Current MDM frameworks, unless they use some kind of container approach, will always play catch-up to hackers who want to bypass the controls enforced on their phones, as highlighted in the following article describing how to get around AirWatch’s MDM restrictions.
The conclusion of that article is spot on:
“MDM solutions are great for employers to manage mobile devices. However, they are not without their problems. Not only was I able to bypass compliance for having a rooted device, but I was also able to bypass the need to encrypt my device from the profileGroupSetting table. Bypassing compliance restrictions for AirWatch is relatively trivial after a few hours and I’m sure it is probably similar with many other MDM solutions.”
An MDM container approach will only ensure that your corporate data does not leave that secured container and stays safe within it. However, it does not ensure that a trojan or other malware installed on the host operating system has not made that hosting environment so “toxic” that low-level APIs have been compromised, e.g. the Bluetooth connection to a keyboard, the ability to take screenshots, access to memory, etc.
This is why a real improvement on today’s MDM solutions will only occur when it is provided natively on the devices, offering OS-level containers with specific containers/profiles according to the level of security required. That has to be provided through and by Apple/Google. Until then, MDM will just be a nice add-on that improves security against common misuse but not against seasoned hackers. Depending on your business requirements, today’s MDM could be just enough!