This post originally appeared on TechSoup.org's blog and was written by Jim Lynch, Co-Director of TechSoup's GreenTech program.
It's happening in nearly every office – employees are using their own mobile phones and tablet computers for work email and countless other work things. The trend is called "Bring Your Own Device" (BYOD) or the consumerization of IT. Having all kinds of diverse devices and software floating around in the workplace wreaks havoc with IT systems. What's an organization to do to get a handle on this?
Many nonprofit and library workers and volunteers get work email or access databases or use the organization’s intranet using their personal devices. IT systems are expected to open their systems up for this, but in doing so, they tend to lose control of important organizational data, need to support additional applications that serve personal devices, and face legal liabilities in case a personal device is lost or stolen.
Organizations with government grants or who are involved in healthcare are especially liable for organizational data going all over the place. And so the question of ownership of devices like mobile phones and tablet computers and control over their use becomes very important. On the one hand, people are more productive when they use their personal devices for work. On the other hand, it’s an IT headache.
Getting a Handle on BYOD
In looking at the literature on the subject, it looks to me like the logical approach is to limit BYOD users in two ways: the types of personal devices they can use for work; and to limit the number of people IT needs to heavily support.
In terms of limiting devices, it’s much easier for an IT department to support a few types of devices than all devices. If lots of workers have iPhones and iPads, and another significant group has Android or Windows mobile devices, then companies seem to be opting to limit support to two or three types of personal devices, and they may opt to define what apps on each platform they support for accessing organizational email, for instance.
In terms of limiting users, IT departments seem to be thinking of their employees in terms of segments or tiers. TechSoup itself has adopted a tiered user policy. This simply means that mission-critical and frequent mobile users like remote workers are fully supported both in terms of IT and perhaps also in getting subsidies for paying for mobile service. Occasional BYOD users or people who spend most of their time in the office get less support.
InfoWorld's Guide to a Successful BYOD and Mobile IT Strategy recommends this approach (free PDF download, but requires a registration):
For example, you might segment your staff as follows:
- Those who use the most sensitive data get company-paid, company-managed devices.
- Those who work extensively away from their desks receive subsidies for most or all of their personal device charges.
- Those who work away from their desks occasionally receive a partial subsidy for their personal device use.
- Those who rarely work away from their desks receive no subsidy, and you may consider locking their devices out of your systems altogether.
How BYOD Affects Workers
Perhaps the most controversial thing about such policies are the amount of ownership that an organization takes over personal devices. The most dramatic example of this that I’ve found is a news story by National Public Radio entitled Wipeout: When Your Company Kills Your iPhone. It’s a sad tale of a woman who was getting work email on her phone, and then suddenly the phone went dead. It turns out her company mistakenly did a "remote wipe" of her phone that erased everything on it. She was understandably irate about her IT department doing that to her phone that she pays for every month. The moral of the story, as Galen Gruman put it in the InfoWorld guide linked above: “Employment policies boil down to ‘if you access business communications like email from a personal device, you give us the right to manage, lock, and even wipe that device, even if you end up losing personal data and apps as a result.’ This is often codified with a written agreement that spells out management expectations for both parties.”
I’m sure this isn’t the end of the story, but it sure is a scary beginning.