Picture this: It's 2 AM, and your phone is buzzing with alerts. One of your retail kiosks has been compromised, and customer payment data is potentially exposed. You have six missed calls from your CEO. Legal is freaking out about compliance implications. And you're realizing that the mobile device management (MDM) software you trusted to lock down those devices failed when you needed it most.
This isn't a hypothetical nightmare — it's a $4.35 million reality for companies hit by the average cybersecurity breach. When you're managing fleets of dedicated devices — from point-of-sale systems to digital signage to employee tablets — your MDM security isn't just about device management. It's about protecting your business, your customers, and let’s be honest, your career.
The challenge? Most MDM solutions were built for smartphones and bring-your-own-device (BYOD) scenarios, not the specialized security needs of dedicated enterprise devices. Your kiosk security requirements are different from someone's personal iPhone. Your POS system faces different threats than a tablet in a conference room. And if your MDM doesn't account for these differences, you've got the wrong tool for the job.
6-Question Litmus Test: Is Your MDM Actually Protecting You?
Real talk: mobile security risks aren't one-size-fits-all. But if your company gets hit by hackers, your customers won't care that their data was compromised due to inadequate MDM features. The same goes for regulatory agencies. If your firm is subject to HIPAA, CCPA, GDPR, or other data privacy frameworks, security incidents breach compliance and trust, and can be extremely costly.
The following 6 questions are a litmus test to determine whether your MDM security is risky and vulnerable to cyberattacks:
- Unauthorized use: Can your employees or customers use your devices to access unauthorized websites, apps, or settings?
- Downtime: Are you losing money, productivity, or customers due to device or app performance issues?
- Manual provisioning: Is your IT team manually configuring and deploying each device?
- Device compatibility: Does your MDM work with all your different device hardware, such as kiosks, point of sale systems, digital signage, etc.?
- Device lockdown: Are you able to assess threats — insider abuse, tampering, theft, network security issues, and malware — and remotely lock the device down if necessary?
- Updates: Are your devices up to date on security and OS patches?
Self-Assessment: The MDM Security Checklist
Think of MDM security like securing a fortress. A moat and drawbridge make a great first line of defense, but they're useless if attackers scale the walls. You need multiple defensive layers working together — each layer catches what the others might miss, and they all need to match your specific use case and risk profile.
A full MDM cybersecurity assessment should examine each of the six layers below to understand the greater picture of risk. These six critical security layers cover the 36 most important vulnerabilities in dedicated device deployments. We also have an abridged version of the MDM Security Checklist available for download.
Get these layers right, and you'll have the kind of defense-in-depth approach that actually stops attacks before they become breaches.
- Layer 1: Cloud Platform Security
- Layer 2: Device Hardware Security
- Layer 3: Network Security
- Layer 4: App Security
- Layer 5: Alerts and Remediation
- Layer 6: Secure User Experience
Let's walk through each layer and the individual points to check within them.
Layer 1: Cloud platform security
Your MDM console is ground zero for effective mobile security. Your MDM admin portal should make it easy to provision, deploy, and manage devices according to policy and determine which users can read and write device policies.
Usability is a key factor for cloud MDM security. So is data integrity. You need to be able to trust that your MDM will deliver timely alerts and a complete audit trail. When inspecting your MDM’s cloud console for potential security vulnerabilities, consider:
- Ease of use: How simple is the console to use? Confusing software can lead to security blind spots.
- Secure cloud gateway: Is there a policy in place to ensure your MDM portal is secure?
- Data integrity: Is all data consistently secured, stored, and protected against potential modification?
- Accessible device security information: Do you know which security policies are applied to a given device, or can your MDM show that information?
- Intelligent event feeds: Are the event feeds easy to find and understand?
Layer 2: Device hardware security
Device hardware security matters, especially for today’s enterprise fleets. Most MDMs are built to accommodate smartphones and tablets, but far fewer offer compatibility with POS, kiosks, ruggedized devices, smart fitness equipment, telehealth devices, and other dedicated devices with complex security considerations.
A careful approach to hardware procurement is critical for device security. This process should assess whether the given hardware is compatible with your MDM. Device interoperability and updates aren’t the whole scope of hardware security, but they’re important measures of MDM strength.
When assessing your current (or future) MDM, you should ask whether it will:
- Support current and future fleet device types and use cases: You may only have a few POS tablets right now, but what if you want to add self-ordering kiosks in the future? If your MDM doesn’t support this, it hinders growth by forcing you to buy another solution (or migrate).
- Offer interoperability with your devices: Will your new self-ordering kiosk work in tandem with your frontline POS system? Will that new handheld scanner communicate back to your inventory management system? Devices should work together to streamline processes and make your life easier.
- Simplify device updates: Let’s be honest here — the easier something is, the more likely you’ll do it. Security updates are absolutely crucial, so updating devices shouldn’t be a chore.
- Offer validated hardware: Does your MDM offer hardware validation so you can be certain the device you’re about to buy will work flawlessly?
Layer 3: Network security
Mobile devices are only as secure as the weakest layer. For instance, a secure mobile device on a compromised Wi-Fi network can still leak sensitive data. Network security matters, even if your dedicated devices aren’t intended to be used over public Wi-Fi networks.
Dedicated devices are generally deployed on a secure corporate network, but not always. An MDM needs to support Wi-Fi security for dedicated devices that hit the road with employees or customers. Network security policies should also protect the enterprise in worst-case scenarios, like a stolen device that’s taken off the premises and exposed to compromised Wi-Fi.
Any solid MDM should simplify robust network security by including these key features and capabilities:
- Limit Wi-Fi connectivity to trusted networks: Open networks are vulnerable networks. Your mission-critical devices should never connect to unsecured Wi-Fi points.
- Detect Wi-Fi network changes: If a device changes Wi-Fi networks, the security team should know about it.
- Lock mobile devices if they leave the network: Remote locking should be an option if a device travels outside the network or otherwise disconnects.
- Wipe lost or stolen mobile devices: Similarly, if a device “walks off,” a remote factory reset should be available, either manually or automatically.
- Block user access to Wi-Fi and data settings: Device users — whether customers or employees — shouldn’t be able to change network credentials or other data without explicit permission.
- Identify unusual data patterns: Monitoring data usage patterns is a good way to quickly find out if a device is misbehaving. Can your MDM do that?
Layer 4: App security
Over 11% of mobile apps downloaded from the Google Play Store contain hidden cybersecurity risks, according to an academic study of 150,000 apps. Researchers found that over 12,000 Play Store apps had signs of a mobile backdoor, such as secret access keys or master passwords. On pre-installed bloatware apps, the percent compromised is closer to 16%.
Mobile apps from the official Play Store or unauthorized web sources may also contain “riskware”: apps whose extensive permission requirements compromise user privacy. Riskware apps are typically free and perform as promised, while covertly sharing the user’s personal data with a remote server.
Mobile apps can also introduce risk if they’re bloated with mobile ads. These ads can run continuously in the background and lead to issues like a drained battery, excessive 4G data consumption, or slow performance.
You can’t rely on most end users to carefully read app permissions before downloading. You also can’t trust Google Play Store apps by default. A good MDM will support top-down app management for the use case at hand, including restricting app and user permissions. Make sure your MDM allows you to:
- Remotely install and uninstall apps: You shouldn’t have to be on site to install or uninstall apps. This can (and should) be done remotely.
- Manage app versions: Does your MDM offer specific app version control? App updates are important, but some can introduce security risks. The ability to granularly control, deploy, and pull app versions helps maintain device security.
- Granular app deployment: At the same time, maintaining good app deployment hygiene prevents devices from running old, vulnerable versions of apps. You should be able to update apps across devices — either in groups or all at once.
- Support single-app kiosk mode or multi-app mode: Devices that are designed to run a single application (or even a selection of apps) should run in a kiosk mode that locks the app to the foreground in a way that cannot be bypassed.
- Monitor app behavior: Deep visibility into what apps are doing on your network — what data is being transmitted, for example — is a key component of good MDM security.
- Limit downloading to authorized apps only: App installation should be restricted not just on Google Play but also on all third-party app stores, the web, and beyond.
Layer 5: Alerts and remediation
Mobile security is dynamic. A secure kiosk or POS could quickly become a liability when any single device security factor changes. The key to avoiding threats is visibility, which allows you to see which negative changes are creating risk.
Intelligent alerts are critically important, but so is the ability to remotely respond to cybersecurity threats before a situation turns into a data breach. An MDM should offer an automated response, such as device lockdown, when geofencing data indicates a device is lost or stolen. To maintain strict security with alerts, you’ll want the following:
- Custom alerts and intelligent notifications: When something sketchy happens to any device in your fleet, you need to know ASAP. Alerts should automatically trigger when specific criteria are met, like a device disconnecting from Wi-Fi or rebooting.
- Device tracking and geofencing: Portable devices like tablets, handheld scanners, and smartphones should be able to track and automatically alert, lock, or erase themselves if they leave a geofenced area.
- Device lockdown: Remote lockdown for any device in your fleet ensures that you can secure it immediately — or better, automatically.
- Remote view and control: If you need to troubleshoot a device, you shouldn’t have to travel across the country (or even across town!) to do it. Remote viewing and control of dedicated devices ensures minimal downtime and maximal efficiency.
- Remote factory reset and erase: In a worst-case scenario, you want to be able to erase your gadgets instantly and from anywhere.
- Offline event triggers: If a device goes offline, you may want to execute specific actions to ensure device safety and data security, like locking the device as soon as it disconnects from the network.
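As an added example (not Esper's code or API), here is a small policy engine that turns the event triggers described in Layers 3 and 5 (Wi-Fi network change, geofence exit, going offline, reboot) into the alert, lock and wipe responses those layers call for. The policy fields, event kinds, coordinates and sample event feed are assumptions constructed for this illustration.

```python
import math
from dataclasses import dataclass
# Policy and event field names below are assumptions for this example, not an Esper API.
@dataclass(frozen=True)
class DevicePolicy:
    trusted_ssids: frozenset
    geofence_center: tuple        # (lat, lon) in degrees
    geofence_radius_m: float
    lock_when_offline: bool = True
    wipe_on_geofence_exit: bool = False

@dataclass(frozen=True)
class DeviceEvent:
    device_id: str
    kind: str                     # "wifi_change" | "location" | "offline" | "reboot"
    ssid: str = ""
    location: tuple = ()

def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))

def evaluate(policy, event):
    """Map one device event to an ordered list of remediation actions (alert, lock, wipe)."""
    actions = []
    if event.kind == "wifi_change":
        actions.append(f"alert:wifi_change:{event.ssid}")      # every network change is reported
        if event.ssid not in policy.trusted_ssids:             # an untrusted SSID also locks the device
            actions.append("lock")
    elif event.kind == "location":
        if distance_m(policy.geofence_center, event.location) > policy.geofence_radius_m:
            actions += ["alert:geofence_exit", "lock"] + (["wipe"] if policy.wipe_on_geofence_exit else [])
    elif event.kind == "offline":
        # The console cannot reach an offline device, so this lock has to be staged on-device in advance.
        actions += ["alert:offline"] + (["lock"] if policy.lock_when_offline else [])
    else:
        actions.append(f"alert:{event.kind}")                  # e.g. reboot: notify only
    return actions

STORE_POLICY = DevicePolicy(frozenset({"Store-Secure"}), (47.6062, -122.3321), 200.0)  # constructed sample
SAMPLE_FEED = [  # constructed sample feed, not real telemetry
    DeviceEvent("pos-1", "wifi_change", ssid="Store-Secure"),
    DeviceEvent("pos-1", "location", location=(47.6063, -122.3320)),     # inside the fence
    DeviceEvent("tablet-7", "wifi_change", ssid="Airport-Free"),
    DeviceEvent("tablet-7", "location", location=(47.6152, -122.3321)),  # about 1 km outside
    DeviceEvent("kiosk-3", "offline"),
]
```

Running `evaluate(STORE_POLICY, ev)` over `SAMPLE_FEED` leaves pos-1 with only an informational alert, while tablet-7 is locked twice over (untrusted network, then geofence exit) and kiosk-3 is locked by its offline trigger.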
Layer 6: Secure user experience
Many organizations struggle to set or enforce basic mobile cyber hygiene measures. For simplicity, many organizations either avoid using any sort of lock screen security or opt for a simple 4-digit PIN code instead of harder-to-crack alphabetic or alphanumeric codes.
Devices should protect your enterprise from authorized and unauthorized users, from unacceptable activities among employees and customers to device thieves and hackers. An MDM should support a customized user interface that’s built according to the principle of least privilege. This is the least amount of user access possible that doesn’t interfere with or degrade operational efficiency.
Your MDM should:
- Automatically load kiosk mode: If your device is running in kiosk mode, it should automatically launch when the device is powered on or rebooted. This prevents kiosk mode from being easily bypassed.
- Restrict calls and SMS messages: Unless your dedicated devices specifically require text messaging or telephony access, why allow it? It’s a security risk waiting to happen.
- Block access to settings: Access to settings means that settings can be changed. Blocking access to settings means that only authorized users can change settings.
- Hide notifications: Typically, there’s little to no reason to display notifications on dedicated devices, so the option to hide them is crucial. This blocks curious users from tapping into other apps or services by interacting with notifications, while also preventing annoying disruptions.
- Hide the status bar: In addition to hiding notifications, you can hide the entire status bar. This is especially useful on kiosks and other single-app use cases.
- Restrict camera access and screenshots: There's no reason to allow camera access unless you’re using the device camera to scan barcodes or QR codes. Likewise, screenshots should be exclusive to admins and authorized users only.
- Block local app installs: As mentioned above, app installation should only be allowed for authorized users.
- Block browser access: Unless your device relies on browser access to function (like a web-based check-in portal), allowing access to the browser is just asking for trouble. It's best to block it from the get-go.
- Block voice assistants: Voice assistants rarely have practical applications in dedicated device scenarios, and could potentially be used to waste mobile data or bypass other restrictions — a knowledgeable user could tell the Assistant to bring up the Settings menu, for example.
Don't Just Manage Devices — Defend Your Business
Here's what we've learned: mobile security risks vary depending on device type, industry, and most importantly, use case. MDM originated as a tool to protect enterprise data from users in BYOD (bring your own device) and COPE (company-owned/personally enabled) use cases. Today, it’s evolved to mean much more. Yet most MDM solutions still treat every device like it's someone's personal smartphone.
The MDM tools that worked five years ago aren't built for today's dedicated device security challenges. The threat landscape keeps evolving, and your security needs to evolve with it.
That means having an MDM that can adapt on the fly. One that lets you lock down a compromised device instantly, wipe and rebuild your entire fleet if needed, and automatically respond to threats before they become breaches. Most importantly, it means having visibility into what's actually happening across your devices so you can stay ahead of problems instead of just reacting to them.
Ready for MDM That Actually Gets Dedicated Devices?
Esper is the leading MDM platform specifically for dedicated enterprise devices — not retrofitted from consumer solutions, but purpose-built from the ground up. We give you rock-solid protection for the security layers we just walked through, plus all the deployment and management tools your team actually needs.
To see how Esper can transform your MDM security, book a demo with one of our experts. Still on the fence? Learn what sets our device management software apart here.
