A "wildly successful" pilot test in August 2010 of Apple's first-generation iPads at Bank of New York Mellon quickly turned problematic for technology and compliance staff at the large custody bank. Testing produced "an instant hit," in which iPads swiftly became "the hot device that every executive had to have," says Tony Lalli, infrastructure architect at BNY Mellon. But the bank lacked a long-term way to remotely secure and control the tablets.
A stop-gap measure using Microsoft's ActiveSync for calendar/contacts synchronization and email delivery with Apple's iPhone configuration utility enabled the bank to install a profile on the devices with passcodes to limit exposure of data on lost or stolen devices. But the iPhone configuration utility lacked remote manageability, and the only way the iPads could be activated at the time was via iTunes, which, being a music site, was blocked on the bank's network.
"So we had the potential for executives out there with essentially unmanaged devices running email - not something you generally want to do," Lalli says. "We had to immediately close that gap."
The bank sought the familiar model of RIM's BlackBerry Enterprise Server (BES). Known for having enterprise management capabilities enabled out of the gate for BlackBerry handhelds, the BES system enables administrators to remotely delete data, apply passcodes and encryption and enforce corporate policies.
An influx of iPhones and iPads carried into the enterprise by employees has forced firms to seek solutions that let IT manage, control and secure these devices in keeping with compliance and policy mandates, which hasn't always been easy.
When BNY Mellon first started looking at mobile device management (MDM) solutions, for instance, "there was no Gartner Magic Quadrant listing all the different vendors," Lalli says.
Lalli estimates there are 50 MDM vendors. Gartner spotlights 20 of 60 vendors it lists in its most recent Magic Quadrant. But both Gartner and Lalli emphasize that there are no differences in how MDM vendors manage Apple iOS products, because of Apple's tight-lipped nature and strict support guidelines.
So to manage iPads at BNY Mellon in an initial workaround, the bank swapped out the iPhone configuration utility for a cloud-based MDM trial solution by a vendor Lalli would not name, and used the tool with ActiveSync. Doing so bought the bank six months of time, during which it completed about a dozen demos and five proofs of concept.
Lalli wanted to remotely manage email, apply security and corporate policies on iPads, oversee distribution of applications and up-to-date content like financial analyses or sales pitches, but also be able to extend such capabilities - like remote data deletion - beyond tablets and mobiles to PCs and laptops. Because he expected consolidation in the space, Lalli also sought tools he could easily toss, "so we're not locked in bed with a particular vendor."
Any solutions would have to be managed under the assumption that BYOD, or "bring your own device," will eventually hold sway. So far, iPads fully managed and paid for by BNY Mellon have been restricted to senior executives, asset management salespersons, app developers and support staff. "We anticipate all devices ultimately will be owned by the end-user," Lalli says. "We didn't want to open the floodgates that the company would own a ton of devices at the end of the day."
The bank ended up tapping two solutions, because BNY Mellon, like any enterprise, must deal with a mix of both personal and corporate-funded mobile devices. So in May 2011 the bank launched Good Technology's enterprise MDM to manage personal devices with which users do a portion of BNY Mellon business. And in January, the firm began using Fiberlink's MaaS360, a cloud-based MDM tool for corporate devices that the bank fully manages.
With fully managed solutions, banks can use Microsoft's Active Directory via internal "cloud extender" software to authenticate and manage iPads and other handhelds, which connect only into the network operations center (NOC) of the MDM provider (i.e., the "cloud" part) versus directly into the bank's network.
Not all is satisfactory: Lalli is still pressing for improvements he says Apple and the MDM providers need to provide the bank. Specifically, he wants to be able to more thoroughly manage the native email client on iPads, and seeks more seamless secure access for end-users via enhanced virtual private network and corporate wireless integration. He also wants the ability to register devices with certificates to track whether a handheld belongs at the bank or not.
BANK: BNY Mellon
PROBLEM: How to manage execs' favorite new toys without roiling compliance?
SOLUTION: Run them in the cloud, off the network.