Mobility madness: Managing mobile devices

Today's smart phones are less about ring tones and more about extending your corporate applications well and truly into the field. Say goodbye to the deskbound worker -- and hello to a potential data and security nightmare, warns David Braue.



Starting to plan for 2007? You may want to add antivirus software for your users' mobile phones to your to-do list.

Yes, mobile phone antivirus. Late that year, according to a recent Gartner research note, is the earliest we can expect to see mobile phone and PDA viruses -- named as one of today's five most overhyped security threats -- actually come to fruition. For now, according to vice president and research fellow John Pescatore, mobile antivirus products are simply a waste of your time and money.

"The anti-viral industry sees cell phones as the way to grow sales outside of a flat, commoditised PC market," Pescatore wrote. "However, device-side antiviruses for [mobile] phones will be completely ineffective. The most effective approach to blocking mobile malware will be to block it in the network."

Mobile phone viruses certainly exist -- the first, the SymbOS/Cabir worm, appeared in June 2004 and uses Bluetooth communications to spread between Nokia 60 series phones running the Symbian operating system. However, current low adoption of smart phones, limited use of wireless messaging and low levels of interoperability between mobile operating systems mean there is simply no way they could repeat the pandemics of the Slammer or MSBlaster style attacks that proved so fatal to conventional PCs.

By year's end, Gartner predicts, only 10 percent of customers will have smart phones or PDAs with always-on wireless capabilities. This should grow quickly, particularly as Australia's unquenchable hunger for modern mobiles pushes smart phones into the mainstream. IDC Australia recently noted that shipments of traditional pen-based PDAs had dropped 26 percent in the first quarter of this year, but that smart phones accounted for 89 percent of the total market and were growing at an extremely healthy rate.

HP, Research in Motion (maker of Blackberry handhelds), PalmOne, O2, and Sony Ericsson dominated, each having more than 10 percent of the overall market. Symbian dominated the market with 72 percent share, while Microsoft's Windows Mobile operating system had 17 percent, and PalmOS matched proprietary solutions with five percent of the market each. Such a top-heavy market will give hackers two very common targets at which to direct malicious code.

Whichever way the operating system spread changes over time, it's a safe bet that within a few years PDAs, smart phones, or wireless mobile terminals dedicated to specific functions will have taken on significant roles for employees in every part of your business. Just because they may be safe from viruses now does not mean their security and management implications can be ignored. On the contrary, you should take it as a blessing that you have a two-year grace period to implement your mobile solutions and prepare for any coming threat.

The disconnected node
The much hyped security risk of mobile devices reflects a similar story that was heard continually as notebook shipments rapidly grew to challenge those of desktops over the past decade. In an era where workers expect access to their corporate information wherever they travel, it is rare to find a company that still hasn't equipped its knowledge workers with notebooks. Many have all but done away with desktops, preferring to give their workers the ability to take their information with them where they need it.

Because they are more or less technologically identical to desktop PCs, existing methods of managing PCs -- usually involving communication between a central asset management server and tiny agent applications running on the device -- have been extended to notebooks with considerable success.

The one major difference: notebooks may not be connected to the corporate network for days or weeks at a time, and even then they may not stay attached long enough for new software updates to be fully downloaded. Travelling employees may only connect sporadically from the field, and often over slow dial-up connections that will simply not be able to carry the many megabytes typically required for a software update.

"You don't want to be sitting in a hotel room at night dialling into my e-mail system back at the office and suddenly find that you've got a 50MB patch set being pushed down to me because somebody in IT thought it was a good idea to push this out to everyone at this point in time," says Computer Associates principal consultant for enterprise management Rob Crutchley.

For remote device management software, the answer to this problem has been patience. Contemporary management platforms automatically detect how much bandwidth is available to a mobile user, progressively downloading updates in small chunks whenever the opportunity arises. If the user is busy checking e-mail or surfing the Web, the update application simply backs off to free up precious bandwidth. Once the user passes through the office and can connect using the faster wireless LAN, opportunistic management applications up the throttle to finish the job.
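The trickle behaviour described above, sketched as an added example (not code from the article or from any vendor it names): the updater backs off while the user is active, resumes at its saved offset on the next connection, and installs only once the reassembled package matches the hash in the server's manifest. The 128 kbps cut-off, the link shares and all names are assumptions made for illustration.

```python
import hashlib

SLOW_LINK_KBPS = 128   # assumed cut-off between dial-up/GPRS and LAN-class links


def chunk_budget(link_kbps, user_active):
    """Bytes the updater may pull in a one-second window."""
    if user_active:
        return 0                       # back off: the user's mail and web traffic wins
    share = 50 if link_kbps < SLOW_LINK_KBPS else 90   # percent of the link (assumed)
    return link_kbps * 1000 // 8 * share // 100


class TrickleUpdate:
    """Client-side state for one package; it survives between connections."""

    def __init__(self, size, manifest_sha256):
        self.size = size
        self.manifest_sha256 = manifest_sha256   # taken from the server's manifest
        self.buf = bytearray()

    def complete(self):
        return len(self.buf) == self.size

    def safe_to_install(self):
        # A partial or altered package must never reach the installer.
        digest = hashlib.sha256(self.buf).hexdigest()
        return self.complete() and digest == self.manifest_sha256


def run_session(update, server_blob, windows):
    """Resume at the saved offset; windows is [(link_kbps, user_active), ...]."""
    fetched = 0
    for link_kbps, user_active in windows:
        offset = len(update.buf)
        budget = min(chunk_budget(link_kbps, user_active), update.size - offset)
        chunk = server_blob[offset:offset + budget]
        update.buf += chunk
        fetched += len(chunk)
    return fetched


# Constructed sample: a 200 KB package and its manifest hash.
PACKAGE = bytes(range(256)) * 800
MANIFEST = hashlib.sha256(PACKAGE).hexdigest()

if __name__ == "__main__":
    upd = TrickleUpdate(len(PACKAGE), MANIFEST)
    hotel = [(56, False), (56, True), (56, False)]   # dial-up, user busy in window 2
    print(run_session(upd, PACKAGE, hotel), upd.safe_to_install())
    office = [(11000, False)]                        # wireless LAN in the office
    print(run_session(upd, PACKAGE, office), upd.safe_to_install())
```
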

"A laptop is effectively a networked device connected to a LAN one day, and the next day it's a mobile device," says Dale Dixon, product line manager with remote management vendor ManageSoft. "That's where the dynamic nature of mobile devices becomes important. An administrator shouldn't need to care [what devices are connected and how]; the administrator should just be able to say 'I want to roll this application out to a group of users, and the technology should be able to deal with it'."

Portable devices, however, change the nature of the challenge significantly. Mobile phones are constantly connected via the GPRS service of ubiquitous GSM mobile networks, a fact that Blackberries and their many clones have built upon to produce always-connected wireless data terminals.

GPRS, however, is still slow and expensive -- meaning that even though devices may be connected to the corporate network, they have less bandwidth than a notebook would over a dial-up connection. This makes it tricky to push large software updates out to phones that are looking less like phones and more like miniature remote desktops every day.

Coming 3G mobile networks will make transferring data faster and allow management tools to address mobiles like any other IP end point. However, like any other end point these mobile devices will still need to be managed more and more like conventional desktops. True to its desktop roots, for example, Microsoft Windows Mobile 5.0 includes features for pushing image updates to remote devices, which download the new code at a trickle. Yet allowing each device to manage itself, without a central record of each device's status and licensing requirements for installed applications, is a recipe for disaster.

To this end, traditionally desktop-focused management platforms such as ManageSoft, Novell ZENworks, and others have recently been given features specifically for managing mobile devices. Such platforms can track configuration of mobile devices, notebooks, and desktops through a single interface; enforce a range of standard operating environments (SOEs) based on each user's profile and privileges; and drip-feed updates to remote devices based on the bandwidth available to them.

The whole world in your hand
Growth of mobile devices is being driven by recognition that they provide a robust platform for letting mobile staff store, manipulate, and create data during interactions with customers or equipment in the field. In the case of notebooks, this data could be anything typically found on a desktop or server; in the case of specialised mobile devices, the data is likely to be a more narrowly focused subset of the enterprise data.

In some visions of mobile computing, after all, wirelessly connected devices are little more than remote terminals using thin-client technology to display application screens and data being generated on servers that could be half a world away.

Such stateless devices are, however, unlikely to hinder the use of mobile devices for increasingly important tasks such as creating records of field activities. Such applications introduce a new problem: while many handheld devices are often connected wirelessly to the corporate network, applications can't take connectivity for granted. Mobile applications need to be built with enough self-sufficiency that they can operate even without any network connectivity, then dump the new data to more permanent server storage whenever a connection is available.

Such is the approach of Kevah, a mobile data entry application from Valorem Systems that securely records, time-stamps, and encrypts digital photographs, notes, and voice annotations using handheld devices.

Its functionality has proved invaluable for companies such as Tenaxe Australia, a security firm whose guards use five Palm Zire 72 handhelds running Kevah to record happenings as they do their rounds around Sydney's World Square complex. If a security guard notices a potential safety hazard or security problem, he or she can photograph it using the Zire's built-in camera. A Kevah algorithm fingerprints the digital image, encrypts it with 128-bit encryption along with the guard's notes, and stores it in the device's memory for later download to the main server.

A similar system is used by maintenance providers to shopping centre management company Centra, which has empowered its maintenance company to automatically fix spills, breakages, and other problems as long as the incidents are documented using photographic evidence from a Kevah-equipped handheld. Images are downloaded and archived on the Kevah server when the handhelds are docked, and the system automatically prepares incident reports that have slashed the time workers spend doing paperwork at the end of a shift.

"Our focus has been to provide the mobility tools for multimedia data capture," says Valorem CEO Jon Tinberg. "Because we're in a Palm environment, the photos get ported into a data repository in our file structure. We're continually pushing Kevah so it will integrate and map into the enterprise system that sits in the fixed infrastructure."

Because they're now being used to create critical enterprise data rather than simply replicating phone numbers from a desktop PC, mobile devices now require far stronger methods for data protection. That includes both data backup -- handily taken care of by mobile device management platforms that automatically run incremental backups when devices are connected -- and more nagging issues of security. No mobile device should, after all, be deployed at all until you've come up with an answer to the most pressing mobile device question: what happens if it gets lost?

This was a question for which many vendors didn't previously have an answer. With the introduction of fingerprint scanners into some models and encryption capabilities into both devices and mobile management platforms, however, current solutions offer several methods for ensuring that sensitive corporate data stored out in the field cannot be used if it falls into the wrong hands.

If you can count on a wireless signal wherever your employees will be working, for example, conventional token-based user authentication may also be an option. Several management platforms offer a "device kill" feature that locks lost or stolen devices out of the corporate network. New PDAs such as HP's hw6515 Mobile Messenger even offer built-in GPS (global positioning system) functionality -- something that will no doubt be exploited by management platforms that could program the smart devices to literally SMS you their current location anywhere on earth.

Building for mobility
Responsibility for preserving data integrity between handheld device and network data store doesn't rest exclusively on the device management platform you choose; equal responsibility rests with the enterprise developers building the applications in the first place.

To some extent, existing development platforms can do some of the heavy lifting: Tight integration between Microsoft's SQL Server database and the small-footprint SQL Server CE database, for example, eases the process of synchronising data between remote devices and the application database. Current mobile-aware development technologies can also help in translating desktop-style user interfaces into interfaces suitable for mobile devices.

There are caveats, however: since most mobile devices have small pen-driven screens and only a few have even smaller keyboards, usability is a major concern. This not only impacts application design -- for example, requiring uncluttered and intuitive application screens that validate entered data and don't rely extensively on keyboard input -- but also affects mobile device management strategies.

"Web services has come a long way in helping the integration of these devices," says Eric Sibly, solutions architect with solutions development giant Avanade. "A reduction in filling out manual forms means companies can get their processes moving a lot quicker, and built-in reference data can improve the timeliness and quality of information they're getting. However, in applications where you need to do real-time updates, you've got to look at the type of connectivity and make sure you know what happens if the wireless link fails."

Avanade had to address this exact problem during a recent project with Queensland Rail, building a shipment scheduling system that used PDAs and the CDMA mobile network to let train drivers bring detailed information on shipments along with them. With uncertain wireless coverage in regional areas, the application had to be designed with enough data permanence to ensure that it remained usable even in black spots. Collected data is stored on the devices until it can be synchronised back to the home server once the CDMA signal is picked up again.
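A store-and-forward capture queue of the kind described for Kevah earlier and for the Queensland Rail application above, as an added example (not code from Valorem, Avanade or the article): each record is fingerprinted and time-stamped on the handheld, held locally while there is no link, and checked by the server on sync. The HMAC seal, the per-device key and all names are assumptions; encryption at rest is left out because the article does not name the cipher.

```python
import hashlib
import hmac
import json


def capture(queue, device_key, guard_id, photo, note, ts):
    """On the handheld: fingerprint, time-stamp and seal one record, then queue it."""
    record = {
        "seq": len(queue),                                  # position in this batch
        "guard": guard_id,
        "ts": ts,
        "note": note,
        "photo_hex": photo.hex(),
        "fingerprint": hashlib.sha256(photo).hexdigest(),   # image fingerprint
    }
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(device_key, body.encode(), hashlib.sha256).hexdigest()
    queue.append({"body": body, "tag": tag})


def sync(queue, device_key, link_up):
    """On dock or reconnect: the server accepts verified records and flags the rest."""
    if not link_up:
        return [], []              # black spot: nothing leaves the device
    accepted, rejected = [], []
    for position, item in enumerate(queue):
        body = item["body"].encode()
        tag = hmac.new(device_key, body, hashlib.sha256).hexdigest()
        record = json.loads(body) if hmac.compare_digest(tag, item["tag"]) else None
        if (record is not None
                and record["seq"] == position   # a record removed mid-queue shifts this
                and hashlib.sha256(bytes.fromhex(record["photo_hex"])).hexdigest()
                == record["fingerprint"]):
            accepted.append(record)
        else:
            rejected.append(item)  # kept for manual review, not silently dropped
    queue.clear()
    return accepted, rejected


if __name__ == "__main__":
    key = b"constructed-demo-key"                # constructed sample values throughout
    photo = b"\xff\xd8constructed-jpeg-bytes"
    q = []
    capture(q, key, "guard-1", photo, "wet floor", 1000)
    capture(q, key, "guard-1", photo + b"2", "broken light", 1060)
    print(sync(q, key, link_up=False), len(q))   # no signal: both records stay queued
    q[1]["body"] = q[1]["body"].replace("broken light", "all clear")  # edited on device
    ok, flagged = sync(q, key, link_up=True)
    print(len(ok), len(flagged))                 # the edited record fails its seal
```
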

Engineering the business for mobility
Handheld devices and notebooks aren't the only things needing to be managed in the shift to mobility. Surveys suggest that many managers are still reluctant to empower their workers to take their data -- and their daily work -- out of the office with them.

A recent survey, entitled Mobility and Mistrust, conducted on notebook vendor Toshiba's behalf by Sweeney Research, involved 600 managers and workers across Australia and New Zealand. Sixty-three percent of managers worried that it was hard to monitor and supervise remote employees; 40 percent of respondents lacked the trust that employees would get the job done out of the office; and 39 percent said -- incorrectly -- that appropriate technology was not available to support flexible working practices.

Such issues may have been a problem in the past, but a growing culture of mobile working in progressive organisations -- backed by perfectly workable management tools that extend corporate data management and security policies into the field -- has turned that on its head. Forward-looking companies are racing to embrace mobility, with many solutions resolving the visibility problem by offering continuously updated online presence information.

Fears about the spectre of new attacks via mobile devices can't help their perception any, but managers need to realise that this risk, like any other, can be more than adequately managed with the right combination of technology and processes. Combine managerial will to explore new business opportunities with the technology to make it happen, and you've got a potentially winning combination.

"We've got the opportunity where, when businesses actually think about jobs and job roles, they have got to think more creatively about how they can get people to perform optimally," says Dr James Cowley, a business strategist with Instinct & Reason who reviewed the Toshiba survey. "Now, for example, you don't have to get everybody into one little room at the same time for a meeting, but can do this through software. If you're not putting people under amazing pressures, you can actually get better performance out of them."

In taking a secure, realistic approach to mobile computing, you can also ensure that your employees' newfound freedom doesn't create a security headache for your company's IT staff. Just be sure to take a consistent, centralised approach to managing all sorts of devices and you'll be able to ensure that security and data protection policies are applied equally across mobile and fixed equipment.

Thankfully, you have room to move now: by the time the virus writers figure out how to really do a number on smart phones, most companies planning on using them should have robust enough network and data protection in place that even a rogue field device won't be able to compromise the many benefits of mobile working.

Ten steps to good mobility
Odds are that at least some of your business processes can be significantly improved by cutting the cord. Here are some tips for wielding the knife:

  • Don't worry. Lazy employees have a way of getting caught out whether they're in the office or out in the field. If you're still hung up on concerns that mobility will compromise your workers' effectiveness, get with the program: mobility actually makes them more effective by keeping the data they need accessible at all times.

  • Limit functionality. Handhelds don't have to be one-size-fits-all propositions; many of the most useful applications do just one thing, and do it well.

  • Keep it simple. The small size of PDAs and smart phones makes an easy-to-use, efficient user interface essential. Test extensively, trial interfaces on users, and look for ways to simplify functions, automate data filling, and otherwise make remote users' jobs as easy as possible.

  • Think thin. If you're worried by the thought of having critical corporate data on a small terminal that could easily be left at the local Starbucks, consider using thin-client software like Citrix MetaFrame, in which the mobile device is just a window onto applications and data running, safe and sound, on your server.

  • Think secure. If you can't guarantee constant connectivity to the network, you're going to have to keep some data on the device to ensure a consistent user experience. Use encryption to make sure the data is unusable to anyone else should the device go missing, and consider getting devices with fingerprint scanners to add another layer of protection.

  • Manage stringently. Incremental, bandwidth-aware backup tools have helped PC administrators get control of remote notebooks to some degree, but PDAs and smartphones are a completely different kettle of fish. Make sure your remote management tools accommodate various mobile platforms, and can extend features such as licence monitoring and standard operating environment (SOE) installation to handheld as well as notebook devices.

  • Design for mobility. Good design of data structures makes management much easier. Increasing commonality between desktop and mobile devices means the transition from desktop to mobile applications is nowhere near as complex as it used to be. Tiny mobile databases such as Microsoft SQL Server CE work closely with their server counterparts to synchronise data, making it much easier for your applications to support remote devices with minimal fuss. Build your interfaces for mobiles' smaller screens, and -- voilà -- you're mobile.

  • Capture remotely, store locally. Notebooks pack a lot of grunt, but mobile devices sacrifice performance and storage for battery life and their tiny form factor. Don't even try to store critical data on a mobile device long-term; ensure that your application strategy treats them as devices for data entry and application access, and nothing more.

  • Get wireless. Mobile devices have been around for years, but it's only with common support for GPRS, CDMA, and emerging 3G networks that they're coming into their own. If you ever rejected a non-wireless mobile solution in the past, take another look at today's technology. Constant wireless connectivity can keep mobile devices well managed simply because, unlike often disconnected notebooks, they are always connected and always available for data backup, upgrades and other tasks.

  • Be safe. Hackers have already created viruses that run on mobile phones and PDAs, but don't stress about them for now: suitable devices for propagating viruses are still few and far between, and there are no viruses (so far) capable of infecting both mobile devices and normal desktop PCs. Focus on extending current security regimes to protect and quarantine mobile devices as necessary, and you can venture into the mobile world without having to be paranoid.

This article was first published in Technology & Business magazine.