Mobile Device Management Policy | Things to Consider When Adopting an MDM Policy For Your Organization – CIOES VRT 1/22/2013

Mobile Device Management policy has a lot of buzz going on about it these days. We’ve been getting a lot of questions about it, so we figured it would be a good idea to host a Virtual Roundtable to discuss it.

For those of you who were unable to attend, we’ve got the video of it, which you will find below, as well as the transcription; however, both of those are rather long and hard to digest. So, we decided to create a “recap” document. It covers all of the ground that we did in the virtual roundtable, but in a clearly laid out, easy-to-digest piece of content.

Mobile Device Management – also known as MDM, Bring Your Own Device, or BYOD – policy is a pretty complex topic. If it wasn’t, there would be no need for this post or the corresponding Roundtable, now would there?

So, let’s dive right in! Let’s start with the philosophy behind having an MDM policy.

Philosophy Behind Having An MDM Policy

These days, with mobile devices being so prevalent in everyday life, many companies are being forced to develop policies regarding mobile device use, either to protect their proprietary intellectual property or to ensure that sensitive or classified information remains secure.

Some companies have policies that don’t allow anyone to bring mobile devices into the office at all, in an attempt to avoid this issue altogether, while others will allow you to bring in your own phone or tablet, but will restrict your ability to do certain things on them via WiFi.

What is your policy for someone wrapping up their class homework for an evening class on their iPad during work hours? What if they are doing it on their cellular 4G network and not the company secured or unsecured corporate WiFi? The question doesn’t really change if the device is corporate owned versus employee owned. What does your policy state about these different situations?

No matter what the case is for your company, it is important to have a Mobile Device Management policy – that aligns with your business needs – clearly outlined for employee reference.

Tablets and Phones: Apple “i” products, Droid Google Products, Microsoft Windows 8 Products and Mobile Policy

With smartphones being as “smart” as they are these days, users have access to web-enabled browsers simply by operating on their cellular network; the user doesn’t have to have their smartphone hooked into the company WiFi for it to surf the web.

With that in mind, you need to consider the fact that those people who bring their smartphones into the office can still access whatever they want without any impact from the firewall. Employees can access restricted websites.

With respect to developing your own Mobile Device Policy, you should be very specific about the language you use regarding the following:

  • Whether or not employees are permitted to bring mobile devices onto company property
  • If permitted, employee use of mobile devices while on the company network*
  • If permitted, employee use of smartphones while on 3G, 4G, LTE, etc. (off the network, but still on company property)

*Many companies that permit employees to bring smartphones onto company property have adopted the policy that, once on the company network, all devices – whether personal or company issued – are to be treated as company devices. The same can probably be said for smartphone use on company property while not on the network (via 3G, 4G, LTE, etc.).

Company Issued Devices

In the last section, we were working within the BYOD framework – the idea that the devices employees are using for work are their own personal devices. However, this is not always the case. Sometimes employees are issued company-owned devices to use in addition to, or instead of, their own personal devices.

With that said, if you issue your employees company-owned devices, rather than having them use their own devices, it seems fairly reasonable to assume that the company would have absolute control over the security of the contents of the device.

But, what happens if/when an employee loses that company-owned device, or worse – it gets stolen?

Remote Wipe

Whether using a company issued device or a personal one, when crafting these MDM policies, we also have to consider that data security is not only a concern for employees using mobile devices while on company property, but also while they’re off-site.

What if that person loses that device? Or, even worse, what if it’s stolen?

Companies need a way to ensure that, in the event that a mobile device is lost or stolen, the company-related data is not compromised.

This is where something called “remote wipe” comes into play. Remote wipe is the concept of being able to erase the contents of a device from a remote location.

There are many tools that will remotely wipe a device if the password is entered incorrectly a specified number of times, to prevent people from attempting to hack their way into the device. There are also tools that simply allow an IT staff member to erase the contents of a phone with the click of a button.

Most people know by now that Microsoft ActiveSync, although convenient, does not offer the granularity and discrimination between personal photos and business data. When IT initiates a remote wipe, it must ‘nuke’ the entire device. There are many plumbing tools that offer this discrimination, though. Products like AirWatch, Good Technology, and MobileIron are a few that offer this discrimination.

Remote Wipe Waiver

I think a good approach for your Mobile Policy is to have a Remote Wipe Waiver that is a separate and free-standing document for the employee to sign. In it you can explain that, regardless of the IT tool set you are using, IT will endeavor to use any means necessary to protect data if the laptop, phone, or tablet is lost, stolen, misplaced, etc.

Mobile Data Backup

So, what if an employee loses their phone, IT remotely wipes it, and then the employee comes back the next day, having found their device under their car seat, or in the back of their briefcase, and they want their device restored?

Well, now we have entered the realm of Mobile Data Backup.

If you opt to allow for Mobile Data Backup, there are two ways of going about it:

  1. Encouraging your employees to back up their own devices
  2. The company backing up the devices to its own secure cloud, like Venyu, for example. RedZone runs the IT department for about 1500 users and we recommend that all mobile laptops are:
    1. Encrypted using McAfee endpoint encryption
    2. Backed up to the cloud using Venyu trickle backup

Mobile Device Policy Management

How are you being agile and mobile in adjusting to policy changes that need to happen at the speed of technology?

I would recommend evaluating how you implement your IT policies. Many companies attempt to educate new employees regarding corporate policies as employees are being hired. Companies that are more compliance-mandated, or that have strong corporate governance and collaboration between the IT and HR departments, educate and train employees regarding corporate policies on a more regular basis.

I also recommend reviewing ThunderDG to make the process more seamless and less stressful for the employee and for the department administering these programs. ThunderDG offers three main benefits:

  • Electronic delivery and storage of policies
  • Electronic signing of policies
  • Integrated employee training to ensure complete understanding of the policy

Use of a Company Issued Device While Operating a Motor Vehicle

If your business/organization chooses to issue employees company-owned devices, it’s important to consider including something that addresses the use of company-issued devices while operating a motor vehicle.

Why? You would think that these days, with all of the media coverage of the negative impacts of using a mobile device while operating a motor vehicle, this would be fairly common sense, wouldn’t you?

Well, yes, but people still do it.

With that said, one of our CIO Virtual Roundtable participants mentioned that, at a conference he had attended, he heard about a company somewhere in Texas that did not include this type of consideration in their mobile policy. Then, one day, one of the company’s employees was in an accident as a result of using a company-owned device while driving, and was injured to the point that they could not return to work.

This employee then sued the company because it was the company’s device that the employee was using. The company argued that the employee was at fault because he or she did not follow the mobile device policy.

Unfortunately, as the anecdote goes, the employee won the lawsuit due to the fact that this consideration was never actually included in that company’s policy.

Mobile Devices, USBs, and Storage of Corporate Data

When creating a Mobile Device Management policy, it’s easy to only think in terms of phones, tablets or laptops, but USB thumb drives are also mobile devices that can be used to transport company data. The mobile device can also act as  Not to mention, they’re one of the cheapest types of mobile devices, so – compared to a smartphone or tablet – some people won’t think twice about losing a thumb drive.

To cope with the possibility of an employee losing a thumb drive, a company could always opt to password protect the contents; however, what if an employee takes a USB with them after leaving the company?

Be sure that when you create your Mobility policy, you are taking these types of situations into consideration as well.

MDM / BYOD Policy Samples

Now that we’ve gone over some of the aspects of having an MDM or BYOD policy for your business or organization, you’d probably like to see some examples of such a policy.

Don’t worry – we’ve thought of that too!

Click here to check out part 2 of this workshop, where we explore the legal language of actual MDM policies.