© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
John Girard
To the Point: Mobile Device Policy Essentials
Strategic Planning Assumption
80% of mobile professionals use two+ personal devices to access business systems & data.
By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.
More devices … today
... More diversity tomorrow
Supporting the SPA:
• BYOD pressure is obvious
• Companies can't finance personal diversity
• Innovation driven by choice
Alternate viewpoint:
• BYOD complicates compliance
• Smart device security still weak and largely proprietary
• Worldwide, uptake is patchy
Question
How do you deal with mobile device diversity?
Select the one response that fits best …
• We have a policy and it is "no BYOD"
• We only allow personal iPhones and iPads
• We allow users to bring a wider range of personal devices to work
Managed Diversity: A Core IT Policy
 | Fully Managed | Semimanaged | Special Services
Ownership | Enterprise | End User (BYOD) or Enterprise | End User or Enterprise
Security | Trusted/Lockdown | Untrusted/Isolation | Untrusted/Manual
Support | IT | 10/90 IT/End-user Split | IT
Responsibility | 100% IT | 50/50 IT/End-user Split | 100% End User
Mobile Policy Framework
Accountability and Liability
Existing Policy Practices
Company Controls
Personal Controls
External Controls
Legal/Regulatory Obligations
Qualifying Devices
MDM Life Cycle
Policy Breadth
Device Manageability
Version Controls
Support Policies
Help Desk
Security Policies
User Auth
Containment Options
Data Protection
Web Protection
Diversity Policies
Business Alignment
Financial Compensation
Company Controls
Personal Controls
External Controls
Qualifying Apps
Define Workforce Segmentation
[Matrix figure: each profile is marked (X) against the columns listed below; the individual marks did not survive extraction.]
Business Requirements: Company Directory, Oracle Financials, SAP ERP, Custom Field Application, Pivotal SFA
Locations: Teleworker, Office, Branch Office, Manufacturing, Road
Work Styles: Alerts, Message, Forms, Knowledge, Power
Profile | Target Devices
Executive Management | Laptop, Tablet, Smartphone
Research, Design, Planning | Laptop (High End), Tablet
Marketing | Laptop, Tablet, Smartphone
National Sales Directors | Laptop, Tablet, Smartphone
Regional Sales Managers | Laptop, Tablet, Smartphone
Direct Sales | Laptop, Tablet, Smartphone
Field Service | Smartphone
Warehouse/Dock | Tablet (Ruggedized)
Facilities | Smartphone
Manufacturing Maintenance | Smartphone
Manufacturing Supervisors | Laptop, Tablet, Smartphone
Not All Devices Are Equal: Example Matrix
[Matrix figure. Columns (device class): iOS Ent. Liable, Samsung Ent. Liable, iOS BYO, Android BYO, Win Phone Ent. Liable. Rows (service): File Sharing (Casual), Productivity Suite, (App Y), (App X), Email/Calendar/PIM, Docs and Workflow. Cell values: ✓, As Available, VDI Only.]
Policies to Regulate Mobility
Costs, Compliance, People, Technology, Security, Operations
• Provisioning, De-commissioning, Auditing, Reporting, Self-service, Patches/Upgrades, Maintenance, Levels of Support (e.g., User Portals, Troubleshooting).
• Mobile Data and Corporate Server Protection (e.g., Monitor and Filter Accesses to Servers).
• Application Delivery (e.g., OTA Sw Distribution, Private App Stores).
• Containerization of Corporate Footprints on Personal Devices.
• Liability, Contracts, Compliance, Health and Safety, Ownership, Benefits, Taxes, Accessibility. E.g., Email Archiving and Retrieval; Local Data Encryption.
• Internal Communication, Demand Management, Privacy, Policy Sharing, Training, Work-life Balance, Rewards.
• Voice/Data Costs, Insurance, Warranty, Device Costs, Deployment Costs. Policies Include Inventory, Reporting, Alerts, Policy Enforcement.
• Supported Devices, Data Plans, Applications, Services, Infrastructure and IT Integration.
Question
Do you provide economic incentives to encourage better cooperation and control of mobile devices? (Select one)
• Yes for company-provisioned devices but not personal
• Yes to both
• No to either
Policy Choices: Mobile Security Risk and Liability
Tier of Risk: HR and IT Take the Lead:
• Allowed business functions in a mobile setting
• Applications and data distribution
• User authentication: Local device, company network, business app
Boundary of Liability: HR and Legal Take the Lead:
• Compliance requirements: Government, industrial, business partner, contractor, intellectual property, supply chain, customer
• Employee and supervisor must sign acceptable-use policy
• C-level "exceptions"
• Business unit and employee are responsible for compliance
• External media access and encryption
• International travel exposure, mitigation requirements
Policy Choices: Corporate and Personal Baseline
All Devices: IT and Operations Take the Lead:
• Minimum/maximum device level (hardware, firmware, OS)
• Opt-in to company-administered MDM
• PIN length, retry, timeout rules
• Zero-tolerance "no hacking" rule
• Digital signatures for email, apps, Wi-Fi, VPN, and so on
• Data encryption and cleanup
• Loss/theft reporting responsibilities and response escalations
• Contractor exceptions (may not be able to opt-in)
Personal Devices: IT and Legal Take the Lead:
• Company may choose to filter sensitive data
• Employee will accept company lock/wipe decisions
• Kiosk-level or concierge-style access alternative
Policy Choices: Support and Administration
Support/Help Desk: Operations Takes the Lead:
• Self-help wiki
• Limits on supported devices/models
• Personal device assistance and potential chargeback costs
• Certificate installation and revocation for signed apps, services
• Lock, wipe and restoration processes
• Exceptions — especially for C-level
Administrative: Operations Takes the Lead:
• Reporting requirements for lost, stolen or discarded devices
• Network connection control (including Bluetooth, Wi-Fi)
• Synchronization/roaming control
• Logical and physical disposal
Don't Forget These Policy Considerations
• Reimbursement policy and process
• Impact of privacy laws
• Acceptable use definition
• Union employee policy
• After-hours device usage policy
• End-user training program
Question
Where is primary authorship and responsibility for mobile device policies in your company?
(Select the closest choice)
• HR
• IT
• Each business unit
• Interdepartmental team
• CFO
• Other
Recommendations
Establish policies under a mobile center of excellence encompassing IT, HR, risk, legal, and key user departments.
Don't treat all users the same way — segment your base according to geography, platform, required business apps, data needs, security, and costs.
Use the boundaries set in policies to create a tiered support structure for mobile devices as well as a company liability shield.
Tool up! Select mobile defenses using a spectrum of trust.