At Microsoft, Don't Forget Your Password or Your Phone Gets Wiped
Microsoft has famously decided to give Windows Phone 7 devices to all of its 89,000 employees, or at least those who want them.
But it's not all fun and games for Microsoft workers who connect smartphones to corporate systems, whether that's a WP7 device or something else.
"At Microsoft, we have a policy that says if you try to log in on a phone five times incorrectly, we actually wipe the phone," says Microsoft's Brad Anderson, corporate vice president for management and security. "When that phone gets wiped, it doesn't differentiate between what is corporate data and what is personal data. If that happens, the pictures you have on there could get wiped."
I was talking to Anderson at the Microsoft Management Summit in Las Vegas, where Redmond is pitching its next wave of products to help enterprises handle cloud computing and the consumerization of IT.
One of Microsoft's goals, both for its own employees and customers, is to build software that can differentiate between the corporate and personal data on smartphones, and help IT shops manage the two types of data separately. As of today, Microsoft is one of many companies struggling to find the right balance in handling smartphones, especially those owned by employees. But if Microsoft solves the problem, it can not only address its own employees but rake in tons of money by selling a new smartphone management product aimed at security-minded IT organizations. Unfortunately for Microsoft, the company hasn't yet figured out how to build that product.
"That's something my team is definitely looking into," Anderson said. "As far as how it's implemented, I don't know. I know what the problem is, but I'm not sure how we're going to solve it yet."
Although Microsoft's password/wipe policy may seem strict, some companies have taken a far more draconian view of personally owned devices. Wells Fargo, whose executives I recently interviewed, says employees simply cannot hook their own devices up to the corporate network, whether that be a smartphone or a tablet.
"I carry two phones. One for personal, and one for work," says Martin Davis, executive vice president and head of Wells Fargo's technology integration office. "I've got two iPads in my briefcase, for personal and work. We keep it separate."
That's too strict for a company like Microsoft. Smartphones are very personal devices, and it makes sense to let employees use their devices for both work and play, Anderson said. "There are still some companies that mandate, you can't use a corporate-provided device for any personal use," Anderson said. "I think that's a thing of the past."
Many IT shops will let employees bring their own phones to work as long as the phones meet basic security requirements, namely the ability to force users to type a password to bring the phone up from an idle state; to remotely wipe data from the phone; and to encrypt data on the phone.
VMware, a rival of Microsoft, is going even further, building a virtualization platform for Android that will create separate virtual machines on the phone to separate work applications from personal ones.
Although Anderson acknowledged Microsoft hasn't come up with its own solution yet, he didn't back VMware's approach. Virtualization "makes sense to me on a PC," he says. "I'm not sure that makes sense yet on a phone."
Microsoft already has a product called System Center Mobile Device Manager, and an article on Microsoft TechNet says new versions can be expected to support iPhones, Androids, Windows Phone 7, and Symbian.
But supporting a mobile device in a management platform isn't the same as being able to manage that device's personal and corporate data and applications separately. Finding a long-term solution will be difficult, Anderson said, because users want to bring their own devices to work and don't want IT making significant changes. Finding a balance that respects the users' wishes and IT security will be the key for Microsoft's product development team.