Thoughts on BYOD
What is it? BYOD - Bring Your Own Device - is the enablement of employees to bring their own, personal devices to the workplace to access corporate networks and information in place of a traditional corporate PC or mobile device.
BYOD is huge topic of conversation; it has been for a couple of years already. There are varying opinions on the subject, its merits in the workplace and whether or not there really are any true benefits to a BYOD-enabled environment.
As an example, a study by Spiceworks from 2013 shows there is a lot of uptake in the SME sector, a sector where I'd expect to see this given the cost of hardware and difficulties leveraging the bulk deals with hardware vendors commonly seen in large enterprises. On the other hand, some IT Pros are convinced BYOD is doomed before it’s even had a chance to establish itself. Even posts I've written on Google Plus on this subject have seen views from both sides of the argument.
Since the topic has cropped up a few times in the last week around the web, it has led me to think about it. Personally I support the idea of BYOD, I do however appreciate it isn't as black and white as it is sometimes portrayed.
From following the topic for some time, I've seen two oft-suggested benefits to BYOD:
- Cost savings.
- Flexibility to use a wide variety of devices for employees.
Off the back of those, I think there are a few more:
- Devices are the end-user's responsibility.
- End-users can pick the operating system and form-factor they prefer.
- There's an element of respect for personal devices you often don't see with work equipment.
- Improved end-user satisfaction.
Why are these benefits? I'll break it down:
End-users manage their own devices - Software and OS updates are a burden at the best of times. When admins have to additionally take care of devices outside of their typical remit it can get terribly messy. If admins are updating BYO devices, they're then also responsible for fixing whatever issues are caused by the resulting changes.
It is undeniably very important to have an up-to-date system, but placing the onus for updating a BYO device on the end-user not only means admins don't have to update that device, it's one less activity (multiplied by the number of BYO devices) for an admin team that can instead spend time on other tasks.
Of course users may struggle (at least to begin with) to keep their devices up to date and if the corporate network has policies in place to block outdated devices from accessing corporate resources, this can impact their ability to work. It is therefore essential that support and documentation is available to help the end-users get to a point where they're comfortable doing this, but also acknowledge that there will never be a situation where IT won’t be involved in some way. Random issues or difficult situations can hit at any point.
End-users pick their own operating system and form factor - If it were up to me, I'd have a 13" convertible running Ubuntu or similar for work. I find Linux to be more reliable, just as easy to use as Windows (subjectively) and far more secure. That's my choice, others may prefer a Mac or Windows machine in any of a variety of form-factors they get along with.
By not tarring each person with the same brush, you encourage creativity and enthusiasm towards their work. If someone dislikes Windows with a passion, they may not enjoy using or struggle with the hardware provided by the company.
It is however worth mentioning that depending on the role and the tools required for an end-user to undertake his or her responsibilities, it may not be possible to avoid using Windows or a particular piece of software unavailable on a chosen setup. This must be considered before giving the green light on going for whatever they want. They can take comfort still in the ability to pick their preferred form-factor at least.
End-users respect their own equipment - Anyone working in an IT environment, particularly anything field-based, will have seen how devices are returned to the office. By no means is this a universal truth, but it's hardly a secret that many will treat their own personal equipment a lot better than a work device. There's an element of "I paid for it, I must take care of it" with personal devices which isn't necessarily shared for the devices supplied by a company.
Not only is the company not having to repair BYO devices, if a device belonging to an end-user were to get damaged, the onus is on them to get it repaired. This in itself could save hundreds to thousands a year in costs the business would otherwise have to accept.
Choice = Satisfaction - In conjunction with picking their own OS/form-factor, end-users who are able to use their preferred system will generally be happier than those who are forced to use something they struggle with. VMware undertook a survey in 10 Asian countries in 2012 that reinforces this, but it is something I can also personally relate to.
Of course nothing is perfect, some of the issues I can see are:
- Not everyone will want/can afford their own device.
- Mandatory BYOD can be difficult to enforce.
- Corporate data will be held on a personal device.
- For IT, supporting a wider range of devices is a challenge.
- Policies around fair usage, appropriate content, etc.
- Management of devices.
With the above mentioned, I’ve put together some thoughts for implementing a BYOD environment based on my own opinions of the topic:
Planning, planning, planning
Implementing a BYOD environment is no mean feat and, while it may sound obvious, planning is absolutely critical in ensuring the project succeeds.
Before starting any project, the questions “Will it save us money?” and “Is it really for us?” need to be asked and answered. At the end of the day, no business is out to increase financial overhead or cause extra strain on departments unnecessarily.
Do we need BYOD for an office of Desktop PC users? Do we need BYOD if we’ve recently spent thousands on new hardware?
I often tend to start a project the same way; by reading whitepapers on the topic and studying use - or user - cases on the subject matter by those who’ve already done the work and published their findings. There’s no shortage of BYOD material online, a quick Google reveals link upon link of information.
As mentioned above, one of the most popular opinions around BYOD is that it saves money. It isn’t just about the hardware though; the cost of supporting devices, generating and maintaining documentation (policies/procedures/manuals) and the increased load on support teams can all cost the business. This has to be taken into consideration, as well as the potential knock-on effect (should there be one) on day to day activities or other projects impacted by the increased support requirement. You also have to decide on whether or not you’ll keep a reserve of pool devices in case of damage, loss or simply forgetfulness. These machines will also require an element of maintenance and support.
Once committed to the idea, other questions then arise like:
- Do we limit the devices (OS/vendor) supported by the business?
- How do we manage corporate data stored on the device?
- Do we provide subsidised devices?
- Do we maintain loanable devices for emergencies?
- How is data backed up?
- How do we enforce fair-usage on a personal device?
- Will our infrastructure support these devices?
- How will we manage them?
- Should we require insurance policies for BYO devices to cover damage/theft?
All of these (and many more) need equal thought and attention. Some things can be put off, but ultimately a situation will arise that hasn’t been planned for or considered so the sooner the obvious questions are answered the better.
When the time comes to start making BYOD in the enterprise a reality, start with small groups and work out to the wider business. While it will take longer, trial groups will expose issues easily fixable that may otherwise be a nightmare once fully rolled out. It also gives the ability to generate use-cases on the fly, figure out what best works, things that cause problems and more.
Most importantly: Don’t rush the rollout!
Don't force it
From my point of view, there is only one situation in which BYOD can be mandatory without causing problems and that is the requirement for a basic phone that can make calls and send texts. In this situation all that would need to be considered is who is responsible for the expenditure generated through calls and texts. Anything more and issues will begin to surface; perhaps end-users don't have the cash to spend on a device for work? Maybe that promising potential new-hire doesn't wish to use a personal smartphone or tablet for work purposes?
The best possible BYOD environment will be one in which end-users can choose to opt-in (or out). When BYOD is optional and not mandatory, it caters for everyone in the business.
If there's an eagerness to push all employees to BYOD, offering subsidised devices through the company is a great way of lowering hardware costs and responsibility while providing an avenue for those who would otherwise struggle to afford their own device for work. This is the route Corby Business Academy took with their students, requiring they only pay less than 50% of the cost of a Chromebook with the option to pay in instalments.
An opt-in (or out) environment does mean hardware costs will likely not completely disappear, certainly not for a long time. Ultimately however it is the best way to implement BYOD.
Policies, procedures and documentation
In the corporate world, for every action there’s a procedure outlining effective steps towards a reaction. For BYOD there’s a lot to cover and it needs to be done right.
Policies and procedures will define what’s right, wrong, legally binding and how it should be done. There’s no guarantee everyone will always follow these documents, but at the very least the business is protected if rules are broken.
A number of basic policies should be put in place before BYOD is rolled out to the business. It’s a lot easier to tweak existing policies to accommodate discrepancies than to reactively create them and although documentation can take a lot of time, it will be beneficial long-term.
At the very least, the following policies/procedures should exist:
- Acceptable use for personal devices
- Data ownership and storage
- Enrolling and retiring personal assets
- Supported devices
One of the major concerns around BYOD is the extra workload generated for support teams. After all, if end-users can suddenly select any device they want, IT will end up with an enormous range of devices coming through that need to be configured and supported.
There’s far more to it than simply having to know which buttons to press if there’s a problem; each unique device needs to be tested for compatibility with existing infrastructure, any in-house applications, have existing support documents amended to suit the differences (or new documentation generated all together) and so on. I wouldn’t expect a Chromebook to work too well with an application designed for Internet Explorer 6 after all!
Boundaries have to be set. As nice as it would be to be able to accommodate any device ever released, it’s unrealistic to allow this and is exactly the type of scenario that would overwhelm a support team. By limiting the brands or models the business will support, it means the burden on IT is lifted substantially and makes BYOD far more feasible.
Each company is different. Some will prefer HP, some Dell, Samsung, Apple, etc. Whatever it might be, begin there and expand as much as is comfortable to do so. Once the selection has been confirmed, users then have the option to either follow recommendations or accept a device may not be supported by inhouse IT and respective systems.
Another major concern comes down to corporate data on personal devices. Businesses don’t like it at all. Those who can afford it might have a Citrix / VDI environment set up and ready to go to keep corporate information completely separate from personal devices, but what are the other options?
Containers - a number of MDM solutions (see below) allow for corporate data to be accessible via a secure, encrypted “container” on a device, thus keeping personal and corporate information separate. Anything work related can be accessed via an app and once finished, the app can be closed. Simple. Samsung and BlackBerry take this a step further with solutions like KNOX that are built right into the device itself. Data within containers can be wiped through MDM at the click of a button without affecting the device.
Restrictions - another option, again through MDM, is to restrict the ability to save information to device storage all together. Documents received via email can be opened, but not saved to the device. The disadvantage to this of course being that nothing can be saved to storage at all.
Policies - if nothing else, develop specific policies that end-users must adhere to. Here it can be outlined that storing corporate data on a personal device is forbidden and must reside on corporate file servers. The penalties for failing this can be set accordingly.
There’s more to consider with personal devices than storing corporate data though; these are BYOD devices with an emphasis on “O”. End-users may feel they have a right to use a personal device how they wish, including installing applications that may be frowned upon by the business. Being greeted by Facebook Home whenever a user turns on the screen while on a client site is both unprofessional and reflects poorly on the business. Even though it’s a personal device, the end-user has agreed to use it corporately and therefore it becomes necessary to set out guidelines/policies which determine what can and cannot be installed. The same applies to personal files stored on the device.
The point of BYOD is to give users freedom to choose the device they want to use for work, it is not intended for allowing a user to use only one device for everything (personal and corporate). Corporate personal devices shouldn’t be full of personal information, it’s entirely possible that device may be remotely wiped and all data will be erased. The business won’t be responsible for backing up any personal data, so personal data likely wouldn’t be possible to retrieve.
It is however possible that an end-user may only have the one device for work. What happens when it breaks? Should it be policy to require insurance including next-day repair or replace in order to prevent lost productivity for extended periods, or should the business provide loanable devices for these situations?
Well, both. It is in the interest of the business to keep loanables on-hand on the off-chance a personal device fails, just as in any normal situation to keep their employees working. At the same time however, the onus is on end-users to make sure they have a working device and repair it as fast as possible if something goes wrong. Insurance can come in very handy in this case.
If a device does bite the dust, it’s entirely possible some data might be lost if the storage of corporate data is permitted. In this situation having a backup solution on the device itself is a must. For scenarios where data is stored on a remote fileserver, this isn’t as critical.
What about when a device is retired? Usually when this happens - whether the user quits, is fired or simply swaps hardware - the data on the device is securely wiped. How will this work with a personal device? Should the business expect a user to report to IT to wipe it? Depending on the situation that is an entirely reasonable expectation, but IT need to be prepared for a worse-case-scenario and have a backup plan in place. Many management solutions will allow for remote-wipe on a device. Given the destruction this will cause, the possibility of a remote wipe should be stated on enrolling a personal device into the business.
Finally, who’s paying for everything? Should the end-user purchase a SIM and pay for his or her internet, SMS and call usage before claiming it all back on expenses (if that’s an option), or does the business provide the SIM with capped usage?
Both options have merits, although I personally prefer to be provided a SIM with a device. If nothing else, it allows the business to utilise stats from the SIM (charges, minutes used, data used, etc) to get an idea of who’s doing what and when.
Policies and procedures will make up the foundation on top of which BYOD can function. It’s unlikely everything will be known and documented from the get-go, but starting out with the basics and building upon it through trial-runs within the business will allow rapid growth of this foundation and set the business up for a well-managed and well-maintained environment.
Personal devices can't be left to run amok on corporate networks. Just as with typical corporate devices they need to comply with the policies and compliance rules of the organisation. Managing devices on an individual basis is impractical and extremely time-consuming. In order to run a truly seamless, well managed BYOD environment, a Mobile Device Management (MDM) platform is a must.
Just in the same way an enterprise will have some form of asset management solution to keep track of and manage the corporate devices within the business, MDM solutions provide the same functionality for mobile devices including (but not limited to):
- Security enforcement
- App management
- Configuration profiles (network access, email, etc)
- Data usage monitoring
Policies set through an MDM profile can assure only devices which comply with the requirements of the corporation are granted access to corporate networks. That means if the OS is out of date, the device is rooted or jailbroken or filled with questionable (and therefore blacklisted) applications, access is denied and the corporate network is not left open to potential vulnerabilities.
MDM - whether part of an integrated suite such as SCCM + Intune or a stand-alone product such as Fiberlink's (IBM's) MaaS360 or VMware's Airwatch - provides the granular management of mobile devices that the enterprise has come to expect from years of managing Windows devices.
BYOD and MDM go hand-in-hand.
I’ve only touched on the basics here. Implementing a BYOD environment is a complex and time-consuming task, but once it becomes apparent that it will benefit the business, it can be extremely rewarding in the long-run.
I believe that not only will a business see the results financially, the ability to use their own devices will produce a more motivated and enthusiastic workforce to boot.
Even though BYOD has been discussed for what feels like forever, it’s still a relatively new concept that has left the corporate world divided. I’m excited to see the results continued BYOD adoption produces as time passes and look forward to fully implementing BYOD myself in the future.
Have you implemented BYOD or are you part of the transition within your company? What are your thoughts about BYOD, the future of the mobile enterprise and mobile working in general?
Sound off in the comments or join the conversation on Google+