Mobility Management with Microsoft Exchange

January 19th, 2010 by Tony

In our last blog entry we gave an introduction to the different issues regarding mobility management.  Most company managers tend not to think about governance issues with mobile phones because it is very difficult to manage all of the different devices their organizations may have; however, your organization may already have a robust mobile management package without realizing it: Microsoft Exchange.

Microsoft first introduced integrated mobile messaging support in Exchange Server 2003. This provided Exchange customers with a low-cost, easy-to-manage mobile messaging solution as part of their Exchange deployments. Microsoft has continued this pattern with the subsequent releases of Exchange Server 2003 Service Pack 2 and Exchange 2007.

Advantages of Exchange Mobility

There are four key advantages to the implementation of mobile messaging in the Exchange Server product family:

  • Exchange mobility reduces costs. Support for mobile messaging is included as part of the server. There is no additional cost for this functionality. No additional server software is required, and users who are already licensed to use Exchange don’t need additional client licenses. Mobility management is integrated with the same familiar user, server, and system management tools that administrators already know how to use, so training and management costs are minimized.
  • Exchange mobility is highly scalable. Microsoft has carefully tuned Exchange Server 2003 and Exchange 2007 to provide industry-leading scalability. This tuning extends to the Exchange ActiveSync implementation, which provides efficient communications between client and server. Unlike other mobile messaging servers, which rapidly require the addition of more servers (both third-party mobile servers and core messaging servers) as the mobile user base expands, Exchange uses the same servers for mobility as it does for OWA and Outlook Anywhere.
  • Exchange mobility supports many different devices. Microsoft provides client support for Exchange ActiveSync in its own Windows Mobile operating system, and has licensed the Exchange ActiveSync protocol to other device and software manufacturers, including DataViz, Nokia, Palm, Apple, Google, and Symbian. This gives your company an even broader choice of device styles, types, sizes, and capabilities.
  • Exchange mobility provides policy and security enforcement. The Exchange ActiveSync protocol includes tools for policy and security management, including remote device wipe, password strength and age restrictions, and password-based device locking and lockout. The EAS protocol delivers policies to the device, where device-based software can enforce and control them.

Direct Push

The versions of EAS supported in Exchange Server 2003 Service Pack 2 and Exchange 2007 use a significantly different technology called Direct Push to synchronize with mobile devices. Direct Push uses a client-created HTTPS connection to the server. The mobile device creates a connection and keeps it open for a duration known as the heartbeat interval, sending an initial synchronization request when the connection is opened. The server can then take several synchronization actions.  The great thing is that the mobile device is not constantly checking the server for items; the server only pushes items to the device when they are available.  This keeps the device battery from running down.
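The heartbeat behaviour described above can be observed from the server side. The PowerShell script below is an added example and is not part of the original post or of Microsoft's tooling: it reads the IIS W3C log of the Exchange ActiveSync virtual directory, keeps only the Cmd=Ping requests that make up Direct Push cycles, and reports the median gap between consecutive Pings for each device. The log path, field list and sample log lines are constructed for the example; the heartbeat interval itself travels in the Ping request body rather than the query string, so the gap between Pings is an approximation of it.

```powershell
# Added example (not from the original post): estimate the Direct Push heartbeat each device is
# actually achieving from the Exchange ActiveSync virtual directory's IIS log. Every Direct Push
# cycle is an HTTPS POST with Cmd=Ping, so the gap between consecutive Pings from one device
# approximates the heartbeat it negotiated. A device with very short gaps is usually behind a
# firewall/NAT whose idle timeout drops the long-lived connection, which defeats the battery
# saving described above.
# Assumptions: the log path, the field list and the sample lines are constructed for this example.

$LogPath        = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex100119.log'   # assumed path, not read below
$ShortHeartbeat = [TimeSpan]::FromMinutes(5)                           # alert threshold chosen here

# Constructed sample of W3C log lines (used instead of reading $LogPath so the script runs offline).
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2010-01-19 08:00:00 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=WM1&DeviceType=PocketPC&Cmd=Ping alice 203.0.113.7 200
2010-01-19 08:15:00 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=WM1&DeviceType=PocketPC&Cmd=Ping alice 203.0.113.7 200
2010-01-19 08:30:00 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=WM1&DeviceType=PocketPC&Cmd=Ping alice 203.0.113.7 200
2010-01-19 08:00:00 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=WM2&DeviceType=PocketPC&Cmd=Ping bob 198.51.100.9 200
2010-01-19 08:02:00 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=WM2&DeviceType=PocketPC&Cmd=Ping bob 198.51.100.9 200
2010-01-19 08:04:00 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=WM2&DeviceType=PocketPC&Cmd=Ping bob 198.51.100.9 200
2010-01-19 08:05:00 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=WM2&DeviceType=PocketPC&Cmd=Sync bob 198.51.100.9 200
'@ -split "`r?`n"

function Get-PingIntervals {
    param([string[]]$Lines)
    $fields = $null
    # Parse the W3C format: the '#Fields:' directive names the columns of every data line.
    $rows = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        if (-not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Only Direct Push cycles; other commands (Sync, FolderSync, ...) are ignored.
        if ($row['cs-uri-query'] -notmatch '(^|&)Cmd=Ping(&|$)') { continue }
        $deviceId = if ($row['cs-uri-query'] -match 'DeviceId=([^&]+)') { $matches[1] } else { 'unknown' }
        [pscustomobject]@{
            DeviceId = $deviceId
            User     = $row['cs-username']
            Time     = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss', $null)
        }
    }
    # Per device: sort the Ping timestamps and take the median gap between consecutive Pings.
    foreach ($group in ($rows | Group-Object DeviceId)) {
        $times = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        if ($times.Count -lt 2) { continue }
        $gaps   = for ($i = 1; $i -lt $times.Count; $i++) { $times[$i] - $times[$i - 1] }
        $sorted = @($gaps | Sort-Object)
        $median = $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
        [pscustomobject]@{
            DeviceId        = $group.Name
            User            = ($group.Group | Select-Object -First 1).User
            Pings           = $times.Count
            MedianHeartbeat = $median
            ShortHeartbeat  = ($median -lt $ShortHeartbeat)
        }
    }
}

# Analyse the constructed sample; replace with (Get-Content $LogPath) to analyse a real log.
Get-PingIntervals -Lines $SampleLog | Format-Table -AutoSize
```

In the sample, WM1 shows a steady 15-minute heartbeat while WM2 is re-polling every two minutes and is flagged. A device whose median gap sits far below the rest of the fleet is usually behind a firewall or NAT that drops idle HTTPS sessions before the heartbeat expires; the device then settles on a shorter heartbeat and the battery benefit described above is lost, so the thing to fix is the idle-session timeout on the path to the Client Access server, not the device.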

Device Security Policy

Exchange Server has the capability to create security policies that are delivered to the client device through Exchange ActiveSync. The device implements the policy and takes action when it receives the policy information from the server. Different devices have differing levels of support for EAS policies, which can specify several aspects of device security:

  • Whether or not a device must be locked with a personal identification number (PIN).
  • The minimum length of the PIN.
  • Whether the PIN can be numeric-only or alphanumeric.
  • Whether failed PIN entry attempts should trigger a local device wipe.
  • How often policy settings are reapplied to the device.
  • Whether data on the device must be encrypted.
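As an added example (not code from the original post or from Microsoft), here is how those six settings map onto an Exchange ActiveSync mailbox policy in the Exchange Management Shell, assuming Exchange 2007 SP1 or later for the RequireDeviceEncryption setting. The policy name, the organizational unit and every threshold value are choices made for the example, not product defaults.

```powershell
# Added example, not code from the original post or from Microsoft. Exchange Management Shell,
# Exchange 2007 SP1 or later assumed (RequireDeviceEncryption). Policy name, OU path and all
# threshold values below are choices made for this example.

$PolicyName = 'Corporate Handheld Policy'   # assumed policy name

# Splatting keeps one setting per line so each maps to one bullet in the list above.
$PolicySettings = @{
    Name                               = $PolicyName
    DevicePasswordEnabled              = $true          # device must be locked with a PIN
    MinDevicePasswordLength            = 6              # minimum PIN length
    AlphanumericDevicePasswordRequired = $false         # numeric PIN allowed; $true demands letters too
    MaxDevicePasswordFailedAttempts    = 8              # local wipe after this many failed PINs
    DevicePolicyRefreshInterval        = '24:00:00'     # device re-fetches the policy once a day
    RequireDeviceEncryption            = $true          # data on the device must be encrypted
    MaxInactivityTimeLock              = '00:15:00'     # lock after 15 minutes of inactivity
    DevicePasswordExpiration           = '90.00:00:00'  # PIN age limit: 90 days
    DevicePasswordHistory              = 5              # last 5 PINs cannot be reused
    AllowNonProvisionableDevices       = $false         # refuse devices that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @PolicySettings

# Read the policy back to confirm the values took effect.
Get-ActiveSyncMailboxPolicy -Identity $PolicyName |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength, AlphanumericDevicePasswordRequired,
                MaxDevicePasswordFailedAttempts, DevicePolicyRefreshInterval, RequireDeviceEncryption,
                AllowNonProvisionableDevices

# Assign the policy to every mailbox in an OU (assumed OU path). Each device receives the policy
# on its next synchronisation.
Get-Mailbox -OrganizationalUnit 'contoso.com/Sales' -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $PolicyName

# Check: mailboxes that may use ActiveSync but have no policy assigned at all.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

The last setting is the practical answer to the differing levels of policy support mentioned above: with AllowNonProvisionableDevices left at $true, a client that cannot apply the policy still synchronizes, and none of the settings are enforced on it. The final query is the check to run after assignment, because an ActiveSync-enabled mailbox with no policy syncs with no device restrictions at all.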

Local and Remote Device Wipe

When a mobile device is lost or stolen, the potential risk can be significant. Mobile devices often contain sensitive business data, including personally identifiable information of employees and customers, sensitive e-mail messages, and other items whose compromise can have a negative impact. Exchange ActiveSync addresses this risk by providing two levels of device wipe capability.

Local device wipes are triggered when a user incorrectly enters a PIN more than a specified number of times (the policy default is 8 times, but the administrator can adjust this value). After every two failed attempts, the device displays a confirmation prompt that requires the user to type a confirmation string (usually “A1B2C3”). This prevents the device from being wiped by accidental key presses. Once the PIN retry limit is reached, the device immediately wipes itself, erasing all local data.

Remote wipes occur when the administrator issues an explicit wipe command through the Exchange Mobile Admin tool; in Exchange 2007, users can also issue wipe commands for their own devices from within Outlook Web Access. Remote wipe operations are separate from local wipes, and a device can be wiped remotely even if EAS policies are in use. The device user doesn’t have the ability to opt out of the remote wipe. Wiping the device remotely has the effect of performing a factory or “hard” reset; all programs, data, and user-specific settings are removed from the device.
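The remote wipe from the shell side, as an added example that is not part of the original post: the sequence an administrator works through in the Exchange Management Shell (Exchange 2007) when a user reports a lost device, from identifying the right partnership to confirming that the device acknowledged the wipe. The mailbox and the notification address are assumed values.

```powershell
# Added example, not from the original post: lost-device handling in the Exchange Management
# Shell (Exchange 2007). The mailbox and notification address are assumed values.

$Mailbox  = 'alice@contoso.com'      # assumed: the user who reported the loss
$NotifyTo = 'helpdesk@contoso.com'   # assumed: receives a mail when the device acknowledges the wipe

# 1. List every device partnership on the mailbox. Users often have more than one (an old phone,
#    a second device), so identify the lost one by type, friendly name and last sync time rather
#    than wiping everything.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox
$devices | Format-Table DeviceType, DeviceFriendlyName, DeviceId, LastSuccessSync, DeviceWipeSentTime -AutoSize

# 2. Select the lost device. For the example: the partnership that synced most recently
#    (an assumption; in practice confirm the DeviceId with the user or the asset inventory).
$lost = $devices | Sort-Object LastSuccessSync -Descending | Select-Object -First 1

# 3. Issue the remote wipe. This queues the request on the server; the device performs the hard
#    reset the next time it connects, so a device that stays offline is not wiped until it does.
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses $NotifyTo -Confirm:$false

# 4. Verify. DeviceWipeSentTime is set once the request has been sent to the device;
#    DeviceWipeAckTime appears only when the device reports that the wipe completed.
Get-ActiveSyncDeviceStatistics -Identity $lost.Identity |
    Format-List DeviceId, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 5. After the acknowledgement, remove the partnership so the record does not linger, and have the
#    user change the account password, since the lost device held the credentials.
# Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

The distinction between steps 3 and 4 is the one that matters in an incident: the wipe command succeeds immediately, but the data is only gone once DeviceWipeAckTime is populated, and until then the account password is the only control that actually cuts the device off from the mailbox.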

Conclusion

Mobile devices offer a powerful way for people to be more productive and flexible in how they work. Microsoft Exchange Server provides powerful, built-in mobile messaging capability that includes security policy management, device lockout and wipe, and full synchronization for calendar, contact, task, and e-mail data. With a broad array of licensees who support the Exchange ActiveSync protocol, your organization can find the right form factor and capability of mobile device for its needs, all supported by the mature, reliable Exchange Server product line.

Mobility Management Introduction

November 17th, 2009 by Tony

Before we even begin, let’s start with this as fact: email IS corporate-sensitive information.  Not buying it?  What if you were visiting a prospective client who you knew was also looking at your competition.  A person working at the client happens to be a friend of one of the competitors (or is getting paid).  You set your mobile device down and this person swipes it.  You would probably think you lost it.  Would you feel comfortable with your competitor looking at your emails or your calendar?  What if one of your employees loses a phone at a bar?

That’s just email.  What if you have applications with mobile databases on the device?  Financial statements?  Company documents?  The list goes on and on.  It is easy to see how sensitive that device becomes and the increasing need to manage it.  With that in mind, we lead into mobility management.

As far as I am concerned, mobility management – if you look at it holistically – includes:

  • Requirements assessment
  • Business and IT policy creation
  • Device procurement…which ties into
  • Device provisioning…which ties into
  • Device management…which ties into
  • (Custom) Application development…which ties into
  • Application management
  • Service management
  • Security management
  • Expense management
  • End-user support
  • Help Desk / Remote Access
  • Device replacement
  • Data back up

This sounds like a lot, and it is.  Depending on the size of your company and the nature of the data, some of these items are unnecessary.  The point is that handing an unmanaged phone to an employee and allowing them to access corporate data is not very secure.  You would not allow that kind of access with a PC.

Let’s revisit our scenario from above.  Did you know, if your company uses a Microsoft Exchange Server for email, that you can wipe out all of the data on your device from your Outlook Web Access system?  This is device management.  Did you know that you can require a PIN to be entered whenever your phone “wakes up” so only you can look into the phone?  This is security management.

We have only touched the surface.  In future blogs, we will explore these items individually and judge the impact each has on your business.  At the end of the day, companies need to find a balance in terms of how they support devices.  They have to make a decision around what extent they will cover and support the devices and service.  There’s no right answer and there’s no wrong answer (except having no answer at all).

Uh, which phone should I use?

August 24th, 2009 by Tony

That’s probably the first question a manager asks themselves when thinking about enterprise mobility.  Of course, like all other things mobile, it raises a lot more questions.  You should ask yourself these:

  • What is the nature of the application I want to deploy?  Is it email, IM, and PIM (calendar, contacts, etc.)?  Is it only voice (call, PTT, etc.)?  Do I want to push out backend corporate data?  Do I want to extend a current application?  Any combination or all of the above?
  • Who is going to use the mobile application?  Do they already have a corporate mobile device?  Do they have their own personal device?  Are they comfortable with technology?
  • Where is the mobile application going to be used?  Is it possible the device may be dropped?  Do I need a ruggedized device?  Or do I get non-ruggedized phones real cheap and simply replace them if they get damaged?
  • What features does the device require?  Does it need GPS?  Camera? Barcode scanner?  Does it need to be connected to a network at all times?  Just some of the time?
  • What is my budget to accomplish all of this?

Who wants to stick their neck out, throw a dart, and hopefully create a successful mobile application that pays for itself in a year or two?  Relax; it’s not as daunting as you think.  Like all IT decisions there are trade-offs with every solution; but by answering the questions above, you have already completed much of the requirements gathering.

Once you get a handle on those issues, the major consideration is whether to use your employees’ personal phones or to purchase a corporate phone for everyone to use.  There are easy-to-see benefits in both choices.  With a standard corporate phone, you can choose a single mobile OS that best fits your applications, data requirements, and policy requirements.  You can probably work out a good deal with one of the mobile carriers to get corporate pricing.  By incorporating individual phones, you give your employees a device they’re already comfortable with, and with little or no budget outlay from you.

The drawbacks are basically the inverse of the benefits.  Corporate phones will require a budget outlay, and you may have to buy a bunch of them.  Using personal phones means multiple operating systems, which means you either have to develop or purchase applications that run on multiple platforms and absorb the cost of that.  Device management of personal phones becomes a much bigger issue, since you will only want to encrypt and/or wipe out corporate data.

If you determine you need ruggedized or specialized devices, your choice is easy.  You will need to buy them.  If you are only deploying email, IM, and PIM, let your employees use their own phones.  They probably already are, but you should think about management of corporate-sensitive emails.  The gray area is when you start deploying line-of-business applications.  We will address that in the future.

Enterprise Mobility Introduction

August 24th, 2009 by Tony

This is my first post in what I hope to be an entertaining and informative series of thoughts and observations.  Let me use this post to explain what the blog will be about.  I will typically focus on how mobility affects businesses.  This usually falls under the umbrella of enterprise mobility.

Whether you know it or not, your employees (and probably you) are using mobility.  You are communicating with your co-workers on their mobile devices, and they are probably finding some way to read their corporate email on their devices.  The primary questions are: how can you make this profitable for your business, and how can you control it?  Don’t let the term “enterprise” make you think this is only about Fortune 500 companies.  A small HVAC firm with five workers in the field can realize a high ROI by implementing a mobile solution!

I will cover a multitude of issues about the benefits, pitfalls, and latest news surrounding enterprise mobility.  This can range from how mobility affects GRC (Governance, Risk, Compliance) policies, to how the latest iPhone game is making your employees less productive, and, as a mobile technology manager and developer myself, how the heck do I develop for and manage all the current mobile platforms!

Let’s end this post by identifying three core types of corporate mobility initiatives:

Transform The Business — There’s an opportunity for enterprises to use mobility to completely redefine their businesses. However, this entails risk, as customers may be unwilling to accept major business changes, and, in today’s economy, may have to wait.

Grow The Business — These are role-specific mobile applications such as field-force automation, sales force automation, and logistics, which offer good ROI even in a recession.  Enterprises should look for solutions that involve low or zero capital expenditure funding, such as Software as a Service (Salesforce.com?).  Field Force Automation and other mobile business solutions achieve ROI by redefining the business process, by changing the way people work; they will typically deliver ROI in a year or less.

Run The Business — These are options such as wireless connectivity in laptops and mobile email.  The deployment of solutions such as 3G data cards and wireless email can be done at fairly low cost, albeit with modest ROI.  On the plus side, these can open up links to other corporate initiatives such as remote working/telecommuting and disaster recovery.

I know you are probably thinking of all the reasons why you wouldn’t want to jump into this pool, but I hope you will continue to check back and see why it is a good idea.