Building “Bring-Your-Own-Device” (BYOD) Strategies
This is the first part in a series designed to help organizations develop their “BYOD” (bring-your-own-device) strategies for personally-owned smartphones and tablets. This chapter provides an overview of eight components that our customers have found to be the foundation of a secure and scalable BYOD program.

Many organizations are considering personally-owned mobile devices for business apps. Their goal is to drive employee satisfaction and productivity through the use of new technologies, while simultaneously reducing mobile expenses. This BYOD trend is one of the more dramatic results of the consumerization of IT, in which consumer preference, not corporate initiative, drives the adoption of technologies in the enterprise. However, many of these technologies were not built with enterprise requirements in mind, so IT teams often feel uncomfortable about security and supportability.

Within the MobileIron customer base, we have seen a broad spectrum of BYOD approaches, ranging from top-of-the-pyramid, where a small set of executives or technical staff get to use their own devices, to broad-scale, where BYOD is opened up to a larger percentage of the employee base. In many organizations, employees are now offered a choice between a corporate-funded BlackBerry or a personally-funded iOS, Android or other new-generation device. In her Spring 2011 presentation, “Bring Your Own Mobility: Planning for Innovation and Risk Management,” Monica Basso, Research VP at Gartner, Inc., predicted that by 2014 “90% of organizations will support corporate applications on personal devices.” As a result, IT teams are preparing for a mixed-ownership mobile environment.

But BYOD is more than just shifting ownership of the device to the employee. It has many complex and hidden implications for which a strategy needs to be defined in advance of implementation.
Based on the experience of our customers, this paper outlines eight major components for successful BYOD strategies:
o Sustainability
o Device choice
o Trust model
o Liability
o User experience and privacy
o App design and governance
o Economics
o Internal marketing
Sustainability
BYOD is new to most organizations and, as a result, best practices for implementation are just now being developed. One of the traps many fall into is establishing a rigid set of BYOD policies that is not sustainable over the long term. To be sustainable, BYOD policies must meet the needs of both IT and employees for:
o Securing corporate data
o Minimizing cost of implementation and enforcement
o Preserving the native user experience
o Staying up-to-date with user preferences and technology innovations
© 2011 MobileIron
We see organizations focusing the majority of their time and resources on the first two requirements. But the latter two are much more important for sustainability in the long term. If the BYOD implementation damages user experience or quickly becomes dated, the needs of neither the employee nor the company are met – either security is compromised or business value is lost. In both instances, employees will either find a way to circumvent policy or end their participation in the program. User experience is the litmus test for policy sustainability. If it breaks, so does the program.

Device Choice
The primary catalyst for BYOD is that employees have personal preferences for devices other than those that the enterprise has traditionally provided them. The most common example is an employee who has a corporate-owned BlackBerry for work, but a personal iPhone or Android device at home, and would prefer to carry one device instead of two. However, in a world where consumer preferences shift annually, or even quarterly, and the mobile device and apps landscape itself evolves constantly, defining how much choice to allow employees is difficult. Building a policy around device choice requires:

o Analyzing employee preference and understanding which devices they have already bought: A BYOD program that doesn’t support current and intended purchases will have limited appeal.

o Defining an acceptance baseline of what security and supportability features a BYOD device should support: The goal is to include all employees’ desired mobile platforms in the program, without creating security gaps or support headaches. The acceptance baseline generally includes asset management, remote lock/wipe, password policy, encryption, and email/Wi-Fi/VPN configuration. Without these fundamentals, the mobile platform is not viable for the enterprise. The more advanced list generally focuses on app-related functionality and advanced security such as certificate-based authentication, access control, and app distribution. The device platforms that match the advanced list get access to a higher level of enterprise functionality in the BYOD program.

o Understanding the operating system, hardware, and regional variances around that baseline: On Android especially, similar devices may actually support very different capabilities based on the manufacturer and the geographic region. The brand name of the same device may also vary by wireless operator, adding confusion.

o Establishing clear communication to users about which devices are allowed or not, and why: Going BYOD without this clarity results in users purchasing unsupported devices or becoming frustrated that the service levels they expected from IT are not available to them.

o Developing a light-touch certification plan for evaluation of future devices: Most organizations invest in upfront certification when launching their BYOD program. However, new devices are introduced into the market every 3-6 months so the certification process must be ongoing and continually evolving. If the process is too heavy, it will become expensive and eventually fall behind, so speed and efficiency of certification is essential.

o Ensuring the IT team has the bandwidth to stay up-to-date: The allowed device list is strongly influenced by user demand and so may change rapidly, often multiple times a year. Someone in IT must become the expert on device and operating system evolution. This is especially important when the program moves beyond iOS and BlackBerry to operating systems with more variants. Otherwise, the BYOD program quickly becomes obsolete.

Trust Model
Trust remains the foundation for enterprise security: Which users do I trust with which data or apps under what circumstances? Every major organization has gone through data classification to establish this underpinning for its security policies. However, even without BYOD, trust models for mobile add an additional level of complexity because the device itself easily falls in and out of compliance. For example, a company’s CFO is trusted with financial data on her tablet, but not if she inadvertently downloads a risky consumer app or disables encryption. The trust level of a mobile device is dynamic, and depends on its security posture at a given point in time. Because mobile devices are not locked down as comprehensively as traditional laptops and desktops, devices may fall out of compliance with corporate policy more frequently.

BYOD adds another layer to the trust model, because the trust level for personal devices may be different than for corporate devices. Building a BYOD trust model requires:

o Identifying and assessing risk for common security posture issues on personal devices: Employees use personal devices differently than corporate devices. For example, they download more apps. As a result, they fall out of compliance more frequently, or for different reasons.

o Setting tiered policy: “Ownership” is now a key dimension along which to set policy. So with BYOD, personal and corporate devices will each have different sets of policies for security and privacy. Privacy policies will vary, as will user expectations. For example, users may accept not being able to use social networking apps on corporate devices, but that type of policy is unacceptable for personal devices.

o Establishing the identity of user and device: As device choice becomes fluid, confirming identity of user and device, usually through certificates, becomes more important.

o Defining remediation options (notification, quarantine, selective wipe): These options may differ in severity from BYOD to corporate devices. For example, on a corporate device with a moderate risk compliance issue, the remediation might be an immediate full wipe. But on a personal device, it may be a less severe action initially, like blocking enterprise access, followed by a selective wipe of only enterprise data.

o Lending a critical eye to the sustainability of the security policy being instituted: What is the impact on user experience? Will users accept that tradeoff over the long term? If the trust level of the personal device is so low that security requires extensive usage restrictions, the employee’s personal mobile experience will be damaged. This creates employee frustration and concern over privacy, and neither the policy nor the BYOD program will be sustainable.
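The device-choice tiers and the ownership-tiered trust model described above can be expressed as a small compliance evaluation. The following is an added example written for this page; it is not MobileIron code and does not reflect any product's actual policy engine. The capability names, severity levels, app labels and the sample fleet are all constructed for illustration. It checks each device against the acceptance baseline and advanced feature list, collects posture issues at a point in time (encryption, passcode, risky or ownership-restricted apps), and then picks a remediation whose severity depends on who owns the device: a moderate issue on a corporate device triggers a full wipe, while a personal device is first blocked from enterprise access and only loses enterprise data on a repeat violation, never a full wipe.

```python
# Added example (not MobileIron's code): ownership-tiered BYOD compliance evaluation.
# Capability names, severities, app labels and the sample devices are constructed.
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    """Remediation options, ordered from least to most severe."""
    NONE = 0
    NOTIFY = 1
    BLOCK = 2            # quarantine: block enterprise email/app access
    SELECTIVE_WIPE = 3   # remove only enterprise data and profiles
    FULL_WIPE = 4        # factory reset; applied to corporate devices only


# Acceptance baseline and advanced list (constructed labels for the features the
# text names: asset mgmt, lock/wipe, password policy, encryption, email/Wi-Fi/VPN
# config; certificate auth, access control, app distribution).
BASELINE = {"asset_mgmt", "remote_lock_wipe", "password_policy", "encryption", "profile_config"}
ADVANCED = BASELINE | {"cert_auth", "access_control", "app_distribution"}

SEVERITY = {"low": 0, "moderate": 1, "high": 2}

# Ownership-specific app policy: social apps are blocked on corporate devices
# but left alone on personal ones. Apps that exfiltrate data (e.g. contact
# lists) are a compliance issue regardless of ownership.
OWNER_BLOCKED_APPS = {"corporate": {"social_network"}, "personal": set()}
RISKY_APPS = {"contact_harvester"}


@dataclass
class Device:
    device_id: str
    owner: str                 # "corporate" or "personal"
    capabilities: frozenset
    encrypted: bool
    passcode_set: bool
    installed_apps: tuple = ()
    prior_violations: int = 0  # unresolved strikes already recorded for this device


def entitlement(dev: Device) -> str:
    """Device-choice tier: which level of enterprise functionality the platform earns."""
    if ADVANCED <= dev.capabilities:
        return "advanced"
    if BASELINE <= dev.capabilities:
        return "baseline"
    return "not_allowed"


def posture_issues(dev: Device) -> list:
    """Dynamic trust: compliance issues present right now, each with a severity."""
    issues = []
    if not dev.encrypted:
        issues.append(("encryption_disabled", "high"))
    if not dev.passcode_set:
        issues.append(("no_passcode", "high"))
    for app in dev.installed_apps:
        if app in RISKY_APPS:
            issues.append((f"risky_app:{app}", "moderate"))
        elif app in OWNER_BLOCKED_APPS[dev.owner]:
            issues.append((f"blocked_app:{app}", "low"))
    return issues


def remediation(dev: Device, issues: list) -> Action:
    """Ownership-tiered response: severity alone drives corporate devices; a
    personal device is blocked on its first strike and selectively wiped on a
    repeat, and is never fully wiped."""
    if not issues:
        return Action.NONE
    worst = max(SEVERITY[sev] for _, sev in issues)
    if dev.owner == "corporate":
        return Action.FULL_WIPE if worst >= SEVERITY["moderate"] else Action.NOTIFY
    if worst == SEVERITY["low"]:
        return Action.NOTIFY
    return Action.BLOCK if dev.prior_violations == 0 else Action.SELECTIVE_WIPE


def evaluate(dev: Device) -> dict:
    """One compliance pass; platforms below the baseline are refused outright."""
    tier = entitlement(dev)
    if tier == "not_allowed":
        return {"device": dev.device_id, "tier": tier, "issues": [], "action": Action.BLOCK}
    issues = posture_issues(dev)
    return {"device": dev.device_id, "tier": tier, "issues": issues,
            "action": remediation(dev, issues)}


# Constructed sample fleet.
FLEET = [
    Device("corp-tab-01", "corporate", frozenset(ADVANCED), True, True, ("contact_harvester",)),
    Device("byod-phone-02", "personal", frozenset(ADVANCED), True, True, ("contact_harvester",)),
    Device("byod-phone-03", "personal", frozenset(BASELINE), False, True, (), prior_violations=1),
    Device("byod-phone-04", "personal", frozenset(BASELINE), True, True, ("social_network",)),
    Device("corp-phone-05", "corporate", frozenset(ADVANCED), True, True, ("social_network",)),
    Device("byod-old-06", "personal", frozenset({"asset_mgmt"}), True, True),
]

if __name__ == "__main__":
    for result in map(evaluate, FLEET):
        print(f"{result['device']:<14} tier={result['tier']:<11} "
              f"issues={[name for name, _ in result['issues']]} -> {result['action'].name}")
```

Running it shows the same risky app producing a full wipe on the corporate tablet but only a block on the personal phone, a personal device with encryption disabled and a prior strike receiving a selective wipe, and the social app counting as a violation only on the corporate phone. The prior-violation counter is what turns the remediation into an escalation ladder rather than a single lookup; in a real deployment it would be persisted per device and cleared when the device returns to compliance.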
Liability
All enterprises have long-standing approaches to assessing the risk of employee actions and the corresponding liability. These actions range from unsecured use of company data to accessing inappropriate applications or websites. BYOD introduces a new consideration: The device on which these actions may take place is not the property of the company. So the question is “Does moving device ownership from company to employee increase or decrease corporate liability?” Many organizations have assumed that their corporate liability decreases if they move to BYOD. We have seen many large organizations decide that their liability on personal devices is limited to protecting corporate data, and that they are not liable for personal web, app, or other activity. However, we have also seen other organizations decide that their corporate liability remains unchanged. Each organization should seek their own legal advice on how to frame and assess liability variances between BYOD and traditional mobile programs. Employees will also need clarity around which actions create and limit liability.

Some considerations around BYOD liability include:

o Defining the elements of baseline protection for enterprise data on BYOD devices: All companies must, at minimum, protect corporate data on the mobile device. But different protections may be required on different devices. For example, more protection against over-privileged consumer apps might be required on Android vs. iOS.

o Assessing liability for personal web and app usage: The employee’s expectation is that they can use their personal device however they wish. Is inappropriate use still a liability for the company, even if it doesn’t affect enterprise data?

o Assessing liability for usage onsite vs. offsite, and inside work hours vs. outside: Should usage be monitored when at work, but not when away from work? The boundaries of work time and personal time blur for many knowledge workers.

o Assessing the risk and resulting liability of accessing and damaging personal data (for example, doing a full instead of selective wipe by mistake): Most organizations will cover themselves legally in their user agreement, but this is an area with regional variances.

o Evaluating whether the nature of BYOD reimbursement affects liability (partial stipend vs. full payment of service costs): Many organizations have assumed that the level of payment doesn’t impact the level of liability. However, financial responsibility may dictate legal obligation, so most companies avoid this additional complexity.

o Quantifying the monitoring, enforcement and audit costs of the BYOD compliance policy: If liability is lower, the corresponding compliance costs will also be lower, and potentially a significant contributor to cost savings.

User Experience and Privacy
BYOD itself reflects a realization that employee satisfaction is a primary goal for IT. But many times, security and user experience have been viewed as conflicting interests. The usability of traditional enterprise applications has substantially lagged behind that of consumer applications, which are designed with user
App Design and Governance
The trust model and device choice considerations described in prior sections both have a fundamental impact on the apps strategy for BYOD. At first, organizations assume BYOD is simply a device ownership decision with minimal impact on apps. But apps involve enterprise data, and if the trust level of a BYOD device is different than that of a traditional device, it will affect app design and distribution. Also, apps may now need to support more operating systems and device types. Some considerations around app design and governance include:

o Designing mobile apps to match the trust level of personal devices: App development teams will have to decide whether they design apps differently for personal vs. corporate devices. These differences generally center on how the app handles local data and are driven by the trust level of the target devices. A shared strategy is more cost effective while a separate strategy can optimize user experience.

o Modifying app catalog availability based on device ownership: Certain internal applications may not be appropriate on personal devices for security reasons. For example, all devices might have access to the mobile case management app, but only the corporate devices to the mobile financial projections app.

o Updating acceptable use policies: Employees will demand freedom to use a broad range of personal apps on their BYOD device. In their minds, the fact that the device is also being used for corporate apps doesn’t justify restrictions on their personal apps. Therefore, any such restrictions that are necessary for corporate security purposes need to be clearly described to the employee, e.g., “App X is known to access and transmit personal contact lists to unknown third parties.”

o Defining enforcement levels for app violations (notification, quarantine, or selective wipe): Once again, clear communication is as important as the actual policy and outcome.

o Committing to the resource investment: There can be incremental investment to support core enterprise apps on personal devices – for example, employees will expect internal apps to be supported on all the approved BYOD devices, not only a subset. That implies either a deeper investment in app development and testing by the company, or clear education and communication for employees on what apps are supported on what devices, and why. User confusion will drive helpdesk calls. So the app dev team must either support the broad set, or clearly communicate to the employee base how and why support is limited.

Economics
The short-term economic analysis of BYOD generally revolves around eliminating the cost of device purchases and moving from full service payment to a predictable monthly stipend. But the long-term economics may well come from more unexpected sources. BYOD strategies have not been in place long enough at most organizations to definitively assess their economic impact, but here are some key dimensions to consider:

o Device hardware: Not needing to purchase hardware is appealing. However, many large enterprises have traditionally purchased highly subsidized smartphones, so the actual savings can be less than expected.

o Excessive charges: When employees have personal visibility into their usage, especially excess usage, their behavior tends to become more responsible. They use the device more sparingly when roaming, and they are less likely to lose it. BYOD drives personal responsibility.

o Service plans: Some organizations continue paying for full service, while others move to a fixed monthly stipend for the user, many times based on seniority level and function within the organization. However, negotiating leverage with the wireless operator can be lost if the billing model does not provide any consolidation.

o Helpdesk: Traditional wisdom held that BYOD will increase helpdesk costs because of the fragmentation of adding device choice. Implementing new helpdesk policies around full support and “best effort” do create additional complexity. However, we have seen a countervailing force as well, which is that employees who own their devices are willing to invest time in troubleshooting instead of calling the helpdesk. They are increasingly knowledgeable about technology and, more importantly, don’t want IT to touch their personal device. With the right self-service tools, the helpdesk may become a last resort instead of a first resort for BYOD users. Many organizations don’t realize the value of this until well after the BYOD program is instituted.

o Tax implications: Some regions have different tax implications for corporate vs. personally-funded devices. The cost of the BYOD program will be affected by whether the company has the obligation to tie reimbursement to a percentage estimate of business use, and how detailed that auditing needs to be.

o Compliance and audit: The earlier section on Liability posed the question “Does moving device ownership from company to employee increase or decrease the company’s liability?” The answer to this will impact actual compliance costs dramatically. If the organization views itself as no longer liable for actions other than enterprise data protection, there may be substantial savings.

o Productivity: It is harder to quantify, but access to corporate functions on the employee’s preferred device instead of the company’s preferred device drives not only satisfaction but also increased productivity. Employees now have the tools they want to use for the work they need to do.

The ROI of BYOD programs is a combination of the above variables weighed against the value of employee satisfaction and productivity. The hidden economics of BYOD center on increasing productivity, managing the cost of complexity, and realizing the value of more responsible employee usage.

Internal Marketing
BYOD offers an opportunity to improve the company’s internal perception of IT’s role and value. This is a great opportunity for internal marketing of both the company’s mobility strategy and the IT team responsible for its implementation and support. The components include:

o Communicating why the company is moving to BYOD: Is the desired perception “to shift the cost burden to the employee” or “to let employees use their favorite devices at work”?

o Understanding BYOD is an HR initiative as much as an IT initiative: What is the desired impact on company culture, productivity, and recruiting?

o Defining IT’s “brand”: Is IT a user advocate, an innovator, a source of best practices for mobile? IT can prove itself an end-user champion and ahead of the curve on technology through a BYOD program.

o Supporting the brand message with appropriate action: BYOD puts the burden on IT to provide a positive end-to-end experience to users, who need to easily understand the program, choose and provision the device, troubleshoot problems, and potentially migrate to new devices each year. The reality of the BYOD program needs to match its marketing.

BYOD gives IT a unique opportunity to impact perceptions, communication, and culture across the company. Thinking through the internal marketing strategy up front will influence communications and decisions in a way that can improve IT’s standing with its internal customers.

Conclusion
BYOD seems simple, but it’s often not. Shifting the ownership of mobile devices has many complex implications for how a company conducts business, many of which have limited precedent. In this paper, we’ve discussed several considerations for building a program to address some of these issues. While many organizations look at BYOD as a possible way to reduce costs, the real value of a well-designed BYOD program is increasing employee satisfaction and productivity, while speeding up the rate of technology adoption in the enterprise. BYOD holds tremendous promise across multiple dimensions. The initial adoption of the BYOD program will depend on effective preparation, while its long-term sustainability will depend on the ongoing quality of the employee’s end-to-end experience. The goal of this paper is to provide an initial framework for that early preparation.
BYOD Strategies: Chapter 2
Limitations of the Walled Garden

This is the second part in a series designed to help organizations develop their “BYOD” (bring-your-own-device) strategies for personally-owned smartphones and tablets in the enterprise. Chapter 1 of the series, “Building Bring Your Own Device Strategies,” introduced core components of a BYOD program. This chapter compares two technical approaches to BYOD: the walled garden vs. the enterprise workspace.

Summary
The “enterprise workspace” approach to BYOD is secure, cost-effective, extends to apps, and drives user satisfaction. It allows IT to configure, monitor, and control enterprise data and access across the mobile device without compromising the native user experience. This is the approach MobileIron takes to BYOD. We will describe this approach in detail in Chapter 3 of this series.

The “walled garden”, or container, approach to BYOD focuses heavily on security, but compromises the user experience which is the foundation of a BYOD program. End-users are not allowed to use the native email, PIM, or browser experience of the device and must, instead, download a separate app that tries to replicate those capabilities. This is the approach Good Technology takes to BYOD and it can have several limitations:
o Low user satisfaction because it forces use of an email app the end-user doesn’t want
o Limited incremental risk management, especially after Apple’s iOS 5 release
o Limited ability to support mobile apps
o High cost of ownership due to upgrade, scale, and maintenance overhead

Walled gardens can be attractive in the early generations of a mobile operating system before the native email experience is fully secured and before the mobile device is being used for apps. However, the security capabilities of mobile operating systems like iOS 5 have evolved rapidly. As a result, a BYOD program built around a walled garden email experience is neither required nor sustainable for most enterprises.

User Satisfaction
The underlying principle of BYOD is that professionals are more productive on technologies of their own choosing. Allowing employees to bring their personal devices to work, but forcing them to use a different email app or browser than the one they want, puts the entire program at risk. But user experience is subjective, so we recommend testing with a pilot group of users: Give half the group the native email experience with ActiveSync and MobileIron. Give the other half the walled garden experience. Let them run for one week then have them switch to the other approach. Survey them on:
o Overall satisfaction
o Quality of email and PIM interface
o Speed of email delivery, especially download
o Integration with other on-device services, like voice commands

Walled gardens like Good compete head-on with Apple, Google, Android device manufacturers, and Microsoft, who are all building integrated native email experiences for their devices. These companies, especially Apple, invest heavily in design. Third-party email providers have difficulty competing with Apple on user experience, and the native email experience inevitably becomes the end-user’s preferred option. User experience is the litmus test for the sustainability of a BYOD program. If control trumps user experience, adoption will suffer.

Risk Management
Corporate security programs leverage technology and education to drive appropriate behavior and reduce the risk of corporate data loss. BYOD programs introduce new variables for IT and, therefore, new types of risk. Traditionally, the primary selling point of the walled garden has been to minimize this risk by putting all enterprise data into a single container on the device. But does that actually reduce risk? There are several security requirements to consider:

Encryption
o Walled gardens encrypt email. But in 2009, Apple encrypted all new iOS devices and, in 2010, added even an extra layer of data protection for iOS native email content. Apple has also submitted their encryption for FIPS 140-2 certification. Android also now offers encryption, starting with version 3.0 of the operating system for tablets and with version 4.0 for smartphones. MobileIron monitors all these encryption states and enforces action if the device is noncompliant.
o Note that some walled gardens do not use the hardware-based cryptography of iOS, so the only factor used for encryption is the PIN code of the app itself. Such approaches cannot get the same strength of encryption as iOS native email, which can use both hardware cryptography and the device PIN. The only option for increasing strength in this case is to force the user to an unsustainable, extremely long PIN (20+ characters).

Identity
o Walled gardens can set passwords for the email client. But because the device has capabilities beyond email as well, a password also needs to be set at the device level. Having two passwords is a poor user experience.
Saved attachments:
o Walled gardens prevent users from storing email attachments on the device. This restriction is not yet available within native email clients, though given Apple’s investments in enterprise security over the last two versions of iOS, it could well be added to future releases. We see this same movement in Android, as well.
o MobileIron’s compensating control is to monitor apps that might access attachments and take automated action to block email flow if the risk is deemed too high, though this is an area that will resolve over time. Note also that all email to the device flows first through MobileIron (specifically, the MobileIron Sentry inline proxy) for enforcement of access control; future versions of Sentry could include policy-based content filtering as well as integration with existing Data Loss Prevention (DLP) systems for risk assessment.

User cooperation
o When you put a person in a straitjacket, they try to get out. An unfortunate side effect of the walled garden is that well-intentioned users try to go around the system to get the experience they want, not because of any malicious intent, but because they just want to get their work done efficiently. They actively undermine the BYOD security program.

Malicious action:
o There are a handful of other possible ways to misappropriate email content, like copy/paste. However these are generally acts of the malicious, not well-intentioned, user and in most organizations this information can also be accessed from the desktop or web. Mobile isn’t the only potential source of such data leaks.

In every release of iOS, Apple has consistently improved the security of the native email experience on iPhones and iPads. We expect this to continue. As native email security increases, the additional risk management value of the walled garden diminishes, while the cost to the organization remains constant: low user satisfaction, limited apps expansion, and high operational overhead.

Moving to Apps
Email is the first mobile function, after voice, that most organizations deploy. But as Forrester says, the true value of mobile as a computing platform will be realized as companies move beyond email to apps. “Corporate app stores will become the intranet of the future. Mobile apps, whether native or web, will become the employee’s window into his or her company’s business processes.” (from Forrester Research’s “Mobile Management Takes a 180-Degree Turn” August 2011). Walled gardens limit an organization’s ability to use mobile apps because these apps almost always fall outside the boundaries of that walled garden. The stronger the business demand for apps, the faster an organization moves away from a walled garden toward an approach that can include enterprise app store and security capabilities for both internal and public apps.
Cost of Ownership
Walled gardens, especially Good Technology, have a high total cost of ownership. Our customers have also told us that operational costs for ongoing management of Good, primarily excess staff, are three times those for ongoing management of MobileIron plus ActiveSync.

Legacy technology
o Good does not use ActiveSync, which is the de facto standard for mobilization of email.
o Third-party email apps with proprietary protocols are expensive for the vendor to maintain and customers to buy, while native email apps are free.

Upgradeability
o Core changes in the underlying operating system can break the Good security solution and require a re-registration of every deployed device. When iOS 5 was released in Fall 2011, customers of Good Technology faced a serious helpdesk and user issue: Every mobile device using Good Technology’s email app had to be reregistered. In other words, each end-user had to manually delete and reinstall Good Technology’s email app. The burden of this upgrade fell directly on the helpdesk and the end-user community. This indicates a basic architectural issue with the product that increases the total cost of ownership with every major operating system upgrade.
o The native iOS email experience, on the other hand, has no interruption in service and no incremental operating cost when the mobile operating system is upgraded.

Scalability
o Our customers tell us that each Good Technology server can only support 1000-2000 devices, and even fewer (600) if using the Good browser. Therefore, large deployments incur substantial infrastructure and ongoing operational costs. MobileIron, on the other hand, supports 20,000+ devices per server.

Single point of failure
o Good Technology has the same external NOC-based architecture as RIM. Therefore, email performance and availability is dependent on Good’s infrastructure and is outside the control of IT. Maintaining service levels will require additional monitoring of the Good infrastructure and investment in the tools to do so.
Device support
o Because email is a complex app, each new device make and model needs to be certified by the third-party email vendor. For example, there was a seven month lag between the U.S. launch of the original iPad in April 2010 and first availability of Good Technology’s iPad-optimized email app that November.
o In a BYOD world, device diversity grows over time. Users become frustrated when they cannot get corporate email because the walled garden email app does not yet support the make and model of their mobile devices.
o This is not an issue for the native email experience, because it is always certified by the manufacturer before device launch.
o If you are considering a walled garden email app, check the devices supported and the historical time lag between device introduction and email app certification.

Conclusion
We concluded Chapter 1 of this series with the statement “BYOD seems simple, but it’s often not.” That is the case with the walled garden approach for BYOD, as well. At first, it seems like a good fit for the security needs of an organization. However, any incremental risk management the walled garden may offer for BYOD is countered by the low user satisfaction, limited apps expansion, and high operational overhead that results.