Another form of context that MDM could use is time: Access to certain enterprise resources, such as Wi-Fi access points or the VPN, could be turned off outside an employee's working hours. Zenprise's MDM tool today supports app-specific VPN use, so only authorized apps can reach the corporate VPN; that limits the damage an infected mobile device can do, since malware delivered by phishing cannot ride an unauthorized app's traffic into the corporate network.
Longer-term, contextual management could be more behavior-based, similar to how data loss prevention (DLP) tools work to protect corporate data from unusual access, says Ahmed Datoo, chief marketing officer at Zenprise. For example, an MDM tool could notice that an app not used for five months has suddenly begun communicating -- a sign of a data-stealing malware infection, he says. "That's behaviorally detectable."
Why contextual MDM is trickier than it first appears
"We see lots of customer demand for contextual MDM," says Raffi Tchakmakjian, VP of product management at MDM provider Trellia. The notion is familiar to government customers, who already have tools that manage user laptops according to contextual policies such as time and location, tracking, for example, whether a government employee is connected via a public network. But MDM tools don't have the luxury of a monoculture (Windows, in the case of computers), so replicating that approach in the heterogeneous world of mobile devices will be difficult, he says. "It's hard to have the same result across users of different mobile OSes."
It also turns out that the IT groups that manage mobile security and access are rarely the same ones who manage desktop security and access, Tchakmakjian says, which has led to separate tool sets and nonunified management. But he does expect that to change as enterprises become more reliant on mobile devices and realize they're part of the basic IT infrastructure, no longer a peripheral activity.
Beyond the internal IT issues, a big obstacle to implementing contextual MDM is dealing with the contexts themselves. A common complaint about DLP tools in their heyday of the mid-2000s was their complexity. The heuristic approach of DLP, which requires anticipating all the permitted uses of data -- not just in general terms but for specific files and databases, and then in the context of the user and the recipient -- proved to be an overwhelming task. Writing the rules for the uses IT could anticipate was itself a massive undertaking. Many DLP users quickly realized it was not an automated protection system but really a forensics tool for investigating incidents after the fact and a tool for preventing the most foolish employee actions. After all, a determined thief would work around the DLP rules, rendering most policies ineffective.
Behavioral MDM could face a similar barrier. Datoo says that's why successful contextual MDM tools will need to avoid heuristic approaches that rely on identifying and acting on patterns of behavior -- which are prone to false positives unless you have the vast behavioral data set of a Google search engine to back you up -- and instead use a deterministic approach: rules that trigger specific tests to diagnose the symptoms. Comparing the user's current location against the locations of sensitive areas is exactly such a test, as is mapping the current time or the requesting application to the permissions allowed for it.
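To make the deterministic approach concrete, here is an added example (not code from Zenprise, Trellia, or the article's author) of a small rule evaluator that combines the contexts discussed above: working-hours restrictions on Wi-Fi and VPN, an app allowlist for the corporate VPN, a geofence around a sensitive area, and a simple dormant-app check of the kind Datoo describes (an app idle for months that suddenly starts communicating). Every rule name, threshold, coordinate, package name, and sample context below is a hypothetical assumption chosen for illustration, and the sample contexts are constructed inline so the block runs offline.

```python
"""Deterministic contextual access rules for MDM (illustrative example only).

All policy values, app names, coordinates and sample device contexts are
hypothetical assumptions; nothing here is a vendor's real rule set.
"""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SensitiveArea:
    name: str
    lat: float
    lon: float
    radius_m: float
    blocked: frozenset  # device resources denied while inside the area


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres, using a 6371 km Earth radius."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


@dataclass
class Policy:
    work_start_hour: int = 8            # assumed local working hours
    work_end_hour: int = 18
    after_hours_blocked: frozenset = frozenset({"vpn", "wifi"})
    vpn_apps: frozenset = frozenset({"com.example.mail", "com.example.crm"})
    areas: List[SensitiveArea] = field(default_factory=list)
    dormant_days: int = 150             # roughly the "five months" threshold


@dataclass
class Context:
    """What the device reports at the moment of the access request."""
    now: datetime
    lat: float
    lon: float
    app: str
    resource: str                        # e.g. "vpn", "wifi", "camera"
    app_last_active: Optional[datetime] = None


def evaluate(policy: Policy, ctx: Context) -> Tuple[str, List[str]]:
    """Apply each rule as a deterministic test; deny if any rule fires."""
    reasons: List[str] = []
    in_hours = policy.work_start_hour <= ctx.now.hour < policy.work_end_hour
    if not in_hours and ctx.resource in policy.after_hours_blocked:
        reasons.append(f"{ctx.resource} is disabled outside working hours")
    if ctx.resource == "vpn" and ctx.app not in policy.vpn_apps:
        reasons.append(f"app {ctx.app} is not authorized for the corporate VPN")
    for area in policy.areas:
        dist = haversine_m(ctx.lat, ctx.lon, area.lat, area.lon)
        if dist <= area.radius_m and ctx.resource in area.blocked:
            reasons.append(f"{ctx.resource} blocked inside {area.name} ({dist:.0f} m from centre)")
    if ctx.app_last_active is not None:
        idle = ctx.now - ctx.app_last_active
        if idle > timedelta(days=policy.dormant_days):
            reasons.append(f"app {ctx.app} was dormant for {idle.days} days and is now communicating")
    return ("deny" if reasons else "allow", reasons)


# Constructed sample policy and device contexts (hypothetical values).
EXAMPLE_POLICY = Policy(
    areas=[SensitiveArea("R&D lab", 37.7749, -122.4194, 200.0, frozenset({"camera"}))]
)
NOON = datetime(2012, 3, 14, 12, 0)           # a weekday, inside working hours
OFFICE = (37.7849, -122.4194)                 # about 1.1 km north of the lab
SAMPLES = {
    "mail_on_vpn_at_noon": Context(NOON, *OFFICE, "com.example.mail", "vpn", NOON - timedelta(days=1)),
    "mail_on_vpn_at_night": Context(NOON.replace(hour=22), *OFFICE, "com.example.mail", "vpn", NOON - timedelta(days=1)),
    "game_on_vpn": Context(NOON, *OFFICE, "com.example.game", "vpn", NOON - timedelta(days=1)),
    "camera_in_lab": Context(NOON, 37.7749, -122.4194, "com.example.camera", "camera", NOON),
    "dormant_app_calls_home": Context(NOON, *OFFICE, "com.example.flashlight", "wifi", NOON - timedelta(days=160)),
}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        decision, why = evaluate(EXAMPLE_POLICY, ctx)
        print(f"{name:24s} {decision:5s} {'; '.join(why)}")
```

The evaluator makes no attempt to learn "normal" behavior; each rule is a fixed test with a fixed threshold, which is what keeps false positives predictable. The practitioner's caveat is that every input is self-reported by the device: a compromised or jailbroken handset can lie about its clock, its GPS fix, or when an app last ran, so these rules reduce exposure from careless use but are not a substitute for verifying device integrity before trusting its context.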