IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Supporting Workforce Mobility: Best Practices in Enterprise Mobility Management

An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper Prepared for FrontRange

October 2013


Table of Contents

©2013 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com


Executive Summary

Trends in Workforce Mobility

Essential Practices in Enterprise Mobility Management

Asset Lifecycle Management

Resource Provisioning

Security and Compliance

Problem Management

Implementing Enterprise Mobility Management

EMA Perspective

About FrontRange


Executive Summary

A business’s success in meeting today’s dynamic organizational requirements depends on its ability to empower a mobile workforce. Business IT resources – including applications, data, and services – must be securely and reliably accessible by every device employed to perform business tasks, regardless of whether it is owned by the business or by an employee. Three key Enterprise Mobility Management (EMM) processes are necessary for enabling this: consolidating the delivery of business IT resources; isolating business IT resources from a user’s personal resources; and enabling end-user self-service. Supporting automated management processes for asset lifecycle management, resource provisioning, security and compliance, and problem management is essential to transforming enterprise IT management processes to deliver IT services that maximize workforce productivity without violating established enterprise policies.

Trends in Workforce Mobility

The ability of a modern enterprise to achieve organizational goals, competitive advantage, and business profitability is dependent on the mobility of its workforce. In order for workers to maximize their productivity, they require flexibility in how, when, and where they are able to access business IT resources. This freedom of IT accessibility allows users to perform a greater number of tasks with less effort by performing their job functions on the devices most convenient or applicable to their job tasks. Additionally, by no longer being chained to a single physical location (i.e. an office desk), workers are able to rapidly respond to any request, increasing the overall agility of the organization to address customer issues, business challenges, and changing market conditions. Enterprises that enable a mobile workforce are also able to improve employee job satisfaction by enabling them to easily perform job tasks remotely (supporting telecommuting and out-of-hours job requirements) and by allowing them to use the devices for which they have a preference – and sometimes an obsession.

In essence, there are two types of mobility that enterprises must adopt to empower their workforce. The first relates to the physical portability of devices. A mobile device is any computing endpoint principally designed and used for its portability. Although most people think of smartphones and tablets when they think of mobile devices, the definition makes the descriptor just as applicable to laptops. IT managers often lump laptops in with desktops because they utilize the same operating systems, but they are, in fact, designed for portability, and therefore are mobile devices. Mobile devices allow enterprise users to perform business tasks at any time and at any location. To support this, enterprise IT resources must be made accessible to and operate on a variety of operating platforms, including iOS, Android, BlackBerry, MacOS and various editions of Windows (Windows Phone, Windows RT, Windows Pro, Windows 7, Windows 8, etc.). These IT resources can be segmented into three categories:

• Business Applications – including both commercial software and proprietary applications

• Business Data – including both mundane and highly-sensitive files and records

• Business Services – including email, messaging, databases, remote access portals and access to other essential enterprise business resources

But the scope of workforce mobility extends beyond just the adoption and use of mobile devices. The second type of mobility addresses the ability to access common business resources from any device. For instance, users can access the same applications on their home desktop PC (or tablet, or smartphone, or laptop) that they do from their work desktop PC. In this way, the business resources become portable, allowing end users the freedom to employ multiple devices. According to EMA primary research, 87% of all business professionals employ a PC (laptop or desktop) and either a smartphone or tablet (or both). It is unquestionable that today’s enterprise workforce is dependent on multiple devices. Additionally, 98% of business users are reliant on PCs to perform critical job tasks, and there is no indication this will change in the foreseeable future. Smartphone and tablet mobile devices, therefore, are being adopted to supplement, rather than replace, PCs in the enterprise market.

Figure 1: Multi-platform adoption of enterprise user devices (Mobile Device only 2%; Laptop or Desktop PC only 11%; Smartphone and PC 49%; Tablet and PC 3%; Smartphone, Tablet & PC 35%)

There is a strong rationale for this multi-device adoption. While some tasks are ideally suited for the portability of a small mobile device – such as email, calendars, Web surfing, and note taking – more complex tasks require the larger, more accessible form factors and faster processing capabilities of a PC. For example, think about creating a graphical presentation, or a large spreadsheet, or writing an extensive research paper. It is just not practical to perform these tasks on a device as small as a tablet. Also, tablets lack graphics cards, large memory caches, fast CPUs and other system resources necessary to locally run complex applications. Business users have adapted to utilizing the device type most appropriate or most convenient to performing job tasks.

Naturally, this greater freedom of access to business IT resources has greatly exacerbated IT management challenges. Nearly all business applications, data, and services must now be easily accessible, reliable, and highly available to remote users on a variety of devices and platforms. But these resources must be delivered without violating enterprise security requirements or compliance commitments, and must not substantially increase administrative efforts and related costs. Clearly, the traditional management practices of individual endpoint provisioning, administration and lockdown are no longer sustainable in a multi-device world. To successfully empower a mobile workforce, new concepts in endpoint management must be adopted that deliver secure and reliable IT resources from a centralized management platform to all devices employed for business purposes.


Essential Practices in Enterprise Mobility Management

Enterprise mobility management encompasses processes and procedures coupled with automated monitoring and management solutions to enable secure user access to enterprise resources from any device, at any location. Management and configuration of mobile endpoints (sometimes called “Mobile Device Management”) is a subset of EMM, but effective and efficient support of workforce mobility requires a broader set of capabilities. There are three core requirements that must be addressed in any EMM solution:

• Consolidate Delivery of Business IT Resources – Business applications, data, and services must be delivered to the remote devices from a secured, centralized location. This greatly simplifies administration by ensuring business IT resources only need to be managed (i.e. patched, updated, configured, etc.) in a single location. Additionally, this creates a consistent user experience for the workforce, ensuring they do not need to hunt down resources necessary to perform their job tasks.

• Isolate Business Resources from a User’s Personal Resources – According to EMA research, 58% of mobile devices and 29% of PCs are employee owned. Bring Your Own Device (BYOD) services allow enterprises to secure business resources by segmenting them from a user’s unsecured applications and data. In this way, end users are able to utilize their device any way they wish without introducing risk to the business environment. It should be noted, however, that BYOD solutions are just as applicable to business-owned devices as they are to employee-owned devices, as 90% of all devices are utilized to perform both business and personal tasks.

• Enable End User Self-Service – A portal (or AppStore) must be provided to allow end users to access and provision business services with little or no interaction with IT administrators. Ideally, this solution will provide an approval process to ensure users are authorized to license and run applications or have the security clearance to access sensitive business data.

Delivered together, these enterprise mobility management processes ensure users remain productive without violating enterprise requirements and without substantially increasing management efforts. Nonetheless, several key processes must be adopted to enable user-focused but secured IT resource access. These processes can be logically grouped into the four essential management disciplines described below.

Asset Lifecycle Management

All devices (regardless of owner) that access business processes must be immediately detected and identified. For enterprise-owned devices, configuration details – including device type, operating system, installed applications, software licenses, attached devices and system settings – should be collected and stored in a centralized data repository. To ensure accuracy, all asset data should be continuously updated. Assets should also be logically grouped to simplify administration. For instance, a group could consist of all Android tablets or all accounting laptops. Support processes, resource authorizations, and security restrictions can then easily be applied to all members of a particular group. Similarly, operating system and application configurations can be standardized across all endpoints in a group.

Resource Provisioning

All applications employed by end users for business purposes (both commercial and proprietary) must be accessible from a centralized and secure user portal or AppStore. This single point of access to business software includes all types of applications such as static applications, virtual applications, Web applications, and all related versions, patches, and updates. Two-factor authentication ensures users are authorized to initiate access and/or download of enterprise applications. Additionally, applications that violate enterprise policies may be disallowed on user devices (black listing) or devices may be restricted to only install specific authorized applications (white listing); however, except for organizations with very strict security concerns, these application policies should only be applied to the business use of the devices and should not impact a user’s personal choice of applications and services. There are four principal methods for segmenting business and personal resources:

• Containerization – A “container” is a software-created environment that operates independently of a device’s primary workspace. Any applications or data stored in the container are supported by the business and subject to any enterprise restrictions, but no elements outside the container are affected by the business. A container can include an entire workspace, a specific set of resources, or individual applications or data.

• Virtualization – Effectively provides the same functionality as containerization. If a client device is virtualized, a separate workspace is created to support business resources. Desktop virtualization can also be employed to house, secure and manage a user’s workspace on a centralized server, and then allow users to remotely access that workspace from any device they choose. Application virtualization works the same way, but only hosts and delivers individual software elements, rather than whole desktops.

• Wrapping – Enterprise security and management processes are injected into the actual software code of supported applications. In this way, enterprise requirements can be instantly applied to all supported applications across the client support stack without affecting any of the user’s personal applications.

• Tagging – Maintains a list of business applications and data that will be supported by the business. Management processes are only applied to the “tagged” resources.

Figure 2: The secure provisioning of business IT resources


Security and Compliance

Security policies must be established and enforced on all devices that access business resources. Of particular focus should be processes that support Data Loss Prevention (DLP). All enterprise data, regardless of sensitivity, should be secured at its source, in transit to the user device, and on the endpoint. Begin by establishing a centralized repository for data, such as a secure user share. Access to this data repository should require two-factor authentication. Often, the two factors employed include a tunneling system (such as VPN) and strong password enforcement, but other methods can be employed as well, such as network encryption or SecurID cards. A secure method for sharing business data should also be provided, and unsecured data sharing methods should be restricted to prevent unauthorized duplication and transmission of enterprise content. ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) research has determined that more than 90% of business professionals rely on unsecured methods for distributing applications. These include email, messaging, DropBox, FaceBook, and other cloud-based services. To ensure any files that do leak out despite preventive measures are also secured, all data should be encrypted so they are accessible only by authorized personnel.

Any data downloaded to user devices must also be secured. On average, one out of every eight mobile devices will be lost or stolen, and if any of these contain sensitive data, the business could be placed at risk. Location detection capabilities can help locate these missing devices, while “lock and wipe” functionality can disable access to business resources or delete them altogether. Data stored on devices are also subject to unauthorized duplication by copying them onto external storage devices, such as USB drives. To prevent this, external drives should be monitored and/or disabled to prevent the removal of data from enterprise control. Data and applications can also be affected on a device by malware (viruses, Trojan Horses, worms, and spyware), so these should be continuously detected and removed. However, regardless of how well these DLP methods are implemented, it is important to realize that users can fully circumvent security restrictions by rooting or jailbreaking their devices. EMA recommends all rooted or jailbroken devices be monitored for and disallowed access to business resources.
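The access rules described in the Asset Lifecycle Management, Resource Provisioning, and Security and Compliance sections can be expressed as a posture check over inventory records. The following is an added example, not part of the white paper and not FrontRange code; the record fields, group names, application names, and sample inventory are hypothetical and constructed for illustration.

```python
"""Added example: device posture check for access to business resources."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Device:
    # Hypothetical inventory record; every field name here is an assumption.
    device_id: str
    platform: str
    form_factor: str
    department: str
    rooted_or_jailbroken: bool = False
    two_factor_passed: bool = True
    business_data_encrypted: bool = True
    malware_detected: bool = False
    external_storage_enabled: bool = False
    reported_lost: bool = False
    business_apps: Set[str] = field(default_factory=set)  # inside the business container
    personal_apps: Set[str] = field(default_factory=set)  # user-owned, never evaluated


@dataclass
class GroupPolicy:
    # Restrictions applied to every member of a logical asset group.
    name: str
    matches: Callable[[Device], bool]
    app_blacklist: Set[str] = field(default_factory=set)
    app_whitelist: Optional[Set[str]] = None  # None means no whitelist for the group


POLICIES: List[GroupPolicy] = [
    GroupPolicy("android-tablets",
                lambda d: d.platform == "android" and d.form_factor == "tablet",
                app_blacklist={"filesync-consumer"}),
    GroupPolicy("accounting-laptops",
                lambda d: d.department == "accounting" and d.form_factor == "laptop",
                app_whitelist={"ledger", "mail"}),
]


def evaluate(device: Device, policies: List[GroupPolicy] = POLICIES) -> Dict[str, object]:
    """Return the access decision for one device, with the reasons behind it."""
    groups = [p.name for p in policies if p.matches(device)]
    # A lost or stolen device is locked and wiped before anything else is considered.
    if device.reported_lost:
        return {"decision": "lock_and_wipe", "groups": groups, "reasons": ["reported_lost"]}
    reasons: List[str] = []
    if device.rooted_or_jailbroken:
        reasons.append("rooted_or_jailbroken")
    if not device.two_factor_passed:
        reasons.append("two_factor_missing")
    if not device.business_data_encrypted:
        reasons.append("business_data_unencrypted")
    if device.malware_detected:
        reasons.append("malware_detected")
    if device.external_storage_enabled:
        reasons.append("external_storage_enabled")
    # Application rules cover business use only; personal_apps is deliberately ignored.
    for policy in policies:
        if not policy.matches(device):
            continue
        for app in sorted(device.business_apps & policy.app_blacklist):
            reasons.append(f"blacklisted_app:{app}")
        if policy.app_whitelist is not None:
            for app in sorted(device.business_apps - policy.app_whitelist):
                reasons.append(f"app_not_whitelisted:{app}")
    return {"decision": "deny" if reasons else "allow", "groups": groups, "reasons": reasons}


def run_inventory() -> Dict[str, Dict[str, object]]:
    # Constructed sample inventory, not real data.
    inventory = [
        Device("tab-001", "android", "tablet", "sales",
               business_apps={"mail"}, personal_apps={"filesync-consumer"}),
        Device("tab-002", "android", "tablet", "sales", rooted_or_jailbroken=True,
               business_apps={"mail", "filesync-consumer"}),
        Device("lap-003", "windows", "laptop", "accounting", two_factor_passed=False,
               business_apps={"ledger", "chat"}),
        Device("phn-004", "ios", "smartphone", "sales",
               rooted_or_jailbroken=True, reported_lost=True),
    ]
    return {d.device_id: evaluate(d) for d in inventory}


if __name__ == "__main__":
    for device_id, result in run_inventory().items():
        print(device_id, result["decision"], result["groups"], result["reasons"])
```

The first tablet is allowed even though a blacklisted application is installed on its personal side, because the application rules are evaluated against the business container only.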

Problem Management

Although EMM places endpoint device control principally in the hands of the end users, sometimes difficulties occur that require administrative assistance. Users should have the ability to easily initiate a service request and provide all details of the incident for support personnel to understand the problem. Since users have a wide range of technical abilities, it is often not practical for administrators to talk them through a problem resolution (particularly if the device they are having problems with is the smartphone they are talking on). To simplify this process and enable prompt problem resolution, administrators should have remote access to all supported endpoints, allowing them to see and resolve any issues. In the event a device is damaged beyond repair, all business data on it should be backed up and easily recoverable.

Implementing Enterprise Mobility Management

Transitioning to these enterprise mobility management processes is dependent on the adoption of integrated monitoring and management solutions that provide a broad range of automation capabilities for all devices in the support stack (including both mobile and PC platforms). This unified management solution must be managed from a centralized console and consolidate data collection and reporting processes. By contrast, point solutions that only support a single or a few device types or provide limited functionality will cause substantial increases in management efforts as organizations will be unable to standardize support processes. Additionally, organizations that employ multiple point solutions are challenged by “swivel-chair management,” where reporting is not consolidated, events cannot be correlated, and administrators must learn multiple complex processes for performing support tasks. With a unified management solution, EMM requirements are met without substantially increasing administrator efforts or operational costs.

As an example of a unified endpoint management solution that delivers critical capabilities for enterprise mobility management, FrontRange offers the HEAT Client Management solution suite that provides fully integrated support for managing mobile, PC, and virtual devices across their entire lifecycle – from initial deployment through final retirement. The FrontRange solution set offers solutions that are delivered both on-premise and in the cloud, allowing management services to be optimized for the type of support they provide. A centralized management console presents real-time views, reports, and alarms on a variety of endpoint devices, including iOS, Android, BlackBerry, and Windows desktop and mobile platforms. All endpoints used to access business IT resources are automatically detected, and detailed configuration information is collected for them and stored in a centralized data repository. Applications can be managed and configured centrally and are distributed via a dedicated corporate AppStore or integration with a third-party AppStore. Applications can also be black listed or white listed to ensure only authorized software is run in the enterprise IT environment, and containerization capabilities allow business resources to be managed separately from user resources. HEAT Client Management also delivers broad security and compliance capabilities, including policy enforcement, malware protection, lock and wipe, location detection, data access management, and memory encryption. To achieve problem and incident management, the solution also enables remote access to supported devices and performs backups for disaster recovery.

Enterprise mobility management empowers today’s dynamic workforce with the freedom and agility to more effectively achieve business requirements. Achieving this transformation of IT operational support services requires adoption of new processes in conjunction with comprehensive and integrated management solutions such as those delivered with the FrontRange HEAT Client Management platform.

Asset Lifecycle Management

• Heterogeneous support (mobile & PC platforms)
• Endpoint detection
• Consolidated asset inventory & tracking
• Configuration management

Resource Provisioning

• Operating system provisioning and updating
• Patching
• Application provisioning
• Application black & white listing
• Containerization

Security and Compliance

• Security policy enforcement
• Malware protection
• Lock & wipe
• Location detection
• Data access management
• Encryption

Problem Management

• Real-time status views, reports, & alarms
• Remote troubleshooting
• Backup and Restore

Figure 3: Key features of the FrontRange HEAT Client Management solution supporting enterprise mobility management


EMA Perspective

A common misconception among enterprise IT managers is the belief that smartphones and tablets require completely separate management processes from desktop and laptop PCs. In truth, the same enterprise requirements for maintaining security, productivity, and availability of applications, data, and services are just as applicable to both endpoint types. In fact, the differences between the device types are rapidly diminishing. Many small laptops already look suspiciously like tablets, and some high-end tablets look very much like laptops. The only clear differentiator is the operating system (e.g. iOS and Android are mobile devices, Mac and Windows are PCs), but even these differences are starting to blur as both Microsoft and Apple have been working to develop unified operating systems that support both platforms. It cannot be long before the differences between mobile devices and PCs disappear altogether and we simply use endpoints of different sizes. This evolution of user devices speaks directly to the core precept of enterprise mobility management – that the endpoint really doesn’t matter.

With enterprise mobility management, business IT resources are centrally managed by IT operations and then delivered as a service to any endpoint type the business workers choose to use. For IT managers, this translates into greatly simplified support processes because they only need to secure and manage resources from a single location. For the business, this also means greater workforce agility, productivity, and responsiveness. The devices enterprise workforces use to access business IT resources have evolved dramatically over recent years, and there will likely be additional changes in the near future as mobile and PC technologies continue to advance. But the foundation for ensuring the effective long-term reliable and secure delivery of business IT services (regardless of how the endpoints change) is laid with the adoption of automated management platforms, like the FrontRange HEAT Client Management solution, that consolidate EMM processes that enable true workforce mobility.

About FrontRange

FrontRange is a leading provider of Hybrid IT software solutions for organizations of all sizes. With its suite of HEAT applications, FrontRange provides, from a single platform, Service Management and Client Management software on-premise and in the cloud. HEAT manages millions of service interactions and millions of devices every day for more than 15,000 leading organizations around the world. FrontRange’s customers deliver world-class service while maximizing operational efficiencies with reduced cost and complexity. FrontRange is headquartered in Milpitas, California and can be found at www.frontrange.com.


About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2013 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 1995 North 57th Court, Suite 120, Boulder, CO 80301 Phone: +1 303.543.9500 Fax: +1 303.543.7687 www.enterprisemanagement.com 2769.092713