mobile device policy

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity." John Girard To the Point: Mobile Device Policy Essentials

Upload: jim-sutter

Post on 19-Jul-2015


TRANSCRIPT


John Girard

To the Point: Mobile Device Policy Essentials


Strategic Planning Assumption

80% of mobile professionals use two+ personal devices to access business systems & data.

By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.

More devices … today

... More diversity tomorrow

Supporting the SPA:

• BYOD pressure is obvious

• Companies can't finance personal diversity

• Innovation driven by choice

Alternate viewpoint:

• BYOD complicates compliance

• Smart device security still weak and largely proprietary

• Worldwide, uptake is patchy


Question

How do you deal with mobile device diversity?

Select the one response that fits best …

• We have a policy and it is "no BYOD"

• We only allow personal iPhones and iPads

• We allow users to bring a wider range of personal devices to work


 | Fully Managed | Semimanaged | Special Services
Ownership | Enterprise | End User (BYOD) or Enterprise | End User or Enterprise
Security | Trusted/Lockdown | Untrusted/Isolation | Untrusted/Manual
Support | IT | 10/90 IT/End-user Split |
IT Responsibility | 100% IT | 50/50 IT/End-user Split | 100% End User

Managed Diversity: A Core IT Policy


Mobile Policy Framework

Accountability and Liability

Existing Policy Practices

Company Controls

Personal Controls

External Controls

Legal/Regulatory Obligations

Qualifying Devices

MDM Life Cycle

Policy Breadth

Device Manageability

Version Controls

Support Policies

Help Desk

Security Policies

User Auth

Containment Options

Data Protection

Web Protection

Diversity Policies

Business Alignment

Financial Compensation

Company Controls

Personal Controls

External Controls

Qualifying Apps


Define Workforce Segmentation

[Matrix: each profile (row) is marked with an X under the business requirements, locations and work styles that apply to it; the individual marks are not reproduced here.]

Business Requirements: Company Directory, Oracle Financials, SAP ERP, Custom Field Application, Pivotal SFA

Locations: Teleworker, Office, Branch Office, Manufacturing, Road

Work Styles: Alerts, Message, Forms, Knowledge, Power

Profile: Target Devices

• Executive Management: Laptop, Tablet, Smartphone

• Research, Design, Planning: Laptop (High End), Tablet

• Marketing: Laptop, Tablet, Smartphone

• National Sales Directors: Laptop, Tablet, Smartphone

• Regional Sales Managers: Laptop, Tablet, Smartphone

• Direct Sales: Laptop, Tablet, Smartphone

• Field Service: Smartphone

• Warehouse/Dock: Tablet (Ruggedized)

• Facilities: Smartphone

• Manufacturing Maintenance: Smartphone

• Manufacturing Supervisors: Laptop, Tablet, Smartphone


Not All Devices Are Equal: Example Matrix

[Matrix: device categories against applications; the individual cell positions are not reproduced here.]

Device categories: iOS Ent. Liable, Samsung Ent. Liable, iOS BYO, Android BYO, Win Phone Ent. Liable

Applications: File Sharing (Casual), Productivity Suite, (App Y), (App X), Email/Calendar/PIM, Docs and Workflow

Cell values: As Available, VDI Only


Policies to Regulate Mobility

Costs, Compliance, People, Technology, Security, Operations

Provisioning, De-commissioning, Auditing, Reporting, Self-service, Patches/Upgrades, Maintenance, Levels of Support (E.g., User Portals, Trouble Shooting).

Mobile Data and Corporate Server Protection (E.g., Monitor and Filter Accesses to Servers).

Application Delivery (E.g., OTA Sw Distribution, Private App Stores).

Containerization of Corporate Footprints on Personal Devices.

Liability, Contracts, Compliance, Health and Safety, Ownership, Benefits, Taxes, Accessibility.

E.g., Email Archiving and Retrieval; Local Data Encryption.

Internal Communication, Demand Management, Privacy, Policy Sharing, Training, Work-life Balance, Rewards.

Voice/Data Costs, Insurance, Warranty, Device Costs, Deployment Costs. Policies Include Inventory, Reporting, Alerts, Policy Enforcement.

Supported Devices, Data Plans, Applications, Services, Infrastructure and IT Integration.


Question

Do you provide economic incentives to encourage better cooperation and control of mobile devices? (Select one)

• Yes for company-provisioned devices but not personal

• Yes to both

• No to either


Policy Choices: Mobile Security Risk and Liability

Tier of Risk: HR and IT Take the Lead:

• Allowed business functions in a mobile setting

• Applications and data distribution

• User authentication: Local device, company network, business app

Boundary of Liability: HR and Legal Take the Lead:

• Compliance requirements: Government, industrial, business partner, contractor, intellectual property, supply chain, customer

• Employee and supervisor must sign acceptable-use policy

• C-level "exceptions"

• Business unit and employee are responsible for compliance

• External media access and encryption

• International travel exposure, mitigation requirements


Policy Choices: Corporate and Personal Baseline

All Devices: IT and Operations Take the Lead:

• Minimum/maximum device level (hardware, firmware, OS)

• Opt-in to company-administered MDM

• PIN length, retry, timeout rules

• Zero-tolerance "no hacking" rule

• Digital signatures for email, apps, Wi-Fi, VPN, and so on

• Data encryption and cleanup

• Loss/theft reporting responsibilities and response escalations

• Contractor exceptions (may not be able to opt-in)

Personal Devices: IT and Legal Take the Lead:

• Company may choose to filter sensitive data

• Employee will accept company lock/wipe decisions

• Kiosk-level or concierge-style access alternative


Policy Choices: Support and Administration

Support/Help Desk: Operations Takes the Lead:

• Self-help wiki

• Limits on supported devices/models

• Personal device assistance and potential chargeback costs

• Certificate installation and revocation for signed apps, services

• Lock, wipe and restoration processes

• Exceptions — especially for C-level

Administrative: Operations Takes the Lead:

• Reporting requirements for lost, stolen or discarded devices

• Network connection control (including Bluetooth, Wi-Fi)

• Synchronization/roaming control

• Logical and physical disposal


Don't Forget These Policy Considerations

• Reimbursement policy and process

• Impact of privacy laws

• Acceptable use definition

• Union employee policy

• After-hours device usage policy

• End-user training program


Question

Where is primary authorship and responsibility for mobile device policies in your company?

(Select the closest choice)

• HR

• IT

• Each business unit

• Interdepartmental team

• CFO

• Other


Recommendations

Establish policies under a mobile center of excellence encompassing IT, HR, risk, legal, and key user departments.

Don't treat all users the same way — segment your base according to geography, platform, required business apps, data needs, security, and costs.

Use the boundaries set in policies to create a tiered support structure for mobile devices as well as a company liability shield.

Tool up! Select mobile defenses using a spectrum of trust.


Recommended Gartner Research

• Use Managed Diversity to Support the Growing Variety of Endpoint Devices. Ken Dulaney (G00214702)

• Toolkit: BYOD Mobile Device Policy Template. Leif-Olof Wallin and Ken Dulaney (G00233049)

• Toolkit: Enterprise-Owned Mobile Device Policy Template. Ken Dulaney and Leif-Olof Wallin (G00234943)

• CFO Advisory: How to Mitigate and Manage Mobility Risk. Leif-Olof Wallin and Nick Jones (G00238823)

• Seven Steps to Planning and Developing a Superior Mobile Device Policy. John Girard (G00225405)

For more information, stop by Gartner Research Zone.