Bring your own device!
Sounds a bit like “pick your own” doesn’t it? It’s not a dissimilar concept really. You pick your own strawberries (or other) because the farmer saves money/time by not doing it for you and an IT department can save money/time by not buying you a piece of equipment for you to work on. Or does it?
There are lots of things to weigh up here and it will depend on your organisation’s strategy before you can really get into whether “BYO” is for you or not. Some of it is actually an internal conversation which could be forced on IT by the business, for their own reasons, or it might be something that is put in strategically by IT to reduce costs. Anyway let’s look at some of the points.
Bring your own device is kinda cool
I like it! No really I do. The idea that you can bring whatever piece of IT gear you like to work on furthers the idea that you are just a contractor selling your time to a company. It allows you to work the way you want, a little bit, without making you conform to a certain piece of equipment.
This is really a good thing if you are travelling, developing, presenting, marketing or whatever else it is you do that means you need a piece of equipment that suits your style. You can go out and get the tool that is right for your job.
Plus if you like the shiniest toys you can go off and buy them under the excuse that you need them for work. MacBook Air anyone?
You can’t expect IT to help with the device

A MacBook Air, what I would quite like for my next works laptop
Not only is it “bring your own device” but it is also “bring your own support” meaning that you could go off to Apple/Dell/IBM and pick up a device as well as the support for it. You would also be expected to know how to configure said device to work with company systems or troubleshoot it when it doesn’t. If not then you will need to rely on the support you purchased along with the piece of IT equipment. Of course the IT department would give you all the correct configurations for your device and these may include your device, or they may not….
The upside for this in the IT department is that you don’t really have to support end users by building them new systems and getting things to work. A single, standard document on how to set something up is pretty much it, and if you want something else then you need to make it work! If this doesn’t work for a particular individual then IT could also supply a laptop as a company and be paid for it. This would be a laptop of their choice and would cost the appropriate amount but would already be set up.
IT need to present everything as a service
It’s all very well bringing your own device to work but IT need to respond in a way that makes services into consumables with none of the smoke and mirrors that you sometimes get. As such each service that is produced by IT would need to be documented and available (presumably on an intranet) for the end user to install and consume. I would anticipate the legacy applications being deployed using Citrix as a delivery mechanism but there are others that certainly would not be; email for example.
A developer might demand the latest Alienware PC!
What’s great about this is that a new user doesn’t have to wait for a piece of company equipment to appear before they can start productive work. The environment is set up and working; all that an end user requires is a logon and the ability to read some manuals.
This, of course, leads the way into Virtual Desktop where you actually work on a server hosting your desktop rather than your local machine. This could be useful in certain situations (such as call centres) but it would depend on your situation rather than being a general good idea.
Virtual Desktops - the quick paragraph
This is a big big subject which I won’t go into in detail right here, but there is an option to totally host a desktop for an end user. To the end user it would appear as if something were “taking over their machine” when they log in to it, but in actuality it is a presentation veneer filling their entire screen. This desktop is actually running, virtually, on a server within the company’s data centre, controlled and monitored by IT. These desktops can be cloned, reset, deployed, updated and generally managed en masse by IT in its data centre. If you are thinking “yay this is great” you might want to do some more research; it’s an option but there are many things to consider and it would be remiss of me not to mention it.
IT would retreat and “protect the core”
Essentially this is saying that anything outside of your core network is untrusted. So for every office you have and for every user that is connecting in via VPN you are actually treating them as if they were from the internet. VPN and the like encrypt traffic between a user and the edge firewall but do not guarantee that the user is on a trusted machine. Similarly if a user brings in a machine from home and plugs it into your corporate network you have very little chance of knowing if it’s secure without some very expensive edge devices watching your network. BYO devices would mean anyone could plug anything into your network, deliberately or otherwise, from malware, viruses, DDoS tools and Trojans to actual hacking tools attempting to discover information held within your servers. As such there needs to be an access control device (firewall) between your core server/services and any network edge such as an office or a remote user. I would think that this firewall would be configured to only allow access to known resources and deny others, for instance:
- Access to file sharing on the file server but nowhere else
- Access to remote desktop on development servers but nowhere else
- Access to SMTP/POP/IMAP on the Exchange server but no other ports
- No access to SQL ports anywhere
- etc etc.
That’s obviously not an exhaustive list and would require some time to set up all the various combinations whilst ensuring that too much is not allowed through. It isn’t an easy task, which is why most organisations don’t do this unless they are truly large and can afford the time and effort required.
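The allow-list above, written out as an added Python example that is not part of the original post: it models the edge-to-core firewall as default deny and audits a rule set for entries that let too much through. The addressing plan, the port numbers chosen for each service and the names `decide` and `audit` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption): core servers live in 10.0.0.0/24.
FILE_SERVER = "10.0.0.10"
DEV_SERVERS = "10.0.0.32/28"
MAIL_SERVER = "10.0.0.20"
SQL_PORTS = {1433, 3306, 5432}  # MS SQL, MySQL, PostgreSQL: never open to the edge

@dataclass(frozen=True)
class Rule:
    name: str
    dest: str         # single host or CIDR block inside the core
    ports: frozenset  # allowed TCP destination ports

# The bullets above as allow rules; anything that matches no rule is denied.
POLICY = [
    Rule("file sharing", FILE_SERVER, frozenset({445})),
    Rule("remote desktop", DEV_SERVERS, frozenset({3389})),
    Rule("mail", MAIL_SERVER, frozenset({25, 110, 143})),
]

def decide(policy, dest_ip, port):
    """Return the name of the matching allow rule, or None for default deny."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in policy:
        if addr in ipaddress.ip_network(rule.dest) and port in rule.ports:
            return rule.name
    return None

def audit(policy, max_hosts=16):
    """Flag rules that allow too much: SQL ports or an over-wide destination."""
    findings = []
    for rule in policy:
        if rule.ports & SQL_PORTS:
            findings.append((rule.name, "opens SQL port"))
        if ipaddress.ip_network(rule.dest).num_addresses > max_hosts:
            findings.append((rule.name, "destination too wide"))
    return findings

if __name__ == "__main__":
    for ip, port in [("10.0.0.10", 445), ("10.0.0.10", 3389), ("10.0.0.20", 1433)]:
        print(ip, port, decide(POLICY, ip, port) or "DENY")
    print(audit(POLICY))
```

Running `audit` whenever a rule is added is a cheap way to catch the "temporary" exception that quietly reopens a SQL port or a whole subnet.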
Where this could be a good idea and where it isn’t so much
The final word on this is where this would really shine and where, maybe, you might want to think twice. Establishments that are more or less fixed with little opportunity for growth, such as utilities, governmental offices or anywhere that there is a long established company with a static set, should leave this alone. If you are in a company which is expanding rapidly, a higher education facility or anywhere with a changing user base then this might be a good idea. For my part I was involved in a rapidly expanding company with a rather small IT department. This sort of solution would allow any new company instant access to corporate systems without the worries of core security. Budgets would also not have to be completely redrawn with new user requirements each time as they would just be an increment on a central licence count rather than a bespoke piece of hardware. Of course there is a huge investment in the core of the network but it only has to be done once.
Final thought
This might seem like a really bad idea to you or it might not, but there is no escaping the explosion in connected devices we have seen over the last few years. As IT professionals we have to adapt and change to accommodate our user base rather than sitting in our entrenched positions. After all, if we don’t change and adapt then another service provider will step into the gap between us and our users and provide them with Word, Excel, calendars and email…..