
If you are working for a company that employs more than a handful of people and use a company smartphone or tablet, chances are that the device is owned and ‘managed’ by the company. ‘Managed’ basically means that the company uses a remote Mobile Device Management (MDM) solution that hooks into a management API of the smartphone. The same applies to notebooks as well, but I want to focus on mobile devices in this post. While the concept was clear to me in theory, the practical aspects of this have always been a bit vague, as I’m not working in an IT department that ‘manages’ remote devices. Recently, however, I came across an MDM solution that offers a free trial account. So I jumped at the chance and became a ‘Device Overlord’ for a day to see just how much can be controlled remotely and how the device enrollment process works.
Sign-Up
The MDM solution I used is Miradore, which offers a free trial account. Signing up for an administrator account only requires an E-Mail address, and you are up and running in a few minutes.
Management Options
For Android, there are a number of different ways a device can be managed. One option is to manage the complete device, which is then used only for company purposes; in Android Enterprise terms this is a ‘fully managed device’. On the other end of the spectrum, a user can bring a private device and allow the company to manage only a ‘work profile’ (Miradore calls it a business profile) on it, leaving the rest of the device untouched. In between there is the company-owned device that is completely controlled by the company but still gives the user a private space where private applications can be installed. This is called ‘Fully Managed with Work Profile’. The private and business sides are separate Android profiles with their own app sandboxes and storage, so apps installed in the private section can’t see any data stored on the business side and vice versa.
Business and Private
To get an idea of what is possible with an MDM solution, I decided to ‘manage’ two Android devices owned by the fictitious ‘Martin Inc.’ and to allow ‘my users’ a private profile next to the business applications. A factory reset is required for this option, because Android only lets a device owner be set on a device that has not yet been set up. Right after the reset, the MDM client is installed by tapping six times on the welcome screen of the setup wizard, which opens a QR code reader, and by scanning a 2D bar code (a QR code) during the initial bring-up of the device. The bar code is generated in the MDM administrator web console and can be sent to the user by E-Mail or other means. I’ve done this a number of times before with company owned devices ‘for real’, so running the process by generating the bar code myself from the MDM management web page gave me quite an interesting insight into the process.
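What the scanned bar code actually carries is a JSON object: the component name of the device policy controller (the MDM client), where to download its APK, a checksum that the setup wizard checks before installing it, and optionally Wi-Fi credentials and extras handed to the client after installation. The following is an added example, not code from the original post and not Miradore’s software; it builds and sanity-checks such a payload. The package name, component, download URL, enrollment token and Wi-Fi values are hypothetical placeholders, and the APK bytes are a constructed stand-in. The dictionary keys are the public android.app.extra.PROVISIONING_* extras that Android reads out of the QR code.

```python
"""Android Enterprise QR-code provisioning payload: build and sanity-check it.

Added example, not code from the original post and not Miradore's software.
The package, component, URL, token and Wi-Fi values are hypothetical
placeholders, not any real vendor's identifiers. The dictionary keys are the
public android.app.extra.PROVISIONING_* extras Android's setup wizard reads
from the JSON encoded in the QR code.
"""
import base64
import hashlib
import json
from typing import Dict, List, Optional, Tuple

ADMIN_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD_URL = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
PACKAGE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
SIGNATURE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
WIFI_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"

# Constructed stand-in for the DPC (MDM client) APK the device will download.
# A real payload hashes the actual APK that the download URL serves.
SAMPLE_APK = b"PK\x03\x04 constructed placeholder, not a real APK"


def package_checksum(apk_bytes: bytes) -> str:
    """SHA-256 of the APK as URL-safe base64 without '=' padding.

    This is the encoding Android expects in PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM.
    The setup wizard downloads the APK and refuses to install it if the hash
    differs, which is what ties the enrollment to one specific client build.
    """
    digest = hashlib.sha256(apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_payload(apk_bytes: bytes, enrollment_token: str,
                  wifi: Optional[Tuple[str, str]] = None) -> Dict[str, object]:
    """Assemble the JSON object that gets encoded into the enrollment QR code."""
    payload: Dict[str, object] = {
        # 'package/receiver' of the device policy controller (hypothetical names)
        ADMIN_COMPONENT: "com.example.mdm/.AdminReceiver",
        DOWNLOAD_URL: "https://mdm.example.com/client.apk",
        PACKAGE_CHECKSUM: package_checksum(apk_bytes),
        # Passed to the DPC once it is installed; a common use is an enrollment
        # token so the device lands in the right tenant of the console.
        ADMIN_EXTRAS: {"enrollmentToken": enrollment_token},
    }
    if wifi is not None:
        ssid, password = wifi
        payload[WIFI_SSID] = ssid
        payload[WIFI_SECURITY] = "WPA"
        payload[WIFI_PASSWORD] = password
    return payload


def review_payload(payload: Dict[str, object]) -> List[str]:
    """Return findings an admin should look at before handing out the code.

    The first two checks mirror what Android itself enforces; the last two are
    hygiene points, not something the platform rejects.
    """
    findings: List[str] = []
    component = str(payload.get(ADMIN_COMPONENT, ""))
    if "/" not in component:
        findings.append("admin component must be given as 'package/receiver'")
    if DOWNLOAD_URL in payload and not (
        PACKAGE_CHECKSUM in payload or SIGNATURE_CHECKSUM in payload
    ):
        findings.append("download location given without a package or signature checksum")
    if DOWNLOAD_URL in payload and not str(payload[DOWNLOAD_URL]).startswith("https://"):
        findings.append("DPC download URL is not https")
    if WIFI_PASSWORD in payload:
        findings.append("QR code carries a Wi-Fi password in clear; anyone who sees the code has it")
    return findings


def to_qr_text(payload: Dict[str, object]) -> str:
    """The exact string a QR encoder is given (what the console mails to the user)."""
    return json.dumps(payload, separators=(",", ":"))


def from_qr_text(text: str) -> Dict[str, object]:
    """What the setup wizard parses back out after scanning."""
    return json.loads(text)


if __name__ == "__main__":
    p = build_payload(SAMPLE_APK, enrollment_token="martin-inc-trial-0001")
    print(to_qr_text(p))
    print("findings:", review_payload(p) or "none")
```

The practical point: since the code is usually sent by E-Mail, treat it like a credential. It names the client the device will trust as its owner, and anything embedded in it, Wi-Fi passwords included, is readable by whoever gets the mail.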
Once the initial configuration is done, the device has a private profile and a business profile. The business profile contains the MDM client app, in this case Miradore’s, which has complete control of the device. Companies will typically assign a configuration profile defined in the MDM management web console that describes how all company devices should behave and what the user is allowed to do. Settings can also be overridden on a per device basis, e.g. to give one user permissions that other users don’t get on their company devices.
Permissions, Restrictions and Location Data
In practice, the MDM solution has complete control over the device. Just to name a few of the things that can be configured and enforced remotely: apps can be pushed to and removed from the device; the use of Wi-Fi, Bluetooth and tethering can be allowed or denied; the user can be allowed or prevented from switching to flight mode; data roaming can be enabled or disabled; the option for the user to perform a factory reset can be allowed or disabled; data transfer via the USB port can be restricted; the use of the camera can be controlled; printing and screen captures can be allowed or denied; and so on. Under the hood these are the user restrictions and policies that Android’s DevicePolicyManager exposes to the device owner, which is why the user can’t simply switch them back on in the settings.
It is also possible to track the location of the device: the MDM console has a map on which the location of a managed device can be seen, if that is enabled for the device. For support, the Miradore MDM management console offers remote device support with screen sharing and interaction, and when push comes to shove it’s also possible to send a wipe command to the device to make sure data does not get into the wrong hands.
Summary
I’m very happy I had the opportunity to try this out myself as it gives me a much better understanding of how managed a managed smartphone or tablet really is and how deep MDM is integrated into Android.