OK, so the users want corporate apps on the move. Don't Panic
The short answer? No. But this is do-able
People want to be able to do their job from wherever they happen to be. It's understandable – if you don't need to be in an office chained to your desk then why not work somewhere more convenient? Let's look at five ways to make this achievable.
Remote access to local apps
At the most basic level you have the traditional approach: provide the users with a way to connect into the corporate network from afar. Chances are, you don't want to go down the old route of providing users with a basic machine-to-network VPN – the last thing you need is someone's home PC or Mac connecting to the LAN as if it were locally connected and infecting your world with malware. A far better approach is to provide a terminal-style interface, using a virtual desktop of some sort (doesn't really matter what – Citrix, VMware Horizon, and so on), thus keeping an air-gap between the corporate infrastructure and the operating system of the client.
A word of caution: you absolutely must use two-factor authentication for this kind of access. It's so fantastically easy to set up a 2FA system these days (the likes of Symantec have cloud-based offerings that are a breeze to get running) that there's really no excuse for not doing so. Remember, though, that if the 2FA user component is a software module rather than a hardware token, you mustn't let the users run the 2FA app on the same machine they're connecting from – otherwise it isn't 2FA any more.
MDM and device integration
Better than the above is to integrate your mobile devices securely with the corporate network. Specifically the company-owned ones – you can and should have absolute control over the devices such that you can disable them and/or wipe them remotely (and preferably equip them with software that will auto-wipe the device in the event that it's unable to connect to the corporate server for a number of days). Bring-your-own-device ("BYOD") hardware should never be integrated in this way – we'll come on to what to do with those shortly.
Like anything in IT, security is a compromise. Ideally you'd like your users to be able to use their mobile devices as if they were on the company network; that's fine, as long as you spend the time and money on systems to allow them to be connected securely. For Windows laptops I'm a big fan of Microsoft's DirectAccess (fiendishly difficult though it can be to set up), and for tablets and phones there are more mobile device management (MDM) services on the market than you can shake a stick at. These latter packages do what BlackBerry has always done – provide a secure, authenticated link between the device and the corporate network via the internet, along with strong server-side features that enable full control of the remote devices.
Oh, and I don't think I'm speaking out of turn in saying that MDM is a bit easier on iOS and Android than on Windows Phone, which is still playing catch-up.
Directory services in the cloud
Tradition is rapidly giving way to cloud-based applications. Even if you still have a data centre-full of kit, the chances are you have something or other running in the cloud. One of the benefits of this approach is, of course, that connecting to such apps is just as easy from outside the corporate network as inside it. The downside, though, is that if the cloud app isn't integrated with your organisation's directory service, you have an administrative pain in the proverbial when it comes to new starters and particularly employees who leave. The problem's simple: unless you integrate the cloud-based apps with your own directory service, each app will have its own user database, which you have to update when someone joins or leaves the company.
The solution is to enable cloud-based applications to authenticate logins against your own directory service. One option is to provide your own internet-facing LDAP or Active Directory presence by sitting a read-only server in your corporate DMZ. As cloud-based systems like Office 365 become more popular, an attractive option is to federate your directory with a cloud-based one – not least because the cloud app vendors are increasingly providing specific support for the popular ones.
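The joiner/leaver problem described above, as an added example that is not from the article: a reconciliation that treats the corporate directory as the source of truth and reports, for each cloud app that keeps its own user database, which logins should be disabled and which are missing. The directory and app contents are constructed sample data.

```python
# Constructed sample data: the corporate directory (source of truth) and the
# separate user databases of two cloud apps that are not integrated with it.
DIRECTORY = {
    "alice@example.com": {"enabled": True},
    "bob@example.com": {"enabled": False},   # leaver: disabled in the directory
    "carol@example.com": {"enabled": True},  # new starter
}

CLOUD_APPS = {
    "crm": {
        "alice@example.com": "active",
        "bob@example.com": "active",         # leaver still has a live login
        "dave@example.com": "active",        # no directory account at all
    },
    "expenses": {
        "alice@example.com": "active",
        "bob@example.com": "suspended",      # already dealt with in this app
    },
}


def reconcile_app(directory, app_users):
    """Return (action, email, reason) tuples for one app's user database."""
    actions = []
    for email, state in sorted(app_users.items()):
        entry = directory.get(email.lower())
        if entry is None and state == "active":
            actions.append(("disable", email, "no directory account (orphan)"))
        elif entry is not None and not entry["enabled"] and state == "active":
            actions.append(("disable", email, "directory account disabled (leaver)"))
    for email, entry in sorted(directory.items()):
        if entry["enabled"] and email not in app_users:
            actions.append(("provision", email, "enabled in directory, missing from app"))
    return actions


def reconcile_all(directory, apps):
    """Run the comparison for every app: the leaver check has to be repeated
    per app, which is the per-application burden the text describes."""
    return {name: reconcile_app(directory, users) for name, users in apps.items()}


if __name__ == "__main__":
    for app, actions in reconcile_all(DIRECTORY, CLOUD_APPS).items():
        for action, email, reason in actions:
            print(f"{app}: {action} {email} ({reason})")
```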
Make it app-free
The final consideration for making apps usable on the move is to ask if you can do away with the app altogether. That doesn't mean stop using it – just think about where the app stops and the data starts.
Google Apps is the most prominent example here. One of my suppliers provides itemisations of the ad-hoc work it does for me via a Google-based spreadsheet. Neatly, I don't need an app on my Mac to open it: the link I've been given bounces me to Google's server and launches a combination of the app and the relevant data. It's a cunning extension of the concept of object orientation (where you throw around "things" that incorporate not just data but also the functionality required to manipulate it) and it's a fabulous way to work because it doesn't rely on the recipient having specific esoteric applications on their devices.
Chances are that you'll end up implementing a subset of the above; if you do, the most important are two-factor authentication and directory access. Once you have a secure means of authenticating, and a centralised authentication scheme that makes it difficult to forget to disable leavers' logins, the other components will drop in nicely. ®