A year or two ago, IT departments were focused on mobile device management (MDM) as a way to secure smartphones and other mobile devices. It was a natural extension of how IT had always handled technology in the workplace. While there are times that strict device management is the best approach (such as K-12 schools), IT departments are beginning to realize that MDM isn’t always the course of action.
In fact, the rush to lock down every device feature was little more than stale and rather old thinking on the parts of IT leaders who are now looking for better options.
The concept was essentially an extension of how IT folks handled Macs and PCs in their organizations. Create a baseline configuration for all computers of one type complete with corporate settings and needed apps, roll it out, and then use client management tools to ensure users can’t make major system changes, install their own applications, or alter core operating system components.
That concept has served IT departments in organizations of every size and type quite well over the years. It ensures every user has the correct environment, that the computers are secured, and allows for quick and easy Mac or PC replacement if there are problems. It’s no wonder that device management was the first impulse for IT folks when it comes to the iPhone, iPad, Android devices and pretty much all post-PC mobile devices. It also happened to be the model that RIM provided for organizations giving workers BlackBerries.
But there’s a key point in this line of thinking that’s easy to miss – it’s based around the concept of a computer or a device being owned by an organization and not by the person using it. By extension that means that IT owns the device and has the right to configure it for optimal security as well as to configure the user experience to what IT staffers assume is the best option that doesn’t compromise device or data security.
IT folks had no problem finding vendors to support this way of looking at mobile technology, particularly after Apple built really strong device management capabilities into iOS 4. In doing so, Apple created a pretty lucrative cottage industry around the ability to manage iPhones and iPad (and BlackBerries and eventually Android devices and Windows Phone handsets). The concept paralleled standard IT processes and effectively let IT approach mobile devices as they did computers – IT and MDM seemed like a match made in heaven (at least to IT guys and the MDM vendors).
Users had a rather different take on the whole situation, especially when major features of their iPhone, iPad, or other device was disabled or blocked by IT. What’s the harm in downloading the free version of Words With Friends? Why shouldn’t I be allowed to check my personal email? Why can’t I install the various iWork apps, especially if I’m willing to pay for them?
Those reactions were one thing when the company had been buying devices and handing them to IT to setup and distribute. But then along came BYOD – officially sanctioned or not, users started buying iPhones and iPads and bringing them into the office, where they asked to be able to setup their work email accounts or to be able to use corporate Wi-Fi. None of them were happy with the idea that they had to turn control of their devices over to IT at that point, particularly if it meant giving IT the power to wipe their devices or monitor the apps that they installed.
This tension over ownership had definite consequences including the fact that if IT handled the situation poorly, users tended to simply avoid IT altogether .
That brings us to the dialog happening today about what the best practice is for mobile devices regardless of who actually owns them. Is locking down the device really necessary? Can IT secure business data without heavy-handed management? Can IT set policies and trust that users will abide by them? If not, should IT be able to monitor personal devices that access corporate resources?
The growing consensus is that looking at device management is the wrong approach in many cases and that IT’s ability to claim ownership of computers doesn’t extend to mobile devices – at least not in quite the same way. That’s led to a focus on securing data and/or managing apps rather than the device and to working with users as partners rather than thinking of them as the enemy.