Mobile device management: Getting started
The rapid-fire spread of mobile devices being used by enterprise employees can be a huge boon for businesses in productivity and customer service gains, but those advantages don't come without a price.
The inherent flexibility and freedom to get business done anywhere, anytime, also makes it much harder to maintain the security and control of corporate data when employees are accessing and storing business information on their smartphones, tablet computers and other mobile devices. And the rush of new devices never seems to end, making it hard to stay out in front of innovations.
"Enterprises must plan now for the mobile devices of the future that they don't even know of yet," says Kevin Benedict, principal analyst at Netcentric Strategies LLC in Boise, Idaho. "So you build an infrastructure that says it doesn't care what devices are on the end of it and you have a framework that you just plug into."
Getting there isn't easy, however. One approach that can make implementing a mobile workforce easier -- or at least consistent -- is through mobile device management (MDM) strategies that can help enterprises address all related mobile issues in a top-to-bottom approach.
Among the challenges that an MDM strategy can help with: Which mobile devices to support, whether to allow employees to choose and bring their own devices into work, and how to handle security for mobile devices, including whether to have remote data wiping capabilities for lost or stolen devices.
Policies about devices
One of the first decisions to make with an MDM strategy is to figure out which devices your employees will use and whether the individual or the company will pay for them.
At New York-based Edelman, the global PR firm, most of the 3,800 employees use RIM BlackBerries, unless they have a compelling work-related reason to use something else, says John Iatonna, the vice president of information security. Those cases are decided individually by business managers -- workers can be allowed to use iPhones or iPads if needed for the work they do, but RIM devices are Edelman's enterprise standard mobile devices.
Two reasons Edelman prefers using corporate-owned BlackBerry devices: The firm can negotiate more competitive pricing through its relationship with its enterprise phone carrier and it can maintain tighter management and security compared to other devices. "It's much easier to get hold of and track your BlackBerries than it is [other types of] smartphones," Iatonna says. "We do have an Apple and Android population, but those devices weren't designed with an enterprise environment in mind."
"BlackBerry Enterprise Server (BES) is a much more developed and mature enterprise MDM system than the other smartphone MDM vendors," Iatonna said. And even though RIM has been losing market share to other vendors, its products and enterprise-level security capabilities still offer the best answers for Edelman's needs, he said.
The reason for that specific order of rollout, Bussman explains: "We made the development teams that were building the apps test them as part of the process." Then, "executives demanded solutions quickly after that and then drove direction to focus on sales and other field resources."
Starting this past January, SAP expanded the program to also include more than 500 SAP-purchased Samsung Android Galaxy SII smartphones and Galaxy Tab 10.1 tablets, with more to be deployed by employees who request them based on a compelling business reason.
"Our strategy is to be device agnostic," Bussmann said, "The IT organization has to be in the driver's seat. If the CIO doesn't embrace the mobile trend, then the business organization bypasses the IT organization and that's not a good thing. Then it's being done without control and security and that can have an impact potentially on the company."
Centreville, Va.-based Carfax uses a blended approach, with some workers using company-issued iPhones and iPads and others using their own Android devices, says CIO Phil Matthews. "We allow other employees to use a BYOD (bring-your-own-device) approach where it works better for them or where they want to keep their device on their personal mobile plan."
The company's 400 field workers use devices that are company-provided or paid for through reimbursements. "We actually wanted people to have a consistent experience, so we chose iPads and iPhones as our main devices, but some people wanted Android devices" and are allowed to use them, he says. Workers previously carried laptops and printers along with BlackBerry devices, but productivity rose with the iPads and iPhones, he explains. "Our sales reps can complete more activities with the iPads and iPhones and we can provide them with mobile applications that allow them to collaborate much more easily than in the past."
Cora Carmody, the senior vice president of information technology at Pasadena, Calif.-based Jacobs Engineering Group, says her company looked at mobile devices from a different angle -- that of expense management. As the recession took its toll, Jacobs continued to look for ways to cut costs until finally the cellphone bills of some 45,000 workers became an enticing target, she says.
The company had acquired several other businesses and was bringing in new users who all had different mobile vendors and devices, so the IT group decided to look at it and find better ways of making it work.
Their answer was what Jacobs calls "wireless divestiture" -- in other words, buying the devices for workers but then requiring workers to pay their own monthly bills. Workers are given calling cards for travel and can also expense extraordinary calls if needed, Carmody explains.
Jacobs has saved about $15 million annually since reorganizing its mobile device strategy, Carmody says.
At first there was some grumbling about the new strategy, Carmody admits. But the company met with mobile vendors to work out good deals for employees when they signed up for new service contracts, so because the financials were in their favor, employees started gradually accepting the new arrangement over time.
"You can expect some complaints and backlash at the start," she says, "but we are also pleasantly surprised that some people recognized the new choices that they had" in terms of different types of service contracts -- "and appreciated that."
Jacobs worked up front with mobile vendors to obtain discounted rates to allow employees to move to whichever carrier and plan fit their usage and travel patterns best, according to Carmody. "Previously employees were carrying two devices; one for Jacobs support and one as their own personal device." By consolidating to one device, employees' mobile situation has been simplified considerably.
Keeping company data safe
Security at Edelman includes requirements for passwords that are secure as possible, Iatonna says. That means that all smartphones and tablets must use passwords that are complex and include a minimum number of characters, along with mandatory data encryption. After a certain number of unsuccessful passwords are entered, the device automatically resets and erases all data. This situation hasn't happened yet, he says.
Another piece of advice, from Jacobs' Carmody: Be prepared to confirm for users that any devices they are considering can meet both the security and work needs of the business. "That gives people the freedom to do what they want to do while protecting company security," she says. "It's one of those building blocks for the idea of bringing your own technology to work."
In general, the company allows Jacobs email to be viewed on personal devices, while all other key corporate applications can be accessed only via the Jacobs corporate portal. "This provides a high measure of security for managing corporate data and eliminates the need to help end-users manage data volumes on their personal devices," Carmody explains. "We, of course, also employ stringent cybersecurity practices that guard against access should a device be lost or stolen. Finally, we have a robust process for reporting lost or stolen assets that ensure immediate response to protect data in those situations."
At Carfax, access to corporate data is controlled through application privileges and passwords; users have access to corporate data and applications based on their job need and role in the company, Matthews said.
At Jacobs Engineering, employees are required to sign consent forms that allow the company to perform remote wiping of all data if the devices are lost or stolen, even personal data personal email, photos and games. The agreement says the company will delete it all if a device is lost or stolen.
The need for remote wiping has happened a few times, Carmody says.
"In those cases all data is lost," she explains. Jacobs works hard to educate the user population about its corporate policy and conditions governing end-user device use. "We also go the extra step and educate end-users about backing up and protecting their personal data" in case it has to be remote-wiped someday, Carmody says.
Some MDM tools allow devices to store critical business data in a special, secure "container," says Chris Hazelton, an analyst with The 451 Group. Business data is not retrievable outside of the container, and can only be accessed through rich passwords and other access protocols, making it much more secure. It can also be removed remotely by the business if the device is lost or stolen, without removing a user's photos, contacts and other personal information.
Both Edelman and SAP use this technique; Edelman uses AirWatch to perform selective wiping of enterprise data, while SAP uses its own Afaria application, which can wipe just the corporate data and leave the personal information alone, according to Bussmann.
A sampling of MDM vendors
The list of vendors in the MDM marketplace is ever-changing as companies continue to roll out features and new products to help make mobile tech both easier to manage and more secure.
Here is a sampling of some of the major commercial vendors that are making noise in the emerging field of mobile device management, according to industry analysts interviewed for this story.
Apperian Mobile Application Management -- Mobile, secure application development
Boxtone Enterprise Mobility Management -- promises "centralized, automated control of all mobile devices and tablets"
Citrix Receiver -- Access to corporate data from "any computing device," Citrix says, along with an enterprise app store.
Good Technology -- A suite that includes access to email, calendar and intranet-based apps, as well as the means to build an internal applications store.
Kaseya Mobile Device Management -- Policy-based management tools for mobile devices (phones and tablets).
LANdesk Mobility Management -- Discovery, inventory and the ability to remotely wipe devices.
Mobile Iron -- Multiplatform device management with security that works even on employees' personal phones, the vendor claims.
Mocana Mobile App Protection (MAP) - Shuts down virus and malware attacks against smartphones, the vendor claims.
Novell ZENworks Endpoint Security Management -- Encryption, the ability to disable removable storage devices and firewall features in one console.
Nukona -- Now part of Symantec, this product promises to securely deploy and manage both Web-based apps as well as native smartphone software.
PartnerPedia Secure Mobile App Management -- Allows corporate IT to control the publishing, distribution and management of approved applications to end-user devices.
- Todd R. Weiss
One of the biggest support challenges for Edelman's IT team, Iatonna says, is when employees do get permission to use personal iPads or iPhones for their jobs. The difficulty then becomes educating users that their personal photos, emails and other data could be lost in the event a remote wipe is needed on those devices.
"You have to make sure that the level of support is defined so that you are not responsible for personal data loss," Iatonna explains. "The way that we've tried to mitigate that is that if you want Edelman data on your personal device you have to agree to have the MDM software installed on it and you need [to sign] a waiver as well."
Edelman employees weren't used to that level of control and they were uncomfortable with it because it involved their personal devices, he says. "People said, 'Well it's my phone and you can't expect me to enter a password and have a screen lock after five minutes.' It was always discussions like that."
That meant getting users to come around to accepting a new sensitivity about the data on their phones, he says. "It's a balance of privacy versus the company's security. People are very unaware of the risks that are posed with the smartphones right now," including hacking, data capture and other security threats with smartphones. Users are typically not thinking about those kinds of risks when they use the devices.
Remote wiping and similar security measures are also used at Carfax, Matthews says, and employees are notified that data wipes can be performed if the devices are lost, stolen or used inappropriately. At the same time, he says, the company also wants to give its workers some freedom to use their devices responsibly.
For instance, Carfax allows employees to use the devices for non-work-related things like watching videos on the road, he said. "People will definitely do the right thing" and not abuse their freedoms with inappropriate behavior and usage, he says. "You just need to give them some guidelines and that's what we've done so far."
A moving target
One of the biggest pain points when it comes to MDM is time pressure because, with mobile devices, there is always something new and different to cope with, says SAP's Bussmann. And there can be a lot of need for IT support.
When SAP began its mobile deployment project in 2010, demand from workers was already high, starting with the first controlled deployment of 1,500 devices, he explains. To cope with this, the company decided to provide the initial user support for those first devices via Web 2.0 using wikis and online help portals. This was a method to reduce demands on the IT teams and give users the help they needed on demand, he said.
It was just the right approach.
"We had only two or three months to enable those devices so we didn't have time for setting up traditional support," Bussmann says. "You look at the Apple devices. There's no big menu there to operate them; they're very intuitive. This approach is similar to that."
At first, Bussmann admits, he wasn't sure that users would accept this non-traditional help system. "To be honest, I told my guys that I'm not sure the users are going to go for that. But there's been a change of user behavior, definitely."
At Edelman, one of the biggest challenges of the MDM strategy has been that the target is constantly moving, Iatonna says. "It's not possible to have a solution for every smartphone out there because there are so many models. You can't have the resources for all of it." Their answer is found in AirWatch, which covers the bulk of the devices on the market and reduces the company's risk to an acceptable level, he says.
Iatonna looked at several different MDM vendors before choosing AirWatch, he says, but one of the biggest lessons he learned was that the marketplace is relatively immature. "There's a ton of people rushing to market right now. Often times what I was seeing from vendors was a significant gap between what is promised and what is actually available as a real feature in a product. Maybe that's a reflection of how quickly the handset market is changing."
When employees do come in with their personal tablets or other devices and want to use them for their jobs, it's also important that workable policies are in place for things such as support expectations. Users may want device support in areas where the a company isn't able to provide it, so those things have to be discussed ahead of time, he said. "The waters are still very muddy," Iatonna says.
MDM lessons learned
Examine how your MDM usage policies will be viewed wherever your company does business, from state to state in the U.S. and in other nations, says Jacobs' Carmody. By asking employees to pay for their mobile bills or devices, you might be affecting changes in employment contracts that could require further reviews with labor unions or other agencies, she explains. If it's not in an existing contract as part of their employment, then you have to follow the contract as it is, she says, especially in locations including Europe, where contract changes are harder to complete.
Another good idea: Put policies into place that lay out which applications will be approved and permissible on employee devices so users can get support as needed, Carmody suggests.
In the larger scheme of things, your MDM deployment could even help you as IT moves more toward the cloud and the possibility of virtual desktops for workers, Carmody says. The lessons you learn -- especially about mobile security -- today can help you with such future initiatives, she explains, so be sure to share that information broadly within the IT team.
At Carfax, one unexpected benefit of the move to more productive mobile devices has been that some workers are now using them instead of their previously issued laptops, Matthews says. "This year I expect that some workers will tell us that they don't need their laptops anymore," which will have the side benefit of simplifying maintenance and support for the IT staff, he explains.
One lesson has become very clear, according to Matthews. "Don't let your fears keep you from trying things," he says. "You will see different ways to reach out to customers that you wouldn't have seen if you didn't look at these mobile devices."
For example, he says, "We have created mobile sales and marketing applications that allow our field reps and customers to have much more valuable conversations with more real-time information," including customer-specific data. "This allows our reps to be much more effective and efficient in how they manage their activities and customers."
In addition, make sure you have a real long-term strategy and understand your needs before you start the project, Netcentric analyst Benedict says. "Don't even bother to implement mobile technology if you don't have a mobile management strategy -- it will be totally wasted."
The way to do that is to become fully educated in what's possible, Benedict says. "Go to big conferences, view webinars, read books and bring educators in to teach and show what's available. Don't build a strategy based on your limited knowledge." Learn about what is possible, he adds.
Analysts: Where MDM can still get better
Mobile management applications have come a long way in the last year or so to help enterprises, says the 451 Group's Hazelton, but there's still more that can improve.
Today, the big needs are managing the devices and handling email, but enterprises are already looking ahead to provide custom provisioning of applications and data to the right people in their organizations so the entire mobile environment can be more secure and more easily managed, Hazelton says.
One other enterprise need that's seeing progress is the creation of private application stores that are providing analytics apps and management tools for mobile enterprise applications, Hazelton explains.
"There's definitely a lot of demand for MDM," he says. "It really answers a pressing pain point for IT departments." But so far, only about 20 to 25% of the marketplace has such strategies in place for iOS and Android devices, based on his research. The numbers are certainly higher for BlackBerry users, he explains, because those devices have been around longer and use RIM's enterprise-ready applications.
"It's most exciting," he says. "You have all this energy around smartphones and enabling them. Enterprise mobility is here for the rest of our careers."
Overall, Carfax's Matthews says, "we tell our employees that it's all one life and you can manage it however you want to do work and your personal stuff. We get a lot more out of employees that way. I think they're happy personally because they don't see this device as tethered to them and they can do other things in between work assignments."
Tips for creating an enterprise MDM strategy
Enterprise IT leaders who have been working to build MDM programs inside their companies offer these ideas for how to get started.
Decide what devices your workers will use, whether they'll be corporate-issued devices or bring-your-own devices that will be supported by the company.
Make sure that whatever devices you choose can handle the level of security that your business requires.
Create and implement strong security and device use policies and be sure to communicate them with employees from the start. Be sure that your devices include remote wiping capabilities and automatic remote alerts that can tell you if unauthorized users are trying to access or hack the devices.
Require and implement mandatory strong passwords to keep them as secure as possible.
Examine how your MDM plan terms will be viewed legally wherever your company does business, from state to state in the U.S. and in other nations, to be sure that you abide by all applicable laws.
Explain to employees which applications will be approved and permissible on employee devices.
Don't be surprised if there is some disgruntlement from some employees when the new MDM strategy is implemented. Make sure to educate, train and, if possible, offer some benefit with the new approach.
Remember that your MDM plan will never be finished, but will need to constantly evolve as new devices and technologies are introduced.
- Todd R. Weiss
Todd R. Weiss is an award-winning technology journalist and freelance writer who worked as a staff reporter for Computerworld.com from 2000 to 2008. Follow him on Twitter, where his handle is @TechManTalking, or email him at firstname.lastname@example.org.