Banish the fear of Big Brother when you bring in BYOD
The magic of MDM
As I have said before, bring your own device (BYOD) can be a difficult concept to sell. After all, you are basically saying to users: “We want you to supply your own IT equipment but we want to be able to control the corporate data and applications that go on it.”
Yes, you can sweeten the pill by offering a financial incentive – namely, contributing to the purchase of the device in the first place – but there will still be concern about the Big Brother aspect.
How, then, can you allay your users' fears and help them accept, and even embrace, the idea of using their own phone under corporate control?
Although I will mention Casper Suite from time to time, most of the points I will discuss are down to the capabilities of the device operating system rather than the mobile device management (MDM) service itself.
If you have a personal PC running Windows 8 Pro, part of the operating system is a chunk of code that allows it to join to an Active Directory domain. If you are a home user you probably don't care about this as you are unlikely to be using a domain at home, but the features are there.
Now, if you have an iPhone running a reasonably recent version of iOS you may well never have visited the “General” section of the Settings control panel and explored the “Profiles & Device Management” subsection (or its equivalent in earlier versions).
Yet this is the iOS equivalent of that under-the-hood domain funkiness in Windows: it is the client-end component of a mechanism for deploying and controlling settings from a central server, and it is a standard part of the iOS software.
(If you are interested in finding out more, incidentally, you can get started here.)
Not only that, but if you want to define and deploy profiles from a central location you can do so with Apple's own Apple Configurator application, which you can download free from the App Store.
Packages such as Casper Suite provide additional functionality besides the basic features you get with the Apple freebie, but all of these systems are using functionality that is standard in iOS.
Users need not, therefore, fret that some wild new extras are being forced onto their devices to take over their world: actually they already have everything they need on the device, and all you are doing is whacking on some configuration settings in the form of a profile.
One of the key features you need to explain to users is the ability to wipe the device remotely. The thing is, though, that with MDM packages that allow partial management of devices the remote wipe function is not quite what a user might fear.
Indeed, in the Casper Suite the function has a more sensible name: “Wipe institutional data”. And that is what it does – it tells the device to remove only the items that were placed on it as a result of installing the MDM profile.
The server application doesn't have access to blow away anything from the device apart from the items that are on there as a result of the profile you delivered to it.
So users need not worry that you can blow away their data because you simply can't. Oh, and if you have convinced them of this but they then worry about you being able to see their private applications, well, there is no need.
Although you have visibility of, and control over, the apps and data you push to the device, you can't interrogate the personal stuff that they have installed separately. So their secrets are safe.
The point about BYOD is that the device is the user's own, so users can in theory do whatever they wish with their devices. One of the things a user may decide to do is to remove the manageability settings so that the institution can no longer manage it.
In an iOS world, you do this by removing the profile from the device (we mentioned Settings → General → Profiles & Device Management earlier: that is the place to look).
When you remove the profile it will blow away any of the settings that it configured, including de-configuring any email accounts, Wi-Fi settings, VPN connections and the like. Settings that were not managed via MDM will remain and the device will no longer be available to the institution via the management GUI.
It is as simple as that, then. If users want their device to become unmanaged all they need to do is blow away the profile.
The only potential difficulty is entirely contractual – that is, if your employer has helped you buy your device there is probably something in the contract that obliges you to actually use it for your work.
The final important aspect that can help you sell the idea of partial MDM on personal devices is that it can actually make users' lives easier and their devices more secure.
Packages like Casper Suite, for example, let you enforce the requirement that users have a passcode on their device, that the passcode must be suitably complex, that the device must auto-lock after a given period of inactivity and that users avoid re-using old passcodes.
Although you are enforcing these rules with the aim of protecting your institutional data, the user is also getting the benefit: if the device is nicked the user's personal data as well as the institution's will be protected by the security policy.
As for making users' lives easier, well, if someone has kindly given them an idiot-proof way to set up their device to talk to all the systems they need to access, then it has probably saved a couple of hours of their lives that would otherwise have been spent mistyping server addresses and passwords on teeny touch-screens.
And my favourite usability bonus comes when users trade up to a new device – they can just rattle through the enrolment process and leave the MDM system to do all the boring stuff.
MDM on personal devices is actually pretty easy to sell to users in my experience because it is a fairly convincing three-factor sell.
All you are doing, at least in an iOS setup, is configuring features that the device already has built in. You are not adding dodgy-sounding back-door software that gives some magic new access that doesn't already exist.
Where the institution uses a package such as Casper Suite, then assuming the user enrols his or her device with the “personally owned” box ticked, the most the institution can blow away is the stuff it put there in the first place.
MDM may also make personal use of the device easier and more secure.
And if it comes down to it, the user can always change his or her mind: blowing away the profile gives Big Brother the cold shoulder.
The Register is running a series of BYOD workshop articles in association with Jamf.