DRAFT Enterprise Mobility Strategy

EXECUTIVE OFFICE FOR ADMINISTRATION AND FINANCE
Information Technology Division – ITD
Enterprise Technology Office
Enterprise Mobile Application Strategy
Version DRAFT 0.4
January, 2013
DRAFT for discussion
Section 1: Introduction
The Enterprise Mobile Strategy for the Commonwealth of Massachusetts has been developed to address
the complexity introduced into the Commonwealth’s computing environment by the growing presence of
mobile devices (Commonwealth issued and personally owned) and mobile access to Commonwealth
environments. The long term goal of the Commonwealth’s Mobile Strategy will be to enable and deliver:
 A strategic plan that is fully integrated with the IT and Business Strategy of the Commonwealth
 Systems and practices that are proactive and flexible to evolving technologies and opportunities
 Device independence
 Relevant and complete policies, standards and architecture documentation
Section 2: Executive Summary
The Commonwealth of Massachusetts is not alone in its attempts to plan for, support and implement
Mobile Application based technologies.
The current Commonwealth landscape and the larger industry indications show that some areas can and
should be adopted (standards like HTML5 and frameworks such as JQuery and Dojo) while others
(Mobile Enterprise Application Platforms) should be held off on until market leaders can be identified.
Current efforts should be focused on implementing appropriate policies and infrastructure to support the
growing trend in Mobile Application development. These efforts should take into serious consideration
the increased movement towards decomposing applications into components that are exposed as
services. According to market research, this movement will require that the Enterprise provide the
capability for supporting a broad array of technologies across disparate systems and previously silo-ed
disciplines.
Section 3: Business, Technological and Social Drivers for Mobile Computing
The growing use of smart phones and other mobile devices as the primary means of doing business,
including providing core communications, requires that the Commonwealth Technology and Security
Offices define a strategy for providing governance and oversight, policy enforcement, and management of
a comprehensive mobile application plan. The goal is to provide the Commonwealth’s mobile device user
community with implementation guidance, technical support, and compliance mechanisms to achieve
their business needs and meet security objectives and obligations when deploying and managing mobile
applications. Areas requiring additional research and review that will fall outside of the scope of the
current strategy include an assessment and possible implementation of a common mobile gateway server
and the management of personal devices in the workplace (Bring your own (mobile) device –BYOD).
Subsection 3.1: Overview of Current State of Mobility and Remote Work
At this time, the Commonwealth is seeing an increase in usage of a wide range of mobile devices. This
has resulted in updates to Enterprise Policies, Agency Policy, research into device management tools,
and lots of communication from Technology Office customers across all branches of government and
external entities. Mobility initiatives have begun to play a key role in:
Business Continuity
Supporting a business continuity plan that enables staff to work from home or alternate locations if
required in an emergency, such as extreme weather, pandemics or terrorist attacks. Mobile
devices are a key mechanism for providing off-hour or emergency contact capabilities for critical
support staff.
Remote Access
VPN access for home/mobile connectivity facilitates work to be effectively carried out remotely.
Page 2 of 10
Medium Sensitivity
Policies and Standards
Enterprise Information Security Policy; Enterprise Access Security Policy and Standards; Enterprise
Technical Reference Model (ETRM) and Technology Advisories have all incorporated and should
continue to incorporate guidance and requirements around use of mobile devices.
Current/Relevant initiatives
It is recognized that both Commonwealth-owned and personally owned devices need to be provided
for and that such support will require some device management tooling to be introduced into the
Enterprise Service Offering at some point in the near future.
ITD as well as other agencies have been exploring a handful of mobile device initiatives, including:
 Mobile Device Management RFI
 Good Technologies POC
 MassDOT RFQ (MobileIron & Airwatch POCs)
 Mobile Application POC
Subsection 3.2: Technical Drivers
Many of the services typically associated with enterprise mobility are becoming commoditized, such as:
 Mobile Device Management Tools
 Mobile Application Development Tools
 Mobile Application Capabilities as part of Standard Application/COTS bundle
To support the evaluation, implementation or adoption of technologies in these areas, a reference
architecture should be developed and published.
Subsection 3.3: Social Drivers
Personal Preference
Many employees have their own equipment and services they personally subscribe to that are as good as
or better than those issued by their employers. Often, employees prefer to use their own devices for a
wide variety of reasons including convenience, familiarity and preference. Supporting employees’ ability
to access and perform many of their duties using web-based interfaces and applications is a growing
expectation across the user community.
Social Pressures
Remote working can be promoted to reduce carbon footprints and to reduce the need for expensive
facilities. When moving to flexible office environments, the need for in-office mobility rises drastically. With
increased global communication, workers must "always be connected" to accomplish cross-border and
cross-time-zone teamwork.
However, these social pressures must be reconciled with enterprise needs for cost containment and
security.
To effectively address the social drivers, policies, standards, and user agreements will need to be
updated and adopted.
Section 4: Demand
Demand for mobile access and device usage originates from the user side. However, the Mobile
Technology Roadmap will identify options, technologies and services that exist or are planned for, and
how they can be leveraged by the organization.
 The number of mobile devices connected through ActiveSync is approximately 2,500.
 The number of users that use VPN for remote access exceeds 7,000 today.
These numbers indicate that users will and do actively seek out mechanisms to connect to the
Commonwealth’s network resources. It is imperative that the Commonwealth have in place a flexible and
responsive strategy that continues to support and grow as the business needs expand and evolve.
Section 5: Supply
In order to satisfy the demands of the organization the Enterprise Mobile Strategy needs to deliver the
following mobile capabilities.
Mobile technologies and architectures
Infrastructure
Virtual Private Network (VPN)
Over 7,000 VPN accounts exist today. Approximately 11% of these accounts are associated with
tokens providing an enhanced level of security for mobile devices.
As the Commonwealth looks to replace the current VPN service provider, the following
capabilities should be considered to enhance mobile application support in addition to the
standard security feature sets.
 Persistence: Allows applications to remain active across sessions.
 Roaming: Virtual connection remains active across wireless network boundaries.
 Security: Enforcement of encryption standards and authentication of the device as well as
the user.
 Acceleration: Optimization and data compression to enhance performance.
 Management Console: Ability to display status and segment devices.
 Policy Management: Enforces access policies for connected devices.
 QoS: In-depth management of application/device prioritization.
 Mobile Analytics: View of how wireless networks and devices are being used.
Enterprise Mobile Communication Gateway (EMCG)
These platforms are generally integrated into large-platform unified communications and
collaboration (UCC) systems. They connect to the local area network and allow VoIP
PBX system calls to pass through to the mobile network instead of a VoIP provider or landline
service. It is expected that the unified communications effort would implement a
Mobile Gateway as needed on behalf of the Enterprise.
As the Commonwealth’s UCC implementation matures, the following capabilities should be
prioritized:
 Open-standards and Session Initiation Protocol (SIP) support
 Voice call continuity (among wireless and/or wired networks)
 Telephony user interface applications
 Support for at least three mobile OS platforms
 Access support for WAN (cellular), WLAN (wireless voice over IP [wVoIP]) and/or wired LAN
Federated Enterprise Service Bus
The federated enterprise service bus pattern already exists with regard to the Enterprise XML
Gateway and agencies like EHS and DOR, and is expected in the future, possibly with DOT.
However, as the Commonwealth’s SOA foundations become more established and business
users begin to fully expect the advantages of an SOA-based infrastructure, service expectations
will evolve, as we have already seen.
The best example of this scenario is the City of Boston’s citizen-facing application for reporting
issues (e.g. potholes, graffiti, non-functional street lights, etc.) Citizens are not familiar with city
boundaries and expect the “government” to handle the information appropriately.
Forward looking, the following capabilities will need to be supported:
 Route incoming requests from a common, mobile-accessible interface to multiple backend service providers, e.g. back office tools like CRM systems.
 Route requests from multiple systems to a specific system.
 Integrate across organizational, physical, and government boundaries, which may require
additional infrastructure to ensure appropriate interoperability with ESBs like BizTalk,
Oracle, Apache ServiceMix, etc.
 Enhanced identity authentication and specific security enforcement across federated
partners
 Integration into an Enterprise Identity management solution or a localized federated
identity partnership using standards such as SAML or OpenID
 Review of OpenID for possible adoption in the ETRM
IP Management
The Commonwealth will need to ensure that the IP Management Services (IP Address Range
Assignment and Domain Naming) offered today evolve in line with IPv6 and Mobility IP adoption,
allowing mobile device users to move from one network to another while maintaining a permanent
IP address.
Mobile Device Management
Mobile Device Management (MDM) has become a widely recognized need for organizations that
allow personally owned devices to connect to the Commonwealth’s information resources. As
this trend continues to grow, introducing user-owned devices into the Commonwealth’s computing
environment at exponentially higher rates, the Commonwealth is scrambling to identify the right
solution.
Multiple agencies have embarked on implementing MDM solutions.
ITD – Good Technologies
Overall the POC team demonstrated that the Good environment and Mobile Computing
System could successfully execute standard email functions to the MassMail
environment.
The team also however demonstrated that the Good environment and Mobile Computing
System could NOT pass standard performance testing, specifically in the metric to
perform opening attachments.
Therefore the overall POC was considered a failure and, as a result, the POC team does not
recommend that ITD go forward with Good Technology as the Mobile Device
Management solution.
ITD – ActiveSync
ActiveSync will be used as the first phase of implementing an MDM (though less feature
rich), with consideration for supplementing ActiveSync’s functionality by leveraging
McAfee where possible. Further research needs to be done in this area to be able to
articulate a recommendation.
MASSDOT – Airwatch, Mobileiron, and Verizon
MASSDOT evaluated many products, resulting in the identification of 3 leaders: Airwatch,
Mobileiron, and a Verizon SaaS solution.
MASSDOT found that the Verizon Software as a Service offering seems a little immature, and even
the corporate process for obtaining an evaluation to be a bit prohibitive. The process of tying
the various components together to comprise a solution is still a little rough.
Airwatch and MobileIron were both highly rated giving the advantage to Airwatch due to
an excellent management interface.
MASSDOT planned to begin a subset implementation of Airwatch in December, 2012.
The Commonwealth will need to track this implementation closely in order to gain as
much benefit from MassDOT’s early adoption efforts as possible.
Technical Specifications, Paradigms and Frameworks (JQuery, JQuery Mobile, Dojo and Twitter
Bootstrap are technical frameworks, not specifications. In addition, REST is a paradigm/architectural
style rather than a specification, much like Service Oriented Architecture).
HTML5
Hypertext Markup Language 5 (HTML5) is the latest revision of the markup language used to describe
document content so that it can be presented and used within a web page. As the mobile
application market continues to grow, so will the use of HTML5. Therefore, in order to ensure
that the Commonwealth’s mobile application development roadmap is consistent with the need to
support more complex web applications, including standardization for video, audio and scriptable
2D image rendering, HTML5 will need to be evaluated further and most likely adopted as part of
the ETRM standards.
When evaluating, it will be important to explore the new capabilities HTML5 introduces for storing
data locally within the browser (Web Storage and related APIs), which in some uses replace
cookies. Good guidance around the use of this capability may prove highly beneficial from both
performance and security standpoints: unlike a cookie, locally stored data is not sent to the server
on every request, but it is readable by any script running on the same origin and has no equivalent
of the HttpOnly or Secure cookie flags, so it is not a suitable place for session credentials or
other sensitive data.
It is also important that an evaluation of HTML5 takes into consideration the impact of varied
browser support. Some browsers will be more compatible than others; http://www.html5test.com and
http://www.findmebyip.com/ are useful for compatibility testing. For example, IE8 does not work
particularly well with all features of HTML5.
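The following is an added example, not code from the Commonwealth strategy or its POC, showing the kind of guarded use of HTML5 Web Storage that such guidance would call for: keys are namespaced, credential-like keys are refused because Web Storage has no HttpOnly equivalent and any script on the origin can read it, and values are validated on read because another script (or the user) can edit them. The `commonwealth-mobile:` key prefix, the office-list record shape and the Map-backed stand-in for `window.localStorage` are assumptions made so the example also runs outside a browser.

```javascript
// Added example: guarded use of HTML5 Web Storage (not Commonwealth code).
// Works with any object exposing the Web Storage methods getItem/setItem/
// removeItem, e.g. window.localStorage; a Map-backed stand-in is included
// so the same code runs under Node.

const STORAGE_PREFIX = "commonwealth-mobile:"; // assumed key namespace

// Web Storage is readable by every script on the origin and has no HttpOnly
// equivalent, so credential-like keys are refused outright.
const CREDENTIAL_KEY = /(token|password|secret|session|cookie)/i;

function createAppStorage(backend) {
  const fullKey = (key) => STORAGE_PREFIX + key;
  return {
    // Persist non-sensitive, JSON-serialisable data together with a timestamp.
    set(key, value) {
      if (typeof key !== "string" || key.length === 0) {
        throw new TypeError("key must be a non-empty string");
      }
      if (CREDENTIAL_KEY.test(key)) {
        throw new Error("refusing to persist credential-like key: " + key);
      }
      backend.setItem(fullKey(key), JSON.stringify({ v: value, t: Date.now() }));
    },
    // Read back treating the stored string as untrusted input: parse with
    // JSON.parse (never eval), check the envelope, age out if maxAgeMs is
    // given, and run the caller's validator. Anything that fails is removed
    // so a bad entry cannot poison later reads.
    get(key, validate, maxAgeMs) {
      if (typeof validate !== "function") {
        throw new TypeError("a validator predicate is required");
      }
      const raw = backend.getItem(fullKey(key));
      if (raw === null || raw === undefined) return null;
      let entry = null;
      try {
        entry = JSON.parse(raw);
      } catch (_) {
        entry = null;
      }
      const wellFormed = entry !== null && typeof entry === "object" &&
        "v" in entry && typeof entry.t === "number";
      const fresh = wellFormed &&
        (maxAgeMs === undefined || Date.now() - entry.t <= maxAgeMs);
      if (!wellFormed || !fresh || !validate(entry.v)) {
        backend.removeItem(fullKey(key));
        return null;
      }
      return entry.v;
    },
    remove(key) {
      backend.removeItem(fullKey(key));
    },
  };
}

// Map-backed stand-in with the Web Storage surface, for use outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Validator for a constructed "office list" record: each entry needs a short
// name and a five-digit ZIP code. Anything else is rejected on read.
function isOfficeList(v) {
  return Array.isArray(v) && v.every((o) =>
    o !== null && typeof o === "object" &&
    typeof o.name === "string" && o.name.length > 0 && o.name.length <= 100 &&
    typeof o.zip === "string" && /^\d{5}$/.test(o.zip));
}

// Walk through a normal read, a tampered entry, and a refused key.
function demo() {
  const backend = memoryStorage();
  const store = createAppStorage(backend);
  store.set("offices", [{ name: "Boston", zip: "02108" }]); // constructed sample
  const normal = store.get("offices", isOfficeList);

  // Simulate another script on the same origin editing the entry directly.
  backend.setItem(STORAGE_PREFIX + "offices",
    '{"v":[{"name":"Boston","zip":"<img src=x onerror=alert(1)>"}],"t":0}');
  const tampered = store.get("offices", isOfficeList);   // null: validator rejects it
  const purged = backend.getItem(STORAGE_PREFIX + "offices"); // null: entry removed

  let refused = false;
  try {
    store.set("sessionToken", "not-a-real-token");
  } catch (_) {
    refused = true;
  }
  return { normal, tampered, purged, refused };
}
```

The validator is the important part: because the backend can be edited by anything running on the origin, the application has to re-establish trust in the data every time it reads it, exactly as it would for a request parameter.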
REST
Representational State Transfer (REST) is an architectural style of designing lightweight
communications between different components of a networked application. Using RESTful
principles, it is possible to publish web services. These implementations rely directly on the HTTP
protocol’s support of GET, POST, PUT, and DELETE methods – used for reading, creating,
updating and deleting resources, respectively.
Because of its lightweight nature, many mobile applications rely on RESTful web services. There
are significant areas of governance that have not yet matured in REST; of notable interest are
standards for metadata definition and authentication. REST itself specifies no security
mechanism: in practice services depend on transport-level protection (TLS) and on token-based
schemes such as OAuth, with each service deciding how requests are authenticated and how input is
validated. Therefore, as demand increases the call for support of RESTful web services, the
Commonwealth will need to articulate a clear and enforceable standard to ensure that the data and
security specifications can be supported by organizations looking to consume, produce or interact
with RESTful web services.
SOAP
Simple Object Access Protocol (SOAP) is the technical specification currently adopted by the
Commonwealth today and is used to structure information that is exchanged during web services
transactions. It is based on the use of XML and is a well-established and mature standard. It is
expected that SOAP would remain the preferred standard for supporting web services even in
light of the possible adoption of REST.
CSS3
Cascading Style Sheets 3 (CSS3) is used to apply the look and feel to information that is being
presented through a web-based interface. The current update to CSS introduces media queries,
which let the presentation of content be tailored to a specific range of output devices without
having to change the content itself. This feature is required in support of responsive web design.
JSON
JavaScript Object Notation (JSON) is a human-readable data interchange format, derived from
the object literal notation used in JavaScript. Frequently, RESTful services use JSON as a
representation format, especially if the exchanged data is processed within client-side JavaScript
code. However, because JSON has no widely adopted metadata validation/description mechanism
comparable to XML Schema (JSON Schema exists only as drafts), the use of JSON has not yet been
adopted in the ETRM. In order to support mobile application development, the Commonwealth will
need to reconsider this position; any such adoption should pair JSON with explicit server-side
validation of each document’s structure, since the format itself enforces none.
Ajax
Asynchronous JavaScript and XML (Ajax) is a set of techniques for accessing RESTful and
SOAP-based web services asynchronously from a web page, without interfering with the page
display or interactivity. Although XML is part of the name, it is common, and often the primary
use, to exchange information formatted as JSON instead of XML. Given this link to JSON, the use of
Ajax has not been adopted in the ETRM. As with JSON, the Commonwealth will need to
reconsider this position.
Frameworks (JQuery, Dojo & Responsive)
All of these are JavaScript-based libraries that support client-side (browser) scripting of HTML.
They are all free and open source libraries supporting multiple browsers (jQuery under the MIT
license, Dojo under dual BSD/AFL licenses, and the responsive frameworks under their own
permissive licenses).
JQuery & JQuery Mobile and Dojo & Dojo Mobile are well established JavaScript libraries (see
comparison: http://en.wikipedia.org/wiki/Comparison_of_JavaScript_frameworks). In addition
both support “mobile” versions with HTML5 support and built-in components that render well in
mobile devices (e.g. sliders, lists, forms, etc) and therefore can be delivered without dependence
on a specific device or OS.
Responsive Frameworks: Responsive design is a term coined by Ethan Marcotte to characterize
the web application design approach using “fluid grids, fluid images/media & media
queries.” With responsive design, the web page resizes and rearranges the screen layout
(“fluidly”) to fit the user’s screen dimensions.
Examples of responsive frameworks include Twitter Bootstrap, and Foundation from ZURB. A
good list can be found in: http://designshack.net/articles/css/which-is-right-for-me-22-responsivecss-frameworks-and-boilerplates-explained/
Note: the Mass.gov team created a responsive design for the Mass.gov web portal, debuting in
January of 2013. The work done by this team will be advantageous to any organization that has been
“portalized” and will serve as a strong business incentive for organizations that have not joined the
Mass.gov portal to do so. While this may be a minor point, it should be recognized that this work will
not be able to be repurposed outside of the portal because the solution was developed in house and
did not use a standardized framework that could be easily repurposed.
Platforms
As demonstrated by the illustration from Gartner below, the current Mobile Enterprise Application Platform
(MEAP) marketplace is still maturing. According to Gartner’s William Clark, “Mobile AD entered the
mainstream for software development during 2011 to 2012. Yet, the technologies, vendors and business
drivers shaping it will remain in a state of flux through 2015. Platform immaturity will remain, as there is no
clear consensus yet on how a multiparadigm/multiplatform tool should work (e.g., whether the IDE model
is right, or something else is needed), and new technologies such as speech recognition, augmented
reality browsers, new sensors and new OS APIs will be added to the tool mix.”
At this time, it is not recommended to select a single mobile application development platform. Rather,
the Commonwealth’s focus in the next two to three years should be on building the support capabilities
at the infrastructure level. Once the MEAP market has stabilized and clear market leaders have
emerged, it will be more beneficial to standardize on a single platform or a selection of platforms.
Source: Gartner (February 2012)
Section 6: Roadmap
In order to effectively implement the Commonwealth Mobile Strategy, it is imperative that the technical
target state is understood. This will be defined in terms of functional capabilities rather than technical
specifications because the organization needs to be able to make decisions based on research,
outcomes and evolving market factors. To better understand the most basic capabilities that the
Commonwealth would need to support in the near term, the Enterprise Technology Office conducted a
small proof of concept.
Proof of Concept:
The POC focused its efforts exclusively on “mobile web applications”, as opposed to “hybrid mobile
applications” or “native applications”.
 Relied on existing web enabling infrastructure such as the Enterprise XML Gateways and on a
Windows 2008 Server VM for the deployment of a full web application stack.
 Was implemented using open standards and well-established, freely available open source
frameworks, such as JQuery Mobile, Symfony2 (PHP framework) and Twitter Bootstrap.
 Did not investigate advanced mobile features such as use of the accelerometer, geo-location,
camera integration or use of local device storage.
 Did not include “hybrid mobile applications” or “native applications”.
POC scenarios simulated web publishing efforts by an agency of the Commonwealth with the following
objectives/limitations:
Publish non-sensitive data
 Access to static or service-accessible content
 No requirement for personalization/login support
 No integration with social media (Facebook, Twitter, etc)
Success Criteria
Prove that existing static content can be published in a mobile friendly manner.
 Identify viable frameworks that work across multiple platforms
 Validate that HTML5 with JavaScript libraries are mature enough for adoption
Analyze different architectural paradigms being used in the Commonwealth today.
 Understand how the model view controller pattern can/has been extended to support
business goals
 Understand how web services can be used to facilitate data access
 Understand the use case for prioritizing native application over mobile web application
development approaches
Document case studies of three different mobile implementation approaches.
 Mass.gov (Adaptive Modeling)
 City of Boston (Native Applications)
 Massachusetts Legislature (Extended Model View Controller Paradigm)
Target State
 Articulation of the target technical capabilities and implementation to support Mobility across the
Commonwealth and its business partners
 Clear device and security controls
Migration Recommendations
ITD’s immediate focus should be to build support capabilities at the infrastructure level.
 Implement policy that requires mobile solutions to use Web-based standards when
possible over proprietary, native software development kits (SDKs).
 Perform further POCs to understand the impact of increasing mobile application support on
network bandwidth and storage requirements.
 Implement a repository as a layer between application services and the underlying
infrastructure to track and manage the services and data used in the construction of
mobile apps.
 Keep Mobile Application requirements in mind when evaluating related or supporting
infrastructure solutions such as VPN, Enterprise Mobile Communications Gateway,
Federated Enterprise Service Bus, IP Management and Mobile Device Management.
ITD should not recommend adoption of a singular Commonwealth Enterprise Mobile Application
Platform solution until the marketplace has matured further.
 Once the Mobile Enterprise Application Platform market stabilizes and clear market
leaders emerge, standardization on a single platform or a selection of platforms should be
reevaluated.
 Mobile application platform exploration at the Secretariat/Agency level should be done in
collaboration with the Commonwealth Chief Technology.
 Secretariats/Agencies will need to conduct thorough testing of any potential Mobile
Application Platform approaches against their own internal critical systems, including
acceptance of the risks that are introduced, before considering implementing a mobile
application platform.
Section 7: Risks
Security, of course, will always be a paramount concern, and is usually governed by a separate security
policy. For the purposes of this document, we will discuss possible disrupting factors to the proposed
strategy.
Potential Disruptions to the Strategy
The primary risk that looms large on the Mobile Application landscape is best stated by Brian Prentice
in a Gartner document entitled From Mobile to Post-PC ERP: “MEAPs’ promise of "write once, run
anywhere" ultimately commoditizes Apple's and Microsoft's platform efforts. They will not succeed in the
market unless the software that runs on their devices takes advantage of the unique capabilities they offer
(e.g., Siri voice control on iOS or the Metro look and feel on Windows RT). Additionally, given both
providers' absolute control of their public app store distribution systems and their largely opaque approval
processes, they can, at any time, unilaterally choose to choke off any apps at a moment's notice.”
In response to this issue, the biggest danger that the Commonwealth faces as it traverses the mobile
application landscape is a proliferation of rogue, custom, nonstandard approaches to
implementing mobile application development. While all-in-one solutions may introduce complexity to an
eventual cohesive fabric, use of standards-based specifications that expose the mobile application by
breaking it into discrete services through an API will minimize the impact of such issues. However, as
with any Enterprise-based approach, the more difficult barriers are introduced when organizations use
nonstandard technologies to support narrowly focused business goals.
In addition to the use of nonstandard technologies, another concern will be ensuring that the
infrastructure is well positioned to support the use of an eventual MEAP. Implementing a repository as a
layer between application services and the underlying infrastructure will help set the stage for a smooth
migration by allowing for tracking and management of the services and data used in the construction of
mobile apps as assets. It will provide agencies with a context in which to view this new paradigm, as
opposed to seeing the apps themselves as parts of the agency or enterprise's application portfolio.