How an acceptable use policy and app control can improve BYOD success
Organizations that adopt BYOD should have an acceptable use policy to help with security and app control. When users know expectations and consequences, BYOD gets easier for IT.
As app control and security become top concerns in the BYOD era, more organizations find that an acceptable use policy can help IT and end users alike.
IT already knows about the risks associated with lost or stolen devices, but the risks that mobile apps pose in a bring your own device (BYOD) setting are less clear, and app control remains a work in progress.
App control: Whose device is it anyway?
When it comes to employer governance over employee-owned devices, controls that minimize loss or theft benefit both parties. But app control and BYOD policy enforcement are more difficult. Employees expect to be able to install personal apps on their smartphones and tablets, and users rarely welcome IT controls that block app installation or use.
Any BYOD initiative that will control mobile apps should utilize an acceptable use policy that identifies conditions, risks, controls and processes. Establishing expectations up front will improve your BYOD program’s success. For example:
- If you intend to stop users from installing apps from their devices’ app stores, the acceptable use policy should include consequences of violating this policy. IT can immediately unenroll or remotely wipe a device in violation of the acceptable use policy.
- If you plan to continuously inventory apps installed on personal devices, the acceptable use policy should explain why -- for malware detection, troubleshooting or other reasons.
- If you want to auto-quarantine non-compliant devices, the acceptable use policy should explain how IT will notify employees and what steps users must take to regain access to their devices.
Next, decide how to enforce your acceptable use policy. Mobile device management (MDM), blacklisting and whitelisting are three possible approaches.
Application installation
Available management options depend on device type and operating system version. For example, IT can configure Apple iOS 5 devices to permit or deny App Store use. Admins can also configure Android devices to permit or deny installing apps from outside Google Play (previously known as the Android Market). Unfortunately, these coarse controls are rarely practical for devices that employees use for both personal and business tasks.
Alternatively, consider using a mobile device management (MDM) or mobile application management tool to auto-install enterprise apps on personal devices and recommend safe public apps that employees can install. This approach is not likely to cover all programs of personal interest to your workers, but it’s a convenient way to deliver passive guidance. Users tend to welcome this kind of opt-in help. When recommending paid apps, using a volume purchasing program can help IT avoid the hassle of reimbursing users.
Blocking bad apps
Another tactic for app control is blacklisting, which lets IT admins take action when users install unwanted or risky apps on their personal devices. A blacklist is a list of apps that users should avoid because of security concerns or other reasons, and many MDM systems support this method of app control for iOS and Android devices. MDM agents can either monitor installed apps continuously or inventory them periodically. If the MDM system detects a blacklisted app, it can send an alert to the admin or user, prevent email, virtual private network and Wi-Fi access, change the device’s passcode, remove enterprise apps and data or even perform a full device wipe.
Blacklists can be a good way for IT to quickly detect malware or mobile apps that consume too much wireless network bandwidth. But maintaining a long blacklist of apps is costly, given the rate at which new apps become available. IT should also tread lightly when taking actions that impede personal use of an employee’s device. Treat blacklisting as a power tool to be used sparingly.
App control with whitelisting
Whitelisting is the opposite of blacklisting. Admins can create a list of approved or recommended apps. When an MDM agent detects an app that isn’t on the whitelist, it can take action against that app.
In theory, this approach to app control is easier to maintain because whitelists are shorter, and IT can easily identify the apps needed for business users. But in practice, whitelists require constant care to keep up with new and updated apps. Whitelists also tend to become riddled with exceptions: Workgroup A needs this app, workgroup B needs that app, the CEO gets any app he wants and so on.
When it comes to personal devices in the enterprise, whitelists are almost always impractical. IT can’t identify every permissible personal app, and it wouldn’t make sense for IT to police a long list of employee-requested apps. Such practices can be practical for devices used exclusively for business. But even then, whitelisting is most effective with purpose-built mobile devices such as barcode scanners and point-of-sale handhelds, not personal smartphones and tablets.
Some MDM systems provide a variation on whitelisting that checks for the presence of listed apps and takes action when apps are missing. For example, the MDM agent can repeatedly remind the user to install IT’s preferred antimalware app from the device’s app store, eventually locking the device if it remains non-compliant. For this reason, look closely at the app control capabilities of your MDM system. There may be additional controls that could help your company automatically enforce your BYOD acceptable use policy.
