Discussion in 'Business & Enterprise Computing' started by j3ll0, Aug 8, 2010.
Might as well not buy them in that case
We had been looking at this for my environment to manage the Macs on site as well as the iPads, but decided not to go with it at the moment. Personally I think MDMs only work well in an environment where you control the app development, as without VPP in Australia, deploying paid apps from the App Store is a big pain, especially if you're trying to meet licensing.
Using Sophos Mobile Control. Basically you set rules to access email, apps etc. that are business related; once a device is jailbroken or something is installed which I have defined as a problem, the Exchange settings are wiped/stop working.
For business-supplied devices I have it set stronger so all they can do is business-related work: emails. I can choose if they can go to the App Store, and even upload apps to the device.
Has anyone used an MDM in a BYOD type situation? What kind of restrictions do you place on personal devices for security?
I'm working through some sort of policy at the moment. Ideally the main thing we'd want to ensure is that the user's device, being an iPad/iPhone, would be secured with a password and that it can't be removed. We'd also want to be able to remove the Exchange email account via the MDM and "unmanage" it once they have left the business, to purge any emails on the device.
Is this kind of solution possible?
Yes, you can create configuration profiles (via iPhone Configuration Utility, MDM, etc.) that include connectivity information (VPN, email, wifi, whatever, password policies etc.). You set this profile to be user-deletable. Then you tell users that if they want to BYOD and use it for work purposes, they must install this configuration profile.
Once it's installed, they can then access work email or whatever. But if they remove it, they can't any more. They can remove it at any time, but once they do, so goes the VPN/wifi, email passwords or whatever secure information that was required for connecting to work resources.
If you use an MDM, you can also remove it remotely.
Basically, you want to think about setting up a BYOD policy that says, "if you want to use your own device, it's your own problem and we won't support it, AND you have to install this profile which will harden (tighten up, make more secure) your device."
Note though that BYOD does not mean lower costs to the business, as it increases risk and manageability issues which, regardless of whether you really want to support them or not, increase your IT workload.
This is the point I make yet people still push the idea. I just don't get it...
BYOD = less CAPEX, more OPEX... accounts seem to like the idea...
Administrators not so much. It has its place, and in mobile devices I think it's valid, especially when setting up an MDM solution is relatively simple and low cost in the grand scheme.
Yeah but what's the point of a BYOD system if it has to be one of a group of devices, has to be locked down etc. Might as well just deploy them via the IT department and save the time. Give people the option of an android or iOS or Win7 device if you desire.
Sure it saves money out of one cost centre, but it ends up costing more in another. False economy IMO. Problem is that it 'looks' like it's saving money.
Anyway sorry I'm dragging this OT
At this point staff just want access to their emails from their personal smartphone. These are staff that don't have company-supplied devices. They're not looking to claim back against the company for costs incurred. They just want the "privilege" of having access from their devices to their work email.
Fair enough then, not really BYOD though.
Not fully BYOD, but I still require some hardening of the security on their devices, ensuring they have passcodes enabled, have access to VPN etc.
Yeah, the place I'm at does Exchange on personal devices if they meet certain criteria: they have to be iOS on specific versions, have to have a passcode, have to have wipe after x failed attempts etc.
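The profile-based approach described a few posts up (a user-deletable configuration profile that bundles the passcode policy with the Exchange account, so removing the profile also removes the mailbox) and the criteria just listed (passcode required, wipe after x failed attempts) can be expressed as a single .mobileconfig. The following is an added example, not code from the thread or from any vendor: it builds such a profile with Python's plistlib and audits one for the weak settings a BYOD policy would reject. The organisation name, Exchange host, payload identifiers and the specific numbers (minimum length 6, wipe after 10 failures, 5-minute auto-lock) are assumptions for illustration; the payload keys are Apple's documented configuration profile keys.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) for BYOD mail access.

Added example; organisation, host and identifiers below are made up.
Payload keys follow Apple's Configuration Profile Reference; the policy
values are illustrative choices, not a recommendation for any site.
"""
import plistlib
import uuid

ORG = "Example Pty Ltd"          # hypothetical organisation
EAS_HOST = "mail.example.com"    # hypothetical Exchange ActiveSync host


def _base(payload_type, ident, name):
    """Keys that every payload dictionary must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": ORG,
    }


def passcode_payload(min_length=6, max_failed=10, max_inactivity=5):
    """Passcode policy: force a non-simple PIN, auto-lock, erase after N failures."""
    p = _base("com.apple.mobiledevice.passwordpolicy",
              "com.example.byod.passcode", "Passcode policy")
    p.update({
        "forcePIN": True,
        "allowSimple": False,              # no 1234 / repeating digits
        "minLength": min_length,
        "maxInactivity": max_inactivity,   # minutes before the device locks itself
        "maxFailedAttempts": max_failed,   # device erases itself after this many wrong codes
    })
    return p


def exchange_payload(email, username):
    """Exchange ActiveSync account; it and its mail go away when the profile is removed."""
    p = _base("com.apple.eas.account", "com.example.byod.exchange", "Work mail")
    p.update({
        "EmailAddress": email,
        "UserName": username,
        "Host": EAS_HOST,
        "SSL": True,
        "PreventMove": True,       # iOS 5+: no moving work mail into personal accounts
        "PreventAppSheet": True,   # iOS 5+: third-party apps cannot send from this account
    })
    return p


def build_profile(email, username, user_removable=True):
    """Top-level profile. user_removable=True is the BYOD case: the user may delete
    it at any time, but deleting it also removes the Exchange account and its data."""
    prof = _base("Configuration", "com.example.byod", "BYOD work access")
    prof["PayloadDescription"] = "Installs the passcode policy and work mail account."
    prof["PayloadRemovalDisallowed"] = not user_removable
    prof["PayloadContent"] = [passcode_payload(), exchange_payload(email, username)]
    return prof


def to_mobileconfig(profile):
    """Serialise to the XML plist that the device (or an MDM) installs."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data, byod=True):
    """Parse a .mobileconfig and list settings that fall short of a basic BYOD policy."""
    prof = plistlib.loads(data)
    findings = []
    by_type = {p.get("PayloadType"): p for p in prof.get("PayloadContent", [])}
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if not pw.get("forcePIN"):
            findings.append("passcode not required")
        if pw.get("allowSimple", True):        # Apple's default for allowSimple is true
            findings.append("simple passcodes allowed")
        if pw.get("minLength", 0) < 6:
            findings.append("minLength below 6")
        if "maxFailedAttempts" not in pw:
            findings.append("no wipe after failed attempts")
    eas = by_type.get("com.apple.eas.account")
    if eas is not None and not eas.get("SSL", False):
        findings.append("Exchange account without SSL")
    if byod and prof.get("PayloadRemovalDisallowed", False):
        findings.append("profile locked on a personal device")
    return findings


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile("jane@example.com", "jane"))
    open("byod.mobileconfig", "wb").write(blob)
    print("findings:", audit_profile(blob))
```

Note the deliberate choice of `PayloadRemovalDisallowed` false for a personal device: the control is not that the user cannot remove the profile, but that removing it takes the account, its mail and the VPN/wifi credentials with it. Locking the profile is the corporate-device setting, and the audit flags it as a finding when `byod=True`. Checking the iOS version mentioned in the criteria above is not something a configuration profile can do; that comes from an MDM device query or the ActiveSync device record.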
Too much effort, cbf
BYOD only really works if you commit to it fully. By this I mean:
Users need to understand the delineation between what's the employee's responsibility and what's IT's responsibility, which is simple: the device needs to be able to connect to the network/internet; everything up to here is the user's responsibility. The business simply delivers a virtual desktop for the user to use. If this doesn't work, then it's IT's fault.
I know this is a bit simplistic, but it needs to be that simple. It's the user's responsibility to maintain the device in good working order, so that it can connect to the network to receive the corporate config or virtual desktop.
Without those boundaries in place, you'll have a nightmare trying to manage users, expectations and service levels... not to mention pissing off your staff.
Which only applies in the scenario of a BYOD environment where users have to run a VM or remote into a server
My interpretation of 'true' BYOD is that the user's machine alone is used for everything, without VMs.
Still doesn't kill the inherent security risks and whatnot. Like I said though, different thread for this chat
Citrix Receiver is an app for iOS that delivers Citrix-hosted apps/desktops to the iOS device. These days it's not just VMs, and BYOD is not limited to the desktop paradigm any more. Regardless of the platform, it is important to know how to secure it.
Which is quite an outdated approach, especially with the popularity of 'mobility' devices such as tablets, etc.
Point being, if you're going to deploy a thin solution to a user's PC, this requires configuration anyway.
In fact it's impossible to have a BYOD setup without continued effort from IT to maintain the assets.
If you can mitigate the security risks this entails, give the users an incentive to purchase their own machines and keep them running (or at least be prepared for the fact that they will break), and do all that at a price point that doesn't invalidate the reason for having an SOE and standardised equipment in the first place, good on ya I reckon.
Awful paragraph/sentence there but anyway...
The Citrix app publishing is pretty neat though.
We're looking at BYOD (Victorian Government Department) in the context that newer/younger staff expect to be able to use the devices they already own and simply connect into basic work IT systems where necessary; this is normally instant messaging, email, contact lists and calendar synchronisation. Normal users don't need to VM, Citrix or remote desktop into servers or PCs.
The argument for BYOD seems to be that a lot of people already have their own iPad or iPhone and there's no sense giving them a work-specific one and asking them to carry around two (phones/iPads).
My thinking is that if they actually need a phone/iPad for work reasons, they should be given one and they can retire their own device to the drawer/kids/partner/friends/OCAU for-sale forums. Same logic as a company car.
If they don't actually need a phone/iPad for work reasons, then we can provision a secure profile to allow them access, but give no support whatsoever for it.
We're still debating it internally though. Right now I'm dealing with the fact that VIPs here (and we're talking the most V of VIPs) all will be using iPads soon and we need to have a solid support and service offering around them.
And on that I agree somewhat. In theory love it, it's offered at my work.
But I didn't take it up. Why? Because it's my personal device, and as soon as I start whacking work stuff onto it then I'm carrying work around with me.
As I don't need to, I have no intention to.
But heaps of people here use it; we are supporting iPads and iPhones and adding work Exchange mail to them. Pretty handy. I wish there was a way to get just my calendar without having to have all the security stuff added.
I'm not disagreeing with you at all with regard to BYOD being a PITA.
Yeah, I think I went off on a bit of a tangent there