The rapid-fire spread of mobile devices being used by enterprise employees can be a huge boon for businesses in productivity and customer service gains, but those advantages don't come without a price.
The inherent flexibility and freedom to get business done anywhere, anytime, also makes it much harder to maintain the security and control of corporate data when employees are accessing and storing business information on their smartphones, tablet computers and other mobile devices. And the rush of new devices never seems to end, making it hard to stay out in front of innovations.
"Enterprises must plan now for the mobile devices of the future that they don't even know of yet," says Kevin Benedict, principal analyst at Netcentric Strategies LLC in Boise, Idaho. "So you build an infrastructure that says it doesn't care what devices are on the end of it and you have a framework that you just plug into."
Getting there isn't easy, however. One approach that can make implementing a mobile workforce easier -- or at least consistent -- is through mobile device management (MDM) strategies that can help enterprises address all related mobile issues in a top-to-bottom approach.
Among the challenges that an MDM strategy can help with: Which mobile devices to support, whether to allow employees to choose and bring their own devices into work, and how to handle security for mobile devices, including whether to have remote data wiping capabilities for lost or stolen devices.
Policies about devices
One of the first decisions to make with an MDM strategy is to figure out which devices your employees will use and whether the individual or the company will pay for them.
At New York-based Edelman, the global PR firm, most of the 3,800 employees use RIM BlackBerries, unless they have a compelling work-related reason to use something else, says John Iatonna, the vice president of information security. Those cases are decided individually by business managers -- workers can be allowed to use iPhones or iPads if needed for the work they do, but RIM devices are Edelman's enterprise standard mobile devices.
Two reasons Edelman prefers using corporate-owned BlackBerry devices: The firm can negotiate more competitive pricing through its relationship with its enterprise phone carrier and it can maintain tighter management and security compared to other devices. "It's much easier to get hold of and track your BlackBerries than it is [other types of] smartphones," Iatonna says. "We do have an Apple and Android population, but those devices weren't designed with an enterprise environment in mind."
"BlackBerry Enterprise Server (BES) is a much more developed and mature enterprise MDM system than the other smartphone MDM vendors," Iatonna said. And even though RIM has been losing market share to other vendors, its products and enterprise-level security capabilities still offer the best answers for Edelman's needs, he said.
For its part, SAP AG, the Germany-based software vendor, began its mobile workforce project in 2010, says global CIO Oliver Bussmann. At the time it included some 14,000 SAP-purchased Apple iPhones and iPads, and personal iPhones or iPads for another 500 users, who had to sign consent forms agreeing to SAP's terms of use, which vary from country to country depending on business requirements. The first employees to be brought into the mobile strategy were workers in the development organization, followed by executives and the entire global sales force, he said.
The reason for that specific order of rollout, Bussman explains: "We made the development teams that were building the apps test them as part of the process." Then, "executives demanded solutions quickly after that and then drove direction to focus on sales and other field resources."
Starting this past January, SAP expanded the program to also include more than 500 SAP-purchased Samsung Android Galaxy SII smartphones and Galaxy Tab 10.1 tablets, with more to be deployed by employees who request them based on a compelling business reason.
"Our strategy is to be device agnostic," Bussmann said, "The IT organization has to be in the driver's seat. If the CIO doesn't embrace the mobile trend, then the business organization bypasses the IT organization and that's not a good thing. Then it's being done without control and security and that can have an impact potentially on the company."
Centreville, Va.-based Carfax uses a blended approach, with some workers using company-issued iPhones and iPads and others using their own Android devices, says CIO Phil Matthews. "We allow other employees to use a BYOD (bring-your-own-device) approach where it works better for them or where they want to keep their device on their personal mobile plan."
The company's 400 field workers use devices that are company-provided or paid for through reimbursements. "We actually wanted people to have a consistent experience, so we chose iPads and iPhones as our main devices, but some people wanted Android devices" and are allowed to use them, he says. Workers previously carried laptops and printers along with BlackBerry devices, but productivity rose with the iPads and iPhones, he explains. "Our sales reps can complete more activities with the iPads and iPhones and we can provide them with mobile applications that allow them to collaborate much more easily than in the past."
Cora Carmody, the senior vice president of information technology at Pasadena, Calif.-based Jacobs Engineering Group, says her company looked at mobile devices from a different angle -- that of expense management. As the recession took its toll, Jacobs continued to look for ways to cut costs until finally the cellphone bills of some 45,000 workers became an enticing target, she says.
The company had acquired several other businesses and was bringing in new users who all had different mobile vendors and devices, so the IT group decided to look at it and find better ways of making it work.
Their answer was what Jacobs calls "wireless divestiture" -- in other words, buying the devices for workers but then requiring workers to pay their own monthly bills. Workers are given calling cards for travel and can also expense extraordinary calls if needed, Carmody explains.
Jacobs has saved about $15 million annually since reorganizing its mobile device strategy, Carmody says.
At first there was some grumbling about the new strategy, Carmody admits. But the company met with mobile vendors to work out good deals for employees when they signed up for new service contracts, so because the financials were in their favor, employees started gradually accepting the new arrangement over time.
"You can expect some complaints and backlash at the start," she says, "but we are also pleasantly surprised that some people recognized the new choices that they had" in terms of different types of service contracts -- "and appreciated that."
Jacobs worked up front with mobile vendors to obtain discounted rates to allow employees to move to whichever carrier and plan fit their usage and travel patterns best, according to Carmody. "Previously employees were carrying two devices; one for Jacobs support and one as their own personal device." By consolidating to one device, employees' mobile situation has been simplified considerably.
Keeping company data safe
Security at Edelman includes requirements for passwords that are secure as possible, Iatonna says. That means that all smartphones and tablets must use passwords that are complex and include a minimum number of characters, along with mandatory data encryption. After a certain number of unsuccessful passwords are entered, the device automatically resets and erases all data. This situation hasn't happened yet, he says.
Another piece of advice, from Jacobs' Carmody: Be prepared to confirm for users that any devices they are considering can meet both the security and work needs of the business. "That gives people the freedom to do what they want to do while protecting company security," she says. "It's one of those building blocks for the idea of bringing your own technology to work."
In general, the company allows Jacobs email to be viewed on personal devices, while all other key corporate applications can be accessed only via the Jacobs corporate portal. "This provides a high measure of security for managing corporate data and eliminates the need to help end-users manage data volumes on their personal devices," Carmody explains. "We, of course, also employ stringent cybersecurity practices that guard against access should a device be lost or stolen. Finally, we have a robust process for reporting lost or stolen assets that ensure immediate response to protect data in those situations."
At Carfax, access to corporate data is controlled through application privileges and passwords; users have access to corporate data and applications based on their job need and role in the company, Matthews said.
Remote-wiping policies
At Jacobs Engineering, employees are required to sign consent forms that allow the company to perform remote wiping of all data if the devices are lost or stolen, even personal data personal email, photos and games. The agreement says the company will delete it all if a device is lost or stolen.
The need for remote wiping has happened a few times, Carmody says.
"In those cases all data is lost," she explains. Jacobs works hard to educate the user population about its corporate policy and conditions governing end-user device use. "We also go the extra step and educate end-users about backing up and protecting their personal data" in case it has to be remote-wiped someday, Carmody says.
Some MDM tools allow devices to store critical business data in a special, secure "container," says Chris Hazelton, an analyst with The 451 Group. Business data is not retrievable outside of the container, and can only be accessed through rich passwords and other access protocols, making it much more secure. It can also be removed remotely by the business if the device is lost or stolen, without removing a user's photos, contacts and other personal information.
Both Edelman and SAP use this technique; Edelman uses AirWatch to perform selective wiping of enterprise data, while SAP uses its own Afaria application, which can wipe just the corporate data and leave the personal information alone, according to Bussmann.
A sampling of MDM vendors
The list of vendors in the MDM marketplace is ever-changing as companies continue to roll out features and new products to help make mobile tech both easier to manage and more secure.
Here is a sampling of some of the major commercial vendors that are making noise in the emerging field of mobile device management, according to industry analysts interviewed for this story.
Apperian Mobile Application Management -- Mobile, secure application development
Boxtone Enterprise Mobility Management -- promises "centralized, automated control of all mobile devices and tablets"
Citrix Receiver -- Access to corporate data from "any computing device," Citrix says, along with an enterprise app store.
Good Technology -- A suite that includes access to email, calendar and intranet-based apps, as well as the means to build an internal applications store.
Kaseya Mobile Device Management -- Policy-based management tools for mobile devices (phones and tablets).
LANdesk Mobility Management -- Discovery, inventory and the ability to remotely wipe devices.
Mobile Iron -- Multiplatform device management with security that works even on employees' personal phones, the vendor claims.
Mocana Mobile App Protection (MAP) - Shuts down virus and malware attacks against smartphones, the vendor claims.
Novell ZENworks Endpoint Security Management -- Encryption, the ability to disable removable storage devices and firewall features in one console.
Nukona -- Now part of Symantec, this product promises to securely deploy and manage both Web-based apps as well as native smartphone software.
PartnerPedia Secure Mobile App Management -- Allows corporate IT to control the publishing, distribution and management of approved applications to end-user devices.
- Todd R. Weiss
One of the biggest support challenges for Edelman's IT team, Iatonna says, is when employees do get permission to use personal iPads or iPhones for their jobs. The difficulty then becomes educating users that their personal photos, emails and other data could be lost in the event a remote wipe is needed on those devices.
"You have to make sure that the level of support is defined so that you are not responsible for personal data loss," Iatonna explains. "The way that we've tried to mitigate that is that if you want Edelman data on your personal device you have to agree to have the MDM software installed on it and you need [to sign] a waiver as well."
Edelman employees weren't used to that level of control and they were uncomfortable with it because it involved their personal devices, he says. "People said, 'Well it's my phone and you can't expect me to enter a password and have a screen lock after five minutes.' It was always discussions like that."