So, you want to adopt BYOD?

What you need to know before integrating employee devices on your network

Bring Your Own Device (BYOD) is the current hot trend. (And has been for a while, really.) There are many perceived advantages for a company that allows employees to bring their own devices to work and have access to your company resources, but is BYOD right for you? Can you make mistakes when developing your BYOD policies? Can you really let any device connect to your resources?

Let's look at a few of the top issues that you should be aware of.

What devices should your BYOD policy include?

BYOD used to mean Bring Your Own (Smartphone or Tablet) Device. The BYOD movement started through the failure of BlackBerry to keep up with Apple and Google as they began to dominate and revolutionize the mobile landscape with more capable devices that had much faster CPUs, more memory, larger screens, and desktop web browsing capabilities.

BYOD has now morphed into Bring Your Own (Smartphone, Tablet, or Laptop) Device. But what devices do you want your BYOD policy to include? Do you want to limit it to smartphones and tablets, or do you want to include laptops?

[Image: iPhone and BlackBerry Q10]

Which smartphones and tablets should you allow?

Today the market is awash with smartphone and tablet choices from Apple, Google, Nokia, Microsoft, Samsung, HTC, Motorola, LG, and even Amazon — to name but a few manufacturers. If you adopt a BYOD policy that includes smartphones and tablets, can you really allow your employees to bring in any device they want, and expect that the device is secure enough?

The answer is no, not all mobile devices can be secured to the same level. (Nor should you ever assume an employee's home device is safe.)

Apple leads in the enterprise because it has built strong and flexible APIs since 2010 (starting with iOS 4.0) that allow Mobile Device Management (MDM) vendors to tightly secure, control, restrict, and monitor iOS devices. Those controls have improved greatly with iOS 7. Google's Android mobile operating system is not as popular in enterprise because Android does not provide many built-in controls and is perceived as insecure — even though that isn't really the case.

Vendors like Samsung have made radical additions to Android to try and make it more secure. For example, some Samsung devices support Samsung Approved For The Enterprise (SAFE) and Samsung Knox, which allow similar kinds of controls to those found in iOS. Windows Phone and Windows RT tablets presently lack the kind of secure compartmentalization that is available on iOS and Samsung devices.

So as you think about which devices you should allow, you need to consider how each can be secured. You can either restrict the choice to iOS and a small selection of Android and Windows Phone/Windows RT devices, or you can use a device security method called Containerization, which we discuss in its own section below.

Will you allow laptops?

If you allow your employees to bring their personal laptops, which ones will you allow, and how will you ensure that they are secure? Some MDM vendors do offer laptop management, but you may choose to use virtual machines instead. Virtual machines allow you to create a "company secure build" of Windows and have that virtual machine run on personal Windows, Mac OS X, and Linux laptops.

Mobile Device Management (MDM) or Containerization?

The traditional method of securing smartphones and tablets is to use MDM. This gives the IT staff full control over the entire mobile device if they choose to use it, or control over only the company data and apps.

Your employees may not appreciate that you have full control over their mobile devices, even if you have chosen not to exercise that power. They may prefer that you only have control over part of their device, leaving their personal data alone.

Containerization (also known as Dual Persona) is the solution to two issues. The first is providing the same security policy across all smartphones and tablets no matter what operating system they are running. The second is the separation of personal and company data.

By keeping your company email, contacts, calendar, and apps in a separate, secure, encrypted container on the smartphone and/or tablet, you have no visibility into the employee's personal device, apps, and data. You are limited to controlling only the container. Dual Persona is increasingly becoming the go-to choice for BYOD since it provides peace of mind and truly separates personal and company data.
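The separation described above, and the practical difference between a container-scoped wipe and a full-device wipe, can be shown in a few lines. The following is an added illustration, not code from the article or from any MDM vendor: the phone, its personal data, the container key and the management actions are all constructed for the example. The cipher is HMAC-SHA256 run in counter mode (with a separate MAC key) only because the Python standard library has no AES; a real container would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed illustration of a Dual Persona container: corporate data on
# the phone is sealed under a container key held by the management agent,
# personal data sits outside it. A container-scoped (selective) wipe only
# destroys that key (crypto-erase); a device-scoped (full MDM) wipe also
# clears personal data. HMAC-SHA256 in counter mode stands in for a vetted
# AEAD here; it is not a production cipher choice.

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the container key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong key (e.g. after crypto-erase) or tampered ciphertext.
        raise ValueError("container data is unreadable")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class Phone:
    """Hypothetical BYOD phone: personal data beside an encrypted container."""

    def __init__(self) -> None:
        self.personal = {"photos": b"holiday.jpg", "sms": b"dinner at 7?"}  # constructed
        self.container_key = os.urandom(32)   # held by the management agent
        self.container = {}                   # name -> sealed blob

    def put_corporate(self, name: str, data: bytes) -> None:
        self.container[name] = seal(self.container_key, data)

    def read_corporate(self, name: str) -> bytes:
        if self.container_key is None:
            raise PermissionError("container has been wiped")
        return unseal(self.container_key, self.container[name])


def selective_wipe(phone: Phone) -> None:
    # Container scope only: discard the key. The sealed blobs (and any
    # copies of them in a backup) become unreadable; personal data is untouched.
    phone.container_key = None


def full_wipe(phone: Phone) -> None:
    # Device scope, as a traditional MDM can do: everything goes.
    selective_wipe(phone)
    phone.container.clear()
    phone.personal.clear()


if __name__ == "__main__":
    phone = Phone()
    phone.put_corporate("mail", b"Q3 forecast: confidential")
    print(phone.read_corporate("mail"))
    selective_wipe(phone)
    print("personal data still present:", sorted(phone.personal))
    try:
        phone.read_corporate("mail")
    except PermissionError as exc:
        print("corporate data:", exc)
```

The point of keying the container rather than merely deleting files is that a selective wipe stays effective even for copies of the container that left the device (in a backup, say): without the key, `unseal` fails its integrity check and returns nothing. The management agent never needs access to the `personal` dictionary to achieve that.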

[Image: Lumia 920 company apps]

Bring Your Own App (BYOA)

BYOA is a movement that leverages the popularity of containerization, but at the app level. The idea is that you take your company's apps, wrap them in a secure container, and push them to your employees' personal devices. You only have control over the app in its container, not the rest of the device. The app is secured in its container and may have access to data behind your firewall via a secure connection from the container.

This truly separates corporate and personal data at the app level.

Monthly voice and data costs

When you allow your employees to use their own devices, you should consider whether you want to compensate them in some way. Do you want to take the approach that, since they would be paying for voice and data anyway, you do not need to provide a monthly stipend? Some employees may argue that they pay for voice minutes and data usage based on their personal use, and do not have unlimited data plans. In this situation, they could argue that their voice and data usage will increase when they start accessing company resources.

You need to decide whether to offer a monthly voice and/or data stipend, and how much to offer.

If employees need to travel internationally for work, how will you handle international voice and data rates?

Support costs

When you adopt a BYOD policy, you will need to decide whether you want to provide support for your employees, and how much support. Your employees may be bringing devices running multiple mobile operating systems (and in the case of Android, many variants of that operating system).

What type of support will you be offering through your help desk? How will you effectively train your support staff to deal with the device diversity, and will you need to hire more people to provide that support?

[Image: iPhone secure workspace]

How do your current laptop security policies translate to mobile?

Most companies already have well-established security policies that they apply to company-provided laptops. These include password policies, hard disk encryption, two-factor authentication, limited web browsing, and blocking of external storage, to name a few.

While you may want to simply apply those same policies to smartphones and tablets that access your resources, it may not be practical to do so. Some policies that work on laptops may not translate to mobile, and policies that do translate may be too invasive or limiting. Plan on using a subset of your current end-point policies for mobile.
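One way to make "a subset of your end-point policies" concrete is to give every control an explicit list of platforms it applies to, and evaluate a device only against the controls that apply. The block below is an added example, not the article's own code or any vendor's product: the control names, posture fields and sample devices are all constructed for illustration. It also shows one control being relaxed for mobile (an encrypted corporate container accepted in place of whole-device encryption) and one laptop control (blocking external storage) having no mobile counterpart at all.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed example, not the article's own code: an endpoint control
# catalogue in which every control declares the platforms it applies to,
# and a posture check that evaluates only the applicable subset for a
# device. The device records below are made up for illustration.

LAPTOP, MOBILE = "laptop", "mobile"


@dataclass
class Posture:
    name: str
    platform: str                 # LAPTOP or MOBILE
    passcode_set: bool
    device_encrypted: bool
    mfa_enrolled: bool
    container_encrypted: bool = False        # mobile: corporate container sealed
    external_storage_blocked: bool = False   # only meaningful on laptops
    rooted_or_jailbroken: bool = False       # only meaningful on mobile


@dataclass
class Control:
    name: str
    platforms: FrozenSet[str]
    passes: Callable[[Posture], bool]


BOTH = frozenset({LAPTOP, MOBILE})

CONTROLS: List[Control] = [
    Control("passcode required", BOTH, lambda p: p.passcode_set),
    Control("two-factor enrolment", BOTH, lambda p: p.mfa_enrolled),
    # Full-disk encryption is the laptop rule; on mobile an encrypted
    # corporate container is accepted instead, so the control is less invasive.
    Control("laptop disk encryption", frozenset({LAPTOP}), lambda p: p.device_encrypted),
    Control("mobile data encryption", frozenset({MOBILE}),
            lambda p: p.device_encrypted or p.container_encrypted),
    # Blocking USB storage has no mobile counterpart; it is simply not applied.
    Control("external storage blocked", frozenset({LAPTOP}),
            lambda p: p.external_storage_blocked),
    # Mobile-only: a rooted or jailbroken device undermines the other controls.
    Control("not rooted/jailbroken", frozenset({MOBILE}),
            lambda p: not p.rooted_or_jailbroken),
]


def applicable_controls(platform: str) -> List[str]:
    """Names of the controls that apply to one platform."""
    return [c.name for c in CONTROLS if platform in c.platforms]


def evaluate(p: Posture) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", names of failed controls) for one device."""
    failed = [c.name for c in CONTROLS if p.platform in c.platforms and not c.passes(p)]
    return ("deny" if failed else "allow", failed)


SAMPLE_DEVICES = [  # constructed postures
    Posture("corp-laptop", LAPTOP, True, True, True, external_storage_blocked=True),
    Posture("personal-ipad", MOBILE, True, False, True, container_encrypted=True),
    Posture("rooted-android", MOBILE, True, True, False, rooted_or_jailbroken=True),
]


if __name__ == "__main__":
    print("mobile controls:", applicable_controls(MOBILE))
    for dev in SAMPLE_DEVICES:
        print(dev.name, evaluate(dev))
```

Keeping the platform list on the control rather than in the evaluator means the mobile subset is visible in one place and can be reviewed with the policy owners, which is where the "too invasive or limiting" arguments of the paragraph above get settled.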

Nobody ever said BYOD would be easy

As you can see, creating a BYOD policy encompasses many different areas, and there are many decisions to be made so that your BYOD policy does not fail. Making it too restrictive or intrusive could lead to rebellion by your employees. Making it too relaxed could lead to exposed company data or data leakage. Not accounting for all variables could actually lead to an increase in cost, instead of the decrease you were hoping for.

BYOD has benefits and drawbacks that you need to weigh when considering implementing it for your business. But done right, the benefits can far outweigh the costs.

Craig Johnston
  • Not very smart in a hospital environment. If the employee uses his/her own device to access patient accounts then the accounts follow him/her and a breach is just waiting to happen. Not to mention when brought home, I am pretty sure that family members would use/share the device. Another breach.. Sometimes it's good to have devices provided and just leave them at work and lock them up when not used. Posted via Android Central App
  • Documents don't have to be stored ON the device and the access level does not need to be the same depending on whether the device is on premises or connected remotely by VPN. Patient records for example could be accessible only when a device is connected locally with strong authentication such as an 802.1x certificate to the company LAN/WAN and not remotely by VPN from the employee's house or a coffee shop. Leaving other less sensitive resources available by VPN such as employee schedules, expense reports, etc. A properly planned BYOD initiative takes this into consideration. HIPAA compliance can still be achieved with BYOD.
    Providing devices has its own downfalls such as they can still get lost or stolen and need to be managed just like a BYOD. Tracked and secured by people who know what they are doing.
  • I'm very intrigued at the fact there is an iPhone and a BlackBerry in the same pocket! Someone really has guts to take that picture! Nexus 5...enough said
  • I am confident you are going to see more Knox like things popping up on HTC, Sony and LG. What needs to happen is for it to be part of the initial setup and if you want to go from one to the other, it requires a factory reset. Sounds harsh but it is a small price to pay, and way better than being forced into it like knox -------------------------------------------
    You really should see the crap I don't post. Sorry if honesty offends you
  • A 3rd option rarely discussed in BYOD scenarios is remote control apps or remote access apps like Citrix. These allow a user to log in to a system that stays within the corporate confines and data never travels to the devices. There is less support needed for the user (essentially the client app and that's it) and IT retains full control over the data. They can lock or delete access thus cutting off the user/ex-user if needed. Some MDMs have clients that create their own "walled garden" such as Good Technology and MobileIron. These are a bit more useful for smartphones since they don't rely on the manufacturer's system (such as Samsung's Knox). These systems usually cost more, but they are compatible across many more devices and OSes.
  • This is why china has dual sim One sim is for personal phone usage and the other is for your work. I still don't understand why phones here in the states have never supported the dual sim options.
  • My company supports Android, but only if you use a crappy 3rd party client for Exchange. The reason? They have an EAS policy to do with limiting the size of a text preview of an email. Apparently, the Android default email client doesn't support this (the other clients don't, they just reply saying they support everything). The stock Email client supports remote wipe, encryption, etc. but not this tiny little feature that basically prevents the awesome stock email client from working. Instead, it forces you to use a 3rd party client which has potential security holes/phone home ability.
  • BlackBerry still out of date a bit for Customers, however BB10 with 'Balance' means fully ready for BYOD. [...] first ever London smartphone story:
  • As someone who has implemented and manages a BYOD program for a large multi-national company with an eye to compliance for the medical industry (i.e. HIPAA and FDA regs) I can say it's not that complex. Be sure you have a solid End User Agreement that has been verified by all your domestic and international legal resources. Good communication to all the stakeholder teams is key. HR, Legal, Infrastructure etc... The technical part is really the easy part.
  • Not to be a shill, I don't work for Cisco but work with their products almost exclusively.
    Cisco ISE provides BYOD. It's not a simple product and requires a lot of careful planning...
    Then again, security is hard to do right.
  • Men Cisco's product was not ranked very high by harnter in their magic quadrant. For as big as they are it's a product that's way behind the curve. Look elsewhere!
  • Really? Oh wait you said HARNTER. I don't know who they are... I thought you said Gartner.
  • As a consultant I see two versions of this at once. My consultancy: Exchange for email, which enforces an always on PIN and remote access to wipe my device. My university used to do the latter, but the former I mind much more, I hate being forced to put in a PIN all the time for work emails so I declined and access them via a PC (they rarely email anyway). My client: Good for Mobile. This keeps calendar and email behind a password protected app and allows the company to disable the app should they choose to, without affecting the rest of my phone. Whilst Good isn't the greatest app, this is my preferred solution out of the two. Posted via Android Central App
  • It's heart warming to see intelligent people interacting in the comments.
    Now for the advice meant for dumb people and the tech-savvy but not to geeked out people. [no disrespect intended]
    (BYOD is high level thinking stuff. If you don't understand it research it or leave it alone. One of these choices is SMART, the other is LAZY. If you happen to fall into the LAZY category, just use two phones.)
    This has been a public service announcement to LAZY people that try to be smart.
    Posted via my SPARK enabled Sprint LG G2, that's constantly laughing at my wife's T-Mobile Galaxy Note 3 with borked sdcard support on 4.4.2...
  • No chance in Hell I will log into my employer's network. We are required to log in with our corporate gmail account which allows them to wipe your device. During early adoption several employees lost all their contacts. I can still access email differently and can access wifi but no way will I go the directed way. I also don't like to have a password protected device.
  • I agree. My company doesn't work with client EHR or credit cards, or anything really very sensitive. Management used to have a very permissive attitude towards devices, basically "don't be an idiot". Then they adopted a BYOD policy that was so ridiculous it technically prohibited employees from accessing the company's public website from an unmanaged device. It also included a remote wipe clause that is solely at the company's discretion. F* that. I'm not against remote wipe under certain conditions, like if the phone is lost or stolen, but all of my personal data is not going to be under Damocles' sword so I can get work emails on the weekend. So I didn't sign the BYOD, and have several times now not received after hours emails from my boss. I always reply with a reminder that I don't have access to push email since the BYOD went into effect. Most employees didn't opt to BYOD under those terms, or adopted technical loopholes like Touchdown. Really it's critical to think about what you want from your BYOD. If you don't want employees using their own devices, it's easy. But if you do, then you have to craft a policy that balances the interests of the company with those of the users.
  • Easy solution: Make everyone buy an AT&T Samsung device. You can't even root it, let alone hack. Posted via Android Central App
  • AT&T or Verizon Samsung device.*
  • This is why I use Touchdown to access my work email, calendar, and contacts. IT can only touch Touchdown and can't wipe my entire device.
  • Actually they can do an entire device wipe if they want to. They just don't have to.
  • Note: Would love to see a Good vs. Touchdown article. :)
  • Touchdown is an Email Client. Good is a Mobile Device Management (MDM) system. Apples and oranges. Though I agree, it would be nice to see more business related articles like this! We are a HIPAA organization and it's true, you need a solid policy that employees must sign. Place the responsibility in their court, but still have the capability to wipe out company data when necessary. Posted via Android Central App
  • Different style systems here. Touchdown is terrible. GOOD is a compartmentalized solution. Actually surprisingly enough the best one that I have seen so far is the BlackBerry BES client on Android. Similar to GOOD but a lot better. AirWatch (MDM) also offers a similar compartmentalized solution. Touchdown is a crutch for EAS. Not to pump iPhone, but they went the right way when they decided to provision for native EAS out of the box.
  • If you really want to do BYO you should use an expert. I've had great results from Vox Mobile, they're the leading Gartner ranked company to help with BYO implementation. My company saved a bucket load and it was so easy.
  • I work for a Gartner Magic Quadrant designated company that works daily within BYO and building BYO programs for companies across the country. What we see, on a daily basis, is that with the right UA and the right security policies in place, you can be extremely successful in BYO. But there's a catch. Cost. A lot of companies make the move to save on cost, and as the article mentions, with the increase in device selection for employees your help desk will be pushed to its limits. Even within Android there are multiple different device types with their own little quirks that make setting up devices difficult for an under-trained team with both MDM containerization. Regardless of whether you go with containerization or an MDM, end user privacy and a separation of work and personal is the only way to make the user feel at ease that their company isn't snooping around at what they do in their off time. Even if possible, your agreement needs to be transparent about the access level of the company to the device.
  • "Today the market is awash with smartphone and tablet choices from Apple, Google, Nokia, Microsoft, Samsung, HTC, Motorola, LG, and even Amazon" You forgot to add Sony. Srsly?
  • And BlackBerry! Lol, btw Craig can you post something similar in Crackberry? Posted via Android Central App