Managing Mobile Devices

A mobile mess looms for CIOs who ignore the rising popularity of connected handhelds. New third-generation (3G) cellular networks make handheld computing more convenient for everyone from executive travelers to salespeople and field technicians. This trend poses new challenges to CIOs who need to maintain enterprise network and data security, plus keep end-user support costs down. Yet most enterprises have no policies or mobile management strategy in place to achieve these goals, notes a recent study by the BPM Forum, an industry association.

And without a mobile device management strategy, a trickle of connected devices brought in by individuals can quickly become a nasty, unmanaged torrent. That nearly happened at American Family Life Assurance Company of Columbus (better known as Aflac) a few years ago. The IT department had been willing to set up e-mail access for a few handheld devices brought in by frequent travelers, handling them on a case-by-case basis. But after returning from Christmas vacation in January 2004, Greg Gatti, vice president of infrastructure services in IT, had 3 dozen connectivity requests for shiny new Hewlett-Packard iPaqs—that year’s must-have gadget—and other PDAs that various staffers got as presents.

"Very quickly, we had so many devices that it was a nightmare for our computer support team," he recalls. And just as quickly, Aflac created a strategy and set of policies to get in front of the connected-handheld wave.

Like other financial-sector companies, Aflac had to get its smart phone house in order not only to reduce management complexity but also to meet federal requirements around data management and security. Aflac’s ultimate strategy: Ban all non-company-issued handhelds from connecting to enterprise servers and computers, lock down PCs so handheld-synchronization software couldn’t be installed by users, and forbid the use of POP3 and SMTP e-mail access to the corporate network so wireless Internet users couldn’t sneak in the back door. Aflac also decided to rely on a mobile e-mail server to manage both e-mail access and the handhelds themselves, and ensure automatic installation of firmware patches and enforcement of password policies. This strategy is common in the financial services sector, with similar policies currently in use at Citigroup’s Primerica subsidiary, Farmers & Merchants Bank, IndyMac Bank and Russell Investment Group, among others.

Nonfinancial companies could mimic this approach, Yankee Group analyst Nathan Dyer says, but the research shows that many companies have yet to craft a mobile management plan.

Our Data Went Where?

Your first big CIO headache regarding handhelds: They are easily lost or stolen, putting any data they contain at risk. Even data that seems routine, such as personal contact information or e-mails about a deal in progress, can expose a company to high notification costs (if customers must be contacted regarding a privacy breach) or reveal insider information, Dyer notes.

Fortunately, securing handhelds is not hard if you centralize communications through a mobile server, such as the BlackBerry Enterprise Server for Research in Motion’s connected handhelds, or the GoodLink Server from Motorola subsidiary Good Technology for Palm Treos and other devices. These mobile servers act as proxy servers for cellular-connected mobile devices, routing approved connections to the corporate e-mail, data and applications servers as appropriate. You set rules to set limits on data access.

"We don’t keep sensitive information on the servers available to the BES [BlackBerry server]," notes Evans Wroten, CIO of InterAct Public Safety Systems, which provides emergency data and communications services.

Similarly, Microsoft Exchange Server can manage communications to Windows Mobile devices like the T-Mobile MDA and Motorola Q, though Windows Mobile devices in general are not popular among enterprise users because of overly complex user interfaces, Dyer notes. (IT departments also don’t like the Windows Mobile interface complexity, or the fact that huge variation in interfaces from device to device increases support costs, he says.)

Using a mobile server ensures that only authorized devices can access e-mail and corporate applications. Mobile servers also can tie into identity servers, such as Microsoft Active Directory, to share one set of network permissions between the corporate network and the connected devices. The BlackBerry and GoodLink servers can also enforce security policies, such as password rules, and keep antivirus software updated wirelessly.

For field forces, Motorola’s Symbol Technology subsidiary offers the similar Mobility Services Platform server, to manage connections of the specialized handhelds used by warehouse, transportation and hospital users: You can use this to track handhelds’ battery life, keep firmware updated and disable errant devices.

At the same time, IT can prevent users from sidestepping the official system in three ways. First, prevent or restrict access to the network over a Web, POP3 or SMTP interface, so Internet-enabled personal devices can’t get in. Second, lock down company PCs so users can’t install their own software (such as synchronization software for mobile devices). Third, disable the USB ports so users can’t plug in a handheld’s docking station. Desktop management software from Altiris, Hewlett-Packard, IBM, Microsoft, Novell and others—which many enterprises already use for patch management and software license management—lets you centrally apply these lockdown and port management capabilities across all users.

Support Costs (Plenty)

Handheld headache number two: Support costs can get you. Handhelds are hard to manage because they’re typically with users who aren’t in the same building as the desktop PC support team. That means handhelds need to be managed wirelessly. Although several desktop management tools can manage software updates and track device ownership (for support and cell service chargeback, for example), they’re often not used for that purpose. Cost is a big reason, notes David Wade, CIO of Citigroup subsidiary Primerica. "You don’t want to pay a per-user fee for a client license. That’s a rip-off," he says.

"Enterprises historically have not seen much of a need to spend $50 to manage a device that costs about the same amount of money," concedes Rhett Glauser, an Altiris spokesman, though he says the costs of data loss are starting to change that calculation.

But enterprises have another option: using the same BlackBerry or GoodLink mobile servers they already have to manage e-mail, since those servers can also track users, audit user activity, and manage firmware and software updates. The desktop management tools don’t offer the server functions, so they cannot replace the BlackBerry or GoodLink servers.

One related issue: The wider the variety of handhelds you must manage, the bigger the challenge. The mobile servers are typically designed for one class of handhelds, sometimes two. Different types of users prefer—and sometimes really need—different types of PDAs, so it’s easy to have, for example, executives standardize on the BlackBerry but salespeople standardize on the Treo.

If the BlackBerry is one of those platforms, IT will need to manage at least two mobile servers in parallel, which increases IT’s overhead. (GoodLink can manage both Palm and Windows devices.) Third-party management tools that can manage all three types of devices (Palm, Windows Mobile and BlackBerry), such as iAnywhere Solutions’ Afaria and Credant Technologies’ MobileGuardian, still need a separate mobile server.

While CIOs would prefer a single management platform, they say the extra overhead is manageable. "It’s not that much effort for IT to support the two systems for day-to-day support," says Bob Graham, senior vice president and CIO at Farmers & Merchants Bank.

Furthermore, it’s better to take on the extra cost of supporting an additional platform than to force all users to a single device that doesn’t serve their needs well, says Brendan O’Malley, CIO of cupcake maker Tastykake. "Still, we have two device [platforms], not 17," he notes.

Get Ahead of Your Users

While IT executives say you can’t allow a free-for-all of devices into the enterprise, you can choose among different strategies to manage the choice and acquisition of the connected handhelds.

At Liquidation World, for example, "only company-owned equipment is allowed on the network. That gives us control," says IS Director Chad Richardson. At InterAct Public Safety, the fact that IT manages e-mail and network access through a mobile server tied into a specific type of device gives the enterprise a simple way to manage the devices people use, says Wroten. End users can’t simply buy their own device and ignore IT, since devices have to be registered with the mobile server to get any network access. Farmers & Merchants Bank, IndyMac Bank and Tastykake take the same approach.

InterAct and Primerica strictly control some devices but are flexible on others. InterAct, for example, relies heavily on text messaging to communicate to its field and sales forces, so all employee-provided phones must support text messaging. While most employees choose to take the company-paid cell phone (some even port their personal number to it), some bring in their own phone because they belong to family plans, notes CIO Wroten. But when it comes to devices that can access e-mail and other corporate data, InterAct supports only the BlackBerry devices it provisions.

Primerica gives its thousands of independent contractors a list of approved handhelds they can buy, but it provisions the BlackBerrys and Treos used by employees, since employees have access to corporate data that the contractors do not, says Tom Swift, the bank’s executive vice president of field technology.

No matter how tightly the enterprise chooses to manage handheld provisioning, the consumer nature of the devices—which are typically sold through the cellular carriers—means that there can be multiple versions of devices to manage. Fortunately, the makers of the two most popular types of connected handhelds—the BlackBerry and the Treo—have reduced the version churn in recent years and have kept the interface and management functions consistent across models, says Greg Nelson, senior consultant in the IT group at Russell Investment Group, a brokerage and financial services provider. That wasn’t the case just a few years ago.

A final management concern: You must manage the number of cellular providers. While many companies can standardize on one if their usage is within a region where one carrier has good coverage, firms with national or international presence often need multiple carriers.

Giving a choice of cellular carriers, while often necessary for coverage reasons, can lead to device envy: Carriers often get short-term exclusive distribution deals for new devices, so users of one carrier may not be able to get the same sexy device their colleagues using the other carrier can. Also, devices typically can’t be replaced without a penalty for two years, so some users get itchy when the new devices arrive.

"These are challenges for us, so we explain that it could cost $600 to terminate a plan so they can upgrade," notes Greg Inginio, the senior vice president of IT operations at IndyMac Bank.

Get in Front

Whatever variation works for your enterprise, "the key is having strong policies up front. Control what they do," says Farmers & Merchants Bank’s Graham. But don’t forget the carrot. "Encourage the use of [company] smart phones and PDAs, so employees don’t carry their own," he says.

At Tastykake, O’Malley makes a point to provide the leading-edge connected handhelds, so users—especially executives with the power to say no to IT—aren’t tempted to get their own devices. "We figure out what people need and give it to them," he says.

Encouraging connected-handheld use does increase costs—for equipment, cellular plans and device management—but is well worth the extra productivity and the data security protection, Graham and O’Malley say. But not having a mobile plan will cost you more in the long run. As InterAct’s Wroten puts it, "This is a cost of doing business."

Related:

Copyright © 2007 IDG Communications, Inc.

Security vs. innovation: IT's trickiest balancing act