Establishing a BYOD Program in a Diverse Tech Landscape
Remember the days before iOS, Android and Microsoft phones and tablets?
The world of enterprise mobility was much easier to manage. All you needed was a corporate BES and a corporate laptop and/or desktop for each employee. Users could choose from whatever BlackBerry devices we had available. In later years, we allowed them to purchase their own devices (BYOD) and enroll them in our BES. RIM (now BlackBerry) gave us many different options to lock down the device.
What it didn’t give users was the functionality and “coolness” factors they wanted.
I can only imagine if we had BYOD back then. Managing different hardware would be a struggle, not to mention the many different operating systems. What if we had to support different versions of Microsoft Windows, Mac OS and the many flavors of Linux? Consider the amount of staff needed to support all of those. It would not be possible in many instances.
Laptops and smartphones and tablets, oh my!
Fast forward to today and the assortment of devices users are bringing into the enterprise. Even companies that allow only iOS and Android devices still have to deal with a vast array of versions. For example, iPhones older than the 3GS do not have hardware-based encryption. Do you allow them to access corporate data? We try to steer companies away from it.
Android devices are a whole different ballgame. There are so many different versions of the operating system that run on an even wider range of devices compared to their iOS counterparts. Each phone vendor and each cellular provider comes out with their own flavor to accommodate the nuances of their network. They also come out with updates quickly and on a regular basis, which is both good and bad. It’s great when an update fixes known bugs or improves system or battery performance. It’s bad when the update breaks something that is a corporate asset like email.
There is not really an effective way to block these updates with technology. Typically, the most effective way to control upgrades is through corporate education. It is important to note that in today’s world, users have the freedom to update their device or applications whenever they want. They see the notification, click on it and then take the action to update. This freedom can create a nightmare for IT Support and Security teams alike when it comes to enterprise mobility.
With all of that in mind, there are several options corporations can take for a BYOD program.
Limit device types and enable constraints. For example, support only iOS devices running version 5.0 or later. That would rule out iPhone 3G and its predecessors. Once iOS 7 has all the bugs worked out, setting it as the minimum would also effectively reduce your field of eligible devices and eliminate the iPhone 3GS and the first generation iPad.
With Android, setting the minimum version to 4.0 and later adds much more functionality, including the ability to enforce encryption of the device. Many of the MDM providers can put these limits in place for you as well as provide many more capabilities than just proxying or pushing down ActiveSync settings alone.
For example, some Android devices and OS versions can’t get an Exchange profile pushed to the device. Some of the MDM providers now have their own containerized email client similar to TouchDown by Nitrodesk.
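As an added illustration (not from the original article or any MDM product), the sketch below applies the minimums discussed above to a device inventory and reports why each device is ineligible. The record fields, model strings and sample inventory are assumptions made for the example; versions are compared numerically so that "10.0" is not mistaken for something older than "5.0".

```python
from dataclasses import dataclass

# Minimums suggested in the article: iOS 5.0 or later, Android 4.0 or later.
MIN_OS = {"ios": (5, 0), "android": (4, 0)}
# iPhones older than the 3GS lack hardware encryption (model strings are assumed).
NO_HW_ENCRYPTION = {"iphone", "iphone 3g"}

@dataclass
class Device:  # hypothetical record shape for an inventory export
    owner: str
    platform: str
    model: str
    os_version: str
    encrypted: bool

def parse_version(text):
    """'4.0.4' -> (4, 0, 4); numeric compare so '10.0' ranks above '5.0'."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable OS version {text!r}")
        parts.append(int(piece))
    while len(parts) < 2:  # treat '4' as '4.0'
        parts.append(0)
    return tuple(parts)

def ineligible_reasons(device):
    """Return why a device fails the policy; an empty list means eligible."""
    platform = device.platform.lower()
    if platform not in MIN_OS:
        return [f"platform {device.platform!r} not supported"]
    reasons = []
    try:
        if parse_version(device.os_version) < MIN_OS[platform]:
            reasons.append(f"OS {device.os_version} below minimum")
    except ValueError as exc:
        reasons.append(str(exc))  # fail closed on versions we cannot read
    if platform == "ios" and device.model.lower() in NO_HW_ENCRYPTION:
        reasons.append("no hardware-based encryption")
    if platform == "android" and not device.encrypted:
        reasons.append("device encryption not enabled")
    return reasons

# Constructed sample inventory, not real data.
INVENTORY = [
    Device("alice", "iOS", "iPhone 3G", "4.2.1", False),
    Device("bob", "Android", "Galaxy Nexus", "4.0.4", True),
    Device("carol", "Android", "Nexus S", "2.3.6", False),
    Device("dave", "iOS", "iPhone 5", "10.0", True),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.owner, ineligible_reasons(d) or "eligible")
```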
Set strict device password policies. We have covered encryption for iOS and Android but what about the password length and how often people need to enter the password, the complexity and history?
Oftentimes, it’s hard to get employees on board with strict password requirements. Many times, they don’t want to be bothered with putting in a complex password every 15 minutes. Unfortunately, I see this most often at the C-level. These executives usually have fewer security restrictions compared to the traditional knowledge worker when best practice tells us it should be the opposite. This is a hard, but necessary battle for companies to fight.
In one particular engagement, a company launched a BYOD program using one of the big MDM solutions. They gave out enrollment instructions and let users have at it. In the end, ten users enrolled. Ten.
The problem was users did not want to have to put in complex passwords on their device just to take a picture and upload it to Facebook. By the time they entered the password correctly, the photo opp was over and the moment lost. They also didn’t like the fact that their device could be wiped. Plus, users were not getting any subsidy for their device. If it was going to interfere so much, the employees preferred not to get corporate email on their personal device.
It’s a balancing act. Get to know your audience and find out how much security you can push without too much negative user feedback. If the data is that sensitive, there are many other viable, secure approaches to consider - securing the data via secure containers, purchasing corporate devices or using virtualization.
Also, it’s important to consider whether implementing BYOD is even necessary. Corporate-owned devices come with many advantages with few disadvantages. While standardizing to one device or operating system may ruffle a few feathers - you’ll always have the Android vs. iOS argument - think of the impact on the Help Desk. Choosing a corporate standard device will greatly simplify troubleshooting and support.
It also allows companies to use shared plans for minutes, text and data. There are many companies now that have Telecom Expense Management (TEM) services that look over the monthly bills and help to cut costs. And if the employee still wants their own device, there is nothing stopping them from carrying two devices. It’s not the optimal solution to carry two devices, but it’s definitely not uncommon these days.
BYOD vs. corporate-owned mobile devices can be a difficult decision, especially if you’ve already established - by choice or not - a BYOD program and want to put a stop to it. By investing the time and doing the research, companies can find a solution that allows them to get the most out of mobile devices while reducing the risks associated with them.