BYOD Advice

brokenarrow03

[H]ard|Gawd
Joined
Nov 20, 2007
Messages
1,655
We are looking down the bring your own device path in addition to giving some of our users a corporate phone. We have decided since we already have a Blackberry Enterprise server we are going to continue to issue Blackberries to those that want a "corporate provided" phone, but want to have the ability to let people use their Android and iOS devices if they want to have email but would rather have their own plan and phone.

Our issue is that we are having a little problem developing a policy that addresses acceptable use, phone requirements, liability, and security requirements on the phone before we will deploy your email, contacts, and apps to your personal device.

Does anyone care to share what they have for a "legal agreement" between users and corporate that addresses this? We are basically looking for a jumping-off point and are interested in seeing what is out there. Also, if you have any products you might recommend. We have looked into GOOD, but have not set up a demo. We are "demoing" the ActiveSync function that Exchange provides for myself and a few other IT people.

Any help is appreciated!!
 
The last two companies I have worked for both used the ActiveSync function for Exchange. The only agreement we had with end users is that if for any reason they are no longer with the company, their phone will be wiped. But of course, if anyone removes the SSL connection before departure, we can no longer wipe their phone.
 
In BYOD scenarios, it can be common to have an agreement that you can use activesync to nuke the device from orbit, but there's also a TON of other considerations with regards to the security of the devices. I'm not sure what industry you're in, but BYOD is a royal pain in the rear for most.

Overall considerations -

Rooted/jailbroken phones
Encryption at rest
Cloud backup
Data leakage
Password controls

Right now, there's not a great all-in-one solution to address mobile security. There are dozens of vendors with dozens of products that do many different things, but none of them are comprehensive at this point. Your best bet would be to start with your policy and compliance requirements with regards to data that would be accessed via BYOD phones, then determine what level of protection the data would require and shop for products accordingly. If you just go product shopping, you'll end up buying something that doesn't give you the coverage that you need.
 
BYOD only works when you clearly understand what you want to give access to.

If your first step is to offer them their Exchange account then Activesync will cover you for most of what you want to do. You can remotely wipe devices and also require them to have an unlock PIN and require the unlock PIN to be changed whenever needed.

With that in mind it's then about education, telling employees what they have a choice of doing and making them aware of remote wipe capabilities and when you would implement that.
 
I implement BYOD for several small businesses and just use ActiveSync to enforce security and remote wipe. If the user has me configure the phone, I verbally warn them the capacity exists to remote-wipe the phone. I leave it up to the employer to create, disseminate and enforce policy; I only provide the tools.
 

ActiveSync is a good start with regards to lost devices, etc. However, it doesn't give you any control over the content once it reaches the device. Also, last I checked, if the device doesn't support certain ActiveSync features (i.e. password lock, encryption, etc.), then it won't prevent the device from getting company data.

It also doesn't give you control or any assurance over content that gets downloaded to the device. Let's say you have an email that has HIPAA, PCI or MA resident PII data in it; it gets downloaded to the device, saved, opened as an attachment, and then gets whisked away to iCloud on Apple's servers (or Box.net, Dropbox, whatever). At that point, you've got an unintentional leak of data to a third party, which constitutes a security breach by definition. Automated backups can accomplish the same thing: back up your iPhone through iTunes to your computer, and you've got that data sitting unencrypted and likely unsecured on that person's home computer, regardless of the controls you have in place on the device.
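As an added example (not code from the thread or from any of the posters), here is how the ActiveSync controls mentioned above (remote wipe, required PIN, PIN change) and the caveat about devices that don't support the policy map onto an Exchange 2010 ActiveSync mailbox policy in the Exchange Management Shell. The policy names, the mailbox alias jdoe and the device identity are constructed placeholders; the cmdlets and parameters are the Exchange 2010 ones. The setting that decides whether a non-compliant phone still gets mail is AllowNonProvisionableDevices, shown first in its weak form and then in the hardened policy.

```powershell
# Added example, not from the thread. Placeholders: policy names, alias "jdoe".

# Weak policy: PIN required on paper, but AllowNonProvisionableDevices $true
# lets a phone that cannot honour the PIN/encryption settings sync anyway.
New-ActiveSyncMailboxPolicy -Name "BYOD-Lax" `
    -DevicePasswordEnabled $true `
    -AllowNonProvisionableDevices $true

# Hardened policy: non-trivial PIN, auto-lock after inactivity, local wipe
# after repeated bad PINs, periodic PIN change, encryption at rest, and
# devices that cannot apply the whole policy are refused a sync partnership.
New-ActiveSyncMailboxPolicy -Name "BYOD-Strict" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the strict policy to a BYOD user's mailbox (alias is a placeholder).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Strict"

# Check which devices are partnered with that mailbox and when each one last
# synced and last applied the policy; a stale LastPolicyUpdateTime is the
# thing to look for when a phone has not picked up the new settings.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DeviceID,
                  LastSyncAttemptTime, LastPolicyUpdateTime, IsRemoteWipeSupported

# Remote wipe on departure or loss: queues a wipe for every device partnered
# with the mailbox. The phone only receives it at its next sync, so a device
# whose account was already removed (as noted earlier in the thread) never
# picks it up; the DeviceWipeAckTime in the statistics confirms completion.
Get-ActiveSyncDevice -Mailbox "jdoe" | Clear-ActiveSyncDevice -Confirm:$false
```

The policy only governs what the device reports and enforces on itself; once mail has been synced, the attachment, cloud-backup and iTunes-backup paths described above are outside ActiveSync's reach, which is the gap the MDM products later in the thread are meant to fill.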
 

You need to look at your own requirements and understand what the products can do, yes. Email should not contain confidential information in the first place, although it can be argued that users on the same Exchange server are okay to send content to each other. IT will (should) already be aware if they are using email in this manner.
 
Thank you for the insight. We are looking into the GOOD type product. Anything else like GOOD out there?
 
AirWatch, MobileIron, Boxtone are all good enterprise MDM solutions. I did a 5,000 device AirWatch implementation recently, with a pretty good mix of iOS, Android, and WP7, and it is a great value, especially if you use their SaaS model.
 

MobileIron addresses all of those issues you mentioned.
 