So ... you're an IT director tasked with ensuring that your expanding fleet of more than 100 smartphones can adequately protect the information that they're storing. Sensitive e-mails, files, client contacts, and other necessities that make daily business life flow are all stored on these devices. Further, you need to provide efficient central management and policy enforcement, given your limited staff. Oh, and you need to support Windows Mobile, Palm, iPhones, and possibly some newcomers like Android or the Palm Pre sometime down the line.

Think it's hopeless? You may want to give Trust Digital's Enterprise Mobility Management (EMM) platform a look. We did just that in this final installment of our smartphone security Rolling Review, and found EMM can ably provide centralized security for organizations that have a wide array of mobile devices.

Currently, there are somewhat limited options available for pulling iPhones into the enterprise management fold. Generally speaking, for initial phone provisioning, Apple's iPhone Configuration Utility can be used to create the initial profiles with which to deploy the phones. Settings can include passcode requirements, Wi-Fi settings, VPN profiles, e-mail settings, and the like. For ActiveSync use, the configuration of Microsoft Exchange can be used to enforce password policies, set an inactivity timer, and implement remote wipes.

Admins using Microsoft's and Apple's offerings can attain reasonable functionality and manageability, particularly for smaller, homogeneous deployments. However, if the enterprise starts expanding or if your particular environment has diverse phone types, EMM's benefits start coming into their own.

The system is based on a three-tiered component model that includes the phone, a compliance filter, and the EMM server on the back end. The client itself typically has an agent that's used to enforce policies, implement security controls, and communicate with the home server.

The compliance filter lives on the perimeter or DMZ, usually on a system such as an Exchange front-end server (with optional ISA support), and monitors all communications to the mail server. The compliance filter not only reports on the types of devices seeking access but can actually block access if the source device doesn't comply with stated policy requirements -- much like a traditional network access control (NAC) device. The filter helps administrators to quickly identify things such as blocking valid users that are running unauthorized mobile phones to access corporate resources.

The back-end server is where all configuration, policy creation, logging, and administration tasks are performed. It's on this device that administrators log in to the server and perform their various tasks for the mobile devices.

Much of what you see on the back-end EMM is generally what you'd expect from what is essentially a mobile device element manager. The Web user interface is clean and provides tiered administration of the information with preset roles for administrators, help desk users, report access, and the like. The heart of the security settings comes with the creation of the policies and the mapping of these policies to Active Directory (AD) groups. The policy settings allow for encryption settings, authentication controls (including support for smartcards), device communication settings (i.e., Bluetooth), and numerous other options.

Even in a diverse phone environment, a single policy can be created and rolled out to all users associated with that policy regardless of their phone. This policy consistency can be a double-edged sword, however, because only the implementable controls will be applied, resulting in an "effective policy" that may include only a subset of controls. For example, since Trust Digital doesn't currently support encryption for the iPhone, these policy settings would be ignored for iPhone users. Although there is documented mapping of supported policy controls for the different phones, this visibility hasn't yet been mapped into the software. Clearly understanding which parts of the policy are being implemented is something that we believe to be important and would like to see in future releases.