Showing all posts tagged byod:

Management agents

I went to buy some lunch today to eat at my desk, because it's a short week and I'm busy and shut up don't judge me. I got back from my 15' trip to find my MacBook Air fairly propelling itself off the desk with its fan, uncomfortably hot to the touch, and minus 30% of the battery life expectancy that it was showing when I left.

This is why people hate those management agents that corporate IT departments foist on them.

I have this unkillable process (running as root, natch), which creates its own undeletable user account and does Cthulhu only knows what horrible things to the filesystem. Now I don't have a problem with my employer keeping tabs on their machine that is currently assigned to me. Even if you assume all users are honest, someone might make an honest mistake that winds up endangering corporate data. What I do object to is when that process of keeping an eye on things gets intrusive.

This is why I first did the BYOD thing, after all. Unfortunately as Macs went from niche to ubiquitous, the Security Solutions came to the Mac too.

Maybe it's time to go back to doing the VM dance, with the clunky corporate environment sandboxed safely away in a VM that can be shut down when I don't want to deal with its overhead?

Enterprise IT Kill Switch

California has passed a law mandating kill switches for smartphones:

A kill switch is software that allows consumers to disable a phone after the device has been reported stolen and reactivate it only with a correct password or personal identification number. Proponents of the bill have argued that wide adoption of this type of antitheft technology would lead to a reduction in phone theft because it would make it more difficult for criminals to resell stolen phones.

This is all well and good, and if your phone has this functionality available, then you should definitely turn it on now. If stolen smartphones are known to be useless, it will not be worth thieves' while to steal them. Note that this works even if the technology is not perfect. If it turns out that the lock can be bypassed, but doing so is difficult or time-consuming, fences will demand more discount from thieves, making the phones less attractive.

But what is the connection with enterprise IT?

I would be willing to bet that many admins have wished that servers came with kill switches, for instance. Who hasn't had a mis-configured VM running on somebody's desktop hijack DHCP for an entire subnet, for instance? Yes, that one happened to me - although I had some choice words for the OS vendor that chose to make the DHCP server default to on…

Unfortunately, problem servers these days are often not directly under IT's control. This is infamously known as "shadow IT": business units frustrated with the pace or quality of service they get from IT go rogue and obtain service elsewhere. Gartner famously predicted that 35% of IT spending would be happening outside of the IT department's view by 2015.

Depending on your own definition of shadow IT, this prediction may seem more or less realistic. For instance, does shadow IT include rogue BYOD? The same pressures drive both, but BYOD users generally want to use company services. However, nobody can deny that a non-negligible amount of shadow IT is already taking place.

The question is what to do about it.

I got into a Twitter exchange on that very topic, starting from this blog post by the IT Skeptic, Rob England.

IT departments would love to have a "kill switch" for shadow IT. No more rogue users going off and doing their own thing! Back to the good old days of everyone going to IT on bended knee. After all, what alternative did they have - buy their own mainframe? Yeah, right!

Well, the world has changed, and now users do have alternatives. The hell of the thing, from the point of view of an IT department, is that users get better quality of IT service at home than they do at work, and this has changed their expectations at work too.

When a user goes around the IT department, that is a signpost to value that is currently not being delivered by the IT department. No matter how easy it gets to do IT, users would rather someone else were doing it. It's just that the level of effort required to do it themselves has fallen below the point where the returns are sufficient to make it worth their while.

Time was, only the most dedicated people would do the BYOD thing and bring a Mac or a laptop running Linux to work. Now, it's easy enough that pretty much anyone can do it1, and the returns are obvious. We are getting to that point with cloud services, especially SaaS.

Now, I do agree with Rob England that distributed IT is better than shadow IT. Distributed IT simply means IT that is engaged with the business, instead of skulking in their ivory tower ^W^W darkened basement. Where we differ is on how blame is apportioned.

To my way of thinking, shadow IT is an indictment of the IT department's failure to engage with the business. Users should not go rogue, but let us all recognise that there has been some long-term provocation going on. In fact, IT people are shooting themselves in both feet by not engaging with the business, because not only are they losing relevance as the users bypass them wherever possible, but they still get held responsible when something breaks or the company hits the front page of the news for all the wrong reasons.

If you are in IT, talk to your users, figure out where there are bottlenecks, and help remove them. This is no longer a "my way or the highway" world; users have any number of roads, pathways, railways, navigable rivers, gyrocopters and teleporters to get to where they need to go. You need to prove your value, not just assume that users have no choice.

The good thing is that the rewards are also significant. IT can be a differentiator, not just a cost center. Business processes today are entirely computerised, to the point that the performance of IT is the performance of the business in a very real sense. (If you doubt me, try visiting any office when the power is out or the network is down. I guarantee you that not much business is being transacted.) An engaged IT department - distributed, as Rob England puts it - can make a very visible contribution, and stop being lumped with Facilities and janitorial services.

And all you have to do is stop calling them lusers

  1. Or bribe someone else relatively cheaply, one time only. 

We don't have to care, we're IT

Brian Katz comments with his usual incisiveness on Mobile Device Management (MDM) in "IT is in the Experience Business”.

MDM is dead and it’s been dead for a long time.

Oh thank $DEITY. As I have had occasion to comment myself, users don’t want their devices to be managed. They - or in fact we, since I’m a subject of MDM, not an admin - will tolerate a reasonable amount of inconvenience in the name of what we recognise as reasonable security requirements. What we don’t want is for our phones to end up like our Windows laptops, taking half an hour to boot and prone to all sorts of random malfunctions, slowdowns and incomprehensible roadblocks due to the number of “security” solutions they are larded down with.

This is exactly what is driving the enterprise adoption of Macs. Techies had been running Linux and maybe keeping the corporate Windows image around in a VM, but now civilians are moving to the Mac as fast as they can manage. Now we know the answer to the question “how bad do products have to be to drive even Muggles to change platform?”.

IT isn’t just in the solution business anymore. It can’t be reactive and spend months trying to build the perfect thing the business asked for but needed much sooner than IT could deliver. IT is in the experience business. Users need to have great interactions that lead to fantastic experiences that help them get stuff done and move the business towards its goal.

(Emphasis mine)

Exactly right. Enterprise IT apps are all overgrown with feeping creatures, and users can’t get away from them fast enough. It doesn’t matter whether the apps are home-grown or COTS that has been customised, because the issue is not a technical problem but a worldview problem within IT.

Enterprise IT departments have always operated like The Phone Company, but this is now a post-breakup world, and now IT does have to care. Users bring their own tools, their own devices, even their own clouds. Users help themselves and each other; anything to avoid dealing with the hell-desk.

But things don’t have to be this way. Brian concludes his post with this statement of the business of IT:

We’re in the business of providing secure right time experiences that allow the user to (in the words of the army) be all they can be.

Now that is an IT vision that users might actually enjoy.

Missing the point

Another day, another misguided article claiming that "bad attitudes to BYOD put off prospective employes". At least this time they missed out the hitherto obligatory reference to "millennials", whatever more-than-usually-misleading category they might be.

Look, the issue is rarely with BYOD as such. If you're as entitled a know-it-all as to make your employment choices based on whether your prospective employer will let you spend your own money on work technology, there is no help for you. Plenty of companies, my own sainted employer included, offer company-issued Macs and iPhones as optional alternatives to Dells and Blackberries. Wouldn't that be a better trait to look out for?

The problem people have with anti-BYOD policies is that they're generally the tip of an iceberg of bad policy and straightjacketed thinking. Companies that ban BYOD are not far from whitelisting approved executables, restricting admin privileges to users with a "valid and documented reason" for having that access, configuring ridiculously restrictive content firewalls, and so on and so forth. Others have already explained in depth why BYOD is a symptom of unhealthy IT practices. In fact, the BYODers are arguably doing the company a favour by identifying problem areas. As I had occasion to say on Twitter, users interpret bad IT policies as damage and route around them.

BYOD just happens to be the latest buzzword which people can hang their Dilbertian complaints onto, but reversing that one clause would not fix the problem. In fact, a greater worry is a future in which everyone is required to purchase and maintain IT equipment for work use at their own expense. I might be able to do this now, and in fact I did Spend My Own Money and bought myself an 18 month reprieve from lugging the monster Dull around, but I certainly couldn't have afforded to do that when I started out in my career - at least, not without cutting into other areas of my budget, like food.

Stick to the important concerns. BYOD will fix itself, if all the other pieces are in place.


There has been an interesting conversation going on over the last few days. The starting point was Brian Katz' post about Herding Kangaroos, and the follow-up, Where's Waldo.

The gist of Brian's post is this:

The world is truly full of boogey men and if someone desperately wants your data there is very little you can do to stop them in most instances, you may be able to slow them down but that is probably it. The issue I have with this locking down of the enterprise is that it affects the business.


If users aren’t given the right tools, they find what they need anyway and give it to everyone else who wants/needs it long before you have a chance to put a stop to it. It becomes very difficult to play the Where’s Waldo game every day.

Everyone's Waldo

I agree, for the most part. I've been a sysadmin, and I cut my teeth adminning for a department of smart-aleck developers who all needed the root password / security exceptions / special firewall rules / extra disk quota to do their jobs, so the notion that we could have perfect security if only we didn't have to deal with all those pesky users definitely strikes a chord with me.

The problem that IT faces is much the same as the entertainment industry faces. Not only must the security measures in both cases be sufficiently inobtrusive that users don't find it easier just to circumvent them, but at some point you have to give users access to the content you're trying to protect. Just as all those FBI piracy warnings on DVDs have to (eventually) end and let you watch the film, all the encrypted location-sensitive token-based secure content lockers have to let users view the files at some point. Once users have the content, no clever technology is going to prevent someone from doing something IT doesn't want them to do.

Violations can be impressively low-tech. One ex-colleague, a sales guy, printed out his presentations, and then used the same print-out for multiple customer engagements - complete with slides under NDA, embargoed roadmap details, and confidential details on other customers he had previously used the same printout with. How does your Enterprise Solution prevent that?

Or what about users giving up their passwords for candy bars, or entering them in online "password security checkers", or clicking on the link in that e-mail pretending to come from the help desk?

In the end it's not about the device, it's about the users. Technical fixes will only get you so far. Focusing on the people who bring their iPads to work and ignoring the guy walking out the door with a sheaf of dog-eared printouts - but corporate-issued laptop and phone - might follow the letter of the infosec policy, but it's certainly missing the spirit.

Explain to people what your goal is, why it's important (to them), and make it easy for them, and most of them will go along. The ones who won't have other problems anyway.

I brought my device for me, not for you!

Some of the hottest topics right now are Mobile Device Management (MDM), and Bring Your Own Device (BYOD). BYOD was memorably redefined by Vittorio Viarengo on stage at VMworld 2012 as SYOM, which stands for Spend Your Own Money.


Today however I want to talk about the intersection of those two topics. BYOD is not new; even before laptops were a general-issue item, I was building unofficial machines at work out of scavenged parts to run Linux on. Plenty of people brought their own machines from home, even back then when it was a pretty major logistics challenge.

Techies could not easily be prevented from doing things like reinstalling their corporate-issued devices or adding unofficial devices to the network because they were often the same people who were in charge of enforcing any rules. In other words, they either had the root password to do their jobs, or they were the drinking buddies of the people who did. Since installing Linux on a laptop was probably the absolute least amount of mischief these people could get up to with that sort of access, since they knew how to stay much safer than average users even on unofficial systems, and since far from interfering with their jobs, all this often made for happier and sometimes even more productive techies, the Powers That Be tended to turn a blind eye.

I was into it before it was cool

With the arrival of devices as light and as simple as iPads and iPhones, this behaviour has moved from being something a few techies might do to become something anyone might do. I still remember the day my mother, a woman who would invite me to lunch just so she could dictate a few e-mails to me and get me to format and print out some bills for her, asked me a question about her iPad, and I gradually understood that she had upgraded the thing to iOS6 on her own, completely unaided.

With that change in audience came a marked change in attitudes. Suddenly BYOD was visible, because people would show up to meetings with iPads or flagrantly non-company-issue MacBook Airs (yes, that would be me), and so suddenly it was a Problem.

In the Enterprise world, for every Problem there is a Solution, or sometimes a Suite. However most of these Solutions are very short-sighted. The whole reason I went out and Spent My Own Money on a MacBook Air when my employer had bought me a perfectly good Dull was that a) the Air weighed about as much as one of the Dull's hinges, so I could actually carry it without one shoulder ending up lower than the other like some fakir, and b) the Air was not weighted down with all the Security Solutions that meant the (quite powerful) Dull took half an hour from boot to when I could actually use it.

Forcing employees - the most dedicated employees, the ones who spend their own money in order to do their job better - to place that yoke back on their own necks is like the cliché of the drunk looking for his keys under the streetlight, even though he lost them somewhere else, because "that's where the light is". The problem isn't my unofficial MacBook, the problem is that my corporate-issue laptop is unusable.

Thou shalt not have a life

MDM applies specifically to mobile devices, such as iPhones or iPads. Many of these are also brought in by employees, although that tide is beginning to turn as the Blackberry loses its grip on enterprise mobile customers. The problem is that where controls on an open device like a laptop can be fairly fine-grained (write-protect this directory, block that port, prevent services from starting, and so on), with phones the granularity is much lower. Often it's limited to preventing installation of particular apps entirely.

Phones and tablets are even more personal than laptops. Just because I volunteer to read my business e-mail on a device, you want to prevent me from installing Dropbox and sharing pictures with my family? No thank you!


Split personality

One solution which has been proposed is to have "personas" on the device, so that at work the phone goes into work mode and only lets you do work things, and at home it locks up all the work content and lets you do personal things. The problem is that we don't live our lives that way any more. My Twitter feed is about one-third work ("look at my company's cool product"), one-third personal ("guess where I am this week!"), and one-third mixed (friends met through work, professional conversations spilling over into conversations about beer, and so on). Should Twitter be blocked, filtered, or left alone? What about Facebook? Hey, what about Foursquare? Isn't it a security risk to know which customers' offices I'm visiting, or which colleagues I'm travelling with?

Get off!


Look, very little of what I do has wider relevance. If a competitor were to get hold of the sort of documents I might be likely to put in my Dropbox, I seriously doubt it would have any effect whatsoever on their planning. The worst thing that might happen if my entire laptop got leaked is that some customers get annoyed because their name gets associated in public with my employers' without their approval, or perhaps some analysts get miffed because information got out before their turn in the briefing schedule. Our stock price would be completely unaffected.

There are maybe a dozen people in the typical company with access to that type of data - M&A plans, that sort of thing - and a few more who hold data that, while not sensitive in itself, is legally protected - personal data on employees or customers, material that is subject to shareholder or SEC disclosure rules - but there are few enough of these people that they can be handled as an exception, without getting in everybody else's way.

There's an old joke about a CEO meeting his CIO and CFO. The CIO is asking for more budget for training his staff. The CFO asks: "What if we train all our staff, and then they leave?". The CIO shoots back: "What if we don't - and they don't?".

Treat your employees like adults, and most of them will behave like adults. The ones who won't will figure out ways over, around or under any walls you care to erect, so you might as well empower the good eggs instead of annoying them.