Wednesday, May 21, 2014

Five Steps to Build an Effective BYOD Program

This post originally published at Mobile Business Insights, an IBM MobileFirst blog, by Justin Ndreu on May 20th, 2014.

If you asked a hundred different business colleagues or clients for their definition of bring your own device (BYOD), there’s a high probability that you would receive a hundred different answers.

BYOD has been one of the most used buzzwords in IT since 2012, and yet I continue to meet with organizations that are only now starting to define their mobile enterprise and BYOD strategy.

Here are five steps to enable a seamless and automated BYOD workflow for your users:
Click here for larger image.
1. Onboard the device.

Getting a personal device securely connected to the corporate network should be as easy as using the public WiFi at a hotel or coffee shop.

Enterprise users should be able to authenticate using existing credentials (such as a Microsoft Active Directory account) through a captive portal in their web browser. Contractors and guests should be able to leverage the same portal using options to self-register or request access in an automated fashion.

Once the user is authenticated, network services should automatically capture device type, location and other pertinent information and apply a role-based access policy for the session. At the same time, you can provision a certificate and automatically push it to the device along with a WiFi settings profile, allowing the device to seamlessly reconnect to the secure enterprise network using TLS-based 802.1X. As an optional step for personal computers, add a Network Access Control (NAC) service to provide endpoint posture assessment and remediation capabilities to prevent compromised devices from accessing the network.

This entire one-time process is completely automated, does not require users to know anything more than their corporate username and password, and should take no more than five minutes to complete from start to finish.

2. Secure the device.

Once you’ve securely onboarded the device, you’ll need a mobile device management (MDM) platform to enforce compliance with any required IT policies.

The MDM platform should be tightly integrated with network services to automate the enrollment process and further enhance network access policy enforcement. For example, if the MDM agent detects that a user’s iOS device has been jailbroken, network services can be automatically notified of this potential policy violation and apply a new policy to prevent the device from accessing the corporate network.

3. Deliver the workspace to users.

Now that the device is connected and IT has appropriate visibility and control, users will need access to their enterprise applications and services.

Again, the MDM platform can be leveraged here to automatically provision essential services such as email, calendar and contacts, as well as business applications. Secure workspaces are now commonplace, allowing enterprise applications and sensitive data to be sandboxed and isolated from unsecure personal applications and storage. Deploying a secure workspace will also provide the ability to remotely wipe the corporate apps and data without affecting the user’s personal content.

Secure browser, email and application gateway options are also available to provide encrypted access to corporate file shares and other services.

4. Provide seamless access.

Users are of course mobile and will therefore require access from various locations including the enterprise WiFi network, public WiFi, home office and cellular 3G, 4G or LTE networks.

Seamless access means that users should not have to change the way they connect or use their device if they roam to a different network. However, roaming to a different network may automatically change and enforce different access policies.

For example, a physician connected to a hospital WiFi network may have access to view electronic medical records. If the same physician using the same device was to connect from a coffee shop, access to those same medical records could be automatically blocked if it is deemed to be inappropriate to view that information in a public setting—even if the device is using a secure and encrypted connection.

5. Manage the mobility environment.

To maintain a high-quality user experience, the network must be capable of delivering guaranteed mobile application performance across a diverse set of endpoints.

If ten enterprise users are all connected wirelessly and sharing the same access point, and one user is monopolizing all of the available bandwidth with bit torrent downloads, how can you control that? How will you even know when it happens?

IT administrators need appropriate tools to give them visibility into the types of devices and, more important, the types of data flows that are passing through the network. Quality of Service (QoS) mechanisms must also become application-aware to be able to prioritize the enterprise data over personal data, even when they are running on the same mobile device or accessing cloud-based services.

BYOD is here to stay. A workflow-based approach to providing your users with the required connectivity and resource access will increase adoption and reduce the burden on IT.

How is your organization preparing to implement or expand your BYOD program? Connect with me on Twitter @JustinNdreu to ask a question or learn more.