5 mobile management questions you should stop asking

Android, the iPhone, and the iPad are well established in business, so it’s time to stop thinking about them as new issues

It’s conference season, and enterprise mobility remains a big draw. But I’m surprised by how, for several years now, the IT issues at these conferences haven’t changed.

Never mind that the iPhone and Android are eight years old, and the iPad is five years old, all common in today’s enterprises — they’re the same questions over and over again, with the same mix of vendor FUD and good advice from expert panelists like Benjamin Robbins, Steve Damadeo, Brian Katz, Bob Egan, Maribel Lopez, and me. The core questions have been settled for some time, yet they keep getting asked.

In the interest of getting enterprises to move from the past to the present, so they can then focus on the future, here are the mobility questions you can stop asking. Instead, adopt them as the known best practices.

1. Do I do BYOD or COPE?

Many organizations remain obsessed with the question of supporting bring-your-own devices (BYOD) versus issuing corporate devices to which employees can add at least some personal apps and data (COPE, or corporate owned, personally enabled).
The answer is yes. Issue devices to employees for whom a smartphone or tablet is part of their required technology portfolio and pay the data charges. With employees for whom the use of personal devices enhances their business performance but is not strictly required, let them bring their own devices — meaning devices that conform to your security requirements and employees consent to your managing.

The truth is too many execs see BYOD as a way to make employees pay for business technology, so they contorted themselves to make BYOD the standard. At the same time, too many IT organizations freaked out about “alien” devices they could not control up the wazoo. Both reactions come from bad motivations, not from issues of business value.

It may be that your industry has a reason to favor BYOD over COPE, or vice versa, usually for proving your level of compliance on various regulations or for reasons of asset management. A law firm is more likely to insist that its lawyers use only corporate-owned devices to leave no doubt as to the ownership and source of control, whereas a publisher or university is likely to be more flexible about device ownership given the more porous nature of what many staff members do.

There are edge cases that might require a draconian approach: A government agency might forbid both BYOD and COPE, so as not to get bad press around employees wasting time on the job, instead issuing highly limited devices for work-only use.

This is not a technical issue but a risk-management one, with the risk being not so much about data security (your management policies should handle that issue regardless of BYOD or COPE) but about reputational risk and legal comfort.

2. Do I need EAS, MDM, MAM, or EMM?

This is the question vendors want you to ask, because it gets you thinking of the issue in terms of products rather than policy. Start with policy instead: What do I need to protect, and which users does that affect in what circumstances? Answering that tells you which security and management products you need, as well as which ones favor employees.

Here’s the framework of how the various options address your actual needs:

Exchange ActiveSync (EAS) is the baseline security method that every company should use at a minimum. Its policies enforce the use of encryption and passwords, and it allows you to remotely lock or wipe a device that is lost or stolen. iOS 6 and later, Android 3 and later, Windows Phone 8 and later, and BlackBerry 10 support the core policies. Support varies from mobile OS to mobile OS for more discrete EAS policies, such as disabling the camera.
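As an added example (not from the article), here is what that EAS baseline looks like when applied with Exchange's own mobile-device cmdlets in the Exchange Management Shell or an Exchange Online session: a policy enforcing the device password, device encryption and the more granular camera restriction, its assignment to a mailbox, a check of which devices have actually applied it, and the remote wipe for a lost device. The policy name, mailbox, device ID and notification address are constructed placeholders; the AllowNonProvisionableDevices setting is the check that matters, because a mobile OS that cannot apply the whole policy would otherwise sync unprotected.

```powershell
# Added example, not the article's own material. Assumes an Exchange Online or
# Exchange 2013+ session with the mobile-device cmdlets available.
# Names and addresses below are constructed placeholders.

$baseline = @{
    Name                         = "EAS-Baseline"   # constructed policy name
    PasswordEnabled              = $true            # require a device passcode
    AllowSimplePassword          = $false           # reject 1234 / 1111 style codes
    MinPasswordLength            = 6
    MaxInactivityTimeLock        = "00:15:00"       # auto-lock after 15 idle minutes
    MaxPasswordFailedAttempts    = 10               # device wipes itself after 10 failures
    RequireDeviceEncryption      = $true            # storage encryption on the device
    AllowCamera                  = $false           # a more granular policy; not every mobile OS honors it
    AllowNonProvisionableDevices = $false           # block devices that cannot apply the whole policy
}
New-MobileDeviceMailboxPolicy @baseline

# Assign the policy to one mailbox (constructed address); in practice you would
# pipe a filtered set of mailboxes into Set-CASMailbox instead.
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy $baseline.Name

# Verify enforcement per device. DevicePolicyApplicationStatus tells you whether
# the device applied the policy in full, partially, or not at all, and
# DeviceAccessState shows whether Exchange is still letting it sync.
Get-MobileDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceOS, DeviceAccessState,
                  DevicePolicyApplicationStatus, LastPolicyUpdateTime,
                  IsRemoteWipeSupported

# Lost or stolen device: wipe it. -AccountOnly (Exchange Online / Exchange 2016
# and later) removes only the mailbox data, which is the BYOD-friendly choice;
# omit it for a full device wipe. The device ID is a constructed placeholder.
$lostDeviceId = "PLACEHOLDER-DEVICE-ID"
Get-MobileDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceId -eq $lostDeviceId } |
    ForEach-Object {
        Clear-MobileDevice -Identity $_.Identity -AccountOnly `
            -NotificationEmailAddresses "it-security@example.com" -Confirm:$false
    }
```

A device that reports PartiallyApplied is the case the article warns about: the OS accepted the password and encryption settings but ignored a finer-grained one such as the camera restriction, so decide deliberately whether that is acceptable rather than assuming the policy took effect.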

Mobile device management (MDM) has evolved over the years, so the top providers — such as Citrix Systems, Good Technology, MobileIron, IBM, and VMware — long ago moved beyond managing only the device and now provide ways to manage apps and, in some cases, content. If you have legitimate needs to control which apps users can have, to manage VPN settings, to impose standard configurations, and to disable features like copy and paste or cloud access, these tools have you covered.

Be aware that their specific capabilities beyond the core differ, so you should do a deep assessment of candidates to find the best fit. All the major providers support the core APIs provided by Apple’s iOS and Google’s Android, and an increasing number are supporting those in Windows Phone. Some also support Apple’s APIs for Macs (they’re based on the iOS APIs).

Where they differ is in the edge areas, like support for Apple’s content-management APIs, and in new technologies, like Google’s new Android for Work containers.

Many support additional content controls for apps that use the MDM vendors’ proprietary APIs, but that approach ties you to specific apps and MDM servers. It’s a big investment that can also limit your ability to get strong value from mobile usage.

Mobile application management (MAM) used to be a separate category of management tools to manage access to apps and their content. It’s been subsumed into MDM tools from the major providers. Unless you have an MDM tool that doesn’t offer the app management controls you need, a separate MAM tool doesn’t make a lot of sense today.

Enterprise mobility management (EMM) is a marketing term, nothing more. I call it “expensive mobility management” because the term arose from vendors seeking to convince IT pros they needed more than “simple” MDM, by offering a large portfolio of bells and whistles that are largely unnecessary but appeal to IT’s control instincts.

Focus on your needs, not the label.

3. Should I set up an internal app store?

The short answer is probably not. Yes, having an internal Web page that links to recommended iOS and Android apps from their respective app stores is a good idea. If you want to call that your app store, fine.

But running your own actual app store through an independent third-party tool is overkill. After all, you can manage app distribution with the business app store that Apple provides to companies via its Volume Purchase Program (VPP), which lets you buy app licenses in bulk and manage their distribution, as well as distribute your homegrown apps. Google offers a similar capability for its Play Store, called private channel. Why reinvent the wheel?

If your goal is to configure devices used by employees (regardless of who owns them) so that specific apps are installed, updated, and managed for users in specific workgroups, you can do so via your MDM server, which uses the Apple and Google APIs to tie into the VPP and the Google Play private channel, respectively. This capability is available in the better MDM tools.

MDM tools also let you blacklist or whitelist specific apps, so you can prevent users from installing known bad apps from the public Apple and Google app stores.

4. How do I keep mobile devices from leaking my corporate data?

This question is based on a pervasive but very false premise: that smartphones and tablets are a major vector for data leakage. They are not, as you can easily see by checking the public breach report databases. Stolen laptops and misplaced USB drives are the major vectors, while mobile devices almost never show up as a breach vector.

If you fear data leakage and believe the best approach to combating it is to target the device, then you should ban Windows PCs, remove their Internet connections, or at least bind them with encryption, app management, and content management tools. PCs are where that sensitive data is, and (shock!) PCs are the devices most targeted by hackers and data thieves.

Very few organizations apply the kinds of controls to PCs that they want to apply to mobile devices, which has to make you ask if those controls are truly necessary. Also, if they are, why aren’t they on your PCs, too?

However you answer that question, it takes very little to enforce encryption and password usage — the key protections for lost or stolen mobile devices — on smartphones and tablets. Set it up in EAS or MDM policies, and you’ve all but eliminated the data loss risk from mobile devices.

But what about leakage through iCloud, OneDrive, Dropbox, Box, or Google Drive, not to mention personal email? Well, if you think that only mobile devices use these services, you’re naive. Mobile devices are one conduit among many, and clogging one pipe doesn’t stem the unwanted flow of information — it simply moves it to another pipe.

The right approach is to manage data access at the source, not the endpoint. Think access permissions first; if a person can’t be trusted on a smartphone, he or she can’t be trusted on a PC, either.

The good news about mobile: There’s real thinking going on about managing data, so mobile is pioneering safer data practices that, if we’re lucky, will find their way into PCs, too.

5. How should I protect against viruses?

Don’t use Windows PCs. That may sound flippant, but that’s the truth if you’re really concerned about malware like viruses.

Even more so than OS X, iOS is highly immune to malware, so the number of exploits has been very small.

Android is not immune, given its Windows-like file architecture, so researchers keep finding malware targeting it (mainly from fake and adware apps in the Google Play Store and, outside the West, from non-Google app stores). Yet it appears that very little malware actually is running in the Android wilds, so the true threat — versus the potential threat — is highly exaggerated in IT and vendor discussions.

The minuscule usage of Windows Phone means that malware hasn’t targeted that platform. Ditto for BlackBerry.

There’s a theme: Vendors prey on your Windows malware experiences to suggest that everything is as threatened as the PC. It’s not. Malware should be a concern on Android, but no reason for panic.

The real issue for IT is whether Android antimalware apps actually protect you — and the answer is that they are more an alerting mechanism than a remediation mechanism. It’s better to disable access from devices that have sideloading or rooting enabled and to focus on the data access rights of Android users, to control what could be at risk from malware.

Move on to the question that really matters

The truth is that mobile devices are safer to use than PCs (just as cloud services are probably safer than your data center), so figure out how to make PCs as secure as mobile devices and how to protect data wherever it may happen to be.

Then ask the question that really matters: How do you get the most value from the use of mobile technology in your business?

Source: infoworld-5 mobile management questions you should stop asking by Galen Gruman

It’s no secret that CEOs have a massive impact on company culture. They set a tone to reflect the values and convictions of the organizations they lead. But sometimes CEOs take that impulse too far and wind up unintentionally throwing their companies’ culture off kilter. Here are the four most common ways that can happen.

Most CEOs like to make sure everything is just right, but they’re very busy people with a lot on their plates. Often without meaning to, some CEOs turn to micromanaging their employees, making managers’ working lives a nightmare. There comes a time when CEOs have to trust their teams to do tasks the right way—and to give them space to breathe. A CEO that can’t strike the right balance risks creating a suffocating culture.

CEOs need a steady hand. When they don’t, employees are quick to notice if there’s no clear theme or motive driving their leader’s decisions, which tanks productivity and leads to unrest. CEOs often see their companies change rapidly and seldom intend to be so inconsistent, but it’s a culture killer nonetheless. They have to be able to communicate clearly with their team in order for everyone to stay on the same page. When core assumptions change, it’s up to the CEO to make their team aware of it.

Matt Stanton, co-founder of SolePower, tells me: “It’s so difficult to see an otherwise good CEO make inconsistent decisions. At best, it hurts culture, and at worst, it needlessly keeps their team frightened and on edge. Just like almost any other problem, it can be fixed through clearer communication. It’s such a shame to see it happen because it can be avoided so easily.”

Outsourcing can be a great help by allowing companies to focus in on what they do while saving time and money in other areas. In terms of company culture, though, outsourcing can have some long-term effects that CEOs want to avoid. Establishing a strong team is crucial to the efficiency and growth of any business, and outsourcing too much makes it difficult to create that team and keep it intact. Instead, investing in building the right people to help them grow with the company is an excellent alternative.

In an ideal workplace, a CEO is highly protective of their team—and for good reason. A good team is essentially a family that creates an amazing culture where everyone’s skills are valued and put to optimal use. In some cases, though, a CEO’s protectiveness over that unit can go too far, making it tough for newer employees to really feel like they can settle in. Sometimes CEOs unwittingly create an in-group and an out-group, and newcomers can feel excluded right at the time they most want to make their mark.

Managing the Hybrid Application Stack

The best part about moving data operations to the cloud is that you no longer have to worry about provisioning and managing infrastructure. The drawback, of course, is that you have to shift to a service/application-centric approach to management and then somehow integrate that with all of your legacy management systems.

Fortunately, hybrid data management is gaining a fair bit of traction in the development community as vendors seek to get the jump on what is likely to be the dominant enterprise data architecture going forward. According to BlueStripe’s Vic Nyman, the hybrid data center is likely to contain a broad mix of virtualized infrastructure, operating systems and container platforms, as well as a variety of database formats, third-party web services and distributed applications. To manage such diversity, the enterprise will need to deploy key functions such as dynamic application mapping and updating, seamless multi-platform visibility, real-time response time measurement and reporting – and this is before we can even think about expanding to microservices and application component aggregation.

While developers like BlueStripe are undoubtedly working to integrate all of these functions, so are the top cloud providers. Amazon recently updated its OpsWorks management platform to support Windows Server and allow the creation of “spot instances” that enable easy provisioning of short-term applications and services. As PC World’s Mikael Ricknäs notes, the company has made no secret of its desire to expand into more lucrative enterprise-class deployments, and providing a common management solution with legacy platforms like Windows is one of the best ways to ease the migration and integration challenges that many enterprises face.

Of course, it isn’t hard to see how service-based software can be applied to distributed service and application management as well. Fluke Networks recently released the TruView Live platform, a SaaS-based solution aimed at real-time network and application performance management. The idea is to shed the traditional point-solution approach to management in favor of a “borderless enterprise” through end-to-end visibility and control of the entire distributed architecture. This encompasses a focus on app performance and the user experience, rather than infrastructure optimization, regardless of the application, access device or location of either the user or the application host. The platform is available as a free trial now, with additional enhancements scheduled for later this year.

At the same time, a company called Ikoula has teamed up with template and migration specialist UShareSoft to create the Hybrid Cloud Toolbox, an online version of the company’s native toolbox designed to provision and migrate applications to the Ikoula public cloud or third-party public and private platforms. Powered by UShareSoft’s UForge AppCenter, the system features rapid application templating and virtual machine provisioning, as well as self-service migration and a range of server auditing, updating, patching and customization services. In this way, the enterprise gains life-cycle management and governance of their application stacks, plus cross-platform consistency within multi-hypervisor and multi-cloud deployments.

The need for extensive application and service management in the cloud is not driven solely by the elevation of the data environment onto virtual, abstract architectures, but by the way modern environments are gravitating toward self-service provisioning and deployment rather than traditional IT-centric approaches. As users increasingly take it upon themselves to craft their own data stacks, the enterprise will need to focus on the apps themselves in order to maintain a cohesive data ecosystem.

This will require new skill sets on the part of IT staff, to be sure, but if all goes as planned, it will lead to much more vibrant and dynamic data operations than anything we’ve seen in the past.

Source: itbusinessedge-Managing the Hybrid Application Stack by Arthur Cole 

Cloud-Based Management for Cloud-Based Apps

The day the first person took a smartphone to work, BYOD (bring your own device) was born. Soon after that, IT rolled out the first Mobile Device Management (MDM) application.

From an innocent beginning, a complex IT infrastructure has emerged around mobile devices, operating systems and apps, along with the network and the server applications they must communicate with on the back end. Enabling users to access data and applications securely has become something of a high-wire act.

Meanwhile, the cloud revolution has further changed the way people use their mobile devices and the way IT manages them. Today, BYOD devices – typically iOS, Android and Windows Phone – are accessing a host of cloud-based productivity applications like Office 365.

No surprise, then, that Microsoft has incorporated much of the necessary MDM functions in Office 365. These features perform three main tasks:

Conditional Access: The smartphones and tablets may be personal, but the permission to connect to email and documents must come from IT. MDM in Office 365 works with Microsoft Intune and Microsoft Azure Active Directory to enable administrators to create security policies on those devices that apply to Word, Excel, PowerPoint and other business applications.

Device Management: When a device is lost or stolen, it is at risk of being used by unauthorized persons to access corporate email or applications. The ability to set and manage device-level PIN locking and detect jailbroken devices goes a long way to preventing the wrong people from using the devices.

Selective Wipe: One of the main reasons for BYOD is the simplicity of using a single device for business and personal tasks. The ability to easily remove Office 365 data from that BYOD device while leaving personal data in place is an essential enabler of the BYOD work style. It gives the company the peace of mind that its data is under its control, while giving the user the assurance that his or her personal data will not suddenly disappear.

The use of cloud-based applications and storage services has raised another commonplace activity – copy and paste – to the level of a security concern. Your user may have a device that’s protected by Office 365 MDM, but if he copies text and pastes it into an insecure application or cloud-based storage service, a vulnerability could arise.

Microsoft Intune, a subscription service that’s part of the Microsoft Enterprise Mobility Suite, enables administrators to restrict cut, copy and paste activities on smartphones, tablets and PCs, so these operations can only be performed with other applications that are managed by Intune.

As smartphones and tablets become more deeply ingrained in the day-to-day workplace, IT departments will continue to walk the tightrope between user needs and robust, enterprise-level security.

Source: Cloud-Based Management for Cloud-Based Apps by Stan Gibson