Managing BYOD starts with asset management
I think therefore ITAM
The prevalence of BYOD (bring your own device) activity across the enterprise landscape has seen every IT vendor worth its salt try to offer a solution to the problem of keeping employees' mobile devices under control.
There are several worthy options, such as CYOD (choose your own device) and managed virtualised desktop solutions, but the best medicine for BYOD might just be right under your nose.
The IT manager tearing his or her hair out wondering when there might be time to implement a BYOD platform is looking at a complex matrix of different device management, system management and, crucially, asset management panes of glass.
That word “asset” is important: the pre-existing IT management infrastructure might already provide some of the clues – but only if managers know what question to ask of themselves and of their current suppliers.
The IT sub-discipline of asset management is affectionately known as ITAM. In terms of form and function, ITAM is generally defined as a collection of business practices designed to optimise expenditure on IT-related purchases, management and redistribution, based on an agreed inventory process.
Closely related to BYOD is mobile device management (MDM), and it would be impossible to complete this discussion without reference to this. How do BYOD and MDM interplay?
Should we be asking ourselves whether we should use ITAM as a starting point for strategic MDM and BYOD planning?
If you are a responsible and thoughtful tech manager with an ITAM platform, what should you look for in that system before embarking on an MDM journey?
Martin Thompson, asset management analyst and owner of The ITAM Review, thinks software and application monitoring are must-haves for any MDM solution.
“Within asset management tools, the IT department has visibility on when, how long and how many times an application on a mobile device has been used,” he said.
“This type of control is aimed at smartphones and tablets and should be viewed just as you would view the data usage for software installed on a machine.”
In this way, he said, we can use ITAM to give us MDM-flavoured insight into what kind of BYOD challenges we face.
“This aspect of MDM for BYOD is particularly important as large vendors now allow a single user to install their product on a set number of devices. Mobile devices count as an asset, so an organisation needs to have visibility on how many instances of the software a single user has installed,” Thompson adds.
But the "ITAM for BYOD control" argument needs to go further than simply counting the number, type and form factor of devices – and further too than being able to describe what user has what device with what application.
The next stage is a layer of identity so that we know what data is being accessed and exchanged with the corporate data centre at any moment.
“Inventory is a core part of any strong mobility solution, and because the requirements are an extension of what IT has always needed, the skills and investments you’ve made should be seamless to use,” said Simon May, an enterprise device infrastructuralist at Microsoft.
“Additionally look for solutions that use inventory, analytics and machine learning to help make insight more actionable, for example solutions that take signals from a device and use that to provide conditional access to company resources to the user on that device.”
This leads us to the inherent differences between what might be a custom-built BYOD management solution and a more configurable total MDM solution.
Even if IT management does have a good ITAM-driven grasp of its installed technology base, there is still a shopping list of factors that will shape the MDM alignment before it is powered up.
Looking back at our installed base of BYOD devices with an ITAM-focused eye, we must first decide whether we will host the MDM software layer on the company network or buy it in as a cloud software service.
After conducting an audit of all our devices’ lock and wipe capabilities, we then decide how to push out the MDM controls to the devices.
Further down the line (after other crucial foundations such as compliance tests) we get to decide which mobile operating system(s) we will support and what central email and application set we will support.
Samsung comes into this technology space with its Knox container offering. This is a virtual Android environment within the mobile device so that the container has its own home screen, launcher, apps and widgets.
Applications (and their data) inside the container are isolated from applications outside the container. This isolation means the Knox container can be used as a secure enterprise workspace, while everything outside the container represents the user’s personal space.
Two for the price of one
Part of the company's Samsung Approved For Enterprise (SAFE) programme, Knox (named after the fort if you hadn’t guessed) addresses the security issues faced by enterprises deploying BYOD by providing a “dual-persona environment” which isolates enterprise apps and data from personal apps and data.
This throws up a diversion for the ITAM purist, but it is only a diversion: there is the same amount of data and devices but they are just treated differently.
At the same time, Samsung lists a dozen MDM solution industry partners that support many (but not all) Knox features and offer comprehensive policy levels.
For example, SAP Afaria, an MDM product that was part of SAP’s Sybase acquisition, delivers a solution designed to expand Samsung’s SAFE technology.
Citrix XenMobile is designed to provide an enterprise-class application and data management solution for all Knox-enabled devices, including Galaxy smartphones and tablets.
There are clearly ITAM-BYOD-MDM crossover points then, but we shouldn’t run away with this idea.
According to Simon Townsend, chief technologist for workspace management vendor AppSense, ITAM can help overcome some of the challenges presented by BYOD but it is no silver bullet.
"Any device, any operating system and any application that can interact with enterprise systems needs to be monitored"
“Having a solution such as MDM that just looks after mobile devices is simply adding more workload onto the corporate IT team’s plate,” he said.
This creates what he calls the “and” problem, which gives IT teams the headache of having to manage a mix of Windows physical and virtual desktops and laptops and Macs and mobile devices too.
“The only common factors across these mixed workspace estates are the need for effective management of policies and user privileges: you have to manage the profiles of users, what they can and cannot access and what IT policies they are subject to, and deliver a consistent user experience too,” said Townsend.
“While management in the traditional Windows sense is sometimes not possible in BYOD, it’s critical to at least see and record what people are doing and which applications and assets they are using. Organisations need to bring ITAM-flavoured device management into overall workspace management.”
Perhaps we need to realise that the IT industry is shifting from an enterprise-centric world to one that is essentially user-centric. With that in mind, we might be able to view the assets inside the BYOD challenge differently.
Please help yourself
“All users really want is access to their apps and data on whichever device they choose, wherever. The challenge for IT is to meet those needs while still meeting the compliance and security needs of the organisation,” said Joe Baguley, CTO EMEA at VMware.
“Hence the hybrid world we find ourselves in today with a diverse mix of tools. We need the ITAM thinking to shift from an organisation managing or owning physical assets such as mobile devices to instead delivering services, including to assets that they don’t own and never will.
“IT departments can also offer application catalogues, containing business-critical cloud and SaaS applications, and allow user access from any device, whenever and wherever they need it.
“Again, the balance between user experience and business best practice is kept – with access to each application determined by the user’s identity and environment (device, location and connectivity level).”
The end result is each worker having self-service access to, and secure sharing of, all relevant resources to drive productivity.
Phil Barnett, vice president and general manager EMEA at Good Technology, agrees that BYOD is not simple and that multiple devices used by numerous employees cause multiple issues.
Barnett thinks that a wholly containerised approach is the only way that IT can manage and keep track of all its internal ITAM load – whichever device or application employees are using.
“When an employee can access applications, services, documents and workflows only through a secure login portal, IT can monitor usage and give or restrict access to specific servers or applications. For example, the sales team is likely to need a different group of applications from the finance team,” he says.
“These tighter restrictions are beneficial to both the IT department and the end-user. As well as keeping track of a company’s assets, there is also the ability to configure devices automatically, deploy apps and if necessary wipe sensitive data.
“It also offers a consistent user experience and impinges less on privacy. When everything controlled by the IT department is confined within one application, the user has no fear of IT accessing personal information and files on their device.”
Is there a danger of moving too close to a containerised approach and forgetting our initial ITAM mantra?
It is true that containerisation helps IT to manage and audit the security and other requirements of a heterogeneous enterprise mobile landscape.
But enterprise mobility has entered a new phase, driven by the combination of advanced mobile devices, improved wireless connectivity and increased adoption of cloud-based services. We therefore need some way of bringing several new worlds together – and quite how we do this is not yet clear.
Steve Drake, former IDC analyst and now business development director at FeedHenry, predicts that MDM and mobile application management (MAM) vendors will partner with mobile app platform vendors to gain the scalability and flexibility demanded by enterprises.
“To date, most of the large enterprise mobility management deployments have been independent of mobile application platform deployment and rollout of mobile apps,” he says.
“Large enterprise mobility management deployments were often the first step for an organisation to manage devices and control applications. However, in 2014, given the market maturity and advances in best-of-breed offerings, we expect to see larger combined deployments.”
Cathal McGloin, CEO of FeedHenry, agrees. “MDM provided employees with mobile access to their calendar, contacts, work schedules and email and gave IT managers peace of mind that if a corporate device was reported lost or stolen it could be remotely locked and wiped,” he says.
But he points out that today there is a far broader requirement of MDM, especially in the ITAM for BYOD world. Enterprises demand end-to-end platforms that support mobile app development and management.
“Importantly, rather than managing the device, enterprises are now focused on controlling access to sensitive data as it moves between the enterprise and the device,” says McGloin.
“This shift has fundamentally changed the market for point solutions like MDM and MAM, so that MDM and app enablement are two sides of the same coin.
“We are starting to see that rather than being managed separately, MDM and app development and distribution are linked by the common thread of data security – securing apps and devices and managing user policies through the same platform.”
So even MDM as we knew it won’t quite cut the mustard for ITAM-aware BYOD controls in 2014 and onward. We need an information-first, management-first approach to all devices. Bringing assets and information together into a new MDM could be the answer.
If you see asset-aware BYOD management (AABYODM, pronounced ‘aabyoohdum’) being used, then you will know why. ®