MDM Integration Module

Overview

Mobile Device Management (MDM) systems are gaining rapid adoption among enterprises that wish to better manage the plethora of smartphones and tablet computers that are in common use by businesspeople. MDM systems can help IT security managers secure the sensitive corporate data that is frequently stored on such devices. However, MDM by itself is not a complete security solution for the following reasons:

  1. MDM systems can only see and manage devices that have already been enrolled in the MDM system. This leaves IT managers blind to unmanaged devices on the network.
  2. MDM systems typically do not control access to the network; they typically control access to applications (for example, Microsoft Exchange). Thus, MDM does not prevent unauthorized access to data on the network, nor does MDM prevent infected or compromised devices from attacking the network. IT security managers need the ability to control where mobile devices can go on the network, enforcing policies based on the device type, operating system, compliance status, owner of the device, and logged-in user of the device.
  3. MDM systems are often operated as another IT management silo, with another set of management screens, separate policies, and separate reports. Even worse, the MDM system is often managed by a different group of people than are responsible for computer security. This creates an opportunity for policies to be inconsistently applied and translated across the various IT management systems and groups.

The MDM Integration Module from ForeScout allows you to leverage your existing MDM solution within the broader context of unified security control that ForeScout CounterACT provides. The module links your MDM system to ForeScout CounterACT, bringing information about MDM-managed devices that are connected to the enterprise network to the CounterACT appliance, where it is displayed alongside information about unmanaged mobile devices and devices that are outside the scope of your MDM system (such as PCs). From the CounterACT console, you can configure and enforce network security policies, and monitor and report on policy adherence for devices in your organization – PCs, Macs, Linux, smartphones and tablets.

The MDM Integration Module, an optional plug-in for ForeScout CounterACT, is sold separately. It is one of several extended integrations that are available as part of the ForeScout ControlFabric architecture. ForeScout currently integrates with AirWatch, Fiberlink MaaS360, Citrix XenMobile, MobileIron and SAP – and more are on the way. When used in conjunction with your existing MDM system, ForeScout CounterACT and the MDM Integration Module provide:

  • Automated real-time detection. ForeScout CounterACT lets you detect mobile devices the moment they connect to your network.
  • Extended visibility by detecting unmanaged devices on the network in real-time.
  • Seamless enrollment and installation of MDM agents on unmanaged devices by initially placing them in a limited access network, assessing device type and ownership, directing them to an MDM installation web page, and then allowing network access once the device has passed required compliance checks.
  • Improved security by blocking unauthorized users and devices from the network, as well as imposing whatever limits you want on authorized devices.
  • Just-in-time compliance checks triggered by ForeScout CounterACT the moment a device connects to the network. Through bi-directional integration, CounterACT triggers the MDM system to immediately re-assess the device, and CounterACT bases its network access decision on the result of that assessment.
  • Policy-based blocking of unauthorized users and devices from the network, as well as enforcing any limits you want on authorized devices. ForeScout CounterACT can base network access control (NAC) decisions on many different factors including the type of device, operating system, ownership (corporate vs. BYOD), compliance status, enrollment in the MDM system, and several other factors.
  • Unified network access policy management and compliance reporting for endpoint devices—PCs, Macs, smartphones, tablets and others.
  • Guest registration. If you wish to set up a guest network for personal mobile devices, you can use ForeScout CounterACT’s built-in guest registration system. Once a guest has been approved, CounterACT can dynamically enforce your security policies, such as restricting the user’s access to just the Internet.
  • Continuous monitoring. If malware exists on the mobile device and tries to propagate or interrogate your network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can automatically quarantine or remove the mobile device from your network. ForeScout CounterACT includes ForeScout’s patented ActiveResponse™ technology which can detect and block zero-day threats.

Product Screenshots

Control Mobile Devices

From within the CounterACT console, restrict the network access of mobile devices that are non-compliant or unauthorized.

See Inventory of Devices

ForeScout CounterACT lets you see an inventory of devices on the network – PCs, mobile devices, printers, etc.

See Properties of Mobile Devices

The MDM Integration Module lets you see detailed properties of mobile devices which are enrolled in a connected MDM system.

Software Inventory Of Mobile Devices

The MDM Integration Module lets you see an inventory of software on mobile devices, including which devices have the software.

Compare

Rating scale: Best, Good, Fair, Poor*

Solutions compared:

  1. ForeScout CounterACT
  2. ForeScout CounterACT + ForeScout Mobile Security Module
  3. ForeScout CounterACT + MDM Integration + MDM
  4. MDM

Capabilities compared:

  • Operational Management: Expense management; Inventory Management; App management, app store
  • Network Security: Access control; Block threats; Detect on access; Profile device
  • Device and Data Security: Password; Configuration enforcement; Containerization / encryption; Jailbreak and root detection
  • Unified visibility and network access policy

User impact: (1) Transparent, (2) Lightweight, (3) Lightweight, (4) Lightweight

Price: (1) $, (2) $$, (3) $$$*, (4) $$$$

*Assumes that high risk devices/users are enrolled in ForeScout MDM and lower risk devices/users are managed by ForeScout Mobile Security Module.

Specs

The MDM Integration Module is a plug-in that runs on any ForeScout CounterACT appliance or virtual appliance.

CounterACT currently integrates with ForeScout MDM, AirWatch, Citrix XenMobile MDM, Fiberlink MaaS360 and MobileIron – with more on the way. If you are using a different MDM system that requires integration with ForeScout CounterACT, please contact us.
