Transcript
SPECIAL REPORT
DECEMBER 2011
Mobile and BYOD
In This Deep Dive

BYOD STRATEGY
The BYOD era is here ............................................ 2
The CIO’s BYOD rethink .......................................... 6
The secret of consumerization .................................. 11
    Sidebar: The case for user innovation ...................... 15
MOBILE STRATEGY
Device management, OS by OS .................................... 16
    Table: Mobile management and security capabilities compared  17
    Sidebar: What the mobile management vendors offer .......... 19
The app management tools ....................................... 20
Don’t overdo app management .................................... 23
Mobile security: Safer than PCs ................................ 26
HANDS-ON
Say yes to (almost) any device ................................. 28
    Chart: How each mobile platform’s securability compares .... 33
BES: Express or deluxe? ........................................ 34
Simple iOS support how-to ...................................... 37

Copyright © 2011 InfoWorld Media Group. All rights reserved.
Mobile and BYOD Deep Dive

BYOD STRATEGY
The BYOD era is here
A heterogeneous mobile device world means new thinking for IT and legal

By Galen Gruman

It’s time for IT to face facts: the great corporate barrier against employees using personal smartphones has been breached. Despite everything you may believe about the need to control employee access and equipment, it’s clear that doing so no longer means forcing employees to use only a standard corporate device. In fact, more than half of businesses in 2011 have entered the world of bring your own device (BYOD), in which employees own or choose the smartphones and tablets they use in the corporate environment — devices also used for personal purposes. Some organizations are even subsidizing employees’ service plans as an easy way to avoid the procurement and management headaches of an increasingly standard piece of work equipment. So the question is not whether, but how.
THE OWNERSHIP ISSUE CAN BE TRICKY

Some organizations — especially those in government, health care, and defense — face a new legal question: Who actually needs to own the device? There’s no clear answer to that question as yet, but the fundamental issue is when ownership is necessary to gain management control. More conservative organizations often decide they need legal ownership of the device. The result has been three different approaches to handling ownership, in order of popularity:

Shared management. The organization’s contractor and employment policies boil down to “if you access business resources from a personal device, you give us the right to manage, lock, and even wipe that device, even if you end up losing personal data and apps as a result.” This is often codified with a written agreement that spells out management expectations for both parties.

Corporate ownership and provisioning. The organization buys and owns the device, even if it allows nonbusiness use on it. Employees who don’t like the phone service on such devices (they may not get free minutes when calling family members and friends) are free to carry a personal device as well that has no corporate access.

Legal transfer. The organization buys the device from the user. In some cases, that ownership is permanent — a surefire way to dissuade employees from participating. In other cases, the organization buys the device for a token amount (say, a dollar), gives the user the right to use it for personal purposes, and commits to selling it back for the same price when the employee leaves the organization — that approach is more likely to gain user acceptance.
EMPLOYEE-OWNED MOBILE DEVICES: A QUESTION OF MONEY

Subsidizing employees’ use of their own mobile devices seems like a great way to contain cell phone costs. After all, reimbursing a flat fee for work usage of employees’ phones can cap your monthly per-user costs and reduce the likelihood of inactive cell phones going unnoticed on the rolls. Moreover, you can eliminate the need to fight with carriers over billing or to outsource this activity to a TEM (telecom expense management) firm to ensure you’re not being cheated. (To get a sense of the severity of carrier billing issues, consider this: Even after paying TEM firms to review and fix billing issues, TEM clients come out ahead, saving real money on their telecom bills.)

But moving to a subsidized, employee-owned smartphone or tablet plan probably won’t save you money, says Michael Voellinger, executive vice president at Telwares, a telecom services and consulting firm with a long history in the TEM business. “It’s usually a wash,” says Voellinger, whose firm has seen some clients save money this way, while others ended up spending more.

Why isn’t a capped per-user payment cheaper than setting up and managing a company-wide plan? Because many of the issues that come with employer-paid devices also apply when the employee pays. For example, if an employee goes overseas and incurs roaming costs, who pays? Or when an employee exceeds a data plan’s limits for work purposes, how do you determine your share of this cost? As it turns out, your largest cost ends up being staff time to figure out and process these exceptions as they occur, not the specific extra charges themselves, Voellinger notes. Moreover, if device charges are treated as a reimbursable expense, it becomes difficult to quantify your telecom spend across the organization. In essence, you’re burying the data, which tends to lead to unnecessary usage and, thus, higher costs.
EMPLOYER-OWNED MOBILE DEVICES: A QUESTION OF MANAGEMENT

Of course, many companies that issue devices to employees do a poor job monitoring and keeping track of devices. This often leads to some employee usage bills of several thousand dollars in any given month, as well as “ghost” devices that continue to be paid for even after the employee is gone.

Voellinger advises companies to consider the context of their employees’ device use before settling on a strategy. For example, if most employees’ use of devices for work purposes is limited, then a subsidized, employee-owned device plan can make sense, as it adds convenience at a predictable cost. This approach can also make sense for dispersed organizations, especially those spanning multiple countries, as no single carrier can meet all of their device needs, thereby reducing the savings typically available via group discounts and bulk purchases. But subsidizing employees’ personal device use could end up costing much more than an organization-wide plan from a single carrier, Voellinger notes, especially when reliance on mobile minutes and bytes is heavy. For some businesses, cost won’t be the deciding factor: Strict auditing or compliance standards may require you to keep personal and corporate systems separate. Although Voellinger advises companies to issue and manage employee devices, he says some companies will nonetheless end up with personal devices in use and should factor them into their policies and systems. (Voellinger walks through many of the considerations in his own blog.)
YOUR MOBILE DEVICE STRATEGY: OBTAINING THE RIGHT MIX

Of course, your device strategy need not be black-and-white. Some companies may want to mix employee subsidies for certain users with company-provided devices for other users, Voellinger suggests. In other words, you may have several classes of users and choose a different provisioning and cost strategy for each. Forrester analyst Ted Schadler strongly recommends dividing your information workers into several groups based on how their mobile enablement benefits the company. “Don’t treat everyone the same,” he says. For example, you might segment your staff as follows:

- Those who use the most sensitive data get company-paid, company-managed devices.
- Those who work extensively away from their desks receive subsidies for most or all of their personal device charges.
- Those who work away from their desks occasionally receive a partial subsidy for their personal device use.
- Those who rarely work away from their desks receive no subsidy, and you may consider locking their devices out of your systems altogether.

When considering costs, don’t forget that there is more than just service plans and device costs. The complexity of supporting multiple kinds of devices — a mix of BlackBerrys, Android devices, and iPhones and iPads — adds a cost as well, Voellinger notes. The price for that extra support could neutralize any savings you earn by focusing entirely on cell phone access charges. Then again, that cost could be worth it, Voellinger notes, as it allows you to use the right device for the job. This approach often bolsters employee productivity through increased satisfaction, given the expectations of today’s employees, Voellinger says: “What makes my blood boil is that an employee gets downgraded when they walk in the door” compared with what they use at home. The employee’s reaction is increasingly likely to be, “You’re seriously going to hand me XP Pro and a BlackBerry Curve?” And don’t forget that company-issued and company-managed devices have their own support costs, not just for employee support but also for billing and asset management.
NAVIGATING MOBILE DEVICES’ DUAL-USE NATURE

One argument for allowing employees to use their own devices for work purposes is that carrying two devices and having two mobile phone numbers is a pain. Sure, people have long had personal phones at home and office phones at work, but because people carry their devices with them most of the time, it can be an employee-friendly policy to let them use just one device for both purposes. It could be a personal device that’s subsidized for work usage or a work device that allows personal usage to a certain cost limit. People take care of personal issues on their work phones and take work calls at home, so allowing for the same mix on a cell phone isn’t a stretch.

Data capabilities, however, provide a new wrinkle, and the fact that employees’ devices can store and access company information such as emails, contacts, calendars, and documents is enough to make many IT and security pros wince at the thought of dual use. This problem is not unique to devices. Many employees work at home — and even at the office — on personal computers. Gartner estimates that more than 15 percent of midsize businesses allow employees to use their own personal laptop at work. Also, some users play games, check personal email, or run iTunes or Windows Media Player at work to listen to their personal music on their work computers. “The focus is on mobile, but the problem is universal. What’s the demarcation? There is none,” says Telwares’ Voellinger. “By owning the asset [the smartphone or PC], is the prevention [of abuse or breach] any different? The risk is still the same.”

That’s why the “secret” to device management is “treating employees like grown-ups and using a ‘trust and verify’ model for policy control,” Forrester’s Schadler says. “You have to stop treating it as an IT policing issue and instead treat it as a business risk management question.” More and more companies are making this shift in their thinking, Schadler says, not just for devices but also for bring-your-own PCs (and Macs) and other user-facing technologies.
Yet for devices, the dual-use bar for managing access and data security is quite different, given that most devices don’t yet offer PC-level security and management capabilities. For example, it’s fairly straightforward to require the use of encryption, certificates, and other security tools on Windows PCs, no matter who owns them, thereby allowing IT to ensure that a home PC is secured the same way as a work one. (For Macs, it’s not quite as easy, but still largely possible.) But for devices, security and management capabilities vary greatly from device to device. BlackBerrys, iOS devices, some Android devices, and Windows Mobile devices can enforce PC-level security and data management if the business has the right policy servers in place. Very few policies are enforceable on WebOS, Windows Phone 7, the 2.x (smartphone) version of Google Android, and Nokia Symbian devices. Third-party tools are beginning to change that reality, but by and large it’s fair to say that you can’t control the data and access on these newer devices at the same level you can a home PC.

“You need to strike a balance between an IT-controlled management tool set such as you have built for desktop management and employee-led management, where employees are responsible for their own devices,” says Schadler. “That balance point will vary based on your industry and culture.”
SURPRISE: YOU PROBABLY CAN’T CONTROL AS MUCH AS YOU MAY WANT

Further complicating this issue are the legal ramifications of dual-use devices. The laws on what employers can do with employees’ personal equipment and accounts haven’t caught up to today’s mix of devices and cloud services, notes Peter Vogel, an attorney at Gardere Wynne Sewell who specializes in Internet, computer, and e-discovery issues. There are plenty of misunderstandings as to what a business can and can’t control. Despite the legal ambiguity from conflicting court decisions and the lack of precedent in many areas, patterns have developed in cases involving home PCs and other personal technology that may influence your device ownership strategy.

For example, corporate email belongs to the company, and the company has full access to it, no matter where the employee accesses it. Plus, the company can set policies for what is transmitted through corporate email. “But email issues are complicated by employees who use Webmail services such as Gmail, AOL, and Hotmail to conduct company business. Many courts have ruled that employers lose confidentiality and potentially valuable trade secrets when employees send confidential information via Webmail,” Vogel says. That reasoning could easily be applied to the use of personal devices.

International issues also pop up, Vogel notes: “Generally in the U.S. emails are private to employers, while in the E.U., Canada, and Japan emails are private to employees. Furthermore, in the E.U. there are data privacy laws for individuals called the 1995 Data Directive that permits citizens of the E.U. to access any computer that contains data about them and change that data. The U.S. has nothing like this at all, and when there are communications between the E.U. and U.S., determining which law applies gets very complicated.”

In a 2008 case, a federal court ruled that text messages on police department-paid pagers belonged to the police officers, not the police department, because the messages were stored by a carrier. The department wanted the messages to see which were personal so that it could calculate how much the officers owed the department for personal use. Vogel says this case was decided on very narrow grounds — the fact that the messages were stored at the carrier, which is subject to different laws than a company that stores its own records — but nonetheless raises the kind of ambiguity sure to surface as devices are used increasingly for both personal and corporate activities.

You might try to deal with these and other issues through employment agreements, Vogel suggests. “Generally employees are bound to the terms of employment agreements,” he explains. “So if the employment agreement states that the employees provide their own PDAs or smartphones but the employer pays a monthly allowance, one would have to look at the terms of the employment agreement to see if the employee is entitled to privacy.” But “generally just having a corporate policy is not enough without some affirmation of the employees to agree,” Vogel notes. “Companies run the risk that courts will conclude that even though corporate policies are in place, they are either unenforced or selectively enforced.
As a result, without rigid enforcement, a company cannot depend on the courts to adopt these corporate policies regarding who owns emails and text messages and who is entitled to privacy.” Another issue: What information on these devices is discoverable in a court case? “Every state is wrestling with this,” says Telwares’ Voellinger. “Pennsylvania, for example, assumes that the moment information goes out onto public networks, it’s discoverable.” That could cover anything delivered through the Internet, for example, which devices and PCs use routinely.
THE PRACTICAL ISSUES OF PERSONAL DEVICE USE

Beyond the law are practical considerations: If an employee uses a personal device for business purposes and then leaves the company, customers and partners can still contact that former employee — and may not know how to contact his or her replacement. If the company issues the smartphone, the phone number can be moved to another employee, Voellinger notes. But this risk is neither new nor smartphone-specific.

Moreover, although BlackBerrys, iPads, iPhones, Windows Mobile devices, and some Android devices support remote-wipe capabilities, there’s a risk that an employee-owned device could still retain corporate data when the employee leaves, Voellinger says. The risk here can be largely managed by requiring employees to use devices that meet specific requirements, so the devices you let access your networks are ones you know you can manage as needed, no matter who owns them.

Some employees may be less apt to answer a personal smartphone after hours when it is subsidized by the employer than to answer a work smartphone issued by the employer, Voellinger says. The reason: The employee figures the subsidy just applies to work hours, especially if getting reimbursed for extra work usage is a painful process. On the other hand, if the phone is routinely used for work and business purposes, there may be no rigid work/home time boundaries in the employee’s mind.

Forrester’s Schadler also recommends that your corporate policy be thought out more than most are: “Most firms that support iPhones require their employees to sign a statement that lets the company do a remote wipe on the device and implement other policies in exchange for application support. [We recommend that you] extend this policy-based approach to cover jailbreaking, password requirements, and use of features such as cameras and GPS for work purposes.”

In the end, who should own your smartphone or tablet? Sometimes the employee, sometimes the company, and sometimes both. There are good reasons for all three scenarios, even in the same company. The trick is to understand the ownership options that make the most sense in your context, not fall back to “this is how we’ve always done it.”

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.
BYOD STRATEGY
The CIO’s BYOD rethink
The notions of risk and control differ with mobile devices and other BYOD

By Galen Gruman

How does your CIO (or you, if you are the CIO) view the influx of iPads, iPhones, and Androids into the organization by individual users and business departments?

1. It’s an unauthorized invasion driven by naive users that will increase costs and threaten security and compliance. It must be stopped or at least contained.
2. It’s an unauthorized trend that suggests there’s something wrong with the status quo of what the IT organization provides or supports — and perhaps a surprise trend that indicates IT has fallen out of touch.
3. It’s a positive development that IT can both support and leverage for the benefit of users, of IT, and of the organization as a whole.

If the answer is 1, your CIO is very likely the wrong person to lead the IT organization going forward. The best answer is 3, though if the answer is 2, that means the CIO is capable of rethinking his or her management framework to meet the changing realities of organizations today. Unfortunately, a lot of organizations still choose answer 1.

Why is the CIO’s reaction to the “bring your own device” phenomenon such a litmus test? Because it encapsulates most of the issues that face businesses today in terms of technology. InfoWorld’s Eric Knorr has nicely described this new empowered-user reality and proposed basic approaches IT should take to adapt, so I won’t retread those steps here. InfoWorld’s Bob Lewis has also explained why the underlying control orientation of data-processing-style IT simply doesn’t work today, so I won’t repeat that either. What I will show is why the first answer is the wrong answer. Thanks to a series of studies by the research firm Aberdeen Group, there are hard numbers to show that the additional costs are trivial, that the economic savings are significant (covering those extra costs several times over), and — perhaps most important to risk-averse CIOs and their compliance-focused brethren — that a proactive BYOD strategy actually increases security and compliance.
Note: I’m using “BYOD” to also include “choose your own device,” not just “bring your own device,” as there are reasons a company may want to own the device legally. Either way, the result is support for user-driven heterogeneity.

“Being best in class lowers both the costs and the risks,” says Andrew Borg, the mobility analyst at Aberdeen. This means having a policy-based approach to management, using IT Service Management (ITSM) principles, he says, which should be in place anyhow in any large organization. Most companies are not best in class, relying on inefficient, endpoint-oriented approaches that cost a lot and drive users to work around IT. Plus, embracing mobile heterogeneity “is a transformation of IT’s role, a move from a role of naysayer to an enabler for business,” he says — a way “to get out of the dog house” IT has put itself in recently.

Borg points out that mobility is viewed as one of the most strategic business initiatives for 2011 in Aberdeen’s corporate surveys. In fact, more than half of companies see it as a way to increase employee productivity. As a result, users get the tools they want or need (it doesn’t matter whether it is want or need — perhaps the first lesson for old-school CIOs to learn), the business gets extra flexibility and capability to execute better, and IT wins greater assurance on security and compliance without diving into a bottomless pit of work and expense.
MOBILE SECURITY IS NOT DIFFICULT TO ACHIEVE — BUT OFTEN IS NOT

In almost every organization, users have brought in iPhones, iPads, and other mobile devices, regardless of what the corporate standard might be. Some departments pay for them in a typical “shadow IT” response to IT saying no, and many employees simply use their own devices as adjuncts to whatever is officially provisioned. Aberdeen’s surveys show:

- The average number of mobile platforms currently supported by enterprises today is 2.9 — thus, already the norm for most is not a BlackBerry-only world.
- Today, 62 percent of companies surveyed have formal BlackBerry support in place, 43 percent for iOS, 30 percent for Android, 24 percent for Windows Mobile, 13 percent for Symbian, and 13 percent for Windows Phone.
- Today, 80 percent of companies surveyed allow BlackBerrys (with or without formal support), 77 percent allow iOS, 61 percent allow Android, 46 percent allow Windows Mobile, 33 percent allow Symbian, and 31 percent allow Windows Phone.

The bottom line is that BYOD (that is, device heterogeneity) happens whether you want it to or not. If you’re told to embrace the unofficial BYOD, an old-school CIO’s first reaction will likely be that these devices are risky in terms of security and should be disallowed. If you’re a BlackBerry shop using RIM’s BlackBerry Enterprise Server (BES) product, that’s almost certainly your reaction. However, for the vast majority of security needs, mobile device management (MDM) tools deliver what you need for iOS devices, thanks to Apple’s native MDM APIs, and often for Android devices, usually by installing a client app. If you have modest security needs and use Microsoft Exchange or an Exchange ActiveSync (EAS)-compatible email server, you can ensure security compliance directly for iOS devices and some Android devices (any noncompliant devices are simply denied access) — no third-party MDM needed.

Ironically, the “say no” approach increases the risk of data breaches, data loss, and noncompliance. Only 26 percent of “laggards” (the bottom 30 percent of companies surveyed) centrally manage their mobile devices over the air, Aberdeen has found, though this is a basic capability of most MDM tools and is easy to deploy. Instead, they do nothing or have desktop support staff individually set up mobile devices. One result: 67 percent of “laggards” don’t recover or decommission lost or stolen devices — an expensive loss given regulatory reporting requirements. Compare that to 3.4 percent for the best-in-class companies — those that on average manage 88 percent of employees’ mobile devices — and 4.9 percent of “average” companies, the middle 50 percent, who on average manage 44 percent of employees’ mobile devices.
More shocking, only 30 percent of tablets — which really means iPads, given that 99 percent of corporate-used tablets are iPads — are remotely wipeable. Never mind that remote wipe is a basic MDM capability that even Exchange all by itself supports, or that the mechanism for enabling remote wipe on a tablet (iOS or Android) is the same as for an iPhone, so it should be automatically enabled for any tablet that has email access. “There’s no reason that iPads should be less managed than iPhones — yet they are,” Borg says. That suggests IT’s approach to them is the problem; it’s either ignoring them or trying to impose burdensome high-touch controls that keep many iPads in the shadows.

The truth is, in the last year mobile security has become a straightforward issue to handle. If you don’t allow access on mobile devices, your employees will work around you. For example, they may forward email from their “secured” desktop clients to Gmail and Hotmail accounts they then access on their smartphones or tablets, where they’re both invisible to you and at much higher risk for data loss or breach. In fact, this is so routine, it’s not funny.

Aberdeen’s Borg points out that IT has a great carrot here that it often is not using: email access. IT should start by securing corporate email access and telling employees, “ ‘If you want email, meet policies.’ That is the carrot that works for everyone.” After all, people who have unsanctioned devices almost always want to access their email and calendars from them. Thus, they need to go through your email server — which can impose policies such as requiring on-device encryption, password requirements, and automatic device wipe after a specified number of failed attempts. In other words, telling users they can access email officially gives you the very control lost when you block them from that access. Because the technology is policy-based, you don’t need to know the specific devices a user has or configure them yourself — the server validates compliance and acts accordingly. You don’t need to manage the endpoints, just the gateways to your data. For those devices that need the user to install specific apps to achieve policy compliance, it’s easy enough to provide an intranet page linking to them, along with a list of recommended or approved devices.

Note: That’s why you’d also require a VPN to access sensitive data and might use virtual LANs on your wireless network to segregate sensitive traffic from personal traffic.
But if you allow remote access into your organization’s network and data repositories, you should be doing this already. The fact that the client happens to be mobile is irrelevant.

Some CIOs raise the compliance bugaboo, suggesting that HIPAA, Sarbanes-Oxley, HICAP, PCI, and all the other regulations make it impossible to embrace mobility. That’s simply not true. Using an MDM tool, “from the device perspective BlackBerry and iOS can be made compliant with every regulation I’m aware of,” Borg says. That does leave one gaping hole: Android, a platform whose popularity is surpassing the iPhone’s. Windows Phone 7 and WebOS are likewise not very securable, but, by contrast, their market shares are very tiny, so they’re usually not an issue from users’ perspectives. Borg says that eventually Android will be manageable as well, but for now only a few Android devices can meet such regulatory requirements, such as Samsung tablets when managed by Sybase’s Afaria product. And the new Android 4 OS brings with it EAS support nearly as strong as iOS’s for both smartphones and tablets, and Android 3 for tablets did the same. Plus, Motorola Mobility’s line of business Android smartphones incorporates the same level of security. So both Exchange shops and MDM vendors have more to work with on the Android front than in its early years.

Thus, your policy as CIO should be that compliant devices are allowed in. As long as the compliance requirements IT imposes are reasonable, employees will respect them. You may need more than one level of compliance; employees who work with and access nonsensitive information should have less onerous compliance policies. Companies already do that with, say, financial and employee information, so they should be able to extend that tiered access thinking to device policies. For example, maybe any device is allowed to use the public virtual LAN to access the Internet, but only devices that support on-device encryption, remote wipe, and password requirements can access corporate email and general file shares. Additionally, only devices that support VPNs and certificates can access sensitive data that should be gated within the internal network anyhow, such as through VPNs, certificates, and the like. The bottom line: In exchange for reasonable freedom of device, users allow IT to manage their devices via policies.
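The email-gateway enforcement described earlier (on-device encryption, password rules, wipe after too many failed unlocks, refusal of devices that cannot honour the policy) and the tiered-compliance idea above can both be expressed as Exchange ActiveSync mailbox policies. The following is an added example written for this edit, not code from the InfoWorld report or from Microsoft; it assumes the Exchange 2010 Management Shell, and the cmdlet and parameter names are those of that release as the editor recalls them (confirm with Get-Help before use). The policy names, the “Finance” group, the mailbox and notification addresses, and the example.com domain are all constructed placeholders.

```powershell
# Added example (not from the InfoWorld article): a two-tier Exchange ActiveSync
# policy set, Exchange 2010 Management Shell. Names and addresses are constructed.

# Tier 1: general staff. Devices that cannot enforce these settings (the
# "noncompliant" devices the article mentions) are refused mail sync rather
# than silently allowed, which is what AllowNonProvisionableDevices $false does.
New-ActiveSyncMailboxPolicy -Name "BYOD-Standard" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true

# Tier 2: users who handle sensitive data. Same baseline, stricter password and
# lock-out, storage-card encryption, and the camera disabled for work use.
New-ActiveSyncMailboxPolicy -Name "BYOD-Sensitive" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxInactivityTimeDeviceLock 00:02:00 `
    -MaxDevicePasswordFailedAttempts 5 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowCamera $false

# Assignment: everyone gets the standard tier by default; members of the
# constructed "Finance" group are moved to the stricter tier.
Set-ActiveSyncMailboxPolicy -Identity "BYOD-Standard" -IsDefaultPolicy $true
Get-DistributionGroupMember -Identity "Finance" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "BYOD-Sensitive"

# Device types the organization has decided it cannot manage are quarantined
# (the administrator is notified) instead of being allowed to sync by default.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "helpdesk@example.com"
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString "iPad" -AccessLevel Allow

# Verification: which devices are partnered with a mailbox, whether they can be
# wiped remotely, and when they last acknowledged the policy.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceModel, DeviceOS,
                  IsRemoteWipeSupported, LastPolicyUpdateTime

# The "basic capability" the article says most tablets lack in practice:
# a server-side wipe of a lost device, with a notification to the help desk.
Get-ActiveSyncDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceType -eq "iPad" } |
    Clear-ActiveSyncDevice -NotificationEmailAddresses "helpdesk@example.com"
```

The design point is the one the article makes: nothing here touches an endpoint directly. The server states the policy, the device either provisions itself to meet it or is refused, and the audit trail (LastPolicyUpdateTime, IsRemoteWipeSupported) comes from the same gateway, so the 30-percent-of-tablets gap can be measured rather than guessed at.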
Many companies require employees to explicitly agree to this, others simply assert it as a policy, and some insist on owning the device even if they allow employee choice — that’s an HR or legal issue the CIO can leave to others to figure out. The CIO’s job is to ensure the policies are executed at the technology level.

Yes, there will always be rogue users, mobile or otherwise, who continue to forward work email to noncompliant devices. Users also transfer data to their home desktops this way, so the behavior needs to be treated more broadly. “The organization has become permeable, so you need to look at the whole picture,” Borg says — not just specific endpoint devices. “You need to move the focus from the endpoints to the core,” he says.

As for securing applications — usually the next objection raised after the device issue is neutralized — there are tools to do so where it makes sense. The first question, of course, should be whether it matters what games a user might install or what office app they use. Chances are it doesn’t matter. Again, the right approach is to apply policies to those applications where there’s material risk or other need for direct management, such as licensing compliance and access monitoring. The sandbox segregation of iOS and BlackBerry OS reduces the risk of malware problems, though again Android devices fall behind and may end up being supported only for nonsensitive classes of users.
MOBILE COSTS DON’T INCREASE APPRECIABLY WITH BYOD

Once an old-school CIO gets over the security excuse, he or she usually raises the cost objection:

- Given the huge number of devices, IT support costs will skyrocket, and IT will be overwhelmed with calls and need extensive training on every possible device.
- The internal network will require a significant capacity increase — from bandwidth to available IP addresses for the DHCP server — to handle the tripling or quadrupling of devices that access it (over Wi-Fi).
- Telecom costs will skyrocket as everyone gets a data plan for each and every device.

Baloney. Let’s take those three cost objections one by one.

First, Aberdeen’s research has found that support costs go up just 1.3 percent for best-in-class companies and up 7.0 percent for the rest when they allow device heterogeneity. That’s a low rise, even among those not best in class. One reason is simple: When users choose their own devices, they tend to pick ones they know and learn the ones they pick. In other words, they aren’t dependent on IT. “They are more self-supporting,” Borg says. When such users call IT, it tends to be for two reasons, according to Brian Reed, marketing chief at mobile services management provider Boxtone: help with forgotten passwords and problems with cellular coverage (which IT can’t help with, of course), not with the devices themselves. I’ve talked to more than a dozen CIOs who’ve allowed users to choose their own devices, whether or not paid for by the company, and not one has had an issue with support costs as a result. Aberdeen’s data shows their experience is the norm. In fact, this data suggests that forcing all users to use a specific device is likelier to increase support costs than allowing users to choose their own devices. Those who don’t care will take the standard issue, Borg notes. “There are indeed costs to training and expertise. However, you probably have existing talent to support iOS and Android, but even if you need to add talent, the costs are low,” Borg says. He also says most organizations recoup that extra cost because BYOD lowers corporate spending by replacing at least some employer-paid devices with employee-paid ones. (And iOS devices are cheapest to support, so a switch to them could actually save IT support costs.)

Second, Borg chuckled when I raised the specter of network costs ballooning as iPads, iPhones, and Androids invaded the workplace and camped on Wi-Fi networks all day. Sure, you will need more IP addresses and perhaps more wireless network bandwidth. “But it’s time for retirement if a CIO can’t add servers. Solutions are available to grow beyond where you are, and it’s just an incremental cost. It’s not rocket science, full of danger, or high-cost,” he says. CIOs will need to address network growth regardless of smartphones and tablets, Borg notes. His research shows 22 types of devices are already available on wireless LANs, such as video surveillance, videoconferencing, and HVAC controls: “And these are just the beginning.” The fact is that wireless connectivity needs will increase anyhow, so CIOs need to plan accordingly whether or not they like the BYOD idea.

Third, there’s the issue of telecom costs rising as employees get 3G data plans for all those devices. Of course, the first question the CIO should ask is “Why do I care?” Such costs should not be IT costs but business costs.
Business units should figure out sensible policies for mobile network access costs, then apply them through a technology called the budget, which managers and the CFO’s organization are more than capable of handling. They can decide which employees really need three data plans and who doesn’t, when it makes sense to stop reimbursing $15-per-night hotel Wi-Fi charges in favor of 30-day tablet 3G plans that cover several trips for $20 or $30, and the like. The good news is that carriers typically charge consumers less for data plans than they charge businesses, so you often save one-third to half the cost simply by having the employee do the purchasing. This is one reason the BYOD phenomenon has become so popular. Another reason: Rather than poring over telecom bills to catch errors and departed employees’ plans, a company can stop worrying about the problem by using a stipend approach instead. It used to be that you could negotiate preferred rates for telecom by playing one carrier off another, but as we move to having just two major carriers (and only two if you plan on supporting both iPhones and iPads, though Sprint may get 3G iPads in 2012), that leverage is disappearing. Plus, if you support BYOD, you must have multiple carriers — individuals’ family plans are too powerful for them to switch carriers for the company’s benefit. Whoever manages telecom — the CFO’s office, the CIO’s office, or some other business unit — can simply dispense with the headaches, at least for mobile telecom.

Using a stipend has other advantages: It creates cost certainty, as you decide how much each employee will receive or be reimbursed, if you prefer. You can have multiple classes of stipend to address the fact that some employees are always on the road; for them it’s to the company’s advantage to cover both basic smartphone and tablet costs to ensure 24/7 access, whereas for others it’s a workday need only, so a stipend that covers part or all of one device’s telecom costs is sufficient. It lets users leverage their family plans, so calls to other family members and friends don’t accrue against them — which would otherwise add pressure on the company to increase the stipend amount. It makes employees pay closer attention to costs: They’re less likely to ignore the “you’re roaming overseas” prompts on their iPads to turn off roaming if they know they’ll foot the bill for it. It reinforces that employees have both freedom and the responsibility that comes with it, reinforcing the notion of being a trusted member of the team.
“My IT controller discovered the capped stipend idea years ago, and it has been a bonanza,” says Bernard “Bud” Mathaisel, executive adviser and CIO of Achievo, a software and IT outsourcer, and former CIO of Disney, Ford, Solectron, and other large companies. “It allowed us to plan and track IT budgets, while giving the users something they wanted, with them governing how the device was used, who they chose for their plan, and how they contracted. It took IT out of the personal independence equation, and everyone was happy.”

An old-school CFO, lawyer, or HR director may be nervous about such an approach, fearing liability for unreimbursed expenses or for having different reimbursement classes. But businesses have long done this: They cap allowable meal expenses for travelers and often airfares and hotel costs — that’s a capped reimbursement. To avoid the accounting overhead, some provide per-diem expenses regardless of what employees actually spend — that’s a capped stipend. The same thinking is used for bonuses, salaries, stock grants, the ability to work at home, access to company vehicles, and the like, so applying that approach to mobile devices and associated costs really should be no big deal. In any event, this is not the CIO’s or IT’s problem.
THE TRICKIER ISSUE: THE NOTION OF SHARED OWNERSHIP
What all of this comes down to is a different view of technology: It says that the device and its service are jointly owned by the company and the employee, not clearly by one or the other. Although iOS and BlackBerry provide the tools to manage company assets separately from employee assets, and there are ways to accomplish some of that in Android, it’s the very sharedness that is at the root of a lot of fear over BYOD.

The same Aberdeen research that dispels the security and cost myths about mobile heterogeneity also shows a curious fact: Half of the best-in-class companies don’t let employees bring in their own devices. The other half are split between letting them bring in any compliant device and one on a preapproved list. For the rest of the companies surveyed, more than half let employees bring in any device. Thus, those companies best able to manage BYOD are least likely to allow its fullest form. If you’re an old-school CIO, you’ll take that fact and use it to show why you should ban most devices — all while characterizing it as an expansion of what is allowed, of course. But what the data really indicate is that companies that allow a free-for-all are not best in class; they have no visibility into what is accessing their network and data, and they have few or no policies at the network or data level. They’ve abdicated their responsibility.

The best-in-class companies do in fact support heterogeneity: 74 percent of them support two or more devices, versus 65 percent of all companies and 45 percent of laggards. The problem many of them have is in giving up ownership of the device, often because they believe they need that ownership to enforce the policies. Ironically, a conservative approach to ownership did not translate into a conservative approach to heterogeneity. Aberdeen’s data shows that these best-in-class companies that insist on owning the devices are beginning to change their minds as they gain confidence in their management of device heterogeneity. The surveys show that a higher percentage of the best-in-class companies currently insisting on device ownership are planning to allow some or complete employee ownership than of the average companies that currently insist on device ownership. Borg says this demonstrates a methodical approach to mobile heterogeneity that takes the challenge one step at a time to ensure it works over the long term: “It’s a matter of trust and a more cautious approach. The best-in-class companies pilot before they deploy and ensure that the MDM solutions work as advertised with employee-liable [employee-owned] devices. They know that once the horse has left the proverbial barn, there’s no turning back.”

When all is said and done, a modern CIO will look — if he or she hasn’t already done so — at mobile heterogeneity and user choice as powerful benefits for the organization that IT can easily support and even drive. The tools are there, the methods are known, the risks are lower than for inaction or avoidance, and the goodwill that results is strong. Perhaps even more valuable: Addressing mobile heterogeneity through a policies-based approach is a great way to pilot the postmodern, stewardship-oriented IT philosophy that will be needed for the cloud, social technology, analytics, and all the other technology-augmented business activities that a modern company and its employees rely on. Rick Pople, global IT practices leader at the consultancy Hackett Group, says most organizations will struggle with this new world. Middle managers are right to be concerned that they will end up with a heterogeneous mess — the whole picture has not been thought through the right way.
“That’s why they are wrapped in the notion of maintaining control over the environment rather than embracing the fact that the global, heterogeneous nature of transactions, platforms, and data allows a greater degree of freedom — in a deliberate way,” Pople says. That is why a CIO’s reaction to the BYOD phenomenon is such a litmus test of that CIO’s ability to lead today: Mobile is just the most pressing, obvious example of a deeper change coming.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.

BYOD STRATEGY
The secret of consumerization
A strong social impulse is what’s driving BYOD and the shift to user centrism
By Galen Gruman

I have yet to meet an IT exec or CIO for whom the “consumerization of IT” — employees asserting control over the technology they use for work — isn’t now a major area of contemplation. And sometimes consternation. But there’s more to the trend than Apple-blinded employees bringing Macs, iPhones, and iPads into the office, even if they are the most identifiable champions of this trend. Let me take you through the key issues behind the consumerization — there’s much more to it than mobile devices.

Something is changing
Two years ago, iPhones started appearing in the office, often connecting to corporate email and Wi-Fi networks. For many, that marked the beginning of the phenomenon known as the consumerization of IT, but it started years before the iPhone. People have been using their home PCs and Macs — systems not typically under strict IT management — for years, and of course Salesforce.com created a booming business selling cloud-based salesforce automation software directly to business execs, explicitly and proudly bypassing IT, half a decade ago. As is usually the case with anything new, the IT reaction was to say no, and fears about security breaches quickly became the justifications for the policy. But just as with the home computer, public hotspot, and Salesforce.com phenomena that came before, the cost savings, lack of actual significant security problems, and executive joy at the new technology forced IT to move from “no” to “how.”

What’s really going on
But anyone who believes the consumerization phenomenon is driven by just technology is missing the point. The real change — and why it’s ultimately not an IT decision — is a change in business itself. The 1950s were the pinnacle of the hierarchical, military-style “company man” business — a consequence of the mass of military-trained World War II soldiers returning to the workforce. Then came the 1960s and 1970s, when individuals asserted their rights as individuals and as members of minority and other groups.
The 1980s saw a deconstruction of the corporation into a flatter model, with fewer middle managers and more employee empowerment. In manufacturing, this became highly codified, using techniques from management gurus such as W. Edwards Deming, including the use of Lean and Six Sigma coupled with employee co-ownership in the form of quality circles and Toyota’s “anyone can stop the assembly line” philosophy. The 1990s and 2000s saw a continuing hollowing out of middle management, the introduction of part-time and contract labor forces, and the replacement of routine work with robots, software, and offshore workers (in societies that largely had no individual-empowerment culture). That left many companies with a smaller set of knowledge workers retained because they could think for themselves, as well as use their intuition, personal skills, and so on, whether for sales, customer service, product design, or operations.

Everything else is decentralizing
The result is a workforce of nomads who come together as needed, using a wide range of resources in a variety of locations. Inevitably, that nomadism accentuates the importance of the tools these employees use to do the work they’re valued for. As each person’s individual strengths vary, so do the tools they prefer to use — and begin to insist on using. This phenomenon is by no means unique to knowledge workers. Many tradespeople — contractors and chefs, for example — have long used their own equipment because of the perceived better fit, quality, and/or feel. Software, computing devices, and the like are the knowledge worker’s equivalent.

The new social compact
Given these fundamental shifts in both business structures and the type of value desired from individual employees, a rift has developed between those new realities and the structures that live on from the “company man” era. For example, employees are told to manage all or most of their retirement savings and to keep up their skills on their own dime and time. The company may help a bit, but it no longer takes care of employees in these ways.
The notion of a job marriage, where doing your job meant lifelong employment and a secure retirement, is gone. Thus, the relationship between the employee and employer has changed to one of ad hoc participation. As long as it makes sense for both the employee and employer, the relationship stands. When either decides the relationship is no longer desired, it’s over. Yet the old “company man” approach lives on in IT and other operational systems. One example is the notion of a standard technology environment, where PCs and their software are reliably stamped out in identical units like cookies in a Mother’s factory. The other is the notion that employees need to be protected from risk by having it removed via technology wherever possible. In other words, whereas employees are told to act like adults when it comes to their retirement and skills, they’re treated like babies when it comes to technology usage.

Technology has to adjust, too
As workers are told to be more independent and self-supporting, they’re fenced in at home. Abbie Lundberg, the former editor in chief of CIO magazine and now a technology management consultant, has a great analogy for this situation: IT, the CSO, the legal department, and often HR treat business employees as babies whom they lock in the house so that they don’t crawl out into the street and get killed. The better metaphor, she says, is to think of business staff as teenagers who are going to drive the car whether you want them to or not. It’s better to teach them how to drive and set limits and expectations, such as having a curfew and no-consequences permission to call for help if they do get in trouble. The truth is that if you fence them in, they will find a way out. And that is what will get them — and the company — in trouble. Remember, today’s knowledge workers are valued for their creativity and drive, and their technology familiarity lets them act on it in the realm once the sanctum of IT.

Some data to consider
The uncomfortable reality for IT and business executives is that most are operating in a fool’s paradise when it comes to the consumerization trend. A recent IDC study shows that although 40 percent of IT decision makers say they let employees access corporate information from employee-owned devices, 70 percent of employees say they access corporate data that way. That means in many organizations IT has no real handle on what is actually happening in the systems it is managing. IDC’s research also shows that the use of personally owned devices is only growing. Other IDC research shows the IT disconnect from the already-consumerized technology reality in their companies.
Note the mismatch in this slide between IT’s and users’ views of policies relating to who pays for mobile services: IT thinks that the business determines and directly pays for business-related access, a view shared only by BlackBerry users (those whom IT provisions). Users of other mobile platforms say they bear the costs or charge them to the company as an expense — and thus make the decisions. In other words, these IT organizations see only the BlackBerrys that represent the pre-consumerization state of their organizations.

Forrester Research says that the consumerization trend will only intensify as the Millennials become a greater proportion of the workforce. In 2010, a quarter of employees were Millennials, a proportion that rises to 40 percent in 2020. Think about it: The Boomers who grew up in the individual-empowerment era of the 1960s and 1970s are largely the ones who have the political clout and financial ability to use their own technologies, but the generations that follow see such technology as simply normal. I’ve heard several CIOs at large, conservative enterprises say they had to allow iOS and Android devices because “kids” wouldn’t work for a firm that forced them to use a BlackBerry and a Windows XP PC. The U.S. Army is a great example; it’s proactively looking to deploy Android devices and iPads, and it’s training troops on appropriate use of iPhones and other such devices because its 20-something workforce uses them anyhow.

One more study, this time from Aberdeen Research. I covered it in detail earlier this year in my blog because its conclusion is such a shocker: The more you try to control employee-oriented technology, the more it costs you and the less safe you are (see page 6). Remember that analogy of trying to fence in teenagers? That’s why: When you rigidly control the technology and processes of knowledge workers, they actively work around you — and against you. Your “secured” email ends up getting forwarded to Gmail and Hotmail accounts where you have zero control or visibility into it. Documents find their way onto CD-Rs, thumb drives, and cloud storage for transfer to home computers and from there to mobile devices. Cloud apps will be used more and more, as IT becomes viewed as the obstacle to getting work done. The real shocker to me was the fact that a free-for-all environment is safer and cheaper than a rigidly controlled one. But it made sense after Aberdeen researcher Andrew Borg explained it: If employees aren’t actively fighting IT, they’re less likely to cause issues. And of course the safest, cheapest approach is the “wise parent” approach: Use a mix of policies, incentives, and education to help your teen become a self-sufficient adult.
The incentive is the right to use a device of their own choosing; the policies channel that use in safe ways, and education helps both reduce resistance to some burdensome but truly necessary policies and increase self-vigilance by the employee — the overwhelming majority of whom want to do the right thing for themselves and their company, after all.

A new framework for a new relationship
So how does IT function in this new world? PwC came up with the framework shown in this slide, which I think is right (both because I contributed to it and because it’s enjoyed a good reaction when I’ve made this presentation to various IT audiences). Later this year, the full PwC report laying out this framework will be available as a free download. It’s a different way for many in IT to think, as it starts with “soft” values and requires IT to share ownership of risk management and technology decision making with employees and their business departments. (It requires the same of the legal, executive, and HR teams.) But as the consumerization trend is fueled by “soft” human issues, it only makes sense that the management response to it be grounded in human approaches. On the technology side, the framework favors policies, not rigid barriers, to steer employees to the right outcomes while allowing appropriate freedom and creativity. It says the IT monoculture at the endpoint level is a dead direction, so IT instead should think of technology as an onion with multiple layers. The outer, employee-oriented layers should be flexible and individualizable, while core systems should be standardized and safeguarded as much as possible. A simple illustration: Allow any mobile device that conforms to your routine information access policies, but add layers of authentication and security measures such as encryption for those information resources that are truly sensitive within the network. Letting an employee access a workgroup share drive from an iPad doesn’t mean that same employee can open your HR database. The bad news is that not all the technology is available to manage this onion skin — information rights management is rarely implemented in typical enterprise data objects or systems, and rarely in user apps and devices. The good news is that by shifting risk from an IT- or CSO-only job to a shared one, you incentivize the business to reduce that risk through other means. The other good news is that consumerization is not new. The first IBM PC or Apple IIe owned by an employee or department started this journey. The Internet pushed it to a whole new level, as information became unbounded, not just computing capability. Yet organizations have not only survived, they’ve thrived with that new power. Think back to the notion that Internet access had to be strictly controlled; it once seemed necessary and scary, but ended up not being so bad. Then you adapted as it became clear you had to, finding many positives to exploit along the way. Now apply that thinking to this newest set of waves: mobile, cloud, and social media.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.
THE CASE FOR ENCOURAGING USER INNOVATION
By Bob Lewis

User innovation is a tough sell in good times. In uncertain economic times, it’s tougher. Sell it anyway. To do so, you must understand the three main arguments against any project that seeks to free users to be more innovative: risk, cost, and return. So let’s imagine you want to make this happen, using Apple’s iPad as the focal point of the program … not a bad idea, as a lot of users want them anyway. Here’s how it plays out.

User innovation: The risks
To encourage user innovation, you have to either give users the tools they’ll need to innovate new solutions or let them shop the tool store for their own. Allowing users to purchase their own tools fills your average IT professional with righteous dread. It means giving users unlocked devices they can use as they want, thereby greatly increasing the possibility of security holes in your network, according to most information security professionals. Giving users the tools to innovate, on the other hand, encourages the creation of the legendary renegade spreadsheet and other weapons of mass confusion — disasters caused by users’ supposed inability to properly design and test the solutions they create. Not to mention an inevitability: The tools you provide won’t be the tools they want. All of the risks are real. Even worse, only IT cares about them — so long as they remain risks. Should any become real, everyone else in the business will care about them deeply, and in particular, they will care to know why IT allowed an entirely preventable situation to occur. Do what you can to minimize and mitigate the risk without preventing the activity.

User innovation: The costs
Then there’s the cost. Tools aren’t free. When users get stuck or find themselves in trouble, they call for support, and that isn’t free either. Budgets are tight and getting tighter, and in Maslow’s hierarchy of needs, user tools aren’t needs; they are, depending on your perspective, either wants or desires. A lot of the cost argument against user innovation is utter nonsense. Tools first: Some are free, and a lot more are cheap enough that the out-of-pocket cost isn’t worth mentioning. As for the Maslow argument, Maslow would smack anyone making it upside the back of the head. Corporations don’t have wants and desires. They have nondiscretionary expenses — needs — and discretionary expenses. Classifying the latter as either wants or desires ignores the fundamental nature of business — namely, that expenditures are investments. The needs/wants/desires formulation says that given a proposal for an unnecessary expenditure (a “desire”) that yields a risk-free 387.4 percent return on investment, businesses should reject it for not being a “need.” If you work in a company that takes this position, you might want to consider moving to a different company that has more interest in making something I like to call “profit.”

User innovation: The return
Risk and cost are easy to justify when there’s a quantifiable financial return. That’s where the conversation about user innovation becomes awkward — because there isn’t one. At least, there isn’t anything you can predict in a measurable way. As Albert Einstein once pointed out, “If we knew what it was we were doing, it would not be called research, would it?” That’s both the difficulty and the opportunity of user innovation. It’s a statistical thing. Take a critical mass of smart people who understand the business and were born with the curiosity gene. Give them a bit of time and the proper encouragement. You won’t know which ones will end up having an aha moment that turns into a huge opportunity. Statistically speaking, though, the odds seem pretty good, and one or two is all it will take to pay for the company’s investment.

Bob Lewis is InfoWorld’s Advice Line blogger.
MOBILE STRATEGY
Mobile management, OS by OS
Enterprise-grade security and manageability aren’t exclusive to BlackBerry
By Galen Gruman

Although more and more businesses are opening up to smartphones other than the BlackBerry, it’s amazing how many people still believe that the iPhone in particular doesn’t have appropriate security for most enterprises. It does, and iOS 4 and later for the iPad, iPhone, and iPod Touch support more security and management capabilities than all competitors except the BlackBerry and perhaps (depending on which criteria matter to your business) Windows Mobile. “Businesses do seem to be comfortable with BlackBerry, certainly, and also with Windows Mobile. They are increasingly comfortable with iOS, especially with iOS 4,” notes Forrester Research analyst Andrew Jaquith. Why? Because these three mobile OSes use a mobile management server approach that lets IT set and enforce policies across the user base. In fact, Apple added that capability in iOS 4, released in summer 2010. Most management tools support multiple devices; the exception is BlackBerry Enterprise Server (BES), which supports only RIM devices.

But what about the other mobile devices? Google’s Android is fast gaining popularity, now selling more devices than Apple and RIM each. Then there’s the new Windows Phone 7 from Microsoft and WebOS 3.0 in Hewlett-Packard’s short-lived TouchPad. Can they safely be brought in? Let’s go through the current versions of the seven major mobile platforms and their variants to see how securely they can be managed. The table accompanying this story highlights the capabilities of each mobile platform for the most common security and management needs.

(While you’re rethinking your mobile management strategy, go ahead and make your website mobile-friendly as well for iPhones, Androids, and more. Dori Smith explains how in the InfoWorld.com tutorial “How to make your website mobile today.”)

First, a note on Exchange ActiveSync (EAS) policies, Microsoft’s protocol for mobile security and device management: EAS is fast becoming the de facto protocol for managing mobile devices, supported to varying degrees by Apple (in iOS and Mac OS X), Google (in Android OS 3 and 4 and in corporate Gmail, and in some Android 2 devices), Hewlett-Packard/Palm (in WebOS 1.1 and later), IBM (in the latest version of Lotus Notes), Nokia (in some Symbian-based devices), Novell (in a server add-on for GroupWise), and of course Microsoft (in Windows, Windows Mobile, and Windows Phone 7). Only RIM is avoiding EAS, preferring to stick with its BES. It’s also key to note that although there are 29 possible EAS policies, some of them don’t apply to many mobile devices, such as disabling infrared or disallowing unsigned CAB files (Windows-specific app installation packages).

Second, a note on storage of corporate email, calendar, and contact data: Devices that sync with Microsoft Exchange, IBM Lotus Notes, or Novell GroupWise remove the emails and address books when the account’s access to the server is revoked — or, in the case of iOS, even just disabled. In other words, these servers use the same mechanisms to recall such corporate data from mobile devices as they use for PCs.
RIM BLACKBERRY OS
The key to securing a BlackBerry is to use BES 5.0, which provides over-the-air management based on more than 400 security and management policies that IT can use, from password requirements to remote wiping. RIM does offer free versions of BES for Microsoft Exchange and IBM Lotus Notes environments; the free version does not support Novell GroupWise as the full version does. New to BES 5.03 is the ability to selectively wipe business data and apps from users’ BlackBerrys without affecting personal data (the devices must run BlackBerry OS 6 or 7). Some BlackBerry models support RSA’s SecurID second-factor hardware authentication token, which is required in selected military environments.
MOBILE SECURITY AND MANAGEMENT CAPABILITIES COMPARED
Key: EAS = via Microsoft Exchange ActiveSync. BES = via BlackBerry Enterprise Server 5.x. 3PS = via third-party server. NA = information not available. AOS = Android OS version. Numbers in parentheses refer to the notes below the table.

Columns, left to right: Capability | Apple iOS 3.x, 4.x, 5.x | Google Android 2.x, 3.x, 4.0 | HP WebOS 1.x, 2.x, 3.0 | Microsoft Windows Mobile 6.x | Microsoft Windows Phone 7.x | Nokia Symbian 2.x, 3.x (1) | RIM BlackBerry 5.x, 6.0, 7.0 (9)

On-device encryption | Yes | Yes (AOS 3, 4) | No | Yes | No | Yes (2) | Yes
Over-the-air data encryption | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Complex passwords | Yes | Yes (AOS 2.2 and later) | Yes | Yes | No | Yes | Yes
Enforce password policies | Yes (3) | EAS (4) (AOS 2.2 and later) | EAS | EAS, 3PS | EAS | EAS, 3PS | BES
Support VPNs | Yes | Yes | Yes (WebOS 2.0 only) | No | No | Yes | Yes
Disable camera | Yes (3) | No | No | EAS, 3PS | No | No | BES
Restrict/block app stores | Yes (3) | No | No | EAS, 3PS | No | No | BES
Restrict/block wireless LANs | Yes (3) | No | No | EAS, 3PS | No | No | BES
Remote lockout | Yes (3) | EAS, 3PS (AOS 2.2 and later) | EAS | EAS, 3PS | EAS | No | BES
Remote wipe | Yes (3) | EAS, 3PS (AOS 2.2 and later) | EAS | EAS, 3PS | EAS | EAS, 3PS | BES
Selective wipe of business apps and data only | 3PS (iOS 4, 5) | No | No | No | No | NA | BES (BB OS 6, 7 only)
Enforce and manage policies | EAS, 3PS (iOS 4, 5) | EAS (AOS 2.2 and later) | EAS | EAS, 3PS | EAS | EAS, 3PS | BES
EAS policies supported | 14 | 9 (AOS 2.2) (5); 13 (AOS 3, 4) (5) | 5 (WebOS 1, 2); 7 (WebOS 3) | 29 (6) | 7 | NA | None (7)
Manage over the air | EAS, 3PS (iOS 4, 5) | EAS (AOS 2.2 and later), 3PS | EAS | EAS, 3PS | EAS | EAS, 3PS | BES
Second-factor authentication (RSA SecurID) | the extracted row carries eight values (No, No, Yes (8), No, No, Yes (8), No, No) for seven columns, so the per-platform assignment cannot be reproduced here; the BlackBerry OS section above notes SecurID support on some BlackBerry models

Notes: 1. Some Nokia E-series and N-series devices only. 2. Storage cards not encrypted. 3. Via choice of Apple iPhone Configuration Utility (no over-the-air confirmation or auditing), Mac OS X 10.7 Lion Server, EAS, or 3PS. 4. Requires PIN only. 5. Some third-party email client applications support additional EAS policies within those applications only. 6. Exchange Server Enterprise license required for support of all 29 EAS policies; lower-tier licenses support 15 EAS policies. 7. BES supports more than 500 policies of its own. 8. Some device models only. 9. BlackBerry Tablet OS 1.0 requires BlackBerry tethering to support all these capabilities except VPN. One cell of the selective-wipe row was lost in extraction; the Symbian column is shown as NA.

RIM BLACKBERRY TABLET OS
RIM’s strategy for securing its BlackBerry Tablet OS, used in the RIM PlayBook, is the same as for the BlackBerry: BES. But that’s because the PlayBook must be wirelessly tethered to a BlackBerry to access corporate resources; the BES that protects the BlackBerry thus protects BlackBerry data available via the PlayBook. Note that BlackBerrys and PlayBooks not managed by BES have none of these management capabilities.
APPLE IOS
iOS 4 stepped up mobile management significantly by allowing auditable, assured application of EAS policies, as well as iOS-native policies, over the air. It allows for selective wiping of business data and apps, and it supports complex passwords, on-device encryption, and remote wipe. iOS supports 14 EAS policies managed through Exchange, and it uses configuration payloads that can be emailed to users, made accessible via a Web link, or provisioned over the air through Mac OS X 10.7 Lion Server. If you use a mobile device management tool from AirWatch, Boxtone, Good Technology, MobileIron, Symantec, Sybase’s Afaria unit, Tangoe, Trellia, Zenprise, or others, you can audit and enforce the use of those payloads, as well as provision them over the air. iOS 5 adds a few additional policies for MDM tools to take advantage of as well: They can turn off iCloud syncing, require the use of a password to access iTunes, disable email forwarding, delete — not just render inaccessible — apps (both individually and for all corporate-provisioned apps), disable voice and data roaming, set policies for the handling of nontrusted certificates, detect and reapply user-deleted MDM configuration profiles, set Web proxies, set auto-login for approved Wi-Fi access points, send crash data, and monitor battery levels.
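The configuration payloads mentioned above are XML property lists in a .mobileconfig file. The following Python is an added illustration (not InfoWorld’s, Apple’s, or any MDM vendor’s code) of what one such profile looks like when it sets the passcode and restriction controls from the comparison table, plus a small audit that checks an installed profile against a baseline. The payload types and keys are Apple’s documented configuration-profile keys; the organization name, identifier prefix, and the baseline choices themselves are constructed placeholders.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) with plistlib.

Added illustration; not code from InfoWorld, Apple, or an MDM vendor.
Payload type names and keys are Apple's documented profile keys; ORG,
ID_PREFIX and the baseline values are constructed placeholders.
"""
import plistlib
import uuid

ORG = "Example Corp"           # constructed placeholder organization
ID_PREFIX = "com.example.mdm"  # constructed placeholder identifier prefix


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def passcode_payload() -> dict:
    """Passcode policy payload (PayloadType com.apple.mobiledevice.passwordpolicy)."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.passcode",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,             # a passcode is mandatory
        "allowSimple": False,         # forbid repeated/sequential passcodes such as 1111
        "requireAlphanumeric": True,  # the "complex passwords" capability in the table
        "minLength": 8,
        "minComplexChars": 1,         # at least one non-alphanumeric character
        "maxInactivity": 5,           # minutes of idle time before the device locks
        "maxGracePeriod": 0,          # passcode demanded immediately on wake
        "maxFailedAttempts": 10,      # the device wipes itself after this many failures
        "maxPINAgeInDays": 90,
        "pinHistory": 4,              # reuse of the last four passcodes is refused
    }


def restrictions_payload() -> dict:
    """Restrictions payload (PayloadType com.apple.applicationaccess)."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.restrictions",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Device restrictions",
        "allowCamera": False,              # "disable camera" row in the comparison table
        "allowAppInstallation": False,     # removes the App Store: "restrict/block app stores"
        "allowCloudBackup": False,         # iOS 5 key: keep device backups out of iCloud
        "allowUntrustedTLSPrompt": False,  # iOS 5 key: reject untrusted certificates, never ask
    }


def build_profile() -> dict:
    """Top-level profile wrapping the two payloads above."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.baseline",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"{ORG} mobile baseline",
        "PayloadOrganization": ORG,
        "PayloadDescription": "Passcode and restriction baseline for corporate mail access.",
        "PayloadRemovalDisallowed": True,  # the user cannot remove the profile once installed
        "PayloadContent": [passcode_payload(), restrictions_payload()],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize as the XML plist that iOS expects in a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig back into a dict, e.g. to audit what was deployed."""
    return plistlib.loads(data)


def audit(profile: dict) -> list:
    """Return the baseline controls the profile fails to set (empty list = compliant).

    An e-mailed profile can be declined or edited, which is why the article says
    an MDM tool is needed to audit as well as provision; this is that check.
    """
    failures = []
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy", {})
    rs = by_type.get("com.apple.applicationaccess", {})
    if not pw.get("forcePIN"):
        failures.append("passcode not required")
    if not pw.get("requireAlphanumeric"):
        failures.append("complex passcode not required")
    if pw.get("minLength", 0) < 8:
        failures.append("passcode shorter than 8")
    if rs.get("allowCamera", True):
        failures.append("camera not disabled")
    if not profile.get("PayloadRemovalDisallowed"):
        failures.append("profile removable by user")
    return failures


if __name__ == "__main__":
    data = to_mobileconfig(build_profile())
    with open("baseline.mobileconfig", "wb") as fh:
        fh.write(data)
    print(audit(load_profile(data)))  # [] when every baseline control is present
```

The two iOS 5 keys take effect only on iOS 5 devices, matching the article’s note that those policies arrived with iOS 5; the profile is written unsigned here, and a production deployment would sign it so the device can show users who issued it.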
MICROSOFT WINDOWS MOBILE Although this mobile OS was discontinued two years ago, it remains in use at many companies running legacy applications, especially in government. Windows Mobile 6.x supports all 29 EAS policies if you use an enterprise license for Microsoft System Center Mobile Device Manager, which is part of Exchange; otherwise, it supports 14 EAS policies. A variety of mobile management tools support Windows Mobile devices as well, and some Windows Mobile devices support the SecurID authentication device.
MICROSOFT WINDOWS PHONE 7
The new Microsoft mobile OS has fewer management and security capabilities than Windows Mobile, even though it uses the same Exchange or EAS-compatible servers as the management console. The biggest omissions are lack of support for on-device encryption and for requiring use of complex passwords, so it will not work with many companies’ ActiveSync policy requirements. (Microsoft says it will add such support later.) Windows Phone 7 — including the 7.5 “Mango” release of fall 2011 — also supports fewer EAS policies than Windows Mobile and iOS. It does not support several policies that may matter to some enterprises: disable camera and disallow application downloads. It also doesn’t support VPNs.
GOOGLE ANDROID OS
Although one of the most popular smartphone OSes, Android has been among the least secure. The Android 2.2 and earlier smartphone versions do not have on-device encryption, nor do they support complex passwords, for example. “Enterprises are generally quite uncomfortable with Android right now, partly because the enterprise security road map doesn’t seem clear to them, and partly because the vast number of Android devices makes it hard to understand what will work for them and what won’t,” says Forrester’s Jaquith. “The lack of OS file system encryption is often cited as a concern.” But just as rabid iPhone users forced many businesses to allow iPhones in before Apple stepped up iOS’s security, enthusiastic Android users are doing the same today. “Many customers seem willing, essentially, to punt and use something like Good Technology’s product to put a secure workspace on Android devices so that they can use them,” Jaquith notes. IBM’s Lotus Notes Traveler app adds such a secure workspace for Notes users, as does NitroDesk’s TouchDown app for Exchange users.

Over time, Android should get more secure. In fact, the tablet-oriented Android 3.0 OS does support on-device encryption and policies for complex passwords, password history, and password expiration. The Android 4 OS, released in late 2011 for some devices, brings those security capabilities to Android smartphones as well as tablets. And it may not be just Google that fills in that blank in the short term. For example, Android 2.2 includes only a basic VPN, but Motorola Mobility’s Droid Pro includes the more robust and beefed-up AuthenTec IPSec multi-headed VPN. Likewise, the Motorola Mobility Atrix, the Photon 4G, and its other business smartphones add on-device encryption and Android 3-level EAS policies despite Android 2.2’s lack of native support for them.

HEWLETT-PACKARD WEBOS
Although WebOS got a lot of buzz before it was released in 2009’s Palm Pre, it didn’t win a significant audience. HP bought it in summer 2010, released the WebOS 2.0 update in fall 2010, and released WebOS 3.0 in summer 2011. But WebOS remains the least secure of the major mobile OSes. WebOS 1 and later support complex passwords, WebOS 2 introduced support for VPNs, and WebOS 2.1 added support for on-device encryption. WebOS 1 through 3 support just five EAS policies: four for password management and one for remote wipe. WebOS 3 added two more. Unlike Android, there aren’t client apps that can create secure workspaces to fill in the security gaps.

NOKIA SYMBIAN
Billed as the most popular smartphone OS in the world, Symbian is almost invisible in the United States. Symbian’s share of global Web traffic has declined steadily, as Nokia has retired it for smartphones in favor of Windows Phone 7. The Symbian OS comes in many varieties, with most Nokia devices not supporting business-class security or management. But the Nokia E-series and N-series devices usually support the basics, including on-device encryption, complex passwords, and remote wipe. These devices support an unknown number of EAS policies — Nokia wouldn’t say how many — but the total appears to be fewer than iOS supports. Disabling the built-in camera and preventing access to Wi-Fi networks are two examples of EAS policies that iOS and Windows Mobile handle (and that BES offers) that Symbian does not. Many mobile management tools support these Nokia devices.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.

WHAT THE MOBILE DEVICE MANAGEMENT VENDORS OFFER
As smartphones and tablets proliferate, and as employees make the case for device diversity, IT is faced with the challenge of managing access, usage, and security across multiple mobile devices. To address that need, many vendors have developed tools that provide a central console to manage multiple devices over the air with a common set of policies, ensuring consistent policy enforcement and providing auditing capabilities as well. These tools use one of two approaches, and sometimes both: (1) They use policy profiles, typically based on the widely used Microsoft Exchange ActiveSync (EAS) protocol. (2) They use a client application on each supported device to provide the managed, secured workspace and additional policies. Those that support the BlackBerry work with Research in Motion’s own tool, BlackBerry Enterprise Server (BES).

AirWatch supports Android, BlackBerry, iOS, and Windows Mobile. It also provides content-filtering policies, provides data-roaming policies, and allows on iOS 4 and 5 selective wiping of business data (leaving personal data intact for employee-owned devices).

Boxtone supports Android, BlackBerry, iOS, and Windows Mobile. It also provides tools for troubleshooting user devices, user self-registration, and asset tracking (including carriers used).

Fiberlink’s Maas360 manages and enforces policy-based security and provides application management on Android, BlackBerry, and iOS devices, on other devices using Microsoft Exchange or IBM Lotus Notes, and on Windows and Mac OS X PCs.

Good Technology’s Good for Enterprise and Good for Government tools support Android, iOS, Symbian, and Windows Mobile. The tools also permit control over application installation, allow on iOS 4 and 5 selective wiping of business data (leaving personal data intact for employee-owned devices), and can be set to allow only specific device/operating-system combinations.

McAfee’s Trust Digital EMM supports Android, iOS, Symbian, Windows Mobile, and WebOS. It also provides tools for troubleshooting user devices and user self-registration.

MobileIron’s MobileIron Server supports Android, BlackBerry, iOS, Symbian, Windows Mobile, and WebOS. It also permits control over application installation, allows on iOS 4 and 5 selective wiping of business data (leaving personal data intact for employee-owned devices), and provides telecom expense management capabilities.

Sybase’s Afaria supports Android, BlackBerry, iOS, Symbian, and Windows Mobile. It also provides control over application installation, lets IT set up an internal “app store,” and permits asset tracking of mobile devices.

Tangoe’s MDM supports Android, BlackBerry, iOS, and Windows Mobile. It also permits control over application installation and provides telecom expense management and service monitoring capabilities.

Wyse Trellia’s MDM supports Android, BlackBerry, and iOS. It also provides data-usage policies.

Zenprise’s Mobile Manager supports Android, BlackBerry, iOS, and Windows Mobile. It provides telecom expense management and service monitoring capabilities.
MOBILE STRATEGY

The new app management tools
As IT concerns shift from devices to apps, policy-based products emerge
By Galen Gruman

IT concerns are fast moving from mobile device management (MDM) to mobile application management (MAM) as part of a shift in thinking from whether to allow mobile devices in to how to best take advantage of them. At IT conferences, I hear more and more questions about how to manage those applications.

For organizations used to controlling the software on a user’s PC via tools such as IBM’s Tivoli and Microsoft’s SMS, the iPhones, iPads, and Androids now becoming commonplace herald a Wild West environment. The heterogeneity of those devices is daunting enough — most desktop application management tools can’t even do a decent job of handling Mac OS X applications, so no one expects them to go near the mobile devices. But mobile OSes veer even more dramatically from the desktop, making app management less suitable for IT’s traditional approach. The use of app stores means IT isn’t the central distributor of apps in mobile, while the mix of HTML and native apps raises another level of complexity. Sure, IT can put together its own mobile app “store,” but it’s often a glorified website or intranet site with links to approved or recommended apps, both internal and external.

Even as IT has given up the notion of ruling over mobile devices and instead has come to view them as a device jointly “owned” with the user, IT rightfully wants to manage the business-oriented apps on those devices. That way, when an employee leaves the company or a device is lost, the application and its data can be removed from the device. IT also rightfully wants to be able to manage updates and licenses, as well as track usage — especially in the messy context of apps used by employees, contractors, and business partners, in which even a control-oriented organization simply can’t seize the traditional control over all the devices.
THE FIRST WAVE: MANAGING HTML APP CONTAINERS VIA POLICIES
What’s evolved in the device management space is a policy-oriented approach. In this scenario, a tool such as BlackBerry Enterprise Server (BES) (see page 34), Microsoft Exchange (via the Exchange ActiveSync protocol), or a third-party MDM utility, such as those from Good Technology, MobileIron, and Trellia, manages the data it provisions, including mail, contacts, and so on. It can also impose device-wide access policies, such as password requirements, remote lock, and more. Some of these tools can even manage applications they provision, essentially allowing or disallowing access, as well as pushing updates.

The same is beginning to happen in mobile application management. One option is to go for the approach used by Antenna Software, whose Volt MAM essentially puts HTML5 apps in a virtual box on the iPhone or Android device. These apps can tap into devices’ native capabilities through JavaScript API extensions from Apple, Google, and others, as well as via W3C-supported BONDI APIs. (Those extensions allow, for example, the capturing of signatures through a canvas tag or the generation of bar codes.) You develop these HTML5 apps in your IDE of choice (even a text editor), but you do have to use Antenna’s APIs for the apps to work within the Volt client and be provisionable and manageable by the Antenna Mobile Platform (AMP) server.

From there, you can code installation profiles based on user policies such as roles. When a user logs into the (usually hosted) server, the apps tied to his or her profile are downloaded to the device. The server also pushes updates and gives IT a console for monitoring usage, changing application permissions, locking down data, and wiping apps when a user leaves the company or changes roles. With these “boxed” apps, IT can control and monitor the apps in that box. The approach is very similar to how many MDM tools work, providing their own clients, managing the email, and so on, apart from the rest of the device; it’s akin to the VDI approach used in Citrix Systems’ Receiver app for mobile devices.

That box approach provides a clear separation between work and personal apps and data, but it’s a bit heavy-handed, forcing users (in the case of Antenna’s Volt) to open a container app to access business-provisioned HTML apps. That’s acceptable for HTML apps, as users typically first launch a browser before running a Web app, and you can think of the Volt client as a browser for enterprise apps. Plus, IT directly controls those apps because they run on IT’s servers just like a desktop Web app.

The enterprise-created HTML5 apps provisioned through Volt are kept in their own workspaces, so their data is encrypted and separated from the device’s other info. Apple’s iOS natively supports such encryption and separation, but Google’s Android 2.x supports neither, and Android 3.x and 4.0 support just encryption. Because the enterprise HTML5 apps run within Volt, the AMP server can directly manage them, without affecting the device’s other apps. In the case of iOS, the AMP server can also manage native apps provisioned through AMP or through an MDM integrated with AMP. Likewise, an MDM tool that integrates with AMP can manage apps provisioned by AMP (HTML5 and native) or by the tool itself (native).
Either way, the HTML5 apps provisioned through Volt work offline, syncing data when reconnected. Theoretically, the Volt-provisioned HTML5 apps could be accessed as separate apps on an iOS device’s home screen, rather than through Volt. They would still be secured and managed as an app bundle by AMP, but the user would not see that bundling. Some users like to view all their apps individually, while others like to group them; essentially, Volt forces them to be grouped. (Android doesn’t support app bundles, so Volt-provisioned HTML5 apps must run within Volt on that platform.) Antenna CTO Dan Zeck says that the company chose to run the Volt-provisioned apps on iOS devices from within the Volt app because IT customers wanted a visible separation of business and personal apps, both to increase IT’s comfort level in the presence of the separation and to help users make the mental switch between private and work activities. But there’s no technical reason the apps couldn’t appear as individual home screen icons and maintain that behind-the-scenes secure separation in iOS, he notes. (BlackBerry OS 6 and 7 also support such innate separation, though currently it works only with the most recent version of BlackBerry Enterprise Server and for just BES-provisioned apps.)

As is the case with MDM tools that support app provisioning, the AMP server can install and manage native iOS apps only if the enterprise has an enterprise SDK agreement with Apple. AMP then uses those credentials to install the apps directly, without going through the public App Store. This is an Apple requirement, meant to put enterprise apps through the same quality-control standards as any iOS app. Other tools such as AppCentral offer similar capabilities. However, the combination of the Volt client and AMP hosted server appears to be more appropriate for enterprises, in terms of integration with policy servers such as LDAP, integration with MDM tools, and use of high-level encryption and authentication technologies. (AT&T uses AMP in its Workbench offering, but the Volt/AMP pairing is not limited to AT&T-connected devices, as Workbench is.) The Volt client was released this spring for iPhones running iOS 4 and devices running Android OS 2.1 through 2.3; other versions are planned.
THE SECOND WAVE: MANAGING NATIVE APPS DIRECTLY VIA POLICIES
Though useful, the Antenna approach doesn’t extend to native apps, which can’t run inside another app or on IT’s servers. That’s where the AppCentral and AppGuard services come in. The company AppCentral (formerly named Ondeego) has released iOS and Android versions of its MAM technology that take a different approach to mobile application management and distribution, one that appears very well suited to native apps.

In a nutshell, with the AppGuard part of the service, you add code to your iOS and Android apps that uses AppCentral’s policy APIs and provides a “listener” function. The APIs let the app communicate with an AppCentral server as to policies for that app and/or user, such as restricting usage to specific Wi-Fi access points (a common requirement in health care) or zeroing out the app and its data if the user’s permissions are revoked (such as when a contractor’s gig is completed). The “listener” function monitors activities such as an app launching or coming to the foreground (suggesting it’s in active use), so it can then check the current device and application state against the policies. The “listener” function also communicates app status and activity back to the server — not entire device status, which may allay concerns from employees, contractors, and business partners over how invasive your management may be.

What’s key is that the management is embedded in the app, so you don’t have to manage the device itself. Thus, you should be able to extend legitimate application management to a greater number of users than the universe of devices you actually manage. Apple has blessed AppCentral’s technology, so iOS developers need not worry about their apps being rejected due to use of non-Apple APIs. In the Android world, there is no such approval concern, of course. And in the Android world, IT can wrap someone else’s app with the AppGuard technology, to produce an IT-manageable and -monitorable version.

The AppCentral tool provides the provisioning of the apps, including licensing management and distribution of third-party titles — a big challenge in the mobile space, especially with iOS apps, where Apple allows enterprises to directly distribute their own programs and requires all third-party apps to be distributed through the App Store.
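The app-embedded “listener” pattern described above, as an added illustration in Python; this is not AppCentral’s code, and the policy document shape, the event names, and the DeviceState and ManagedApp classes are assumptions made for the example. It shows the two distinct responses the article mentions, blocking access when the device is off an approved Wi-Fi network and zeroing out the app’s data when the user’s permissions are revoked, and it reports only the app’s own status, never a device inventory.

```python
"""App-embedded policy listener: the app, not a device agent, enforces policy.

Added illustration, not AppCentral's code. The policy dict, event names and
classes below are assumptions; the SSIDs and records are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample policy, in the shape this example assumes a management
# server would return for one app/user pair.
SERVER_POLICY = {
    "user_authorized": True,
    "require_wifi": True,
    "allowed_wifi_ssids": ["WARD-A-SECURE", "WARD-B-SECURE"],  # constructed names
}


@dataclass
class DeviceState:
    """The only device facts the listener consults."""
    wifi_ssid: Optional[str]


def evaluate(policy: Optional[dict], device: DeviceState) -> str:
    """Map policy plus device state to one of: allow, block, wipe.

    Revocation is the only condition that destroys data. A wrong network or a
    missing policy merely blocks access, so a transient failure never costs
    the user their work.
    """
    if policy is None:
        return "block"                 # no policy known yet: fail closed
    if not policy.get("user_authorized", False):
        return "wipe"                  # permissions revoked by the server
    if policy.get("require_wifi"):
        if device.wifi_ssid not in policy.get("allowed_wifi_ssids", []):
            return "block"             # off an approved access point
    return "allow"


@dataclass
class ManagedApp:
    local_data: Dict[str, str] = field(default_factory=dict)
    cached_policy: Optional[dict] = None
    unlocked: bool = False
    reports: List[dict] = field(default_factory=list)

    def on_event(self, event: str, fresh_policy: Optional[dict],
                 device: DeviceState) -> str:
        """Listener hook. fresh_policy is None when the server is unreachable."""
        if event not in ("launch", "foreground"):
            return "ignored"           # only active-use events trigger a check
        if fresh_policy is not None:
            self.cached_policy = fresh_policy
        decision = evaluate(self.cached_policy, device)
        if decision == "wipe":
            self.local_data.clear()    # zero out the app's data, nothing else on the device
            self.unlocked = False
        elif decision == "block":
            self.unlocked = False
        else:
            self.unlocked = True
        # Report the app's own status back, not a device inventory.
        self.reports.append({"event": event, "decision": decision})
        return decision


def demo() -> ManagedApp:
    """Walk one app through an allowed launch, a block, a cached check and a revocation."""
    app = ManagedApp(local_data={"patient_notes": "constructed sample record"})
    app.on_event("launch", SERVER_POLICY, DeviceState("WARD-A-SECURE"))       # allow
    app.on_event("foreground", SERVER_POLICY, DeviceState("CoffeeShopWiFi"))  # block
    app.on_event("foreground", None, DeviceState("WARD-B-SECURE"))            # allow via cache
    revoked = dict(SERVER_POLICY, user_authorized=False)
    app.on_event("foreground", revoked, DeviceState("WARD-B-SECURE"))         # wipe
    return app


if __name__ == "__main__":
    for report in demo().reports:
        print(report)
```

A production listener would also expire the cached policy after some interval so that a device kept offline cannot run on stale permissions indefinitely, and would authenticate the server it fetches policy from; both are outside what the article describes and are omitted here.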
There are also challenges in both iOS and Android in bulk licensing, given the pay-per-user model of the Apple App Store and Android Market; you can buy multiple licenses and issue redemption codes to users so that they’re not billed, but that’s not a terribly efficient mechanism for a large organization. AppCentral has some capabilities here, though the issue is a complex one, and IT’s and mobile OS vendors’ interests may not fully align.
THE NEW MAM SHOWS IT IS ADJUSTING TO THE NEW “CONSUMERIZED” REALITY
We’re still in early days when it comes to mobile management. In the last two years there’s been a mini gold rush in the MDM space, with dozens of vendors joining the fray. In the last year, the MDM concept has taken hold in the enterprise, allowing even highly regulated companies to support iPhones, iPads, and Androids — unimaginable in 2009. MAM is next. IT worrywarts are shifting their hand-wringing from devices to applications, some for legitimate purposes, some as a new objection to raise. I fully expect that companies like Antenna and AppCentral will lead the charge in resolving legitimate application management needs, as Good, MobileIron, and Sybase did in the MDM space. Even better, approaches like AppCentral’s that move away from the heavy hand of total control to the nuanced approach of specific control indicate that IT is adjusting to the emerging “consumerized IT”-driven shared model of business technology, where users, IT, and third-party providers are all part owners and thus part managers. That approach requires a shift to more granular management and policy-based management. The tools to support that new reality are emerging.
THE FRETTING OVER MOBILE APP MANAGEMENT CAN NOW STOP
A year ago, CIOs commonly said they wouldn’t support iPhones or bring-your-own-device policies due to security and management concerns. Today, that viewpoint is passé, thanks to both the push from users and the release of IT-oriented management tools for iOS and Android devices. As device management concerns have faded, I’ve heard app management concerns take their place in both private conversations and at IT conferences. Those app management fears can dissipate, too. Organizations can continue to use the simple solution of provisioning apps directly from a secured website or by emailing users the links — the only real option for iOS devices until last fall. And now those organizations that need or want to manage applications more directly — with the same level of control, security, and compliance monitoring they enjoy on the desktop — have tools to move up to that level. What is great to see in all this is an approach that gives IT control without unduly confining users. As mobile devices move quickly to being dual-purpose personal/business implements, tools such as Volt let the two usage aspects coexist nicely. Users aren’t forced to work with locked-down smartphones and tablets, and IT isn’t forced to accept free-for-all devices. Everyone wins.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.
MOBILE STRATEGY

Don’t overdo app management
Third-party apps in mobile shouldn’t be treated as they were on PCs
By Galen Gruman
You’ve accepted the fact that users are working on iPhones, iPads, and Android devices, even if you don’t own those units. You’ve figured out that mobile device management (MDM) tools can secure those items, so your corporate data is safe on them — at least as secure as it is on PCs. But what about the apps on those devices? How do you manage them? How do you handle site licenses for them? How do you get enterprise support for them? These are the questions IT admins are now asking. They won’t like the answer: You don’t do all these things any longer. (For apps that tap directly into your corporate information systems and processes, app management is sensible, and there are tools to help you do just that, as the story on page 20 explains.)
WHY APP MANAGEMENT IS A LEGACY APPROACH
I know it’s severe heresy for many in IT, but managing third-party apps is usually addressing the wrong problem. The issue you should be investigating is how to manage your information and the access to it. Long gone are the days when applications and user equipment were safely locked within your four walls and managing them could serve as a proxy for regulating your data and the permissions for it. The corporate boundaries are permeable, and they have been for some time, as people work at home and on the road and as you use a mix of staff and contractors. The rise of smartphones and tablets has simply made this new reality obvious to all. Any business that protected information by controlling computing devices and their applications — rather than actually managing that data access at the source — is now revealed to have been not protecting what’s really valuable.

If you think about it, worrying about endpoints is the wrong way to tackle information management. This approach is rooted in the mainframe days of IT, when all the real computing action took place in the data center, and users had at most dumb terminal access. When PCs came along, IT fretted about having real information reside on people’s desks, and vendors came up with all sorts of technologies to rope those PCs into the data center’s controls. Many are sensible, such as encryption and forced sign-in, as they protect the information that is so valuable. Less sensible, though, are those that treat apps as clients of the data center.

Microsoft in particular has been a master of tapping into the IT mentality so that its Office apps are clients of Exchange and other servers. As a result, IT buys site licenses that have expensive maintenance options and require constant attention to make sure the licensing rules are followed as employees come and go. It’s a great revenue stream for Microsoft, Adobe Systems, and other similarly inclined vendors, as well as for purveyors of asset-management tools, and it’s been a great way to justify IT staff. The inmates and jailers are all collaborating.

The problem with that approach is that these applications are not in fact clients to some server-based application. They are not like ERP and CRM systems, despite Microsoft’s and others’ attempts to make them so. (One organization I know dropped 90 percent of its Office licenses in favor of Google Docs but had to keep half of its client access licenses due to Microsoft’s successful intermingling of client and server technologies.) Instead, iOS users opt for iWork, Quickoffice, or Documents to Go, not Office. Android users go with Quickoffice or DocsToGo, as do BlackBerry and other mobile operating systems’ users. They work with native Office files, so for most organizations, it doesn’t really matter that they’re not Microsoft apps, just as it doesn’t really matter if a user on a PC or Mac runs OpenOffice, iWork, or Google Docs. As long as the tools support the Office capabilities required by your work process, who cares what client is running? IT has cared, but it really shouldn’t.

What seems to really perturb IT admins is that these apps come from app stores, where there are no site licenses. And these vendors don’t offer enterprise support plans. Welcome to the reality of consumerized IT.
HOW TO MANAGE APPS IN THE ERA OF CONSUMERIZED IT
These apps — and more from the Mac, Windows, Chrome, and other emerging app stores — are purchased by individuals, and most app stores let consumers install them at no additional cost on each device associated with the user ID. There are no site licenses; the Apple app stores, for example, treat businesses pretty much like individuals: Each user gets a license that applies to as many as five of their devices. In the case of a device accessed by multiple users, such as a kiosk iPad or a library Mac, the license applies to all users for that one piece of hardware. Devices can have apps from multiple accounts. Thus, an iPad could have personal apps downloaded from the user’s iTunes Store account, as well as business-provisioned apps downloaded from the business’s iTunes Store account or from a network page that provisions a business’s internally developed apps to its authorized users.

There are also mobile application management (MAM) tools for applications you develop in-house and want to provision broadly, both for native apps and for HTML5-based Web apps (see page 20). Note the dichotomy: IT manages internal apps using long-standing techniques, whereas commercial apps are unmanaged.

In this new world, commercial apps are treated the same as devices: It’s a bring-your-own reality, where the license is associated with the individual, regardless of who ends up shouldering the cost. And at the small costs of mobile apps, having a labor- and technology-intensive process to manage their purchases and track their installation is simply out of whack with the reality on the ground. (Yes, I know there are certain organizations that need strict controls. They’ll continue to work that way, as they should. But you have to ask yourself honestly, what control do you really need over apps and endpoint devices? It’s not as much as you’re used to.)

These commercial apps are not part of the MAM mix, though some MDM tools let you restrict which apps can be installed on a user’s device authorized to access your network. Realistically, however, this approach works only for highly controlled devices, such as iPads used in a retail store by all employees; it’s not feasible for bring-your-own devices.

But your private, internal apps are assumed to be managed, either in a lightweight way, such as being downloaded (if a native app) or accessed (if a Web app) from an intranet site (VPN-protected, I would hope), or with a MAM tool, which you might use, for example, to remove apps from contractor and employee devices when they leave the project or company. The use of MAM makes sense for apps that run locally and don’t require access to resources in your data center — in other words, a stand-alone tool that you don’t want a person using at another business. Likewise, MAM makes sense for removing or disabling apps that store sensitive data locally on a device.

However, most internal apps are really front ends to internal resources — ERP, CRM, IT management consoles, databases, BI, VDI, and the like — for which you exercise your control by managing access to the internal resource. In other words, you should disable access to that information for that user, regardless of the apps they might work with. They may still have the apps, but they can’t access or work on the data. This realization explains why so many businesses are enamored with tools like Citrix Receiver, which follows essentially the same model as a Web app; it should be the model for your native client apps, too.

This access-control approach — rather than an app management approach — is both safer and easier than trying to track every endpoint app (including the browser) a user may leverage to access that information. Plus, this access-control approach applies to any device: smartphone, tablet, computer, and whatever else may be on the horizon, whether owned by the business, the user, or both. IT needs to think different. Let go of the endpoint mentality, and instead focus on the information and access to it. Then you won’t be asking how to manage apps or worrying about site licenses — at least not for stuff outside the data center.

The poster child for this new approach is Bechtel, whose CIO Geir Ramleth successfully exited the endpoint business two years ago. I hear more and more CIOs at conferences and in interviews starting to think the same way.

The reality is that users are smarter about tech and need less mothering than in the 1980s and 1990s. I remember when fax machines, photocopiers, and printers were expensive, complex, and fragile. Secretaries guarded them carefully, and regular staff were kept away; many companies had departments to manage copying and faxing. Over time, the technology got better and cheaper, and employees got more familiar. Today, these devices are broadly available to everyone, in a self-service context. Many of us have them at home. You call a contractor when they break, and facilities or low-level IT monitors paper and toner levels — or the staff does. And no one vets what you copy or print to make sure it’s authorized; the assumption is you can be trusted with the information you have access to. Well, that’s what’s happening with PCs, mobile devices, and some classes of apps.
ALSO RETHINK APP SUPPORT

As for enterprise support plans, just think about all the money you’ll save as users spend more time on mobile devices whose apps don’t carry that additional expense. Yes, you’ll have to train your support staff to know the apps that you decide are corporate-standard or corporate-preferred. But you do that anyhow with tools like Office today. For tools that employees choose to use beyond your standards, the employee provides his or her own support — that’s the trade-off for the flexibility to choose from outside the official list. It’s a trade-off that many people are willing and even happy to make. (Those who don’t want that choice will use whatever you issue and support.)

Mobile and desktop apps that come through app stores follow the same model as SaaS “cloud” apps and open source apps: Developers update them regularly, and users get those updates when they are ready. There’s very little in the way of support; the notion of vendor support phone lines is pretty much dead already for individually oriented software, including business-oriented apps like Office and Creative Suite. The fact that mobile, app store, and cloud apps don’t provide it is really just more of what’s already happened. If you really need support for such apps, you’ll find a cottage industry of consultants and support firms happy to take your business. They just won’t be the same companies that developed the apps. It’s basically no different from those copiers, printers, and fax machines — or a home appliance or car: You usually rely on a local independent service provider rather than the manufacturer. That’s where computers have been going for some time, and apps are following — outside the data center, that is.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.
MOBILE STRATEGY
Mobile security: Safer than PCs

Malware is not yet a serious problem, but other threats could emerge

By Galen Gruman

In security circles, the talk on mobile centers around mobile management, protecting access to and use of corporate information by smartphone users. Summer 2010’s iOS 4 was a game-changer for most IT organizations, giving the Apple iPhone, iPad, and iPod Touch security capabilities equivalent to those of Windows Mobile and meeting the needs of most BlackBerry users, ending the main objection at many companies to allowing iOS devices in. (When used with BlackBerry Enterprise Server, the RIM device does remain more secure for high-requirements organizations.)

What they’re not talking about are threats that reach the smartphone itself, the equivalent of the malware that ravages Windows PCs every day. There are no equivalents of Symantec’s Norton Antivirus or Kaspersky Anti-Virus for iOS devices, and just a handful for Android devices and BlackBerrys. Does that put your devices at risk, or are they somehow inherently secure?

A key reason that so-called endpoint mobile security is not seen as a big deal is that mobile OSes such as iOS, Android, BlackBerry, and Chrome OS use a couple of techniques not common on desktop OSes to make infection more difficult. One is sandboxing, which confines each app and its data and requires explicit permission to exchange data between apps. The other is code-signing, which requires software developers to register, and be vetted, before their apps can be installed. “A lot of mobile devices have a very different security model,” says Scott Crawford, a security analyst at the consultancy Enterprise Management Associates (EMA), and the OS makers have built in security from the get-go. “By contrast, the original Windows had very little security,” creating a tempting target early on and an architecture whose vulnerabilities became widely known. There’ve long been antivirus products for Windows Mobile and Nokia Symbian devices, but they’re not that necessary.
All smartphone platforms combined have seen fewer than 1,000 malware threats, versus hundreds of thousands for Windows PCs, notes Khoi Nguyen, group product manager for mobile security at Symantec. In fact, the need for antimalware apps on smartphones is so low that Symantec is focusing on delivering mobile management tools instead. (It and McAfee do offer antimalware tools for Android, though, which has proven highly susceptible to malware through its unregulated app market.)
THE EMERGING THREATS, AND WHO’S SUSCEPTIBLE

But despite their more secure designs, a few threats have begun to emerge for mobile OSes, so security experts and vendors figure it’s just a matter of time before the increased usage of such devices, and their use of more valuable information than just email, attracts hackers. For example:

The Android Market contains lots of apps that are spyware, Trojan horses, or other malware. One recent malware app secretly sends SMS messages to a Russian premium-rate service, which charges the user very high fees for the messages. Google doesn’t evaluate the apps posted there for security or other concerns, pulling malware from the Android Market only after enough users complain, and the company requires minimal information from developers to get their apps code-signed, notes EMA’s Crawford.

Apps don’t have to be malware to be trouble, says Symantec’s Nguyen. He cites an Android app whose poor coding saps lots of network access, overwhelming nearby cell towers and making them unavailable to other users. Hackers who want to do denial-of-service attacks can use such techniques intentionally.

A flaw in the PDF reader plug-in for mobile Safari let hackers load a jailbreaking app onto iOS devices — raising the specter of desktop-like malware on the iPhone and iPad, though Apple quickly patched the flaw.

One Apple developer’s code-signing identity was stolen, letting the thieves submit apps to Apple under his name. Crawford says that shows the Achilles’ heel of the cryptography-based code-signing approach: There’s a single “root of trust” that, once breached, makes everything vulnerable, and the breach often can be done through nontechnological means (phishing is the prime example).
Nokia has seen several episodes of Symbian vulnerabilities relating to flaws in its code-signing technology — a year ago, one hacker even found a way to disable the code-signing requirement, Nguyen recalls — and in 2005 a major malware attack caused Nokia to rework the OS’s security approach.

It’s situations like these — especially for the unvetted Android Market — that have Kaspersky Lab working on an Android antimalware app. But Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab Americas, isn’t so sure there’ll be equivalent products for iOS, BlackBerry, or Windows Phone 7, at least not in the near future, because all three do more serious vetting of the apps sold through their stores. He notes that sandboxes aren’t hacker-proof and may get easier to hack as more connections are made between sandboxes to allow applications to work together or share data, as users expect from their desktop experience. There likely won’t be an antimalware app for iOS devices at all, because Apple won’t allow them, note both Schouwenberg and Crawford. (Apple declined to comment.)

As mobile devices get more popular and users access and store more valuable information than email on them, they’ll begin to attract the attention of hackers now happily making lots of money by breaking into Windows PCs. “It will happen,” says Ted Julian, a mobile security analyst at Yankee Group. It’s clear that if any mobile OS is likely to be the easy target for hackers, it’s Android, whose architecture is most like that of the desktop PC due to its openness, says Schouwenberg. “Android is forcing other OSes to be more open, which increases risk,” adds Symantec’s Nguyen. It’s also harder to protect Android devices than other devices, notes Julian.
The reason: There are so many Android variants in use — four versions of the OS itself, just as many UI overlays from device makers, and a variety of other customizations from both carriers and device makers — that Google or the carriers couldn’t quickly patch all the devices as, say, Apple can with its iOS devices.
THE FALSE SECURITY OF APP STORES

Apple pioneered the concept of a vetted app store, and every other mobile platform maker has followed suit. It’s well known that Apple reviews apps to ensure they conform to Apple’s programming and even “decency” standards, and such review gives users the sense that Apple has filtered out malicious apps, says Julian. But that’s a risky assumption for any app store, not just Apple’s, Julian says. Having security experts review all the apps line by line simply isn’t possible given the thousands of apps that are submitted each month, and automated code analysis tools aren’t yet up to snuff, he notes. Julian says that Apple, Google, Microsoft, RIM, and the rest will eventually be able to find the “obvious stuff,” reducing the risk to everyone’s benefit. But some malware will still get through.

Android users can make any vetting meaningless by enabling installation of apps from “unknown sources” (that is, from anywhere other than the Android Market), a setting easily changed in the OS’s Settings app. Some users enable it so that they can install apps not available in the Android Market, such as apps not authorized for their specific device/carrier combination. Likewise, iOS devices jailbroken to allow unapproved apps undercut any security vetting by Apple in the App Store.

Theoretically, sandboxing would limit the damage of mobile malware. And it will, everyone interviewed for this article agreed. “It’s good that people are building in isolation” via sandboxes, Julian says. But it’s not a perfect defense. “You can Swiss-cheese a sandbox,” notes EMA’s Crawford, as you add mechanisms to allow apps to communicate with each other or share data. The app most likely to have such holes punched in it is the browser, for which plug-ins add both capabilities and entry points for hackers, as Apple discovered in the PDF-jailbreak vulnerability, says Kaspersky’s Schouwenberg.
“That showed the limits of sandboxes.” Crawford notes the issue “wasn’t the design of the browser itself, but how it’s stretched — through the extensions, helper objects, and plug-ins that open the doors where control is slight.” He notes that users want such extensions, which are often developed by smaller companies and individual developers not necessarily well versed in application security, so mobile OS makers who wall off the browser are likely to get strong user pushback. And the push to using HTML5 as a pan-mobile application development platform could increase the risk of the browser as a malware vector, he says, if the HTML5 apps were to rely on local helper apps. Web apps concern Crawford most of all the potential mobile threats because “Web security is getting too little action today,” despite the constant stream of reported exploits on the desktop.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.
HANDS-ON
Say yes to (almost) any device
How to support iPhones, iPads, Androids, and other devices beyond BlackBerry

By Galen Gruman

Resistance is futile: The iPhone has won. Try as you may to maintain the great corporate barrier against employees using the latest smartphones on your network, the iPhone has or will soon enter your business and connect to your IT systems, and Google’s Android devices such as the Galaxy series are not far behind. In fact, many CIOs and CSOs have already stopped resisting and are instead putting their energies to greater use: figuring out how to say yes to smartphones that are quickly becoming key business devices.

Sure, devices such as the iPhone have strong personal utility and appeal, but they are also increasingly able to meet core corporate security and management needs. The PC revolution 25 years ago blurred the distinction between “business” and “personal.” Today’s mobile devices are meeting IT halfway, permanently ending any pretense of a hard line. Now it’s your turn to figure out how to make the most of the smartphone revolution.

This guide will help you say yes to the latest mobile devices, beginning with security capabilities, which remain a core concern for most organizations. To address this issue, I’ve created four classes to cover most businesses’ security needs. I then explain how to ensure that each mainstream mobile device can meet those requirements, noting clearly when a particular device is ill-suited to your environment. Your obligations may vary, but you can fine-tune your smartphone strategy by starting with the closest-fitting category. To hone your pursuits, I’ve focused on Apple’s iPhone (including the iPod Touch and iPad), Google Android OS devices, Microsoft Windows Mobile and Windows Phone 7, business-oriented Nokia Symbian devices (such as the S60 and E71), and Research in Motion’s BlackBerry. Hewlett-Packard’s WebOS-based devices have been discontinued, so I’ve not included them here in the detailed explanations.
Given the importance of email on mobile devices, I also note considerations for the main business email platforms — IBM Lotus Domino/Notes, Microsoft Exchange, and Novell GroupWise — and explain when it might make sense to use a third-party mobile management product. Be aware that many of those products don’t really add security capabilities. Some simplify the provisioning of the devices’ native security capabilities, but most are focused on monitoring and managing your cellular telecom spend, tracking the devices as assets, and giving IT basic status information for help desk support. Rather than adding yet another management tool, you may want to opt out of the smartphone-provisioning business altogether, which may solve the accounting issues these management platforms have been devised to address. Keep in mind that mobile is a moving target. The advice that follows is based on what is available today, but vendors (hopefully) will continue to improve their products’ capabilities.
WHAT SECURITY CATEGORY FITS YOUR NEEDS?

Although scare stories about smartphone security often try to hold these devices to the standards of military and financial services firms, most companies don’t require those levels of security. Besides, many defense and financial services firms have already figured out how to support iPhones and iPads despite their higher security needs. Bank of America, Citigroup, Nationwide Insurance, and Standard Chartered are recent examples.

Many companies will require a blend of the four broad categories outlined below. After all, you likely support employees who are involved in sensitive negotiations, as well as those who have little to no access to vital corporate data. As such, your “say yes” strategy should reflect that internal diversity. The universal truth of mobile is that it is not one-size-fits-all.

One final note: If you’re not holding employee use of personal and provisioned PCs and laptops to the same security requirements you’re placing on mobile devices, then something’s wrong. That gap at the PC level is the more immediate one to fix.

Category 1: Routine business information. Truck drivers, sales reps, sales clerks, graphics designers, Web developers, repair and maintenance staff, personal coaches, restaurateurs — people in these professions deal with routine information that is rarely personally or legally sensitive. If their smartphone is lost or stolen, the resulting hassle amounts to reconstructing some data, ensuring the cell service is discontinued, and buying and re-outfitting a replacement device. There’s a risk of a thief accessing your email, so you do need to immediately change passwords at the server. Required security includes a PIN to use the device. Good, but not essential, security and management capabilities incorporate password expiration and complex-password requirements, remote wipe, in-transit SSL encryption of email and other data, and a “wipe contents after x failed attempts” policy.

Category 2: Important business information. Sales managers, veterinarians, personal assistants, management consultants, IT administrators, teachers, editors, videographers, programmers, most midlevel managers — people in these professions and positions have access to some personal and financial information that won’t make or break the company but could cause economic or PR damage worth preventing. They may also have access to some internal systems via passwords that could be abused by a bad actor who gets the device. If their smartphone is lost or stolen, the cleanup effort goes beyond the individual’s information and may require changing shared passwords, informing business partners, and losing short-term competitive advantages. Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, and a “wipe contents after x failed attempts” policy. Good, but not essential, security and management capabilities include VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption.

Category 3: Sensitive business information.
Finance staff, auditors, bankers, medical professionals, HR staff, lawyers, regulators, product managers, researchers, division managers, lead IT admins, marketing and sales chiefs, chief executives in most firms, and all of their assistants — people in these professions work with significantly confidential information (legal, financial, product, and personal) and usually have significant access to key internal data stores and systems. If their smartphone is lost or stolen, there could be serious financial consequences, such as the notification costs if personally identifiable information is unprotected and the competitive losses if details on business negotiations, staff salaries, and the like are revealed. Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, a “wipe contents after x failed attempts” policy, VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption. Good, but not essential, security and management capabilities include the ability to control access to specific networks, to turn off the built-in camera, and to control application installation.

Category 4: Top-secret information. Military contractors, spies, police, senior diplomats, military personnel, congressional chairmen and their aides — people in these professions work with confidential information, the exposure of which could jeopardize individuals’ lives or compromise the public at large. Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit encryption of email and other data using FIPS 140-validated cryptographic modules, a “wipe contents after x failed attempts” policy whose wipe meets government data-sanitization requirements, VPN access to sensitive systems and data stores, physical second-factor authentication support (a smart card or hardware token), FIPS 140-validated on-device encryption, S/MIME support, and discrete “lockdown” control over accessible networks and allowable applications.
SECURING THE NEEDS OF CATEGORY 1 BUSINESSES FOR ROUTINE INFORMATION

If your business deals with routine information, it’s pretty easy to embrace smartphones beyond the BlackBerry.

Apple iOS. The iOS used in the iPhone, iPad, and iPod Touch supports the PIN requirement for this category, as well as all the good-to-have options. (Note that email encryption is handled through on-device encryption, but just for the iPhone 3GS, iPhone 4, iPhone 4S, third- and fourth-generation iPod Touches, iPad, and iPad 2.) SSL encryption of messages in transit is a native capability of iOS. Enforcing these requirements and options is the issue at hand. If you can’t trust users to configure the settings themselves, you can opt for the free iPhone Configuration Utility to set up the security policy profiles. But to ensure employees actually install the profiles, you have to manually sync them via a USB cable to your PC. If you trust your staff, you can send them the profiles or have them install the profiles from a Web link. Another option that enables both over-the-air provisioning and enforced installation is the use of Mac OS X 10.7 Lion Server’s new policy management tools. Otherwise, you’ll need a third-party mobile management tool, such as those from AirWatch, Boxtone, Good Technology, MobileIron, Symantec, Sybase’s Afaria unit, Tangoe, Trellia, or Zenprise, among others. These also support over-the-air management, compliance and deployment auditing, and additional security controls that the iPhone Configuration Utility does not, and more policies than Lion Server.

If you use Microsoft Exchange 2007 or 2010, you can enforce PIN and password-expiration requirements using EAS policies. You can also issue a remote-wipe command via EAS. Lotus Notes-based organizations can password-protect email access by combining Domino 8.5.1 or higher with the free Lotus Notes Traveler app available at the iTunes App Store. Notes Traveler also provides remote wipe of email, calendar, and contact data. But Domino/Notes can’t enforce devicewide policies on the iPhone or iPad, just on Notes access, though it can remotely lock or wipe an iOS device. If such policy enforcement is critical, you might consider the profile validation, device locking, and access control capabilities provided by a third-party mobile management tool. If you use Google’s corporate Gmail, you’re restricted to using EAS policies. If you use Novell GroupWise, you can use the Data Synchronizer Mobility Pack add-on for GroupWise 8 to manage the iPhone via EAS policies. Or you can use the GW Mail iPhone app to provide a secure email client that works with GroupWise 6 and later — but GW Mail can’t enforce devicewide policies, just policies within its client.

Google Android. Android devices can be set to require a PIN or custom swipe pattern before they can be accessed, and with Android 2.2 and later you can require use of a password on the device and remote-wipe it.
It also supports SSL in-transit encryption, but it does not support on-device encryption. The tablet-oriented Android 3.0 does support encryption, as well as EAS policies for password expiration, password history, and password complexity. So does Android 4.0 for both smartphones and tablets, as does Motorola Mobility’s line of Android 2.x smartphones.

So far, there are only two general options for more-secure Android usage, such as to gain encryption of stored email data on pre-3.0 devices. One is NitroDesk’s TouchDown app, which provides Exchange 2003 and 2007 access, as well as allows you to enforce EAS PIN requirements and enable EAS remote wipe. Each user would need to install this app. It’s critical to note that many Android phones that claim Exchange compatibility, such as the Motorola Droid and HTC Droid Eris, do not support EAS policies natively, just Exchange synchronization without policy enforcement. Thus, their built-in mail clients won’t connect to an Exchange server that requires EAS policies. The Android 2.2 OS update brings some EAS policy support to such devices, such as password requirements.

The other option is to deploy a third-party management tool’s client, such as the Good for Android app, which provides email, calendar, and contact access to both Exchange and Notes servers. The app can require a password, encrypt the messages and other data, and remotely wipe the messages and other information stored within the app. Of course, using it requires having a Good for Enterprise server in place. The same is true for similar clients from MobileIron and others. For Lotus Notes environments, IBM has an Android version of its Lotus Notes Traveler app that lets you secure access to Notes and to data pulled in from Notes, as well as remote-wipe that data.

Microsoft Windows Mobile. Windows Mobile supports this category’s PIN requirement and the good-to-have options. You can enforce most of them using Microsoft Exchange and its EAS policies; SSL encryption of messages in transit is a native capability of the Windows Mobile operating system. If you use Lotus Notes with Domino 8.5.1 or later, you can use the free Lotus Notes Traveler app to remote-wipe Notes email, calendar, and contact data. But Domino/Notes can’t enforce any devicewide policies on Windows Mobile devices, just on Notes access. If you use Novell GroupWise 8, you can install the optional Data Synchronizer Mobility Pack to gain EAS policy access.
Otherwise, you’re stuck with the GroupWise Mobile Server product, which uses the Nokia IntelliSync technology (discontinued in late 2008) rather than EAS to manage devices; that means each device needs to have an IntelliSync client installed, though Novell is no longer providing the client. Effectively, this limits GroupWise to older Windows Mobile (5.0 and 2003) devices.

Windows Phone 7. Microsoft’s newest mobile OS has less support for security than Windows Mobile. In this category, it supports the PIN requirement, as well as the following good-to-have capabilities: SSL encryption of in-transit email, and remote wipe. It does not support the good-to-have on-device encryption or complex-password enforcement policy. You can enforce the supported policies if you’re using an EAS-compatible server such as Microsoft Exchange, Google’s corporate Gmail, or GroupWise 8 with the optional Data Synchronizer Mobility Pack installed. There is currently no support for Lotus Notes.

Nokia Symbian. Many Nokia devices support this category’s PIN requirement, as well as the good-to-have options. For Exchange users, Nokia supports a subset of EAS policies and management capabilities, but the company declined to say which. It appears from my research that Nokia supports fewer EAS policies than Apple’s iOS 4 or 5. For Notes users, IBM offers the Lotus Notes Traveler application to secure Notes email, calendars, and contacts, and to remote-wipe that data. If you want to manage Nokia devices, the Good for Enterprise server bundle can do the trick for some models such as the S60, if you’re using Exchange or Notes/Domino. For Novell GroupWise, you’re limited to older devices that use the discontinued Nokia IntelliSync technology, which also requires you to have GroupWise Mobile Server in place.

RIM BlackBerry. The BlackBerry supports this category’s PIN requirement and all the good-to-have options — if you use the BES or BES Express servers in addition to your Exchange, Notes, or GroupWise server. The new free BES Express server software makes BlackBerry management a viable option for small businesses that use Microsoft Exchange or Lotus Notes. Without BES, the BlackBerry can have a PIN set on the device itself and can encrypt in-transit messages.
If you run Microsoft Exchange and want to use its EAS policies instead of relying on BES (such as if you support other smartphones in addition to BlackBerrys), there are third-party tools that let the BlackBerry support EAS, including AstraSync and NotifySync.

Note that the BlackBerry PlayBook tablet does not have any native security capabilities in the 1.0 version of its operating system (that may change in 2012’s expected 2.0 release). But the tablet has no access to corporate data protected by BES unless you first tether the PlayBook to a BlackBerry smartphone, in which case the tablet is just a window onto the protected smartphone’s data and apps.
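The category definitions above and the EAS policies this section keeps pointing to (for Exchange, Google’s corporate Gmail, and GroupWise with the Mobility Pack) can be tied together concretely. What follows is an added example, not code from the article or from Microsoft: it expresses Categories 1 through 3 as Exchange ActiveSync provisioning settings, using the element names from Microsoft’s MS-ASPROV specification, builds the policy document a server would send, and checks a policy document against a category. The numeric thresholds (password length, expiration, failed-attempt limit, inactivity timeout) and the sample policy document are this example’s assumptions; the article names the controls but not the numbers.

```python
"""Added example (not from the InfoWorld article or from Microsoft).

Maps the article's security categories to Exchange ActiveSync provisioning
settings (MS-ASPROV element names) and audits a policy document against
them. Thresholds and the sample document are assumptions for the example.
"""
import xml.etree.ElementTree as ET

# Category 2 baseline: complex password, expiration, wipe after N failures.
_CATEGORY_2 = {
    "DevicePasswordEnabled": 1,
    "AllowSimpleDevicePassword": 0,          # no 1234-style PINs
    "AlphanumericDevicePasswordRequired": 1,
    "MinDevicePasswordLength": 8,
    "MinDevicePasswordComplexCharacters": 2,
    "DevicePasswordExpiration": 90,          # days; 0 means never expires
    "DevicePasswordHistory": 5,
    "MaxDevicePasswordFailedAttempts": 10,   # device wipes itself after this
    "MaxInactivityTimeDeviceLock": 300,      # seconds until auto-lock
}

CATEGORY_POLICY = {
    # Category 1: a PIN is the only hard requirement.
    1: {
        "DevicePasswordEnabled": 1,
        "AllowSimpleDevicePassword": 1,
        "MinDevicePasswordLength": 4,
        "MaxDevicePasswordFailedAttempts": 10,
    },
    2: dict(_CATEGORY_2),
    # Category 3 adds on-device encryption and the camera lockdown.
    3: dict(_CATEGORY_2, RequireDeviceEncryption=1,
            RequireStorageCardEncryption=1, AllowCamera=0),
}

# A policy may be stricter than its category: a larger minimum or a smaller
# (non-zero) maximum still passes. Everything else must match exactly.
_AT_LEAST = {"MinDevicePasswordLength", "MinDevicePasswordComplexCharacters",
             "DevicePasswordHistory"}
_AT_MOST = {"MaxDevicePasswordFailedAttempts", "DevicePasswordExpiration",
            "MaxInactivityTimeDeviceLock"}


def build_provision_doc(category):
    """Serialize a category as the EASProvisionDoc element an EAS server
    returns in its Provision response (XML form; the wire uses WBXML)."""
    doc = ET.Element("EASProvisionDoc", xmlns="Provision")
    for name, value in CATEGORY_POLICY[category].items():
        ET.SubElement(doc, name).text = str(value)
    return ET.tostring(doc, encoding="unicode")


def parse_provision_doc(xml_text):
    """Return {element_name: int} for the integer settings in a document."""
    settings = {}
    for el in ET.fromstring(xml_text):
        name = el.tag.rsplit("}", 1)[-1]       # strip the {Provision} prefix
        text = (el.text or "").strip()
        if text.isdigit():
            settings[name] = int(text)
    return settings


def check_policy(settings, category):
    """List every category requirement the policy fails to enforce.
    An empty list means the policy is at least as strict as the category."""
    gaps = []
    for name, want in CATEGORY_POLICY[category].items():
        if name.startswith("Allow") and want == 1:
            continue                            # permitting more is never a gap
        have = settings.get(name)
        if have is None:
            gaps.append(f"{name} missing (want {want})")
        elif name in _AT_LEAST and have < want:
            gaps.append(f"{name}={have} (want >= {want})")
        elif name in _AT_MOST and not 0 < have <= want:
            gaps.append(f"{name}={have} (want 1..{want})")
        elif name not in _AT_LEAST | _AT_MOST and have != want:
            gaps.append(f"{name}={have} (want {want})")
    return gaps


# Constructed sample of a lenient policy, the sort of thing a Category 1
# shop might have left on an Exchange 2007 server. Not a real capture.
SAMPLE_DOC = """<EASProvisionDoc xmlns="Provision">
  <DevicePasswordEnabled>1</DevicePasswordEnabled>
  <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
  <MinDevicePasswordLength>4</MinDevicePasswordLength>
  <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
  <DevicePasswordExpiration>0</DevicePasswordExpiration>
  <RequireDeviceEncryption>0</RequireDeviceEncryption>
</EASProvisionDoc>"""

if __name__ == "__main__":
    settings = parse_provision_doc(SAMPLE_DOC)
    for cat in (1, 2, 3):
        gaps = check_policy(settings, cat)
        print(f"Category {cat}: {'meets requirements' if not gaps else gaps}")
```

Run against the sample, Category 1 passes and Categories 2 and 3 fail on the missing complexity, expiration, and encryption elements. The caveat that matters for the Android discussion above: an EAS policy is enforced by the mail client, not the server. The server learns only that the client acknowledged the policy and returned a PolicyKey, so a client that claims compliance without implementing it gets the mail anyway. That is why Exchange’s policy setting to refuse non-provisionable devices belongs on, and why the built-in clients on phones that “support Exchange” but not EAS policies are a real gap rather than a cosmetic one.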
SECURING THE NEEDS OF CATEGORY 2 BUSINESSES FOR IMPORTANT INFORMATION

If your business deals with important information, it’s a bit harder to embrace smartphones beyond the BlackBerry, but you can confidently support iOS, Windows Mobile, and Nokia Symbian.

Apple iOS. iOS supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses. One Category 2-specific issue to be aware of is that the VPN support for Cisco networks does not let you use Cisco profile distribution files; you have to manually enter the VPN profile or use the iPhone Configuration Utility, Mac OS X Lion Server, or a third-party management tool to generate it, so there’s more IT overhead in implementing VPN access.

Google Android. The Android 2.x operating system lacks the services to provide many of this category’s requirements, such as on-device encryption and password expiration. PPTP and L2TP/IPsec VPNs are built into the operating system but may not be available on all devices (device makers don’t have to expose them); OpenVPN requires a third-party client. Android 3.x and 4.0 do fill in the gaps on encryption and password expiration policies. If your concern is about protecting email, calendar, and contacts data — and you use a compatible VPN — you can probably compromise the Category 2 requirements a bit for Android users. But you can’t meet them all.

Microsoft Windows Mobile. Windows Mobile supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as described previously for Category 1 businesses.
However, for large-scale deployments in Microsoft-based IT shops, you may want to use Microsoft System Center Mobile Device Manager 2008, which lets you add self-provisioning, such as for password resets, and handle thousands of users across multiple Active Directory domain controllers if they are in the same forest.

Windows Phone 7. The Microsoft OS supports most of the requirements for this category, with the notable exception of a complex-passwords policy. It supports none of this category’s good-to-have options. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.

Nokia Symbian. Nokia supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.

RIM BlackBerry. The BlackBerry supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.
SECURING THE NEEDS OF CATEGORY 3 BUSINESSES FOR SENSITIVE INFORMATION

This level of business — financial services, legal, HR, and health care — is where businesses have to start making support choices that could displease users.

Apple iOS. The iPhone and iPad support all the requirements for this category. The issues and capabilities for Category 3 requirements are the same as those described for Category 1 businesses. Where iOS becomes problematic is in the good-to-have capabilities. You can disable the camera and limit Wi-Fi access to specific SSIDs via the iPhone Configuration Utility’s or Lion Server’s profiles or through third-party management tools. Likewise, you can use third-party management tools to restrict users to specific apps. Using the iPhone Configuration Utility, Lion Server, or a third-party management tool, you can disable the App Store, Safari, and iTunes, but those are heavy-handed control options that will reduce the iPhone’s intrinsic utility and appeal.

Google Android. The 2.x version of Android OS lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 3 businesses. Android 3.x and 4 do meet this category’s basic needs, but not the nice-to-have capabilities.

Microsoft Windows Mobile. Windows Mobile supports all the requirements for this category, but you’ll need Microsoft System Center Mobile Device Manager 2008, Good for Enterprise, or MobileIron products to handle the good-to-have option of managing which applications users may install. Otherwise, the issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses.

Windows Phone 7. The Windows Phone 7 OS lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 3 businesses.

Nokia Symbian. Nokia supports all the requirements for this category. The issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses. For the good-to-have options, I could not find third-party management tools that provide them for Nokia’s devices.

RIM BlackBerry. The BlackBerry supports all the requirements for this category — if you use the full version of BES with Notes or GroupWise, or either the free Express or the paid full version of BES for Exchange. You’ll need the full BES for the good-to-have features for all three email platforms. The issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses.
SECURING THE NEEDS OF CATEGORY 4 BUSINESSES FOR TOP-SECRET INFORMATION

If your business deals with life-critical information, such as for defense work, there are only two viable smartphone options: BlackBerry and Windows Mobile.

Apple iOS. iOS can’t meet the military-grade encryption (FIPS) requirements (except for S/MIME support in iOS 5) or provide the level of application and network-access control necessary, nor can it support physical second-factor authentication. It can be used in military organizations, but only by those people whose level of clearance doesn’t require these extraordinary security measures.

Google Android. The Android operating system lacks the services to provide most of this category’s requirements, so it cannot meet the needs of Category 4 businesses.

Microsoft Windows Mobile. Natively, Windows Mobile can’t meet military-grade requirements such as physical second-factor authentication support and military-grade (FIPS) encryption, but the Good for Government product adds them to meet Defense Department requirements.

Windows Phone 7. The Windows Phone 7 operating system lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 4 businesses.

Nokia Symbian. The Nokia devices can’t meet the military-grade (FIPS) encryption requirements or provide the level of application and network-access control necessary. They can be used in military organizations, but only by those people whose level of clearance doesn’t require these extraordinary security measures.

RIM BlackBerry. When used with the full version of BES and the BlackBerry Smart Card Reader, certain models of the BlackBerry can meet Category 4 requirements.

[Chart: HOW EACH MOBILE PLATFORM’S SECURABILITY COMPARES. A bar chart, not reproducible in text, rating Apple iOS 3.2, 4, 5; Google Android OS 3.x, 4.0; Google Android OS 2.2; Microsoft Windows Phone 7.x; Microsoft Windows Mobile 6.x; Nokia Symbian 3; Hewlett-Packard WebOS 1.x, 2, 3; and Research in Motion BlackBerry 5, 6, 7 against Cat. 1 (routine), Cat. 2 (important), Cat. 3 (sensitive), and Cat. 4 (top-secret), with separate bars for Exchange, Notes, and GroupWise. Legend: natively supported; supported with extra tools; ✘ = not supported (the only ✘ is Windows Phone 7.x with Notes). Capabilities listed are for Exchange 2007 and later, Lotus Notes 8.5.1 and later, GroupWise 8 and later.]
THE BOTTOM LINE: YOU CAN SAY YES A LOT

By now, I hope it’s clear that most businesses can say yes to many of today’s smartphones. Although the minimal capabilities of Windows Phone 7 and Android 2.x largely limit their use to Category 1 companies, Category 2 and Category 3 businesses can support iOS and even Android 3.x and 4.0, not just the traditional BlackBerry, Windows Mobile, and Nokia Symbian devices. So now the question is not whether your business should say yes to smartphones but what value it seeks from their broad use. That’s a better question to ask and an even better one to help the business answer.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.
HANDS ON

BES: Express or deluxe?

The free BlackBerry Enterprise Server Express is good enough for most

By Mike Heck

For almost as long as BlackBerry smartphones have been the darlings of enterprise business users, RIM’s BlackBerry Enterprise Server (BES) has been the preferred solution for managing these devices and for providing secure access to corporate email. BlackBerry Enterprise Server has grown along the way, with the latest version 5.0.1 sporting a new, simplified Web-based administration interface and groups for easier management of roles, IT policies, and software configurations. BlackBerry Enterprise Server 5 also promises better reliability through server failover features and system health checks. That’s all good news for large organizations.

There’s also good news for smaller organizations. The BlackBerry Enterprise Server Express provides small and midsize businesses with many of the same security, management, and push technologies of BlackBerry Enterprise Server — but at no cost beyond their existing Microsoft Exchange or Domino servers. From the BlackBerry user’s perspective, BES and BES Express are the same. Both let users wirelessly synchronize email, calendars, and contacts, as well as access files stored on the server. The two products even play together nicely in large organizations. You could use Express to manage personal BlackBerry phones that employees purchase and bring to work, while BES handles the heavy lifting of corporate BlackBerry devices that are deployed in large numbers.

How do these two BlackBerry-only solutions stack up for companies and their IT organizations? I created a Microsoft Small Business Server 2008 test environment to find out.
BLACKBERRY ADMIN

Installing BlackBerry Enterprise Server or BlackBerry Enterprise Server Express requires about three hours, including any prerequisite software. (The process is much faster for upgraders, thanks to the BES Transporter Tool.) Experienced IT staff shouldn’t have any problem with the step-driven setup application. Others, though, would be well advised to let a consultant do the job. I discovered several unintuitive settings related to user accounts and Active Directory, as well as configuration problems with the Web server that could easily trip you up.

[Screenshot captions: The Web-based BlackBerry Administration Service makes it easy to assign IT policies and software configurations to users. With the Web Desktop Manager, admins can let users configure their phones, install applications, and handle backups and restores.]

TEST CENTER SCORECARD

                               BlackBerry Enterprise     BlackBerry Enterprise
                               Server 5.01               Server Express 5.01
                               (Research in Motion)      (Research in Motion)
Business Connectivity (20%)    8                         8
Management and Security (20%)  9                         7
Administration (20%)           8                         8
Scalability (20%)              9                         7
Setup (10%)                    7                         8
Value (10%)                    8                         10
Overall score                  8.3 (VERY GOOD)           7.8 (GOOD)

COST. BES: $3,299 for server software and 50 client licenses; volume discounts available. BES Express: Free.

PLATFORMS. BES: Microsoft Exchange, IBM Lotus Domino, or Novell GroupWise; runs on Windows Server 2000 or later and Microsoft SQL Server. BES Express: Exchange Server 2010, 2007, and 2003 and Windows Small Business Server 2008 or 2003, or Lotus Domino and Lotus Messaging Server.

BOTTOM LINE. BES: BlackBerry Enterprise Server 5 combines Web-based administration, over-the-air device provisioning, granular control with 450 IT policies, and a host of high-availability features required by large enterprises. BES Express: Small and medium-size businesses needing to give their BlackBerry users secure access to Microsoft Exchange or Lotus Notes email and internal documents can’t go wrong with the no-cost BES Express.

Both editions share the new BlackBerry Administration Service, a Web-based console that only works with Microsoft Internet Explorer. The GUI eliminates the desktop software that was part of BES 4.x, and it’s well designed. For example, the home screen provides options for managing users and groups, creating and assigning IT policies, handling operating system upgrades on the handsets, and dealing with applications on smartphones. Administrators can also manage the server from this console.

Although previous versions of BlackBerry Enterprise Server had groups, they’re more flexible in BES and BES Express 5.0.1. For instance, groups can belong to other groups (nesting or child), which helps IT managers deal with complicated corporate structures. Groups, like individual users, can be assigned to roles, IT policies, and software configurations, and they’ll inherit the roles, policies, and configuration from their parent groups. You’ll need to construct group hierarchies carefully, because there’s no easy way to manage exceptions for a specific user.

Both BlackBerry Enterprise Server and BlackBerry Enterprise Server Express 5.0.1 provide new administration roles that can be used to spread out IT management tasks more efficiently. For example, you could assign one person to serve as senior help desk administrator and others to administer a particular server or group of users. Further, both editions turn over a lot of control to users — self-service that can reduce the work for help desk staff. The Web Desktop Manager (subject to policies) allows users to activate and configure their smartphone settings, back up and restore data residing on the phone, and install applications.
BLACKBERRY ENTERPRISE SERVER VS. BLACKBERRY ENTERPRISE SERVER EXPRESS
BlackBerry Enterprise Server Express features more than 35 controls and policies, including remotely wiping a lost smartphone and enforcing password policies. I had no trouble creating policies to lock out Bluetooth, enable the still camera, and allow software loading with the device tethered to a PC. Using the tabbed interface, you pick the rule and whether the feature is enabled or disabled. Typically, both products start with most device features enabled, so you only need to create a rule when restricting a particular capability.

Most organizations will be satisfied with the basic controls in BlackBerry Enterprise Server Express, while those who need lots of fine-tuning will find it in BlackBerry Enterprise Server. Where BES Express can either allow or prohibit the use of a feature (MMS, SMS, Bluetooth, camera, media card, modem, Wi-Fi, USB/serial, internal network connections, and so on), BlackBerry Enterprise Server can control exactly how the feature is used. For example, BES lets you control whether Bluetooth can connect to BlackBerry Desktop, be used for device discovery or dial-up networking, exchange contacts, or transfer files. You can set a minimum encryption level for Bluetooth connections and even ensure that the LED connection light flashes whenever the BlackBerry is connected to a Bluetooth device.

The one policy area where BES Express matches BES is application control. In both editions, “listed” applications (such as the BlackBerry Java applications you choose to include in your company’s repository) can be made optional or mandatory, or they can be prohibited based on a user’s permissions. Similarly, “unlisted” applications can be allowed or blocked; if allowed, these applications can be prevented from using device storage or limited in the types of connections they can establish.

Both BlackBerry Enterprise Server and BlackBerry Enterprise Server Express automate operating system and application updates, but BES has additional tools to make the whole software management process more reliable. That’s because you can check for any software dependencies that need to be installed first. It’s even possible to trigger a software upgrade based on a device’s hardware or wireless carrier. For instance, if you have a BlackBerry Torch user on AT&T, you could specify an AT&T-specific version of BlackBerry OS 6 for the Torch to be installed. Again, that sort of precision isn’t available with Express. In both editions, application and IT policy updates can be pushed during off-peak hours to minimize disruptions to users.

While BlackBerry Enterprise Server allows devices to be activated over the air, initial provisioning is a manual process in BlackBerry Enterprise Server Express. But with the Web Desktop Manager, users can handle it by themselves.

BlackBerry Enterprise Server also has high-availability features that Express lacks. For instance, you can configure primary and standby servers for automatic and manual failover — which could keep downtime to a minimum when there’s a hardware problem or during server upgrades. (There are no additional licensing fees for servers running in standby mode.) Working in concert with failover, BES 5.0.1 adds system health checks. For example, you can create a certain performance threshold. If that measurement is exceeded, the failover to the backup server automatically occurs.

Both flavors of BlackBerry Enterprise Server do a very good job of providing BlackBerry users with secure, wireless access to email and documents behind the firewall, and the Web-based interface minimizes the workload of IT administrators. For personally liable BlackBerry devices that only require access to an Exchange server and where a basic set of security policies is adequate, Express will do the trick. But when your support staff has to manage thousands of devices or when email to mobile executives absolutely positively must never stop flowing, then BlackBerry Enterprise Server is the only choice.

Mike Heck is an InfoWorld contributing editor.
HANDS ON

Simple iOS support how-to

If your IT support organization fears iPhone and iPad overload, fear not

By Galen Gruman

It’s a refrain I’ve heard more and more from IT managers in my travels in recent months: Yes, we can secure devices using Exchange or mobile device management tools, but what we really worry about is the support burden that iPads and iPhones will put on us. I’m happy to say that the IT support burden should not increase meaningfully — or at all — as employees bring in iOS devices.

But first, a caveat: Android is a different story due to all the permutations in the OS from vendor to vendor and the uncertainty over which apps are legitimate, though some principles I describe here for supporting iOS devices such as the iPad and iPhone should apply as well. And unlike with iOS, you’ll get calls from employees who can’t connect to your secured wireless network due to the poor implementation in Android 2.x, 3.x, and 4 for PEAP-secured Wi-Fi networks. Ditto for those Android 2.x smartphone users whose devices can’t support many of your Exchange ActiveSync policies such as on-device encryption and complex passwords. I can’t help you there.

First, a recent study shows that iOS devices require the least support of the major mobile platforms. The device that IT prefers, the Research in Motion BlackBerry, is more difficult to support, but as they continue to fade from the business environment, the IT mobile support burden should decrease. In fact, aggressively replacing BlackBerrys with iPhones is probably the quickest way to lighten the IT mobile support load. Android smartphones require the most support, but their current lack of basic enterprise security and manageability means you’re not likely to allow their use for business purposes and, thus, don’t need to support them. (Motorola Mobility’s crop of business-savvy Androids are the notable exception, though Android 4 promises to reduce that gap as well.) That study points to an unsurprising reason: The iOS user interface is easier for users, so they tend to need less help.
Reports from Forrester Research and Aberdeen Research show that users who choose their own devices (no matter who pays for them) are more self-supporting. Plus, if the device is a personal possession, even if also accessed for business, users are much more careful about not losing and not damaging the item. All of this explains the lower support overhead for iOS devices.

But at some point, IT will have to deal with iOS devices directly. When that happens, here are ways to keep the effort low while meeting users’ needs.
USE SECURITY POLICIES AND CERTIFICATES

iOS supports more Exchange ActiveSync (EAS) policies than any other modern mobile OS; only the long-dead Windows Mobile still used in government and some businesses supports more. When anyone tries to access email from Exchange or corporate Gmail (if EAS is enabled), the email server validates the policies immediately, forcing users to comply in return for access. Because iOS uses standard EAS policies, you merely need to set them up, without regard for whether the user has iOS — it can be the same policy set you use for desktop access.

If you use IBM’s Lotus Notes and Domino, you can’t impose these policies on the iOS device (using the 8.5.2 or later version of Notes Server), just on the Lotus client. That’s an IBM limitation, not an Apple one. The same is true, for the same reason, on the GroupWise email server, assuming you have the Data Mobility Pack installed to add EAS support. For these two old-school email systems, you should look at deploying a mobile device management (MDM) tool that supports multiple mobile OSes via policies. What you can do with IBM’s and Novell’s EAS support is wipe the devices completely or just the email server’s data.

iOS also supports certificates, such as for PEAP-secured Wi-Fi access and VPN access. Again, these should be the same as you use for any device.
USE CONFIGURATION PROFILES

But it’s the provisioning profiles that you really should invest in, as they can save you lots of time in putting together a user self-configuration service. Apple’s provisioning certificates are based on XML, so you can generate them through several means. MDM tools generate them, for example. Mac OS X Lion Server also generates and remotely installs them on a per-user or per-device basis, tying into your Active Directory or Open Directory infrastructure so that you can set and apply policies for individuals, groups, devices, and device groups. The Web interface is simple, and the policies can be applied to Lion-based Macs. It does mean using a separate tool, but that’s no different than using BlackBerry Enterprise Server (BES) to do the same for BlackBerrys. Mac OS X Lion Server is much cheaper than an MDM tool, especially if its policies cover your needs. (Lion Server costs just $50 to upgrade a Lion-based Mac to it, and $80 from a Snow Leopard-based Mac.)

There’s also Apple’s free iPhone Configuration Utility, which is the still-available predecessor to Mac OS X Lion Server’s policy manager. The iPhone Configuration Utility runs on both Windows (XP through 7) and Macs (both Snow Leopard and Lion), so many IT organizations may prefer it to Lion Server. You can create profiles for each device, then install them on the device directly over USB, by emailing the profile to the user, or by placing the file on a Web page and having the user open that link.

But what you really want to do for a self-service approach is create configuration profiles for various classes of users, rather than handle each user individually. You can do that too in the iPhone Configuration Utility: Create configuration profiles by selecting Configuration Profiles in the Sidebar’s Library section. Then click New. You get several panes, one for each type of policy or configuration you want to set. Go through each one in turn.
For example, you might set up the VPN shared secret credentials, so you or the user doesn’t have to enter that manually on each device — the user would only have to enter his or her own credential (which you want them to do anyhow, so that if the device is lost your VPN is not accessible to someone else), such as the one managed by Active Directory. Likewise, you could add the Exchange Server address, the setup for internal Wi-Fi access points, LDAP configurations, shared calendar details, security credentials, a required MDM server, and so on — all the settings common to a group.

A key setting in the General pane is Security: Here, you control whether the user can revoke the configuration certificate, and if so, you can specify the required password. For example, an IT support staffer who knows the password could revoke the profile manually, but the user could not.

If you have some configurations that are universal and others that are specific to a role or department, create a separate configuration profile for each. You should do so hierarchically, so only the universal profile sets the universal settings and only the local profiles set the local settings. iOS lets you install multiple configurations, so you can layer the configurations and later update just the universal one or just the local one without affecting the other configurations’ settings.

When you save the profile, you can then share it with as many users as you want. You can email the profiles, and when the users open the profile on their iOS devices, they get a prompt to install them. Alternatively — better for a self-service approach — you can include the links to these profiles from a Web page or intranet site (such as a new-user welcome page that also contains the employee manual, time sheets, and payroll direct-deposit forms, or a departmental hub page), so users can simply install their own. Because these profiles configure their iPhones and iPads to work with your network and other resources, you know they will — if they’re really using the devices for business purposes, anyhow.

The downside of the iPhone Configuration Utility is that it can’t update installed profiles automatically, as an MDM tool or Lion Server can; users have to download the newest version to get it. That is, unless you want to create your own over-the-air policy server — Apple has provided instructions on how to do so using the SCEP protocol and a Cisco IOS or Microsoft Windows Server platform. Unfortunately, I’m aware of no similar way to create such self-install profiles for BlackBerry, Android, or other mobile platforms.
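The layering approach described above (one universal profile plus role-specific ones, each with its removal controlled from the General pane’s Security setting), as an added Python example that is not from the article, from Apple, or from the iPhone Configuration Utility: it emits the same XML plist format a .mobileconfig file uses via the standard plistlib module. The payload type names and keys are Apple’s documented configuration-profile keys; the organization identifier, host names, SSID, and passwords are constructed placeholders.

```python
"""Build layered iOS configuration profiles (.mobileconfig): one universal
profile and one department profile, each owning only its own payload types,
with an explicit removal policy on each. Added example; not InfoWorld's or
Apple's code. Host names, SSID, identifiers and secrets are constructed."""
import plistlib
import uuid

ORG_PREFIX = "com.example.corp"  # constructed reverse-DNS identifier prefix
REMOVAL_PAYLOAD = "com.apple.profileRemovalPassword"  # Apple's removal-password payload type


def payload(payload_type, ident, display_name, **settings):
    """Wrap type-specific settings in the common keys every payload carries."""
    item = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_PREFIX}.{ident}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    item.update(settings)
    return item


def build_profile(name, ident, payloads, removal="password", removal_password=None):
    """Assemble a top-level profile. removal is one of:
    "free"     - the user may remove the profile at any time
    "password" - removal requires an IT-held password (the General > Security case)
    "locked"   - the user cannot remove the profile at all"""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{ident}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": "Example Corp",  # constructed
        "PayloadContent": list(payloads),
    }
    if removal == "locked":
        profile["PayloadRemovalDisallowed"] = True
    elif removal == "password":
        if not removal_password:
            raise ValueError("removal='password' needs removal_password")
        profile["PayloadContent"].append(payload(
            REMOVAL_PAYLOAD, f"{ident}.removal", "Removal password",
            RemovalPassword=removal_password))
    elif removal != "free":
        raise ValueError(f"unknown removal mode {removal!r}")
    return profile


def to_mobileconfig(profile):
    """Serialize to the XML plist that iOS accepts as a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(data):
    """Parse a .mobileconfig back into a dict, e.g. to audit a published file."""
    return plistlib.loads(data)


def payload_types(profile):
    return {p["PayloadType"] for p in profile["PayloadContent"]}


def layering_conflicts(universal, local):
    """Payload types set by BOTH profiles. Under the layering rule (universal
    settings only in the universal profile, local settings only in local ones)
    this must be empty; the removal-password payload is exempt because each
    profile legitimately carries its own."""
    return (payload_types(universal) & payload_types(local)) - {REMOVAL_PAYLOAD}


def removal_policy(profile):
    """Report which of the three removal modes a profile enforces."""
    if profile.get("PayloadRemovalDisallowed"):
        return "locked"
    if REMOVAL_PAYLOAD in payload_types(profile):
        return "password"
    return "free"


# Universal profile: Wi-Fi, Exchange ActiveSync account, VPN with shared secret.
# Only shared settings ship; each user still types his or her own directory credentials.
UNIVERSAL = build_profile("Corp universal", "universal", [
    payload("com.apple.wifi.managed", "wifi", "Corp Wi-Fi",
            SSID_STR="CorpNet", EncryptionType="WPA", AutoJoin=True),
    payload("com.apple.eas.account", "eas", "Corp Exchange",
            Host="mail.example.com", SSL=True),
    payload("com.apple.vpn.managed", "vpn", "Corp VPN",
            UserDefinedName="Corp VPN", VPNType="IPSec",
            IPSec={"RemoteAddress": "vpn.example.com",
                   "AuthenticationMethod": "SharedSecret",
                   "SharedSecret": b"REPLACE-WITH-REAL-SHARED-SECRET"}),
], removal="password", removal_password="REPLACE-WITH-IT-ONLY-PASSWORD")

# Department profile: only the directory this group uses; nothing universal.
FINANCE = build_profile("Finance", "finance", [
    payload("com.apple.ldap.account", "ldap.finance", "Finance directory",
            LDAPAccountHostName="ldap.example.com", LDAPAccountUseSSL=True),
], removal="password", removal_password="REPLACE-WITH-IT-ONLY-PASSWORD")
```

Writing `to_mobileconfig(UNIVERSAL)` and `to_mobileconfig(FINANCE)` to two .mobileconfig files gives the pair to link from a welcome page; `layering_conflicts` is the check to run before publishing a new departmental profile.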
BUSINESS APPS

The other piece you can do for employee self-service is to provide Web pages with links to your preferred apps. Apple has created an iTunes minisite that lists popular business apps; it’s a good place to find recommended titles. In iTunes, right-click an app’s icon and choose Copy Link from the contextual menu. When a user clicks that link, he or she is taken to the iTunes Store on the iOS device to purchase or download the app. Thus, you encourage the adoption of the tools you prefer employees use for business purposes. For Android users, you could set up links to the Google Android Market as well, for your recommended Android apps.

It’s probably easiest to have employees expense these recommended apps, as iTunes emails them a printer-friendly receipt. But if you prefer to manage the purchase of apps yourself, Apple’s Business App Store lets you set up centralized billing and purchase tracking for required and recommended apps, both those from the App Store and those from developers making custom (nonpublic) iOS apps for you.

If you want to restrict users to specific apps, you can do that via policies, but then you’re pretty much killing the point of a bring-your-own device. I’m assuming that most businesses that want to support iOS devices with minimal IT overhead are likewise keeping the burden on employees who use the devices low. After all, the more you impose, the more you need to support.
TROUBLESHOOTING

iOS may be intuitive for most users, but not everything is obvious from the get-go. Plus, troubleshooting issues always come up with any device. Some, like lost passwords, IT support should already have a universal system in place for managing. But here are a few questions that are likely to arise and would be useful to know or at least consider as part of a self-support FAQ:

iCloud automatically backs up iOS 5 device settings for users who sign in via their Apple ID or iCloud account. That will greatly help restoration of a system that gets reset somehow. App data is not backed up to iCloud, however. iTunes also tracks all the apps and media purchased through it, so those can be redownloaded if a device is wiped or reset, and they can be downloaded to a new device if the employee loses the current one — at no charge. Also, iTunes backs up user data, as well as settings, so by syncing the iOS device to iTunes periodically, a user can self-restore a wiped device or transfer the apps, data, and settings to a new device. iOS 5’s wireless backup should make that backup process even easier.

iOS has no visible file system (files are stored within their apps’ containers, as a security measure), so users often are confused about how to attach items to emails and otherwise bring content into apps. The trick is to start with the content. For example, to email a photo, go to the Photos app, select the photos, then use the Share menu to send them via email. Most apps use that menu or a similar one. Also, to move files among applications, look for the Open In menu — you may get it from tapping and holding a document, by using the Share menu, or via some other app-specific method — to open a document from the current app in another one (only compatible apps are listed). Apps have to specifically support Open In, so some apps may not have this capability.

If an employee has trouble when not near an IT support staffer, he or she can easily take screenshots to show the state and email them to the help desk. Press the Sleep/Wake and Home buttons simultaneously to take a screenshot, which then appears in the Photos app’s Camera Roll album. There’s no limit on the number of screenshots one can take.

Most apps provide a quick-scroll option: Tap the top of the screen and the app’s screen usually jumps to the top of its content (such as the list of email messages). Unfortunately, there’s no equivalent to jump to the bottom of content.

A few gestures are universal: Scroll within an app with one finger; scroll within a pane or window within an app (usually this is for websites) with two fingers. Pinch together a finger and thumb to zoom in; reverse that gesture to zoom out. Double-tap the Home button to open the multitasking bar that shows all running apps and lets you switch to any of them (as well as quit any of them by tapping and holding an app and then tapping its Close box).

If you’re concerned about a tidal wave of iOS devices drowning your support team, relax. They’re easier to support than you fear — and the techniques here can reduce the burden even more by providing self-service options to your employees.

Galen Gruman is an InfoWorld executive editor and its Mobile Edge blogger.