So, you want to adopt BYOD?

Bring Your Own Device (BYOD) is the current hot trend. (And has been for a while, really.) There are many perceived advantages for a company that allows employees to bring their own devices to work and have access to your company resources, but is BYOD right for you? Can you make mistakes when developing your BYOD policies? Can you really let any device connect to your resources?

Let's look at a few top issues that you should be aware of.

What devices should your BYOD policy include?

BYOD used to mean Bring Your Own (Smartphone or Tablet) Device. The BYOD movement started through the failure of BlackBerry to keep up with Apple and Google as they began to dominate and revolutionize the mobile landscape with more capable devices that had much faster CPUs, more memory, larger screens, and desktop web browsing capabilities.

BYOD has now morphed into Bring Your Own (Smartphone, Tablet, or Laptop) Device. But what devices do you want your BYOD policy to include? Do you want to limit it to smartphones and tablets, or do you want to include laptops?

Which smartphones and tablets should you allow?

Today the market is awash with smartphone and tablet choices from Apple, Google, Nokia, Microsoft, Samsung, HTC, Motorola, LG, and even Amazon — to name but a few manufacturers. If you adopt a BYOD policy that includes smartphones and tablets, can you really allow your employees to bring in any device they want, and expect that the device is secure enough?

The answer is no, not all mobile devices can be secured to the same level. (Nor should you ever assume an employee's home device is safe.)

Apple leads in the enterprise because it has built strong and flexible APIs since 2010 (starting with iOS 4.0) that allow Mobile Device Management (MDM) vendors to tightly secure, control, restrict, and monitor iOS devices. Those controls have improved greatly with iOS 7. Google’s Android mobile operating system is not as popular in enterprise because Android does not provide many built-in controls and is perceived as insecure — even though that isn't really the case.

Vendors like Samsung have made radical additions to Android to try to make it more secure. For example, some Samsung devices support Samsung Approved For The Enterprise (SAFE) and Samsung Knox, which allow controls similar to those found in iOS. Windows Phone and Windows RT tablets presently lack the kind of secure compartmentalization that is available on iOS and Samsung devices.

So as you think about which devices you should allow, you need to consider how each can be secured. You can either limit the device choice to iOS and a limited selection of Android and Windows Phone/Windows RT devices, or you could use a method of device security called Containerization that we discuss in its own section below.


Will you allow laptops?

If you allow your employees to bring their personal laptops, which ones will you allow, and how will you ensure that they are secure? Some MDM vendors do offer laptop management, but you may choose to use virtual machines instead. Virtual machines allow you to create a “company secure build” of Windows, and have that virtual machine run on personal Windows, Mac OSX, and Linux laptops.

Mobile Device Management (MDM) or Containerization?

The traditional method of securing smartphone and tablet devices is to use MDM. This allows the IT staff to have full control over the entire mobile device if they decide to, or only control the company data and apps.

Your employees may not appreciate that you have full control over their mobile devices, even if you have chosen not to exercise that power. Your employees may prefer that you only have control over part of their device, leaving their personal data alone.

Containerization (also known as Dual Persona) is the solution for two issues. The first issue is that of providing the same security policy across all smartphones and tablets no matter what operating system they are running. The second issue is that of personal and company separation.

By keeping your company email, contacts, calendar, and apps in a separate, secure, encrypted container on the smartphone and/or tablet, you have no visibility into your employees' personal devices, apps, and data. You are limited to controlling only the container. Dual Persona is increasingly becoming the go-to choice for BYOD since it provides peace of mind, and truly separates personal and company data.

Bring Your Own App (BYOA)

BYOA is a movement that takes the popularity of containerization down to the app level. The idea is that you take your company's apps, wrap them in a secure container, and push them to your employees’ personal devices. You only have control over the app in the container, and not over any other part of the device. The app is secured in its container, and may have access to data behind your firewall via a secure connection from the container.

This truly separates corporate and personal data at the app level.

Monthly voice and data costs

When you allow your employees to use their own devices, you should consider whether you want to compensate them in some way. Do you want to take the approach that since they would be paying for voice and data anyway, you do not need to provide a monthly stipend? Some employees may argue that they pay for the voice minutes and data usage based on their personal use, and do not have unlimited data plans. In this situation, they could argue that their voice and data usage will increase when they start accessing company resources.

You need to decide whether to offer a monthly voice and/or data stipend, and how much to offer.

If employees need to travel internationally for work, how will you handle international voice and data rates?

Support costs

When you adopt a BYOD policy, you will need to decide whether you want to provide support for your employees, and how much support. Your employees may be bringing devices running multiple mobile operating systems (and in the case of Android, many variants of that operating system).

What type of support will you be offering through your help desk? How will you effectively train your support staff to deal with the device diversity, and will you need to hire more people to provide that support?

How do your current laptop security policies translate to mobile?

Most companies already have well-established security policies that they apply to company-provided laptops. These include password policies, hard disk encryption, two-factor authentication, limited web browsing, and blocking of external storage, to name a few.

While you may want to simply use those same policies on smartphones and tablets that access your resources, it may not be practical to do so. Some policies that work on laptops may not translate to mobile, and policies that do translate may be too invasive or limiting. Plan on using a subset of your current endpoint policies for mobile.

Nobody ever said BYOD would be easy

As you can see, creating a BYOD policy encompasses many different areas, and there are many decisions to be made so that your BYOD policy does not fail. Making it too restrictive or intrusive could lead to rebellion by your employees. Making it too relaxed could lead to exposed company data or data leakage. Not accounting for all variables could actually lead to an increase in cost, instead of the decrease you were hoping for.

BYOD has benefits and detractions that you need to weigh when considering implementing it for your business. But done right, the benefits can far outweigh the costs.

Craig Johnston

Craig Johnston is a Mobile Strategist at NTT DATA and has been designing and managing large scale enterprise networks since 1989, including massive BlackBerry, iPhone, and iPad deployments in Fortune 500 companies. An avid podcaster and writer, you can find his books on Amazon and follow him on Twitter @ibanyan.

  • I'm sure it's a great article but lost me when you said "Apple leads in the enterprise because". Maybe you mention BES10 or BB10 somewhere later in the article but to start off with that comment makes me want to skip to the next article.
  • You are right my friend. Posted via the Android iMore App!
  • My job is a mobile strategist and I speak to companies of all sizes (and government agencies), and they are all migrating away from BlackBerry to something else. One could argue that the whole BYOD movement was sparked by this trend. BlackBerry is trying hard to fix this and BES10 is their answer, however (and again this is from real world experience), it doesn't match up to MobileIron, AirWatch, and the other big players in this space. So when we discuss BYOD, we have to be realistic. Realistically, BES10 is not a big player in the BYOD space, and neither is BB10.
  • BES has more customers than MobileIron, Good and AirWatch combined.
  • You may be correct, but these are BES installations that have been there for a decade or so. While they are still there, most companies I talk to are migrating away from BES slowly. So imagine that a company has decided to adopt BYOD and have deployed MobileIron. Presumably all of the BlackBerrys have 2 year contracts. It would then take about 2 years to migrate each BlackBerry user to iOS, Android, or Windows Phone at the end of their 2 year contract. My point is that in a couple of years, the number of BES-supported BlackBerrys will be inverse to the number of MobileIron-supported users.
  • You might be right since BES now supports managing Apple and Android devices. If you think there are more BB's used for business now than there are Apple, Android or Windows devices then you need to go back to your sources and demand new numbers.
  • Are you talking functionality or popularity? I do realize BlackBerry is in trouble but go and compare BES10 to other MDM solutions and see how it stacks up. Don't forget, in the real world, companies still use BlackBerry's.
  • Yes, companies do still use BlackBerry and BES 5. Some companies have even decided to use BES10 and BB10. But the vast majority of companies are migrating to iOS/Android/Windows Phone and so the current BES installations are seeing usage reduce as users are migrated off BES. On the BYOD front however, BES10 is nowhere near as feature rich as MobileIron, AirWatch, and others. If a client came to me and said that they wanted to allow iOS and Android devices using a BYOD policy, I couldn't recommend BES10. If they wanted to support Windows Phone, it would be impossible to recommend BES10.
  • Craig, I completely agree with what you said, and Ospost and subsequently Sager-Naji didn't read the article very well. RIM, now Blackberry, dropped the ball in 2007 and the constant delays of BES 10 didn't help their cause. BES 10 is a really good MDM and it is multi-platform. These two individuals seem to have missed that. Apple has taken the Mobile Enterprise very seriously with iOS. I don't disagree that the Blackberry has some really great features with BES 10 and the newer devices that are running Blackberry 10 but sadly they missed the boat. Now it is all about the Value Added Developers that are writing applications and Blackberry just doesn't have them. Matter of fact, I would argue that they are in fourth place in this arena behind Windows Phone. Another MDM to look into is XenMobile from Citrix. They used to be Zenprise until Citrix purchased them. I did an eval of AirWatch, MobileIron and Zenprise back in 2011 early 2012. Airwatch could get their product to even work in my environment, MobileIron didn't have some of the features that I wanted. Zenprise did the best and had great support. Not sure about them now that they are Citrix.
  • This is a great article. This has to be shared with IT departments. Sent from the iMore App
  • Great article. BYOD has been a hot topic for a while now. BYOD has morphed to have many different forms. I'm always interested to speak with people/companies who have adopted this. In my experience many have considered BYOD but very few have gone that route. Sent from the iMore App
  • My company use mobile iron for iPhones. But they want us to disable features like Siri, no access to control centre unless authenticated, no fingerprint scan. Without these useful features that I use everyday my iPhone 5s becomes an iPhone 3. So it's not an attractive proposition. Sent from the iMore App