22
Wed, May
2 New Articles

Key Considerations for Establishing a BYOD Policy

Mobile - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Bring Your Own Device is considered a lower-cost way to equip employees with mobile devices for business. Before you go that route, there are numerous issues of which to be aware.

The proliferation of mobile devices is transforming the way we live our lives and, similarly, the way we do business. Mobile devices can make employees more productive and more motivated, as well as help streamline many routine business operations.

It's generally accepted that there are three ways any enterprise can approach mobile devices: ignore them and endure the risks of employees using them clandestinely, bite the budgetary bullet and equip anyone who needs one as a means of controlling device use as much as possible, or the "compromise" position of adopting a Bring Your Own Device (BYOD) policy. Particularly for smaller companies, BYOD can reduce costs by letting each employee use their device of choice (although it's wise to limit the choice to a select list), and there are numerous other benefits.

However, rather than debating the pros and cons of each approach, let's assume your enterprise has decided on BYOD. To make the advantages outweigh the risks, the experience of early adopters of BYOD has shown it's best to establish a strong and comprehensive policy from the outset, train all staff in the policy's use and implications, and enforce the rules once you've formulated them.

Getting Ready for BYOD

Before you start that, you should first assess the size of the task. Is your corporate culture ready for using mobile devices and adapting to the blurring between work and home life that will inevitably follow? How open are your employees to a BYOD policy?

You should lay the groundwork for such a policy by being completely clear about its implications. Begin by deciding which employees really need mobile devices to better perform their jobs. Document the present workflow between those employees. Understand whether there are any regulatory rules for your kind of business (e.g., GLBA, HIPAA, PCI-DSS) or the corporate roles of those using the mobile devices (e.g., SEC). Think about what apps these employees will need to access, how well they follow rules right now, and how difficult it might be to support those who might frequently be on the road.

Be aware that the federal Fair Labor Standards Act, employment laws in your state, and other legal considerations might come into play. For example, non-exempt employees checking email after hours can qualify as overtime. Consider not letting exempt employees access company services after hours. Suppose your company is involved in litigation. If there are electronic discovery requests, that could affect files stored on employee devices.

Next, decide what your IT department policies about BYOD are going to be. How responsible for maintaining and supporting employee-owned devices is your IT department is going to be? When employees have a hardware or software problem at the office, it'll be the course of least resistance to turn to IT. If the answer is "not much," what's your official attitude going to be if an employee is gone for several business hours consulting with his or her personal provider? Will IT troubleshooting extend to personal apps if their malfunction is preventing use of the device for business purposes? Will you offer loaner devices if a BYOD is out of commission?

What BYOD devices will be allowed? What configurations will be permitted? Should certain corporate apps be placed out-of-bounds for remote device access because of potential (e.g., iOS) porting security or wireless downloading limitations?

It would be ideal to handle device or application connectivity through a VPN, which gives IT control over access. (The last thing anyone wants is a BYOD user accessing company files from an unsecured WiFi hot spot at an airport coffee shop.) Is that an option?

Decide how you will handle device OS upgrades, which can be frequent. (Ignoring them really isn't a good idea because updates include security patches and other improvements.) If you want to export specific enterprise apps to mobile devices, or update them, IT needs a way to do it that involves as little employee participation as possible to ensure that function actually takes place today (instead of falling victim to busy employee intentions to do it "tomorrow").

What About Security?

What security policies will you require? Antivirus software for each device, surely. Two-factor authentication? Strong passwords? Periodic password changes? Early BYOD adopters learned that complex passwords are trouble, so think about a four-digit PIN for accessing the device itself (requiring re-entry if the device is inactive for a set period, say five or ten minutes) and a more complex password for accessing data. Employees should also be required to encrypt company data stored on a device in case of unauthorized access. Prohibit offline access to highly sensitive or secure docs because downloading them to a device risks hacking or other intrusions. You'll also need a way to back up employee-generated files and data from remote devices.

Part of adopting a BYOD policy will include the need to reassure employees that the company won't somehow access their personal data, which could include personal emails and messages, photos, usernames and passwords for non-business activity, personal contacts, financial data, and medical information. But then, what happens if a device gets stolen or destroyed? The company will need a remote wipe or disable capability, but the downside of that is using it will wipe out employee personal data as well. Employees must understand this potential, and they should be trained in how to back up personal data and apps so they're not lost if the device has a catastrophic problem.

The most common answer to this particular difficulty is partitioning, sometimes also called containerization. The idea is to set up two partitions on the mobile device, one for business, another for personal. Then, if the need for deletion arises (the above situations, or the employee leaves the organization), just the business partition contents can be wiped out.

Speaking of departing employees, there should be a policy and operational checklist established for that eventuality. This should include removing network access, disabling email, and removing company files from a device.

There are software packages that can help with many of the challenges just outlined. Various flavors include enterprise mobility management (EMM), mobility device management (MDM), mobile application management (MAM), and mobile content management (MCM) software packages. EMM and MDM products generally offer the administrative tools like partitioning, remote wiping, encryption, and connectivity controls that deal with the challenges stated above, plus features like logging suspicious events. MAMs can encrypt apps and data before they're broadcast to devices and also let IT whitelist (i.e., make a list of the only approved URLs a device may access) or blacklist (i.e., make a list of forbidden URLs, but good luck thinking of them all). MCMs let the enterprise push apps and data to devices without employee participation and can let employees store data on their devices with authentication access. It's beyond the scope of this article to go into more detail, but there are numerous products in all these categories that can cure these and other administrative headaches. Individual products may include features from any of these categories. Other tools, like Google Apps, can control which devices can access email and limit what a particular device can do.

What you shouldn't do is install on employee devices an agent that monitors all communications because this is probably a violation of federal wiretapping laws. Found so last year by the U.S. Sixth Circuit Appeals Court, the present ruling says injured employees can sue both their employer and the maker of the software. While this may one day be overturned, do you really want to be the test case for your circuit? Don’t do this; instead, use agentless options for BYODs.

What about consultants? Intellectual property created by them doesn't belong to the employer the way work created by a direct employee traditionally does, so consultant contracts will need to address this issue if the consultants are going to be BYODing.

Will there be an employee reimbursement for BYOD devices to cover part of the device cost or monthly data charges? Industry practice varies widely—some companies offering this, some not, and some allowing those costs to be expensed rather than directly reimbursed.

Don't forget to include mobile devices in your periodic testing of business continuity plans.

And finally, it's a good idea to require periodic reauthorization of all mobile-device users.

Writing the Employee Rulebook

So now you're finally ready to write the formal rules for employees to follow. This will bring you up against a sticky paradox. On the one hand, the policies should address every point mentioned in this article that you feel is pertinent to your enterprise. On the other, experience with early BYOD adopters shows that policies need to be as simple as possible; otherwise, employees won't follow them. Worse yet, you have to try to anticipate as many scenarios as you can so you don't later have to take away what employees will have come to view as privileges.

Another important concept to understand is that it's going to be the employees themselves who will be the prime enforcers of BYOD policy, not the IT department or line managers. Therefore, the staff must understand the rules, specifically be trained in them, and sign a document that states that they acknowledge them. Maintaining a Q&A about policy on the company intranet is recommended as new situations arise that need clarification.

Enterprises should consider having the rules include acceptable-use policies, forbidden actions, and even some common-sense admonishments. Customized rogue devices can load malware and should be banned. Forbid texting while driving. Device losses must be reported as soon as possible. If you are using administrative software that includes a device locator, employees should be told that their whereabouts can be scoped.

How explicit do you want to be about accessing games, Facebook, and recreational websites? What if employees illegally download pirated music or movies? What if they transmit sensitive or inappropriate material, even inadvertently?

What are the consequences for violating these policies? Do there need to be different consequences for different types and levels of violations? These should be spelled out rather than left for judgement after the fact.

Early on, IT should audit mobile-device activity carefully to watch for non-compliance, and you should commit to re-evaluating procedures every 6-12 months. It's just a plain fact that with mobile technology morphing as fast as it is, and user savvy with it, a "set-it-and-forget-it" BYOD policy could become as obsolete as Barack Obama's Blackberry before you know it.

Moving Forward

While there appear to be many pitfalls, BYOD is a viable policy that can save enterprises significant money in the long run. It's just a matter of being smart about setting up policies and procedures in advance and sticking to them.

The following links offer a few templates for setting up policy rulebooks and similar documents, including one from IBM, which can give you some models for getting started.

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$0.00 Raised:
$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: