Post edited 11:51 am – August 2, 2011 by Joe Pappano

Traditionally, IT only supported corporate-liable devices, which are mobile devices where the company pays for the device and its associated monthly plan. To manage support costs and telecom expense, corporate-liable devices were only given to a small percentage of the workforce. Companies also prohibited the use of personal devices to minimize security risks. But while many companies have a policy prohibiting access to company data on personal

devices, employees-owned smartphones  and tablets are making inroads into the company regardless of IT’s policy. Even if IT diligently secures access to email and business applications, employees are working around these restrictions by forwarding email to their personal email accounts. The growing popularity of smartphones and tablets such as the iPad means IT can’t ignore the issue any longer. A company can either choose a restrictive policy that creates opportunity for a security breach or it can put in place policies and controls that allow IT to embrace employee-owned smartphones, tablets and other upcoming devices.

Many firms already have policies and management procedures to support corporate-liable devices, however these policies need to be revised to account for employee-owned mobile devices. While there are numerous areas in a mobile policy, the inclusion of employee-owned devices changes at least 10 sections of a company’s security and management policy. When building or revising a mobile policy, IT's policy should including the following:

1.  Who is eligible?

What type of employees can access the company’s network (e.g., certain job titles, roles, etc.)?

2.  What data and services can be accessed?

Should the company allow employee-owned devices to access email, a subset of business applications, all mobile available applications or only business applications that are web-enabled?

3.  How will apps and services be delivered?

Does the solution require a desktop client to deliver applications or will apps be downloaded from a site? Can IT push applications to the device over the air? 

4.  What does the company pay for?

Will the company reimburse 100% of the monthly cost, a fixed stipend, the cost of the data plan or a percentage of the voice and data plan?

5.  Which operating systems and devices?

How many platforms will IT support (e.g., Android, Bada, iPhone OS, Linux, Meego, RIM, Symbian, Windows Mobile, etc.)?

6.  How is the device secured?

What security measures will be enforced on employee-owned devices (i.e., passwords, device encryption, remote lock, wipe, etc.)?

7.  How is the device managed?

Will the device be maintained over the air or via syncing with a desktop or web app?

8.  What support is provided?

Will IT assist in the first time device set-up? Will IT provide first or second tier support?

9.  What are the privacy issues?

Is the employee’s data private? What is the treatment of an employees data (i.e., is it stored? How can it be used? etc.)?

10.  What are the legal concerns?

Is use of a personal phone by non-exempt employees considered overtime? What is my responsibility as a corporation if I discover illegal activity?

In my discussions with CIOs and IT managers, they listed increased security risks and support costs as a key concern with enabling employee-owned mobility. Both are valid concerns. IT leaders tell me it isn’t the increase in the volume of users that troubled the staff but it was the variety of platforms that need to be supported which worries IT.

In my opinion, IT must secure and manage employee-owned devices in the same manner that it would a corporate-liable device. This may require the addition of third-party software to deal with all the various operating systems or working it may require working managed service provider for mobility management. Some companies I spoke with use a combination of solutions and services. As I mentioned in the last post, enterprise mobility management includes at least four categories:

1) An easy way to provisioning users

2) A simple way to distribute updates

3) Troubleshooting tools that tell IT if the problem is a device or network-related issue

4) Basic security such as password enforcement, remote lock, and remote wipe

I would also add a fifth category, which is mobile inventory, usage and expense management.

To take advantage of an employee’s desire to bring their own devices into the office, IT should revise its mobile policy, assess the strengths and weaknesses of each mobile operating system and define a set of approved devices. Once this is done, IT will need to add mobility management solutions that provide security, over the air maintenance and management as well as expense management. These solutions will help reduce support costs and will improve IT service quality. The mobile market will continue to be a complex, rapidly evolving landscape. IT needs to provide a foundation for success through dynamic policies and mobility management solutions that can shift to meet these ever changing requirements. In my next post (part 3), we’ll discuss securing the mobile enterprise.  Until then…all the best!

Read Part 3: Mobile Security: Tips on what should you be looking for…

Evaluate MaaS360 for Mobile Devices