Pierce County, Wash.’s use of a mobile device management solution helped IT staff better handle security and configuration of iPads.
Using tablets and smartphones for everyday office tasks such as checking email or reviewing documents has become a regular practice for many government officials. But while mobile technology is convenient for end users, the devices presented some deployment challenges for the IT staff of Pierce County, Wash.
The county launched a pilot program in 2011 that consisted of 15 iPads. The pilot was a success and more than 200 tablets were earmarked for distribution to various employees. But manually configuring that many devices was a headache for Kevin Mattsen, system engineer with Pierce County’s IT department. He estimated that during the pilot, he spent 1.5 hours per iPad to assign the appropriate security profiles and certificates to the devices.
Mattsen originally used the Apple iPhone Configuration Utility, which required him to connect each iPad to a computer in order to bring down the appropriate profile for specific user groups.
So when it came time to roll out the majority of the iPads, Mattsen researched mobile device management (MDM) tools that could cut down the amount of configuration time needed for the devices. He evaluated three companies spotlighted by Gartner — Sybase, MobileIron and AirWatch.
The county went with AirWatch’s solution and the technology helped reduce the time spent on iPad configuration to 15 minutes by wirelessly automating the entire configuration process.
“Right now we have 10 different profiles that we’re managing on our devices and once I enroll the device in AirWatch, all those profiles get pushed down automatically,” Mattsen said.
Any security updates or new profiles that are developed by Pierce County’s IT team can be similarly pushed out wirelessly to the iPads. Users who once dealt with a cumbersome process of accessing the county’s network through a VPN now have instant, on-demand access to their files through the iPad.
Another advantage of the MDM tool is the ability to remotely wipe a device. If someone loses their iPad, Mattsen can send out a command that deletes all data on the device. He wasn’t able to do that with the iPhone Configuration Utility.
AirWatch’s tool also has an internal application catalog that gives users a pre-approved selection of apps. While the county isn’t currently whitelisting or blacklisting — automatically allowing or disallowing — certain publicly-available apps through AirWatch, the option exists if needed.
Instead, the county is operating under the honor system when it comes to downloads to someone’s tablet. One of the programs employees are not allowed to use on county-issued devices is Dropbox, or any other similar cloud storage, due to security concerns storing government documents using one of those services.
“We have written policy that basically says you’re going to abide by the rules and you’re only going to download apps from the approved apps list,” Mattsen said. “But we do run inventories on the iPads so we know what apps are on there.”
The limited rollout of iPads in Pierce County may soon expand to offering employees the option of using iPhones and eventually, a full-on BYOD policy.
The county currently has a BlackBerry environment, but Mattsen said IT plans to open it up to iOS devices. The county has no plans to offer Android phones, primarily because IT feels more confident in the iPhone’s encryption and has the management in place to handle the Apple devices. A few iPhones are being tested now.
Pierce County smartphone users should be able to choose between the iPhone and a BlackBerry later this year.
In regard to BYOD, Mattsen revealed that the idea is to use the same county policies, but have the singular device access two different environments, segregating all county data and potentially voice service from a user’s personal information. But a number of challenges exist before that becomes a reality.
For example, Pierce County requires its iPad and iPhone users to have a passcode and 15-minute lockout on the devices. But if it’s a personal device someone is using, the county could receive some pushback from users that wouldn’t want their own devices restricted.
The county is considering the available options on the market that would help them achieve the best of both worlds.
“We’d like to see an app to sandbox that data that would require a pin so that it’s all segregated,” Mattsen said. “I don’t want to have to send a wipe command and accidentally get someone’s personal data, when all I’m worried about is corporate data.”