operating systems including Windows, Mac, and sometimes Linux.
Ideally, employees would only use work devices for work tasks, but in a pandemic world, that's no longer realistic for many. These tools can help to make things more convenient for employees while also giving IT and compliance managers the peace of mind they need when protecting company information.