It’s important to acknowledge the difference between mobile device management and a bring-your-own-device program. MDM has been around for years, and what results when a MDM solution is implemented is different then what is needed to simply accommodate users’ personal devices.
An IT department (and, if everything is running smoothly, HR and a few other departments) needs to actively decide what a BYOD program should look like for the company. Is it to save money? Is it to make employees happier, perhaps with a wider choice of device models? Is it mandatory, or is it to allow extra “luxury” devices like tablets into an environment? How much ownership does a company want to leave to each employee? The answers to these questions will determine whether an employee-owned program is true BYOD or simply offloading the cost of mobile devices to employees.
MDM + employees paying for their own phones ≠ BYOD
There are many MDM vendors that say, “Sure, we support BYOD, bring em’ on in!” However, the way this happens with many solutions is quite a bit different from how people most people would want BYOD to work. Most MDM solutions give IT the ability to control phones and tablets very tightly—administrators can prevent users from installing apps, turn off cameras, enforce password policies, remotely wipe devices, and track all the details of everything a user does. Solutions like this have their place, but these controls don’t jive with what most users would expect to happen if they brought their personal phones into work.
Imagine an employee (I’ll call him Carl) at a company that is implementing a BYOD program. Carl enjoys having the latest smartphone, and is glad that he can finally use it for work, instead of having to also carry around the boring IT-issued phone. When Carl switches over and drops off his corporate phone, IT takes his personal phone for a few minutes to get him set up with some cool sounding work apps, along with the usual PIM tools. When IT hands Carl his personal phone back, however, suddenly it now requires an annoyingly long password to be unlocked, the camera has been disabled, and a few apps (that he bought with his own money) have been deleted because they were blacklisted for being insecure. Carl, to say the least, will be a bit unhappy with his company’s BYOD program, especially if it was mandatory.
This is an extreme example, but it shows how heavy-handed use of MDM software under the guise of BYOD could cause some problems. Another negative result could arise for employees that already use company-issued phones for personal use. An employee could be perfectly satisfied with using the phone provided by the company, accepting whatever restrictions are in place because overall the phone is still a benefit of their employment. If a BYOD program is implemented, the employee is out $100 a month that they will now have to pay. A stipend could compensate for part of this, and having more options when it comes to his choice of phone could be a benefit as well.
Optional vs. mandatory
The point of these examples is that if a company uses MDM software to lock down BYOD phones to the same degree as the old corporate phones, then there are very few benefits for the employee. There may be more choices for handset platforms—though these days deploying iPhones and Android phones is just as run-of-the-mill as deploying a corporate Blackberry thanks to a lot of hard work put in by MDM vendors—but it doesn’t take the employee bringing their own device to make it happen. Instead, when an company implements a locked down mandatory BYOD program (quite an oxymoron) only the company benefits because it’s really just running a pay-your-own-bill program.
Where MDM does enable BYOD is in cases where the program is optional. If an employee wants to bring their own tablet into a high-security environment as an extra tool or as a luxury item, they do so knowing that it’s going be controlled under corporate management poicy. In this case the phones in the environment are probably already locked down, either paid for by the company or through a faux-BYOD pay-your-own-bill program.
Manage the data/apps, not the device
In environments that don’t need to be quite that locked down, it makes no sense to try to manage entire devices. Managing one phone per employee is probably fine, because IT departments have been doing this for years. But then in 2009 a few people showed up with iPads. Now there's a deluge of tablets, and who in their right mind wants to first convince all those employees to surrender them to corporate control and then actually implement all that management?
This is not the time to roll out MDM software. For environments that can and want to allow BYOD, concentrate on controlling access to the data, not the devices themselves. After access for all the extra mobile devices is worked out, moving the existing phones to BYOD will be easy.
Models of BYOD
You’ll probably be able to think of where different vendors’ solutions would fall on this list, but I’m going to wait to plug them in until after I’ve talked to all of them.
- Apps only. The corporate apps get to be password protected, encrypted, and remotely wiped when the phone is lost. The rest of the phone can stay untouched, with whatever wild, crazy apps a user wants, no password, personal photos, and all that other stuff.
- Hypervisor/VM. Many of the same benefits as an apps only solution, but this time you get a whole operating system instead of just a suite of walled-off and secured apps. One of the cool things about having a virtual phone is that it makes it easy to have two service plans—users and corporations can be sure that they’re each paying their fair share. The elephant in the room is that the chances of Apple allowing iOS to be virtualized are very slim. Also one of the parties still has to own the device, and whoever owns the hypervisor level will really be the party in control.
- MDM. Good for adding voluntary extra employee-owned devices like tablets to high security situations, and for traditional corporate-liable devices.
- MDM + sandbox. Having an area where the users can do whatever they want would make MDM more palatable, but it still means that the user isn’t in complete control in a BYOD situation. Type-2 hypervisors where the personal device is the guest VM also fall in this category.
It’s important for any parties considering BYOD or MDM to know the differences and what each solution can and cannot accomplish. Mobile device management solutions have their place, but not in most BYOD situations. MDM can be used let employees voluntarily add extra devices to secure environments, but BYOD programs should leave the management up to the user, not the company. Requiring employees to surrender their personal devices to corporate management is simply offloading phone bills, not bring your own device.