Policy Driven Approach to Mobile Device Management in Government


The following describes the process by which policy outcomes are developed through a Mobile Device Management implementation effort as well as to describe the technology behind the solution for the readers understanding of a workable solution for implementing Mobile Technologies within commercial enterprises and Government Agencies’. The purpose is to enable other groups/organizations to leverage the process knowledge contained, and also to demonstrate a capability for policy management within a dynamic IT space. Further questions include how will organizations respond to faster IT development and will security and process bottlenecks become more responsive as demand for IT services increases. This whitepaper also provides a detailed checklist of the six key critical areas in the management and security of mobile devices and the data that resides on them. MDM is mission-critical for millions of IT professionals around the world within the commercial market as well as Government.


Mobility Policy Management

Effective Mobility Policy Management begins at the top of an organization, with leader­ship determining policy development and management is an organizational priority. This accomplishment can take some time, though is generally the pre-requisite to accom­plishing any policy determination. The next steps help set the course for mobility policy management.

  1. Identify Stakeholders
    Most organizations will have a CIO, a CSO and other common stakeholders. The mobility as a space tends to converge various stakeholders, where parties were before not much interested in workstation policy, but are very much interested in tablet policy. A service champion should also be identified, a stakeholder who has both a particular interest in the policy development of mobility, and also has notable influence over the organization. Other parties that should be considered as stakeholder candidates include, counsel/legal, union, asset management, field user representative, among others. A good consideration is that if someone cares about tablets and mobile access, they will probably care about the policy to govern them, thus making the challenge with stakeholder identification, the synthesis of the key stakeholders among all the interested parties.
  2. Identify business requirements
    Mobility requirements from the business tend to be very fluid. The recommendation here is to follow a very close management of business requirements, with frequent “check-ins” to confirm that requirements are still valid.
  3. Prioritize requirements
    As with the identification, the prioritization should be revised frequently to ensure that the fluidity of the mobility space is effectively managed.
  4. Negotiate requirements
    The process of negotiation can be lengthy, though it’s one of the most important steps. Discussions, information sessions and workshops are all important tools to enable stakeholders to feel included, and also to provide their perspective and feedback. How inclusive the negotiation process is will vary by the organizational culture. At the same time, the more inclusive the process, the more likely the mobility policy will succeed in terms of adoption and eventually overall security and data management. We suggest that the up-front investment be made, to ensure that as much consensus can be at­tained as possible, which ends up paying off with adoption and adherence rates later on.
  5. Finalize business needs and relate requirements
    The process of connecting the business needs to the project requirements for policy development is highly important. It draws the relationship and proves the significance of each policy statement. The eventual matrix developed in this step can be used throughout the policy development effort to reference why policy decisions have been made in the past, providing clear context for future policy discussions, for mobility policy as well as other IT policy spaces.
  6. Develop mobility policy / updates to existing policy per established processe
    Once agreement to a plan has been reached, the crafting of the policy text will follow an iterative and reviewed process. We also recommend that this process be inclu­sive of various stakeholders, such as to improve adoption and adherence rates in the future.


Common Challenges to Mobility Policy Management

Mobility is more fluid than most other IT spaces, and thus working with mobil­ity policy and mobility IT project implementations encounters a nuanced set of challenges.

  1. Various stakeholders with varying business needs
    Mobility tends to elicit the interest of more stakeholders than other spaces. Due to cultural and novelty reasons, everyone seems to be interested in mobility. Whether the goal is increased flexibility by location, additional features, similarity to commercial in­terfaces, convenience, or other interests, most folks and leadership in an organization will be interested in contributing their feedback and perspective to the mobility policy outcome. How this interest is managed, will vary by organization; we recommend an inclusive process, to develop the “best-fit” policy for the organization.
  2. Organization silos may not facilitate convergence towards a solution
    Some organizations still have robust silos, political, functional, personality-based, leadership based. These silos, while they may facilitate accountability mechanics elsewhere, in terms of policy development, silos tend to disrupt, delay, and reduce the effectiveness of policy deliberations. We recommend that clear expectations be defined to stakeholders and other contributors whereby silo dynamics must be limited. The degree of limitation will vary by organization, and in our opinion, will help determine the expediency and effectiveness of the policy deliberation, in addition to having a high impact on how pleasant or how unpleasant the process is for the people actively participating.
  3. Mobility context changes more rapidly than other IT spaces
    It’s advantageous to keep in mind that the fluidity of the Mobility space will pres­sure many projects to constantly re-evaluate business decisions, risk analysis, core objectives and tactical approach, among other spaces. We recommend keeping an open mind towards a flexible project that is open to iterative, man­aged modifications.
  4. Various organizational perspectives on what is “policy” and who authori­tatively defines mobility “policy”
    Frequently, the term “policy” means different things to different people, and has a different impact on organizational groups. Clarifying the definition of policy, the standard process for developing and implementing policy, and defining how closely the mobility efforts will follow the standard process. We recommend managing expectations early in the policy development effort to clearly define “policy” and the process by which policy will be developed and implemented for mobility efforts.


Mitigating Actions for the Challenges to Mobility Policy Management

Given the challenges describes, we’ve developed various mitigation strategies.

  1. Effectively define roles and responsibilitiesAs with any project or effort, the fluidity of the mobile space makes it even more crucial to effectively manage roles and responsibilities, while maintain­ing flexibility in these assignments as the mobility effort progresses. Frequently variations in project needs will create a need for re-evaluation in roles and responsibilities. We recommend defining roles and responsibilities early on, and revisiting them with all stakeholders on a frequent basis.
  2. Establish clear expectations for contributionsDuring the policy working groups, discussions, workshops and other functions where contributions are expected, it’s important to clarify expectations regarding participation and contributions. Defining writing assignments, research and collaborative writing goals should all occur early on for best results. Maintaining a schedule for contribu­tions may also help everyone meet defined milestones. We recommend managing expectations for policy contributions to maximize group effectiveness.
  3. Effective discussion/meeting facilitation, especially inclusion of all parties and consideration of all contributions/perspectivesDuring the policy negotiation process, it’s important that meetings, discussions and workshops (and the like) remain effective. Participants must be engaged and feel that their contributions are valued. We recommend implementing all rules regarding run­ning effective meetings during this phase to ensure maximal inclusion potential, and maximizing meeting productivity.
  4. Adherence to the plan and agreed-upon timeframesAs with any project, the effective management of schedule and milestones continues to provide value to the overall effort. We recommend a robust project management background for the basis of running a project to develop and implement mobility policy.


Process Development

While not an all-inclusive process development analysis, this section aims to highlight the ar­eas in the process development space that require nuanced attention for the effective integrat­ing a Mobility service into the enterprise.

  1. Design mobility procedures to “plug-into” existing processesWhere possible, mobility procedures should integrate into existing processes and procedures. Therefore, we recommend a maturity analysis of existing processes to help identify the interfaces between new mobility processes and existing IT service processes.
  2. Develop ad-hoc processes in the interim (as needed)Where tactically feasible, interim processes should be developed to connect existing processes to mobility processes. The iterative nature of process development means that these ad-hoc processes may be revisited at a later time when focus in that space makes the most sense. We recommend that the mobility process development effort define a plan for building ad-hoc processes where needed and provide an overall process development and integration plan.
  3. Key interfaces between existing IT Service processes and emerging mobility processesSome IT processes will interface with mobility processes more than others. We suggest particular attention to the following ITIL processes: Request Fulfillment, Incident Management, Event Management, Service Asset & Configuration Man­agement, among others.
  4. Involve process owners in the development of new procedures / procedure updatesProcess owners should be heavily involved in the development and administra­tion of new process efforts. Where process owners have not been defined, they should be assigned prior to any process development efforts. We recommend enabling process owners to contribute heavily to the development of new mobil­ity processes.
  5. Train all personnel on the business priority of the service and the changes/updates to the processes and respective proceduresDeveloping effective training materials will significantly improve the effective­ness of new process adoption and adherence. We recommend that resources be invested to develop detailed training plans available to all staff that will inter­face with the new processes.
  6. Monitor process and procedure development and maintain the course along the process development planAs with other project efforts, the monitoring of process development will be key to ensuring that the fluid mobility space is effectively managed by the new mobility processes. Frequent check-ins and re-evaluations are helpful to con­tinuously improve mobility processes, whether ad-hoc or more permanent. We recommend inclusion of stakeholders in process development and implementa­tion and frequent opportunities for participants to offer feedback and sugges­tions for improvement of mobility processes.


Tangoe offers a seamless policy management experience

tangoe-200With MDM, Applications, Containerization and Content Management as a central and single pane of glass to secure and manage all mobile devices and operating systems within the corporate environments, Tangoe MDM supports the entire mobile lifecycle and its core functions including:

  • End-User Self-Activation
    Reduce IT and help-desk work cycles with the Tangoe MDM Self-Service Portal that increases end user adoption and satisfaction
  • Security and Policy Compliance
    From a single global web-based console, monitor device usage statistics, enforce security policies, secure mobile access to corporate resources, track lost devices, remotely lock and wipe iOS, Android, BlackBerry, and Windows devices, and more
  • Containerization
    Create a secure corporate workspace container to enforce security policies for en­terprise data, communications and applications on a mobile device (Smartphone or tablet) separating corporate data from personal data and applications.
  • Application Management
    Deploy, upgrade, update and remove IT approved public and custom-built applications for iOS, Android, Windows and BlackBerry mobile devices
  • Content Management
    Secure, containerized access to enterprise content with policy controls including view, edit, delete, print, share and more.
  • Real-Time Expense Management
    Reduce the risk of bill shock by tracking device data, voice and SMS usage in real-time against pre-configured individual and pooled carrier plans’ usage thresholds.


  • Block unapproved devices from accessing enterprise resources such as Exchange and the application portal
  • Manage and enforce mobile application policies across device types and liability models to reduce risks from potential security breaches and data leakage
  • Configure secure email policies that prevent unauthorized forwarding, cut and paste and sending unencrypted data
  • Consistently enforce your IT team’s usage and management policies automati­cally across the device fleet with the Tangoe MDM patented rules engine.
  • Monitor device usage against carrier rate plans in real-time which can save budget dollars by preventing bill shock
  • Reduce security and cost risks when a device is lost or stolen by tracking its location and enforcing your security policies


Security and Policy Compliances

Tangoe MDM’s Rules Based Framework allows for administrators to define policies on specific Platform and or Device Type. Tangoe MDM provides the capability to config­ure device settings automatically and intelligently with Tangoe’s patented Rules Based Framework. Rules allow administrators to enforce policies, applications, and monitors to devices on the basis of user criteria (AD/LDAP groups, OU’s, departments, business units, etc.) and device criteria (device liability, jailbroken/rooted status, make, model, OS version, memory, battery, roaming status, voice/text/data thresholds and much more).

MDM is designed to create enforcement rules based on company business rules. For example:

  •  Every user with a corporate iPhone in Sales will have apps ‘XYZ’ App, encryp­tion, strict password policy and Salesforce app; but personally owned iPhones in Sales will be enforced with a rule for strict password and Salesforce app.
  •  Sales employees with Androids will have a different configuration.
  • Accounting employees will have different configurations.

With Tangoe MDM, IT leaders deploy and control large numbers of mobile devices any­where in the world. From a single global web-based console, IT leaders easily enforce security policies and compliance, secure mobile access to corporate resources, track lost devices, and remotely lock and wipe Apple, Android, BlackBerry, and Windows mobile devices. End-users get fast activation on their device of choice while enterprises easily manage thousands of mobile devices and applications.

Integration between Tangoe MDM and Tangoe’s Wireless TEM portal provides a seam­less user experience for end-to-end mobile policy compliance.

  • Tangoe MDM receives carrier plan details and updates in real-time from Tan­goe’s Wireless TEM portal as well as plan-based alerts.
  • Tangoe’s Wireless TEM portal receives application lists, device memory status, and real-time usage statistics from Tangoe MDM.
  • Only approved devices for procurement are provisioned with the appropriate usage, management and security policies when accessing enterprise resources.


Content Management

Tangoe MDM’s Content Management solution addresses Data Loss Prevention (DLP) on mobile devices. Tangoe MDM supports data synchronization which can enable a secure file container (or zone) on the device so that users can have access to all of the files, documents, PDFs, media from file shares, mapped drives and/or SharePoint. This container can be con­trolled so that no information can be cut/copied/pasted outside of the container; and no infor­mation can be forwarded or opened by another program outside of the container. All content would remain within the enterprise environment and not temporarily stored in our environment.

Administrators can control which applications have access to read/edit information from the container.

The container can be selectively wiped if the device is lost/stolen or decommissioned.

Secure Collaboration for your mobile workforce:

  • Connect to all enterprise document repositories as they can when they’re in the office
  • Instant access to the most current documents from personal devices
  • No sluggish VPN
  • Easy sharing
  • Use trusted apps on personal devices
  • End-to-end governance with no compromises to corporate data
  • Mobile workforce stays compliant with regulatory requirements
  • Say Yes to BYOD with personalized BYOA (Apps)
  • Say No to BYOC− high-risk consumer cloud storage work-arounds
  • Keep your data safe
  • Lower support costs



As a mobile-centric company, Tangoe understands that a successful BYOD solution for device mobility presents unique challenges like device fragmentation, the privacy and governance over the content stored on a mobile device, and security and management concerns. With Tangoe Containerization, those challenges are addressed to maximize the benefit to all eco­system stakeholders – employees, employers, wireless carriers, and device manufacturers. Containerization empowers users with unrestricted device choice that fits the full range of their personal needs while enabling them to have secure access to their enterprise data, all while also protecting their privacy.

Containerization empowers users with unrestricted device choice that fits the full range of their personal needs while enabling them to have secure access to their enterprise data, all while also protecting their privacy.

By providing two personas, the Containerization platform secures business applications from potentially breaching personal ones by architecturally eliminating the need to wrap each business application in a shell to protect it. Standard applications execute in native binary form providing unrestricted application choice.

Tangoe delivers the following important benefits to employees and organizations:

  • Maximum business and application choice
  • A carrier- and device-agnostic client that is downloadable for each product family
  • Maximum device choice for employees
  • High application agility in dual persona profiles
  • Executes on non-rooted, stock operating systems and scales across an entire device family
  •  Government grade secure container that isolates business applications from threat
  • Management and client safeguards to protect employee privacy
  • Comprehensive infrastructure-less management and security console for both user and IT
  • Assure your employees that enrollment in your BYOD program will not jeopar­dize any of their personal, private data such as pictures, birthdays, and con­tacts; if you need to remove corporate data, do so without harming any personal information.
  • Encrypt corporate data using the most sophisticated, FIPS-140-2 certified encryption algorithms, protect against malware and prevent unauthorized access via security policies that are tailored by employee group and securely distributed OTA (over the air).
  • Enables secure, employee-friendly, BYOD programs combined with data leak­age prevention policies by permitting ‘personal data’ to co-exist on the same device with corporate applications while maintaining logical separation of corpo­rate applications and data from personal applications and data.
  • Prevent personal applications from accessing enterprise data
  • Deploy container policies including copy/paste restrictions for data, application install and removal controls, and anti-tamper (root and debugger) support
  • Scale across your fleet of Android and iOS devices a consistent user experi­ence through one central portal


Application Management

MDM’s Application Management provides your organization with the ability to reliably make applications available to your smartphone devices in an intelligent and automated manner. You will be able to eliminate the administrative labor associated with application deployment to your mobile community, and also significantly diminish the amount of reactive support that is usually required for such activities.

Mobile Enterprise App Distribution and Management

  • OTA automated deployment and installation of required applications via APNS (Apple Push Notification Service)
  • Deployment rules can include device OS, download via Wi-Fi (and not via cellular) connectivity, and minimums for battery life and available memory
  • Deploy required and recommended internal applications OTA across your enterprise and manage secure user access to the Enterprise App Portal
  • Blacklist and whitelist applications and enforce compliance with the Automated Rules Engine and the Tangoe MDM on-device client reporting application inventory

Rules-based monitoring for the presence or absence of an application The MDM rules engine can now automatically change device feature / functions based on the presence or absence of an application. For instance, if a device has a blacklisted application, the device can be prevented from accessing Exchange and the Enterprise App Portal.

Enterprise Application Portal

  • Employees can request and deploy enterprise and approved 3rd party applications on-demand from their smartphone, tablet or the Tangoe MDM Self-Service Portal Integrate directly with public “app” stores for IT approved applications
  • On-demand access from the iOS and Android clients and the Self-Service Portal
  • Administrators can now disable the Enterprise App Portal for individual liable users This feature strengthens security policy compliance rules by preventing access to enterprise applications and storing app data on an IL device.
  • Applications are deployed on-demand OTA via SSL
  • Authenticate users before allowing them to view and download enterprise apps
  • ABQ – Allow – Block – Quarantine access to the Enterprise Application Portal and Microsoft Exchange if an application is not installed or if a black-listed application is present
  • Generate application inventory, version history, and compliance reports for app life­cycle planning, policy enforcement and management
  • Employees with devices that are detected to be Jailbroken / Rooted can automatically be prevented from accessing the Enterprise Application Portal
  • MDM’s Application Management provides your organization with the ability to reliably make applications available to your smartphone devices in an intelligent and automated manner.
  • Support Apple’s Volume Purchase Program includes importing redemption keys (purchased from Apple) into an MDM app profile, automatically manage the up­load, storing and distribution of redemption codes, remove private and 3rd party apps, and force password use to purchase applications on iTunes Apps
  • Tangoe MDM offers exception reports for devices whose applications were not properly installed
  • Ensures apps are deployed to the correct device OS, and that the device has enough battery and memory available.
  • Exception reporting for devices that do not meet minimum requirements for the application to be deployed.



As mobility gains popularity within the corporate enterprise and Government Agencies the management of those devices becomes critical and the security of the enterprise is at risk. It is therefore paramount that IT Departments take a measured ‘Policy Driven’ approach to implementation of the MDM Solution as well as taking advantage of proven technology solutions on the market today. G2SF Mobile Solutions Practice has years of practical experience implementing and managing mobile solutions within Government and has used best in class technologies with our policy driven approach.

Tangoe MDM is unique in the fact that it is the only MDM solution that offers its own in-house fully Managed Services and End-User Support model on top of the software. This can ensure that both your mobile user community and the infrastructure they rely on are well-supported, secure, and stable.

Tangoe’s Managed MDM Service allows enterprises to easily and quickly leverage all of the powerful features of Tangoe’s (MDM) software. Tangoe’s MDM Managed Ser­vices team has over 10 years of experience in helping customers manage their mobile devices, and as mentioned above, the solution can be delivered in both a cloud-based model and remotely delivered for customer-premise MDM instances.

Tangoe MDM has been designed to support both Corporate Liable (CL) devices (compa­ny owned devices) as well as Individually Owned (IL) devices (personally owned, Bring Your Own Device “BYOD”).

The Tangoe MDM solution can be delivered as an on‐premise solution or hosted SaaS type model. Tangoe is starting to see a shift from enterprises deploying our solution behind their firewall to more of a hosted solution however Tangoe is very flexible as we understand organizations often have different requirements in this regards.

Tangoe is unique in the fact that it is the only MDM solution that offers its own in-house fully Managed Services and End-User Support model on top of the software. This can ensure that both your mobile user community and the infrastructure they rely on are well-supported, secure, and stable.

Through Tangoe’s robust MDM feature set, enterprises can reduce IT support and labor costs for mobile devices by more than 50 percent. With comprehensive capabilities at the server and device levels, enterprises can proactively prevent costs BEFORE they are incurred as well as monitor and minimize costs in real time. Tangoe’s MDM solution enables enterprises to control costs throughout the entire lifecycle of their mobile devices.

Global organizations depend upon Tangoe’s technology-enabled managed services and pat­ented technologies to optimize and manage the lifecycle of their fixed and mobile enterprise communications resources.






Tangoe is a leading global provider of Communications Lifecycle Management (CLM) software and related services to a wide range of global enterprises. CLM encompasses the entire life­cycle of an enterprise’s communications assets and services, including mobile device manage­ment, telecom expense management planning and sourcing, procurement and provisioning, inventory and usage management, invoice processing, expense allocation and accounting, and device recycling. Tangoe’s Communications Management Platform (CMP) is an on-demand suite of software designed to manage and optimize the complex processes and expenses associated with this lifecycle for both fixed and mobile communications assets and services. Tango’s customers can also manage their communications assets and services by engaging Tango’s client service group.

Additional information about Tangoe can be found at www.tangoe.com. Tangoe is a registered trademark of Tangoe, Inc.



G2SF is an IT Service Management, Engineering and Sciences, Consulting Firm providing quality support to the Federal Government, State and Local, Defense and Commercial Markets. Headquartered in Reston, VA the company has built its reputation on an unwaver­ing commitment to a diverse customer base, valuable partnerships within the public and private sectors, and a dedication to recruiting and retaining only top performers. G2SF is currently certified as a participant in the program for the US Small Business Administration (SBA). G2SF has gained recognition as a one-source information technology (IT) solution company, offering a wide array of IT Service Management, Mobil Solutions, Program Management, Professional Services, Training, and Engineering Services. Our IT Service Management Consulting Practice supports the day-to-day operations of many of our customers’ IT operations from the functional to the highly technical such IT Infrastructure and Program Support Services.