BYOD Challenge: How IT Can Keep User-Owned iPhones And iPads Secure In Enterprise [Feature]

One of the challenges of BYOD programs is the need to secure corporate data on an employee’s personal device. That usually means locking down the device by applying one or more management profiles to it. This can be as non-intrusive as requiring a passcode that meets certain criteria, or it can be very restrictive and limit core features and services such as iCloud or Siri on the iPhone 4S.

While there’s a technical challenge to securing employee-owned devices, there’s also a personal challenge. It’s not a small demand to ask for someone’s brand new iPhone or iPad and impose limits on what they can do with it, even if that means something as trivial as enforcing a passcode policy. It shouldn’t come as a huge surprise that employees sometimes object to that intrusion, particularly when it comes to more severe management requirements.

The question is: how does IT respond to this situation?

IT veterans may be tempted to tell users that they must agree to all device management or they won’t be able to use the device as part of their job. It would follow that users who don’t agree will be restricted from accessing an internal wireless network, checking their corporate email, looking up corporate contacts, or accessing any file or document shares.

There are two problems with that approach. It is unnecessarily adversarial and makes all of IT look like the enemy of progress, productivity, and even of business needs. More importantly, it won’t stop users from bringing the device into work with them and using it. You can block someone from a corporate network and an Exchange account, but you can’t stop them accessing the Internet on an iPhone or 3G iPad, and you can’t stop them entering contacts, calendar appointments, and other business data onto their iPhone or iPad by hand or by emailing things between their work and personal accounts.

The reality of the situation is that IT no longer has the practical ability to say “our way or the highway,” even if their management has given them the authority to do so, which is becoming less and less likely. Instead, IT needs to develop the political capital to convince users to allow management of their personal devices – and there’s no one-size-fits-all way to do that. There are, however, a range of approaches to take.

  • User education – The best place to start is by explaining to staff members what the real dangers are when it comes to device security and privacy. Most people are, in fact, good at heart. If you can get the concerns that device management resolves across to them in everyday language, almost anyone will be more receptive. That often takes one-on-one conversations rather than simply writing and distributing a policy, but it is one of the most effective options, even if it doesn’t get immediate buy-in to the idea of management on its own.
  • Cost sharing – One option for organizations is to share the cost of the device or monthly service. This is the suggestion most often offered by mobile device owners. The challenge is that the cost sharing still needs to be cost effective for the employer. Otherwise there’s no real advantage to doing BYOD.
  • Purchase assistance – Offering to help employees select a new phone or other device has multiple advantages for both the individual and for IT. It ensures that employees choose devices that meet enterprise security requirements, offers a chance for IT to discuss security challenges and the need for management, eases the selection and purchase of a device and/or service plan for users who aren’t comfortable with technology, and can provide basic education on using the device as well as ensuring proper device enrollment. One interesting extension of this is for a company to purchase devices on behalf of users, often from a limited set of options, and allow them to pay back the purchase price by payroll deduction (perhaps with a minimal interest rate) or simply to earn the device by using it for work for a specified length of time. The challenge with this approach is that it is very staff-intensive.
  • Tiered access – One approach being taken in some enterprises is to offer BYOD in two or more packages or plans. Plan one is a fully managed device that has access to an internal network, all network resources that a user can access from his or her work computer, and full tech support for the device and the business apps on it. Users with completely unmanaged devices can access a guest wireless network for Internet access and possibly an Exchange account or its equivalent. They can use the device but get no direct access to confidential resources, and no tech support beyond access to the guest network. Tiers can be implemented in between, with the goal of encouraging users to opt for higher tiers.
  • Reward for enrollment – Similar to cost sharing and tiered access, this means giving the user something in return for allowing access to his or her device. It could be something material but not overly expensive, like a gift card for iTunes or Starbucks or a larger display for their work computer. Or it could be something less tangible, like a better parking spot, technology advice, or the option to leave early every other Friday. I’ve heard of a couple of companies even offering basic support for workers’ personal computers as a reward.
  • Reward for good behavior – Another approach is to offer rewards to users who follow acceptable use policies. The easiest implementation is to enroll every device in a BYOD program and track whether the devices are being used according to policy via the monitoring and reporting features in iOS. So long as they are, users get something back – one approach (inspired by Allstate’s good driver discount program) is to reduce or remove management policies, although any other tangible or intangible item could work.

It’s also possible to extend beyond the common MDM solutions. Good and Accellion, for example, use secure on-device storage in a sandbox approach that encrypts business data and keeps it separate from personal data and apps, which can be wiped without removing personal content. Virtual desktop solutions like Citrix function by never actually housing data on the device itself. These solutions don’t require traditional full device management because they work by creating a secure corporate locker.

The reality of the situation is that there is no single best model for handling the innate tension between the employer’s security and management needs and the device owner’s expected freedom that is part of the BYOD paradigm. Each organization has its own needs, acceptable risks, and employer/employee relationship. The one thing that is imperative for any company is to develop a strategy before opening the BYOD floodgates, even if that strategy will probably need some tweaking along the way.

  • WVMikeP

    ” and you can stop them entering contacts”

    should be

    ” and you can’t stop them entering contacts”

    ——

    ” even if they’ve management “

    should be

    ” even if their management “

    ——

    “Instead, IT needs to develop the political capital to convince users to all management of their personal devices”

    should be

    “Instead, IT needs to develop the political capital to convince users to allow management of their personal devices”

    You guys need an editor.

  • Brandon Dillon

    Ryan, I had never heard of you until recently, but I’m definitely becoming a fan. Keep up the good work.

  • Adam

    It’s possible to address security concerns and still implement BYOD. What’s needed is to separate the Enterprise apps and data from the personal devices. This can be achieved with a solution like Ericom’s AccessNow, a pure HTML5 RDP client that enables remote users to securely connect from various devices (including iPads, iPhones, Android devices and Chromebooks) to any RDP host, including Terminal Server (RDS Session Host), physical desktops or VDI virtual desktops – and run their applications and desktops in a browser. This keeps the organization’s applications and data separate from the employee’s personal device. All that’s needed is an HTML5 browser. No plug-ins or anything else required on the user device.

    AccessNow also provides an optional Secure Gateway component enabling external users to securely connect to internal resources using AccessNow, without requiring a VPN.

    For more info, and to download a demo, visit:
    http://www.ericom.com/Windows-

    Note: I work for Ericom

About the author

Ryan Faas is a technology journalist and consultant living in upstate New York who has written extensively about Apple, business and enterprise IT, and the mobile industry. In addition to writing for Cult of Mac, he is a contributor to Computerworld, InformIT, and Peachpit Press. In a previous existence he was a healthcare IT director as well as a systems and network administrator. Follow Ryan on Twitter and Google+.


Posted in News