The case against MDM


[Blog post] Three reasons CIOs are seeking a better solution.

Many Australian organisations that have embraced the first generation of mobile device management solutions have found them lacking in maturity and offering a poor user experience, according to 25+ CIOs interviewed for ‘The True Cost of MDM’ solutions study.

As described previously in this blog series, Mobile Device Management solutions hit the spotlight over the past four years as IT managers grappled with a rush of new consumer devices being brought into the workplace built on software platforms (iOS, Android) for which there was a distinct lack of management tools.

Organisations concerned about the nth degree of IT security on mobile devices — such as banks and government authorities — have used MDM solutions extensively in an effort to embrace a BYOD strategy or some other program of device choice whilst securing corporate applications and data.

But a large number of enterprise IT buyers — including DEEWR and Australia’s Department of Treasury — have pulled out the first generation of MDM solutions they purchased to manage these devices and have actively sought out new alternatives. Several others told iTnews they were on the cusp of doing the same.

Nearly all of the CIOs canvassed for the study expressed concerns that there was a lack of maturity in the enterprise mobility management solutions on the market today.

Concerns ranged from:

  • Poor performance and end user experience
  • Concerns over value for money
  • Greater complexity in terms of setup and support

I’ll explore each in turn.


The primary reason for dissatisfaction with the current crop of MDM solutions concerns the end user experience.

The first generation of MDM solutions applied controls at the firmware level and has been deemed inappropriate for BYOD deployments, as the solutions give IT administrators the ability to disable or wipe personal data as well as corporate data. The crudest among them also require the device to be set up by the IT department rather than over-the-air.

Similarly, MDM solutions that rely on security features of the mobile ActiveSync protocol to secure email are not only adding little value, but are deemed by some security experts (the DSD, among them) to be at risk from man-in-the-middle attacks.

Security-conscious IT managers have opted instead for containerised solutions, in which mobile applications such as email are viewed in an isolated ‘container’ on a user’s device, with native features of the device (such as copy and paste or even forwarding of emails) locked down for data within the contained environment.

One local council IT manager told iTnews he opted to go as far as using these solutions to prohibit users from sending emails from the device, allowing them only the option of reading corporate email when out of range of the company’s Wi-Fi network.

While these solutions tend to narrow an organisation’s risk profile, a cursory glance at user reviews on the Apple App Store and Google Play Store suggests the containerised solutions come at a cost in terms of the end user experience. Some comment that they’d prefer to go back to two devices — a corporate Blackberry and a personal iPhone/Android device — if it meant enjoying the native experience of their device of personal choice.

As Deloitte CIO Tim Fleming explained in an interview for this study:

“If you’re giving end users an email client that comes as part of the MDM solution, it is instant legacy, in my opinion. If a new version of iOS7 comes out with new features in the email client, your staff can’t use it because you’re stuck with what you purchased as part of the MDM.”

CIOs and IT Managers attending the Touch Tomorrow roadshow around Australia were each asked to list the drivers behind their enterprise mobility projects. In highly competitive industries — such as banking and financial services or oil and gas — attracting the next generation of workers (or retaining good staff) was often listed in the top three drivers. One IT manager in finance said the cost of training a new graduate was calculated as being equal to six months of wages. There is clearly pressure to keep these users happy.

IBRS analyst Dr Kevin McIsaac saw this as an indication that “user experience is king.”

“Everything else comes second,” he said.

“If you use MDM to lock down mobile devices to such a degree that it is no longer enjoyable to use and if users hate the email client, you won’t see adoption. There has to be a balance between user experience and security.”

Read on for what CIOs think about the cost of MDM solutions, and the model organisations like Bankwest use to determine what level of support to provide for BYOD.

Value for money?

As prior posts in this blog have demonstrated, a basic MDM package represents only a fraction of the cost of provisioning mobile devices to employees. The security solution usually costs between $120-$150 per user, per year in the context of a total annual price of $1000-$1300 per user, per year (including device, voice, data and MDM).

CIOs nonetheless struggle to see the solutions as providing value for money.

“There is no way I could justify that sort of price for MDM,” said Vito Forte, CIO of Fortescue Metals.

“Any cost-benefit analysis around MDM hasn’t come close to stacking up for us,” said the client computing manager of one university in New South Wales.

“The ROI will take multiple years and quantifying those figures into a Benefit-Cost Analysis is too much effort,” said the IT manager at a WA-based engineering firm.

Dr McIsaac argues that “Airwatch, Mobile Iron and the like have grossly oversold their value.”

He feels MDM should eventually be bundled as part of every corporate mobile connectivity plan at little more than $0.50 per user, per month. Indeed, just as this blog goes to print, another of the MDM vendors has announced short-term discounts.

Cost offset

The costs of providing MDM can easily be cancelled out in a business plan, however, depending on the organisation’s broader enterprise strategy.

There exists a temptation for many organisations to use a “BYOD strategy” to remove the cost of provisioning smartphones and tablets to staff.

“We sometimes state a requirement in our job advertisements that staff must have a reliable vehicle,” said one IT manager, working in secondary education, at a Touch Tomorrow event. “Might we one day reach that point with computing? We say - here is a reliable standard of device, you need to meet it as part of your job description.”

MDM vendors argue that because their solutions and services cost comparatively less than the cost of provisioning a device, organisations can use a BYOD project to provide mobile access to applications for a greater number of staff than those currently on fleet plans.

But this assumes that the organisation’s CFO won’t view the BYOD policy as an excuse to bank any savings that result, reducing the total client computing budget rather than investing those cost savings in enabling wider enterprise mobility.

Mobile application management

As previous posts have demonstrated, basic MDM packages tend to cost less than the Blackberry Enterprise Server (BES)-based solutions deployed in the past. But extend an MDM solution beyond firmware and basic email, calendaring etc, and the solutions start to cost more.

Enter Mobile Application Management (MAM) — the concept of extending the security framework developed by the MDM vendors to other mobile applications.

MAM varies in complexity between the various solution vendors and has become the latest means of differentiation. Some users, such as the Rottnest Island Authority in Western Australia, have embraced these solutions to enable users to not only view documents in a secure mobile container, but also edit them.

Joe Robens, IT strategy manager at Australian export success Aristocrat, told iTnews he has avoided container solutions as he is a “big advocate for using the native features of the device.

“I don’t want a tool that detracts from the power of the device,” he said.

He believes Mobile Application Management is a more mature approach.

“We should be looking at what’s going to be on the devices, not think about protecting the device itself,” he said.

The right approach was for access credentials to apply to access to data, without any data resting on the device.

“It’s a different layer of security - a different thinking,” Robens said. “If we encrypt the data and applications, we’ve got security, regardless of whether it’s a fleet device or a BYOD device.”

But Robens cautions that MAM must be demand-led, and he has worked in relatively few organisations that have a genuine requirement.

“Things like app-wrapping - having those security features with the native feel - is certainly something I’d push towards when we get closer to needing it. But at the moment, there isn’t a demand. If the maturity isn’t there in your organisation, you’re doing it for the sake of doing it. We’d need a good business case to justify putting the time in to get it done.”

Indeed, few CIOs found business units knocking down their door for mobile access to a wider set of applications.

Most said their mobility use cases rarely stretched beyond secure email and device management.

Andrew Cann, CIO at the West Australian Department of Sport and Recreation, said that in his experience with past employers, MAM features were found to be “extra options we didn’t need.”

“We could have considered TRIM integration [in addition to MDM],” he said, “but that couldn’t justify the extra spend.

“There is a limited number of third-party applications integrated with [MDM vendors] so far.”


Organisations deploying MDM also must bear the cost of setting up the solution. Even if the MDM solution is a cloud-based, subscription service, it nonetheless tends to require changes be made behind the firewall.

The CIO of an Australian retailer told iTnews that unless your enterprise has a large IT shop, some attention should be paid to the skills requirement.

“We looked at purchasing the software perpetually versus the cloud — we chose the former and actually ended up paying more in the long run,” he said.

“There is a cost associated with setting it up and working it all out that is hard to calculate from the outset. If you can absorb that cost in your current headcount, that’s fine. But if you’re running lean like a lot of IT shops are, I’d be wary. A better approach would be to bundle MDM with your mobile contracts and pay per OpEx model.”

From there the organisation must consider the additional cost of each platform that needs to be supported under the enterprise mobility plan.

CIOs from several organisations seeking a new MDM solution told iTnews they were trialling Blackberry’s new device-agnostic Enterprise Server, in the hope that sunk costs in this infrastructure and associated skills might reduce the cost of supporting a greater variety of devices. But given that this tool is new to market, the jury is still out on the product.

Most see Blackberry’s move as “too little, too late”, but are prepared to try out the tool in the hope of avoiding the cost of setting up a new infrastructure.

The cost of supporting each additional mobile platform, above and beyond the devices an organisation might provision, is where many CIOs feel the rubber will hit the road.

No studies have been done to date on the additional cost of supporting each new mobile platform.

Bankwest, one of WA's biggest and most innovative IT employers, supports BYOD and the IT department "advocates flexible working options" for staff, according to CTO Nick Lewins.

The bank provides staff a standard Dell laptop with a standard operating environment (SOE) that makes connecting within its activity-based workplace a breeze, and also a choice of Samsung Galaxy 4s or Blackberries.

But staff can choose to access their corporate applications via BYOD laptops using virtual desktop infrastructure (VDI) access or email from other smartphones using a containerised MDM solution. Staff that insist on using BYOD devices can recoup around $30 per month in their expenses.

While Bankwest provides support for the devices it provisions, the VDI access and containerised mobile solution, this doesn't mean (and perhaps shouldn't) that staff can take a BYOD device to the helpdesk and expect hardware or other software support.

None of the CIOs canvassed for this study said they intend to provide hardware support to mobile devices owned by staff.

Dr McIsaac has a simple solution for those that are burdened with this issue. He recommends IT shops set a minimum standard of one or two mobile operating systems, rather than devices, and keep in stock a few devices that represent the absolute lowest common denominator for each of those platforms.

That way, when a staff member seeks support for their own choice of device, the IT department can offer an inferior smartphone or tablet for a two or four week period to ensure staff remain productive, but leave the onus on the staff to have their choice of device fixed elsewhere.

Somewhere along the line, Forte stresses, users have to understand that BYOD is a "program of choice" for which support is limited.

Have you investigated the cost of supporting multiple mobile devices? Do you provide hardware or applications support on BYOD devices? Have your say on our enterprise mobility survey.

Brett Winterford

One of Australia’s most experienced technology journalists, former iTnews Group Editor Brett Winterford has written about the business of technology for 15 years.

Awarded Business Journalist and Technology Journalist of the year at the 2004 ITjourno awards and Editor of the Year at the 2009 Publishers Australia 'Bell' awards, Winterford has extensive experience in both the business and technology press, writing for such publications as the Australian Financial Review and The Sydney Morning Herald.

As editor of iTnews Brett has led a team of award-winning journalists; delivered speeches at industry events; authored, commissioned and edited research papers; curated technology conferences (the iTnews Executive Summit and Australian Data Centre Strategy Summit); and also shares the judging of the annual Benchmark Awards.

Brett's areas of specialty include enterprise software, cloud computing and IT services.
