We value your privacy

We use cookies to enhance your browsing experience and analyze traffic anonymously for internal statistical purposes. By clicking “Accept all,” you consent to the use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Cookie
    cookieyes-consent
  • Duration
    1 year
  • Description

    CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about site visitors.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

  • Cookie
    language
  • Duration
    1 anno
  • Description

    This cookie is used to store the user's language preference.

  • Cookie
    post_viewed_
  • Duration
    1 ora
  • Description

    This cookie prevents a single visit to an article from being counted multiple times when the page is refreshed.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

  • Cookie
    _ga_*
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to count visitors to the page

  • Cookie
    _ga
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to calculate visitor, session, and campaign data and track site usage for site analytic reporting. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Guides

Mobile Device Management: security & control for IT teams

Discover how Mobile Device Management (MDM) enhances security, manages corporate data, and simplifies IT administration for mobile devices in the enterprise. 

La Gestione dei Dispositivi Mobili

14 April 2025

Table of contents

  • What is Mobile Device Management (MDM)? 
  • How Mobile Device Management works 
  • MDM for Android vs. Apple devices 
  • MDM and BYOD: security and flexibility 
  • MDM for remote workforces 
  • Choosing the right mobile device management software 

What is Mobile Device Management (MDM)? 

As businesses increasingly rely on mobile devices, managing security, compliance, and data access has become a top priority for IT teams. Mobile Device Management (MDM) is a set of technologies and policies that enable organizations to control, secure, and enforce policies on mobile devices such as smartphones, tablets, and laptops. 

MDM solutions provide over-the-air management capabilities, allowing IT teams to remotely configure settings, deploy applications, and ensure compliance with corporate policies. While often confused with Enterprise Mobility Management (EMM) and Unified Endpoint Management (UEM), MDM focuses specifically on managing mobile devices rather than a broader range of endpoints like desktops or IoT devices. 

With the rise of BYOD (Bring Your Own Device) policies and remote work, MDM software plays a crucial for protecting corporate data without compromising employee productivity.

How Mobile Device Management works 

A Mobile Device Management (MDM) system enables IT administrators to control, secure, and manage enterprise devices through a centralized platform. The system consists of two main components: 

  • An MDM server, which acts as the central hub for configuring, managing, and monitoring devices. 
  • An MDM client app, installed on each device, which enforces the policies set by the server and executes its commands. 

With over-the-air (OTA) management, businesses can remotely configure and update devices without requiring manual intervention. Let’s explore the key functionalities with practical examples and code snippets. 

Device enrollment and user authentication 

The first step in any MDM solution is enrolling devices to link them to the enterprise network. Enrollment can be done in three ways: 

  • Manual enrollment
    Users enter their corporate credentials to connect the device to the MDM system. 
  • Automated enrollment
    Corporate-owned devices come preconfigured with an MDM profile, which activates upon first boot. 
  • Zero-Touch Enrollment
    Solutions like Apple Business Manager (ABM) and Android Enterprise allow devices to enroll automatically without user intervention. 

Example: registering a device using an MDM API (python) 

Many MDM solutions provide REST APIs for managing devices. Below is a Python example of registering a device with an MDM server: 

python 

import requests 

# MDM server API endpoint 

url = "https://api.mdmserver.com/register" 

# Device details 

device_data = { 

    "device_id": "123456789", 

    "user": "john.doe@company.com", 

    "device_type": "Android", 

    "os_version": "13", 

    "serial_number": "SN12345XYZ" 

} 

# API request to register the device 

response = requests.post(url, json=device_data, headers={"Authorization": "Bearer API_KEY"}) 

# Check response 

if response.status_code == 201: 

    print("Device successfully registered!") 

else: 

    print(f"Registration failed: {response.text}")

Managing installed applications 

A key feature of MDM solutions is controlling the applications installed on corporate devices. IT administrators can: 

  • Enforce installation of corporate-approved apps (e.g., Microsoft Teams, internal enterprise apps). 
  • Block unauthorized apps (e.g., social media, games). 
  • Prevent the removal of critical applications required for work. 

Example: blocking apps on Android enterprise 

With Android Enterprise, IT administrators can use JSON policies to create an app blacklist

json 

{ 

  "applications": [ 

    { 

      "packageName": "com.whatsapp", 

      "installType": "BLOCKED" 

    }, 

    { 

      "packageName": "com.instagram.android", 

      "installType": "BLOCKED" 

    }, 

    { 

      "packageName": "com.microsoft.teams", 

      "installType": "FORCED" 

    } 

  ] 

}

Enforcing security policies 

An MDM system can implement security policies such as: 

  • Mandatory device encryption
  • Two-factor authentication (2FA) for secure data access. 
  • Blocking unapproved network connections

Example: enforcing encryption on Android devices 

json 

{ 

  "policy": { 

    "encryptionRequired": true, 

    "passwordMinimumLength": 8, 

    "passwordRequireAlphanumeric": true, 

    "passwordExpirationTimeout": 30 

  } 

}

This policy ensures that all managed devices must be encrypted and use strong passwords with at least 8 alphanumeric characters

Remote lock and data wipe for lost or stolen devices 

If a device is lost or stolen, IT administrators can: 

  • Remotely lock the device to prevent unauthorized access. 
  • Perform a selective or full data wipe to remove sensitive corporate data. 
  • Trigger an alert or display a lock message. 

Example: remote wipe API call 

python 

import requests 

# MDM server API endpoint for remote wipe 

url = "https://api.mdmserver.com/wipe" 

# Wipe request payload 

wipe_data = { 

    "device_id": "123456789", 

    "wipe_type": "FULL"  # Options: FULL (entire device), WORK_PROFILE (only corporate data) 

} 

# API request to wipe the device remotely 

response = requests.post(url, json=wipe_data, headers={"Authorization": "Bearer API_KEY"}) 

if response.status_code == 200: 

    print("Device successfully wiped!") 

else: 

    print(f"Error during wipe: {response.text}")

Configuring Wi-Fi and VPN for secure connections 

To protect enterprise network connections, MDM solutions allow automatic configuration of Wi-Fi settings and VPN profiles on managed devices. 

Example: Wi-Fi configuration policy for managed devices 

json 

{ 

  "wifiConfig": { 

    "ssid": "CompanyNetwork", 

    "hidden": false, 

    "securityType": "WPA2", 

    "password": "SuperSecure123", 

    "autoJoin": true 

  } 

}

Example: VPN configuration for iOS with Apple MDM 

xml 

CopiaModifica 

<dict> 

    <key>PayloadType</key> 

    <string>com.apple.vpn.managed</string> 

    <key>VPNType</key> 

    <string>IKEv2</string> 

    <key>Server</key> 

    <string>vpn.company.com</string> 

    <key>AuthenticationMethod</key> 

    <string>Certificate</string> 

</dict>

These configurations are deployed over-the-air, ensuring that all employees use secure network connections

MDM for Android vs. Apple devices 

Both Android and Apple devices support MDM mobile device management, but there are differences in how they handle security and compliance: 

MDM Mobile Device Management Android

  • Offers deep customization, but security depends on device manufacturers. 
  • Supports Android Enterprise for better integration with corporate environments. 
  • Allows app management through Google Play Managed Distribution

MDM Mobile Device Management Apple 

  • Apple Business Manager provides built-in MDM support for iPhones, iPads, and Macs. 
  • Features supervised mode, which gives IT full control over corporate-owned devices. 
  • Supports zero-touch deployment for seamless device setup. 

Choosing the right MDM solutions depends on whether a company uses a BYOD approach or provides employees with corporate-owned devices. 

MDM and BYOD: security and flexibility 

The BYOD (Bring Your Own Device) model allows employees to use their personal devices for work, boosting productivity while also increasing security risks such as: 

  • Potential data leaks if a device is lost or stolen. 
  • Malware and cyber threats on unprotected devices. 
  • Unauthorized access to sensitive corporate information. 

An effective Mobile Device Management (MDM) solution helps organizations secure corporate data without violating employee privacy

Containerization: separating corporate and personal data 

Containerization is an MDM strategy that creates a secure, isolated workspace within a device, separating corporate data from personal files. 

Real-world example 
A company using Microsoft Intune can implement containerization for Android and iOS devices through App Protection Policies.

Which allows IT to: 

  • Secure corporate email accounts without affecting personal email. 
  • Prevent copy/paste between work and personal apps
  • Block saving corporate files to unauthorized cloud storage (e.g., Google Drive personal account)

Microsoft Intune JSON Configuration (Restricting Copy/Paste to Work Apps Only) 

 

json 

{ 

  "dataProtection": { 

    "copyPasteBetweenApps": "policyManagedApps", 

    "saveToPersonalStorage": "block", 

    "restrictClipboardSharing": "block" 

  } 

}

With this policy, users can access corporate data on their personal devices but cannot transfer sensitive information outside the secure MDM environment

Selective wipe: removing only corporate data 

One major employee concern in a BYOD environment is the fear that IT might delete all personal data if they leave the company. 

With Selective Wipe, MDM allows IT administrators to erase only corporate data, leaving personal files, apps, and settings untouched. 

Real-world example
A departing employee can keep his or her smartphone with all photos, personal emails, and apps, while IT selectively wipes to remove:

  • Corporate email accounts
  • Enterprise-managed applications
  • Work-related files stored in the corporate container

API example: triggering a selective wipe via an MDM server 

python 

import requests 

# MDM server API endpoint for selective wipe 

url = "https://api.mdmserver.com/wipe" 

# Wipe request payload 

wipe_data = { 

    "device_id": "987654321", 

    "wipe_type": "WORK_PROFILE"  # Options: FULL (entire device), WORK_PROFILE (only corporate data) 

} 

# API request to perform selective wipe 

response = requests.post(url, json=wipe_data, headers={"Authorization": "Bearer API_KEY"}) 

if response.status_code == 200: 

    print("Corporate data successfully wiped!") 

else: 

    print(f"Error during wipe: {response.text}")

This ensures that only corporate data is removed, allowing employees to retain their personal apps, photos, and messages. 

Application whitelisting: controlling app access to corporate data 

Companies cannot restrict which personal apps employees install on their devices, but they can limit corporate data access to approved apps only using an application whitelist

Real-world example
A company might allow access to corporate data only through: 

  • Microsoft Outlook for email. 
  • Microsoft Teams for internal communication. 
  • Google Drive (corporate version) for document management. 

Block access to Gmail, WhatsApp, or personal cloud storage for security reasons

Android enterprise JSON configuration (whitelisting approved apps only) 

json 

{ 

  "applications": [ 

    { 

      "packageName": "com.microsoft.outlook", 

      "installType": "ALLOWED" 

    }, 

    { 

      "packageName": "com.microsoft.teams", 

      "installType": "ALLOWED" 

    }, 

    { 

      "packageName": "com.google.android.apps.docs", 

      "installType": "ALLOWED" 

    } 

  ] 

}

This ensures that only authorized apps can access corporate data, while all others remain isolated. 

MDM for remote workforces 

The rise of remote work has significantly increased the complexity of IT security. Without the protection of corporate networks, businesses must ensure that corporate data remains secure on devices that are outside the office environment. 

Without a physical enterprise network to protect devices, it is critical to implement solutions that ensure:

  • Ensuring secure access to corporate resources from remote locations. 
  • Managing and updating devices remotely, without requiring physical access. 
  • Monitoring compliance to prevent security breaches and unauthorized access. 

With a well-implemented MDM (Mobile Device Management) software, IT administrators can effectively protect company assets while maintaining flexibility for employees. 

Remote Device Management via Over-the-Air (OTA) updates 

One of the biggest advantages of MDM solutions is the ability to distribute updates and configurations over-the-air (OTA), eliminating the need for physical device access. 

What can be done with OTA? 

  • Upgrade operating systems to patch security vulnerabilities. 
  • Apply new security policies without disrupting employee workflow. 
  • Deploy security patches to protect against malware and cyber threats. 
  • Install or remove business applications remotely. 

Example: remotely updating an Android device via API 

python 

import requests 

# API endpoint for OTA updates 

url = "https://api.mdmserver.com/update" 

# Update payload 

update_payload = { 

    "device_id": "123456789", 

    "os_update": "14.0", 

    "patch_security_level": "2024-03-01" 

} 

# API request to initiate OTA update 

response = requests.post(url, json=update_payload, headers={"Authorization": "Bearer API_KEY"}) 

if response.status_code == 200: 

    print("OTA update successfully initiated!") 

else: 

    print(f"Update failed: {response.text}")

With this approach, IT teams can ensure all managed devices remain up-to-date and secure, reducing the risk of exploitation by cybercriminals. 

Configuring VPN and secure Wi-Fi for protected data access 

One of the biggest security risks in remote work is the use of unsecured public or home Wi-Fi networks, which can expose corporate data to cyber threats such as man-in-the-middle (MITM) attacks. 

To mitigate these risks, MDM solutions enable IT administrators to: 

  • Automatically configure corporate VPN connections to ensure secure remote access. 
  • Set security policies for Wi-Fi, preventing the use of untrusted networks. 
  • Enforce VPN-only access to corporate data, blocking unprotected network connections. 

Example: automatic VPN configuration via MDM 

json 

{ 

  "vpnConfig": { 

    "vpnType": "IKEv2", 

    "serverAddress": "vpn.company.com", 

    "authenticationMethod": "Certificate", 

    "forceTunnel": true 

  } 

}

This ensures that every managed device automatically connects to the corporate VPN, preventing employees from accessing business resources through insecure networks. 

Compliance monitoring to prevent security breaches 

One of the most critical functions of an MDM mobile device management software is continuous security compliance monitoring to detect and block potential threats. 

IT administrators can set rules to ensure that devices comply with corporate policies, for example:

  • Detect and block rooted or jailbroken devices, preventing unauthorized access. 
  • Identify malware or unauthorized applications and quarantine affected devices. 
  • Monitor network connections to detect suspicious activity. 

Example: blocking a non-compliant device via API 

python 

import requests 

# API endpoint for compliance check 

url = "https://api.mdmserver.com/check_compliance" 

# Device data 

device_data = { 

    "device_id": "987654321", 

    "root_status": True,  # Indicates if the device has been rooted 

    "malware_detected": False 

} 

# API request for compliance verification 

response = requests.post(url, json=device_data, headers={"Authorization": "Bearer API_KEY"}) 

# If the device is non-compliant, block it immediately 

if response.json().get("compliance_status") == "non_compliant": 

    block_url = "https://api.mdmserver.com/block_device" 

    block_response = requests.post(block_url, json={"device_id": "987654321"}, headers={"Authorization": "Bearer API_KEY"}) 

    if block_response.status_code == 200: 

        print("Non-compliant device successfully blocked!") 

    else: 

        print("Error blocking device.")

By implementing compliance enforcement, IT teams can immediately lock down compromised devices, preventing unauthorized access to corporate data

Choosing the right mobile device management software 

There are several MDM solutions available, ranging from cloud-based services to on-premise deployments. When selecting an MDM software, businesses should consider: 

  • Scalability
    Can it support a growing workforce and a variety of devices? 
  • Security features
    Does it offer encryption, remote wiping, and threat detection? 
  • Ease of use
    How simple is it for IT administrators to deploy and manage devices? 
  • Integration
    Does it work with existing IT infrastructure, such as Active Directory or Microsoft Intune

Some popular mobile device management software providers include Microsoft Intune, VMware Workspace ONE, Jamf Pro (for Apple devices), and Google Endpoint Management

Conclusion

With the increasing reliance on mobile devices in the workplace, MDM solutions are essential for ensuring security, compliance, and productivity. Whether managing company-owned devices or securing a BYOD environment, businesses need a robust MDM strategy to protect corporate data and streamline IT operations. 

As cyber threats evolve, implementing MDM mobile device management is no longer optional—it’s a necessity for organizations that want to stay secure in a mobile-first world. 

Questions and answers

  1. What is Mobile Device Management (MDM)? 
    MDM is a security and management solution that allows businesses to control, monitor, and secure mobile devicesused by employees. 
  2. How does MDM work? 
    MDM uses a central server and client software installed on devices to enforce security policies, install apps, and monitor compliance. 
  3. What are the benefits of using MDM? 
    MDM improves device security, protects corporate data, enables remote device management, and enhances IT efficiency. 
  4. Can MDM manage personal devices? 
    Yes, MDM can manage BYOD devices by separating personal and work data to protect employee privacy. 
  5. What’s the difference between MDM, EMM, and UEM? 
    MDM focuses on mobile devices, EMM includes app and content management, and UEM extends management to desktops and IoT devices. 
  6. Is MDM compatible with both Android and Apple devices? 
    Yes, MDM mobile device management Android supports Android Enterprise, while MDM mobile device management Apple integrates with Apple Business Manager. 
  7. Can MDM track employee locations? 
    Yes, some MDM solutions offer location tracking, but it depends on company policies and local regulations. 
  8. How does MDM handle lost or stolen devices? 
    MDM allows IT teams to remotely wipe or lock lost devices to protect sensitive data. 
  9. Is MDM software cloud-based or on-premise? 
    MDM can be deployed on-premise or as a cloud-based solution, depending on business needs. 
  10. What are some leading MDM providers? 
    Popular MDM software includes Microsoft Intune, VMware Workspace ONE, Jamf Pro, and Google Endpoint Management. 
3
To top