Is BYOD a four-letter word in your organisation?

We're well into the first quarter of 2015, and are starting to see some of the big numbers coming out of Q4 2014.

· Apple sold over 21 million iPads in Q4 alone

· Apple also sold over 75 million new iPhones during the same period

· SlashGear estimates that 3.4 million Android tablets were sold in Q4

· Nokia sold out of the first four runs of its new N1 Android tablet

· Microsoft shipped two million Surface tablets in Q4 2014

Driven in part by Christmas sales, that is a substantial number of new portable computing devices in active circulation, and many of them are in the hands of your employees. How many of them are already accessing corporate email on these new devices, and how many of those devices are unmanaged? Are you seeing demand for corporate apps to be made available on them? Do you have a plan to handle all of that?

The whole concept of Bring Your Own Device (BYOD) walks a fine line between personal and business. The employee owns the device, but because they want to use it to access corporate data, the business wants and needs some control over it. The challenge is deciding where to draw that line, especially since the ultimate corporate fail-safe, the remote wipe, destroys the employee's personal data at the same time as it deletes business data. Each company must come up with the mix of policy and technology that fits its needs, but every company must consider the following.

To BYOD, or not to BYOD…that is the (first) question

The first question every company must ask and answer is whether or not to allow BYOD. That assumes you can still ask the question and have a choice in the matter: BYOD is very often a foregone conclusion, driven either by stealthy back-door adoption or by executives to whom you cannot easily say no. The sooner you accept BYOD, the sooner you can look at how to secure it to the degree your business requires.


Policy needs to define not only what is and is not acceptable, but where the support limits are. If you have a mobile-savvy support desk that is willing to take on all manner of phone and tablet, that's great, but if your team knows Apple and doesn't have time to learn Android, make clear which devices will be fully supported and which will not. Existing server-side settings can lock down and secure devices, but they make no distinction between personal and business data, so a remote wipe wipes everything. The policy needs to lay that out clearly, and employees should acknowledge it before they connect: they must know what would trigger a remote wipe, that it will wipe the whole device, and that by connecting they accept that.

Policy should also lay out what the business requires for corporate, employee, and customer data. Device encryption, inactivity timeouts, PIN requirements, failed-attempt limits and the like should all be spelled out in the written policy and then enforced in the technical policy, so that the two never drift apart.


When it comes to securing BYOD devices, the good news is that you have choices. Many businesses use Microsoft Exchange, either on-premises or in the cloud, and can use Exchange ActiveSync (EAS) policies to control phones and tablets. EAS policies are very good, and they are part of the EAS protocol used to access Exchange, so you can use them today without additional software, licences, or other costs. But they are also very broad, and they make no distinction between BYOD and corporate-furnished equipment. If you remotely wipe an EAS device to protect company data, you may also wipe the only pictures from an employee's child's birthday party. EAS policies are also essentially push-only: the server pushes down and enforces a set of settings on a device, and the device reports back little more than its identity (model, OS version string, last sync time). EAS cannot tell you what apps are installed, whether the device is jailbroken or rooted, or whether it is missing security patches.
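As an added example (not from the original article), here is how the written-policy items above, PIN, timeout, encryption and failed-attempt wipe, are turned into an EAS technical policy and exercised from the Exchange Management Shell, including the full-device wipe the text warns about. It assumes Exchange 2013 or later on-premises, or Exchange Online, and a session with the rights to manage mobile devices; the policy name, mailbox address and notification address are placeholders.

```powershell
# Added example, not from the original article. Assumes Exchange 2013+ or
# Exchange Online, run from the Exchange Management Shell (or a remote
# PowerShell session). "BYOD-Baseline", jane.doe@example.com and
# security@example.com are placeholders.

# 1. Technical policy: PIN, inactivity lock, failed-attempt wipe, encryption.
#    Devices that cannot enforce every setting are refused outright.
New-MobileDeviceMailboxPolicy -Name "BYOD-Baseline" `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock (New-TimeSpan -Minutes 5) `
    -PasswordExpiration (New-TimeSpan -Days 90) `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a BYOD user. (Add -IsDefault $true to the command
#    above instead if it should apply to every mailbox without its own policy.)
Set-CASMailbox -Identity "jane.doe@example.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. What EAS reports back: device identity and sync state only. There is no
#    column for installed apps, jailbreak status or patch level.
Get-MobileDeviceStatistics -Mailbox "jane.doe@example.com" |
    Select-Object DeviceFriendlyName, DeviceModel, DeviceOS, LastPolicyUpdateTime, LastSuccessSync

# 4. The fail-safe. With plain EAS this is a full device wipe, personal photos
#    included, which is exactly what the written policy must warn users about.
$device = Get-MobileDevice -Mailbox "jane.doe@example.com" |
    Where-Object { $_.DeviceModel -like "iPad*" }
Clear-MobileDevice -Identity $device.Identity `
    -NotificationEmailAddresses "security@example.com" -Confirm:$false

# A queued wipe can still be withdrawn until the device next syncs:
# Clear-MobileDevice -Identity $device.Identity -Cancel
```

On Exchange 2010 the same settings live in the older *-ActiveSyncMailboxPolicy cmdlets with DevicePassword* parameter names. Later builds of Exchange and Exchange Online added an -AccountOnly switch to Clear-MobileDevice that removes only the Exchange account data rather than the whole device; check Get-Help Clear-MobileDevice on your version before relying on it for BYOD, and treat the plain command above as a full wipe.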

Mobile Device Management (MDM) solutions, on the other hand, do what the name implies: they manage mobile devices. An MDM uses an agent on the device that can report the operating system and patch version and the software installed, and it can deploy software to the device as well. MDMs can also separate corporate data from personal data in a managed container, so a remote wipe can be selective and apply only to corporate data. That one-of-a-kind photo of a child blowing out the candles is safe. Of course, MDMs are not free and can be quite costly. They also require that an agent be enrolled on each device, which may mean touching every device, a potentially time-consuming and costly activity given that each person in your organisation may have both a smartphone and a tablet that need managing.


Whichever you decide, EAS or MDM, you can give your users access to email on their mobile devices and secure that data from unauthorised access. If you need to keep business data separate from personal data, or want to push or publish apps, an MDM solution is the way to go. Either way, you can securely support BYOD, which will make everyone happy!

Contributed by Sergio Galindo, general manager, GFI Software