With more than 500,000 devices under management, DMI is tackling BYOD challenges for some of the world's largest and most successful companies.
And our services deliver real ROI, saving many of our clients 20% compared to internal management and support costs.
Now we've distilled 9 years of BYOD best practices into a white paper you can download. The paper lays out the critical policy, technology, security and governance issues you need to consider if you’re going to securely manage employee-owned devices.
We offer a full line of Managed Mobility Services: BYOD, MDM, Mobile Helpdesk, Mobile App Development, Mobile Strategy, Security and much more. Please let us know if you'd like to learn more about them on the download form.
BYOD: SIX ESSENTIALS FOR SUCCESS
The BYOD (Bring Your Own Device) consumerization of IT is here to stay. The allure of incredibly
powerful, easy-to-use handheld devices, constant global connectivity, and an app for everything
have given rise to a stunning consumer-driven transformation of the IT landscape. According to
IDC, 56% of the business smartphones shipped in 2013 will be employee-owned. [1] By 2016, up to
85% of enterprise employees worldwide will be using smartphones or tablets—as high as 95% at
many large corporations. [2]
But as thousands of unmanaged devices connect to networks, CIOs are losing sleep, and IT
organizations are struggling to catch up. In the “old world” of laptop PCs, it was already difficult for
IT to safeguard networks, keep track of corporate data and protect it from loss or theft—even with
near total control of procurement, provisioning and security for PCs. With the BYOD phenomenon,
employees are making their own purchasing and provisioning decisions without concern for security
or support. Without enhanced protection, these devices are less secure than PCs, and their small
form factor makes them particularly susceptible to loss and theft.
This paper outlines 6 essential factors that must be considered to create a successful enterprise-
wide BYOD strategy and policy. It outlines several key issues that must be addressed to arrive at
secure, usable, manageable mobile solutions. This is much more than a technology challenge.
Business policy, legal policy, management and governance are all involved, along with technology
selection and deployment. BYOD solutions will vary widely from organization to organization, but
the issues that all enterprises must address are outlined here.
[1] IDC Research, November 2011
[2] ABI Research, “Enterprise Mobility Management Services for Smartphones and Media Tablets,” October 2011
DMI WHITE PAPER 1
Essential 1:
Understand Your Current Environment and
Business Requirements
Successful execution of a BYOD strategy requires the development of a comprehensive framework
of policies to cover the business, legal, technical and governance issues that arise when integrating
employee-owned devices into the enterprise. But these policies cannot be developed without a
clear assessment of the current environment and a roadmap for future requirements. Gathering
information from management and directly surveying users will help build a meaningful picture of
the current environment and guide the development of BYOD and broader mobile device policies.
A few key questions include:
- What is a company’s goal for implementing a BYOD policy? Is it employee satisfaction, flexibility, cost savings, or some other objective?
- What distinct segments of mobile users can be identified in the organization?
- What information and applications need to be accessed by each of those segments?
- What levels of security will need to be applied to this information?
- What are the data usage requirements of each user segment?
- What travel requirements and other environmental factors need to be considered?
These questions only scratch the surface of the information needed to develop a useful
understanding of the current environment, but they offer a glance at the sort of picture that needs
to be painted in order to develop policies that map to real business requirements.
Once an understanding of the current environment and future requirements is developed, it’s time
to draft the policies that will govern the introduction and use of employee-owned devices within
the organization.
Essential 2:
Build a Business Policy Framework
Armed with an understanding of user and security requirements, a policy framework can be drafted
to address the following business policy questions:
SOURCING: Can employees purchase devices anywhere or just from preferred vendors? This
policy may well vary based on user segment and location, with varying data usage needs, travel,
environmental, security and other requirements factored in. Executives might be encouraged or
required to purchase from one set of devices, sales from a different set, and mobile service personnel
from yet another.
SUPPORTING DEVICES: This is one of the most important but often overlooked aspects of a BYOD
policy. It’s unrealistic to expect your IT team to support every device that could be purchased
by employees. IT will need to determine which devices it is willing to support. It may be that a
tiered structure is called for—no support for “not-allowed” devices, limited support for “allowed”
devices, and a higher level of support for “recommended” devices.
GEO-FENCING: It may be that security or data use requirements necessitate policies to govern
device use within predefined geographical areas. Everything might be allowable in your native
region, but in other areas restrictions might apply that govern data usage levels, data access levels,
or both.
BANDWIDTH THROTTLING: For corporate-sponsored data plans, will bandwidth be limited to a
predetermined level for various user segments? What happens when limits are met? Is data cut off?
Is the employee required to secure special approval or to pay for data use beyond a certain limit?
Which policies apply to which user segments? There could be exceptions to policies; for example,
policies for employees who are travelling internationally might be different from domestic policies.
BUSINESS SUPPORT VS. PERSONAL SUPPORT: For an employee-owned device that accesses
personal data and applications as well as business data and applications, how far will IT support
extend? Will the organization support all calls from the employee about the device? What
constitutes a personal support issue vs. a corporate support issue? Does the policy vary by user
segment?
DEVICE LOSS: If an employee-owned device is lost, stolen or broken while being used for business,
what’s the policy? Can data be wiped from the device? How much control does IT have? Can they
try to locate the device? How do you tread the fine line between privacy and security? And for
employee-owned devices, what’s the policy for replacement or repair? Many companies view BYOD
as a cost-saving initiative but based on how these questions are answered it may actually increase
costs.
REIMBURSEMENT: How will employees be reimbursed for devices and/or data plans? A broad
range of options exist, from total coverage of devices and unlimited data, to reimbursing
employees for data expenses up to a certain preset level. Do employees submit a reimbursement
for their expenses or do they get a fixed amount/allowance? What happens when employees
exceed the data plan? Once again, different policies are likely to apply to different user segments.
Essential 3:
Build a Legal Policy Framework
The introduction of employee-owned devices into the enterprise environment, and the presence
of enterprise data on personal devices, will immediately give rise to legal issues. Policies must be
outlined in advance to avoid costly mistakes.
RESPONSIBILITIES: Does an employee using a device with corporate apps and data have a certain
responsibility to protect the device? What if reasonable or required precautions are not taken to
protect the device? What if they are but information is still compromised?
RIGHTS: What rights does the employee have to protect his/her private data? What rights does
the organization have to protect its data? What if a disgruntled employee leaves the company with
a device that contains—or may contain—sensitive corporate information? What actions can the
company take to protect itself? Can an organization delete information and applications housed
within a secure corporate container at any time without notice? The legal rights of employees
and organizations differ from country to country and have to be customized to meet applicable
regulatory and privacy requirements.
LIABILITY: Is the company liable if some action on its part results in exposure or loss of private
data? Is the employee liable if corporate information is lost? What if the employee is following
the required security policy, like password protecting the device? Does that remove liability? In
a different vein, is the company liable if the employee uses his/her device for illegal/unethical
practices in personal time?
Essential 4:
Build a Security and Technical Policy Framework
Technical issues abound for BYOD implementations. As is the case for business and legal policies,
no single approach is best for all organizations, environments and users. Regardless of your specific
business characteristics, the following issues should be considered in light of user segmentation
and business and security requirements.
DEVICE ACQUISITION: When employees purchase new devices, technical considerations may
influence policy for device acquisition. Specific hardware or operating system requirements may
favor the purchase of particular devices, may influence the selection of a particular vendor, or
may require a particular vendor to supply devices that have already been provisioned to your
organization’s specifications.
SECURITY: One of the most challenging technical issues in BYOD is balancing security and risk.
A successful IT strategy for BYOD security might involve applying different security policies and
technologies to different user segments. IT security requirements for a typical employee accessing
e-mail could reasonably be lower than those for an executive accessing sensitive enterprise data.
Applying the same security policy to both user segments could be unwieldy and expensive. At the
same time, however, applying multiple policies and technologies can be complicated and must be
carefully coordinated by IT.
A broad range of security technologies can be applied as needed: physical device security; secure
containers and sandboxes to isolate sensitive data and applications; solutions to protect data at
rest and data in transit; solutions to safeguard network connectivity. An in-depth discussion of these
technologies is beyond the scope of this white paper. The point is that these technologies and
solutions will need to be mapped to specific user segment security requirements.
[Figure: Spectrum of Mobile Device Security Options (spider chart)]
SECURITY REQUIREMENTS BY SEGMENT
This concept is represented in the accompanying
spider chart. Each user segment is likely to have a
distinct security requirements map. One segment
may have a high requirement for secure email and
productivity tools while another may need secure
access to a set of custom apps. All might need a certain
level of security applied to the mobile device itself.
Technologies deployed—and associated costs—will
apply accordingly.
DEVICE PARTITIONS: This user segment-based approach maps well to the use of device partitions
and personas to support flexible application of security privileges. A growing number of devices
are designed to support multiple user personas. Secure containers can also be used to isolate
the data and applications associated with each persona, simplifying the assignment and ongoing
maintenance of user access controls.
APPLICATION MANAGEMENT AND DEVELOPMENT STANDARDS: Management policies need
to be established to ensure the right level of control on each app based on its sensitivity and use.
Access to certain apps and data could be blocked if they are not relevant to a certain role. Perhaps
an individual app should be geo-fenced rather than the device? What about time-fencing apps so
they are not used outside business hours?
To support the user segmentation-based security and
provisioning model, application development standards will
need to be developed. Securing email is relatively easy. But
to secure mobile apps and data at rest and in transit, apps
should be developed to fit into a more scalable and secure
app model.
One approach is to create a container on the user’s device
which functions as a shield around the data and apps which
reside within it. A composite app resides in that container,
and a set of granular apps sit inside the composite app.
When a user is provisioned, they are granted access to the
appropriate container(s) and composite app(s) based on the
user’s persona. If the container is secure, the apps and data
are secure. The standards and architecture implemented
will impact app distribution, employee-owned device
management and security management.
This container/composite app model can greatly simplify app provisioning and maintenance. But
the standards for app development need to be established up front to ensure that the full range of
enterprise apps is consistent with the model.
DATA ACCESS: Data access policies will also need to be established. This is true for both company-
owned and employee-owned devices, but employee ownership introduces an added layer of
complexity and need for governance. Key questions that will need to be addressed are: Will the
company offer corporate WiFi access to supplement the broadband access being purchased
from a telco? While this may be practical for many organizations, physical layouts, geographical
distribution and building structural issues may drive different decisions. What level of broadband
access is the company willing to pay for, and what are the bandwidth requirements of the different
user segments? Is 3G adequate? Is 4G necessary? For which users?
Essential 5:
Build a Plan for Successful Policy Implementation
Employee ownership of devices introduces a unique set of challenges and requirements when it
comes to policy implementation:
SELF-PROVISIONING: The most obvious challenge with employee-owned devices is that the
company doesn’t typically have access to the device. So, mechanisms must be set up to enable
employee-owned phones, tablets and other devices to be provisioned by the users themselves.
USER PROFILES: A solution must be in place to link individual employees with their user profiles—
probably based on an AD/LDAP access control system and set of policies around individual
membership in groups and group access to various data and apps.
AUTO-CERTIFICATION: With employees connecting to the network and provisioning their own
devices, the technology and process for automatically certifying that the device has a container
needs to be established. Further, the company needs to be able to ascertain that the device is
connected through the container.
EMPLOYEE SELF SERVICE: Since organizations cannot typically take possession of employee-
owned devices, it is essential that employees can provision and service devices through a “single
self-service window.” Device and data plan management, usage tracking, and access to corporate
applications that are authorized for individual personas all should be included. Without simple,
integrated, single-window service, employees may wind up frustrated and unhappy, while IT is
bogged down in an overwhelming stream of support calls.
TELEWORKING: An organization’s virtual desktop and unified communication strategy should
extend to mobile devices. In fact, mobile devices, particularly those with larger form factors,
provide a logical setting for enabling teleworking. A comprehensive BYOD strategy and policy
should encompass teleworking as well.
Essential 6:
Provide for Ongoing Governance to Maintain and
Evolve Your BYOD Policy
As with any new initiative of this magnitude, a BYOD policy must evolve as new factors and
considerations emerge. To do so, a governance model is necessary – one that measures and
monitors key factors such as cost, security breaches, lost phones, jailbreaks, etc. The definition
of a BYOD governance model is beyond the scope of this paper, but suffice it to say that a BYOD
strategy and policy is only as effective as the measures that are implemented through a
governance model.
Conclusion
Harnessing the power of employee-owned devices can deliver tremendous advantages to the
organizations that do it successfully. Keys to success include establishing a solid foundational
understanding of the current environment; developing a clear set of business, legal, and technical
policies; executing a well-defined implementation plan; and providing for ongoing governance
and evolution of policies. Experienced enterprise mobility management service providers who have
successfully guided organizations through the creation of BYOD programs can offer vital assistance
in the process, anticipating challenges and opportunities, and avoiding costly missteps. The BYOD
opportunity is here. The right partner and planning can help you seize it.
DMI and Successful BYOD Management
DMI is the world’s leading provider of enterprise mobility services and solutions. We have been
providing Managed Mobility Services for the past 9 years to a growing set of commercial and
government customers.
Our comprehensive Managed Mobility Services portfolio includes:
Mobile Strategy Consulting
24 x 7 Mobile Help Desk
24 x 7 Mobile Device and Solution Management Service
Mobile Device Logistics
MDM Solution Implementation, Upgrades, Health checks and Assessments
Mobility Solution Training
We partner with the leading software and hardware vendors in the industry. Our partnerships
include MDM vendors such as MobileIron, AirWatch, Fixmo, Good Platform, BlackBerry UDS/BDS/
BES, as well as platform and hardware vendors such as Apple, Samsung, Google and Microsoft.
We also build enterprise class mobile solutions that generate results for the world’s top brands
and businesses. Our mobile solutions combine the award-winning user experience design that has
made us one of the top creators of consumer apps, with the deep middleware and engineering
expertise that we’ve used to build and manage enterprise applications for the most demanding
IT departments in the world. DMI mobility solutions improve business processes, tap new revenue
streams, build customer loyalty, and increase employee productivity.