Finally, real security for iPhone and Android

I’ve been very frustrated by the lack of business-level security and manageability on most smartphones. The BlackBerry triumphs for being secure and manageable if you deploy the BlackBerry Enterprise Server (BES), but the BlackBerry is not a good devcie for anything other than messaging. I want more from my smartphone than that. Windows Mobile also offers good security and some manageability through Exchange, but Windows Mobile devices are a mess that most people now avoid.

It’s the devices that people actually want — the iPhone, the Motorola Droid, the HTC Droid Eris, and the Palm Pre — that lack the security and management capabilities that would let, say, lawyers, nurses, police, bankers, soldiers, defense contractors, compliance officers, HR reps, and CEOs use them. Of these, the iPhone provides the best security and manageability, but still not enough.

So I was happy to see that Good Technology has released its iPhone and Android clients, bringing BlackBerry levels of security to these two devices, which account for most mobile Web usage (the iPhone alone accounts for half of all mobile Web usage). Good previously released clients for Symbian and Windows Mobile. A WebOS client (for the Palm Pre) is due in winter 2010. Note that the iPhone client does not yet work on iPod Touches, but Good expects iPod Touch compatibility soon. (A lot of hospitals see the iPod Touch as a great device because nurses and doctors can use it only when in the hospital Wi-Fi zone, so they can’t access patient information elsewhere, notes John Herrema, Good’s CTO.)

If your Phone doesn’t support on-device encryption, that’s OK — the Good client does. If your Droid doesn’t support complex passwords, that’s OK — the Good client does. Thus, you can use any of the Exchange ActiveSync or (promised soon) Lotus Domino security policies that your business may require. The Good clients essentially add those capabilities in software to your smartphone.

The Good client does this by running as an app on your smartphone, which means that the added security capabilities apply only to the Good software, which includes e-mail, calendar, and contacts. Thus, you’re not using the default e-mail, calendar, or contacts apps that came from your smartphone. That can help create a safe divide between your personal and business data — which your security officer will like — but it also means that data exchange between your business and personal apps won’t be as fluid. Moreover, you won’t get the same capabilities as the smartphone’s native apps. For example, the Good e-mail reader does not support e-mail folders — a critical need for many users — even though Apple’s Mail app does. Notes are also not supported.

And of course you need a Good for Enterprise server — a server app that runs on low-cost PCs — for the clients to connect to. The Good server is where you set your policies and through which mobile users first connect before their data is routed to Exchange or Domino. The good news is that the Good server uses one set of policies for iPhone, Android, Symbian, and Windows Mobile (and soon WebOS) users, so it doesn’t matter whether you have a mix of these. But the bad news, besides the fact you are paying for ongoing use of the server, is that you have to manage your BlackBerry users separately, through BES.

I believe that ultimately each of the mobile platforms should natively support the kinds of security features required by Exchange, Domino, and Novell Groupwise, and not require an intermediate server. But in the meantime, iPhone and Android users can finally be secured on par with BlackBerry users; if you’re willing to pay for a BES to satisfy your security needs, you’re probably willing to pay for a Good server as well.

You might note I haven’t said much about manageability. That’s because Good hasn’t solved that issue on the iPhone or Android. If you want to lock down an iPhone, such as disabling use of the App Store or restricting users to certain wireless router SSIDs, you have to use Apple’s iPhone Configuration Utility, which has good capabilities but can’t force-provision devices over the air or verify they’ve been correctly provisioned. And for Android, you’re completely out of luck, as there are no real management tools yet for that OS.

Both Trust Digital and MobileIron offer over-the-air provisioning of security settings for the iPhone if you use their client app and server. Zenprise’s client and server can monitor which apps are installed on iPhone, BlackBerry, and Windows Mobile devices — and that’s about all there is to manage iPhones in an enterprise-class way. So while Good has filled much of the security gap for iPhone and Android, the management gap remains. (My earlier blog entry “Making sense of mobile management” provides an overview on mobile device management options.)