Shawn Bass and I recently wrote a blog post (and did a webcast) which was a guide for IT workers who suddenly need to support the majority of their users working from home. We answered viewer questions for about 30 minutes after the webcast, and quite a few of the questions were about BYO devices, and how IT can handle them during this emergency. So this blog post will be my quick and dirty guide to BYOD.
The BYO Background
“BYO” in this context stands for “Bring Your Own”, and in IT it has become shorthand for “employee-owned” computers or “employee-provided” equipment. In the context of the current emergency, the question is how companies should deal with employees who are now working from home and who either (1) do not have company-provided equipment (meaning the employee will have to use their own or buy their own), or (2) have company devices which are locked up in an office that is now closed.
The reason the BYO conversation is even a thing is that company-owned equipment typically has more restrictions placed on it than an employee’s own equipment, and companies tend to have more powerful admin rights and owner capabilities on company-owned hardware.
For example, a typical company-owned Windows laptop is most likely domain-joined, runs lots of security software, has hardware and software specs and versions which someone at the company has approved, has policies which prevent typical users from doing certain things (maybe they can’t install new apps, or can’t remove mandatory security software).
But now that so many users are working from home, for those who do not have company-furnished equipment, they essentially have to find some kind of device to use on their own. So what are the options for them, and for IT? Let’s dig in!
Here are the issues that you’ll have to think about.
First, think about what applications users will need access to, and think about what kind of access they’ll need. For example, everyone is probably going to need email, and email works fine on a phone. That said, a phone is not an ideal platform for writing long emails, and there’s a good chance that users won’t want to rely on their phone being the only way they can access their email. So you have to think about how the application will be used, in addition to whether it’s actually possible to access it from a certain type of device.
You also need to think about the various ways that app can be delivered to the device. Using email as the example again, you might think that the “desktop” version of email requires Microsoft Outlook, which raises the question of how you get Outlook installed onto a user’s home machine. But remember, there are web versions of Outlook (which are enabled by default in Office 365 subscriptions), and the web version of Outlook is pretty decent these days. So figuring out how to deploy “Outlook” for desktop email users might be as simple as sending a web link to your users. Remember there are web versions of Word, Excel, and PowerPoint now too. They are not exact copies of their desktop counterparts and they tend to be pretty slow, but they’re great in a pinch, work in most browsers across platforms, and don’t require anything to be downloaded or installed. (Also remember that some of the other applications you use might have web versions you could transition to.)
If you have Windows applications that users will need to use from home, you’re going to need to figure out another way to deliver them to the user.
The first thing to think about is to make sure the user has a device with a large screen, a proper keyboard, and some kind of mouse or trackpad. No sense trying to deliver a Windows app to a user if all they have is an iPhone.
If you already have a VDI or RDS environment in place, that’s great because you can pretty much just point your existing home users to it and they can work pretty normally. (This assumes that you have the licenses, bandwidth, VPN connections, and other technical infrastructure in place already.) VDI/RDS apps are nice because you don’t have to care about what type of device the user has (as long as it’s got the big screen and keyboard). So a Windows computer is fine (even an older one not running Windows 10), Macs are fine, and even iPads are fine if they have the keyboard case and a Bluetooth mouse (which you can configure in the Accessibility options of iPadOS 13 and then use with your remote Windows session).
If you don’t already have an environment like that set up, but you do have a lot of desktop computers at the office that now no one can use, you can install VMware Horizon and configure it in a way that your users can connect from home and then attach to their own work computer remotely. One of my VMware colleagues, Graeme Gordon, wrote a guide showing how to do this, leveraging his knowledge and some free tools from colleagues Andrew Morgan and Chris Halstead to help get this implemented quickly. (VMware has also extended the free Horizon trial from 30 to 90 days and allows it to be used for up to 100 users.)
Another option, if you want to use VDI or RDS technology but don’t have it set up today (or you do but it’s full): this work-at-home period will most likely go on long enough that it’s worth your time to set up a new cloud-based / DaaS virtual desktop environment. This will give you a whole bunch of Windows VMs running in the cloud that you can fully manage as if they were company-owned PCs, so you can have your own image, your own apps, all your security tools, and they can be domain-joined and have GPOs and logon scripts and all that. Even getting Horizon installed and set up in the cloud / DaaS is pretty straightforward these days.
The biggest challenge here will be getting the connection (whether physical or VPN) from the cloud provider to your own on-prem environment, since you’ll want to be able to federate logins, provide access to file shares, etc. VMware has also extended our Horizon Cloud for Azure trial from 30 to 90 days, and also allows you to use it for no charge up to 100 users now.
If you don’t want or are unable to use one of the DaaS / RDS / VDI options, and you want to run Windows applications locally on your users’ personal computers, you will potentially have a lot to deal with.
First is the fact that even though Windows 7 is mostly gone from the corporate world, it still has a pretty big foothold in the home market. Home versions of Windows 7 are no longer supported, meaning they no longer receive security patches, so any kind of device posture or compliance check you run against those machines will probably fail. You’ll have to either (1) relax your security requirements, or (2) try to walk your users through upgrading their machines to Windows 10. I really don’t like the upgrade option since there’s so much that can go wrong and you’ll be on the hook for support as far as your users are concerned, but if you need to run a Windows app locally then that might be your only choice.
You could consider giving the user a corporate VM that runs your proper Windows 10 image (and is fully controlled and locked down). This is pretty straightforward but will require that (1) your users are savvy enough to get the whole “desktop within a desktop” thing, and (2) whatever random computers your users have are beefy enough to be able to run a VM.
(If you have Mac users and you want to run Windows apps locally, you’re probably looking at using something like VMware Fusion regardless.)
Frankly the idea of installing corporate Windows apps on a user’s home computer is pretty scary to me. The only thing I’d really feel comfortable doing is maybe a browser and Office. (Which, in 2020, maybe that’s all you need? I can literally do 100% of my job with a browser and Office, and it doesn’t matter if I’m on a Windows or Mac machine.)
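As an added example (not part of the original post, and not a VMware tool), here is the kind of quick posture check an IT team could send to a home user to decide between the options above: whether the OS is still supported, whether it looks patched and protected, and whether the machine is capable enough to host a locked-down corporate VM. The thresholds (Windows 10 as the minimum for any local install; 8 GB of RAM, 4 logical CPUs and firmware virtualization enabled before a corporate VM is worth trying) are my own assumptions. It uses Get-WmiObject rather than Get-CimInstance so it also runs on the PowerShell 2.0 that Windows 7 shipped with.

```powershell
# Added example, not from the original post: a home-PC posture check a user can run
# ("right-click > Run with PowerShell") and paste the output into a helpdesk ticket.
# Thresholds are assumptions for illustration, not a standard anyone publishes.

function Get-HomePcPosture {
    # Get-WmiObject is available in every Windows PowerShell version (2.0 - 5.1),
    # so this works on an out-of-the-box Windows 7 machine as well as Windows 10.
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1

    # Build 7601 = Windows 7 SP1 (Home editions unsupported since January 2020);
    # build 10240 = first Windows 10 release. Anything below 10240 is treated as unsupported.
    $build   = [int]$os.BuildNumber
    $isWin10 = $build -ge 10240

    # Days since the most recent hotfix was installed: a rough "is it being patched" signal.
    $lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSincePatch = if ($lastPatch) { [int]((Get-Date) - $lastPatch.InstalledOn).TotalDays } else { $null }

    # Get-MpComputerStatus (Windows Defender) does not exist on Windows 7; $null = "could not determine".
    $defenderOn = $null
    try { $defenderOn = (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled } catch { }

    # BitLocker cmdlets need Pro/Enterprise and an elevated shell; again, $null = "could not determine".
    $sysDriveEncrypted = $null
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $sysDriveEncrypted = ($vol.ProtectionStatus -eq 'On')
    } catch { }

    # Is the box beefy enough to run a corporate Windows 10 VM on top of its own OS?
    # VirtualizationFirmwareEnabled is absent on Windows 7 WMI and some firmware -> treated as $false.
    $ramGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $logicalCpu = [int]$cs.NumberOfLogicalProcessors
    $vtEnabled  = [bool]$cpu.VirtualizationFirmwareEnabled
    $canHostVm  = $isWin10 -and $vtEnabled -and ($ramGB -ge 8) -and ($logicalCpu -ge 4)

    # Decision path follows the post: unsupported OS -> keep corporate apps off the device;
    # supported and capable -> a locked-down corporate VM is an option; otherwise the
    # smallest local footprint (browser + Office) with everything else via VDI/RDS/DaaS.
    $recommendation =
        if (-not $isWin10)  { 'Unsupported OS: web apps or VDI/RDS/DaaS only; do not install corporate apps locally' }
        elseif ($canHostVm) { 'Supported and capable: a corporate Windows 10 VM is an option, as is VDI/RDS/DaaS' }
        else                { 'Supported but underpowered for a VM: browser + Office locally, everything else via VDI/RDS/DaaS' }

    # New-Object + Select-Object keeps the property order readable on PowerShell 2.0 too.
    New-Object -TypeName PSObject -Property @{
        OS                   = $os.Caption
        Build                = $build
        SupportedOS          = $isWin10
        DaysSinceLastPatch   = $daysSincePatch
        DefenderRealTime     = $defenderOn
        SystemDriveEncrypted = $sysDriveEncrypted
        RamGB                = $ramGB
        LogicalCpus          = $logicalCpu
        VirtualizationReady  = $vtEnabled
        CanHostCorporateVm   = $canHostVm
        Recommendation       = $recommendation
    } | Select-Object OS, Build, SupportedOS, DaysSinceLastPatch, DefenderRealTime,
                      SystemDriveEncrypted, RamGB, LogicalCpus, VirtualizationReady,
                      CanHostCorporateVm, Recommendation
}

Get-HomePcPosture | Format-List
```

The Defender and BitLocker fields deliberately distinguish “off” from “could not determine” ($null), because on an unsupported or Home-edition machine the cmdlets simply are not there; treating that as “off” would hide the more important fact that the OS itself is the problem. Nothing here is enforced on the device; it is only a report to help IT pick a delivery path for that user.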
What about BYOD mobile?
Using “BYO” mobile (often called “BYOD” for “Bring Your Own Device”) is something that a lot of companies already do, and in 2020 it’s far more common than BYO Laptops. So hopefully this is something you already support. 🙂
Mobile devices (defined as those running iOS/iPadOS or Android) are very different from desktops and laptops. The mobile OSes are over a decade newer, they were designed from the start with per-app sandboxing and built-in management hooks (which is what makes managing only the corporate apps, rather than the whole device, possible at all), and they’re generally designed to work well anywhere in the world.
Again, the first thing you should think about is what apps your users will need from their mobile devices, and then think about whether you want your users to find and install the apps on their own, or whether you want to provide a custom app catalog and/or automatically install or “push” the users’ apps to their devices.
When it comes to actual management of a device, your basic options are:
• Tell the users which apps to get and have them get them on their own.
• Provide some management of corporate apps, but do not manage the entire device.
• Enroll the user’s personal device for full management.
The first option is pretty simple. Just do nothing. You’ll have to support some app configuration things (What’s our email server config? What is our Concur company code?), but that’s easy enough to do with a few FAQs. The downside is that since you’re not managing the device at all, there’s a chance a user could have a jailbroken or rooted device, or some other kind of malware, that could jeopardize the integrity of whatever work stuff they’re doing. (This is far rarer on mobile devices than on laptops, but it’s definitely a non-zero risk.)
The second option, where you manage certain corporate apps but not the users’ personal apps, is pretty easy to set up and easy for the users to understand. For example, if you’re using VMware Workspace ONE, you can direct the user to download our Intelligent Hub app (which you can provide to them via a link, QR code, etc.). Then the user logs into that app and is presented with a list of other corporate apps which you’ve pre-configured with Workspace ONE. This can vary by group, so only the right users see the right apps, and you can pre-configure each app’s individual settings so users don’t have to stumble through that on their own. The Intelligent Hub is cool because you can also deploy links to web apps, VDI/RDS/DaaS apps and desktops, and other corporate resources like a People Search contact lookup, helpdesk ticket integration, virtual smart assistants, etc. During the emergency, many of our customers are also using the Intelligent Hub’s notification capabilities to provide critical communications to employees (updates on office closings, calls for masks, etc.).
So managing apps with the Workspace ONE Intelligent Hub is much more powerful and elegant than just telling the users to find the apps on their own, and users are typically okay with it because they know the company is just managing the company apps—they don’t have to worry about the company wiping out their entire phone or snooping on their personal text messages or GPS location. The downside, though, is the same as the Do Nothing approach—since IT isn’t managing the low-level device, it’s possible that a user could be a risk due to a compromised device or malware.
The third option is most similar to “classic” MDM where the user enrolls their device for full management, essentially giving their company full control over their phone. (This is what I have personally done with my BYO iPhone as a VMware employee.) This is the most secure option for the company since the company has total control, though some users might not feel as comfortable with it since, in theory, the company could wipe the user’s phone and potentially cause personal information to be lost, or the company could “spy” on the user by looking at personal things they shouldn’t.
VMware Workspace ONE includes a Privacy app that you can deploy to your users’ mobile devices which explains in clear lay terms what exactly the company can and cannot see. This app connects back into the Workspace ONE management system and shows details based on your company’s actual configuration settings. For example, when I fire up my BYO iPhone which is fully managed by VMware, I see that VMware IT cannot see text messages, personal email, photos, or personal apps, while my IT department can see user details and work apps. While the privacy app is great, if you have users who really don’t trust IT, then they’re probably not going to trust the privacy app that IT uses to assure them of what they can’t see.
The full device enrollment is absolutely the most powerful option for IT. It gives IT detailed control and management of a device, and lets them have the highest security and confidence that the devices around the world are functioning properly.
(By the way, VMware has also extended our Workspace ONE trial from 30 to 90 days if you want to try it during the emergency.)
The good news is that when it comes to working from home with personal, BYO devices, you really do have a lot of options. The important things to think about are (1) what types of apps your users will need, (2) what types of devices your users will want, and (3) where you want to land on the security-versus-management trade-off. Fortunately, the world has been working on BYO quite a bit for the past decade, so figuring out your options here should be one of the more straightforward things to do while you figure out how to support so many home workers.
Each day over the next few weeks, we will be rolling out a series of posts and resources around business continuity. We also hosted a business continuity webinar, Pandemic Preparedness and Response: How to Quickly Set Up a Remote Workforce for Success, that you can watch on-demand.