App-centric handhelds are maturing rapidly, and the path to secure adoption is more straightforward than it may seem.
By Galen Gruman
Given the passion for mobile computing among users and the tech industry, it is easy to get swept up in the excitement and see mobile as the solution for everything. It’s also not hard to write off the technology as a fad that will run its course. We’re betting the first camp is more on target, given the rapid adoption of mobile technology by business users and consumers with fervor reminiscent of the early PC days.
In conversations with CIOs and other IT leaders, PwC sees a sea change in attitude toward mobile devices. Once viewed as an oddity to be kept at arm’s length, they’re now seen as a platform for enterprise value through their existing functions and ones not yet invented.
The key reason for this change in attitude? The new generation of devices, represented by the Apple iPhone and handhelds that use Google’s Android operating system, is evolving from a messaging platform into an application platform, making the devices more versatile for business needs—that is, more like a PC. So much so that Standard Chartered recently switched to the applications-oriented iPhone.
As the mind-set shifts from “containing the newfangled devices” to “getting business value from them,” enterprises are discovering they’re not yet familiar enough with the technologies they need to understand and exploit. This article sorts them out.
There are also shifts in the interaction between businesses and their employees and customers that will affect the design and management of mobile enterprise applications. This shift involves the acceptance—even the embrace—of a certain amount of device heterogeneity; that is, employees and customers use their preferred tools and businesses seek to exploit the special characteristics of the more popular devices while providing a baseline of enablement for the others.
Heterogeneity extends to each individual device, which due to its personal nature will mix personal and business data and functionality, and will require a different management mentality by IT. Technologies now under development may ease efforts to support this heterogeneity.
The big issue has been control: Can the business ensure information security in mobile devices if they are used for both business and personal matters? This is a real concern, especially because the platforms igniting the most passion—Apple’s iOS and Google’s Android operating system—have been slow to provide control mechanisms. Recent changes to both indicate the control issue will be resolved in the next year or two. As control issues are resolved, IT will be able to focus on value-creating efforts, exploiting the emerging mobile technologies along the way.
Solving the control requirement with new technologies
When businesses began to use BlackBerry devices (and later Windows Mobile, Nokia Symbian, and Palm OS devices), IT realized the need to secure the messaging and server access they provided. Management tools similar to those used for PCs were soon available, along with on-device capabilities such as at-rest and in-motion data encryption, remote management, and policy-based administration.
Because the focus was messaging, mail servers were the main conduit between the device and the data center, which simplified the deployment and management effort. Mail servers also tapped into Active Directory and other policy-management servers, allowing IT to extend those services to mobile usage.
Most companies viewed mobile devices as messaging clients and standardized on the BlackBerry, giving themselves just one platform to manage. Some companies used the ability of Windows Mobile to run specially built applications, such as for field forces, and added that platform as the standard for certain classes of users. Microsoft made it easy to do so by extending its widely deployed Windows Server applications to manage these devices.
This situation remained stable until about 2007, when the debut of the iPhone redefined mobile computing to encompass more than messaging and field force applications. It first skewed toward personal use, with its tie to the Apple iTunes service, but users quickly began to use it for business e-mail if they weren’t restricted from doing so.
Now enterprises are taking the next step.
“Everybody wants to tell their employees, ‘You don’t have to carry a corporate phone and a personal phone,’” says David Goldschlag, vice president of mobile technology at McAfee. “The iPhone changed the whole world, because all of a sudden the people within the enterprise were demanding that the iPhone be used. And then it became the CFO’s job or the CIO’s job to say yes, rather than to say no.”
Security was the stumbling block. Apple was slow to add enterprise-class security capabilities, but it did so in the summer of 2010, providing operating system–level services and application programming interfaces (APIs) that let the mobile management vendors—AirWatch, BoxTone, Good Technology, MobileIron, Symantec, the Afaria unit of SAP Sybase, Tangoe, Trust Digital, and Zenprise, among others—deliver management tools similar to those for BlackBerry and Windows Mobile.
Four of the six major platforms can now be managed to the standards of most businesses; in order from most capable to least, they are BlackBerry, Apple iOS, Windows Mobile, and Nokia Symbian. Although, as Forrester Research has noted, Google has not yet focused on security management, there are tools to give IT assurance over Android devices—such as NitroDesk TouchDown and Good Technology’s Good applications for Exchange messaging, and the forthcoming IBM Lotus Notes Traveler for Notes messaging. Google is likely to develop competitive management and security capabilities soon. Microsoft’s new Windows Phone 7 does not yet have such third-party tools to fill in some of its security deficiencies, but Microsoft has said it will enhance its security capabilities in 2011. For enterprises that have the highest security requirements—such as the Pentagon—BlackBerry and Windows Mobile are the two options, due to their military-grade encryption and support for two-factor device-based authentication.
Another shift easing the control burden is broad adoption of the Microsoft Exchange ActiveSync (EAS) protocol for managing and enforcing device permissions. Microsoft’s devices and servers support it, of course, but so do Apple’s devices and mail clients, Google’s corporate Gmail service, and, to lesser extents, the Google Android, Hewlett-Packard/Palm webOS, Microsoft Windows Phone 7, and Nokia Symbian operating systems. IBM’s Lotus Notes recently adopted EAS, and Novell has released a beta mobile server add-on based on EAS for GroupWise. This near-universal adoption of EAS should allow consistent policy definition and management for IT. The “Mobile device management products” sidebar compares the mobile device management options—EAS and otherwise—the main vendors have made available.
Mobile device management products
As smartphones and tablets become commonplace, and as employees make the case to bring various kinds of devices into the workplace, IT faces the challenge of managing access, usage, and security across multiple mobile devices. To address that need, many vendors have developed mobile device management (MDM) tools that provide a central console to manage multiple devices over the air with a common set of policies, ensuring consistent policy enforcement and providing auditing capabilities as well. Common capabilities include remote wipe and lock, password enforcement, device encryption enforcement, restricted access to designated virtual private networks (VPNs) and Wi-Fi networks, and remote policy installation.
These tools use one of two approaches, and sometimes both: they use policy profiles, typically based on the widely used Microsoft Exchange ActiveSync (EAS) protocol, and they use a client application on each supported device to provide the managed, secured workspace and additional policies. Those that support the BlackBerry work with Research In Motion’s own tool, BlackBerry Enterprise Server (BES).
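One way to turn the policy-profile approach described in the sidebar into server-side logic, as an added example (not the article’s or any MDM vendor’s code): it evaluates a device’s reported state against an EAS-style policy and separates devices that merely fail a policy (fixable by the user) from platforms that cannot enforce it at all, the gap the article notes for Android’s limited EAS support. The policy names follow Exchange ActiveSync provisioning elements; the platform support table and device states are constructed samples.

```python
"""Compliance check for EAS-style device policies.
Added illustration only: not code from the article or from any MDM vendor.
Policy names follow Exchange ActiveSync provisioning elements; the device
state fields and the per-platform support table are constructed samples."""
from dataclasses import dataclass, field
from typing import Optional

# Policy a mail server might push to every device (values are constructed).
REQUIRED_POLICY = {
    "DevicePasswordEnabled": True,
    "MinDevicePasswordLength": 6,
    "AllowSimpleDevicePassword": False,
    "MaxInactivityTimeDeviceLock": 300,     # seconds before auto-lock
    "MaxDevicePasswordFailedAttempts": 10,  # wipe after this many failures
    "RequireDeviceEncryption": True,
}

# Constructed table of policies each client claims it can enforce. The
# "android_native" row mirrors the article's point that Android's EAS
# support covers only a limited subset and has no on-device encryption.
SUPPORTED_POLICIES = {
    "ios4": set(REQUIRED_POLICY),
    "blackberry": set(REQUIRED_POLICY),
    "android_native": {
        "DevicePasswordEnabled", "MinDevicePasswordLength",
        "MaxInactivityTimeDeviceLock", "MaxDevicePasswordFailedAttempts",
    },
}


@dataclass
class DeviceState:
    """What the device reports about itself (constructed sample fields)."""
    platform: str
    password_enabled: bool = False
    password_length: int = 0
    simple_password: bool = True
    inactivity_lock_seconds: Optional[int] = None
    failed_attempt_limit: Optional[int] = None
    encrypted: bool = False


@dataclass
class Verdict:
    action: str                    # "allow", "quarantine" or "block"
    reasons: list = field(default_factory=list)


def evaluate(device, policy=REQUIRED_POLICY):
    """Decide what the server should do with a device that wants to sync.

    block:      the platform cannot enforce a required policy at all
                (Exchange's term is a non-provisionable device), so no
                user action could make it compliant.
    quarantine: the platform could enforce the policy, but the state it
                reports does not meet it yet (for example a short passcode).
    allow:      every required policy is enforceable and satisfied.
    """
    supported = SUPPORTED_POLICIES.get(device.platform, set())
    unenforceable = sorted(p for p in policy if p not in supported)
    if unenforceable:
        return Verdict("block", [f"cannot enforce {p}" for p in unenforceable])

    failures = []
    if policy["DevicePasswordEnabled"] and not device.password_enabled:
        failures.append("no device password")
    if device.password_length < policy["MinDevicePasswordLength"]:
        failures.append(f"password shorter than {policy['MinDevicePasswordLength']}")
    if not policy["AllowSimpleDevicePassword"] and device.simple_password:
        failures.append("simple (repeating or sequential) password")
    lock = device.inactivity_lock_seconds
    if lock is None or lock > policy["MaxInactivityTimeDeviceLock"]:
        failures.append("inactivity lock missing or too long")
    limit = device.failed_attempt_limit
    if limit is None or limit > policy["MaxDevicePasswordFailedAttempts"]:
        failures.append("failed-attempt wipe threshold missing or too high")
    if policy["RequireDeviceEncryption"] and not device.encrypted:
        failures.append("storage not encrypted")
    return Verdict("quarantine" if failures else "allow", failures)


if __name__ == "__main__":
    # Sample run: a well-configured Android client still ends up blocked
    # because two required policies are outside what it can enforce.
    print(evaluate(DeviceState("android_native", True, 8, False, 120, 10)))
```

The three-way verdict matters operationally: a quarantined device can be told what to fix, while a blocked platform needs a different control (a sandboxed, self-encrypting client such as those the article names) or an explicit exception.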
Differential management supports mixed devices
The July 2010 release of Apple iOS 4 (for iPhone, iPod touch, and iPad) also untied iOS management from the natively supported mail server (POP, IMAP, Microsoft Exchange, Google Gmail, and Apple MobileMe), so devices could be managed according to user sign-on—for example, in a hospital where devices are shared but e-mail accounts are not necessarily issued to users.
iOS 4 also introduced differential management in which applications and data are tagged so each server owns whatever it provisions. Thus, on an iOS device that had corporate and personal assets, the corporate server could reach into the device and lock, restrict, or delete the assets it provisioned, leaving other assets untouched. BlackBerry OS 6, released in August 2010, brings the same approach to Research In Motion’s newest smartphones. Mobile management vendor MobileIron says the operating system for Google’s Android is likely to have similar capabilities in the next year or so.
Even without differential management at the asset level, most smartphone operating systems use the concept of sandboxing, in which applications have private space for their data. Thus, the applications can control access to that data by other applications, and management tools can apply greater controls to such applications than the operating system might provide. This is the case in Google Android, which currently has no on-device encryption and does not have a management API outside of support for a limited set of EAS policies. But individual applications, such as Notes Traveler and TouchDown, can encrypt their sandboxes and allow themselves to be managed by IT-controlled servers (Lotus Domino and Microsoft Exchange, respectively).
The differential management approach pioneered by iOS and BlackBerry OS is a major step in ensuring security and compliance—and it’s more than a corporate laptop or home PC can do today. Although technologies such as client virtualization were proposed in 2006 to give PCs the same level of safe business/personal dual use, they haven’t been productized. Mobile’s much more intense personal nature and corporate IT’s concerns have pushed mobile ahead of desktop in this area. Table 1 compares specific security and management capabilities by operating system.
Virtualization for enhanced security and app delivery
Vendors are working on virtualization technology to let enterprises partition business assets from personal ones on the same smart device. These approaches could also enable IT to deliver single-application instances to multiple mobile operating systems rather than re-creating the application for every supported device.
There are many virtualization approaches, but for mobile vendors the focus is on client virtualization (VMware), thin clients (Citrix Systems), and hypervisors (Open Kernel Labs). These approaches separate applications and their data at a deep level on the device, so that barriers are harder to breach than with sandboxing and source tagging.
Client virtualization creates a runtime environment for applications and their resources—similar to Adobe AIR, Adobe Flash, Microsoft Silverlight, and Oracle Java, which can run applications on Windows, Mac OS X, and sometimes Linux. Thus, users don’t need to switch from one environment to another as they did in early desktop virtualization products. Instead, they can launch an application that happens to run in its own virtual environment, using the host operating system’s user interface and shared services.
Client virtualization could be used to develop VMware applications that run natively on iOS, BlackBerry, Android, and Windows Phone 7 (assuming operating system vendors and wireless carriers permit it), so IT would need to create just one version of the application, says Srinivas Krishnamurti, VMware’s senior director for mobile solutions. Client virtualization also could be used to run native applications in their own environment. Doing so would isolate their data and services from other applications and services on the device, thus providing a high level of security and data protection, he says.
The thin-client approach runs the application using the data from a server; the mobile device is just the screen and input medium for the computing performed in the data center. Data and application components may be temporarily loaded to the mobile device in a cache for processing efficiency, but they are never stored beyond the session. Thin-client applications are already widely used in financial services and other industries that require a strong separation and protection of resources. Typically, Windows applications are run remotely from a desktop PC that never stores the information being used. Citrix is hearing from such firms that they want to extend the use of thin clients to iPad tablets and the coming set of new tablets, says Kim Woodward, vice president of corporate marketing at Citrix.
The flaw with the thin-client approach is that most applications are designed for desktop screens and are difficult to use on a smartphone. That’s why Citrix reports most of its mobile usage is on a tablet, the iPad, a trend it expects will accelerate when other tablets begin to appear in 2011, Woodward says.
The mobile hypervisor approach is similar to client virtualization, except that it doesn’t run on a host operating system; it runs underneath the host operating system, communicating directly with the device hardware. That approach offers the greatest possible separation of resources, because the guest operating systems and the applications that run on them are isolated from each other—and from the host operating system and its applications. Figure 1 illustrates the main differences between the three types of mobile device virtualization.
Open Kernel Labs notes that Motorola has shipped the Evoke, which runs the Binary Runtime Environment for Wireless (BREW) and Linux cell phone operating systems simultaneously. Users see a unified interface because the Open Kernel Labs technology allows the device maker to integrate user interface (UI) elements, deciding at a granular level the degree of separation across the operating systems, notes Steve Subar, the company’s CEO. Like client virtualization, the hypervisor approach could be used to run multiple operating systems, multiple instances of the same operating system, or a combination of the two on the same device.
All three vendors say current smartphones have the processing power and memory to support these technologies. But they’re not yet implemented because mobile operating system makers are deciding to what extent they want to support alien operating systems and whether they want to add the extra layer. PCs don’t have this level of internal safeguard, so adding it to mobile has not proven urgent.
Of the three approaches, the thin client most likely will soon be widely available for segregating applications from the mobile device’s other applications and data; the Citrix Receiver thin-client application is already popular among mobile users, the company reports.
The path to broad adoption of the other forms of virtualization is less obvious. As the next section explains, Web-based applications can provide similar universality without the overhead of virtualization. It’s also not certain that mobile platform providers will support the VMware or Open Kernel approaches; today, for example, Apple prohibits the use of non-native runtimes such as Adobe AIR and Flash and Oracle Java on its iOS.
Extending corporate apps to the mobile environment
Virtualization could help IT tap legacy applications and create new “write once, run all” applications for a heterogeneous environment, but there’s a simpler approach in many instances: Web-based applications, including cloud applications. Using Web-based applications has several advantages.
The supporting infrastructure is improving rapidly, as solid-state storage, processing, compression, and bandwidth improvements make Web applications richer. These advances, plus advances in virtualization and user-interface mapping between mobile devices and desktop-oriented server applications, also make the use of thin-client computing—such as through Citrix, Microsoft, or Wyse terminal services—more attractive where the Web application approach is ill suited.
The networking infrastructure also is improving and can support the need most Web applications have for continuous network connectivity. Wi-Fi networks are increasingly available in public and private buildings, and 3G and emerging 4G cellular technologies are approaching availability and speeds that reliably fill most gaps between Wi-Fi networks. The issue of not having reliable connectivity is fast receding. On the provisioning side, higher-capacity servers and storage media for general uses, such as thin-client access, and specialized uses, such as video streaming, allow the back-end infrastructure to handle provisioning to hundreds of millions of data-capable mobile devices already deployed.
Third, in many instances, IT can avoid native application development on multiple mobile platforms by using the draft HTML5 specification, which Apple, Google, Hewlett-Packard/Palm, Nokia, and Research In Motion have adopted in their mobile browsers. Microsoft has not joined the HTML5 bandwagon, but says it will add HTML5 support to its new Windows Phone 7 operating system at some point.
The local storage facility in HTML5 can help Web applications continue to function even when disconnected from the Internet, at least using the data cached on the device before the connection is broken. HTML5 also supports location data, which lets Web applications tap into one of mobile devices’ key information streams.
Although HTML5 is several years from final status and ratification, major components are already implemented in most popular mobile and desktop browsers, providing an opportunity for IT to test and use the capabilities over time. Box.net CEO Aaron Levie summarizes the ideal scenario: “It would be my preference as a developer that we will do this all in HTML5, and everything is going to be much more Web-based across all these platforms.”
Futurist and interactive media consultant Mark Pesce figures that 90 percent of mobile application development could take place in HTML. “HTML is your low-hanging fruit,” he says. “So you’ll think about how to farm out your 10 percent to a tiny little app that’s not going to take much development time to deploy, but does just this one thing that you can’t do in HTML5.” Figure 2 considers that scenario, associating application types with the kind of development needed for that type. According to those such as Pesce who are close to the topic, HTML5 methods can cover the vast majority of application needs.
Current and future HTML technologies are likely to be used by vendors of software as a service. Salesforce.com, SAP, Netflix, Box.net, and others have already created mobile applications with such technologies. So IT can likely extend any cloud service effort to include mobile users.
Other Web-style application approaches include client environments such as Adobe AIR, Adobe Flash, Microsoft Silverlight, and Oracle Java. However, these clients are not universally supported. And none of these clients has facilities for re-rendering the user interface automatically for the client device, so such applications will require significant redevelopment for mobile, even if the underlying process logic can be used. (The user-interface issue is less acute on tablets, due to their larger screen sizes.)
But screen size is not the only user interface mismatch. These client technologies as yet do not support the rich gesturing capabilities of smartphones and tablets. As a result, interactivity generally consists of mouse-style actions, which usually are more limited than gestures and require more precise motions than finger-based gestures allow.
Thus, PwC does not expect such clients to be a significant mechanism for providing multiplatform applications, at least not until they better handle the gesture approach of mobile interfaces. Adobe Systems has said it is working to revise Flash to support such standards, whereas Microsoft has built such capabilities into Silverlight for Windows Phone 7 but not for the desktop version of Silverlight that would play on a Web site.
As an interim step, IT can use such clients to make existing applications available to compatible mobile devices. After all, mobile users are familiar with using regular Web sites on their devices and adjust their expectations accordingly; the same principle applies to using Flash or other client applications.
Web-style applications are particularly suited for information consumption and for lightweight content creation and transactions, what PwC calls “engagement”—the same kinds of use cases for which Web and cloud services make sense. Because mobile devices are best suited for such information consumption and engagement, we expect most businesses to focus on these Web-based application development and delivery technologies to support most mobile users.
The new breed of mobile applications
HTML5 and client environments are useful for porting existing services to mobile devices and for enabling content-consumption and engagement applications, but they are less useful with mobile-specific attributes. One reason for this is that each mobile operating system has unique functional and/or interface capabilities that the more generic Web technologies can’t take advantage of. Another is that existing technologies don’t have mechanisms to handle common sensor data from the devices—such as acceleration, spatial orientation, ambient light levels, and proximity detection—that could be used for new classes of services and applications.
Thus, developers will also need to create native applications on mobile platforms that users or customers favor. That support means more than simply having a “skinned” Web application for the devices. Users form strong allegiances to the way their smartphones work, and they expect the key applications they use to follow the same approaches and tap into what they consider special about the devices. “A native mobile app should provide a user experience that is difficult or impossible to provide via the Web,” says Pesce of FutureSt Consulting.
To go native means to honor each platform’s user experience even if it means providing different functionality, says Srini Koushik, CTO of Nationwide. In some cases, such as Apple iOS, the operating system creator enforces adherence to such standards, while in others, the creators promulgate but do not enforce design guidelines. “There’s a lot of benefit to that, especially when you get into the customer market, where people use technology but they don’t want to worry about the details of technology,” Koushik says. “When I started working with my application developers to put out mobile apps on these devices, a key question was, ‘How do I make sure that the experience—and the customer’s perception of Nationwide—is a good one?’”
PwC sees two additional rationales for developing native mobile applications:
People have their mobile devices in situations where they don’t have their PCs, creating the opportunity to apply technology in new domains for employees, partners, and customers. Current examples include scanning bar codes of products to look up more information or check pricing elsewhere, providing maintenance staff current status on work requests when they’re in the field, and acting as remote controls for Wi-Fi-enabled devices such as TVs, building automation systems, and security cameras.
Mobile devices have built-in sensors—cameras, microphones, location detectors, accelerometers, ambient light sensors, compasses, and proximity sensors—that provide the opportunity to tap into contextual information for new types of applications. Current examples include pedometers that calculate energy use, routing tools to direct drivers to their destinations based on current conditions, and visual heart-rate monitoring. Sensors can be added via near-field wireless networking for continual blood pressure and glucose monitoring.
Early adopters already see advantages in such novel uses. For example, InterContinental Hotels Group (IHG), which manages 45,000 hotels globally, has provisioned iPad tablets to concierges so they can help clients get information or book reservations anywhere quickly, and not be tied to a kiosk while doing so. Another IHG application allows guests to book and manage their hotel accounts while on the go, increasing mobile bookings by 500 percent in less than a year, says CIO Tom Conophy. And IHG is testing an application that uses the smartphone’s speaker to emit an audio code to unlock a guest-room door, so guests don’t even need to check in to get a key.
Conophy says IHG is using different devices for different purposes, based on fit for the job for internal applications and customer demand for external ones, which in turn requires a more flexible planning and deployment process than has been typical.
Nationwide has also deployed several mobile applications. A popular one for its agents lets them take photos of an accident site and upload them to the claims management system, which speeds claims processing, says Koushik.
Standard Chartered is now investigating what applications would benefit its staff. “We don’t want to create an app just because it’s neat; we want it to be something that will add value to the bank and make people’s lives easier,” says Todd Schofield, who leads a mobile development unit for the bank. His unit is looking at the use of location-based services to tell what’s going on in an office or a city, and at the bar-code-reading feature of the iPhone for asset-management tracking of PCs and to track bar-coded paperwork.
In some cases, multiplatform software development environments, such as the one by the Eclipse Foundation and commercial products from Appcelerator and Rhomobile, will ease the development of multiple native versions of an application. But PwC believes that the richest applications will need to be developed on the native development tools provided by each mobile operating system creator. Even today, a mix of applications exists depending on the degree of desired nativeness, and PwC sees no reason why that fact will change.
The rise of mobile device usage by employees and customers has the potential to introduce transformative capabilities into business, but at a cost of accepting platform heterogeneity and sharing ownership of devices with employees.
Although the current stable of mobile operating systems is daunting, PwC expects the number of viable platforms will shrink to a manageable four to six, and most companies could focus on perhaps three.
Still, that reality will mean being more focused on application functionality, rather than trying to deliver Swiss army knife–style “do it all” applications. And it will require knowing when using a common technology such as HTML5 is a workable approach versus creating native applications for your target platforms.
The heterogeneity of mobile devices and the rapid change in enabling technologies such as HTML5 mean that companies will need to rethink how they adopt and deploy them. Application development and platform adoption time frames need to be flexible and short.
Applications—both client and back end—need to be modifiable to take advantage of new mobile capabilities as they appear, without massive reprogramming.
User interface expertise will become critical, because mobile devices are fundamentally different from PCs on this score. Also, because users and platform developers are still figuring out what works best, best practices are unclear, requiring more ongoing attention on UI issues than is typical for corporate application development.
Above all, experimentation is important because users are just starting to figure out what they can do with these versatile devices that are always at hand, and technologists keep inventing additional capabilities. PwC does not expect this opportunity-providing instability to settle down for some time yet. In fact, as the timeline in Figure 3 points out, the series of developments we anticipate over the next decade will likely provide plenty of opportunity, not to mention instability.