A mobile mess looms for CIOs who ignore the rising popularity of handhelds. New third-generation (3G) cellular networks make wireless handheld computing more convenient for everyone from executive travelers to salespeople and field technicians. This trend poses new challenges to CIOs who need to maintain enterprise network and data security, plus keep end-user support costs down.
Yet most enterprises have no policies or mobile management strategy in place to achieve these goals, notes a recent study by the BPM Forum, an industry association. And without a mobile device management strategy, a trickle of connected devices brought in by individuals can quickly become a nasty, unmanaged torrent.
Your first big CIO headache regarding handhelds: they are easily lost or stolen, putting any data they contain at risk. Even data that seems routine, such as personal contact information or e-mails about a deal in progress, can expose a company to high notification costs (if customers must be contacted regarding a privacy breach) or reveal insider information, according to Yankee Group analyst Nathan Dyer.
Fortunately, securing handhelds is not hard if you centralize communications through a mobile server, such as the BlackBerry Enterprise Server for Research in Motion’s connected handhelds, or the GoodLink Server from Motorola subsidiary Good Technology for Palm Treos and other devices. These mobile servers act as proxy servers for cellular-connected mobile devices, routing approved connections to the corporate e-mail, data and applications servers as appropriate. You set rules to set limits on data access.
“We don’t keep sensitive information on the servers available to the BES [BlackBerry server],” notes Evans Wroten, CIO of InterAct Public Safety Systems, which provides emergency data and communications services.
Similarly, Microsoft Exchange Server can manage communications to Windows Mobile devices like the T-Mobile MDA and Motorola Q, though Windows Mobile devices in general are not popular among enterprise users because of overly complex user interfaces, Dyer notes. (IT departments also don’t like the Windows Mobile interface complexity, or the fact that huge variation in interfaces from device to device increases support costs, he says.)
Using a mobile server ensures that only authorized devices can access e-mail and corporate applications. Mobile servers also can tie into identity servers, such as Microsoft Active Directory, to share one set of network permissions between the corporate network and the connected devices. The BlackBerry and GoodLink servers can also enforce security policies, such as password rules, and keep antivirus software updated wirelessly.
IT can prevent users from sidestepping the official system in three ways. First, prevent or restrict access to the network over a Web, POP3 or SMTP interface, so Internet-enabled personal devices can’t get in. Second, lock down company PCs so users can’t install their own software (such as synchronization software for mobile devices). Third, disable the USB ports so users can’t plug in a handheld’s docking station. Desktop management software from Altiris, Hewlett-Packard, IBM, Microsoft, Novell and others – which many enterprises already use for patch management and software license management – lets you centrally apply these lockdown and port management capabilities across all users.
SUPPORT COSTS (PLENTY)
Handheld headache number two: support costs can get you. Handhelds are hard to manage because they’re typically with users who aren’t in the same building as the desktop PC support team. That means handhelds need to be managed wirelessly. Although several desktop management tools can manage software updates and track device ownership (for support and cell service chargeback, for example), they’re often not used for that purpose. Cost is a big reason, notes David Wade, CIO of Citigroup subsidiary Primerica. “You don’t want to pay a per-user fee for a client license. That’s a rip-off,” he says.
“Enterprises historically have not seen much of a need to spend $50 to manage a device that costs about the same amount of money,” concedes Rhett Glauser, an Altiris spokesman, though he says the costs of data loss are starting to change that calculation. But enterprises have another option: using the same BlackBerry or GoodLink mobile servers they already have to manage e-mail, since those servers can also track users, audit user activity, and manage firmware and software updates. The desktop management tools don’t offer the server functions, so they cannot replace the BlackBerry or GoodLink servers.
One related issue: the wider the variety of handhelds you must manage, the bigger the challenge. The mobile servers are typically designed for one class of handhelds, sometimes two. Different types of users prefer – and sometimes really need – different types of PDAs, so it’s easy to have, for example, executives standardize on the BlackBerry but salespeople standardize on the Treo.
If the BlackBerry is one of those platforms, IT will need to manage at least two mobile servers in parallel, which increases IT’s overhead. (GoodLink can manage both Palm and Windows devices.) Third-party management tools that can manage all three types of devices (Palm, Windows Mobile and BlackBerry), such as iAnywhere Solutions’ Afaria and Credant Technologies’ MobileGuardian, still need a separate mobile server.
While CIOs would prefer a single management platform, they say the extra overhead is manageable. “It’s not that much effort for IT to support the two systems for day-to-day support,” says Bob Graham, senior vice president and CIO at Farmers & Merchants Bank.
Furthermore, it’s better to take on the extra cost of supporting an additional platform than to force all users to a single device that doesn’t serve their needs well, says Brendan O’Malley, CIO of cupcake maker Tastykake. “Still, we have two device [platforms], not 17,” he notes.
GET AHEAD OF USERS
While IT executives say you can’t allow a free-for-all of devices into the enterprise, you can choose among different strategies to manage the choice and acquisition of the connected handhelds.
At Liquidation World, for example, “only company-owned equipment is allowed on the network. That gives us control,” says IS Director Chad Richardson. At InterAct Public Safety, the fact that IT manages e-mail and network access through a mobile server tied into a specific type of device gives the enterprise a simple way to manage the devices people use. End users can’t simply buy their own device and ignore IT, since devices have to be registered with the mobile server to get any network access.
InterAct strictly controls some devices but is flexible on others. For example, the company relies heavily on text messaging to communicate to its field and sales forces, so all employee-provided phones must support text messaging. While most employees choose to take the company-paid cell phone (some even port their personal number to it), some bring in their own phone because they belong to family plans, notes CIO Wroten. But when it comes to devices that can access e-mail and other corporate data, the company supports only the BlackBerry devices it provisions.
Primerica gives its thousands of independent contractors a list of approved handhelds they can buy, but it provisions the BlackBerrys and Treos used by employees, since employees have access to corporate data that the contractors do not, says Tom Swift, the bank’s executive vice president of field technology.
No matter how tightly the enterprise chooses to manage handheld provisioning, the consumer nature of these devices means that there can be multiple versions of devices to manage. Fortunately, the makers of the two most popular types of connected handhelds – the BlackBerry and the Treo – have reduced the version churn in recent years and have kept the interface and management functions consistent across models, says Greg Nelson, senior consultant in the IT group at Russell Investment Group, a brokerage and financial services provider. That wasn’t the case just a few years ago.
A final management concern: you must manage the number of cellular providers. While many companies can standardize on one if their usage is within a region where one carrier has good coverage, firms with national or international presence often need multiple carriers.
Giving a choice of cellular carriers, while often necessary for coverage reasons, can lead to device envy. Carriers often get short-term exclusive distribution deals for new devices, so users of one carrier may not be able to get the same sexy device their colleagues using the other carrier can. Also, devices typically can’t be replaced without a penalty for two years, so some users get itchy when the new devices arrive.
“These are challenges for us, so we explain that it could cost $600 to terminate a plan so they can upgrade,” notes Greg Inginio, the senior vice president of IT operations at IndyMac Bank.
Whatever variation works for your enterprise, “the key is having strong policies up front. Control what they do,” says Farmers & Merchants Bank’s Graham. But don’t forget the carrot. “Encourage the use of [company] smart phones and PDAs, so employees don’t carry their own,” he says.
Galen Gruman is principal of the Zango Group, a firm that provides business development and editorial services. He has written for a wide variety of leading business publications, and has written or coauthored more than 20 how-to books. He can be reached at firstname.lastname@example.org.
Tips from a mobile veteran
Early adopters of mobile devices have identified three components for a successful mobile management strategy. Here’s the lowdown from Tastykake CIO Brendan O’Malley:
- Get ahead of your users. Develop a management strategy before user demand surges, covering device standards, personal usage (and any reimbursements for it), security and access controls, and cellular providers. O’Malley advocates allowing reasonable personal usage of mobile devices without reimbursement: If usage is excessive, that needs to be addressed, but reimbursement is pretty tough to manage effectively, he says. Provide leading-edge devices so that you minimize the chance of powerful users forcing in “cool” but nonstandard equipment.
- Reduce complexity where you can. Decide which devices you will buy or allow, then stick to those. Respect the fact that mobile devices and their operating systems have significant differences that matter to different groups of users, and be prepared to support a couple of platforms. “If people out in the field think a new device is worthwhile, we’ll give it a shot,” O’Malley says.
- Carefully weigh costs, but keep users’ needs in mind. For example, Tastykake pays for traveling execs’ BlackBerrys but does not use cellular connections in the handhelds its distributors use on delivery routes, since there’s no need to get real-time delivery data, and the cost of cellular service quickly gets expensive as you add users.
Mobile server helpers
The applications to manage your connected devices depend on your mix of handheld PCs.
BlackBerry Enterprise Server: Research in Motion’s server and management software acts as a proxy between your e-mail server and BlackBerrys, using the carrier networks to wirelessly manage the devices.
GoodLink: Good Technology’s connected-handheld service includes the GoodLink Server to act as a proxy to the enterprise e-mail system, the GoodLink e-mail software that resides at the carrier, and two software applications for the GoodLink Server to manage the access and security settings. Supported devices include Palm OS and Windows Mobile devices (support for Symbian devices is planned).
Microsoft Exchange Server 2003: The standard Microsoft e-mail server includes the ability to manage connections to and settings for Windows Mobile handhelds.
Afaria: This software from iAnywhere Solutions provides central management of devices and cellular laptops, for software updates, access control and security management of BlackBerry, Palm, Symbian and Windows Mobile devices. However, it does not replace the need for an e-mail proxy server that works with the devices.
CMG Enterprise: This software from Credant Technologies supports the same devices as iAnywhere’s Afaria, with similar management capabilities, and the same need for a separate e-mail proxy server