MobiVisor blog series: Data protection with MDM - secure mobile devices

The introduction of the GDPR represents a challenge, especially for SMEs, as financial and human resources for implementing the extensive requirements are often limited. In our article we will shed light on how you can take important steps towards more data protection in your company by using an MDM.


What does an MDM have to do with data protection?

The GDPR clearly regulates how personal data is to be handled. This applies to customer data on the one hand and to employee data on the other. Since more and more mobile devices such as tablets or cell phones are now being used for work, it must be ensured that these are adequately secured as well, because they are connected to the company network. This so-called endpoint management is an important factor in implementing the GDPR requirements in the company. In order to secure mobile devices in accordance with the GDPR, an MDM should be used. With regard to mobile devices in companies, the following points of the GDPR are particularly relevant:

  • The purpose for which data is collected must be clear
  • Information on data processing must be provided in a transparent, accessible and easy-to-understand manner
  • Users must be informed about how long the data will be stored
  • Anyone can request that data be deleted
  • All people can access the data concerning them and also request that it be corrected
  • Data protection through technology design and data protection-friendly default settings

In principle, companies have a much greater obligation to protect all personal data. With regard to mobile IT, this means that the following must be ensured:

  • Unauthorized persons outside the company have no access to personal data
  • Employees have no access to personal data other than their own
  • Data leaks must be prevented
  • Data must be able to be deleted quickly and cannot be restored after deletion
  • Software and apps used in the company may only collect and store data that is really relevant


How do you implement data protection with an MDM?

A particularly important point in relation to the protection of personal data is the prevention of access by unauthorized persons. This includes all outside parties, such as competing companies, hackers, friends or family of employees, and many more. For each of these groups it must be clear how access is prevented, even though the measures may differ.


No access for unauthorized people

  • Definition of a list of password- and firewall-protected Wi-Fi connections that may be used
  • If devices are used primarily for work, they should be set up as work devices. To do this, the devices must be reset once and “Use for work only” selected during setup. This gives the company the broadest access rights, so that it can implement more and stricter security policies.
  • Specifying a password policy with high complexity, so that users have to assign a password before they can fully use the device. This prevents password assignment from being skipped out of convenience, which would otherwise allow strangers to use the device without any hurdles.
  • If the device is lost or stolen, it must be ensured that data cannot be stolen. For this purpose, Android devices have a function called “Lost Mode”. This blocks the device temporarily and prevents the device’s contents from being used.
  • The application of data protection guidelines for Android and iOS devices already ensures GDPR-compliant protection. These policies disable features that can compromise data security, such as USB debugging or social media apps.
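The hardening points above can be checked continuously against the device inventory an MDM collects. The following is an added example, not code from the MobiVisor blog or product: it evaluates constructed inventory records against those points and lists what each device fails. The record fields, the approved Wi-Fi names, the minimum passcode length and the device ids are assumptions made for this illustration.

```python
# Added example, not code from the MobiVisor blog or product: a compliance check
# that runs over constructed device inventory records and reports which of the
# hardening points above a device fails. The record fields, the approved Wi-Fi
# names, the passcode minimum and the device ids are assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist of company Wi-Fi networks (first bullet above).
APPROVED_WIFI = frozenset({"corp-office", "corp-warehouse"})
MIN_PASSCODE_LENGTH = 8  # assumed policy minimum


@dataclass
class DeviceReport:
    """Hypothetical inventory record as an MDM might collect it from a device."""
    device_id: str
    enrollment: str            # "work_only" (fully managed) or "personal"
    passcode_set: bool
    passcode_length: int       # 0 when no passcode is set
    usb_debugging: bool
    connected_wifi: Optional[str]
    reported_lost: bool        # the user has reported the device lost or stolen
    lost_mode_active: bool     # the MDM has locked it with Lost Mode


def compliance_findings(report: DeviceReport) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    findings = []
    if report.enrollment != "work_only":
        findings.append("not enrolled as a work-only device")
    if not report.passcode_set:
        findings.append("no passcode set")
    elif report.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if report.usb_debugging:
        findings.append("USB debugging enabled")
    if report.connected_wifi is not None and report.connected_wifi not in APPROVED_WIFI:
        findings.append(f"connected to unapproved Wi-Fi '{report.connected_wifi}'")
    # Edge case: a device reported lost that has not been locked is the most
    # urgent finding, because its contents are still usable by whoever holds it.
    if report.reported_lost and not report.lost_mode_active:
        findings.append("reported lost but Lost Mode not active")
    return findings


def is_compliant(report: DeviceReport) -> bool:
    return not compliance_findings(report)


def triage(reports):
    """Map device id -> findings for every non-compliant device."""
    return {r.device_id: compliance_findings(r) for r in reports if not is_compliant(r)}


# Constructed sample inventory: one clean device, one badly configured private
# device, and one managed device that was reported lost but never locked.
SAMPLE_REPORTS = [
    DeviceReport("tab-001", "work_only", True, 10, False, "corp-office", False, False),
    DeviceReport("tab-002", "personal", False, 0, True, "cafe-guest", False, False),
    DeviceReport("tab-003", "work_only", True, 12, False, None, True, False),
]

if __name__ == "__main__":
    for device, issues in triage(SAMPLE_REPORTS).items():
        print(device, "->", "; ".join(issues))
```

Running the block prints one line per non-compliant device; in practice the `triage` output would feed the MDM action (for tab-003, activating Lost Mode) rather than a printout.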


Manage access within the company

Data protection violations can also occur within the company, for example if employees have access to sensitive data of clients, customers or patients with whom they have no professional dealings. Another example is inadequate protection of company documents, so that they can be copied at will. Role and permission management is therefore the focus of internal data protection.

The following MDM functions can be used as part of the company’s access management:

  • Depending on their authorizations and activity or role in the company, employees should be divided into groups within the MDM. Different apps can be added to these groups depending on the needs of the group. Furthermore, various security policies and authorizations can be assigned. In addition, apps can also be configured so that certain actions are no longer possible with them, e.g. taking screenshots.
  • Another way to restrict access is kiosk mode: this hides the settings and, if desired, the notification bar. Only a selected app catalog appears on the device screen. This makes operation more streamlined and therefore less error-prone.

Prevent data leaks

Data protection violations also include data leaks in which company data is unintentionally released into circulation. This can happen quickly if employees are allowed to use mobile devices for private purposes in addition to work. This double use is therefore not suitable for companies that work with a lot of personal data. Here too, data protection can be supported with an MDM:

  • Increased data protection can be achieved simply by the way the devices are set up. For example, Android devices can be set up with two profiles: one contains all work apps, the other all personal apps. The work profile holds only work-related apps and can be fully managed by the company.
  • It is also recommended to configure the App Store and Google Play Store to only allow apps that have been approved by the company. This prevents the download of apps that may not comply with the GDPR.
  • To secure mobile IT, it makes sense to choose a secure email provider. In addition, the MDM can be used to specify that only company accounts may be used on the mobile device. This prevents phishing emails or malware from reaching the devices via private accounts.

Complete, secure deletion of data

If mobile devices are no longer used, they must be properly decommissioned. This includes properly backing up the data, resetting the device and, if applicable, returning it to the hardware provider. The following MDM functions can support this:

  • If the device is no longer physically available, it must still be possible to wipe it. To do this, the IT admin can completely reset the device remotely.

Limit data collection from apps

A recurring concern among companies is that apps can access personal data in the background and that it may be forwarded abroad. In a corporate context, care should be taken to ensure that apps comply with the GDPR guidelines. It is also best to use apps whose hosting servers are in the EU. In non-EU countries, personal data is often handled differently and it is not uncommon for it to be passed on to third parties – be it the government or shopping providers – even without prior consent. The following MDM functions can be used to manage the handling of apps:

  • To prevent certain apps from being used, they can be blacklisted. This means they cannot be downloaded or opened, while all other apps may be used, provided there are no other restrictions. However, this requires the list of banned apps to be updated continually. The whitelist offers a more comprehensive solution: only what is on the whitelist is allowed and everything else is automatically blocked.
  • As mentioned above, you should always prefer apps that meet data protection standards. This also includes clearly stating what data is collected and why the app needs it. There should also be information about where the data is stored and who needs to be contacted if the data is deleted.
  • To function properly, apps require access to certain parts of the phone, such as location, photos, contacts, etc. However, it should always be noted that even if an app asks for certain permissions, it may not need them at all. Therefore, the MDM should determine what the apps have access to. Android offers the option of configuring the permissions manually via MDM.
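The group-based assignment of apps described under “Manage access within the company”, the blacklist-versus-whitelist comparison and the permission control in the list above follow one policy model: decide per group which apps may run, and deny by default whatever is not explicitly granted. The following is an added example, not code from the MobiVisor blog or product, that implements that model over constructed policies; group names, package names and permission names are assumptions. It also shows why a blocklist needs constant maintenance: an app that appears after the list was written slips through in blocklist mode and is blocked in allowlist mode.

```python
# Added example, not code from the MobiVisor blog or product: a minimal policy
# evaluator for group-based app lists and MDM-configured permission grants.
# Group names, package names and permission names are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Iterable


class ListMode(Enum):
    BLOCKLIST = "blocklist"   # everything may run except the listed apps
    ALLOWLIST = "allowlist"   # nothing may run except the listed apps


class Grant(Enum):
    GRANT = "grant"
    DENY = "deny"
    PROMPT = "prompt"         # leave the decision to the user at runtime


@dataclass
class GroupPolicy:
    """Policy for one employee group (hypothetical structure)."""
    name: str
    mode: ListMode
    apps: FrozenSet[str]      # the blocklist or the allowlist, depending on mode
    # permissions[package][permission] -> Grant; anything unlisted is denied
    permissions: Dict[str, Dict[str, Grant]] = field(default_factory=dict)


def app_allowed(policy: GroupPolicy, package: str) -> bool:
    """Blocklist: allowed unless listed. Allowlist: blocked unless listed."""
    if policy.mode is ListMode.ALLOWLIST:
        return package in policy.apps
    return package not in policy.apps


def permission_decision(policy: GroupPolicy, package: str, permission: str) -> Grant:
    """Deny by default: a blocked app gets nothing, and an allowed app gets only
    the permissions the admin explicitly configured for it, regardless of what
    the app itself asks for."""
    if not app_allowed(policy, package):
        return Grant.DENY
    return policy.permissions.get(package, {}).get(permission, Grant.DENY)


def blocklist_gaps(policy: GroupPolicy, observed: Iterable[str],
                   approved: Iterable[str]) -> FrozenSet[str]:
    """Apps seen on devices that the policy lets through although they are not
    company-approved. In blocklist mode this is the list the admin must keep
    extending; in allowlist mode it is empty because unknown apps are blocked."""
    approved = frozenset(approved)
    return frozenset(a for a in observed if app_allowed(policy, a) and a not in approved)


# Constructed sample data: the company-approved catalog and two group policies.
APPROVED_APPS = frozenset({"com.example.crm", "com.example.mail", "com.example.maps"})

FIELD_SERVICE = GroupPolicy(
    name="field-service",
    mode=ListMode.ALLOWLIST,
    apps=frozenset({"com.example.crm", "com.example.maps"}),
    permissions={
        "com.example.crm": {"CAMERA": Grant.GRANT},
        "com.example.maps": {"ACCESS_FINE_LOCATION": Grant.GRANT},
    },
)

SALES = GroupPolicy(
    name="sales",
    mode=ListMode.BLOCKLIST,
    apps=frozenset({"com.example.socialmedia", "com.example.game"}),
    permissions={"com.example.crm": {"CAMERA": Grant.PROMPT}},
)

# Constructed inventory; "com.example.newgame" appeared after the lists were written.
OBSERVED_APPS = ["com.example.crm", "com.example.maps", "com.example.game", "com.example.newgame"]

if __name__ == "__main__":
    for policy in (FIELD_SERVICE, SALES):
        print(policy.name, "unapproved apps let through:", sorted(blocklist_gaps(policy, OBSERVED_APPS, APPROVED_APPS)))
```

The `permission_decision` function is where the third bullet lands in code: the app's own manifest request never enters the decision, only the admin's configured grant does, so an app that asks for location it does not need simply never receives it.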


Conclusion

In order to meet the GDPR and the associated data protection requirements, companies must pay closer attention to how and to what extent they use their mobile IT. In addition to securing the devices themselves, access permissions and the use of apps must also be taken into account. With the help of an MDM, many of the settings relevant to data protection can already be made centrally.


Does your company currently lack suitable solutions for managing and securing mobile devices? Get to know our services and contact us without obligation.