Steer clear of these BYOD boondoggles

The carpetbaggers are coming! As most companies have now opened up their environments to mobile devices beyond the BlackBerry — indeed, the BlackBerry is fast disappearing as the corporate mobile standard — vendors, consultants, and some media outlets are preying on IT pros not sure how to deal with the heterogeneity of devices and users’ insistence that IT not get in their way.

Playing to a knee-jerk desire among some IT organizations to just make it stop, these carpetbaggers are proposing bad ideas for IT to act on — all of which will help them sell their wares and services. I get that the shift to user-driven endpoint technology is a hard prospect for many in IT, but IT will only damage itself by following these cynical proposals.

[ Learn how not to screw up a BYOD rollout and how to address the legal concerns around BYOD. | Read the InfoWorld special report: “Making sense of mobile device, application, and information management.” | Subscribe to InfoWorld’s Mobilize newsletter for more perspectives on mobile computing. ]

It’s better if IT looks to constructively engage in the consumerization reality. That means not reacting in a fear-oriented manner, looking for some way to put the genie back in the bottle or bind it up with technological red tape — which is what these carpetbaggers typically suggest.

Here are some of the really dumb concerns and ideas you may be pitched — whether you work in IT or for a business unit. Steer clear of them; if you get hoodwinked by these proposals, you’ll look like an idiot. That’s an outcome IT in particular should strive hard to avoid, as it could lose the right to partner with the business on user-facing technology.

Expense management is not IT’s issue

The two most common nontechnology fears I hear expressed from IT people and targeted by vendors is the cost of BYOD in general, and cellular data plans in particular. A corollary concern is the overhead of managing these expenses.

First, if IT is looking to manage departmental budgets, it’s clearly overstaffed and imposing itself way outside of its expertise. Business units and/or a purchasing department are and should be responsible for their own expenses. Cellular service is not a shared infrastructure that IT has to build, then charge back or be accounted for as a general operating expense — the same goes for endpoint devices like PCs, tablets, and smartphones.

The overstated fear over international roaming costs. Some mobile device management (MDM) vendors love to raise fears about huge charges incurred by employees who don’t turn off data roaming before they board an international flight. It’d be great if an MDM tool can alert employees to turn off data roaming when out of the country, but is this really a problem that justifies a massive IT investment? Doubtful. If the business units have to eat these costs, the problem will go away quickly.

Organizations with lots of international travel should already have worked out roaming contracts. Where it’s sporadic, the easy solution — for the employee, not IT — is to get an unlocked device and purchase a local SIM when abroad.

The misdirected fear of overspending on data plans. Another fear is overpaying for cellular services if employees bring their own devices. Umm, if they bring their own devices, they’re paying for their cellular plans, not the company. Certainly, if you provision smartphones and cellular-enabled tablets, you should work out a discount with your preferred telecom providers. You don’t need to buy only one type of device; with the three major carriers in the United States and even some rural carriers, you can let employees choose from iOS, Android, and BlackBerry for the devices you issue. But these are not BYOD devices, even if you let employees choose from a selection of devices; your purchasing group controls the costs.

For BYOD, your company can easily cap any reimbursement it chooses to make to be no more than the discount it’s negotiated. You don’t need a product or a consultant to do this, and there’s no reason for IT to be in this conversation in the first place. If your company gets a $50-per-month plan from its carrier, the max reimbursement to BYOD employees should be $50 per month, assuming they use that device almost exclusively for business. If the company wants to be more generous — great!

Note that most companies aren’t paying less for their “discounted” service than individual employees are. Carriers have long tacked on $10 to $20 for “corporate email access,” which individual users can easily avoid. Plus, employees typically buy family plans, where each additional line is much less costly for the voice portion than the first user’s bill (data is not discounted). A large company might duplicate that savings (a recent Aberdeen study suggests you might save $10 per user), but the real question is not what deal BYOD users can get, but what — if anything — you’re willing to reimburse them; ditto for the device costs.

Finally on data plan costs, companies should remember that very few tablet users get models that even support cellular data, notes Phil Asmundson, Deloitte’s vice chairman and U.S. media and telecommunications sector leader. (Industry estimates are that about 10 percent of units are sold with cellular capabilities.) “Tablets tend to be used indoors, where there’s Wi-Fi, so data plan issues are not so big,” he says. To the extent there’s demand for data plan reimbursement, it’s usually limited to people who travel extensively for work — the same group a company would typically purchase a data plan for anyhow.

The plausible device management cost concerns. Then there’s the corollary of the expense of managing all those devices. There is an IT cost here in the administration of the MDM and related tools — even simply Exchange Server. IT should educate the business about the overhead cost, including any per-device licensing expenses incurred when employees are allowed to access the corporate network and need to have MDM policies applied. That cost should be charged back or allocated to the business units, so they can make the decision as to the value of mobile access.

Obviously, if you use Exchange Server, which covers most MDM bases, your cost per device is quite low. Basically, you start with the initial policy set up by IT, which should be minimal if you use group policies, then designate policies for a group and simply add users. If you use a higher-level MDM tool, you’ll pay per device or per user, depending on what the provider can get away with.

There can also be an IT cost to wiping a lost or stolen device’s contents, as well as to wiping a device when an employee leaves the company. As IT has to go into a management console to remove access permissions for a departing employee, the few minutes more it takes to wipe their devices is a trivial overhead addition.

Whatever the realistic costs, IT should raise the issue of costs for any setup, management, and tech support with the business management, says Larry Dunn, Unisys’ vice president of IT outsourcing solutions. That way, IT isn’t stuck with unbudgeted costs, and businesses can decide the value of enabling mobile access once the costs are understood.

However, IT has to understand that the more control it asserts over mobile devices, the higher the cost it will incur to manage those devices — company-issued and BYOD units alike. The business management should push back to ensure that the level of IT management is appropriate, and not an exercise in control mania. (A simple clue: If more management is asserted over mobile devices than over laptops and home computers, IT is likely overmanaging mobile devices.)

Anyone who thinks BYOD is free is foolish, but in most cases, the incremental IT cost is quite low (a couple hundred dollars per user) and may be easily justified from the productivity or flexibility gains. If the value is shown to not be worthwhile for as many people who want to connect, the business needs to know that too.

The stupid notion of replacing employees’ own devices. One of the dumber proposals I got from a vendor was the notion that by allowing BYOD, companies may be on the hook for replacing broken devices that are out of warranty. The suggestion was to track the warranties of users’ personal devices and … well, that’s where even the PR person couldn’t invent an action. Are you kidding me? If my car breaks, the company doesn’t buy me a new one because I use it for work. If my home computer breaks, it’s on my dime. A BYOD smartphone or tablet or whatever is no different. BYOD means the employees choose to use their own stuff. Let me repeat: their own stuff. Not your problem.

The silly accounting and tax worries. What IT should not worry about is the accounting aspect. I’ve heard from several IT people that reimbursing employees for their devices or data plans will result in hgher taxes because these are considered employee benefits. Or the cost of processing expense reports for data services — if you go that way rather than an automatic stipend for employees in good standing and of your choosing — will waste valuable company resources.

Nonsense! if you’re reimbursing employees — as a stipend, via an expense report, or even as a bump in salary — for their cellular bills, you’re incurring a deductible expense. There is no taxable benefit to the employee, notes Deloitte’s Asmundson: “It’s not a taxable benefit because it’s a reimbursed expense.”

Yes, I know that the device is not used for solely for business, so there could be a nonbusiness value involved — which is how some IT people assume there’s a taxable benefit. Let the accountants do the accounting: The IRS does not care about such incidental benefits, just as they don’t care about the fact that when an employee is reimbursed for a business meal, the employee has been subsidized for the cost of the meal he or she would have had at home. Ditto for how companies handle rembursed home-office phone lines and broadband service back in the day when some companies covered those expenses, notes Unisys’ Dunn. If you give an employee something with real value — a car to keep or an all-expenses-paid vacation, for example — then the IRS will want that reported as a taxable benefit.

Then there’s the shibboleth about the high cost of processing an expense reimbursement. Yes, if data access is the only thing for which your employee submits an expense reimbursement, your company could be paying $10 to $20 in accounting and check-issuing costs to cover that $20 or $30 or $40 bill. But the employees typically reimbursed for such expenses tend to be people who travel, work in the field, or have other regular bills they are expensing, so the incremental cost for the data plan portion is negligible. If your company has lots of folks expensing this one cost regularly, your accounting crew should switch to an automatic stipend. But again, let the CFO worry about running the accounting department.

Mobile devices shouldn’t be managed like PCs

Beyond the money issues, I also see a lot of ignorance and flimflammery around the technical management of users’ personal devices.

First, IT and vendors conveniently ignore the fact that very few organizations actually manage PCs like they want to manage mobile devices. They require encryption on mobile device but not laptops — though the laptops’ data is usually far more valuable and sensitive. Your management and security policies need to be consistent and aimed at risks worth the prevention efforts. Doing it for some devices and some data and not others shows that IT has no real security in place, just busywork pretending to secure the organization. Lock all the exterior doors, not just the ones you happen to walk by.

And realize the technology monoculture largely imposed in the late 1990s is dead.

Firmware and OS updates are not a concern you can address. I shake my head when I hear this pitch from vendors and concern from IT: needing to track the firmware versions and OS patches on mobile devices (which usually means BYOD devices in their minds). Of course, this is not done on employees’ home PCs, but forget that. Focusing on mobile firmware updates and OS updates is a pointless exercise for a simple reason: It is out of IT’s control. Apple makes its iOS updates available to all compatible devices in one fell swoop; luckily, most users apply them in the space of just a few months. Google’s updates are rarely applied by its partner manufacturers or carriers, so the only thing you can count on is that no two Android devices will have the same firmware and OS version. It just ain’t gonna happen.

But it doesn’t matter. What matters is whether the devices comply with your policies. If an app breaks on a BYOD unit, tough luck, just as it would be if a user updated to Windows 7 or OS X Lion, or to Firefox 11 or IE 9, at home and finds one of your Web services no longer works. It’s their device, not yours.

The fact is we don’t see the kinds of OS-rev app breakages in mobile devices that we see in desktop OSes. Mobile apps are frequently updated — much like cloud apps — so most are quickly brought current if there is an OS-caused issue. Part of the reality of a heterogeneous environment is that you can’t control or assure every aspect of it, so you need to focus on the high level and let go of the low-level details. Alternatively, you can choose not to support any user-driven technology.

What you can do, for iOS at least, is join Apple’s developer program ($200 a year for a group license) and get the new versions seeded before release. That way, you can test your own apps and any you’ve as a standard installation. (That’s not an option for Android.)

In any event, if your network and data security is dependent on endpoint devices having specific OS updates or firmware versions, you face a bigger problem. The core’s security simply cannot be so dependent on the endpoints’ state.

Jailbreaking is overrated. Another common fear is over the jailbroken iPhone or rooted Android device. The vast majority of users want to use their devices for fun and work, not hack them. If you’re so concerned about this, then get one of the many MDM products available; the top ones all detect jailbroken and rooted devices to block their access to your resources.

Quality of service is variable. Perhaps one of the hardest issues to deal with emotionally involves quality of service. Several vendors pitch products that can monitor where users have issues with weak cellular signals or their battery is about to die. What exactly can IT do about that? Nothing, in most cases — so what’s the use of paying to monitor this?

Unisys’ Dunn points out that users will still call the help desk when they have such issues. Even if the support technician can’t do anything about the problem, he or she can see what the problem is and let the caller know. Perhaps they’ll suggest the user look for a stronger signal elsewhere or recharge the battery ASAP, as well as remind them of the signal and battery indicators on the device. As a white-glove approach to support, that’s great — but understand you’re paying not to actually support the mobile user but to make them feel better. I suspect this kind of call will diminish over time as people get experienced with using cellular devices. A cheaper approach might be to educate users about the realities of mobile rather than wait for them to call.

There is one scenario where such knowledge could be actionably useful: Say you’re an airline with customer service reps roaming the gates based on where your planes are that day. They use mobile devices to check in passengers or process upgrades, and if they’re in a weak-signal area, they may be unable to work or some transactions may get stored while out of range, only to be found out too late as fraudulent.

By analyzing the patterns of the quality of service on the reps’ devices by location and time, you may be able to detect areas that are problematic and train the reps not to go there or work with the airport facilities staff to improve the radio signal by adding an access point or repeater. This same scenario could apply to a factory, a warehouse, a distribution center, or a college campus. But it’s a small minority of organizations who would have this need. For the rest of you, it’s much better to ask, “Can you tell me what your signal strength setting shows at the top or bottom of your screen?”

IT needs to let go — for its own sake IT has enough on its plate. It doesn’t need to waste time and money solving fake problems or imposing controls or processes that make no sense. It certainly has no business trying to manage the organizations’ budget. I get why the vendors and consultants pitch these kids of concerns — if they fool you or play on your fears, they make more money. But what does IT get out of it? Why do so many in IT have this need to take on everyone’s problems (then whine about how overburdened they are)?

Mobile computing — indeed, the whole consumerization-of-IT phenomenon — is IT’s opportunity to get out of the stupid work, to use the fact of change to think and do smarter. You’ll be happier if you do.

This article, “Steer clear of these BYOD boondoggles,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.