The best first step in any BYOD policy is to make the cultural shift from managing devices to managing data. It is in IT’s best interest to set connection standards and then focus on the data rather than the hardware used to access or create it.
At the core of your solution is your chosen Mobile Device Management (MDM) software. Regardless of the vendor (MobileIron, Good, etc.), we would recommend taking a sandbox approach. Isolating corporate data on the personal device in a separate container eliminates many of the worries around virus infections, data theft, and accidental mixing of personal and business information. It also makes remote wiping a near non-event: the corporate container can be wiped remotely, on command, without interfering with the user’s personal apps and data. This approach works well for email, calendar, and contacts management.
For deeper corporate access, consider something like Citrix Receiver. It provides full access to a corporate desktop and applications while maintaining tight security over the connection. Access is easily controlled at the Citrix server side and no data is stored on the personal mobile device. Another win for security management.
As far as the hardware goes, IT should be agnostic about manufacturers, yet specific about revision levels. Promote a list of approved OSes and sample devices. For instance, set minimum requirements such as iOS 4.1 or Android 2.2, not “iPad 2 and up” or “Motorola Droids only.” It’s in a company’s best interest to list a handful of tested devices as acceptable, but don’t officially ‘approve’ any specific device. Devices become obsolete so quickly that it’s hard to keep up, but OS requirements tend to hang around for years (you still test for IE6 compatibility, I bet).
When it comes time to isolate a device from the network, your best bet is to block the MAC address. This is a one-stop solution that will kill all but the most devious ex-employees’ attempts to illegally access your network. Combined with a remote wipe through your MDM, you can eliminate a threat with just a few keystrokes.
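The two mechanical rules above, a minimum OS version per platform and a MAC-address block list for isolated devices, are the kind of thing an MDM or NAC integration script ends up encoding. The following is an added example in Python, not code from the original article or from GHS, showing one way to evaluate a device record against both rules. The platform and version strings are assumed to come from an MDM inventory export; the MAC addresses and the `Device` record layout are constructed for the example. The version comparison is done numerically rather than as strings, so that a future release such as 4.10 is correctly ranked above 4.9.

```python
from dataclasses import dataclass

# Minimum OS versions from the policy text (iOS 4.1, Android 2.2).
# Keys are platform names as assumed to appear in an MDM inventory export.
MIN_OS_VERSION = {
    "ios": "4.1",
    "android": "2.2",
}

# Constructed placeholder block list: MAC addresses of devices that have
# been isolated (for example during an employee departure). In practice
# this list would be pushed to the wireless controller or NAC. Note that a
# MAC address is easily changed on most devices, so treat this as a
# quick isolation trigger, to be paired with the MDM remote wipe, rather
# than as a strong identity check.
REVOKED_MACS = {
    "aa:bb:cc:dd:ee:01",
}


def parse_version(version: str) -> tuple:
    """Turn '4.10.2' into (4, 10, 2) so comparisons are numeric.

    Plain string comparison would rank '4.9' above '4.10', which is wrong.
    Non-numeric suffixes such as '2.2rc1' are ignored in the numeric part.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """True if `actual` meets or exceeds `minimum`, e.g. 4.1.0 >= 4.1."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))   # pad so (4, 1) compares as (4, 1, 0)
    m += (0,) * (width - len(m))
    return a >= m


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-01', 'aabb.ccdd.ee01', etc.; return aa:bb:cc:dd:ee:01."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


REVOKED_NORMALIZED = {normalize_mac(m) for m in REVOKED_MACS}


@dataclass
class Device:
    platform: str     # as reported by the MDM, e.g. "iOS" or "Android"
    os_version: str   # e.g. "4.1", "2.2.1"
    mac: str          # Wi-Fi MAC address as seen by the network


def evaluate(device: Device) -> str:
    """Return 'block' (isolated device), 'deny' (fails policy) or 'allow'."""
    if normalize_mac(device.mac) in REVOKED_NORMALIZED:
        return "block"
    minimum = MIN_OS_VERSION.get(device.platform.lower())
    if minimum is None:
        return "deny"   # platform not on the approved OS list
    if not version_at_least(device.os_version, minimum):
        return "deny"   # below the published minimum revision
    return "allow"


if __name__ == "__main__":
    samples = [
        Device("iOS", "4.1", "00:11:22:33:44:55"),
        Device("iOS", "4.0.2", "00:11:22:33:44:56"),
        Device("Android", "2.10", "00:11:22:33:44:57"),
        Device("Android", "2.2", "AA-BB-CC-DD-EE-01"),
        Device("BlackBerry", "7.0", "00:11:22:33:44:58"),
    ]
    for d in samples:
        print(f"{d.platform:10} {d.os_version:6} {d.mac:18} -> {evaluate(d)}")
```

Keeping the policy as data (the `MIN_OS_VERSION` table) rather than as hard-coded device names is what lets the requirement outlive any particular handset, which is the point the article makes about OS versions versus specific models.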
On the HR/legal side, a signed copy of your AUP sets the stage for you and your employee. A clear statement that employees are responsible for their conduct on ALL devices, corporate and personal, and acknowledgement from all users, will cover the company when blocking and wiping becomes necessary. Spot checking by your security team and annual re-education covers acceptable-effort requirements.
In the end, moving to a data-centric rather than device-centric mentality will make your BYOD policy implementation quite smooth, and you will likely find it one of the easiest technical initiatives to manage in your shop. BYOD and mobile device management sound like the newest challenge in an ever-changing tech world, but IT shops have been managing remote laptop access for years. BYOD is nothing more than an evolution of the same sensibilities.
If you’d like some help integrating BYOD into your environment, contact GHS today!