SN Applied Sciences, 2:42

Analysis of a cloud-based mobile device management solution on android phones: technological and organizational aspects

  • Kamil Glowinski
  • Christian Gossmann
  • Dominik Strümpf
Case Study
Part of the following topical collections:
  1. Engineering: Innovative Computing Technologies: Digital Information, Communications and Multimedia

Abstract

Mobile Device Management (MDM) in companies is becoming more and more important for security reasons. Since a mobile device is, as the term expresses, mobile, it cannot be controlled by a company and its local administrators in the way stationary equipment can. Most of today’s mobiles run an Android system. Current MDM-solutions, as well as their implementation and impact on change management, will be discussed. This paper will not provide any recommendations for or against any MDM-system. Instead, the goal is to provide a general How-To that illustrates what an MDM-system is capable of, especially when implemented as a cloud-based solution, and how to make the best use of it for your company. As an example, one commercial and two open-source systems will be discussed.

Keywords

Change Management, Implementation, Mobile device management (MDM), Security, TOE, BYOD

1 Introduction

A large number of people in companies use smartphones to access critical company data. Tools for managing these devices, called mobile device management (MDM), are becoming more and more essential. It is a fast-growing market that rises rapidly from year to year. In 2012, the market value was over $500 million with more than one hundred software vendors, while in 2015 the market value was already $2 billion. The forecast for the MDM market value until 2019 has been announced as $3.94 billion [1]. Combined with an increasing number of mobile devices and a need for security, there is no end to the increasing market value in sight. This paper focuses on management and security in Android phones. Although the MDM-solutions we show in this paper support other devices, Android is currently the most used operating system on the mobile market, as shown in Fig. 1. In order to not exceed the scope of this paper, the focus is on how to make other devices compliant and how to manage them. With regard to the general data protection regulation (GDPR), the introduction of an MDM solution is interesting for companies to ensure data protection compliance. Such a tool provides central management of a company’s policy for mobile phones, allowing functions to be restricted to prevent improper use. Improper use would mean the risk of losing company data due to a lack of proper security settings and the risk of harmful installations by users, for instance, viruses or trojans on a company’s personal computer (PC).

Fig. 1 Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 1st quarter 2018 [2]

Due to the large number of mobile device management vendors and their differing feature descriptions, it is very difficult to select the proper MDM vendor. As shown by the statistics above, an MDM-solution cannot focus only on Android but has to offer support for other systems as well. The question of which MDM system should be used arises in every organization that plans to introduce such a system. In 2017, Gartner Inc. released the magic quadrant for mobile device management software, which is often used to make purchase decisions, as illustrated in Fig. 2. Although the magic quadrant shows leaders, visionaries, challengers, and niche players of the market and gives a certain overview, special circumstances in the small and medium market are not considered.

Fig. 2 Gartner magic quadrant for MDM software, Gartner Inc. [3]

While administrators today use powerful tools to ensure a PC's security, such as group policies and antivirus software on Windows systems or powerful management of user rights on Linux machines, mobile devices in companies lack such tools. Furthermore, while server equipment critical to a company can be safely placed in specially secured environments with access restrictions, people who use mobile devices usually are not administrators. Everyone with physical access to the devices has potential access to a company network when using corporate APNs. This becomes critical whenever a mobile device gets forgotten or lost. The only control of these devices can now be achieved using wireless communication, relying on infrastructure not controlled by the company [4].

2 Methodology

The purpose of this paper is to give an overview of one commercial and two freemium MDM-systems, their implementation, and central management through the cloud and for devices in the cloud, i.e., for staff members. The example use case covers the lock of the camera application on the mobile device as an example of restrictions. The steps for accomplishing this task should be a blueprint to be used for the implementation of other scenarios like restricting usage time, phone costs, or geo-blocking a company phone. This paper shows organizational aspects regarding security for a company when its staff accesses the corporate network with its own devices.

To evaluate the technical aspects of implementing MDM solutions, these solutions must meet several criteria. In the appendix, a table gives a company’s management a basis for deciding which solution might fit best. This paper, on the other hand, cannot provide any recommendation for or against any of the analyzed MDM-systems due to various facts that need to be considered, for instance, costs, number of devices, support, personal preference of a graphical user interface (GUI) and so on. The change management part, however, will cover possible implementation strategies based on organizational development and the Technology-Organization-Environment-framework (TOE) [5], which will be adopted for the cloud-based MDM solutions. The evaluated systems are the two freemium solutions Miradore MDM and ManageEngine MDM, while Sophos MDM comes as a complete commercial solution. All systems offer an on-premise installation part with supporting routines stored in the cloud, as well as cloud-only solutions. We started with the on-premises installation for testing purposes and switched to the cloud solutions afterward. Since all solution providers intend to give up the on-premises part of their MDM-systems, this step seems logical, especially as on-premises solutions cannot work without expensive infrastructure like an Exchange/Sendmail server and a messaging system to send out configuration profiles and compliance short message system (SMS), as shown at the end of the appendix. Furthermore, it needs to be mentioned that all solutions work with web browsers.

3 Related work: security and compliance in general, technological aspects

MDM is vital for ensuring that a company’s data are secured. According to M. Pierer, the concept of MDM systems can be categorized in the following areas [1]: definition of security policies, distribution of policies over the air, controlling, maintaining and monitoring compliance, and reacting to policy breaches. In general, bring-your-own-device appliances (BYOD) with software installed by staff members themselves can be considered a trend and driving force behind MDM and company policies [4]. On the other hand, almost all mobile devices require an account from the manufacturer to work correctly. That means one might upload data to cloud servers without noticing it [6]. This happens almost whenever standard settings are used. All tested systems offer features to restrict settings in Android for implementing security profiles. The only problem arose when older devices were used. The only system, or more precisely its agent, capable of managing an older Android version was Sophos. This system offers plugins for multiple hardware manufacturers of devices. The downside, however, is that both the agent and the plugin for the specific device need to be installed. Both freemium systems offer only one client, yet at least support Samsung mobiles separately.

Due to the various Android systems from device to device, the restrictions possible by MDM vary as well. So, the criteria for the evaluated systems are not the number of possible restrictions, but a working environment, especially the setup process, management, and costs. Evaluated Systems were Sophos Mobile Device Management as a commercial system, Miradore, and Mobile Device Manager Plus, as freemium environments. The criteria catalog can be found in the appendix. The outcome, however, revealed that the commercial system, due to multiple plugins for many devices as well as a TCO over five years lower than a freemium system, would be the best choice.

Regarding manageability, application rollout, and restrictions, there is not that much difference in the features of the tested systems since, as already mentioned, these settings depend on the managed device and its Android system. For Samsung devices, Samsung KNOX in devices starting with Android 5 offers many more restrictions than Android devices without Samsung KNOX. The choice of what system to implement has to be based on the number of managed devices and the security needed. The need for additional server hardware for on-premises solutions, however, needs to be kept in mind, while an outsourced cloud solution provides more flexibility and scalability. The tested freemium systems can only be used for a company when one pays for advanced features. If not, they are limited in the number of devices and restrictions for profiles.

The process of MDM requires the setup or registration, the adding of devices, and making them compliant. As a first step, an agent has to be installed on the device. This agent has to be acquired from the Google Play Store for Android devices or from the solution provider as an APK-file. It is not recommended to download these agents from other sources since they might have been tampered with. Depending on the device, there might be plugins for communicating with the MDM. They are comparable to the hardware abstraction layers for Windows or specific kernels for Linux. As an example, Samsung smartphones and Sophos MDM require the Sophos Mobile Control Application, as well as the Sophos Samsung Plugin. Furthermore, communication between the MDM and the smartphone needs to be enabled. In companies, a static IP-address is reserved for this purpose, and a contract with a mobile network operator for the company's own Access Point Name (APN) is concluded. The advantage is that any smartphone communicating over this APN can be integrated into one’s corporate network. Whether a user brings his own device (BYOD) or chooses one offered by the company (choose your own device, CYOD) is a question of comfort only [6]. Of more importance is that every mobile device uses your corporate firewall and can access only the resources in your network granted to it. After a device is compliant, management can be accomplished with policies according to the company’s needs. The deployment and management process (Fig. 3), from the enrollment of a mobile device to issuing security commands, is part of any MDM-solution.

Fig. 3 The deployment and management process for the introduction of an MDM-solution [7]

However, not all devices support every restriction, which depends on the mobile device and implementation of the Android system rather than on the MDM itself. So, there are various possibilities in restricting functions on a specific device, while other devices lack these. Mostly you might want restrictions on the access point name, so a user cannot change the Access Point Name-settings (APN) to bypass the corporate network. Other useful settings include the limitation of installable applications. So, you can lock the device on Google Play Store apps and prohibit all unknown sources. Even if a user tries to unlock unknown sources, he will not be able to do so. Furthermore, the Play Store could also be completely disabled.

The configuration of mobile devices is done via the over-the-air standard (OTA), supported in all MDM-solutions. This standard ensures the configuration of devices using any available channel like near field communication (NFC), Bluetooth, Wireless Fidelity (WiFi)/wireless local area network (WLAN), or the mobile network itself [1]. Almost any setting accessible via the Android system can be restricted. The most useful feature of MDM is the rollout of applications. That means you can do nearly anything like global policy objects (GPOs) in a Windows environment. So, you can keep every mobile device updated at the same level, all having identical application versions, which makes support easier while preventing users from updating their apps on their own and allowing compatibility to be tested before the company approves an update. In the appendix, further details about restricting the use of applications will be shown.

For security reasons, if a device gets lost or is reset, MDM ensures it can no longer access the corporate network, while management is done by a web browser from any location [6]. More important than the rollout of APKs are entire security profiles that prevent users from installing apps or taking configuration steps on the device by themselves. The profiles prevent modifications of the configuration that a user should not be authorized to make. This also covers changing the APN, usage of SD-cards for storing company data, accessing WLANs, or the use of the camera. The latter is a valuable feature in critical environments where taking pictures is not allowed. Examples of this restriction are shown in the appendix, as well as the setup of the MDM-solutions.
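The profile behaviour described in this section, as an added example that is not code from the article or from any of the evaluated MDM products: a security profile is checked against devices that support different subsets of restrictions, and corporate network access is denied on a violation, on a missing agent report, or when the device is lost or reset. The restriction keys, the `Device` fields, the `MANDATORY` set and the sample devices are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ENFORCED = "enforced"
    VIOLATED = "violated"
    UNSUPPORTED = "unsupported"


# Hypothetical restriction keys modelled on the settings named in the text.
PROFILE = {
    "camera_disabled": True,
    "apn_locked": True,
    "unknown_sources_blocked": True,
    "sd_card_storage_blocked": True,
}

# Assumption: restrictions the company refuses to waive, even on devices
# whose Android build cannot enforce them.
MANDATORY = {"apn_locked", "unknown_sources_blocked"}


@dataclass
class Device:
    name: str
    enrolled: bool = True
    lost_or_reset: bool = False
    # Restrictions this device and its Android build can enforce at all.
    supported: set = field(default_factory=set)
    # Restriction state last reported by the agent on the device.
    reported: dict = field(default_factory=dict)


def evaluate(device, profile):
    """Classify every required restriction for one device."""
    result = {}
    for key, required in profile.items():
        if not required:
            continue
        if key not in device.supported:
            result[key] = Status.UNSUPPORTED
        elif device.reported.get(key) is True:
            result[key] = Status.ENFORCED
        else:
            # Fail closed: a missing report counts as a violation.
            result[key] = Status.VIOLATED
    return result


def network_access(device, profile, mandatory):
    """Return (allowed, reasons) for access to the corporate network."""
    if not device.enrolled or device.lost_or_reset:
        return False, ["device not enrolled or reported lost/reset"]
    reasons = []
    for key, status in evaluate(device, profile).items():
        if status is Status.VIOLATED:
            reasons.append(f"{key}: violated")
        elif status is Status.UNSUPPORTED and key in mandatory:
            reasons.append(f"{key}: unsupported on this device")
    return (not reasons), reasons


# Constructed sample devices.
ALL = set(PROFILE)
ALL_ON = {key: True for key in PROFILE}
KNOX_PHONE = Device("knox-phone", supported=ALL, reported=dict(ALL_ON))
LEGACY_PHONE = Device(
    "legacy-phone",
    supported={"camera_disabled", "unknown_sources_blocked"},
    reported={"camera_disabled": True, "unknown_sources_blocked": True},
)
TAMPERED_PHONE = Device(
    "tampered-phone", supported=ALL,
    reported={**ALL_ON, "camera_disabled": False},
)
SILENT_PHONE = Device("silent-phone", supported=ALL, reported={})
LOST_PHONE = Device("lost-phone", lost_or_reset=True,
                    supported=ALL, reported=dict(ALL_ON))

if __name__ == "__main__":
    for dev in (KNOX_PHONE, LEGACY_PHONE, TAMPERED_PHONE,
                SILENT_PHONE, LOST_PHONE):
        allowed, why = network_access(dev, PROFILE, MANDATORY)
        print(f"{dev.name:15} access={allowed} {why}")
```

The legacy device shows why the number of restrictions a product lists matters less than what the managed device can enforce: an unsupported optional restriction is tolerated, an unsupported mandatory one keeps the device off the network.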

4 The organizational aspect

According to literature, modern MDM solutions are cloud solutions. Even though they were not invented initially as such [4], they did develop in this direction [8] and are today mostly handled as such [9]. The relationship between technology, particularly modern usage of smartphones, and organizational change, has not been sufficiently explored in the literature. Some studies have revealed that a rapid introduction of technology could greatly affect institutional arrangements such as formal organizational processes, including human actions and social relations [10]. Organizations exist and operate within an environment that influences their shape, determines their structure, offers opportunities, and poses threats. Customers and competitors are paramount amongst these external factors.

An analysis of an enterprise’s environment must first determine if a change that is planned (introduction of an MDM solution) has an impact on the organizational environment, especially on the external environment. If this is not the case, only the inner organization environment is considered.

Although the introduction of an MDM solution in a company could be seen, according to Butterfield, “as a concrete discrete change with a general period of time and little emotional impact” [11], the introduction should not follow a pure Systems Intervention Strategy (SIS) alone, but should use it as a guideline for a change process, augmented by a realistic approach.

The TOE [4] framework is an organization-level theory that represents one segment of how firm contexts influence the adoption and implementation of innovations, as illustrated in Fig. 4.

Fig. 4 The TOE framework [12]

According to Min et al., the framework is based on the three aspects of an enterprise context: technological, organizational, and environmental. These aspects have an impact on internet technology (IT) innovation-related decisions like MDM and the use of technological innovations in organizations [13].

The technological context includes any technology relevant to the company, technology already in use at the company, as well as the one being available in the marketplace, but not currently in use. The organizational context refers to the characteristics as well as the resources of a company, including linking structures between employees, intra-company communication processes, company size, and the number of available resources. The environmental context includes the format of the industry, the availability of technology service providers, and the regulatory environment [14]. The definitions of the aspects show that there are crucial general business issues that need to be considered. Because of that, an adaptation of the TOE framework was approached, as illustrated in Fig. 5.

Fig. 5 The extended TOE framework [15]

As mentioned before, these aspects of the TOE can be seen as essential, as has been denoted by several studies. First, the advantage, i.e., the greater the perceived relative advantage of ES, the more likely it will be adopted [16, 17]. Secondly, compatibility, i.e., the greater the perceived compatibility is with current infrastructure, values, and beliefs, the more likely they will be adopted [16, 17]. Thirdly, the lower the perceived complexity is, the more likely it will be adopted [16, 17]. Furthermore, the ability to experiment with MDM encourages its adoption [16, 17]. Top management support can provide a motivating environment of innovation diffusion through oral notes [18]. The greater the top management’s support, the more likely it will be adopted [16, 17]. An organization and its decision-making management should make an effort to assess and analyze possible changes in organizational culture, process, and work relationships [17] to avoid the negative impact that comes with an introduction of MDM solutions. Also, experience is seen as a critical aspect. The greater the expertise available in the organization, the more likely it will be adopted [16], especially the usage of and experience with mobile devices. When it comes to trust, the experience can be seen as an essential turning point. Trust is a core requirement of a positive relationship in various contexts [19], and competitive pressure can be seen as an effective motivator. Competition in the industry is generally recognized to influence IT adoption positively, which is also true for MDM [17]. The trading partner support, in other words, the provider of the device management, also has a significant positive effect on the adoption [17]. Security is another trading partner-related concern which is not only about authenticity, authorization, and accountability but is more concerned with data protection, disaster recovery, and business continuity [19].
Because dealing with security concerns has always been a focus of most firms, MDM should not present unusual or additional challenges. In some instances, the restricted configuration or customization possibilities of MDM noticeably presented fewer security risks [18]. The BYOD concept for firms is also part of the security aspect. Security and privacy must be ensured as an integrated and integrative process encompassing the whole organization. The concept is already prevalent in many organizations worldwide, and a successful strategy can provide benefits for both employees and organizations. Seen from the viewpoint of an employee, it can increase mobility, flexibility, and ability to adopt the technology of choice. Moreover, it can lead to greater job satisfaction and an increase in employee productivity in organizations” [20]. Modern MDM is the primary key to allowing your employees to bring their own device, since through the separation of company and private data, employers and employees can share in the benefits of using the device of their choice (within the defined limitations, like using a particular OS, etc.) while minimizing the hazards. Furthermore, a lack of usage of an MDM solution is the main reason for structural problems with BYOD [20]. As an alternative to the BYOD approach, Corporate Owned, Personal Enabled (COPE) is possible. This means the organization buys the mobile device, and the user can use the mobile device privately. Although the initial investment for the organization is high, the auditing and monitoring are inexpensive. Moreover, the familiarity of the mobile device to the end-user is given because end users tend to utilize their favorite mobile devices for business purposes. Therefore, productivity and efficiency can be increased [1]. In general, a combination of those initiatives is used in organizations.
In departments, where sensitive data is stored extensively, it is advisable to choose the Corporate Owned Business Only (COBO) initiative.

Roll-Out: As for the SIS, the organizational requirements, security policies, and data protection issues must be considered first, which will be mainly related to security. Yet, these must be defined for each firm on a best practice base, depending on the organization’s complexity and company size. Organizations have to think about a roll-out strategy to enroll all mobile devices, which belong to them over a mobile device management system. Because of the direct impact of mobile end users, this phase is seen as the most critical one. However, the cooperation of each employee is necessary, without the collaboration of the users, the enrolment and application distribution cannot take place, and the control and maintenance is difficult.” [1].

5 Conclusion

Regarding technological aspects, Mobile Device Management can be considered a solution for enterprises to extend their security from classic internal networks to mobile devices, even when users bring their own devices (BYOD). Yet, it also plays an essential role when firms use a COPE or COBO approach for security reasons. MDM ensures these devices are compliant with corporate policies, like GPOs in Windows. That means a user cannot tamper with a device without being banned from the corporate network once a policy violation is detected. For the management, it also becomes much more comfortable to update many mobile devices to the current software version (APK-files), comparable to software distribution in Windows. A mobile device can be remotely controlled as well, monitored, and restricted in its functions to the desired level.

Regarding the organizational aspect, we showed the relation of state-of-the-art MDM solutions to the cloud and the relationship between technology, particularly modern usage of smartphones, and organizational change. Furthermore, the importance of the external and internal corporate environment was shown. Indeed, there is not a mere change of fixed timescales and limited emotional impact, but other organizational aspects are affected as well.

Since the relevance of the TOE framework for IT innovation-related decisions is found to be increasing in the recent literature, the authors used the extended version of the framework (extended by the aspect of business strategy) to analyze in the literature which aspects could be essential for the introduction and acceptance of an MDM solution.

Concerning the technological aspect, relative advantage, compatibility, complexity, organizational readiness, and compatibility were identified as essential. Also, the ability to experiment has been identified as an important aspect. In the Organizational aspect of the TOE, the top management support is seen as crucial for the acceptance, as well as experience. As for the environmental aspect, competitive pressure is seen as an effective motivator for adoption.

As for the last aspect, the business strategy was analyzed. Due to this analysis, it was shown that security is the main factor and is thus of the highest importance for firms. Hence, dealing with security concerns has always been a major focus.

In the course of evaluating an MDM solution, a company should define a strategic approach to the acquisition and use of hardware (BYOD, COPE, COBO, etc.).

In an MDM Rollout, any company needs to consider the organizational requirements, security policies, and data protection issues. The strategy for the enrolment of all mobile devices also has to be taken into account. Collaboration with employees is also seen as an essential factor for a rollout, due to the direct impact of mobile end users.

This study was based on literature research. Certainly, more thorough research on practical implementation could provide deeper insight and detect possible weaknesses in implementation.

Notes

Funding

No funding was received or used for this work.

Compliance with ethical standards

Conflict of interest

All authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

References

  1. Pierer M (2016) Mobile device management mobility evaluation in small and medium-sized enterprises. Springer, Wiesbaden
  2. Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 1st quarter 2018. www.statista.com
  3. Gartner magic quadrant for MDM software (Gartner Inc. 2017). p 4. https://techorchard.com/wp-content/uploads/2017/07/Gartner_MagicQuadrant_EMM_2017.pdf. Accessed 22 July 2018
  4. Kersten H, Klett G (2012) Mobile device management. Hüthig Jehle Rehm, Heidelberg
  5. Baker J (2011) The technology-organization-environment framework. Information systems theory: explaining and predicting our digital society, 2nd edn. Springer, New York, pp 231–246
  6. Disterer G, Kleiner C (2014) Risiken mobiler Endgeräte. Mobile Endgeräte im Unternehmen, 1st edn. Springer, Wiesbaden, pp 5–13
  7. Own screenshot from ManageEngine Mobile Device Manager Plus V 9.0.0
  8. Liu L, Moulic R, Shea D (2010) Cloud service portal for mobile device management. In: IEEE 7th international conference on e-business engineering, vol 474. https://doi.org/10.1109/ICEBE.2010.102
  9. Alizadeh M, Hassan W (2013) Challenges and opportunities of mobile cloud computing. In: IEEE 9th international wireless communications and mobile computing conference. https://doi.org/10.1109/IWCMC.2013.6583636. Accessed 22 July 2018
  10. Yeo R, Marquardt M (2015) Think before you act: organizing structures of action in technology-induced change. J Organ Change Manag 28(4):511–528. https://doi.org/10.1108/JOCM-12-2013-0247
  11. Butterfield R (2013) Change–a personal view. Management Resource Centre. http://www.mrc-world.com/. Accessed 01 July 2018
  12. DePietro R, Wiarda E, Fleischer M (1990) The context for change: organization, technology, and environment. In: Tornatzky LG, Fleischer M (eds) The process of technological innovation. Lexington Books, Lexington
  13. Li M, Zhao D, Yu Y (2015) TOE drivers for cloud transformation: direct or trust-mediated? Asia Pac J Market Logist 27(2):226–248. https://doi.org/10.1108/APJML-03-2014-0040
  14. Tornatzky LG, Eveland JD, Fleischer M (1990) Technological innovation as a process. In: The processes of technological innovation. Lexington Books. pp 27–50
  15. Butterfield R, Maksuti S, Tauber M, et al (2016) Towards modelling a cloud application’s life cycle. In: 6th international conference on cloud computing and services science, pp 310–319. https://doi.org/10.5220/0005912403100319316
  16. Ramdani B, Kawalek P, Lorenzo O (2009) Predicting SMEs’ adoption of enterprise systems. J Enterp Inform Manag 22(1/2):10–24. https://doi.org/10.1108/17410390910922796
  17. Gangwar H, Date H, Ramaswamy R (2015) Understanding determinants of cloud computing adoption using an integrated TAM-TOE model. J Enterp Inf Manag. https://doi.org/10.1108/JEIM-08-2013-0065
  18. Borgman H, Bahli B, Heier H, Schewski F (2013) Cloudrise exploring cloud computing adoption and governance with the TOE framework. In: 46th Hawaii international conference on system sciences. https://doi.org/10.1109/HICSS.2013.132
  19. McKnight DH, Chervany L (2016) The meanings of trust. Technical Report MISR 96-04, Management Information Research Center, University of Minnesota, Minneapolis
  20. Bello AG, Murray D, Armarego J (2017) A systematic approach to investigating how information security and privacy can be achieved in BYOD environments. Inf Comput Secur 25(4):475–492. https://doi.org/10.1108/ICS-03-2016-0025
  21. Butterfield R (2015) Change management tools—a support booklet, prepared for the FH-Burgenland, Eisenstadt
  22. Stricklen M, McHale T, Caminetsky M, Reddy V (2008) Mobile device management. https://patentimages.storage.googleapis.com/3b/ec/bf/cfe24b906ca78e/US20080070495A1.pdf. Accessed 02 Apr 2018

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. FH Burgenland, Eisenstadt, Austria