By Galen Gruman
JANUARY 15, 2007
A mobile mess looms for CIOs who ignore the rising popularity of
connected handhelds. New third-generation (3G) cellular networks make
handheld computing more convenient for everyone from executive travelers
to salespeople and field technicians. This trend poses new challenges to
CIOs who need to maintain enterprise network and data security, plus
keep end-user support costs down. Yet most enterprises have no policies
or mobile management strategy in place to achieve these goals, notes a
recent study by the BPM Forum, an industry association.
And without a mobile device management strategy, a trickle of connected
devices brought in by individuals can quickly become a nasty, unmanaged
torrent. That nearly happened at American Family Life Assurance Company
of Columbus (better known as Aflac) a few years ago. The IT department
had been willing to set up e-mail access for a few handheld devices
brought in by frequent travelers, handling them on a case-by-case basis.
But after returning from Christmas vacation in January 2004, Greg Gatti,
vice president of infrastructure services in IT, had 3 dozen
connectivity requests for shiny new Hewlett-Packard iPaqs, that year's
must-have gadget, and other PDAs that various staffers got as presents.
"Very quickly, we had so many devices that it was a nightmare for our
computer support team," he recalls. And just as quickly, Aflac created a
strategy and set of policies to get in front of the connected-handheld
Like other financial-sector companies, Aflac had to get its smart phone
house in order not only to reduce management complexity but also to meet
federal requirements around data management and security. Aflac's
ultimate strategy: Ban all non-company-issued handhelds from connecting
to enterprise servers and computers, lock down PCs so
handheld-synchronization software couldn't be installed by users, and
forbid the use of POP3 and SMTP e-mail access to the corporate network
so wireless Internet users couldn't sneak in the back door. Aflac also
decided to rely on a mobile e-mail server to manage both e-mail access
and the handhelds themselves, and ensure automatic installation of
firmware patches and enforcement of password policies. This strategy is
common in the financial services sector, with similar policies currently
in use at Citigroup's Primerica subsidiary, Farmers & Merchants Bank,
IndyMac Bank and Russell Investment Group, among others.
Nonfinancial companies could mimic this approach, Yankee Group analyst
Nathan Dyer says, but the research shows that many companies have yet to
craft a mobile management plan.
Our Data Went Where?
Your first big CIO headache regarding handhelds: They are easily lost or
stolen, putting any data they contain at risk. Even data that seems
routine, such as personal contact information or e-mails about a deal in
progress, can expose a company to high notification costs (if customers
must be contacted regarding a privacy breach) or reveal insider
information, Dyer notes.
Fortunately, securing handhelds is not hard if you centralize
communications through a mobile server, such as the BlackBerry
Enterprise Server for Research in Motion's connected handhelds, or the
GoodLink Server from Motorola subsidiary Good Technology for Palm Treos
and other devices. These mobile servers act as proxy servers for
cellular-connected mobile devices, routing approved connections to the
corporate e-mail, data and applications servers as appropriate. Rules set
on the mobile server limit which data each device is allowed to reach.
"We don't keep sensitive information on the servers available to the BES
[BlackBerry server]," notes Evans Wroten, CIO of InterAct Public Safety
Systems, which provides emergency data and communications services.
Similarly, Microsoft Exchange Server can manage communications to
Windows Mobile devices like the T-Mobile MDA and Motorola Q, though
Windows Mobile devices in general are not popular among enterprise users
because of overly complex user interfaces, Dyer notes. (IT departments
also don't like the Windows Mobile interface complexity, or the fact
that huge variation in interfaces from device to device increases
support costs, he says.)
Using a mobile server ensures that only authorized devices can access
e-mail and corporate applications. Mobile servers also can tie into
identity servers, such as Microsoft Active Directory, to share one set
of network permissions between the corporate network and the connected
devices. The BlackBerry and GoodLink servers can also enforce security
policies, such as password rules, and keep antivirus software updated.
For field forces, Motorola's Symbol Technologies subsidiary offers the
similar Mobility Services Platform server, to manage connections of the
specialized handhelds used by warehouse, transportation and hospital
users: You can use this to track handhelds' battery life, keep firmware
updated and disable errant devices.
At the same time, IT can prevent users from sidestepping the official
system in three ways. First, prevent or restrict access to the network
over a Web, POP3 or SMTP interface, so Internet-enabled personal devices
can't get in. Second, lock down company PCs so users can't install their
own software (such as synchronization software for mobile devices).
Third, disable the USB ports so users can't plug in a handheld's docking
station. Desktop management software from Altiris, Hewlett-Packard, IBM,
Microsoft, Novell and others, which many enterprises already use for patch
management and software license management, lets you centrally apply these
lockdown and port management capabilities across all users.
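The three controls above are the kind of thing that drifts after a few image rebuilds, so an audit is worth having. The following PowerShell script is an added example written for this page, not code from the article or from any of the vendors it names. It checks one Windows PC for the USB mass-storage lockdown and the Windows Installer restriction, and probes the mail server for the POP3/SMTP/IMAP ports that a personal device could use to bypass the mobile server. The mail-server name (`mail.example.com`) and the port list are assumptions; change them for your environment.

```powershell
# Added example, not from the article or any vendor it names: audit one Windows PC
# against the three "back door" controls. Mail-server name and port list are
# assumptions. Run from an elevated prompt so the HKLM keys are readable.

param(
    [string]$MailServer    = "mail.example.com",             # hypothetical Exchange host
    [int[]] $BackDoorPorts = @(25, 587, 110, 995, 143, 993)   # SMTP, POP3, IMAP and TLS variants
)

function Test-RegistryValue {
    # True when the value exists and is one of the accepted settings.
    param([string]$Path, [string]$Name, [int[]]$Accepted)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($Accepted -contains [int]$item.$Name)
}

function Test-TcpPort {
    # True when a TCP connect to $TargetHost:$Port succeeds within $TimeoutMs.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$findings = @()

# Control 1: no direct POP3/SMTP/IMAP path to the mail server. Any port that
# answers here is a route around the mobile server's device registration.
foreach ($port in $BackDoorPorts) {
    $open   = Test-TcpPort -TargetHost $MailServer -Port $port
    $status = if ($open) { "FAIL" } else { "ok" }
    $findings += ("{0,-4} direct mail access {1}:{2}" -f $status, $MailServer, $port)
}

# Control 2: users cannot install software. DisableMSI = 1 blocks Windows
# Installer for non-managed packages, 2 turns it off entirely.
$msiLocked = Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" `
                                -Name "DisableMSI" -Accepted @(1, 2)
$status = if ($msiLocked) { "ok" } else { "FAIL" }
$findings += ("{0,-4} Windows Installer restricted for users (DisableMSI)" -f $status)

# Control 3: USB mass-storage driver disabled. Start = 4 is the "disabled" state
# of the USBSTOR service; a cradle that presents as a thumb drive will not mount.
$usbLocked = Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" `
                                -Name "Start" -Accepted @(4)
$status = if ($usbLocked) { "ok" } else { "FAIL" }
$findings += ("{0,-4} USB mass storage disabled (USBSTOR Start=4)" -f $status)

$findings | ForEach-Object { Write-Output $_ }
```

Two caveats a practitioner should keep in mind. Disabling USBSTOR only covers mass-storage class devices; a PDA cradle that enumerates as a serial or network device is not affected, so the software-installation lockdown (which keeps the sync client off the PC in the first place) is the control that actually closes that path, and on Vista and later the Device Installation Restrictions group policies can block unapproved device classes outright. Likewise, DisableMSI governs Windows Installer packages only; a user who is a local administrator can still run a non-MSI setup, so removing administrator rights is the underlying control. And a closed port seen from inside the LAN says nothing about the Internet-facing side; run the port probe from outside the perimeter too.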
Support Costs (Plenty)
Handheld headache number two: Support costs can get you. Handhelds are
hard to manage because they're typically with users who aren't in the
same building as the desktop PC support team. That means handhelds need
to be managed wirelessly. Although several desktop management tools can
manage software updates and track device ownership (for support and cell
service chargeback, for example), they're often not used for that
purpose. Cost is a big reason, notes David Wade, CIO of Citigroup
subsidiary Primerica. "You don't want to pay a per-user fee for a client
license. That's a rip-off," he says.
"Enterprises historically have not seen much of a need to spend $50 to
manage a device that costs about the same amount of money," concedes
Rhett Glauser, an Altiris spokesman, though he says the costs of data
loss are starting to change that calculation.
But enterprises have another option: using the same BlackBerry or
GoodLink mobile servers they already have to manage e-mail, since those
servers can also track users, audit user activity, and manage firmware
and software updates. The desktop management tools don't offer the
server functions, so they cannot replace the BlackBerry or GoodLink
One related issue: The wider the variety of handhelds you must manage,
the bigger the challenge. The mobile servers are typically designed for
one class of handhelds, sometimes two. Different types of users
prefer, and sometimes really need, different types of PDAs, so it's easy to
have, for example, executives standardize on the BlackBerry but
salespeople standardize on the Treo.
If the BlackBerry is one of those platforms, IT will need to manage at
least two mobile servers in parallel, which increases IT's overhead.
(GoodLink can manage both Palm and Windows devices.) Third-party
management tools that can manage all three types of devices (Palm,
Windows Mobile and BlackBerry), such as iAnywhere Solutions' Afaria and
Credant Technologies' MobileGuardian, still need a separate mobile
While CIOs would prefer a single management platform, they say the extra
overhead is manageable. "It's not that much effort for IT to support the
two systems for day-to-day support," says Bob Graham, senior vice
president and CIO at Farmers & Merchants Bank.
Furthermore, it's better to take on the extra cost of supporting an
additional platform than to force all users to a single device that
doesn't serve their needs well, says Brendan O'Malley, CIO of cupcake
maker Tastykake. "Still, we have two device [platforms], not 17," he
Get Ahead of Your Users
While IT executives say you can't allow a free-for-all of devices into
the enterprise, you can choose among different strategies to manage the
choice and acquisition of the connected handhelds.
At Liquidation World, for example, "only company-owned equipment is
allowed on the network. That gives us control," says IS Director Chad
Richardson. At InterAct Public Safety, the fact that IT manages e-mail
and network access through a mobile server tied into a specific type of
device gives the enterprise a simple way to manage the devices people
use, says Wroten. End users can't simply buy their own device and ignore
IT, since devices have to be registered with the mobile server to get
any network access. Farmers & Merchants Bank, IndyMac Bank and Tastykake
take the same approach.
InterAct and Primerica strictly control some devices but are flexible on
others. InterAct, for example, relies heavily on text messaging to
communicate to its field and sales forces, so all employee-provided
phones must support text messaging. While most employees choose to take
the company-paid cell phone (some even port their personal number to
it), some bring in their own phone because they belong to family plans,
notes CIO Wroten. But when it comes to devices that can access e-mail
and other corporate data, InterAct supports only the BlackBerry devices
Primerica gives its thousands of independent contractors a list of
approved handhelds they can buy, but it provisions the BlackBerrys and
Treos used by employees, since employees have access to corporate data
that the contractors do not, says Tom Swift, the bank's executive vice
president of field technology.
No matter how tightly the enterprise chooses to manage handheld
provisioning, the consumer nature of the devices, which are typically sold
through the cellular carriers, means that there can be multiple versions
of devices to manage. Fortunately, the makers of the two most popular
types of connected handhelds, the BlackBerry and the Treo, have reduced the
version churn in recent years and have kept the interface and management
functions consistent across models, says Greg Nelson, senior consultant
in the IT group at Russell Investment Group, a brokerage and financial
services provider. That wasn't the case just a few years ago.
A final management concern: You must manage the number of cellular
providers. While many companies can standardize on one if their usage is
within a region where one carrier has good coverage, firms with national
or international presence often need multiple carriers.
Giving a choice of cellular carriers, while often necessary for coverage
reasons, can lead to device envy: Carriers often get short-term
exclusive distribution deals for new devices, so users of one carrier
may not be able to get the same sexy device their colleagues using the
other carrier can. Also, devices typically can't be replaced without a
penalty for two years, so some users get itchy when the new devices
"These are challenges for us, so we explain that it could cost $600 to
terminate a plan so they can upgrade," notes Greg Inginio, the senior
vice president of IT operations at IndyMac Bank.
Get in Front
Whatever variation works for your enterprise, "the key is having strong
policies up front. Control what they do," says Farmers & Merchants
Bank's Graham. But don't forget the carrot. "Encourage the use of
[company] smart phones and PDAs, so employees don't carry their own," he
At Tastykake, O'Malley makes a point to provide the leading-edge
connected handhelds, so users, especially executives with the power to say
no to IT, aren't tempted to get their own devices. "We figure out what
people need and give it to them," he says.
Encouraging connected-handheld use does increase costs, for equipment,
cellular plans and device management, but is well worth the extra
productivity and the data security protection, Graham and O'Malley say.
But not having a mobile plan will cost you more in the long run. As
InterAct's Wroten puts it, "This is a cost of doing business."
Galen Gruman is a frequent contributor to CIO. He can be reached at
ggruman (at) zangogroup.com.