The Mobile Security Challenge
Mobile devices present a unique security challenge: they leave the office, connect to untrusted networks, can be lost or stolen, and may be used for both work and personal purposes. Without MDM, each employee's phone is an unmanaged endpoint that can access corporate email, cloud storage, and internal systems with no visibility or control from IT. A lost phone without full-disk encryption and a PIN exposes all its data to whoever finds it. MDM closes this gap by giving IT centralised management and security enforcement over mobile devices, regardless of where those devices are located.
MDM vs MAM — The Key Distinction
MDM (Mobile Device Management) manages the entire device. An MDM solution enrolls the device, installs a management profile, and then IT can: enforce screen lock PINs and biometrics, require full-device encryption, remotely wipe all data if the device is lost, push and remove apps, restrict camera or screenshot capabilities, configure WiFi and VPN profiles automatically, and track device location. MDM gives IT full control — but that full control extends to personal data on personal devices, which creates privacy concerns and employee resistance.
MAM (Mobile Application Management) manages specific corporate apps rather than the entire device. A MAM solution creates a managed container around corporate apps — the corporate email client, document editor, and VPN client are managed and secured, while personal apps are completely untouched by IT. Corporate data within managed apps can be encrypted and remotely wiped; personal photos and messages are never accessible to IT. MAM is the preferred approach for BYOD scenarios because it respects employee privacy while still protecting corporate data.
Many modern solutions are described as EMM (Enterprise Mobility Management) or UEM (Unified Endpoint Management) — these terms describe platforms that handle both MDM and MAM capabilities alongside laptop and desktop management in a single console. On the exam, MDM vs MAM is the key distinction to understand — match the solution to the ownership model and privacy requirements of the scenario.
Device Ownership Models
| Model | Who Owns Device | Personal Use | IT Control Level | Best Management Approach |
|---|---|---|---|---|
| BYOD | Employee | Yes — primary use | Low — privacy concerns | MAM — manage apps, not device |
| COPE | Corporate | Yes — allowed | High — company owns device | MDM with personal space separation |
| CYOD | Corporate | Limited | High | MDM — full device management |
| COBO | Corporate | No — work only | Full — locked down | MDM — maximum restrictions |
Key MDM Capabilities for the Exam
Remote wipe: Erase all data on a lost or stolen device remotely. Full device wipe removes everything; selective wipe removes only corporate data while preserving personal content (MAM capability). Remote wipe is the primary data protection control for mobile devices — the exam frequently asks "what should an administrator do when an employee reports their company phone lost?" → initiate a remote wipe.
Screen lock and PIN enforcement: MDM can require a PIN, password, or biometric to unlock the device and set a maximum inactivity timeout. A device without a screen lock is an open door to corporate data if lost. MDM policies can require minimum PIN complexity (6-digit minimum, no simple patterns) and a maximum number of failed unlock attempts before the device wipes itself.
Encryption enforcement: MDM verifies that full-disk encryption is enabled and can block device enrollment if it's not. Modern Android and iOS devices enable encryption automatically when a screen lock is set, but MDM provides verification and compliance reporting.
Geofencing: Location-based policies that trigger actions when a device enters or leaves a defined geographic boundary. A device that leaves the country might automatically have corporate app access revoked. A device on the corporate campus might automatically connect to the internal WiFi profile. Geofencing requires location services to be enabled on the device.
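As an added illustration of the geofencing logic described above (example code, not from the original page or any MDM vendor), the following evaluates a stream of device location reports against a circular fence around a corporate campus and emits the policy action on each enter or exit transition. The fence centre, radius, action names and the location reports are all constructed for the example; a report with no coordinates models a device whose location services are off, which the evaluator flags rather than guessing a transition.

```python
"""Constructed geofence evaluator: classifies each device location report
against a circular fence and emits the policy action for enter/exit events."""
import math
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    """Circular fence: centre point, radius, and the action to run on enter/exit."""

    def __init__(self, name: str, lat: float, lon: float, radius_m: float,
                 on_enter: str, on_exit: str):
        self.name, self.lat, self.lon, self.radius_m = name, lat, lon, radius_m
        self.on_enter, self.on_exit = on_enter, on_exit

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


def evaluate_reports(fence: Geofence, reports) -> list:
    """reports: iterable of (timestamp, lat, lon); lat/lon are None when the
    device reported no fix. Returns a list of (timestamp, event, action)."""
    events = []
    inside: Optional[bool] = None  # unknown until the first usable fix
    for ts, lat, lon in reports:
        if lat is None or lon is None:
            # Geofencing needs location services; with no fix the policy cannot
            # be evaluated, so record that instead of inferring a transition.
            events.append((ts, "location_unavailable", "flag_for_review"))
            continue
        now_inside = fence.contains(lat, lon)
        # The first fix establishes state and applies the matching action;
        # afterwards only a change of state produces an event.
        if now_inside and inside is not True:
            events.append((ts, "enter", fence.on_enter))
        elif not now_inside and inside is not False:
            events.append((ts, "exit", fence.on_exit))
        inside = now_inside
    return events


# Constructed fence: 300 m around a hypothetical campus centre. On-campus devices
# get the internal WiFi profile pushed; leaving campus removes it again.
CAMPUS = Geofence("hq-campus", 51.5007, -0.1246, 300.0,
                  on_enter="push_internal_wifi_profile",
                  on_exit="remove_internal_wifi_profile")

# Constructed location reports from one device over a working day.
SAMPLE_REPORTS = [
    ("08:55", 51.5010, -0.1240),   # arrives on campus (~53 m from centre)
    ("09:30", 51.5005, -0.1250),   # still on campus: no new event
    ("12:10", 51.5200, -0.1000),   # roughly 2 km away: exit
    ("12:40", None, None),         # location services switched off
    ("17:05", 51.5010, -0.1240),   # back on campus: enter
]

if __name__ == "__main__":
    for ts, event, action in evaluate_reports(CAMPUS, SAMPLE_REPORTS):
        print(f"{ts} {event:<22} -> {action}")
```

The evaluator keeps the last known state across a missing fix, so a device that turns location services off while outside the fence stays treated as outside; a production policy would additionally decide how long a device may go without reporting before it is marked non-compliant.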
App management: MDM can push required apps automatically to enrolled devices, remove apps when a device is unenrolled or an employee leaves, and maintain whitelists (only approved apps allowed) or blacklists (specific apps prohibited). Enterprise app stores allow distributing custom internal apps that aren't in public app stores.
Certificate deployment: MDM can automatically deploy authentication certificates to devices for WiFi (WPA2-Enterprise), VPN, and email (S/MIME). Users don't need to manually install certificates — they're pushed silently during enrollment.
Mobile Device Security Best Practices
OS and app updates: Mobile OS updates frequently patch security vulnerabilities. MDM can report which devices are running outdated OS versions and can block network access for devices below a minimum version threshold. This compliance checking is a key MDM value proposition beyond just device configuration.
Jailbreaking and rooting detection: Jailbroken iOS devices and rooted Android devices have bypassed security controls and can run unapproved software. MDM platforms detect jailbroken/rooted devices and can automatically quarantine them — blocking corporate email and VPN access until the device is restored to a compliant state.
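The compliance checks described in this section and under "Key MDM Capabilities" (screen lock and PIN complexity, encryption, minimum OS version, jailbreak/root state) are worth seeing as one posture evaluation, and the ownership model from the table above decides the wipe type for a lost device. The following is an added example of that logic, not code from the original page or from any MDM product; the policy thresholds, device fields and sample fleet are constructed, and the action names (quarantine, block enrolment, block network access) mirror the responses the text describes.

```python
"""Constructed device-compliance evaluator: checks reported device posture
against an MDM policy and picks the lost-device wipe type by ownership model."""
from dataclasses import dataclass

# Policy thresholds are constructed for the example, not any vendor's defaults.
POLICY = {
    "min_pin_length": 6,
    "max_inactivity_seconds": 300,
    "min_os_version": {"ios": (17, 0, 0), "android": (14, 0, 0)},
    "require_encryption": True,
    "allow_jailbroken": False,
}


@dataclass
class Device:
    device_id: str
    platform: str          # "ios" or "android"
    os_version: str        # as reported by the agent, e.g. "17.2.1"
    ownership: str         # BYOD, COPE, CYOD or COBO
    screen_lock: bool
    pin: str               # numeric PIN ("" when no PIN is set)
    inactivity_seconds: int
    encrypted: bool
    jailbroken: bool       # jailbroken (iOS) or rooted (Android)


def parse_version(text: str) -> tuple:
    """'17.2.1' -> (17, 2, 1); missing components compare as 0."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def pin_is_simple(pin: str) -> bool:
    """Reject non-numeric PINs, all-same digits and straight ascending or
    descending runs such as 111111, 123456 or 654321."""
    if not pin.isdigit():
        return True
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def evaluate(device: Device, policy=POLICY) -> dict:
    """Return the violations found and the single action the policy takes."""
    violations = []
    if not device.screen_lock:
        violations.append("no screen lock")
    else:
        if len(device.pin) < policy["min_pin_length"]:
            violations.append("PIN shorter than minimum")
        if pin_is_simple(device.pin):
            violations.append("PIN uses a simple pattern")
        if device.inactivity_seconds > policy["max_inactivity_seconds"]:
            violations.append("inactivity timeout too long")
    if policy["require_encryption"] and not device.encrypted:
        violations.append("storage not encrypted")
    if parse_version(device.os_version) < policy["min_os_version"][device.platform]:
        violations.append("OS below minimum version")
    if device.jailbroken and not policy["allow_jailbroken"]:
        violations.append("jailbroken/rooted")

    # Most severe finding wins: a jailbroken device is quarantined (corporate
    # email and VPN blocked), an unencrypted one is refused enrolment, an
    # outdated OS loses network access, anything else is a remediation notice.
    if "jailbroken/rooted" in violations:
        action = "quarantine"
    elif "storage not encrypted" in violations:
        action = "block_enrollment"
    elif "OS below minimum version" in violations:
        action = "block_network_access"
    elif violations:
        action = "notify_and_remediate"
    else:
        action = "allow"
    return {"device_id": device.device_id, "compliant": not violations,
            "violations": violations, "action": action}


def wipe_type_for(device: Device) -> str:
    """Lost-device response: selective wipe (corporate container only) on a
    personally owned device, full device wipe on a corporate-owned one."""
    return "selective" if device.ownership == "BYOD" else "full"


# Constructed sample fleet covering the four outcomes.
SAMPLE_DEVICES = [
    Device("byod-01", "ios", "17.2.1", "BYOD", True, "482915", 120, True, False),
    Device("cope-02", "android", "13.0", "COPE", True, "123456", 600, True, False),
    Device("cobo-03", "ios", "17.4", "COBO", True, "739104", 60, True, True),
    Device("cyod-04", "android", "14.0", "CYOD", False, "", 300, False, False),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        r = evaluate(d)
        print(d.device_id, r["action"], r["violations"],
              "| lost-device wipe:", wipe_type_for(d))
```

Running it reports byod-01 as compliant, cope-02 blocked from the network for its outdated OS (with the simple PIN and long timeout also listed), cobo-03 quarantined for being jailbroken, and cyod-04 refused enrolment because it is unencrypted; only the BYOD device gets a selective rather than full wipe.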
Containerisation: Rather than managing the entire device, containerisation creates an encrypted, isolated partition for corporate data and apps. Corporate content cannot be copied out of the container (no copy-paste to personal apps, no screenshots in corporate apps). This is MAM in practice — the container is managed by IT, everything outside it is untouched.
Mobile Device Security — Beyond MDM
MDM is the management layer, but mobile device security includes several additional concepts tested on A+ and Security+.
Sideloading — installing apps from sources other than the official app store (Google Play, Apple App Store) — bypasses the store's security review process and significantly increases malware risk. MDM policies can disable sideloading on enrolled devices.
Carrier unlocking vs jailbreaking/rooting: carrier unlocking allows a phone to be used on different cellular networks — this is legal and doesn't affect security. Jailbreaking (iOS) and rooting (Android) bypass the OS security model and allow apps to gain system-level access — this compromises the device's security posture and should be detected and quarantined by MDM.
Bring Your Own Application (BYOA) extends the BYOD concept to applications — employees use their preferred applications (personal Dropbox, WhatsApp) for work alongside corporate-approved apps. This creates data leakage risk: work files saved to personal Dropbox leave corporate control. DLP integrated with MAM addresses this by preventing corporate data from being opened in or shared with non-managed applications. The container model is the technical enforcement: corporate apps can only share data with other corporate apps within the managed container, not with personal apps outside it.
GPS tracking and remote location: MDM can use the device's GPS to track location. For company-owned devices this is standard practice — enabling recovery of lost/stolen devices and enforcement of geofencing policies. For BYOD devices, GPS tracking raises significant privacy concerns and should be disclosed clearly in the BYOD policy and employee agreement. Some MDM platforms allow location tracking to be disabled for BYOD while still enforcing security policies on managed apps.