
BYOD Best Practice

Author: airwatchhk

Updated: May 3, 2023

Why BYOD? Let's look at the benefits of BYOD for both the employee and the employer.

For BYOD users, here are the specific benefits they gain that make their work easier.


Now that we know the benefits, let's look at the concerns. To roll out a successful BYOD program, the first priority is privacy protection. Nowadays a mobile phone is a gadget storing personal and sensitive information that we cannot live without. Phone location and the personal app list are also considered sensitive. You can easily see why location is private information. The personal app list can disclose sensitive information, such as which bank app the phone owner uses.

We have to make sure personal information is well protected, never touched, and kept separate from work data. We can only talk about productivity once privacy is guaranteed. Even more important, people must feel 100% comfortable and respected when joining BYOD.



As important as privacy, mobile threat detection is also one of the priorities.


Protect mobile devices from phishing and from application-, device- and rogue-network-originated threats. Powered by Lookout, VMware mobile device security integrates with Workspace ONE.


In addition to the privacy and security considerations, here are the top BYOD FAQs.


Q1 Does activating BYOD mean I give up control over my phone?


No, not at all. You still own and control your device and all of your personal apps, emails, photos, etc.


It is always your phone, and your phone number belongs to you; both stay with you.


You have the right to opt out of BYOD at any time.


Q2 Can my company see my personal apps, emails, photos, WhatsApp messages and videos, or track my location?

Privacy controls are built in to prevent companies from seeing personal information or breaching your privacy.


The device OS also has built-in privacy controls at the OS level, known as “sandboxing”.


All personal apps are kept separate from managed apps. Personal apps cannot be managed, viewed or monitored because they run inside their own sandbox.


Q3 Am I expected to work more if I do BYOD?

No. Your work hours are not expected to increase, but your efficiency is. You may find yourself multi-tasking in random mobile moments - such as waiting in line for a coffee, or for your train at an MTR station - which actually helps free up your day so you are more productive and have a better work-life balance.


Q4 How will BYOD look on my device, and can I use Face ID/fingerprint to open company apps?

It will look just like any other app on your phone, and you can use Face ID/fingerprint to open company apps.



Q5 What should I do if I lose my phone?

A device PIN code policy should apply to both BYOD and corporate phones to protect them from unauthorized access. This is the first level of protection: both your data and corporate data are protected by this first line of defense.


Q6 What happens if I leave the company?

It is your phone, so you take it with you. The IT department will remove all enterprise apps and data from your phone, leaving all of your personal data untouched. The phone will go back to exactly how it was before BYOD.


If you cannot find your phone, notify the IT department so they can initiate an enterprise wipe to remove all corporate data.

Now we also know the concerns. We are ready to start a BYOD project.


WSO UEM is designed to cope with various business requirements. If you are already using it to manage your corporate device fleet, you can extend it to cover BYOD.


There are two options for BYOD implementation: MDM and MAM. Enterprise audit, compliance and regulatory rules must be considered when deciding. For example, if a device PIN and device-level data encryption are required by the rules, MDM is the way to go.


The use case is also important. If you want BYOD devices to use per-app VPN with apps other than WSO Web, the device must be MDM enrolled.



WSO Web was built to connect to the WSO per-app VPN tunnel natively. You can enable the Web tunnel through the security policy or by creating a separate profile.





Let’s walk through BYOD MAM mode.


1. BYOD with MAM mode. WSO UEM allows a device to enroll without being fully managed. UEM visibility into a MAM-enrolled device is limited to apps only. Device-level information, including device brand and serial number, is not available.


This is how to enable MAM in your OG. Once it is enabled, you can enroll your device into MAM mode using the Hub agent.


If you want to allow Boxer/Web/Content standalone-mode enrollment, enable this as well:



To allow apps to run in MAM mode, disable managed access in the app assignment as well. Otherwise the app will refuse to run on a MAM device; it will only run on an MDM device.



All protections are now implemented at the app level. For example, the device PIN becomes an app PIN, device data encryption becomes app data encryption, and device data wipe becomes app data wipe. In MAM, compromised-device detection triggers an app-level data wipe but not a device-level wipe, and remote app uninstall is replaced by app data wipe.

This approach provides the highest privacy protection. However, it only applies to WSO productivity apps, including Boxer, Content and Web. To extend MAM control to other apps, the apps must be built with the WSO SDK. As you can imagine, this is limited to internal apps only. Please refer to this for more details on SDK apps; you will also find the steps to enable MAM there.



It is also possible to enroll with WSO apps directly. Please watch this video on how to use Boxer in standalone mode via MAM enrollment.




Let’s look at the MDM approach.

2. Using MDM mode with appropriate privacy controls and policies: enterprise data protection that is at the same time user friendly. For example, imposing a complex device PIN and frequent password changes increases device security, but it also makes life difficult for the user.

MDM devices are marked as UEM managed on the console.



Options 1 and 2 are not mutually exclusive; you can leave the choice to the user. For example, a BYOD user who wants per-app VPN can choose to enroll in MDM, while a user who only wants Boxer can choose MAM.

For an enterprise that currently manages only corporate-owned devices, ownership is often set to corporate owned only. This has to change to allow BYOD users to enroll devices with the appropriate ownership: Employee owned. This distinguishes corporate-owned from personally owned devices so that the right policies and the right resources are applied.

You can think of the privacy protection level of a corporate-owned device as 0. Increase privacy protection by adjusting the corporate device policy to a level the employees accept: the level at which people are comfortable bringing their own devices, and which balances enterprise data security with personal privacy protection.






Data collection should also be kept to a minimum. Location information and personal app inventory collection should be disabled if possible.



Device PIN restrictions should be enforced, but relaxed on settings like password complexity and password history where possible.


Remote device wipe must be prohibited. Un-enrollment is allowed so people can choose to opt their device out of BYOD.
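To make the "privacy level 0 versus BYOD level" idea concrete, here is an added example (not code from the post or from Workspace ONE) that derives an employee-owned policy from a corporate baseline and then checks it against the BYOD invariants described above: minimal data collection, PIN still required but relaxed, full-device wipe prohibited, enterprise wipe and user un-enrollment allowed. The setting names are hypothetical labels for this illustration, not UEM profile keys, and the baseline values are constructed.

```python
"""Derive and validate a BYOD (employee-owned) policy from a corporate baseline.

Added illustration; the field names below are hypothetical, not Workspace ONE
UEM profile keys. The corporate baseline values are constructed.
"""
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class DevicePolicy:
    ownership: str                       # "corporate" or "employee"
    collect_location: bool
    collect_personal_app_inventory: bool
    passcode_required: bool
    passcode_min_length: int
    passcode_require_complex: bool
    passcode_history: int                # previous passcodes remembered
    remote_full_wipe_allowed: bool       # factory reset of the whole device
    enterprise_wipe_allowed: bool        # removes only corporate apps and data
    user_unenroll_allowed: bool


# Constructed corporate baseline: "privacy level 0" as the post calls it.
CORPORATE_BASELINE = DevicePolicy(
    ownership="corporate",
    collect_location=True,
    collect_personal_app_inventory=True,
    passcode_required=True,
    passcode_min_length=8,
    passcode_require_complex=True,
    passcode_history=5,
    remote_full_wipe_allowed=True,
    enterprise_wipe_allowed=True,
    user_unenroll_allowed=False,
)


def derive_byod_policy(baseline: DevicePolicy) -> DevicePolicy:
    """Apply the post's BYOD adjustments to a corporate baseline: minimal data
    collection, PIN still enforced but relaxed, no full-device wipe, and the
    user may un-enroll. Everything else is inherited unchanged."""
    return replace(
        baseline,
        ownership="employee",
        collect_location=False,
        collect_personal_app_inventory=False,
        passcode_required=True,
        passcode_min_length=min(baseline.passcode_min_length, 6),
        passcode_require_complex=False,
        passcode_history=0,
        remote_full_wipe_allowed=False,
        enterprise_wipe_allowed=True,
        user_unenroll_allowed=True,
    )


def byod_privacy_violations(policy: DevicePolicy) -> List[str]:
    """Return the BYOD privacy/security invariants the policy breaks
    (an empty list means the policy is acceptable for employee-owned devices)."""
    problems = []
    if policy.ownership != "employee":
        problems.append("ownership must be 'employee' so BYOD policies apply")
    if policy.collect_location:
        problems.append("location collection must be disabled")
    if policy.collect_personal_app_inventory:
        problems.append("personal app inventory collection must be disabled")
    if not policy.passcode_required:
        problems.append("device PIN must still be required (first line of defense)")
    if policy.remote_full_wipe_allowed:
        problems.append("remote full-device wipe must be prohibited")
    if not policy.enterprise_wipe_allowed:
        problems.append("enterprise wipe must remain available for lost devices")
    if not policy.user_unenroll_allowed:
        problems.append("user must be able to un-enroll (opt out)")
    return problems


if __name__ == "__main__":
    byod = derive_byod_policy(CORPORATE_BASELINE)
    print("corporate baseline:", byod_privacy_violations(CORPORATE_BASELINE))
    print("derived BYOD policy:", byod_privacy_violations(byod))
```

Running the validator against the corporate baseline lists every setting that would make employees uncomfortable; running it against the derived policy returns nothing, which is the state you want before opening enrollment to employee-owned devices.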



Let’s look at best practices common to both the MDM and MAM approaches.


Regardless of the approach, an enterprise should have participants understand and agree to an enterprise EULA and privacy notification.



Users can read the privacy notice in their activation email. In the case of MDM, a privacy app is installed that lets the user review the privacy policy at any time.



There are other considerations that relate more to operations, management and regulations.


1. Which device types and OS versions is BYOD open to? From a security and manageability point of view, it is good practice to only allow the latest 3 OS versions to enroll. For example, given that iOS 15 is the current OS today, you should consider opening BYOD to iOS 15, 14 and 13. The same rule applies to Android.


2. Which users are allowed to BYOD? The Enrollment Restriction Policy provides granular control over enrollment management.




3. How many devices per user are allowed? There is no limit on the number of devices per user. The concern is more on the enterprise side, as it is important to make sure licenses are not abused.


4. Do you want to do closed enrollment?




Closed enrollment allows the IT help desk to pre-register a device by serial number. The IT help desk can also assign tags for policy, app and resource assignment. Please note that closed enrollment applies to MDM enrollment only, as it requires a device identifier such as the serial number for pre-registration; MAM has no visibility into the device serial number.
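The enrollment questions above (OS version window, which users, device count, closed enrollment) are enforced in UEM through the Enrollment Restriction Policy and device pre-registration. The following is an added example, not Workspace ONE code, that models those decisions for a single enrollment request so you can see how the rules interact; in particular, it shows why closed enrollment cannot work for a MAM request, which has no serial number. The request shape, the rule names, the per-user device cap and the pre-registered serial list are all constructed for this illustration.

```python
"""Evaluate a BYOD enrollment request against the post's enrollment rules.

Added illustration, not Workspace ONE UEM code. The request fields, the
current-OS table, the device cap and the pre-registered serials are
constructed; UEM enforces the real rules via its Enrollment Restriction Policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed: current major OS version per platform (iOS 15, as in the post).
CURRENT_MAJOR = {"ios": 15, "android": 13}
SUPPORTED_MAJOR_COUNT = 3            # only the latest 3 major versions may enroll

# Constructed placeholder: serials the help desk pre-registered (closed enrollment).
PRE_REGISTERED_SERIALS: Set[str] = {"SERIAL-PLACEHOLDER-0001"}


@dataclass
class EnrollmentRequest:
    user: str
    user_groups: Set[str]
    platform: str                    # "ios" or "android"
    os_version: str                  # e.g. "15.4.1"
    ownership: str                   # "employee" or "corporate"
    mode: str                        # "mdm" or "mam"
    serial: Optional[str]            # MAM enrollment never exposes a serial
    enrolled_device_count: int       # devices this user already has enrolled


def major_version(version: str) -> int:
    """Parse the major component of a dotted version string ("15.4.1" -> 15)."""
    head = version.strip().split(".")[0]
    if not head.isdigit():
        raise ValueError(f"unparseable OS version: {version!r}")
    return int(head)


def os_allowed(platform: str, version: str) -> bool:
    """True when the version lies within the latest SUPPORTED_MAJOR_COUNT majors."""
    current = CURRENT_MAJOR.get(platform.lower())
    if current is None:
        return False
    oldest_allowed = current - SUPPORTED_MAJOR_COUNT + 1
    return oldest_allowed <= major_version(version) <= current


def evaluate(req: EnrollmentRequest, byod_groups: Set[str],
             closed_enrollment: bool, max_devices_per_user: int) -> List[str]:
    """Return the reasons the request is denied; an empty list means allowed."""
    reasons: List[str] = []
    if not req.user_groups & byod_groups:
        reasons.append("user is not in a BYOD-enabled group")
    if req.ownership != "employee":
        reasons.append("BYOD enrollment requires ownership 'employee'")
    try:
        if not os_allowed(req.platform, req.os_version):
            reasons.append("OS version is outside the latest 3 major releases")
    except ValueError as exc:
        reasons.append(str(exc))
    if req.enrolled_device_count >= max_devices_per_user:
        reasons.append("per-user device cap reached (license control)")
    if closed_enrollment:
        # Closed enrollment needs a device identifier; MAM cannot supply one.
        if req.mode != "mam" and req.serial in PRE_REGISTERED_SERIALS:
            pass
        elif req.mode == "mam":
            reasons.append("closed enrollment requires MDM; MAM has no serial visibility")
        else:
            reasons.append("device serial is not pre-registered")
    return reasons


if __name__ == "__main__":
    demo = EnrollmentRequest("alice", {"byod-pilot"}, "ios", "15.4.1",
                             "employee", "mdm", "SERIAL-PLACEHOLDER-0001", 0)
    print(evaluate(demo, {"byod-pilot"}, closed_enrollment=True, max_devices_per_user=2))
```

Note that the post says there is no technical per-user device limit; the cap here models the licensing control an enterprise might choose to apply, and the decision order mirrors the questions in the list: user group first, then ownership, OS window, device count, and finally closed-enrollment pre-registration.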



5. Do you want a different OG for BYOD devices? This keeps corporate-owned and BYOD devices separated. In most cases this makes management easier, as you don’t mix policies together.


6. Which apps are to be used in BYOD? One of the goals of BYOD is to help people increase their productivity and so promote a better work-life balance. You should consider collaboration apps such as Boxer and Zoom. Why is Boxer a good companion to Zoom? Together, Boxer and Zoom take enterprise mobile collaboration to the next level.


You can quickly tap a Boxer widget to open an event. If it is an online Zoom or other meeting, Boxer lets you launch the meeting with “one-click” quick access. You won’t have to look for the meeting link, as it is shown with an eye-catching icon; pressing the icon takes you to the meeting app and joins the meeting automatically.



Line-of-business apps and internal apps are also good candidates. A secure web browser for accessing internal web sites is also a top choice.


7. A BYOD campaign, promotion and workshops should be set up to help staff opt in to the program. Rolling out BYOD without assistance is not good practice. Once the organization has adopted BYOD, people can handle device enrollment by themselves.


©2021 by EUC852