How (not) to manage apps in an iOS and Android world

You’ve accepted the fact that users are working on iPhones, iPads, and Android devices, even if you don’t own those units. You’ve figured out that mobile device management (MDM) tools can secure those items, so your corporate date is safe on them — at least as secure as it is on PCs.

But what about the apps on those devices? How do you manage them? How do you handle site licenses for them? How do you get enterprise support for them? These are the questions IT admins are now asking.

They won’t like the answer: You don’t do these things any longer.

Why app management is a legacy approach I know it’s severe heresy for many in IT, but managing apps is addressing the wrong problem. The issue you should be investigating is how to manage your information and the access to it. Way gone are the days that applications and user equipment are safely locked within your four walls and managing them could be a proxy for regulating your data and permissions for it.

The corporate boundaries are permeable, and they have been for some time, as people work at home and on the road, as you use a mix of staff and contractors. The rise of smartphones and tablets has simply made this new reality obvious to all. Any business that protected information by controlling computing devices and their applications — rather than actually managing that data access at the source — is now revealed to have been not protecting what’s really valuable.

If you think about it, worrying about endpoints is the bad way to tackle information management. This approach is rooted in the mainframe days of IT, when all the real computing action took place in the data center, and users had at most dumb terminal access. When PCs came along, IT fretted about having real information reside on people’s desks, and vendors came up with all sorts of technologies to rope those PCs into the data center’s controls. Many are sensible, such as encryption and forced sign-in, as they protect the information that is so valuable.

Less sensible, though, are those that treat apps as clients of the data center. Microsoft in particular has been a master of tapping into the IT mentality so that its Office apps are clients of Exchange and other servers. As a result, IT buys site licenses that have expensive maintenance options and require constant attention to make sure the licensing rules are followed as employees come and go. It’s a great revenue stream for Microsoft, Adobe Systems, and other similarly inclined vendors, as well as for purveyors of asset-management tools, and it’s been a great way to justify IT staff. The inmates and jailers are all collaborating.

The problem with that approach is that these applications are not in fact clients to some server-based application. They are not like ERP and CRM systems, despite Microsoft’s and others’ attempts to make them so. (One organization I know dropped 90 percent of its Office licenses in favor of Google Docs but had to keep half of its client access licenses due to Microsoft’s successful intermingling of client and server technologies.)

Instead, iOS users opt for iWork, Quickoffice, or Documents to Go, not Office. Android users go with Quickoffice or DocsToGo, as do BlackBerry and other mobile operating systems’ users. They work with native Office files, so for most organizations, it doesn’t really matter that they’re not Microsoft apps, just as it doesn’t really matter if a user on a PC or Mac runs OpenOffice, iWork, or Google Docs. As long as the tools support the Office capabilities required by your work process, who cares what client is running? IT has cared, but it really shouldn’t.

What seems to really perturb IT admins is that these apps come from app stores, where there are no site licenses. And these vendors don’t offer enterprise support plans. Welcome to the reality of consumerized IT.

How to manage apps in the era of consumerized IT These apps — and more from the Mac, Windows, Chrome, and other emerging app stores — are purchased by individuals, and most app stores let consumers install them at no additional cost for each device associated to the user ID. There are no site licenses; the Apple app stores, for example, treat businesses pretty much like individuals: Each user gets a license that applies for as many as five of their devices. In the case of a device accessed by multiple users, such as a kiosk iPad or a library Mac, the license appies to all users for that one piece of hardware.

Devices can have apps from multiple accounts. Thus, an iPad could have personal apps downloaded from the user’s iTunes Store account, as well as business-provisioned apps downloaded from the business’s iTunes Store account or from a network page that provisions a business’s internally developed apps to its authorized users.

There are also mobile application management (MAM) tools for applications you develop in-house and want to provision broadly, both for native apps and for HTML5-based Web apps.

Note the dichotomy: IT manages internal apps using long-standing techniques, whereas commercial apps are unmanaged.

In this new world, commercial apps are treated the same as devices: It’s a bring-your-own reality, where the license is associated to the individual, regardless of who ends up shouldering the cost. And at the small costs of mobile apps, having a labor- and technology-intensive process to manage their purchases and track their installation is simply out of whack with the reality on the ground. (Yes, I know there are certain organizations that need strict controls. They’ll continue to work that way, as they should. But you have to ask yourself honestly, what control do you really need over apps and endpoint devices. It’s not as much as you’re used to.)

These commercial apps are not part of the MAM mix, though some MDM tools let you restrict which apps can be installed on a user’s device authorized to access your network. Realistically, however, this approach works only for highly controlled devcies, such as iPads used in a retail store by all employees; it’s not feasible for bring-your-own devices.

But your private, internal apps are assumed to be managed, either in a lightweight way such as being downloaded (if a native app) or accessed (if a Web app) from an intranet site (VPN-protected, I would hope). You may use a MAM tool to manage them, such as to remove apps from contractor and employee devices when they leave the project or company. The use of MAM makes sense for apps that run locally and don’t require access to resources in your data center — in other words, a stand-alone tool that you don’t want a person using at another business. Likewise, MAM makes sense for removing or disabling apps that store sensitive data locally on a device.

However, most internal apps are really front ends to an internal resources — ERP, CRM, IT management console, databases, BI, VDI, and the like — for which you exercise your control by managing access to the internal resource. In other words, you should disable access to that information for that user, regardless of the apps they might work with. They may still have the apps, but they can’t access or work on the data.

This realization explains why so many businesses are enamored with tools like Citrix Receiver — essentially the same model of a Web app and should be of your native client apps. This access-control approach — rather than app management approach — is both safer and easier than trying to track every endpoint app (including browser) a user may leverage to access that information. Plus, this access-control approach applies to any device: smartphone, tablet, computer, and whatever else may be on the horizon, whether owned by the business, the user, or both.

IT needs to think different. Let go of the endpoint mentality, and instead focus on the information and access to it. Then you won’t be asking about how to manage apps or worry about site licenses — at least not for stuff outside the data center. The poster child for this new approach is Bechtel, whose CIO Geir Ramleth sucessfully exited the endpoint business two years ago. I hear more and more CIOs at conferences and in interviews starting to think the same way.

The reality is that users are smarter about tech and need less mothering than in the 1980s and 1990s. I remember when fax machines, photocopiers, and printers were expensive, complex, and fragile. Secretaries guarded them carefully, and regular staff were kept away; many companies had departments to manage copying and faxing. Over time, the technology got better and cheaper, and employees got more familiar. Today, these devices are broadly available to everyone, in a self-service context. Many of us have them at home. You call a contractor when they break, and facilities or low-level IT monitors paper and toner levels — or the staff does. And no one vets what you copy or print to make sure it’s authorized; the assumption is you can be trusted with the information you have access to.

Well, that’s what’s happening with PCs, mobile devices, and some classes of apps.

Also rethink app support As for enterprise support plans, just think about all the money you’ll save as users spend more time on mobile devices whose apps don’t carry that additional expense. Yes, you’ll have to train your support staff to know the apps that you decide are corporate-standard or corporate-preferred. But you do that anyhow with tools like Office today.

For tools that employees choose to use beyond your standards, the employee provides his or her own support — that’s the trade-off for the flexibility to choose from outside the official list. It’s a trade-off that many people are willing and even happy to make. (Those that don’t want that choice will use whatever you issue and support.)

Mobile and desktop apps that come through app stores follow the same model as SaaS “cloud” apps and open source apps — developers update them regularly and users get those updates when they are ready. There’s very little in the way of support; the notion of vendor support phone lines is pretty much dead already for individually oriented software, including business-oriented apps like Office and Creative Suite. The fact that mobile, app store, and cloud apps don’t provide it is really just more of what’s already happened.

If you really need support for such apps, you’ll find a cottage industry of consultants and support firms happy to take your business. They just won’t be the same companies that developed the apps. It’s basically no different than those copiers, printers, and fax machines — or a home appliance or car: You usually rely on a local independent service provider rather than the manufacturer. That’s where computers have been going for some time, and apps are following — outside the data center that is.

This article, “How (not) to manage apps in an iOS and Android world,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.