Every company will have a different path to mobile adoption, and final implementations will vary, depending on the needs of various business functions and on regulations that impact mobile policies. A simple way to evaluate where a business is and where it wants to be is to look at devices in terms of who owns them, and to what degree they may be managed. The result is the 2X2 matrix shown, which identifies the four different environments where one might find devices of any kind in business.
A Journey with Multiple Destinations
On the left are devices that are purchased and owned by the company, just like the majority of PCs and laptops. The right side represents all of the devices that are used for business purposes, yet are purchased and owned by the end user. On the bottom half are devices that are managed by company IT. Typically, that means there is an agent with a set of policies that governs the use of that device. On the top are devices over which IT does not have corporate control. Of critical importance is that companies are able to protect and control access to the business information, while continuing to make it accessible to the workers who need it in order to remain productive. This chart helps clarify the different considerations and approaches required to address those problems in the context of ownership and manageability of the device.
1. The lower left quadrant is the most familiar, representing the traditional approach to IT. The company provides standard equipment to its employees from a limited set of configurations, and installs agents for full control over configuration, management, and security. For mobile devices, this is no different than for traditional PCs and laptops—if the device is owned, it should be managed.
2. In the lower right, corporate control must be identical to the first quadrant because the requirement to protect data and networks does not change with personal ownership of the device. There is, however, a big difference in liability and expectation of privacy. As long as the controls imposed on the device are not too severe, this can be a good model for both the business and the user. For industries that are more heavily regulated, like healthcare, finance, and government, the required controls and policies will be more limiting and not as reasonable for a user who has purchased their own device.
3. In the upper right, there is no attempt to apply policies or controls over the entire device, as in the lower half. Instead, this approach recognizes that the information that needs to be protected will generally be accessed and contained within specific applications. Therefore, if there is a way to apply safeguards around the applications in question, there is no need to apply controls over the entire device. This approach works well for organizations that want to move to a BYOD model but whose regulations and necessary policies prevent the full control approach from being practical.
4. The upper left is an undesirable place to be, where the company owns the devices, yet it has no control (and often no visibility) over them. This frequently happens when an executive uses company money to buy a mobile device and then proceeds to use it for business without informing IT. Devices that are in this quadrant should be moved into one of the other quadrants as quickly as possible, typically by adding a management agent and moving them down to the lower left.