A short while back I had a conversation with someone I know regarding Bring Your Own Device and just how much control a business may have over a personal device in a normal BYOD environment. He wasn't shy to admit he had no experience on this topic and was shocked to realize a business can completely wipe any device under corporate management and return it to factory settings. Files, photos, contacts, songs, messages – all gone with the touch of a button.
“How could anyone consent to BYOD?” he asked.
With that in mind, I wanted to know how many people in my circle of friends and family were equally unaware of the control a business may have over any corporately managed smartphone accessing confidential information.
Over the course of a weekend I spoke to a further 12 people. I was concerned to find 9 of them had no idea that anyone but themselves could have administrative control over their own personal device. 5 of those were using either a corporate, managed device or were using their own personal smartphones to access corporate data (read: Exchange in all cases).
For those with corporately managed devices I asked, already having an inkling of what they’d say, whether they had read and understood the policies regarding access to corporate data their respective employers should have provided for mobile devices (all businesses do that, right?!). I was met with a unanimous “no”. More concerning was hearing those with Android devices had completely ignored the standard, in-built security prompt – which states they’re offering a business administrative control – that appears when adding an Exchange account.
It's no secret that we've slowly become conditioned to blindly accept T&Cs over the years, something I'm equally guilty of, so I suppose it shouldn't be hugely surprising to learn employees aren't aware they're not only handing over administrative rights to their smartphones, but potentially giving employers access to private information, too.
I realize this may sound rather disconcerting, but before you throw your smartphone off a cliff I’d like to explore this from both sides.
A full wipe is typically a last resort
To immediately clear up any misunderstanding: employers typically treat completely wiping a personal device as an absolute last resort, opting instead for an "enterprise wipe" on any device enrolled on a mobile device management platform. An enterprise wipe, unlike a full wipe, removes only the applications, accounts and configuration the company pushed to the device, such as a VPN application or a corporate email account. It leaves all personal information intact.
For managed devices, typically the only occasion a device is completely wiped is on loss or theft, and then only after a discussion with the device owner. Even then it may be postponed: as long as the device remains enrolled on the management platform, its location can still be tracked.
Unfortunately for devices managed solely through Exchange there is no enterprise wipe (yet); the only remote wipe Exchange ActiveSync offers is a full one. Procedures differ, but of the companies I've spoken with, a number enforce the same policy I do: provided there's proof the device is no longer carrying corporate information, there's no need to perform a wipe. Typically that entails a trip to IT for the employee, but a screenshot of the Exchange-free device may also be accepted.
The objective for IT is to make sure there's no corporate information on the device when the presumably soon-to-be-ex employee walks out. Corporate accounts can be (and are) revoked, but revoking the account only stops further synchronisation; any email already on the device before the account was disabled remains there indefinitely unless removed manually.
Obviously ex-employees may not be feeling overly compliant. In that case, as long as the employer has made their intentions clear, they have an obligation (and likely a signed agreement) to protect their IP. A full wipe may be the only way of guaranteeing that.
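As an added illustration (not from the original post) of what this looks like from the IT side for a device managed solely through Exchange, here are the Exchange 2010-era ActiveSync cmdlets as run from the Exchange Management Shell. The mailbox name, device ID and notification address are placeholders; Exchange 2013 and later expose the same operations under Get-MobileDeviceStatistics, Remove-MobileDevice and Clear-MobileDevice.

```powershell
# Added example, not the original post's code. Assumes an Exchange 2010-style
# environment and an admin account holding the Recipient Management role.
# "jsmith", the device ID and the e-mail address below are placeholders.
$Mailbox = "jsmith"

# 1. Which devices hold an ActiveSync partnership with the leaver's mailbox, and
#    when did each last sync? A device that is still syncing still holds mail.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox
$devices |
    Select-Object DeviceType, DeviceModel, DeviceId, Status, LastSuccessSync, DeviceWipeSentTime |
    Format-Table -AutoSize

# 2. Disabling the AD account stops future syncs but does nothing to mail already
#    cached on the handset. Once the employee has shown IT the account is gone
#    from the device (the "screenshot" case), remove the partnership so the
#    device no longer appears as a managed endpoint. If it reappears with a
#    newer LastSuccessSync, the account is still configured somewhere.
$confirmedRemoved = "ABC123PLACEHOLDER"   # DeviceId the employee demonstrated is clean
$devices |
    Where-Object { $_.DeviceId -eq $confirmedRemoved } |
    ForEach-Object { Remove-ActiveSyncDevice -Identity $_.Identity -Confirm:$false }

# 3. Last resort: a full remote wipe. ActiveSync has no selective wipe, so this
#    returns the handset to factory settings, personal data included, the next
#    time it checks in. -WhatIf shows what would be sent without sending it;
#    drop it only once a human has made the call.
$devices |
    Where-Object { $_.LastSuccessSync -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        Clear-ActiveSyncDevice -Identity $_.Identity `
            -NotificationEmailAddresses "it-security@example.com" -WhatIf
    }
```

The ordering matters: step 1 is evidence, step 2 is the normal close-out, and step 3 is the one that destroys the employee's own data. A wipe request also only takes effect when the device next connects, so a handset that has been switched off or has had the account deleted will never acknowledge it, which is why the partnership listing (DeviceWipeSentTime with no acknowledgement) is worth checking afterwards.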
Before it even gets to that point though:
The employer should make their policies known
Having suitable documentation to support a BYOD environment is crucial to making it work.
These policies should include the amount, type and frequency of data collected from devices to give employees a transparent view of the information they’re providing to the business as well as making employees aware a full wipe may be carried out under certain circumstances. If location data is also being collected, it’s critical to make sure employees are aware and agree to it.
It’s vital that employers put their policies front-and-centre before every employee wanting (or having) to enrol their device(s) on to the management platform. They should equally be accessible at any point for reference; it’s no use having them collecting dust on a private file share somewhere!
Employees should read, understand and question the policies
The requirement to manage a device is perfectly common in any forward-thinking, mobile-friendly business.
A company wanting administrative control over a device will at the very least expect to be able to wipe it and enforce a password on it; these are the two baseline controls for protecting corporate data and set the bar for what is essentially a "managed" device. It may also need to track device location, see which applications are installed, know when the device was last active, monitor data usage (even as far as the domains enrolled devices visit), and so on. For an employer managing corporate devices this information is invaluable.
With this in mind it's incredibly important that an employee reads, understands and questions the policies around the solution they're enrolling on before they do so. There's rarely an "opt-out" for the various reporting capabilities of these platforms, so while an employee can't, for example, ask to be excluded from reporting their list of installed applications, knowing what is collected can inform the decision about which device to enrol (explained below).
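To make the "wipe and password-protect" baseline concrete, here is an added example (not from the original post) of the policy an Exchange admin would attach to BYOD mailboxes, using the Exchange 2010-era New-ActiveSyncMailboxPolicy and Set-CASMailbox cmdlets. The policy name, mailbox and threshold values are placeholders chosen for illustration; the parameter names are the real ones.

```powershell
# Added example, not the original post's code. Exchange 2010-style cmdlets;
# "BYOD-Baseline", "jsmith" and the numeric values are placeholders.
$policy = @{
    Name                            = "BYOD-Baseline"
    DevicePasswordEnabled           = $true       # the handset must have a lock code
    AllowSimpleDevicePassword       = $false      # no 1111 / 1234 style PINs
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = "00:05:00"  # auto-lock after five minutes idle
    MaxDevicePasswordFailedAttempts = 10          # device wipes itself after ten bad PINs
    RequireDeviceEncryption         = $true       # cached mail is useless without the PIN
    # A device that cannot enforce these settings also cannot be relied on to
    # honour a remote wipe, so refuse it rather than let it sync anyway.
    AllowNonProvisionableDevices    = $false
}
New-ActiveSyncMailboxPolicy @policy

# Attach the policy to a BYOD user's mailbox. The device is prompted to accept
# the policy on its next sync; on Android this is the device-administrator
# prompt mentioned earlier, and declining it means no mail.
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# What the employee is agreeing to, for the record (and for the policy document):
Get-ActiveSyncMailboxPolicy -Identity "BYOD-Baseline" | Format-List
```

Note the asymmetry the policy creates: the employer can enforce the lock code, the encryption and the wipe, but the employee's only lever is whether to enrol the device at all, which is exactly why the settings should be published alongside the policy text rather than discovered through the prompt.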
“How could anyone consent to BYOD?”
Coming back to the original question, the two scenarios in which BYOD commonly exists are:
- Voluntary: you opt in to BYOD because you want to.
- Mandatory: as a condition of employment.
On paper BYOD provides an opportunity for both employee and employer to benefit: employers lower outgoings by reducing the requirement to buy and maintain their own hardware (though this may not offset the perceived increase in support burden) and employees can use any device they want. Between an old BlackBerry and a nippy new iPhone, I know which I'd prefer.
It’s a common occurrence to see employees opting to use their one-and-only device for everything, but BYOD doesn’t stand for “Bring Your Only Device”; depending on the corporate policy (which should be read!) an employer may opt to provide a SIM to be used for work purposes or offer to cover the cost of using a personal SIM, instead of providing a corporate device. In both cases all that would be required is an unlocked, SIM-free device.
I’m definitely not the only person who has amassed a number of devices over the years, some of which aren’t very old (rather replaced due to upgrades or, in my specific case, because I review a lot of devices). In this situation I wouldn’t use my daily device, instead opting for a spare I have lying around that I’d use either with a company SIM or with a new PAYG SIM (providing the employer has offered to cover the cost) for work use.
For those without a spare device, another option to avoid using one device for both personal and corporate use is to buy one. A basic smartphone can be picked up new for around £70 and for less second-hand. Of course, you get what you pay for, so it's always worth ensuring a device is fit for purpose when deciding what to buy.
Obviously the latter is an investment, but at the end of the day how much is separating business and personal information worth? To top it off you'll still get to use a device of your choosing, which may be much better than anything your employer would offer.
In any case, if you’re worried about losing personal information, be sure to back your device up regularly.