Making BYOD work

A Bring Your Own Device policy isn't so much a choice these days as a necessity for many companies it's the only realistic response to the ongoing consumerisation of IT. Implementing one can make a company more flexible, and bring all kinds of benefits to an organisation. There's the obvious reduction in hardware costs, but also the productivity gains you see when your employees use devices and apps they're familiar with, and have made personal investments in. Adopting BYOD can also help the people within a company access company resources at any time and from anywhere, giving the freedom they need to make things happen even when they're away from their desk. It can help them work the way they want to work and that's often good for the business as a whole.

Of course there are downsides. Security is the most obvious concern, as it's a lot harder to implement robust security on a device owned by an individual than it is on one provided by the business. What's more, BYOD has a nasty habit of making it easier for employees to take poorly protected and sensitive data out of the office. BYOD can result in lower hardware costs, but it can also increase the burden and expense of administration. Suddenly you're supporting more devices with less upfront control, and they might not all work with the same management tools. Think managing a fleet of Windows laptops is hard? Now imagine a constantly changing mob of Windows, iOS and Android smartphones, Ultrabooks and tablets.

It's a challenge. Do too little, and you have major risks on your hands. Do too much, and the policy will fail. Gartner estimates that by 2016, 20% of enterprise BYOD projects will fail because administrators have deployed mobile device management measures that are too restrictive.

What, then, can you do? How do you design and implement a BYOD policy that works? Basically, it comes down to finding a balance between flexibility, support, security and management. Get it right and you'll give your workers what they want without driving your IT manager into an early grave.

1) Do your homework

Before you start to roll-out BYOD, try to work out the roles or user-cases that fit your company. Determine which network resources each role needs, and which devices or apps you may need to support to help them do their job. Define your roles and ensure that all employees in the organisation fit into one of them, and it becomes a lot easier to work out who should get access to what, and what devices and apps you'll allow within the company, and which you won't.

2) Prepare your infrastructure

Adopting BYOD might increase the demands on your network and infrastructure. Do you have ample wireless connectivity in the office? Do you have printers that will work with a wide range of devices? Do they support Wi-Fi Direct communications, cloud-based printing and NFC, or do you need to make extra provision? How are you going to keep any apps or data stored on these devices backed up? This preparation even comes down to support. Do you have in-house expertise for iOS and/or Android, or do you need to invest in consultancy or training?

Most importantly, you need to decide upfront how you're going to store and separate business as opposed to personal data. Will you keep business data on the device, or on local servers, or in the cloud? Is there some way you can containerize it, so that it's clear what is personal data and what is not? Should you think about using cloud-based applications or virtual desktop infrastructure (VDI) to control where any data resides? If you're thinking of moving to a cloud-based IT strategy, then a move to BYOD can often work hand-in-hand with that.

3) Define how things are going to work

Your policy needs to be available to employees, and it needs to set the ground rules down as clearly as possible. You need to define what devices you will permit on the network, and which you won't. You might decide that iPads and iPhones, Windows 8 tablets and specific Android devices are acceptable, but not specific makes or models where you feel support will be too challenging or put security at risk. You might put in mandatory requirements on operating systems and updates, and if you're sensible you'll refuse to allow rooted or jailbroken devices on the network.

You also need to define acceptable use policies, so that users know that if they're using network resources, certain behaviour or material will be unacceptable, and so that everyone is aware what the consequences might be, both for them and for the company. You should also be clear about who will pay for what. Will you cover call costs or data costs during working hours? Run this stuff past your legal team or HR if you need guidance or clarification.

4) Think about setup, exit and apps

You also need to think carefully about how you'll handle the introduction of new devices to the network. You may want to physically inspect new devices, check security, restrict network passkeys to the IT team and even install mobile device management, security or line-of-business apps. If users are unwilling to accept these measures, then you should be unwilling to allow their devices on the network.

You should also define what apps or what classes of apps will be permissible or blacklisted, and you may even want to setup a company portal or app store where users can find and download business-focused apps. Finally, you need to define and agree in advance what will happen when a user leaves the company. What measures will you take to block future access to the network or resources? Can you reset or wipe their personal device if you need to?

5) Enforce security

Security is even more critical on a personally-owned, mobile device than on the average laptop, so you need to define a stringent policy. Make it clear that non password-protected smartphones and tablets will not be acceptable, and define the kind of security measures they need to take passwords, pin-codes or face recognition and any requirements for these. Any business should have a strong password policy in place, and this needn't be much different for smartphones or tablets as for PCs and other devices. You might also want to enforce the encryption of any work-related data stored on the device, and you may want mandatory installation of mobile device management software, so that the IT team can lock or wipe a device remotely if it's lost or stolen.

6) Clarify what you will and won't support

BYOD can bring added burdens for IT support, so it's a good idea to define upfront what aspects of the hardware, software and apps you'll support and which you won't. Will you provide any hardware support? Will you provide loan devices while a personal device is being repaired or serviced? If you're going to adopt BYOD, you and your employees need to know.

7) Whitelist and Blacklist Cloud Services

The temptation with BYOD is always for users to adopt apps and services without checking-in first. One minute you have everything protected and backed-up on on-premises equipment, the next they're sucking corporate email into Google Mail, storing and sharing files on a personal Dropbox account and hosting meeting notes on Evernote. You need to make it clear what apps and services particularly those that use cloud-storage are acceptable and which are not, and if you're smart you'll keep data away from any personal accounts, and provide company-owned and managed services instead. Dropbox, Google, Microsoft, Box.com and others all provide manageable, secure and business-focused cloud services, though there is some onus on you to ensure that using these complies with EU data protection laws. Give your users something they can use, and you'll stop them from using something worse.

8) Monitor and Manage

Monitoring and management is everything. You need policies or tools that can tell you exactly which employees are using the network, what devices they're using and what they're trying to do. You need security policies that raise alarms should someone go off-piste, and you need strategies and tools in-place to check it doesn't happen in the first place. Most importantly, you need good, centralised, cross-platform management tools in place, and preferably tools that can cope with different operating systems or platforms. For small businesses, this could be something as simple as mobile management software and existing Windows tools. Larger enterprises, meanwhile, might look at integrated solutions such as HP's own BYOD Solution, based on the company's Intelligent Management Centre software.

These are sensible cornerstones for a BYOD policy, but there may be other issues that you or your business need to consider. Luckily, there are templates available (you can Google them and find them online) and you can also find advice in the published policies of some organisations, from Fortune 1000 companies to UK public services to The White House.

For more advice on transforming your business, visit HP BusinessNow

Stuart Andrews

Stuart has been writing about technology for over 25 years, focusing on PC hardware, enterprise technology, education tech, cloud services and video games. Along the way he’s worked extensively with Windows, MacOS, Linux, Android and Chrome OS devices, and tested everything from laptops to laser printers, graphics cards to gaming headsets.

He’s then written about all this stuff – and more – for outlets, including PC Pro, IT Pro, Expert Reviews and The Sunday Times. He’s also written and edited books on Windows, video games and Scratch programming for younger coders. When he’s not fiddling with tech or playing games, you’ll find him working in the garden, walking, reading or watching films.

You can follow Stuart on Twitter at @SATAndrews