BYOD Enables Almost-Unmanaged Desktop

Desktop management started out simple. Install a few applications and join the computer to Active Directory. A few lines of login script and the computer was ready for use. Like anything else, desktop management has become more complex over time. Add constant updating of the operating system and applications, as well as the need for an up-to-date antivirus application. Then add some corporate requirements for consistency and branding. Finally, layer in selective deployment of applications to different business units or individual staff. The whole process becomes a large and complex undertaking. Should we be rethinking this and going back to basics? How little desktop management can we get away with in a modern organization?

We are increasingly letting our staff use their own devices. Personal smartphones and laptops get used for work and carry business data. Usually, we don’t control the whole build of these devices. They belong to our employees, and we just set a minimum standard. That minimum standard is judged good enough for an employee-owned device on our network. So why do we demand more of the devices we own? Why manage and control corporate-owned devices more tightly than the employee devices that we let onto the same network?

Employee-owned devices are a matter of fact for most businesses. Staff want to use their choice of device, and usually IT enables access, provided that a few best practices have been followed. It started with iPhones being used to access Exchange servers. The infrastructure that enabled iPhones can also be used to access Exchange from a personal laptop. With the increasing use of web applications and a sprinkling of VDI, it is easy to get a day’s work done without using a company desktop.

Naturally, there are some limits and requirements on these personal devices. Whatever device you bring must be patched with the latest, or near-latest, released patches. The device must also have protection against viruses and other malware. And usually, there are specific web browsers and Office software versions that are supported. Larger companies will put in place some endpoint checking, typically a posture check at connection time, to make sure everything is installed and updated before allowing network access. Smaller companies will simply write a policy and ask staff to make sure they comply.

This is a long way from the usual management of a company’s desktops and laptops. Of course, we have mechanisms to make sure a device is patched and protected from malware. We usually see a lot of use of Windows Group Policy to control company devices. Locked-down security and a whole collection of settings to protect the device and the user are put in place. Managing the fleet of PCs often involves many layers of control and a lot of complexity.

But is there really any point to this management? We let users bring their own devices and do almost no management of those devices. What would be wrong with applying the same minimal management to company PCs? Companies could use Group Policy to enforce just the baseline: automatic updates turned on, and an antivirus application installed and kept current. Then, they could hand the device to the staff member who will use it. Let them install applications just as they would on a personal device. Hand over control, and responsibility, to the end user. In mobile device terms, this is called “COPE,” for corporate-owned, personally enabled.
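The "minimum standard" described above (patched, protected against malware, supported software) and the minimal Group Policy baseline just proposed are the same thing looked at from two sides: a small set of checks that a device, employee-owned or COPE, has to pass before it is let onto the network. The script below is an added example, not code from the original post, of what such a posture check looks like on a Windows device. It uses the built-in Microsoft Defender cmdlet, so a third-party antivirus would need a different query; the thresholds (30-day patch age, 7-day signature age) and the supported-browser list are hypothetical policy values chosen for illustration.

```powershell
# Added example: minimal endpoint posture check for a BYOD or COPE Windows device.
# Policy values below are hypothetical; set them to match your own minimum standard.
$Policy = @{
    MaxPatchAgeDays     = 30   # hypothetical: newest installed update must be this recent
    MaxSignatureAgeDays = 7    # hypothetical: AV signatures must be this recent
    MinBrowserMajor     = @{   # hypothetical supported browser versions (major number)
        'msedge.exe' = "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
        'chrome.exe' = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
    }
    MinBrowserVersion   = 100  # hypothetical minimum major version for any supported browser
}

function Get-PatchStatus {
    # Get-HotFix wraps Win32_QuickFixEngineering; InstalledOn is null for some entries, so filter them out.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
    [pscustomobject]@{
        Check = 'Patching'
        Value = if ($latest) { "$($latest.HotFixID) installed $ageDays days ago" } else { 'no dated updates found' }
        Pass  = ($ageDays -le $Policy.MaxPatchAgeDays)
    }
}

function Get-AntivirusStatus {
    # Get-MpComputerStatus reports Microsoft Defender only; it throws if Defender is absent or disabled by policy.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $pass = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
                ($mp.AntivirusSignatureAge -le $Policy.MaxSignatureAgeDays)
        [pscustomobject]@{
            Check = 'Antivirus'
            Value = "enabled=$($mp.AntivirusEnabled) realtime=$($mp.RealTimeProtectionEnabled) sigAgeDays=$($mp.AntivirusSignatureAge)"
            Pass  = $pass
        }
    } catch {
        [pscustomobject]@{ Check = 'Antivirus'; Value = 'Defender status unavailable'; Pass = $false }
    }
}

function Get-UpdatePolicyStatus {
    # Group Policy writes Windows Update settings here; NoAutoUpdate=1 means automatic updates are switched off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'AutoUpdate'
        Value = if ($au) { "NoAutoUpdate=$($au.NoAutoUpdate) AUOptions=$($au.AUOptions)" } else { 'no policy set (Windows defaults apply)' }
        Pass  = -not ($au -and $au.NoAutoUpdate -eq 1)
    }
}

function Get-BrowserStatus {
    # Pass if at least one supported browser is installed at or above the minimum major version.
    $found = foreach ($entry in $Policy.MinBrowserMajor.GetEnumerator()) {
        if (Test-Path $entry.Value) {
            $ver = (Get-Item $entry.Value).VersionInfo.ProductVersion
            [pscustomobject]@{ Name = $entry.Key; Major = [int]($ver.Split('.')[0]) }
        }
    }
    $ok = @($found | Where-Object Major -ge $Policy.MinBrowserVersion)
    [pscustomobject]@{
        Check = 'Browser'
        Value = if ($found) { ($found | ForEach-Object { "$($_.Name)=$($_.Major)" }) -join ' ' } else { 'no supported browser found' }
        Pass  = ($ok.Count -gt 0)
    }
}

function Test-EndpointPosture {
    # Returns the individual results plus an overall verdict; a NAC or login script can act on .Compliant.
    $results = @(Get-PatchStatus; Get-AntivirusStatus; Get-UpdatePolicyStatus; Get-BrowserStatus)
    [pscustomobject]@{
        Compliant = -not ($results.Pass -contains $false)
        Results   = $results
    }
}

$posture = Test-EndpointPosture
$posture.Results | Format-Table -AutoSize
if (-not $posture.Compliant) { Write-Warning 'Device does not meet the minimum standard'; exit 1 }
```

Run it in an elevated PowerShell session (Get-MpComputerStatus and the policy registry key need administrator rights). The point of the layout is that the same four checks serve both device classes: on a personal laptop the script is the whole standard, and on a COPE desktop it is the only thing Group Policy has to guarantee before the device is handed to the user.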

With a COPE device, we manage as little as possible: just enough to protect the business. We allow the user to be responsible for as much as possible and let them use what they need to get the job done. In a way, the idea is to enable shadow IT rather than fight it. Employees are enabled to use the tools and applications they need in order to get their job done. Rather than everything being denied by default, everything is allowed. By making the desktops COPE devices, we effectively make them semi-trusted. Just as with employee-owned devices, they are not fully trusted, and the controls that protect business data have to live with the applications and data rather than on the endpoint. This approach allows both device types to reside on the same network. We get a simpler network, as we don’t need to isolate company desktops from employee devices. We also have a much clearer need to treat the network close to users as less trusted than the network inside the data center.

We have moved to “post-PC” computing, which really means PC plus other things. This means that desktop management is not enough, but it could also mean that desktop management is less important. Will your business be better served by managing desktops less?
