Is the world ready for the BYOPC / employee-owned PC?

We've written quite a bit about the Bring-Your-Own-PC (BYOPC) / employee-owned PC concept over the years. (Check here and here if you're not familiar with the concept.) Now that Citrix and VMware are getting closer to releasing their client hypervisors and the economic recovery means that we'll have to start fighting for good employees again, I wonder: Are we ready for the employee-owned PC?

The concept looks great on paper. Employees are happier because they get to use whatever type of laptop running whatever OS they want. IT is happier because they don't have to deal with the daily minutiae of managing the employee's laptop. Sounds great!

But is it really so simple?

The biggest logistical question is whether IT can really get away with not supporting an employee's personal environment. Sure, IT can technically make a policy that says they only support the corporate VM and not the underlying OS. But just imagine how often you'll hear "I don't care that you don't support it! I need my photos back now!!" coming from the IT cubie area.

In the intro to this article, I alluded to the fact that client hypervisors might help the employee-owned PC even though they're not specifically designed for it. Just imagine: the client hypervisor means that IT can now get back "under" the employee-managed OS. Not only is this great from a security and performance standpoint (in that the corporate VM can run on a secure host and be guaranteed a minimum level of performance), it also means that the employee guest could be more easily patched and backed up (as much as we don't want to have to do that).

Of course client hypervisors are not the only thing driving the employee-owned PC concept. A lot of people are looking at this as an Echo Generation / Gen Y thing. This group (which turns 30 this year!) is less willing to accept cheap plastic boring Windows laptops for their work computers while they get to use Macs at home. In the old days we used to be able to say, "Fine, if you don't like it, find another job!" But as the economy starts to recover and this slice of the workforce has a choice of employers, we'll have to do everything we can to fight for them. And offering them a Mac and an iPhone instead of a Dell and a Blackberry might be a good step in that direction.

My point is that while a lot of us have thought about the concept of the employee-owned PC, it looks like it's soon going to be time for us to decide whether this is something we want to support or not. So to best make our own decisions, I ask you: Is anyone using the employee-owned PC concept at your company? If so, how does the program work? What products are you using, and what problems have you run into? What would you do differently?

And for those who aren't doing the employee-owned PC thing yet, do you ever think you will? If so, when? If not, did you try it? Why did it fail?

Join the conversation


I am anxious to see some enterprise IT folks chime in on this.  However, as both a vendor in the space and an end-user, I have seen myself go from skepticism to cautious optimism on this topic.  Based on the handful of conversations I have had with IT teams on BYOPC, I think two things will really need to happen for it to take off:

- Client hypervisors must become mainstream (i.e., more common that they are there already on the PC than not) and prove themselves to be useful and beneficial to end-users—not just IT.

- Apple needs to change their licensing policy to allow the standard version of OS X to be virtualized (even if it is still restricted to Apple hardware).

I believe that both of these will happen, but the time it will take to get there will likely make BYOPC something that IT shops investigate and pilot in 2010 with an eye towards rolling out in 2011 or beyond.

I think the progression over time will be:

- IT teams start by using client hypervisor technology to manage corporate-owned PCs to make sure it meets their needs to begin with (before getting into the business of putting it on someone else’s PC).

- A subset of these organizations will offer both corporate and “personal” environments on the client hypervisor enabled corporate PC.

- As a follow-on to early success with client hypervisors, IT teams will do small pilots of BYOPC with advanced users using a non-destructive dual-boot installation mode (employee boots native OS at home, hypervisor w/corporate OS at work).

- Once IT shops develop confidence in the ability to convert native OS to personal VM (or just boot the personal partition as a VM the way some Type 2 products do), avoid personal OS support issues, and remove the hypervisor non-destructively if the employee leaves, they pilot the end-state (convert non-IT created personal OS to VM and run both concurrently).

The technology to get to the end state is here today, but I think BYOPC adoption will need to follow adoption of client hypervisor approaches to replace the current corporate PC management model.  Otherwise, it will be too big of a leap for both IT and end-users all at once.



Reading through the Apple EULA here:

I can't see the bit where you can't run OSX virtualised on Apple hardware.  What am I missing?




Re: Running the Mac OS X client in a VM, I'm with Jim on this. I think it's fine to run a single instance of the client OS in a VM on Apple hardware.


For the actual concept of BYOPC - technically this can be done today, and pretty much any organisation that supports remote access to the network and to applications can take advantage - e.g. SSL VPN, IPV6 and HVD/TS as we currently know it - as a baseline you basically treat your BYOPC users as remote users - then maybe customise from a security/integration standpoint - for differing users and roles.

But as for the specific adoption of Type 1 Client hypervisors - there are a number of deployment challenges that I can think of -

1 - How is the actual deployment of the type-1 hypervisor going to be managed? - Do we have to rely on OEM manufacturers? or will it have to be a P2V type exercise?

2 - If IT has to do the deployment - how many users are really gonna let their IT dept let rip on their precious personal device? With all their personal data and family pics etc.

3 - Additionally what will be the governance or standards that mean I can use my machine at company X with their platform, but then if I move to company Y what will happen? - Will there be cross vendor support from a type-1 client hypervisor perspective? – will all hypervisors be equal? Will they all be implemented in the same way - making correct and appropriate use of the hardware? OVF is great but not yet fully proliferated and that’s even before Citrix/Microsoft vs VMware format etc



As a small nonprofit company in the medical field, I don't envision us deploying byopc at any point in the future.

For us, byopc raises too many security compliance issues in addition to creating a larger 'footprint' in both hardware and software for us to support.  Overall, it just seems to complicate everything and it's nearly always better to KISS.

In my opinion, there are few  use cases for byopc.


@Jim, @Brian

I'd say the licensing stuff is a grey area. If it's that cut and dry, why do both Parallels and VMware Fusion support OS X Server but not the regular client OS?  Don't get me wrong, any grey area we will interpret to our most favorable advantage.  However, if I am a Wall Street CIO contemplating a BYOPC program, I probably want a more explicit affirmative statement from Apple than this before I start writing checks for employees to buy Macs.


Your point about employees being concerned about having their system monkeyed with is definitely valid. I think the fact that most companies will provide subsidies for the PCs gives them some implicit license to bring the PC into a corporate management framework.  However, as you point out, I think the employees need to have the assurance that if they were to ever leave, their PC would continue to be usable elsewhere (or at least, at home).  I think eventually there will be cross-hypervisor interoperability.  However, to start I think it is non-destructive install / uninstall from the client hypervisor vendor.  From there it progresses to self-management tools on the client hypervisor.  At Virtual Computer, we have so far focused on a model where the virtual desktops are managed centrally by IT, backed up to a central console, etc.  However, if we augment that over time with additional tools for users to reinstall/maintain their personal OS more easily, take snapshots, backup personal files like music, pictures, etc. to local media, the client hypervisor remains useful / an improvement over the native OS on a stand-alone basis.

Customers will eventually force us vendors to create interoperability among our products, but at this point the market hasn’t yet developed to a point where all of the vendors have their own management stories sorted, so it will take a while for cross-hypervisor management to become a reality.  I will say that we are open to it when the time comes.


I don't believe client hypervisors should really form a part of BYOPC.   I see client hypervisors as being more of a tool to allow user flexibility on a corporate owned asset.

In order for BYOPC to be as useful as the car allowance schemes that are analogous, then corporate IT cannot be responsible for any aspect of the user's device.   The company simply provides an allowance and some guidelines on the device to be purchased (e.g. must be less than 3 years old)

BYOPC devices should be treated as untrusted, just like home PCs coming in via remote access.  This probably means segmenting them when they come onto the corporate network (e.g. Wifi only behind firewall), and only offering published resources (most likely Desktop from XD or XA).

In the real world this would probably also mean some sort of switch level protection to prevent untrusted devices from being plugged into the corporate network by ethernet cable.  (but then I guess we should be doing this already to protect us from the vendors/visitors machines).


I agree with Simon on this.  In the Healthcare industry we aren't going to have long to accept the fact that physicians are going to use whatever device they want to.  Whether Healthcare companies want to admit it or not, Docs are already doing it behind the scenes and they are jumping through hoops to support them.  This is essentially a BYOC program without putting it down on paper.

As Simon mentioned these devices should be treated as untrusted and using whatever NAC/security solution to segregate those however the IT department normally would for vendors/visitors.  From there you’d allow those machines to connect into your HVD/TS infrastructure to get the corporate services.  The nice thing about this solution is that you don’t have to worry about managing the personal environment, pictures, etc you just need the remote connectivity client (ICA/RDP/etc) to access the infrastructure.  I think this is step one to formally supporting BYOC and a lot of companies are doing this and just not documenting or calling it BYOC.  Client hypervisors come in for the work force that need to be able to work disconnected and as others have mentioned add a life cycle management that would be needed to be successful.   Unfortunately the maturity of the products isn’t anywhere in the near future to support BYOC as being discussed in this thread.  I don’t think client hypervisors will be used for BYOC programs until they are successfully used internally within an organization to manage their own devices which to me makes it a year or two away.


While the idea is interesting I think there is too much Kool-Aid being passed around. No matter what approach you use there is going to be something that can go wrong with the endpoint and as Brian already mentioned the user isn't going to care whose problem it is. Honestly I think this approach to end user computing is far from a silver bullet and I don't see any true value to the enterprise. This is just going to be another way of shifting around your current problems to inherit new ones.

What I do see is a shift in the way end user computing is done by using one of the many new technologies entering the marketplace but I firmly believe the enterprise is better off owning and managing standardized endpoints.


From an enterprise IT perspective, BYOPC discussions consistently fail to include the answer to the question of "What about the network?".  Even in a client hypervisor scenario you would theoretically have an unmanaged device on the corporate network.  In a large corporate enterprise that is not a small point of discussion, even with some sort of ssl vpn solution in place to provide policy based access.  When you add the cost of moving to a VDI type of infrastructure with the cost of making a fairly major modification to the overall network design you lose a fair bit of ROI/TCO benefit.  You effectively have to take your current RAS strategy and extend it into the internal infrastructure and really sharpen the security focus on that solution to make sure you are controlling promiscuous devices along with OS's that are not necessarily traditional for a large number of corporate environments.

BYOPC will have limited adoption (IMO) until the InfoSec and Network guys can reconcile a change that significant with the realities of their respective infrastructure.  Not that it can't be done but think back to the early days of RAS and the major uphill battle those discussions were, and then have them all over again only with a focus on "you want to allow what on my internal corporate network?".

And as far as supporting those client OS's, that is a reduced challenge in a client hypervisor scenario but in a straight VDI setup where it's laid down over the existing OS reality is that yes support will now have to look after a bunch of unmanaged devices of various OS flavors and types.  TCO goes to hell in a handbasket.  Just don't see it happening.


I discussed this and the UIA idea (user installed apps) on this post here:

You guys seem to be forgetting/ignoring or simply not being aware of the legal implications this may have. Read my post for some real examples of what legal implications such approach may have.


If/When the technology really becomes available, perhaps the entry point is simpler for IT and helps lower some pain.

How many administrations are supporting employee owned PCs today.  Not paying for the PC, but simply adding the PC to the domain after ensuring there is some form of anti-virus installed?  I'm not talking large enterprise here.  

Wouldn't it be less work/risk/etc to slip a hypervisor underneath and support them in a separate VM?  Maybe this isn't BYOPC the way it has been pitched, but I can see this as how it gets started.


" And offering them a Mac and an iPhone instead of a Dell and a Blackberry..."

LOLLLLLL .... I have a dell and a blackberry, provided by my company. They are on a locker on my office for months ... and I use a Mac, and an iPhone, owned by myself.

I have the corporate windows XP within Fusion on OSX, but I normally don't use it (normally do everything on OSX)

Not sure if it is a company policy, but looks like nobody cares (but I am an IT guy, so I normally don't need any support).


Here are a few random thoughts I have here: (sorry for the scattered thoughts)

I think the BYOC paradigm is mis-understood at some points.  The way we talk about BYOC is:

The user has one computer for work and home. They have the same usability that they are used to in each case.  They have the choice to load, delete, modify anything they wish.

The user OWNS the laptop and can configure it any way they see fit as long as they meet certain hardware requirements, warranty, and run anti-virus.

We use XenApp to deliver the applications (they also have access to XenDesktop if they choose).

They come in to the office network via VPN, even if they are physically in the office.  BYOC users are to only use VPN to gain access to company assets.  NAC is a great way to ensure this.

I cannot stress enough about planning the BYOC programs.  You have to make sure policies are there and that butts are covered.  We planned our program for months and had everyone from C-level down to department Directors involved.  IT cannot (and should not) plan a BYOC program alone.  Legal, HR, and different departments need to be involved from the get-go because every department has certain needs and uses that need to be addressed.

If companies are worried about file security, then file access tools and logs are the way to help.  

The program we implemented was catered to technology savvy people who grew up with TiVo, MySpace, IM, and such.  IT just supports the software they deliver via XenApp(XenDesktop) and the client software. So supporting client hardware decreases.  

We did not intend for the entire company to go for the BYOC program, but we wanted to give employees a choice.  If they like the laptop they are given by the company, and they like the service offerings from IT, then they can choose that route also.

Client hypervisors are just a "more secure" way of allowing any PC on the network. I personally cannot wait for the releases of these to test it out.  

I am sure there are companies that have higher security standards like government, banks, healthcare records, etc. that can take advantage of a client hypervisor, but it is not imperative to have to run an AWESOME BYOC program.

The fact is BYOC is all about choice. We have given the users a choice and we have planned the program well because we thought of all use cases and made sure there were policies in place to make this work and not be too constrictive to the user whilst keeping compliance.  

Our program has been a great success and it keeps going to this day.  

If you are running a XenApp environment (or XenDesktop) then I highly suggest you plan a program and run a 250 user pilot.  This gets your feet wet and you can make changes to the program as you discover issues.  

We rolled out in phases:

1) 250 pilot users in the USA

2) Rolled out full USA enrollment (everyone in the US had a chance to enroll based on dept budgets, etc)

3) roll out EMEA (we took a bit of time making sure we addressed different laws and such for the countries there)

4) roll out in APAC

We constantly sent surveys to the BYOC employees to gather information on roadblocks, issues, and took feedback to cater the program even more.

We still have a great program and it is growing weekly.  

To close this comment,

Remember when laptops entered the workplace?  We were all worried about data being stored on the laptop and the security concerns there (even thumb drives, CD-R's).  Eventually we found a way that the users could use them and have a pleasant experience doing it.

This is just the next phase of the evolution of IT.

I wrote a few blog posts on the subject at

tedd fox


For a perspective from "the enterprise".

And again we've come up with a solution as we still scramble to define what the problem is.

Why do employees want to use their "own" PC?

What isn't the corporate environment giving them?

These are the real questions we need to have an answer to. Is it:

Empowerment? MAC OS? iTunes? Skype? gmail? Facebook? Twitter? MySpace?

Everything that corporate doesn't give them.... surely VDI doesn't dilute any company's legal & licensing obligations though?

Why can't the corporate environment give their customers (yes, some call them "users") what they want? Surely an IT Dept should simply provide for their customers in accordance with a governance policy that protects the company asset and reputation....

If people want OSX at the corp desktop.... Why not? Support, Management and all those other excuses IT has been using for years ???

As for the "network" discussion... It's pointless to control the network edge.... Where is the edge? What is internal and what is external?

Secure the data centre and treat everything as untrusted. It's also cheaper to build the walls around your data centre rather than your network edge.

In the absence of a stipend, I still find it astonishing that someone would keep the corporate laptop in a locker and use their personally owned/purchased MAC (~$2000) instead. Is MACOSX that good?

my $0.02


@Simon Jackson makes a lot of sense above.

The comparison to the car scheme is a good one. The company car when unavailable can stop an employee from being effective in their role but you don't see a whole lot of mechanics on staff. Simply keep it current and in warranty.

Am I over-simplifying it?? Why do we make it so complicated?


Get back 15 years ago... What was the discussion regarding VPN's (L2TP, L2F, IPSec, GRE, SSL) at this time? Not secure! Never for me! Not proven!... Have a look now...

Same for BYOC... Don't say never. Just say: wait for more proof for my business. I'm a BYOPC user for 2 years (early bird) and very happy about it. Get my own personal config and will now update my personal servers with the money...


The discussion seems to be getting more and more interesting guys...:)


@Clayton - Is MACOSX that good?

Umm, yes. On the whole, it IS that good.

I think that it, and the associated stability and intuitive user experience, is one of the biggest drivers behind the whole BYOPC as the increasing number of users look to their IT department (perhaps naively) to harmoniously marry the Mac experience with the traditional 'tools' they need to get their job done. In fact, maybe we should call it BYOM - Bring your own Mac! Personally, the prospect of BYO Wintel PC when I'd normally be provided one anyway holds little to no interest.

It might be interesting to run a poll to identify levels of interest between BYOPC vs BYOM.

I actually stand in the camp of those that believe a BYOPC/M program is an IT compliance / security / management nightmare for larger enterprises that need to give a crap about all that stuff.

Having said that though, there's a chance it could be inevitable - just look at how the iPhone has pervaded the corporate arena, despite never really being intended for that audience. In many cases, IT has simply been forced to work with / integrate it as best as possible. And here's $2 that says the iTablet / iSlate will damn near repeat history in this sense.

Interesting times.


We at MokaFive are seeing quite a few of our customers adopting the employee-owned or BYOC model. I believe that a client Type 2 hypervisor based virtual environment is a much better model for BYOC. It resolves most of the challenges raised in this discussion such as, the need for a forklift upgrade for BYOC in case of a client type 1 hypervisor or the need to be offline in case of a VDI model.

The deployment works as follows.

1. Company gives a stipend to the employee to purchase a machine of their choice (often Windows or MAC).

2. User downloads the managed standard corporate environment, which is a VM running on MokaFive with a Type 2 hypervisor and starts using it locally on their machine.

3. User can connect to the corporate network only through the managed virtual environment and updates to the corporate environment are automatically distributed and applied to the end points.

This model also works for companies who are looking to provide their employees/contractors access from existing personal machines. Since it is a non-intrusive approach, once the corporate image is defined the provisioning of the virtual environment is very rapid.

The advantages are two fold. 1) The underlying system does not have to be managed 2) Single click installation of the virtual environment of the employee-owned machine  (no need to do a Type 1 forklift upgrade)



I guess everyone is different and personally I use an OS for......not much (Win7 seems to boot and shut down quick which I like).

To me the OS is becoming more and more irrelevant but when people talk MAC it certainly stirs emotion. So maybe OSX will start to make the OS relevant but in ways that are non-traditional (eg. Staff retention).

A person once said to me that a MAC is a "lifestyle choice". One that he made and never regretted.

Maybe one of our Citrix friends can share the % breakdown of their program. About 18 months ago I saw their breakdown and like you I was surprised that some people actually went XP, Vista and I guess now Win7.

Natalie Lambert would have these numbers...... and also has a real passion for BYO.


I've already got clients doing it.  You don't need a hypervisor...just XenApp and let it rip.  Why is everyone overcomplicating this!!!!!!!!


Fully agree on comments about OSX being "that good".  Now if ONLY the Citrix OSX client was "that good"  Seriously, it's the largest market share next to Windows and it's like the ugly red headed stepchild.  Even the iPhone gets more loving and it's way less useful.  Ok, I'm done ranting now.



I have been a proponent of this for many years. The modern "knowledge" worker asking for computers and phones from his employer is analogous to a carpenter asking for tools when he shows up on the job site.

I think this analogy works because the GC provides raw materials and utilities, and a company could view providing IT services instead of devices in much the same way.

I don't know where on the org chart you start, but if at some level the company accepted responsibility for the delivery of services, and the employee was responsible for acquiring and maintaining the devices necessary for him/her to perform the job; then I can foresee the IT cap and op ex number for CompanyX dropping substantially. Depending on the head count this could be a big number.

I imagine that HP, Dell and Apple would pick up the bulk of desktop support, and the help desk at CompanyX serves as escalation when its services are implicated.

I think this is viable in many sales, communications and management positions today. Probably idealistic, but I think the financials of the BYOPC concept could be compelling to some orgs. Robert


Only through attrition will this work.  I have been with my company for many, MANY years.  This type of forward thinking is hard for my IT director to understand.

We have implemented Citrix XenApp and after we got our farm up and running, I broached the thought of BYOPC.  The response was, but the users will have company data when they leave.  I disagreed and showed why.

It is a Generational issue and won't change until management changes with the next generation.