Many of us are becoming increasingly familiar with the power and ease of using modern mobile OSs like iOS, Android, Windows Phone 7, and WebOS. These allow users to browse, check their email inboxes, use apps, and connect with friends with remarkable ease.
It shouldn’t be a surprise then that more and more people want to use these same platforms in the workplace. In many cases, the devices are owned and paid for not by the company but by the employees themselves. Many IT departments—faced with manpower and financial constraints due to the economic climate—agree. A Computerworld survey in September 2010 suggested that 75 percent of all organizations already support the use of employee-owned mobile devices, as this presents a win-win situation. The employees are happy in that they get to use the devices of their choice and the employer is happy as the employees shoulder the mobile device and subscription costs.
Many companies now support multiple mobile platforms (e.g., relatively new ones like iOS and Android OS) besides the traditional enterprise platform—BlackBerry OS. It’s also worth noting that whether or not devices are officially supported or not, they will still be used on office networks. In fact, according to a 2010 survey, 41 percent of IT professionals said that unauthorized devices already connect to their networks.
What Kind of “Support” Do Companies Offer?
The degree of “support” offered for these platforms widely varies. Enterprise-oriented platforms traditionally featured strong mobile device management (MDM) capabilities. System administrators can control many aspects of the phones—what settings should be used, what kinds of password are safe to use, what applications can be installed/run, and so on. In an enterprise environment, this was perfectly normal and expected, as desktops are similarly managed.
However, that simply is not the case for employee-owned devices. The platforms themselves may include the necessary features for MDM, albeit one key difference—phones sold to consumers don’t have these features properly set up. IT departments are thus left with two options—provide limited “support” for these devices (which, more often than not, is limited to allowing access to internal email servers) or get their employees to allow MDM onto their self-owned devices. One is easy and cheap to do; the other, more difficult and expensive. Which one will end up being done?
Why MDM Matters
Losing centralized MDM can be a big problem. It puts the security of mobile phones purely in the users’ hands who may or may not be aware of what they can do to secure their devices. In many cases, too, the phone in question is as much an entertainment device as a work device. The user is more likely to care if an application runs well than if his/her device has, say, an auto-wipe policy if it’s stolen. Users will always have other concerns aside from security.
For IT administrators, however, the biggest problem with regard to MDM is the fact that data leakage is never addressed. This happens when confidential information is disclosed to parties that ordinarily would not have access to the said information. With managed devices, administrators could at least disable features that facilitate data leakage such as 3G connectivity, Wi-Fi access, or Bluetooth. Without MDM, whether these features are activated or not is at the users’ discretion who are likely to leave them on in the name of convenience.
What Should System Administrators Do?
What should companies do in such a situation? There are no easy answers. Restricting mobile device support to locked-down, enterprise-centric devices is difficult (particularly as consumer-centric platforms show continued growth). Including employee-owned devices in a centralized device management program is sure to require extensive and difficult negotiations between employees and IT departments as well as to raise costs.
On the other hand, however, simply allowing mobile devices access to office networks is problematic. MDM is one of the most useful tools available to an IT administrator who manages mobile devices and not utilizing it has serious security implications. IT administrators lose the ability to prevent data leakage and generally leave mobile device security in the hands of users and not trained professionals.
The answers will vary for each company. What’s more important, however, is that the question be asked in the first place. Administrators have to go into this process with eyes open and with the awareness of all the possible costs and benefits allowing personal mobile device use entail/bring.