Creating a mobile data management policy

Have you had a colleague bring their new iPhone or BlackBerry Pearl into the office and ask how to get their work email onto it yet? Chances are you and your business has faced the problem of having or trying to support and deploy services to a myriad of untried and untested mobile devices.

You may be thinking voice over IP (VoIP) and field force automation are tools you want to reserve for specific teams but mobile data is already widespread in your business; you're just not managing it. Plug in a Windows Mobile phone and it syncs the Outlook address book; that might include internal numbers you don't want circulated outside the company, let alone getting left in the back of a taxi.

Budget hotels have free Wi-Fi but business hotels usually charge for access; how many connection charges do you want to see in expenses claims? Flexible working is top of the list for end users and bottom of the list for IT admins; does that mean users are connecting their own devices?

Implementing an overall solutionInstead of dealing with setup, support and security on a device by device and user by user basis, you need a mobile data policy that tells everyone what they can connect with, what they can access, how much they can spend, where they can get help - and what they do if they lose a device.

You don't have to start from scratch; you already have security and remote access policies you can build on. Increasingly mobile management is becoming part of tools you already use; Cisco is integrating management of wired and wireless LAN, helpdesk offerings are starting to include device support, Microsoft's System Centre Mobile Device Manager 2008 will work with Active Directory and group policy.

Even with the same management tools, handheld devices need to be treated a little differently. But smaller screens, limited keyboards, limited processing power and bandwidth issues may mean changes here, especially with virtual private networks (VPNs). The overhead of VPN means it can consume 20 per cent of the bandwidth of a GPRS or 3G data connection, so some enterprises invest in a leased line connected to the mobile network.

If you stick with VPNs, if there aren't IPSec clients for the devices you expect to see connecting, you may need to support SSL VPNs too. Windows Mobile 6 devices can access SharePoint sites and file shares without needing a VPN. What you need to implement your policy depends on the devices in use, so the place to start is with an audit.

What devices do people useIt's not just how many people in your company are using a mobile device you don't know about; devices you've officially issued to staff may not actually be in use. Users will leave a mobile device in the office if they don't like using it or worry that it will infringe on their privacy, so usability studies and a clear understanding about what information you're capturing need to be part of your process. You need to look at usage across departments and business units to make sure your policy is suitable for everyone.

Forrester analyst Maribel Lopez says many businesses are moving from managing users and devices based on the department they work in to looking at the different roles within a company; "People are starting to think about how to change policies to what is the kind of role and what applications might they have access to, maybe even rolling it all the way back into the directory."

You need to find out whether users are reporting lost and stolen devices quickly enough. The natural tendency is to hope the handset will turn up somewhere but waiting to report the issue means that the device might already have been compromised before you can send the command to wipe it remotely - or it might have run out of battery, so the remote wipe won't happen. "People don't like the notion of you wiping their device so they don't report it lost," Lopez warns. "You have to give people incentives to report, that can be anything from a cash reward or a better handset." Locking the device remotely and allowing 24 hours grace before wiping it is a good balance between enforcing security and alienating users. At the other extreme, make sure employees know what the policy is for replacing elderly devices or you may find they're losing or breaking functional devices to get newer hardware.

Once you know what devices you already have to deal with and the business has decided who should have access to what information and in what circumstances (a DSL or 3G phone connection can be safer than the same user connecting using an unknown hotspot or in an Internet cafe), you can consider both your preferred hardware and how you'll deal with devices that aren't on the list.

There are more issues than just choosing which mobile operating system to support, and best practice is to support a mix of devices. Lopez suggests two models of notebook PC, one type of mobile data card, two styles of smartphone and a Qwerty or touch-screen handheld but the policy also needs to take into account other mobile technology - think about how you will handle GPS, RFID tags and sensors and USB-connected entertainment devices with storage.

Mary Branscombe

Mary is a freelance business technology journalist who has written for the likes of ITPro, CIO, ZDNet, TechRepublic, The New Stack, The Register, and many other online titles, as well as national publications like the Guardian and Financial Times. She has also held editor positions at AOL’s online technology channel, PC Plus, IT Expert, and Program Now. In her career spanning more than three decades, the Oxford University-educated journalist has seen and covered the development of the technology industry through many of its most significant stages.

Mary has experience in almost all areas of technology but specialises in all things Microsoft and has written two books on Windows 8. She also has extensive expertise in consumer hardware and cloud services - mobile phones to mainframes. Aside from reporting on the latest technology news and trends, and developing whitepapers for a range of industry clients, Mary also writes short technology mysteries and publishes them through Amazon.