Mobile Security Capabilities: MDM & MAM

Olivia Holmes

About Olivia Holmes

Olivia is the editor of "The MAM Blog," producer of the "Life in the Mobile Enterprise" podcast, and inbound marketing analyst at Apperian.

View all posts from Olivia Holmes

Security at its core means considering all possible attack vectors, assessing the risks that an organization is exposed to and determining how to address them.

In the mobile world, smartphones, tablets, and the technology that enables them, continue to mature and grow in use, but the same can be said for the threats that leverage mobile as their attack vector. Because of this, security measures that protect end-users and organizations that depend on these technologies must continue to evolve.

This week on the Life in the Mobile Enterprise (LiME) podcast, Harvey Morrison, SVP of Public Sector at Apperian, and Chris Hazelton, Director of Product Marketing and Strategy at Apperian, join me for a deep dive into mobile security.

Listen in as we discuss how mobile security has evolved, the different security capabilities of MDM versus MAM, and the security protocols that organizations in highly regulated settings such as the public sector, healthcare and financial services, are using to ensure the highest level of security.

Download “The Complete Guide to Mobile Security” for an overview of today’s enterprise mobile security landscape, and specific recommendations for creating an extensible and scalable mobile security strategy.


Email feedback to

Over the past five years or so, we’ve reached a point where everybody has nearly unlimited data with their mobile service plans, whether those are corporate-liable or personal-liable phones. For IT organizations, the mission is knowing what corporate data resides on those devices and how to secure it.

Initially, that concern was focused on email and the main tool for managing mobile security was mobile device management (MDM). MDM is still an effective approach for setting up mobile devices, managing mobile email, and access points for devices. But when it comes to enabling the use of mobile apps within the enterprise or public sector and providing the highest level of mobile security with policies and management at the application level, that’s where MDM falls short.

Many of our customers have MDM but chose to implement a standalone mobile application management (MAM) solution alongside to overcome the limitations of MDM.

MDM versus MAM Mobile Security Capabilities

One of the limitations is that MDM requires a profile be installed on the devices being managed. This works fine in the case of company-issued mobile devices but becomes a challenge with BYOD users, contractors, and business partners, who either do not want to enroll their devices or already have their device enrolled via another MDM.

Let’s say a federal agency wants to share an app with state and local government and first responders. In most cases those devices are controlled by a variety of different MDM systems and because there can only be one profile installed on each device, distributing the app can become a real issue. Organizations then have to determine which MDM system is in control of the devices and whether the other organizations will let their end users enroll in that MDM.

Another challenge is the security gap around data and apps that are being managed by MDM. While MDM does a good job of protecting the device, the sensitive data is in the apps and organizations need fine-grained security policies that are focused at the app and data level. This is where MAM comes into play and while many MDM vendors offer some MAM capabilities, to leverage that functionality and distribute policy-enabled mobile apps, the device must be enrolled in MDM.

Standalone mobile application management (MAM) can be used with or without MDM, to allow IT administrators to manage the corporate footprint that resides on a device – corporate apps and data– with security and management policies.

Even before an app has been installed on a device, administrators can use MAM to inspect an application and make sure there isn’t any malicious malware, trojans, or weak coding that may create openings for security breaches. Then, before app is pushed out to a broader audience, IT can use MAM to wrap the app with policies including:

  • SSO Integration
  • DAR Encryption
  • App-Level VPN
  • App Expiration
  • Copy/paste protection
  • Data wipe
  • Self-Updating apps

Government Level Mobile Security

The government has pushed mobile security to the next level with two key protocols for securing apps and data. First, National Institute of Standards and Technology (NIST) requires that all mobile apps need to have some form of two-factor authentication. This means employees at the federal level must use their Common Access Cards (CAC) along with their personally-identifiable credentials to in order to obtain access to mobile apps. Secondly, NIST is exploring the use of derived credentials, a means of storing a personal identifier in a mobile device itself and not on a Common Access Card so that users don’t have to carry around a card to be able to gain access to an app.

When it comes to ensuring mobile security, organizations must consider all possible attack vectors, assess the risks they are exposed to, and determining how to address them. While securing and locking down the device might be requirement, policies that provide data protection at the app level with MAM is necessary in order to close the security gap that MDM exposes.

The following table compares MDM and MAM policies and their relative security value:

MAM vs MDM Security

For more details download the newly published, Complete Guide to Mobile Security below.

The CompleteGuidetoMobileSecurity_171w
Learn how to use mobile application management, standalone or alongside mobile device management, to deliver the highest level of mobile security.
The Complete Guide to Mobile Security