Bring Your Own Device, or BYOD, is all the rage these days. However, any given organization is likely going to have some use-cases where BYOD is feasible and some use-cases where different mobility strategies are a better fit. For most enterprises, a homogeneous mobile infrastructure consisting of several different mobility strategies is going to produce the most effective, productive employees while still maintaining the levels of management and security necessary to keep sensitive corporate information safe.
Thus, companies need to look beyond BYOD and understand their total mobile story. For many, BYOD will likely be a part of the equation, but just one part. The following matrix is a simple and useful way of looking at and understanding the complexities of enterprise mobility. Again, most companies will likely find that they fit into more than one of the quadrants below.
On the left are devices that are purchased and owned by the company, just like the majority of PCs and laptops. The right side represents all of the devices that are used for business purposes, yet are purchased and owned by the end-user. On the bottom half are devices that are managed by company IT. Typically, that means there is an agent and a set of policies that governs the use of that device. On the top are devices that IT does not have corporate control over.
Note that, although we are discussing the security and management of smartphones and tablets, it is ultimately not the device that companies should care about nearly as much as the data that resides on and passes through these devices.
The lower left quadrant is the most familiar, representing the traditional approach to IT. The company provides standard equipment to its employees from a limited set of configurations and installs agents for full control over configuration, management and security. For mobile devices, this is really no different than for traditional PCs and laptops; if the device is owned, it should be managed.
To the right, in quadrant two, the corporate control is identical to the first quadrant, but applied to a system or device that has been purchased by the user, primarily as a personal device. Typically there is some sort of agreement that the user accepts when submitting their device over to corporate control. As long as the controls and limitations imposed on the device are not too severe, this can still be a good model for both the business and the user. This is a common approach in education and other industries with little or no regulation and where imposing a password and not much else is sufficient.
The problem with this, however, becomes apparent in industries that are more heavily regulated, like healthcare, finance, government and other organizations that are very risk averse. For these companies, the controls and policies that would need to be applied will be more severe and not as reasonable for a user who has purchased their own device. For this scenario, we move to the third quadrant in the upper right.
In the upper right, there is no attempt to apply policies or controls over the entire device. Instead, it recognizes that the information that needs to be protected will generally be accessed and contained within specific applications. Therefore, if there is a way to apply safeguards around the applications in question, there may not be a need to apply controls over the entire device. This approach works well for organizations that want to move to a user owned model – for financial, user satisfaction or other reasons – and the users want to use their own devices, yet regulations and necessary policies prevent the full control approach from being practical.
The upper left is an undesirable place to be, where the company owns the device, yet has no control – and often no visibility – over them. This frequently happens when an executive uses company money to buy a mobile device then proceeds to use it for business. IT may never have any visibility over what happens on the device. Devices that are in this quadrant should be moved into one of the other quadrants as quickly as possible. This can typically be done by adding a management agent and moving it down to quadrant one. After all, the company owns it.
For each situation, there are essential tools to manage devices, protect information and assure productivity. At Symantec, we continue to build on the broadest, most complete solution set for enterprise mobility to ensure each company – and each unique need within every company – can be addressed and satisfied.