Nothing like a juicy political scandal to bring clarity to a geeky tech issue! The abridged version is that Hillary Clinton maintained her own email server instead of using a State Department account while she was Secretary of State because she didn’t want to carry separate phones for work and personal use. It’s a big story and well-respected journalists have editorialized on the situation. We can all mostly sympathize with Hillary, apparently a pioneer of the Bring Your Own Device (BYOD) movement! After all, who would want to carry and use two different devices for personal and work usage?
But only the geekiest (or most scandal-plagued celebrity target) among us would go through the hassle and expense to create and manage our own email server to work around it. So for the rest of us, that left two options: pollute your work device and account with personal correspondence and content, or circumvent your company’s policies by mixing work content on your personal device.
Hillary’s conundrum felt quite familiar to me. At the time, before VMware had instituted their BYOD policy, I had opted for the former and the opposite of Hillary. Like other execs, I had a corporate-owned and paid-for BlackBerry, but I used it for personal email and phone calls as well as work, while my personal device (an old but chic Motorola Razr) languished in a drawer. Then Steve Jobs passed away and in his honor, I succumbed to one of my carrier’s promotions and upgraded my ancient phone to my first iPhone. After a week of having a real mobile web browser experience I was hooked! A couple of months later VMware instituted its BYOD policy and saved me from my brief interlude with carrying 2 devices around. I transferred my well-known VMware mobile number to my iPhone and never looked back.
Now I had switched camps: mixing work content with personal content on my BYOD device. At the time, the only corporate management of the device was that VMware could wipe my Exchange-compatible Zimbra mailbox/device cache, enforce that I use a password and deactivate the corporate login; however, anything else was unmanageable and invisible to the company. That included work content on various cloud services I used. Sure, we had other approved corporate mobile services, but they had usability challenges, the result of which ranged from hurting my productivity to being entirely unsuitable for the job.
Which leads me to a classic example of this clash between productivity and corporate-supported tools that I experienced firsthand and which demonstrated the driving force behind consumerization of IT. I was frequently delivering customer presentations and a common request was for me to share a copy of my slide deck. But my graphics-rich decks were usually larger than the corporate email attachment size quota. Corporate IT’s suggestions were impractical: either I should 1) delete some slides from my decks to make them smaller or 2) send out USB sticks via the U.S. mail. So I became an avid user of consumer file services such as Dropbox and Box. A true story!
The solution today for managing BYOD is the maturing Enterprise Mobile Management (EMM) space. While I was VMware EUC CTO, I have to admit that I was a bit ambivalent about EMM and especially its predecessors Mobile Device Management (MDM) & Mobile Application Management (MAM). I held strong opinions about the proper balance between what would be acceptable restrictions for BYOD users on devices they own vs. necessary and appropriate levels of IT control. MDM ceded too much control to the company. I was among the users who felt that “I paid for my device, I’ll configure and run what I want on it. And my personal content on a device I own and pay for is just as important to me as the business content is to the corporation.” MAM was also limiting, which typically meant running inferior, out-of-date mail clients, web browsers, and other applications so that the company could manage the content. Fortunately, EMM is getting better. Both Apple and Google have implemented finer-grained corporate control mechanisms in their platforms and current commercial EMM solutions make use of these primitives so as not to be as draconian as their predecessors.
But why do we need mobile management anyway? My attitude was and is quite close to Brian Madden’s. The assumption that IT needed to manage our devices was rooted in the PC world, where OS and application image drift, security vulnerabilities, and management complexity necessitated IT involvement in keeping everyone productive. The modern mobile OSes learned from these architectural shortcomings of Microsoft Windows and designed in much stronger application isolation (aka sandboxing), update strategies with fewer moving parts and a more stateless platform design perspective, making corporate device management far less needed.
What is actually needed? I believe the answer is selective content-based tracking and protection for important proprietary or regulated corporate information such as medical records, legal briefs, product designs, business strategy documents or perhaps State Department correspondence with other governments. However, even when such controls and regulation are obviously needed, as vendors and IT professionals we have an obligation to make sure the solution is convenient and straightforward to use. Because if it isn’t, we will fail at achieving the intended information security objectives as our users will circumvent the controls and policies in order to be more productive. Just like Hillary and I did!