Practical IT Research that Drives Measurable Results

Manage the Invasion of Consumer Technology

Info-Tech Research Group

Introduction
IT is often wary of connecting personal mobile devices to the corporate network. While not without its risks, the benefits usually outweigh the minimal costs. Learn to efficiently and safely manage the influx of consumer technology.
This solution set provides practical steps to take when considering or implementing an official stance on the use of consumer technology in the workplace. It will help readers understand that: Like it or not, consumer technology is invading the enterprise. Recent increases in the prevalence and variety of smart mobile devices make them an unavoidable issue to consider. Allowing personal devices in the workplace boosts productivity and end-user satisfaction. The majority of organizations are allowing them and having great success doing so. There are several different mobile platforms. Each has its own nuances. Understand them and simplify the management of a personal mobile fleet. It is not risk-free. Learn about the technologies that can help mitigate potential damage. Safely merging the consumer and the enterprise begins with compliance. Draft a policy and hold training sessions to help employees deal properly with incidents and keep them from happening in the first place.

If you cant beat them, join them. It is safer to facilitate connecting personal mobile devices to the corporate network than have end-users connect without ITs oversight.
Info-Tech Research Group 2

Executive Summary
The last two years have seen a marked increase in end-user comfort with smart phones, resulting in a greater number of employees bringing in personal technology to aid with performing their job functions. 83% of organizations surveyed by Info-Tech allow personal mobile devices on their corporate networks, though most do so only after an employee has signed a policy highlighting the rights of IT and the end-user regarding data on the device. Regardless of whether users are bringing in tablets or smart phones, the majority of ITs job on the management side remains the same. Focus on policy creation, management and enforcement. Determine what level of mobile security your organization requires Minimum, Basic, Enhanced or Lockdown and implement policies and technology checks and balances accordingly. Remote wipe and over-the-air encryption are the most common security functionalities put in place by organizations at all levels of the security spectrum to mitigate the threat of sensitive data leakage. Understand that all mobile platforms are not created equal; each has its strengths and weaknesses. BlackBerry is the most popular personal device on the corporate network due to embedded infrastructure and advanced out-of-the-box security functionality. Finally, securing end-user compliance with internal mobile policy is the largest contributor to successfully managing a fleet of personal mobile devices on the corporate network.

Info-Tech Research Group

Understand

Evaluate

Strategize

Implement

Allow personal mobile technology in the enterprise to boost productivity and end-user satisfaction.
Dont dismiss personal mobile devices without consideration; there are benefits to be had by allowing end users to connect their personal mobile devices to the corporate network. Think nobodys doing it? 83% of your peers are allowing personal mobile devices on the network. Determine what level of mobile security is best for your organization.

Support consumer technology & an increasingly tech-savvy workforce to improve productivity

New technology is often met with disdain from the IT group. Understand that new technology is brought into the workplace by end-users as a facilitator of job functions.
83% of organizations allow end users to connect personal mobile devices to the corporate network. BlackBerry, Apple iOS, Android, and Windows Mobile make up the majority of allowed personal devices on corporate networks.

Allow Personal Devices

83%

N = 144

Do Not Allow Personal Devices

17%

*Respondents were asked to select all that apply, resulting in a cumulative total greater than 100%.

Organizations that allowed devices other than BlackBerry, iOS, Android and Windows Mobile were drastically less successful than those that did not. Allow personal devices on the network, but stick to the major players to avoid being trapped in a mobile device jungle.
Info-Tech Research Group 5

Embrace tech-savvy end-users; they are assets to the firm

80% of survey respondents cited end-user demand as the primary driver for
allowing personal mobile devices on the network. Pre-2008
IT brings technology to the end-user

Post-2008
End-users bring technology to IT

IT
The flow of new devices to the end-user was governed by IT. Users were not tech-savvy enough to take advantage of personal technology in the workplace and limited themselves to what was provided to perform their job roles.

IT
End-users have become more demanding about technology. The flow of new technology into the workplace has shifted from a dedicated IT group to the user. Employees are now concerned with using the latest technology to perform their jobs more efficiently, and demand that IT keeps up.

The onus of new technology introduction in the workplace has shifted from IT to the end-user.
Info-Tech Research Group 6

Dont get mired in definitions; manage any mobile device that connects to the corporate network
Smart phones make up the majority of mobile devices connecting to the corporate network, but some users may push for tablets and readers. Dont panic. The variance in devices does not matter if you have the right management strategy in place.

Employees use these devices to...

Check corporate e-mail Text message Instant messaging Connect to the Internet through corporate WiFi networks Maintain and reference corporate calendars

Tablets
Smart phones

Tablets and smart phones access the corporate network in very similar ways. Between iPhones and iPads, for example, there is no difference in the mobile management policies needed.
Info-Tech Research Group 7

Dont try to quantify innovation & productivity benefits, but understand that they are real
There is no accurate way to quantify the innovation and productivity benefits for employees, but understand that with improved business connectivity, you can expect the following changes:
Experience quicker Turn-around time on time-sensitive e-mails. Because end-users will Check and respond to their e-mail more often after-hours. Third-party apps can be your friend. Android, BlackBerry and iOS all have independent app stores, which contain mobile applications, some of which are aimed at improving productivity (though some are productivity killers). Look into apps aimed at corporate productivity and connectivity for quick wins with employees. Apps designed to transfer SMS text messages over data networks as opposed to cellular networks, for example, allow users to send unlimited text messages. Most personal devices can also connect to virtual desktops.

Meeting setup times.

Be more aware of their availability.

Flow of information between internal and external parties.

Generally be more in touch with the organization.

Info-Tech Research Group

Case Study: YMCAs experience with cost reduction

Pain Point
Administering and paying for corporate devices was significantly driving up costs. The organization needed to find a way to maintain connectivity with employees, but remove the cost burden of maintaining corporate liable mobile devices.

Solution
Allowed senior employees to keep corporate-issued phones, but mandated that data and voice contracts were personally held. Junior employees were stripped of mobile devices and encouraged to bring in personal devices to connect to the network. Saved $48,000 a year in mobile contracts alone.

Even if they were already given corporate devices, employees can be convinced to attach personal mobile devices to the network. If the cost of managing a corporate mobile device fleet is becoming a burden on IT, consider switching to a personal device setup. Gift formerly corporate devices to soften the blow of transferring the cost to employees. 9

Info-Tech Research Group

Industry: Non-Profit Segment: Small Enterprise Source: Information Technology Executive

We had a reduction in costs from no longer covering the monthly bills. We were spending about $4,000 a month in contracts and now we spend nothing.
-IT Executive, YMCA

Insight

Embrace the Apple effect: the iPhone 3G exploded by being a multi-function communications & recreational device
The introduction of Apples iPhone 3G in 2008 spurred a smart phone craze among recreational end-users, raising their comfort with technology.
The iPhone 3Gs carriersubsidized pricing opened the doors to smart phone adoption for the common man. With a subsidized price of $200 in 2008, 48% of iPhone 3G adopters were from households earning between $25 000 and $50 000 annually. The iPhone 3G was viewed as the first practical convergence device; it eliminated the need for multiple devices. The price tag of the iPhone and an accompanying plan were not feasible for lower-income markets as a phone. But the value gained from eliminating the need to purchase multiple devices spurred adoption of the iPhone as an affordable does-itall gadget.

Source: comScore

and entertainment, even as consumers weather the economy by cutting back on gadgets.
- ComScore Info-Tech Research Group

10

and the iPhone in particular, are Smart phones,and satisfying demand for a single appealing to a new demographic device for communication

Define your security needs based on the sensitivity of your data, and act accordingly to optimize device management
The level of policy enforcement and security your organization requires is contingent upon regulatory compliance requirements and data sensitivity.

Minimum
Companies that do not provide employees with any sensitive data (e.g. trade secrets, fiscal information, and press releases) do not need to invest in infrastructure to increase device security. Creating end-user mobile device policies and conducting training for such organizations is often unnecessary.

Basic
Companies that are concerned with employees carrying sensitive data in their corporate e-mail accounts must create a mobile device policy to enforce the right to remote wipe user devices and mandate password protection. End-user training on policy and compliance are also required.

Enhanced
Enhanced security measures must be taken by organizations that have highly sensitive data in employee in-boxes and calendars. These organizations must develop a mobile device policy, conduct training, and consider limiting adoption to only devices with over-theair encryption, such as BlackBerry.

Lockdown
Lockdown is necessary for those organizations that must adhere to regulatory compliance and house potentially damaging business data on end-user devices. In general, these organizations should only be considering BlackBerry. Those that accept other devices must implement third-party management tools, policies, conduct training, and limit device adoption.

Organizations with more employees had less success in allowing personal devices on their networks. Large organizations should be particularly stringent in mitigating the risks of incorporating consumer technology, and look towards Enhanced and Lockdown levels of mobile security.
Info-Tech Research Group 11

Understand

Evaluate

Strategize

Implement

Multiple mobile platforms exist for end-users; understand the nuances of each.
RIMs BlackBerry offering excels at security, but iOS and Android have traditionally been more fun; these lines of differentiation are beginning to blur as BlackBerrys get more fun, while iOS and Android become more enterprise-appropriate.
The majority of organizations allow BlackBerrys and iPhones on the corporate network, with Android catching up fast. Match your level of required mobile security to the platforms you can and cannot accommodate on the network.

Three players dominate the smart phone market

Each available platform offers benefits and disadvantages relative to competing solutions; more importantly, the cost of infrastructure will be impacted by what you decide to support.

BlackBerry
Developed by Canadian company Research In Motion, the BlackBerry was introduced to the market in 2002. Unlike the Android and iOS offerings, BlackBerry has a limited app store. Requires implementation of BlackBerry Enterprise Server (BES) or BES Express to integrate with the corporate e-mail infrastructure. Security is the platforms biggest strength, as data is encrypted on the device and over the air with a native BES setup.

Apple iOS
Developed by California-based Apple Inc., iOS runs only on Apple devices, such as iPhone, iPod Touch, and iPad. The original iPhone OS was introduced on Apples first iPhone in 2007. The OS is updated with new releases of the iPhone and also sees regular patching between major updates. The Apple app store is the largest of any mobile platform, now carrying over 300,000 apps. The security offering of iOS (renamed from iPhone OS) is less robust than BlackBerry, but is adequate for most organizations and can be improved with 3rd party technology.

Android
Seeded by Google in 2005, Android-based handsets started to become available in 2008. Unlike BlackBerry and iOS, Android is not a manufacturerspecific OS and runs on handsets from a variety of manufacturers. The OS is the only one of the big three available as open source under the Apache Software License. While not as large as the iOS app store, the Android application pool is growing quickly, and contains over 100,000 apps. Security offering is slightly less effective than iOS out of the box, as Android does not support as many ActiveSync IT policies. Ranked first among all smart phone OSes sold in the US for the 2nd quarter of 2010 at 13 33%.

Info-Tech Research Group

BlackBerry dominates the market in terms of security features, but offers little to recreational end-users
68% of businesses allow BlackBerrys on their corporate network. Strengths
Company
Research In Motion (RIM) Security. Native security features beat out iOS and Android. Dedication to enterprise. RIM dominates in the enterprise, and would like to keep it that way. BlackBerrys and the upcoming RIM PlayBook tablet will continue to focus on business features but are rapidly catering to the consumer market as well. Physical keyboard. Most business uses require quick textbased communication. Many users find that a physical keyboard has an advantage over the touch-screen-only input of the iPhone and some Android devices.

Headquarters
Waterloo, Ontario

Primary Advantage
Security features are largely ahead of competitors.

Challenges
The ugly duckling. With the exception of the touch-screenequipped BlackBerry Torch, the buttons and menus of BlackBerrys are starting to look dated. A non-intuitive interface means more help desk calls asking which thing to press to make it do that thing. Smaller app store. Having fewer apps than other platforms may limit on-the-go productivity that requires specific software, and be less appealing to users.

Primary Disadvantage
Smallest app store

Bottom line: as the security leader, there is no reason to disallow BlackBerry. For businesses with compliance regulations or sensitive data, it may be the only option.
Info-Tech Research Group 15

Offering the largest app store & strong multimedia capabilities, Apples iOS is the peoples choice
50% of businesses allow iOS devices on their corporate network. Strengths
Company
Apple Inc. Employee demand. With the recent introduction of the iPhone 4 and iPad, iOS devices lead in new connections to corporate networks in 2010. Ease of use. A user-friendly interface and walled-off app store mean more employees using their devices without issue, and fewer cries for the IT departments help. The most apps, the most fun. There are plenty of productivity apps in Apples massive store, allowing employees to keep in touch on the go. The hardware is ideal for consuming media.

Headquarters
Cupertino, California

Primary Advantage
Largest app store & community

Challenges
Enterprise ready? Although Apple is finally taking enterprise seriously with iOS 4, the corporate environment is still not the iOS devices native habitat. BlackBerry is at the top of the enterprise food chain. The most apps, the most fun. The same multimedia and app capabilities that aid productivity can distract from corporate goals. More apps also means more potential for security breaches or accidental sharing of sensitive data.

Primary Disadvantage
Security is lacking in comparison to the BlackBerry

Bottom line: give the people what they want. Allow iOS devices unless there are specific reasons not to.
Info-Tech Research Group 15

Android remains the only open source offering in the big three, and is gaining market share quickly
30% of businesses allow Androids on their corporate network. Strengths
Company
Google Inc. Future proof. Androids are taking over the world. Googles OS is the fastest growing platform of 2010, with a thriving ecosystem of hardware and apps. Android is unlikely to self-destruct any time soon. Open development. An open development platform allows easy access to productivity apps, or development of custom apps to fit the organization's needs, without the hassle of requiring thirdparty approval.

Headquarters
Menlo Park, California

Primary Advantage
Open source OS

Challenges
The cost of openness is security. Fraudulent apps can and have been developed to gather and transmit sensitive information for nefarious purposes. Determining an apps trustworthiness is left to the end user, who may not always be the best judge. Fragmented. With a variety of devices made by several different companies, some with custom versions of the OS, demand for support may be more frequent and more taxing compared to the more focused iOS and BlackBerry lineups.

Primary Disadvantage
Concerns about applications storing and distributing private information

Bottom line: you will encounter an Android soon. Learn to deal with its potential security limitations.
Info-Tech Research Group 16

Windows Phone & Symbian round out the top five, but are significantly less popular among North American end-users

Windows Mobile
Microsofts Windows Mobile OS has been on phones since 2000. Windows Mobile is being phased out to make room for its successor, Windows Phone 7. Early buzz pegs Windows Phone 7 as impressive, but it remains to be seen if it will be another mobile OS contender, or too little too late. Open development, but tightly controlled app store. Typical security features present, with some extra protection for good measure. Exchange and Mobile Office are useful in enterprise, but primary audience is consumer market.

Symbian OS
Originally owned by Finnish corporation Nokia, the Symbian OS has been on smart devices since 2000 and became open-source in 2010. Symbian is the worldwide leader, powering nearly half of all smart phones sold, but lacks penetration in North America. Runs on a variety of phones. Open development platform, but certain capabilities require authentication. Security has been a problem, but increasingly stringent app requirements have alleviated most threats. Compatible with Microsoft enterprise solutions, such as Exchange ActiveSync.

webOS
First appeared on the Palm Pre smart phone in 2009. Palm was recently purchased by Hewlett-Packard. HP is dedicated to updating webOS and leveraging it into new smart phones, as well as tablets and other devices. Although webOS does not currently have a large market share, HPs enthusiasm makes it worth watching. Runs only on Palm branded devices. Uses existing technologies such as HTML5, Java, and CSS for easy development. Development requires registration, but is open and free for in-house applications. Focus on integrating email, calendars, and social networking (including Exchange ActiveSync support) facilitates constant connectivity.

Info-Tech Research Group

17

A few management solutions embrace many platforms

Although each platform has its own challenges and idiosyncrasies, there are commonalities that make managing them less daunting than it first appears.
All platforms discussed here support Microsoft Exchange ActiveSync for e-mail, contacts, calendars, and tasks. Basic security features, such as requiring a PIN, are present on all modern devices. The fundamental connectivity apps e-mail, contacts, and calendar are native to all devices and fairly intuitive to an increasingly technology-educated workforce. Tablet computers have emerged from obscurity wearing the same operating systems as smart phones, and they are managed in exactly the same way.

BES

3rd

Party

Exchange

The sharpest divide is between BlackBerry and all other platforms. Management solutions such as BlackBerry Enterprise Server only work with BlackBerry. Third-party solutions like Good Technology, MobileIron, and Sybase iAnywhere, work with everything but BlackBerry.
18

Info-Tech Research Group

Understand

Evaluate

Strategize

Implement

There are various risks involved with each platform; learn what they are, and how to mitigate them most effectively.
Data leakage and increasing support costs are the organizations primary arguments against personal mobile device adoption. Remote Wipe and Over-the-Air (OTA) Encryption are the most effective ways to ensure lost or stolen devices do not leak sensitive information, and that information is not intercepted while in transit.

Third-party infrastructure, such as Good Technology, Sybase iAnywhere, or Mobile Iron are effective tools for organizations with Enhanced or Lockdown mobile security requirements.

Technological features, such as remote wipe and over-the-air (OTA) encryption, decrease data security risks
Native functionality on the BlackBerry via BES and BES Express, iOS and Android devices require third-party infrastructure, including Exchange ActiveSync, to implement remote wipe and OTA encryption.

Remote Wipe
Remote wipe functionality provides IT with the access to wipe a device back to factory defaults in the event it is lost or stolen. Organizations that require Enhanced or Lockdown levels of mobile security must include a remote wipe agreement in their mobile policy and invest in 3rd party infrastructure to enable remote wipe on iOS and Android devices.

OTA Encryption
OTA encryption allows IT to encrypt messages in transit between corporate mobile devices. The encryption prevents them from being intercepted and decoded by a third party. Again, this is largely a concern for organizations that require Enhanced or Lockdown levels of mobile security. An investment in third-party infrastructure is required to enable this functionality on iOS and Android devices.

Info-Tech Research Group

20

Leverage Exchange ActiveSync mailbox policies across Android & iOS personal devices to minimize security threats
Exchange ActiveSync mailbox policies enable IT to apply a common set of policy and security settings to individual or grouped users to efficiently control data connections to personal devices.
At a minimum, implement the following Exchange ActiveSync policies across varying levels of mobile security:

Minimum

Basic

Enhanced

Lockdown
Enhanced, plus the following: Require encrypted S/MIME messages Require storage card encryption Minimum device password complex characters Maximum failed password attempts

Basic, plus the following: Require device encryption Minimum, plus the following: Device encryption enabled Password expiration Over-the-air encryption via 3rd party infrastructure

Password enabled Remote wipe

A full listing of available Exchange ActiveSync policies is available via Microsoft TechNet, here.
Info-Tech Research Group 21

Consider third-party servers as critical to successfully managing personal mobile devices

45%

of organizations that are facing issues with enduser policy compliance adopt third-party infrastructure to manage personal mobile devices.

Organizations that use third-party infrastructure to manage personal mobile devices were 20% more successful than those that did not.
+20%

Third-party infrastructure, such as Mobile Iron, iAnywhere Afaria, and Good Technology enable advanced encryption and management functionality. Degree of Success Organizations that adopted third-party infrastructure to aid with personal mobile device management were markedly more successful than those that did not.

Use Do Not Use

a [third-party] server is a little bit Using than not, but with sensitive data itmore costly is the best option. The third-party server makes our iPhones as secure as the BlackBerrys we have on the server.

59%

54% 49% 51% 50% 49%

BES Exchange Third-Party

Info-Tech Research Group

- IT Director, Entertainment

22

Understand

Evaluate

Strategize

Implement

4
Draft a policy and conduct training sessions to ensure users abide by it to mitigate security risks.

Having employees sign a personal device mobile acceptable use policy that outlines the rights of IT is critical to data security, especially in the event of loss or theft. Signing a policy isnt enough; run training seminars with employees to ensure they understand the policys nuances.

Draw a line in the sand: tell end users what they can and cant do to decrease the effect on support costs
Do support end-users with the following problems:
My phone wont receive e-mails.

Dont support end-users with the following problems:

My phone wont turn on.

My phone and calendar wont sync.

My phone cant access Active Directory.

My phone is frozen.
My screen is cracked.

52% of respondents strongly agreed with the following statement: Help desk support requirements have increased [since allowing personal devices on the network].

n = 113

The majority of survey respondents interviewed saw an increase in support costs after permitting personal devices on the network. Those that did not focused heavily on developing a policy that outlined resolution options for common issues.

In short, when it comes to personal device support, focus on mitigating connectivity issues with corporate infrastructure. Leave end-users to manage their own devices when it comes to hardware and support issues.
Info-Tech Research Group 24

Maximize the potential for success by securing user compliance with internal personal mobile standards
Policy training and enforcement, coupled with technological enforcement, are the largest drivers of user compliance.
User Compliance Drivers

Success was defined by survey respondents rating of the following factors:

Mobile Security Incidents

Policy Training

7%

Contribution to user compliance.

Organizations that saw mobile security incidents decrease were deemed more successful than those that had not. Helpdesk Support Requirements

Policy Enforcement

54%

User Compliance

Organizations that saw helpdesk support requirements decrease were deemed more successful than those that had not. Costs Organizations that saw costs decrease were deemed more successful than those that had not.

Technological Enforcement

35%

Accessibility for Remote Employees Organizations that saw accessibility for remote employees increase were deemed more successful than those that had not.

User compliance is the single largest predictor of success when allowing personal mobile devices onto the corporate network, accounting for 13.5% of the variance in success.

Info-Tech Research Group

25

Develop a policy to ensure that end users are informed of what is & is not acceptable

Use the Personal Mobile Device Acceptable Use Policy to outline:

ITs right to remote wipe mobile devices in the event of loss, theft, malware infection or compliance incident.

ITs right to refuse access to the corporate network to any end-user deemed unfit.
The expectations of the end-user to adhere to strict data confidentiality standards. The requirement that end-users implement alphanumeric passwords on mobile devices. The level of support end-users can expect from the internal service-desk regarding personal mobile devices.

Info-Tech Research Group

26

Conduct training sessions to reinforce the policy & provide behavioral examples

Use the Personal Mobile Device Policy Training Slideshow to reiterate and highlight:
The purpose of the personal mobile device acceptable use policy. The major points of the personal mobile device acceptable use policy, especially security and expectations. A case study highlighting appropriate actions in common situations, such as device loss or theft. Consequences for failing to adhere to the policy.

ITs rights regarding wiping, restoring, and managing personal mobile devices.

Info-Tech Research Group

27

Respondents cited security as the foremost reason for not allowing personal mobile devices on the corporate network

Data and corporate security remain the largest factors against personal mobile devices in the workplace, but support, policy enforcement, lack of control, and corporate liability also remain significant detractors from adoption.

Info-Tech Research Group

28

Corporate mobile devices soon to be a thing of the past

Info-Tech predicts major upcoming changes in the way users perceive and interact with mobile devices.
As personal mobiles infiltrate the organization, the days of corporately owned devices are numbered. 83% of survey respondents allow personal mobile devices on the corporate network; Info-Tech believes this to be the beginning of an increasing trend, resulting in adoption of personal mobile devices. The increase in personal devices coupled with the continued pressure on IT to reduce spend will result in corporate devices going the way of the dinosaur in favor of personal mobile devices.

Android will be the number one mobile platform by 2013. Current industry rates show Android to be the #2 player in the mobile platform market, and gaining quickly. Info-Tech believes that the development potential of the platform and the multi-manufacturer support it has received, Android will be the uncontested market leader by 2013.

The differentiators between app stores across platforms will move from quantity of apps to quality & usefulness. App stores are currently using the quantity of apps as a selling point for the recreational user. Info-Tech believes this driver will begin to dissipate as app stores converge on functionality, with resulting quality and usefulness becoming primary drivers.

Info-Tech Research Group

29

Summary
Consumer technology is invading the workplace. However, unlike an alien invasion, incoming personal devices bring great potential benefits to humanity and to the IT department. Reduced costs and increased productivity follow tech-savvy employees into the enterprise.

The current big three mobile platforms BlackBerry, Apple iOS, and Android each have their strengths and weaknesses. Understand how to leverage the strengths and avoid the weaknesses of every personal device that comes in.
Stick to the major mobile platforms to avoid management headaches, but be up to speed on the less popular offerings, and realize that a variety of platforms does not always mean a variety of management techniques and technology. Define your security requirements and take a personal device stance that aligns with them. At a minimum, have a password policy and enable remote wipe as an option. Consider more advanced options and/or third-party management technology, if users are storing sensitive data. Focus on the biggest determinant of success: user compliance. Have a clear policy, and train users to be aware of how to properly use their device in conjunction with the corporate network. Put down limits on what IT can help with, to avoid increased support costs. Info-Tech believes that corporately-owned devices are being driven off the planet in favor of the new rulers-of-mobile in the enterprise: personal devices. Adapt or face extinction.

Info-Tech Research Group

30