Bring your own device, or as it’s most commonly known, “BYOD”, is easily becoming the hottest topic in IT of 2012. The views on what IT should do are definitely divided: some companies are adamant that you must use a corporately purchased device, while other companies are more liberal and allow employee-liable devices. What side of the fence are you on, and do you have a plan to change?
BYOD isn’t a fad. It’s transforming the way enterprise IT is looked at, as consumer devices are able to update much quicker than traditional enterprise. It leaves enterprise IT scrambling to work out how to allow these devices securely onto corporate networks and how to secure the data that’s being left on them. More and more employees are coming to your help desk asking, “How can I get my work email and calendar on my [insert device]?” At a recent BlackBerry Innovation Forum (#BIF12) held in Edmonton last week, when the audience was asked how many people have a BYOD policy, maybe one or two hands went up in a room of 250 people.
It’s clear that many companies, at least in my circle of influence, do not have a well-defined plan to support BYOD. So what are some of the things you should be thinking about when drafting a BYOD policy? I’ll put a few points and some colour around them below; however, this list won’t be exhaustive.
- What devices do you support? iOS, Android, Windows 7, BlackBerry, etc. Do you even care? What does the support structure for these devices look like? What is Help Desk responsible for?
- What security policies are you enforcing? Are you going to enforce a lock screen policy, limit access to the app stores, limit the use of the camera, etc.? These are pretty basic policies; however, with a proper MDM (Mobile Device Management) solution you can get a lot more granular depending on your needs.
- Adding to the above, will you allow corporate data to be stored on the device? Some MDM solutions provide a carved-out section on the device that is reserved only for corporate data, email and other items of that nature. This helps specifically with personal data: you’re able to manage only the data you care about, leaving the personal data alone.
- Typically you’ll want to make mention of your Acceptable Use Policy which would still be in play for any devices connecting to your corporate network. A BYOD policy should simply be an extension of your AUP.
- What other technology do you need in place to support BYOD? Do you require a NAC solution? Those can be costly and add an additional management layer to your network.
- Can you support the additional device IP addresses being consumed on your network? Check your DHCP scopes; chances are you could be on the verge of running out of addresses.
- Do you require more VPN licenses? Most devices will have some sort of VPN connectivity, and this needs to be taken into consideration.
- If personal devices are going to be connected, do you require the end user to sign a release stating that if you do wipe all data, the corporation is not responsible? I’ve read in a few places that this can be a major cause for concern if the proper policies are not in place.
- Make sure you have clear expectations of which services are being provided and which are not.
These are just a few things to think about when creating a BYOD policy, along with some of the other items of note. To end things off, do you have a BYOD policy? If not, why not, and do you plan on having one in the near future? Or will your enterprise IT department continue to rule with an iron fist?