July 9, 2013
Posted by Jay Gordon in Mobility-as-a-Service, Windows Phone
Mobility is increasingly recognized by business and technology leaders as a major source of innovation and competitive advantage. In fact, according to a 2013 survey of more than 2,000 CIOs by a leading analyst firm, investment in mobile technologies ranks second on their Top 10 List of Technology Priorities.
But in the rush to get ahead of the mobility curve, many companies underestimate what it takes to effectively support mobile employees. Lack of adequate planning to ensure fast deployment and responsive support can seriously undermine productivity and overwhelm IT workloads. These kinds of formidable headwinds make it difficult to show return on mobility investment. Below are a few ways to navigate these pitfalls.
Top Three Methods for Maximizing Mobility ROI
There are numerous ways to think about measuring return on a mobile investment. Regardless of what metrics are used, it ultimately comes down to whether or not the devices that employees depend on are up and running when they need them. When considering how to shorten the payback period for mobility, business and IT leaders should focus on the following three best practices:
1. Avoid Delays in Delivering Devices
The benefits of providing employees with mobile access to email, critical business apps, and collaboration sites can be powerful. Still, these potential gains in productivity are entirely dependent on getting employees a fully configured and personalized device in as little time as possible.
For example, if a provider says it’s going to take a year to get 500 iPads configured and shipped (this timeline is more common than you might think), your organization foregoes the prospect of more productive and satisfied remote workers during that time. And, of course, there’s the risk of investing in technology that’s already a year old by the time employees can use it. Given the pace of innovation in the mobile market, a lot can change in the span of 12 months.
2. Provide Responsive, Mobile-Optimized Support
In my view, one of the biggest oversights in mobility planning involves helpdesk setup and management. Truth is, most enterprise IT administrators are either too busy or lack the specific domain training and expertise to properly support mobility deployments. Some companies make the assumption that, because the majority of their employees have smartphones and tablets for personal use, they’ll require minimal technical support for their work device. This leap of faith often backfires, with far reaching implications for productivity, mobile adoption rates, and IT efficiency.
When mobility helpdesk calls come flooding in, overburdened IT staff are forced to shelve other high-priority projects. Or, worse yet, if they’re unable to resolve the issue in-house, they need to send employees to sit in telecom carrier call queues. Outside of their company’s normal business hours, or when no one in IT is available to assist, employees have few options but to wait. This situation never bodes well for productivity and can often sap morale over time.
3. Streamline Device Repair and Replacement
Over the years, enterprise IT groups have found ways to expedite the process of getting newly reimaged laptops into the hands of employees. Yet, when it comes to replacing and reconfiguring mobile devices, the prevailing assumption seems to be that waiting up to two weeks for a handset manufacturer or other vendor to deliver a new device is an acceptable norm. Of course, during this time, employees have to revert to their previous way of doing things—the cumbersome processes that mobile access was intended to fix.
In their haste to capture the benefits of mobility, business and IT executives often underestimate what it takes to adequately support mobile workers. The most commonly overlooked factors include fast time to market for mobile devices, the need for a dedicated, 24x7x365 mobile helpdesk, and standardized, SLA-driven timelines for device repair and replacement. To realize rapid return on investment in mobility, it is imperative that companies address these needs. By working with a mobility services provider, companies can streamline mobile deployments and remain focused on these priorities—while easing the burden for their IT team. This ultimately means that mobile employees can spend more time collaborating with colleagues and customers, and less time waiting.
Read more about how Enterprise Mobile can help support your mobile workforce to maximize productivity and accelerate ROI.
June 28, 2013
Posted by Marco Nielsen in Enterprise mobility, Mobility Strategy, Windows Phone
A lot of companies launch devices, build or buy mobile apps, or enter into mobility-related contracts without thinking about how those pieces fit into the greater whole. The result? The new stuff may be exciting for employees, but it doesn’t work well within existing environments and/or support long-term goals. Those companies are sacrificing efficient use of resources for a short-term productivity boost.
Just as with any other area of business, getting it right in the mobility space requires planning. Smart companies take into account not only device and app choices, but also infrastructure and management considerations before implementing mobile solutions.
Before delving into the nitty-gritty, consider taking a few key steps:
- Think about how mobility fits into your overall business strategy. What are your objectives and requirements? By linking mobility directly to your business strategy, you’ll focus on the right long-term solutions and budget avenues.
- Conduct a mobile platform risk assessment to understand potential risks and see which could be showstoppers and which have workarounds.
Devices. For a lot of companies, it is easy to decide which devices to use. And the growing momentum of the bring-your-own-device (BYOD) trend may remove some decisions altogether. You may want to raise the following issues prior to adopting a BYOD policy:
- What level of risk does your particular company assume by letting corporate data live on personal devices?
- What is the right balance between usability and security? How much do you want to lock down devices? What are the right security solutions (e.g., Network Access Control) to protect data while still allowing usability for your employees?
- What do you need in order to support a variety of devices, platforms, and operating systems?
- Does your budget cover security for solutions in a BYOD environment? If not, what sorts of investigation and assessment efforts are needed to make the right financial decisions for your organization?
Apps. With 50 billion downloads in six years from the Mac App Store and 48 billion downloads in even fewer years from the Google Play store, it’s clear that it’s all about the apps. And the growth of business-focused apps has just begun. Ask yourself a few questions to make effective app choices:
- How will your business-critical data be used on mobile devices?
- Have you conducted an application risk assessment to understand how and where your data is protected and, again, to determine the right balance between usability and security?
- Are you going to use off-the-shelf, browser, and/or custom-developed apps?
- How will you support employees as they use those applications?
- If you’re leaning toward custom development, what platforms, development cycles, budget requirements, and support mechanisms should you put in place?
- Do you want to take advantage of application security features, such as app wrapping (where you can dedicate specific requirements around existing applications) or custom APIs (where you can designate tasks, such as secure data transport, remote application control, and single sign-on)?
- What sort of workflow will you follow to purchase, deploy, and update applications for your corporate and/or BYOD mobile devices?
Infrastructure. As you drill down into your mobility strategy and solutions, it will be important to look into the IT infrastructure requirements necessary to properly support them. Mobility projects often start small and quickly grow to take up a major slice of the infrastructure pie. Understanding which mobile solutions easily scale and which come with additional budget and infrastructure requirements is part of identifying the full cost of a solution:
- Can your company support fully hosted/cloud solutions, or do you require high-security on-premises solutions?
- Do you have the necessary IT staff and resources to support your desired mobile solutions?
- Do you have a content management strategy for your mobile workforce so that you can provide secure access to stored information?
- Are you protected from BYOD risks through Network Access Control, secure email and browsing, etc.?
Management. Determining what is business critical for the lifecycle management of your mobile solutions will help you ensure that today’s decisions have a positive effect on tomorrow’s productivity. Without proper management, mobile solutions will be short-lived, wasting valuable financial resources and failing to give your employees the tools they need. It’s critical to address the following:
- What level of help-desk services will employees have, and will you accommodate different VIP/CxO service levels?
- Do you have the staff and processes in place to handle a large number of employees requesting new devices, needing device replacements, or wanting answers to mobile plan questions?
- If you are a global organization or have employees who travel internationally, can you be staffed 24/7 with proper resources who have the right technical knowledge?
- What is your financial strategy for mobility management? Would you rather pay to staff your own help desk to cover peaks or pay a service provider a fixed monthly fee?
As you can see, it isn’t easy to put all the right components of a mobile strategy in place. Many companies either have a hard time staying up-to-speed or would rather focus on their core competencies. They choose instead to rely on mobility-as-a-service (MaaS) providers to put a mobility strategy on track and implement best-in-class management solutions.
Read more about what Enterprise Mobile can do to help you reduce costs, adjust strategy, and keep your business growing.
November 12, 2010
Posted by Mort Rosenthal in Device Management, Enterprise mobility, Windows Phone
The arrival of Windows Phone 7 devices in the U.S. means consumers have even more choices to consider when they compare smart phones – whether they want them for business use or personal use or both. After a disappointing experience with the unsuccessful Kin family of phones, it’s exciting to see that Microsoft has built a compelling next-generation mobility platform. As a result, the first wave of Windows Phone devices offers consumers a new type of smartphone experience.
It also means that enterprise IT will need to prepare to manage and support a new mobile platform because several aspects of WP7 are critical to enterprise mobility. For instance, the platform provides device management capability that allows smart phones to comply with corporate policies. Version 1 is not perfect (there’s no encryption, for example), but it does provide for a basic ActiveSync compliant device. By allowing users to transition easily between their work and personal lives, Windows Phone 7 will enable employees to carry one device around the clock. In addition, by making it easy to develop cloud-based enterprise-specific apps for this platform, Microsoft has taken steps to appeal to consumers who have grown accustomed to having a wide array of smartphone apps to choose from. Based on these and other characteristics, I believe Windows Phone 7 will make it onto many approved lists very quickly.
The advancements that Windows Phone 7 brings to the smartphone market will further spur innovation in a market that shows no signs of standing still and make the ever-evolving and increasingly diverse mobility market even more interesting. Really.
October 20, 2010
Posted by Mort Rosenthal in Device Management, Enterprise mobility, Windows Phone
We all know the importance of having access to information right at our fingertips. It’s become second nature to grab your phone to access email or search for that song you can’t think of to save your life. The ability to get answers quickly and accurately makes our personal lives easier. In the business world, it can make a huge difference – helping companies gain and maintain competitive advantage.
One industry that is reaping mobility’s benefits is retail. Instead of printing and lugging around paperwork, retail and merchandising employees can use mobile devices to collect valuable data and easily feed it to centralized databases. Managers can then access the most up-to-date information to monitor store performance and streamline the reporting process. Just as consumers use their phones to get things done, mobile technologies allow retailers to boost productivity and get more out of their workforce.
Why then aren’t all retailers making a mad dash for mobility? Learn more about the obstacles to adoption retail faces and how those obstacles can be overcome in this article in Chain Store Age magazine by Mike Anderson, Enterprise Mobile VP, Operations.
September 29, 2010
Posted by Mort Rosenthal in Device Management, Enterprise mobility, Windows Phone
Increasingly, companies are deciding that an Individual Liable approach to mobile devices makes sense and that appears to be a trend that’s here to stay. Compelling, exciting choices in platforms and devices drive companies to allow the use of employee-owned mobile devices on the job. Today, more and more people are using the same device for business and personal activities.
As employees gain greater freedom in their choice of mobile devices for business use, they experience a range of benefits, while IT faces some real challenges. The situation is a combination of The Good, The Bad and The Ugly.
The Good is that the broad range of smart phones and the innovation they provide are truly empowering users. Platforms are increasingly enterprise-aware, providing ways to meet corporate security and manageability standards. Yet these same choices lead to a lack of standardization, which is the Bad. And it all leads to the Ugly – what happens when choice gets ahead of the company’s ability to handle it. What results is a mess.
To learn more about how to deal with the Ugly and embrace the diversity among mobile platforms and devices, check out this article I recently wrote for Mobile Enterprise magazine.
April 15, 2010
Posted by Mort Rosenthal in Windows Phone
The iPad has indeed arrived. You can’t head to a news site or check out the latest on the tech blogs without seeing a mention of Apple’s newest device. You know what I’m talking about – with its debut recently, the iPad has seemingly taken on a life of its own. From reviews in publications like The Economist to an article on application development in the New York Times, the media and the public alike are abuzz with its possibilities.
Before too long, some of the early users, who are now just getting comfortable with the device, will find ways to use it to perform job-related tasks. After the iPad 3G comes out, users and application developers will already have begun turning iPad into a serious enterprise device.
I expect that enterprise users will embrace the iPad for many of the same reasons they took to the iPhone (attractive design, ease of use and range of applications). Its form factor makes it suitable for tasks for which a laptop would be unwieldy, but a phone interface would be limiting. The iPad will especially appeal to mobile workers who need to access information and complete relatively simple data entry on the go. Salespeople will likely be early adopters since the lightweight device will be easy to carry on road trips and will provide a flexible platform for presenting product demos, photos and other graphical information. The iPad should also be put to good use in the medical field, providing doctors and other health care staff access to patient records and other information on an easy-to-carry device.
My advice to IT is this: apply the lessons learned from the iPhone and plan for iPad deployments. Anticipate how your end users might employ the device. Then consider what types of controls you’ll want to put in place to manage it effectively. In other words, treat the iPad like a smartphone or a laptop. It promises productivity benefits but will undoubtedly challenge your staff. They are not going to have a lot of time to come up to speed before end users start connecting the iPad to your network.
We’ve been hearing from more and more companies that lack Apple expertise but need to deploy iPhones to considerable numbers of users. In recent engagements we’ve applied our mobility tools and best practices to get fully loaded iPhones into the hands of our customers’ corporate users. By adapting our iPhone mobility services to the iPad, we’ll be ready when the iPad comes into the enterprise, whether it’s supplied by IT or brought in by enthusiastic users.
March 3, 2010
Posted by tomasv in Windows Phone
As you may have heard, today Enterprise Mobile announced the availability of a Hosted Device Management solution for iPhone and other mobile platforms. It is powered by technology from MobileIron, a partner that we have been working with very closely for a while now. I am personally excited about this for several reasons:
- Hosted DM is faster to implement – no design reviews, no security committees for our customers to deal with.
- It can be scaled up and down very quickly – if you are hiring 1333 merchandisers for a holiday season, no problem – you only get charged for the 2 months they are employed.
- No ramp up for a company’s IT staff is required.
- Coupled with our other services, it enables a full mobile deployment instantly.
I could go on to say why this is sexy. I could call it cloud computing, SaaS, the ASP model, hosting, outsourcing or any of the other labels that are trendy now. The descriptors aren’t as important as the capabilities that hosted device management provides. Of course, we all know that beyond the benefits I mentioned there are challenges with a hosted model that should be considered. User authentication can be more complex, as the identity of users either has to be replicated or re-created with the hosting provider, and some services may be limited in terms of integrating into an existing on-premise infrastructure.
However, I do believe that when you combine our services and capabilities you get more benefits than pitfalls with the hosted model. Of course, if you don’t share that view, you can take advantage of the installation and services on premise. That way you can enjoy looking at the silver appliance in your data center and Enterprise Mobile takes care of all the support, ongoing management, provisioning or even end user support for you. Give us a call…
August 7, 2009
Posted by tomasv in Business, Enterprise mobility, Windows Phone
Cancelled Sendo WM device
I started working with smartphones sometime in 1998. I even have a mint prototype of what was supposed to be the first Windows Mobile powered phone by Sendo, a project that got canceled in 2002. Read more about it here.
Anyway, fast forward to 2006, and any IT executive who was thinking about deploying mobile email/PIM and mobile applications basically had two options: RIM/Blackberry and Windows Mobile. Each had its advantages and issues, but once you had your requirements and made your decision, there was a good chance you could run a homogeneous platform. IT Helpdesk and Support, Training, Security and other departments became aware of the platform of choice, and while international presence may have posed a challenge with availability and the Symbian disruption (especially in Europe), the job was quite easy.
But something did happen in 2007: Apple released the iPhone and stirred the pot. While the first generation was not suited to serious business use, the second one in 2008 added support for Microsoft Exchange and history started to repeat itself. IT managers were asked by their executives to figure out how to support iPhone, instead of their Blackberries. Regular employees started to bring their own devices and peer support helped them to get corporate email enabled. And the numbers grew.
Today, with the introduction of Palm Pre into the mix, the bigger use of ruggedized devices that almost exclusively run Windows Mobile OS, over 30 new smartphone devices running Android planned for release before the end of the year, and iPhone being on its 3rd generation, the homogeneous 2006 era looks like something that will never happen again.
The reality is that most if not all IT departments and business owners have to consider supporting multiple platforms and consider the impacts and risks of all of them. There are some tools that serve multiple platforms well, but most are just in their infancy. Also, how do you decide which platforms to support and which to just allow/enable without providing any support?
Enterprise Mobile has been building mobile expertise since 2006. If you have any questions about what to do, why don’t you send a quick email or attend one of the great webinars?
June 4, 2009
Posted by Marco Nielsen in Windows Phone
As I have blogged about previously, there were some interesting webcast sessions on Windows Mobile, Security and Device Management on TechNet recently.
If you were unable to attend you can also catch a glimpse of one of the speakers I know, David Field here on TechNet Edge:
Dave Field spoke at TechEd on mobile security and gives us some insight into mobile phone security on topics such as:
- Areas where Windows Mobile security is strong against the competition
- Scenarios where companies will want to look to 3rd party solutions for mobile security
- Recommended ways to implement 2 factor authentication for phones
The Windows Mobile security whitepaper Dave mentions is available here: http://www.enterprisemobile.com/resources/white-papers.htm
May 8, 2009
Posted by Marco Nielsen in Windows Phone
There appears to be a lack of public information regarding the inner secrets of successfully navigating and configuring the proxy and work exceptions on the Windows Mobile platform. My fellow Enterprise Mobile colleague, Patrick Salmon, has broken through and made some very interesting observations and facts about how to get it all configured correctly. This article contains all of the material and information Patrick has researched.
Most of this boils down to how the Windows Mobile Connection Manager is handling the connections and the decisions it makes to route the traffic. The Connection Manager is well aware of the native L2TP and PPTP connection methods in Windows Mobile, but appears to lack direct support for the Windows Mobile 6.1 Mobile VPN that is used by SCMDM 2008. See more information here: http://msdn.microsoft.com/en-us/library/ms879581.aspx.
This article assumes you are already well familiar with the SCMDM network routing requirements and how to configure Group Policies.
Proxy Issues Today
1. If you set the proxy via the SCMDM 2008 Group Policy, you may observe that the necessary connectivity to the SCMDM Device Management server and WSUS services breaks.
2. Trying to use the Work/Internet capabilities as currently documented breaks the SCMDM VPN.
http://technet.microsoft.com/en-us/library/dd261930.aspx does explain some of the necessary steps, and http://technet.microsoft.com/en-us/library/dd261921.aspx also states to make sure that the SCMDM Gateway server is listed.
3. No visibility on the client of what is configured.
The Windows Mobile Connection Manager internally uses something called a URL Mapping Table to decide if a specific URL is destined for the Internet or the corporate network connection. It can use a URL pattern which we will go into in more detail below. Please see http://msdn.microsoft.com/en-us/library/aa455992.aspx.
Where to set the Proxy server setting in the SCMDM 2008 Group Policies:
The solution is to correctly configure the Internet proxy setting and also specify the routing of which URLs go to the “Internet” and through the configured proxy, and which are internal or go through “Work” back through the VPN connection.
Overall best practices
Keeping things as simple as possible will go a long way. The basics are:
1. “Internet” bound traffic = Route via proxy if defined, otherwise use Default Gateway on SCMDM Gateway Server.
2. “Work” bound traffic = Route traffic directly to internal network using local routing tables on SCMDM Gateway Server.
3. If the FQDN of the Proxy is part of an internal domain do not put the FQDN in the Proxy configuration!
This will not work, as it will be detected as an Internet domain due to the dotted name, and you won’t see it working as you think. The solution is to use the direct IP address. Example: instead of “proxy_host.company.com:8080” use “172.16.1.1:8080”.
The specific Internet/Work routing is configured through an existing “hidden” Group Policy setting:
The dialog window has two areas. One for the Internet domains (which will be routed to a proxy if configured so) and at the bottom for Work domains (not routed to the proxy if configured). This is what the default values are:
Next we will go into how to configure these entries in more detail.
Connection Manager URL Mapping Pattern
The Windows Mobile Connection Manager uses a general *://*.*/* URL type format. This can be further broken down into these examples:
- “*” and “?” can be used anywhere:
- “*” = Zero or more of any type of characters.
- “?” = Can take the place for any single character.
- *:// = Any protocol (usually http or https).
- /*.*/ = Any FQDN namespace
- /*/ = Any NetBIOS/WINS name
- *://servername/* = specific NetBIOS server name
- *://*.company.com/* = Any host in a FQDN domain called company.com.
- *://host1.company.com/* = Only host1, any protocol, any website on target.
- *://host?.company.com/* = All traffic to host[a-z, 0-9], any website.
- https://host1.company.com/home = Only https requests to host1’s “home” directory.
Some things to think about when defining your own URL Mapping table:
- Obey classic firewall rules – most granular is processed first
- Define your targets and know your internal name space
- Put in sequence (most specific first, least specific last)
- Decide whether traffic goes via the “internet” or “work” network routing from your SCMDM Gateway Server
Example and Outcome
Here is what a working example of URL Mapping Filter entries could look like:
Please note the above setting details:
- *://www.company.com/* – Externally hosted Internet site
- *://mdmvpn.company.com/* – Route SCMDM Gateway Server access through Internet
- *://*.company.com/* – Internal work namespace
- *://*.*/* – Catch all for all other Internet requests
- *://*/* – Catch all for all other internal NetBIOS/WINS requests – However, not found to work in testing, and removed so Internet requests are not caught by it!
Outcome with the above setting details:
- SCMDM VPN will connect correctly through the Carrier/MO/ISP on the device
- SCMDM Device Management and WSUS traffic will require no further intervention.
- Internal Line-Of-Business application traffic will go direct.
- Internet bound traffic will go to the corporate proxy (if defined in separate Group Policy).
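The ordering rules above can be checked offline before a table is pushed by Group Policy. The following is an added example, not code from this article or from Microsoft: it models the URL Mapping Table as a single ordered, first-match list (an assumption about evaluation order), and the names `route` and `audit` and all test URLs are constructed for illustration.

```python
import re

# Constructed table mirroring the article's working example, in the same
# order: most specific entries first, catch-all last.
URL_MAP = [
    ("*://www.company.com/*",    "internet"),  # externally hosted site
    ("*://mdmvpn.company.com/*", "internet"),  # SCMDM Gateway Server
    ("*://*.company.com/*",      "work"),      # internal work namespace
    ("*://*.*/*",                "internet"),  # catch-all for dotted names
]


def pattern_to_regex(pattern):
    """Translate a mapping pattern into a regex.

    '*' matches zero or more of any character, '?' matches exactly one
    character; everything else is literal. Matching is case-insensitive
    because scheme and host names are.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def route(url, table=URL_MAP):
    """Return (destination, matching_pattern) for the first entry that
    matches url, or (None, None) when nothing in the table matches."""
    for pattern, destination in table:
        if pattern_to_regex(pattern).fullmatch(url):
            return destination, pattern
    return None, None


def audit(table, expectations):
    """Compare a table against (url, expected_destination) pairs and return
    one (url, expected, actual, pattern) tuple per misrouted URL."""
    problems = []
    for url, expected in expectations:
        actual, pattern = route(url, table)
        if actual != expected:
            problems.append((url, expected, actual, pattern))
    return problems


# Constructed expectations: the gateway and public sites must leave via the
# Internet side; line-of-business hosts must stay on the Work side.
EXPECTED = [
    ("https://mdmvpn.company.com/",       "internet"),
    ("http://www.company.com/index.html", "internet"),
    ("http://lob1.company.com/app",       "work"),
    ("https://www.example.org/",          "internet"),
]

# Same entries with the catch-all moved ahead of the internal namespace:
# the ordering mistake the "most specific first" rule guards against.
MISORDERED = [URL_MAP[0], URL_MAP[1], URL_MAP[3], URL_MAP[2]]

if __name__ == "__main__":
    print("article order :", audit(URL_MAP, EXPECTED))
    print("misordered    :", audit(MISORDERED, EXPECTED))
    # A dotless NetBIOS-style name matches none of the four entries.
    print("dotless host  :", route("http://intranet/home"))
```

In this model the misordered table sends the line-of-business host out the Internet side, and a dotless host name falls through the table entirely, which is where the DNS suffix approach in the next section comes in.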
Internal namespace sans WINS
Most companies are well on their way to getting rid of WINS entirely and have put DNS suffix search order standards in place, so another solution is to push a default DNS suffix to your Windows Mobile devices. Brian Puhl from Microsoft IT blogged about this last year here:
So this could ensure proper name resolution to a FQDN for internal names used on the Windows Mobile device. In the example above this could be routed to the “work” side of things by the *://*.company.com/* URL Mapping.
For more information on creating custom ADM templates for use in SCMDM 2008 please see: http://enterprisemobile.com/2008/10/writing-custom-gpos-for-scmdm-2008/.
SCMDM 2008 SP1 Source-based Routing
Another feature that can be used to better assist with the complex nature of network routing, proxies and Internet access is the source-based routing feature present in SCMDM 2008 SP1. Some details can be found here: http://technet.microsoft.com/en-us/library/dd252779.aspx
The source-based routing option on the Gateway Wizard:
One example of how this could work is instead of having the default gateway on the External NIC of the Gateway Server, you place one on the Internal NIC. You can then configure the source-based routing option to an IP address of an external firewall that is accessible from the Internal NIC. Now Internet IPSec traffic will come in and terminate on the external NIC, but return back to the device through the Internal NIC and the IP address of the source-based routing, back to the Internet. Now any traffic from the Windows Mobile devices not configured to the proxy will default out to the Internal NIC gateway. This could be useful for applications that are not proxy aware, or if you don’t want to use any proxy but direct all traffic to the internal side and to be taken care of there for either internal or external Internet routing.
Another idea that could perhaps assist in some architectures is the use of split-DNS. In the Gateway Wizard you can specify the DNS server the Windows Mobile clients will use to resolve hostnames. Many simply use the existing DNS server present internally and make sure connectivity on TCP port 53 is open to it. Another idea could be to use a separate DNS server that contains hostname zone entries that could be similar but resolve to different IP addresses to better resolve network routing or DMZ issues at hand. DNS forwarding could still be used to forward remaining requests to the primary internal DNS servers.
Another Enterprise Mobile colleague, Dave Field, also points out:
“Please note that if you have a proxy setup on the device and you partner the device to a desktop that has “automatic” setup for the Connection setting, it will auto-configure the device proxy and overwrite whatever you have. It will configure it for port 80 automatically too.”
At the time of this writing I’m not sure if the Group Policies will automatically refresh the settings again down to the device. A workaround may be to disable the tethering functionality altogether if this is a big concern.
The final best advice is to have patience in troubleshooting and testing the proxy and network routing. It can be complex and quite difficult to get set up correctly in a large organization. Logic flow, re-verifying settings, and looking at logs could be your best friends.
Thanks again to Patrick Salmon for getting the answers together. Also a thanks to Wayne Phillips and David Creedy from Airloom for their feedback and corrections!
Please leave a comment or contact me directly if you have additional findings or feedback on how these settings work and act for you!
Updated on May 12, 2009 with some corrections.