IT Management Blog: my thoughts about putting the "i" in IT

Bring Your Own Device (BYOD) - mutual benefits require mutual trust and responsibilities

BYOD is all about the mutual benefits (WIIFM) for the organisation on the one hand and the employee on the other hand. We change from personal computing to personalised computing.

Companies have started implementations of a BYOD strategy. There are a variety of reasons why you would want to do this:

  • Young people have grown up with personal computing at school and at home. They expect their new employer to be flexible in that respect and meet their individual demands. A corporate-provided device might not be as powerful and up to date as what employees have at home and expect to be available at work. In order to attract skilled Gen-Y employees, you just need to meet their demands. For example, I was told that one organisation set up a new office in Asia and BYOD was the basis for the provisioning of PCs for that office. Especially if you start fresh, you have the option to create the corporate culture and define the type of employees you want to attract.
  • On the other hand, employees like to use the extra capabilities that mobile devices bring while this is not strictly a requirement of the employer. For example, I like to have my work and private calendar integrated on my smart phone so I always have a complete overview of my appointments when away from my desk. I also like to check in the morning what the day has in store for me before I go to work. Linking my personal phone to the corporate network allows me to do this without carrying multiple devices around. It is the reversal of the corporate-issued device that can also be used for private use.
  • Strongly related to this is that employees and business managers feel more and more that they should decide what technology (including type, brand, make and model) is best suited to perform a certain task and that this should not be driven by the IT department.
  • The ability to reduce the number of devices that people use and carry around as a response to the increased number of devices that are available such as smart phone, tablet, notebook or PC while providing a single point for private and business use.
  • Another reason is that there are more and more devices, all in different variations. Besides the fact that people have preferences for the make, model and type, the different devices also have their strengths for different business purposes. Managing all those different types of devices makes it expensive for the IT department to support.
  • BYOD inherently increases the mobility of the work force and also has the side effect that the IT department will be able to provide corporate-issued mobile devices more easily because much of the technical procedures and infrastructure will be in place.
  • BYOD is sometimes also seen as a business opportunity to reduce costs. However, I am not really clear whether this can or should be a driver of the strategy. BYOD is all about "what's in it for me" (WIIFM). If the company tells employees to use their own device for business purposes, employees will be quick to respond by asking the company to sponsor the device. WIIFM in this case goes both ways. As an organisation you look into the benefits of supporting BYOD, and employees will chase their own benefits.

IT departments have long resisted employees bringing their own technology. One of the reasons is that they can expect that in the end they will need to support technology with which they have limited skills and knowledge and for which they have no arrangements in place with suppliers with respect to support and spare parts. Another reason has been the security of corporate data and the risk that viruses and other malware could infect the corporate network via a device that is not under control of the IT department. And finally there is the business risk that information is leaked or compromised.

However, these days BYOD is more opportune, considering that:
  • people are getting more savvy with respect to the management of these devices (young people have been responsible for their laptop since high school);
  • the stability of the operating systems has increased significantly over time;
  • devices have a shortened lifespan;
  • the replacement cost is relatively low compared to maintenance costs, which means that if there are hardware issues, a full replacement very quickly becomes the most cost-effective strategy (have you ever had a hardware issue with your iPhone? - Apple will not try to fix it and simply gives you a new one);
  • advancements in mobile device management technologies allow the IT department to exert sufficient control over the device to protect corporate data and distribute required business applications (the app store concept is popular for this);
  • advancements in remote access technologies, virtualisation technologies and security technologies make access to business data and business systems possible via any device anywhere and in a controllable and secure way.
Taking the above points into consideration, it means that in certain circumstances it makes sense to use personal devices for business use.

Mutual benefits also bring mutual responsibilities. The company can expect the employee to ascertain that the device will work according to predefined requirements and that this will become an integral part of the employee's responsibility to perform his job. The company will be responsible for assuring that the technical environment facilitates this and that, for example, the employee's privacy and control over the device are guaranteed. Though there is much to do around the technology for BYOD, it is foremost about policies and procedures.

The employee is expected to assure that the company's data, operation and reputation are not at risk, but the company must basically assure the same with respect to the employee's private data. If I allow my employer to install mobile device management software on my device, how will the company give me confidence that it will not access my private emails and that it will not erase my data on the device without my permission?

The key to all this is a mutual agreement between employee and employer about the use. Policies in combination with signed agreements will control the implementation of BYOD. The agreement supported by policies between employee and employer will cover:
  • for whom and when BYOD will apply (you will have different rules to allow people to connect their smart phone to access email and calendar compared to the use of a personal laptop instead of a corporate-provided PC);
  • the employee will be responsible to assure that he has a device available according to certain specifications that operates correctly so he will be able to perform his job - the specification should not say exactly what brand, make or model but more about its capability (e.g. ability to run MS Office 2010, memory capacity, speed, etc.);
  • how the original device is funded (you could consider that the employer pays for the original device such as a laptop but that ownership is with the employee - if the employee leaves the organisation within say 3 years, the employee will pay the employer a pro rata fee - the employer funds to a maximum value but the employee can of course contribute as well to buy something more advanced or powerful than strictly would be required for the job);
  • how hardware issues are resolved (e.g. employee needs to take the device to the original store) and how a replacement device is funded (e.g. employer could contribute a first time within a certain time period such as 3 years and in all subsequent cases the employee is fully responsible);
  • the employee agrees that specified software is installed on the device and that the employer can control at least the corporate software, data and connectivity with the network;
  • the employer agrees that the personal data remains private and won't be accessed by the employer.
The above is written more specifically towards a device that is required to perform the duties of the job. In other cases, the own device is just an "extra" device such as in the example I gave earlier. Though I can do my job very well without a smart phone where I have personal and company calendar integrated, I personally feel it makes my life easier and therefore feel that I function better with this solution.

If you expect employees to use their own device for business purposes, you can expect you will need to pay for this. And since there are also new technology controls that you need to put in place, cost savings might not always directly be achieved. On the one hand, you avoid buying a personal and corporate device so between employee and employer, money is saved. On the other hand you will introduce additional devices. While in the past you provided the employee only with a PC, now you will provide a smart phone, a tablet and whatever the future has in store for us.

There are a few items you need to look into specifically, such as software licenses. The device will come with its own operating system, but other software such as MS Office requires a bit more thought. Does your license agreement allow you to install your licensed software on a device not owned by your company?

Another item to consider is the support process. For what issues can the employee call the IT support desk and what issues would they need to resolve themselves? What if the device is not working? Will you provide the employee with a temporary replacement device?

There are different levels and ways to implement BYOD:
  • as a replacement strategy for the necessary corporate device such as the PC or laptop where the employee will own the device instead of the company;
  • as an additional device that assists with mobility where this is not strictly required (e.g. a smart phone or tablet);
  • the employee picks the brand, make and model but the company still owns the device (not strictly BYOD).

Technically, you can implement BYOD in a variety of ways, and they will also depend on the type of device and what it is used for. In reality you will find that you will need to provide a mix of the various solutions.

For example, for a laptop you can use an installed virtual environment that comprises the full business environment. The advantage is that the virtualisation technology hides the actual hardware from the corporate SOE (standard operating environment) and therefore you can still provide the SOE to the employee. In addition to the virtualisation technology such as from Citrix, you might need additional software to remotely manage this installed virtual environment on that device. The benefit of this whole solution is that the virtual installed environment is a blob on the device and is fully secured and isolated from the normal private use. Since you can set the virtual environment to always go to sleep, starting this environment can go extremely fast and therefore not impact the user experience. Within the virtual environment, a VPN connection can be made to the corporate network. To a certain extent, this solution is more secure than an employer-provided laptop that is also used for private use.

The benefit of an installed virtual environment compared to remotely accessing Citrix with installed desktops and installed applications is that you can also use it when you don't have an Internet connection, and you avoid potential problems due to slow Internet speeds. But depending on the intensity and the requirements, standard remote access to a Citrix environment can be the solution or part of it. The benefit in that case is that no data is stored on the device.

For other devices such as smart phones and tablets, other mobile device management solutions are required. In many cases the use of business data is limited to email, calendar and contact data, and then the issue is limited to assuring that this happens in a secure way, enforcing a pass code to use the device and assuring the company has the option to wipe the corporate data in case the device is lost. In a large number of scenarios we talk about the "additional device". However, the technology and solution would in essence be the same when the device is a corporate-provided device. In the latter case the question is then whether the device can also be used for private use. In order to control the corporate interest, mobile device management software can be used.

Similarly to the laptop with the virtualisation solution as described before, you would like to segment the private and corporate use on the mobile device and assure that unauthorised access to this is blocked and that corporate data does not leave the corporate segment. How this is done will depend on the device and the mobile device management solution that you use. Technically you can consider (this won't be an exhaustive list):
  • Controlling the network connections (e.g. to which Wifi and Bluetooth networks you can connect and how)
  • Use of separate (Wifi) networks for private and corporate devices
  • Encrypting data transmission
  • Encryption of corporate stored data on the device
  • Enforcement of pass codes and controlling the complexity of those
  • Virus protection
  • Considering if you allow the native email client to be used for private and corporate use or enforce the use of separate email clients
  • Similarly for other applications: use different applications for corporate and private use
  • Segmentation of data stores for corporate and private files/data
  • Controlling which apps can be installed, how, when and by whom
  • Block untrusted devices such as jailbroken devices from the network
  • Remote wiping of the whole device versus wiping the corporate data only
  • Remote backup of the device or treating the device as a consumption device only (does not contain newly created data in any significant way)
  • Enforce user authentication for applications that connect to the business systems each time that these are activated
  • For iPads and iPhones: on which computer iTunes runs (corporate or home)
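
Several of the controls listed above can be combined into one admission decision per device. The sketch below is an added example, not code from the original post or from any mobile device management product: the `Device` fields, the minimum pass code length, the network names and the rule that employee-owned devices only get a corporate-data wipe are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy value; the post names the control but sets no number.
MIN_PASSCODE_LENGTH = 6

@dataclass
class Device:
    owner: str                       # "employee" (BYOD) or "company"
    jailbroken: bool
    passcode_length: int             # 0 means no pass code is set
    corporate_store_encrypted: bool
    antivirus_active: bool
    unapproved_apps: tuple = ()

def evaluate(device: Device) -> dict:
    """Decide network placement for one enrolled device, with reasons."""
    # Untrusted (jailbroken) devices are blocked outright.
    if device.jailbroken:
        return {"network": "blocked", "reasons": ["jailbroken"]}
    reasons = []
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        reasons.append("pass code too short or missing")
    if not device.corporate_store_encrypted:
        reasons.append("corporate data store not encrypted")
    if not device.antivirus_active:
        reasons.append("virus protection inactive")
    reasons.extend(f"unapproved app: {app}" for app in device.unapproved_apps)
    # Non-compliant devices stay on the separate private network.
    return {"network": "private" if reasons else "corporate", "reasons": reasons}

def wipe_scope(device: Device) -> str:
    """Lost device: employee-owned devices lose only the corporate segment."""
    return "corporate-data-only" if device.owner == "employee" else "full-device"

# Constructed sample devices, not real inventory data.
BYOD_PHONE = Device("employee", False, 8, True, True)
WEAK_PHONE = Device("employee", False, 4, True, True, ("sideloaded-game",))
JAILBROKEN_TABLET = Device("employee", True, 8, True, True)
COMPANY_LAPTOP = Device("company", False, 10, True, True)

if __name__ == "__main__":
    for d in (BYOD_PHONE, WEAK_PHONE, JAILBROKEN_TABLET, COMPANY_LAPTOP):
        print(d.owner, evaluate(d), wipe_scope(d))
```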

The IT department ideally replicates what they can do with the Blackberry and its BES server, where IT has full control over the mobile device. In that sense, the Blackberry is the ideal corporate-issued mobile device. However, for BYOD you need to give up some of the control in order not to negate the benefits of BYOD, and accept a certain level of responsibility of the employee. Technically it will also become more and more difficult to control everything. The IT department is in that sense not much different than governments trying to control the Internet. Due to the fast technical changes and use of the technologies, technical control is always running behind. The solution must primarily be sought in rules and regulations.

Another typical issue is that Apple made consumer devices and made them purposely simple. It means that there is much you cannot do with respect to configuration. This is core to the success of Apple's products. But this is exactly why IT departments found it difficult to control security for the devices. Androids are again the opposite and very open technically. This allows for more options to create technical solutions to control the device, but on the flip side the nature of the device is much less secure. While IT vendors are resolving the issue for Apple's products, other technologies will emerge for which you won't have an answer.

The technology for mobile device management is all brand new; companies are only now starting to use it and build up experience, while vendors still need to address teething problems. With the speed of the developments and the fact that many companies have started to look into BYOD, I think that vendors will soon have resolved these teething problems and that organisations will have developed mature strategies and management models.

The consequence is that IT for organisations will have radically changed and that we have shifted from personal computing to personalised computing.