This is the second part in a series designed to help organizations develop their “BYOD” (bring-your-own-device) strategies for personally-owned smartphones and tablets in the enterprise. Chapter 1 of the series, “Building Bring Your Own Device Strategies,” introduced core components of a BYOD program. This chapter compares two technical approaches to BYOD: the walled garden vs. the enterprise workspace.
Summary

The “enterprise workspace” approach to BYOD is secure, cost-effective, extends to apps, and drives user satisfaction. It allows IT to configure, monitor, and control enterprise data and access across the mobile device without compromising the native user experience. This is the approach MobileIron takes to BYOD. We will describe this approach in detail in Chapter 3 of this series.

The “walled garden”, or container, approach to BYOD focuses heavily on security, but compromises the user experience, which is the foundation of a BYOD program. End-users are not allowed to use the native email, PIM, or browser experience of the device and must, instead, download a separate app that tries to replicate those capabilities. This is the approach Good Technology takes to BYOD and it can have several limitations:

• Low user satisfaction because it forces use of an email app the end-user doesn’t want
• Limited incremental risk management, especially after Apple’s iOS 5 release
• Limited ability to support mobile apps
• High cost of ownership due to upgrade, scale, and maintenance overhead

Walled gardens can be attractive in the early generations of a mobile operating system before the native email experience is fully secured and before the mobile device is being used for apps. However, the security capabilities of mobile operating systems like iOS 5 have evolved rapidly. As a result, a BYOD program built around a walled garden email experience is neither required nor sustainable for most enterprises.
User Satisfaction

The underlying principle of BYOD is that professionals are more productive on technologies of their own choosing. Allowing employees to bring their personal devices to work, but forcing them to use a different email app or browser than the one they want, puts the entire program at risk. But user experience is subjective, so we recommend testing with a pilot group of users:

• Give half the group the native email experience with ActiveSync and MobileIron.
• Give the other half the walled garden experience.
• Let them run for one week then have them switch to the other approach.
• Survey them on:
  o Overall satisfaction
  o Quality of email and PIM interface
  o Speed of email delivery, especially download
  o Integration with other on-device services, like voice commands

Walled gardens like Good compete head-on with Apple, Google, Android device manufacturers, and Microsoft, who are all building integrated native email experiences for their devices. These companies, especially Apple, invest heavily in design. Third-party email providers have difficulty competing with Apple on user experience, and the native email experience inevitably becomes the end-user’s preferred option. User experience is the litmus test for the sustainability of a BYOD program. If control trumps user experience, adoption will suffer.
Risk Management

Corporate security programs leverage technology and education to drive appropriate behavior and reduce the risk of corporate data loss. BYOD programs introduce new variables for IT and, therefore, new types of risk. Traditionally, the primary selling point of the walled garden has been to minimize this risk by putting all enterprise data into a single container on the device. But does that actually reduce risk? There are several security requirements to consider:

• Encryption
  o Walled gardens encrypt email.
  o But in 2009, Apple encrypted all new iOS devices and, in 2010, added an extra layer of data protection for iOS native email content. Apple has also submitted their encryption for FIPS 140-2 certification.
  o Note that some walled gardens do not use the hardware-based cryptography of iOS, so the only factor used for encryption is the PIN code of the app itself. Such approaches cannot get the same strength of encryption as iOS native email, which can use both hardware cryptography and the device PIN. The only option for increasing strength in this case is to force the user to an unsustainable, extremely long PIN (20+ characters).
  o Android also now offers encryption, starting with version 3.0 of the operating system for tablets and with version 4.0 for smartphones.
  o MobileIron monitors all these encryption states and enforces action if the device is non-compliant.
• Identity
  o Walled gardens can set passwords for the email client.
  o But because the device has capabilities beyond email as well, a password also needs to be set at the device level. Having two passwords is a poor user experience.