Mobile management morphs

MDM software now goes way beyond controlling physical devices

Ask any three IT professionals what they're looking for in mobile-device management (MDM) software and you're likely to get five different answers. Customers are pushing the limits of the software -- asking it to do many more things than it was originally created to do -- and vendors are happy to oblige.

For instance, when senior enterprise engineer Jeff Roman went looking for software to manage a mix of 3,000 smartphones at construction management firm Skanska, his top three priorities were ease of use, hardware security and cost -- in that order. On the other hand, for Arun Abraham, director of network service at publisher Scholastic, the issue was asset management. "I need to know all devices that are active and polling our servers at any time," he says.

(See MDM tools: Features and functions compared.)

Julian Bond, head of information, communication and technology at U.K.-based window blinds maker Hillarys Blinds, needed to control and manage the user experience for 1,000 external sales representatives equipped with Samsung Galaxy S IIIs. This included the ability to put a "walled garden" around critical applications on each sales adviser's device and to troubleshoot issues with Bluetooth-connected receipt printers on the fly.

When Computerworld surveyed IT managers for this story, 78 percent said they are using or plan to use mobile management software for basic hardware device management, while 68 percent mentioned security and 59 percent checked mobile application management.

But many are looking for additional features in areas such as network management (33 percent) and content management (27 percent), too.

So how do IT organizations choose? By finding tools that offer the right mix of features and then carefully testing to make sure those features work as advertised, IT managers say.

These days, mobile device management tool vendors need to be all things to all people for all mobile platforms, and they're responding. [See the chart.] Eventually, analysts say, MDM software will converge with more traditional software for managing PCs and laptops, providing a single control point for managing and implementing policies across all endpoint devices.

As enterprise apps continue to expand onto mobile, users will expect a consistent experience -- and a single help desk resource that can remedy application issues, whether the app is running in the cloud, on a desktop PC or on an iPhone.

Sorting through the options

All MDM software supports the basic hardware management functions available through Android and iOS APIs, but many vendors now support extended management API sets. One example is Samsung for Enterprise (Safe), which adds features such as the ability to disable Wi-Fi and Bluetooth connectivity and to manage Bluetooth-connected devices such as printers.

Many tools also now enable automated provisioning and provide a protected space within which enterprise apps and data can reside. Many have also added network management features such as usage monitoring and reporting, and the ability to restrict downloads to Wi-Fi connections in a bid to control cellular data and roaming costs.

Vendors are differentiating in other areas as well. Symantec's mobile management suite includes anti-malware features. Citrix has re-launched its Zenprise acquisition under its XenMobile MDM brand name and enables virtualized access to the user's desktop applications through CloudGateway, which, along with XenMobile, is part of the vendor's Mobile Solutions Bundle. Finally, IBM, SAP and Symantec all offer tools for managing desktops and laptops, with consoles that enable access to both sets of management tools.

Many organizations are still looking for the right tools. Of survey respondents who said they support the use of smartphones and tablets for business use, just 45 percent said they had already deployed mobile management software, while 24 percent were either in the process of deploying or planned to deploy software within the next 12 months.

While 54 percent said the mobile management software they use meets most or all of their needs, 38 percent said it meets only some of their needs. One reason is that the tools are still maturing, says Guinn. "There are more than 50 different vendors out there and they're all fragmented. Many are acquiring features they don't have, so things are being bolted on."

What users choose -- and why

CenterBeam, a managed service provider, uses IBM's Endpoint Manager for Mobile Devices, a Tivoli product that manages servers, PCs and mobile devices for all clients' machines from a single console.

Ultimately, IT needs a product that takes a holistic view of all endpoints, says Shahin Pirooz, executive vice president, chief security officer and CTO. CenterBeam manages many different types of customer endpoint devices in 49 countries. "Unified endpoint management is the strategy. The ability for us to set custom policies consistently for fixed and mobile endpoints is huge for us. If you separate PC and mobile into silos you end up with gaps."

Ultimately, the large asset management vendors will "own this market," agrees Jim Guinn, managing director at consultancy PwC.

But the best-of-breed tools in the market remain popular because they tend to be first to market with innovative features and because most IT organizations aren't ready for an integrated approach, says Phil Redmond, an analyst with Gartner. "The majority of organizations don't manage endpoints in the same place. Only 20 percent [of Gartner's clients] are interested in managing PCs and mobile from the same group."

At Skanska, the infrastructure group manages both, but Roman says he's fine using different tools to manage Windows PCs, BlackBerries and iOS devices. He's still using BlackBerry Enterprise Server (BES) but has added AirWatch for iPhones and iPads because, he says, it was much less expensive than other options he evaluated and BlackBerry's multiplatform MDM tool, BES 10, wasn't available at the time.

At Hillarys Blinds, Bond chose SAP's Afaria primarily because its support for Samsung's extended management APIs enables his staff to control the user's Wi-Fi, camera and Bluetooth, and to manage wireless printers. But the ability to manage both mobile and desktop apps from the same console is a checklist item for the future.

"We'd prefer one tool, definitely," says Scholastic's Abraham. But today, he adds, "You must focus on what is the best platform for what you want to do."

"We have two different support groups working alongside of each other. That causes a surprising amount of grief" at Hillarys, says Bond. For example, the internal sales management app has desktop and mobile versions, but users must talk to two different groups to get the issues addressed. "As we are starting to move enterprise apps onto mobile, I'm having to rethink how I support that."

Kadlec Health Systems' CIO Dave Roach chose Good Technology's Good for Enterprise to manage 2,500 Android and iOS devices that employees bring to work. He likes Good's mature containerization technology, which isolates the healthcare provider's business applications and data within a secure container on the user's phone, and he found that the administrative user interface was easier to use than were other products tested. But now he's testing desktop virtualization to provide access to electronic medical records software, and he likes the idea of enabling virtual access to that same application on mobile devices through Citrix's mobile management suite.

Like many organizations, Kadlec still has BlackBerry users -- about 500 of them -- so his staff is evaluating BlackBerry Enterprise Service 10. The new release, launched in January, can now manage Android and iOS as well as BlackBerry devices. "Had RIM been able to support Android and iOS before, we wouldn't have looked at Good and we would have had one solution to manage," Roach says. But with the BlackBerry population shrinking, the decision is no longer a slam-dunk. "We'll have to see whether that meets all of our needs or not," he says.

Scholastic is moving off BoxTone and going with AirWatch's SaaS offering for 1,000 BlackBerries, 1,200 iPhones and 100 or so employee-owned smartphones. "BoxTone is on premises and we spent a lot of time and energy to keep it going," Abraham says. While the vendor introduced its own SaaS option last year, Abraham felt that AirWatch's implementation was more mature. "AirWatch aligns well with our cloud strategy," he says.

Advice from the trenches

When selecting an MDM product, Abraham recommends testing the quality of support and making sure the core features work as advertised. "BoxTone does a better job than AirWatch managing BlackBerries," he says. But Abraham has experienced problems with the accuracy of BoxTone's inventory screen in the recent past (a problem BoxTone says has been remedied). "Whatever you look at, ensure that it does your basics and does them well," he advises.

Containerization approaches also differ -- there are no industry standards -- so it's important to test. With BoxTone, for example, when a new app is pushed to the secure container the user has to log in to the container to find and use it, says Abraham, while with AirWatch, "It just kind of appears."

Look for tight integration with email, CenterBeam's Pirooz advises. Some MDM software can disable an account that was hacked but can't take down the user's mailbox itself, he says. One reason he likes Tivoli Endpoint Manager for Mobile Devices is that if it detects a jailbroken device, it can shut down the person's mailbox. In this way the person can't get his email from any device until he comes forward to resolve the issue.

The tools are changing quickly, so it's also important to reassess, Pirooz says. He was required to use Tivoli Endpoint Manager in his previous position at EDS and wasn't impressed. But since then IBM acquired and integrated BigFix into Tivoli. "Now it's much better," he says.

Most of the prominent MDM tools also support the creation of an enterprise app store -- a feature that IT executives say their users find helpful. Hillarys has one in-house-developed app its sales representatives can download, but its store also includes other recommended Android apps for download, including Flashlight and Tape Measure. "Rather than forcing them to go to Google Play it's easier to just point them to a corporate area with all of the apps we recommend," Bond says.

At Skanska, Roman uses AirWatch both to push out homegrown enterprise apps and to provide access to others on demand through an app store, which has both a corporate and a public apps page. Users belong to groups based on location, and each group has different policy controls that lock out or enable certain features based on the needs and regulatory restrictions in each region.

"In some places we're not allowed to have a camera active on the device. In others, management doesn't want anything but business resources on the phones so we whitelist or blacklist apps." The app store, he says, provides quick access to apps that the user knows are approved.

Limitations and disclaimers

Users can sometimes get around policy controls. For example, jailbreak detection can be defeated by jailbreak spoofing apps users can download that make it look like the device hasn't been jailbroken, says Guinn. "If technology doesn't enable them to get access to the data, there's probably two or three ways they can work around that," he says.

"Apple will not allow MDM software to password-protect a root-level MDM profile on the user's device, so any user with a little knowledge can unenroll themselves without putting in a password," says Roman. "And with Android it drives me crazy that I cannot deliver my Microsoft Exchange ActiveSync settings down to the phones without using a third-party application."

When a user is unenrolled, MDM can remove the certificate on iOS devices. "But with Android we have to do a complete device wipe or send someone from IT to unenroll them and remove the certificate manually," he says.

Neither iOS nor Android allows mobile device management software to control when users can install operating system updates, and that drives Bond nuts. "If you're putting out a trivial JavaScript app you can run it on anything you want. We have a complex, heavyweight app" that measures and designs custom-built blinds, he says. "They could release an update that breaks my application for 1,000 users."

Mobile OS update requests get pushed to users before Bond's team has a chance to test them, and while he warns users not to jump the gun, he says they're so accustomed to various updates that they tend to accept them without thinking. "The user doesn't know whether it's a big or a little update. And you can't expect people who aren't employees to exercise the same level of care," he says.

Costs versus benefits

MDM software can also be expensive. IT executives say they typically encounter prices in the range of $25 to $50 per device for a perpetual license, plus maintenance fees that can tack on another 20 percent or more per year.
