Government agencies and their employees like BYOD because it gives employees mobile access to work email and documents, on their favorite devices, without having to allocate IT funds for hardware.
Mobile device management (MDM) solutions have been touted as the simplest, most cost-effective way to reduce security threats from BYOD phones. Yet many government IT pros who’ve deployed MDM regret what was supposed to be a cost-cutting measure once they realize all the tradeoffs they’re making, including in the area of security.
Here are three reasons why BYOD and MDM simply don’t go well together in government.
1. MDM Is a Great Solution for Some, Not All
MDM does exactly what the name says: it manages a mobile device, through the management APIs the mobile operating systems expose, with a single policy covering both personal and work use of the device. But it’s not the device that cybercriminals and spies are after. They want the data on that device, including the behind-the-firewall data that the applications on the device can reach.
Because MDM manages the device as a single security perimeter, it fits use cases with one owner of the data: a corporate-liable device, whether COBO (corporate-owned, business only), CYOD (choose your own device), or even COPE (corporate-owned, personally enabled). It treats the whole device as subject to corporate policy (while still relying on the platform’s native security), with no differentiation between personal and business data, applications, or perimeters.
In BYOD, however, users will complain about having to enter your mandated complex enterprise password just to answer a personal text or play a game on their phones. The real benefit of two-factor authentication for access to work apps will be offset by the inconvenience it adds to every personal use. And because one unlock opens everything, a BYOD user who unlocks the device just to let a friend or family member make a quick call has also opened your work applications and data to that person.
With MDM, you’re also relying heavily on device-level security, so if users are bringing a mix of Android, iOS, BlackBerry, and other devices, you end up with a complex and uneven security posture, and with increased risk or increased cost to manage your mobile security.
There doesn’t seem to be a middle ground between government-grade security and end-user happiness with MDM in BYOD. Rather, a completely different approach is needed in this situation.
2. Dual-Owner Dilemmas
MDM can’t address the fact that there are two owners of data in a government BYOD scenario: the user owns personal data, and the agency owns the work data. Each type of data has different requirements for security controls, privacy, and usability, and by putting a barrier around the entire device, there’s no way to separately meet those requirements.
Many employees already view MDM control as a potential invasion of privacy, but they are really upset when they leave the organization or lose their device and your security wipe of business data also wipes their personal photos, messages, and contacts.
3. MDM and Help Desk Headaches
MDM also creates problems when users get locked out of their devices until their password is reset. Can you guarantee help desk support fast enough to reset a password in an emergency? One government health ministry CISO told me that this is a concern for its leadership. The ministry’s doctors are extremely frustrated when they are locked out of their personal devices, because they handle many time-sensitive, private matters, and the inability to use the device immediately in an emergency could lead to a real loss.
Even when a user’s temporary lockout is not a matter of life or death, you can count on increased help desk costs, lost productivity, and unhappy users. Additional headaches come from the complexity and cost of using MDM to support all the different operating systems and interfaces employees bring to the workplace. Solving even a simple problem looks different on every type of handset, which reduces productivity, satisfaction, and data security for both the IT team and users.
Mending The Fence With BYOD
The best way to manage BYOD, and the dual data ownership that comes with it, without compromising organizational security, data privacy, or end-user experience is to trade your MDM software for a unified endpoint management (UEM) solution such as BlackBerry Unified Endpoint Management. UEM includes MDM plus mobile application management (MAM), mobile content management (MCM), identity and access management (IAM), and mobile security and containerization.
BlackBerry UEM puts work applications and data in a container walled off from personal data, so you can apply authentication, data-protection, and wipe policies to the business side without interfering with users’ personal data or device use. Because the container still runs on the user’s device, compliance checks on the device itself (for example, blocking jailbroken or rooted devices) remain part of the picture.
By migrating to BlackBerry UEM, you’ll be prepared for upcoming data-privacy regulations, be able to maintain consistent security policies across platforms, make users happier and more productive, and decrease IT support costs and hassles. We have enabled customers of different sizes, industries, and regions to migrate successfully to BlackBerry UEM from MobileIron, AirWatch, and other common MDM products.
For more information about how you can join these leading governments and enterprises in gaining protection, productivity, and compliance in your enterprise mobility solutions, visit BlackBerry for Government.
About Sinisha Patkovic
VP Government Solutions. I work closely with Government and Fortune organizations' CEOs, CIOs, CISOs, and their boards on improving Cyber Governance, and enabling them to achieve their goals of Faster, Smarter, and Better delivery of services to their customers. I have also been actively engaged in public-private dialog on emerging issues spanning cyber-security, e-commerce, and privacy across mobile and IoT services.