Desktop management started out simple. Install a few applications and join to Active Directory. A few lines of login script and the computer was ready for use. Like anything else, desktop management has become more complex over time. Add constant updating of the operating system and applications as well as the need for an up-to-date antivirus application. Then add some corporate requirements for consistency and branding. Finally, layer in some selective deployment of applications to different business units or individual staff. The whole process gets to be a large and complex undertaking. Should we be rethinking this and going back to basics? How little desktop management can we get away with in a modern organization?

We are increasingly letting our staff use their own devices. Personal smartphones and laptops get used for work and carry business data. Usually, we don’t control the whole build of these devices. They belong to our employees, and we just set a minimum standard. This minimum standard is good enough for an employee-owned device on our network. Why do we do better with the devices we own? Why manage and control corporate-owned devices more tightly than the employee devices that we let onto the same network?

Employee-owned devices are a matter of fact for most businesses. Staff want to use their choice of device, and usually IT enables access, provided that a few best practices have been followed. It started with iPhones being used to access Exchange servers. The infrastructure that enabled iPhones can also be used to access Exchange from a personal laptop. With the increasing use of web applications and a sprinkling of VDI, it is easy to get a day’s work done without using a company desktop.

Naturally, there are some limits and requirements on these personal devices. Whatever device you bring must be patched with the latest, or near-latest, released patches. The device must also have protection against viruses and other malware. And usually, there are specific web browsers and Office software versions that are supported. Larger companies will put in place some endpoint checking to make sure everything is installed and updated before allowing network access. Smaller companies will simply write a policy and ask staff to make sure they comply.

This is a long way from the usual management of a company’s desktops and laptops. Of course, we have mechanisms to make sure a device is patched and protected from malware. We usually see a lot of use of Windows Group Policy to control company devices. Locked-down security and a whole collection of settings to protect the device and the user are put in place. Managing the fleet of PCs often involves many layers of control and a lot of complexity.

But is there really any point to this management? We let users bring their own devices and do almost no management of those devices. What would be wrong with applying the same minimal management to company PCs? Companies could use Group Policy to set up updates and have an antivirus application installed and updated. Then, they could hand the device to the staff member who will use it. Let them install applications just like they would on a personal device. Hand over control, and responsibility, to the end user. In mobile device terms, this is called “COPE,” for corporate-owned, personally enabled.
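The endpoint checking mentioned above (confirming that patches and antivirus are in place before a device gets network access) and the minimal COPE baseline just described come down to the same few checks. The script below is an added example, not code from the original post, showing what such a baseline check looks like on a Windows device in PowerShell. It uses the Defender module (Get-MpComputerStatus), Get-HotFix, the Microsoft.Update.Session COM API and Get-LocalGroupMember; the age thresholds and check names are assumptions chosen for illustration, not values from the post.

```powershell
# Added example (not from the original post): a minimal "is this endpoint at
# the COPE baseline?" check for Windows. It verifies the two things the post
# keeps as non-negotiable (patching and antivirus), records who holds local
# admin rights, and emits a pass/fail object an enrolment script or service
# desk tool could act on. Thresholds are assumptions, not values from the post.
param(
    [int]$MaxSignatureAgeDays = 3,    # assumed: AV definitions older than this fail
    [int]$MaxPatchAgeDays     = 45    # assumed: no hotfix installed within this window fails
)

$result = [ordered]@{ Computer = $env:COMPUTERNAME; Checks = @{}; Compliant = $true }

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    # $result is a hashtable in the parent scope; mutating its keys does not
    # create a new local variable, so the caller sees the update.
    $result.Checks[$Name] = [pscustomobject]@{ Pass = $Pass; Detail = $Detail }
    if (-not $Pass) { $result.Compliant = $false }
}

# 1. Antivirus: Microsoft Defender status via the Defender module.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Check 'AV.RealTime' $mp.RealTimeProtectionEnabled `
        "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Check 'AV.SignatureAge' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "signature age $($mp.AntivirusSignatureAge) day(s)"
} catch {
    # No Defender status at all (module missing, third-party AV, or disabled service).
    Add-Check 'AV.Present' $false "Defender status unavailable: $($_.Exception.Message)"
}

# 2. Patching: most recently installed hotfix, and whether Windows Update still
#    reports applicable updates outstanding.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$fixAge  = if ($lastFix) { (Get-Date) - $lastFix.InstalledOn } else { [timespan]::MaxValue }
$detail  = if ($lastFix) { "last hotfix $($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" }
           else { 'no hotfix install dates recorded' }
Add-Check 'Patch.Recent' ($fixAge.TotalDays -le $MaxPatchAgeDays) $detail

try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    Add-Check 'Patch.NonePending' ($pending.Count -eq 0) "$($pending.Count) update(s) pending"
} catch {
    Add-Check 'Patch.NonePending' $false "Windows Update search failed: $($_.Exception.Message)"
}

# 3. Admin rights: on a COPE device the user may be a local admin by design, so
#    this is recorded rather than failed. It lets the service desk see which
#    devices can override the baseline, the concern the first reply raises.
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name -join ', '
Add-Check 'Admins.Recorded' $true "local Administrators: $admins"

# Emit the report; $result.Compliant is $false if any check above failed.
[pscustomobject]$result
```

Run it as the signed-in user on the device being assessed (Get-MpComputerStatus and the Windows Update search do not need elevation; Get-LocalGroupMember does on some builds, which is why it uses -ErrorAction SilentlyContinue). The point of keeping the list this short is the post's argument: patching and malware protection are the floor we already demand of employee-owned devices, and everything beyond that is a choice.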

With a COPE device, we manage as little as possible: just enough to protect the business. We allow the user to be responsible for as much as possible and let them use what they need to get the job done. In a way, the idea is to enable shadow IT rather than fight it. Employees are enabled to use the tools and applications they need in order to get their job done. Rather than everything being denied by default, everything is allowed. By making the desktops COPE devices, we effectively make them semi-trusted. Just as with employee-owned devices, they are not fully trusted. This approach allows both device types to reside on the same network. We get a simpler network, as we don’t need to isolate company desktops from employee devices. We also have a much clearer need to treat the network close to users as less trusted than the network inside the data center.

We have moved to “post-PC” computing, which really means PC plus other things. This means that desktop management is not enough, but it could also mean that desktop management is less important. Will your business be better served by managing desktops less?

4 replies on “BYOD Enables Almost-Unmanaged Desktop”

  1. An interesting standpoint. I suppose the rub of the matter is that if you’re going to hand users control of the device, to install applications etc., then you’re giving them admin access. If you do that, then how do you mitigate against the fact they could usurp any policies set, turn off updates, etc.? Giving them a separate admin account for installations and the like would be a good first defence against hostile malware, but how do you control their level of access to the device? How do you protect them from themselves, essentially?

    Of course, you could simply make them responsible for not screwing the device up with appropriate HR sanctions for violators. That does, though, raise complex legal issues that thankfully won’t be the remit of IT.

    It is interesting though – my current project has a split between those who need to be managed and those who wish to manage themselves. Accommodating both is difficult and challenging.

    Cheers,

    JR

    1. Hello,

I would treat each BYOD as an already infected device. Because of that, it is in a trust zone all by itself with enough safeguards to ensure that whatever is on the device does not spread. There are a number of tools (hardware + software) that will make this a reality. The key is to not place corporate items on such a device without having safeguards. One such could be to use an application on the device that acts as an encrypted enclave, that does not extend out of the enclave, etc. Should corporate email use the same interface? Should corporate documents use the same interface?

This is not a new concern; the technology exists. The real question is whether the user education exists to protect themselves and therefore the organization.

      Best regards,
      Edward Haletky

  2. Assuming we have addressed the need to allow unmanaged and untrusted devices that we don’t own, then why not apply the same lack of control to devices that we do control?
    The flip side is that if we cannot accept this with devices we do own, then should we be accepting the lack of control of devices we do not own?

  3. No, no, no, no.

    Adopting an un-trusted network model to address the risk associated with unmanaged devices sounds fine on paper and as Edward said “There are a number of tools (hardware + software) that will make this a reality.”, but you’re now replacing a desktop management solution with a network management solution. Placing the onus of responsibility on the employee to keep their device patched and protected against threats they do not understand is a legal minefield, and punting that to HR as their problem to address will if anything finish up costing more than retaining the status quo once the legal bills come in (a lawyer friend of mine is a strong advocate of BYOD for this reason alone). Then there’s the matter of organizational efficiency that needs to be considered; exchanging a handful of experienced desktop support professionals for thousands of inefficient amateurs may shorten initial service times but is unlikely to do anything to reduce demand on the Service Desk.

    Most significantly though, you seem to be implying that it is possible to exchange a fully managed desktop for a lightly-managed desktop as a simple choice of one or the other. It isn’t. Add just one enterprise app to the mix, and the whole edifice collapses. One app that must be updated across every desktop for security, regulatory, or just version control reasons, and you still need your old-school desktop management platform to ensure that it gets out there when you need it to and not when the employee remembers. VDI or RDS is not a solution here as it does no more than move the point of management from the endpoint to the virtual infrastructure.

    Yes of course, it’s lovely to be able to say to an employee that they can bring their own device and plug it into our network, we all like to be seen to be accommodating. But really, every program to adopt BYOD or attempt a lightly managed desktop has done no more than move the management challenge from being a mature, well understood, discipline, where the necessary technical skills and best practices are widely available and understood, to one that puts us back where we were 30 years ago, making shit up as we go along.

    Not that I have any strong feelings on the subject.

    Regards

    Simon
