

1101

3141 posts

Uber Geek
+1 received by user: 1143


#205131 31-Oct-2016 10:34

Hi There
Just wondering, how does everyone deal with firms who allow/want 'bring your own devices'?

 

Staffer's personal laptop: often won't have Outlook, just MS Office Home (if that). That's 1 issue:
So need to buy/install Outlook: buy just Outlook, or latest Office

 

AV: next issue: what if they have paid for a useless AV that needs to be replaced
Home PC/laptop: real security issues as the whole family will be using it, incl kids/dads on porn/piracy sites. Can you insist on the same internet usage rules as work PCs?

Issues with home OneDrive being mixed up with work OneDrive a/c's?

 

Personal ph's used for work email. Do you tell the user that work may have the option for remote wipe of their personal ph?
Insist on some sort of ph passkey be set up?

 

Any good strategies?
Is it just a best effort that is 100% dependent on the company's/staffer's attitude to all this?

 

 


Dynamic
4015 posts

Uber Geek
+1 received by user: 1851

ID Verified
Trusted
Lifetime subscriber

  #1661290 31-Oct-2016 10:58

Larger corporates can dedicate resources to making BYOD work well and kinda securely. SMBs doing it place themselves at risk IMHO.

 

We discourage BYOD for SMB business use, advising there is little to prevent a staff member copying data to elsewhere on the laptop and you have no real right of audit on the personally owned device to check it when they 'exit the company'.

 

For the rare client that wants to stay with BYOD (we actually have none who do it as policy, but there is a rare personal laptop on business networks), I advocate taking a firm line on this.

 

  • Company supplied antivirus (absolutely non-negotiable - I would walk away rather than waver on this)
  • Company has remote access to the laptop for support/troubleshooting (again non-neg)
  • Multiple OneDrives sounds like a headache - dump the personal one if they don't use it.
  • Separate profile for work stuff if you can.
  • PIN number on mobile phone after idle for a couple of minutes.
  • Remote wipe capability on phone (dress this up as being able to wipe phone if lost/stolen)

If the company requires Outlook then the company will need to supply it.  I suggest Office 365 Business plan so the company can revoke the license.

 

If you consider the risk is too great, you have the option of walking away. To limit the backlash if it turns to custard, you can advise the risks and your concerns on your own letterhead, email a copy, and courier a copy, keeping a printout with a copy of the courier tracking number on file. This has sometimes resulted in the client seeing we are serious and coming around to our way of thinking.

 

Good luck!





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams




cisconz
1348 posts

Uber Geek
+1 received by user: 179

ID Verified
Trusted
Lifetime subscriber

  #1661299 31-Oct-2016 11:11

Remote Wipe (On MS anyway) only wipes the synced data, not the whole phone.





Hmmmm


tatbaird
142 posts

Master Geek
+1 received by user: 8


  #1661303 31-Oct-2016 11:18

 

 

Is there any sort of a domain there? If so you can have the user log in while at work with their domain account and enforce whatever you want. You don't care what they are doing at home, but there will still have to be some pretty good AV compliance when bringing their malware ridden laptop to work. In terms of blocking porn/torrent sites etc, that can be handled by an edge device on the corporate network. Again, you don't care what they do at home, so control the traffic getting into your network only.

 

I don't believe that the end user has any say in security policies if they bring their device and connect it to a corporate network. You have to set the policy and anyone that wants to use their own gear will have to follow that. Anyway, they just want it to work and have good access to their stuff.

 

The Office 365 suggestion is a good one. There are various MDM management tools around for phones.





Well let me just quote the late-great Colonel Sanders, who said "Im too drunk to taste this chicken." -Ricky Bobby




mrdrifter
589 posts

Ultimate Geek
+1 received by user: 294

ID Verified
Trusted

  #1661307 31-Oct-2016 11:25

As others have mentioned above, a set of good policies is mandatory to ensure people know what restrictions/limits are in place.

 

I would recommend O365 for productivity applications and you also have the ability to extend this with Conditional Access and Application Management, this can allow controls such as only allowing users to copy/paste/save work related information into managed applications/locations.

 

These services used to require dedicated hardware and management on premises, but many features can now be delivered from public cloud services such as Microsoft Office 365 and Azure. 


cisconz
1348 posts

Uber Geek
+1 received by user: 179

ID Verified
Trusted
Lifetime subscriber

  #1661314 31-Oct-2016 11:39

tatbaird:

 

 

 

Is there any sort of a domain there? If so you can have the user log in while at work with their domain account and enforce whatever you want.

 

 

Unless they have Windows Home not Pro and are therefore unable to connect to the domain.





Hmmmm


tatbaird
142 posts

Master Geek
+1 received by user: 8


  #1661319 31-Oct-2016 11:41

Yep good point. It would have to be a requirement though. If you can't join it to the domain, you can't use it.





Well let me just quote the late-great Colonel Sanders, who said "Im too drunk to taste this chicken." -Ricky Bobby


 
 
 

1101

3141 posts

Uber Geek
+1 received by user: 1143


  #1661378 31-Oct-2016 13:09

tatbaird:

 

Yep good point. It would have to be a requirement though. If you can't join it to the domain, you can't use it.

 

 

There are ways around even that though. Some companies still buy WinHome PCs for their domain network: it's doable.


Lias
5655 posts

Uber Geek
+1 received by user: 3978

ID Verified
Trusted
Lifetime subscriber

  #1661391 31-Oct-2016 13:33

For a smaller business, assuming they have most of their stuff in the cloud now, Azure AD Join is something to look at for just this scenario.





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.


MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #1661442 31-Oct-2016 14:51

cisconz:

Remote Wipe (On MS anyway) only wipes the synced data, not the whole phone.

I've done this for Android, iPhone and Nokia from Exchange - they all factory reset the devices.

With regards to BYOD I advise against it. Better to supply the hardware. If someone requires a laptop go and buy them a proper device that you can dictate control over.




You're not on Atlantis anymore, Duncan Idaho.

cisconz
1348 posts

Uber Geek
+1 received by user: 179

ID Verified
Trusted
Lifetime subscriber

  #1661453 31-Oct-2016 15:08

We must have good policies then - never had it wipe the whole phone for me





Hmmmm

