In some ways this is not a new scenario for IT. However, in the past, the prevalent use cases on these types of personal devices were limited to the ability to connect to corporate email. Most enterprise email platforms offered some capability to remotely manage the data on the mobile device — or at least remove this data remotely. Thus there was limited risk associated with data loss and IT was comfortable supporting this scenario.
With the explosive growth of personal smartphones over the past few years, and with users demanding deeper access to corporate data, IT teams are now dealing with a far more disruptive change. IT initially saw BYOD as a loss of control relative to the traditional models of governance and control, but it is starting to see BYOD as an opportunity.
Still, this change in mindset brings with it the need for management, and many organizations are turning to a mobile device management (MDM) solution. The typical MDM deployment starts with identifying a solution platform, establishing that platform (in-house or in a SaaS model) and launching a pilot to manage a mixed environment.
However, most MDM initiatives struggle to mature beyond this point, and IT realizes that MDM is only one component of the BYOD puzzle; much more is needed to succeed with BYOD.
The BYOD Component Model provides the right framework. This approach focuses on understanding the readiness of each of these components in the organization's current context and creating a roadmap for a successful BYOD/MDM launch. With the component model serving as the backdrop, here are 5 considerations for BYOD success that go beyond an MDM solution:
1. Policies come first, technology second. If your organization has not taken the time to define acceptable use policies for mobile devices; if you have not yet understood the expected user behavior in response to these policies; and if you have not yet defined the governance and control mechanisms around these policies, your organization will struggle to implement an effective MDM solution. It is important to view your MDM platform as a way to monitor and govern understood policies rather than trying to use the MDM platform as a way to roll out mobile device policies. Get your Legal and HR teams on board as you develop these policies, and get their approvals before trying to manage them through the MDM platform.
2. Be realistic in what you manage. MDM platforms can give IT significant control over mobile devices, in some ways too much control, and this can be a double-edged sword. MDM platforms have by design been architected to meet the demands of situations that require a very high degree of "lock-down" to satisfy regulatory audits. However, this high level of control can easily be overexercised by overambitious IT groups. As an example, requiring a password on a device is a capability that can be enforced as part of a policy on a device under MDM control. However, nuances such as how often the password is changed, how strong the password needs to be, and how quickly the device locks on inactivity all require a careful balance against the type of usage on the device. In addition, many IT teams attempt to close security "holes" on mobile devices, such as the ability to forward documents or copy them locally, even though these abilities (and more) are available on the user's laptop or desktop.
3. Weigh the separation of personal and corporate. Most MDM solutions today accommodate the need to create a separation between corporate and personal data. However, I cannot overemphasize the importance of two aspects associated with this capability:
Communicating with and educating users on how the MDM solution can maintain this separation. These devices have become very "personal", and the thought of someone else installing software on them generates visions of Big Brother watching over their usage of the device.
Allowing users to back up personal data and be responsible for their own data. I have seen some clumsy attempts to limit the ability to sync the devices via USB-connected mechanisms or over-the-air sync. As a result, the user has no way of backing up their data.
4. Measure the risk of data breach. A device being used by a member of a company's board of directors needs to be identified and managed to a different security profile than a user device that occasionally connects to the corporate file system to look up the annual holiday schedule. I advise companies to categorize devices into Trusted, Semi-Trusted, Untrusted and Restricted based on their usage characteristics. While policy creation needs to be done at a much more granular level, this higher-level categorization allows corporate IT to understand the variety of risk profiles across the types of devices to be managed by MDM. The risk associated with the breach of a device in one category may be very different from that in another category. This understanding of the risk is important in determining the appropriate level of MDM control to apply in each category. Correspondingly, users in each category can understand the associated risk and are more open to being subjected to a higher level of control by IT.
5. Understand the impact on IT support processes. While the MDM platform can see every device enrolled under the BYOD program as well as all corporate devices, IT cannot be expected to provide the same level of support as was typically associated with laptops, desktops, etc. This situation is further complicated by the fact that the IT Help Desk cannot be expected to troubleshoot every possible device OS or wireless-carrier-related issue, or, for that matter, resolve questions about every possible app that can be downloaded from the public app stores. In several cases, creating a way for users to find help through self-service resources is an acceptable level of service. However, for critical issues such as a lost device or a password reset, IT needs to provide a clear and easy path to get support. Getting all stakeholders on board, including your service providers, carriers and users, can be critical.