As mobile computing becomes ubiquitous, network security vulnerabilities increase. To address this concern, agencies are turning to mobile-device management systems that help control far-flung network endpoints, be they notebooks, tablets or smartphones.
Mobile-device management systems can enforce rules across an enterprise. These rules can restrict what applications can be installed on a device, raise a red flag when excessive charges are being racked up on a smartphone, force data backups for safety, require strong passwords on a device, locate lost devices or remotely wipe all data from a missing device.
The challenge for agencies is to find the management system that best fits their needs. Several IT shops, including the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the Veterans Affairs Department and the General Services Administration, have tested mobile device management systems to determine which will work best within their enterprise and meet the needs of their users.
“Mobile devices introduce a new level of complexity for many government offices,” says Shawn McCarthy, director of research at IDC Government Insights. “Such devices can be more challenging to manage than traditional PCs, and the wide variety of hardware and software solutions, and even the variety of mobile operators, can make it more difficult to set standards and management practices.”
While newer versions of some popular network workhorses, such as Microsoft Exchange, have added features to address the burden mobile devices place on network security, many agencies need more features and greater control.
“Exchange ActiveSync is what we call lightweight mobile-device management because it does institute some policies,” explains Phillip Redman, vice president at Gartner Research. “But it’s not nearly as full-featured and rich as you would get in what we call a heavyweight platform, which allows much more minute detail to be managed on these devices.”
Finding the Right Fit
ATF, for example, tested four mobile-device management platforms before settling on two of them, according to Noah Nason, the agency’s CTO. The agency had to adopt multiple solutions because it couldn’t find a single product to meet its needs, Nason says, explaining that ATF has a diverse user base and that senior executives, staffers, field agents and inspectors each had different needs. “Because of that diverse population, we found that no one model fit everybody,” he says. “Ideally, we’d like a mobile-device management system that covers everything and is everything to everybody, but we really haven’t found that yet,” he adds.
One solution that ATF tried used “sandboxing” to isolate an application’s actions and prevent it from interacting with other aspects of the hardware it’s installed on. That also prevents some ATF employees from accessing programs they need and from accessing files on the agency’s servers while the solution is running. “Sandboxing is a design feature intended to make the device more secure, but it also makes it less useful to some people,” Nason observes.
AirWatch, one of the solutions the agency chose, gives users more flexibility when working with applications on their mobile devices. That’s important for ATF personnel working with Citrix XenDesktop software. XenDesktop creates a virtual desktop on a device that can be used to access law enforcement programs running on Justice Department servers in the cloud.
Currently, ATF issues mobile devices to employees who access its networks, but it hasn’t ruled out broadening its mobile policy in the future to allow personal devices into the picture. “We have not gone that route yet,” Nason says. “We are considering that route, but that has significant legal, financial and security impacts that we are still analyzing.”
Working Across Platforms
The Veterans Affairs Department also is testing a mobile-device management product, according to Jerry Davis, the department’s deputy assistant secretary for information security. Among the features the VA is looking for in a mobile-device management product are password and application management and remote wiping.
The department also wants a cross-platform solution. “We want it to be platform-agnostic,” Davis says. “It seems like a new device is coming out every week. If we focus on something like iOS and the market shifts, then we’re stuck with just being able to run iOS.”
The General Services Administration also has completed a major implementation of mobile-device management technology. GSA installs a management system on “every device we own that boots — laptops, tablets and smartphones,” says Jim Leverso, director of strategic IT initiatives and workforce mobility at the agency.
GSA places a major emphasis on mobility, so the agency issues notebook computers to every user. The mobile-device management software lets GSA automatically deploy policy and application updates, track asset information such as purchase and warranty details, and expand or restrict network access.
At VA, Davis sees support of personal mobile devices in his agency’s future. “Workers don’t want to carry their own personal device and then have a work-issued device as well, so companies are getting smarter and starting to develop applications that partition work data from personal data,” he explains.
He would also like to see improvements in how management systems handle application data. Security concerns have led VA to prohibit keeping sensitive information such as patient records on mobile devices. “In the future, as applications are developed that have strong encryption and meet FIPS 140-2, we’re going to see data reside on those devices,” Davis says.
And the future promises even more use of mobile devices, Davis predicts. “The proliferation is going to be significant, and you’re going to start to see desktops go away and more and more of these mobile devices entering the environment.”