
The Linchpin Of Enterprise Mobility Management

Do you ever have an “A Ha!” moment?  You know, the kind where you say to yourself, “Well why didn’t I ever think of that before?”  I just had one today.  The thing is, it was such an “A-Ha!” moment that I felt pretty dumb.  So dumb in fact, that I called myself a butt-head for not having thought of this before.

Over the last few years, at countless conferences and events, and in interviews for articles, I have been asked what I think is the most important part of enterprise mobility management.  Is it mobile device management, wireless expense management, security, etc.?

I have always given the same response: that they are all equally important, and that organizations need to leverage solutions for all the pieces of enterprise mobility management AND mobile life cycle management.  I think I have now seen and (more importantly) recognized the error of my ways.

Now don’t get me wrong, I still believe that organizations need to manage the devices, the applications, the security, the expenses, blah blah blah of mobility in the workplace, regardless of who owns or pays for the devices in question.  That’s all fine and good.  But here’s what will make those solutions SPECIAL.

Directory services.  I’m talking about LDAP and/or Active Directory.

Hunh?  Are you on crack Philippe?  What does this have to do with enterprise mobility management???

Actually, it has everything to do with it, especially if you have real-time access and connectivity to the directory services (as opposed to doing regular imports of the LDAP/AD data).

How else can you manage who has access to corporate email or other enterprise data, or decide which kinds of applications your employees can use for work?  You need that LDAP/AD connectivity.  What if an employee is terminated or leaves by their own choice?  Wouldn’t it be a lot easier for HR to make the change in their ERP module and have it instantaneously permeate through all the other systems, locking down the email account, wiping the work applications the employee had, and so on, rather than relying on HR to call IT and on IT to get it all done as quickly as possible?  Every hour between the HR change and the revocation is an hour in which a former employee still holds corporate data on a device you no longer control.

What if the employee doesn’t leave the company but simply changes roles or geography within the organization?  It’s still an HR issue, and HR are the ones who will be making that change, so why not base mobility management on the HR perspective?  I’m not going to spend any time here today on the legal, governance, compliance and risk management issues, because I think (hope) it should be pretty obvious that they too will be directly affected by real-time access to the employee directory.
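To make the contrast between a live directory lookup and a periodic LDAP/AD import concrete, here is an added example; it is not code from the original post or from any product mentioned on this page. It is a Python simulation: a constructed in-memory stand-in for AD, two stand-in MDMs (one queries the directory on every decision, the other re-imports it every few hours), and the same policy check run against both while HR disables one account and moves another user from Finance to Sales. The userAccountControl flag values are the real Active Directory ones; the user names, group names, resource names and the four-hour import interval are assumptions made for the example.

```python
import copy
from dataclasses import dataclass

# Genuine Active Directory userAccountControl flag values.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200

@dataclass
class DirectoryEntry:
    """The subset of an AD user object a mobile policy decision needs."""
    sam_account_name: str
    user_account_control: int
    member_of: set

    def is_enabled(self):
        return not (self.user_account_control & (UF_ACCOUNTDISABLE | UF_LOCKOUT))

class Directory:
    """Constructed in-memory stand-in for LDAP/AD; not a real server."""
    def __init__(self):
        self.entries = {}

    def add(self, entry):
        self.entries[entry.sam_account_name] = entry

    def lookup(self, name):
        return self.entries.get(name)

    def disable(self, name):  # what HR's termination workflow does to the account
        self.entries[name].user_account_control |= UF_ACCOUNTDISABLE

    def change_role(self, name, old_group, new_group):  # HR role/geography change
        self.entries[name].member_of.discard(old_group)
        self.entries[name].member_of.add(new_group)

# Assumed mapping from a mobile resource to the AD group that entitles it.
RESOURCE_GROUP = {"corporate-email": "Mail-Users", "finance-app": "Finance", "sales-app": "Sales"}

def decide(entry, resource):
    """Policy decision from whatever directory data the MDM has in hand."""
    if entry is None or not entry.is_enabled():
        return "deny+wipe"  # account gone or disabled: revoke and wipe work apps
    if RESOURCE_GROUP[resource] in entry.member_of:
        return "allow"
    return "deny"  # account is fine; the user is just not entitled to this

class LiveDirectoryMdm:
    """Queries the directory on every decision (real-time access)."""
    def __init__(self, directory):
        self.directory = directory

    def decide(self, user, resource, now_hours):
        return decide(self.directory.lookup(user), resource)

class PeriodicImportMdm:
    """Keeps its own copy of the directory, re-imported every interval_hours."""
    def __init__(self, directory, interval_hours):
        self.directory, self.interval = directory, interval_hours
        self.last_sync, self.snapshot = None, {}

    def _sync_if_due(self, now_hours):
        if self.last_sync is None or now_hours - self.last_sync >= self.interval:
            self.snapshot = copy.deepcopy(self.directory.entries)
            self.last_sync = now_hours

    def decide(self, user, resource, now_hours):
        self._sync_if_due(now_hours)
        return decide(self.snapshot.get(user), resource)

def run_scenario(sync_interval_hours=4):
    """Rows of (hour, event, user, resource, live decision, import decision).
    HR disables jdoe and moves asmith from Finance to Sales between hours 0 and 1."""
    ad = Directory()
    ad.add(DirectoryEntry("jdoe", UF_NORMAL_ACCOUNT, {"Mail-Users", "Finance"}))
    ad.add(DirectoryEntry("asmith", UF_NORMAL_ACCOUNT, {"Mail-Users", "Finance"}))
    live, periodic = LiveDirectoryMdm(ad), PeriodicImportMdm(ad, sync_interval_hours)
    rows = []

    def check(hour, event, user, resource):
        rows.append((hour, event, user, resource,
                     live.decide(user, resource, hour), periodic.decide(user, resource, hour)))

    check(0, "baseline", "jdoe", "corporate-email")
    ad.disable("jdoe")
    ad.change_role("asmith", "Finance", "Sales")
    check(1, "HR change applied", "jdoe", "corporate-email")
    check(1, "HR change applied", "asmith", "finance-app")
    check(1, "HR change applied", "asmith", "sales-app")
    check(3, "inside import window", "jdoe", "corporate-email")
    check(sync_interval_hours, "next import", "jdoe", "corporate-email")
    check(sync_interval_hours, "next import", "asmith", "finance-app")
    return rows

if __name__ == "__main__":
    for row in run_scenario():
        print("h%-2d %-22s %-7s %-15s live=%-9s import=%s" % row)
```

Run it and the import column keeps allowing the terminated user's mail until the next scheduled import, and keeps the moved user on the old role's app while denying the app the new role needs. The exposure window is exactly the import interval, which is the whole argument for real-time directory access rather than a synchronized copy.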

Here’s the other funny point about all this.  Enterprise mobility is NOT about technology!  It’s, as Nokia loves to say, about “Connecting People.”  The technology is about automating what people are doing to help them be more “productive”, as well as automating things to prevent “bad” people from doing things they shouldn’t be doing (security) or “dumb” people from doing things they shouldn’t, like downloading an HD feature-length movie while roaming on 3G (wireless expense management).  You can control all these things by deploying enterprise mobility management solutions, but you are still controlling what PEOPLE are (not) doing.

And that is why, at conferences and in interviews, I will now start saying that real-time access to directory services is the key to maximizing the value of an organization’s investments in enterprise mobility management solutions.

Update:  I just asked a question in the Q&A section of the site about best practices for directory services for enterprise mobility management.  Feel free to chime in there as well.

20 Comments

  1. Posted August 3, 2011 at 16:39

    Not sure directory is the holy grail Philippe, but directory services sure can make things easier in the management environment, across the spectrum not just in mobility as you infer. Security gets a little trickier though, and reliable LDAP and/or AD data may or may not be in place to truly help. In fact, securing directory services is really important, because, well, who needs a compromised quasi-linchpin?

    • Posted August 3, 2011 at 17:07

      I wouldn’t suggest that it’s THE holy grail, but I will argue that it’s a must have….and to your point, for managing the total spectrum of the enterprise and not just mobile. You raise however a very important point that the directory services themselves must be secured.

  2. Posted August 3, 2011 at 17:00

    Hey Cornholio – Breakin the law – breakin the law – Directory services ARE key to the equation and the first step to integration into enterprise mobility – all great enterprise Apps begin with authentication (AD, LDAP, OpenLDAP, etc) and IT can leverage that transaction on the backend reporting and analytics in terms of user behavior and support.

    • Posted August 3, 2011 at 17:09

      Yes, IT can certainly leverage it, but I guess my point is also that “it” (whatever “it” is) doesn’t have to always originate from IT (take my HR scenario as a prime example).

  3. Posted August 3, 2011 at 17:43

    You are absolutely correct that real time, direct (no manual intervention) integration with Directory Services are central to Mobility Management, but even more so for Mobile Security.

    Much of mobile security is really DATA MANAGEMENT. What data are you allowed/not allowed to access, when and how are you allowed to access the data, under what conditions can you access the data…. you get the point. Directory Services provide the policy framework for the Enterprise that is needed to make all of those decisions. They must be made in real time and they must be made without manual intervention or you will introduce errors and time delays which = security risks.

    This becomes even more apparent when you throw scale into the equation. Mobility is about delivering data/apps to people when and where they want them. Future mobile deployments at large enterprise will be measured in the hundreds of thousands of devices not the thousands. Then you will multiply that by 4-5 apps per device, each app more mission critical than the last. Absolutely NO way that this can be done without integration and automation to existing enterprise Directory Services for both Device and Application Management. Even if an enterprise had the funds to sustain the cost the manual process, they could not sustain the risk.


    • Posted August 3, 2011 at 17:53

      @asnyder – Isn’t Mobile Security part of Enterprise Mobility Management?

      • Posted August 3, 2011 at 18:07

        It is, but I make the distinction because there are large parts of mobility management (infrastructure, incident and problem mgmt) that are not Policy related and therefore not tied to Directory Services. Then there are parts of mobility management, such as Mobile User Service Quality and Support, that are connected to Policy, but also depend on other factors like application criticality and infrastructure performance. Mobile Security (aka. MDM) is almost entirely tied to Policy and therefore Directory Services.

        • Posted August 4, 2011 at 09:19

          I feel compelled to chime in that MDM and Mobile Security (as you know) are two very different things. http://bit.ly/jkfosV

          • Posted August 5, 2011 at 16:08

            You are absolutely right, they are very different. They are related and dependent items, but very distinct.

            Unfortunately most of the market does not see it that way and so Perception becomes Reality. In a moment of weakness I gave in to the Perception…

  4. Posted August 3, 2011 at 19:46

    Happily, I think we’re all 100% on board about the importance of identity (sourced via infrastructure like AD). I can’t think of a MDM/EMM solution that doesn’t link to AD and define policies around individuals/groups. Policies – security and otherwise – are layered. Some are specific to workgroups and individuals (requiring AD). Some are specific to devices, their state (settings, jailbreak etc) and their capabilities (encryption). And yes, some may layer policies based on whether IL/CL. These other layers won’t take advantage of AD, but there is a very new cool use-case relative to mobility = Apps. Finance? Workgroup setting recommending/pushing a certain array of Apps. Sales? Different set for you. And yes, AD will likely be sourced by access control systems at the data center boundary (evoked by the Application/host and/or front-end network security).


    • Posted August 4, 2011 at 07:36

      @nturner – I think it’s more a question of looking at how they are integrating (and to what depth) with Active Directory – and then what the implications are of that integration.

    • Posted August 4, 2011 at 07:42

      This is where not all MDM products are created equal. Most MDM (not all) use AD for basic Authentication (checks that you are a user in the system). Once you go beyond Authentication things are not as clear. Some examples:

      Authorization – do you use AD to determine what the User, Device and Application is allowed to do and under what conditions can it be done? It is VERY important that you look at User, Device and Application since they are all related and provide the layers of security and policy required to do this correctly.

      Real time – do you access AD on a real time basis for ALL changes to User, Device and Application? Any delay or latency produces the opportunity for error and security holes.

      Bi-Directional – do changes in AD ripple out to the User, Device and Application? Do changes at the User, Device and Application level go back and check policy and security settings?

      Automatic – Does the MDM product do all of these things automatically and without any manual intervention?

      Grouping – Does the MDM product make changes one User/Device/Application at a time or can it make changes to entire groups?

      One System of Record – Does the MDM product use the existing Directory Services as the only system of record or does it duplicate the Directory Services within the MDM product and synchronize on a periodic basis?

      You would think that everything I have listed above is standard for an MDM product to be enterprise class, but that is far from reality. This will only get more complicated as Applications proliferate and you have many more deployment permutations.

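As an added example for the layered-policy point made above (policies specific to workgroups, to device state such as jailbreak and encryption, and to IL/CL ownership) and for the Authorization and Grouping items in Alan's checklist, here is a Python policy resolver; it is not code from the original post, from BoxTone, or from any other vendor. It takes a user's directory groups and a device's reported state and decides, app by app, whether to push or block, with the decision defined on groups so that an HR-driven group change re-derives the whole entitlement set. The group nesting, the group-to-app mapping, the app classifications and the device attributes are all hypothetical; the note that AD's memberOf attribute lists direct membership only, and the LDAP_MATCHING_RULE_IN_CHAIN OID, are real.

```python
from dataclasses import dataclass

# Hypothetical group nesting: parent group -> groups it contains. AD's memberOf
# attribute lists direct membership only, so an MDM reading memberOf has to
# expand nesting itself (or have the domain controller do it with the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941).
GROUP_NESTING = {
    "All-Staff": {"Finance", "Sales", "Engineering"},
    "Finance": {"Finance-Analysts"},
}

# Hypothetical workgroup policy: directory group -> apps pushed to its members.
GROUP_APPS = {
    "All-Staff": {"corporate-email"},
    "Finance": {"expense-approval", "ledger-viewer"},
    "Sales": {"crm"},
}

# Hypothetical per-app policy: data classification, and whether the app is
# limited to corporate-liable (CL) devices rather than individually-liable (IL).
APP_POLICY = {
    "corporate-email": {"classification": "internal", "corporate_only": False},
    "expense-approval": {"classification": "confidential", "corporate_only": False},
    "ledger-viewer": {"classification": "confidential", "corporate_only": True},
    "crm": {"classification": "confidential", "corporate_only": False},
}

@dataclass(frozen=True)
class DeviceState:
    """Device-layer facts the MDM agent reports; hypothetical field set."""
    device_id: str
    corporate_liable: bool
    jailbroken: bool
    storage_encrypted: bool

def expand_groups(direct_groups):
    """Every group the user belongs to, directly or through nesting (fixed point)."""
    effective = set(direct_groups)
    changed = True
    while changed:
        changed = False
        for parent, children in GROUP_NESTING.items():
            if parent not in effective and children & effective:
                effective.add(parent)
                changed = True
    return effective

def resolve(direct_groups, device):
    """Layered decision for every app in the catalogue: {app: (action, reason)}.
    Device posture is checked first (a jailbroken device gets nothing), then
    workgroup entitlement from the directory, then per-app constraints that
    depend on the device."""
    entitled = set()
    for group in expand_groups(direct_groups):
        entitled |= GROUP_APPS.get(group, set())
    result = {}
    for app, policy in APP_POLICY.items():
        if device.jailbroken:
            result[app] = ("block", "device is jailbroken")
        elif app not in entitled:
            result[app] = ("block", "no entitling directory group")
        elif policy["corporate_only"] and not device.corporate_liable:
            result[app] = ("block", "corporate-liable devices only")
        elif policy["classification"] == "confidential" and not device.storage_encrypted:
            result[app] = ("block", "confidential data needs encrypted storage")
        else:
            result[app] = ("push", "entitled and device posture acceptable")
    return result

def apps_to_push(direct_groups, device):
    """Sorted app list to push; recomputed whenever groups or device posture change."""
    return sorted(app for app, (action, _) in resolve(direct_groups, device).items()
                  if action == "push")

if __name__ == "__main__":
    corp = DeviceState("cl-001", corporate_liable=True, jailbroken=False, storage_encrypted=True)
    byod = DeviceState("il-002", corporate_liable=False, jailbroken=False, storage_encrypted=True)
    print("analyst, corporate device: ", apps_to_push({"Finance-Analysts"}, corp))
    print("analyst, BYOD device:      ", apps_to_push({"Finance-Analysts"}, byod))
    print("same person moved to Sales:", apps_to_push({"Sales"}, corp))
```

The only per-user input is the group list; nothing here is keyed on an individual, which is what makes a role change in the directory flow through without anyone editing the MDM. The nested-group expansion is the detail most often missed when a product "uses AD": a user who is only in Finance-Analysts is silently outside every policy written against Finance unless nesting is resolved.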

      • Posted August 4, 2011 at 09:20

        You are dead on Alan.

      • Posted August 5, 2011 at 11:43

        Great summary of AD concerns, Alan. Thank you. I may have to print that post into a 6′ banner to wave in front of the various MDM vendors, not to mention Apple and Google.

        • Posted August 5, 2011 at 13:41

          I would highly encourage you and everyone else to hold all of the MDM vendors (BoxTone included) to account for these capabilities. They are necessary to fully solve the security and management challenge. Customers will figure it out sooner or later. I believe that sooner is better for everyone :)

  5. Posted August 4, 2011 at 09:34

    Agree 100% with Alan. * Blushing * I confess to believing that all MDM vendors fulfill on Alan’s list!

  6. Posted August 4, 2011 at 13:43

    So for clients without an MDM deployment (not everyone is willing to take on the overhead of an app on every handset, and not every handset is a smartphone…) I would think that some smart guy out there could write one hell of a good white paper on how to do this!

    GREAT topic and a really solid Ah Ha!

    THANKS

    • Posted August 4, 2011 at 22:38

      No – not every handset is a smartphone….but they will be eventually IMO. With regards to the white paper, if you find a smart person, let me know ;-)

  7. Posted August 4, 2011 at 17:38

    Brilliant Philippe! We couldn’t agree more. It’s why we’ve integrated against LDAP for our DM solution just so we can permit enterprises to assign users the appropriate rights and roles based on the very attributes we could obtain from LDAP. Technology, and thus devices, will continue to change, however the responsibility of managing people and their actions will always be constant.

    • Posted August 4, 2011 at 22:40

      First, welcome to The EMF! Second, per Alan and Nick’s points, connecting to LDAP/AD is a given….but the level of connectivity is what makes the difference.

      Cheers!
