Editor’s Note: As companies begin to come around to incorporating social and informal learning as part of their overall training strategy, chances are they’ll want to leverage their employees’ mobile devices. Because of this, corporations should be thinking about how to effectively control and restrict both mobile devices and the information that is contained on them. In his latest article, Dr. Woodill explores the challenges of mobile application management (MAM) and mobile device management (MDM). –Adam Bockler
The Mobile Frontier: The Challenge that Mobile Technologies Present to Information Technology Departments
Mobile and Information Technology Departments (IT)
Traditionally, IT is accustomed to exerting control over computers within the organization. They control the software installations, licensing, backups, patches, versioning, upgrades and security. IT also acts as a guarantor for information systems. They ensure maximum availability and information integrity, act as a policing system for violations of policy or threats to security, offer technical expertise for swift problem resolution, and maintain technical relationships with partners. These tasks and services have become dependent on their ability to maintain centralization. The sudden influx of privately owned mobile devices into the workplace has become a threat to the established order.
Bring Your Own Device (BYOD)
The advent of smartphones and tablets at affordable prices means that high-capacity computing is entering the workplace that is outside the control of IT. This new upstart technology has less overall capability than the old PC-based systems, but greater flexibility afforded through peripherals, specialized apps, texting, imaging and voice. The portability and sheer convenience means that these devices are being used in employee functions.
For example, outside salespeople have become dependent on these devices to keep them connected, at any time, to their clients and sales support team. They use them to touch base with the customers, run conference calls, maintain their contact list, organize their leads and sales funnel, text their technical staff, keep up with industry announcements, follow professional publications … the list goes on.
A side effect of mobile is that these devices are effectively substituting for traditional computers and their software systems in many day-to-day tasks. Laptops, in particular – which are less convenient to the mobile worker than the average mobile device (i.e., must be removed from a case, powered up, and physically supported) – are being replaced for some activities and oftentimes by the employee’s own decision. This is not simply an issue of redundancy of equipment. This movement can have serious consequences for IT because established systems begin to unravel when replaced by external, independent alternatives. This risk is pronounced when IT is slow in accommodating innovation.
In the case of a salesperson who is totally focused on making sales and generating revenue, there may be a risk of them adopting their own personal sales support systems on their mobile device and not using the corporate-sponsored software packages. This is clearly an issue, and, should this person be a high-performance employee bringing much value to the bottom line, a difficult one to solve.
First, mobile technologies may be enabling the salesperson’s success; therefore, interference may be detrimental to the organization’s income. Second, it’s difficult to discipline a renegade for being successful, and “A” players may choose to move on rather than conform. Mobile device users need to be accommodated, and this must be in a manner that also addresses the concerns of the organization.
Accommodation of mobile technologies can be accomplished through the issuing of standardized, corporate devices (also called corporate liable devices), or through the concept of “Bring Your Own Device.” BYOD is where the organization embraces the idea of a mobilized workforce, but where the worker may supply their own hardware, such as an iPhone or Android device. Many organizations are finding that their employees are pushing for this (Messmer, 2012). Ricoh America, in response to the mobile tsunami, recently opened the door for BYOD for its sales, field engineers, and administrative staff. Ricoh CEO Tracey Rothenberger stated,
“Technology is moving very fast with the introduction of new devices every month and we didn’t want to sit down and maintain a refresh strategy on something that was a personal decision for each employee … We do not care what employees bring to work as long as they follow our corporate policies for usage of the device and protection of proprietary information” (Miller, 2012).
Mobile technology, especially BYOD, raises new problems that need to be resolved. These problems include security, software interoperability and data sharing, ownership and control, and who pays for what.
Security and Bring Your Own Technology (BYOT)
BYOT is an extreme form of BYOD. It allows the user to bring his or her own device, software, and usage patterns to the workplace. For example, BYOD allows employees to make their own selection of smartphones and/or tablets, but software and usage patterns are established by IT and other stakeholders. BYOT extends the BYOD concept by allowing the employee to select their own software combinations as they feel it enables them to perform their duties.
BYOT, like BYOD, is becoming more prevalent in organizations. This adds yet another element of complexity to IT because of the sheer distance from the corporate-sponsored software. The organization needs to decide if they wish to take active measures to stop it, control it or facilitate it.
Enemies at the Gate: The Need for Operation and Information Management on Mobile Devices
Lost/Stolen Devices and Ex-Employees
An organization’s private data is its property, and is the “soul” of the business. Mobile devices may contain customer contact lists, technical data, and even sensitive material about the state of the business. As such, these devices pose a substantial threat in the wrong hands. A lost or stolen device could be used in fraud or corporate espionage. A personal device, owned by a former worker, could be the source of abuse should that workers leverage information:
- a) for their own benefit (e.g., a former employee using a client contact list to steal business for a competing company), or
- b) in retaliation for a perceived wrong (e.g., a disgruntled former employee publicly leaks sensitive information to the damage of the organization).
Banks and financial institutions, faced with the risk of unmanaged devices and their possible loss, are very concerned about finding a solution (Violino, 2012). They seem to be aware that this solution will need to evolve alongside the rapidly changing technology it addresses.
Software and Information Homogeneity and Control
Organization efficiency requires that information technology staff standardize its software. This allows for effective training, usage guidelines, cost control, compliance with licensing agreements, support contracts, interoperability and data sharing. Mobile devices, living outside the standards, create a level of destabilization.
First, they add an additional layer of technology that IT needs to address. Second, they introduce hardware and software variability into the existing workload already pressed for people and expertise. Third, without controls, they can no longer guarantee the completeness of the company data. How do they know what is going on in those devices?
Consider the issue of malware prevention software. Not yet a major problem with mobile devices, it is only a matter of time before a major incident occurs that compromises a large multi-national or public institution. IT departments are responsible to maintain information security; therefore, they will be on the hook for system disruptions or security breaches.
A great deal of investment has been made in selecting, implementing, and optimizing corporate information systems. This investment has not only consisted of time and money, but in developing a vision that is closely tied to the organizational goals. These goals originated from the top decision-makers. The idea that this order, which was hard to achieve, will suddenly fall to a chaos of mobile technologies is about as welcome as a dam bursting in a rainstorm. With the arrival of mobile, both IT and executives will want to keep as much of their control structure as is possible.
Private Property, Corporate Property
In BYOD environments, mobile devices are often the property of the worker and this leads to conflicts when corporations wish to exercise control, at any level, over these devices. Another concern is that not all workers own mobile devices. Mandating ownership, at the worker’s personal cost, may be resented and this would be a prickly issue in a unionized workplace. This is likely to be seen as an attempt at cost reduction by offloading business expenses to the employees. Attempting to enforce brand choices and/or control the device would inflame the situation.
Organizations can provide standardized devices to their workers, and this is an excellent solution for some businesses. Institutions and corporations requiring specialized security (e.g., government, research) or rugged devices (e.g., warehousing, manufacturing) would likely follow this approach.
This is not so simple in other cases because it presents two problems. One, the organization may now incur the cost of a personal computer and a mobile device for each employee – an expensive proposition. Two, people don’t want to carry two mobile devices (one for business and one for personal use); the extra bulk is contrary to the idea of mobile.
Once again, a company’s outside sales force provides a good example. They are highly mobile people who want to minimize their carry weight, especially through airports, while maximizing their connectedness. Allowing limited personal use on a business issued device is an option, but it’s not an ideal situation for either party.
The issue becomes even more complicated when information services are provided to partners, affiliates and customers. An acceptable compromise between private ownership and corporate ownership needs to be found.
Circling the Wagons: Mobile Management Strategy
Technical Aspects of Mobile Device Management (MDM) and Mobile Application Management (MAM)
MDM, which governs the device itself, is concerned with the activities of the entire device; as such, it is secure and controlled but intrusive. For example, MDM can prevent users from performing activities that are viewed as counterproductive, such as playing games or using Facebook. Device content can also be controlled. This is not an ethical solution when BYOD is mandated. MDM may also present significant stumbling blocks when partners, affiliates, and customers are involved; they may be opposed to an IT department viewing having access to their data.
MDM is primarily intended to fulfill a security role (Murray, 2012). In the event of a lost/stolen device, or should an employee leave the company, their mobile device can be blocked, locked, or erased to protect organizational information. It also allows IT staff to administer mobile devices in a manner similar to PCs in order to maximize standardization, minimize downtime due to problems, and enforce usage policy. Functions include application installations, firmware and software upgrades, scheduled backups, remote diagnostics, device history logging, and policy enforcement.
BlackBerry Enterprise Server is an example of an MDM solution designed to provision, audit, and protect smartphones and tablets through a centralized administrative interface. Their newer product, BlackBerry Fusion, is intended to work in a BYOD environment and supports BlackBerry, iOS and Android devices. With Fusion, there is limited allowance through a component called BlackBerry Balance to separate personal and business information. This is biased towards the protection of corporate data, is only available on Playbook 2.0 and enabled BlackBerry smartphones, and is optional. There are many other MDM providers, particularly for iOS devices. Examples include BoxTone, MobileIron and Good.
MAM is a strategy based on governing specific mobile applications deployed on a device, not the device itself. The functions are similar to MDM, but less intrusive on the user’s private space. Because MAM is not concerned with what is globally occurring within the mobile device, it is well adapted for a BYOD environment when property and privacy rights are to be respected.
MAM does not have all of the capabilities of MDM because it functions at the application level. This may be an issue if a company wants to enforce usage policies and device wide audits. MDM and MAM are not necessarily exclusive, and may complement one another in some workplaces, but they are quite redundant (Fass, 2012).
MAM typically controls distribution and upgrading through a distribution API or an enterprise app store. Security can be applied to individual apps through MAM whether an MDM solution is employed or not, and can protect against breaches or violations of policy. There are three basic approaches:
- Using a MAM SDK: This requires recoding apps to communicate with an administrative server, a process that requires additional resources and therefore restricts apps to corporate selections (Gruman, 2011). App updates may present additional problems, as IT will need to rebuild new versions for each distribution. This is a very customizable solution, and may be well suited to organizations that build their own custom apps. An example of an SDK solution provider is Airwatch.
- Containers: This approach requires IT to fit the app into a security “container” within the device, where all of the contents are subject to a pre-determined security paradigm, including access and encryption (Faas, 2012). Container contents can be selectively wiped by IT, when necessary. This is not very customizable, but can be simpler and easier to maintain. As an example, Accelian uses a container in its mobile management solution.
- Cloud and Middleware Solutions: Some solutions are able to work with existing apps, without changing their source code or using a container, by relying on the cloud and middleware. When data and sensitive services reside in the cloud, middleware can be employed to create device transparency for IT and solutions developers, as well as handle many security issues. This higher degree of flexibility may prove very useful when BYOT is permitted. The additional layers may prove problematic, particularly in isolating support issues. An example of a product using this approach is Apperian’s EASE product. (Editor’s Note: Float is a partner with Apperian.)
Making a Decision
In response to BYOD and BYOT conflicts, perhaps an organization would be in the position of greatest advantage to offer a stipend for mobile users to accommodate some of the mobile device costs. This is not a perfect solution and not everyone will be happy with it; however, it would allow the organization and worker to treat the mobile device as a “shared space.”
MDM is a good choice for devices that demand high security features or complete uniformity. It is also a good choice for issued devices when it need not concern itself with a user’s personal data. Quite simply, personal usage is not the organization’s responsibility; personal usage may even be against policy and MDM can help enforce this.
MAM may be a better choice in many cases. In a BYOD setting, the corporate information is still protected without compromising privacy and property rights. It is also worth considering that mobile devices free the user and allow them to perform their jobs in creative and effective ways. There are many innovation opportunities for mobile devices, and the number of apps available for mobile users is steadily increasing; excessive control can defeat this advantage (Murray, 2012). For an organization looking to leverage this advantage, an approach using containers or the cloud-and-middleware combination may be the better options.
Faas, R.. (2012) “Why Apps (Not MDM) Are The Future Of iPhone Management”. CULTOFMAC. Available online: http://www.cultofmac.com/183151/why-apps-not-mdm-are-the-future-of-iphone-management-feature/ Accessed Nov 2012.
Gruman, G.. (2011) “Mobile application management without the heavy hand” INFOWORLD. Available online: http://www.infoworld.com/d/mobile-technology/mobile-application-management-without-the-heavy-hand-770 Accessed: Nov 2012.
Miller, R.. (2012) “Ricoh CIO explains why he let 9,000 employees go BYOD”. Tales from the Cloud, CITEWORLD. Available online: http://www.citeworld.com/mobile/21026/why-richoh-lets-9000-employees-go-byod Accessed Nov 2012.
Messmer, E.. (2012) “How BYOD has changed the IT landscape”, COMPUTERWORLD. Available online: http://news.idg.no/cw/art.cfm?id=DC4AB8C1-D66A-4305-E27250F1D3B13FE9 Accessed Nov 2012.
Murray, A.. (2012) “Mobile application management (MAM) has put MDM in its place”. NETWORKWORLD. Available online: http://www.networkworld.com/news/tech/2012/060512-mam-mdm-259877.html?page=2 Accessed Nov 2012.
Violino, B.. (2012) “Forecast 2013: Setting a mobile risk management strategy”. COMPUTERWORLD. Available online: http://www.computerworld.com/s/article/9231488/Forecast_2013_Setting_a_mobile_risk_management_strategy Accessed Nov 2012.