BYOD Enables Almost-Unmanaged Desktop

Desktop management started out simple. Install a few applications and join the machine to Active Directory. A few lines of login script and the computer was ready for use. Like anything else, desktop management has become more complex over time. Add constant updating of the operating system and applications, plus the need for an up-to-date antivirus application. Then add corporate requirements for consistency and branding. Finally, layer in selective deployment of applications to different business units or individual staff. The whole process becomes a large and complex undertaking. Should we be rethinking this and going back to basics? How little desktop management can we get away with in a modern organization?

We are increasingly letting our staff use their own devices. Personal smartphones and laptops get used for work and carry business data. Usually, we don’t control the whole build of these devices. They belong to our employees, and we just set a minimum standard. This minimum standard is considered good enough for an employee-owned device on our network. So why do we hold the devices we own to a higher standard? Why manage and control corporate-owned devices more tightly than the employee devices that we let onto the same network?

Employee-owned devices are a fact of life for most businesses. Staff want to use their choice of device, and usually IT enables access, provided that a few best practices have been followed. It started with iPhones being used to access Exchange servers. The same infrastructure that enabled iPhones can also be used to access Exchange from a personal laptop. With the increasing use of web applications and a sprinkling of VDI, it is easy to get a day’s work done without ever touching a company desktop.

Naturally, there are some limits and requirements on these personal devices. Whatever device you bring must be patched with the latest, or near-latest, released patches. The device must also have protection against viruses and other malware. And usually, there are specific web browser and Office versions that are supported. Larger companies will put in place some endpoint checking (network access control) to confirm everything is installed and updated before allowing network access. Smaller companies will simply write a policy and ask staff to make sure they comply.

This is a long way from the usual management of a company’s desktops and laptops. Of course, we have mechanisms to make sure a company device is patched and protected from malware. We usually see heavy use of Windows Group Policy to control company devices. Security is locked down with a whole collection of settings meant to protect the device and the user. Managing the fleet of PCs often involves many layers of control and a lot of complexity.

But is there really any point to this management? We let users bring their own devices and do almost no management of those devices. What would be wrong with applying the same minimal management to company PCs? Companies could use Group Policy to configure updates and to keep an antivirus application installed and current. Then, they could hand the device to the staff member who will use it and let them install applications just as they would on a personal device. Hand over control, and responsibility, to the end user. In mobile device terms, this is called “COPE,” for corporate-owned, personally enabled.
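The post describes the minimum standard twice: the checks a personal device must pass before it is let onto the network, and the handful of things Group Policy would still enforce on a COPE desktop (updates and an antivirus application). As an added example, not code from the original post, the script below is one way to express that baseline as a single compliance check that a login script, scheduled task or NAC agent could run. It assumes a Windows 10/11 host with Microsoft Defender and the Windows Update Group Policy keys in their usual registry location; the age thresholds are assumptions chosen for illustration and are not values from the post.

```powershell
# Added example (not from the original post): a minimal "COPE baseline" check.
# It reports on the three things the post says a device must satisfy:
# patched recently, anti-malware on and current, and automatic updates not
# switched off. Assumes Windows 10/11 with Microsoft Defender.

$MaxPatchAgeDays     = 45   # assumed threshold: newest hotfix must be newer than this
$MaxSignatureAgeDays = 7    # assumed threshold: Defender signatures must be newer than this

function Get-ComplianceReport {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Patch level: date of the newest installed hotfix.
    $latestPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latestPatch) {
        $findings.Add('No installed hotfix with an install date was found')
    } elseif ((New-TimeSpan -Start $latestPatch.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
        $findings.Add("Newest hotfix $($latestPatch.HotFixID) installed $($latestPatch.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days")
    }

    # 2. Anti-malware: Defender engine on, real-time protection on, signatures fresh.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
    }

    # 3. Update policy: the registry values behind the Group Policy setting
    #    "Configure Automatic Updates". NoAutoUpdate=1 means automatic
    #    updating has been switched off, whether by a user with admin rights
    #    or by something running as one.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings.Add('Automatic Updates disabled by policy (NoAutoUpdate=1)')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

$report = Get-ComplianceReport
$report | Format-List

# Exit code lets a scheduled task, login script or NAC agent gate
# network access on the result without parsing the output.
if ($report.Compliant) { exit 0 } else { exit 1 }
```

Run it elevated on a domain-joined desktop and the Findings list is the gap between the machine and the baseline. The third check matters most for a COPE device: once the user has local admin rights, Group Policy can still set the update and antivirus values centrally, but the check is how you learn that they have since been undone.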

With a COPE device, we manage as little as possible: just enough to protect the business. We let the user be responsible for as much as possible and use what they need to get the job done. In a way, the idea is to enable shadow IT rather than fight it. Employees are free to use the tools and applications they need in order to do their job. Rather than everything being denied by default, everything is allowed. By making the desktops COPE devices, we effectively make them semi-trusted. Just as with employee-owned devices, they are not fully trusted. That lets both device types reside on the same network, which is simpler, because we no longer need to isolate company desktops from employee devices. It also makes explicit something that was already true: the network close to users must be treated as less trusted than the network inside the data center.

We have moved to “post-PC” computing, which really means PC plus other things. That means desktop management alone is no longer enough, but it could also mean that desktop management matters less than it used to. Will your business be better served by managing desktops less?

Posted in End User Computing

4 Comments on "BYOD Enables Almost-Unmanaged Desktop"
An interesting standpoint. I suppose the rub of the matter is that if you’re going to hand users control of the device, to install applications etc., then you’re giving them admin access. If you do that, then how do you mitigate the fact that they could usurp any policies set, turn off updates, etc.? Giving them a separate admin account for installations and the like would be a good first defence against hostile malware, but how do you control their level of access to the device? How do you protect them from themselves, essentially? Of course, you could simply make…
Hello, I would treat each BYOD as an already infected device. Because of that, it is in a trust zone all by itself, with enough safeguards to ensure that whatever is on the device does not spread. There are a number of tools (hardware + software) that will make this a reality. The key is to not place corporate items on such a device without having safeguards. One such could be to use an application on the device that acts as an encrypted enclave, that does not extend out of the enclave, etc. Should corporate email use the same interface?…
Simon Bramfitt
No, no, no, no. Adopting an untrusted network model to address the risk associated with unmanaged devices sounds fine on paper, and as Edward said, “There are a number of tools (hardware + software) that will make this a reality.” But you’re now replacing a desktop management solution with a network management solution. Placing the onus of responsibility on the employee to keep their device patched and protected against threats they do not understand is a legal minefield, and punting that to HR as their problem to address will, if anything, finish up costing more than retaining the status quo…