BYOPC misconception: If your users have admin rights, then you're already doing it.

Bring Your Own PC—BYOPC—is something that lots of folks (myself included) have been talking about for a few years now. It’s the term applied to the concept of end-users “owning” their own laptops while IT resources (such as apps, data, and backup) are provided as a service.

The thinking is that as today’s workforce becomes more comfortable with computers in general, end users will inevitably want to do things that IT doesn’t want to support (like installing their own apps and storing personal data). Today's tech-savvy users also want some personal choice in which type of laptop they use. (Mac v. PC, Big v. Small, etc.)

BYOPC (a.k.a. "EOPC" or "EOIT") wasn’t really an option until recently since there was never a good way to cleanly separate “work stuff” from “personal stuff” on the same laptop. But now thanks to client VMs, application streaming, seamless server-hosted apps, and the like, it’s actually relatively easy for IT to provide their apps and desktops as a service and for users to “own” their own laptops.

Personally I think the BYOPC concept is brilliant, and it’s something that I feel the majority of users should be able to enjoy. But as I discuss the BYOPC concept with customers in the real world, I’m surprised by how many say that BYOPC won’t work for them because they could never have corporate data on personal devices. (Or they say that their company would never allow end users to bring in their own unmanaged laptops.)

My next question to them is, “Do your users have admin rights on their laptops?”

Probably 90% of people I ask say, “Yes.”

“Well my friend, if your users have admin rights on their laptops, then you’re already doing BYOPC.”

At this point I usually get protests in the form of, “No, the company owns the laptop.”

But it doesn’t matter. If a user has admin rights on his or her own laptop, then that user “owns” the laptop. I don’t care what name is on the asset tag or who literally paid for it—if users can do whatever they want to a laptop, then they own it.

And that’s a good thing.

What’s it mean to “own” something?

There’s a big misconception with the whole BYOPC concept, namely, some people think the “own” in BYOPC refers to how the laptop was literally purchased. Wrong. The “own” in BYOPC is about who “owns” the control of the laptop. Sure, some companies want to implement BYOPC programs so they don't have to select, buy, and manage the laptops (i.e. the program is a slick way to shift more expenses onto the workers), but the majority of companies who've implemented BYOPC still buy the laptops for the users. In practical terms there are several ways the "own" can happen in BYOPC:

  • The employee owns the laptop. They literally bring in whatever they want.
  • The employee owns the laptop. IT sets a minimum set of specifications the device must meet.
  • The employee owns the laptop. IT specifies certain makes and models they will support.
  • The company owns the laptop. Employees are given a stipend to buy whatever they want with the allotted amount. The employee can spend above and beyond as he or she chooses.
  • The company owns the laptop. The employee has no choice about make or model, but the employee has admin rights and can install whatever he or she chooses.

I'd argue that the last bullet is the way that laptops are managed in the majority of real-world companies anyway.

So next time you hear someone talking about the (many) benefits of BYOPC, remember that there are multiple ways it can be implemented, and before you write it off, consider that you might already be doing it!

Join the conversation


Brian - your analysis has a lot of merit.

There are some very large Enterprises, I'm talking Fortune 10 companies, that actually do "BYOPC" but if you call it "BYOPC" they might throw you out of the room.

For some, "BYOPC" (the term) has a negative association primarily from a security perspective. What's ironic is those same companies who are opposed to at least the term "BYOPC" don't seem so "violently opposed" to the concept or term "BYO-SmartPhone"

If you want to use an iPhone, Android, or some new BlackBerry that the company does not officially own/support, they will probably help you get the device integrated, managed and secured by their IT systems so you have email, contacts, and calendar access.

I think it's just going to take a little more time and maturity of tools (e.g. secure, well-managed, portable, encrypted desktop virtualization offerings) before BYOPC as a concept and then a term becomes acceptable by the mainstream.

But you're right, companies are doing BYOPC (in a broader sense), they just won't admit to that term.  They instead use terms like Companion Mobility, Netbook alternative, Virtual Agents, Work At Home Telecommuting, Secure Mobile Computing, Secure Remote Access, Business Continuity, etc.

BYOPC just sounds too radical and scary for some companies but it is happening slowly but surely.


Bring Your Pwned Computer.


Hmm - I think you're muddying waters tbh. You've highlighted two issues - "ownership" of 'a thing' and management and administration of 'that thing'.

It's a common misconception that by owning "the thing" you are "more in control". This is not true - as, as you say, all the concerns around stability and security of data are out of the water if you give users full admin rights. Can you own 'the thing' and cede control responsibly? Well there are from the likes of Avecto or Viewfinity; Appsense are working on URM piece as well...  there are options: in fixing that "user control" you've a more stable environment, less likely to lose data, less likely to lose productivity.

There's a misconception if you let the user 'own the thing' then you enable greater responsibility, productivity and 'happier users', and another misconception that by not owning it you introduce deadly risk. Having the user own "the thing" is more than just technically "how do you keep your data secure" - there's a whole host of issues around availability, tax, health and safety, T&Cs that need to be thought through here - as well as the concept of how does this impact on who and when people work. The 'de-risk' techie part can be relatively straightforward - provided you have an infrastructure already geared to supporting it.

I think the concept of BYOC is relatively simple. I don't think you're already "doing it" by giving full admin rights: that's a different issue you've got there - there you've got badly managed User rights - manage them better.

Either way - how is what you've got now bad, how will changing it make stuff better and/or cheaper?


I agree with Brian that the BYO concept has been around in many forms way before the catch-phrase.

Security guys say Pwned and savvy users say Freedom. Doomsday and rosy gardens.

As I see it, this is a PC (Mac too) thing. You know, the things 99,5% of companies use as opposed to the half percentage or using VDI - where it IMO pretty fast becomes an oxymoron


Whether Corporate IT cares to admit it or not, providing users with physical access to their workstations allows them to "own" it.  There are a wide variety of boot tools and other utilities that allow a person to take administrative control of a device via Physical access.  You can try to prevent this with disk encryption, O/S protection and lockdown utilities but it's a losing battle.

Additionally, when companies provide a network port at a user's desk that provides unfettered access to the corporate WAN, they've allowed the user to "own" the network.  What is to prevent a user from connecting their personal device to the corporate network?  You can implement NAC/NAP or other solutions, but this may just delay rather than prevent unauthorized activities.

If a company is truly concerned with their desktops being owned by the user, then an architectural change might be necessary.  Use of Virtual Desktops, thin-clients and gateways would make it possible to keep workstations away from the prying fingers of users.  But, would this actually be viable?  Or would this reveal a wide variety of business processes that depend on users having local admin rights?  If you adopt this "untrusted endpoint" model, why not allow users to bring their own PCs and remotely connect to the secure desktops?

Security is always a trade-off.  The age old question still applies --Which is more important: productivity or security?