Managing a mobile mess
- 19 November, 2008 15:06
A mobile workforce is inherently a more productive one. When one’s job isn’t constrained by location or business hours, decision-makers are more responsive, field workers more efficient.
But where there are drivers for the business and the more flexible worker, the one party that has little to gain from enterprise mobility is the IT administrator.
Today’s administrator is faced with enormous challenges. Ever since their domain was stretched beyond the LAN to support workers roaming on public networks, the mix of mobile devices and services to support has grown ever more complex.
Where a typical mobile workforce began with Win32 laptops and perhaps RIM BlackBerry devices for senior executives, today there are Windows Mobile devices to consider, Symbian-based smartphones from Nokia, Motorola and Ericsson, the stupendously popular Apple iPhone and an upcoming slew of Android-based open source devices. There are multiple carriers to bargain with, multiple devices to support, more applications demanded out in the field.
Where the IT administrator sees a pain-point, the channel should see opportunity.
The five biggest bugbears:
Is the device compatible with the organisation’s existing infrastructure?
One of the main causes of frustration is the tendency for workers to approach an IT department with a new device they have purchased, seeking to connect to corporate IT assets with it.
CIOs, said Ovum telecommunications analyst, Claudio Castelli, are receiving “daily phone calls asking when the company will be able to support the iPhone”.
The iPhone, a highly functional consumer device, is the ultimate expression of what Nathan Burley, a fellow Ovum analyst, called the “consumerisation of IT”.
It was only a few years ago that a clear distinction could be made between a corporate device and a personal device – one focused on encrypted push email, the other was anything with a camera, media player and external media ports. But today, even RIM is launching BlackBerrys with glitzy consumer features; the new BlackBerry Pearl Flip phone, for example.
For some administrators, the answer to the question of new devices is to simply say ‘no’. If the device isn’t in their mobile strategy (if indeed they have one), it won’t be considered. That scenario becomes somewhat more complicated when it’s the CEO that wants the sexy new device.
“Even CEOs are looking for phones that are attractive from a cosmetic point of view, that bring in elements of lifestyle into the mobile environment,” RIM Asia-Pacific regional vice-president, Greg Wade, said. “They desire the same device Gen Y does – that mesh of personal and enterprise functions from one device.”
New devices, Burley said, created numerous problems when an organisation had already invested in solutions that extended applications to mobile staff.
If you are using a sales force solution, for example, often the application was developed for a single platform, be it Symbian, Windows Mobile or BlackBerry. There are significant costs involved with porting the application to whatever other mobile platform is demanded.
One potential solution is to move to a hosted web-based application model, so that applications can be accessed from any authenticated browser.
“Companies spend a significant amount of money developing these applications,” Burley said. “They aren’t going to redevelop them just because somebody wants to use a new device.”
Can the device be secured such that it can’t be used to gain access to sensitive information should it fall into the wrong hands?
There is also a very good chance that new devices will equate to new security vulnerabilities. IT administrators that once relied on the encrypted secure ‘push’ email functions of the BlackBerry, for example, now have to consider the more open approach of the iPhone or upcoming Android phones.
There are two great fears around security, RSA Security country manager, Mark Pullen, said. The first is security of access – for which there are many mature solutions available, the most obvious being two-factor authentication (something you know and something you have).
The second, and perhaps more pressing to mobility, is to protect the information the mobile user carries with them. Most of the leading mobile platforms feature remote-kill features, enabled either by a phone call or web-based browser, should an employee lose a device.
The latest tools available look instead at the root cause of the data being vulnerable in the first place – the saving of data to inappropriate mediums. Enter the much-hyped world of Data Loss Prevention (DLP), technologies and policies that warn or prevent users from storing sensitive data in inappropriate places such as local device storage or removable media.
With 45 different vendors and great confusion in the market, Pullen said DLP is a great opportunity for systems integrators to “make sense of it all for the customer”.
Who takes responsibility for supporting the device?
Most often, the purchasing decision on mobile devices is made by business units who then hand management of the devices to operations staff.
“Operations struggle with it, because the costs of controlling and managing the device isn’t put in the business case,” Sybase mobility director, Guy Maroney, said. “This is sometimes overlooked during purchase – they tend to only include the upfront CapEx cost.”
Ownership and support is a job nobody seems to want. Again, enter the channel. Ovum’s recent studies indicate that the growing complexity and diversity of devices is leading more than 50 per cent of multinational organisations toward a managed services model for support.
“There are multiple parties to deal with – service providers, solution providers to integrate solutions and vendors,” Castelli said. “Every party has different contracts, contacts and tariffs to consider. To manage the cost of services, organisations are looking for a single point of contact, somebody to blame when anything goes wrong.”
Carriers will have a large role to play, given that they control the cellular networks.
“But if the mobile solution involves complex IT integration, systems integrators have a good chance of winning deals,” Castelli said.
How does the organisation control the spiralling data costs associated with increased use of mobile devices in the field?
One of the attractions of the RIM BlackBerry solution has been capped, consistent monthly charges for mobile email access. But as more bandwidth-hungry applications come into the mix, so do bigger data bills.
People using wireless data for the first time tended to get “sticker shock” with their first mobile data bill, RIM’s Wade said.
Global marketing manager for the popular Windows Mobile-based device manufacturer i-mate, Allison Caruk, recommended only downloading the headers of emails to see whether the message warrants further reading. She suggested users turn on Wi-Fi roaming when in a local network, and sync email and applications via an offline cable when in the office or at home to save on download volumes.
Thankfully, mobile data prices are decreasing. An as-yet-unreleased report by Ovum found a price war in the laptop data card market has flowed through to handsets.
In June 2007, for example, a Telstra PAYG plan was $15 per megabyte. It’s now just $2 per megabyte. Where Optus’ $14.95 plan included 20MB of data in June 2007, users can now enjoy 500MB.
How does the organisation ensure the mobile solution performs on a network adequately to ensure the desired productivity?
With all the overheads associated with mobility, one needs to ensure the networks being connected to perform well enough to enable the productivity pay-offs.
While 3G networks, and especially Telstra’s Next G, have broadened the reach of high-speed mobile broadband, remote work is still fraught with performance problems, blackspots and situations where it’s either too much of a struggle or too big an expense to gain remote access to corporate applications.
Organisations such as Citrix, Cisco and Riverbed offer solutions in this space.
One solution oft-considered is thin-client technology such as Citrix’s ICA protocol – in which an organisation might host an application in a datacentre, deliver screenshots out to devices, but limit the amount of throughput to a threshold of say, 20kb.
Riverbed (SteelHead), Cisco, Citrix (WANScaler) and several other organisations offer an alternative – WAN optimisation. Generally sold via a network appliance, the technology uses compression, caching, and the streamlining of network protocols, to basically “make networks run faster”.
Riverbed offers a stripped-down version of the software that can be uploaded to a Windows or Mac laptop to connect back to the corporate datacentre – but this software isn’t yet available on smaller devices.
The technology also tends to be expensive. Riverbed’s appliances start at $US5 for a small remote office up to $US120,000 for datacentre grade appliances. The mobile controller product is sold with a 30-concurrent user licence for around $US13,000, which works out on a concurrent basis to being around $US100 per user.
Riverbed marketing evangelist, Robert Healey, said many organisations were prepared to pay this expense as the opportunity cost of missing business prospects is greater.
Investing in spot solutions is one thing, having a mobile strategy is another. Gartner mobile expert, Robin Simpson, has long advocated what is called ‘managed diversity’ – whereby the IT department proactively distributes a small list of supported devices that can gain access to the most corporate applications, plus a list of devices it can support only in a limited fashion, and a third list of devices it won’t support.
The simplest and cheapest option is to narrow choice – via the selection of a single mobile platform. Any given platform vendor has solutions to many of the five bugbears, provided an organisation is limited to its products.
RIM’s BlackBerry Enterprise Server, for example, is carrier-agnostic and gives a high level of control to IT administrators over the remote management of alerts, software upgrades and some 400 policy options. Communication is end-to-end encrypted and a phone call can remote-kill the device, while support is usually available via the carrier.
Windows Mobile can now boast some of these credentials too. Systems Centre Mobile Device Manager enables organisations to apply the same standard operating environment to their Windows Mobile Devices that they already use on Windows laptops, sharing the same Active Directory (authentication) credentials. Encryption is optional and a remote wipe can be executed via a helpdesk telephone call or by logging in to a self-service web portal.
Within the OEMs there are yet further options. All i-mate devices come with Custom IQ – a free web-based, point-and-click policy-building tool that provides administrators with remote control over device email settings, security settings and the like. The manufacturer also offers Secure IQ – a similar service that enables a user that has lost their device to remotely lock, remove data, or set off an alarm that can’t be turned off. Support is offered by the device vendor at the cost of a local call.
A more common scenario is that more than one type of mobile device will be used within the organisation. For those that can afford them, there are management tools available.
Sybase’s ‘Afaria’ management tool provides a comprehensive suite of policy management modules that run across Win32 laptops, Windows Mobile devices, Symbian handhelds and BlackBerry devices. Apple’s iPhone will be available early next year.
These modules include centralised, automated backup of devices, enforced connection settings, inventory and licensing management, the enforcing of security policies, patching and provisioning of new software and remote control functionality for support and security tasks.
The cost of the solution isn’t trivial – Afaria costs around $40,000 per server and $100 per client.
“If you only have Windows Mobile devices, you can use System Management Server, but that won’t help you if you also have Symbian-based devices,” Sybase’s Maroney said. “If you only have Symbian-based devices you can use Telesync, but it won’t help you with Windows Mobile, and so on. If you have two device types, Afaria makes sense.”
The choices for IT administrators will widen further now VMware is including smaller mobile devices in its vClient initiative.
VMware South Pacific vice-president, Paul Harapin, said all the device choice, security, support, performance and cost bugbears associated with supporting multiple devices could be solved if a thin-client approach is taken to mobile computing.
“Today, we tend to provision a device to people – you build a laptop, give it to the employee. If the employee loses that device, you’re screwed,” he said. “With vClient, you provide services to individuals regardless of the device they have.”
Harapin predicted a future where fleet management no longer involved provisioning employees with new devices.
“Instead, you as an employee are given a stipend, let’s say $1000 a year, to go toward whatever device you want. And as an administrator, you make services available to employees rather than devices,” he said.
Should a contractor with their own laptop come to work for the organisation, they can be provided a service that expires the afternoon their contract expires. “You can lock down and disable DVD drives, USB ports,” Harapin said.
“You can restrict the vClient to only connect to the corporate network. You can enforce policies that only let you connect after you update patches.
“It makes sense that the device should end up being irrelevant to the services you want to provide across the network.”
The end game
The end game, RSA’s Pullen said, is to ensure that the right checks and balances are in place in policy and technology terms, but that these shouldn’t act as “a handbrake” to the business. “You want to get the benefits of mobility,” Sybase’s Maroney said. “Rather than stifle users, you want to allow for the different styles of working patterns that make people productive.”
A new approach
Managed mobility services, Ovum analyst Claudio Castelli claimed, are all the rage among multinationals. But he predicted the same trend will creep into mid-sized organisations too – creating new opportunities for systems integrators.
Gen-i is one Australian integrator ready to take up the challenge. The company now offers a fully managed mobility solution around Windows Media and BlackBerry devices.
The new service was built after being demanded by a Gen-i customer that was “finding mobility very costly to manage themselves,” manager of enterprise solutions for Gen-i, Steve Anderton, said.
Gen-i is managing the lifecycle of devices, from consulting and the point of order to provisioning, application deployment, through support and maintenance and refresh.
Gen-i places no restrictions on price choices, but works at a consulting level with the customer to construct mobile policy. That said, the outsourcing approach does at least provide customers with some clear and predictable costs about how much mobile diversity costs to manage. Gen-i’s service is priced on scale, so the price should naturally go up per device being supported.
Contracts with carriers are still managed by the customer, Anderton said, while Gen-i provides detailed monthly reporting to ensure value for money.
Originally the systems integrator offered services around BlackBerry Enterprise Server, but with the release of Systems Centre Mobile Device Manager, Anderton claimed Microsoft had come on “in leaps and bounds”, prompting an additional investment in Windows Mobile skills.
The integrator also provides fully managed endpoints for customers working from home, usually via the resale of thin client technology from VMware, Citrix and Microsoft. Using Citrix WANScaler and Remote Access Gateway, Anderton said the service can “limit the cost to the customer while maximising the throughput on the network”.
Gen-i also acknowledges that mobile devices are relied on for decision-making among the highest-ranking mobile users. Under the managed services deal, these users are nominated for “emergency support” – in which Gen-i staff actually travel to the homes and hotels of senior executives to work on faults or installations.
Anderton said Gen-i hasn’t been marketing the service as it wanted to “bed it down with one customer first”. Today, with five or six customers trialling the solution, the company feels it has the robustness in its processes to take it to a wider market.