How to develop a mobile policy

CIO | Middle East

You have a number of factors to consider when crafting or updating your organization’s mobility policy, and there isn’t a one-size-fits-all solution. Not only is every organization different, but even within a single organization there’s a need for a broad spectrum of policies, implemented with surprising granularity. 

Issues with broad mobile policies

Although it’s tempting to issue a broad policy that is applied to every iPhone, iPad and Android device used by employees and executives, that approach has some major problems. 

Problem 1: There is the technical issue that different platforms offer different management capabilities, and different versions of the same OS, as implemented across a variety of devices, pose real fragmentation concerns. With a single policy applied to every device, you will have to settle for the lowest common denominator of what is available everywhere. That means giving up the security and management controls that only current OS releases and better-supported devices offer. 

Problem 2: Another major issue is ownership. On a company-owned device, it’s reasonable to limit installable apps, device features like the camera, and restrict access to several device settings. It’s also more reasonable for employees to expect that device and app usage may be monitored for security, content and loss prevention reasons. 

With personal devices, there’s an inherent expectation of privacy and that users can configure their device however they want. There’s a need for subtlety and trust. You are, after all, asking for a level of control over a device that contains very personal information, from family photos to personal contacts to health and banking data. If you try to manage it as you would a company device or a PC, many users will opt to go rogue, unenroll their devices and continue using them with no safeguards and no way for you to track the corporate data on them, a far from ideal situation. 

Problem 3: Then there is the question of what individuals or groups actually need. This will vary across an organization based on department, job role, active projects, location and which side of the firewall a device is on at any given time. If some of those items sound familiar, that’s because they’re some of the ways Windows Group Policies are applied within Active Directory. That existing trove of organizational hierarchy that manages Windows is fair game for mobile devices. 

Virtually every enterprise mobility management (EMM) or mobile device management (MDM) product offers the ability to integrate with Active Directory. This means you can pull in user, group, policy and related data and apply it to your mobility approach. Some solutions go further and let you apply conditional access rules that flag or block access based on a device’s location, the time of day, its OS version and its state. A jailbroken or rooted device is the chief state you absolutely want to know about, because it means the OS protections every other policy relies on can no longer be trusted. 

It’s also important to remember that there are a wide range of policy rules available that not only implement security functions, but also install apps and configure them for use in your organization or segments of it, as well as configure device settings and import enterprise content like contacts. If planned and implemented well, each user should have a device tailored to your organization as well as their specific needs based on the work they do. 

The best way to achieve this goal is to use a range of relatively small or discrete payloads. This means that your overall approach will be to layer policies together using the granularity of your directory and identity solution (typically Active Directory). Much as Active Directory allows you to assign very specific access rights on different criteria that are combined when the user logs in, EMM solutions allow you to apply multiple rules that mesh together to create a tailored experience. 
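
To make the layering concrete, here is an added example, not from the article or from any EMM vendor, of how a policy engine can compose small payloads per directory group and evaluate the conditional-access checks described above in Python. The group names, payload settings, OS floors and device records are constructed for illustration, and the conflict rules (the most restrictive value wins, app and contact lists are unioned, ownership adds a layer that BYOD devices never receive) are one reasonable design rather than anything a particular product mandates:

```python
"""Layered mobile-policy composition with conditional-access gating.

Added illustration, not code from the article or any EMM/MDM product.
All group names, payloads, OS floors and devices below are constructed.
"""
from dataclasses import dataclass

# Hypothetical directory groups mapped to small, discrete payloads.
# Each payload sets only what it cares about; layering merges them.
PAYLOADS = {
    "All-Staff": {
        "require_passcode": True,
        "min_passcode_length": 6,
        "apps": {"Outlook", "Authenticator"},
    },
    "Finance": {
        "min_passcode_length": 8,
        "allow_camera": False,
        "apps": {"ERP-Client"},
        "contacts": {"finance-desk@example.com"},
    },
    "Field-Sales": {
        "allow_camera": True,
        "apps": {"CRM"},
    },
    # Applied only to company-owned devices (see Problem 2 above).
    "Corporate-Owned": {
        "allow_app_store": False,
        "allow_camera": False,
    },
}

# Every setting must declare how conflicting layers are resolved.
RESTRICTIVE_FALSE = {"allow_camera", "allow_app_store"}  # any False wins
RESTRICTIVE_TRUE = {"require_passcode"}                   # any True wins
RESTRICTIVE_MAX = {"min_passcode_length"}                 # largest wins
UNION = {"apps", "contacts"}                              # lists accumulate

# Lowest OS version you support per platform (the "OS floor"), constructed.
OS_FLOOR = {"ios": (15, 0), "android": (11, 0)}


@dataclass
class Device:
    platform: str
    os_version: tuple
    compromised: bool = False       # jailbroken / rooted
    owned_by_company: bool = False


def merge_payloads(group_names):
    """Layer the payloads of the given groups; conflicts resolve to the safer value."""
    merged = {}
    for name in group_names:
        for key, value in PAYLOADS.get(name, {}).items():
            if key not in merged:
                merged[key] = set(value) if key in UNION else value
            elif key in UNION:
                merged[key] |= set(value)
            elif key in RESTRICTIVE_FALSE:
                merged[key] = merged[key] and value
            elif key in RESTRICTIVE_TRUE:
                merged[key] = merged[key] or value
            elif key in RESTRICTIVE_MAX:
                merged[key] = max(merged[key], value)
            else:
                # Refuse to guess: a setting without a merge rule is a policy bug.
                raise ValueError(f"no conflict rule declared for setting {key!r}")
    return merged


def evaluate(device, group_names):
    """Conditional-access decision, plus the layered policy when access is allowed."""
    if device.compromised:
        return {"decision": "block", "reason": "device is jailbroken/rooted"}
    floor = OS_FLOOR.get(device.platform)
    if floor is None:
        return {"decision": "block", "reason": f"unsupported platform: {device.platform}"}
    if device.os_version < floor:
        return {"decision": "block", "reason": "OS version below supported floor"}
    layers = list(group_names)
    if device.owned_by_company:
        layers.append("Corporate-Owned")  # ownership adds restrictions; BYOD never gets them
    return {"decision": "allow", "reason": "ok", "policy": merge_payloads(layers)}


if __name__ == "__main__":
    # Constructed sample: a finance user who also does field sales, on a company iPhone.
    corp = Device("ios", (16, 2), owned_by_company=True)
    print(evaluate(corp, ["All-Staff", "Finance", "Field-Sales"]))
    # Same groups minus Finance on a personal Android phone: camera stays allowed,
    # and no Corporate-Owned restrictions are applied.
    byod = Device("android", (13, 0))
    print(evaluate(byod, ["All-Staff", "Field-Sales"]))
    print(evaluate(Device("android", (10, 0)), ["All-Staff"]))
    print(evaluate(Device("ios", (16, 0), compromised=True), ["All-Staff"]))
```

The point of declaring a merge rule for every setting is that a user in both Finance and Field-Sales gets the camera disabled and an 8-character passcode even though one of their groups would permit less; the engine never silently lets the last-applied layer decide a security setting. The compromised-device and OS-floor checks run before any payload is composed, since a rooted device cannot be trusted to enforce whatever policy it is handed.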

From a user perspective, once a device is enrolled it should be ready for use immediately with apps, configuration data, security posture and restrictions. The process should be a seamless one that requires no special skills during the enrollment process. 

So how do you build out all the layers that you need?

This can seem like a daunting prospect and to some extent it will be. There’s no getting around the fact that a fair amount of thought and research will go into it and that it will never be a completed process because the nature of mobility is one of constant change. At the very least, it will be important to revise your approach on an annual basis as major OS releases and new devices come to market. 

There are a few general considerations that will make it more manageable if you plan ahead:

  • Know what types of devices you need to support. For company-owned devices, this is pretty straightforward and at your discretion. For BYOD you’ll need to research what employees are already using. You can track this through the devices connecting to your network or through help desk data about device-related problems. 
  • Know your OS floor. This means the lowest OS version you’ll support. Each release comes with changes to what can be managed and how. In the case of Android, this also means understanding manufacturer-specific flavors of the platform you’re dealing with. While iOS updates filter down almost immediately, Android can be much more challenging and you’ll need to support more of a spread of OS versions. 
  • Know the capabilities that each platform offers. This means iOS and Android. It also means Samsung Knox and other manufacturer-specific options. Depending on your organization, you may opt to use EMM to manage additional hardware like Macs, Windows 10 devices not managed by Active Directory, and media devices like the Apple TV. 
  • Understand the organization of your business. If you’re going to be layering policies based on an existing directory system, you should understand how that logical division of information translates to actual departments and employees. This definitely requires a bit of time and research and should involve managers and employees in each department. Working directly with the users you’ll support is critical to building and layering your policies. It also puts a face to IT, makes mobility much more of a collaborative process, and minimizes the level of shadow IT. 
  • Don’t rush it. This is a big undertaking and one you need to get right. Get it wrong and shadow IT will run rampant as workers avoid enrolling devices. Try to work one department at a time and to really work with each department as a team. This gets the job done right, doesn’t burn out your staff, and lets you claim a win with each successful part of the rollout.

Ultimately your mobility policy will actually be a large number of interlocking policies that are as diverse as your workforce. They’ll give users the best experience balanced with needed security. They will always be a work in progress. You will need to sweat these details. But done right and with the right information ahead of time, you can make mobility a true win for your IT department and your organization as a whole.