Enterprise device management
Along with increased mobility in the enterprise comes the need to somehow manage a range of devices potentially carrying sensitive data. Tony Dennis looks at some of the methods available for making sure that such data remains secure.
One of the best ways in which mobile operators can attract large enterprises and organisations as customers is to offer them wireless access to email, the Internet and mission critical applications – such as CRM (Customer Relationship Management). However, having sensitive data reside on mobile handsets and wireless PDAs is a major security concern. What enterprise customers really require are systems that help to securely manage data held on their employees’ mobile devices. To answer these fears, leading vendors claim the ideal solution lies with remote DM (remote Device Management). Typically, such a product will provide the ability to lock a device; wipe its data; and manage stored applications. In other words, DM allows any sensitive data to be totally managed from a remote location.
Presently there is no one, single dominant solution for providing remote DM capabilities. Many different approaches exist for the actual provision of remote device management services. For example, some organisations may prefer to handle the management of remote devices in-house and thus purchase such solutions through value added resellers. Others might prefer to outsource such a facility to a large systems integrator – or, perhaps even their network operator – who would then provide the service by ‘hosting’ it on existing network servers.
Significantly, many mobile network operators now are focussing heavily on data services rather than their voice business. Consequently, providing remote device management not only becomes an obvious service for mobile operators to promote to their business customers, but it can also form just one small part of the operator’s overall offering to businesses.
While there is no shortage of companies competing in the remote DM space, fortunately, an industry standard for such facilities is available through the Open Mobile Alliance (OMA). In effect, the OMA inherited the appropriate DM standard when it merged with another industry body – the SyncML Initiative. Thus some vendors still refer to the relevant standard as SyncML version 1.1.2, while others label it simply as OMA DM. However, the technology has become so widespread that solution vendors trumpet their support for OMA DM compatible devices. Crucially this OMA technology has been adopted by most of the leading handset manufacturers, including Kyocera; LG; Motorola; Nokia; Samsung; Siemens/BenQ; and Sony Ericsson.
Clear indication of facilities
Fortunately, the objectives formulated by the OMA’s DM Working Group provide us with a pretty clear indication of exactly the kind of facilities remote DM can provide. The Group’s list includes the ability to change device configuration settings; a facility for software installation and changing software parameters; an ability to update software and firmware; plus the ability to change application settings and user preferences. To ensure that there is consistency across different vendors’ offerings, the DM Working Group also specifies how management information should be retrieved from devices and how to process events and alarms generated by remote devices.
Built into any remote DM solution, of course, is the necessity to use OTA (Over-The-Air) technology. Once again there is an industry body, the OTA Flash Forum, promoting compatibility between the different producers’ wares. The Forum now has over 40 members. A typical provider of this OTA technology is Redknee whose product, Synaxis Handset Synchronisation Management (HSM), is based on SyncML DM 1.1.2. While HSM can provide operators with device management, that’s just one of the facilities it can offer. Redknee’s solution can be expanded with a firmware OTA (FOTA) module to support firmware upgrades, for example. Such OTA upgrades will prevent the necessity for device recall if problems are discovered with built-in applications after handsets have been shipped. It’s a very good example of how remote DM will form part of an operator’s service to its business customers.
In the case of remote DM, Nokia hopes to capture the market with its Intellisync product. “Our solution is unique because it allows enterprises to install the software behind their firewalls,” Tarmo Jukarainen, director for device management with Nokia Enterprise Solutions, claimed. Some organisations view their data as being so sensitive that they would reject the alternative to an in-house solution – namely allowing remote device management to be hosted elsewhere and paying a monthly fee to the mobile operator. This ‘hosted’ option is very similar to the way operators offer RIM’s BlackBerry email, for example.
Jukarainen maintained that where Intellisync offers corporates the greatest benefit is in a situation whereby an executive loses a smartphone or wireless PDA at an airport, for example. Once the organisation’s help desk is informed of this event, the help desk can issue a command which automatically locks the mobile phone to prevent any further usage. Additionally, it is possible to send an instruction which wipes all the user data held on that device. Jukarainen claims that with Intellisync, user data doesn’t even have to be stored in any special folder or disk on the device, everything – except the built-in applications – will be removed during a wipe.
Such measures would, of course, be ineffective if the user had forgotten to set a password. Consequently Intellisync offers organisations the ability to ‘set policies’. This means that the device can be remotely configured to not function unless a PIN/password has been entered. In order to achieve a much higher level of security, that password can be longer than the standard four digit PIN normally used to protect mobile phones. This is particularly important for multi-nationals which are bound by the American Sarbanes-Oxley Act (SOX) to protect customer data from theft.
Although Intellisync is currently supplied by Nokia, the company acquired the technology with its 2005 purchase of the firm, Intellisync. Consequently, client software can be loaded onto a wide range of devices including RIM Blackberries, Palm OS devices – like the Treo – and Windows Mobile based devices. It also runs on Symbian UIQ handsets as well as Nokia Series 80 and Series 60 machines. Nokia’s advantage, however, is that its Advanced DM client is built directly into its latest models – especially its E Series. “Companies won’t have to wait half a year for the newest phones to be supported,” Jukarainen claimed. The additional benefits of having DM built in rather than added as an afterthought include the ability to prevent users from changing the device’s settings, Jukarainen explained. Nokia claims that its E Series devices are among the first in the industry to natively support remote device management based on the OMA’s DM. Once again, Intellisync Device Manager isn’t really a standalone product. It forms part of the Intellisync Mobile Suite 6 which covers wireless email; plus file and data synchronisation.
When it comes to using the technology, in the UK, the London Borough of Barnet’s Children and Families Services unit is one organisation that has installed its own remote device management facility. The council’s social workers were forced to return to the office each time they needed to access and share information, update other staff members, and complete a whole host of administrative tasks. “We chose a mobile solution alongside a more traditional PC based solution because of costs, ease of implementation and what we wanted it to achieve,” commented Tony Nakhimoff, divisional manager, with Barnet Council. The Council’s PDA based system provides wireless e-mail; diary management; and information sharing. O2 has supplied Barnet with over 200 Xda II wireless PDAs which, in addition to enabling social workers to access information, also double as ordinary mobile phones.
Security of information
whole installation for Barnet was security of information. Should an Xda II be lost or stolen, the Council could use Nokia’s Intellisync Mobile Suite to lock and data wipe the Xda II, thus ensuring confidentiality of information. The council believes the system has comprehensively addressed the security concerns these types of sensitive deployments can have – where data on children cannot be allowed to fall into the wrong hands. Significantly, Barnet elected to install the software on its own servers and use its own IT staff to manage the system. The actual installation work was carried out by a value added retailer – Handheld PCs.
French software house, Abaxia, has taken a slightly different approach to DM by offering the ability to remotely manage the user interface (UI). It means an operator can remotely change a handset’s background and add new icons to the screen. Taken to extremes, it would even be possible to provide a different UI for an organisation’s managers than the UI for the other employees. In addition to this, it is also possible to remotely configure a handset’s WAP settings for use with a company’s Intranet, for example. That could include setting up the handset to make VoIP calls. Other options include making changes to contact information or diary settings. In order to offer this service, Abaxia has joined with Swapcom to utilise the latter’s Device Management Centre which is compatible with a wide range of mobile handsets. Abaxia also sees the need to provide adequate security when a handset receives an OTA request to make changes to the handset. Consequently it has made use of the security mechanisms offered by SIM card manufacturer, Gemplus. According to Cedric Mangaud, Abaxia’s president, offering this level of customisation for big clients is no different from the way the leading PC suppliers, like Dell, already customise PCs for their major purchasers. In order to be cost effective, however, Mangaud estimates that a single customisation requires a minimum of about 200 users.
In an ideal world, an IT support department wouldn’t need different tools to manage handsets and wireless PDAs alongside tools aimed at managing PCs, for example. One vendor already claiming to have solved this particular problem is iAnywhere. “With Afaria, it’s easy for administrators to manage all of their mobile devices including Blackberry; Windows Mobile Pocket PC and Smartphone; Palm; and Symbian devices, and even laptop computers from a single console,” claimed Joe Owen, vp for engineering with iAnywhere. While iAnywhere might be among the first to make such a claim, it’s obvious that other leading vendors in the mobile space will rapidly follow suit. Furthermore, the launch of Microsoft’s Windows Mobile 5.0 OS, with its added security features, encouraged a number of leading mobile players to enter the remote device management space. Amongst those vendors was leading mobile browser supplier, OpenWave, which has introduced its MDM (Mobile Device Manager) product.
Currently businesses are somewhat spoilt for choice when it comes to selecting a remote DM solution. Remote DM is obviously still in its early days, but for the brave early adopters the benefits will be significant.