MDM Security and Usability

Navigating the intricate landscape of Mobile Device Management (MDM), Mobile Application Management (MAM), and Enterprise Mobility Management (EMM) is not just about understanding the jargon. It is about applying these frameworks in real-world scenarios, where the line between user convenience and security is rarely clean.

The concept of balancing these two seemingly contrasting needs is the cornerstone of effective device management. In today's article, we'll explore this balance in detail, examining the complexities of various device management options such as Bring Your Own Device (BYOD), Corporate Owned, Personally Enabled (COPE), and comprehensive MDM systems.

For MDM administrators, making the right choice often becomes a question of aligning organization-specific needs with these frameworks. We will also consider the importance of being transparent with users about security protocols and garnering their consent for a mutually beneficial environment.

This article is part of our guide "Mastering Mobile Device Management Operations: A Guide for Admins".

The Landscape of Mobile Device Management: BYOD, COPE, and Fully Fledged MDM

Definitions and Brief History

BYOD, COPE, and fully fledged MDM serve as the cornerstones of modern device management. The first two describe who owns the device: BYOD lets employees use their personal devices for work-related tasks, while COPE devices are owned by the organization but may also be used for personal activities. "Fully fledged MDM" describes the depth of management rather than ownership: a corporate-owned device enrolled so that the organization monitors, configures, and secures it in full. On personally owned devices the platforms confine management to a work profile or to managed apps, so the same MDM server simply has less to work with.

For MDM admins, understanding the history and evolution of these models can provide valuable insights. For instance, BYOD gained popularity with the advent of smartphones and the increasing power of personal computing devices. COPE has been a compromise solution that aims to give the best of both worlds. Fully fledged MDM solutions have often been the choice for organizations that require rigorous security protocols due to the nature of their work, such as government agencies or financial institutions.

Key Differences and Guidance for MDM Admins

The primary distinctions among these options lie in the level of control that an organization can exercise and the freedom of usage afforded to the users. BYOD offers the least control but maximum freedom, COPE offers a balanced approach, and fully fledged MDM systems provide maximum control but may significantly limit user freedom.

As an MDM admin, your choice will largely depend on the unique needs of your organization. For instance, if data security is of paramount importance and the devices need to handle sensitive data, leaning towards a fully fledged MDM might be more appropriate. On the other hand, if you work in a creative industry where individual freedom and flexibility are highly valued, a BYOD or COPE approach may be more suitable.

Setting the Scope for Usage Rules and Security Measures

It is critical for MDM administrators to define the boundaries of their security measures and usage rules, and to document them for users. This matters most under BYOD, where the platform itself limits your reach: management applies to the work profile or to managed apps, and a remote wipe removes corporate data rather than the whole device. With fully fledged MDM on corporate-owned devices you can go much further, for instance by forcing traffic through a VPN (always-on or per-app) or restricting data transfer channels such as USB, AirDrop, or cloud backup. Such measures may well be the right call, but each one should be weighed against its cost in user experience and productivity.

The Spectrum of Control: Understanding the Extremes

Absolute Control: Pros & Cons


At one end of the control spectrum lies the "Absolute Control" model, where administrators tightly manage every device in the fleet. Here, MDM solutions can go as far as enforcing strict application allowlists, dictating permissible device settings, and continuously collecting device location. This approach offers the strongest security posture, reducing the risk of data breaches, unauthorized access, and malware, but it comes with significant downsides. Note too that the most intrusive controls, location tracking in particular, are only available on corporate-owned, fully managed devices and carry privacy obligations toward the user; on personally owned devices the platforms largely withhold them from the MDM.

User satisfaction often suffers under this extreme. Employees may feel micromanaged, causing discontent and potentially hindering their productivity. This could result in a tense workplace environment where employees are less likely to be proactive or innovative. Also, the high level of control can make quick adaptability to new tools or processes cumbersome, potentially delaying time-sensitive projects.

Therefore, MDM administrators must exercise caution when adopting an Absolute Control model. A collaborative approach involving consultations with department heads and key stakeholders is recommended to understand the unique functional requirements of different teams. Furthermore, rolling out controls in phases can help measure any negative impact on productivity, enabling administrators to fine-tune the model as needed.

Free Rein: Pros & Cons


At the other extreme is the "Free Rein" model, which imposes minimal controls on device usage within the organization. From a security perspective this approach is inherently risky, leaving the enterprise exposed to threats such as data breaches, unauthorized access, and malware, and with little visibility into which devices hold corporate data at all. However, it also offers the highest degree of freedom to employees, fostering an environment conducive to creativity, autonomy, and job satisfaction.

Administrators interested in this model would do well to initiate a pilot program with a select group of users. Observing this cohort for a set period will provide invaluable data on the model's practical implications, such as the frequency of security incidents, the rate of resource misuse, or any unforeseen operational challenges. The gathered insights can then inform the decision to adopt, modify, or abandon the Free Rein model at the organizational level.

Striking a Balance: The Middle Ground


Most organizations find that a balanced approach offers the best of both worlds. In this "Middle Ground" model, MDM admins establish tiered user profiles with varying degrees of access and restrictions based on roles, departments, or the sensitivity of the data each group handles. Tier by need, not by seniority: an executive who only reads mail on the go needs no more than a standard profile, while a finance analyst or an administrator whose device reaches sensitive systems needs tighter controls. Executives are also among the most targeted accounts in any organization, so loosening their restrictions widens the attack surface exactly where it matters most.

This balanced approach allows for adequate security controls while also providing enough leeway for employees to be productive and satisfied. Through constant feedback loops and regular policy reviews, administrators can continually refine this model to meet the evolving needs and expectations of both the enterprise and its employees.

Usage Rules: The Human Factor

Importance and Practical Examples

Usage rules in a mobile device management environment aren't just technical requirements; they are also deeply tied to the human factor. Whether it's restricting the use of social media during work hours, prohibiting the downloading of certain types of content, or setting rules for data sharing, these policies can have a significant impact on how employees interact with their devices.

For example, MDM admins can implement policies that block access to streaming services during work hours to enhance productivity; on personal devices such filtering should be scoped to the work profile or managed browser rather than the whole device. Alternatively, you might allow liberal internet access but monitor bandwidth usage to ensure it is not affecting the corporate network adversely.

Employee Productivity and Satisfaction: Finding the Balance

The tension between employee satisfaction and productivity is an age-old challenge for organizations. While it might be tempting to enforce a stringent set of rules to ensure maximum productivity, such a strategy can backfire and have the opposite effect. According to a report by Gallup, employees who are engaged and satisfied are 21% more productive than those who are not (Gallup, 2020).

As part of an MDM strategy, administrators should consider deploying periodic surveys or utilizing employee feedback platforms to gauge satisfaction levels concerning device usage rules. It could reveal common grievances that warrant attention. For instance, if a significant number of employees express that a particular website necessary for their work is being blocked, that policy could be revisited.

Risk vs. Reward: When Lenient Usage Rules Work

While lenient device usage rules may seem counterintuitive from a security standpoint, they can foster a more trusting, autonomous, and thus, productive work environment. According to a study published in the Harvard Business Review, high-trust companies "report 74% less stress, 106% more energy at work, 50% higher productivity" (Harvard Business Review, 2017). However, leniency comes with its own set of risks—most notably, potential breaches in data security and misuse of corporate resources.

MDM admins should continually evaluate the risk-versus-reward implications of their policies. Real-time monitoring and alerting on behaviours considered risky can be a balanced middle path. For example, when an employee tries to install an app that is not on the allowlist, the action could open a review request instead of being blocked outright, with the install held until an admin decides. Clearly dangerous cases, such as sideloaded packages or apps on a denylist, should still be blocked automatically; the review path is for the grey area. This allows a nuanced, case-by-case assessment, ensuring that the policy is neither too lax nor overly stringent.
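The graduated response described above, as an added example that is not Appaloosa's code or any MDM vendor's API: a hard rule (sideloaded package or denylisted identifier) blocks immediately, an allowlisted app installs, and anything else is parked in a review queue for an admin. The install events, bundle identifiers, tiers and rules are constructed for illustration.

```python
"""Allowlist enforcement with a review queue instead of a hard block.

Added example, not Appaloosa's code or any vendor's API. The install
events, bundle identifiers, tiers and rules are constructed for
illustration; a real MDM would report the install attempt from the device
and push the resulting action back to it.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"            # on the allowlist: install proceeds
    REVIEW = "review"          # not on the list: hold and queue for an admin
    BLOCK = "block"            # matches a hard rule: block immediately


@dataclass(frozen=True)
class InstallEvent:
    device_id: str
    user_tier: str             # "standard" or "restricted" (hypothetical tiers)
    bundle_id: str
    source: str                # "managed_store", "public_store" or "sideload"


# Hypothetical per-tier allowlists; the restricted tier gets a subset.
ALLOWLIST = {
    "standard": {"com.example.mail", "com.example.chat", "com.example.docs"},
    "restricted": {"com.example.mail"},
}
# Hard rules are non-negotiable: no review, just a block. Sideloaded packages
# bypass store vetting; the denylist entry is a constructed placeholder.
BLOCKED_SOURCES = {"sideload"}
DENYLIST = {"com.example.remote-desktop-free"}


@dataclass
class ReviewQueue:
    pending: list = field(default_factory=list)

    def submit(self, event: InstallEvent) -> None:
        self.pending.append(event)


def decide(event: InstallEvent, queue: ReviewQueue) -> Action:
    """Graduated response: block on hard rules, allow what is listed, and park
    everything else for a human decision rather than auto-blocking it."""
    if event.source in BLOCKED_SOURCES or event.bundle_id in DENYLIST:
        return Action.BLOCK
    if event.bundle_id in ALLOWLIST.get(event.user_tier, set()):
        return Action.ALLOW
    queue.submit(event)
    return Action.REVIEW


def process(events, queue=None):
    """Return ({device_id: Action}, queue) for a batch of install events."""
    if queue is None:
        queue = ReviewQueue()
    decisions = {e.device_id: decide(e, queue) for e in events}
    return decisions, queue


# Constructed sample events, one per device.
SAMPLE_EVENTS = [
    InstallEvent("dev-1", "standard", "com.example.chat", "managed_store"),
    InstallEvent("dev-2", "restricted", "com.example.chat", "managed_store"),
    InstallEvent("dev-3", "standard", "com.example.notes", "public_store"),
    InstallEvent("dev-4", "standard", "com.example.chat", "sideload"),
    InstallEvent("dev-5", "standard", "com.example.remote-desktop-free", "public_store"),
]

if __name__ == "__main__":
    decisions, queue = process(SAMPLE_EVENTS)
    for e in SAMPLE_EVENTS:
        print(f"{e.device_id} {e.bundle_id:<36} {decisions[e.device_id].value}")
    print(f"{len(queue.pending)} request(s) awaiting review")
```

The order of the checks is the point: hard rules are evaluated before the allowlist, so an allowlisted bundle identifier arriving as a sideloaded package is still blocked, and only requests that survive both checks reach a human.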

Security Measures: The Non-Negotiables

Basic Requirements Across All Models

Certain security measures are universally essential, irrespective of whether an organization opts for a BYOD, COPE, or fully fledged MDM approach. These include endpoint security features, data encryption, and secure access controls. MDM admins should treat these as the non-negotiable aspects of their device management strategy.

For example, two-factor authentication (2FA) can be a mandatory requirement across all models; where the platform supports it, prefer phishing-resistant methods such as platform authenticators or hardware keys over SMS codes. Even in a flexible BYOD environment, enforcing 2FA adds a layer of protection without severely limiting user freedom. Likewise, encrypted transport (TLS, or a VPN where an application cannot be trusted to use it) should be mandatory for any exchange of sensitive or proprietary data, and device encryption with a screen lock should be a condition of enrollment rather than an option.

Balancing Security Measures and Usability: Tips for Admins

Security measures can often be cumbersome, leading to workarounds by the employees, which defeats their purpose. MDM admins must strive for a balance where security measures are effective yet not too invasive or cumbersome.

One way to achieve this is to implement Single Sign-On (SSO) so that employees reach multiple services with a single set of credentials. This simplifies the user experience and concentrates authentication where it can be protected with strong 2FA, but it also makes the identity provider a single point of failure, so that account deserves the tightest controls of all. Similarly, admins can employ contextual (often called conditional) access controls that decide per request based on factors like device health reported by the MDM, network location, and time of day: a compliant device on the corporate network proceeds silently, an unusual context prompts for a fresh second factor, and a non-compliant device is refused. This provides layered security without being overly restrictive for the common case.
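The contextual access decision just described, combined with the tiered profiles from the Middle Ground section, as an added example that is not Appaloosa's code or any identity provider's API. The tier names, resources, thresholds, networks and sample contexts are constructed for illustration; in a real deployment the device posture would come from the MDM compliance report and the decision would be enforced by the identity provider or an access gateway.

```python
"""Contextual (conditional) access: role tier + device posture + network + time.

Added example, not Appaloosa's code or any vendor's API. The tier names,
resources, thresholds, networks and sample contexts are constructed for
illustration. In a real deployment the posture would come from the MDM
compliance report and the decision would be enforced by the identity
provider or an access gateway.
"""
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"        # proceed only after a fresh MFA prompt
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    encrypted: bool
    passcode_set: bool
    compromised: bool          # jailbroken/rooted per the compliance check
    os_version: tuple          # e.g. (17, 4)
    managed: bool              # enrolled in MDM; False for an unmanaged BYOD phone


@dataclass(frozen=True)
class Context:
    tier: str                  # "general", "finance", "admin" (hypothetical)
    resource: str              # "mail", "finance_ledger", "admin_console"
    client_ip: str
    when: datetime
    posture: DevicePosture


MIN_OS = (17, 0)
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]
BUSINESS_HOURS = (time(7, 0), time(20, 0))
# Tiers are defined by the sensitivity of the data they reach, not by seniority.
RESOURCE_TIERS = {
    "mail": {"general", "finance", "admin"},
    "finance_ledger": {"finance", "admin"},
    "admin_console": {"admin"},
}
SENSITIVE = {"finance_ledger", "admin_console"}


def baseline_ok(p: DevicePosture) -> bool:
    """The non-negotiables that apply to every model, BYOD included."""
    return p.encrypted and p.passcode_set and not p.compromised and p.os_version >= MIN_OS


def on_corp_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def in_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= when.time() <= end


def evaluate(ctx: Context) -> Decision:
    """Hard failures deny; an unusual context steps up instead of blocking."""
    if not baseline_ok(ctx.posture):
        return Decision.DENY
    if ctx.tier not in RESOURCE_TIERS.get(ctx.resource, set()):
        return Decision.DENY
    sensitive = ctx.resource in SENSITIVE
    if sensitive and not ctx.posture.managed:
        return Decision.DENY           # sensitive data stays off unmanaged devices
    unusual = not on_corp_network(ctx.client_ip) or not in_business_hours(ctx.when)
    if unusual and (sensitive or not ctx.posture.managed):
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample postures and contexts.
HEALTHY = DevicePosture(True, True, False, (17, 4), managed=True)
BYOD = DevicePosture(True, True, False, (17, 2), managed=False)
ROOTED = DevicePosture(True, True, True, (17, 4), managed=True)
DAY = datetime(2023, 9, 12, 10, 0)
NIGHT = datetime(2023, 9, 12, 23, 30)

SAMPLES = {
    "finance_on_prem": Context("finance", "finance_ledger", "10.1.2.3", DAY, HEALTHY),
    "finance_remote": Context("finance", "finance_ledger", "203.0.113.5", DAY, HEALTHY),
    "finance_after_hours": Context("finance", "finance_ledger", "10.1.2.3", NIGHT, HEALTHY),
    "general_to_ledger": Context("general", "finance_ledger", "10.1.2.3", DAY, HEALTHY),
    "jailbroken_mail": Context("general", "mail", "10.1.2.3", DAY, ROOTED),
    "byod_mail_remote": Context("general", "mail", "203.0.113.5", DAY, BYOD),
    "byod_ledger": Context("finance", "finance_ledger", "10.1.2.3", DAY, BYOD),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: Decision}."""
    return {name: evaluate(ctx) for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:<20} {decision.value}")
```

Two design choices carry the security argument. Baseline posture is checked first and fails closed, so no amount of favourable context rescues a jailbroken or unencrypted device. Context then only ever escalates to a step-up prompt; it never silently grants more than the tier allows, which keeps the friction on the unusual request rather than on every login.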

Striking the right balance between usage rules and security measures is crucial for successful mobile device management. Whether opting for BYOD, COPE, or a fully fledged MDM approach, admins must carefully consider the unique needs and risks associated with their organizational structure and culture. The ultimate goal is to create an environment where security measures are stringent enough to protect corporate assets but flexible enough to encourage productivity and employee satisfaction. By keeping a finger on the pulse of both technological advancements and employee feedback, MDM admins can craft a balanced, efficient, and secure device management strategy.

Julien Ott
September 12, 2023
