Why BYOD doesn’t matter (nearly as much as we think it does) and we can all stop talking about it


BYOD gets all of the attention in the mobile management world, but what really matters is that no matter who owns the device, the most important task is keeping corporate apps and data secure while protecting the user experience and privacy of personal apps and data. Once we figure this out, though, we realize that who owns a device matters a lot less than we might have previously thought. Let’s find out why.

First, let’s look at why we need to keep personal apps away from corporate data. Unfortunately, many of the apps we love can leak corporate data. Some apps that have access to contacts, photos, email, and other resources might innocently or maliciously export data, and other apps make it easy for users to leak data on their own by cutting and pasting text or opening corporate attachments.

To solve these problems, IT has a few basic choices. First, they could try to keep the data safe by locking down everything else on the device. Risky apps can be blacklisted (which, by the way, is not an elegant process with iOS and most versions of Android), or IT can simply turn off access to app stores so that users can’t install anything on their own. The only problem is that if you try this technique on any personal devices, chances are you’ll have a user revolt on your hands.

When iPhones first came into the enterprise, most of them came in as personal devices. But things are different now, and many companies are issuing corporate iOS and Android devices to their employees. It would be easy for them to think, “Well, we’re dealing with iPhones that belong to the company now, so let’s just lock them down. They still get to use the devices they want, right?” And of course that would cause a user revolt, too!

That’s because an iPhone is an iPhone no matter who bought it. Even if it is corporate-issued, users will expect (or at least really want) to be able to use all their favorite apps in the ways that they would if it was a personal device. And if they can’t do this, then they’ll turn back to BYOD or FUIT, or in any event be frustrated.

Fortunately, to deal with this issue, we have techniques for separating work and personal worlds. Dual-persona mobile app management—where corporate apps are secured and can communicate with each other while keeping the personal apps out—is well established. Other vendors are hoping that mobile virtualization will solve the problem, too.

Now all this isn’t to say that device ownership is completely irrelevant. The party that owns a device has a vested interest in what happens to it, so that means that control around corporate devices may be a little bit tighter. But this control should mean asset tracking or perhaps expense management—not having to lock down the user’s entire experience or root around in their apps in order to keep corporate email safe.

It’s also worth pointing out that this conversation applies mainly to users’ primary devices. There are legions of second-tier personal devices that may get treated a bit differently. Think of e-readers that may only get used to check work email once in a while, or devices of friends and family members that somebody might use to do a quick work task on occasion. But in these cases, it’s simply a matter of dialing down access to corporate resources, not deploying a whole new solution stack.

Returning to users’ primary mobile devices, though, we’ll find that no matter the ownership model, corporate apps need to be secured in a way that allows employees to use the rest of the phone as they desire and see fit. And once we realize this, then the issue of who owns the device becomes much less important. There’s no need to deploy one solution for corporate devices and then another completely different stack for BYOD—they can be almost entirely the same.


Join the conversation



This is what people like Brian Katz and Claudio Rodrigues have been saying all along, and I totally agree. Where BYOD does matter is with issues like liability and expenses, not device, app and information management.



I don't think you can go as far as saying it does not matter...

Strategic drivers like cost reduction, or increased agility can matter a lot.

Most importantly it matters in regards to licensing costs with many software packages as well as data security compliance rules that can get very specific.

BYOD is more than handling the applications and other technology bits. It's just as much about how and where an organization can and should allow it, and what the liabilities involved are.

I like the premise that you should use a similar light-hand approach to locking down your corporate desktop and treating it more like a personal device, but it's not the only path, and sometimes it's the wrong one.


I don't know why an organization wants to be in the business of owning devices for their employees, except for very niche use cases. It's a huge drain on resources. Buy the device for the employee if you want and then hold them responsible for loss, and stick to managing what's important on the device which is not the device.


Of course it matters, it is about the users... Ownership of a device matters, it is an emotional thing, not a technical one.


@DionMes - I agree to a point. Ownership is huge, but the problem of device ownership in the workplace can be overcome.

Separating corporate resources from the device, but making them available on the device is the key.

Then you could have your device for personal use (when you want that), and just use a secure connection app to log in and get all your corporate apps/data on that device (when you want that). A light client would be easy enough to download to those other devices mentioned (like friends' devices, thin clients, etc.), but for online use, HTML5 is really going to change this whole scenario. (Working offline will still be an issue for some, but for the majority, this scenario will work.)

If you can just get everything through the browser, then who cares what device you're using, or whose? Just log in, and get to your corporate resources if you have to.

There are some companies who are doing this already (or soon), like Citrix, desktopsites, etc.

With one of these types of solutions in place, there is no ownership issue because the corporation gets to secure its data, and the user gets to use the device for personal use as well.

Security issues solved, user revolt averted. Sounds like a good day to me.



When I look at BYOD, it is not only the freedom with the device, it is besides the ownership also the choice. So choosing your own device will help to get users to be more involved/attached to their device.

I think a higher percentage of users:

- will try to understand the device better and even go so far as RTFM, which will lighten the burden on your service desk.

- will solve their own problems with the device, which also results in less strain on your support desk.

- will use the device more intensively resulting in higher productivity (although marginal).

- will keep a closer eye on their device, resulting in less loss and damage to the devices.

Though these differences will probably not be shocking compared to users with company owned devices, just a higher percentage of users.


@Jack - I think your article is spot on, but unfortunately for a variety of reasons, including great marketing, many IT executives believe MDM is their panacea to their BYOD mobility challenges.

I recently started my blog partly to help people understand that the approach to an effective BYOD program that meets the organisation's security needs, and the device owner's rights and desire to use their device however they see fit when it comes to personal use, needs to follow three principles.

1. Secure corporate data at rest and in transit using encryption

2. Prevent corporate data leaking to consumer apps and web services that are outside your sphere of visibility and control

3. Enforce strong authentication for access to corporate apps and data, with complex passwords at an app level, and possibly multi-factor where relevant.

I'm encouraged to see more and more folks starting to understand that MDM - whilst it can offer value for certain mobility use cases - is not the answer to BYOD.

I've recently found your blog but expect I'll become a regular reader. Thanks for a great post.

@the_kano -

HTML5 still has three issues in my mind. 1. User experience is not as good as a native app. I am confident this will be addressed over time. 2. App-to-app integration just can't happen; moving data from one app to the next just is not there yet. 3. As you mention, no offline access (but this will become less and less of an issue).

And re 'get everything through the browser' - there are still significant security risks to be addressed. If the device you're using has a screen capture or key logger running in the background, you could run into some serious trouble. Not so likely in the controlled ecosystem of iOS, but more and more a risk on Android and Windows.

Funny that this still applies in 2017.