Mobile Devices Are All Around You
More organizations than ever are confronting how to fully embrace mobile devices beyond their executive and sales teams. In a way, IT teams are being dragged into this. Many users have fully incorporated smartphones and tablets into their daily lives thanks to devices and operating systems from Apple and Google. They are choosing the personal user experience of Android and iPhone over the largely business-task-driven BlackBerry devices. They have also adopted application stores in their personal lives, blending activities like web browsing, games, and mobile payments with business uses such as corporate email. The drive to combine the personal aspects of these devices with business functions has created a need to manage and control these devices.
So why is it taking so long for schools and non-profit organizations to officially assimilate mobile devices into their organizations? There are a number of reasons, but the biggest is that most of these organizations want to drop the issue into the lap of their IT folks and have them write organizational policy on top of their IT tasks. They put the cart before the horse.
The Essentials: Start with a Strong Foundation
Regardless of your business, industry or users, there are certain basic and advanced practices that you should be following. Here are the best practices that will be covered in this series:
- Be Realistic with Your Policy
- Gain Insight into Who’s Mobile and What They’re Doing
- Cover the Basics: Passwords, Encryption, and Remote Wipe
- 1,2,3 to Good Policy
- Make it Simple to Get Up and Running
- Let End Users Take Care of Device Management
- Start Planning for Centralized Control
- Spread the Word about Your Progress
And some Advanced Practices: Build Upon Your Foundation
- Get a Grip on Usage Costs
- Automate Compliance Management
- Manage Application Restrictions and Your Own Application Storefront
- Provide a Backup & Recovery Service
1. Be Realistic with Your Policy
Policy is king... right? Your policy should:
- Support multiple device platforms
- Allow personal devices
Frankly, nearly all organizations are doing this now. They just don't know it. Odds are that you have a policy that says what your computers can and cannot do -- right? And one that says whether your staff can use personal laptops or not? Right? (Let's assume you said yes... because you should!)
You need to be doing it for your mobile devices, too! And it is far more important than you think. You probably have a lot more personal iOS, Android and Windows Mobile devices inside your organization than you think. After all, it's easy for any mobile device to integrate with mail infrastructure like Exchange using the ActiveSync functionality you turned on. It is simple for your end users to set up Exchange or Google Apps on their iPhone or Android device. Trust me, they are doing it -- and you need to support it, so you can manage it.
2. Gain Insight into Who’s Mobile and What They’re Doing
Making decisions and quantifying risks about mobile devices is hard without good data on the mobile devices in your environment. For instance, it’s not uncommon for terminated employees to still be using corporate mobile devices—but you can’t stop this unless you know about it.
With a lightweight reporting and inventory tool, you can keep tabs on how mobile devices are being used and by whom.
Make sure the solution:
- Empowers your helpdesk to troubleshoot devices
- Is accessible outside of IT. For example, your HR process needs to have access during exit interviews to turn off devices for employees when they leave the organization.
- Includes strong application inventory and search capabilities
3. Cover the Basics: Passwords, Encryption, and Remote Wipe
Be sure to do the following:
- Require a strong password of at least four characters
- Set up devices to automatically lock after 5-15 minutes of inactivity
- Configure devices to automatically wipe after a certain number of consecutive failed login attempts or if they are reported lost
- Enable device encryption
Some organizations may want to consider more protection. But before you put yourself in that category, ask yourself one question: Do we enforce this level of security on our laptops?
4. 1, 2, 3 to Good Policy
You may be worried that you’ll need a new solution to implement the first three best practices. That isn’t necessarily the case. If you have a BlackBerry Enterprise Server, then you are covered on that platform. And with Exchange or Lotus Notes, you can enforce your PIN policy and remote wipe your iPhones, iPads, and Windows Mobile devices. (Android added this Exchange-based security control in version 2.2.) And let's not forget that your Apple Mac OS X Server has a certain level of device management built into it.
Following the principles we’ve already outlined is a responsible approach that takes advantage of existing infrastructure for device and risk management. And it’s a smart one considering that you really can’t stop people in your environment from using mobile devices.
The biggest issue with this approach is that reporting is limited and not scalable—you’ll need to develop and run reports manually, and deal with the lack of a centralized view into all devices.
But taking the first step with reporting and inventorying can dramatically improve your current posture on the uber-popular iPhone and Android devices. Then you can plan a more scalable and robust management and security solution (as described in the next best practices). In the meantime, click here for our free ActiveSync reporting tool.
5. Make it Simple to Get Up and Running
Don't make IT responsible for reviewing each request for device and system access. Instead, empower users to enroll their own devices by visiting a single URL. Set up a default policy that approves the users' devices and pushes down their e-mail and your organization's Wi-Fi profiles. This will create efficiency in your technology footprint, take a burden off your IT department and make your end users a lot happier.
In addition to making the process easy for end users, simplify things for IT and create innate security on your network. For example, your policy could specify that any Android device with OS 2.2 or above is automatically granted access to corporate systems, while any Android device on an earlier OS version is automatically blocked.
6. Let End Users Take Care of Device Management
With employees relying on mobile devices to get their jobs done, you don’t want basic device management issues to get in the way of productivity. You also don’t want users calling the helpdesk with issues they can resolve themselves. Empower end users with a self-service portal that allows them to:
- Enroll their own devices
- Lock and wipe their own devices if they think they've been stolen
- Reset their own passcodes
- Locate their lost devices
...all without ever calling your IT department!
7. Think About and Plan for Centralized Control
If you have BlackBerry devices, your BlackBerry Enterprise Server is probably well entrenched, both operationally and economically. But it is not multi-platform, and a multi-platform solution is needed to support the variety of devices in your environment.
Consider these four cutting-edge best practices:
- Adopt an MDM platform that can also manage PCs and Macs as well as mobile devices. The lines between laptops, tablets, and smartphones will continue to blur in both user functionality and IT operations. A versatile MDM solution will cut down on infrastructure costs, improve operational efficiency, and create a single user view into devices and data for operations and security.
- Be sure your reporting and inventory tool consolidates both your existing devices and your multi-platform MDM solutions. You’ll rely on your data and reports daily, and you’ll want to avoid any manual processes to access your business intelligence on mobile devices.
- Take a look at cloud-based MDM services. When you account for full Total Cost of Ownership (TCO), a LAN-oriented management solution can be costly. Why use a more expensive—and wired—solution to manage remote mobile devices?
- Go the agent route with caution. If you can meet your needs with server-side management controls, all the better. Thinking long term, going agent-less is likely to save you a lot of time and effort when moving between different types of devices and platforms. An agent-based solution often requires touching devices or additional support from the IT department to make it all work.
8. Spread the Word about Your Progress
Report on and discuss your mobile device inventory and policy status—including personal devices—in your IT operations reviews. It's a good way to broaden the discussion beyond those responsible for managing devices in your environment. It's also an opportunity to raise the visibility of the benefits for your organization, as well as for future resource requirements such as needed involvement from those responsible for security and other areas of IT. Your inventory and reporting tool should make it simple to produce the reports to start conversations in these meetings.
Is It Designed for Any Environment?
The practices we've discussed so far should meet most organizations' needs. In fact, they satisfy the most stringent security and privacy regulations, such as those dictated by HIPAA, FINRA, and PCI DSS. These regulations only require, in practice, that organizations encrypt their data and are able to destroy data on a lost device. The essential practices cover that and more.
Build Upon Your Foundation with Advanced Practices
With the essentials in place, your organization is primed for an effective mobile IT operation in the near term. Now you need to determine whether or not your organization needs to go a step further with advanced practices.
9. Get a Grip on Usage Costs
You need to be able to track, monitor, and restrict network usage. After all, the costs for international data roaming can reach thousands of dollars per trip. Even domestic usage can quickly add up, so it is worth keeping an eye on it for your own sanity -- and at some point your boss is going to ask about it!
10. Automate Compliance Management
IT needs a way to automatically detect devices out of compliance with policy—and automatically respond. For example, your policy may specify that jailbroken or rooted devices are not allowed in the corporate environment and if one is detected, you will immediately revoke access to corporate systems. Ideally, the detection and revocation should happen automatically. At the same time, you want to automatically notify the user of the action being taken and what’s needed to come into compliance and regain access to corporate resources. Once the device is in compliance, access should be automatically reinstated.
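As an added illustration of practices 2, 5 and 10 (with the passcode, auto-lock and encryption checks from practice 3 folded in), here is a small compliance evaluator; it is not code from this article or from any MDM product, and the Device fields, thresholds, rule wording and inventory are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    platform: str          # "ios", "android", "windows_mobile", "blackberry"
    os_version: str        # version string as reported by the device
    passcode_length: int   # 0 means no passcode is set
    autolock_minutes: int  # 0 means the device never locks itself
    encrypted: bool
    compromised: bool      # jailbroken (iOS) or rooted (Android)
    owner_active: bool     # False once HR flags the user as departed

# Thresholds from the practices above (Android 2.2 added Exchange-based controls).
MIN_PASSCODE, MAX_AUTOLOCK, MIN_ANDROID = 4, 15, (2, 2)
def parse_version(text):  # digits only, so '2.3.4' -> (2, 3, 4) and '4.0.4-r1' -> (4, 0, 4, 1)
    return tuple(int(n) for n in re.findall(r"\d+", text))

RULES = [  # (check that fires on a violation, what the user must do to fix it)
    (lambda d: d.compromised, "restore a supported, unmodified OS build and re-enroll"),
    (lambda d: d.platform == "android" and parse_version(d.os_version) < MIN_ANDROID,
     "upgrade Android to 2.2 or later"),
    (lambda d: d.passcode_length < MIN_PASSCODE, f"set a passcode of at least {MIN_PASSCODE} characters"),
    (lambda d: not 0 < d.autolock_minutes <= MAX_AUTOLOCK, f"set auto-lock to {MAX_AUTOLOCK} minutes or less"),
    (lambda d: not d.encrypted, "enable device encryption"),
]

def violations(d):
    """Remediation steps for every rule the device currently breaks."""
    return [msg for check, msg in RULES if check(d)]

def evaluate(d):
    """Decide access for one device and compose the notification to its user."""
    if not d.owner_active:  # offboarding: revoke silently, nothing to remediate
        return {"action": "revoke", "notify": None}
    found = violations(d)
    if not found:           # compliant (again): access is reinstated automatically
        return {"action": "allow", "notify": None}
    action = "revoke" if d.compromised else "block"  # jailbroken/rooted: revoke at once
    return {"action": action, "notify": "Corporate access suspended until you: " + "; ".join(found)}

# Constructed inventory (not real devices) covering each outcome.
INVENTORY = [
    Device("ipad-001", "ios", "4.3.3", 6, 10, True, False, True),
    Device("droid-002", "android", "2.1", 4, 30, False, False, True),
    Device("iphone-003", "ios", "4.2.1", 4, 15, True, True, True),
    Device("iphone-004", "ios", "4.0", 4, 5, True, False, False),
]
```

Running `evaluate` over `INVENTORY` on each inventory refresh gives the automatic detect, respond, notify and reinstate loop the practice describes; a real deployment would replace the constructed inventory with the device records your reporting tool already collects.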
11. Manage Application Restrictions and Your Own Application Self-Service Storefront
Today, most smartphone and tablet vendors do a good job of limiting usage to certified and approved applications. Some would argue they do too good of a job restricting access. Other vendors maintain a very open policy for creating applications, with no formal process for certifying apps. That said, certain organizations or industries may need to restrict the type of application allowed on a corporate-approved device.
If you want to be proactive about it, set up your own enterprise application storefront. This allows you to present a list of approved applications and ease their delivery to mobile devices. Plus, your users will know where to go for these applications and for updates. Some MDM-solution providers can even help you deliver documents such as PDFs to devices.
12. Backup and Recovery for Devices
If any of your users work with critical and unique data beyond email, you may want to consider using a backup and recovery solution. Those using an iPhone or an iPad can rely on iTunes to take care of this. Just make sure your policies are set to force an encrypted backup. For those not using iTunes for backup, you’ll probably need to address specific use cases.
In addition to this MDM primer, I have written Mobile Device Management product overviews for four popular MDM solutions that play nicely in schools, non-profits and small businesses. Click the links below to read those overviews and decide whether one of these might be right for your organization!
JAMF Casper Suite Overview
IBM/Fiberlink Maas360 Overview
Miradore's MDM Overview (Free product)
Barracuda's MDM Overview (Free product)
Bruce has worked in educational technology for over 18 years and has implemented several 1:1/BYOD programs. He also has served as a classroom teacher in Computer Science, History and English classes. Bruce is the author of five books: Sands of Time, Towering Pines Volume One:Room 509, The Star of Christmas, Philadelphia Story: A Lance Carter Detective Novel and The Insider's Story: A Lance Carter Detective Novel. Follow Bruce's Novel releases by subscribing to his FREE newsletter!