Everything your users ever need to know about BYOD
The essential checklist
Back in the old days providing your employees with corporate computer equipment was an expensive business. When I was 19 I was the university holidays PC guy in an office full of RPG III developers; the fact that they thought their System/38 with its 5250 terminals was a pretty neat piece of kit was the only reason they didn't envy the spanking new IBM PS/2 Model 80 under my desk.
Over the past 20 years I have had a succession of expensive company computers: a Macintosh LC that had the same 68020 processor as the Sun-3 kit of which I was sysadmin at the time; the Mac IIfx that replaced it; the PowerBook Duo 2300c that came a few years later. Companies were spending vast amounts of money on equipment for their staff.
These days you can buy a really decent corporate PC for next to nothing. In fact, if you fancy moving to thin client you can even make it last five years and use open-source software to keep costs down even more.
Yet here we are in a world where companies are actively encouraging people to bring their own computers to work and use them for their day jobs.
So why is this? And how do you work with them to make sure that both you and your employees get the best from a BYOD (bring your own device) world?
You are used to people having various pieces of standard software on their machines: an office suite, email, calendaring, a web browser.
Some users have role-specific stuff too – project management software, perhaps, or your particular finance application. If a user moves to BYOD, deciding what to install on their device is a no-brainer: nothing that is commercially licensed.
Putting licensed corporate software onto users' own machines is a nightmare. The moment one of them leaves (or, even trickier, is fired) you have a problem on your hands because a licensed copy of your software is now floating around in the big wide world.
Yes, you can include clauses in employment contracts insisting that employees who leave must remove any company software and data from their personal devices. But are the clauses really enforceable?
Have workers stolen your property? Probably. But what if you catch up with them and they say: “Oh, [insert manager's name here] told me I could keep it if I went quietly”?
I have seen it done with expensive laptops, so it is bound to happen with corporate software too. It makes your life difficult when the software vendor counts up the copies of its product that are reporting home to its server with your licence key installed.
To give your users access to corporate applications you will need a virtualised infrastructure of some sort – virtual desktops or a Terminal Services-style setup where users log into central servers to run their apps.
This isn't a bad thing to do: it means you have excellent control over operating-system and application updates, and if you are sensible about how you build it you can make it look identical to users whether they are in your office or sitting at home.
In return, though, you will want to enforce some kind of standard, primarily to ensure that your users have a web browser that is sufficiently new to work with any apps you have that are (a) browser-based and (b) available without being connected either directly or via VPN to the corporate network.
And it is fair to do so because with today's auto-updates it is dead easy for them to stay current.
One of the reasons for going for BYOD is to reduce not just your equipment costs but also your support costs. If you own fewer systems you need fewer support staff.
It is pretty obvious where you draw the line between what you support and what you don't. For example, if a user can't connect their Mac to the wireless LAN and you can demonstrate that it is working fine (for instance by showing them that their phone is connected OK) then it is their problem.
Or is it? The result of people not being able to use their BYOD devices is that they can't do their jobs, which means you as the employer are losing out on productivity.
Now, you really don't want to succumb to helping your users out with fixes to their devices. As soon as you have helped one person you will have a queue for the support guys. Then there is the question of liability should someone on your help desk bugger up someone's PC and delete their family photos.
The best approach, then, is to have a handful of thin-client machines in the cupboard which you can give to users whose BYOD machines are out of action, on the strict understanding that there is a limit on how long they can have them for.
On or off the network?
People's own devices need to be outside the firewall; they access applications via the likes of Terminal Services or a Citrix platform rather than via a VPN, which would put an unmanaged device directly on your network and could be used for malware distribution.
You need two-factor authentication to be sure you are sensibly secure. Happily such mechanisms are ten a penny and easy to install these days, so there is no excuse for not doing so.
Oh, and remember we mentioned making the experience the same for users at home and in the office? Well, they are outside the firewall in both cases so you can have them accessing precisely the same interface wherever they are.
Although you are shying away from buying corporate equipment, consider providing screens or keyboards for the users. They last ages and are cheap to provide. You probably have loads left over, even though you have binned your old, obsolete PCs, and they are a genuine aid to productivity.
I am typing this on an ageing MacBook Pro that is fine for just writing stuff, but for my day job as an IT ops manager I crave screen space. I am more productive with project plans, spreadsheets and the like if I don't have to scroll everywhere.
Most of your users' BYOD devices will be laptops, so consider giving them some cheap peripherals.
Hang on to your data
We have already noted that you will be accessing applications remotely, but what about instances when you need to have data on your personal device? The most popular way to work with corporate data on the move is on one's phone.
Of particular interest is email, of course, but given that you can natively access many types of document on Android and iOS devices without needing licensed software, people also want to be able to carry data around with them.
This throws up an interesting dilemma: if you put corporate data on someone's own device, there is the potential for them to stroll off with it when they leave. Happily, there are plenty of answers to this problem, all of them variations on a theme: the sandbox.
The idea is pretty simple. You don't want users to have the data natively on their devices because you have no control over their phones and can't guarantee they will delete it when they leave.
So you run an application on the device which is registered with a server in your organisation and which “corrals” the data within that application.
The application can be configured to render the data inaccessible unless it can contact the server (or perhaps contact the server within a few hours, otherwise users won't be able to read stuff when they are in 3G deadspots or on the Tube).
Hence when people leave you can simply turn off their access and be happy that they can no longer see the data.
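The lease-and-grace-period logic described above, as an added illustration that is not code from the article or from any of the products it names. The server, user name, timestamps and six-hour grace window are all constructed assumptions; the point is that data stays readable through a signal deadspot but becomes inaccessible once the grace period lapses or the server says the user has been offboarded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: cached data stays readable for this long without a successful check-in
GRACE = timedelta(hours=6)

@dataclass
class Lease:
    user: str
    issued_at: datetime  # time of the last successful check-in with the server

class SandboxServer:
    """Registration server (hypothetical): issues leases and can switch a user off."""
    def __init__(self):
        self._active = set()
    def enrol(self, user):
        self._active.add(user)
    def offboard(self, user):
        self._active.discard(user)
    def check_in(self, user, now):
        """Fresh lease for an active user; None once the user has been offboarded."""
        return Lease(user, now) if user in self._active else None

class SandboxApp:
    """On-device container: only renders data while it holds an unexpired lease."""
    def __init__(self, user, server):
        self.user, self.server, self.lease = user, server, None
    def sync(self, now, reachable=True):
        # Offline (3G deadspot, the Tube): keep whatever lease we have; the grace period decides
        if reachable:
            self.lease = self.server.check_in(self.user, now)  # None == revoked: access gone
    def can_read(self, now):
        return self.lease is not None and now - self.lease.issued_at <= GRACE

def scenario():
    """Enrol -> deadspot -> grace expiry -> back online -> offboarded; readability at each step."""
    server = SandboxServer()
    server.enrol("alice")                                     # constructed user
    app = SandboxApp("alice", server)
    t0 = datetime(2013, 6, 1, 9, 0, tzinfo=timezone.utc)      # constructed timestamp
    app.sync(t0)
    app.sync(t0 + timedelta(hours=2), reachable=False)        # no signal: lease unchanged
    in_deadspot = app.can_read(t0 + timedelta(hours=2))       # offline, within grace
    after_grace = app.can_read(t0 + timedelta(hours=7))       # still offline, past grace
    app.sync(t0 + timedelta(hours=7))                         # signal back: re-check-in
    back_online = app.can_read(t0 + timedelta(hours=7))
    server.offboard("alice")                                  # user leaves the company
    app.sync(t0 + timedelta(hours=8))
    after_leaving = app.can_read(t0 + timedelta(hours=8))
    return in_deadspot, after_grace, back_online, after_leaving
```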
These products started with email and calendar access with the likes of MobileIron and Good for Enterprise, but nowadays they are far more complex and support more general ranges of applications. They are also much better at addressing the requirement of having a single, personally owned device for both corporate and personal use.
So packages like Samsung's Knox and RIM's BlackBerry Balance provide the ability to swap between personal mode and corporate mode on a device, the latter being nailed down by corporate security policies.
In some ways it is surprising that it has taken the vendors so long to catch on to this, but we have got there at last. Such packages offer a sensible compromise between controlling corporate data and not allowing the employer to blat personal data when someone leaves the company.
Oh, and you can enforce a sensible password policy on the sandbox just in case someone leaves their phones unlocked and on the train.
Let's just take a moment to talk about device security, as it is an obvious concern. What if your users don't heed any of your warnings or requests to keep their devices secure?
On their laptops and home computers you don't have to worry. As we have already mentioned you will be using two-factor authentication, so each user might have a little plastic token that throws up short-lived numeric passcodes to be combined with their normal corporate login (on which of course you can enforce frequent password changes and complexity rules).
But what about their phones? Well, at least you can enforce security on the sandbox application you have had them install for them to access corporate information.
Remember, however, that they probably care about the security of their own phone because it has their confidential stuff on it.
For example, the iPhone app for one of the major banks' online banking systems requires nothing more than a five-digit passcode before it dishes up confidential information – so you can bet that the more sensible users will have a phone lock code set too.
What about the cloud? One might answer this with: “Well, what about it?” If you have apps hosted in the cloud then your users' experience will be similar whether they are at home or in your office – it is just that the address they point to is somewhere out in the blue yonder rather than the external IP address of your own firewall.
Beware prying eyes
The final thing for users to remember is that having access to corporate data on their personal PC or phone has a lot in common with having the same access on a company-owned device.
What matters is who's looking over someone's shoulder when they are reading sensitive information, regardless of whether it is on a company PC, their own iPhone or a wad of printer paper.
Similarly if they travel outside the country they need to be aware of any rules that relate to the export of the data they have with them – and again the law doesn't discriminate between a paper notebook or an Android phone.
What is different, though, is that with BYOD they can't just leave their corporate world behind when they go on holiday – and if they are anything like me, their personal iPad, phone and laptop will all find their way into their hand luggage when they are heading off for some summer sun.
Points to remember
The message to the users is pretty straightforward, then:
- Your application access will be via a virtual desktop or Terminal Services-style session.
- We will let you know what browsers we support for browser-based packages.
- If your machine blows up it is your responsibility to get it fixed; meanwhile we will lend you something – but only temporarily.
- Wherever you are, you will have the same experience accessing your Terminal Services sessions and other apps – but you won't be natively on our network so you can't infect us with your PC full of malware.
- We will provide a modest amount of cheap kit such as screens and keyboards because that will make you more productive.
- Install this device management software on your iPhone/Android phone and you will be able to securely access corporate stuff without giving us full access to your personal device or data. Oh, and you can't inadvertently stroll off with it when you leave.
- We will secure our bit of your phone as best we can, but have your own phone-level lock as well, if only to protect your own stuff.
- Cloud apps are no big deal – so long as you have an internet connection you can connect both to them and our network.
- Finally, don't forget that your corporate world is now inextricably part of your personal phone – so don't leave it behind when you get on that flight or that ferry.