When did IT get into the mobile phone business? This question is coming up more and more often, and IT departments are starting to look like boiled frogs. (If you aren't familiar with the boiled frog analogy, basically, if you throw a frog into boiling water, it will jump out. If you put a frog in cool water and slowly heat it up to a boil, the frog doesn't jump out and ends up boiling to death.) IT departments look more like boiled frogs because of mobile devices' surge in popularity and the user community's expectations that IT pros are supposed to be experts in all of the platforms and seamlessly support them. We have more important things to do!
A growing number of users are asking why they can't have an iPhone (or a Palm Pre or a Windows Mobile device or an Android device) instead of a BlackBerry. Even employees who are not issued company smartphones want to connect their personally-owned devices to the corporate email system. At our help desk, we have seen smartphone-related requests move from a top 25 issue to a top 10 issue in the past eight months. As IT departments are increasingly asked to do more with less, this support issue can easily be relegated back to the user.
An alternative approach
Let's look at an alternative approach to this issue and then see if we can poke holes in it.
IT leaders can do away with corporate mobile plans, let users get whatever device they want, and allow them to connect it to their work Microsoft Exchange account. Give them $100 toward their first phone and $75 extra per month to help pay for their plan.
Here are the benefits:
- Eliminates the need to manage a special BlackBerry Enterprise Server. IT departments no longer have to manage a special BlackBerry Enterprise Server and worry about supporting Microsoft Exchange and another business critical server with the same level of availability. Everything is managed at the Exchange server, which already has the robustness, the backup systems, and the service levels needed to support a high-availability environment. Help desk requests go from setup and configuration tasks at 30 minutes per incident to clicking a Remote Wipe button in the management console if the device is reported lost or stolen. Also, you do not have to install and support additional applications such as iTunes.
- Saves the company money. Many of these corporate mobile plans are a joke; for instance, they offer 15% discounts based upon the number of users with pooled minutes. What they don't tell you is that in some plans (such as AT&T), there are no rollover minutes, and if a user goes over the allotted minutes in their plan, they are still charged the overage rates even if there are plenty of minutes in the corporate plan. Then we have to go through administrative headaches to collect the overage charges from the employee. You have an angry employee, as well as a bunch of unnecessary administrative overhead to correct the issue. Your accounting and payroll departments have more important things to do.
- Requires self-governance. Employees are motivated to keep their minutes in check. In fact, a wisely managed plan can actually put a couple of extra bucks in users' pockets. For those employees who don't quite cover their plan, consider personal use of the business phone. Now you don't have to comb through individual phone bills and carve out what was a personal call and what was a business call and add unnecessary expense reports and accounting department resources to get things straight.
- Leads to a better customer service experience. In the case of AT&T, business accounts need to go through a business account representative to get service. These reps work Monday through Friday, 9:00 - 5:00. So if your phone breaks or gets lost on a Friday, you usually have to wait until Tuesday at least before you can get a replacement. You cannot go to an AT&T or Apple store or Radio Shack to get immediate service; they will not and cannot service you. Reimbursed personal plans allow users to go directly to a retail location seven days a week and get immediate service. Also, these retail locations now become the employee's mobile phone support. The retail locations are staffed with experts on all aspects of each phone; it's their job to be the expert so that responsibility doesn't fall to your IT department.
- Improves employee productivity. When an employee uses a device that they like and are comfortable using, an argument can be made that they are more productive. Additionally, this new policy allows employees who wouldn't qualify to get a corporate-provided mobile phone to use their own phone to access company resources whenever or wherever they are.
- Saves IT from having to stay abreast of the latest smartphone technology. With the advances in smartphone technology happening at such a fast pace, staying on top of all the changes will be a full-time job. With hundreds of new applications coming out for the iPhone every week and the introduction of Android devices, it's going to get more difficult to keep up to date. This environment sets IT up to fail their customers by becoming a roadblock to introducing new technologies. Traditional IT staff, who are focused on servers, applications, software development, and networks, will be hard-pressed to become the mobile device guru. This is best left up to partners who have full-time experts in these areas.
With this level of flexibility, there are also the following potential risks:
- Company applications. This is probably the one issue that would prevent IT from executing this plan. Unless the application can be run via a virtual machine interface (such as Citrix Repeater) on the smartphone, company-specific applications on mobile devices are typically proprietary to the device.
- Security. BlackBerry services are used and approved by NATO for secure messaging; the other devices do not have this level of security. Although other devices are catching up, they are still not up to the level of the BlackBerry. However, leveraging ActiveSync connections via SSL can make email secure. If you employ email filters, such as those provided by Cisco's IronPort, you can reduce the chance of social security numbers, credit card numbers, or other HIPAA or PCI risk data ever leaving your organization. Additionally, leveraging new mobile applications, such as Mobile Citrix Client, doesn't require any company data to reside on the phone at all.
- Employee responsibility. The biggest challenge will be employees actually telling IT that their phone was lost or stolen so we can wipe the phone. Upper management support will be key here.
- Employee waiver. With all ActiveSync devices, there is the ability to remotely wipe a phone or disable it; in addition, with Exchange, you can enforce a PIN code to lock the phone. Although some phones allow you to change how often the screen locks, the capability is still there. When dealing with personal phones, this can be tricky. When you wipe the phone, you also wipe personal information, pictures, videos, etc. In order to access company resources, you can require employees to sign a waiver to allow the company to locate and wipe the phone in the case of lost or stolen phones and when an employee is terminated. You will have to remind users to back up their device. All of the other devices can leverage SSL-encrypted connections to Microsoft Exchange via ActiveSync. Is it as secure? That is debatable. But when you truly look at the risk of data loss, it is minimal. Both services allow you to remotely wipe the device in the event of theft or loss. Of course, the user community must leverage Microsoft ActiveSync with SSL certificates.
When considering these risks, it is important to put them into context. Yes, iPhones can be a major distraction in the wrong hands with all of the time-wasting games, but what is the real cost of being so tight-fisted with company resources? Administrative overhead, HR, training, support, maintenance, etc. all need to be taken into consideration when you need to micromanage your workforce at that level.
Also, how much of an impact would the potential security risks regarding non-BlackBerry devices actually have on your organization? Do you leverage Citrix or other virtual technology where the data doesn't reside on the device? Do you control PCI and HIPAA information at the source and prevent it from being transferred or emailed in the first place? Is the nature of your business such that your email traffic and files will not be a detriment to your business if it falls into the wrong hands? How secure is secure enough for your business?
I believe that intensive and rigorous end user training about computer security would go a lot further than restricting the device. This training makes users aware of what is possible with regards to identity theft, social engineering, virus protection, transaction encryption, and protection of personally identifiable information.