BYOD Policy Creation

BYOD, or Bring-Your-Own-Device, is more than shifting devices to employees. It has complex and unexpected implications that you should define before implementation. The following are some key components of a successful BYOD strategy:

Device Choice for BYOD

Employees wanting choice is the primary motivator for a BYOD strategy. The employee may have a smartphone or tablet that they would prefer to use over the device provided by your company. Because the most popular smartphones change rapidly, the need to manage mobile devices and apps makes it difficult to define the choices you offer employees.

Build your BYOD policy considering what devices employees already have, along with what they will likely want in the future. To be viable for your BYOD policy, a device should support:

  • Asset management
  • Encryption
  • Password policy
  • Remote lock/wipe
  • Email & VPN configuration

If a device will not support the above, it should not be permitted in your policy. The app-related functionality permitted on a device will be adjusted based on the level of enterprise functionality that it supports.

Understand that the Android operating system varies by manufacturer and wireless carrier. Sometimes, the same brand and model has differences depending on the revision! You want to support devices that you certify. Since new devices come on the market every three to six months, you must commit the resources to accomplish this. Be very clear with your employees about which devices are allowed and which are not, as well as the reason. You want to prevent employees from buying devices that you will not support.

Someone on your IT team has to have the time to be an expert on device and operating system evolution. Otherwise, your policy will become outdated by the time you release it!

Trust Policies for BYOD

Enterprise security is all about trust. Which users and apps are trusted, and under what circumstances? Trust policies for BYOD are more complicated because a device itself can fall in and out of compliance. Mobile device trust is fluid and changing.

For example, a senior manager could download a risky consumer application that shuts off their device encryption. Or a user may want to use Facebook or other social networking apps on their device, but blocking this would not make for an acceptable BYOD policy.

So what must your Trust Policy include?

  • Identify and measure the risk for BYOD devices that fall out of compliance with policy.
  • What action do you take when a device falls out of compliance? Notification? Blocking enterprise access? For enterprise-owned devices: selective wipe.
  • Tiered ownership policy: personal and corporate-owned devices should have different policies for security, privacy and app distribution.
  • Use of certificates to identify users and devices. You need to know who is using what device.
  • Thought as to how you will sustain the policies. Any policy will be a compromise between user restrictions and security.

In our next posting, I will discuss BYOD:

  • User experience and privacy
  • App design and control
  • Costs
  • Internal marketing of your BYOD policy

If you have questions or need assistance with BYOD and MDM policies, please contact SD-WAN-Experts.
