Endpoint Security Glossary

MDM (Mobile Device Management)

Centralized management and security for corporate mobile devices (smartphones, tablets, laptops). MDM enables remote wipe, app distribution, encryption enforcement, and compliance monitoring—essential requirements for secure BYOD and corporate mobility strategies.

MDM is to companies with mobile devices what Active Directory is to Windows PCs: the central control authority. Without MDM, smartphones and tablets are uncontrolled entry points—with MDM, they become managed, compliant corporate devices.

MDM / UEM - The Terms

| Term | Focus | Key Feature |
|---|---|---|
| MDM (Mobile Device Management) | Device management (iOS, Android) | Original features (2000s): remote wipe, passcode, encryption |
| MAM (Mobile Application Management) | App management without device management | Only specific apps are controlled; advantage: BYOD without full device control |
| EMM (Enterprise Mobility Management) | MDM + MAM + MCM (Content) + Identity | Complete mobility platform |
| UEM (Unified Endpoint Management) | iOS + Android + Windows + macOS + Linux | Modern term; all device types in a single console; market leaders: Microsoft Intune, Jamf, VMware Workspace ONE |

> Recommendation: UEM solution for unified management of all endpoints

What MDM can (and cannot) do

MDM can

Enforce security:

  • Enforce screen lock with PIN/biometrics
  • Enable device encryption (iOS: always; Android: check)
  • Define password complexity
  • Inactivity lock (e.g., after 2 minutes)
  • Jailbreak/root detection → block access

App management:

  • Centrally deploy apps (App Store + enterprise apps)
  • Enforce apps (VPN app, EDR agent)
  • Block apps (TikTok, Facebook – regulatory reasons)
  • App configuration (VPN profiles, certificates, Wi-Fi)

Compliance and Monitoring:

  • Device inventory (what devices does the company have?)
  • Monitor OS version (detect outdated iOS/Android)
  • Compliance status (are all requirements met?)
  • Geo-location (if allowed/enabled)

Emergency Measures:

  • Remote Wipe: Remotely erase device (lost/stolen)
  • Selective Wipe: Erase only company data (BYOD!)
  • Remote Lock: Lock device
  • Remote Passcode Reset

MDM cannot

  • Read encrypted app content (WhatsApp messages)
  • Monitor browser history (without MAM/browser management)
  • Track location without activation and consent
  • Access private apps and data (BYOD: separate containers)
  • Detect security vulnerabilities in apps (for this: MAM + MTD)

Microsoft Intune - Configuration Example

Microsoft Intune (part of M365 / Entra ID Suite) offers:

  • Best integration with Azure AD / Entra ID
  • Windows, iOS, Android, macOS in a single console
  • Conditional Access: Only compliant devices → Access

Compliance Policy (iOS - Example):

  Device Status:
  ✓ Jailbreak: Not allowed
  ✓ Mobile Threat Defense: Threat level max. "low"

  Device Properties:
  ✓ Minimum iOS: 17.0
  ✓ Maximum iOS: not restricted

  System security:
  ✓ Password required: Yes
  ✓ Simple password: No
  ✓ Password type: Alphanumeric
  ✓ Minimum password length: 8
  ✓ Maximum inactivity before password prompt: 5 minutes
  ✓ Password expiration (days): 365

  If non-compliant:
  → Conditional Access: blocks access to Exchange, SharePoint
  → Notification to user
  → After 3 days: Remote Wipe (if not resolved)

Configuration Profile (iOS - deploy automatically):

  Wi-Fi:
    SSID: CompanyWLAN
    Security: WPA3 Enterprise
    Certificate: [Device certificate from PKI]

  VPN:
    Type: Always-On VPN (IKEv2)
    Server: vpn.company.com
    Authentication: Certificate

  Certificates:
    Root CA: [Internal CA]
    Device Certificate: [For 802.1X / VPN]

  Restrictions:
    AirDrop: Blocked (Data leak risk!)
    iCloud Backup: Blocked (Only corporate MDM backup)
    App Store: Allowed (or only specific apps)
    Camera: Allowed (or blocked in sensitive areas)
    Siri: Allowed (or disabled in sensitive areas)

BYOD with MDM - The Balance Between Security and Privacy

BYOD Challenge:

  • Employees want to use personal devices
  • Companies must protect data
  • Employees ask: "What can IT see on my phone?"

Solution: MDM Container / Work Profile

iOS (Managed Open In / Managed Accounts):

  • Company apps and data: managed
  • Personal apps: untouched
  • Separation at the app level
  • MDM sees: device compliance, installed managed apps
  • MDM does not see: personal apps, personal photos, browser

Android Enterprise (Work Profile):

  • Separate "Work Profile" (virtualized container)
  • Work apps: dedicated icon badge (briefcase)
  • MDM manages only the Work Profile
  • Personal side: completely invisible to MDM
  • Selective Wipe: deletes only the Work Profile

What the IT admin actually sees (GDPR transparency)

Visible:

  • Device model and OS version
  • Compliance status (Passcode set? Encrypted?)
  • Installed managed apps
  • Last check-in time

Not visible:

  • Location (without explicit activation/consent)
  • Call log
  • Private messages
  • Browser history
  • Private apps

GDPR Guidelines for BYOD Programs

  • Company policy or declaration of consent
  • Transparent information: What data is collected?
  • Right to selective wipe instead of full wipe
  • Data protection impact assessment (if extensive monitoring)

Mobile Threat Defense (MTD) - MDM Supplement

MDM = Configuration and compliance
MTD = Real-time threat detection on the device

MTD solutions detect:

  • Phishing links in SMS, email, browser
  • Malicious apps (including sideloaded APKs)
  • Network attacks (man-in-the-middle on Wi-Fi)
  • OS vulnerabilities (jailbreak exploits)
  • Anomalous app behavior (credential stealers)

Integration: MDM + MTD + Conditional Access:

MTD agent on device detects threat → reports to MDM → Compliance = "compromised" → Conditional Access blocks access to company apps → User receives notification: "Please resolve MTD issue"
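The following Python example, added here and not taken from the glossary or from any MDM vendor, evaluates a device check-in record against the Intune compliance policy example above (jailbreak, MTD threat level, minimum iOS, passcode rules, inactivity lock) and produces the Conditional Access verdict plus the block / notify / wipe-after-3-days escalation, i.e. the MDM + MTD + Conditional Access chain just described. Field names, threat-level names and action labels are assumptions; the sample devices are constructed.

```python
from dataclasses import dataclass

# Policy values copied from the Intune compliance example on this page.
POLICY = {"min_os": (17, 0), "min_passcode_len": 8, "max_inactivity_min": 5,
          "max_passcode_age_days": 365, "max_threat_level": "low"}
# Ordering of MTD threat levels (assumed names, not a vendor's exact API).
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Device:                # one MDM check-in record (constructed fields)
    os_version: str          # e.g. "17.2" or "16.7.5"
    jailbroken: bool
    threat_level: str        # last value reported by the MTD agent
    passcode_set: bool
    passcode_type: str       # "simple" (e.g. 1111), "numeric" or "alphanumeric"
    passcode_len: int
    inactivity_min: int      # minutes of inactivity before the passcode prompt
    passcode_age_days: int

def violations(d: Device) -> list:
    """Names of the rules the device breaks; an empty list means compliant."""
    parts = [int(x) for x in d.os_version.split(".")]
    os_tuple = (parts[0], parts[1] if len(parts) > 1 else 0)   # "17" -> (17, 0)
    # An unknown threat string ranks as worst case, so an agent outage cannot pass.
    threat = THREAT_RANK.get(d.threat_level, 99)
    checks = [
        (d.jailbroken, "jailbreak"),
        (threat > THREAT_RANK[POLICY["max_threat_level"]], "mtd_threat_level"),
        (os_tuple < POLICY["min_os"], "os_version"),
        (not d.passcode_set, "passcode_required"),
        (d.passcode_set and d.passcode_type != "alphanumeric", "passcode_type"),
        (d.passcode_set and d.passcode_len < POLICY["min_passcode_len"], "passcode_length"),
        (d.passcode_set and d.passcode_age_days > POLICY["max_passcode_age_days"], "passcode_expired"),
        (d.inactivity_min > POLICY["max_inactivity_min"], "inactivity_lock"),
    ]
    return [label for failed, label in checks if failed]

def access_decision(d: Device, days_noncompliant: int) -> dict:
    """Conditional Access verdict plus the escalation steps the page describes."""
    v = violations(d)
    if not v:
        return {"access": "allow", "violations": [], "actions": []}
    actions = ["block_exchange_sharepoint", "notify_user"]
    if days_noncompliant >= 3:   # still unresolved after the 3-day grace period
        actions.append("remote_wipe")
    return {"access": "block", "violations": v, "actions": actions}

# Constructed samples: a healthy corporate iPhone and one flagged by the MTD agent.
GOOD = Device("17.2", False, "secured", True, "alphanumeric", 10, 2, 40)
BAD = Device("16.7.5", True, "high", True, "simple", 4, 15, 400)
```

Note that the remote wipe step is only reached once the device has stayed non-compliant for the full grace period, matching the "after 3 days" rule in the policy; a BYOD deployment would substitute a selective wipe here.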

Known MTD solutions:

  • Microsoft Defender for Endpoint (mobile)
  • Lookout for Work
  • Zimperium zIPS
  • SentinelOne Singularity Mobile

Licensing costs: typically €2–5/device/month additional

MDM Deployment - Checklist

Preparation

  • Select MDM solution (Intune, Jamf, Workspace ONE)
  • Set up MDM server or configure cloud tenant
  • Apple Push Notification Service (APNs) certificate (for iOS)
  • Android Enterprise Binding (Google Account)
  • Enrollment strategy: User vs. Device Enrollment
  • Create company policy / GDPR notices

Define Policies

  • Passcode policy (length, complexity, expiration)
  • Encryption (iOS: always; Android: check)
  • Jailbreak/Root Detection: Block Access
  • Minimum OS Update Requirements
  • App Whitelist/Blacklist
  • VPN Configuration (App-Specific or Always-On)

Enrollment

  • Corporate Devices: Zero-Touch Enrollment (Apple DEP / Android Zero Touch)
  • BYOD: Self-Service Portal
  • User Communication: What is managed? What is not?
  • Pilot Group: 10–20 devices first
  • Full rollout after successful pilot

Monitoring

  • Compliance dashboard: check daily
  • Non-compliant devices: escalation process
  • Outdated OS versions: notification to user + deadline
  • Lost/stolen devices: remote wipe process documented