This is the fifteenth post in my series on BYOD. I have mostly avoided talking about technology, as in many ways that is the least important, and the most straightforward aspect of dealing with BYOD. Most people automatically think of Mobile Device Management (MDM) when they think of mobile or BYOD technology, but that is far from the only viable solution. Here I’ll outline the key technology solutions that are available to help you deliver usable and effective BYOD to your organisation.
Messaging Sync
These products synchronise email, calendar and contact information between a centralised email system (such as MS Exchange) and the mobile devices’ native applications. They also typically provide limited or basic policy enforcement functionality, e.g. password length and complexity. Policy enforcement support is based on the functionality of the sync product and the underlying capabilities of the device OS.
The best known of these products is Microsoft Exchange ActiveSync.
Pros
- You’ve probably already paid for it if you have MS Exchange.
Cons
- No separation of personal from work data.
- Often limited policy enforcement and monitoring capability.
Mobile Device Management (MDM)
MDM products are probably the ones that most immediately come to mind when people talk about mobility and BYOD. However, in my view they are very limited in their ability to address the problems that we face in these areas. MDM products typically use an agent on the device that communicates with a back-end management application. Policies are defined within the management application; the agent then enforces those policies, monitors the device’s compliance with them and may trigger actions based on the level of compliance, ranging from notifying an administrator through to disabling the device. The policies available to an MDM application are usually more complex than those supported by a messaging sync application. Typically these applications can also remotely lock or wipe devices, and track location. MDM apps can usually deploy applications to mobile devices. In addition they often include a form of app store for user-selected apps.
A caution I give to everyone investigating the procurement of MDM products is that the smartphone and tablet market is evolving so quickly that I think that many of the MDM features will become absorbed into the core platforms or will become obsolete as better solutions evolve. I therefore recommend purchasing MDM products as a service rather than buying licenses and managing them internally. Most vendors offer their product as a service either directly or through resellers.
Pros
- Extensive policy enforcement.
- Additional controls are usually included.
- Provide one platform for managing all smartphones and tablet devices.
Cons
- No separation of personal from work data.
- Additional cost.
- Likely to be superseded by changes in the hardware/OS space.
Secure Container
A secure container is an application resident on the device which is managed separately from the device itself. The container is itself encrypted, and it encrypts all of the data in the container separately from any device encryption, as well as preventing data from being moved outside of the container. The container usually has an encrypted connection back to the enterprise, and can in many ways be treated as an extension of the organisation onto the device. The container usually contains other applications as well as organisation data. For example, some containers include an email client or document editing functionality as well as document storing and viewing capabilities. Security policies can be set for the container independently of any on the device. This allows the container to be managed even when the device is not, and allows a strict separation between a personal device and the corporate information on it. In many cases the container can be remotely wiped or removed without touching the rest of the device.
Good Technology pioneered the secure container concept, but recently many other vendors have released their own versions. Most MDM vendors are moving to create a secure container offering either as part of their MDM offering or to complement it.
Pros
- Separation of personal from work data.
- Often includes additional applications and functionality.
- Allows you to move away from managing the device.
- Provide one platform for delivering to all smartphones and tablet devices.
Cons
- Additional cost – can be significantly more if it requires MDM as well.
Corporate App Store
We are all familiar with Apple’s App Store (aren’t we?). A corporate app store mimics the functionality of that app store – it allows delivery of corporate-provided, sanctioned or purchased apps to users or devices that are authorised to use them. To do this, it needs to incorporate functionality to deploy apps to devices, to authenticate users and/or devices, and to restrict or make available those apps that they are authorised to use. Many app stores also include functionality to meter usage and account for license consumption, as well as manage the approvals necessary to authorise use or deployment of an app (e.g. in the case of an app that has an associated cost it may require line manager approval). Corporate app stores may be provided by the major OS vendors, as part of an overall MDM solution, or by 3rd party vendors (e.g. VMware’s Horizon App Manager). Some app stores are for mobile devices only (especially those that are part of an MDM product), and some cater to multiple form factors. I am strongly in favour of application stores as I think that they increase the ability of people to perform self-service, thus increasing their control and responsibility while reducing the cost of serving them.
Pros
- Can improve user control and buy-in through giving them choice.
- Can reduce the cost of servicing users and devices.
Cons
- Can fragment your app delivery if you go for a mobile-only app store.
Virtual Phone
The virtual phone is a simulated phone, run in software on another smartphone, just as a virtual server is a server (including OS) running in software on a physical server. The virtual phone is isolated from the real phone, has its own phone number and can therefore be regarded in many ways as a separate device. Given this, it is little wonder that this approach is being championed by VMware. As Apple will never allow a hypervisor to run on their devices, this will never be available for iPhones and therefore I think this is a dead-end, but good on them for trying.
As far as I know the only vendor offering this technology is VMware.
Pros
- Gives a separate number on one device.
Cons
- Requires hardware support.
- Requires service provider support.
- Therefore a virtual phone is only supported on a small number of possible handsets.
- Will never happen on iOS.
- Not a solution for tablets.
File Distribution
One of the key uses of smart devices (especially tablets) is as a platform for consuming content – specifically reading documents so you don’t have to print them out and carry them. File distribution applications automate the delivery of documents and other files to mobile devices. They are often combined with a secure container or include secure container functionality. For instance Accellion and Diligent Boardbooks are file distribution products that incorporate secure containers. Other secure container products incorporate file distribution as one of the “contained” services.
Pros
- A key use case for mobile devices – you had better have it!
- Significantly improves security by offering an alternative to storing files on the device.
Cons
- Can fragment management and services if offered separately from other tools.
- Can be costly if purchased separately.
Data Loss Prevention
Data Loss Prevention (DLP) products act as gatekeepers at the borders of an organisation’s data. Based on policies, they determine whether a piece of data (such as an email, an attachment or a file) can “leave” the organisation’s boundaries (however those might be defined). For example, a DLP product might check every outgoing email to see whether it contains specific terms. If the email does, then it will not be delivered to an external recipient. Rules can prevent the exit of emails which include data patterns (such as credit card numbers or unique identifiers) or types of attachment (e.g. Excel files) as well as specific terms. In addition, some products can impose controls on people within an organisation checking their email. For instance, they might not allow you to see sensitive emails, or download sensitive attachments, when accessing email from particular channels such as webmail or a mobile device. They can be built into other products (such as email or MDM products) or can be standalone products. In my opinion DLP products are the most overlooked and underrated tool in the BYOD/mobility toolbox.
DLP products are available from typical security vendors as well as being part of Microsoft Exchange Enterprise (for email). MobileIron offer a mobile specific form of DLP.
Pros
- Can help stop embarrassing data leaks.
- Add additional controls over and above those available from other mobility toolsets.
Cons
- Poorly implemented rules can negatively impact the user experience of BYOD.
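As an added illustration (not code from this post or from any DLP vendor), the Python sketch below evaluates the three kinds of rule described above: specific terms, a data pattern (card numbers, with a Luhn check so that arbitrary 16-digit references are not blocked, the kind of false positive that hurts the user experience) and attachment types, and then applies the channel restriction for sensitive mail read over webmail or on a mobile device. The organisation domain, the policy terms and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"                 # assumed organisation domain
SENSITIVE_TERMS = ("project falcon", "board confidential")  # assumed policy terms
BLOCKED_ATTACHMENT_EXT = (".xls", ".xlsx")        # the post's example: Excel files
RESTRICTED_CHANNELS = ("webmail", "mobile")       # the post's example channels
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate card numbers

@dataclass
class Email:
    """Constructed message record, not a real mail object."""
    recipient: str
    body: str
    attachments: list = field(default_factory=list)
    channel: str = "desktop"   # desktop, webmail or mobile

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_violations(mail: Email) -> list:
    """Return the rules a message trips; an empty list means it is clean."""
    hits = []
    lowered = mail.body.lower()
    hits += [f"term:{t}" for t in SENSITIVE_TERMS if t in lowered]
    for m in CARD_RE.finditer(mail.body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("pattern:card-number")
            break
    hits += [f"attachment:{a}" for a in mail.attachments
             if a.lower().endswith(BLOCKED_ATTACHMENT_EXT)]
    return hits

def decide(mail: Email) -> str:
    """deliver / block (leaving the organisation) / hide (sensitive, restricted channel)."""
    hits = find_violations(mail)
    if not hits:
        return "deliver"
    if not mail.recipient.lower().endswith("@" + INTERNAL_DOMAIN):
        return "block"          # would leave the boundary: do not deliver externally
    if mail.channel in RESTRICTED_CHANNELS:
        return "hide"           # internal but read from a restricted channel
    return "deliver"
```

The same message can therefore be delivered on a desktop client yet hidden on a phone, which is the per-channel behaviour described above.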
Virtual Desktops
Virtual desktops are a way of delivering traditional desktop (usually Windows) applications to any device. The mobile device runs a virtual desktop client, which connects to a virtual desktop being run in a data centre somewhere. Virtual desktops are a great tool to give people access to traditional applications when they are connected. However, they are not a solution to BYOD. The reason I bought an iPad in the first place was to get away from Windows machines and their applications, so I am unlikely to be thrilled if giving me a virtual one is your way of allowing me to work on my own device. In addition, they only work while I am online, whereas true mobile working should be available online or offline. If viewed as a way of giving me access to some specific applications that complements other BYOD tools and services, then virtual desktops are a great option to have.
Pros
- Easy to deliver if you are already running virtual desktops.
- Can deliver applications that cannot be delivered to mobile devices any other way.
Cons
- Don’t deliver a native device experience.
- Almost unusable on smaller form factors (e.g. smartphones).
There are a range of different technologies out there to help you deliver BYOD and mobility. Mobile Device Management is not the only option, and in fact for many organisations is unnecessary. A complete BYOD solution is likely to involve a range of different technologies targeting different uses and users. Think carefully about what needs you are addressing and how you will address them – some may not require a technology solution at all.