How to craft an MDM policy BYOD workers will actually follow

The bring-your-own-device (BYOD) trend has long since moved from being an outlier to the norm for most companies and employees. But with all those devices come a wealth of potential security problems. Rogue apps, malware, data breaches are sometimes just a click or swipe away.

Even with that reality, crafting policies for employee and executive devices remains a challenge because most people resist interference with the most important devices that they own — their smartphones, tablets and laptops. The challenge isn’t one of technical capabilities; it’s more about understanding how to apply the mobile device management (MDM) solutions already available and effectively communicate corporate guidelines and rules to users.

Here’s how to crack the problem of errant users and ignored corporate policies.

Communication and transparency are a must

Let’s start with the most important issue: communication.

Communication isn’t an area where IT departments typically excel. Most communications from IT to users is one way, short of details, and likely to — at best — be glanced at before being discarded or deleted. (It doesn’t matter whether it’s an urgent email or an agreement that employees click through without reading.) This presents a couple of challenges, the first of which is getting employee attention and holding it long enough for workers to understand the message.

Typically, users are instructed to enroll their smartphones or other personal devices during the onboarding process. This makes it easy to let Human Resources talk about current BYOD and IT policies and assume the matter’s been dealt with. But most HR folks don’t understand BYOD issues in depth and they’re already charged with providing so much information to new hires; IT rules are likely to be lost in the shuffle, even if they are effectively communicated.

A BYOD policy statement is more important than other policy descriptions because IT has to deal with how an individual’s primary device will be viewed, monitored and managed. In most cases, this is seen — somewhat accurately — as IT invading one’s very personal space.

Privacy is often the most important concern users have involving BYOD, and for good reason. Our smartphones and related devices now contain some of our most personal details, everything from health information to location data, family memories, and even banking and legal information. Asking a user to allow employer access to all that information raises red flags.

This is why it’s important to communicate up front that privacy is sacrosanct (and make sure it is) and repeatedly reinforce the message through different mechanisms. The policy and a privacy statement needs to reach users in whatever form they might digest the message. That means written policies, reminder emails, one-to-one meetings and any other form of communication needed.

The obvious time to convey MDM policies is during the device enrollment process, something now supported by all major EMM solutions. There’s still a good chance users will just click through without reading or absorbing what they see. A welcome email is another good time, but it, too, might be skimmed or not read. Having someone explicitly talk about corporate policies (IT staff, HR, managers, even fellow co-workers) is a still-better option, even if it’s a simple orientation video or during an all-hands meeting. It’s also important to reiterate policies over time and crucial to communicate changes as they arise.

So what exactly needs to be communicated? A privacy policy that makes it clear what IT can monitor, record, manage or erase on a user’s device. Each piece of the policy should detail the reasons for its inclusion and the real-world situations where it might be used — remotely locking a device and selectively wiping corporate data if it’s lost or stolen; tracking a lost device’s location; configuring access to email and various cloud services; and information on what data will be deleted when the employee leaves the company. (These are examples; the specifics will vary from company to company.

Managing with surgical precision

Ten years ago, when devices and device management tools beyond the BlackBerry were a nascent part of the IT stack, device management was usually heavy handed — and almost absolute. The adage that “if the only tool you have is a hammer, every problem looks like a nail” was a great analogy for mobile management when Apple first highlighted it next to the original iPad and the iPhone 4.

Times have changed.

Today’s enterprise mobility management (EMM) suites go far beyond all-or-nothing policies. Most significantly, they demarcate a line between user and business apps and content. Going further, policies can now be applied selectively to a device as a whole, to all managed apps, to specific apps, and even to specific app features under certain conditions.

This approach, known as conditional access, moves management from the overall device to individual apps. The best example is Office 365, which supports granting privileges based on a range of criteria — a particular device, a user’s account and group membership, specific times of day, location (both within a network and around the world), app version, and configuration data. This is essentially an extension of the conditional rights that can be managed for PCs, translated into the mobile world.

Not all apps have conditional access capabilities built-in to this extent. But this level of management can still be possible by setting restrictions on a user’s account and/or on the network and cloud resources to which they connect. This allows true app and data management, regardless of device or device type.

App-level management is also important in that specific apps and their data can be installed or restricted by an EMM suite with or without an enterprise app store. In many cases, specific app configurations can be applied, too, either through capabilities built into the apps themselves or by creating configuration data that can be implemented with an app.

If app level management isn’t available or reliable, then containerizing business apps is the next best option. That applies security and configuration across a range of apps without affecting a user’s personal apps, accounts or data.

You’ll notice that I haven’t mentioned things like whole-device policies (disabling a smartphone camera, for example). That’s because a goal of good management in general — and BYOD in particular — should be as much restraint as possible. You should rely on device-level restrictrictions only where a less restrictive solution isn’t a technical or realistic option. The goal is to have device management be as seamless and transparent as possible. Ideally, a user shouldn’t even be aware of the management in daily use. The more their device feels like their device without IT intrusion, the better. This helps ensure users don’t go rogue and unenroll their devices.

It’s also important to note that EMM suites support using enterprise user and group data to apply policies. It’s best to avoid monolithic policies that contain configuration and access data for multiple apps and device features. Each user account or group membership is a way to apply a specific policy, just as file permissions can be restricted narrowly for desktops. It’s perfectly appropriate to combine a large number of specific policies manage individual access and capabilities. This, in fact, is more appropriate than having a limited number of policies that include dozens of rules and restrictions. (EMM policies can often be created around existing access groups within the enterprise directory system.)

Putting it together

As I’ve noted, the real challenge for an effective BYOD management isn’t so much a policy issue. The management software and policies needed to lock down devices and data is readily available. It’s the user that must be the focus of IT MDM efforts. Providing transparency to the user so that they understand what comes with your BYOD program is crucial, as is making the policies as light and granular as feasible. This applies regardless of platform or EMM solution.

This discussion applies specifically to BYOD devices. If you discover that you need more significant control of devices than can be applied in this manner, you’ll need to consider whether it’s time to invest in corporate devices instead. In addition to making broader policies and restrictions more acceptable to users, iOS and Android both offer a more stringent set of controls for devices that are company owned and purchased from select vendors. If you opt for the company-owned option, you may want to consider a CYOD (choose your own device) model, in which users select from a set of devices and are encouraged to use them for personal as well as business purposes.