How to get mobile under control

Mobility used to be simple when BlackBerrys were the gold standard for smart phones. The agency-requisitioned devices gave employees anywhere, anytime capabilities for calls and access to enterprise e-mail systems, calendars and basic Web surfing. To closely manage and secure the devices, agencies used Research in Motion’s BlackBerry Enterprise Server, which provided effective if rudimentary tracking and security functions.

Now new generations of smart phones and tablet PCs are streaming into agencies, and rather than running a single operating system, they use a mix of the Apple iOS, Google Android and Microsoft Windows Mobile platforms. With that diversity comes managerial complexity, which is further complicated by the fact that many newer devices come with far fewer controls than traditional BlackBerrys offered.

Third-party mobile device management (MDM) solutions promise a consolidated set of tools to help IT managers control smart phones and mobile hardware across multiple operating systems. But in the quickly changing mobile environment, agency IT managers say they will soon need even more services. Many see a bring-your-own-device (BYOD) juggernaut on the horizon, and the MDM choices they make today must provide a foundation for protecting valuable agency data if IT managers eventually have even less say over which mobile devices will be connecting to internal networks.

Why it matters

MDM promises to relieve IT managers of one of their biggest headaches: how to securely manage an increasingly mobile and diversified technology environment.

“For us to stay cutting-edge in delivering medical services to veterans, we need to take a look at all the technology out there — not only from a VA standpoint but also from the veterans’ standpoint,” said DJ Kachman, director of security assurance and mobile technologies at the Veterans Affairs Department. “That means providing a greater range of diversity.”

Traditional MDM offers the support agencies need to function securely in this environment. Core features include the ability to enforce storage encryption, strong passcodes and virtual private network profiles on smart phones and tablet PCs. Other must-haves include remote data wiping and device lockdown, tools for pushing security patches and application updates, and the ability to detect when a device has been compromised, for example jailbroken or rooted, so that it can no longer be trusted to enforce any of the other controls.

The pressure to implement those capabilities has been growing as agencies recognize the mission and economic value of mobile applications. Some guidance came in May when the White House released its digital government strategy, which gave the General Services Administration responsibility for establishing a platform for securing and managing smart phones and similar devices.

Even so, Federal CIO Steven VanRoekel acknowledged that the government is still in the early days of defining the details of that platform. “Ultimately, the acquisition strategy and vehicle will reflect the collective agency requirements, which are still in research and evaluation,” he said, adding that agencies will not be required to use a specific set of MDM products.

A number of agencies — including VA, the National Oceanic and Atmospheric Administration, and the Government Printing Office — aren’t waiting. They’re plowing ahead with internal evaluations of MDM solutions to find options that will meet their needs.

But IT managers face a number of challenges as they evaluate MDM solutions. Even with the continuing evolution of MDM in terms of features and vendors, agencies say they can’t always find everything they’re looking for in a commercial solution. For example, as a large organization with facilities throughout the United States and overseas, VA wants an MDM platform that can enforce agencywide policies while still accommodating some local control.

“Ideally, we would want a solution where I’m able to manage my devices using certain profiles and configurations, while another administrator, who may have a different mission, is able to apply different configurations,” Kachman said.
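The two requirements above, a baseline of MDM checks (encryption, passcode, OS currency, VPN, compromise detection) and the layering of an agency-wide policy under local administrators' profiles, can be sketched in code. The following Python is an added illustrative example, not code from the article, from VA or from any MDM vendor: the posture-record field names, the action strings and the "local profiles may only tighten the baseline" rule are all assumptions made here, and the device records are constructed sample data.

```python
"""Toy MDM compliance evaluator (illustrative example, not a product's code).

Assumptions: device posture records are plain dicts with the fields used
below; a local profile may only tighten the agency baseline; the actions
are hypothetical names an MDM console might expose.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.1.1' -> (5, 1, 1). Tuples compare lexicographically, so (5, 1, 1) > (5, 1)."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Policy:
    min_passcode_length: int
    require_encryption: bool
    require_vpn: bool
    min_os_version: Version
    max_checkin_age_days: int


def merge_policy(baseline: Policy, local: Dict) -> Policy:
    """Layer a local administrator's profile on top of the agency-wide baseline.

    The local profile may only tighten: it can demand a longer passcode, a newer
    OS or a shorter check-in window, but it cannot switch off encryption or VPN
    that the baseline requires. (This tighten-only rule is an assumption.)
    """
    return Policy(
        min_passcode_length=max(baseline.min_passcode_length,
                                int(local.get("min_passcode_length", 0))),
        require_encryption=baseline.require_encryption
        or bool(local.get("require_encryption", False)),
        require_vpn=baseline.require_vpn or bool(local.get("require_vpn", False)),
        min_os_version=max(baseline.min_os_version,
                           parse_version(str(local.get("min_os_version", "0")))),
        max_checkin_age_days=min(baseline.max_checkin_age_days,
                                 int(local.get("max_checkin_age_days",
                                               baseline.max_checkin_age_days))),
    )


def evaluate(device: Dict, policy: Policy) -> List[Tuple[str, str]]:
    """Return (finding, action) pairs for one posture record, most severe first."""
    findings: List[Tuple[str, str]] = []
    if device.get("compromised"):
        # A jailbroken/rooted device cannot be trusted to enforce anything else,
        # so wipe enterprise data, revoke its credentials and stop evaluating.
        findings.append(("device compromised (jailbroken/rooted)",
                         "remote wipe; revoke enterprise certificate"))
        return findings
    age = int(device.get("checkin_age_days", 0))
    if age > policy.max_checkin_age_days:
        findings.append((f"no check-in for {age} days",
                         "block network access until the device reports in"))
    if policy.require_encryption and not device.get("encrypted", False):
        findings.append(("storage encryption off",
                         "quarantine; push encryption profile"))
    if int(device.get("passcode_length", 0)) < policy.min_passcode_length:
        findings.append((f"passcode shorter than {policy.min_passcode_length}",
                         "lock device; require passcode change"))
    if parse_version(device["os_version"]) < policy.min_os_version:
        findings.append((f"os {device['os_version']} below minimum",
                         "push update; notify user"))
    if policy.require_vpn and not device.get("vpn_configured", False):
        findings.append(("vpn profile missing", "push VPN profile"))
    return findings


def fleet_report(devices: List[Dict], policy: Policy) -> Dict[str, List[Tuple[str, str]]]:
    """Evaluate every device; an empty list means the device is compliant."""
    return {d["id"]: evaluate(d, policy) for d in devices}


# Agency-wide baseline and one local unit's profile (constructed values).
BASELINE = Policy(min_passcode_length=6, require_encryption=True, require_vpn=False,
                  min_os_version=(5, 1), max_checkin_age_days=7)
LOCAL_PROFILE = {"min_passcode_length": 8, "require_vpn": True,
                 "require_encryption": False}  # attempt to loosen; ignored by merge

# Constructed sample posture records, as an MDM agent might report them.
DEVICES = [
    {"id": "ipad-001", "compromised": False, "checkin_age_days": 1, "encrypted": True,
     "passcode_length": 8, "os_version": "5.1.1", "vpn_configured": True},
    {"id": "phone-002", "compromised": True, "checkin_age_days": 0, "encrypted": True,
     "passcode_length": 8, "os_version": "5.1.1", "vpn_configured": True},
    {"id": "phone-003", "compromised": False, "checkin_age_days": 2, "encrypted": True,
     "passcode_length": 4, "os_version": "4.3", "vpn_configured": True},
]

if __name__ == "__main__":
    for dev_id, findings in fleet_report(DEVICES, merge_policy(BASELINE, LOCAL_PROFILE)).items():
        print(dev_id, "COMPLIANT" if not findings else findings)
```

Two design points worth noting: a compromised device short-circuits the evaluation, because a rooted handset can lie about every other attribute, and the merge never lets a local profile drop a baseline requirement, which is the property the agency-wide administrator actually needs from a delegated-administration model.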

Flexibility isn’t the only concern. As the digital strategy also points out, wireless connectivity creates a host of new security vulnerabilities, including the ability for end users to bypass standard network defenses: a device on a cellular or public Wi-Fi link reaches the Internet without ever passing through the agency perimeter. The result is the need for new approaches to continuously monitor and manage devices and secure the data on them. Such threats are redefining what capabilities should be included in MDM solutions.

The fundamentals

Traditionally, MDM focused on managing devices, but now IT managers want additional tools to control the applications that run on the smart phones and tablet PCs.

“The technology has split into two types of solutions: traditional MDM, which manages the devices, and application management, which manages the app,” Kachman said. “As we move down the road, we’ll need to have both — one to make sure the devices are healthy, one to make sure the apps are secure.”

Other areas of interest include support for continuous security monitoring, desktop virtualization, and the ability to quickly create “sandboxes” to keep an employee’s job and personal data separate.

How can agencies find the right MDM solutions?

First, look beyond the standard feature comparisons vendors use to promote their products and focus instead on which enterprise-oriented capabilities are offered.

“The list gets pretty short pretty quick when it comes to enterprise-class options,” said Tim Hoechst, chief technology officer at systems integrator Agilex.

Key enterprise features include the ease with which MDM integrates with agency network directory services and support for enterprise software licenses, which will help agencies manage volume purchases of mobile apps. The MDM solution should also communicate with the agency’s mobile applications to verify user privileges and manage encryption certificates, Hoechst said.

Next, decide on the right MDM delivery model. Today, on-premises solutions dominate MDM sales, representing nearly 85 percent of all MDM licenses, according to Gartner. But the federal government is ripe for cloud-based alternatives, agency IT managers say.

“We’re still feeling our way as to what’s best, but with the federal mandate for cloud first, we’re certainly looking there to see what’s available,” Kachman said.

Cloud-based MDM is attractive for reasons beyond federal mandates. For example, when agencies run mobile applications, operating systems and data in a cloud, vital information doesn’t have to reside on individual smart phones. “This will limit the potential impact to an agency in the event a device is lost, stolen or compromised,” the digital government strategy notes. That benefit holds only if the client is configured not to cache or store data locally; a remote desktop or cloud client that leaves downloaded attachments or screenshots on the handset puts the data right back on the device.

Some agencies are investigating whether cloud or hosted MDM systems will be less costly than on-premises solutions. NOAA is transitioning to agency-provisioned Apple iPhones in part because of the internal management expenses associated with the BlackBerry.

“We spend a significant amount of money on an annual basis to run the BlackBerry Enterprise Server,” said Zachary Goldstein, NOAA’s deputy CIO.

The agency is now exploring various MDM alternatives, including cloud-based services. “Our gut feeling is that [a cloud solution] will have a positive ROI,” Goldstein said. A multiplatform MDM solution that provides a secure foundation for BYOD could contribute to additional financial benefits in higher productivity and reductions in agency-owned smart phones, he added.

The hurdles

Among the top MDM challenges for agencies is the possibility that a shake-out of products and vendors is coming. “There are a lot of MDM solutions out there, and I think we’ll see that number shrink over the next one to two years,” Kachman said.

Therefore, agencies that bet on the wrong solution could find themselves buying a new one before they see a full return on their original investment. For that reason, agencies should gauge the ability of any potential solution provider to offer a continuous stream of new features that keep pace with evolving technologies and MDM solutions.

GPO, which is conducting a pilot program to test BYOD and MDM solutions, sees that flexibility as one of its biggest mobile challenges. “Whomever we choose for MDM, we want to make sure it’s an entity that’s well suited to handle whatever is coming next,” said Chuck Riddle, GPO’s CIO. “We can’t just make the solution choice based on today’s environment. We’ve got to look ahead.”

Cost is another roadblock. Indeed, IT organizations that face tight budgets might bristle at the idea of funding a new set of software or service licenses. Fortunately, most agencies won’t need to upgrade their existing IT infrastructure to support an MDM solution.

By contrast, neglecting MDM in an increasingly mobile environment might not be an option. “The surest way to make sure that mobile deployment doesn’t happen is a Washington Post cover story that says, ‘Federal agency loses data on mobile device,’” Hoechst said. “Whereas it’s a very different situation if the headline says, ‘Federal agency finds device within 45 seconds of it being stolen.’ I’d say the value far exceeds the costs.”

Next steps: What to look for in an MDM solution

When evaluating mobile device management solutions, IT managers should pay close attention to their current needs and how mobile technology might evolve in the next few years. Key criteria include:

  • The vendor’s track record for keeping pace with mobile and MDM innovations.
  • Support for multiple mobile platforms, including Apple iOS, BlackBerry, Google Android and Microsoft Windows Mobile.
  • Strength in MDM basics, such as enforcing data encryption, strong passwords, virtual private networks, remote data wiping and device lockdowns.
  • Advanced features, including application management, continuous security monitoring, desktop virtualization and sandboxing.
  • A range of delivery model choices, including cloud and on-premises options.
  • Support for federal security requirements.

Reader comments

Thu, Jul 12, 2012 Gus

I suggest you unnecessarily bound MDM with cloud-based data services, when there are more likely many concurrent solutions. For example, a strong enterprise MDM can secure the device. A cloud office suite (think Google Apps for Govt) holds the data and its inherent MDM can lightly control that data. A remote desktop app provides only remote view & interaction, not the cloud-kept data (and rarely has associated MDM). It's more likely an enterprise device will have multiple MDM policies enforced within it, each for its respective niche in this complex cyber-system.

Wed, Jul 11, 2012 Dan Barahona San Francisco

Excellent article, Alan. I've spent a lot of time in this space - when it comes to mobility/BYOD, the #1 requirement is email access, #2 calendaring, #3 directory/contacts. Everything else (corporate apps) is far behind these. The biggest challenge with providing employees mobile access to corporate email is securing the data. Containerization or remote wipe capabilities are great, but they address only the data at rest. They can't stop an attachment from being forwarded to a personal gmail account or to the Washington Post or to Wikileaks. Securing the data wherever it travels is the ultimate goal - and one that can now be solved with new solutions.