BYOD: You ain't seen nothing yet

Although 2011 was the year that user-driven mobile device usage became the norm, its fallout -- and opportunities -- are just starting

Some IT trends move fast -- way fast. BYOD, the "bring your own device" phenomenon that raised its head in late 2009, is one of them. Like Internet and email, it caught on with users faster than IT and corporate risk management expected. In 2010, businesses were asking the question "Who should own your smartphones?" Today, that question is moot -- more than half of companies let employees use their own smartphones at work, along with tablets. It's amazing how quickly BYOD became mainstream -- it took about 18 months.

Many companies that have accepted the BYOD phenomenon are taking the next step, shifting from a passive acceptance spurred on by employees and executives who would use iPhones, iPads, and Androids anyhow to active exploitation of BYOD to increase productivity and reduce mobile telecom costs. In other words, businesses are learning that not only are mobile-equipped information workers a great way to increase productivity and ROI but that employees will foot much or all of the bill for the privilege.

[ Learn about consumerization of IT in person March 4-6, 2012, at IDG's CITE conference in San Francisco. | See Galen Gruman's presentation on the real force behind the consumerization of IT. | Get expert advice about planning and implementing your BYOD strategy with InfoWorld's 29-page "Mobile and BYOD Deep Dive" PDF special report. ]

Thank you, Apple, for the freedom to choose

Most of the BYOD phenomenon was driven by the iPhone, which is fast becoming the new corporate-standard smartphone, as BlackBerry corporate sales have now fallen behind iPhone corporate sales. But Android devices are entering the fray, posing a much more complex management and security challenge than did the iPhone.

The iPad introduced its own wrinkle to the BYOD equation. Where businesses resisted the iPhone or simply weren't sure of its value, they see huge value in the iPad. This is one "consumer" device that both employees and employers love and see strong benefit from, which is why 96% of businesses have at least one in use, says Aberdeen Group, and 96% of all tablet activations among its customers are for iPads, says Good Technology. SAP, for example, has 12,500 iPads in use across a wide range of business groups, and iPads are popular in all sorts of customer-facing businesses, from insurance sales to energy inspection, from health care to kiosks. Ironically, IT is often in the lead when it comes to deploying tablets.

[ Free download: Crafting a successful BYOD and mobile IT strategy ]

Because the iPad uses the same operating system as the iPhone, proactive adoption of the iPad also opened doors closed to the iPhone. As far as management tools are concerned, they are the same thing, and supporting one de facto means supporting the other. (The same is not true for Android devices, which vary widely in security and management capabilities.)

The BYOD carpetbaggers are coming

Despite this BYOD acceptance and even encouragement in 2011, as well as the residual fears about non-BlackBerry mobile devices still muttered in some IT quarters, corporate management of mobile devices has a long way to go. Most companies don't yet use mobile device management (MDM) tools, notes Larry Dunn, vice president of global IT outsourcing at Unisys. Consultancies like Unisys and the dozens of MDM vendors are near-giddy at the prospect of the increase in consulting and tools business as more and more businesses go the MDM route, which is expected to accelerate in 2012.

In fact, the number of consultancies -- from the big names to "who are these people?" firms -- and tech vendors that have recently discovered BYOD is huge. Given that this phenomenon has had a good 18 months of CIO and media attention, I'd stay far away from any vendor that has just tuned in to the opportunity. They may claim they were monitoring the market until IT was ready for proactive BYOD, but I bet most are carpetbaggers who have no real experience or insight, and will simply sell you the same tired security and management products and services they always have. (I'm talking to you, Symantec and McAfee.) Those who truly did bide their time had better have something superior than those who've been in the market for a while.

Here are ways to avoid wasting your time and money on those selling you faux BYOD:

  • Make sure they practice what they preach. Are they using iPhones, iPads, and Androids broadly? Are they using them in the same ways you want to? Or do they have a few pilot deployments or implement BYOD in effectiveness-killing ways such as disabling copy and paste from email or restricting users from installing their own apps? (Yes, in some cases, these are good things to do, such as if you're managing spies, but they should never be the norm.)
  • Make sure they are adding value. For example, dozens of MDM companies offer a management tool for the basic Exchange ActiveSync (EAS) policies built into Microsoft Exchange. You already have that management capability baked into Exchange (on-premise or hosted, including in Office 365), and can get it in the corporate and government versions of Gmail. IBM and Novell offer EAS capabilities for their email servers. Don't buy it again.
  • Make sure they are enabling users, not promoting "no." Consultancies and tech providers should be able to show how they can make your users more productive while keeping your risk levels acceptable. Unfortunately, many play on your fears, saying mobile devices are less secure because employees are likely to lose them. That's false -- analysts tell me that employees are less likely to lose mobile devices they own, as well as the laptops they own. The fact is, the more you wrap mobile devices into security straitjackets, the less secure you are and the higher your costs go. And the less productive your employees are.

MDM by itself is not enough for effective BYOD

The good news is that mobile device management tools are well proven in all sorts of industries, including highly regulated fields such as health care and financial services. There are simple ways to handle tech support for the new generation of mobile devices; plus, it turns out that iOS devices at least are cheaper to support than the traditional BlackBerry. One lesson SAP learned is instructive, and I've heard the same finding from vendors offering mobile support tools: Issues around 3G and 4G cellular networks -- slow speed and inconsistent availability -- form the bulk of employee support questions, even though IT can't do a thing about the carriers' networks. What IT can do is educate users that cellular networks aren't as reliable as corporate networks and design apps to better handle latency and intermittent connections.

The bad news is that the MDM tools don't handle the whole picture. MDM tools work mainly with mobile devices that access corporate email, whose servers validate devices and apply management policies to them. But MDM tools don't address devices on the corporate network that aren't accessing email (nor those accessing email only through Webmail), so effective BYOD management also needs to involve the network in a way that goes beyond the traditional "unguarded inside the building" approach practiced by most organizations.

Also to be figured out is the role of mobile application management (MAM). Right now, this label refers to many things: designing HTML5 apps so that their contents can be managed and secured, managing and distributing native corporate apps on users' mobile devices, and managing commercial apps and their access to content and corporate resources. Then there's the question of whether you should have a corporate app store and how to deal with commercial app stores. There are tools for some aspects of these needs, but there are certainly nothing like best practices yet for what, how, and when to manage mobile apps. Those will begin to develop in 2012, I suspect.

BYOD will evolve beyond mobile devices

For many organizations, the consumerization-of-IT phenomenon and the BYOD phenomenon are one and the same. They are not, though BYOD is the most visible aspect of that larger shift. As companies realize the scare stories about BYOD have not materialized and start to look at how to gain more benefits from the iOS and Android devices that BYOD has let users force into the business, you can expect the "let me choose the technology" trend to grow beyond mobile devices.

Already, most companies support BYOPC, even if they don't think they do. After all, a home PC or Mac is definitely a BYO device, so any employee working from home on their equipment is part of your BYOPC reality. Expect that reality to grow more formalized in the workplace, partly due to the increasing sales of Macs: 11% of new PCs in the United States in 2011 were from Apple, and more than 7% in the United Kingdom and Western Europe. However, keep in mind that people who use computers for the most value tend to be those who work from home and on the road, and they want the same mix of personal and work capabilities on their laptops as they get on their smartphones.

This should result in the same equipment savings that companies have seen in BYOD, but the management approaches to BYOPC are trickier, mainly because most companies manage PCs not at all or to much lower standards than they do mobile devices. For example, despite years of recommendations from security experts, few companies encrypt PCs' drives, whereas on-device encryption is expected for mobile devices by many businesses. There's real hypocrisy at play here: IT and vendors propose much higher controls over mobile devices than over PCs that have so much more data. Notably, 10% of laptops get lost over a three-year period.

As with mobile, there's an uneven mix of security tools, application distribution and management tools, and remote lock and wipe capabilities for PCs. Windows PCs have long had tools to manage the provisioning of apps and lock them down. Nonetheless, the concept of managing the content on those PCs, such as to prevent unauthorized use of data and to lock or wipe compromised PCs, is new to IT (and vendors) in the context of computers.

It would make sense for mobile management tools and computer management tools to merge, but the MDM vendors tell me they get almost no demand for such a unified product, partly because the people who manage mobile devices have nothing to do with the people who manage PCs; in turn, the latter group has little to do with the people who manage back-end systems, networks, and databases. Perhaps Windows 8 will force the issue, as it brings in a truly mobile version of Windows that runs essentially a new operating system (the Metro UI) and makes data movement across devices a fundamental capability for applications -- moreso than Apple's iCloud does.

I suspect this morass of management will take several years to work out, but the direction is to flexibility, heterogeneity, and policy-based management regardless of endpoint.

First BYOD, then BYPOC, and ultimately BYOT (bring your own technology, such as applications, cloud services, and more) -- the technology fabric in our business is undergoing radical transformation at the user end. That's ultimately a good thing, but it will cause a real shakeup in the interim.

This story, "BYOD: You ain't seen nothing yet" was originally published by InfoWorld.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies