Galen Gruman
Executive Editor for Global Content

Apple devices only? That’s not BYOD

analysis
Aug 31, 2012 · 9 mins

Given the choice, most users tend to want iPhones and iPads, so some IT organizations are standardizing on Apple. But that's just another way of hobbling user empowerment.

In its third year, the BYOD battle rages on, though most organizations allow some form of bring-your-own-device these days, even if just for email, calendar, and contacts access. The fight occurs at several levels: employees seeking freedom from technological micromanagement and tools that work best for them as individuals; IT seeking to reduce risk and/or assert control around issues of compliance, legal exposure, and sometimes paternalistic business culture; and management wanting to have its cake and eat it too when it comes to freedom and risk avoidance.

As a result, some companies want to boil the ocean — trying to validate, document, and actively support every Android device an employee might choose. Alternatively, they impose draconian restrictions through mobile management technology on what devices can do (leading to unsafe work-arounds by employees) — or, less often, give up and do nothing. Bask Iyer, CIO of Juniper Networks, has a different approach: Formally adopt Apple technologies as IT standards as co-equals to Windows PCs and BlackBerry smartphones.


Iyer said this week his company judged that when employees asked for BYOD, they really meant they wanted Apple products: Macs, iPhones, and iPads. Rather than open up to a true, heterogeneous BYOD environment, Juniper decided to simply give employees Apple products if they wanted them.

That’s a very IT point of view — formalize something as a standard and tell users to accept the standard or, if there are several co-equal options, one of them. As I’ll explain, IT today could indeed pull off OS X as such a formal standard. But such an approach misses the impulse underlying BYOD, which is that users choose endpoint technology, not IT. Although I like Apple’s current products and believe they would do well for many business users, that’s not the point. The point is IT shouldn’t dictate devices; it should focus on policies instead regardless of endpoints.

Today’s Apple portfolio is quite manageable by IT

It’s true that the nonstandard devices that have made real headway into business environments are all from Apple. Android smartphones outsell iPhones widely among everyday users, but few make it into corporations, even with the progress in supporting security and management needs in Google’s Android 4.x OS and the extra capabilities provided by both Motorola Mobility and Samsung on their smartphones. Whatever the reason, the reality is it’s Apple’s product suite that business IT is dealing with as the new frontier.

So why not formalize that and issue Macs, iPads, and iPhones as standard corporate equipment, with the equivalent controls, restrictions, and (if any) freedoms allowed Windows PCs? Apple has come a long way in its enterprise support, even if most IT organizations don’t know that. Through its configuration profile capabilities and its full-disk encryption introduced in OS X Lion and strengthened in OS X Mountain Lion, IT can manage Macs very much like Windows PCs.

With the major networking vendors adding management capabilities for Apple’s chatty Bonjour networking protocol — the backbone of AirPlay streaming for presentations and videos and AirPrint for driverless printing from any Apple device — the Apple lineup not only plays well in traditional corporate environments; it also provides real value by making collaboration easier not just for in-the-office workers but also for hoteling and mobile workers, contractors, and business partners.

The vendors realize it, and pro-level Mac-management tools are now available from AirWatch, Centrify, MobileIron, and Symantec. More are coming from vendors like AppSense and AT&T (via its partnership with OpenPeak), as security and management vendors see both the user demand and the native capabilities in OS X and iOS to satisfy most businesses’ needs.

Yes, it’s more work for IT, but given how many IT organizations are still freaking out because they equate BYOD support with having to support anything and everything (not my definition, by the way), it’s a lot less work than the alternative. Many organizations have gone this way with the iPad — in fact, business adoption of the iPad has been more driven by the business than BYOD-seeking employees, unlike the case for smartphones. Why not extend that philosophy to Macs and iPhones?

The formalized Apple approach may not be the complete solution

If your organization has strict management over equipment and information, then the Juniper approach is the right answer. By “strict management,” I mean:

  • You do not let employees use home PCs (or Macs) to access the corporate environment, including email.
  • You do not let employees install their own software (like iTunes or GoToMeeting) on the company-issued PC.
  • You restrict access to at least some websites (including Webmail) and perhaps use the network to block or filter access to file-sharing and personal email.

It’s these organizations that freak out the most about BYOD because the heterogeneous nature of the devices and apps means you simply can’t achieve strict control. If you must be that strict, then be that strict. OS X and iOS allow it with the proper tools, just as Windows does with its panoply of third-party tools.

But most companies aren’t that strict, and that’s where the Juniper example is too simplistic an approach. For example, if you let people work at home on their own PCs, you’ve already accepted the risks of malware and information loss. You’re actually safer from a malware standpoint if you allow OS X and iOS usage rather than Windows (and Android) usage; if malware is your concern but you allow home-PC use, you certainly won’t create more risk by allowing non-Windows devices into the at-home mix. You may even decrease it.

If you allow people to use their own PCs, then you have BYOD whether you know it or not. And if you’re a reasonably well-managed larger company, you already have some technology in place to monitor access and even filter some of that access at the network level. Those approaches work for mobile devices, too.

Ask yourself why you allow people to use their own PCs. The answer is probably around cost savings and employee convenience. Well, that’s why you would also let employees access email, some network services (via VPN, I hope), and files (presentations, employee evaluations, and all the similar work many white-collar employees tend to do in the peace and quiet of home) on their mobile devices. If you use segregation technologies like virtualization or policy-based containers (like AppSense’s Strata Apps), you can do the same on mobile.

Now ask yourself why people want to use their own equipment rather than yours. The old standby of not wanting to tote around a heavy laptop is a weak excuse these days, given the lightweight options available. Their answer probably boils down to artisanship. Like chefs with their knives, contractors with their tools, and doctors with their medical bags, many knowledge workers pick a tool set they prefer because it “fits” them. Choosing to use a Mac or Windows 7 PC (if XP is the norm at work), an iPad or iPhone, or an equivalent Android or Windows mobile device, is the same thing. Ditto on choosing to use Office 2010, iWork, or LibreOffice at home even if the company uses Office 2007.

This rationale for BYOD won’t be satisfied with going from one choice to two. Take my company, for example. It has long formally supported both Windows and Macs; employees get to choose, except for a handful of people in finance or HR, who use core apps not available for OS X. Yet many employees have brought in iPads, Androids, iPhones, and so on that the company doesn’t provide as standard equipment beyond sales and some top execs. Why? Because we regular employees find them handy for how we work, so we invest in them on our own dime.

Our IT group’s approach has been to allow such devices if they meet the technical policies for security (such as encryption, passwords, and auto-lock) imposed through Exchange Server for email, calendar, and contacts access. Some of our internal tools are accessible via VPN, so if a device supports our VPN, it’s permitted. Some devices support only some of those policies and capabilities, and they get less access than the ones that support them all (meaning iOS devices).

Analysts say that’s the sensible approach to BYOD. As users, we know that’s the way it works, so if someone really prefers Android, he or she knows that means no VPN access — and decides from there if it’s an OK loss when on the road.

As for information, we’re all knowledge workers and need to manipulate documents, presentations, budgets, contracts, and so on. The company has to trust us. If it doesn’t, we won’t work there anymore and lose access to all networked resources when we leave. There’s a risk of data loss from document copying or forwarding, but in our case, that’s an acceptable risk given that you only get that access if you’re trusted in the first place. To me, this approach is the classic BYOD model.

Its motivation is not merely about wanting a Mac or iPhone or iPad. If your employees are really seeking freedom to choose and adjust their own tool set, simply providing them Apple products formally probably won’t satisfy their underlying desire for long; they’ll end up wanting a new device that hasn’t been invented yet or an app (cloud, mobile, or desktop) that you haven’t thought about yet. Yes, go ahead and add Apple’s product portfolio to your standard-equipment list, since that will satisfy many employees and give your IT group a nice management base to start from. Just don’t expect that to end users’ desire to work with their own stuff.

Not all companies can satisfy that desire, for legitimate reasons. And employees at such companies know (or learn) that and will be grateful for a wider technology choice, even if closely managed. But for information-oriented companies that don’t have a reason to impose such strict control, offering choice is great but won’t be sufficient.

That’s where the human-centered, policy-based approach to BYOD comes in. It’s not a free-for-all as many in IT fear, but neither is it the controlled ecosystem many have spent years creating and maintaining. Sorry, but it’s true.

This article, “Apple devices only? That’s not BYOD,” was originally published at InfoWorld.com.