MDM and WeGuard

Shashi K, published in Wenable
6 min read, Jan 31, 2019

Introduction to MDM and WeGuard

“My cell phone is my best friend. It’s my lifeline to the outside world.” — Carrie Underwood

Today, a cell phone (or a tablet) is not just a means of establishing and maintaining contact between two parties. It still does that, but it goes far beyond it. It has become something like an identity for the individual. Add to that all you can do with it: keep yourself entertained and updated, gather knowledge, keep notes and reminders like a personal assistant and, of course, get some office work done while travelling to the football game with friends in tow. But what about securing the work?

As more and more organisations come to understand the benefits of flexible and convenient work, how do they make sure that the work done by employees/associates is not compromised? Welcome to Mobile Device Management (MDM). This article discusses a few aspects of MDM on an Android device: a broad, high-level view of how it works, how it allows an enterprise to control a device (thus delegating the responsibility of managing the devices to a secure and highly available system), security management, and how an enterprise can benefit from it. Interested? Keep on reading.

Now, the first question any newbie has is, “How does MDM work on Android?” Let us understand that first, on a native Android device.

Android, in general, provides APIs to work with: get the device location (if location is turned on), log in to or talk to other apps, Gmail, and so many others. Android provides APIs for setting up an MDM too, but with a difference: you cannot access them directly. You, as an MDM solution provider, need to approach Google to use the Android Management APIs. Once you have been approved (for a specific period), you can start using the APIs.

Officially Google provides access to MDM in 2 different ways.

  • Android Management API: In this case, Google takes care of the entire management of the device. From the time of device enrolment, all the APIs are invoked directly by Google. The MDM provider (WeGuard is the MDM provider in the diagram below) provides a console which is integrated with the Android Management APIs. This allows the MDM customer, usually an enterprise that needs to control the devices, to interact with the Google DPC installed on the device and to execute commands from the console, which the DPC understands and executes on the phone. The Google DPC is installed as part of the enrolment process and takes care of all execution of commands on the device(s). We as a team think Google is going to push for this option as an EMM in future.
      • The Google Device Policy Agent will have Owner privileges and complete control over the device.
  • DPC identifier: Device Policy Control (DPC) is another way to enable MDM on your phones. Here, all the MDM features and APIs need to be implemented by the MDM Agent (WeGuard). Note that Google also has a Device Policy App by the same name, which is used in the previous case. In this case WeGuard is the Device Policy App and Google’s Device Policy App does not get installed. The EMM console talks directly to the device, and commands or policies are executed by the WeGuard MDM Agent. (It is worth noting that other providers, for example AirWatch, MobileIron and others, also have their own DPCs.) You may ask: if this is the case, why is Google required to give us access to the APIs? The DPC agent will take care of it anyway, right? No. Here, the DPC identifier is the key that has to be approved or given by Google after all the clearances of certifications, which in turn allows the DPC agent to run the commands issued by the EMM console and is the link between the MDM provider (WeGuard in this example), Google and the device in question.
      • The DPC Agent (here WeGuard) will get device Owner (Managed Device) privileges, giving the agent full access to the APIs.
Custom DPC (WeGuard)

Now, both of the above mechanisms fall under what we call COSU, or Corporate Owned Single Use. All these mechanisms are essentially provisioned by your company: when you join, it gives you a device, and it takes it back when you are done working for that company, and that is that.

But how about your own personal device? Do you ditch it just because the company has given you a device? You wouldn’t want the personal family pictures you took last night on your phone to be available to your company, right? So do you carry two phones? That’s ridiculous, right?

This is where the “BYOD” concept comes in handy. A dedicated device is mostly a company-owned device over which the company has full access. On a BYOD device, however, the company has full access only to the company persona, not the personal one, so the device can hold both personal and corporate data. When you ditch the company midway, all the company has to do is remove the company data from your phone, and you can use your phone as if nothing happened. The only thing you will notice is that certain apps (owned by your company) have been removed. That’s it. Nifty, isn’t it?

To sum up, WeGuard currently has all the MDM/EMM capabilities that we have discussed above.

  • WeGuard is an MDM/EMM product whitelisted by Google, and it implements the MDM capabilities.
  • WeGuard understands how to manage the devices, and your business applications can reside on top of WeGuard, allowing WeGuard to actively monitor the device and respond as and when required (for example battery, location, outage, data usage etc.).
  • A well-suited solution for SMBs through to large-scale enterprises.
  • WeGuard can lock the device down to the business persona and increase the productivity of the crew.
  • Robust security features as provided by Google.

To be an MDM provider on Android devices, a company should apply for the EMM Community registration and get certified in different categories, and Google will whitelist the company/product as a Partner in the category in which it was certified. Keep in mind it’s a lengthy process :)

So, how do you determine whether your enterprise devices need MDM? They do if the answer to at least one of the following questions is yes:

  • Do you want to make sure a device assigned to the business is under control from the time of enrolment and has the right set of apps and permissions as soon as it is available to your enterprise?
  • Do you want full application control and management, even remotely, with business-related apps installed, uninstalled and upgraded at the click of a button?
  • Do you want the Business Admin to be able to configure the device(s)?
  • Do you want device tracking, either continuous or as and when required?
  • Do you want complete control of when system updates take place?
  • Do you want to wipe or restrict device usage at any point in time so that enterprise data is not compromised?
  • Do you want to monitor devices continuously with all events, e.g. battery alerts, network outage, data usage etc.?
  • Do you want hardware control, for example over GPS, Bluetooth and the power button?
  • Do you want to make sure the device is not misused?
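How a few of these questions (app control, system updates, monitoring, hardware control) look when expressed as an Android Management API policy and checked by a console, as an added example that is not WeGuard's or Google's code. The field names are those of the API's Policy resource; the audit rules, `audit_policy`, the package name and both sample policies are constructed assumptions.

```python
# Added example: audit an Android Management API Policy (as a dict) against
# a few of the checklist questions. All sample data below is constructed.

def audit_policy(policy, business_apps, required_true=("bluetoothDisabled",)):
    """Return findings; an empty list means every check passed."""
    findings = []

    # Application control: each business app must be force-installed.
    forced = {a.get("packageName") for a in policy.get("applications", [])
              if a.get("installType") == "FORCE_INSTALLED"}
    for pkg in sorted(set(business_apps) - forced):
        findings.append(f"app not force-installed: {pkg}")

    # System updates: a type must be chosen; this audit expects a WINDOWED
    # policy to state both bounds as minutes after midnight (0..1439).
    update = policy.get("systemUpdate", {})
    kind = update.get("type", "SYSTEM_UPDATE_TYPE_UNSPECIFIED")
    if kind == "SYSTEM_UPDATE_TYPE_UNSPECIFIED":
        findings.append("system updates not controlled")
    elif kind == "WINDOWED":
        for key in ("startMinutes", "endMinutes"):
            value = update.get(key)
            if not isinstance(value, int) or not 0 <= value < 1440:
                findings.append(f"invalid update window: {key}={value!r}")

    # Monitoring: battery (power management) and network reporting.
    reporting = policy.get("statusReportingSettings", {})
    for flag in ("powerManagementEventsEnabled", "networkInfoEnabled"):
        if reporting.get(flag) is not True:
            findings.append(f"status reporting off: {flag}")

    # Hardware control: boolean restrictions the enterprise baseline requires.
    for flag in required_true:
        if policy.get(flag) is not True:
            findings.append(f"restriction not set: {flag}")
    return findings

BUSINESS_APPS = ["com.example.fieldapp"]  # hypothetical package name
STRICT_POLICY = {
    "applications": [{"packageName": "com.example.fieldapp",
                      "installType": "FORCE_INSTALLED"}],
    "systemUpdate": {"type": "WINDOWED", "startMinutes": 120, "endMinutes": 240},
    "statusReportingSettings": {"powerManagementEventsEnabled": True,
                                "networkInfoEnabled": True},
    "bluetoothDisabled": True,
}
WEAK_POLICY = {
    "applications": [{"packageName": "com.example.fieldapp",
                      "installType": "AVAILABLE"}],
    "systemUpdate": {"type": "WINDOWED", "startMinutes": 120, "endMinutes": 1500},
    "statusReportingSettings": {"networkInfoEnabled": True},
}
```
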

For more features of WeGuard, please check www.weguard.io

Note :

  • The processes described above work on all Android devices running 6.0+ (The Google Way).
  • There are other MDM solutions which are specific to an OEM, such as:
      • Samsung — Knox SDK
      • LG — GATE
  • There may be some hacky ways to install a DPC, such as the six-times tap or setting the device owner through adb, but these are not the ways Google suggests.

Do look forward to the next article in the series MDM and WeGuard, which should appear in a couple of weeks.
