10:14 AM
Kurt Marko
Kurt Marko
Connect Directly

What Sophos Brings To MDM Table

Security vendors are rushing to fill gaping holes in IT's ability to manage mobile devices. But if you expect perfection, you'll wait too long.

The invasion of personal smartphones into the enterprise, whether through the front door of an official BYOD program or back door of I'll see how much I can get away with is by now so well established that the IT discussion is no longer about whether it's a good idea, but rather how to cope with the onslaught of unmanaged devices from a hodge-podge of manufactures and running several different OSs. For IT, standing at the rampart and yelling stop is about as effective building a sand berm in the face of an onrushing tsunami.

It's a situation not dissimilar to that faced a couple decades ago as PCs began flooding into offices while IT was still ensconced in its raised floor lairs tending to "real" computers. Gradually, a software ecosystem developed to automate and centralize the management of inherently personal and distributed devices. Today, many of those same companies, including endpoint security specialists like McAfee, Symantec and Sophos, are rushing to fill gaping holes in IT's ability to manage mobile devices.

As our MDM research report and survey found last year, fully 65% of respondents anticipate an increase in employee-owned mobile devices. To no one's surprise, as we outline in a recent report on mobile application development, the vast majority of those phones and tablets will be running iOS and Android. MDM software is the industry's solution to the vexing problem of making order out of chaos, but so far it's been greeted with a lukewarm response by enterprise IT. Our survey finds under a third of organizations have implemented these all-in-one management suites.

Sophos, a firm better known for PC anti-malware and data encryption than mobile security seems determined not to miss the post-PC market. The firm, which built its Sophos Mobile Control product upon technology licensed from Dialogs, a German firm specializing in mobile and communications software, clearly felt that developing MDM technology is far too important and strategic to remain an outsourced function and acquired the company earlier this year. The first fruits of this union were announced this week with a point upgrade to Sophos' MDM product. On the surface, there's not a lot new in Mobile Control 2.5, which already boasted a solid, if not extraordinary, set of MDM features; the complete litany of which you can actually see in more detail by looking at Dialogs' smartMan feature list [PDF] rather than the vague marketing speak pervading Sophos' own data sheet. The big additions are improvements to its management interface and enterprise integration, notably the ability to link devices and security policies to Active Directory groups.

[ Doing nothing is not an option. Read 6 Keys To A Flexible MDM Strategy. ]

Mobile Control's AD integration allows tying users to specific devices and groups to sets of configuration policies. For example, marketing employees might be allowed to use the Facebook app on the corporate WLAN while everyone else is blocked, or executives may be configured to use an exclusive remote VPN gateway when traveling not available to other employees. The ability to automatically map policies and configurations to existing users and groups is a big boost to administrator efficiency.

Another enhancement in 2.5 is support for app distribution and control on iOS. Previous versions allowed installing and removing apps on Android and Windows Phone, but Apple's tight control over app distribution can complicate life for enterprises. The new version enables IT to push or delete iOS apps installed from either the App Store or an in-house portal. The update also features improvements to device compliance checking and reporting. Mobile Control features a handy client-side app that gives users an overview of the device's compliance status including any resolution steps they must take to rectify the problems. IT gets the same data for all devices on a central management console.

Although Sophos didn't participate in our MDM Buyer's Guide, when comparing its feature list to the 20 or so categories we asked about, Mobile Control could check almost all of the boxes. No, it can't remotely control a device (at least not the ones that matter: Apple and Android), nor remotely upgrade the OS, but when it comes to app management, policy enforcement, device inventory, usage tracking, geolocation, and remote wipe, Sophos has you covered. One area that Sophos doesn't address--again, for the smartphones people care about--and in all fairness, few MDM products do--is data backup. With the proper configuration and usage guidelines, mobile device backup shouldn't be a critical feature since, as I point out in an earlier column, it's best to keep company data off of mobile devices. But as I point out in a forthcoming report on e-discovery in the age of cloud services and smartphones, there are certain types of important company information that invariably end up being either generated or inadvertently stored on mobile devices; things like text message conversations, call logs, audio recordings, camera snapshots--all of it potentially valuable information if the phone is lost or its owner is pertinent to pending litigation.

The MDM market is rapidly evolving, resembling the state of anti-virus and PC security products a decade ago; meaning every product has flaws and a widely accepted, de facto standard feature set has yet to emerge. But in IT, perfection can never be the enemy of the good, since the good is always getting better. When it comes to getting a handle on mobile devices within your organization, Sophos' updated Mobile Control is emphatically better than nothing and at least as good as most of its competitors. IT shops already using Sophos for PC endpoint management should start their MDM evaluation here.

Android and Apple devices make backup a challenge for IT. Look to smart policy, cloud services, and MDM for answers. Also in the new, all-digital Mobile Device Backup issue of InformationWeek: Take advantage of advances that simplify the process of backing up virtual machines. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Published: 2015-10-09
The API in the WebKit Plug-ins component in Apple Safari before 9 does not provide notification of an HTTP Redirection (aka 3xx) status code to a plugin, which allows remote attackers to bypass intended request restrictions via a crafted web site.

Published: 2015-10-09
The Intel Graphics Driver component in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5877.

Published: 2015-10-09
The Login Window component in Apple OS X before 10.11 does not ensure that the screen is locked at the intended time, which allows physically proximate attackers to obtain access by visiting an unattended workstation.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.