How to create a BYOD policy

Dimension Data’s CIO, Ian Jansen shares his experience and essential tips on how to create a bring your own device (BYOD) policy that works.

It began with a trickle and now, for many organisations, it’s a flood. That rising tide of employee-owned smartphones, tablets and laptop computers threatens to drown already weighed-down IT leaders around the country, but all is not lost. In fact, with a little planning, the flow of BYO devices — while not diverted — can in fact be harnessed for the betterment of employer and employees.

For the last year or so, Dimension Data’s CIO, Ian Jansen, has been working hard at tackling BYOD within his own organisation. Through breaking down the BYOD problem into smaller, more manageable chunks, and through implementing specific IT projects to facilitate BYOD management, the company now has a stable platform from which to both manage BYOD but also reap the benefits of a more mobile workforce.

Jansen says DiData’s successful approach — the company has between 30 and 50 per cent uptake among staff and BYOD devices under management number in the hundreds — is based on tackling BYOD in three phases: Acceptance; Refine and Baseline; and, Accelerate and Benefits Realisation.

“Acceptance may sound very obvious, but it is accepting the fact that BYOD will be in our future and will be part and parcel of what we do and will change the way we work,” he explains.

The next phase, Refine and Baseline, is about a normalisation of infrastructure and policies in order to be able to support BYOD, Jansen says.

BYOD 101: Creating a BYOD user policy

The hidden costs of BYOD

“What we have done is to baseline a whole bunch of capabilities within our organisation,” he explains. “That extends to everything from policy to establishing Citrix platforms to improving wireless capability to ‘single number reach’ — a whole world of stuff to facilitate both mobility and BYOD.

“The third part is ultimately about connecting all the data in the back end of your business to all of these devices which are in the front of the business — in a native mode — which will change the way you do business and operate. I like to use the example around information we can make available to our clients or markets which we would not have previously gone after as a result of mobility and BYOD.”

Discussing the Acceptance phase in more detail, Jansen says the most important step — aside from realising that executives will want to use their own gadgets whether IT likes it or not — is engagement with the business and soliciting feedback during BYOD policy formulation.

“After I had written the policy and published it not the business and invited feedback I was blown away by how passionate and how enthusiastic people were to comment or an opinion. It is something which touches everyone,” Jansen says.

“People were writing me two- or three-page discussions on various points like the registration of devices or on how our policy stated when we could wipe information from devices.”

Having gained valuable insights from the business Jansen set up a BYOD policy which, rather than focus on specific devices, focuses on three core elements: Security, operational, and support.

“What we did was define the minimum requirements for smartphones, tablets and computers. That removes the whole emotional argument around this device versus that device,” he says.

“Ultimately we don’t care what the device is so long as it meets the minimum requirements in each of those three areas — our security policy, our operational requirements and our support policy.”

Operational Policy

Under the operational policy, Jansen says it’s worth considering issues such as how decisions about which network a given devices is allowed onto. “For example, if you walked in with your BYOD computer, can you connect to the corporate network, or only Wi-Fi, or do we establish a specific network with specific characteristics?” Jansen says.

Device enrolment is another consideration, Jansen says: If an employee brings a phone or tablet to work are they allowed to immediately start using it or should it go through an enrolment process?

“We make people aware of certain things: That they need to view the policy; that they understand if they lose their device and we decide to wipe the corporate data on there; that they may lose their personal data such as their phone directory, personal email or photos,” he says.

“In having people enrol you can remind people of what they need to be mindful of.”

Licensing, too, is also a consideration given that BYOD devices are inevitably Wi-Fi-connected and new apps are but a few brief taps away. Jansen says there are plenty of questions to ask in this area: “Can someone purchase a licence and can they claim that back from the company? If people load applications onto a device, who is responsible for them? What corporate licensing are we making available to them and are we doing it in a particular way, such as through Citrix? The question is what licensing burden the corporation is taking on versus the individual.”

It’s also worth considering what happens when an employee or executive turns up with a device that isn’t supported and whether they will be allowed to participate. Consider too the cultural aspects, or how the relationship between a device and its owner changes when the device is used for work.

“We also started to think about the fact that once someone begins replicating corporate information onto a device the company starts to have an interest in that device and how it is used – even if it belongs to the employee,” Jansen says. “Because some of the data belongs to us we start to have an interest in whether the device has encryption, for example.”

Over the page: Security and support policy considerations, and IT projects to support BYOD.

Page Break

Security and support policy

Under the security policy umbrella, Jansen says IT leaders need to be mindful of the fact that devices will get lost or stolen. How then will the organisation protect the organisational data that’s stored on these devices? One option is remote wiping, but then that could seriously fray IT’s relationship with employees.

Does IT also need to have a say in whether a device which has been used for BYOD purposes can be gifted or given to a third party. What happens to the business applications and organisational data which could still be on that iPhone handed down to a child or relative?

Other security questions the security policy should answer include whether or not to use authentication, PINs, and remote backup, Jansen says. “How do you back it up and can you use options like the Cloud for it? What happens if I replicate information from the corporate network to the iPhone and then back that up to the cloud, do you know where that data has gone?”

Security doubts have resulted in DiData prohibiting its staff from backing up into the Cloud, Jansen says.

Under the maintenance and support umbrella, Jansen says IT leaders should consider whether to insist on employees having their own maintenance and support programs for smartphones, tablets and laptops. This is because without support, the burden and cost of helping employees with their BYO devices falls on IT. In addition, staff productivity could be affected.

“If I have a corporate device, what kind of support can I expect if I call up the help desk? If I have a personal device, what can I reasonably expect?” Jansen says are some of the questions that should be asked.

However, he warns that things can get tricky when the organisation makes corporate applications available on BYO devices. “For example, we have our online training available on iPhones and iPads. Can people expect support on that if they call up our corporate helpdesk?” he says.

IT projects to support BYOD

Turning to the second and third phases of DiData’s BYOD approach — Refine and Baseline (or normalising your IT environment for BYOD); and, Accelerate and Benefits Realisation (or, ‘Now what can we do?’) — Jansen says probably the most important project the company ran was its Citrix implementation.

“We call it a baseline project and it has been a runaway success,” he says. “What it gives us is the ability for anyone to use any device. I can control the security and application experience [employees] have and they can run any corporate application regardless of the device.”

The next major BYOD supporting project was a mobile device management (MDM) implementation. According to Jansen, MDM forces employees and guests to enrol into DiData’s BYOD program, which then gives IT influence and control over those devices.

“We can now detect whether someone is using a jailbroken device, for example, or if they have overridden the operating system,” he says. “We can also forbid devices that don’t have PINs — which is in our security policy. We can disconnect them from corporate email or stop them from accessing corporate networks.”

When selecting an MDM provider, Jansen advises IT leaders to spend the time assessing options on the market and to consider selecting one which will install a light rather than thick or heavy client on users’ devices.

“If corporate IT makes it too difficult to use that device then the [BYOD] program will fail,” he says. “We made sure it is very light touch but that it gave us the security which we require.”

Given that BYOD devices are invariably Wi-Fi capable, it naturally follows that company Wi-Fi networks also have to be capable of handling a serious uptick in data usage. In DiData’s case, Jansen says the company essentially took its existing Wi-Fi network and threw it out in favour of a new one capable of handling multiple devices. “Right now, the average number of devices per person is three — a computer, a phone and a tablet — and it won’t surprise me if that increases,” he says.

Jansen also suggests that ensuring BYOD users can also gain access to the organisation’s telephony setup is also an important consideration influencing the success of a BYOD program. To this end, DiData implemented a mobility client.

“If someone called my desk phone, my iPhone would ring — not because I’ve diverted the call — but because the iPhone is integrated into the corporate network so that there is ‘single number reach’,” he explains.

“Recently, I was in Europe and I didn’t make a single call back to Australia as I could connect via Wi-Fi back to our corporate telephony In Australia and placing an outbound call from there.”

Lastly, Jansen says DiData has also made use of Microsoft SharePoint quite heavily. “SharePoint has something called SharePoint Workspace,” he explains. “What that does is allow us to replicate data or files from your computer to the network. That by itself is not that fantastic, but when you combine it with Citrix you get full data mobility and you have a form of backup as you have a copy of the file on the network.”