It's conference season, and enterprise mobility remains a big draw. But I'm surprised by how, for several years now, the IT issues at these conferences haven't changed.
Never mind that the iPhone and Android are eight years old, and the iPad is five years old, all common in today's enterprises -- they're the same questions over and over again, with the same mix of vendor FUD and good advice from expert panelists like Benjamin Robbins, Steve Damadeo, Brian Katz, Bob Egan, Maribel Lopez, and me. The core questions have been settled for some time, yet they keep getting asked.
In the interest of getting enterprises to move from the past to the present, so they can then focus on the future, here are the mobility questions you can stop asking. Instead, adopt them as the known best practices.
1. Do I do BYOD or COPE?
Many organizations remain obsessed with the question of supporting bring-your-own devices (BYOD) versus issuing corporate devices to which employees can add at least some personal apps and data (COPE, or corporate owned, personally enabled).
The answer is yes. Issue devices to employees for whom a smartphone or tablet is part of their required technology portfolio and pay the data charges. With employees for whom the use of personal devices enhances their business performance but is not strictly required, let them bring their own devices -- meaning devices that conform to your security requirements and employees consent to your managing.
The truth is that too many execs see BYOD as a way to make employees pay for business technology, so they contort themselves to make BYOD the standard. At the same time, too many IT organizations freak out about "alien" devices they cannot control up the wazoo. Both reactions come from bad motivations, not from issues of business value.
It may be that your industry has a reason to favor BYOD over COPE, or vice versa, usually for proving your level of compliance on various regulations or for reasons of asset management. A law firm is more likely to insist that its lawyers use only corporate-owned devices to leave no doubt as to the ownership and source of control, whereas a publisher or university is likely to be more flexible about device ownership given the more porous nature of what many staff members do.
There are edge cases that might require a draconian approach: A government agency might forbid both BYOD and COPE, so as not to get bad press around employees wasting time on the job, instead issuing highly limited devices for work-only use.
This is not a technical issue but a risk-management one, with the risk being not so much about data security (your management policies should handle that issue regardless of BYOD or COPE) but about reputational risk and legal comfort.
2. Do I need EAS, MDM, MAM, or EMM?
This is the question vendors want you to ask, because it gets you thinking about the issue in terms of products rather than policy. Start instead with the policy questions: What do I need to protect, and which users does that affect, in what circumstances? The answers tell you which security and management products you need, as well as which ones work in employees' favor.
Here's the framework of how the various options address your actual needs:
Exchange ActiveSync (EAS) is the baseline security method that every company should use at a minimum. Its policies enforce the use of encryption and passwords, and it allows you to remotely lock or wipe a device that is lost or stolen. iOS 6 and later, Android 3 and later, Windows Phone 8 and later, and BlackBerry 10 support the core policies. Support for the more specific EAS policies, such as disabling the camera, varies from mobile OS to mobile OS.
Mobile device management (MDM) has evolved over the years, so the top providers -- such as Citrix Systems, Good Technology, MobileIron, IBM, and VMware -- long ago moved beyond managing only the device and now provide ways to manage apps and, in some cases, content. If you have legitimate needs to control which apps users can have, to manage VPN settings, to impose standard configurations, and to disable features like copy and paste or cloud access, these tools have you covered.
Be aware that their specific capabilities beyond the core differ, so you should do a deep assessment of candidates to find the best fit. All the major providers support the core APIs provided by Apple's iOS and Google's Android, and an increasing number are supporting those in Windows Phone. Some also support Apple's APIs for Macs (they're based on the iOS APIs).
Many support additional content controls for apps that use the MDM vendors' proprietary APIs, but that approach ties you to specific apps and MDM servers. It's a big investment that can also limit your ability to get strong value from mobile usage.
Mobile application management (MAM) used to be a separate category of management tools to manage access to apps and their content. It's been subsumed into MDM tools from the major providers. Unless you have an MDM tool that doesn't offer the app management controls you need, a separate MAM tool doesn't make a lot of sense today.
Enterprise mobility management (EMM) is a marketing term, nothing more. I call it "expensive mobility management" because the term arose from vendors seeking to convince IT pros they needed more than "simple" MDM, by offering a large portfolio of bells and whistles that are largely unnecessary but appeal to IT's control instincts.
Focus on your needs, not the label.
3. Should I set up an internal app store?
The short answer is probably not. Yes, having an internal Web page that links to recommended iOS and Android apps from their respective app stores is a good idea. If you want to call that your app store, fine.
But running your own actual app store through an independent third-party tool is overkill. After all, you can manage app distribution with the business app store that Apple provides to companies via its Volume Purchase Program (VPP), which lets you buy app licenses in bulk and manage their distribution, as well as distribute your homegrown apps. Google offers a similar capability for its Play Store, called private channel. Why reinvent the wheel?
If your goal is to configure devices used by employees (regardless of who owns them) so that specific apps are installed, updated, and managed for users in specific workgroups, you can do so via your MDM server, which uses the Apple and Google APIs to the VPP and the Google Play private channel, respectively. This capability is available in the better MDM tools.
MDM tools also let you blacklist or whitelist specific apps, so you can prevent users from installing known bad apps from the public Apple and Google app stores.
4. How do I keep mobile devices from leaking my corporate data?
This question is based on a pervasive but very false premise: that smartphones and tablets are a major vector for data leakage. They are not, as you can easily see by checking the public breach report databases. Stolen laptops and misplaced USB drives are the major vectors, while mobile devices almost never show up as a breach vector.
If you fear data leakage and believe the best approach to combating it is to target the device, then you should ban Windows PCs, remove their Internet connections, or at least bind them with encryption, app management, and content management tools. PCs are where that sensitive data is, and (shock!) PCs are the devices most targeted by hackers and data thieves.
Very few organizations apply the kinds of controls to PCs that they want to apply to mobile devices, which has to make you ask if those controls are truly necessary. Also, if they are, why aren't they on your PCs, too?
However you answer that question, it takes very little to enforce encryption and password usage -- the key protections for lost or stolen mobile devices -- on smartphones and tablets. Set it up in EAS or MDM policies, and you've all but eliminated the data loss risk from mobile devices.
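As an added example (not from the original article) of the EAS baseline described in question 2 and relied on here, the following Exchange Management Shell session creates a policy that requires encryption and a passcode, assigns it, verifies that devices actually applied it, and wipes a lost device. The policy name, mailbox address and device model used for lookup are constructed placeholders.

```powershell
# Added example of an Exchange ActiveSync baseline policy: the protections the
# article calls the minimum (encryption, password, remote wipe). Cmdlets are the
# Exchange Management Shell ones for Exchange 2013 and later; the policy name,
# mailbox and device model below are constructed placeholders.

# 1. Create the policy. Encryption and a passcode are mandatory, and devices that
#    cannot accept the policy (non-provisionable) are refused rather than let in.
New-MobileDeviceMailboxPolicy -Name "Baseline-Mobile" `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -IsDefault $true

# 2. Assign it explicitly to an existing mailbox (IsDefault covers new mailboxes).
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy "Baseline-Mobile"

# 3. Verify which devices acknowledged the policy. DevicePolicyApplicationStatus
#    of AppliedInFull means the device enforced it; anything else is a gap to chase,
#    which is how "support varies from OS to OS" shows up in practice.
Get-MobileDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceModel, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# 4. Lost or stolen device: issue a remote wipe and get e-mail confirmation.
#    The wipe takes effect the next time the device syncs, so it does not
#    substitute for the encryption and passcode enforced in step 1.
$lost = Get-MobileDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceModel -eq "iPad" } |
    Select-Object -First 1
Clear-MobileDevice -Identity $lost.Identity -NotificationEmailAddresses "alice@example.com"
```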
But what about leakage through iCloud, OneDrive, Dropbox, Box, or Google Drive, not to mention personal email? Well, if you think that only mobile devices use these services, you're naive. Mobile devices are one conduit among many, and clogging one pipe doesn't stem the unwanted flow of information -- it simply moves it to another pipe.
The right approach is to manage data access at the source, not the endpoint. Think access permissions first; if a person can't be trusted on a smartphone, he or she can't be trusted on a PC, either.
The good news about mobile: There's real thinking going on about managing data, so mobile is pioneering safer data practices that, if we're lucky, will find their way into PCs, too.
5. How should I protect against viruses?
Don't use Windows PCs. That may sound flippant, but that's the truth if you're really concerned about malware like viruses.
Even more so than OS X, iOS is highly immune to malware, so the number of exploits has been very small.
Android is not immune, given its Windows-like file architecture, so researchers keep finding malware targeting it (mainly from fake and adware apps in the Google Play Store and, outside the West, from non-Google app stores). Yet it appears that very little malware actually is running in the Android wilds, so the true threat -- versus the potential threat -- is highly exaggerated in IT and vendor discussions.
The minuscule usage of Windows Phone means that malware hasn't targeted that platform. Ditto for BlackBerry.
There's a theme: Vendors prey on your Windows malware experiences to suggest that everything is as threatened as the PC. It's not. Malware should be a concern on Android, but no reason for panic.
The real issue for IT is whether Android antimalware apps actually protect you -- and the answer is that they are more an alerting mechanism than a remediation mechanism. It's better to disable access from devices that have sideloading or rooting enabled and to focus on the data access rights of Android users, to control what could be at risk from malware.
Move on to the question that really matters
The truth is that mobile devices are safer to use than PCs (just as cloud services are probably safer than your data center), so figure out how to make PCs as secure as mobile devices and how to protect data wherever it may happen to be.
Then ask the question that really matters: How do you get the most value from the use of mobile technology in your business?