BYOD @ Lboro - Bring Your Own Device at Loughborough



Got a policy on Bring Your Own Device (BYOD)?  Here's ours...  I'd love to hear back from people who are trying to embrace and support BYOD in their organizations.  Does what we are proposing work for you?  Have we left out anything you consider essential?  Take a look, and leave a comment below.

Many thanks to my colleague Phil Richards for all his hard work in putting our BYOD policy together with the support and encouragement of the University's IT Committee.  As the language of the document is fairly formal, I thought people might appreciate the Dilbert video above.  This shows what can happen to the unwary employee attempting to BYOD in a less enlightened workplace!






1. Executive summary

A relatively new range of consumer mobile tablet devices, of which the iPad is best known, and whose provenance is from the consumer marketplace, has proved well able to support users in both private/home/social and professional/work IT

This has led to a transformation of user behaviour, with proficient users owning such devices demanding that they be allowed to make good use of them in the workplace – it is becoming virtually certain that BYOD will be at the heart of a new paradigm for desktop-style services, replacing the previous ‘monolithic central desktop’ model

Loughborough already provides good support for BYOD, for students and staff, via: Acceptable Use Policy that embraces user-owned devices; extensive Wi-Fi network; information systems designed to work on a range of user devices (e.g. Learn and my.Lboro); student and staff user device support via the PC Clinic and the ITSAs, and also in some Schools; automated scripts and security policies for iPhone operating system (iOS); legally robust licence agreements with some third party cloud data storage provider (Google Apps for Education); a virtual desktop service; and a unified communications (modern phone) system with extensive BYOD potential

A particular concern around Value for Money has been that tablets are typically owned in addition to desktop/laptop and smart phone (BYOND); the newest range of powerful, hybrid devices gives the potential for BYO1D, and a more economical Total Cost of Ownership

It is suggested that Loughborough continues and develops its BYOD service, adapting it to the marketplace which is likely to shake down for the next couple of years, and focusing in particular on allowing students to undertake learning and other University activities, and also on shaping the behaviour of staff, to ensure it does not breach data protection, research licences and other legal constraints, while also encouraging a VFM approach and tracking of costs

IT Committee is asked to support this BYOD approach as the market settles

IT Committee is asked to support efforts to encourage use of cloud storage services by BYOD staff that are consistent with legal imperatives

IT Committee is asked to support in principle the phasing in of MDM systems that enforce: lock code; lock when idle; remote wipe capability; device encryption


2. Definitions

BYOD – Bring Your Own Device
BYO1D – bring your own one, single device (i.e. what the Director of Finance would like us to do!)
BYOND – bring your own N devices, where N is as large a number as possible – this is how device manufacturers wish us to behave
MDM – Mobile Device Management – technical systems to enforce security policies on BYOD devices

Taken literally, the above definitions relate to who purchased the device, employer or employee. In practice in a University, BYOD can refer to a particular category of consumer mobile tablet device, which may either be employee owned, or owned by the University (e.g. in the case of senior academics funded from a research grant etc.). For the rest of this paper we take the pragmatic University definition, relating to device type, rather than the literal one of who owns the device.


3. The emerging BYOD marketplace

The BYOD market is relatively new, and still in a state of flux. Apple (iPhone and in particular iPad) has held the leading market position, though that is under threat from a number of competitors (e.g. Samsung).

Apple continues to adopt a ‘BYOND’ strategy, refusing e.g. to ‘dilute the tablet concept’ by creating hybrid devices. This encourages enthusiastic Apple customers to buy one each of an iPhone, iPad, iMac and often desktop Apple Mac. Given that total cost of ownership is 2, 3 or even 4 times the initial device purchase cost, the Total Cost of Ownership of BYOND usage may become significant at a University, and not in accord with the present financial climate. [1] notes that BYOD approaches are often more expensive, and BYOND is part of the explanation of that.

Fig 1 - BYOND typical device ownership

Competitors are now introducing hybrid tablet-based devices, which may for example have a better mobile keyboard than an iPad, and docking station functionality by design, to utilise properly the very powerful CPUs that tablets now contain, and also act as a client for a virtual desktop service. Thus it may be possible for a single hybrid tablet device to fulfil the roles of tablet, laptop and desktop in the BYOND model, and meet user requirements at lower TCO.

Fig 2 - BYO1D retains BYOD utility while reducing TCO

It is too early to be certain how the BYOD marketplace will finally shake down, but the opinion is offered that it will move in the direction of hybrid BYO1D devices such as the above based on one or more of the leading three platforms at present:

  • iOS (iPad and iPhone)
  • Android (Google)
  • Windows 8 (ex-Windows Mobile)

At this stage we should therefore aim to provide services that support and span these three main platforms, as we keep the market under continual review.


4. Risk issues

The risks involved in student BYOD tend to centre around hosting of inappropriate services on student-owned hardware via the University network (e.g. illegal music or film download torrent servers). These issues are well understood and controlled by IT Services, and while we are not complacent, the fact is that there have been no major incidents arising from student BYOD use in the last few years.

The major risks regarding staff BYOD use, as noted by Gartner in [2], are:

  • The transfer of any personal data to third party storage cloud service providers favoured by many University iPad users (e.g. Dropbox under standard consumer licence) is almost certain to breach data protection laws
  • The transfer of research data to the same storage services may also breach confidentiality or similar clauses in research funding agreements, particularly in the case of commercially-funded research
  • The failure to use BYOD device pin or password protection, and automatic device wipe function (including at device disposal) also risks the above information

The above constitute potentially substantial financial and reputational risks to the University, and have been duly noted in the University-level Risk Register for the first time this year.

We have received clear legal advice that use of approved cloud storage services (e.g. Google Drive under the Google Apps for Education licence as opposed to a consumer licence) mitigates these risks, and the simplest way to mitigate these risks is to mandate the use of such an approved service (e.g. Google Drive for Education) by policy, then reinforce that by a publicity and user education campaign.

Even when approved cloud storage service providers are used, there is still a risk of confidential data loss when BYOD devices are lost or stolen. Evidence suggests that individuals who are cautious with passwords on desktop systems may not set even a simple lock code on their tablets or phones, even though they may contain similarly sensitive information.

Best practice, indicated by [2] and elsewhere, suggests the following ingredients of:

  • Device lock code (4 digit PIN or complex password, latter preferred, former likely to be more palatable to users in practice)
  • Automatic device lock on idle
  • Remote device wipe function, including its use at device disposal
  • Device data encryption


5. MDM solutions to implement the above security best practice

Policies for secure configuration of iOS devices (iPhones and iPads) have been produced and publicised informally by IT Services, over the last 2-3 years. While these are used by ITSAs when supporting BYOD (see below), their use has not been mandated.

The Casper tools emerging as a strong candidate for the system to underpin a light-touch Mac desktop service also provide full MDM functions for iOS, so this would be an additional reason to move in that direction.

The SCCM system that currently underpins the staff and student Windows 7 desktop service contains full MDM functionality for Windows 8 tablet and mobile devices.

The Android tablet and phone operating system is now the most popular in the world, with numerically more devices using it than iOS. Android devices tend to have the lowest purchase cost, at least at this point. Android is part of the Google empire, and Loughborough has invested in Google Apps for student email etc. However, Loughborough currently does not have an infrastructure, real or emerging, to provide MDM functionality for Android. Nevertheless, it is suggested we need to embrace Android, because of its growing use by students, and its potential to provide the lowest cost BYOD experience in future.

It is therefore suggested that IT Services develops MDM systems for all three of the above BYOD platforms. In the case of iOS and Windows 8 it is obvious where this will emerge from. In the case of Android, it is suggested that the Web Systems Team, who look after the technical aspects of Google Apps, are best placed to take on the responsibility for Android MDM.

In the first instance, IT Services needs to develop MDM tools on a pilot basis, then come back to IT Committee and ask for its authority to mandate their use for all staff using BYOD for any University business. At that point, staff use of any platform other than iOS, Android and Windows 8 for BYOD access to any University information would breach acceptable use policy; a corollary is that it would cease to be acceptable for staff to use Blackberry devices for University email etc. from that time.


6. BYOD and the virtual desktop service

We now have a safe, secure virtual desktop service that can be accessed from clients on all three of our suggested BYOD platforms. These store no information on the device. Therefore, for any particularly sensitive operation that a staff member may be seeking to undertake on a BYOD platform, the advice would always be to do that via the virtual desktop. This is also in accord with best practice referred to in [1], [2].


7. Purchasing and support for BYOD

Some Schools already provide support for BYOD and staff-owned hardware in general, resourced as the School sees fit to meet its needs. ITS intends to work closely with Schools providing such services in developing new MDM services as above, and in building consensus with these Schools as to the best way forward.

For Schools that do not choose to resource BYOD support, and support services, such support is available from the ITSAs at the PC Clinic in Haslegrave. We will continue to ensure the ITSAs use MDM tools available, and configure BYOD devices in line with best practice and emerging policy.

It is proposed that, while the BYOD market is still shaking down, it would not be possible or appropriate to undertake procurement for a small fleet of BYOD devices, along the same lines as we currently do for desktop and laptop computers. This may become feasible over the next year or two, and we will monitor the situation via the IT Purchasing Group (ITPG). In the meantime, it is suggested that development of MDM tools around three supported platforms, and phasing in of policy changes to enforce their use and mitigate risks around inappropriate cloud storage services, will provide a sufficient change challenge for both central and School-based IT staff.


8. References

[1] Bring Your Own Device: New Opportunities, New Challenges, Gartner, August 2012
[2] Address the Risks of BYOD within Higher Education, Gartner, July 2012

14 comments:

  1. Seems like this is missing the point of Bring Your Own Device, more only bring pre-approved devices the University has sanctioned. Why not go a step further dictate which OS they run, then lock them down and control the patching. You could call it a Managed BYOD service. It also kind of runs contrary to all the work that is being done to open up services through things like eduroam, VPNs and federated access.

    I also don't see why TCO comes into this. Why should the University be concerned with the TCO of BYOD? The O in BYOD is a clue here, "Own". I have an Android tablet, I bought it myself, with my money. Therefore what has TCO got to do with it? Also the document mentions "Given that total cost of ownership is 2, 3 or even 4 times the initial device purchase cost". Do you have any references to back that claim up because I can't see how the TCO of my tablet is going to cost me 4 times the purchase price.

    The document also mentions the approach of hybrid devices lowering TCO. Again this is completely missing the point of why I bought my own tablet. I bought the device I did because it fits the requirement I have. I don't want a POS hybrid device, I have a laptop for serious work. I buy my devices because they fill a particular need. I prefer to have the right tool for the job, rather than some multi tool which does everything badly.

    On the MDM front. I don't want MDM on my personal device, if that was forced upon me then I would remove University services like e-mail from my device. This means I'm less productive as I will no longer check my e-mail when I'm away from my desk. I except I already have some MDM as you are forced to accept remote wiping when you add an exchange e-mail account to android. However if this was some third party software I would stop using University services on my personal devices.

    There is mention of third party services like Dropbox breaching data protection laws. However I would say staff and students are forced down this route by poor provision from the University. For example I have a 10GB file I need to transfer to another party, what provision does the University provide? Or I want to automatically back up my files (15GB let's say) from my Linux box, what options does the University provide? Dropbox provide me nice Python scripts which make it easy.

    Replies
    1. Good points! I think there are a couple of key themes here...

      1) How can we support and add value to BYOD without screwing it up with heavy handed policies and management technology.

      2) BYOD in the truest sense of people's own devices, versus "BYOD" in the modish sense of institutional use and ownership of tablets and smartphones. For some reason these two seem to get blurred more often than not, but they are quite different things.

      As one of my colleagues notes separately on Twitter, we have actually been bringing our own devices since the personal computer revolution of the 1980s...

    2. 1) Improve the cloud services on offer (particularly cloud storage). A 5GB google drive isn't going to entice users to a) not store things locally on their device and b) not use some other non-university approved cloud storage.

      MDM seems rooted firmly in the ways of old, lock it down and control it centrally. Take the approach of bigger carrots of decent amounts of storage with clients for many platforms (something Google Drive and Microsoft Live Drive don't offer). Educate users about encrypting their devices. Make services less app based more web/cloud based (therefore there is no data on the device to be stolen). Educate users about the dangers of data stored on their mobile devices. The stick of MDM seems to me to be from the mindset of those who don't understand why users bring their own devices in the first place (i.e. they want a device that is useable, and customised to how they like to work, not locked down).

    3. Thanks for the comments, Anonymous reader!

      I think a lot depends on where you are coming from, e.g. 25GB Gmail quotas are pretty neat if you are chafing under the sort of quota that an institution can typically offer on its own equipment.

      I'd be the first to admit that if you have pimped your way up to 50GB of Dropbox storage, then the prospect of (someone) having to pay real money to do the equivalent on Google Drive is going to be less appealing. I expect that a referrals scheme will eventually emerge for Google Drive too, although not necessarily for organizational Google Apps accounts ;-)

      We should also keep in mind that Google Drive (and its API) haven't been around for as long as Dropbox. So there are lots of web services and apps that have Dropbox integration right now, but no Google Drive integration as yet. A good case in point that I am aware of is the iAnnotate app for the iPad, which I know is much loved by a number of our academics. Expect this to change dramatically over the next six months, for both apps and web services. We may even see the fabled Linux client for Google Drive!

      In terms of risk and the need for "MDM", I think it is fairly self-evident that Universities are in a rather different space to the typical corporate. We are all now being strongly encouraged to open up most aspects of our activities - e.g. educational resources, research data, publications, course marketing information, details of equipment available for sharing. It could reasonably be argued that we should be putting more and more effort into making sharing more frictionless, since this is now a significant part of what gets us brownie points. I think this message will take time to percolate throughout our institutions though...

  2. There was a lot of discussion at EDUCAUSE on BYOD, the expectation is that wireless networks need to be improved to accommodate between 4 and 7 devices per user.

    The core of the enabling activity are
    - service oriented architecture
    - web delivery
    - security and compliance training (especially for staff)
    - and support for extended wireless usage,
    once the offering is changed to provide these things then there are great opportunity both in the areas of user experience and TCO.

    Replies
    1. Thanks, Alex - fascinated by those 7 devices per user cases :-) Do you think someone is mixing up ad-hoc Bluetooth networking (Nike trainers etc) with 802.11 type Wifi infrastructure?

    2. smartphone, tablet, laptop and portable games console .... for the tech lover, seems about right. 7 devices though? that'd be more of an interesting challenge. I too, would like to get more info about that driver/reason! :-)

    3. Check out MG Siegler's TechCrunch iPad mini piece, which I have to confess I originally thought was meant to be satire:
      http://techcrunch.com/2012/11/02/should-you-buy-an-ipad-mini/

      Top prize to the first commenter for this... (continues in a similar vein!)

      "For portability though, it's best to carry a Macbook Pro, Macbook Air, iPad, iPad Mini, iPhone, and iPod Touch. You might point out that the iPod Touch is a bit too much in this combo, but what if your iPhone runs out of battery and you're at a Starbucks with access to free Wifi? Depending on the situation, if you're there for a short time, you wouldn't want to whip out your iPad(s) or Macbook(s). Just use your iPod Touch so you don't look like a douche."

    4. That surely must be satire, Martin?!

      I agree with this comment, from James Fisher, Cincinnati, Ohio "Woah. First world problems!"

  3. Students and staff alike have been bringing their own devices for decades, so the fact that this is making the headlines gives me some concern. Why would senior members of the University suddenly show such an interest?

    Maybe, the University sees an opportunity to save money by phasing out the 'monolithic central desktop' and the support costs that go with it. Replace this with a BYOD model and perhaps you can shift not only the cost of the device, but the cost of its support to the user too? Okay, the end user isn't going to swallow this so you give them a budget for the device but nothing for support; after all these are consumer devices, who needs support anyway?

    So what do you do when the device breaks? If you bought it from John Lewis it probably came with a 5 year warranty and they'll probably give you another one whilst yours is repaired. But if you got it from Amazon, expect nothing. Clearly that just won't wash so the University will need a pool of these devices as spares so that users aren't bereft of their tools for days/weeks on end. However, you can't hold spares of every device, so to minimise your spares inventory you need to dictate the devices that end users can buy. At this point you might as well provide the device as well.

    Providing the spare is all very well but if all the user's data was on their old device they are little better off. Here is where cloud comes in. In order for this model to work you need to move all the end user's data from the local device into a web based service (aka cloud).

    There is little chance of the University having the resources to make all of their in-house services web based and work with iOS, Android and Windows devices. Furthermore, if they did so they would have to provide the support too, and that would be costly. Far cheaper to use third party services, especially if you can get them for free.

    So are BYOD and cloud services just a way to remove the desktop and service support costs from the University? Maybe they aren't very good anyway and those third party providers would be more responsive? Have you asked Google / Apple / Microsoft to modify their service so that it works in the way you'd like it to? Or perhaps you'd like them to keep service X running a little longer as you haven't had time to migrate all your data from it?

    For students, BYOD is old hat, for staff I'd like to see a solid business case; I haven't seen it yet.

    Replies
    1. Thanks for this, anonymous reader - you raise a number of well made points!

      Commodity cloud based services are already quite a big deal here - see my blog posts about our work with Google Apps. We've had formative input into a number of Google products and services, including most recently a fix for Chrome that will let you deploy it across a campus network that uses Windows folder redirection for user storage. Will our priorities and Google's always be in sync? No, of course not.

      Re device support - virtually all our "corporate" apps are actually web based already, with a number hosted externally - including careers opportunities, library catalogue, online tendering and service desk. My experience has been that our hardest platform to support in these web apps is actually Windows + Internet Explorer, because of the plethora of Internet Explorer variants out there, each with their own quirks.

      However, as a University we have a huge investment in specialist software and hardware for research and teaching that is not readily transferable. I hope we will be able to weather the storm (more of the new fees regime than BYOD it must be said!) and, as a byproduct of the introspection prompted by this experience, refocus on extracting the maximum value from the systems and services that the University buys into. In my mind this means a much greater role for documentation and training and first line support. I hope the opportunity to do this will follow naturally from a winding down of the number of "fat" Windows client PCs we support.

      I will stick my neck out here and say that I think by 2020 (end-of-life for Windows 7) our standard setup will be Android based, with a virtual desktop option for legacy Windows apps. I'll blog some more about the March of the Penguins under separate cover...

  4. Hi Martin
    Interesting stuff, thanks. A couple of things have been bothering me about the 'own' part of BYOD, so I wondered whether you'd come across them. I'm thinking of devices that an individual owns and uses for both business and personal purposes. So when you/they point the device at the 'approved' cloud for backup then you are going to have a mix of personal and business information turning up there. And when you remote wipe the device when it is lost (or when the user decides to hand it on to their significant other/child/etc.), the user's personal information is going to be wiped too, so you need some way to put (only) that back again, I think? Or are these non-issues in your experience so far?

    Replies
    1. Thank you for your thoughts on this, Andrew - I think you are bang on about the collision between the 'business' and 'personal'. Although we collectively have a lot of very bright people working for us, I bet that everyone knows someone who has been caught out by something as simple as not realizing that they were keeping their calendar and contacts on the institutional system (be it Exchange, Google Apps or whatever) and losing them as they move to a new employer and their institutional account is zapped.

      There have been some real steps forward recently, e.g. support for multiple user profiles on the latest release of Jelly Bean and FreeTime on the Kindle Fire. However, I think some punters will simply opt out of any system that imposes new external rules on how they use their own device. Just look at the stats on the numbers of jailbroken iPhones and homebrew Android ROMs and bootloader hacks - e.g. over 3m running Cyanogenmod alone.

  5. Thanks for that, Mark - there's a lot to be said for crowdsourcing policies :-)

    I think the article on the Reg is really looking at native app development versus "mobile web" type development, for apps that you were going to develop anyway. In that context it should really take into account the role of cross platform Javascript/HTML/CSS based frameworks like Phonegap/Cordova and Appcelerator Titanium, where the bulk of your app is actually made of web stuff in the first place - so no need to learn Java to code for Android + Objective C to code for iOS.

    So should we all go out and learn how to write (web) apps? I don't think so, but I certainly wouldn't want to discourage anyone who has an interest in this. We are a University and should make it easy (or at least easier) for people to follow their interests and develop new skills, where these are relevant to our work. I think there are a number of lessons we could learn from Internet era firms here, and this is something I'll come back to in the near future on the blog.
