The problem that you face as a company is what do you do if BlackBerry goes away? Can you get the same or similar security from Apple’s iPhone and iPad, or the many Android-flavored devices? Is Windows Phone a viable option? Should I adopt a Bring Your Own Device (BYOD) policy and let my employees use their own personal devices?
Full Device Control or Just Control Company Assets?
If your company has adopted a policy that it will not allow the use of personal devices, and will continue purchasing devices for their employees, then the choice of how you secure those devices is easy. You can use the same approach that you do with your BlackBerry devices today, which is to say, full device control. Your IT organization has full visibility into those devices, and full control over them.
Mobile Device Management (MDM) has some disadvantages. One is that it is all-encompassing: IT controls the whole device, not just the company's data on it. Others depend on the mobile OS your users carry. Apple has been adding strong enterprise support since iOS 4 (2010), with hooks that give IT visibility into the device, the ability to pre-configure features, and the ability to lock down or hide apps on the iPhone or iPad. Google's stock Android has not kept pace.
So if you decide to support iOS and Android, the ability to control and secure each platform will differ greatly, which may lead to one platform being more insecure than the other.
Samsung has addressed this with their special variant of Android. They have created a secure version of Android that has similar features to iOS, which means that via an MDM console an IT administrator can have similar control over Samsung devices that they do over iOS devices.
If your company has adopted a BYOD policy and you would like to let your employees buy their own devices, then the choice is not as simple. You can still go with a full MDM solution. Full visibility, full control. However, your employees may not like the fact that their personal device is being so heavily controlled by IT, may not like the lock screen password requirement, or may not be happy with IT seeing what apps they have installed.
This is where Dual Persona (aka Containerization) might be a good choice. Dual Persona works by creating a secure container on the personal device. IT has control only over what happens in that container. Only company data and apps live in that container, so as a user you can switch between work and personal, keeping your work life locked away until you log in to the work container.
If you lose your device or leave the company, the IT department can wipe only the work container, leaving your personal apps and data untouched.
Interestingly, Samsung has a Dual Persona product called KNOX that is pre-installed on some of their devices. This is in addition to their extra MDM policies.
While Dual Persona sounds very attractive, it does have its drawbacks. The vendor who makes the Dual Persona technology may lag behind in updating their mail, contacts, and calendar apps to match the native device apps. Older, less capable devices may struggle with the extra resources needed to run this container.
If Dual Persona isn’t for you, then you may still be able to be far less heavy-handed with traditional MDM, especially with iOS and Samsung devices that have a ton of extra MDM features that can be leveraged to keep work and personal data separate.
Which Mobile Operating Systems To Allow?
Not all mobile operating systems are created equal. BlackBerry created the gold standard for mobile operating system security -- that is a large part of the reason it took off in the enterprise. However, in the majority of situations, supporting iOS, Android, and Windows Phone can be just as secure.
While Apple does not advertise this, they are the leader in the enterprise because of the extra visibility and control they give to IT administrators via an MDM solution. Google's Android lags quite far behind in the enterprise because of its lack of enterprise features. The choice of what you allow on your network depends on what your endpoint policy requires, and whether you are adopting a BYOD policy or a company-purchased device policy.
For example, if you adopt a BYOD policy and allow your employees to purchase and use whatever device they want, then you may opt for a Dual Persona solution. With this approach, you can be sure that your IT policies will be uniformly applied across all mobile operating systems.
Alternatively, you could keep your BYOD policy but restrict it to only iOS and Samsung devices and use a traditional MDM system. Both vendors offer a lot of extra enterprise features, which lets you apply a more uniform IT policy across those two platforms. However, this may be a tough mandate to enforce, because you are essentially telling your employees to limit their device choice.
Post Date: 1/27/2014