Oscar Wilde has been quoted as saying: “I can resist everything, except temptation”.
IT departments need to understand the weaknesses of their networks and of the people who access them, legitimately or not.
Every company which goes mobile has people with good intentions. IT really would like to support every employee who brings in their own device with great apps and access to the enterprise. But they really shouldn’t. There, I did it. The finger wagging. But really. They shouldn’t. Enterprises have values to protect, and the good ones keep corporate data, data about employees and customers and research and inventions in highly protected parts of the corporate network (and the bad ones end up in the newspapers and better keep reading). That must not change just because employee productivity gets better as employees use mobile apps for work. That must not open up the locks, the network, to just any device. Some people seem to believe it will be enough to just enroll all mobile devices to be used in the enterprise with Mobile Device Management systems, and they’ll be safe and covered forever (full disclosure, I happen to work for a company that sells a popular brand of MDM, Afaria). Alas, it ain’t that easy. Nope. As always, some brainpower needs to be invested into strategizing.
Building categories of distinct levels of access rights to the corporate network may be the first step, and then combining those rights with the degree to which a mobile device or the apps on a device could be protected by IT’s means may be the second step. I’ll give you a visual:
The vertical axis shows increasing levels of access to corporate data, the horizontal axis represents decreasing levels of control IT may have on the behavior of mobile devices that access the corporate network.
On the left you will find devices that have full access to the corporate network, to sales numbers, financial data, stock levels, you get the idea. Only mobile devices fully controlled by the enterprise shall have that level of access. Devices, the company selects and procures for their employees. Corporate liable devices (CL, sounds like a Mercedes class, in my Germanic ears it does, anyway). Senior executives may enjoy the highest level of access rights on “their” CL devices.
In the middle, you will find devices with a lower level of access rights. They may not have access to financial reports. Nor to protected employee data. They may have access limited to email and office apps like calendar, tasks, team collaboration shares, or limited, role-specific apps, say, for field workers. Those devices could be corporate liable (and enrolled in MDM), but the enterprise could allow for their employees to bring in their own devices (yes, that’s BYOD), as long as IT limits the choice of devices to the ones they can protect to the same level, and (and this is an important “and”) as long as IT can provide for the same apps to run on them as on the CL ones. Typically, these requirements can be met by a combination of app-level protections and a containerization of apps that may run on different devices almost as if they were native (did I disclose yet that I happen to work for a company that mastered the tight rope act of offering scalable enterprise solutions for all of the above? I guess I might just as well: SAP Mobile App Protection by Mocana and SAP Mobile Platform / HCPms and yes, you guessed it, SAP Fiori).
On the right hand side of the image, you’ll find devices that should only have very strictly limited access to data or apps on the corporate network. Picture temp workers, who provide for their service entry sheets from their smartphones, suppliers who confirm the receipt of orders, or notify you of a shipment right from the warehouse; or consumers who enter customer service requests as they deal with damaged merchandise, all via dedicated mobile apps that you provide for them, e.g. on the Mobile Place.
Devices to the right of the depicted categories must not be allowed on the corporate network at all. Think of customers at Starbucks, or guests at a hotel, or to your enterprise. As a generous company, you may want to offer public WiFi for those, but that’s it as far as access right go.
Best practices like this you will find in the SAP Mobile Secure rapid-deployment solution, which as an SAP customer you can access and download for free at
Whenever you get started with an SAP technology you are not yet familiar with (and mobile could just be one of those. How about Big Data, HANA, cloud, the network(s)?), despair no more. Use SAP Rapid Deployment Solutions with built-in SAP Best Practices™. They get you started with ease. They guide you through all the new technologies and trends, from trails and proofs of concept implementations all the way to production. They help you know and do the right thing, and then do it!