Employee-Liable Smartphones on Corporate Networks: Five Tips to Boost Admin Control
If 2009 was the Year of the Smartphone, 2010 is destined to be the Year IT Grapples With Managing All Those Smartphones.
Properly keeping track of and securing employees' personal devices, or "personal-liable" devices, on a corporate network is sure to be atop the list of mobile administrators' challenges in the coming year, as more and more staffers file help-desk tickets to have their new iPhones, Droids, or Nexus One handsets linked up to enterprise systems. What's worse, the technically savvy users in the bunch may link up their devices without your consent--or even knowledge--according to mobile-device-management software company Zenprise.
Creating, instituting, and upholding a plan to keep tabs on which devices are connected to what network resources and when constitute crucial steps in creating an effective mobility strategy. On that note, Ahmed Datoo, Zenprise VP of marketing, sent along the following five tips to help mobile administrators get a better handle on which devices can and/or do access your corporate resources.
I've summed up Datoo's points briefly, and then posted the full text of his suggestions below. Naturally, most of the advice Datoo offers relates to the company's own Zenprise MobileManager product, but other firms such as BoxTone also offer comparable products that serve many of the same purposes. Smart mobile administrators will want to investigate the wide range of mobile management products on the market today to see which offerings best fits their own organizations' specific needs.
Five Tips From Zenprise for Securing Personal-Liable Mobile Devices on Corporate Networks
1. Create a formal corporate policy that specifies staffers must check in with IT and get approval before connecting a personal mobile device to the corporate network.
2. Employ a product that lets you see which devices are connected to your corporate network, when they are connected, and to whom they belong.
3. Devise a set of security policies attached to your Microsoft Exchange Server, BlackBerry Enterprise Server (BES), etc., to ensure that any and all devices connected to your corporate network meet a predefined set of security standards.
4. Give your users some sort of self-service option that lets them quickly and remotely wipe their devices if they lose or misplace handhelds.
5. Employ a product that lets mobile administrators randomly "audit" users' devices for potentially problematic applications, to help identify unknown and potentially harmful third-party software.
Keep reading for the full text of Datoo's five tips, along with further explanation of each.
Zenprise's Five Tips
1. Require users to proactively seek permission to connect via Exchange ActiveSync (EAS).
Microsoft Exchange ships with EAS enabled by default for all users. This means that employees can enable their iPhone, Android, Palm, and Symbian devices to retrieve corporate mail, without asking the IT department for authorization or approval. In order to secure a device, the IT department must have visibility into which devices are connecting to the network. Therefore, it's important to set a policy that requires users to contact the IT department for permission to enable ActiveSync.
2. You can't secure what you can't see. Gain visibility into which devices are connecting into the network.
A "particularly worrisome trend" cited by a recent Aberdeen Research report found that the vast majority of organizations meeting the demand for individual-liable devices had little to no visibility into device usage and telecom costs. Without full visibility into the devices running on a network, IT is subject to greater security risk from employee liable phones. Once an administrator has authorized and enabled EAS for a user to connect into the network with an iPhone, for example, they do not need permission to add additional devices to the network. Without daily or weekly reports, IT has no visibility when a user switches their smartphone for another type of device.
3. Like everything else on the network, smartphones must also have security policies.
Companies should set up a default EAS security policy so that all phones connecting into the network have a minimum level of security enabled. In many instances, this will force users to do things like set up a security password or enable other security policies before they can access their email for the first time.
4. Smartphones are an extension of corporate data. Give users the ability to wipe their own device in case their device gets lost.
According to Accenture, 10 to 15 percent of all handheld computers, PDAs, mobile phones, and pagers are lost by their owners. More often than not, users will delay reporting their device as lost or stolen, either in the hopes that they can retrieve the device, or because they are embarrassed for losing it. Every second of delay could mean the loss of sensitive corporate data. Providing users with an ability to wipe their own devices will significantly reduce the risk of both personal and corporate data loss.
5. All work and no play? Track applications installed on the device.
The line continues to blur between the personal and corporate use of smartphones. Organizations that allow users to install personal or corporate applications on their device, should audit for rogue third-party applications, and control which corporate applications mobile devices can access. More and more users are unintentionally downloading memory hogging or malware embedded applications. By understanding which applications are installed and running, enterprise IT can avoid potential security and compliance risks.