On the face of it “Bring Your Own Device” (BYOD) is great.
Organisations don’t have to buy and manage devices,
Staff get to use their device of choice, and
Staff don’t need to carry two or more devices.
Win/win, right?
Well, kind of.
It all comes down to your organisations IT security risk profile and the nature of the systems used.
If:
All your systems are web browser or remote desktop based,
Have no IT system compliance requirements (check your insurance policies about Cyber Security claims),
You don’t need to enforce device policies; or
You don’t have critical IT business systems
Then you can probably allow staff to use whatever device they like, assuming they meet your defined minimum system specifications.
However, if you need to comply with:
Government tender requirements that specify IT system security protocols,
Organisation memberships or government security programs,
IT security or data protection legislation or regulations; or
Internal policies, standards or run 3rd party software
Then you need some sort of managed environment.
Now, it is possible to enrol personally owned devices in “Mobile Device Management” (MDM) systems such as Microsoft Intune, Jamf or other solutions, however this raises several potential issues:
1. Implementation of Policies
What policies will your staff allow you to implement on their personal devices?
For example:
The removal of administrative rights
Limiting the ability to install new software
Tracking and reporting on website or other system access
Forcing updates or removal of unapproved software
Implementing blacklisting or whitelisting
Allowing IT support personnel to remotely access the device, at any time
Allowing IT support personnel to remotely wipe the device should it become lost, or the staff member leaves the organisation under unfavourable circumstances.
In our experience, most end users do not want these types of policies on their personal devices.
2. Lack of Compatibility and Standards
Whilst most web-based solutions will work well on web browsers from various devices, it is far from guaranteed. For example:
A tablet with non-standard or low screen resolution may not be able to display an interactive web page properly;
A staff member shows up with an iMac but then needs to use 3rd party Windows based software (or vice versa); and
Personal devices often have differently licenced software – the end user may have an Office 2010 licence that they don’t want to upgrade or replace, but it may not provide the functionality required.
3. Manageability
There are many issues around the manageability of these devices:
IT support personnel need to be prepared to support and troubleshoot a much wider variety of equipment. Where a corporate SOE is in place, a wipe and rebuild can be accomplished relatively easily, but if an end user’s personal device has their 2TB movie library on it, recovery time and associated cost can be greatly impacted;
End users often subscribe to anti-virus software and/or Microsoft Office that is offered with their device. This software may have different features and usually can’t be centrally managed by IT support personnel and may conflict with software deployed by the organisation;
Remote support of Apple, Android and other BYOD devices cannot be guaranteed as the support tools used by IT support personnel may not easily provide the required functionality;
When staff leave the organisation, they often retain corporate data on their devices. This may be addressed by enrolling the device in MDM, but the organisation needs to ensure that end users enrol their personal device and the solution needs to be designed, implemented, and managed properly. If an appropriate exit procedure is not followed when the staff member leaves the organisation, then that data may not be dealt with appropriately; and
Supported MDM features are not the same across all devices. Where one device might support full MDM features, another device might not. For a small organisation, it is largely impossible to test all possible combinations of phones, tablets, laptops and desktop operating systems and guarantee that the MDM solution will work for the old ones and any new ones that are released.
To top it all off, here’s an example of an issue that doesn’t neatly fit into any of the above.
When a staff member unpacks a new Microsoft Windows computer, they are prompted to create a Microsoft Account to use to login to the computer. This personal Microsoft account comes with a variety of features including OneDrive which is configured for use by the personal OneDrive app. This becomes even more of an issue if they purchase a personal Microsoft Office subscription that has different software applications to those provided by their corporate licence.
If your organisation issues the staff member with an Office365 subscription, they also get another OneDrive account which can be used to synchronise data via the OneDrive business app.
Accessing various Microsoft features may require them to login either with their personal account or their corporate account. Many staff do not really understand the difference and sometimes find themselves storing corporate files in their personal OneDrive, or vice versa. Also, working within a web browser can be problematic as they may find themselves trying to access resources via one set of credentials, when they needed to use the other set.
4. Recommendations
None of these issues are insurmountable, but they do require additional training and understanding on the part of end users and an acknowledgement by management that the environment will be more difficult (and thus more expensive) to manage.
Generally, for the most seamless working environment, we recommend staff be issued with a device that has been configured with the corporate Standard Operating Environment (SOE).
For organisations with a higher security requirement but that also require BYOD capability, we recommend:
A virtual machine owned and managed by the organisation be configured on the personal device; or
A remote desktop server be utilised to allow staff to work in a standard environment.
Most smaller organisations allow the use of personal phones for email. However, if your organisation is highly concerned about email data and/or the staff member needs to download and access corporate data that should be managed, then it may be preferable to issue a standard model phone that has been tested and can be enrolled and managed via an MDM solution.