Organizations may be tempted to focus chiefly on smartphones, tablets and laptops when creating policies and guidelines for managing mobile devices. But the best MDM policies go significantly further than that, according to experts.
In addition to looking at the devices themselves, companies developing mobile device management (MDM) policies should be thinking about several other factors including security, authentication and encryption, said Philippe Winthrop, managing director of The Enterprise Mobility Foundation, a Boston-based organization that helps organizations implement mobility policy.
Companies should also take the time to create a comprehensive mobile application management (MAM) strategy, Winthrop said. MAM strategies cover which applications to use, when to push out updates to the user base, how applications are accessed and analytics requirements.
Winthrop said the increasingly common use of the phrase mobile device management has led organizations to forget about the big mobility picture, which includes more than just devices. "It's a common misnomer when so many vendors [talk about] device management," Winthrop said. "What they mean is [more comprehensive] enterprise mobility management."
Develop an effective MAM strategy
When creating a mobile applications strategy and policies, organizations need to be very clear as to whether they'll be building the required apps internally, deploying ready-made applications like those found in Apple's App Store, or using some combination of both approaches, Winthrop said.
For more on mobile device management
Read about the development of the Sybase Unwired Platform ecosystem
Learn more about SAP's roadmap for mobile, cloud and in-memory technology
Read more about Oracle's mobile development roadmap
Companies should also look at deploying analytics applications that allow them to see who is using the apps and how often, Winthrop added. This helps companies decide if the apps are actually useful to end users and whether they should be updated or removed from devices.
"You need to make sure, depending on the app itself, that you're pushing it to the right target audience within the organization," he said.
Companies also need to develop and enforce clear policies around password protection and encryption, said Stacy Crook, a senior enterprise mobility analyst at IDC Corp., a Framingham, Mass.-based IT research firm. Such policies can range from requiring the user to input a password before logging into the application to encrypting actual data being sent to smartphones and other mobile devices.
"Authentication is very important to make sure the person who is accessing the information is the person who should be accessing it," she said.
Geofencing worth considering
Enterprises may also want to look at geofencing, a software feature that uses Global Positioning System (GPS) technology to define geographical boundaries for individual mobile applications. With geofencing, companies can set specific boundaries that show where applications and data can be used and where they're off limits, Crook said.
With geofencing, companies can set specific boundaries that show where applications and data can be used and where they're off limits.
Stacy Crook, enterprise mobility analyst
For example, government employees who step outside the walls of the Pentagon may not be able to access certain applications and may not be able to get into their mobile devices at all. The Pentagon's goal, Crook explained, is to make sure that sensitive information remains within a secure area.
With or without geofencing, companies must monitor mobile applications carefully to keep company data safe. This can include whitelisting, which allows users to download certain applications, and blacklisting, which forbids specific applications from being downloaded. For compliance purposes in regulated industries, companies should also run reports and analytics on what end users are doing with devices and applications, Crook said.
"Companies need to know if the devices have broken those policies," Crook added. For example, if someone "jailbreaks" a device -- modifying the operating system to run unauthorized applications -- companies can revoke access to the back-end servers for that machine.
Bring your own headaches, er, devices
Along with security issues comes the question of whether enterprises should let employees use their personal devices, such as their iPhones, to access corporate applications and data.
Businesses should think twice about a bring your own device (BYOD) policy that allows employees to access sensitive data. The best practice for most companies is to own the device so that they have better access to it, said Phillip Redman, research vice president at Gartner Inc. in Stamford, Conn.
Many organizations believe that as long as they can manage the content on the mobile device, they don't need to own the device, according to Redman. But those that need to secure sensitive data on the devices should avoid BYOD policies, he said.
"BYOD absolutely creates issues for organizations if you haven't planned ahead," the Enterprise Mobility Foundation's Winthrop said. Companies need to plan how they'll use BOYD and implement policies ahead of time, and they need to be flexible enough to change them as the mobile device space changes.
Mobile device management policies are "living, breathing documents because mobility is changing at a frenetic pace," he said.
Winthrop says legal issues can also surface with BYOD. In Europe and Asia, for example, it is illegal to wipe personal devices because of consumer privacy laws.
An alternative to BYOD and its risks is the corporate-owned, personally enabled (COPE) model, in which users choose a device and have the company purchase it for them. The company then owns the device and has the legal right to manage it, Winthrop said.
"You can download Angry Birds and take photos of your kids and upload them to Facebook, but [the company] reserves the right to treat it like the corporate asset that it is," he said.
Some organizations may find themselves mixing BYOD and COPE, and that's perfectly acceptable, Winthrop said. For example, a company might choose to mitigate a shortcoming of BYOD -- the high cost of individual service plans -- by getting a less expensive group rate for those participating in the COPE program.
Winthrop said the desire among companies to create effective mobile device policies is all part of a greater trend known as the "consumerization" of IT -- a trend that Winthrop feels is unstoppable.
"The consumerization of IT is about having great consumer devices like the iPhone," he said. "What also is unstoppable is the need to manage, secure and control the corporate data and protect the corporate assets which are intellectual property."
This was first published in August 2012