Not only is the deterministic approach simply more feasible in practice, the notion of remediation if you break a policy (like using the camera where you're not supposed to) is more acceptable to users, says Jesse Lindeman, product manager at MDM provider MobileIron. It also helps IT, he says: "It lets IT manage the exceptions, not the endless details."
But even a deterministic approach has a fundamental weakness, Lindeman says: The device has to be managed by the MDM tool in order to apply the policies to it, whether based on context or not. A company that has an MDM tool that turns off mobile devices' cameras based on user location is easily spied on by a user who brings in a digital camera or simply a smartphone not known to the MDM tool; the same can be said of a smartphone known to the MDM but with the radios turned off to avoid detection. "A security guard who collects these devices before you enter the building is probably both cheaper and more effective," he says.
The back end is where the action needs to be
Lindeman says that for contextual MDM to have a strong chance of being effective, it must be more integrated with the back end. For example, wireless access points need to detect guest devices and block services to that device until the person authenticates by logging in (thus making the device manageable). Likewise, the network should watch traffic patterns: Where is the mobile device sending information? What services is it accessing in the network? Do those match the user's rights? That's a more proactive use of wireless LANs than most companies have today.
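The back-end check sketched above, as an added example that is not from the article or from any MDM vendor: a small evaluator that takes wireless-controller flow records, looks each device up in an MDM inventory, and decides whether the traffic is allowed, whether the device must enroll first, or whether it is reaching a service outside its user's role. It goes one step beyond the text by also flagging an enrolled device that shows up under a different user than its MDM owner. The log lines, MAC addresses, users, services and rights tables are all constructed for illustration.

```python
"""Added example: flow records checked against MDM enrollment and role rights.
All inventory, rights tables and log lines here are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed flow records as a wireless controller might log them:
# device MAC, authenticated user (empty for guest/unauthenticated access),
# destination host and the service name seen by the access point.
FLOW_LOG = """\
2011-08-01T09:02:11 mac=AA:BB:CC:00:00:01 user=alice dst=fileserver.corp svc=smb
2011-08-01T09:02:13 mac=AA:BB:CC:00:00:01 user=alice dst=mail.corp svc=activesync
2011-08-01T09:03:40 mac=AA:BB:CC:00:00:02 user=bob dst=finance-db.corp svc=sql
2011-08-01T09:04:02 mac=AA:BB:CC:00:00:03 user= dst=fileserver.corp svc=smb
2011-08-01T09:04:09 mac=AA:BB:CC:00:00:03 user= dst=portal.corp svc=enroll
"""

# Constructed MDM inventory: enrolled device -> the user it was enrolled for.
ENROLLED: Dict[str, str] = {
    "AA:BB:CC:00:00:01": "alice",
    "AA:BB:CC:00:00:02": "bob",
}

# Constructed role assignments and per-role service rights. In a real
# deployment these would come from a directory group, as the article notes.
USER_ROLE: Dict[str, str] = {"alice": "engineer", "bob": "contractor"}
ROLE_RIGHTS: Dict[str, set] = {
    "engineer": {"smb", "activesync", "sql"},
    "contractor": {"activesync"},
}
# The only service an unmanaged device may reach: the enrollment portal.
PRE_ENROLLMENT_SERVICES = {"enroll"}


@dataclass(frozen=True)
class Finding:
    mac: str
    user: Optional[str]
    service: str
    # one of: allow, enroll_required, role_violation, untrusted_identity
    verdict: str


def parse_flow(line: str) -> dict:
    """Parse one 'key=value' flow record; an empty user becomes None."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    fields["user"] = fields.get("user") or None
    return fields


def evaluate_flow(rec: dict) -> Finding:
    """Decide whether a single flow is consistent with enrollment and role."""
    mac, user, svc = rec["mac"], rec["user"], rec["svc"]
    owner = ENROLLED.get(mac)
    if owner is None:
        # Unknown device: block everything except the enrollment portal.
        verdict = "allow" if svc in PRE_ENROLLMENT_SERVICES else "enroll_required"
    elif user != owner:
        # Enrolled device presenting an identity other than its MDM owner.
        verdict = "untrusted_identity"
    elif svc in ROLE_RIGHTS.get(USER_ROLE.get(user, ""), set()):
        verdict = "allow"
    else:
        # Managed device, known user, but the service is outside the role.
        verdict = "role_violation"
    return Finding(mac, user, svc, verdict)


def evaluate_log(log: str) -> List[Finding]:
    return [evaluate_flow(parse_flow(l)) for l in log.splitlines() if l.strip()]


def violations(log: str) -> List[Finding]:
    return [f for f in evaluate_log(log) if f.verdict != "allow"]


if __name__ == "__main__":
    for f in violations(FLOW_LOG):
        print(f"{f.verdict:18} {f.mac} user={f.user} svc={f.service}")
```

Run against the constructed log it reports two findings: bob's contractor role does not include SQL access to the finance database, and the unknown third device reached the file server before enrolling. The "untrusted_identity" branch is the piece the article does not spell out but a back-end integration makes cheap: once the access point, the directory and the MDM inventory agree on who owns which device, a mismatch between the two is itself a signal worth acting on.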
Ironically, where MDM today does integrate with the back end is through Microsoft Exchange, using Exchange ActiveSync policies and tapping into Active Directory for user role information to help determine appropriate policy sets. Apple has picked up that notion in Mac OS X Lion Server's new Profile Manager. Of course, BlackBerry Enterprise Server (BES) has been doing that for years, using its own protocols.
But Exchange is essentially an edge server, with little or no role in other data management, network management, and user management systems. Thus, the context available to MDM tools today is partial at best. Tchakmakjian, Lindeman, and Datoo all see that as a legacy of where mobile began a decade ago: with the BlackBerry essentially as a communications tool. When the iPhone redefined mobile devices as a new form of computing, the mail server remained mobile devices' primary conduit to enterprise systems.
It's clear that this is all changing at several levels -- Microsoft's and Apple's extended support for mobile devices in their server OSes, mobile savviness being added to network management tools such as those from Aruba Systems, and the increasing back-end integration efforts by MDM vendors. Coupled with smart approaches to context detection and policy application, contextual MDM could really happen in a way that reflects the vision. But give it a few years.
This article, "Contextual mobile management: How real is the promise?," by Galen Gruman was originally published at InfoWorld.com.