Home > Blogs > VMware Consulting Blog


How to Set Up a BYOD/Mobility Policy

By TJ Vatsa, Principal Architect, VMware Americas Professional Services Organization

TJ Vatsa

Smart phones have surpassed one billion worldwide for the first time in 2012 and that number will likely double by 2015, says Bloomberg. Smart phone sales are even surpassing desktop and laptop sales, according to IDC’s Worldwide Smart Connected Device Forecast Data.

Rolling out a bring-your-own-device (BYOD) policy and infrastructure to handle the influx of personal devices can be a harrowing journey if it’s not well planned. With users today demanding anytime access to business productivity apps, devices, and data on personal devices, not having a policy in place can be even more detrimental.

The first step to implementing a BYOD policy is to think about the devices themselves, how you’ll manage them, and the applications that are being used. VMware’s Horizon EUC (End User Computing) suite can act as the broker and management platform between devices and applications to ensure that the corporate network stays secure. (And users stay happy.)

The recent acquisition of AirWatch makes VMware the undisputed leader in the space of BYOD and mobility, providing the most mature EUC solution portfolio on the market today. This solution portfolio includes some of the key capabilities, such as:

  1. MDM: Mobile Device Management
  2. MAM: Mobile Application Management
  3. MCM: Mobile Content Management
  4. MEML Mobile Email Management
  5. SCL: Secure Content Locker
  6. And a plethora of additional features and functionalities

Now, having touched on the “why” above, let’s take a look at the “what” and “how” of the BYOD/mobility policy.

What: Devices, Applications, Management, Customizations

Below, I’ll lay out general steps to think about in your BYOD policy and tips to putting it in place. That said, every policy requires its own customizations: there’s no-one-size-fits-all approach. Healthcare has different requirements than a financial institution would, for example.

First Step: Devices and Access
With many solutions in the market, customers and integrators can overlook design. So the burning question an architect needs to ask is: “What kind of access for what types of devices?” For the purposes of this blog, we’ll look at the three most typical categories: LAN, VPN, and public network access (see chart below). You can use the sample matrix below to better assess the access you’d like to grant.

For instance, you’ll put devices on the X axis and network access on Y axis. Your LAN will need to be the most secure; therefore, only company-issued devices will have access. But BYOD devices can still gain network access through VPN or a public network, just no access to the LAN itself. These access and device controls need to be driven by your corporate security policies.

How: Design Dos and Don'ts (Devices & Access)

 

Second Step: Features and Capabilities
Once you’ve figured out access levels, next create a matrix to assess the desktop features and capabilities you’d like to grant. Public network settings will be the most stringent, but VPN and LAN will provide the security you need to enable most desktop features. You’ll want feature category on the X axis against network access on the Y axis, like so:

How: Design Dos & Don'ts (Features & Capabilities)

With your LAN, multimedia redirection is another consideration. If a user is accessing a desktop on the corporate network, audio and video capabilities might require provisioning on the end device. In certain cases, WAN bandwidth may cause an issue accessing corporate recordings. The same issue may happen with printing as well. Ensure that you comply with corporate IT policies while evaluating and enabling such features.

Third Step: Applications
Last, consider your applications entitlement. It’s easy to restrict applications through the catalog of applications provided in the Virtual Workspace Catalog, and the entitlements can be adjusted by department–so your finance department will get access to a different catalog of applications than HR would. Or you can restrict application entitlements based on security rules. For instance, Active Directory GPOs (Group Policy Objects) can be effectively used to enforce business/department specific security policies.
image4-Entitlements-Vatsa-4.18.14

As you can see, creating a BYOD policy doesn’t need to be daunting. If you think through the various steps, you’ll have a secure network access, happy end-users, and a policy that ensures a successful and a mature adoption of your enterprise BYOD/mobility strategy.

I hope you will find this information handy and useful during your BYOD/mobility architecture design and deployment strategy.


TJ Vatsa has worked at VMware for over four years, with over 19 years of expertise in the IT industry, mainly focusing on the enterprise architecture. He has extensive experience in professional services consulting, cloud computing, VDI/End-User Computing infrastructure, SOA architecture planning, implementation, functional/solution architecture, and technical project management related to enterprise application development, content management, and data warehousing technologies. Catch up with TJ on Twitter, Facebook, or LinkedIn.

3 thoughts on “How to Set Up a BYOD/Mobility Policy

  1. Pingback: Practical Tools from VMware Consultants: Mobility Policy, Horizon + Lync Architecture, and vCOps Dashboard | VMware Consulting Blog - VMware Blogs

  2. Pingback: Basics of BYOD for SMB: What You Need to Know!

  3. Kevin Fitzsimmons

    Have we updated this info to reflect the newest Horizon-Airwatch integration? I have a customer that is considering a move in this direction. They’d also like to talk to someone that was involved in VMware’s move to mandatory BYOD.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*