BlackBerry (previously called Research In Motion) created the smartphone market segment. Early BlackBerry devices had no phones, cameras, multimedia capabilities, or real apps; they just did email, and later contacts and calendar, all over a dedicated data network. Arguably, before the BlackBerry, carriers had a hard time selling data services to people. BlackBerry spurred the usage of mobile data services because the BlackBerry was a “killer app.”
BlackBerry keyboards were (and still are) the best-designed and most usable keyboards on mobile devices today. The combination of the keyboard with fast email, contacts, and calendar became the force that propelled mobile devices from phones to smartphones.
The phone industry became very stagnant, however; designs did not progress at all. In 2007, Apple revolutionized the industry with the iPhone. Apple used technology that others had invented earlier, but they used it in a well-thought-out and well-executed package that just worked. It was a massive leap forward in thinking, and it was so good, in fact, that other vendors started copying its exterior design and functionality. We know that in 2007, Google’s Android mobile OS was being prepared to run on devices that looked like BlackBerrys, with physical keyboards and no touch screen, but after the iPhone, Google retooled Android for the touch screen. A good move on Google’s part, of course. We also know that Samsung copied the exterior design of the early iPhones for its smartphones too.
BlackBerry didn’t think this was a good idea. Their position was that people wouldn’t want to type on a pane of glass, or watch videos on their phones, or run apps, or browse the Internet on desktop-capable web browsers. BlackBerry said that people want physical keyboards and minimal data usage (which essentially means a terrible web experience).
This, then, was the beginning of BlackBerry’s downward slide.
Today BlackBerry has realized, far too late, that all of that was a huge mistake. The problem is that they are now very late to the smartphone revolution party. BlackBerry has released a rushed-to-market Mobile Device Management (MDM) product plus a Dual Persona product (that they call Secure Workspace), both managed by their BlackBerry Enterprise Server 10 (BES10).
The problem that you face as a company is: what do you do now? Can you get the same or similar security from Apple’s iPhone and iPad, or the many Android-flavored devices? Is Windows Phone a viable option? Should you adopt a Bring Your Own Device (BYOD) policy and let your employees use their own personal devices?
Full Device Control or Just Control Company Assets?
If your company has adopted a policy that it will not allow the use of personal devices, and will continue purchasing devices for their employees, then the choice of how you secure those devices is easy. You can use the same approach that you do with your BlackBerry devices today, which is to say, full device control. Your IT organization has full visibility into those devices, and full control over them.
MDM has some disadvantages. One is that it is all-encompassing. However, there are other issues that are related to the mobile OS being used by your users. While Apple has been adding great support for the enterprise since iOS 4 (2010), with hooks that give IT visibility, the ability to pre-set up features, and the ability to lock down or hide apps on the iPhone or iPad, Google’s Android has not. So if you decide to support, say, iOS and Android, the ability to control and secure each platform will differ greatly, which may lead to one platform being more insecure than the other.
Samsung has addressed this with their special variant of Android. They have created a secure version of Android that has similar features to iOS which means that via an MDM console, an IT administrator can have similar control over Samsung devices that they do over iOS devices.
If your company has adopted a BYOD policy and you would like to let your employees buy their own devices, then the choice is not as simple. You can still go with a full MDM solution: full visibility, full control. However, your employees may not like the fact that their personal device is being so heavily controlled by IT, may not like the lock screen password requirement, or may not be happy with IT seeing what apps they have installed.
This is where Dual Persona (aka Containerization) might be a good choice. Dual Persona works by creating a secure container on the personal device. IT only has control over what happens in that container. Only company data and apps live in that container, so as a user you can switch between work and personal, keeping your work life locked away until you log in to the work container. If you lose your device or leave the company, the IT department can wipe only the work container, leaving your personal apps and data untouched.
While Dual Persona sounds very attractive, it does have its drawbacks. The vendor who makes the Dual Persona technology may lag behind in updating their mail, contacts, and calendar apps to match the native device apps. Older, less capable devices may struggle with the extra resources needed to run this container.
If Dual Persona isn’t for you then you may still be able to be far less heavy-handed with traditional MDM, especially with iOS and Samsung devices that have a ton of extra MDM features that can be leveraged to keep work and personal data separate.
Which Mobile Operating Systems To Allow?
Not all mobile operating systems are created equal. BlackBerry created the Gold Standard for mobile operating system security, which is a large part of the reason it took off in the enterprise. However, in the majority of situations, supporting iOS, Android, and Windows Phone can be just as secure.
While Apple does not advertise this, they are the leader in the enterprise because of the extra visibility and control they give to IT administrators via an MDM solution. Google’s Android lags quite far behind in the enterprise because of their lack of enterprise features. The choice of what you allow on your network relies on what your end-point policy requires, and whether you are adopting a BYOD policy or company purchased device policy.
For example, if you adopt a BYOD policy and allow your employees to purchase and use whatever device they want to, then you may opt for a Dual Persona solution. With this approach, you can be sure that your IT policies will be uniformly applied across all mobile operating systems.
Alternatively, you could keep your BYOD policy but restrict it to only iOS and Samsung devices and use a traditional MDM system. This is because both vendors have a lot of extra enterprise features and allow you to apply a more uniform IT policy across those two platforms. However, this may be a tough mandate to enforce because you are essentially telling your employees to limit their device choice.
If you decide that you need to support BlackBerry 10 devices then you are further restricted. If you want to support BB10, you have to use BES10. BES10 allows for the control of BB10 devices, plus iOS and Android. It doesn’t, however, make use of the extra Samsung MDM features, and it doesn’t support Windows Phone.
One fact that may be in your favor, however, is that BES10 supports Dual Persona on BB10 (in the form of BlackBerry Balance) and on iOS and Android (in the form of Secure Workspace).
The Cost Factor
How much money you spend on your new solution may limit your choices.
There is certainly a free option. That option relies on your company’s existing ActiveSync server(s). ActiveSync is free in most situations when companies purchase Exchange. This allows your IT department to create ActiveSync policies that provide limited security (mostly password related), and the ability to remotely wipe a device if it is lost or stolen.
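As an added example (not part of the original article), this is roughly what such an ActiveSync policy and a remote wipe look like in the Exchange Management Shell. It assumes the Exchange 2013 or later cmdlet names; the policy name, mailbox, device name, notification address, and all values are constructed placeholders.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2013+ cmdlet names).
# Policy name, mailbox, addresses and values are constructed placeholders.
$policyName = 'Mobile-Baseline'      # hypothetical policy name
$mailbox    = 'jdoe@example.com'     # hypothetical user mailbox

# 1. Create a password-centred device policy (the "limited security"
#    that ActiveSync can enforce on its own).
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 8 `
    -MaxInactivityTimeLock '00:05:00' `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# 2. Assign the policy to the user's mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Review which devices have partnered with that mailbox.
$devices = Get-MobileDevice -Mailbox $mailbox
$devices | Format-Table FriendlyName, DeviceModel, DeviceOS, FirstSyncTime

# 4. Lost or stolen device: issue a remote wipe.
#    This wipes the whole device, not only company data, which matters
#    on employee-owned (BYOD) hardware.
$lost = $devices | Where-Object { $_.FriendlyName -eq 'Placeholder device name' }
foreach ($device in $lost) {
    Clear-MobileDevice -Identity $device.Identity `
        -NotificationEmailAddresses 'it-security@example.com' `
        -Confirm:$true   # prompt before each destructive wipe
}
```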
Apple provides a free tool that you can use to create an augmented device policy that can pre-set up features (like corporate Wi-Fi and connections to Exchange, for example), but also restrict apps and features, and even block the camera.
This is likely great for small businesses that have a low mobile user count. This is because each iOS device must be activated on a specific computer so that it becomes “supervised.” If you have a large mobile user population then MDM or Dual Persona are likely a much better choice.
The pricing for MDM and Dual Persona solutions varies, but many are based on either per device per month, or per user per month. The latter pricing model does not count the number of devices the user uses, so it is theoretically unlimited.
What About BB10 and BES10?
While we talked more about how you move away from BlackBerry to iOS, Android, or Windows Phone, it wouldn’t be fair not to mention that BlackBerry does have a solution.
With BES10, your organization can control BB10 devices, plus iOS and Android. While it is not as feature rich as products from other vendors, it does work. BES10 also allows for a Dual Persona solution in the form of Secure Workspace for iOS and Android. This addresses the issue we saw earlier of non-uniform IT policies between iOS and Android.
One final note about choosing a solution to migrate to: make sure that you pilot and test a few solutions before deciding on the one to buy. Piloting and vetting a solution is extremely important because you need to make your mobile users happy, your Helpdesk support personnel happy, and your IT department happy with how the system works on the mobile device, and how easy it is to manage from the consoles.
Craig Johnston is a Mobile Strategist at NTT DATA. Craig Johnston has been designing and managing large scale enterprise networks since 1989, including massive BlackBerry, iPhone, and iPad deployments in Fortune 500 companies. He is an avid podcaster and writer; you can find his books on Amazon and follow him on Twitter @ibanyan.