A common question posed by IT managers is whether or not they should be installing anti-virus software on enterprise smartphones. Like almost all security questions, the answer is a clear-cut “it depends.”

First and foremost, it’s important to define the scope of protection. Anti-virus is a misnomer. Anti-malware gets closer, but the best way to think of these tools is as endpoint security suites, which are very similar to the endpoint security installed on corporate laptop and desktop systems. The leading products do not just protect against viruses — they are full mobile device security suites. If you find a tool that is nothing but anti-virus protection, that’s definitely not state of the art and it’s also not very useful; in today’s security landscape, organizations need to outfit their hardware with software that does more.

Enterprise-class anti-malware tools have another characteristic: centralized management consoles. This creates some overlap with common MDM and EMM solutions, but each software system still has its differences.

Addressing Endpoint Security

So what’s in these endpoint security tools? Well, the vendors are still trying to figure out the best features, so they often have a little bit of everything. The common denominator is basic anti-virus and anti-malware protection.

However, on a well-managed Android smartphone, basic anti-malware protections aren’t going to come into play very often. Although malware can infect smartphones through web browsing, the most dangerous types are linked to infected applications.

IT managers who block non-approved stores and use application whitelisting are unlikely to run into malware riding on top of normal applications. Because of the protections provided by application whitelisting and store restrictions, many IT managers who have activated these operating system protections are wondering if they really need these endpoint security suites. And that’s what brings administrators to the “it depends.”

Android endpoint security suites usually include a number of other features, which can help IT admins determine if additional software is needed or not. These features can be divided into ones that look very familiar to desktop managers, and ones that are unique to the mobile environment.

A very common feature in endpoint security suites, for both desktop and mobile, is web filtering. This blocks or alerts users who are trying to browse webpages that have web-based malware, phishing or are out-of-policy for the enterprise. IT managers who think they are particularly susceptible to credential theft attacks might find web filtering a compelling reason to say “yes” to installing anti-virus to improve mobile device security.

Because mobile endpoint security suites are integrated with enterprise consoles, IT managers can also use them as “MDM lite” mobile device management tools with a restricted set of features. Many mobile device security products have the ability to control certain security policy features through their enterprise consoles. For example, features such as device unlock configuration, network access policies for unsecured Wi-Fi and remote wipe have all made their way into mobile endpoint security suites.

IT managers who have not chosen to implement a full-fledged MDM or EMM product may be able to get additional security by installing mobile anti-virus. Enhanced device monitoring provided by the enterprise console is another reason to consider an anti-virus suite. Unfortunately, the reverse isn’t true: just because a full MDM or EMM is installed, doesn’t mean that anti-malware is superfluous.

Evaluating Mobile-Specific Features

Some endpoint security products also have mobile-specific features that allow for a unified set of features across different smartphone platforms. For example, endpoint security products can audit and control smartphone features such as location tracking, cameras, and microphones, using the host operating system capabilities, a difficult task in laptops.

Another example is containerization: A mobile-specific feature with significant endpoint security benefits. Not every endpoint security suite has containerization, but many of them do, giving a more homogeneous experience across the end-user community when heterogeneous devices are in use. It also provides a secure environment where employees can access sensitive information, and IT professionals can have an extra layer of data protection.

In other cases, endpoint security solutions add clever features that make sense only in a mobile environment. “Find my phone” and remote wipe are well-understood mobile-specific security features, but that’s just a start. Several products watch the smartphone SIM, and can send an alert when the SIM is changed or when a phone is jailbroken — which can indicate a stolen phone or tampering.

Another application is anti-spam protections. Monitoring email spam and phishing is usually taken care of by the enterprise’s email service, but what about SMS spam or unwanted voice calls? Several mobile endpoint security solutions can help with that. Both of these examples are areas where IT managers looking for specific additional security, beyond basic anti-malware protections, may want to turn to endpoint security suites.

The list of features, risks and mitigations makes it clear that there’s no clear answer, but installing anti-virus will depend on organizational needs. IT managers who have a very low-risk profile may find that anti-malware tools increase cost and complexity. Organizations that decide they need additional protections or specialized features will want to install an endpoint security suite.

Endpoint security suite vendors are working hard to earn their keep, and their products bring much more than basic protection against viruses. These should be explicitly evaluated — even if they are eventually rejected — by every IT manager.

Are unpatched security vulnerabilities worth the risk? A recent report shows just how much known vulnerabilities can cost your business.