CIOs scrambling to adapt mobile device management to a BYOD era

The astonishing incursion of personal devices into the enterprise requires a new look at mobile device management. It's time to put the horse back before the cart.

This article can also be found in the Premium Editorial Download: CIO Decisions: Managing the mobile workforce.

If mobile device management is not at the top of your agenda, take a look at these numbers from leading research firms: IDC predicts the smartphone market will grow by nearly 50% this year, and the number of these phones in use will surpass 450 million. In addition, Deloitte LLP forecasts companies will buy more than 10 million iPads this year.

Gartner Inc. predicts that 90% of companies will support corporate applications on personal mobile devices by 2014. By that date, 80% of companies will have a mobile workforce armed with tablets, with the iPad expected to dominate the market through 2015, according to the Stamford, Conn.-based consultancy.

CIOs simply can't afford to repeat the mistake they made with the iPhone -- namely, dismissing these new tablets as toys for the elite, experts warn. These little business and personal computers are here to stay.

"The so-called consumerization comes from bringing your own device (BYOD), but also from the pressure employees put on the organization to supply or issue those new consumer devices," said Dmitri Volkmann, vice president of products and management at Good Technology Inc., an enterprise mobility software provider based in Redwood City, Calif.

According to these same experts and our interviews with CIOs in the past six months, however, many enterprises still lack mobile device management (MDM) strategies and formal mobile use policies that take into account the proliferation of consumer mobile devices in the workplace. That goes for both corporate-owned and employee-owned devices.

"Most companies do not have a formal mobility policy. They have lots of [policies] because, fortunately or unfortunately, mobile is not a centralized provisioning at most companies," said Brownlee Thomas, analyst at Cambridge, Mass.-based Forrester Research Inc.

Plus, despite the drumbeat of steadily climbing sales -- and a steady parade of CIOs on the lecture circuit touting their new smartphone or iPad deployment (see sidebar) -- CIOs seem uncertain about the degree to which personal mobile devices will become part of their enterprise's computing infrastructure. More significantly, perhaps, their views on the question diverge widely.

CIOs disagree on BYOD

The lack of consensus about personal mobile devices showed up recently in an unpublished Gartner survey of 81 U.S. CIOs who attended a March workshop on managing mobility and surviving consumerization at the firm's CIO Leadership Forum in Scottsdale, Ariz.

For example, when asked about what percentage of their workforce they expect by 2013 to own the mobile devices (laptops, tablets and cell phones) they use at work, the CIOs' responses averaged 38%. Another one-third of the CIOs, however, pegged their BYOD population at less than 20%, and almost 20% of the CIOs expect 80% or more of their employees to own the devices they use at work. That's quite a range of possibilities.

Nevertheless, when asked what percentage of their staff in five years would not be eligible to use employee-owned devices or laptops because the data they access is deemed too sensitive, the CIOs' responses averaged just 25%. That suggests that the BYOD model is poised to grow.

In a BYOD era, however, mobile device management and the policies that have served IT well in a predominantly BlackBerry and Windows world are insufficient -- or even moot -- in the brave new business environment where the user controls the endpoint, said Paul DeBeasi, research vice president at Gartner.

"The enterprise would lock down the software, put on the antivirus, control the operating system, control the application. How do you lock down an iPad?" DeBeasi said.

Applications were designed for Windows because Windows controlled 91% of the market, DeBeasi pointed out. In today's mobile environment, there is no dominant, single platform to write to. "People don't know where to begin," he said.

Standard good practice, of course, tells CIOs to begin with the business, by defining the use cases for mobile computing in their enterprise. In conjunction with the business, they then should develop a strategy for why, where and how the company wants and needs to use mobile devices.

But after the head-scratching effort of mapping out a mobility strategy with the business, what then? Well, it's important for CIOs to put the horse back in front of the cart. Given that consumer smartphones and tablets probably are in use at their business already, it's imperative for CIOs to isolate business operations from personal ones on these devices -- both the company- and user-owned ones -- to reduce business risk, Gartner warns.

Four approaches to reducing risk in a BYOD era

Guidance published in December by Gartner analysts Ken Dulaney and John Girard lays out four approaches that can limit the business risk from consumer smartphones and tablets. The authors caution CIOs that users don't like isolation methods that require or even give the impression of toggling between personal and business modes. Plus, no solution out there now is likely to please both IT departments and the user.

Here is a summary of those four approaches, including a few of each one's pluses and minuses:

1. Use comprehensive device management and security controls to enforce policy. Think BlackBerry Enterprise Server, or BES, the leader in this field with its nearly 1,000 specific policies that protect BlackBerry use. Microsoft Exchange offers the second-most inclusive framework, with some 49 policies. Those in turn serve as the basis for augmented solutions from MDM and other third-party vendors.

The great strength of this approach, the analysts say, is its low cost -- assuming, that is, that the platform's management tools are sufficient for the user's mobile environment. Its chief challenge is that most workers want Apple Inc. and Google Inc. devices, but the cross-platform standards aren't there. Comprehensive MDM and security platforms can add $50 or more per device and put additional demands on the help desk. Moreover, these third-party management tools are limited to just what the device platforms allow them to control.

2. Application certificates are another way to go. Mobile devices support certificate-based access to services. IT departments can extend the concept -- and their control -- by tagging enterprise-controlled applications with encrypted certificates. If something bad happens, all the enterprise's apps can be zapped, eliminating the need to separate business and personal applications. In fact, that is the appeal of this approach.

On the other hand, application certificate controls are hard to implement and support. Implementations differ from device to device, and the apps' vendors will fight them if they hinder the user from accessing their app stores, the analysts warn. Other cautions: These controls create more work for the help desk, and fakes have already surfaced on a few mobile platforms.

3. Sandboxes isolate processes and data. Sandboxed apps are protected from each other and from attacking the OS. Sandboxes can be built into the common app, embedded in the OS, included in a Mobile Enterprise Application Platform (MEAP) or a Mobile Consumer Application Platform (MCAP), or added by a third party. They can run locally in the device or use a server-based portal. Examples include Apple's iOS, Citrix Systems Inc.'s Receiver and Microsoft's Java Virtual Machine. The analysts see this approach as an acceptable short-term fix for isolating processes and data until virtualization on consumer mobile devices matures.

There are many challenges to this approach. The first is that some apps don't work in a sandbox; the second is a security archive that the analysts describe as "riddled with sandbox vulnerabilities and exploits." In addition, a sandbox might not prevent users from copying and saving information in unprotected areas inside and outside the device. Finally, users will balk at sandbox technology that gets in the way of their work.

4. Virtual machines are the "ultimate approach to privacy on full workstations," according to the analysts. The problem is that the technologies "are waiting for the hardware to catch up," they say. The current generation of smartphones and non-Windows tablets doesn't have the processing power or battery power to handle running two OSes at the same time. Another roadblock? Users don't like interfaces that change the personality of their personal mobile devices.

Let us know what you think about the story; email Linda Tucci, Senior News Writer.
