BYOD @ Lboro - Bring Your Own Device at Loughborough

Got a policy on Bring Your Own Device (BYOD)?  Here's ours...  I'd love to hear back from people who are trying to embrace and support BYOD in their organizations.  Does what we are proposing work for you?  Have we left out anything you consider essential?  Take a look, and leave a comment below.

Many thanks to my colleague Phil Richards for all his hard work in putting our BYOD policy together with the support and encouragement of the University's IT Committee.  As the language of the document is fairly formal, I thought people might appreciate the Dilbert video above.  This shows what can happen to the unwary employee attempting to BYOD in a less enlightened workplace!

1. Executive summary

A relatively new range of consumer mobile tablet devices, of which the iPad is the best known and which originated in the consumer marketplace, has proved well able to support users in both private/home/social and professional/work IT.

This has led to a transformation of user behaviour, with proficient users who own such devices demanding that they be allowed to make good use of them in the workplace. It is becoming virtually certain that BYOD will be at the heart of a new paradigm for desktop-style services, replacing the previous ‘monolithic central desktop’ model.

Loughborough already provides good support for BYOD, for students and staff, via:

  • an Acceptable Use Policy that embraces user-owned devices
  • an extensive Wi-Fi network
  • information systems designed to work on a range of user devices (e.g. Learn and my.Lboro)
  • student and staff user device support via the PC Clinic and the ITSAs, and also in some Schools
  • automated scripts and security policies for the iPhone operating system (iOS)
  • legally robust licence agreements with a third-party cloud data storage provider (Google Apps for Education)
  • a virtual desktop service
  • a unified communications (modern phone) system with extensive BYOD potential

A particular concern around Value for Money has been that tablets are typically owned in addition to a desktop/laptop and a smart phone (BYOND); the newest range of powerful hybrid devices gives the potential for BYO1D, and a more economical Total Cost of Ownership.

It is suggested that Loughborough continues and develops its BYOD service, adapting it to a marketplace that is likely to keep shaking down for the next couple of years, and focusing in particular on allowing students to undertake learning and other University activities, and also on shaping the behaviour of staff to ensure it does not breach data protection, research licences and other legal constraints, while also encouraging a VFM approach and tracking of costs.

IT Committee is asked to support this BYOD approach as the market settles

IT Committee is asked to support efforts to encourage use of cloud storage services by BYOD staff that are consistent with legal imperatives

IT Committee is asked to support in principle the phasing in of MDM systems that enforce: lock code; lock when idle; remote wipe capability; device encryption

2. Definitions

BYOD – Bring Your Own Device
BYO1D – bring your own one, single device (i.e. what the Director of Finance would like us to do!)
BYOND – bring your own N devices, where N is as large a number as possible – this is how device manufacturers wish us to behave
MDM – Mobile Device Management – technical systems to enforce security policies on BYOD devices

Taken literally, the above definitions relate to who purchased the device, employer or employee. In practice in a University, BYOD can refer to a particular category of consumer mobile tablet device, which may either be employee-owned or owned by the University (e.g. in the case of senior academics funded from a research grant etc.). For the rest of this paper we take the pragmatic University definition, relating to device type, rather than the literal one of who owns the device.

3. The emerging BYOD marketplace

The BYOD market is relatively new, and still in a state of flux. Apple (iPhone and in particular iPad) has held the leading market position, though that is under threat from a number of competitors (e.g. Samsung).

Apple continues to adopt a ‘BYOND’ strategy, refusing, for example, to ‘dilute the tablet concept’ by creating hybrid devices. This encourages enthusiastic Apple customers to buy one each of an iPhone, iPad, iMac and often a desktop Apple Mac. Given that total cost of ownership is 2, 3 or even 4 times the initial device purchase cost, the Total Cost of Ownership of BYOND usage can become significant at a University, and is not in accord with the present financial climate. [1] notes that BYOD approaches are often more expensive, and BYOND is part of the explanation of that.

Fig 1 - BYOND typical device ownership

Competitors are now introducing hybrid tablet-based devices, which may for example have a better mobile keyboard than an iPad, and docking station functionality by design, to utilise properly the very powerful CPUs that tablets now contain, and also act as a client for a virtual desktop service. Thus it may be possible for a single hybrid tablet device to fulfil the roles that tablet, laptop and desktop each play in the BYOND model, and meet user requirements at lower TCO.

Fig 2 - BYO1D retains BYOD utility while reducing TCO

It is too early to be certain how the BYOD marketplace will finally shake down, but the opinion is offered that it will move in the direction of hybrid BYO1D devices such as the above, based on one or more of the three leading platforms at present:

  • iOS (iPad and iPhone)
  • Android (Google)
  • Windows 8 (ex-Windows Mobile)

At this stage we should therefore aim to provide services that support and span these three main platforms, as we keep the market under continual review.

4. Risk issues

The risks involved in student BYOD tend to centre around the hosting of inappropriate services on student-owned hardware via the University network (e.g. illegal music or film download torrent servers). These issues are well understood and controlled by IT Services, and while we are not complacent, the fact is that there have been no major incidents arising from student BYOD use in the last few years.

The major risks regarding staff BYOD use, as noted by Gartner in [2], are:

  • The transfer of any personal data to third party storage cloud service providers favoured by many University iPad users (e.g. Dropbox under standard consumer licence) is almost certain to breach data protection laws
  • The transfer of research data to the same storage services may also breach confidentiality or similar clauses in research funding agreements, particularly in the case of commercially-funded research
  • Failure to use BYOD device PIN or password protection, and the automatic/remote device wipe function (including at device disposal), also puts the above information at risk

The above constitute potentially substantial financial and reputational risks to the University, and have been duly noted in the University-level Risk Register for the first time this year.

We have received clear legal advice that use of approved cloud storage services (e.g. Google Drive under the Google Apps for Education licence, as opposed to a consumer licence) mitigates these risks. The simplest way to achieve that is to mandate the use of such an approved service (e.g. Google Drive for Education) by policy, then reinforce the policy with a publicity and user education campaign.

Even when approved cloud storage service providers are used, there is still a risk of confidential data loss when BYOD devices are lost or stolen. Evidence suggests that individuals who are cautious with passwords on desktop systems may not set even a simple lock code on their tablets or phones, even though these may contain similarly sensitive information.

Best practice, indicated by [2] and elsewhere, suggests the following ingredients:

  • Device lock code (4-digit PIN or complex password; the latter is preferred, the former likely to be more palatable to users in practice)
  • Automatic device lock on idle
  • Remote device wipe function, including its use at device disposal
  • Device data encryption

5. MDM solutions to implement the above security best practice

Policies for secure configuration of iOS devices (iPhones and iPads) have been produced and publicised informally by IT Services, over the last 2-3 years. While these are used by ITSAs when supporting BYOD (see below), their use has not been mandated.

The Casper tools, which are emerging as a strong candidate for the system to underpin a light-touch Mac desktop service, also provide full MDM functions for iOS, so this would be an additional reason to move in that direction.

The SCCM system that currently underpins the staff and student Windows 7 desktop service contains full MDM functionality for Windows 8 tablet and mobile devices.

The Android tablet and phone operating system is now the most popular in the world, with numerically more devices using it than iOS. Android devices tend to have the lowest purchase cost, at least at this point. Android is part of the Google empire, and Loughborough has invested in Google Apps for student email etc. However, Loughborough currently does not have an infrastructure, real or emerging, to provide MDM functionality for Android. Nevertheless, it is suggested we need to embrace Android, because of its growing use by students, and its potential to provide the lowest cost BYOD experience in future.

It is therefore suggested that IT Services develops MDM systems for all three of the above BYOD platforms. In the case of iOS and Windows 8 it is obvious where this will emerge from. In the case of Android, it is suggested that the Web Systems Team, who look after the technical aspects of Google Apps, are best placed to take on the responsibility for Android MDM.

In the first instance, IT Services needs to develop MDM tools on a pilot basis, then come back to IT Committee and ask for its authority to mandate their use for all staff using BYOD for any University business. At that point, staff use of any platform other than iOS, Android and Windows 8 for BYOD access to any University information would breach the acceptable use policy; a corollary is that it would cease to be acceptable for staff to use Blackberry devices for University email etc. from that time.

6. BYOD and the virtual desktop service

We now have a safe, secure virtual desktop service that can be accessed from clients on all three of our suggested BYOD platforms. These clients store no information on the device. Therefore, for any particularly sensitive operation that a staff member may be seeking to undertake on a BYOD platform, the advice would always be to do that via the virtual desktop. This is also in accord with the best practice referred to in [1] and [2].

7. Purchasing and support for BYOD

Some Schools already provide support for BYOD and staff-owned hardware in general, resourced as the School sees fit to meet its needs. ITS intends to work closely with Schools providing such services in developing new MDM services as above, and in building consensus with these Schools as to the best way forward.

For Schools that do not choose to resource BYOD support, such support is available from the ITSAs at the PC Clinic in Haslegrave. We will continue to ensure the ITSAs use the MDM tools available, and configure BYOD devices in line with best practice and emerging policy.

It is proposed that, while the BYOD market is still shaking down, it would not be possible or appropriate to undertake procurement of a small fleet of BYOD devices along the same lines as we currently do for desktop and laptop computers. This may become feasible over the next year or two, and we will monitor the situation via the IT Purchasing Group (ITPG). In the meantime, it is suggested that development of MDM tools around the three supported platforms, and phasing in of policy changes to enforce their use and mitigate risks around inappropriate cloud storage services, will present a sufficient change challenge for both central and School-based IT staff.

8. References

[1] Bring Your Own Device: New Opportunities, New Challenges, Gartner, August 2012
[2] Address the Risks of BYOD within Higher Education, Gartner, July 2012