Network managers are scrambling to learn about mobile device management systems in response to what’s now become a very typical mandate from CIOs: We’re now going to support iPhones and Androids, while still maintaining the same type of management and security we’ve had with our BlackBerry environment. If you have run a BlackBerry Enterprise Server (BES) to maintain a network of BlackBerry devices, you will at least have some base of understanding of the issues, but if you’re starting from ground zero, you will have some catching up to do.
The first step will be to define precisely what you have to support and to what degree. That means updating your mobile device policy. If you don’t have a mobility policy, it’s time to get to work on that. Fortunately, the Enterprise Mobility Forum (EMF) publishes an excellent Enterprise Mobility Guidebook that provides a template for mobile policy development. While it cannot define what the actual policy should be, it provides an excellent reference that ensures all of the important areas are addressed, which should include basic things such as who gets a mobile device, who pays for it, what constitutes acceptable use, user responsibilities, penalties for non-compliance, and the range of devices and operating systems you will support.
Defining the range of devices is critically important, as not all MDM systems support the full range of operating systems. Further, the capabilities available on each operating system will differ, so a particular system might not allow you to manage a particular set of devices at the level required by your security policy. BlackBerry is rarely a problem. Apple iOS support has improved enormously, but Android and Windows Phone 7 are about a year behind. Many won’t even talk about WebOS.
The big question that always comes up is: Can I secure an iPhone (or Android or Phone 7) device as effectively as I do a BlackBerry? The literal answer is no, but the difference might not matter in your organization. At this point only BlackBerry security has been certified as FIPS-compliant based on the Federal Information Processing Standards. Apple has reportedly applied for FIPS certification. FIPS certification is important for government agencies and highly regulated businesses, but for your “garden variety” security, the capabilities available will likely meet your requirements. Check with your security professionals about the FIPS issue.
What do MDM systems do?
Each MDM supplier has its own way of organizing its products, but there are typically a few core MDM functions. The idea is to create a cradle-to-grave support system for all of the devices under your control. It should address each phase of the device lifecycle from provisioning, through maintenance and support, to end-of-life disposal.
The two core elements required are a server/database and a client for each mobile OS supported, though some solutions, like BoxTone’s, work without a client.
Core functions of mobile device management systems
Each MDM system has a core server that maintains information about all of the devices under management. This core server will not only track the hardware, but most will store the configuration settings and track software licenses and other critical data. All of the various applications or functions tap into that database. That database may reside on a server in the data center, but increasingly we are seeing cloud-based and SaaS options. Make sure you ask about high availability and the number of devices supported per server, and what happens if the server goes down. Ahmed Datoo, CMO for Zenprise, claims its largest customer has 65,000 devices under management and they are all supported on a single server.
Starting up an enterprise mobile device involves a lot more than taking the device out of the box. When a device is defined in the system database, essential information like the device type, software release, phone number and IMEI must be captured. MobileIron’s Sentry program taps into ActiveSync (Microsoft’s mobile data synchronization technology and protocol) to determine how many mobile devices are already there, but not registered (that can be a shocker). You can then send the device an SMS with a link to register on the system. If they fail to register, you can lock them out.
The user is assigned to a group, often via LDAP, and that group will have a defined security profile that can then be pushed to the device. In most cases that is done over the air (OTA). WLAN SSIDs, VPN controls and other settings can also be configured, and security policies can be set OTA. Those security settings can include such functions as requiring strong power-on password protection, identifying which applications are allowed (i.e., whitelist/blacklist/mandatory) and enabling onboard encryption. Assigning users to groups allows those policy settings to be applied uniformly for a job function or department.
There are some other interesting capabilities we are seeing on the security front. In certain manufacturing environments secrecy is important, and some solutions now have the ability to disable the device’s camera based on time of day or location.
For users to be productive with mobile devices, the devices have to work. Ongoing support functions include updating software on the device, monitoring mobile device health and providing troubleshooting assistance.
On the software front, important functions include the ability to ensure that the software versions are up to date, the policy settings are in place and the device has not been “jailbroken” (for iPhones) or “rooted” (for Androids). Jesse Lindeman, director of product management for MobileIron, says you should examine jailbreak detection closely, as there are different signatures the system must look at on different OS releases.
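The group-based policy profiles and the compliance checks described above (OS version, passcode, encryption, whitelisted/blacklisted/mandatory apps, and jailbreak or root status) can be modelled as a single evaluation over the device inventory. The following is an added example, not code from the article or from any MDM vendor; the policy fields, device records and the allow/notify/block actions are constructed assumptions, and the jailbreak/root flag is taken as already reported by the on-device client rather than detected here.

```python
# Added example (not from the article or any MDM vendor): evaluate each enrolled
# device against the security profile of the group it was assigned to, and turn
# the findings into an access decision. All records below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class GroupPolicy:
    """Security profile pushed to every device in a group (hypothetical fields)."""
    min_passcode_len: int
    require_encryption: bool
    min_os_version: dict              # platform -> lowest acceptable version string
    mandatory_apps: set = field(default_factory=set)
    blocked_apps: set = field(default_factory=set)


@dataclass
class Device:
    """What the MDM client reports back about one enrolled device."""
    device_id: str
    platform: str                     # "ios" or "android"
    os_version: str
    group: str
    passcode_len: int
    encrypted: bool
    compromised: bool                 # jailbroken (iOS) or rooted (Android), per client
    installed_apps: set


def version_tuple(version: str) -> tuple:
    """'4.3.1' -> (4, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, policy: GroupPolicy) -> list:
    """Return the list of policy violations for one device (empty means compliant)."""
    findings = []
    if device.compromised:
        findings.append("jailbroken/rooted")
    minimum = policy.min_os_version.get(device.platform)
    if minimum and version_tuple(device.os_version) < version_tuple(minimum):
        findings.append(f"os {device.os_version} below minimum {minimum}")
    if device.passcode_len < policy.min_passcode_len:
        findings.append("passcode shorter than policy")
    if policy.require_encryption and not device.encrypted:
        findings.append("on-device encryption off")
    for app in sorted(policy.mandatory_apps - device.installed_apps):
        findings.append(f"mandatory app missing: {app}")
    for app in sorted(device.installed_apps & policy.blocked_apps):
        findings.append(f"blocked app installed: {app}")
    return findings


def decide(findings: list) -> str:
    """Map findings to an action: a compromised device loses access outright,
    other violations get a remediation notice, a clean device is allowed."""
    if "jailbroken/rooted" in findings:
        return "block"
    return "notify" if findings else "allow"


# Constructed group profiles and inventory; version strings are illustrative only.
POLICIES = {
    "finance": GroupPolicy(8, True, {"ios": "4.3", "android": "2.3"},
                           mandatory_apps={"corp-vpn"}, blocked_apps={"file-share-x"}),
    "sales": GroupPolicy(4, False, {"ios": "4.0", "android": "2.2"}),
}

INVENTORY = [
    Device("d1", "ios", "4.3.3", "finance", 8, True, False, {"corp-vpn", "mail"}),
    Device("d2", "android", "2.2.1", "finance", 6, False, False, {"file-share-x"}),
    Device("d3", "ios", "4.2.1", "sales", 4, False, True, {"mail"}),
]


def compliance_report(inventory=INVENTORY, policies=POLICIES) -> dict:
    """device_id -> (action, findings) for the whole fleet."""
    report = {}
    for dev in inventory:
        findings = evaluate(dev, policies[dev.group])
        report[dev.device_id] = (decide(findings), findings)
    return report


if __name__ == "__main__":
    for dev_id, (action, findings) in compliance_report().items():
        print(dev_id, action, findings)
```

Comparing versions as tuples rather than strings matters in practice: "4.10" is newer than "4.9", but a string comparison says otherwise. The blunt block-on-jailbreak decision is a deliberate simplification; real deployments usually stage it (warn, then quarantine) and, as the article notes, the detection signatures themselves vary by OS release.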
Companies like Kaspersky Labs, F-Secure and Symantec have been pushing mobile antivirus software, but it impacts device performance and battery life, so the industry seems to be moving to a centralized implementation. Sybase (now part of SAP) partners with Juniper for antivirus scanning.
From a security standpoint, the ability to remotely lock and/or wipe the mobile device is probably the most important function. However, it is important that the wipe function differentiates between company files and personal information, or you might wind up erasing the employees’ baby pictures and MP3s when they leave the company.
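The distinction between a full wipe and a selective ("enterprise") wipe that removes only what the MDM placed on the device is easiest to see in code. The following added example is not the article's or any vendor's implementation; it models device contents as a constructed list of items tagged managed or personal, and assumes the ownership field (corporate-liable vs. personal/BYOD) decides which wipe mode is used at decommissioning.

```python
# Added example (not from the article or any MDM vendor): choose between a full
# wipe and an enterprise wipe at decommissioning, and verify that no managed
# data survives. Device contents and ownership below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Item:
    path: str
    managed: bool      # True if the MDM pushed or installed it (accounts, profiles, managed apps)


@dataclass
class DeviceState:
    device_id: str
    ownership: str     # "corporate" (company-owned) or "personal" (BYOD)
    items: list


def enterprise_wipe(state: DeviceState) -> list:
    """Remove only MDM-managed items; the user's own photos, music, etc. stay."""
    removed = [i.path for i in state.items if i.managed]
    state.items = [i for i in state.items if not i.managed]
    return removed


def full_wipe(state: DeviceState) -> list:
    """Factory-reset semantics: everything goes, managed or not."""
    removed = [i.path for i in state.items]
    state.items = []
    return removed


def verify_clean(state: DeviceState) -> bool:
    """Post-wipe check: no managed item may remain on the device."""
    return not any(i.managed for i in state.items)


def decommission(state: DeviceState, reason: str) -> dict:
    """Company-owned devices are wiped entirely; BYOD devices lose only company data.
    Returns an audit record of what was removed and what was left in place."""
    if state.ownership == "corporate":
        mode, removed = "full", full_wipe(state)
    else:
        mode, removed = "enterprise", enterprise_wipe(state)
    return {
        "device": state.device_id,
        "mode": mode,
        "reason": reason,
        "removed": removed,
        "remaining": [i.path for i in state.items],
        "verified": verify_clean(state),
    }


def sample_byod() -> DeviceState:
    """Constructed BYOD phone mixing personal content with MDM-managed items."""
    return DeviceState("byod-1", "personal", [
        Item("/Photos/baby.jpg", managed=False),
        Item("/Music/song.mp3", managed=False),
        Item("/Accounts/exchange-corp", managed=True),
        Item("/Profiles/corp-vpn", managed=True),
        Item("/Apps/corp-crm", managed=True),
    ])


def sample_corporate() -> DeviceState:
    """Constructed company-owned phone being returned for upgrade."""
    return DeviceState("corp-7", "corporate", [
        Item("/Accounts/exchange-corp", managed=True),
        Item("/Photos/lunch.jpg", managed=False),
    ])


if __name__ == "__main__":
    print(decommission(sample_byod(), "employee leaving"))
    print(decommission(sample_corporate(), "hardware upgrade"))
```

The audit record returned by decommission is what you would want to retain for the device's lifecycle history: it shows that the corporate account, VPN profile and managed app came off the BYOD phone while the baby pictures stayed, and that the company-owned phone was cleared completely before resale or reuse.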
Troubleshooting problems remotely is also key. Zenprise’s Datoo notes that 50% of mobile help desk calls are “how to” questions, so Zenprise’s tools (as well as some of the others) allow WebEx-type access to the device. Some systems provide features like alerting users when they are in international roaming mode or giving the help desk the ability to turn on the ringer remotely so the user can call the device to locate it. These types of tools can be critical in allowing employees to stay productive.
There have been too many stories about smartphones being sold on eBay with volumes of sensitive information on them, so end-of-life decommissioning has become increasingly important. Whether the device is being upgraded or the user is leaving the company, all company-sensitive information must be removed. If an employee is leaving the company, the mobile policy should also specify if they will be allowed to keep their mobile number or if it remains in possession of the company.
Importance of MDM systems will continue to grow
In an all-BlackBerry environment, the BES could provide an enterprise with a complete and comprehensive security and management capability with over 400 policy options for its BlackBerry devices, but only its BlackBerry devices. As BlackBerry’s share of the enterprise smartphone market has shrunk with the advent of iPhone, Android and other devices, the IT department now has to determine how to best extend those same management capabilities to these devices as well.
Further, if there is still a population of BlackBerry devices, you must decide if you will continue to manage them directly through the BES or through the multidevice MDM. Virtually all of these solutions interface with BES, allowing a single management interface, but there is a charge (typically $2 to $10 per month) for each device being managed.
Mobility will continue to be one of the fastest moving segments in IT, so you can expect to be dealing with MDM systems for some time into the future.
Don’t miss part 1, “Defining the need for enterprise mobile device management software,” for more information on MDM software and systems.
About the author: Michael Finneran is an independent consultant and industry analyst who specializes in wireless technologies, mobile unified communications and fixed-mobile convergence. With more than 30 years in the networking field and a broad range of experience, Finneran is a widely recognized expert in the field. He is the author of Voice Over Wireless LANs -- The Complete Guide (Elsevier, 2008). His expertise spans the full range of wireless technologies, including Wi-Fi, 3G/4G cellular, WiMAX and RFID.