In enterprise IT, the only constant is change. Today, much of this change centers on the increasing numbers of employees who expect to be able to bring their personal smartphone, tablet, or laptop to work and use them for their job. In an effort to adapt to this shift in computing, 70 percent of companies in a recent Gartner survey said they have a bring-your-own-device (BYOD) program or plan to implement one within the year.
Intel® Software Adrenaline recently sat down with Jesus Garcia, consumerization strategist with Intel’s Software and Services Group, for an in-depth discussion of the methods and solutions available for managing the many devices employees are now bringing into their organizations. With a 13-year history in the IT industry—8 of which were as an IT consultant specializing in Microsoft SQL development and administration, .NET development, and application optimization—Jesus is a wellspring of knowledge for enterprise IT organizations on the best strategies and solutions for thriving on mobility and the consumerization of IT.
For companies that have BYOD programs, as well as those that provide employees with devices, a major challenge is dealing with an enormous diversity of OSs, applications, and app stores, as well as the security, productivity, and cost issues that come with that diversity. The good news is that IT departments can choose from a variety of device-management tools for laptops, smartphones, and tablets. However, this large and growing selection involves a significant investment in a CIO’s or IT manager’s time to sift through the available options.
Different Management Techniques for Different Devices
Part of this challenge is that the definition of “mobile device” isn’t as straightforward as it was just a couple of years ago, thanks to an influx of category-blurring devices such as Windows 8* tablets.
“There’s a lot of confusion over the differences between a mobile device and a PC,” said Jesus Garcia, the alliance marketing manager for Intel’s Software and Solutions Group.
“Devices based on Windows 8 and Windows 8 Pro behave more like PCs and are managed more like PCs than the mobile devices are,” Garcia said. “A Windows 8 tablet is not the same as a Windows RT tablet. A Windows 8 tablet is closer to a PC than it is to a mobile phone. Windows RT is closer to Windows Phone 8 than it is to Windows 8. So the management techniques and management infrastructures required for these two different types of devices are also different.”
For example, PCs traditionally join an Active Directory domain, and are managed by group policy objects and tools such as System Center Configuration Manager (SCCM), LANDesk* or Altiris*. Enterprise IT departments know this environment well because they’ve used it for decades.
By comparison, Android, iOS, and Windows RT devices are relative newcomers, and they have built-in management APIs that device-management vendors must follow. Mobile devices also support some form of enterprise email protocol, typically Exchange ActiveSync (EAS).
“These APIs and protocols give you a certain amount of control and capability over the device, and with every iteration—hopefully with every new version of the OS of that device—you’ll get additional, different device controls, and everybody gets the same thing,” Garcia said.
Mobile Device Management API Policies
APIs for mobile device management (MDM) fall into two categories. One category includes the roughly 40 policies that EAS supports. These policies apply to all mobile devices and give enterprises the ability to create safeguards such as automatically and remotely wiping the device after 10 failed logon attempts or requiring passwords to have a certain minimum amount of numbers and capitalized letters.
The other category includes policies that are unique to that device’s OS. These exist because each OS has different capabilities, which are reflected in its unique set of management APIs. With tools such as the iPhone Configuration Utility or other MDM solutions, enterprises can manage these APIs to configure and secure these devices beyond what EAS can do. Using Exchange or Microsoft System Center Configuration Manager (SCCM), enterprises can set only the EAS policies, while an MDM can set both the EAS policies and the OS-specific policies. Another policy-management option is Windows InTune*, with one caveat: It can manage Android devices only through EAS.
“When IT sets EAS policies, it has to consider the different types of phones that may connect because there are policies that some phones don’t support and therefore may be excluded,” Garcia said. “iOS supports the most policies, so it’s easier to set EAS policies for iOS devices versus Windows 8, Windows Phone 8, or Android.”
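The two points above, that EAS-style policies (wipe after 10 failed logons, minimum digits and capitals in the password) are evaluated centrally, and that a policy a given phone does not support is excluded rather than enforced, can be shown in a small evaluator. This is an added example, not code from the article, Intel, or Microsoft: the policy names, the per-platform support matrix, the device reports, and the fallback to blocking access when a platform cannot be wiped are all constructed assumptions, not Exchange’s real policy set.

```python
# Added example: central evaluation of EAS-style policies against device reports.
# Policy names, the support matrix and the device reports are constructed for
# illustration; they are not Exchange's real policy identifiers or any vendor's
# published support list.
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10   # wipe after this many failed logons (figure from the article)
MIN_PASSWORD_LENGTH = 8
MIN_PASSWORD_DIGITS = 2
MIN_PASSWORD_UPPER = 1

# Constructed: which policies each platform honours. Real support differs by OS version.
SUPPORTED_POLICIES = {
    "ios": {"password_complexity", "max_failed_attempts", "remote_wipe"},
    "android": {"password_complexity", "remote_wipe"},
    "windows_phone": {"password_complexity", "max_failed_attempts"},
}


def password_meets_policy(password: str) -> bool:
    """Device-side check run when the user picks a passcode: minimum length plus a
    minimum number of digits and capital letters."""
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    return (len(password) >= MIN_PASSWORD_LENGTH
            and digits >= MIN_PASSWORD_DIGITS
            and upper >= MIN_PASSWORD_UPPER)


@dataclass
class DeviceReport:
    device_id: str
    platform: str
    password_compliant: bool   # the device's own answer from password_meets_policy
    failed_attempts: int


def evaluate_device(report: DeviceReport) -> dict:
    """Return the actions the server would take and the policies the platform cannot enforce.

    An unsupported policy is recorded as excluded instead of being silently treated as
    satisfied, so an admin can see which devices are weaker than the policy set (the
    point Garcia makes about phones that don't support some policies).
    """
    supported = SUPPORTED_POLICIES.get(report.platform, set())
    actions, excluded = [], []

    if "max_failed_attempts" in supported:
        if report.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Wiping is itself a capability the device must support; otherwise the
            # best the server can do is cut the device off (assumption).
            actions.append("remote_wipe" if "remote_wipe" in supported else "block_access")
    else:
        excluded.append("max_failed_attempts")

    if "password_complexity" in supported:
        if not report.password_compliant:
            actions.append("require_password_change")
    else:
        excluded.append("password_complexity")

    if "remote_wipe" not in supported:
        excluded.append("remote_wipe")

    return {"device_id": report.device_id, "actions": actions, "excluded": sorted(set(excluded))}


if __name__ == "__main__":
    fleet = [  # constructed reports
        DeviceReport("ios-1", "ios", True, 10),
        DeviceReport("and-1", "android", False, 12),
        DeviceReport("wp-1", "windows_phone", True, 10),
        DeviceReport("old-1", "other", True, 3),
    ]
    for r in fleet:
        print(evaluate_device(r))
```

Running the block prints one line per device; the Android report shows a password action but no wipe despite 12 failed logons, because in this constructed matrix Android lacks the failed-attempts policy, which is exactly the kind of gap an admin would want surfaced rather than hidden.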
Some Android vendors also are using device management to make their smartphones and tablets more attractive to enterprises. For example, Samsung’s SAFE* supports EAS plus many other policies that bring Samsung SAFE devices on par with iOS devices.
“Android is open source, so vendors can expand Android with their own management frameworks, which is creating a more fragmented marketplace,” Garcia said. “With everybody else adding their own stuff, it’s more difficult for enterprises to support Android than it is for them to support iOS.”
Why Exchange ActiveSync?
Arguably the biggest benefit of EAS is its wide support by both enterprises and device vendors.
“Most companies already have an Exchange server, so you can use that to set your policies or you can use SCCM, Windows InTune, or something else,” Garcia said. “EAS provides adequate security for basic service.”
However, EAS isn’t a perfect tool. For example, it doesn’t put an agent on the device, so the IT department can’t use it to track roaming and other usage, to detect a jailbroken device, or to manage applications.
“A jailbroken phone can behave normally and trick the Exchange server into thinking it is encrypted and can be remote wiped when it really can’t,” Garcia said. “That’s why this is a basic, don’t-trust-your-golden-eggs solution because it can be circumvented.”
The InTune Alternative
EAS isn’t the only Microsoft management solution that spans a wide variety of devices. SCCM, for example, manages MacBook* and Windows devices, as well as mobile devices through ActiveSync, but it’s effective only for ActiveSync policies.
Another option is Windows InTune, which is essentially a cloud-based version of SCCM with fewer bells and whistles. Hosted by Microsoft in Azure, InTune can be used to manage PCs, and it can be linked to Exchange ActiveSync. But unlike SCCM, InTune provides more policy-management options for Windows RT and iOS by going beyond what’s available through EAS, such as controlling native device settings. For Android, InTune can set only EAS policies.
“InTune provides direct management for Windows Phone 8, Windows RT, and iOS, which means policies can be set on these devices without requiring an Exchange server,” Garcia said. “That’s an important differentiation. Microsoft has made it easy to use both Windows InTune and SCCM 2012 SP1 by providing a single admin console that IT can use to look at both tools and manage all their devices.”
Enterprises can use InTune to manage non-domain-joined PCs, which are PCs that don’t regularly connect to the corporate network and are not managed with Group Policy Objects. The IT department sends a link to users so they can download and install the InTune agent on the PC. Once the agent is installed, the user configures it to communicate with InTune to facilitate tasks such as deploying updates, patches, and applications, and running malware scans. Although an enterprise can do these kinds of tasks with a tool such as SCCM, SCCM requires the device to be connected to the corporate network. With InTune, these tasks can be done over any Internet connection, wired or wireless, without requiring a connection to the corporate network.
“The devices don’t have to use a VPN to access the corporate network for IT to see and manage those devices,” Garcia said.
Another potential draw is pricing: InTune runs USD 6.00 per user per month for up to five devices, or USD 11.00 with Software Assurance.
“One of the benefits that Software Assurance gives you is the ability to upgrade to Windows 7 or Windows 8 Enterprise from Windows 7 Professional or Windows 8 Pro,” Garcia said. “InTune can manage any combination of Windows Enterprise, Ultimate or Professional versions (XP SP3, Vista, 7 or 8), Windows RT, Windows Phone, iOS, and Android devices.”
InTune’s ability to manage Windows RT is particularly valuable because it’s the only way for enterprises to set that OS’s native policies.
“No other MDM vendor has access to those policies,” Garcia said. “Windows RT has a built-in management agent that communicates with InTune.”
InTune also enables enterprises to create an application portal with links to third-party apps in their respective stores. And the InTune portal provides access to custom corporate apps for Windows 8, iOS, and Android.
With the advantages that InTune offers, why would an enterprise choose SCCM for client management instead? One reason is that if an enterprise has a mix of Macs, Windows, Linux*, and Unix* systems, SCCM can manage all of them. Also, SCCM is better suited to manage domain-joined devices that frequently connect to the corporate network.
“SCCM has the ability to deliver applications in the best format for each device,” Garcia said. “It detects whether your device is Mac OS or Windows and then decides, based on policy, which application to deliver and how that application should be packaged.”
Windows 8 and Windows RT: What’s the Difference?
Windows 8 and Windows RT each have their own set of device-management requirements. Windows 8 is familiar ground for IT departments in terms of manageability because it essentially requires the same traditional PC management practices that IT has known for so long.
Windows RT runs on ARM* processors and cannot run legacy Windows applications, two attributes that make it fundamentally different from Windows 8. For example, because they’re not PCs, Windows RT devices don’t join an Active Directory domain, so only InTune can manage Windows RT devices through its MDM APIs.
“Today, only InTune can directly set the MDM policies for Windows RT without requiring EAS,” Garcia said. “Other MDM vendors can still set EAS policies and manage it that way, but that requires a connection to an Exchange server.”
In addition, Windows RT devices have certain capabilities that help make them acceptable as companion devices, including support for VPNs and virtual smart cards, as well as encryption enabled using a technology similar to BitLocker*.
Windows RT devices are pre-installed with Microsoft Office* 2013 Home and Student, which isn’t intended for corporate use. But if the employee has a primary PC with Software Assurance for Office, the Windows RT device’s suite legally can be used for work.
Mobile Device Management: One Size Doesn’t Always Fit All
Mobile Device Management (MDM) solutions typically are designed to span a device’s entire lifecycle, from provisioning to updates and eventual un-enrollment. Like other IT solutions, MDM products often are available for deployment on-premise and as a cloud-based offering.
In addition to the capabilities available in EAS, MDM provides control over other policies related to a particular device OS. MDM solutions also are user-friendly. For example, to begin the configuration process, the MDM server sends a link that the employee clicks.
MDM solutions typically install an agent on the device, unlike InTune’s agent-less architecture for mobile devices. The MDM agent provides a variety of services, such as serving as the portal to the app store, tracking usage for expense management, and detecting jailbreaks.
“One of the things about pure MDM solutions is that they are commoditized in the sense that an iPhone will look the same and has all the same capabilities no matter who’s managing it,” Garcia said. “The way they differentiate themselves, the difference between a top-notch MDM vendor versus a lower tiered one, is how quickly they go to market with new capabilities and how many of the mobile platforms’ capabilities they support.”
For example, each version of iOS has more security features than its predecessor. Some MDM vendors will roll out updates to support these new features faster than others. Another example is a vendor’s application management capabilities. Because most MDM vendors have similar device-configuration capabilities, they also differentiate themselves in the corporate application management space.
“Today we think of most of these solutions—LANDesk, Symantec, and BigFix—as PC management vendors,” Garcia said. “Right now their MDM solutions are add-ons, plug-ins, to their PC management solutions, but we think that’s temporary. Eventually they’re going to combine them and say, ‘This is part of your management solution.’”
MDM solutions have several features that can make them an attractive option for enterprises, government agencies, and other organizations.
“These solutions are fairly easy to deploy and easy to use,” Garcia said. “They’re also very scalable. For example, Intel IT deployed a third-party MDM solution internally, and with one server, they’re able to manage 100,000 phones. If you wanted to manage 100,000 PCs, you’re going to need several servers.”
To eliminate the need to code apps to make them work, MDM solutions take advantage of the phone’s native capabilities. They don’t require a domain join, and they can work over any Wi-Fi* or cellular connection, including while roaming.
MDM solutions implement policies device-wide rather than on an application-by-application basis. For example, a policy that disables the camera applies across the board to all applications, no exceptions. This implementation method can be an advantage or a disadvantage depending on whether an enterprise wants its corporate apps to be able to use the camera while blocking consumer ones such as Instagram* that can undermine security and productivity.
Device-wide implementation can be a problem for enterprises with BYOD programs if employees perceive the new rules as so onerous that they decline to enroll. Another risk for both BYOD and company-issued devices is that employees may look for ways to circumvent policies they perceive as heavy-handed, creating security risks in the process.
“Because of the nature of these phones—they’re heavily sandboxed—you do not have control over specific applications,” Garcia said. “You don’t know what each application is doing. There’s no logging.”
Enterprises can use MDM to uninstall apps, albeit indirectly, by using an MDM solution to create app blacklists on the server and then taking an inventory of the apps on each device. If the MDM solution detects an unauthorized app, a message is sent to the user telling him or her to uninstall the app on the device in order to retain access to email and other corporate resources.
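The indirect uninstall flow just described (server-side blacklist, app inventory per device, a message asking the user to remove the app to keep access) as an added example in Python. This is not code from the article or from any MDM product; the device inventories and blacklist entries are constructed, and the rule that access is suspended only when a blacklisted app is still present on a later inventory after the user was notified is an assumption about how such a server would behave, not something the article states.

```python
# Added example: blacklist check over per-device app inventories.
# Device records and blacklist entries are constructed; the "notify first, suspend
# on the next inventory" sequence is an assumption for illustration.
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    user: str
    apps: list                               # app identifiers from the latest inventory
    notified: set = field(default_factory=set)  # blacklisted ids the user was told about


def normalize(app_id: str) -> str:
    """Identifiers from different platforms arrive with mixed case and whitespace."""
    return app_id.strip().lower()


def find_unauthorized(apps, blacklist):
    """Blacklisted identifiers present in this inventory, sorted for stable output."""
    blocked = {normalize(b) for b in blacklist}
    return sorted({normalize(a) for a in apps} & blocked)


def process_inventory(device: Device, blacklist) -> tuple:
    """Return (messages_to_send, access_allowed) for one inventory run.

    First sighting of a blacklisted app: message the user; access is kept.
    Same app still present on a later run after notification: access is suspended
    (assumption). Apps removed since the last run stop counting against the device.
    """
    unauthorized = find_unauthorized(device.apps, blacklist)
    messages = []
    access_allowed = True
    for app in unauthorized:
        if app in device.notified:
            access_allowed = False
            messages.append(
                f"{device.user}: {app} is still installed; access to email and "
                f"corporate resources is suspended until it is removed")
        else:
            device.notified.add(app)
            messages.append(
                f"{device.user}: {app} is not permitted; uninstall it to retain "
                f"access to email and corporate resources")
    # Forget notifications for apps that are no longer present.
    device.notified &= set(unauthorized)
    return messages, access_allowed


if __name__ == "__main__":
    blacklist = ["com.example.game", "COM.EXAMPLE.FILESHARE"]   # constructed
    dev = Device("d-42", "alice", ["com.corp.mail", "com.example.game"])
    for run in range(3):
        if run == 2:
            dev.apps = ["com.corp.mail"]   # user removed the app before the third run
        msgs, ok = process_inventory(dev, blacklist)
        print(f"run {run}: access={'allowed' if ok else 'suspended'}", msgs)
```

The normalization step matters in practice: an inventory that reports `COM.EXAMPLE.GAME` while the blacklist holds `com.example.game` would otherwise pass the check, which is a quiet way for a control like this to stop working.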
MAM: More Flexibility and Granularity
The drawbacks to MDM highlight the need for an alternative: Mobile Application Management (MAM) solutions, which provide enterprises with more granularity and flexibility when it comes to managing apps. Like MDM, MAM solutions are available in on-premise and hosted versions.
“MAM solutions are used mainly for custom applications that the corporation developed,” Garcia said. “There are pure MDM and pure MAM solutions in the market. InTune could be considered a pure MDM solution, but the really good MDM vendors will differentiate themselves with some application management. And the really good MAM vendors will differentiate themselves with a little bit of MDM, as well.”
MAM vendors provide SDKs that their corporate customers use to add management capabilities to their in-house apps. This management code communicates with the MAM server, enabling the enterprise’s IT staff to control each of those apps individually or in groups. For example, the enterprise now can:
- Single out and log everything an employee does with a particular app instead of all of the apps on the employee’s device. That information can be useful for tasks such as ensuring regulatory compliance or assessing whether the money spent to create an app is paying off in terms of usage.
- Require a password for only certain apps. That flexibility is particularly valuable for companies with BYOD programs because it means employees are more likely to enroll in the program. “It allows corporations to separate the user persona from the corporate persona on the phones,” Garcia said.
- Identify which apps can access corporate resources or device features. “You can say, ‘You can view corporate documents only from within the corporate container, and any applications outside of that container cannot view those corporate documents,’” Garcia said. “Or you can say, ‘The applications within this corporate container cannot use the camera,’ without affecting other applications on the phone.”
The MAM SDKs also enable enterprises to identify which apps need VPN access. Selective access flexibility is useful in BYOD environments because it doesn’t make sense for, say, Facebook* or personal email to go through the VPN if only one app needs to use VPN to access corporate resources. Apps using VPNs use bandwidth, so requiring VPN access for only certain apps reduces the risk a device will exceed its monthly data limit.
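The difference between a device-wide MDM policy (the camera example earlier, where disabling it hits every app with no exceptions) and the container-scoped MAM policies in the list above (camera off only inside the corporate container, corporate documents readable only there, VPN only for the apps that need it) comes down to how a rule’s scope is resolved per app. The following added example, which is not code from the article or any MAM SDK, models that resolution with a constructed app list and constructed rule sets; the `scope` values and the “most restrictive applicable rule wins” tie-break are assumptions made for the illustration.

```python
# Added example: resolving capabilities per app under device-wide (MDM-style) and
# container-scoped (MAM-style) rules. Apps, rule names and the tie-break are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    corporate: bool   # True if the app is wrapped with the MAM SDK (inside the container)


@dataclass(frozen=True)
class Rule:
    capability: str   # "camera", "vpn" or "corporate_docs"
    allowed: bool
    scope: str        # "device": every app; "container": corporate apps only


# Constructed defaults when no rule applies: camera usable, no VPN, no corporate documents.
DEFAULTS = {"camera": True, "vpn": False, "corporate_docs": False}


def resolve(apps, rules) -> dict:
    """Map each app name to its resolved capabilities.

    A device-scoped rule applies to every app; a container-scoped rule only to apps
    inside the corporate container. If any applicable rule denies a capability the
    answer is False (assumption: most restrictive wins), otherwise an applicable
    allow makes it True, otherwise the default stands.
    """
    resolved = {}
    for app in apps:
        caps = {}
        for capability, default in DEFAULTS.items():
            applicable = [r for r in rules
                          if r.capability == capability
                          and (r.scope == "device" or app.corporate)]
            if any(not r.allowed for r in applicable):
                caps[capability] = False
            elif any(r.allowed for r in applicable):
                caps[capability] = True
            else:
                caps[capability] = default
        resolved[app.name] = caps
    return resolved


def vpn_apps(resolved) -> list:
    """Names of apps whose traffic is routed through the VPN (sorted)."""
    return sorted(name for name, caps in resolved.items() if caps["vpn"])


# Constructed app inventory: one consumer app, one personal mail client, one wrapped corporate app.
APPS = [App("instagram", False), App("personal_mail", False), App("corp_expenses", True)]

# MDM-style: one device-wide camera rule, so no app can use the camera.
MDM_RULES = [Rule("camera", False, "device")]

# MAM-style: rules scoped to the corporate container leave consumer apps alone.
MAM_RULES = [
    Rule("camera", False, "container"),
    Rule("corporate_docs", True, "container"),
    Rule("vpn", True, "container"),
]


if __name__ == "__main__":
    for label, rules in (("MDM device-wide", MDM_RULES), ("MAM container", MAM_RULES)):
        r = resolve(APPS, rules)
        print(label, r, "via VPN:", vpn_apps(r))
```

Under `MDM_RULES` every app loses the camera, including the corporate one, and nothing is routed through the VPN; under `MAM_RULES` only `corp_expenses` loses the camera, gains corporate-document access and goes through the VPN, while Instagram and personal mail keep the camera and stay off the VPN, which is the bandwidth and enrollment argument the text makes.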
In-app purchases are a concern for enterprises because it’s possible that, intentionally or not, unauthorized spending is expensed to the company. MDM solutions are a nightmare for developers that rely on revenue from in-app purchases because across-the-board blocking reduces their market. MAM lets enterprises make those kinds of decisions on an app-by-app basis.
“MAM vendors are starting to work with third-party app developers,” Garcia said. “The developer would embed these MAM APIs in their software so that corporations can take advantage of that. For example, a MAM vendor can say to the enterprise, ‘Deploy our solution, and then you can have corporate management over these applications that support our tools.’”
There are a few limitations, however.
“System applications can’t be wrapped, so you can’t wrap the native email client with a MAM vendor’s API,” Garcia said. “Graphically intensive apps can’t be wrapped with management code. MAM solutions also are more expensive and more complex because these applications offer more control.”
MAM or MDM? That’s just one of many choices that CIOs and IT managers will have to make now and over the next decade as the workplace continues its rapid pace of change.
NOTE: To ensure you have the most recent information on the products and technologies discussed in this article, visit the appropriate vendor’s web sites.