Over the past few years, consumer devices have flooded the enterprise, and with them has come a change in mobile device policies. In enterprise mobility’s infancy, most companies took a corporate-liable (CL) approach: all devices and monthly contracts were paid for by the enterprise, and IT chose which brands and models were supported. With the increased consumerization and democratization of smartphone use in the enterprise, the individual-liable (IL) device policy emerged: employees connect their personal devices to the enterprise network, and their companies choose to reimburse some, all, or none of the cost of the devices and monthly contracts.
With more consumer devices coming to market each month, and with the introduction of the iPad and all the tablet computers that followed, more employees want the freedom to choose which devices they connect to the enterprise network. Are enterprises accommodating this desire, or are they sticking to their CL roots?
To answer these questions, we conducted an online survey in March 2011 with Mobile Enterprise subscribers entitled “Are Your Mobile Devices Corporate-Owned or Individual-Liable?” The 117 enterprise executives who responded represent corporations, government agencies, healthcare organizations, and educational institutions in North America across a range of verticals and all corporate sizes.
The mobile device liability models covered in this survey are defined as: corporate-liable (employer provides employee with device, pays all bills); individual-liable/fully reimbursed (employee buys device, monthly contract is fully reimbursed by employer); individual-liable/partially reimbursed (employee buys device and receives fixed monthly reimbursement from employer); completely individual-liable (employee pays for device and monthly contract and receives no reimbursement from employer), and hybrid (a combination of CL, IL/fully reimbursed, IL/partially reimbursed, and completely IL).
Device liability by the numbers
This survey is a follow-up to a similar survey that we conducted last year on the same topic, and there were some staggering differences. The biggest difference was in which mobile platforms are approved and supported by enterprise IT. While the percentage of enterprises that support Apple iOS, BlackBerry, Symbian, webOS, and Windows Phone was similar to last year, more than twice as many enterprises now support Android. The percentage jumped from 21.6% in 2010 to a whopping 45.2% in 2011 (see Fig. 1). That is due to the increased number of Android devices on the market and its emergence as a strong competitor to BlackBerry and iOS in the enterprise.
But who pays for these devices? Overall, 35.9% of respondents said that all of their smartphones are CL, down from 39% last year, and 11.1% do not use the CL model for any of their smartphones (see Fig. 2). IL devices increased across the board from last year’s numbers. For many respondents, a hybrid approach to mobile device liability is used.
Device liability varies across the disparate mobile platforms as well (see Fig. 3). The majority of BlackBerry devices, 74.5%, are CL, a number equal to last year. CL Windows Phones have decreased to 32.0% from 46.3% last year. Android and iOS are about equal in CL devices in the enterprise, with 36.6% and 31.8% respectively. The big news here is that Android jumped almost 10% in CL devices from last year, when it was only at 27.5%.
It’s clear from these numbers that increased consumerization has affected the enterprise. More employee-owned devices are connecting to the enterprise network, and not only that, more enterprises are choosing non-traditional enterprise OS devices for their employees. But how do enterprises choose which device liability model is best for them?
The case for CL
CL device policies are driven by tight security requirements. They are seen in heavily regulated verticals such as government, financial, and healthcare. Their need for tight access control, security, and regulatory compliance steers these enterprises to the CL model.
The case for IL
Corporate executives are responsible for the IL model. CXOs tend to have the latest and greatest electronic devices, and when they bring their own mobile devices to the office, they expect to be able to connect them to the enterprise network. IT was then challenged with finding a way to connect disparate mobile devices to the enterprise network.
Cost is a big driver of the growth of the IL device model. Enterprises transfer some (or all) of the cost of the device and contract onto the employee. In addition to the cost savings, they get increased employee satisfaction and productivity, and the lower overhead lets a broader number of employees gain access to data and services.
Munson Healthcare, Traverse City, Mich., is a regional, non-profit healthcare system with seven hospitals located throughout northern Michigan. All told, Munson has 5,000 employees.
Joe Dechow, manager, IS infrastructure, is in charge of the mobile devices across the entire healthcare system. Several years ago, Dechow and his team switched the healthcare system from a CL device policy to IL.
“We put this policy in place several years ago in order to be compliant with the IRS as well as to place controls on cell phones,” Dechow explains. “There were abuse issues, a lack of responsibility, and the costs were getting quite out of hand. And that was prior to widespread adoption of wireless in our area or having smartphones with much capability.”
Dechow and his team manage 450+ cell phones, about 150 of which are smartphones. “The devices are used by a wide variety of staff in nearly every area,” Dechow explains. “The need is general, based on the job duties of the person and how important it is to keep them in close contact. Since many of our staff have duties at more than one location, this becomes pretty critical.”
A strict approval process is in place for employees who want a personal phone to be corporately subsidized. “Anyone that believes they should have one assigned has to petition their chain of command for it based on need, and an administrative-level person must approve (VP or better),” says Dechow. Due to funding restrictions, these requests are not always granted. However, once approval has been granted, users have to sign agreements regarding expectations and reimbursement costs.
“A person also has to agree to and sign a service level agreement (SLA) that binds them to the expectations and to their financial share of the cost,” says Dechow. “They are required to pay their share via payroll deduction so there is minimal paperwork and never any gap in payment.”
Dechow’s advice for transitioning to an IL plan? Put clear policies in place including SLAs, get corporate buy-in, and automate as much of the process as possible.
“Get clear and full buy-in from the executive level,” Dechow says. “Even our VPs have to get a signature from their boss, the CXO they report to. And the CXO folks even sign the SLA.”
Also ensure that the person who handles the billing is well trained. “We all know how accurate any kind of phone bill is (read: it never is right, and you have to monitor the carriers as well as the users),” Dechow explains.
The case for a hybrid approach
A hybrid device model combines CL and IL models into one mixed model. This has come about due to enterprises transitioning from a CL device model to an IL model. Many enterprises have found that it makes sense to keep one business unit CL while allowing other employees the freedom to choose their own devices and let those employees be IL.
Stanley Black & Decker, a manufacturer of hand and power tools, has approximately 30,000 employees globally. It has more than 7,000 corporate-owned devices in its organization, but it also has a policy allowing certain employees to connect their personal devices to the enterprise network. As such, the company has a hybrid strategy regarding mobile devices within the enterprise.
Jennifer V. Crawford, corporate manager, Wireless & Mobility Services, is employed in the Global Infrastructure & Operations Services Organization at Stanley Black & Decker’s Towson, Md., campus. Within this organization, she develops Stanley Black & Decker’s mobile device strategy. “We have many drivers on strategy, from the top down as well as the bottom up,” explains Crawford, “but the holistic strategy is synthesized, deployed, and managed through Mobile & Wireless Services department.”
Prior to the merger of Stanley and Black & Decker last year, both organizations had the CL model. “We have used the CL model for over 10 years,” explains Crawford. “The CL model allows us sole control over the mobile numbers and the total dollars spent. By consolidating the business, we have had success in negotiating discounts and contracts with the carriers.”
Most of the corporate-owned devices are used within the executive, field sales, marketing, and field technician workforces. Job function and manager approval are the determining factors in who receives a CL device.
If an employee is not eligible for a CL device, Stanley Black & Decker has a policy in place that allows the employee to connect his/her personal device to the corporate network. “We allow some personal devices to connect but only if they agree to certain criteria, i.e. password protection, wipe upon exit, self-support and backup, and no reimbursement,” explains Crawford.
Crawford finds it difficult for the company to manage both CL and IL devices. “It’s like herding cats,” she says. “We are challenged with security issues—password requirements and wiping don’t seem to be enough. Device volatility is another issue—maintaining a high support level for the constantly changing devices within the environment is essential but difficult to keep up with.”
Crawford has strong recommendations for those who are looking to embark on a hybrid mobile device policy. “Have a policy that is clearly defined,” she says. “Remain consistent across the board on approval processes, and know as much as possible about who’s accessing your environment.”
In spite of the challenges, Stanley Black & Decker is satisfied with the hybrid approach to its mobile devices. “It allows us the best of both worlds,” says Crawford.
Device liability isn’t only about who pays for the devices—it’s also about the data. IT needs to have the ability to distinguish between personal data and corporate data on an IL device. IT also needs to respect the privacy of the users. In the year ahead, location-based policies will emerge that safeguard end-user privacy while implementing all of the same security features that exist today to protect the data.
Companies that want to remain CL but also want their employees to have a wider choice in devices to satisfy their needs will expand the number of CL device types they support to two or three platforms. They will see the employee satisfaction gains of the IL model while retaining the strict security and policy regulations of the CL model.
About this survey:
This online survey, “Are Your Mobile Devices Corporate-Owned or Individual-Liable?” was fielded to Mobile Enterprise subscribers in March 2011. The 117 respondents represent enterprises of all sizes and span a range of industry verticals. The mobile device liability models covered in this survey are defined as: corporate-liable (employer provides employee with device, pays all bills); individual-liable/fully reimbursed (employee buys device, monthly contract is fully reimbursed by employer); individual-liable/partially reimbursed (employee buys device and receives fixed monthly reimbursement from employer); completely individual-liable (employee pays for device and monthly contract and receives no reimbursement from employer), and hybrid (a combination of corporate-liable, IL/fully reimbursed, IL/partially reimbursed, and completely IL).