Employees want iPhones, Androids, and other devices beyond the BlackBerry; here's how to safely welcome them

Resistance is futile: The iPhone has won. Try as you may to maintain the great corporate barrier against employees using the latest smartphones on your network, the iPhone has entered or will soon enter your business and connect to your IT systems, and Google’s Android devices such as the Droid series are not far behind. In fact, many CIOs and CSOs have already stopped resisting and are instead putting their energies to greater use: figuring out how to say yes to smartphones that are quickly becoming key business devices.

Sure, devices such as the iPhone have strong personal utility and appeal, but they are also increasingly able to meet core corporate security and management needs. The PC revolution 25 years ago blurred the distinction between “business” and “personal.” Today’s mobile devices are meeting IT halfway, permanently ending any pretence of a hard line. Now it’s your turn to figure out how to make the most of the smartphone revolution.

This guide will help you say yes to the latest mobile devices, beginning with security capabilities, which remain a core concern for most organizations. To address this issue, I’ve defined four categories that cover most businesses’ security needs. I then explain how to ensure that each mainstream mobile device can meet those requirements, noting clearly when a particular device is ill-suited to your environment. Your obligations may vary, but you can fine-tune your smartphone strategy by starting with the closest-fitting category.

There are hundreds, if not thousands, of smartphones and “featurephones” (cell phones with the carriers’ own apps), but most don’t matter when it comes to business usage, which revolves around email, calendars, contacts, to-dos, applications, and data access.
To keep the scope manageable, I’ve focused on Apple’s iPhone (including the iPod Touch and iPad), Google Android OS 2.x devices, Microsoft Windows Mobile, business-oriented Nokia Symbian devices (such as the S60 and E71), and Research in Motion’s BlackBerry. Palm’s WebOS-based Pre hasn’t gained traction, and analysts and mobile management vendors agree it’s not likely to be a factor for most businesses, but I’ve included it just in case.

Given the importance of email on mobile devices, I also note considerations for the main business email platforms — IBM Lotus Domino/Notes, Microsoft Exchange, and Novell GroupWise — and explain when it might make sense to use a third-party mobile management product. Be aware that most of those products don’t really add security capabilities. Some simplify the provisioning of the devices’ native security capabilities, but most are focused on monitoring and managing your cellular telecom spend, tracking the devices as assets, and giving IT basic status information for help desk support. Rather than adding yet another management tool, you may want to opt out of the smartphone-provisioning business altogether, which may solve the accounting issues these management platforms have been devised to address.

Keep in mind that mobile is a moving target. The advice that follows is based on what is available today, but there are upcoming changes to keep in mind. iOS 4.0, released on June 21, will amp up the iPhone’s corporate capabilities and fit, as well as make it easier for third-party mobile management tools to manage the iPhone in the same way many organizations use RIM’s BlackBerry Enterprise Server to track the BlackBerry. Another upcoming change of note is Novell’s beta of its forthcoming Data Synchronizer Mobility Pack, an add-on to GroupWise 8 that includes Microsoft’s Exchange ActiveSync (EAS) services. With it, you can manage EAS-compatible devices such as the iPhone and Windows Mobile as you can with Microsoft Exchange Server.
Maybe Novell will finally get serious about mobile — I know several big customers poised to dump GroupWise if it doesn’t.

Finally, Microsoft says its new Windows Phone 7 OS, to ship around the Christmas holidays, will have the same security and management capabilities as today’s Windows Mobile platform.

Saying yes to smartphones: What security category fits your needs?

Although scare stories about smartphone security often try to hold these devices to the standards of military and financial services firms, most companies don’t require those levels of security. Besides, many defense and financial services firms have already figured out how to support iPhones despite their higher security needs.

Many companies will require a blend of the four broad categories outlined below. After all, you likely support employees who are involved in sensitive negotiations, as well as those who have little to no access to vital corporate data. As such, your “say yes” strategy should reflect that internal diversity. The universal truth of mobile is that it is not one-size-fits-all.

One final note: If you’re not holding employee use of personal and company-provisioned PCs and laptops to the same security requirements you’re placing on mobile devices, something’s wrong: you have a more immediate security gap to fix at the PC level.
Category 1: Routine business information. Truck drivers, sales reps, sales clerks, graphics designers, Web developers, repair and maintenance staff, personal coaches, restaurateurs — people in these professions deal with routine information that is rarely personally or legally sensitive.

If their smartphone is lost or stolen, the resulting hassle amounts to reconstructing some data, ensuring the cell service is discontinued, and buying and re-outfitting a replacement device. There’s a risk of a thief accessing your email, so you do need to immediately change the affected passwords at the server. Required security includes a PIN to use the device. Good, but not essential, security and management capabilities include password expiration and complex-password requirements, remote wipe, in-transit SSL encryption of email and other data, and a “wipe contents after x failed attempts” policy.

Category 2: Important business information. Sales managers, veterinarians, personal assistants, management consultants, IT administrators, teachers, editors, videographers, programmers, most midlevel managers — people in these professions and positions have access to some personal and financial information that won’t make or break the company but could cause economic or PR damage worth preventing. They may also have access to some internal systems via passwords that could be abused by a bad actor who gets the device.

If their smartphone is lost or stolen, the cleanup effort goes beyond the individual’s information and may require changing shared passwords, informing business partners, and absorbing the loss of short-term competitive advantages. Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, and a “wipe contents after x failed attempts” policy.
Good, but not essential, security and management capabilities include VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption.

Category 3: Sensitive business information. Finance staff, auditors, bankers, medical professionals, HR staff, lawyers, regulators, product managers, researchers, division managers, lead IT admins, marketing and sales chiefs, chief executives in most firms, and all of their assistants — people in these professions work with significantly confidential information (legal, financial, product, and personal) and usually have significant access to key internal data stores and systems.

If their smartphone is lost or stolen, there could be serious financial consequences, such as the notification costs if personally identifiable information is unprotected and the competitive losses if details of business negotiations, staff salaries, and the like are revealed. Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, a “wipe contents after x failed attempts” policy, VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption. Good, but not essential, security and management capabilities include the ability to control access to specific networks, to turn off the built-in camera, and to control application installation.

Category 4: Top-secret information.
Military contractors, spies, police, senior diplomats, military personnel, congressional chairmen and their aides — people in these professions work with confidential information, the exposure of which could jeopardize individuals’ lives or compromise the public at large.

Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit military-grade encryption of email and other data, a “military-grade wipe contents after x failed attempts” policy, VPN access to sensitive systems and data stores, physical second-factor authentication support, military-grade on-device encryption, support for S/MIME and FIPS 140 standards, and discrete “lockdown” control over accessible networks and allowable applications.

Saying yes to smartphones: Securing the needs of Category 1 businesses for routine information

If your business deals with routine information, it’s pretty easy to embrace smartphones beyond the BlackBerry.

Apple iPhone. The iPhone supports the PIN requirement for this category, as well as all the good-to-have options. (Note that on-device encryption of stored email is available only on the iPhone 3G S, third-generation iPod Touch, and iPad.) SSL encryption of messages in transit is a native capability of the iPhone OS.

Enforcing these requirements and options is the issue at hand. If you can’t trust users to enable these settings themselves, you can use the free iPhone Configuration Utility to create security policy profiles. But to ensure employees actually install the profiles, you have to connect each device to a PC over USB and sync the profile manually. If you trust your staff, you can email them the profiles or have them install the profiles from a Web link. (The forthcoming iPhone OS 4.0 will let third-party tools install such profiles.) If you use Microsoft Exchange 2007, you can enforce PIN and password-expiration requirements using EAS policies. You can also issue a remote-wipe command via EAS.
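Here is what the profile approach above looks like in practice, as an added example rather than code from the article or from Apple: it generates a passcode-and-restrictions .mobileconfig (the XML plist format the iPhone Configuration Utility writes) for each of the article’s Categories 1 to 3 using Python’s plistlib, and audits an existing profile against a category before you email it or post it at a Web link. The payload keys are the documented iPhone OS passcode (com.apple.mobiledevice.passwordpolicy) and restrictions (com.apple.applicationaccess) payload keys; the organization name, the identifier prefix, and the numeric thresholds (minimum length, failed-attempt count, expiry days, inactivity lock) are this example’s assumptions, not the article’s. Category 3’s restrictions payload turns off the camera and app installation, the Category 3 good-to-haves the article discusses later.

```python
import plistlib
import uuid

# Assumptions, not from the article: placeholder organization and reverse-DNS
# identifier prefix. Change both to match your own deployment.
ORG = "Example Corp"
ID_PREFIX = "com.example.smartphone-policy"

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICT_TYPE = "com.apple.applicationaccess"

# Passcode-payload settings for the article's Categories 1 to 3. Category 4 is
# omitted because the article says the iPhone cannot meet it. The numeric
# thresholds are this example's choices, not the article's.
PASSCODE_POLICY = {
    1: {"forcePIN": True, "allowSimple": True, "minLength": 4,
        "maxFailedAttempts": 10, "maxInactivity": 5},
    2: {"forcePIN": True, "allowSimple": False, "requireAlphanumeric": True,
        "minLength": 8, "minComplexChars": 1, "maxPINAgeInDays": 90,
        "pinHistory": 4, "maxFailedAttempts": 10, "maxInactivity": 5},
}
PASSCODE_POLICY[3] = dict(PASSCODE_POLICY[2], maxFailedAttempts=6, maxInactivity=2)

# Restrictions payload: Category 3's good-to-haves (camera off, no app
# installation). Categories 1 and 2 carry no restrictions payload.
RESTRICTIONS = {3: {"allowCamera": False, "allowAppInstallation": False}}

# How a profile's value compares with the category's: for these keys a lower
# (or higher) number is stricter, and False is stricter for these booleans.
LOWER_IS_STRICTER = {"maxFailedAttempts", "maxInactivity", "maxPINAgeInDays"}
HIGHER_IS_STRICTER = {"minLength", "minComplexChars", "pinHistory"}
FALSE_IS_STRICTER = {"allowSimple", "allowCamera", "allowAppInstallation"}


def _payload(ptype, name, settings):
    """Wrap SETTINGS in the Payload* keys every profile payload carries."""
    body = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.{ptype}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": ORG,
    }
    body.update(settings)
    return body


def build_profile(category):
    """Return the configuration profile for CATEGORY as a plist-ready dict."""
    payloads = [_payload(PASSCODE_TYPE, f"Passcode (Category {category})",
                         PASSCODE_POLICY[category])]
    if category in RESTRICTIONS:
        payloads.append(_payload(RESTRICT_TYPE, f"Restrictions (Category {category})",
                                 RESTRICTIONS[category]))
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.category{category}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Smartphone policy, Category {category}",
        "PayloadOrganization": ORG,
        "PayloadDescription": "Passcode and restriction settings",
        "PayloadRemovalDisallowed": True,  # users cannot remove it themselves
        "PayloadContent": payloads,
    }


def to_mobileconfig(category):
    """Serialize the profile to the XML plist bytes a .mobileconfig holds."""
    return plistlib.dumps(build_profile(category))


def payload_types(blob):
    """List the payload types inside a serialized profile."""
    return [p["PayloadType"] for p in plistlib.loads(blob).get("PayloadContent", [])]


def _satisfies(key, have, want):
    """True when the profile's value HAVE is at least as strict as WANT."""
    if have is None:
        return False
    if key in LOWER_IS_STRICTER:
        return have <= want
    if key in HIGHER_IS_STRICTER:
        return have >= want
    if key in FALSE_IS_STRICTER:
        return have is False or have == want
    return have == want


def audit_profile(blob, category):
    """Parse a .mobileconfig and list the ways it falls short of CATEGORY.

    An empty list means the profile is at least as strict as the category
    requires; check this before sending a profile out by email or Web link.
    """
    by_type = {p["PayloadType"]: p
               for p in plistlib.loads(blob).get("PayloadContent", [])}
    if PASSCODE_TYPE not in by_type:
        return ["no passcode payload"]
    problems = []
    for payload, wanted in ((by_type[PASSCODE_TYPE], PASSCODE_POLICY[category]),
                            (by_type.get(RESTRICT_TYPE, {}), RESTRICTIONS.get(category, {}))):
        for key, want in wanted.items():
            have = payload.get(key)
            if not _satisfies(key, have, want):
                problems.append(f"{key}: want {want!r}, profile has {have!r}")
    return problems


if __name__ == "__main__":
    for cat in (1, 2, 3):
        with open(f"category{cat}.mobileconfig", "wb") as fh:
            fh.write(to_mobileconfig(cat))
    print(audit_profile(to_mobileconfig(2), 3))
```

Running the script writes category1.mobileconfig through category3.mobileconfig to the current directory. PayloadRemovalDisallowed keeps users from removing the profile once it is installed, which matters most when you cannot sync over USB and have to trust users to install it. The audit catches the common mistake of reusing a looser profile for a stricter population: auditing a Category 2 profile against Category 3 reports the failed-attempt and inactivity thresholds plus the two missing restrictions, while a Category 3 profile audited against Category 2 passes.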
To see which EAS policies the iPhone and other devices support, read “How to avoid the smartphone Exchange policy lie.” If you need to manage the other capabilities using an over-the-air tool that also tracks deployments, neither of which the iPhone Configuration Utility can do, you might consider the profile validation, device locking, and access control capabilities of mobile management tools from Good Technology, Mobile Iron, and Zenprise. You can also use Sybase’s Afaria to deploy iPhone Configuration Utility profiles to the iPhone over the air.

Lotus Notes-based organizations can password-protect email access by combining Domino 8.5.1 or later with the free Lotus Notes Traveler app available from the iTunes App Store. Notes Traveler also provides remote wipe of email, calendar, and contact data. But Domino/Notes can’t enforce devicewide policies on the iPhone, just on Notes access. If such enforcement is critical, you might consider the profile validation, device locking, and access control capabilities provided by Good Technology’s mobile management tool.

If you use Novell GroupWise or Google corporate Gmail, you’re restricted to Webmail access and have no ability to manage or secure the iPhone, even with third-party mobile management tools.

Google Android. Android devices can be set to require a PIN or custom swipe pattern before they can be accessed, but there is no way to require the use of these security measures from a server. Android also does not support most of the good-to-have security options for this category, because the operating system does not provide services such as on-device encryption.

So far, there are only two options for even minimally secure Android usage. One is NitroDesk’s TouchDown app, which provides Exchange 2003 and 2007 access and lets you enforce EAS PIN requirements and enable EAS remote wipe. Each user would need to install this app.
It’s critical to note that Android phones that claim Exchange compatibility, such as the Motorola Droid and HTC Droid Eris, do not support EAS policies natively, just unsecured Exchange synchronization. Thus, their built-in mail clients won’t connect to an Exchange server that requires EAS policies. (Exchange will accept them only if the mailbox policy is set to allow nonprovisionable devices, which waives the policy for exactly the devices that can’t apply it.)

The other option is to deploy the Good for Android app, which provides email, calendar, and contact access to both Exchange and Notes servers. The app can require a password, encrypt the messages and other data, and remotely wipe the messages and other information stored within the app. Of course, using it requires having a Good for Enterprise server in place. IBM is working on a version of its Lotus Notes Traveler app for Android; when that is released, it will let you secure access to Notes and to data pulled in from Notes, as well as remote-wipe that data.

Microsoft Windows Mobile. Windows Mobile supports this category’s PIN requirement and the good-to-have options. You can enforce most of them using Microsoft Exchange and its EAS policies; SSL encryption of messages in transit is a native capability of the Windows Mobile operating system.

If you use Lotus Notes with Domino 8.5.1 or later, you can use the free Lotus Notes Traveler app to remote-wipe Notes email, calendar, and contact data. But Domino/Notes can’t enforce any devicewide policies on the Windows Mobile device, just on Notes access. If you use Novell GroupWise, you’re stuck with the Mobile Server product, which uses the Nokia IntelliSync technology (discontinued in late 2008) rather than EAS to manage devices; that means each device needs an IntelliSync client installed, though Novell is no longer providing the client. Effectively, this limits GroupWise to older Windows Mobile (5.0 and 2003) devices. As noted earlier, Novell is beta-testing an EAS-based replacement for Mobile Server, which it expects to ship by 2011.

Nokia Symbian. Many Nokia devices support this category’s PIN requirement, as well as the good-to-have options. For Exchange users, Nokia supports the full set of EAS policies and management capabilities. For Notes users, IBM offers the Lotus Notes Traveler application to secure Notes email, calendars, and contacts, and to remote-wipe that data. If you want to manage Nokia devices, the Good for Enterprise server bundle can do the trick for some models such as the S60, if you’re using Exchange or Notes/Domino. For Novell GroupWise, you’re limited to older devices that use the discontinued Nokia IntelliSync technology, which also requires you to have GroupWise Mobile Server in place.

Palm Pre. WebOS supports this category’s PIN requirement and in-transit message encryption. If you use Exchange, you can also impose more complex password requirements via EAS policies and remote-wipe the device. Note that WebOS does not support one good-to-have security option for this category: on-device encryption. If that’s critical, you can use the Good for WebOS app, which provides email, calendar, and contact access to both Exchange and Notes servers. The app can require a password, encrypt messages and other data, and remote-wipe messages and other data stored within the app. Of course, using it requires having a Good for Enterprise server in place.

RIM BlackBerry. The BlackBerry supports this category’s PIN requirement and all the good-to-have options — if you use the BES or BES Express servers in addition to your Exchange, Notes, or GroupWise server. The new free BES Express server software makes BlackBerry management a viable option for small businesses that use Microsoft Exchange.
Without BES, the BlackBerry can have a PIN set on the device itself and can encrypt in-transit messages. If you run Microsoft Exchange and want to use its EAS policies instead of relying on BES (such as if you support other smartphones in addition to BlackBerrys), there are third-party tools that let the BlackBerry support EAS, including AstraSync and NotifySync.

Saying yes to smartphones: Securing the needs of Category 2 businesses for important information

If your business deals with important information, it’s a bit harder to embrace smartphones beyond the BlackBerry, but you can confidently support iPhone, Windows Mobile, and Nokia Symbian.

Apple iPhone. The iPhone supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses. One Category 2-specific issue to be aware of is that the VPN support for Cisco networks does not let you use Cisco profile distribution files; you have to enter the VPN profile manually or use the iPhone Configuration Utility to generate it, so there’s more IT overhead in implementing VPN access.

Google Android. The Android operating system lacks the services to provide many of this category’s requirements, such as on-device encryption or password expiration. PPTP and L2TP/IPsec VPNs are supported in the operating system (OpenVPN is not built in), but the VPN client may not be available on every device, because device makers don’t have to implement it. If your concern is about protecting email, calendar, and contacts data — and you use a compatible VPN — you can probably compromise the Category 2 requirements a bit for Android users. But you can’t meet them all.

Microsoft Windows Mobile. Windows Mobile supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.
However, for large-scale deployments in Microsoft-based IT shops, you may want to use Microsoft System Center Mobile Device Manager 2008, which lets you add self-provisioning, such as for password resets, and handle thousands of users across multiple Active Directory domain controllers if they are in the same forest.

Nokia Symbian. Nokia supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.

Palm Pre. WebOS lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 2 businesses.

RIM BlackBerry. The BlackBerry supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.

Saying yes to smartphones: Securing the needs of Category 3 businesses for sensitive information

This level of business — financial services, legal, HR, and health care — is where businesses have to start making support choices that could displease users.

Apple iPhone. The iPhone supports all the requirements for this category. The issues and capabilities for Category 3 requirements are the same as those described for Category 1 businesses. Where the iPhone becomes problematic is in the good-to-have capabilities. You can disable the camera and limit Wi-Fi access to specific SSIDs via the iPhone Configuration Utility’s profiles. But there’s no ability to control Bluetooth connections on an iPad in the iPhone Configuration Utility thus far, and no ability for any iPhone OS device (and thus none in the mobile management apps that use it for over-the-air provisioning) to restrict use of specific apps. You can disable the App Store, Safari, and iTunes, but those are heavy-handed controls that will reduce the iPhone’s intrinsic utility and appeal.

Google Android. The Android OS lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 3 businesses.

Microsoft Windows Mobile. Windows Mobile supports all the requirements for this category, but you’ll need Microsoft System Center Mobile Device Manager 2008, Good for Enterprise, or Mobile Iron products to handle the good-to-have option of managing which applications users may install. Otherwise, the issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses.

Nokia Symbian. Nokia supports all the requirements for this category. The issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses. For the good-to-have options, I could not find third-party management tools that provide them for Nokia’s devices.

Palm Pre. WebOS lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 3 businesses.

RIM BlackBerry. The BlackBerry supports all the requirements for this category — if you use the full version of BES with Notes or GroupWise, or either the free Express or the paid full version of BES for Exchange. (InfoWorld’s comparison of the two editions of BES explains how to choose between them.) You’ll need the full BES for the good-to-have features on all three email platforms. The issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses.

Saying yes to smartphones: Securing the needs of Category 4 businesses for top-secret information

If your business deals with life-critical information, such as for defense work, there are only two viable smartphone options: BlackBerry and Windows Mobile.

Apple iPhone. The iPhone can’t meet the military-grade encryption (FIPS) requirements or provide the level of application and network-access control necessary, nor can it support physical second-factor authentication. It can be used in military organizations, but only by those people whose level of clearance doesn’t require these extraordinary security measures.

Google Android. The Android operating system lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 4 businesses.

Microsoft Windows Mobile. Natively, Windows Mobile can’t meet military-grade requirements such as physical second-factor authentication support and military-grade (FIPS) encryption, but the Good for Government product adds these capabilities to meet Defense Department requirements.

Nokia Symbian. The Nokia devices can’t meet the military-grade (FIPS) encryption requirements or provide the level of application and network-access control necessary. They can be used in military organizations, but only by those people whose level of clearance doesn’t require these extraordinary security measures.

Palm Pre. WebOS lacks the services to provide most of this category’s requirements, so it cannot legitimately meet the needs of Category 4 businesses.

RIM BlackBerry. When used with the full version of BES and the BlackBerry Smart Card Reader, certain models of the BlackBerry can meet Category 4 requirements.

The chart below gives a quick guide to the capabilities of each smartphone platform for the four major business categories. Solid red means the capabilities are supported natively in the device and/or enterprise mail server (including free client apps for the server). Dashed red means some capabilities are not supported. Yellow means that extra-cost software, servers, and/or hardware are needed.
An “X” means none of the requirements are supported.

Chart: How each smartphone platform compares

The bottom line: You can say yes a lot

By now, I hope it’s clear that most businesses can say yes to many of today’s smartphones. Although the minimal capabilities of WebOS and the Android operating system largely limit their use to Category 1 companies, businesses in Category 2 and Category 3 can clearly support the iPhone, not just the traditional BlackBerry, Windows Mobile, and Nokia Symbian devices.

So now the question is not whether your business should say yes to smartphones but what value it seeks from their broad use. That’s a better question to ask and an even better one to help the business answer.

Related stories
Who should own your smartphones?
How to avoid the smartphone Exchange policy lie
Apple stages corporate mobile takeover with iPhone OS 4.0
Can you manage an iPhone like a BlackBerry?
InfoWorld review: BlackBerry Enterprise Server, express or deluxe?
First look: Motorola Droid, HTC Droid Eris are risky for business

This article, “How to say yes to (almost) any smartphone,” was originally published at InfoWorld.com.