BYOD: Get Your MDM Off My Device

This article title has a couple of those oh, so wonderful acronyms we love to throw around in the tech industry. BYOD = Bring Your Own Device and MDM = Mobile Device Management. These two acronyms go hand in hand.

For years now, enabling BYOD has been a goal for many organizations. Those working as IT professionals have probably heard that in the past, IT has been the department of No and today, modern IT teams need to be the department of Yes.

Executives and vendors tout that end user's and particularly younger talent, want to work on their own devices. It has been suggested young talent will turn down jobs from organizations with what they deem antiquated technologies and workflows.

You can no longer just provide a desktop or laptop with a standard company image and managed set of applications. Restricting the users from downloading and installing anything they damn well please is a thing of the past. (We're also not meant to call them users anymore)

The way we all managed our end user's and their devices in the past to keep the organization's data and assets secure, as well as empowering the user in a way that also protected them from themselves just isn't going to cut it anymore.

We must remove roadblocks and restrictions, we must allow users to do whatever it is they want in order to feel empowered. We must provide a service tailored to both their needs and wants. We must not force feed them whatever it is we decide is best for them to consume. If they want their own device and the ability to manage it themselves through self-service, we must be able to provide this for them.

WE MUST! WE MUST!

 

New Approach, Same Expectations

The catch here is that the end results for the organization must be the same as when you had control over your user's data and assets. You need to ensure the organization's data is secure and provide the software and access required to keep the employees productive on a device which the organization doesn't own.

Administrators now live in a world trying to corral all kinds of different devices, running many different apps and various different operating systems. The Android devices alone have a wide range of different operating systems and a near endless list of apps which may be on them. You won't know what people have until you have to support them. It's quite the conundrum. Remove all safeguards whilst also keeping our data secure on a device we don't own. It's the plot of a Dilbert comic strip!

How can you achieve all of this?, why, with MDM of course! Some of the leading MDM products on the market today include VMware AirWatch, MobileIron, Microsoft InTune and Citrix XenMobile to name a few. MDM products, unlike many of their Electronic Software Distribution predecessors, are designed to work across many different device types and operating systems including smartphones, tablets, laptops and desktops.

The onboarding workflow consists of an employee downloading the MDM app on their phone and selecting to enroll into their organization through the app, usually by providing their company e-mail and password.

For mobile devices such as phones, tablets and laptops it is of crucial importance to protect all company data in case the device is lost or stolen. You don't want a thief getting a device which has access to sensitive customer information. You want to stay off the evening news!

Good MDM products allow you to set criteria your user's device must meet in order to enroll into the organization and enable you to enforce your own security policies and set mandatory compliance policies for user's to follow, which you can update and change at any time. Theoretically securing your data on the employee-owned device.

With these MDM products you can push apps to user's devices and even control configuration settings for new and existing apps. This takes care of the need for deploying and managing the orgs software on the devices.

All sounds great, right? You have enabled the end user to use their own device, which is what you've been told they wanted. They no longer have the restrictions placed on them through your attempts to safeguard the company's data and assets from what is often user created problems. Job done! BUT WAIT, it's not that easy.

All That Glitters is Not Gold

Think of this from an employee perspective. Not as an administrator, not as a manager, not as an executive and not as a business owner.

What if your organization decides that if you want to enroll your own device for accessing your company e-mail, you must set a 6 digit pin on your phone. Do you have a 6 digit pin? If not, you'll have to set one to get your e-mail. What if in a few months, you get prompted that the company has decided that you must now  encrypt your device with an 8 digit pin? How often do you look at your company e-mail on your phone? How often do you look at your phone for things other than company e-mail? It doesn't matter, you'll now always have to put in a 6-8 digit pin anytime you want to use your phone.

What if like me, you have your own personal Office 365 account for your e-mail and the company provides you an Office 365 account for your work e-mail but with a policy that to access this e-mail through the Outlook app, you must enroll with their MDM? In theory, the two accounts shouldn't cross streams. The organization's data retention policies and protection policies shouldn't interfere with your personal data BUT the security policies can still have

In theory, the two accounts shouldn't cross streams. The organization's data retention policies and protection policies shouldn't interfere with your personal data BUT the security policies can still interfere with how you use your phone, such as when I went to Thailand for 2 weeks and could no longer log in to my corporate e-mail as the multi-factor authentication wouldn't work from my location. I started getting prompts every 15 minutes that Outlook needed me to authenticate again. Eventually, after it drained my battery, I ended up removing my company e-mail account to stop the notifications.

With most MDM products an administrator also has the ability to remotely wipe your phone. Usually there's an option to just wipe all company data from the phone but there's also an option to wipe all data. This is sometimes used in the case the phone has been stolen.

As pointed out by Jarian, even if you don't enroll with an MDM product, if you access company e-mail your data can still be wiped remotely. You should consider that when choosing whether or not to use your personal device for work e-mail.

I recently had a discussion about using personal smartphones for on-call work purposes with an employee of a large tech company. In cases, to protect the corporate data they prevent the ability to debug phones via a PC with a USB cable as part of an MDM security policy. Personally, that's where I draw the line. If you want to prevent me from debugging my own phone to protect your data, it's not worth me having access to my work e-mail and apps on my devices. I will un-enroll and you just won't be able to reach me when I'm not in the office.

The Hard Truth

Whilst there's a narrative that BYOD is about enabling workers to use the devices and have the workflow that they want, there's really something else at play. Organizations want you to pay for your own PC, laptops, phones etc. You save them a lot of money in the long run. In certain organizations with a BYOD strategy they don't pay for devices, they pay less on licensing for operating systems and they offset some of their support onto you. As always, this isn't a decision-based in the best interests of the workers, this is a decision based on money.

Lots of companies still pay a stipend toward your phone bill. Many will also still pay toward whatever device you'd like to purchase for yourself. My advice to those considering a role with a BYOD policy, make sure they pay for your device and you should still plan to have your own personal devices free from your employer's eyes and mandates. I'm glad we still have Microsoft RDS, Citrix XenApp, VMware Horizon Apps and Parallels Remote Application Server when I want to access my work email and apps, I can still do remote through published applications, SaaS applications and virtual desktops.

Images sourced through:

NeONBRAND jesse orrico Domenico Loia

Sponsors

Rory Monaghan

Microsoft MVP in App-V.  Citrix CTA.  VMware vExpert.  Unidesk Certified Engineer.

Partners