In today's highly mobile world, enabling enterprise mobility has become mission-critical. In a 2013 Forrester survey,...
71% of IT decision makers said increasing mobility support for employees inside and outside the office was a top strategic network initiative.
The exponential growth in mobile devices, applications and data is transforming business processes. To benefit from workforce mobilization, organizations must harness mobile devices while still protecting enterprise assets. A mobility assessment is the first step to a comprehensive enterprise mobility management strategy.
Take mobile device inventory
The number and variety of mobile devices used for business continues to grow. According to Forrester, over half of North American workers now use both a smartphone and a tablet. A survey by TrendMicro found that three-quarters of U.S. companies have bring your own device (BYOD) policies. Most new devices entering the workplace today are mobile devices purchased by consumers who use them for both business and personal purposes.
Furthermore, both employee-owned and enterprise devices are growing smarter, transparently tapping wireless connectivity for remote monitoring and maintenance. From wearable gadgets to smart peripherals, offices are being overrun by the Internet of Things -- a potpourri of fixed and mobile devices that can sap network capacity while being difficult to identify and control.
Managing this exponential growth demands a continuously maintained device inventory and automated tools to recognize those devices. For best results, a mobility assessment should accommodate two distinctly different classes of wireless/mobile devices.
Fixed wireless devices. These will continue to be acquired and installed by IT to deliver shared services to mobile users -- for example, workgroup printers, Wi-Fi access points and "smart" appliances. To identify these devices, batch-load the Media Access Control addresses for IT-procured devices or choose devices that "phone home" to management systems using discovery protocols such as CAPWAP (RFC 5415).
Mobile wireless devices. These devices that are owned and used by individuals -- including laptops, smartphones, tablets, phablets, e-readers and smart watches -- will increasingly appear in the workplace unannounced. To identify these devices, use self-help enrollment tools that cater to the needs of mixed-use endpoints and visitors.
Divvying devices into these classes can help you develop more efficient device identification workflows and take advantage of emerging tools for greater scalability. For example, many enterprise wireless LAN (WLAN) products have been integrated with mobile device management (MDM), network access control (NAC) and identity management systems. Such a WLAN setup might do the following:
First, it could check each newly connected device's address against an MDM inventory, automatically redirecting IT-procured printers, phones or other devices identified by their batch-loaded addresses onto designated segments of the enterprise network.
Second, it could fingerprint devices not yet inventoried, using visible characteristics such as manufacturer, model, operating system, location or user-configured device name. The WLAN could redirect them to policy-defined URLs, such as an NAC server's guest access portal or the MDM self-enrollment page.
Last, for devices with mobile OSes that support over-the-air provisioning, use MDM systems to install configuration profiles that move devices onto secure wireless networks to complete enrollment.
Achieving this degree of transparency and automation requires integration among network, device and identity management systems, driven by carefully crafted policies. Putting these pieces into place will require careful design and testing.
To get control over endpoints, your organization may also need to review licenses or upgrades for your WLAN, MDM and other applications. These investments will pay off over time, as thousands of devices are discovered, inventoried and connected in real time, with little IT or mobile user assistance.
Set a policy for enterprise mobility
Once you've crafted a process for mobility assessment and identifying mobile devices, it's time to decide which devices to grant remote access to enterprise networks, apps and data and which ones to grant simple mobile access. Ideally, this decision should be driven by an enterprise mobility policy.
To craft a strong mobility policy, start by defining your business goals and the devices and users that fall within its scope. For example, is your objective to enable business access under BYOD? Is it to enable secure visitor access to the Internet or guest services? Or do you want to ensure that every employee's mobile device complies with an industry regulation?
Clarify your policy's scope by specifying which mobile devices are included, such as smartphones and tablets that carry or access business data. You may also exclude certain endpoints, such as IT-owned or personal-use-only devices.
The identified device list can help you determine which kinds of devices are currently used by employees, contractors and visitors. Aim to create an extensible policy that can cover new devices to meet similar goals, without being so broad that it becomes ambiguous or hard to implement.
Next, define acceptable uses for mobile devices by establishing conditions that must be satisfied to receive any degree of enterprise access. For example, a BYOD policy should include the permissions that the device's owner must grant you as the enterprise network's operator, such as the right to collect location data or wipe a lost device.
Also, state any usage limitations, such as prohibitions against business data sharing or jailbreaking, and seek the device owner's explicit agreement to your terms during self-help enrollment.
These fundamental decisions will influence the rest of your enterprise mobility policy, including technical requirements for device configuration, security controls, mandatory/allowed applications, data storage and network access.
For instance, a BYOD policy may require enrolled devices to meet minimum standards for passcodes, data encryption and remote wipe before being auto-provisioned with corporate email and WLAN access.
Finally, policies should explain the steps that enterprise IT will take to ensure compliance, such as periodically querying enrolled devices. Users should be aware of the consequences of noncompliance, such as the removal of enterprise settings or applications to remediate possible security threats.