Security tools inherently introduce some friction into workflows. However, too much friction can impede employee productivity to such a degree that the broader organization suffers. Historically, this has created a dilemma for CISOs, who struggle with finding the right balance between security and productivity.
Mobile Device Management (MDM) solutions are a classic example of this tension between security, productivity, and user experience. For years, MDMs have been all but ubiquitous in corporate cybersecurity, and they’ve become somewhat infamous for their disruptive approach to enforcing policy. This reputation has led many companies to consider alternative or supplementary solutions for device security. Among the most prominent is a category of solutions called device trust.
Device trust solutions ensure that a device is both known (enrolled and tied to a specific user) and in a secure state before it can authenticate to company resources like SaaS apps. MDM and device trust differ significantly – MDM enforces configuration on the device itself but plays no part in authentication – but both enforce device security for end-users.
For teams considering device trust as an option to replace or complement their existing MDM solution, this article will compare the relative experiences of using MDM and device trust. A key focus will be the admin user experience, since the difficulty of deploying and managing security solutions directly affects the productivity of IT and security teams, and the success of the solution overall.
Since 1Password offers a device trust product (1Password® Device Trust, part of the 1Password® Extended Access Management platform), this article will occasionally use it as an example.
MDM inhibits end-user productivity
Security solutions need to work on a cultural and technical level. End-users want to be productive, and that requires control and agency over their individual workflows. Tools that frustrate or antagonize users are likely to invite employee pushback, or even drive them toward workarounds like shadow IT. As such, security’s impact on end-user workflows is a critical element to consider in securing employee adoption and support for security programs.
MDM disrupts workflows
MDMs have a well-known tendency to frustrate end-users, as they force device compliance with little regard for employee productivity or agency. In the case of OS updates, for instance, MDM remotely pushes the update to end-users, and then forcibly restarts their devices to install them. This can be immensely disruptive, and even lead to data loss.
MDM’s brute-force approach can also get in the way of users – especially more technical users – doing their jobs. For instance, an engineer might need to temporarily disable their firewall in order to run tests. MDM doesn’t give them that option; it works by graying out checkboxes and limiting a user’s agency over a device.
This reputation for disruption and annoyance often incites resistance from employees when companies roll out MDM. This can result in an uneven and lengthy deployment.
Because of these user-experience drawbacks, MDMs very often have long exemption lists populated with executives who don’t want to deal with them. A 2023 survey shows that executives and managers are most likely to use unmanaged devices to access company resources, often to get around obstructive security policies.
A 2022 report published by HAL Open Science summarized the issue: “Studies have indicated that MDM adoption varies among levels and roles of the employees, and successful implementation is influenced by the perceptions of the fairness of the decisions.”
Device trust enables productivity without compromising security
Unlike MDM, device trust solutions give admins and users more options than auto-blocking or auto-updating, letting them better account for the nuances of user workflows.
When 1Password Device Trust’s agent detects an issue, the menubar app:
- Proactively notifies users of the issue
- Gives them detailed instructions on how to fix that issue
- Tells them how long they have to remediate the problem before they’ll be blocked from authenticating
For instance, if the firewall is disabled on a device, its user will be told how to turn it back on and given a deadline to do so. After that deadline, they’ll be blocked from authenticating. But until then, users have the flexibility to remediate the problem on their own time, or to run needed tests before enabling it again.
This approach greatly reduces some of the frustrations that make MDM so unpopular among users, allowing them to stay productive while keeping their devices secure.
Deployment
In addition to the aforementioned resistance from end-users, teams need to consider the relative technical complexities and dependencies involved for admins deploying these security solutions across their organization.
MDM deployment is often uneven
Deploying MDMs on company-owned devices before they are given to end-users is fairly simple. Part of this is due to the sheer ubiquity of MDM solutions; OS vendors make it particularly easy to ship devices that are already enrolled in an MDM.
For instance, Apple offers Automated Device Enrollment through Apple Business Manager (and its own MDM, Apple Business Essentials), and Microsoft offers Windows Autopilot alongside Intune. These let IT ensure that certain security features – like each OS’s built-in antivirus or disk encryption (FileVault on macOS, BitLocker on Windows) – are enabled by default, and pre-configure each device before it’s sent out to an employee.
Remote deployment is also possible, and most MDM companies provide various options for automatic, manual, self-guided, or even bulk enrollment. But these options are more complex, or may be dependent on other services from the vendor. Either way, enrollment issues are quite common, and at the end of the day, security and IT teams may still not be entirely certain that every device is enrolled and the MDM is working properly.
Device trust requires IdP integration
When it comes to deploying device trust, leadership and admins are likely to lack the familiarity they have with MDM.
Furthermore, device trust only works when it can gate authentication, so it must integrate with the company’s identity provider (IdP). 1Password Device Trust does this by integrating with SSO providers like Okta.
This dependency is common across the device trust category. For instance, many other device trust solutions, like Okta’s and Cisco’s, come bundled with those vendors’ other identity and access management products. They may require further integrations as well; many of Okta’s device trust capabilities require that devices already have an MDM installed as a prerequisite.
These dependencies can introduce challenges, but for companies with the necessary infrastructure, device trust is otherwise straightforward to roll out. 1Password Device Trust offers a simple self-enrollment flow for end-users, although many teams use their existing MDM solutions to automatically push the agent to managed devices.
Administration
Endpoint security can only succeed if it serves the needs of administrators. One goal of both MDM and device trust is to give admins some ability to automate the enforcement of security policies across their whole fleet.
On the administrative side, however, MDM and device trust have significant differences in terms of the amount of work needed to manage them.
MDM introduces complexity
MDMs tend to have fairly limited telemetry and insight into device health, which means that they have limited capabilities for vulnerability management. Expanding those capabilities – for instance, in the case of a new software vulnerability that needs urgent patching – can represent a significant challenge for admins, who have to write and push out custom shell scripts to oversee critical aspects of their fleet.
A 2022 survey from Samsung Business Insights revealed some telling statistics related to MDM usage. “For more than half of the companies in our survey (53%), management of mobile devices is outsourced (either fully or in part).”
They also pointed out that smaller organizations are more likely to outsource mobile device management, “…likely because they do not have the internal IT expertise to manage and secure devices.”
Managing MDM can be challenging and resource intensive. Furthermore, its rigid enforcement and disruptive policies often lead to an uptick in help desk tickets, as users seek exemptions or assistance navigating its complexities.
Device trust reduces admin burdens
It would be an oversimplification to say that device trust solutions are inherently easier to maintain than MDMs, but they certainly can be.
At a minimum, device trust tends to be able to provide more detailed insights into devices, including the ability to detect and block unapproved or outdated software. 1Password Device Trust also has built-in capabilities for admins to add custom Checks to monitor specific vulnerabilities, without the difficulty of designing shell scripts for MDM.
However, the major differentiator in the overall admin burden is in how a device trust solution handles end-user blocking, and how severely it impedes the productivity of end-users and IT admins.
Many device trust solutions simply block authentication and then direct users to IT in order to get unblocked. As with MDM, this can lead to mountains of support tickets when frustrated users are locked out of their applications.
However, certain device trust solutions – including 1Password Device Trust – offer end-user remediation, which provides users with instructions to solve issues themselves. This substantially lightens the burden on admins, as users can resolve problems without the need for IT support.
Teams interested in end-user remediation should be sure to examine the specifics of how different device trust solutions achieve it. Many only offer self-remediation instructions for specific issues, or provide limited detail in their remediation instructions, which limits their usefulness. In other words, self-remediation is only effective insofar as it is deeply built into a solution, and not merely treated as an afterthought.
1Password Device Trust writes end-user remediation instructions for all pre-built Checks and requires them for custom Checks. This helps reduce the number of IT support tickets, since employees have agency over their devices and workflows and are never locked out without warning.
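As an added illustration of the warn-then-block flow described in the menubar section above, and of the rule that every Check, pre-built or custom, carries remediation text, here is a small posture-evaluation loop. This is example code written for this article, not 1Password Device Trust’s agent or its Check format; the check names, grace periods, device facts and timestamps are all constructed, and the evaluation is run against a plain dictionary rather than real device telemetry.

```python
"""Device posture checks with a remediation grace window (illustrative, not
1Password's code).  A failing check first warns the user with instructions
and a deadline; authentication is only blocked once the deadline passes."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Check:
    name: str
    passes: Callable[[dict], bool]   # evaluates constructed device facts
    remediation: str                 # shown to the user; must not be empty
    grace: timedelta                 # time allowed before auth is blocked

    def __post_init__(self) -> None:
        # Mirror the policy that custom checks require remediation text.
        if not self.remediation.strip():
            raise ValueError(f"check {self.name!r} needs remediation text")


def version_tuple(v: str) -> tuple:
    """'124.0.6367' -> (124, 0, 6367) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Hypothetical checks; grace periods are chosen for the example only.
CHECKS = [
    Check("firewall_enabled", lambda d: d["firewall_enabled"],
          "Open System Settings > Network > Firewall and turn it on.",
          timedelta(hours=24)),
    Check("browser_up_to_date",
          lambda d: version_tuple(d["browser_version"])
          >= version_tuple(d["browser_min_version"]),
          "Update your browser from its About page, then relaunch it.",
          timedelta(days=3)),
    Check("disk_encrypted", lambda d: d["disk_encrypted"],
          "Turn on full-disk encryption (FileVault or BitLocker).",
          timedelta(0)),   # zero grace: block immediately
]


@dataclass
class Finding:
    check: str
    remediation: str
    first_seen: datetime
    deadline: datetime


def evaluate(device: dict, now: datetime, state: dict) -> tuple:
    """Return ('allow' | 'warn' | 'block', findings).

    `state` maps check name -> first time it was seen failing; the caller
    persists it between runs so the deadline does not reset on every check."""
    findings = []
    for chk in CHECKS:
        if chk.passes(device):
            state.pop(chk.name, None)          # fixed: forget the deadline
            continue
        first = state.setdefault(chk.name, now)
        findings.append(Finding(chk.name, chk.remediation, first, first + chk.grace))
    if not findings:
        return "allow", findings
    if any(f.deadline <= now for f in findings):
        return "block", findings
    return "warn", findings


def hours_remaining(findings: list, now: datetime) -> Optional[float]:
    """Hours until the earliest deadline (negative once it has passed)."""
    if not findings:
        return None
    return min((f.deadline - now).total_seconds() / 3600 for f in findings)


def demo() -> list:
    """Walk one constructed device through warn -> block -> allow."""
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    device = {"firewall_enabled": False, "disk_encrypted": True,
              "browser_version": "124.0.6367", "browser_min_version": "124.0.6367"}
    state: dict = {}
    out = []
    for hours, fix in ((0, False), (25, False), (26, True)):
        if fix:
            device["firewall_enabled"] = True     # user remediated on their own
        now = t0 + timedelta(hours=hours)
        decision, findings = evaluate(device, now, state)
        out.append((decision, hours_remaining(findings, now)))
    return out


if __name__ == "__main__":
    for decision, remaining in demo():
        print(decision, remaining)
```

The first run only warns and reports a 24-hour deadline; at hour 25 the same unresolved finding blocks; once the user turns the firewall back on, the device is allowed and its recorded deadline is dropped. Checks with a zero grace period, such as the disk-encryption one here, block on the first failing run, which is where an admin would put findings too severe to defer.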
The end-user experience is critical to security and productivity
Security, by its very nature, requires friction. The key variable, however, is the level of control that IT and security teams have over how that friction is applied.
With solutions like MDM, blunt automations like forced restarts are applied flatly to resolve any perceived risk. These brute-force methods are justified in some cases – an actively exploited browser vulnerability may warrant forcing the update immediately – but security is complex. There are important nuances to consider in resolving an issue, depending on the user, the device, and the level of risk. For instance, the risk of an employee waiting until the end of a workday to install a routine browser update is almost certainly less than the harm done if that browser restarts in the middle of a presentation.
In balancing the scales between security and productivity, the end-user experience is a critical factor to consider. Thankfully, teams now have access to solutions that allow them to better account for the needs of their people – users and admins alike.
Want to learn even more about the relative abilities and limitations of MDM and device trust solutions? Read 1Password’s complete ebook, “Why MDM isn’t enough for device security.”