In a perfect world, your entire workforce would carry a standard mobile device that could be managed easily and effectively through one platform. Alas, few IT managers enjoy this luxury -- most must deal with increasingly diverse employee- and employer-owned devices, spanning multiple operating systems and product generations. How can you manage this handheld potpourri without going crazy or breaking the bank?
Different strokes for different folks
In a recent InformationWeek Analytics study of business technology managers, 59% said they specify and procure standard mobile devices, while another 13% specify standard devices that employees can purchase on their own. However, popular new devices like the Apple iPhone are making enforcement of standards difficult.
According to Gartner analyst Ken Dulaney, ergonomics and emphatic personal preferences for specific mobile device features instigate this mutiny, exacerbated by the broad spectrum of low-cost consumer-based mobile devices now available. "It is too easy for a user to purchase a smartphone with a personal credit card and then use it to access sensitive corporate data," Dulaney said. In this increasingly diverse world, the only way IT can reasonably expect to maintain control is by categorizing mobile computing devices into three distinct classes: trusted, tolerated and despised.
Rather than telling your mobile workforce that they must assimilate (resistance is futile!), give them choices -- accompanied by service-level consequences and enforceable access boundaries.
Start by specifying a few well-chosen profiles for "trusted devices" that garner full IT support. Gartner recommends adopting no more than four to seven trusted device profiles that reflect your mobile workforce's application/communication requirements, locations and work styles. Those profiles will serve as your primary target for hardware procurements, standard software images, mobile device management services, and mobile application development. If you do this right, users who depend on having access to many business applications will be encouraged to carry trusted devices.
But don't stop there. Develop a second category composed of "tolerated devices" -- the essential middle ground in your three-tiered strategy for managed diversity. Carefully define the applications and corporate network/data access levels that you can safely and effectively support for a reasonably broad range of mobile devices -- including those commonly purchased by consumers.
For example, you might support only telephony features and browser-based access to enterprise Web portals. Or you might permit access to enterprise email only under certain conditions (e.g., over secured connections, from recognized devices registered with your mobile device manager). When defining this tier, aim to empower your workforce with personal choice while clearly limiting your support responsibilities and risk exposure.
Deal with exceptions
Last but certainly not least, define processes associated with that third tier of "despised" devices -- devices over which you have so little control that officially supporting them would be cost-prohibitive or even dangerous. This should probably include so-called "closed" devices -- smartphones with factory- or carrier-installed images that you cannot reconfigure because the APIs required to do so are not exposed to third-party developers.
It is tempting to forbid business use of these unmanaged, uncontrolled devices. But as soon as you adopt this policy, a C-level executive will receive one of these sexy little handhelds as a gift and complain to your CIO that your device management strategy is broken.
One solution, according to Gartner, is to offer "concierge services" for devices that deviate from your trusted/tolerated criteria. If supporting your CEO's iPhone becomes a business necessity, determine what doing so will cost and establish a process for acquiring those funds. This policy in a nutshell: "We'll meet your needs -- for the right price."
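The three tiers described above can be written down as a default-deny access decision. This is an added example, not part of the original article; the profile names, service names and device attributes are hypothetical, and the tolerated-tier email rule follows the article's own "registered device over a secured connection" illustration.

```python
from dataclasses import dataclass

# Hypothetical names: the article does not list specific profiles or services.
TRUSTED_PROFILES = {"field-sales-standard", "exec-standard"}
TIER_SERVICES = {
    "trusted": {"telephony", "web_portal", "email", "business_apps"},
    "tolerated": {"telephony", "web_portal", "email"},
    "despised": set(),  # nothing by default; access only via a funded exception
}

@dataclass(frozen=True)
class Device:
    profile: str                 # profile reported at enrollment
    mdm_registered: bool         # known to the mobile device manager
    closed_platform: bool        # image cannot be reconfigured by IT
    concierge_services: frozenset = frozenset()  # approved, funded exceptions

def classify(dev):
    """Map a device to one of the three tiers."""
    if dev.closed_platform:
        return "despised"
    if dev.mdm_registered and dev.profile in TRUSTED_PROFILES:
        return "trusted"
    return "tolerated"

def authorize(dev, service, secure_transport):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    tier = classify(dev)
    if service in dev.concierge_services:
        return True, f"{tier}: funded concierge exception"
    if service not in TIER_SERVICES[tier]:
        return False, f"{tier}: service not offered to this tier"
    # Tolerated devices get email only when registered and on a secured link.
    if tier == "tolerated" and service == "email":
        if not (dev.mdm_registered and secure_transport):
            return False, "tolerated: email needs registered device and secured connection"
    return True, f"{tier}: allowed"

if __name__ == "__main__":
    # Constructed sample devices.
    byod = Device("consumer-phone", mdm_registered=True, closed_platform=False)
    gift = Device("closed-handheld", mdm_registered=False, closed_platform=True)
    for dev, svc, tls in [(byod, "email", True), (byod, "email", False),
                          (gift, "email", True)]:
        print(dev.profile, svc, authorize(dev, svc, tls))
```

Returning the reason alongside the decision gives the help desk a direct answer for users asking why a personal handheld was refused.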
Minimize your personal footprint
Note that all of the mobile devices in tier 3 -- and many of those in tier 2 -- are employee-owned handhelds used for both business and pleasure. The tools and software used to deliver full support for tier 1 devices may be too intrusive for personal devices. A less heavy-handed approach will probably be necessary to balance business risk and cost on personal devices.
For example, you might use a mobile device manager to provision trusted devices with a standard set of software packages and configurations, including security programs like VPN clients. You might install policies that require those trusted devices to synchronize only with your corporate server and block personal email (POP account) access. But employees might chafe at having these programs and policies installed on their personal handhelds, for reasons of usability and privacy.
To avoid workforce mutiny -- and to encourage corporate policy compliance -- find opportunities to limit your footprint on tier 2 personal devices. Use available tools to defend your business against device loss or compromise, without trying to shoulder full responsibility for those devices themselves. This can run the gamut from allowing read-only browser access to using temporary Java agents to prevent session data from being stored on the handheld. Inside your network, use techniques like network-based virus scanning and email spam filters to reduce risk, independent of those mobile devices you cannot fully control anyway.
Gartner predicts that more than 70% of enterprises will implement converged management and security policies for corporate-owned and non-corporate mobile devices by 2012. Mobile devices are already proliferating at a rapid pace, both in terms of platform and ownership. The sooner you develop a mobile device management strategy to deal with this daunting but inevitable scenario, the better life will be for both your employees and your IT staff.
About the author
Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.