A mobile mess looms for CIOs who ignore the rising popularity of connected handhelds. New third-generation (3G) cellular networks make handheld computing more convenient for everyone from executive travelers to salespeople and field technicians. This trend poses new challenges to CIOs who need to maintain enterprise network and data security, plus keep end-user support costs down. Yet most enterprises have no policies or mobile management strategy in place to achieve these goals, notes a recent study by the BPM Forum, an industry association.

And without a mobile device management strategy, a trickle of connected devices brought in by individuals can quickly become a nasty, unmanaged torrent. That nearly happened at American Family Life Assurance Company of Columbus (better known as Aflac) a few years ago. The IT department had been willing to set up e-mail access for a few handheld devices brought in by frequent travelers, handling them on a case-by-case basis. But after returning from Christmas vacation in January 2004, Greg Gatti, vice president of infrastructure services in IT, had 3 dozen connectivity requests for shiny new Hewlett-Packard iPaqs—that year’s must-have gadget—and other PDAs that various staffers got as presents.

"Very quickly, we had so many devices that it was a nightmare for our computer support team," he recalls. And just as quickly, Aflac created a strategy and set of policies to get in front of the connected-handheld wave.

Like other financial-sector companies, Aflac had to get its smart phone house in order not only to reduce management complexity but also to meet federal requirements around data management and security.
Aflac’s ultimate strategy: Ban all non-company-issued handhelds from connecting to enterprise servers and computers, lock down PCs so handheld-synchronization software couldn’t be installed by users, and forbid the use of POP3 and SMTP e-mail access to the corporate network so wireless Internet users couldn’t sneak in the back door. Aflac also decided to rely on a mobile e-mail server to manage both e-mail access and the handhelds themselves, and ensure automatic installation of firmware patches and enforcement of password policies. This strategy is common in the financial services sector, with similar policies currently in use at Citigroup’s Primerica subsidiary, Farmers & Merchants Bank, IndyMac Bank and Russell Investment Group, among others.

Nonfinancial companies could mimic this approach, Yankee Group analyst Nathan Dyer says, but the research shows that many companies have yet to craft a mobile management plan.

Our Data Went Where?

Your first big CIO headache regarding handhelds: They are easily lost or stolen, putting any data they contain at risk. Even data that seems routine, such as personal contact information or e-mails about a deal in progress, can expose a company to high notification costs (if customers must be contacted regarding a privacy breach) or reveal insider information, Dyer notes.

Fortunately, securing handhelds is not hard if you centralize communications through a mobile server, such as the BlackBerry Enterprise Server for Research in Motion’s connected handhelds, or the GoodLink Server from Motorola subsidiary Good Technology for Palm Treos and other devices. These mobile servers act as proxy servers for cellular-connected mobile devices, routing approved connections to the corporate e-mail, data and applications servers as appropriate.
You set rules that limit data access. "We don’t keep sensitive information on the servers available to the BES [BlackBerry server]," notes Evans Wroten, CIO of InterAct Public Safety Systems, which provides emergency data and communications services.

Similarly, Microsoft Exchange Server can manage communications to Windows Mobile devices like the T-Mobile MDA and Motorola Q, though Windows Mobile devices in general are not popular among enterprise users because of overly complex user interfaces, Dyer notes. (IT departments also don’t like the Windows Mobile interface complexity, or the fact that huge variation in interfaces from device to device increases support costs, he says.)

Using a mobile server ensures that only authorized devices can access e-mail and corporate applications. Mobile servers also can tie into identity servers, such as Microsoft Active Directory, to share one set of network permissions between the corporate network and the connected devices. The BlackBerry and GoodLink servers can also enforce security policies, such as password rules, and keep antivirus software updated wirelessly.

For field forces, Motorola’s Symbol Technology subsidiary offers the similar Mobility Services Platform server, to manage connections of the specialized handhelds used by warehouse, transportation and hospital users: You can use this to track handhelds’ battery life, keep firmware updated and disable errant devices.

At the same time, IT can prevent users from sidestepping the official system in three ways. First, prevent or restrict access to the network over a Web, POP3 or SMTP interface, so Internet-enabled personal devices can’t get in. Second, lock down company PCs so users can’t install their own software (such as synchronization software for mobile devices). Third, disable the USB ports so users can’t plug in a handheld’s docking station.
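The three controls above can be audited on each PC before the desktop management rollout. The following PowerShell script is an added example and is not from the article or from any of the vendors it names. It is read-only: it reports whether one Windows PC meets an assumed policy (the article does not specify settings) consisting of the USB mass-storage driver being disabled through the USBSTOR service Start value, enabled outbound Windows Firewall block rules for TCP 110 (POP3) and TCP 25 (SMTP), and the interactive user not holding local administrator rights (so synchronization software cannot be installed). It relies on the NetSecurity cmdlets, which ship with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the article: read-only audit of one Windows PC against the
# three lockdown controls described above. Assumed policy (not stated in the article):
#   - USB mass-storage driver disabled via the USBSTOR service Start value (4 = disabled)
#   - enabled outbound Windows Firewall block rules for TCP 110 (POP3) and TCP 25 (SMTP)
#   - the interactive user is not a local administrator, so cannot install sync software
# Requires the NetSecurity module (Windows 8 / Server 2012 or later).

function Test-UsbStorageDisabled {
    # Start = 4 means the driver never loads, so USB mass-storage devices cannot mount.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $props = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.Start -eq 4)
}

function Test-OutboundTcpPortBlocked {
    param([Parameter(Mandatory)][int]$Port)
    # True if any enabled outbound rule with action Block covers this TCP remote port.
    # Simple check: matches an exact port or 'Any'; port ranges are not parsed.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'TCP') { continue }
        if ($filter.RemotePort -eq 'Any' -or @($filter.RemotePort) -contains "$Port") { return $true }
    }
    return $false
}

function Test-CurrentUserIsLocalAdmin {
    # Checks the token of the user running the script, not group membership on paper.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-HandheldLockdownReport {
    # Returns an ordered hashtable: control name -> $true (compliant) or $false.
    return [ordered]@{
        'Outbound POP3 (TCP 110) blocked'            = Test-OutboundTcpPortBlocked -Port 110
        'Outbound SMTP (TCP 25) blocked'             = Test-OutboundTcpPortBlocked -Port 25
        'User cannot install software (not admin)'   = -not (Test-CurrentUserIsLocalAdmin)
        'USB mass-storage driver disabled (USBSTOR)' = Test-UsbStorageDisabled
    }
}

# Print one line per control so the output can be collected by a desktop management tool.
$report = Get-HandheldLockdownReport
foreach ($entry in $report.GetEnumerator()) {
    $status = if ($entry.Value) { 'OK  ' } else { 'FAIL' }
    '{0} {1}' -f $status, $entry.Key
}
```

Two caveats when reading the output. Disabling USBSTOR stops only USB mass-storage devices; a phone cradle that enumerates as a serial or network device is unaffected, so fully disabling the ports as the article describes needs a device-installation restriction policy or a BIOS setting that this check does not cover. And a local firewall rule only holds if the user cannot change it, which is why the admin-rights check is part of the same report.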
Desktop management software from Altiris, Hewlett-Packard, IBM, Microsoft, Novell and others—which many enterprises already use for patch management and software license management—lets you centrally apply these lockdown and port management capabilities across all users.

Support Costs (Plenty)

Handheld headache number two: Support costs can get you. Handhelds are hard to manage because they’re typically with users who aren’t in the same building as the desktop PC support team. That means handhelds need to be managed wirelessly. Although several desktop management tools can manage software updates and track device ownership (for support and cell service chargeback, for example), they’re often not used for that purpose. Cost is a big reason, notes David Wade, CIO of Citigroup subsidiary Primerica. "You don’t want to pay a per-user fee for a client license. That’s a rip-off," he says.

"Enterprises historically have not seen much of a need to spend $50 to manage a device that costs about the same amount of money," concedes Rhett Glauser, an Altiris spokesman, though he says the costs of data loss are starting to change that calculation.

But enterprises have another option: using the same BlackBerry or GoodLink mobile servers they already have to manage e-mail, since those servers can also track users, audit user activity, and manage firmware and software updates. The desktop management tools don’t offer the server functions, so they cannot replace the BlackBerry or GoodLink servers.

One related issue: The wider the variety of handhelds you must manage, the bigger the challenge. The mobile servers are typically designed for one class of handhelds, sometimes two.
Different types of users prefer—and sometimes really need—different types of PDAs, so it’s easy to have, for example, executives standardize on the BlackBerry but salespeople standardize on the Treo. If the BlackBerry is one of those platforms, IT will need to manage at least two mobile servers in parallel, which increases IT’s overhead. (GoodLink can manage both Palm and Windows devices.) Third-party management tools that can manage all three types of devices (Palm, Windows Mobile and BlackBerry), such as iAnywhere Solutions’ Afaria and Credant Technologies’ MobileGuardian, still need a separate mobile server.

While CIOs would prefer a single management platform, they say the extra overhead is manageable. "It’s not that much effort for IT to support the two systems for day-to-day support," says Bob Graham, senior vice president and CIO at Farmers & Merchants Bank.

Furthermore, it’s better to take on the extra cost of supporting an additional platform than to force all users to a single device that doesn’t serve their needs well, says Brendan O’Malley, CIO of cupcake maker Tastykake. "Still, we have two device [platforms], not 17," he notes.

Get Ahead of Your Users

While IT executives say you can’t allow a free-for-all of devices into the enterprise, you can choose among different strategies to manage the choice and acquisition of the connected handhelds.

At Liquidation World, for example, "only company-owned equipment is allowed on the network. That gives us control," says IS Director Chad Richardson. At InterAct Public Safety, the fact that IT manages e-mail and network access through a mobile server tied into a specific type of device gives the enterprise a simple way to manage the devices people use, says Wroten. End users can’t simply buy their own device and ignore IT, since devices have to be registered with the mobile server to get any network access.
Farmers & Merchants Bank, IndyMac Bank and Tastykake take the same approach.

InterAct and Primerica strictly control some devices but are flexible on others. InterAct, for example, relies heavily on text messaging to communicate to its field and sales forces, so all employee-provided phones must support text messaging. While most employees choose to take the company-paid cell phone (some even port their personal number to it), some bring in their own phone because they belong to family plans, notes CIO Wroten. But when it comes to devices that can access e-mail and other corporate data, InterAct supports only the BlackBerry devices it provisions.

Primerica gives its thousands of independent contractors a list of approved handhelds they can buy, but it provisions the BlackBerrys and Treos used by employees, since employees have access to corporate data that the contractors do not, says Tom Swift, the bank’s executive vice president of field technology.

No matter how tightly the enterprise chooses to manage handheld provisioning, the consumer nature of the devices—which are typically sold through the cellular carriers—means that there can be multiple versions of devices to manage. Fortunately, the makers of the two most popular types of connected handhelds—the BlackBerry and the Treo—have reduced the version churn in recent years and have kept the interface and management functions consistent across models, says Greg Nelson, senior consultant in the IT group at Russell Investment Group, a brokerage and financial services provider. That wasn’t the case just a few years ago.

A final management concern: You must manage the number of cellular providers.
While many companies can standardize on one if their usage is within a region where one carrier has good coverage, firms with national or international presence often need multiple carriers.

Giving a choice of cellular carriers, while often necessary for coverage reasons, can lead to device envy: Carriers often get short-term exclusive distribution deals for new devices, so users of one carrier may not be able to get the same sexy device their colleagues using the other carrier can. Also, devices typically can’t be replaced without a penalty for two years, so some users get itchy when the new devices arrive. "These are challenges for us, so we explain that it could cost $600 to terminate a plan so they can upgrade," notes Greg Inginio, the senior vice president of IT operations at IndyMac Bank.

Get in Front

Whatever variation works for your enterprise, "the key is having strong policies up front. Control what they do," says Farmers & Merchants Bank’s Graham. But don’t forget the carrot. "Encourage the use of [company] smart phones and PDAs, so employees don’t carry their own," he says.

At Tastykake, O’Malley makes a point to provide the leading-edge connected handhelds, so users—especially executives with the power to say no to IT—aren’t tempted to get their own devices. "We figure out what people need and give it to them," he says.

Encouraging connected-handheld use does increase costs—for equipment, cellular plans and device management—but is well worth the extra productivity and the data security protection, Graham and O’Malley say. But not having a mobile plan will cost you more in the long run. As InterAct’s Wroten puts it, "This is a cost of doing business."