Mobile device management: Getting started

By Todd R. Weiss

FOLLOW

Computerworld | May 30, 2012

The rapid-fire spread of mobile devices being used by enterprise

employees can be a huge boon for businesses in productivity and
customer service gains, but those advantages don't come without a
price.
The inherent flexibility and freedom to get business done anywhere,
anytime, also makes it much harder to maintain the security and
control of corporate data when employees are accessing and storing
business information on their smartphones, tablet computers and
other mobile devices. And the rush of new devices never seems to end,
making it hard to stay out in front of innovations.
"Enterprises must plan now for the mobile devices of the future that
they don't even know of yet," says Kevin Benedict, principal analyst at
Netcentric Strategies LLC in Boise, Idaho. "So you build an
infrastructure that says it doesn't care what devices are on the end of it
and you have a framework that you just plug into."
Getting there isn't easy, however. One approach that can make
implementing a mobile workforce easier -- or at least consistent -- is
through mobile device management (MDM) strategies that can help
enterprises address all related mobile issues in a top-to-bottom
approach.
Among the challenges that an MDM strategy can help with: Which
mobile devices to support, whether to allow employees to choose and
bring their own devices into work, and how to handle security for
mobile devices, including whether to have remote data wiping
capabilities for lost or stolen devices.
Policies about devices
One of the first decisions to make with an MDM strategy is to figure out
which devices your employees will use and whether the individual or
the company will pay for them.

At New York-based Edelman, the global PR firm, most of the 3,800

At New York-based Edelman, the global PR firm, most of the 3,800

employees use RIM BlackBerries, unless they have a compelling workrelated reason to use something else, says John Iatonna, the vice
president of information security. Those cases are decided individually
by business managers -- workers can be allowed to use iPhones or
iPads if needed for the work they do, but RIM devices are Edelman's
enterprise standard mobile devices.
Two reasons Edelman prefers using corporate-owned BlackBerry
devices: The firm can negotiate more competitive pricing through its
relationship with its enterprise phone carrier and it can maintain
tighter management and security compared to other devices. "It's
much easier to get hold of and track your BlackBerries than it is [other
types of] smartphones," Iatonna says. "We do have an Apple and
Android population, but those devices weren't designed with an
enterprise environment in mind."
"BlackBerry Enterprise Server (BES) is a much more developed and
mature enterprise MDM system than the other smartphone MDM
vendors," Iatonna said. And even though RIM has been losing market
share to other vendors, its products and enterprise-level security
capabilities still offer the best answers for Edelman's needs, he said.
For its part, SAP AG, the Germany-based software vendor, began its
mobile workforce project in 2010, says global CIO Oliver Bussmann. At
the time it included some 14,000 SAP-purchased Apple iPhones and
iPads, and personal iPhones or iPads for another 500 users, who had to
sign consent forms agreeing to SAP's terms of use, which vary from
country to country depending on business requirements. The first
employees to be brought into the mobile strategy were workers in the
development organization, followed by executives and the entire global
sales force, he said.
The reason for that specific order of rollout, Bussman explains: "We
made the development teams that were building the apps test them as
part of the process." Then, "executives demanded solutions quickly
after that and then drove direction to focus on sales and other field
resources."
Starting this past January, SAP expanded the program to also include
more than 500 SAP-purchased Samsung Android Galaxy SII
smartphones and Galaxy Tab 10.1 tablets, with more to be deployed by
employees who request them based on a compelling business reason.
"Our strategy is to be device agnostic," Bussmann said, "The IT
organization has to be in the driver's seat. If the CIO doesn't embrace
the mobile trend, then the business organization bypasses the IT

organization and that's not a good thing. Then it's being done without
control and security and that can have an impact potentially on the
company."
Centreville, Va.-based Carfax uses a blended approach, with some
workers using company-issued iPhones and iPads and others using
their own Android devices, says CIO Phil Matthews. "We allow other
employees to use a BYOD (bring-your-own-device) approach where it
works better for them or where they want to keep their device on their
personal mobile plan."
The company's 400 field workers use devices that are companyprovided or paid for through reimbursements. "We actually wanted
people to have a consistent experience, so we chose iPads and iPhones
as our main devices, but some people wanted Android devices" and are
allowed to use them, he says. Workers previously carried laptops and
printers along with BlackBerry devices, but productivity rose with the
iPads and iPhones, he explains. "Our sales reps can complete more
activities with the iPads and iPhones and we can provide them with
mobile applications that allow them to collaborate much more easily
than in the past."
Cora Carmody, the senior vice president of information technology at
Pasadena, Calif.-based Jacobs Engineering Group, says her company
looked at mobile devices from a different angle -- that of expense
management. As the recession took its toll, Jacobs continued to look
for ways to cut costs until finally the cellphone bills of some 45,000
workers became an enticing target, she says.
The company had acquired several other businesses and was bringing
in new users who all had different mobile vendors and devices, so the
IT group decided to look at it and find better ways of making it work.
Their answer was what Jacobs calls "wireless divestiture" -- in other
words, buying the devices for workers but then requiring workers to
pay their own monthly bills. Workers are given calling cards for travel
and can also expense extraordinary calls if needed, Carmody explains.
Jacobs has saved about $15 million annually since reorganizing its
mobile device strategy, Carmody says.
At first there was some grumbling about the new strategy, Carmody
admits. But the company met with mobile vendors to work out good
deals for employees when they signed up for new service contracts, so
because the financials were in their favor, employees started gradually
accepting the new arrangement over time.

"You can expect some complaints and backlash at the start," she says,

"You can expect some complaints and backlash at the start," she says,
"but we are also pleasantly surprised that some people recognized the
new choices that they had" in terms of different types of service
contracts -- "and appreciated that."
Jacobs worked up front with mobile vendors to obtain discounted
rates to allow employees to move to whichever carrier and plan fit
their usage and travel patterns best, according to Carmody.
"Previously employees were carrying two devices; one for Jacobs
support and one as their own personal device." By consolidating to one
device, employees' mobile situation has been simplified considerably.
Keeping company data safe
Security at Edelman includes requirements for passwords that are
secure as possible, Iatonna says. That means that all smartphones and
tablets must use passwords that are complex and include a minimum
number of characters, along with mandatory data encryption. After a
certain number of unsuccessful passwords are entered, the device
automatically resets and erases all data. This situation hasn't
happened yet, he says.
Another piece of advice, from Jacobs' Carmody: Be prepared to
confirm for users that any devices they are considering can meet both
the security and work needs of the business. "That gives people the
freedom to do what they want to do while protecting company
security," she says. "It's one of those building blocks for the idea of
bringing your own technology to work."
In general, the company allows Jacobs email to be viewed on personal
devices, while all other key corporate applications can be accessed only
via the Jacobs corporate portal. "This provides a high measure of
security for managing corporate data and eliminates the need to help
end-users manage data volumes on their personal devices," Carmody
explains. "We, of course, also employ stringent cybersecurity practices
that guard against access should a device be lost or stolen. Finally, we
have a robust process for reporting lost or stolen assets that ensure
immediate response to protect data in those situations."
At Carfax, access to corporate data is controlled through application
privileges and passwords; users have access to corporate data and
applications based on their job need and role in the company,
Matthews said.
Remote-wiping policies

At Jacobs Engineering, employees are required to sign consent forms

At Jacobs Engineering, employees are required to sign consent forms

that allow the company to perform remote wiping of all data if the
devices are lost or stolen, even personal data personal email, photos
and games. The agreement says the company will delete it all if a device
is lost or stolen.
The need for remote wiping has happened a few times, Carmody says.
"In those cases all data is lost," she explains. Jacobs works hard to
educate the user population about its corporate policy and conditions
governing end-user device use. "We also go the extra step and educate
end-users about backing up and protecting their personal data" in case
it has to be remote-wiped someday, Carmody says.
Some MDM tools allow devices to store critical business data in a
special, secure "container," says Chris Hazelton, an analyst with The
451 Group. Business data is not retrievable outside of the container,
and can only be accessed through rich passwords and other access
protocols, making it much more secure. It can also be removed
remotely by the business if the device is lost or stolen, without
removing a user's photos, contacts and other personal information.
Both Edelman and SAP use this technique; Edelman uses AirWatch to
perform selective wiping of enterprise data, while SAP uses its own
Afaria application, which can wipe just the corporate data and leave
the personal information alone, according to Bussmann.
A sampling of MDM vendors
The list of vendors in the MDM marketplace is ever-changing as
companies continue to roll out features and new products to help
make mobile tech both easier to manage and more secure.
Here is a sampling of some of the major commercial vendors that are
making noise in the emerging field of mobile device management,
according to industry analysts interviewed for this story.
Apperian Mobile Application Management -- Mobile, secure
application development
Boxtone Enterprise Mobility Management -- promises "centralized,
automated control of all mobile devices and tablets"
Citrix Receiver -- Access to corporate data from "any computing
device," Citrix says, along with an enterprise app store.
Good Technology -- A suite that includes access to email, calendar and
intranet-based apps, as well as the means to build an internal
applications store.

Kaseya Mobile Device Management -- Policy-based management tools

for mobile devices (phones and tablets).
LANdesk Mobility Management -- Discovery, inventory and the ability
to remotely wipe devices.
Mobile Iron -- Multiplatform device management with security that
works even on employees' personal phones, the vendor claims.
Mocana Mobile App Protection (MAP) - Shuts down virus and malware
attacks against smartphones, the vendor claims.
Novell ZENworks Endpoint Security Management -- Encryption, the
ability to disable removable storage devices and firewall features in
one console.
Nukona -- Now part of Symantec, this product promises to securely
deploy and manage both Web-based apps as well as native smartphone
software.
PartnerPedia Secure Mobile App Management -- Allows corporate IT to
control the publishing, distribution and management of approved
applications to end-user devices.
- Todd R. Weiss
One of the biggest support challenges for Edelman's IT team, Iatonna
says, is when employees do get permission to use personal iPads or
iPhones for their jobs. The difficulty then becomes educating users
that their personal photos, emails and other data could be lost in the
event a remote wipe is needed on those devices.
"You have to make sure that the level of support is defined so that you
are not responsible for personal data loss," Iatonna explains. "The way
that we've tried to mitigate that is that if you want Edelman data on
your personal device you have to agree to have the MDM software
installed on it and you need [to sign] a waiver as well."
Edelman employees weren't used to that level of control and they were
uncomfortable with it because it involved their personal devices, he
says. "People said, 'Well it's my phone and you can't expect me to enter
a password and have a screen lock after five minutes.' It was always
discussions like that."
That meant getting users to come around to accepting a new sensitivity
about the data on their phones, he says. "It's a balance of privacy versus
the company's security. People are very unaware of the risks that are
posed with the smartphones right now," including hacking, data

capture and other security threats with smartphones. Users are

typically not thinking about those kinds of risks when they use the
devices.
Remote wiping and similar security measures are also used at Carfax,
Matthews says, and employees are notified that data wipes can be
performed if the devices are lost, stolen or used inappropriately. At the
same time, he says, the company also wants to give its workers some
freedom to use their devices responsibly.
For instance, Carfax allows employees to use the devices for non-workrelated things like watching videos on the road, he said. "People will
definitely do the right thing" and not abuse their freedoms with
inappropriate behavior and usage, he says. "You just need to give them
some guidelines and that's what we've done so far."
A moving target
One of the biggest pain points when it comes to MDM is time pressure
because, with mobile devices, there is always something new and
different to cope with, says SAP's Bussmann. And there can be a lot of
need for IT support.
When SAP began its mobile deployment project in 2010, demand from
workers was already high, starting with the first controlled
deployment of 1,500 devices, he explains. To cope with this, the
company decided to provide the initial user support for those first
devices via Web 2.0 using wikis and online help portals. This was a
method to reduce demands on the IT teams and give users the help
they needed on demand, he said.
It was just the right approach.
"We had only two or three months to enable those devices so we didn't
have time for setting up traditional support," Bussmann says. "You
look at the Apple devices. There's no big menu there to operate them;
they're very intuitive. This approach is similar to that."
At first, Bussmann admits, he wasn't sure that users would accept this
non-traditional help system. "To be honest, I told my guys that I'm not
sure the users are going to go for that. But there's been a change of user
behavior, definitely."
At Edelman, one of the biggest challenges of the MDM strategy has
been that the target is constantly moving, Iatonna says. "It's not
possible to have a solution for every smartphone out there because
there are so many models. You can't have the resources for all of it."

Their answer is found in AirWatch, which covers the bulk of the

devices on the market and reduces the company's risk to an acceptable
level, he says.
Iatonna looked at several different MDM vendors before choosing
AirWatch, he says, but one of the biggest lessons he learned was that
the marketplace is relatively immature. "There's a ton of people
rushing to market right now. Often times what I was seeing from
vendors was a significant gap between what is promised and what is
actually available as a real feature in a product. Maybe that's a
reflection of how quickly the handset market is changing."
When employees do come in with their personal tablets or other
devices and want to use them for their jobs, it's also important that
workable policies are in place for things such as support expectations.
Users may want device support in areas where the a company isn't able
to provide it, so those things have to be discussed ahead of time, he
said. "The waters are still very muddy," Iatonna says.
MDM lessons learned
Examine how your MDM usage policies will be viewed wherever your
company does business, from state to state in the U.S. and in other
nations, says Jacobs' Carmody. By asking employees to pay for their
mobile bills or devices, you might be affecting changes in employment
contracts that could require further reviews with labor unions or other
agencies, she explains. If it's not in an existing contract as part of their
employment, then you have to follow the contract as it is, she says,
especially in locations including Europe, where contract changes are
harder to complete.
Another good idea: Put policies into place that lay out which
applications will be approved and permissible on employee devices so
users can get support as needed, Carmody suggests.
In the larger scheme of things, your MDM deployment could even help
you as IT moves more toward the cloud and the possibility of virtual
desktops for workers, Carmody says. The lessons you learn -- especially
about mobile security -- today can help you with such future
initiatives, she explains, so be sure to share that information broadly
within the IT team.
At Carfax, one unexpected benefit of the move to more productive
mobile devices has been that some workers are now using them
instead of their previously issued laptops, Matthews says. "This year I
expect that some workers will tell us that they don't need their laptops
anymore," which will have the side benefit of simplifying maintenance
and support for the IT staff, he explains.

One lesson has become very clear, according to Matthews. "Don't let
your fears keep you from trying things," he says. "You will see different
ways to reach out to customers that you wouldn't have seen if you
didn't look at these mobile devices."
For example, he says, "We have created mobile sales and marketing
applications that allow our field reps and customers to have much
more valuable conversations with more real-time information,"
including customer-specific data. "This allows our reps to be much
more effective and efficient in how they manage their activities and
customers."
In addition, make sure you have a real long-term strategy and
understand your needs before you start the project, Netcentric analyst
Benedict says. "Don't even bother to implement mobile technology if
you don't have a mobile management strategy -- it will be totally
wasted."
The way to do that is to become fully educated in what's possible,
Benedict says. "Go to big conferences, view webinars, read books and
bring educators in to teach and show what's available. Don't build a
strategy based on your limited knowledge." Learn about what is
possible, he adds.
Analysts: Where MDM can still get better
Mobile management applications have come a long way in the last year
or so to help enterprises, says the 451 Group's Hazelton, but there's
still more that can improve.
Today, the big needs are managing the devices and handling email, but
enterprises are already looking ahead to provide custom provisioning
of applications and data to the right people in their organizations so
the entire mobile environment can be more secure and more easily
managed, Hazelton says.
One other enterprise need that's seeing progress is the creation of
private application stores that are providing analytics apps and
management tools for mobile enterprise applications, Hazelton
explains.
"There's definitely a lot of demand for MDM," he says. "It really answers
a pressing pain point for IT departments." But so far, only about 20 to
25% of the marketplace has such strategies in place for iOS and
Android devices, based on his research. The numbers are certainly
higher for BlackBerry users, he explains, because those devices have
been around longer and use RIM's enterprise-ready applications.

"It's most exciting," he says. "You have all this energy around
smartphones and enabling them. Enterprise mobility is here for the
rest of our careers."
Overall, Carfax's Matthews says, "we tell our employees that it's all one
life and you can manage it however you want to do work and your
personal stuff. We get a lot more out of employees that way. I think
they're happy personally because they don't see this device as tethered
to them and they can do other things in between work assignments."
Tips for creating an enterprise MDM strategy
Enterprise IT leaders who have been working to build MDM programs
inside their companies offer these ideas for how to get started.
Decide what devices your workers will use, whether they'll be
corporate-issued devices or bring-your-own devices that will be
supported by the company.
Make sure that whatever devices you choose can handle the level of
security that your business requires.
Create and implement strong security and device use policies and be
sure to communicate them with employees from the start. Be sure that
your devices include remote wiping capabilities and automatic remote
alerts that can tell you if unauthorized users are trying to access or
hack the devices.
Require and implement mandatory strong passwords to keep them as
secure as possible.
Examine how your MDM plan terms will be viewed legally wherever
your company does business, from state to state in the U.S. and in
other nations, to be sure that you abide by all applicable laws.
Explain to employees which applications will be approved and
permissible on employee devices.
Don't be surprised if there is some disgruntlement from some
employees when the new MDM strategy is implemented. Make sure to
educate, train and, if possible, offer some benefit with the new
approach.
Remember that your MDM plan will never be finished, but will need to
constantly evolve as new devices and technologies are introduced.
- Todd R. Weiss

Todd R. Weiss is an award-winning technology journalist and freelance

Todd R. Weiss is an award-winning technology journalist and freelance

writer who worked as a staff reporter for Computerworld.com from
2000 to 2008. Follow him on Twitter, where his handle is
@TechManTalking, or email him at toddrweiss@gmail.com.
This story, "Mobile device management: Getting started" was originally
published by Computerworld.

Todd R. Weiss Writer

Todd R. Weiss is an award-winning technology journalist and freelance writer
who worked as a staff reporter for Computerworld from 2000 to 2008.

From CIO: 8 Free Online Courses to Grow Your Tech Skills

Copyright 2014 IDG Enterprise. All rights reserved.