This post will cover Google’s MDM. If you haven’t heard of Google’s Mobile Device Management, or mobile device management in general, read this post first, which explains MDM in greater detail.
Mobile devices have shaken up the workflow. However, when we say mobile devices, we don’t just mean phones. It’s an umbrella term that also includes tablets, laptops, Chromebooks and smartwatches too. Productivity is now device agnostic. Businesses are no longer strictly reliant on desktop workstations.
And why not? BYOD has a whole swathe of benefits, including:
- lower overheads
- increased flexibility
- improved employee satisfaction
All positives, right? Unfortunately, no. Giving employees’ personal devices access to a corporate network is a massive security risk.
The more access these devices have, the greater the risk. Consequently, MDM is a balancing act that juggles data security and data accessibility. No admin wants to hinder productivity, but no admin wants to expose servers and databases to malware or leaks.
But we are getting ahead of ourselves. First, what is Mobile Device Management?
What is MDM or Mobile Device Management?
Put simply, mobile device management is a set of rules to mitigate the security risks of exposing a network to an office full of smartphones. These rules, or policies, determine what you can and can’t do on a device while you are at work.
Furthermore, if you are an admin, you might use MDM software to create rules or policies. These policies might require something like additional authentication before letting an employee log in to a network. Or prohibit access to an endpoint for a group of employees. From an employee’s perspective, MDM is a locked screen that requires a password. Or MDM is an app that won’t download because it isn’t whitelisted.
The introduction of clouds and servers made BYOD possible. Likewise, the introduction has also made a lot of data vulnerable. Damage isn’t local anymore. Malware affects an entire network instead of a single device. Information leaks from a database instead of a hard drive. And it happens to businesses every day.
What is MDM Software For Specifically?
Network administrators use MDM software to establish centralised control over all the devices on a network. With enterprise MDM software, admins can set policies that create and control: application whitelists, access privileges, authentication (two-factor, biometric), the device’s camera, remote wiping and geofencing.
Another common MDM feature is establishing a partition for corporate data on the device. Partitions separate private information from company information. We call these partitions sandbox environments.
MDM has become more important in recent years, especially now that the Government’s new Notifiable Data Breaches Scheme has come into effect.
The scheme includes an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. (Office of the Australian Information Commissioner)
Google’s Answer to Enterprise MDM
The Google MDM enterprise solution comes as a bundle with Google Workspace. Google Workspace (formerly G Suite), is the Google platform that includes apps like Google Docs, Gmail, Google Meet and Google Drive.
There are two versions of Google’s Mobile Device Management: Basic and Advanced. The type of Google Workspace account you subscribe to will determine the level of Google MDM features you can access.
Fundamental Google MDM features are available to Google Workspace Business Starter users and above. To get the advanced features, you will need a Premium Cloud Identity or a Google Workspace Business Plus or Enterprise account. Some, but not all, of the advanced features of Google’s MDM are available to Google Workspace Business Plus accounts. To use all of Google’s Advanced MDM features you will need the Google Workspace Enterprise Account.
With Basic Google MDM, you can:
– Keep corporate data safe by requiring that mobile devices have a screen lock or password.
– Wipe corporate information from lost or stolen devices.
– Make your preferred work apps available to Android devices.
– Publish and distribute private apps.
– See a list of devices that are accessing corporate data in the Google Admin console.
With Enterprise Google MDM, you can:
– Enforce stronger device passwords.
– Make your preferred work apps available to users in a catalogue of recommended apps (Android and iOS).
– Keep work and personal apps separate on Android devices with a work profile.
– Restrict access to a device’s settings and features, such as mobile networks, Wi-Fi, screen captures, and more.
– Monitor compliance with policies you set, and get reports about users, devices, and OS versions. To learn how to turn on advanced management, see set up advanced mobile management.
10 Ways Google MDM Will Protect Your Company Data
1. Agentless Mobile Management
Firstly, agentless mobile management means that there is no software (or agent) installed on the employee’s device. For this reason, Google MDM is popular with companies that want to support BYOD but with minimal configuration. It is easier to scale, isn’t as intrusive, and means fewer hours are spent setting up MDM software on every single device.
Admins can enforce policies on any device brought into an organisation. This provides additional flexibility and control over visiting devices. Google MDM is agentless for both Android and iPhone devices (although devices running older versions of Android will need to install the Google Apps Device Policy app).
There are some obvious limitations to agentless MDM. Other MDMs may install software on the device in order to send information any time it’s connected to the internet. However, with agentless MDM, policies only take effect when the device connects to the MDM network. Depending on your organisation’s requirements this could be a good thing, if employees aren’t restricted outside the office. In contrast, however, it means that the organisation has far less control over the device. Remember when we mentioned that MDM can be a balancing act? Case in point.
2. Distribute Applications From the Admin Console
Secondly, Google Play has private channels for businesses to host enterprise apps. Only pre-approved members of the organisation can access these channels. All the privileges and functionality for devices will be controlled from the Admin Console in Google Workspace.
To upload and publish private apps in the Admin console, you only need an Android application package (APK) and a title. Apps are usually ready for users to download within 10 minutes. Add the published app to the applications whitelist in the admin console so employees can download it. Consequently, employees have easy access to required apps.
The organisation controls privately distributed apps. This means that if an employee leaves, you have the power to remove the app or remotely wipe all stored data. There are many ways to configure how Google’s MDM will deal with an app. For example, if an application starts to request new permissions it’s possible to add a rule that blocks that app until you reach a resolution.
3. The Google Ecosystem
A lot of the oomph behind Google’s MDM doesn’t come directly from the MDM features, but from the MDM’s integration with the Google Workspace and Cloud Identity platform.
Cloud Identity is an Identity as a Service (IDaaS) and enterprise mobility management (EMM) product. It offers the identity services and endpoint administration that are available in Google Workspace as a stand-alone product. As an administrator, you can use Cloud Identity to manage your users, apps, and devices from a central location: the Google Admin console. (Google)
Above all, Cloud Identity manages directories, users, security, and single sign-on. Even more, it provides great insights and powerful analytics through Google Trends.
However, managing policy and identity can get really complicated for even a medium-size organisation. As a result, having everything on one platform simplifies the network administrator’s workflow and makes MDM solutions easier to scale.
Furthermore, having everything on one platform has security benefits. If every application has a different password, then passwords are recycled or forgotten. With Google’s MDM, this isn’t a problem, partially because of Google OAuth, but also because one account has access to everything.
4. Wipe Only Google Workspace Data, Not the Device
The new management feature gives administrators some leeway in what they can erase on a user device. For instance, they can use the feature to enforce policies for remotely erasing all data on a user’s iOS device if stolen or lost. Or they can use it to ensure that only Google Workspace data is wiped clean if a device goes missing. (eWeek)
Many workplaces have MDM policies in place to protect company data. Terminations are rarely amicable. When an employee is terminated, or worse stops showing up, there needs to be a policy in place to protect the data they have on their device.
Depending on the business, ex-employees could be incentivised to sell company data. In the worst cases, a terminated employee might still have access to corporate data storage long after their termination.
Wiping everything on a phone is a little intrusive. Certainly, it may lead to visible complaints on social media or Glassdoor. This can lead to situations where existing and new employees are reluctant to connect a mobile device to the corporate network. Not great for BYOD.
The trend in MDM is shifting towards a sand-boxed corporate environment, and Google is ahead of the curve. With Google MDM, Google Workspace is the sandbox.
5. Block Non-Compliant Devices
Another excellent feature of Google’s MDM is that admins can block non-compliant devices. Furthermore, admins can decide what constitutes a non-compliant device in this context. These automated rule sets require advanced mobile management features, and only super admins can commit them to policy.
Consequently, the ability to create custom rules means that Google’s MDM can fulfil just about any MDM requirement. Google’s isn’t the only MDM that has this functionality. IBM’s InfoSphere MDM allows for the creation of external rules, as does Microsoft’s Office 365. However, Google’s MDM may be considered more user-friendly. A neat GUI provides admins with blank or predefined templates to control rules, events, conditions and actions.
Each device-management rule starts with an event that happens on a managed mobile device. When the event is detected, the rule checks for any conditions you specify. If the conditions are met, an action is carried out. You can create your own rule or work with a predefined template. You can assign a rule to your whole domain, an organizational unit, or a group in Google Groups. (Google)
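To make the event, condition and action model concrete, here is a small compliance rule evaluator, written for this post as an added example. It is not Google’s code and does not call the Admin console or any Google API; the device fields, event names, organisational-unit scoping and rule set are all constructed for illustration. It shows how a set of rules scoped to an organisational unit is matched against an incoming device event, and how a non-compliant device ends up blocked while a compliant one only triggers a notification.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed device record. Field names are hypothetical, not Google's schema.
@dataclass
class Device:
    device_id: str
    owner: str
    org_unit: str            # e.g. "/", "/Sales", "/Sales/Field"
    os: str                  # "android" or "ios"
    os_version: Tuple[int, int]
    screen_lock: bool
    compromised: bool = False   # rooted / jailbroken as reported by the device
    blocked: bool = False

# An event is something that happened on a managed device.
@dataclass
class Event:
    name: str                # constructed names: "device_registered", "device_compromised"
    device: Device

# A rule: trigger event, scope (org unit prefix), condition, action.
@dataclass
class Rule:
    name: str
    event: str
    scope: str
    condition: Callable[[Device], bool]
    action: Callable[[Device], str]

# Minimum OS versions are an assumed policy value, not a Google default.
MIN_OS = {"android": (10, 0), "ios": (14, 0)}

def below_min_os(d: Device) -> bool:
    return d.os_version < MIN_OS.get(d.os, (0, 0))

def no_screen_lock(d: Device) -> bool:
    return not d.screen_lock

def is_compromised(d: Device) -> bool:
    return d.compromised

def block(d: Device) -> str:
    d.blocked = True
    return f"blocked {d.device_id}"

def notify_admin(d: Device) -> str:
    return f"notified admin about {d.device_id} ({d.owner})"

def in_scope(rule: Rule, device: Device) -> bool:
    # "/" covers the whole domain; "/Sales" covers "/Sales" and "/Sales/Field".
    return rule.scope == "/" or device.org_unit == rule.scope \
        or device.org_unit.startswith(rule.scope.rstrip("/") + "/")

RULES: List[Rule] = [
    Rule("old-os",      "device_registered",  "/",      below_min_os,   block),
    Rule("no-lock",     "device_registered",  "/",      no_screen_lock, block),
    Rule("compromised", "device_compromised", "/",      is_compromised, block),
    Rule("new-device",  "device_registered",  "/Sales", lambda d: True, notify_admin),
]

def evaluate(event: Event, rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Run every rule whose event and scope match; return (rule name, outcome) pairs."""
    outcomes = []
    for rule in rules:
        if rule.event != event.name or not in_scope(rule, event.device):
            continue
        if rule.condition(event.device):
            outcomes.append((rule.name, rule.action(event.device)))
    return outcomes

def run_demo():
    # Constructed devices: one out-of-date Android phone, one compliant iPhone.
    old_phone = Device("dev-001", "alice", "/Sales/Field", "android", (9, 0), True)
    new_phone = Device("dev-002", "bob",   "/Sales",       "ios",     (15, 1), True)
    first = evaluate(Event("device_registered", old_phone))
    second = evaluate(Event("device_registered", new_phone))
    return first, second, old_phone.blocked, new_phone.blocked

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the demo registers both devices: the Android 9 phone matches the domain-wide `old-os` rule and is blocked (and, being under `/Sales`, also triggers the notification), while the iOS 15 phone only triggers the `new-device` notification and stays unblocked. Scoping rules to an organisational unit, as the quoted description allows, is what keeps a rule written for one team from firing across the whole domain.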
6. 14-Day Trial of Advanced Features
The easiest way to get a feel for Google’s MDM, and see if it will fit your organisation, is to just give it a go. There is a 14-day free trial available for up to 10 users. The trial includes all the features available to paid cloud accounts or enterprise Google Workspace accounts. Above all, note that this isn’t a trial of Google’s MDM as a stand-alone feature. Rather, it’s a trial of Google Workspace or Google’s Cloud Identity platform.
You can trial the version that you plan to use in your organisation. The Google Cloud Identity platform trial will allow you to connect up to 50 users. Remember the Google Workspace trial only allows up to 10 users.
7. Reporting Analytics and Trends
Another excellent feature of Google MDM lies in the reporting section of the admin panel. There exists a wealth of human-readable data. Google MDM prepares graphs, reports and all kinds of analytics. As a result, you can use these analytics to better understand how mobile devices are being used in your organisation.
Also, you have the ability to filter data according to device type, for example tablets, mobile phones or desktops. The admin panel will tell you what apps were used and how they are being used. If you are paying for all these apps, you should also know if and how they’re being used.
Even more, Google’s MDM data is an effective tool for informing stakeholders and decision-makers. If they aren’t familiar with MDM, they can get a feel for how the software is being used, with just a glance.
8. Additional Training
Google has published a course for cloud identity admins that covers Google’s MDM. Google published its MDM course on Coursera. The course features 15-30 hours of content. Therefore, it’s recommended that network admins spend about a week working through it.
The course costs $49. Users also have the option to audit the course. This means that they can watch all the videos and access the suggested reading. If you don’t pay, you can’t access the graded content, and there is no certificate of completion.
By the end of the course participants should be able to:
– Establish a Cloud Identity domain for their organization or personal domain.
– Add users in order to practice user lifecycle management.
– Modify user permissions to gain an understanding of core Cloud Identity features.
– Add mobile devices within the Google Mobile Management module.
– Modify mobile management policy sets to gain familiarity with product options.
– Navigate the Reports module, and practice running reports.
– Explore and apply different security protocols to the domain.
The course is a nice initiative on Google’s part. For businesses, it means that there are a lot of employable people out there who know how to use this technology and a certificate to prove competency.
9. Multi-Factor Authentication
Google’s Cloud Identity platform comes with a wide variety of MFA policies out of the box. Above all, these MFA policies will prevent common attacks like social engineering, phishing and credential stuffing. Google’s Multi-Factor Authentication isn’t only a defence against malicious actors. It also helps prevent simple mistakes.
They have everything from phishing-resistant security keys and mobile push notifications to one-time passwords. Google will add all these security measures to your MDM policy out of the box.
If you use Gmail or Google Drive, you have probably already run into Google’s 2-FA. 2-FA policies are fully customisable in the admin panel, which lets your admins tailor them. Equally, you don’t want to inconvenience employees with 2-FA if the task doesn’t require additional authentication.
10. Require Device Activation
Finally, you can require device activation from the admin console. When selected, it means that an admin will need to activate every new device when it connects to the network.
Above all, this is a useful strategy if you have a physical mobile management policy. Maybe an admin needs to tell employees what they can do on their phone. Or have them sign a waiver stating they are aware their device could be wiped if they are terminated. It puts a human between the device and the network.
You can enter an email address that decides who will be notified when a new device connects. This is normally the network admin.
Google is a tech giant. Hence, we expect a certain level of quality from their software, and their MDM does not disappoint. The agentless implementation makes it one of the easiest MDMs for iOS devices. Its integration with the existing Google Workspace platform means you might not even need to switch up your workflow. They have thought it through and delivered. This is, in our opinion, one of the best solutions on the market for mobile device management.
Therefore, if you’re looking to implement this, or any other MDM solution in your business, then send us a message. Our team is well-versed in Google Workspace, Office 365 and a whole host of other platforms and tools your business may need.