Managing Mobile Chaos

By Nick Wreden  |  Posted 2011-12-06

While employees relish the anywhere, anytime power of smartphones and tablets, IT executives shudder at the security risks associated with the advent of free-roaming, employee-owned devices that have a direct pipeline to the corporate honeypot: data.

Despite this concern, worker demands for portability, flexibility and accessibility are so great that many IT execs have accepted this handheld anarchy—sometimes termed BYOD (bring your own device)—and have begun actively managing it. As a result, the market for mobile device management (MDM) is growing rapidly, driven by three main trends.

First, smartphones and similar mobile devices are morphing from consumer gadgets into enterprise tools, boosted by apps that can do everything from tracking customers, schedules and expenses to creating texts, presentations and spreadsheets.

The second trend is hybrid computing, which offers functionality both in the cloud and in corporate data centers.

Finally, executive demand for agility is leading to corporate flexibility, even in firms with a strict allegiance to standards. According to “The Mobile Operating System Wars Escalate,” a 2011 study by Forrester Research, 48 percent of companies surveyed support two or more mobile operating systems, and 59 percent offer some support for employee-owned devices.

“BlackBerries are sitting in drawers because users want technology that fits their requirements, not the corporation’s,” says Christian Kane, researcher, infrastructure and operations, for Forrester. “As a result, corporations are turning to solutions that are device-agnostic, while still enabling management and security. Corporations are benefiting from lower provisioning and other costs, while giving employees more choice.”

Organizations such as Merit Medical Systems, Marquette University and Q2ebanking are turning to MDM solutions that incorporate many of the features familiar from PC management, with the addition of on-the-go functionality, such as remote wipe/lock, real-time device monitoring, location broadcast and software distribution.


Training and Product Updates

Merit Medical, based in South Jordan, Utah, turned to mobile device management several years ago to address training and product updates for its worldwide sales force. The $297 million medical-device manufacturer then integrated cloud-based applications, such as the Google suite and CRM offerings from, into its tool chest, and it’s now envisioning integrating distributors and customers into a mobile constellation, complete with in-house e-commerce capabilities.

In the medical-device industry, regulatory issues, new research and advancing product development shorten the shelf-life of information, and prospects and customers demand the most current information. After distributing iPhones to its remote sales force three years ago, Merit provided product and training information via email, spreadsheets and PDFs. While this information was beneficial, “the process didn’t work very well,” admits Lincoln Cannon, director of Web systems, because the latest information got lost among similar documents.

So Merit turned to an online learning system from eLeaP for product training, along with Google Docs and other offerings from Google’s online suite of products, to ensure access to a single source for the latest information. 

“So far, so good,” says Cannon, but then challenges arose. Sales reps didn’t like using multiple log-ons and passwords to access the applications; the IT team didn’t like the constant provisioning and deprovisioning of user accounts as responsibilities changed or the composition of the sales force evolved.

To resolve these issues, the company turned to Symplified Suite with the Mobile Edition. The application integrated with Microsoft Active Directory, combining ease of rules-based provisioning with an authentication intercept that enabled single sign-on (SSO). “That solved the issue of tying together our existing system with SaaS [software as a service] and cloud applications,” says Cannon. Users can now log onto their mobile device—which includes Apple iPads—and see authorized applications, which can be in the cloud or on the server.

The hybrid cloud- and server-based solution benefits staff, distributors and, soon, customers. In 30 minutes, Merit built an online “sales store,” where staff can order brochures and promotional material. Securely adding apps takes only minutes. Logging into CRM capabilities from opens the door to all other authorized applications. About 100 distributors worldwide can access relevant applications, and Merit plans to enable customers to access their accounts in 2012.

Cannon emphasizes the ease of MDM set-up and access, which throttles back provisioning and similar demands on the IT staff. This has reduced friction between IT and sales and marketing over project priorities. “The flexibility and ease of something that is relatively inexpensive results in one less thing to worry about,” he says.


Wireless Wild West

Marquette, a Milwaukee, Wis., Jesuit university with about 12,000 students, was transformed into a wireless Wild West by the growing popularity of mobile devices. According to security analyst Justin Webb, the proliferation of wireless devices presented three issues. The first was visibility: Managing the spectrum of wired, wireless and mobile devices required knowledge about numbers and usage.

Security was the second issue, as the university had to meet both its own and legal requirements for security, while avoiding onerous requirements that might discourage students from academic exploration. Third, both students and staff were purchasing mobile devices rate, which Webb called a tipping point for a reevaluation of security, management and even the future of the university’s network.

Network visibility delivered eye-opening insights. A ForeScout Technologies solution mapped about 7,000 wireless clients, a number that has increased every year since the rollout of the wireless network. The number of mobile devices totaled about 15 percent of network nodes. Wired network traffic is declining, while the ever-increasing number of wireless devices and increasing bandwidth usage are driving the university to consider purchasing additional IPv6 addresses.

Marquette developed a two-tiered system for security. Students are required to use a four-digit log-on password, while university-owned devices incorporate both a log-on and password. Off-campus access is via a VPN. Microsoft Exchange can execute a remote wipe if university devices are lost or stolen.

The ForeScout solution monitors the network to see if traffic veers into no-trespassing areas on servers. Auto-remediation walls off the errant device and directs violators to install antivirus software.

“The benefits include less time spent monitoring traffic for forbidden behavior,” says Webb. “And it’s improved the relationship between those responsible for security and those handling the networks, since our routers and switches don’t have to be reconfigured to deal with various security issues. And it’s all transparent to users.”

Finally, the marriage of high-speed wireless networks and widespread availability of mobile devices is causing Webb to muse about eventually eliminating wired networks in the dorm.

Security Is Primary Concern

While mobile users roam the campus at Marquette, the 170 employees at Q2ebanking roam the offices in Austin, Texas—and the country—selling and supporting electronic banking solutions. Because the company faces scrutiny from federal regulators, mobile management security is a primary concern.

Another issue is the ability to manage devices that range from iPads and iPhones to Palm and Windows devices, while ensuring VPN integration. A third issue concerns authentication: Q2ebanking wanted a system based on soft tokens, since hard tokens create user resistance and greater support costs.

VeriSign (acquired by Symantec) Identity Protection met these security criteria—including the ability to bind credentials and access rights. Q2ebanking was so pleased that it incorporated the system into its own offerings to the financial industry.

“Provisioning takes only five minutes, administration is minimal and users find it unobtrusive,” says Ward Howell, director of security solutions consulting. The biggest issues were integration with Microsoft’s Active Directory, as well as ensuring firewall and other security involving mobile access, both of which were successfully handled.

But it’s not just about companies finding solutions; the industry must also play a role, according to Merit’s Cannon. “The biggest issue [we faced] was integrating Active Directory with cloud security systems,” he says. “The industry has to create a better hybrid cloud solution, so applications and data can be placed on the best platform, and then enable access and processes to be spanned between them.”  

Forrester’s Kane points out that solutions and best practices are still evolving, and he anticipates that future generations of MDM will incorporate “corporate app stores,” similar to the stores offered by major consumer vendors. Vendors could ensure that users get the latest iteration, taking the burden off IT. Another step could include advanced tracking of employee usage, which could lead to more efficient license management.

It’s a classic story in a new, increasingly mobile world: Users want freedom and choice; corporations demand security and standards. Mobile device management meets the demands of both, while providing an emerging platform to handle both threats and the yet-to-be-explored opportunities of the cloud.