Some of the hottest topics right now are Mobile Device Management (MDM), and Bring Your Own Device (BYOD). BYOD was memorably redefined by Vittorio Viarengo on stage at VMworld 2012 as SYOM, which stands for Spend Your Own Money.
Today however I want to talk about the intersection of those two topics. BYOD is not new; even before laptops were a general-issue item, I was building unofficial machines at work out of scavenged parts to run Linux on. Plenty of people brought their own machines from home, even back then when it was a pretty major logistics challenge.
Techies could not easily be prevented from doing things like reinstalling their corporate-issued devices or adding unofficial devices to the network because they were often the same people who were in charge of enforcing any rules. In other words, they either had the root password to do their jobs, or they were the drinking buddies of the people who did. Since installing Linux on a laptop was probably the absolute least amount of mischief these people could get up to with that sort of access, since they knew how to stay much safer than average users even on unofficial systems, and since far from interfering with their jobs, all this often made for happier and sometimes even more productive techies, the Powers That Be tended to turn a blind eye.
I was into it before it was cool
With the arrival of devices as light and as simple as iPads and iPhones, this behaviour has moved from being something a few techies might do to become something anyone might do. I still remember the day my mother, a woman who would invite me to lunch just so she could dictate a few e-mails to me and get me to format and print out some bills for her, asked me a question about her iPad, and I gradually understood that she had upgraded the thing to iOS6 on her own, completely unaided.
With that change in audience came a marked change in attitudes. Suddenly BYOD was visible, because people would show up to meetings with iPads or flagrantly non-company-issue MacBook Airs (yes, that would be me), and so suddenly it was a Problem.
In the Enterprise world, for every Problem there is a Solution, or sometimes a Suite. However most of these Solutions are very short-sighted. The whole reason I went out and Spent My Own Money on a MacBook Air when my employer had bought me a perfectly good Dull was that a) the Air weighed about as much as one of the Dull's hinges, so I could actually carry it without one shoulder ending up lower than the other like some fakir, and b) the Air was not weighted down with all the Security Solutions that meant the (quite powerful) Dull took half an hour from boot to when I could actually use it.
Forcing employees - the most dedicated employees, the ones who spend their own money in order to do their job better - to place that yoke back on their own necks is like the cliché of the drunk looking for his keys under the streetlight, even though he lost them somewhere else, because "that's where the light is". The problem isn't my unofficial MacBook, the problem is that my corporate-issue laptop is unusable.
Thou shalt not have a life
MDM applies specifically to mobile devices, such as iPhones or iPads. Many of these are also brought in by employees, although that tide is beginning to turn as the Blackberry loses its grip on enterprise mobile customers. The problem is that where controls on an open device like a laptop can be fairly fine-grained (write-protect this directory, block that port, prevent services from starting, and so on), with phones the granularity is much lower. Often it's limited to preventing installation of particular apps entirely.
Phones and tablets are even more personal than laptops. Just because I volunteer to read my business e-mail on a device, you want to prevent me from installing Dropbox and sharing pictures with my family? No thank you!
One solution which has been proposed is to have "personas" on the device, so that at work the phone goes into work mode and only lets you do work things, and at home it locks up all the work content and lets you do personal things. The problem is that we don't live our lives that way any more. My Twitter feed is about one-third work ("look at my company's cool product"), one-third personal ("guess where I am this week!"), and one-third mixed (friends met through work, professional conversations spilling over into conversations about beer, and so on). Should Twitter be blocked, filtered, or left alone? What about Facebook? Hey, what about Foursquare? Isn't it a security risk to know which customers' offices I'm visiting, or which colleagues I'm travelling with?
Look, very little of what I do has wider relevance. If a competitor were to get hold of the sort of documents I might be likely to put in my Dropbox, I seriously doubt it would have any effect whatsoever on their planning. The worst thing that might happen if my entire laptop got leaked is that some customers get annoyed because their name gets associated in public with my employers' without their approval, or perhaps some analysts get miffed because information got out before their turn in the briefing schedule. Our stock price would be completely unaffected.
There are maybe a dozen people in the typical company with access to that type of data - M&A plans, that sort of thing - and a few more who hold data that, while not sensitive in itself, is legally protected - personal data on employees or customers, material that is subject to shareholder or SEC disclosure rules - but there are few enough of these people that they can be handled as an exception, without getting in everybody else's way.
There's an old joke about a CEO meeting his CIO and CFO. The CIO is asking for more budget for training his staff. The CFO asks: "What if we train all our staff, and then they leave?". The CIO shoots back: "What if we don't - and they don't?".
Treat your employees like adults, and most of them will behave like adults. The ones who won't will figure out ways over, around or under any walls you care to erect, so you might as well empower the good eggs instead of annoying them.