Blocking apps? There's a smarter way to manage mobile

To safeguard data, too many IT organizations use a chainsaw rather than a scalpel. Here's how you should be managing cloud storage access

Mobile management provider MobileIron recently surveyed its customers to find out what apps they block on managed user devices. In doing so, it found a sad commentary on how many companies mismanage mobile devices.

The top 10 blocked apps fall into two categories: personal (Facebook, Twitter, WhatsApp, Skype, and -- I didn't realize people still played this -- Angry Birds), and cloud storage (Box, Dropbox, Google Drive, OneDrive, and SugarSync).

IT should not be blocking either category, unless those devices are issued and paid for by the company and expressly limited to work activities. Most smartphones in the workplace are employee-owned and perhaps employer-subsidized. Except for malware and spyware, employers have no right to block personal apps on personal devices or even corporate devices for which personal use is allowed.

Managing employee productivity is not IT's job

If you're worried about employees wasting time at work, manage them based on their work performance. Do you also restrict their phone calls and coffee breaks? If so, you should block mobile phone usage during work hours, period. IT should not be in the business of managing employee performance -- that lets management avoid doing its job and penalizes employees in very unfair, counterproductive ways. IT organizations that do so reflect companies employees should avoid.

There's a smarter way to manage cloud storage apps

The prohibition against cloud storage is also a sign of bad or dumb IT, but for a different reason.

Companies have legitimate concerns about corporate data leaking to unauthorized parties, and personal cloud storage services could be such a venue. Of course, it's a rare venue, based on the public breach reports. USB drives, CDs, and missing laptops are by far the top sources of breaches, and mobile devices and cloud services almost never surface. Still, I get the concern.

The problem is that blocking personal cloud storage apps is unnecessary, and doing so means employees can't access their own data on their mobile devices. That's an invitation to employees creating workarounds IT doesn't want to encourage.

The reality is that in both iOS and Android, you can keep corporate data off personal cloud storage and keep personal data off corporate storage. Both can coexist yet be separate. That's what IT should be doing instead of blocking cloud storage apps.

I discussed several possible approaches to smart cloud storage management with the folks at MobileIron, and here's the advice we came up with:

iOS 8 and later -- used by practically every iOS device today -- let IT manage corporate email via a mobile management server so that you can prevent corporate emails from being moved to personal accounts; you can even block copy and paste. That's true within the standard Mail client, so you don't need two email apps.

Microsoft OneDrive and Google Drive (as part of Google Apps for Business or Government) do the same for their cloud storage in both iOS and Android. A user can opt for the OneDrive or Google Drive app for both personal and corporate cloud storage, with different login credentials for the personal and corporate access. If configured to do so, the apps keep the data segregated so that it can't flow between the personal and corporate accounts.

Box and Dropbox provide separate personal and corporate apps for iOS, so users would use the personal app for personal cloud access and the corporate app for corporate cloud access. Through a mobile management server, you can keep the corporate apps from sharing data to or from other apps.

iOS doesn't let you run multiple instances of the same app, which is why Box and Dropbox have to provide separate personal and corporate versions. However, Android allows multiple instances. If you use Android 5.0 Lollipop or later, you can create a separate corporate workspace on it, using either Google's Android for Work or, on some devices, Samsung's Knox. That corporate workspace is managed through a mobile management server and runs separate instances of any apps whose data you want to keep separate from personal usage.

Thus, you might run an instance of Gmail, Calendar, and Box in the corporate workspace, and let users run those same apps in separate instances in the personal workspace. In fact, they can use any apps they want on that personal workspace -- even malware and spyware. Your corporate data is safe because data can't cross the workspaces, if you configure the mobile management server that way.
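The iOS controls described above (corporate mail that can't be moved to personal accounts, corporate apps that can't share data to or from other apps) are delivered as keys in a configuration profile pushed by the mobile management server. As an added example, not from this article or from MobileIron, the following Python script audits a profile for those keys. The key names are Apple's configuration-profile keys; the sample profiles and the `com.example` identifier are constructed for illustration.

```python
import plistlib

# Restrictive values that keep corporate data separate, per payload type.
REQUIRED = {
    "com.apple.mail.managed": {"PreventMove": True, "PreventAppSheet": True},
    "com.apple.eas.account": {"PreventMove": True, "PreventAppSheet": True},
    "com.apple.applicationaccess": {
        "allowOpenFromManagedToUnmanaged": False,
        "allowOpenFromUnmanagedToManaged": False,
    },
}

def audit_profile(profile_bytes):
    """Return a list of findings; an empty list means the data is kept separate."""
    profile = plistlib.loads(profile_bytes)
    findings, seen = [], set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in REQUIRED:
            continue
        seen.add(ptype)
        for key, wanted in REQUIRED[ptype].items():
            # A missing key falls back to the permissive default.
            if payload.get(key, not wanted) is not wanted:
                findings.append(f"{ptype}: {key} should be {wanted}")
    if "com.apple.applicationaccess" not in seen:
        findings.append("no restrictions payload: managed open-in is not enforced")
    return findings

def build_profile(payloads):
    """Serialize a constructed sample profile (not from a real deployment)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.corp.profile",  # placeholder
        "PayloadContent": payloads,
    })

# Constructed samples: one that leaves every default in place, one hardened.
WEAK = build_profile([{"PayloadType": "com.apple.eas.account"},
                      {"PayloadType": "com.apple.applicationaccess"}])
HARDENED = build_profile([
    {"PayloadType": "com.apple.eas.account",
     "PreventMove": True, "PreventAppSheet": True},
    {"PayloadType": "com.apple.applicationaccess",
     "allowOpenFromManagedToUnmanaged": False,
     "allowOpenFromUnmanagedToManaged": False},
])

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(blob) or "OK")
```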

As you can see, there's no need to block cloud storage apps on employees' mobile devices. There is a need to manage the data and apps on those devices, but much better tools than blanket blocking can do that. Use a scalpel, not a chainsaw.

Copyright © 2015 IDG Communications, Inc.