Device Management Strategy Planning: More Questions Than Answers


Within the last few years, while in meeting discussing a Mobile Device Management (MDM) strategies, I have been frequently told the following by clientele when inquiring about business requirements:

“I want to be able to do all my tasks on my iPad that I currently do on my desktop.”

The request itself spikes after every winter holiday, Consumer Electronics Show or other similar event and illustrates the confusion around both MDM and strategy. A few items of note in regards to this request:

  1. This request is not a business requirement since it does not tie to any value creating business process. While there may be value in achieving the end result, the statement itself does not convey the value.
  2. The user experience of trying to using applications designed for a mouse and keyboard on an iPad could create negative value.
  3. While technically possible, data/content creation is generally more efficient in a more traditional form factor unless a proper process is defined.
  4. Apps designed specifically for a tablet form factor for specific mobile solutions like form completion that includes prepopulated selections
    (E.g. point of sale, survey taking, etc.) create new business capabilities that take advantage of the mobility enhanced form factors.

While not intended to provide a complete MDM strategy, this post has been written to help identify the important elements of the strategy and the types of questions that need to be answered. The major areas of focus, in order of importance, are as follows:

  1. Applications
  2. Users
  3. Data Access and Protection
  4. Management
  5. Devices

Many organizations plan their MDM strategy as a reaction to the devices that are being brought into the workplace. Sometimes this is unavoidable as devices may already be deployed. Remember that the device refresh cycles can be very short and the cost of new devices is very low. A well planned strategy can create ROI even if device replacement is required.


Are specific applications required?

While this question seems academic, many organizations simply use mobile devices for voice, email, SMS, browsing and other out-of-the-box functionality. For these organizations, line of business applications are not part of their use case scenario for the moment. That can change in future though.

Are said applications custom or commercially available?

If the applications are commercially available, be sure to have an understanding as to the vendor support and what licensing model. If they support multiple platforms, do they also support mixed environments? What about application deployment? Do they support enterprise deployment and managing through sideloading or is the only option purchase from the platform store (iTunes , Google Play, MS Store, etc.). Is the application available in all geographies and languages that you require?

If an application was created in-house or outsourced, some additional questions need to be answered. For example: What is the level of expertise that your development team or partner has with various mobile platforms?

Does the application have a specific security requirement?

Does the application have specific requirements based on the data that it will manage and process? For example: Will credit cards be processed and are there PCI compliance requirements? Is there personally identifiable information or health information? Does your organization already have policies for dealing with this data and does the mobile app need to comply with them? Think about items like encryption for data at rest and data in motion, VPN, passwords, etc.

Does the application have any additional requirements?

Understanding any hardware or software requirements for the applications will also help to filter the list of potential devices. Consider some of the following as a starting point: Does the application require a specific browser or browser support? Does the application require a camera? Are there any networking requirements (Wi-Fi, 4G, etc.). What about disk space and memory?

The objective of answering these questions is to start narrowing down the list of potential devices that can meet your requirements and identifying any non-technical challenges (policies etc.) that must be addressed.


Understanding User Requirements

Many of the same techniques we would use as part of a standard workforce analysis are useful to build a mobile device user strategy. Typically we would create a series of personas that represent the user population. Personas are fictitious, specific, and concrete representations of target users. Once personas are created, you will need to understand the use case scenarios that each persona will be presented with. In an organization with many personas and scenarios, it might make sense to prioritize both personas and scenarios to focus on the most important combinations. It is the combination of personas and use case scenarios that will lead to the solution design.

Once the personas are use cases are defined, consider the following questions to further identify needs:

Which of the following does the Persona in this Scenario require?

  1. Access to web-based apps on-premises
  2. Access to web-based apps in the cloud
  3. Access to corporate mobile apps
  4. Access to files located in file servers on-premises
  5. Access to files located in the cloud
  6. Access to computers using Remote Desktop
  7. Access to other computers located on-premises

Is there a requirement to link users to devices?

When planning it is also important to determine if there is a requirement to map users to the devices that they use. This requirement may be driven by many factors including:

  1. Asset Management (SAM/ITAM)
  2. Compliance Requirements
  3. Auditing

Data Access and Protection

Data Access

Data Access addresses how users gain admission to applications and data. What needs to be determined is how the various personas and usage scenarios impact current security policies, applications and infrastructure. Some of the questions to be addressed include:

  • What authentication requirements are needed for users to remotely access company apps from their devices?
  • Where will the authentication services reside and how will they be managed?
  • Is the current platform able to enforce authorization per user and per app without having to rewrite the apps?
  • Is it possible to enforce Multi-Factor Authentication according to a user’s location?
  • Are current remote access methods adequate for the mobile scenarios you’ve defined? is the user experience acceptable?


When planned properly, data protection ensures the data is accessed securely. Questions to address include

  • How will data be stored on user’s devices? Will it be encrypted? What is the risk of data loss is it cannot be decrypted?
  • What is the risk of data loss if the device is lost and the data is not encrypted?
  • Will any corporate data stores be accessed by the device? Where is the data located (datacenter, cloud, other)? Will additional safeguards be required for the data being accessed? Will it be encrypted?
  • How will data be transferred to and from the device? Will it be encrypted in motion (HTTPS, IPSEC)?
  • Will any infrastructure changes be required (PKI, firewalls, gateways, etc.)
  • Will the safeguards impede the UX?
  • Are there any regulatory compliance issues that need to be addressed (SOX, PCI, etc.)


Management refers to the services and capabilities enabling IT to measure and meet the objectives of the strategy. These services and capabilities include (but are not limited to) the following:

  1. Monitoring (users, devices, compute, storage, etc.)
  2. Reporting
  3. Provisioning & Configuration

These services and capabilities can all be very complex depending on your use case scenario. In the following sections I will provide some key questions that should be answered for each of these services and capabilities.


Monitoring should be approached from the perspective of ensuring stable enablement and not solely monitoring for malicious activity. Questions to consider include:

  • Do you have the legal ability to monitor the devices (consider BYOD)
  • Do you require agentless or agent based monitoring capabilities? Perhaps a mix depending on use case? Are agents available for your devices?
  • Will you enforce policies or simply monitor adherence?
  • Will you require remote management capabilities (E.g. remote/selective wipe)


What are your reporting needs? Do you have specific compliance reports (regulatory or otherwise) that need to be available to auditors? Is your device ownership model (BYOD, CYOD, COPE. Etc.) driving specific reporting requirements. Some examples of the types of reports that might be required include:

  • Devices

    1. Device Hardware (make, model, firmware, memory, camera, IMEI, SIM, carrier, etc.)
    2. Device Software (OS Version, Apps Installed,
    3. Device Configuration (PIN, encryption, certificates, jail broken, etc.)
  • Users

    1. Which users are using which devices
    2. Which users use the most bandwidth (exceed quota, etc.)
    3. Which users are roaming regularly
  • Security

    1. Last successful connection by device and user
    2. Failed connection attempts
    3. Device Locations

Provisioning & Configuration

Provisioning deals with how devices will be delivered to users. IT might be driven by your device ownership model and will involve answering some of the following questions:

  • How will devices be delivered to end users?
  • How will Applications be delivered to devices?
  • Will it be different for different platforms?
  • How will configurations be maintained overtime?
  • Will automation be required to make it more efficient and scalable?


For many organizations the Mobile Device Management strategy evolves out of the device choice that they (or their users) make. Often they are reactions to incidents or tactical maneuvers addressing specific concerns. Shifting to a BYOD if not planned properly can be stressful for IT. BYOD can quickly become the catalyst for supported users to take matter in their own hands and without IT’s knowledge resulting in Shadow IT. It is imperative to understand the business requirements at the outset and prudent to understand the benefits of strategically selecting the devices that will be part of the strategy.

Based on all of the information gathered thus far, here’s a starting point of the types of questions you need to answer in this part of your strategy:

  • What mobile device operating systems will you support?
  • Will you require that the device support specific management agents?
  • Will you require specific networking functionality from the device (WiFi, 3G, 4G, VPN, etc.)?
  • Have you addressed requirements specific to the application itself?

Devices are evolving rapidly. Their computational capacities are astounding and the built in manageability is quickly becoming more robust. Insure your organization’s device strategy addresses needs not just the user’s desires.


There are many things to consider in designing an MDM strategy. A great place to start is by asking what new capabilities your strategy needs to enable and what outcomes are desired. Envisioning what the business, customer, and user experience would be like in two years time is a great starting point in planning for an effective MDM strategy in place. That vision assist your organization answer the questions that will shape your MDM strategy.