While security professionals (like me) fret about iPhone threats, this prosumer smartphone continues to spread throughout the enterprise. At last month's Interop Las Vegas, a packed crowd gathered to hear panelists discuss enterprise iPhone adoption trends. When moderator Nathan Clevenger (Enterprise Editor, Smartphone Magazine) polled the audience, roughly one third officially supported the iPhone, while another third banned it. The rest used iPhones anyway, without their employer's help.
According to Clevenger, 44% of businesses that have not yet embraced iPhones plan to do so this year. As one attendee observed, where the one-laptop-per-child initiative failed, one-iPhone-per-child appears destined to succeed. College students glued to their iPhones will soon hit the enterprise. Once there, these Millennials will demand not just iPhone tolerance but enterprise iPhone applications. "Apple's iPhone commercials have done a great job raising mobility awareness," Clevenger said. "If there's an app for everything in their personal lives, it's only a matter of time until they expect an app for everything in their business lives too."
This puts IT in a bit of a bind. On one hand, IT must find ways to exploit the business potential of the iPhone. At the same time, IT must manage iPhone support costs and risk exposure while working around hardware and OS limitations. Clevenger's panel discussed both challenges and possible strategies.
The iPhone as a marketing tool: Get started with B2C
Clevenger argues that many businesses could benefit from using the iPhone as a marketing tool -- a trendy way to reach out to customers. "Look at Kraft -- they went beyond allowing iPhone email access to recognize that using iPhone apps to connect to consumers can be very powerful," he said. "Kraft's iFood Assistant is a consistently top-selling iPhone app -- they've easily generated more revenue from selling that app than it cost to develop. And, of course, iFood generates shopping lists filled with Kraft food items."
A growing list of Fortune 1000 companies have developed iPhone apps to communicate with existing or potential customers, including Target's Gift Finder app, Burger King's Now Phone Ordering app, eTrade's Mobile Pro app, and AAA's Discounts app. Many business-to-consumer (B2C) iPhone apps can be downloaded from the AppStore free of charge -- their purpose is to draw attention, promote products, and make it easier for mobile users to tap services that are otherwise inaccessible or hard to use on-the-go.
By developing B2C iPhone apps, these companies are learning to exploit a relatively effective and inexpensive new advertising and service delivery channel. But not only are they learning how to develop enterprise iPhone applications -- they're doing so with minimal management overhead and security risk.
For example, panelist Irv Shapiro (CEO, IfByPhone) noted that eTrade's iPhone client helps mobile users keep tabs on their portfolios but does not attempt to leave any data on the device itself. "eTrade is using the iPhone as a fat client to create a very good user experience -- much better than a Web browser -- while dealing with the fact that it is not a secured device," Shapiro said.
In fact, many iPhone apps are just presentation wrappers that overcome human factor challenges that are inherent to Web portals, without requiring significant application processing or data storage on the remote device itself. As it happens, "dumb" devices that don't store valuable data and can't run background applications make less interesting targets for thieves and hackers. By developing iPhone apps for consumers, enterprises may be learning how to reduce risk exposure in business applications as well.
Enterprise iPhone management: Defer MDM headaches
Furthermore, B2C iPhone apps can leverage the iTunes AppStore for global delivery and end user self-activation. Businesses that develop B2C apps don't need to provision or track consumer iPhones, nor do they have any motivation to configure or enforce device-level policies.
Conversely, enterprises that adopt iPhones for internal workforce use -- especially those that deploy private applications -- continue to struggle with Apple's minimalist device management infrastructure. iPhone 2.0 added Exchange ActiveSync support (including IT-initiated remote wipe) and a local configuration utility to control password and VPN policy. But this barely scratches the surface of large enterprise mobile device management (MDM) requirements.
"There are lots of business applications for iPhones today," Shapiro said. "They are just not enterprise applications. The reality is that an IT department is going to tap out above 50 iPhones [when managing devices this way]."
"Mobile device management is a big rock to push uphill," said panelist Adam Blum (CEO, Rhomobile). "And the AppStore model of funneling all applications through a limited number of Apple testers with uncertain approval time frames just won't work for the enterprise."
Several vendors have scrambled to fill these gaps. For example, Trust Digital's Enterprise Mobility Management platform takes a portal approach whereby IT invites newly authorized iPhone users to visit a URL. When a user clicks that URL and authenticates, EMM pushes IT-configured policies (XML files) to the iPhone, as appropriate for each user/group. This lets an enterprise provision iPhones over-the-air, linked to ActiveDirectory identities, without requiring one-by-one physical connection to a desktop utility.
After provisioning, many business applications are taking a secure sandbox approach to overcome the iPhone's weak device lock and lack of device-level data encryption. For example, end users can download the Sybase iAnywhere Mobile Office for the iPhone directly from the AppStore. Once installed, that iAnywhere client "phones home" to a corporate iAnywhere Mobile Office server to be activated, creating a password-protected, encrypted application sandbox on the iPhone for email, calendar, contact, and task activities.
Although iPhone 3.0 includes critical improvements (e.g., encrypted backup), Interop panelists did not expect Apple to focus on enterprise MDM or security needs anytime soon. Shapiro observed that most workers in the United States and Canada do not work for large enterprises. "It could be that Apple has decided to become dominant in non-enterprise [markets] first, and then slowly move into the enterprise," he said.
Enterprise iPhone features: Extend and consolidate
There are many highly visible iPhone 3.0 features that business users will appreciate, including copy/paste, 3G modem tethering, and Exchange calendar synchronization. But Clevenger believes the most promising 3.0 advance for business may be SDK support for third-party hardware integration.
"This could be the trigger for line-of-business application development," he said. "If you look at who's using mobile devices today, the vast majority of enterprise applications beyond email are task-oriented, performed on a specialized or ruggedized device. Most of these applications require integration with some other device like a barcode scanner."
According to J.T. Starzecki (CEO, iPhoneZenMasters), the iPhone has only just started to change the face of mobility. "With 3.0, that device becomes more than just a phone. We're on the verge of yet another shift, with third-party add-ons that give the iPhone advanced capabilities," he said.
Panelists envisioned a plethora of new vertical apps -- for example, healthcare workers could use their iPhones as diabetic blood glucose monitors, RFID patient badge readers, temperature sensors, and indoor location detectors. The iPod Touch devices now being deployed to soldiers in Iraq could be used for both rifle calibration and battlefield blood inventory.
Clevenger speculated that many WinCE applications that now run on specialized hardware will end up being ported to general-purpose iPhones. "Right now, when you go to an Apple store to buy an iPhone, they check you out on a Windows Mobile device!" he said. Once iPhones can be outfitted with extensions like receipt printers, Clevenger expects those legacy point-of-sale devices to be replaced.
In short, look for opportunities to use a mobile device that your workers already carry or can purchase off-the-shelf to support many different specialized tasks. "In the past, there's been virtually no cross-over between the mobile devices used by information workers and task workers," Clevenger said. If enterprises can learn to use the same mobile platform(s) to do more, their total cost of ownership might be reduced.
Enterprise iPhone applications: Get creative
On the other hand, Blum argued that enterprise developers should leverage today's interest in iPhone apps as an opportunity to find more effective ways to deal with mobile diversity. "Boutique app developers have created a huge customer base for the iPhone, but there are stumbling blocks for enterprise [app developers]," he said. "Even companies that have a standard mobile device still have heterogeneity. I think you will need apps that work on the iPhone and on other devices."
To facilitate this, Blum advocates a "write once, run anywhere" application development platform, such as his firm's Rhodes smartphone development framework. Developers can get a feel for this approach with minimal investment by using Rhohub, a hosted cross-platform development and installation environment for HTML/XML apps that can run on BlackBerry, Windows Mobile, Android, Symbian and iPhone devices. Rhohub is now in public beta; visit http://www.rhohub.com.
Some in the Interop audience questioned whether sufficient enterprise drivers existed for iPhone apps, given today's platform limitations. But other audience members agreed with these panelists -- the time has come for enterprises to find ways in which to embrace the iPhone. "Your customers that use iPhones are going to be risk-takers -- they're going to be the ones pushing your company to use the iPhone. Use this new device for apps that couldn't easily be done before, and for external [B2C] applications first," Shapiro said. "Internal enterprise apps will follow."
About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in June 2009