Mobile monitoring is a complex topic. On one hand, organizations can gather detailed data to help them identify and suggest productivity improvements through alternative or additional apps or processes, without sacrificing security. But on the other hand, monitoring done wrong can reduce employee morale and potentially violate data privacy laws. Exactly how companies should approach mobile app monitoring depends on the business problems they must solve.
Let’s take a look at mobile app monitoring in-depth, including common use cases, risks of monitoring employee devices, and types of monitoring solutions employers can use.
Why mobile app monitoring?
Like anything else in IT, the use case for mobile app monitoring matters. Different companies have different reasons they want to monitor mobile apps, which directly impacts how they go about monitoring. Let’s look at some of the most common use cases for mobile app monitoring.
Proactive app performance monitoring
In some cases, an organization’s use case for mobile app monitoring is similar to traditional application performance monitoring and optimization. Apps that crash or are too resource-intensive negatively impact user experience and business workflows. Proactive monitoring helps companies detect and address app performance issues. Just like any software on any end-user device, if it isn’t working properly, it isn’t helping.
Tracking employee productivity
While it may be controversial, some organizations use mobile monitoring to track employees’ actions on their phones. Monitoring tools for employee productivity often go beyond mobile app monitoring and track things like texts, photos, and calls. Some software products for this use case even take screenshots to provide visibility into employee activity.
The legality of this is a whole other can of worms, and raises a genuine set of ethical questions for IT teams: Should employers be allowed to gather this much data on an employee’s device? Is the device the property of the employee, or the business? Does this make a difference?
Addressing shadow IT
Shadow IT is one of the most challenging problems for IT and security teams to address, particularly if they have adopted a bring-your-own-device (BYOD) policy. IT needs visibility and control over business apps, but no one wants to derail productivity.
Broadly speaking, we can break shadow IT down into two categories:
- Duplicate shadow IT. End-users are using apps that duplicate functionality in software that IT has already approved. This situation often arises because the end-users don’t know there’s already a solution in place. This category of shadow IT can create unnecessary costs and security risks with no practical business benefit.
- Shadow IT for new functionality. End-users are seeking out unapproved apps that solve problems that aren’t addressed by IT-approved apps. While this might seem beneficial to the user, it comes with potential security risks. Additionally, software not purchased through IT may end up costing more per user on an individual licensing basis.
Do companies have the right to monitor apps on an employee’s mobile device?
While mobile app monitoring is technically feasible, there are legal and privacy concerns to consider. Employers generally have the right to monitor the device and associated apps on a work-issued phone. Similarly, companies can monitor SaaS applications via admin consoles that capture data from users that access the apps from mobile devices.
Mobile app monitoring gets more complicated with BYOD. With BYOD, an employer doesn’t own the devices so they need to expect that employees will also use their own devices for non-work purposes. Frankly, there’s no one-size-fits-all answer, but the employer’s rights generally depend on an agreed-upon BYOD policy.
Can employers monitor mobile app activity on devices that connect to their network?
Mobile app monitoring— in the context of monitoring tools on the phone that send data to a monitoring platform from the local device over the network— is not the only way an employer can monitor mobile activity. The organization can also monitor the network activity itself when an employee connects to a corporate network.
There are a number of articles and threads that thoroughly explore the nuance, but in summary, employees should assume all network traffic is monitored when connected to an employer’s network. Even if employers aren’t installing certificates to play man-in-the-middle and decrypt HTTPS traffic, they can see traffic headers, access network device logs, and use protocols like NetFlow for detailed traffic analysis. Something like Auvik TrafficInsights, for example, can analyze and parse data flows to see what applications are in use, where the traffic is coming from and heading to, etc.
Potential legal challenges
One of the risks with mobile app monitoring is that getting it wrong can have legal implications. In the US, the Electronic Communications Privacy Act (ECPA) of 1986 is an important piece of legislation related to electronic monitoring. According to the American Bar Association (ABA), the ECPA prohibits intentional interception of an employee’s electronic communication, and violating the Act can lead to criminal and civil penalties.
The ECPA includes two key exceptions relevant to employee mobile app monitoring:
- The “business purpose exception” allows employers to monitor electronic communications if there is a legitimate business reason
- The “consent exception” allows employers to monitor communication if there is consent
Of course, much has changed since 1986, and the ECPA doesn’t explicitly address every mobile app monitoring use case. There have been several calls to reform the ECPA and address the realities of modern technology.
Outside of the US, in Ontario, beginning in 2023, employers with more than 25 employees must have a written electronic monitoring policy. Employers must now disclose what data they are capturing from employees’ devices, intentionally or not. While this legislation does not provide employees with any new privacy rights, it exemplifies the importance of transparency in mobile app monitoring practices.
In the EU, which tends to have stronger employee privacy laws than the US, employee monitoring needs to comply with legislation such as General Data Protection Regulation (GDPR). Kara Trowell’s Proceed with Caution When Remotely Monitoring Employees in the EU provides a solid introduction to remote employee monitoring in the EU. Key takeaways include:
- Violating data privacy laws can lead to hefty fines. For example, an H&M subsidiary was fined €41 million related to a workforce monitoring program.
- GDPR doesn’t just apply to European businesses. Even if an organization isn’t based in the EU, it must comply with GDPR if it monitors employees at any time within EU borders.
- Artificial intelligence (AI) and machine learning (ML) can complicate things. AI and ML are built-in to many monitoring tools. In the EU, using AI or ML can trigger additional requirements related to GDPR article 22 (automated individual decision-making, including profiling).
How can employers balance visibility and data privacy?
Clearly, there’s a tension between monitoring and data privacy. On one end of the spectrum, no monitoring provides complete privacy. On the other end, granular monitoring can provide deep visibility. Neither extreme is usually the right answer.
Finding a balance between visibility and privacy starts with clearly understanding the problem an employer wants to solve. Here’s a breakdown of popular tools related to mobile app monitoring.
| Mobile app monitoring tools | ||
|---|---|---|
| Tool category | Description | Use cases |
| Application performance monitoring (APM) | Tracks telemetry related to end-user experience. | Monitoring mobile app performance. |
| Employee monitoring software | Monitors mobile app activity such as texts, emails, phone calls, and app usage. | Employee productivity monitoring. |
| Mobile device management (MDM) | Provides central management and security policy enforcement for mobile devices throughout an organization. | Deep control and access to the entire mobile device. |
| Mobile application management (MAM) | MDM-like functionality at the application- level instead of the device level. | Control over mobile apps related to business functions, but not the entire mobile device. |
| SaaS discovery management | Provides visibility into cloud and on-prem apps users access. | Addressing shadow IT risk related to cost, operations, and security. |
App performance monitoring can often be addressed with crash reports and tools like mobile application performance management (APM) tooling. Employee monitoring software addresses use cases where heavy oversight is required.
MDM provides deep visibility and control, but carries less (or more, depending on how you view it) importance in environments that support BYOD.
MAM stops short of providing an employer control over an entire device and instead limits access to business applications.
Final thoughts: Find the right tool for the job
There’s rarely a one-size-fits-all answer in IT, and mobile app monitoring is no different. Some employers are worried about tracking employees’ on-device activity. Others require visibility into mobile app use to keep costs and security risks in check. The key for employers is clearly defining the problems they are (and aren’t) trying to solve and identifying the right tool for the job.
Your Guide to Selling Managed Network Services
Get templates for network assessment reports, presentations, pricing & more—designed just for MSPs.
Leave a Reply