Four Zones of Mobile Success (or failure): Part 4, Device User

 

This is the final installment in my four-part series discussing four zones of Mobile Success.  The first post discussed the enterprise zone: the enterprise back end, including mail servers, messaging solution and directory services. The second zone is the enterprise security zone consisting of firewalls, VPN’s and reverse proxy. The third zone I covered was the Internet. All of these function as points of success or failure in mobility.

The final zone is the device user zone, which is probably the zone most prone to failures. The zone consists of the user, device, applications and the local wireless carrier. For many reasons, new devices, replacement devices, provisioning, re-provisioning with the carrier messaging system and enterprise often result in a issue and call to the help-desk. The vast majority of interactions occur in this zone, and the more interactions there are, the more opportunity for errors.

From part three of the series, the Internet Zone; data travels the course of the wireless carrier’s wire, fiber, switches and routers until it reaches a wireless tower associated with a device. Then the tower transmits the data to the device. Because a mobile device is an “always on” device, the associated tower can change and must be maintained throughout the day as you travel to different locations.

In short, the meeting notice I mentioned in part 3 leaves the enterprise and finds the first wired network on-ramp to  a devices carrier, traverses their network to the tower near the device and then wirelessly sends the meeting notice to the device.

How does all this magic happen?  When the phone or tablet is turned on, it looks for a tower to associate with.  Once that happens the carrier notes that user Juanita Doe’s device can communicate through tower XYZ, regardless of where a message traffic originates.

As for points of failure, any of the following could apply at the device level:

  • Failing device hardware
  • Battery that’s low or spent
  • Device out of coverage, weak or no signal
  • First time use or replacement, not provisioned or properly provisioned with the carrier
  • First time use or replacement, not provisioned or properly provisioned with the enterprise
  • Encryption or decryption failures, expired keys
  • Incorrect password
  • Corrupt application service books, policies or certificates on the device
  • Incompatible OS level

Below we have the complete picture of the basic mobile enterprise network again. As demonstrated by the discussion in this series, so much technology has to go right for the basics of wireless and mobile applications to work. It takes even more for an enterprise wireless strategy to be effective and successful. For a strategy to be effective it must include mobile management processes, such as procedures and tools including predictive analytics to detect problems, alert the enterprise administrators and help isolate any issues or failures in the enterprise mobile ecosystem.

As mentioned in Part 1 of the series, As an Architect in Mobility for over 17 years now, I have found this diagram and discussion to be extremely valuable tools.

I believe the 1st incarnation of this was in 2003 when an IBM colleague (Scott Symes) and I had the blackeye’s as we experienced the effects of issues in different zones.  It was BlackBerry at the time, hence we gave it the nickname of “BlackBerry Blackeye” chart.  But, as other technologies have come to market, the essentials are still true today regardless of device manufacturer, operating system or application.  The diagram has been updated and expanded reflect some of these changes as Android, IOS Devices, Messaging, Monitoring and MDM/EMM (Airwatch, IBM/Fiberlink, BlackBerry/Good, MobileIron, Tangoe, Zenprise, etc.) have come along. Others have disappeared or been consolidated.  However, the fundamental issues and the concepts remain constant.  There are many points of success and failure in a Mobile enterprise infrastructure.

A well designed, planned and implemented strategies, infrastructures and applications will prevent  lost sales due to abandoned carts, increase customer loyalty and repeat use.  Will increase employee productivity and prevent  lost investment in the failure of application adoption

In the simplest of terms, success equals good high quality uninterrupted service.  Applications that consider the diverse screen real estate and user interaction. Unresponsiveness due to back-end servers, load balancing or firewall issues, internet network congestion will be seen as the fault of and blamed on the application.

Mobile success, like beauty, is in the eye of the beholder or in this case the user.  Therefore, the success of a mobile enterprise infrastructure and whether or not you get a “black-eye” depends on how well these points of failure are understood and managed.

It’s my hope this series, revised from original publication at IBM Mobile Insights, has been and will be helpful to you.  Please leave comments below or contact me on  LinkedIn.

Four Zones of Mobile Success (or failure): Part 3, Internet

Internet

This series of articles describe the four zones of success or failure (points of failure)  in an end-to-end mobile enterprise infrastructure.  In the first part  I discussed the enterprise zone—the enterprise back-end, including mail servers, messaging solution and directory services. In the second part I covered the enterprise security zone, consisting of firewalls, virtual private networks (VPNs) and reverse proxy.

The third zone in the journey is the zone where the enterprise has absolutely no control, the Internet zone! The Internet zone stretches out, encircling the globe, a mysterious cloud with an army of routers, switches, wires, fiber and wireless carriers that provide the infrastructure and plumbing to carry your data packets from end to end. It’s the big hop between your enterprise and devices.

Within the Internet zone are two key add-ons: push notification services and network operations centers.

Push notification services: Non-BlackBerry solutions require integration and connectivity to the Apple and Google push services for Apple iOS and Google Android device support.

Network operations center (NOC): Some of the mobile enterprise solutions make use of an NOC concept. The two most notable are BlackBerry and Good Technology. In these solutions all traffic related to their solution passes through the NOC. This has the advantage that the enterprise’s security zone only needs firewall rules to the trusted NOC. The NOC integrates all communications from devices on the various carrier networks.

Like any other link, a broken link affects the chain. However, the NOCs are highly redundant, fault-tolerant configurations that are rarely down. They are so reliable that when an incident occurs the disruption often makes the evening news. As far as point of failure, it is far more likely that your local network connection to the NOC will fail rather than the NOC itself.

The second to last leg of the Internet zone is the wireless carriers (that is if the device is not WiFi connected). Interestingly enough 99 percent of the path of a meeting notice going from server to wireless device is not over wireless. The notice will follow the wired or fiber connections of the Internet and wireless carrier until the meeting notice hits the cell tower nearest the intended device. Wireless carriers have a vast array of switches, routers and wired or fiber networks before anything goes wireless.

Once again, any of these elements can create a point of failure in the communication path. The user perception will be that the mobile device or application is at fault and failing again. As in the first two zones, some monitoring and mobile device management (MDM) or Enterprise Mobility solutions provide tools to help determine these issues.

2017 Update: Today various Mobile analytics tools are available to assist in the identification of a failing node in the network, point of failure.   Don’t let the term analytics put you off.  Often significant data and analysis can be done with just a few lines of code and the tool will do the heavy lifting.  Please refer to my article Demystifying Analytics and a short video example

The next and final zone in the series will be the user zone.

I hope this was helpful, Please leave comments below or contact me on  Linkedin and stay tuned to finish out the series republication.

What Do Sneakers and MDM’s have in Common? The One Thing You Need to Know about Mobile Device Management

It has never been about the device!

To be current, MDM’s, Mobile Device Management systems have evolved beyond Mail, Calendar and Contacts into Enterprise Mobility Management (EMM) Suites by including Content, Access and Application  Management with Device Management at the cornerstone.

However, one simple fact remains,  it has never been about the device.  It has always been about the data.  What data can be accessed? by whom? How can it be done to ensure integrity and security.

This becomes absolutely obvious in events that occur every day: a device is accidentally dropped in the dishwater, is fumbles out of your fingers and breaks on the concrete, or is run over by a car.    At that point, do we really care about managing the “device”?   No, from an individual perspective we really only care about the inconvenience but mostly  that we may have lost contacts, pictures and other data that can’t be restored to a replacement device.

The Enterprise concern about a “broken” device is replacement and lost productivity.   A security issue does not exist.  An enterprises main concern is  about the device that’s lost, stolen or compromised so things like this can’t happen.

We all have moments where we temporarily misplace a device or it falls between the bed and night stand.  That’s why there are apps to  to have the device ring out, come find me.  But, at the point that we frantically discover our device is truly missing,  lost or stolen the action we take is is to immediately request that the device be remotely disabled, data wiped and service canceled.   The answer proves once again that it’s not the the device itself that’s important but the data it contains and can access.

From an MDM/EMM perspective, for all intents and purposes the device you carry is simply a black box.  An MDM/EMM is really a means to protect data or securely rendering content on the device by manipulating device features through security policies that control access to the data, should the device get into the wrong hands. Now that was a long sentence, with a lot of meaning, so let me break it down:

  • We’ve already established that what’s on the device that can’t be restored is more important than the physical device itself.
  • What is of real concern is what data can be accessed or transferred by the device, in the right or wrong hands.

Whats needed is :

  • An understanding of how to manage, secure and protect a device and it’s data.
  • To understand the business, it’s data, concepts and assets that need protection.
  • To adopt a business strategy determine the processes and data to extend to mobile employees.
  • A mobile strategy to utilize the most appropriate software, tools, methods and devices to securely implement the business strategy.
  • Understand the various employee roles and associated access needs to business processes, applications, data, and the protection needs for corporate and employee owned devices.

Discussing MDM is not really much different than when friends and family who know I work at IBM ask me, “What computer should I buy?” or “What’s the best smartphone to get?” My first question to them is, “What to you want to do with it?” For my wife and a couple of cousins, a mobile device is only used to make phone calls. No texting, no apps, nothing.  For them, why get a smartphone and data plan? Another cousin wants a device to support her medical research. In that case,  how about a reasonably powerful laptop with sufficient storage?

Again, It’s not about the device—the phone, smartphone, tablet or 2 in 1 computer.   It’s about you—what you need to do as an individual or business, what data and applications you will be working with, what and how much needs to be protected, who needs access, where and when. These things will be the foundation of a strategy, which will determine the applications and supporting software infrastructure needed, which will determine which devices best render that data to your employees and customers, which will lead you to the MDM solution that allows you to seamlessly provide protected data to those who need it, where they need it, when they need it.

The bottom line with MDM: it’s never been about the device. Just as Cosmo (Ben Kingsley) told Marty (Robert Redford) in the 1992 movie “Sneakers” , “It’s not about who’s got the most bullets [the tools]. It’s about who controls the information. What we see and hear, how we work, what we think … it’s all about the information!”

Its the same with MDM, the enterprise needs to control or manage “the information”, the data, it’s content and access.  I helped establish these services while at IBM using IBM and Vendor MDM/EMM tools.

It was “Cosmo’s” dream come true, “It’s about who controls the information”, and with MDM/EMM’s,  YOU manage,  protect and control the enterprises information.

To learn more, ‘Gartner’ typically a publishes an MDM (now EMM) report annually called the “Magic Quadrant” containing details about product and service providers.  A free copy of the current (2016 )report can be viewed at this link or from EMM Vendor websites.

I hope this was helpful, Please leave comments below or contact me on  Linkedin or any means appropriate for you.

Including comments about the movie ‘Sneakers’.  Full Disclosure,  I loved the movie, I own a copy,  Dan Aykroyd‘s character,  ‘Mother’ is too funny.                 My voice is my passport, Verify

The Four Zones of Mobile Success (or Failure): Part 2, security zone

 The Security Zone

In my initial article, I introduced the idea of four zones of a mobile enterprise network: Enterprise, Security, Internet, and User zones.  All four areas contribute to the success or failure of a mobile enterprise, and all must be working properly in order to ensure success. In the first post we discussed the enterprise zone, consisting of the enterprise back end—mail, messaging solution (example) and directory services as points of success or failure in mobility. In this second post of the series, we’ll talk about security.

The enterprise security zone is the next zone of focus; it is still within the control of the enterprise but not of the typical mobility service team. The security zone is typically set up and managed by the enterprise networking team.

The enterprise security zone’s intent is that networking, server and application access behind the firewall is “Private”.  However, since is Internet connected for employees and customers “Privacy” is “Virtual” and the zones purpose is create a secure “Gateway” to ensure corporate network access to is only done by those allowed.  The Security Zone is typically made up of routers, switches, proxy’s, anti-spam or virus and other networking devices to create an enterprise network security firewall directly in front of the back-end enterprise infrastructure or network.   The zone often includes a second firewall directly attached and facing the Internet. If you have dual firewalls in the zone it is called a demilitarized zone (DMZ).   BlueCoat Products is a major supplier of such devices and appliances.

Depending on the mobility solution, there may be other servers sandwiched between the two firewalls. This diagram simply shows a Virtual Private Network (VPN) and a reverse proxy server. The VPN allows secure administration, browsing and mobile application access. The reverse proxy can broker requests so that outside entities only talk to the proxy and never actually have access to an infrastructure server.

Often existing servers are used for mobility solutions by updating the settings, ports and rules based on the inputs of the mobility team specific to the solution selected.

The enterprise security zone is a key, complex area. Typically the internal firewall is set up only to allow traffic from the IP addresses of the proxy and VPN to access the specific IP of back-end servers such as messaging, and only over specific ports. Messaging and back-end servers communicate over specific port numbers that vary from application to application. Similarly, the front-end firewall is the initial filter restricting all traffic to the enterprise, including to mobile devices and applications.

This can be difficult and confusing to get correct initially. Many applications use and require ports not documented in materials or not easily identified. It is typically a “set and forget” procedure to establish but still requires diligence as new network, server infrastructure or other changes requiring updates to the firewall may affect existing ports and rules.

If there is a mistake in updating ports and rules it can create a point of failure in the communication path. The user perception will be that the mobile device or application is at fault. The firewalls and security zone are normally managed by Enterprise Networking team. Separated from Mobility the only the Networking team has access to security dashboards, tools, controls and ability to update setting.  Obscured from this data  mobility teams to isolate messaging issues due to an issue within the security zone. Some monitoring and mobile device management (MDM) solutions provide tools to help determine a firewall issue.

I’m not really a firewall and security guy, My experience was more at the Physical layer network in my early career with IBM.  Such as, which pins on the connectors perform which functions and how data packets flow across the network.   But Feel free to share your thoughts or questions.  A good deal of network and security information can be found at Infrastructure Security Services .

In the first two zones discussed the Enterprise has complete control on what and how much to implement to ensure Success or Failure, load balancers, fail-over or cluster servers.  In Security, firewalls, proxy’s, devices and network appliances.

In my next next post of the “four zones” series, I’ll begin to  discuss the last two zones where the enterprise has “no direct control”, starting with the Internet zone.