Saying yes to smartphones: Securing the needs of Category 1 businesses for routine information
If your business deals with routine information, it's pretty easy to embrace smartphones beyond the BlackBerry.
Apple iPhone. The iPhone supports the PIN requirement for this category, as well as all the good-to-have options. (Note that email encryption is handled through in-device encryption, but just for the iPhone 3G S, third-generation iPod Touch, and iPad.) SSL encryption of messages in transit is a native capability of the iPhone OS.
Enforcing these requirements and options is the issue at hand. If you can't trust users to enable them themselves, you can opt for the free iPhone Configuration Utility to set up the security policy profiles. But to ensure employees actually install the profiles, you have to manually sync them via a USB cable to your PC. If you trust your staff, you can send them the profiles or have them install the profiles from a Web link. (The forthcoming iPhone OS 4.0 will let third-party tools install such profiles.)
If you use Microsoft Exchange 2007, you can enforce PIN and password-expiration requirements using EAS policies. You can also issue a remote-wipe command via EAS. (To see which EAS policies the iPhone and other devices support, read "How to avoid the smartphone Exchange policy lie.") If you need to manage the other capabilities using an over-the-air tool that also tracks deployments, neither of which the iPhone Configuration Utility can do, you might consider the profile validation, device locking, and access control capabilities of mobile management tools from Good Technology, MobileIron, and Zenprise. You can also use Sybase's Afaria to deploy iPhone Configuration Utility profiles to the iPhone over the air.
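As an added illustration (not part of the original article), here is how the PIN, password-expiration, and remote-wipe controls described above look in the Exchange 2007 Management Shell. The policy name, mailbox alias, device ID, and all numeric values are placeholders chosen for this example.

```powershell
# Added example, not from the original article.
# Run in the Exchange Management Shell on an Exchange 2007 server.
# All names and values below are placeholders (assumptions for illustration).
$policyName   = 'Category1-Smartphones'
$mailbox      = 'jdoe'
$lostDeviceId = 'PLACEHOLDER-DEVICE-ID'

# 1. Create an EAS policy that requires a device PIN and expires it.
#    AllowNonProvisionableDevices $false refuses sync to any client that
#    cannot apply the policy, so the requirement cannot be skipped.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 4 `
    -DevicePasswordExpiration '90.00:00:00' `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a user's mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. List the devices that have synced with that mailbox.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Format-Table DeviceID, DeviceType, LastSuccessSync -AutoSize

# 4. Issue a remote wipe to one lost device, selected by its device ID.
#    The wipe is delivered the next time the device contacts the server.
$lost = $devices | Where-Object { $_.DeviceID -eq $lostDeviceId }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm
} else {
    Write-Warning "No device with ID $lostDeviceId found for $mailbox."
}
```

Rerunning Get-ActiveSyncDeviceStatistics after the device's next sync shows whether the wipe was acknowledged.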
Lotus Notes-based organizations can password-protect email access by combining Domino 8.5.1 or higher with the free Lotus Notes Traveler app available at the iTunes App Store. Notes Traveler also provides remote wipe of email, calendar, and contact data. But Domino/Notes can't enforce devicewide policies on the iPhone, just on Notes access. If such enforcement is critical, you might consider the profile validation, device locking, and access control capabilities provided by Good Technology's mobile management tool.
If you use Novell GroupWise or Google corporate Gmail, you're restricted to Webmail access and have no ability to manage or secure the iPhone, even with third-party mobile management tools.
Google Android. Android devices can be set to require a PIN or custom swipe pattern before they can be accessed, but there is no way to require the use of these security measures from a server. Android also does not support most of the good-to-have security options for this category, because the operating system does not provide services such as encryption.
So far, there are only two options for even minimally secure Android usage. One is NitroDesk's TouchDown app, which provides Exchange 2003 and 2007 access and lets you enforce EAS PIN requirements and enable EAS remote wipe. Each user would need to install this app. It's critical to note that Android phones that claim Exchange compatibility, such as the Motorola Droid and HTC Droid Eris, do not support EAS policies natively, just unsecured Exchange synchronization. Thus, their built-in mail clients won't connect to an Exchange server that uses EAS policies.
The other option is to deploy the Good for Android app, which provides email, calendar, and contact access to both Exchange and Notes servers. The app can require a password, encrypt the messages and other data, and remotely wipe the messages and other information stored within the app. Of course, using it requires having a Good for Enterprise server in place.
IBM is working on a version of its Lotus Notes Traveler app for Android; when that is released, it will let you secure access to Notes and to data pulled in from Notes, as well as remote-wipe that data.
Microsoft Windows Mobile. Windows Mobile supports this category's PIN requirement and the good-to-have options. You can enforce most of them using Microsoft Exchange and its EAS policies; SSL encryption of messages in transit is a native capability of the Windows Mobile operating system.
If you use Lotus Notes with Domino 8.5.1 or later, you can use the free Lotus Notes Traveler app to remote-wipe Notes email, calendar, and contact data. But Domino/Notes can't enforce any devicewide policies on the iPhone, just on Notes access.
If you use Novell GroupWise, you're stuck with the Mobile Server product, which uses the Nokia IntelliSync technology (discontinued in late 2008) rather than EAS to manage devices; that means each device needs to have an IntelliSync client installed, though Novell is no longer providing the client. Effectively, this limits GroupWise to older Windows Mobile (5.0 and 2003) devices. As noted earlier, Novell is beta-testing an EAS-based replacement for Mobile Server, which it expects to ship by 2011.
Nokia Symbian. Many Nokia devices support this category's PIN requirement, as well as the good-to-have options.
For Exchange users, Nokia supports the full set of EAS policies and management capabilities. For Notes users, IBM offers the Lotus Notes Traveler application to secure Notes email, calendars, and contacts, and to remote-wipe that data. If you want to manage Nokia devices, the Good for Enterprise server bundle can do the trick for some models such as the S60, if you're using Exchange or Notes/Domino.
For Novell GroupWise, you're limited to older devices that use the discontinued Nokia IntelliSync technology, which also requires you to have GroupWise Mobile Server in place.
Palm Pre. WebOS supports this category's PIN requirement and in-transit message encryption. If you use Exchange, you can also issue more complex password requirements via EAS policies and remote-wipe the device.
Note that the WebOS does not support one good-to-have security option for this category: on-device encryption. If that's critical, you can use the Good for WebOS app, which provides email, calendar, and contact access to both Exchange and Notes servers. The app can require a password, encrypt messages and other data, and remote-wipe messages and other data stored within the app. Of course, using it requires having a Good for Enterprise server in place.
RIM BlackBerry. The BlackBerry supports this category's PIN requirement and all the good-to-have options -- if you use the BES or BES Express servers in addition to your Exchange, Notes, or GroupWise server. The new free BES Express server software makes BlackBerry management a viable option for small businesses that use Microsoft Exchange. Without BES, the BlackBerry can have a PIN set on the device itself and can encrypt in-transit messages.
If you run Microsoft Exchange and want to use its EAS policies instead of relying on BES (such as if you support other smartphones in addition to BlackBerrys), there are third-party tools that let the BlackBerry support EAS, including AstraSync and NotifySync.