Mobile Device Management (MDM) is a system in which functions of a registered user device (e.g., a smart phone, a tablet, etc.) can be remotely controlled, e.g., by an administrator server. For example, the administrator server may control or block functions of the user device such as screen capture functions, microphone usage, camera usage, usage of certain communications hardware (e.g., Bluetooth, NFC, WiFi, etc.), access to device services (e.g., messaging), etc.
MDM techniques are sometimes used in Enterprise Mobility Management (EMM). In such an application, an administrator may use an MDM system to control the allowed functions of the user device so that usage of the user device complies with certain security and/or company policies. For example, an enterprise or company may have a policy that screen shots of sensitive information presented within a particular application should not be taken. To adhere to this policy, an administrator may implement an MDM policy to prevent the user device from taking screen shots. As a cost-saving alternative to providing employees with company-issued user devices, a business may allow its employees to use their personal user devices for both personal and business functions. In order to ensure compliance with security policies, MDM techniques can be implemented on a personal user device.
MDM is limited in that entire functions of the user device need to be blocked, regardless of the other uses of the user device. For example, in the preceding example, the user will be entirely unable to take screen shots, even if the user is not accessing sensitive information.
Application-specific control policies can be implemented in which a small select subset of functions (e.g., camera use, copy/paste use) is disabled based on the application in the foreground of the user device. For example, application developers can add contextual capabilities to their application by directly programming these into the application, effectively hard coding the policy into the application itself. For instance, if a developer would like to control access to specific forms in an application given the location of the individual using the application, the developer could build hardcoded logic into the application to determine the user's location and deny access based on the user location. In these situations, issues arise when implementing policy changes for the application. For example, since policies are hardcoded into the application, changing the policies for the application (e.g., to allow a specific subset of users to be granted new permissions when using the application) requires a lengthy redeployment and republishing of the application. Further, changing the policies would require the user to update the application in order to effectuate the changes. Additionally, access to specific changes would require the user to fully restart the application in order for those changes to take effect, thereby preventing a policy from being pushed to the application while in use. Also, the list of features that can be hard coded to be controlled is a small subset of the device-level controls available through MDM policy.