Untethered, CFEngine hitches a lift on Android

Posted by Mark Burgess
October 11, 2011

*“If only you’d attached my legs, I wouldn’t be in this ridiculous position.”*

*- C3PO, Star Wars*

Like most successful post-war technologies, the IT innovations that flourish today are those that bring freedom (in the broadest sense) to individuals. From the Italian scooter, to the American refrigerator, or the latest ability to communicate through an almost endless variety of interfaces and models, it is the desire to be set free that drives the commerce of technology.

It might come as a surprise that support for this kind of freedom was built into the concept of CFEngine from the very beginning. From its genesis, CFEngine was tasked to handle such complexity – to balance individual requirements with repeatability and predictable behavior. Today, some twenty years later, this same basic need for freedom remains: business advantage, after all, comes through uniqueness and differentiation of services, and this is what now drives IT customization.

Configuration Management of mobile devices

The latest chapter of this story is the touching of two branches of this freedom: the internet information ecology and mobile communications. We are talking, of course, about smartphones and their heavier brethren, ‘pads’. What about configuration management of these devices?

Given that these devices run on small, specialized operating systems with little management, this idea might seem like a long shot. Your smartphone is an unruly colony of downloaded internet germs, but for an enterprise, corporate standards are a concern, i.e. the need to keep certain promises that maintain business integrity. Business has already become a highly distributed activity – the freedom that personal electronic devices bring has changed the way in which many of us work. So far, however, little has been done to address the basic security issues – except for a rough and primitive sandboxing of untrusted applications.

Issues like the encryption of memory, PIN code or password protection, software updates and application version control are pressing. The sandbox model makes it harder for malware to propagate, but it also makes it harder for positive helper applications, like system maintenance, to work. From a technological perspective, the management of mobile devices presents a number of challenges. For instance, a lot of security methodology begins with the notion of physical security – but this is obviously not controllable for a mobile device.

Androids without legs

Phones are offline much of the time and are not really suited to traditional models of push-based or bidirectional control, so CFEngine’s lightweight opportunistic methods (the agent runs locally and pulls policy when a connection happens to be available) can be a key enabler here.

Last year we showed how CFEngine could be run on Nokia’s Linux phone (https://cfengine.com/blog/phone) without modification. Today, it is the iPhone and Android operating systems that have achieved widespread popularity for their simple app design that integrates users with an ecosystem of apps and web services.

Had these machines simply been generic Linux machines, it would be possible to provide full access management and security in much the same way as for laptops – but the freedom to develop solutions has been severely curtailed in the smartphones. Even open source Android does not allow the notion of a privileged monitor on which most management frameworks are built.

I believe that smartphone providers will eventually have to incorporate management frameworks like CFEngine to verify aspects of corporate policy, but this will take time for the pendulum to swing back (as it always does) from closed, specialized devices (like phones) to more open multipurpose systems (like PCs). At CFEngine we are developing proofs of concept in this area today.

App police

Making CFEngine run on Android was not that hard. It is a small and compact piece of code. As a proof of concept, this has already been an important first step for our research and development. Although the capabilities are currently limited by the sandbox model, we can already demonstrate a few simple use-cases where agent based management will work nicely, and we shall report more on these in the coming months. Battery life remains the main concern for applications that run often.

CFEngine is easily small enough to run on an average smartphone (unlike most configuration management systems), and it can be run as an embedded application on Android, but without privileged access. To the phone, CFEngine is just another app, with no greater administrative power than ‘Angry Birds’. This is presently a long-term hindrance. If a management “police force” had no special powers, it would be pot luck who could win in a competition between forces of good and evil. The current approach can only be an interim method, however, and the signs are that this is already in a process of change (see http://developer.android.com/guide/topics/admin/device-admin.html). CFEngine will continue to explore ways to exploit the options for enterprise management. Moreover, there is already room for using CFEngine’s opportunistic methods to monitor and report on potential issues in a number of non-intrusive ways, bringing value to the partnership.
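As an illustration of the non-intrusive monitor-and-report role described above, here is an added CFEngine 3 policy (written for this post, not taken from the CFEngine project or from the Android proof of concept). It makes no changes to the device: it only measures free space on a data partition and reports a warning class when it falls below a threshold, which is the kind of promise an unprivileged app can still keep. The partition path `/data` and the 100 MB threshold are assumptions for the example.

```cfengine3
body common control
{
  bundlesequence => { "report_phone_state" };
}

bundle agent report_phone_state
{
  vars:
      # diskfree() returns free space in kB; "/data" is an assumed path for the example
      "free_kb" int => diskfree("/data");

      # Assumed threshold: warn when less than 100 MB remains
      "min_free_kb" string => "102400";

  classes:
      # Define the low_disk class only when the measurement is below the threshold
      "low_disk" expression => islessthan("$(free_kb)", "$(min_free_kb)");

  reports:
    low_disk::
      "WARNING: low free space on /data: $(free_kb) kB (threshold $(min_free_kb) kB)";

    !low_disk::
      "Free space on /data is $(free_kb) kB, above the $(min_free_kb) kB threshold";
}
```

Because the bundle contains only `vars`, `classes` and `reports` promises, a run of `cf-agent -f` on this file never touches the file system or processes, so it is safe to schedule opportunistically even where the agent has no more rights than any other app.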

[Figure: CFEngine on Android]

Mobility is the Real Cloud

The meek might be lined up to inherit the Earth, but do we really want the IT world to be limited to mere ‘smartphones’ and pads alone? When we label something smart, it is inevitably because we don’t fully believe that this accolade is beyond doubt. The point, however, is this: the real ‘cloud’ we should be talking about today is not what goes on in Amazon’s basement, but rather the ecosystem of thin-client mobile devices, laptops and pads that interact with a magical but hidden infrastructure, where there is more intelligence and whose total configuration is the key. Managing this massive total ecology is what CFEngine is uniquely positioned to do.

I think the technology for smartphones has a long way to go before it can reach the level of maturity required for scalable enterprise management, but the principles of distributed management are fairly well understood, based on opportunistic communication and autonomous operation. CFEngine embraced these principles long ago, and is therefore well positioned to deal with these devices.