3 Keys For Preparing Users
By Tim Josephson
It's hard to ignore all the cool new features offered by today's smartphones, especially if you are a multi-tasking mobile warrior who would rather give up food and water than your trusty wireless sidearm.
Hold the phone, though! Despite the flexibility, freedom and thin client capabilities of these handheld marvels, smartphones used within an enterprise can create significant headaches for mobile administrators if effective policies and user training are not in place to keep a management eye on all those widgets and mobile apps.
"As users expect greater functionality from their devices beyond telephony, we believe the converged mobile device [smartphone] market to grow faster than the overall mobile phone market," says IDC research analyst Ramon Llamas in a late 2009 report. He notes that 43.3 million of these devices were shipped worldwide during Q3 2009. Mobile subscribers worldwide are expected to total 5.9 billion by 2013, says Infonetics Research.
Meanwhile, more than half the companies in the U.S. have banned or restricted workers from using such social networking sites as Twitter, LinkedIn and MySpace while on the job, according to a 2009 survey by Robert Half Technology, a staffing company. Enforcing these rules may be tough when you consider that smartphones are being used as your windows into cyberspace and can be quietly slipped into even the most sensitive meeting.
Fortunately, there are steps you can take to properly train and prepare your users.
> Package configurations changes and updates. Most smartphones can be configured and managed over the air (OTA), otherwise it would create a logistics nightmare for a company with hundreds or thousands of deployments. To make the job easier, it is a good idea to package configuration changes or procedures into configuration service modules that relate to groups of functions. For example, you can create a group that focuses just on browser management and another than maintains connection types and email (establishing restrictions for Wi-Fi hot spot access, for example).
> Force a user's hand. When configurations or policies are changed via OTA updates, it usually requires users to reboot their smartphones. The problem is that rebooting may take a phone offline for several long minutes (as is the case with the BlackBerry). This means that many employees may wait until late at night to reboot and update their systems to avoid missed calls and lost opportunities. Unfortunately, this means the smartphone is not up to speed with the latest mobile management policies. The solution is to lock the system until a response is received and the update applied. It may be annoying to the user, but much better than having a loose mobile cannon and possible security breach.
> Cover your assets. Deploy a mobile asset management and audit tool that routinely checks the status of a device, including the presence of any additional storage and unapproved applications. It's expected that people will store a few family photos and insert next week's dentist appointment into their mobile calendar (hopefully in personal mode), but an audit will pinpoint the presence of a peer-to-peer music sharing application or perhaps an active FaceBook account and allow managers to block their use before they create a problem.
> Add muscle to the honor system. Everyone wants to play by the rules, but it still may be advisable to prevent certain applications from installing or ever executing on smartphone. This is done by signing applications or .cab files with a certificate that must be verified by the application loader. You can even apply two execution modes to the device: Privileged and unprivileged. A privileged execution has access to all application programming interfaces (APIs) whereas unprivileged does not have access to some APIs such as some SIM functions. Most applications will execute and run in the unprivileged mode.
> Hold your cards. Removable compact flash (CF) or secure digital (SD) cards can be used to store applications and sensitive data, creating a security risk if a device is lost or stolen. The best solution is to ban the use of these cards altogether. Some companies have even gone as far as to seal the outside card slot with glue to avoid inserting a removable CF/SD card. A less extreme alternative is to disable the slot entirely, and be sure internal cards are secured with passwords and encryption.
> Be Web and security savvy. These devices are smart, highly capable and can do most everything a desktop or notebook computer can do over a wide range of networks and from outside the protective bubble of a corporate firewall or remote VPN. It is critical to apply standard SSL Web security, and keep in mind the three 'As' of mobile management: Authentication, authorization and accountability.
> Train your staff on using mobile devices. Let them know what is (and what is not) allowed in terms of applications and on-board software. You may not want all of your smartphone users to subscribe to an online navigation service such as VZ Navigator due to cost implications. You may want to make it clear than mobile social networking and applications that track your whereabouts and broadcast that information to the world are not sanctioned. Better to keep such apps on a personal cell phone and away from an entry point to the corporate data resources.
> Establish clear cut rules. Create a formal guideline regarding the use of smart phones within your organization, and integrate it as part of a mobile management plan. Are they totally restricted? Can they only be used for voice calls and internal email access? Many companies elect to selectively disable some of the internal features of smartphones, such as the built-in camera, or even block use within specific areas of a company.
> Develop a list of approved smartphone devices. The systems on this list should be in line with your security rules and the capabilities of your internal support and help desk staff. This means avoiding some of the fast and fancy devices that seem to debut every week, and looking carefully at devices -- such as the iPhone -- that are easily linked to your corporate VPN, but may be a little too applications-rich to eliminate any potential security problems.
> Prioritize the use of smartphones. Be sure to match system capabilities and functions to job responsibilities and management levels. If someone only needs a device for voice and email, then don't offer a device that has enough computing power to satisfy a third world country.