IBM Goes Wide and Deep on Mobility
Mobility managers with large numbers of devices and applications to support, particularly those in companies with an investment in Lotus Notes, should keep IBM in their game plan.
I just returned from 3 days at IBM's annual Lotusphere conference in Orlando, and while IBM is focusing primarily on bringing social media concepts into business processes, particularly with their Connections product, there is a mobility element into everything they do. However, IBM doesn't do anything from just one angle, and behind the scenes the company has been developing a raft of mobile security, device management, and applications development tools.
The one problem with IBM's mobility offerings is that they have so many of them and they all have names that provide no clue as to what they actually do. Fortunately I got to spend some time with Rob Ingram, Senior Manager, Mobile Social Business Strategy, who moderated the session "Strategy in Action: IBM Mobile for Social Business", and he walked me through the forest.
First, IBM does offer mobile clients for the Apple iOS and Android platforms under the name Sametime Mobile Client; their partner RIM offers one for the BlackBerry platform. The iOS and Android clients got an upgrade this past August and now offer presence and IM (individual and group with picture capabilities), as well as push notifications, so a user who has been off-line receives alerts regarding text or other items received as soon as they log in. The network (e.g. Apple's Push Notification Server) doesn't deliver the actual message, only the "alert". The user connects to Sametime when they are back on line and the message is delivered directly over a secure connection.
With that upgrade, IBM also included location-based presence on the Android implementation, so the user's location can be provided along with their presence status. For privacy reasons, the user has the ability to limit which colleagues are allowed to see that location.
However, IBM's offerings reach into several other areas of mobility. First, there is Lotus Notes Traveler, IBM's push email and PIM (personal information manager) synching capability. Like Microsoft's Exchange Active Sync (EAS), Traveler also provides some basic mobile device management (MDM) capabilities like policy enforcement, remote wipe (partial and full), plus the ability to block unencryptable transmissions and deactivate the device’s camera (on iOS devices).
For MDM capabilities beyond Notes Traveler, IBM is rolling out the Tivoli End Point Manager. An extension to the Tivoli Management Framework that provides hardware and software inventory and software distribution capabilities for large networks of desktops and laptops, the End Point Manager will extend those capabilities for mobile devices. The product is based on IBM's acquisition of BigFix, Inc. in July of last year, and the Tivoli End Point Manager will support iOS, Android, Symbian, Windows Mobile, and Windows Phone devices.
While it can detect "jailbroken" (iOS) and "rooted" (Android) devices, the Tivoli End Point Manager still doesn't include an "internal app store" function, though IBM has developed (but not yet productized) that capability and uses it on its own internal network. Detecting "jailbroken" or "rooted" devices is critically important for enterprise security because those compromised devices can allow non-sanctioned software to be loaded on someone’s personal device. It also supports application blacklisting to prevent specific applications from being installed.
Further on the security front, IBM is upgrading a legacy mobility product called Lotus Mobile Connect (LMC). Originally developed for laptops, LMC provides a secure tunnel between the mobile device and the corporate network with the ability to maintain that security as the user roams across 3G/4G and Wi-Fi networks; that security is FIPS 140-2 compliant. This is similar to the persistent wireless connectivity provided by NetMotion Wireless. LMC can do clientless secure proxy access for any device, and they are evaluating a future client for Android 4.0 (Ice Cream Sandwich) VPN APIs.
IBM is looking at other options for remote security. In the IBM Labs pavilion, developers were showing a further enhancement to LMC that would provide secure access on an application-by-application basis. Using a VPN secure tunnel connection might not be good enough for all enterprise users, according to IBM; the problem is that once the secure tunnel is established, any application on the mobile device can access the enterprise network through it. So if the user has installed a compromised application, that secure tunnel just gave it access to the entire corporate network.
Most MDM solutions address this concern with application white/blacklisting, but the IBM developers feel that might not be not proactive enough, as there can be a time lag before a blacklisted application is identified. With this capability, access for a particular application can be cut off immediately. This enhancement will work with the core LMC capability, allowing a user to roam across multiple wireless networks with the secure tunnel intact and without requiring the user to reauthenticate.