Recent research into mobile device deployment in the workforce showed that 7% of UK companies, for example, rely on ‘bring your own device’ to deploy devices in the workforce. 38% of companies offer a hybrid model, providing company owned devices alongside BYOD. What does this show? BYOD isn’t coming - it’s already here.
However, the research also showed that a third of businesses have no enforceable policy in place to manage these mobile devices, which is especially worrying given the variety of device deployment methods in the IT landscape. With the number and scale of ICO fines levied on public and private sector organisations in the last year, the financial cost of a data breach, as well as the potential damage to reputation, is not an issue to be ignored.
There are, however, practical, concrete steps that allow efficient incorporation of employee-owned devices into a deployment whilst ensuring secure protection of corporate infrastructure and data.
Step 1 - Define your IT requirements
Devices & Form Factors
To begin, you must select the types of devices and operating systems that you are willing to support. It is not possible to standardise management for mobile devices since each operating system and even the hardware itself can impact IT capabilities. For your Mobile Device Policy, here are the baseline criteria to use for assessing operating systems and device types:
Security
- Built-in encryption
- Identification of jailbroken or rooted devices
- Enforceable passwords
- Geolocation capabilities
- Remote Lock/Wipe
Manageability
- An API that enables Mobile Device and/or Mobile Application Management
- Extended MDM API via hardware vendor
- Support of Exchange ActiveSync policies that comply to company standards
Apps
- A broad range of commercially available productivity apps
- Support for developing and deploying custom apps
- Availability of key apps specific to form factor
Based on these criteria, you should be able to define the list of form factors and operating systems you will support.
Network Accessibility
Next, you must create an environment that will support employee-owned devices during the enrolment process. The simplest solution is to set up a guest wireless network that is separated from the internal network. This can serve as the enrolment network for employee-owned devices. Once enrolled, your MDM solution should automatically evaluate and assign privileges based on the policies you have created.
Basic privileges include access to company email, company Wi-Fi, and VPN configurations. These privileges should be tied to a policy that defines the security requirements of the company. Devices that do not comply with the security policy should be blocked; for instance, devices that are jailbroken, rooted, or have blacklisted apps installed.
Provisioning access through your MDM solution benefits the organisation and the employee:
- Employees receive access immediately
- IT doesn't need to manually provision devices
- Wi-Fi passwords are not shared with employees
- Remediation of future violations will be automatic since access is tied to the security policy
Management Policies
The final component for IT readiness relates to management policies and restrictions to employee-owned devices. This is broken down into three basic considerations:
- Policy-based management: Employee information is already organised within directory systems such as Active Directory or Open Directory, including departments, geographies, and job titles. Save yourself a lot of time and base your device policies on these groupings.
- Security: Create a baseline security policy that enables automatic remediation when devices fall out of compliance. Other criteria should be identified and implemented, including company passwords and app blacklists.
- Document Management: Unless you provide employees with a means to securely access corporate documents, they will invent their own. The best practice is to provide a centrally administered document repository that manages file availability by policy, while allowing IT to delete files as necessary. This is the best model to secure company data while respecting device ownership and user experience.
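The enrolment flow described under Network Accessibility and the layered, directory-driven policies described under Management Policies can be made concrete in a small policy evaluator. The following is an added illustration written for this article, not code from the original or from any MDM product: it checks a device record against the Step 1 security criteria (encryption, jailbreak/root detection, passcode enforcement, app blacklist), merges a baseline policy with department policies selected by the owner's directory group membership (the stricter setting wins), and returns either the privileges to provision or a block decision with the compliance failures. Re-running the same evaluation on each check-in is what makes remediation automatic. All device records, group distinguished names and app identifiers are constructed sample data.

```python
"""Policy-driven access assignment for BYOD enrolment (added illustration).

Device posture is evaluated against a baseline policy merged with the
department policies of the owner's directory groups; privileges are granted
only while the device complies.  Sample data below is constructed.
"""
from dataclasses import dataclass, field

# Umbrella baseline applied to every device (constructed example values).
BASELINE_POLICY = {
    "require_encryption": True,
    "require_passcode": True,
    "min_passcode_length": 6,
    "block_jailbroken": True,
    "blacklisted_apps": {"com.example.cloudshare", "com.example.sidecar"},  # constructed ids
    "privileges": {"email"},
}

# Constructed directory group DNs; each department layers on its own rules.
FINANCE_GROUP = "CN=Finance,OU=Groups,DC=example,DC=com"
SALES_GROUP = "CN=Sales,OU=Groups,DC=example,DC=com"
DEPARTMENT_POLICIES = {
    FINANCE_GROUP: {
        "min_passcode_length": 8,                          # Finance requires longer passcodes
        "privileges": {"wifi", "vpn", "finance-docs"},
        "blacklisted_apps": {"com.example.screenrecorder"},
    },
    SALES_GROUP: {"privileges": {"wifi", "crm"}},
}


@dataclass
class Device:
    """Posture record as an MDM agent would report it at enrolment or check-in."""
    device_id: str
    owner: str
    os_name: str
    encrypted: bool
    passcode_length: int                 # 0 means no passcode is set
    jailbroken: bool                     # jailbroken (iOS) or rooted (Android)
    installed_apps: set
    owner_groups: list = field(default_factory=list)   # directory group DNs of the owner


def effective_policy(groups):
    """Merge the baseline with every matching department policy; stricter wins."""
    policy = {k: (set(v) if isinstance(v, set) else v) for k, v in BASELINE_POLICY.items()}
    for group in groups:
        for key, value in DEPARTMENT_POLICIES.get(group, {}).items():
            if isinstance(value, set):                    # privileges / blacklists accumulate
                policy[key] = policy.get(key, set()) | value
            elif key == "min_passcode_length":            # never weaken the baseline
                policy[key] = max(policy[key], value)
            else:
                policy[key] = value
    return policy


def compliance_failures(device, policy):
    """Return the list of policy rules the device violates (empty if compliant)."""
    failures = []
    if policy["block_jailbroken"] and device.jailbroken:
        failures.append("device is jailbroken/rooted")
    if policy["require_encryption"] and not device.encrypted:
        failures.append("storage encryption not enabled")
    if policy["require_passcode"] and device.passcode_length < policy["min_passcode_length"]:
        failures.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    banned = sorted(device.installed_apps & policy["blacklisted_apps"])
    if banned:
        failures.append("blacklisted apps installed: " + ", ".join(banned))
    return failures


def evaluate(device):
    """Decide whether to provision privileges or block the device."""
    policy = effective_policy(device.owner_groups)
    failures = compliance_failures(device, policy)
    privileges = set() if failures else set(policy["privileges"])
    return {"device_id": device.device_id, "action": "block" if failures else "provision",
            "privileges": privileges, "failures": failures}


def reconcile(current_privileges, device):
    """Re-evaluate on check-in: anything no longer granted is revoked automatically."""
    decision = evaluate(device)
    return {"grant": decision["privileges"] - current_privileges,
            "revoke": current_privileges - decision["privileges"],
            "failures": decision["failures"]}


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("dev-001", "alice", "iOS", True, 8, False, {"com.example.mail"}, [FINANCE_GROUP]),
    Device("dev-002", "bob", "Android", True, 6, False, {"com.example.mail"}, [FINANCE_GROUP]),
    Device("dev-003", "carol", "Android", False, 6, True, {"com.example.cloudshare"}, [SALES_GROUP]),
    Device("dev-004", "dave", "iOS", True, 6, False, set(), []),   # no department: baseline only
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(evaluate(dev))
    # Finance tightened its passcode rule; bob's existing access is withdrawn on next check-in.
    print(reconcile({"email", "wifi", "vpn", "finance-docs"}, SAMPLE_DEVICES[1]))
```

Because the decision is recomputed from the directory groups and the posture record on every check-in, adding an employee to a group or tightening a department policy changes their device's privileges without any manual provisioning, which is the property the bullet list above relies on.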
Step 2 - Define your legal requirements
The most significant challenge associated with BYOD is the balance IT must maintain between respecting the privacy of the employee while securing the corporate network and any data contained on the device.
Since this is essentially collaboration between the employee and the organisation, it’s best to put it in writing.
Mobile Device Policy
This is a comprehensive document that should incorporate the specific requirements of your organisation, based upon guidance provided by various internal stakeholders including general legal counsel, IT, Human Resources, employees and others.
Each policy is unique but generally should address some or all of these aspects:
Criteria
- Defines accountability and responsibilities
- Defines process for policy violation including consequences
- Focuses on a set of standards without including details such as device type and operating system
- Sets expectation that standards will be updated periodically
User & Funding
- Defines how devices will be used by employees
- Defines how security requirements will be communicated to employees
- Whether a technology stipend program is needed and if so, who will pay
- If required, defines the reimbursement process for recurring costs to employees
- Support for contractors using their own devices on the corporate network
Legal Considerations
- Enforceable
- Whether regional or country data privacy laws will restrict security measures available to IT and consents required
- Rights to audit and monitor activity on personally owned devices and any limitations based on local laws and regulations
- The ability to distinguish liabilities between users and the organisation for usage of features, licenses, apps, etc.
- Consent for the company to access the device for business purposes
- Sets out how to remove devices from the population and how sensitive data and company property are removed
- Obligations on employee to report loss of device and employer's right to wipe it
Human Resources
- Details of control over corporate information stored on employee-owned devices
- HR policies that can govern the use of personally owned devices for personal use during work and non-work hours or in a work or non-work environment
- Contract language to incorporate independent contractors and vendors and their compliance with the Mobile Device Policy
- Employee awareness and training
- Details of employee payment plan if the employer is initially paying for the device and employee is paying it down in installments
Employee Mobile Device Agreement
This is a simpler document with the sole purpose of acknowledging each employee’s acceptance and agreement of the terms associated with the corporate Mobile Device Policy. By accepting the terms, the employee acknowledges that IT will have the legal right and ability to secure their device and the data it contains if required.
The employee opt-in is important in order to mitigate any future scenario where an employee may claim they were unaware of the policy. Since employee acceptance allows IT to perform security measures including the deletion of some or all data from a device (depending on the nature of the corporate policy) and potentially seizing a device, it is important that the company can prove its right to carry out this type of security activity. Employee agreements should be preserved and available for future access as required.
Step 3 - Implement MDM software
Now that you have all of the internal requirements identified and in order, you need to select the appropriate software application that will allow you to properly manage and secure corporate- and employee-owned mobile devices.
Similar to the criteria you applied while assessing the different types of operating systems and form factors, you need to ensure the solution you select is able to deliver some baseline and supplementary capabilities.
Platform Flexibility
- Easily installs within existing environment
- Leverages existing security and network infrastructure
- Minimal adaptation required
- Consolidation: Able to manage all IT form factors and operating systems via a single console (ideally to include desktop and laptop computers)
Administration
- Role-based administration so technicians can be assigned to specific user groups with defined management privileges
Mobile Apps Management
- Distribution of in-house and commercial apps
- Apps management capabilities to support and automate user self-service
- Support for the Apple ASVPP Program (if you purchase Apple apps)
Security
- Application of multiple policies per device, for example an umbrella security baseline for all devices but separate privileges or restrictions per department or user role
- Automated remediation of non-compliant devices
- Secure document distribution and management
- Remote freeze and wipe capabilities
- Enterprise password support