Do you remember the first time you saw a laptop? Shiny bright LED screen, pixels individually visible, about the size of a breeze block. Portability probably didn’t concern the IT department because nobody in their right mind would try to carry one out of the office. But they did. Quite quickly, laptops became smaller and …
If you love something, set it free
In my experience, the more locked-down a company's IT systems are then the more incompetent the IT department. There are obvious and justifiable exceptions to this but as a rule of thumb I find it works. The reason is that if you have a nice, simple, restrictive network then users can do very little to screw it up. It takes an IT manager with a bit of nous to provide flexibility to the users without compromising their functionality.
Telling them that they must or must not do something is an equally obvious no-no. Of course, education is important so they don't do really stupid stuff like browsing for pr0n or warez at work but the aim surely must be to provide for the users, not dictate to them.
Mobile computing is harder work for all the reasons mentioned in the article, but the point remains. You have to restrict a bit of stuff, obviously, but anything that causes problems to the users and makes their life harder is destined to fail, usually because they will find ways to circumvent your silly little security policy. And, going back to my rule of thumb, if you're a stupid IT manager and have bolted everything to the floor with a nail-gun, you probably haven't put in a very good IT system to begin with...
Laptop??? No way...
First portable PC I saw was an IBM model P70 (that's a portable Model 70 to you) - weighed in at something like 26lbs and didn't have a battery - needed mains power wherever you were. If you put it on your "lap" - as in "laptop" - your legs cooked and it was unbearably heavy too...
Kids today don't know they're born!
Aye, remember that and it's 40x30 resolution... Great days when we finally got LCD screens.
The first portable I used was a Compaq Portable 3 - mains-driven lump with a gas-plasma screen. You could put full-length ISA cards in ours though, which meant we could set a demo SCO Xenix system up on it with an ISA serial card for terminals. You wouldn't want it on your lap though, probably break your legs.
At about the same time, the company also had early Toshiba portables with plasma displays. Weighed a ton, and there was no battery.
I had a Toshiba T1200 for a while. 80x24 blue LCD, battery was more of a UPS than a way of working away from mains.
Not exactly portable
A colleague of mine reviewed an early portable back in around 1985 (ish) for one of the computer rags. As I recall it had a tiny screen in one corner and looked more like one of the lab's oscilloscopes than a computer until the detachable keyboard was brought into play. The review started something along the lines of: "this computer is less portable than luggable ..."
While I'd agree with your position on locking down policies for a sub-1000-user organisation, that rule of thumb is completely flipped when you scale up to multi-site and even globe-spanning organisations, where helping the temp receptionist 200 miles away get her machine to run smoothly because she's installed yet another browser toolbar simply isn't practical, and training for a role like the call-centre staff with such a high turnover is simply a black hole.
For such low level staff as this, turn-key reliability is key. For machines such as this, which make up the vast majority of nodes in large organisations, a profile for the job it is required to do must be created and replicated. Let us not forget that the biggest singular threat to security is the user (and therefore any executables they click) running with admin rights.
A highly competent admin can create a machine profile that allows the user to perform any and all duties involved in their job role, while at the same time locking it down so well that any support call regarding said machine can nearly always be attributed to catastrophic hardware or software failure, for which automated response systems are in place.
But getting back to laptop specific issues, the two biggest challenges presented are data access, and automated resource configuration.
Data access is simple with a desktop within your firewall. It's on the server, and rightfully, that's where it should stay. Laptops force you to make compromises. One of the most logical solutions is external access. FTP is an all-out insecure disaster waiting to happen, and more often than not, too complex for a great many sales reps who, let's face it, were hired for their people skills, not IT skills.
VPN is a much more elegant and secure solution if done right, and is relatively transparent in use to the end user, but can (and often does) fail if whatever net connection has ports blocked, or worse still, if the user cannot gain access at all. 3G coverage is by no means all encompassing.
For the hard-core roamers, this leaves synchronisation, which is, frankly, a pain in the arse. Completely side-stepping the blatantly obvious security implications, every IT bod who has had experience with Outlook will know that the most common failure point is the offline cache stored within its .pst files. Other forms of synchronisation are no different, especially when both offline and online versions of files are modified between syncs. I could go on (and on)...
The other challenge is resource configuration. Things like printers, proxy settings, and network drives that differ between site and domain. The user who has already been conditioned to expect such resources to 'just work' within the desktop environment, now expects them to dynamically adjust wherever they go. Woe betide if Word takes a full 40 seconds to load because it's timing out waiting for a disconnected network printer to respond.
The real kick in the teeth is that there is no ideal solution, even in a theoretical environment. Data access is an obvious AND/OR compromise, but dynamic resource configuration also eats away at CPU time the more frequent the checks (startup/logon is no longer adequate, thanks to suspend/hibernate, and sometimes not even that between changing sites). Because of this, portable machines will always be a higher maintenance cost by several factors than their desk-chained counterparts.
Off-premises computing. Hmmmm.
Ah remote users. The bane of many a help desk's existence. As was stated above, the more locked down the IT in a company is, the less resources IT feels it can devote to support. In some cases this is due to competence, in others, this is due to chronic understaffing.
The reality is that remote users (and all notebooks eventually become remote user support scenarios) have completely different support requirements from equipment that is always on-premises. The reason is that IT has really no way to control or lock down the information on those notebooks. You have to trust (horror!) in the competence of your users. (You left what on the bus? With how many credit cards?)
Much to our chagrin, users are not complete idiots. They simply care about different things than IT does. They don't care about the potential risks of that spreadsheet getting into the public domain, or of your company's competitor getting access to all the contacts in the company contact list. What they do care about is that it is their god-given right to install anything on their notebook that they choose to. Not necessarily because IT has not installed something they wish to use, but out of the sheer principle of the thing. Knowing that people are clever beings, it is only a matter of time before they themselves (or someone they know who is "good with computers") finds a way around your security and either copies a file locally that they shouldn't, installs a trojan, or otherwise does something exceptionally negative to those lovely remote devices. Regardless of company policy, the user will always believe that they "own" their notebook, and that the company has no "right" to tell them how to use any data that is on it.
You can't fight this belief, and I believe it is futile to even try. IT should treat all notebooks as completely untrusted devices. Do not try to lock a user's device down, control what they can do on it, or implement complicated VPN or other access procedures. Instead, treat that notebook the same way you would treat a public access kiosk in a cyber-cafe, and just move from there.
The issue at hand is not whether IT can "control" the device, but whether IT can "control" the DATA. IT needs to set some basic categories for data, slot as much of the data the company produces into those categories, and determine access rules for that data. Some data you may only be allowed to access via an on-net, secured (and IT-controlled) computer. This could be an implementation of VDI, a local desktop, or a secured notebook. (If such a thing exists.) Some data you don't care if it falls out into the public eye, and that is data that users can download onto their "unsecured personal notebooks." There are likely a myriad of categories in between.
The point is that it is not the notebook itself that you need to control, nor the user's actions and behaviour, but rather the flow of data that needs to be tightly secured. Approached with that attitude, you'll find that you can give users the flexibility they desire while imposing the data flow constraints that the company requires.
Grenade because many IT departments feel that supporting notebooks is like dealing with a live one.