As BYOD explodes, IT managers learn to cope
- 23 April, 2013 15:28
Pity the poor IT manager trying to get his arms around the bring-your-own-device (BYOD) movement.
Even the most cutting-edge tech leaders -- those who are working to make mobile devices secure and productive corporate tools -- are feeling overwhelmed by the frenetic pace of change in the marketplace.
While Apple iOS devices have dominated the landscape, the surging popularity of Android phones and tablets and the emergence of platforms like Windows 8 and BlackBerry 10 promise to open the floodgates to an even wider range of personal devices vying for corporate resources. For IT, that means new and more complicated support and security challenges ahead.
The clock is ticking, says Christian Kane, an enterprise mobility analyst at Forrester Research. "Now is the time to figure out how to embrace [BYOD] by defining a strategy, determining who is eligible and what they have access to, and by becoming familiar with the platforms that can facilitate device management," he says.
Specifically, the pressure is on to devise a solid mobile device management (MDM) strategy, says Kane. At the same time, he acknowledges that tools and policies are still evolving. "This is just the start of a long journey," he says. "It's not as simple as saying, 'We will now allow employees to bring their devices to work and connect.' Requirements will continue to change."
With that uncertainty in mind, here's how five IT departments are mitigating BYOD-related pain points while plotting long-term strategies for mobile device management.
Booz Allen Hamilton:
Policy and Privacy Top Concerns
" Organization: Booz Allen Hamilton, McLean, Va. Delivers management, technology and engineering consulting services to government agencies, corporations and nonprofits.
" Key numbers: Approximately 25,000 employees; between 12,000 and 16,000 mobile devices in use -- some are corporate-owned and others are employees' personal devices.
" Devices supported: It's a multiplatform environment at Booz Allen, which provides mobile devices to a few thousand corporate executives. Those company-issued tools include iPads, iPhones, Android devices and BlackBerries, all of which are managed and supported by the IT department. Other employees may use personal devices for work, but they're primarily on their own when it comes to fixing problems -- unless the issue is something the help desk can address fairly quickly, says Joe Mahaffee, executive vice president and chief information security officer. About 10,000 employees currently use their own devices, he estimates.
" How BYOD happened: A year ago, Booz Allen had an informal BYOD program, which made IT leadership uncomfortable. "People were using their own devices in the environment, and we didn't really understand who was connecting and when, and if they were compliant with corporate security policies," says Mahaffee. "We recognized we needed to get out in front of this before a problem did occur."
" How it's coping: Booz Allen put corporate policies in place and then deployed an MDM system, according to CIO Kevin Winter, who declined to name the MDM platform.
Corporate policy now requires mobile users to have encryption and password protection on their devices -- and the MDM system automatically enforces those policies. "As soon as the user registers with the MDM, it checks to see if the device is compliant with our security controls," Winter says.
The biggest pain point now involves users' lingering concerns about privacy, he says. "Users are concerned that if they take their personal device and connect to the corporate network, the business can see their personal data, listen in on conversations with loved ones or see pictures of their kids," Winter says.
We want to keep [employee] privacy intact while still providing flexibility.
Kevin Winter, CIO, Booz Allen Hamilton
In particular, users are uneasy about the requirement that they must agree to have their devices wiped if they're lost or otherwise compromised. But Winter points out that the MDM system allows IT to selectively wipe devices so only corporate data and apps are erased. "Our message is we are not interested in acquiring or looking at your data," he says. "We want to keep your privacy intact while still providing flexibility."
" What's on the horizon: Expanding the MDM program with an app store is next on the docket, as is adopting additional encryption and security measures that will be critical as Booz Allen broadens its mobile app portfolio beyond email and calendaring to include HR-related tools, time capture functionality and apps that help track travel expenses. "We're trying to be as accommodating as we can to give the workforce what they need to perform their job as effectively as possible," Mahaffee says.
Corporate Apples? Yes. BYOD? No.
" Organization: Massachusetts Convention Center Authority (MCCA), Boston. Owns and operates Boston's major conference and exposition venues.
" Key numbers: 450 employees (some part time); about 250 mobile users.
" Devices supported: A total of 331 employer-owned Apple devices, including a variety of iPhone and iPad models, all of which are supported by the internal IT team.
" How BYOD happened: It didn't. Since the MCCA is a state agency, there was no way IT could mandate or even encourage union workers to bring in their own mobile devices, according to Steven Snyder, the agency's CIO and CTO. Because officials didn't want workers to take matters into their own hands -- and because mobility was an obvious way to increase employee productivity in cavernous convention facilities -- the MCCA decided to standardize on the latest Apple mobile technology in an attempt to give users what they'd likely choose on their own.
"We try to be really proactive about providing the tools that people need and want to do business," Snyder explains. "So far, we haven't had anyone showing up at my door with a [Samsung] Galaxy saying they want to use that instead."
Mulitplatform Support Headaches
MDM and MAM to the Rescue
Until recently, there was a dearth of mature technologies to help IT tackle the headaches of multiplatform device support. That's starting to change with the rise of mobile device management (MDM) and, more recently, mobile application management (MAM) software.
A wide range of MDM systems, now available from dozens of specialty vendors as well as mainstream software providers, give IT visibility into and control over diverse employee- and corporate-owned mobile devices connecting to the network. These packages give IT the tools to enforce security policies, control access to corporate resources and remotely lock and wipe devices that have been lost or stolen.
MAM pushes the technology a step further by allowing enterprises to manage and secure not just the physical device, but the data and applications hosted on the hardware.
According to Gartner, 90% of enterprises will have two or more mobile operating systems to support through 2017, and 65% of enterprises will start using MDM technology over the next five years.
Standardizing on one mobile platform was also critical for simplifying development and support -- an important point when budgets are tight and resources are limited. "By mandating one platform," Snyder says, "we can develop one app and not have to support all those additional permutations of devices."
" How it's coping: Even though the MCCA supports only one mobile platform and supplies the devices, mobile device management is still critical for control, Snyder says. The agency uses the AirWatch MDM system to build user profiles, shut down devices if necessary, wipe devices if there's a problem and push out apps.
Users are not restricted from using the corporate-owned iPhones or iPads for personal reasons -- they're even allowed to tie the devices to their personal iTunes accounts. "We're not going to be Big Brother, but if we need to wipe it, we're going to wipe it, and it's too bad if you don't have your stuff backed up," Snyder says. IT doesn't get much pushback on that policy, he says, because the procedures are clearly spelled out in the policy manuals, and users are generally thrilled to be working with a high-end device on the company's dime.
" What's on the horizon: Beyond delivering access to standard email, contacts and calendaring tools, custom app development is a top priority at the MCCA. The IT group has five people who focus on mobile app development. Some apps are built internally, and some development work is contracted out to third parties.
Currently, the agency has mobile apps designed to let service reps book conference rooms or serve up work orders to contractors while on the convention center floor, and more are in development. "We have a lot of things in the works to better our service delivery processes," Snyder says. "We're looking at how to make it easier to triage things [so that] 90% of the time you don't need to make a phone call."
Three-Pronged Approach to MDM
" Company: Clif Bar, Emeryville, Calif. Maker of organic food and beverages.
" By the numbers: 335 employees; 250 company-supported mobile users.
" Devices supported: 250 company-owned Apple iOS devices, including 200 smartphones and 50 tablets, which are fully supported by the four-person help desk. Other users can bring in their own phones or other mobile devices, but they aren't allowed to access company information or email.
" How BYOD happened: The wake-up call came in early 2011, when talk of BYOD was just getting started, according to Gary Hensley, Clif Bar's IT director. While some IT leaders were excited about the possibility of opening up device choice, Hensley says he was nervous about the resulting support demands that would fall to his already strapped 13-person IT team.
Resolving to deal with BYOD before it got out of hand, Hensley worked with Clif Bar's CFO and the rest of the IT team to map out a three-pronged approach to mobile device management that includes formulating usage and security policies, creating a business case for the use of mobile devices and an MDM system, and creating processes to oversee and manage the devices.
" How it's coping: The team settled on Apple devices because "they were the best in practice for manageability," Hensley says, but the choice also reflected what users wanted.
Users who meet the justification criteria and get management approval to use a mobile device are given a company-issued iPhone or iPad and get access to email, contacts and calendars in Outlook Exchange. Employees approved for mobile usage who opt to purchase their own Apple device can also port their personal number to the company plan and will be able to maintain their original refresh cycles on the hardware, Hensley says.
Currently, the company is using Microsoft ActiveSync for MDM, which Hensley says provides visibility into who is accessing company information and gives administrators the ability to block access if necessary. Using the Bomgar remote help desk platform, Clif Bar has automated remote provisioning and activation of devices. Bomgar can also walk users through the process of connecting the device to the corporate network.
[We're] listening to users to determine what their needs and wants are. It's a constantly evolving challenge.
Gary Hensley, IT Director, Clif Bar
" What's on the horizon: While a base MDM platform and standardization on Apple iOS have served the company well, Hensley is aware that users may demand support for additional devices. To prepare for such requests, Clif Bar is evaluating more-robust MDM platforms that could more easily handle myriad devices and provide more granular wipe capabilities.
"We're bringing in test devices, figuring out how to integrate them into the environment and listening to users to determine what their needs and wants are," Hensley says. "It's a constantly evolving challenge."
Keeping BYOD Simple
" Organization: Novation, Irving, Texas. Provides healthcare supply chain expertise, sourcing services and information and data services to more than 65,000 members of leading national healthcare alliances, including VHA and UHC.
" Key numbers: 2,000 employees; 1,500 mobile users.
" Devices supported: Novation doesn't officially issue smartphones or tablets to employees, but it has adopted a new mobile policy under which workers are allowed to use any device on the job as long as they follow proper security protocols. As a result, employees are bringing in a variety of gadgets, including iOS and Android phones and tablets, to access corporate email and calendars, even though Novation's IT group doesn't provide formal help desk support for personal devices.
" How BYOD happened: On the day of the first iPhone release, Novation's CIO issued a memo advocating caution in allowing the devices into the enterprise. "The memo went out at 10:30 in the morning, and we had to answer back that it was too late -- users had already bought them, hooked them up to Exchange and were accessing corporate email," says Guillermo Ramas, vice president of commercial solutions, part of Novation's information data services function. "Two months later, the CIO had his own iPhone."
" How it's coping: Employees who legitimately need to use a smartphone for work simply buy devices and sign up for service on their own and then bill some or all of their expenses to the company; the amount is subject to the approval of their managers.
Novation needs a formal strategy governing what corporate resources can be made available to employee-owned devices and how that can be done securely. Currently, mobile users can connect to corporate email and calendars via Microsoft Exchange Server ActiveSync, but that setup doesn't give IT the ability to carry out remote wipes, deploy password protection tools or take other steps to enforce security protocols.
" What's on the horizon: Novation is prototyping an MDM strategy using the AirWatch platform, which will provide important security controls, including the ability to identify devices, block jail-broken equipment and perform remote wipes. Eventually, Novation would like to move to "agentless" MDM, which doesn't reside on the client device, Ramas says. This option would still provide critical controls like passcode enforcement but would be slightly less onerous from the user's point of view, because it would allow IT to perform selective wipes but wouldn't leave users feeling as though IT is policing their personal data. "We're looking for a happy medium," says Ramas, noting that use of mobile devices would decline if IT was too strict about security.
Riverside Medical Center:
Dispensing MDM to Prevent Data Leaks
" Company: Riverside Medical Center, Kankakee, Ill. A 325-bed hospital that provides both inpatient and outpatient care.
" Key numbers: 2,400 users; 300 company-supported mobile units.
" Devices supported: Riverside owns and manages some 300 mobile devices, a mix of Android tablets and phones and iPhones and iPads, all of which are supported by IT. Some users, including visiting doctors, also bring in their own devices; depending on their role, IT may provide them with some base support.
" How BYOD happened: If BYOD is what doctors and medical staff are demanding, then Riverside has little choice but to ride the wave. "We have to support anything because the hospital three blocks down the street does, and doctors and nurses have a choice of where to work," says CISO Erik Devine. "We have to be flexible -- it's almost like a recruiting tool."
" How it's coping: Some users, including home healthcare professionals, are issued corporate tablets, secured and managed via McAfee's Enterprise Mobility Management (EMM) software. EMM lets the IT department restrict the apps and content that can be loaded onto a device, deploy two-factor authentication and remotely wipe devices if they are misplaced or stolen.
Other employees can use personal devices to access corporate resources like email and certain areas of the hospital's healthcare management system -- provided they sign an agreement and install EMM on their devices, according to Devine. Doctors on temporary assignments at the hospital may access noncritical resources through the guest network, as can workers who want to use their own devices but don't want to install EMM.
The biggest concern with BYOD is data leakage, Devine says. Even if visiting doctors install the requisite MDM client to gain access to hospital systems, Riverside has limited control over what they do with that information later on. "When a doctor comes in and accesses resources to do the job, we don't know what they do with the data after they're done," he says. "You have to open up doors for BYOD, but essentially you're opening doors you closed a couple of years ago."
[If] we have to manage 600 devices next year... I want to find a robust system that hits all my points.
" What's on the horizon: Development of a captive portal for the guest network is in the works. It will give IT more control by, among other things, making it possible to capture more data about devices that log on to the hospital network. Riverside is also evaluating MDM alternatives that will support more granular security policies and more readily accommodate new devices.
"EMM is aimed at iOS, not Android, and many MDM solutions are aimed at Microsoft devices," Devine points out. "If [BYOD] explodes and we have to manage 600 devices next year, I don't want to have to go through three different systems. I want to find a robust system that hits all my points."
Stackpole, a frequent Computerworld contributor, has reported on business and technology for more than 20 years.