The "Bring Your Own Device" Policy
Security and freedom can clash when companies decide which smart phones their workers can use.
For years, the information technology department at Western Union had a policy of issuing and supporting only BlackBerry devices for its mobile workers. The rule was a strict one, because the BlackBerry’s security features were the only ones that met the company’s standards. Then, in September, a new CEO, Hikmet Ersek, took command of the 6,000-employee enterprise and demanded that he be allowed to use his iPhone for work. The demand coincided with a broader corporate strategy aimed at moving faster to offer Western Union’s famous money-transfer service on all mobile devices.
Reluctantly, the chief information officer, John Dick, was forced to comply. “We need to give our employees more freedom,” Dick said at an industry conference last month. But he also acknowledged that it would take several months for the company to fully authorize and support the iPhone and Android devices.
What is your preferred smart-phone platform?
A survey of nearly 200 enterprise IT decision makers shows widening support for multiple operating systems. More than half prefer the BlackBerry today, but three-quarters expect to prefer a different platform two years from now.
Data: Yankee Group 2010 Enterprise Mobility Survey of IT Decision Makers.
The increased diversity, capability, and popularity of smart phones is leading to a fundamental change in the way mobile technology is being handled in large businesses. Once upon a time, you started a job and IT would provide you with a corporate-sanctioned computer and, for millions of employees, a BlackBerry—a device that became synonymous with mobile e-mail. Most important, the BlackBerry gave corporate IT departments control over what employees could and couldn’t do with their devices.
The landscape has shifted dramatically over the past year. The explosion of new devices featuring high-resolution screens, engaging user interfaces, and access to entire app stores has ignited a revolution at the workplace. More and more companies have had to respond to the popular preference for BYOD (“bring your own device”) policies. Sometimes the change comes from the bottom up, but sometimes, as with Western Union, it comes from the top down. Either way, it often leads to a clash between freedom and security, a conflict that’s especially tricky now that mobile phones are used interchangeably for both personal and professional purposes.
At some companies, the IT department won’t budge. ING Investment Management Services issued BlackBerry phones to more than 1,000 employees and prohibited the use of anything else for work. As a global financial firm that manages billions of its clients’ dollars, it is naturally concerned about data confidentiality, and it has spent years testing and implementing BlackBerry security functions. Its BlackBerrys run an app that monitors text messaging, in order to enforce a rule that employees cannot send texts unless they are traveling abroad. Employees’ use of instant messaging is strictly audited.
But with the allure of rival mobile devices, “there’s constant conflict around here,” says Michele Thurston, ING’s BlackBerry administrator. “Sales and marketing want the iPhone because they want to do streaming video, which the BlackBerry can’t do.” She notes that another financial-services company recently started supporting Droid devices, whose main screen makes it easy to access applications such as Skype. “I’d have to have a whole team just to manage all that,” Thurston laments.
Apple’s iPhone, Google’s Android, and Nokia’s Symbian platforms have all made significant progress toward meeting such key enterprise requirements as support for the data synchronization technology Exchange ActiveSync, which offers many security features for e-mail. They’ve also introduced remote data wiping and remote locking in case the phone gets lost. And IT departments can distribute and manage applications on the devices remotely.
With these improvements, IT managers have loosened their restrictions. A recent survey of nearly 200 enterprise IT decision makers by the research firm Yankee Group shows widening support for multiple operating systems [see chart].
This trend is causing some important shifts in policy. “The rules have rapidly changed,” says Mort Rosenthal, CEO of Enterprise Mobile, which helps companies deploy and manage mobile initiatives. Now, he says, those rules call for individual liability and corporate responsibility: employees must be careful not to lose their devices, yet the devices must be equipped with features that let IT departments react quickly if they do.
The database software company Sybase recently implemented a BYOD policy, allowing employees to choose from a list of 20 devices. The employee pays for and owns the device; Sybase picks up the service fees and manages the data apps, such as e-mail, contacts, and its Afaria software, which can be used to wipe the phone if it is lost or stolen. The result: nearly half of Sybase’s 4,000-plus employees have smart phones running the company’s work applications, according to Jim Swartz, the company’s CEO.
Under a BYOD plan, the issue of who pays the bill is a big one. A company would typically pay for a certain number of voice minutes and an unlimited data plan for its employees. The wireless industry’s shift to usage-based pricing for data will require companies to develop new policies, since they surely don’t want their employees downloading movies or games on their nickel. Companies are moving toward giving employees a reasonable allowance to cover the work functions of a mobile device, leaving the worker responsible for any additional costs.
App stores such as the ones on iPhones and Android phones have also helped IT departments, because any consumer-type applications can easily be billed to the user’s credit card through iTunes or Android Market. Business applications can be deployed outside the iTunes framework through programs such as Apple’s MDM, so it’s easier to separate work and personal functions.
This “Chinese wall” concept is the basis of a product from Good Technology, whose thousands of customers include nearly half the Fortune 100. The technology creates a virtual application environment on any mobile device so that it can have separate “personalities” for work and play, each with its own login. When you’re in your personal space, “you don’t want to have to enter a password to access Facebook,” says John Herrema, Good’s senior vice president of corporate strategy.
Herrema cites Starbucks as an example of a company using the virtual application environment to separate the user’s work and personal worlds. This way, when a manager from Starbucks headquarters takes his smart phone into a coffee shop, his boss doesn’t have to know he’s there.
Mark Lowenstein is an independent analyst who specializes in mobile computing as managing director of Mobile Ecosystem, a Boston-based research and consulting firm.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today