How to Manage Mobile Device Mayhem
When it comes to mobile, can campus users be left to their own devices? Universities are increasingly turning to mobile device management solutions to create some order--and security--whether the devices are BYO or institutionally owned.
Illustration by Shane McGowan |
Managing mobile devices is hard enough when institutions own the equipment--Apple products, for example, often require a different approach in an enterprise setting. But when students, staff, and faculty flood campus with their own devices--be they Android, Windows, iOS, or BlackBerry--the task becomes exponentially harder.
Many universities are turning to mobile device management products to manage the mayhem. While vendors are peddling more than 50 MDM products, the right solution for your institution will depend largely on your specific setup and needs. But even small pilot deployments of 30 or 40 tablets--especially those involving iPads--may require an MDM solution.
Identifying your needs and developing an appropriate approach are a key first step. The rapid growth in the use of personal devices at Purdue University (IN), for example, led the school's chief information security officer, David Shaw, to convene a project team in 2012 to study MDM policy. "When [campus users] are accessing university data, we need some reasonable level of protection," Shaw says. "Some are accessing sensitive data." In his view, the mobile device is just another endpoint device that Purdue needs to manage.
The type of mobile-policy reassessment undertaken at Purdue is becoming increasingly common on campuses, and mirrors what is happening in corporate settings, says Chris Silva, an analyst with the Altimeter Group of San Mateo, CA. "We used to see more devices such as BlackBerrys owned by the organization and locked down," he says. But now in the BYOD era, he adds, "the device matters less and the focus is more on role-based access to applications. We are seeing an array of devices ranging from university-owned to BYOD, and the solutions have to be able to handle those distinctions. One MDM solution should be able to apply different rules to different types of devices."
Case Study: Wharton School of Business
Key Takeaway: Because the school wanted only to manage an iOS environment, it selected a specialized MDM solution.
When the executive MBA program at the Wharton School of the University of Pennsylvania decided to give its approximately 400 students iPads, CIO Dan Alig began looking for an MDM solution.
"When we first started working with Apple, we knew that we would need an application like this if we were going to have any semblance of control over these devices--we couldn't control them using our Exchange server," he recalls. "The most important feature we needed was the distribution of content and apps. We were able to create a Wharton app store so students can download apps that we have purchased for them."
Wharton Apps, as the store is known, also allows the school to push out apps developed internally that aren't available in Apple's App Store. Because it was interested only in managing the iPads, Wharton chose JAMF Software's Casper Suite, which focuses on iOS device management.
"Other MDMs may be more feature-rich, but we zeroed in on iOS-specific content distribution," explains Alig. "We are getting ready for our third year of distributing iPads, and we are learning about it both from an administrative and pedagogical perspective. The MDM has helped us have a better experience. It would have been a management nightmare otherwise."
|
In 2012, an MDM evaluation team at the University of Pennsylvania came up with what it considers the top three questions to ponder before choosing an MDM solution:
- Stand-alone or integrated product? In general, stand-alone products have more features, simpler interfaces, and function better. However, for those wanting to manage both mobile and desktop clients with the same solution, an integrated product is worth considering. And if a desktop-management solution is already in place, is there an MDM component available? If the answer is yes, the benefits of a relatively quicker deployment and unified environment may outweigh the shortcomings compared to a dedicated product.
- What do you want to manage--and what will you want to manage? What does the environment to be managed look like now? What will it look like in two years? An iOS-only environment can get by with iOS-focused tools, but those considering supporting Android, Windows Phone, or another mobile OS should keep that in mind when choosing a product.
- Managing one group or many? Does the product need to apply one set of policies to a single group of users or several sets of policies to several sets of users? A product that can easily handle multi-tenancy is key, particularly in larger organizations.
Case Study: Thomas College
Key Takeaway: With MDM solutions all very similar, Thomas chose a cross-platform solution from a vendor with which it already has a relationship.
Thomas College (ME) is a Windows shop: About 95 percent of its computers are Windows PCs and the school uses Microsoft products for almost everything on campus. But with tablets increasing in popularity, the college decided to create an iPad lab to expose students--especially education majors who will use iPads extensively in Maine's K-12 schools--to the new technology. Not surprisingly, it fell to the IT team to figure out how to manage the lab's 30 new iPads. "We quickly realized that the kind of tools that we use every day and take for granted in the Windows environment for configuration management are not available in the iOS world," says Chris Rhoda, vice president of information services and CIO.
Because the college already deploys Absolute Software's Computrace security solution on all its laptops, Thomas looked into Absolute Manage MDM as well as some other vendor solutions. "They all had many of the same features," notes Rhoda. "Since we already had a relationship with Absolute, we decided to go with its product, and we have been pretty happy with it."
Absolute Manage MDM allows Thomas to remotely manage the mobile devices over 3G or WiFi, as well as wirelessly configure, query, and even wipe or lock each device. The IT team has standardized configurations, and can push different profiles and settings to specific devices based upon the user.
"We do allow students the freedom to add apps to the devices, and then periodically we do a reset to the original image," adds Rhoda. "That gives us a chance to see the kinds of apps students are using and decide if we should consider making those part of our base image."
|
Concerns About Vendor Solutions
But are commercial MDM solutions up to the challenge, particularly with respect to the third question? According to Chris Rhoda, vice president of information services and CIO at Thomas College (ME), MDM vendors have struggled to create enterprise management solutions for personal products. "They are doing their best, but they are not perfect," he explains.
It's an observation borne out by the MDM team from Stanford University (CA). When the team reviewed the commercial products available a few years ago, it found that most products were intended for businesses, which don't necessarily share Stanford's complex, multilayered network environment.
Stanford expects its users to enroll and support their devices largely on their own, and it was looking for hierarchical reporting and administrator access down to the workgroup level. "Unfortunately, there were no commercial solutions that could function in this sort of environment or provide the distributed-management features that we needed," recalls Mark Mellis, an associate information security officer at Stanford. So the school decided to build its own MDM solution, starting with an iOS version since 85 percent of devices on the network ran iOS. (This solution won a Campus Technology Innovators Award in 2012.)
Case Study: Southern Illinois University
Key Takeaway: By buying Windows 8 tablets, the school did not need a new MDM solution.
Southern Illinois University has avoided the whole MDM issue entirely. The school is rolling out 2,500 Dell Latitude 10 tablets to students next fall. Unlike iPads or Android tablets, the Dells fit easily into the school's existing IT environment, thus decreasing the total cost of ownership and improving IT efficiency. The Latitude 10 does not require new MDM or software licensing, supports new and legacy Windows applications, is compatible with Adobe Flash, and connects with existing peripherals to allow end users to work and play the way they always have.
"We started out assuming we would be giving incoming freshmen iPads, but we decided to do a side-by-side comparison of iPads, Android tablets, and Dell Windows 8 tablets," explains CIO David Crain. "We eliminated the Androids right away. They didn't have the functionality we needed or the enterprise-management tools. With iPads, we would have had to look at available third-party MDM apps. The Dells, on the other hand, we could plug right into the Windows System Center Configuration Manager to handle all the security essentials. We estimate a $3 million lower TCO over four years compared to the iPad."
|
Stanford wanted to offer MDM to the broadest possible cross section of the university community for four reasons:
- To protect university information.
- To control support costs by automating provisioning of services such as e-mail and calendaring.
- To assist community members in protecting their own privacy.
- To provide insights into trends in mobile device use.
In many ways, the Stanford decision to build its own MDM was a stopgap measure to allow commercial vendors to come up to speed. "We knew from the beginning that we would eventually need to migrate to a commercial product in order to support platforms other than just iOS--and to control support costs over the long term," adds Mellis.
Stanford is now beginning the transition to a commercial product, but it's using the lessons learned from its own MDM foray to make some changes particular to the university's approach. "Even today, the self-service model we adopted isn't available from the commercial products," says Mellis, "and that is an area where we expect to extend our commercial system."
Case Study: Goshen College
Key Takeaway: Although it's currently deploying only iPads, the school wanted an MDM product with the flexibility to support other operating systems.
Last fall, all 200 freshmen at Goshen College, a liberal arts college in Indiana, received iPads. By 2014, the whole campus will have them. "In planning this, we knew we would need an MDM solution," says Seth Unruh, a desktop architecture specialist. "We looked at Apple's Profile Manager, but it didn't seem to have enough tools and was not easily configurable at that time," he says.
The school ultimately chose AirWatch, because of its easy user interface. Goshen uses AirWatch to register and control the iPads, distribute application codes for fee-based commercial software, and direct students to free software that the college wants them to download. For instance, the school is pushing out an internal campus app created by students.
Initially, Goshen deployed a version hosted by AirWatch, but the school has since shifted to an on-premise solution for financial reasons, says Unruh. Even though Goshen is currently committed to iPads, Unruh likes the flexibility that AirWatch provides. "We just bought some Android tablets to experiment with," Unruh notes, "and we got them enrolled with AirWatch without any problems."
|
Finding the Right Fit
Even if commercial products don't offer a flawless soup-to-nuts solution, the pressure to handle the influx of mobile devices is forcing many schools into the MDM market anyway. But they should be sure to evaluate the pricing closely. The costs associated with MDM solutions vary widely, according to consultant Silva, with some vendor pricing models ill suited to colleges and universities. "You should look for per-user pricing rather than per-device pricing," he suggests.
Most universities are looking for a similar set of core functions from MDM vendors, although needs will vary depending on whether a school intends to support just one OS or a variety, and whether support will extend only to university-owned assets or to personal devices as well. The following list, based on a 2012 University of Massachusetts request for proposals, is reflective of the needs of most colleges:
- Over-the-air (OTA) configuration: The ability to assign different security settings, applications, and configuration policies to different work segments
- Intelligence, troubleshooting, and support: The ability to specify scheduled or event-based actions for troubleshooting and support, in addition to real-time monitoring
- Real-time inventory: The ability to provide real-time information on system configuration, installed applications, and security configuration; it should also be able to perform automated real-time remediation
- Reports: The ability to generate reports on devices that do not meet compliance policies (e.g., jailbroken/rooted, passwords, encryption)
- Remote-control capabilities: The ability to manage the system from off-site
- Employee self-service portal, including such features as backup and restore, wipe, remote wipe validation, locate, "find me" sound/alert, and password reset
At the very least, adds Silva, universities need the capability to locate, lock, and wipe employee devices that have access to sensitive data. But he also wags a cautionary finger about central IT becoming too heavy-handed. "You don't want to wipe a whole device and erase that last picture of Grandma," Silva explains. "That type of thing happens and it leads to lawsuits, so the less devastation you can cause the better."
And just how far do universities extend their reach? Do universities need to offer MDM solutions for students' personally owned smartphones, for example? Silva claims it really comes down to the level of service the school wants to offer students. The same way they offer disk space and e-mail to students, many universities are starting to offer some level of device tracking that extends to smartphones brought by students to campus, he says, but is up to the students to decide whether to take advantage of it or not.
MDM Vendors
Here is a list of major mobile device management vendors and their products:
|