WEBVTT

1
00:00:00.000 --> 00:00:00.960
<v Instructor>In this lesson,</v>

2
00:00:00.960 --> 00:00:03.840
we're going to talk about MDM and MAM,

3
00:00:03.840 --> 00:00:05.850
which stands for mobile device management

4
00:00:05.850 --> 00:00:08.100
and mobile application management.

5
00:00:08.100 --> 00:00:11.640
Both of these are part of a larger concept known as EMM

6
00:00:11.640 --> 00:00:14.040
or enterprise mobility management.

7
00:00:14.040 --> 00:00:16.950
Enterprise mobility management is a class of software

8
00:00:16.950 --> 00:00:19.080
that's designed to apply security policies

9
00:00:19.080 --> 00:00:20.790
for use on mobile devices,

10
00:00:20.790 --> 00:00:22.410
things like smartphones and tablets,

11
00:00:22.410 --> 00:00:24.060
as well as controlling the applications

12
00:00:24.060 --> 00:00:26.430
that can be installed on those devices.

13
00:00:26.430 --> 00:00:28.710
This is a big issue for enterprises.

14
00:00:28.710 --> 00:00:31.050
When they issue out smartphones to their employees,

15
00:00:31.050 --> 00:00:32.190
they need a way to control

16
00:00:32.190 --> 00:00:34.320
what data is being put on those smartphones

17
00:00:34.320 --> 00:00:36.990
and what applications can be run on those smartphones

18
00:00:36.990 --> 00:00:39.660
to ensure that everything is being done safely.

19
00:00:39.660 --> 00:00:42.150
So when it comes to enterprise mobility management,

20
00:00:42.150 --> 00:00:44.700
there are lots of different pieces of software out there

21
00:00:44.700 --> 00:00:46.500
that an organization may use.

22
00:00:46.500 --> 00:00:47.850
And depending on where you work,

23
00:00:47.850 --> 00:00:50.130
you may use any one of these, something else entirely,

24
00:00:50.130 --> 00:00:51.720
or none of these.

25
00:00:51.720 --> 00:00:54.780
This includes things like VMware Workspace ONE,

26
00:00:54.780 --> 00:00:57.660
Microsoft's Endpoint Manager, known as Intune,

27
00:00:57.660 --> 00:01:00.420
Symantec and Broadcom's Protection Mobile,

28
00:01:00.420 --> 00:01:02.190
Citrix's Endpoint Management,

29
00:01:02.190 --> 00:01:04.740
or Apple's Business Manager.

30
00:01:04.740 --> 00:01:06.510
This list is just a small sample

31
00:01:06.510 --> 00:01:09.420
of the wide range of enterprise mobility management software

32
00:01:09.420 --> 00:01:11.580
that exists out there in the field.

33
00:01:11.580 --> 00:01:12.600
Now for the exam,

34
00:01:12.600 --> 00:01:15.270
you do not need to know any of these products by name

35
00:01:15.270 --> 00:01:16.590
or how to use them,

36
00:01:16.590 --> 00:01:17.940
but you should be aware of the fact

37
00:01:17.940 --> 00:01:20.070
that enterprise mobility management software

38
00:01:20.070 --> 00:01:21.960
comes in two main varieties:

39
00:01:21.960 --> 00:01:25.290
mobile device management and mobile application management.

40
00:01:25.290 --> 00:01:27.480
Mobile device management, or MDM,

41
00:01:27.480 --> 00:01:29.430
is going to set device-level policies

42
00:01:29.430 --> 00:01:32.880
for authentication, feature use, and connectivity.

43
00:01:32.880 --> 00:01:34.980
When you're dealing with mobile device management,

44
00:01:34.980 --> 00:01:35.880
this will give the ability

45
00:01:35.880 --> 00:01:39.390
to turn on or off certain features, including hardware.

46
00:01:39.390 --> 00:01:41.670
For example, I've worked in organizations

47
00:01:41.670 --> 00:01:44.640
where we've disabled the camera on those smartphones.

48
00:01:44.640 --> 00:01:45.473
Why?

49
00:01:45.473 --> 00:01:47.070
Because we didn't want people taking pictures

50
00:01:47.070 --> 00:01:48.450
of classified areas,

51
00:01:48.450 --> 00:01:49.830
and therefore we wanted to make sure

52
00:01:49.830 --> 00:01:51.810
those cameras did not work.

53
00:01:51.810 --> 00:01:53.190
In that organization,

54
00:01:53.190 --> 00:01:55.560
any devices that were brought into our office area

55
00:01:55.560 --> 00:01:56.790
had to have their cameras

56
00:01:56.790 --> 00:01:59.760
and microphones disabled in the MDM solution.

57
00:01:59.760 --> 00:02:00.810
In addition to that,

58
00:02:00.810 --> 00:02:03.090
we've also turned off the WiFi capability

59
00:02:03.090 --> 00:02:04.560
on lots of mobile devices

60
00:02:04.560 --> 00:02:06.660
in another organization I worked at.

61
00:02:06.660 --> 00:02:08.520
This is because when you connect to WiFi

62
00:02:08.520 --> 00:02:10.170
in something like a coffee shop,

63
00:02:10.170 --> 00:02:13.170
you have no way of identifying if that connection is secure.

64
00:02:13.170 --> 00:02:15.210
So one of the things that we did,

65
00:02:15.210 --> 00:02:17.280
using our mobile device management software,

66
00:02:17.280 --> 00:02:18.330
was to turn off the ability

67
00:02:18.330 --> 00:02:20.400
to connect to any wireless network.

68
00:02:20.400 --> 00:02:21.600
Everything had to be done

69
00:02:21.600 --> 00:02:24.240
using the cellular modem inside of that device

70
00:02:24.240 --> 00:02:27.300
because cellular could be trusted between our device

71
00:02:27.300 --> 00:02:28.920
and our service provider's towers,

72
00:02:28.920 --> 00:02:30.000
but it couldn't be trusted

73
00:02:30.000 --> 00:02:32.460
if somebody was connecting over a wireless network.

74
00:02:32.460 --> 00:02:34.440
Now, this was a business decision,

75
00:02:34.440 --> 00:02:36.810
but it was one that cost us a lot of money

76
00:02:36.810 --> 00:02:39.660
because now everybody has to do all their synchronization

77
00:02:39.660 --> 00:02:42.570
over a cellular connection and not over WiFi,

78
00:02:42.570 --> 00:02:44.670
and this led to very large cell phone bills

79
00:02:44.670 --> 00:02:45.930
for that organization.

80
00:02:45.930 --> 00:02:48.600
But it was a choice we made based on the security posture

81
00:02:48.600 --> 00:02:50.370
of that given company.

82
00:02:50.370 --> 00:02:52.980
So, remember, when it comes to mobile device management,

83
00:02:52.980 --> 00:02:54.510
this is a type of software

84
00:02:54.510 --> 00:02:56.880
that allows us to control the device itself,

85
00:02:56.880 --> 00:02:59.130
including its features like the camera and microphone,

86
00:02:59.130 --> 00:03:01.230
as well as its connectivity options.

87
00:03:01.230 --> 00:03:02.340
In addition to this,

88
00:03:02.340 --> 00:03:05.370
mobile device management software also allows administrators

89
00:03:05.370 --> 00:03:07.950
to be able to remotely wipe a device if it was lost,

90
00:03:07.950 --> 00:03:10.200
remotely lock a device if somebody is using it

91
00:03:10.200 --> 00:03:11.940
and you no longer want them to use it,

92
00:03:11.940 --> 00:03:13.470
and some will even give you the ability

93
00:03:13.470 --> 00:03:15.090
to remotely access that device

94
00:03:15.090 --> 00:03:16.560
and see what the user is seeing

95
00:03:16.560 --> 00:03:18.900
as you're troubleshooting one of their issues.

96
00:03:18.900 --> 00:03:19.980
Now, the second class

97
00:03:19.980 --> 00:03:21.750
of enterprise mobility management software

98
00:03:21.750 --> 00:03:24.630
you're going to come across is known as MAM,

99
00:03:24.630 --> 00:03:27.300
which stands for mobile application management.

100
00:03:27.300 --> 00:03:29.010
Now, mobile application management

101
00:03:29.010 --> 00:03:31.080
is going to set forth the policies for apps

102
00:03:31.080 --> 00:03:32.910
that can process your corporate data,

103
00:03:32.910 --> 00:03:36.150
and it will prevent data transfer to personal apps.

104
00:03:36.150 --> 00:03:39.300
Essentially, this is a sandbox type of solution.

105
00:03:39.300 --> 00:03:40.470
This solution will configure

106
00:03:40.470 --> 00:03:42.990
an enterprise managed container or workspace

107
00:03:42.990 --> 00:03:45.270
where all of the company's data is going to be stored,

108
00:03:45.270 --> 00:03:47.790
and everything outside of that is considered untrusted

109
00:03:47.790 --> 00:03:48.930
and not allowed to interact

110
00:03:48.930 --> 00:03:50.760
with what's inside the container.

111
00:03:50.760 --> 00:03:53.310
So mobile application management software

112
00:03:53.310 --> 00:03:55.290
is very popular with organizations

113
00:03:55.290 --> 00:03:57.720
that allow their end users or their employees

114
00:03:57.720 --> 00:04:00.930
to be able to access corporate data on their personal devices.

115
00:04:00.930 --> 00:04:05.040
This is known as BYOD or bring your own device.

116
00:04:05.040 --> 00:04:08.340
For example, let's say I hired you to work at Dion Training.

117
00:04:08.340 --> 00:04:10.020
You wanted to be able to use your iPhone

118
00:04:10.020 --> 00:04:12.300
or your Android phone with our corporate networks

119
00:04:12.300 --> 00:04:14.040
and be able to access our data.

120
00:04:14.040 --> 00:04:16.470
We could implement mobile application management

121
00:04:16.470 --> 00:04:18.930
so we can create a container inside of your device

122
00:04:18.930 --> 00:04:20.580
that's going to hold all of our data.

123
00:04:20.580 --> 00:04:22.080
That container will be encrypted,

124
00:04:22.080 --> 00:04:24.360
and all of our data will remain safe and secure

125
00:04:24.360 --> 00:04:26.970
regardless of what you do with the rest of your phone.

126
00:04:26.970 --> 00:04:29.250
This is a great way to protect your corporate assets

127
00:04:29.250 --> 00:04:32.070
if you're going to allow a bring your own device policy.

128
00:04:32.070 --> 00:04:33.030
On the other hand,

129
00:04:33.030 --> 00:04:35.700
if we're going to be issuing out smartphones to everybody,

130
00:04:35.700 --> 00:04:37.800
we might use an MDM policy

131
00:04:37.800 --> 00:04:40.050
where there's a mobile device management policy

132
00:04:40.050 --> 00:04:41.070
where we're going to be able to control

133
00:04:41.070 --> 00:04:43.140
the actual device itself.

134
00:04:43.140 --> 00:04:44.280
If you have your own smartphone

135
00:04:44.280 --> 00:04:45.780
and you're using it in my company,

136
00:04:45.780 --> 00:04:46.613
you're not going to allow me

137
00:04:46.613 --> 00:04:48.420
to turn off your camera or your microphone

138
00:04:48.420 --> 00:04:50.880
or your wireless connectivity or things like that.

139
00:04:50.880 --> 00:04:52.500
But if I'm giving you the ability

140
00:04:52.500 --> 00:04:54.720
to access my data on your smartphone,

141
00:04:54.720 --> 00:04:55.560
you'll probably be okay

142
00:04:55.560 --> 00:04:58.290
with installing a single application on your device

143
00:04:58.290 --> 00:04:59.820
that's going to contain all of my data

144
00:04:59.820 --> 00:05:01.410
that you're going to have access to.

145
00:05:01.410 --> 00:05:02.250
And this is the difference

146
00:05:02.250 --> 00:05:05.100
between using mobile device management at the device level

147
00:05:05.100 --> 00:05:06.630
and mobile application management

148
00:05:06.630 --> 00:05:09.390
at the application level or container level.

149
00:05:09.390 --> 00:05:12.060
Now when using mobile application management,

150
00:05:12.060 --> 00:05:13.890
most companies are going to have you install

151
00:05:13.890 --> 00:05:15.720
a couple of different applications,

152
00:05:15.720 --> 00:05:17.370
including one for email,

153
00:05:17.370 --> 00:05:20.760
calendar, contacts, and data storage.

154
00:05:20.760 --> 00:05:21.840
These different containers

155
00:05:21.840 --> 00:05:23.460
will all host their data separately

156
00:05:23.460 --> 00:05:24.810
inside of this container,

157
00:05:24.810 --> 00:05:25.830
and it will be encrypted

158
00:05:25.830 --> 00:05:27.660
so it can't be read by other applications

159
00:05:27.660 --> 00:05:29.730
that are existing on your device.

160
00:05:29.730 --> 00:05:33.450
In addition to this, whether you're using MDM or MAM,

161
00:05:33.450 --> 00:05:35.910
you may also implement DLP controls,

162
00:05:35.910 --> 00:05:38.160
which stands for data loss prevention.

163
00:05:38.160 --> 00:05:40.350
Data loss prevention controls will detect

164
00:05:40.350 --> 00:05:42.600
when data is being taken from a device,

165
00:05:42.600 --> 00:05:45.330
ensuring it's only being used in proper ways.

166
00:05:45.330 --> 00:05:47.040
For example, in our corporate email,

167
00:05:47.040 --> 00:05:49.140
we use Google Workspace to provide that,

168
00:05:49.140 --> 00:05:52.290
and we have a DLP or data loss prevention solution

169
00:05:52.290 --> 00:05:53.940
as part of that system.

170
00:05:53.940 --> 00:05:55.440
If one of our team members tries

171
00:05:55.440 --> 00:05:58.260
to send a large file out using our email,

172
00:05:58.260 --> 00:06:00.330
it's actually going to detect that, block it,

173
00:06:00.330 --> 00:06:02.250
and notify our system administrators

174
00:06:02.250 --> 00:06:05.790
that they are trying to exfiltrate data out of our systems.

175
00:06:05.790 --> 00:06:07.410
In that case, we would then look at it

176
00:06:07.410 --> 00:06:09.540
and see why that system was flagging

177
00:06:09.540 --> 00:06:11.040
on that particular email.

178
00:06:11.040 --> 00:06:12.630
And it may have been that that team member

179
00:06:12.630 --> 00:06:15.180
was trying to send out an email to their personal account

180
00:06:15.180 --> 00:06:16.560
that contained all of the names

181
00:06:16.560 --> 00:06:19.110
and addresses of every employee that we have.

182
00:06:19.110 --> 00:06:19.943
That would be something

183
00:06:19.943 --> 00:06:21.960
that is set up in our data loss prevention system

184
00:06:21.960 --> 00:06:23.040
to identify anything

185
00:06:23.040 --> 00:06:25.110
that looks like personally identifiable information

186
00:06:25.110 --> 00:06:26.850
and block it from being sent.

187
00:06:26.850 --> 00:06:28.530
Similarly, if they tried to send something

188
00:06:28.530 --> 00:06:29.790
that looked like credit card numbers,

189
00:06:29.790 --> 00:06:31.740
the system would catch that and block it

190
00:06:31.740 --> 00:06:33.000
to ensure those credit card numbers

191
00:06:33.000 --> 00:06:34.980
are not leaving our systems.

192
00:06:34.980 --> 00:06:36.690
Now, you may remember that I said

193
00:06:36.690 --> 00:06:38.700
all applications are going to be installed

194
00:06:38.700 --> 00:06:40.950
through the App Store if you're using an iPhone

195
00:06:40.950 --> 00:06:42.660
or using a store like Google Play,

196
00:06:42.660 --> 00:06:44.640
if you're using an Android device.

197
00:06:44.640 --> 00:06:47.460
This is actually a problem for a lot of large organizations

198
00:06:47.460 --> 00:06:49.710
because they may have wanted to develop an application

199
00:06:49.710 --> 00:06:51.600
for a tablet or a smartphone

200
00:06:51.600 --> 00:06:54.300
and only have it accessible to their own users

201
00:06:54.300 --> 00:06:56.250
that are internal to their company.

202
00:06:56.250 --> 00:06:57.840
Well, to solve this problem,

203
00:06:57.840 --> 00:07:00.960
Apple created an enterprise developer distribution program

204
00:07:00.960 --> 00:07:03.360
that allows private application distribution

205
00:07:03.360 --> 00:07:06.090
through a program called the Apple Business Manager.

206
00:07:06.090 --> 00:07:07.500
The Apple Business Manager

207
00:07:07.500 --> 00:07:10.530
is essentially a mobile application management suite

208
00:07:10.530 --> 00:07:12.840
that allows you to be able to push applications

209
00:07:12.840 --> 00:07:15.570
from a private repository to your devices

210
00:07:15.570 --> 00:07:17.490
that are part of your corporate network.

211
00:07:17.490 --> 00:07:18.930
Google has a similar thing,

212
00:07:18.930 --> 00:07:20.250
and their private channel option

213
00:07:20.250 --> 00:07:22.320
is called Managed Google Play,

214
00:07:22.320 --> 00:07:24.660
which is a managed version of the Google Play Store

215
00:07:24.660 --> 00:07:27.030
that contains only the apps that you want distributed

216
00:07:27.030 --> 00:07:28.680
to your employees' devices.

217
00:07:28.680 --> 00:07:31.380
So keep this in mind when it comes to mobile devices

218
00:07:31.380 --> 00:07:33.030
in an enterprise environment.

219
00:07:33.030 --> 00:07:34.560
You're most likely going to be working

220
00:07:34.560 --> 00:07:37.080
with either an MDM or an MAM,

221
00:07:37.080 --> 00:07:37.913
and you're going to be working

222
00:07:37.913 --> 00:07:39.780
with either a mobile device management system

223
00:07:39.780 --> 00:07:42.120
or a mobile application management system.

224
00:07:42.120 --> 00:07:45.240
Both of these are a form of enterprise mobility management,

225
00:07:45.240 --> 00:07:47.550
and some enterprise mobility management solutions

226
00:07:47.550 --> 00:07:49.560
can actually do both of these features

227
00:07:49.560 --> 00:07:52.203
depending on your use case and your specific needs.

