MDM and BYOD

Every once in a while a new set of acronyms comes out and promises to change everything. In the early 90s, ATM (Asynchronous Transfer Mode) was going to take over as the protocol for device communications. Articles written at the time talked about how “ATM to the desktop” was inevitable. Well, ATM still exists, but not in the way that so many predicted.

Two new acronyms, BYOD (Bring Your Own Device) and MDM (Mobile Device Management), are being marketed vigorously, promising huge savings and increased productivity. In health care and education, I see the need for a strong MDM implementation, using shared devices to perform a number of tasks securely, with the knowledge that at any time I can remove access to the device and remove any corporate data that may be on the device.

Are these actually new concepts, or:
Is BYOD just another name for RAS (Remote Access)?
Is MDM analogous to Active Directory Global Policies, or Network Access Control?

Let’s talk a little bit about what is needed from an infrastructure standpoint to support any mobile devices within the four walls of your corporation.

Start with a secure and robust wireless network. Create at least two profiles on that network, Corporate and Guest. The Corporate network should be secured with layered authentication, ensuring that both the user and the device are known entities. Issuing certificates via Active Directory is a good way to accomplish this. Some organizations may use a third-party access control method to do this, inspecting the connecting device and ensuring it meets the minimum requirements or has a specific registry entry. However you choose to do this, you are ensuring that only devices you manage and know about get onto your corporate network. The Guest network can be secured using WPA with just a passphrase/key, and additionally secured via a web redirect to an authentication page or a “terms and conditions” page. The Guest network is isolated on a VLAN that only has access to the Internet. This solution in itself is a valid BYOD solution: it promotes the use of personal devices for Internet access while at work, and at the same time ensures these devices do not compromise the security of your corporate network.
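As an added example (not from the original post), here is what the two profiles described above look like in a hostapd configuration: a Corporate BSS using WPA2-Enterprise, where the access point hands authentication to a RADIUS server (such as Microsoft NPS) that validates the Active Directory-issued certificates, and a Guest BSS using a WPA2 passphrase and bridged onto its own VLAN. The interface names, bridge names, SSIDs, RADIUS address and secrets are placeholders I assumed for the example; the Internet-only restriction on the guest VLAN and the captive-portal redirect are enforced on the router/firewall, not in this file.

```ini
# Shared radio settings (assumed example values)
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ieee80211n=1

# --- Corporate profile: user AND device must be known ---
# The AP does no EAP itself; it forwards 802.1X to RADIUS, which checks
# the client certificate issued by the corporate CA (EAP-TLS).
ssid=CORP-WLAN
bridge=br-corp                 # corporate VLAN bridge (assumed name)
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2                   # require Protected Management Frames
ieee8021x=1
eap_server=0                   # use the external RADIUS server below
auth_server_addr=10.0.0.10     # placeholder: NPS/RADIUS server address
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
own_ip_addr=10.0.0.5           # placeholder: NAS-IP-Address sent to RADIUS

# --- Guest profile: passphrase only, isolated VLAN ---
bss=wlan0_guest
ssid=GUEST-WLAN
bridge=br-guest                # guest VLAN bridge; router allows Internet only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_GUEST_PASSPHRASE
ap_isolate=1                   # guests cannot talk to each other over the AP
```

The terms-and-conditions or login page the post mentions is a captive portal placed on br-guest; until a client passes it, the router should redirect its HTTP traffic there and drop everything except DNS and the portal itself.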

The idea of layering MDM on top of this would enable the use of these devices on the corporate network. The security policies of the corporate network do not change. You still need to ensure that only the devices you authorize get on, and they still have to be inspected for compliance. This is where MDM comes in: the ability to load a corporate profile complete with application access and email access, to block app store downloads, and even to block access to the camera, if applicable. The features are endless… well, not really! There are a lot of features, but they vary between platform OSes. This is sure to change as the market matures, but until it does, the market is too fractured and lacks the standards that will be needed to provide consistent support across all mobile operating systems.

BYOD and MDM individually are good ideas and quite doable. However, the two together seem to be at odds. Would you, the proud owner of a new iPad, hand it over to your IT department so that they can load some software on it that would allow them to erase your device? Or track your whereabouts? Or lock you out of your games? All so you can use the iPad for your work!

If a device is corporately owned I see and support the vision of MDM. If the device is privately owned I see and support the vision of BYOD. The two do not coexist, at least not today.

How do you know whether you need a BYOD or an MDM solution, or maybe both? Either way, you have to start with the infrastructure, and it cannot be an afterthought. A solid wireless infrastructure is key to the success of any mobile solution. Then you have to sit down and write a policy, or two, or three. What devices will you allow, who owns them, what level of access will they be granted, and do your applications support all devices? Then and only then will you be able to determine what BYOD and MDM solution you need.
