Control and Monitoring of Enterprise Mobile Device Applications

Applications, or apps, are fast becoming the de facto user interface for mobile devices. Therefore, to provide adequate security you need adequate monitoring of these applications, which lets you identify harmful applications in a timely manner and intervene when necessary.

Let’s get real: Your users will download content (willfully or involuntarily) that is in violation of your enterprise policies. It's in your best interests — and your users’ best interests, even though they may not embrace this notion right away — that you have good visibility into their application usage behavior and intervene where appropriate.

Be aware of any local regulatory matters that might forbid such intrusive policies; in some regions they could be a violation of citizens' rights.

Methods to control and monitor applications

Now that you understand the importance of monitoring and controlling applications on your users’ devices, you need to determine what type of solution you want to deploy.

There are two approaches to application control and monitoring:

  • Client-only: In a client-only approach, you have a monitoring application (an agent) running on every mobile device in the enterprise, and each of those devices must be configured individually. While daunting, it provides you with an unparalleled degree of individual control, and you can set up policies that are unique to every user in the enterprise.

    More impressive is that you can take into account the real-time characteristics of the device — such as location, battery life, and other applications running — to make a much more customized strategy.

  • Server-based: At the other end of the spectrum is a server-based approach that employs a centralized gateway to which all device traffic is backhauled and generic policies are applied. While user and device identification are still possible in this approach, and policies can be tailored to cater to the individual device, the specific characteristics that an agent could supply in the previous approach are no longer available here.

    However, the economies of scale are evident, as you can have a centralized console for configuration, monitoring, and enforcement without having to worry about connecting to every individual device.

A more common hybrid approach ties a lightweight agent to a server back end. The agent provides the instrumentation and lightweight policy enforcement, while the server does the more complex application usage analysis and determines policy changes, which are then relayed to the agent when appropriate.

Identifying harmful applications

You have to be on the lookout for seemingly harmless applications that your users download to solve a business issue. The application might seem innocent, but it could have an underlying security loophole that when exploited can cause all kinds of issues.

For example, an increasing number of new laws ban automobile drivers from using their cellphones while driving. This has given rise to a number of text-to-voice applications that convert your text messages and e-mail into speech and play it back to you while you're driving. Seems like a very useful function. Bad idea!

A number of these applications also use the “hybrid approach” described above: their app is actually a lightweight agent, and the bulk of the transcription happens in the cloud. So your users may actually be sending valuable corporate e-mail and texts to a third party's cloud in the quest to be more productive while they're driving.

If you have an application-monitoring function in place, you can identify a harmful application by using the agent on the device, which would flag an unapproved application at install time. Alternatively, in a server-based environment, you can use tools to look for specific traffic patterns to identify corporate e-mail and texts that are going to unknown destinations and take appropriate action.
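The two server-side checks just described (an unapproved app on a device, and corporate e-mail or texts leaving for a destination the enterprise does not recognize) can be expressed as a small policy pass over gateway logs. The following is an added example, not code from the original article or from any product; the log format, the allowlists and the sample records are all constructed assumptions.

```python
"""Added example: flag unapproved apps and corporate messaging sent to unknown
destinations in constructed gateway log lines. Format and allowlists are assumed."""
from collections import defaultdict

# Hypothetical enterprise allowlists (assumptions, not real values).
APPROVED_APPS = {"com.corp.mail", "com.corp.messenger", "com.corp.browser"}
KNOWN_DESTINATIONS = {"mail.corp.example", "mdm.corp.example", "intranet.corp.example"}
SENSITIVE = {"email", "sms"}   # content classes the gateway labels as corporate messaging

# Constructed log lines: "<time> <device> <app id> <destination host> <class> <bytes out>"
SAMPLE_LOG = """\
2024-01-15T08:01:02Z dev-001 com.corp.mail mail.corp.example email 4096
2024-01-15T08:03:10Z dev-002 com.example.readaloud api.transcribe.example email 12288
2024-01-15T08:03:11Z dev-002 com.example.readaloud api.transcribe.example sms 512
2024-01-15T08:04:00Z dev-003 com.corp.browser cdn.news.example web 200000
2024-01-15T08:05:00Z dev-003 com.example.game cdn.game.example web 90000
malformed line that the parser must skip
"""

def parse(log_text):
    """Yield (device, app, dest, cls, bytes_out) tuples; skip lines that do not fit."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        _ts, device, app, dest, cls, nbytes = parts
        yield device, app, dest, cls, int(nbytes)

def evaluate(log_text):
    """Return {(device, app): {"reasons": set, "bytes_to_unknown": int}} for policy hits."""
    hits = defaultdict(lambda: {"reasons": set(), "bytes_to_unknown": 0})
    for device, app, dest, cls, nbytes in parse(log_text):
        key = (device, app)
        if app not in APPROVED_APPS:
            hits[key]["reasons"].add("unapproved-app")
        if cls in SENSITIVE and dest not in KNOWN_DESTINATIONS:
            hits[key]["reasons"].add("corporate-messaging-to-unknown-destination")
            hits[key]["bytes_to_unknown"] += nbytes   # volume of messaging data that left
    return dict(hits)

if __name__ == "__main__":
    for (device, app), info in sorted(evaluate(SAMPLE_LOG).items()):
        print(device, app, sorted(info["reasons"]), info["bytes_to_unknown"])
```

In the sample, the read-aloud app on dev-002 trips both rules (12,800 bytes of e-mail and SMS content sent to an unknown host), while the game on dev-003 is merely unapproved.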
