Fortunately, securing handhelds is not hard if you centralize communications through a mobile server, such as the BlackBerry Enterprise Server for Research in Motion’s connected handhelds, or the GoodLink Server from Motorola subsidiary Good Technology for Palm Treos and other devices. These mobile servers act as proxy servers for cellular-connected mobile devices, routing approved connections to the corporate e-mail, data and applications servers as appropriate. You set rules to set limits on data access.

"We don’t keep sensitive information on the servers available to the BES [BlackBerry server]," notes Evans Wroten, CIO of InterAct Public Safety Systems, which provides emergency data and communications services.

Similarly, Microsoft Exchange Server can manage communications to Windows Mobile devices like the T-Mobile MDA and Motorola Q, though Windows Mobile devices in general are not popular among enterprise users because of overly complex user interfaces, Dyer notes. (IT departments also don’t like the Windows Mobile interface complexity, or the fact that huge variation in interfaces from device to device increases support costs, he says.)

Using a mobile server ensures that only authorized devices can access e-mail and corporate applications. Mobile servers also can tie into identity servers, such as Microsoft Active Directory, to share one set of network permissions between the corporate network and the connected devices. The BlackBerry and GoodLink servers can also enforce security policies, such as password rules, and keep antivirus software updated wirelessly.

For field forces, Motorola’s Symbol Technology subsidiary offers the similar Mobility Services Platform server, to manage connections of the specialized handhelds used by warehouse, transportation and hospital users: You can use this to track handhelds’ battery life, keep firmware updated and disable errant devices.

At the same time, IT can prevent users from sidestepping the official system in three ways. First, prevent or restrict access to the network over a Web, POP3 or SMTP interface, so Internet-enabled personal devices can’t get in. Second, lock down company PCs so users can’t install their own software (such as synchronization software for mobile devices). Third, disable the USB ports so users can’t plug in a handheld’s docking station. Desktop management software from Altiris, Hewlett-Packard, IBM, Microsoft, Novell and others—which many enterprises already use for patch management and software license management—lets you centrally apply these lockdown and port management capabilities across all users.

Support Costs (Plenty)

Handheld headache number two: Support costs can get you. Handhelds are hard to manage because they’re typically with users who aren’t in the same building as the desktop PC support team. That means handhelds need to be managed wirelessly. Although several desktop management tools can manage software updates and track device ownership (for support and cell service chargeback, for example), they’re often not used for that purpose. Cost is a big reason, notes David Wade, CIO of Citigroup subsidiary Primerica. "You don’t want to pay a per-user fee for a client license. That’s a rip-off," he says.