There is no doubt that a new reality is setting in for IT.
The focus on management of PCs has been steady ever since Group Policy was introduced with Microsoft's Active Directory. There were other tools before this, but the perfect storm of security threats, viruses and Internet connectivity brought the cold reality of endpoint management to the forefront.
Seemingly in unison, most IT departments used the power of Group Policy and associated tools for enterprise device control, ensuring that screensaver passwords were updated and that applications and operating systems received patches.
Traditional endpoint management tools have focused on customized OS deployment, software distribution, patch installation and asset management. These were dependent on domain-joined computers (a requirement for Windows) and an expectation that the nodes exist on the corporate LAN. Sometimes a client for Linux or Mac would be thrown in, but usually for a subset of the overall products.
While we were taking care of Windows desktops and securing servers, new network nodes snuck in the back door. If you don't believe the numbers, check your Dynamic Host Configuration Protocol server database and see where IP addresses are going.
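As an added example (not the article's own tooling), the following PowerShell script performs the DHCP check described above: it pulls every active lease from a Windows DHCP server and flags the ones whose host name does not match any computer object in Active Directory. The DHCP server name and output path are placeholders, and the DhcpServer and ActiveDirectory RSAT modules are assumed to be installed.

```powershell
# Added example, not from the original article. Assumes the DhcpServer and
# ActiveDirectory modules are available; the server name below is a placeholder.
param(
    [string]$DhcpServer = 'dhcp01.corp.example',
    [string]$OutFile    = '.\unmanaged-leases.csv'
)
Import-Module DhcpServer
Import-Module ActiveDirectory

# Lookup of every domain-joined computer, keyed by short name and FQDN (lower-cased).
$managed = @{}
Get-ADComputer -Filter * -Properties DNSHostName | ForEach-Object {
    $managed[$_.Name.ToLower()] = $true
    if ($_.DNSHostName) { $managed[$_.DNSHostName.ToLower()] = $true }
}

# Walk every IPv4 scope on the DHCP server and collect its active leases.
$results = foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scope.ScopeId |
        Where-Object { $_.AddressState -like 'Active*' } |
        ForEach-Object {
            # Clients report either a bare name or an FQDN; check both forms.
            $name  = ([string]$_.HostName).ToLower()
            $short = $name.Split('.')[0]
            [pscustomobject]@{
                ScopeId   = $scope.ScopeId
                IPAddress = $_.IPAddress
                ClientId  = $_.ClientId          # MAC address; OUI hints at the vendor
                HostName  = $name
                Expires   = $_.LeaseExpiryTime
                # Host names are client-supplied, so this is a hint, not proof of identity.
                Managed   = [bool]($managed[$name] -or $managed[$short])
            }
        }
}

$unmanaged = $results | Where-Object { -not $_.Managed }
$unmanaged | Sort-Object ScopeId, IPAddress | Format-Table -AutoSize
$unmanaged | Export-Csv -Path $OutFile -NoTypeInformation
'{0} active leases, {1} with no matching AD computer object' -f $results.Count, $unmanaged.Count
```

Because a device chooses the host name it sends in its DHCP request, treat the resulting list as a starting point for inventory and follow-up rather than an authoritative record of what is and is not managed.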
More non-company devices than ever before have access to the enterprise network and data. Personal laptops, smartphones and tablets are everywhere, and everyone wants to use them to access work data with unmanaged software and operating systems.
The latest mobile devices offer additional productivity through apps, Web services and the cloud. IT must respond to the challenges of maintaining proper access control and security as sensitive data traverses public networks and various devices. Some devices will adhere to these controls, but IT must distinguish between sensitive company data and personal data. It's much more difficult to justify complete device control over a personally owned device, even if it is accessing company data.
The incoming generation of users expects to get work done with fewer devices rather than toting a laptop, a notebook, a tablet and a smartphone. A unified infrastructure must take into account authentication, software installation and patching, malware and antivirus controls, and licensing.
Some IT managers have been fighting against bring your own device (BYOD) policies because they claim that company-owned computers and mobile devices are key to ensuring data security and regulatory compliance.
Employees, however, are taking consumer and company-issued devices and forging their own BYOD practices. For example, they may use a cloud app for sharing files with clients, a USB stick for a PowerPoint presentation and a tablet for note taking. End users likely log into enterprise email and webmail with their own smartphones, too.
Fulfilling the promise of BYOD
BYOD has become a desirable option for many employees. From simple email access to full admittance to internal resources, users expect to connect any smart device to their work resources. How can the IT department do that while still keeping the security and control it built over the past decade?
There are two distinct points of interest to making a BYOD initiative work. One is the endpoint device, and the other is company data. This distinction provides a way to look at your resources with the correct perspective. You will obviously need some kind of device control because the devices will exist on your network and will need to be trusted in some fashion, but it's more important to worry about the data.
Data can exist in multiple places, from internal file shares to external cloud apps. Decoupling data from the server, application or endpoint is necessary to cope with the reality that data is portable and often duplicated.
Ask where your data will rest. If you handle endpoint management properly, it should be fully accessible from numerous devices, both corporate-owned and personal.
The shift from desktops and laptops to mobile devices has spurred a move toward lightweight management techniques. Outside the corporate firewall, users may never log into Active Directory or run scripts at boot; instead, management may be handled by preloaded agents running in the background that initiate contact with an on-premises management system or one that lives in the cloud.