Modern Workplace Jul 19, 2019

Agility means working anytime, anywhere, on any device. But is it secure? It can be, provided the devices and the cloud services they reach are properly managed.

Smartphones and tablets have become constant companions in our everyday lives, which is why it has become more critical than ever to ensure company data is securely accessible. Our Bechtle Blog outlines your options.


Smartphones and tablets are here to stay. We rely on them not only in our personal lives but also at work, ensuring that we’re always available and productive, even on the go. Thanks to their powerful hardware and software, tablets in particular have become a true alternative to traditional notebooks.


From a company's perspective, however, mobile working means that devices are more often than not used outside its in-house network. As a result, they do not benefit from the perimeter protections of a stationary desktop environment. Ideally, cloud-based services that enable access anytime, anywhere and on any device should offer the same level of security as traditional on-premises server infrastructures.


So how do we ensure that company data and business dealings are secure on mobile devices? Read on to learn about a few options.


Apple iOS.

Apple offers Business Manager, which brings together the Device Enrollment Program (DEP) for managing devices and the Volume Purchase Program (VPP) for app licences. This platform allows companies to place business devices in Supervised Mode from the moment they are powered on for the first time, which is crucial from a corporate perspective. Supervised Mode helps businesses supply company-owned devices more efficiently and securely with the help of a mobile device management (MDM) solution. OS updates can be forced, a lost or stolen device can be placed in Lost Mode, and because a DEP-assigned device re-enrols in MDM automatically every time it is set up after a wipe, it cannot simply be erased and reused.


Even before the GDPR took effect, companies wanted to keep personal apps from uploading business contacts to untrusted third-party servers. Starting with iOS 11.3, companies can configure Managed Contacts so that apps for personal use cannot read business contacts. As a result, business contacts cannot be accessed by WhatsApp or similar apps installed on business devices doing double duty as personal phones. But business contacts aren't the only data requiring protection. Using the Managed Open In restrictions, MDM can block personal (unmanaged) apps from receiving or otherwise using data supplied by business (managed) apps and Exchange accounts. This prevents users from inadvertently or intentionally storing documents in a private cloud.
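The restrictions described above are delivered to a supervised device as a configuration profile. The following script, added here as an example and not code from Bechtle, Apple or any MDM vendor, generates such a profile with Python's standard `plistlib` and audits an existing profile for the keys that keep business data away from personal apps. The restriction keys are the documented keys of Apple's `com.apple.applicationaccess` payload; the organisation name, payload identifiers and the per-key defaults are assumptions made for illustration, and the example goes slightly beyond the text in also blocking the reverse direction (business accounts writing into personal contacts).

```python
"""Generate and audit an iOS restrictions profile that keeps business data
away from personal apps.

Added example, not code from Bechtle, Apple or any MDM vendor. The restriction
keys are the documented keys of Apple's com.apple.applicationaccess payload;
the organisation name, identifiers and the defaults below are assumptions
for illustration (check the defaults against Apple's current profile
reference for your iOS version).
"""
import plistlib
import uuid

# key -> (value we want, value assumed to apply when the key is absent).
DLP_RESTRICTIONS = {
    # Managed Open In: managed (business) apps and accounts may not hand
    # documents to unmanaged (personal) apps. Assumed default: permissive.
    "allowOpenFromManagedToUnmanaged": (False, True),
    # Managed Contacts (iOS 11.3+), only effective when the key above is
    # False: personal apps may not read business contacts, and business
    # accounts may not write into the personal contact store.
    "allowUnmanagedToReadManagedContacts": (False, False),
    "allowManagedToWriteUnmanagedContacts": (False, False),
}


def build_restrictions_profile(org="Example Corp",
                               identifier="com.example.mdm.dlp"):
    """Return a .mobileconfig (plist bytes) carrying the DLP restrictions."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Business data separation",
    }
    for key, (wanted, _default) in DLP_RESTRICTIONS.items():
        restrictions[key] = wanted
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Business data separation",
        "PayloadOrganization": org,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_profile(mobileconfig):
    """List the DLP restrictions a profile leaves permissive.

    Accepts the plist as bytes or as an already-parsed dict. Several
    restriction payloads in one profile are merged, later ones winning.
    """
    profile = (plistlib.loads(mobileconfig) if isinstance(mobileconfig, bytes)
               else mobileconfig)
    restriction_payloads = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.applicationaccess"
    ]
    if not restriction_payloads:
        return ["no com.apple.applicationaccess payload"]
    merged = {}
    for payload in restriction_payloads:
        merged.update(payload)
    findings = []
    for key, (wanted, default) in DLP_RESTRICTIONS.items():
        effective = merged.get(key, default)
        if effective != wanted:
            findings.append(key)
    return findings


if __name__ == "__main__":
    profile = build_restrictions_profile()
    print(profile.decode())
    print("findings:", audit_profile(profile) or "none")
```

The audit treats an absent key as Apple's default rather than as "not configured", which is the mistake that usually leaks data: a profile that sets only the contacts keys but forgets `allowOpenFromManagedToUnmanaged` still lets documents flow to personal apps, and the contacts restrictions never take effect.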



Android Enterprise follows a similar approach, although here the separation is visible to the user. Compatible devices are given a work profile, shown as a separate, badged set of apps, which may be assigned its own passcode in addition to the device passcode, keeping unauthorised individuals from accessing it. Using the management solution, the company itself decides which business data may be shared with personal apps, and vice versa.


Work profiles even have their own app store offering only company-approved apps. Personal apps cannot be installed under the work profile. As on Apple iOS, personal apps cannot access business contacts. Incoming calls are nevertheless identified correctly, so users can see whether the caller is a personal or business contact, provided the number was previously saved in the personal or the work contact list. Companies are encouraged to familiarise themselves with Android Enterprise sooner rather than later: Google has deprecated the legacy device administrator API for enterprise management starting with Android 10, leaving Android Enterprise as the supported way to manage devices.


Microsoft Windows.

Unlike traditional, stationary Windows desktop environments, which are usually administered using Active Directory GPOs, Surface and other tablets pose a new challenge for companies.

Because of their increasingly mobile use, they are hardly, if ever, connected to an in-house network, so domain-based policies rarely get a chance to apply. This makes it much harder to deploy appropriate management policies and configurations. Companies must therefore consider not only legacy management but also newer MDM options to ensure that these devices are deployed and managed with the same level of security.

Solutions such as MobileIron Bridge blend traditional and modern management: an agent on the managed device deploys, applies and even removes scripts and GPO-style settings over the MDM channel, without requiring that the device be connected to the corporate network. Depending on the range of features and purpose of the mobile Windows device, a VPN solution may no longer be needed.


Cloud services.

In addition to securing and protecting devices and their locally stored data, safeguarding cloud-based services is becoming increasingly important. Many companies already rely on services such as Salesforce, Office 365 with Outlook Online, and more. Users find these services quite convenient as they can in theory access them through any compatible app on any device, anytime and anywhere. From the company's perspective, however, this puts company data at significant risk: it must ensure that such data is accessed only from protected business devices and through company-provided apps, so that corporate data is not stored or used on personal devices. Conditional access rules do exactly that. Each connection to a cloud service is checked against predefined policies that look at device status (managed, compliant), the requesting application and other signals before access is granted.
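To make the policy logic concrete, here is a miniature conditional-access evaluator, added as an example and not code from Bechtle, Microsoft or MobileIron. The policy model, the field names, the policy names and the sample sign-in attempts are constructed for illustration; real products use their own schemas and many more signals. It shows the three checks the paragraph mentions (managed and compliant device, approved client app, plus MFA as an extra signal) and how a single failed requirement denies the connection.

```python
"""Conditional access in miniature: evaluate sign-ins to cloud services
against policies that look at device state and the requesting app.

Added example, not code from Bechtle, Microsoft or MobileIron. The policy
model, field names and sample sign-ins are constructed for illustration;
real products use their own schemas and far more signals.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    """Signals the identity provider sees for one connection attempt."""
    user: str
    cloud_app: str          # service being accessed, e.g. "exchange-online"
    client_app: str         # app making the request, e.g. "outlook-mobile"
    platform: str           # "ios", "android", "windows", ...
    device_managed: bool    # enrolled in MDM
    device_compliant: bool  # MDM reports it meets the compliance baseline
    mfa_done: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    cloud_apps: frozenset                           # services covered; {"*"} = all
    require_compliant_device: bool = False
    approved_client_apps: frozenset = frozenset()   # empty = any client allowed
    require_mfa: bool = False

    def applies_to(self, signin):
        return "*" in self.cloud_apps or signin.cloud_app in self.cloud_apps


def evaluate(signin, policies):
    """Return (allowed, reasons). Every applicable policy must be satisfied;
    one failed requirement is enough to deny the sign-in."""
    reasons = []
    for pol in policies:
        if not pol.applies_to(signin):
            continue
        if pol.require_compliant_device and not (
                signin.device_managed and signin.device_compliant):
            reasons.append(f"{pol.name}: device is not managed and compliant")
        if pol.approved_client_apps and \
                signin.client_app not in pol.approved_client_apps:
            reasons.append(f"{pol.name}: client '{signin.client_app}' "
                           "is not an approved app")
        if pol.require_mfa and not signin.mfa_done:
            reasons.append(f"{pol.name}: MFA not completed")
    return (not reasons, reasons)


# Constructed policies (hypothetical names and app identifiers).
POLICIES = [
    Policy("corp-data-on-managed-devices", frozenset({"*"}),
           require_compliant_device=True),
    Policy("mail-only-via-company-apps", frozenset({"exchange-online"}),
           approved_client_apps=frozenset({"outlook-mobile", "outlook-desktop"})),
    Policy("crm-needs-mfa", frozenset({"salesforce"}), require_mfa=True),
]

# Constructed sign-in attempts.
SAMPLE_SIGNINS = {
    "managed-outlook": SignIn("alice", "exchange-online", "outlook-mobile",
                              "ios", True, True),
    "personal-mail-app": SignIn("alice", "exchange-online", "native-mail",
                                "android", False, False),
    "noncompliant-crm": SignIn("bob", "salesforce", "salesforce-mobile",
                               "ios", True, False, mfa_done=True),
    "crm-no-mfa": SignIn("bob", "salesforce", "salesforce-mobile",
                         "ios", True, True),
}


def decide(name):
    """Evaluate one of the sample sign-ins under POLICIES."""
    return evaluate(SAMPLE_SIGNINS[name], POLICIES)


if __name__ == "__main__":
    for name in SAMPLE_SIGNINS:
        allowed, reasons = decide(name)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}",
              *("  - " + r for r in reasons), sep="\n")
```

Note that a managed device is not enough on its own: the device must also report as compliant, and the request must come from an approved client, otherwise the native mail app on a personal phone could still pull the mailbox down. Deny-wins evaluation across all applicable policies is what keeps a permissive policy for one service from undoing the baseline for all of them.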


Microsoft provides its own conditional access and app protection services for Microsoft applications. However, if a customer uses a variety of authentication methods or cloud services, MobileIron Access may be a suitable option. Word, Excel, PowerPoint and other applications can be configured using app protection policies, which prevent users from saving documents to third-party cloud services or printing them locally.

Matthias Beck
Team leader System Engineers