Editor at Large
Published: 26 Apr 2011
If mobile device management is not at the top of your agenda, take a look at these numbers from leading research firms: IDC predicts the smartphone market will grow by nearly 50% this year, and the number of these phones in use will surpass 450 million. In addition, Deloitte LLP forecasts companies will buy more than 10 million iPads this year.
Gartner Inc. predicts that 90% of companies will support corporate applications on personal mobile devices by 2014. By that date, 80% of companies will have a mobile workforce armed with tablets, with the iPad expected to dominate the market through 2015, according to the Stamford, Conn.-based consultancy.
CIOs simply can't afford to repeat the mistake they made with the iPhone -- namely, dismissing these new tablets as toys for the elite, experts warn. These little business and personal computers are here to stay.
"The so-called consumerization comes from bringing your own device (BYOD), but also from the pressure employees put on the organization to supply or issue those new consumer devices," said Dmitri Volkmann, vice president of products and management at Good Technology Inc., an enterprise mobility software provider based in Redwood City, Calif.
Health care provider CIO takes a big bite of Apple
Dick Escue, CIO at RehabCare Inc., a St. Louis-based provider of post-acute health care services, has a leg up on many of his peers when it comes to mobile device management (MDM). He foresaw the infiltration of personal mobile devices into the workplace four years ago. When his tech services team warned him in 2007 that the company's BlackBerry-carrying management would be clamoring for iPhones, and told him IT had better nip those requests in the bud, he did the opposite: He instructed his department to figure out a way to say yes.
"We embraced the iPhone, gave it to the people who wanted it, and they were thrilled," Escue recalled. "And they loved us as a result of it."
Since then, step by step, Escue has made the Apple iOS integral to RehabCare's computing environment -- and, in his view, a competitive business advantage. His IT team has equipped thousands of field therapists with iPhones and iPod Touches to mobilize mission-critical processes, from a pre-admission hospital screening app built on the Force.com platform to a caregiver app developed with health care vendor Casamba Inc. The iPad is the business meeting tool of choice for RehabCare executives, and is fast becoming the workstation for RehabCare's clinical staff.
As for the demarcation between personal and corporate devices, Escue suspected that employees would take better care of their devices if they regarded them as their own. If iPhone and iPod Touch users need help connecting their iTunes accounts, IT tells them how to do it.
That's not to say all this mobility convergence has been easy or inexpensive to control. Escue signed up with MDM vendor MobileIron Inc. to manage and monitor its mobile devices. Company executives remotely access corporate servers from their iPhones and iPads, using Citrix Systems Inc. virtualization apps. "I just wouldn't accept the answer from anybody that we couldn't manage thousands of these devices and make them secure," he said.
That determination has paid dividends many times over, Escue said. After his team developed its first iPhone app in four days, his CEO said that in his 40 years in business he had never seen an IT department operate that way.
To be sure, Escue's deployment of an all-Apple workplace is the poster child for a CIO's embrace of what the pundits like to call the consumerization of IT. Operating that way, however, will soon be the norm rather than the exception for IT departments, given enterprises' uptake of mobile devices.
According to these same experts and our interviews with CIOs in the past six months, however, many enterprises still lack mobile device management (MDM) strategies and formal mobile use policies that take into account the proliferation of consumer mobile devices in the workplace. That goes for both corporate-owned and employee-owned devices.
"Most companies do not have a formal mobility policy. They have lots of [policies] because, fortunately or unfortunately, mobile is not a centralized provisioning at most companies," said Brownlee Thomas, analyst at Cambridge, Mass.-based Forrester Research Inc.
Plus, despite the drumbeat of steadily climbing sales -- and a steady parade of CIOs on the lecture circuit touting their new smartphone or iPad deployment (see sidebar) -- CIOs seem uncertain about the degree to which personal mobile devices will become part of their enterprise's computing infrastructure. More significantly, perhaps, their views on the question diverge widely.
CIOs disagree on BYOD
The lack of consensus about personal mobile devices showed up recently in an unpublished Gartner survey of 81 U.S. CIOs who attended a March workshop on managing mobility and surviving consumerization at the firm's CIO Leadership Forum in Scottsdale, Ariz.
For example, when asked about what percentage of their workforce they expect by 2013 to own the mobile devices (laptops, tablets and cell phones) they use at work, the CIOs' responses averaged 38%. Another one-third of the CIOs, however, pegged their BYOD population at less than 20%, and almost 20% of the CIOs expect 80% or more of their employees to own the devices they use at work. That's quite a range of possibilities.
Nevertheless, when asked what percentage of their staff in five years would not be eligible to use employee-owned devices or laptops because the data they access is deemed too sensitive, the CIOs' responses averaged just 25%. That suggests that the BYOD model is poised to grow.
In a BYOD era, however, mobile device management and the policies that have served IT well in a predominantly BlackBerry and Windows world are insufficient -- or even moot -- in the brave new business environment where the user controls the endpoint, said Paul DeBeasi, research vice president at Gartner.
"The enterprise would lock down the software, put on the antivirus, control the operating system, control the application. How do you lock down an iPad?" DeBeasi said.
Applications were designed for Windows because Windows controlled 91% of the market, DeBeasi pointed out. In today's mobile environment, there is no dominant, single platform to write to. "People don't know where to begin," he said.
Standard good practice, of course, tells CIOs to begin with the business, by defining the use cases for mobile computing in their enterprise. In conjunction with the business, they then should develop a strategy for why, where and how the company wants and needs to use mobile devices.
But after the head-scratching effort of mapping out a mobility strategy with the business, what then? Well, it's important for CIOs to put the horse back in front of the cart. Given that consumer smartphones and tablets probably are in use at their business already, it's imperative for CIOs to isolate business operations from personal ones on these devices -- both the company- and user-owned ones -- to reduce business risk, Gartner warns.
Four approaches to reducing risk in a BYOD era
Guidance published in December by Gartner analysts Ken Dulaney and John Girard lays out four approaches that can limit the business risk from consumer smartphones and tablets. The authors caution CIOs that users don't like isolation methods that require or even give the impression of toggling between personal and business modes. Plus, no solution out there now is likely to please both IT departments and the user.
Here is a summary of those four approaches, including a few of each one's pluses and minuses:
1. Use comprehensive device management and security controls to enforce policy. Think BlackBerry Enterprise Server, or BES, the leader in this field with its nearly 1,000 specific policies that protect BlackBerry use. Microsoft Exchange offers the second-most inclusive framework, with some 49 policies. Those in turn serve as the basis for augmented solutions from MDM and other third-party vendors.
The great strength of this approach, the analysts say, is its low cost -- assuming, that is, that the platform's management tools are sufficient for the user's mobile environment. Its chief challenge is that most workers want Apple Inc. and Google Inc. devices, but the cross-platform standards aren't there. Comprehensive MDM and security platforms can add $50 or more per device and put additional demands on the help desk. Moreover, these third-party management tools are limited to just what the device platforms allow them to control.
2. Application certificates are another way to go. Mobile devices support certificate-based access to services. IT departments can extend the concept -- and their control -- by tagging enterprise-controlled applications with encrypted certificates. If something bad happens, all the enterprise's apps can be zapped, eliminating the need to separate business and personal applications. In fact, that is the appeal of this approach.
On the other hand, application certificate controls are hard to implement and support. Implementations differ from device to device, and the apps' vendors will fight them if they hinder the user from accessing their app stores, the analysts warn. Other cautions: These controls create more work for the help desk, and fakes have already surfaced on a few mobile platforms.
3. Sandboxes isolate processes and data. Sandboxed apps are protected from each other and from attacking the OS. Sandboxes can be built into the common app, embedded in the OS, included in a Mobile Enterprise Application Platform, or MEAP, or a Mobile Consumer Application Platform, or MCAST; or they can be added by a third party. They can run locally in the device or use a server-based portal. Examples include Apple's iOS, Citrix Systems Inc.'s Receiver and Microsoft's Java Virtual Machine. The analysts see this approach as an acceptable short-term fix for isolating processes and data until virtualization on consumer mobile devices matures.
There are many challenges to this approach. The first are apps that don't work in a sandbox, and a security archive that the analysts describe as "riddled with sandbox vulnerabilities and exploits." In addition, a sandbox might not prevent users from copying and saving information in unprotected areas inside and outside the device. Finally, users will balk at sandbox technology that gets in the way of their work.
4. Virtual machines are the "ultimate approach to privacy on full workstations," according to the analysts. The problem is that the technologies "are waiting for the hardware to catch up," they say. The current generation of smartphones and non-Windows tablets don't have the processing power or battery power to handle running two OSes at the same time. Another roadblock? Users don't like interfaces that change the personality of their personal mobile devices.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.