COPE with security: Enabling the mobile workforce
IT has long been keen on control – and for good reason.
When you’re responsible for the security and management of an entire environment, control – over devices, applications, and so on – is one way to limit risk.
Or at least it used to be.
Now, a push for control might create an even less secure environment as users skirt controls to simply get their jobs done and work efficiently.
But it doesn’t have to be that way. By reassessing your environment and the administration tools at your disposal, you can empower your users with a corporate-owned, personally enabled policy without compromising security or overly complicating your network. The biggest hurdle is a change in mindset.
So if you believe control is the key to maintaining an efficient work environment, we have a question for you: Why?
Paradigm shift from the mobile side
The paradigm shift in mobile devices from BlackBerry to iPhone saw companies relinquish what was once total control.
In the heyday of BlackBerry, you could lock those devices down to the point where no one could browse any site but your intranet. It was a corporate device through and through, and only personal if an administrator explicitly allowed it.
The shift to iOS and Android was driven in no small part by employees who wanted to use their more capable personal devices to work on the go, including access to resources that traditionally lived on the corporate network. The only real method of controlling those devices was mobile device management (MDM), which had fairly limited reach when the devices first launched.
Now that the idea of managing mobile devices with MDM is mainstream, there’s been a big push over the last two years to give users their personal choice of computer as well. And here’s the thing: Contrary to popular belief, the adoption of this policy is actually a good thing.
Corporate-owned, personally enabled devices can go beyond mobile
You might argue that phones are a different story than computers. iOS is very secure. You never have to worry about someone plugging in flash drives, MDM can detect jailbroken phones almost immediately, and so on, while with computers, it seems like it’s more a question of, “what can’t you do with it?”
But as long as an administrator manages the system properly, employees can have their personal data on their device and keep it separate from the secure company data. The notion of “corporate-owned, personally enabled devices” isn’t limited to phones. All it takes are the right tools.
Jamf is widely recognized as the leading Apple management platform, and it lets you write whatever policies you want. Additionally, Jamf integrates with Microsoft Intune, the leading Windows management platform, giving administrators a single pane of glass for their whole environment. You can send out a profile that says certain Macs can only run applications from the App Store, where everything is certified by Apple. Developers are identified by their signing certificates, and if someone signs a piece of malware with their own certificate, Apple can revoke it and prevent the application from running.
Keep in mind, attitudes and policies are shifting on many platforms. The old way of binding machines to Active Directory is going away on every platform for one simple reason: How many organizations have computers that just sit in one building all day?
Jamf and Intune step in with the ability to manage devices outside of your immediate network, taking care of any machine anywhere, including remote configuration without the machine needing to be on your network. With Apple Business Manager for your Macs (and iOS devices), along with Autopilot and Zero Touch for your Windows 10 machines, you can set up machines fully remotely and add the policies you need, all without a machine ever arriving at a corporate helpdesk.
“Need” is an important word. Because the more you tell users no, the more likely they are to go around you.
Users will find a way
If you tell an individual they can’t do something without giving them a comparable and convenient alternative, they will find a way.
When Dropbox came out, a lot of organizations blocked it as a potential security hole. Some built what they thought was a comparable alternative, except it didn’t work as well, it wasn’t accessible on mobile devices, and you had to VPN in to use it.
Instead of using that, employees were more likely to simply email files to themselves, which is potentially a bigger security risk: email is typically protected only by single-factor authentication, it can be accessed from anywhere in the world, and at best you can see that the file left; there is no way to undo the damage once it’s done.
Don’t be a technology blocker. Be an enabler. Assess your environment and your tools – is everything in place to empower users with the best policies for their job, or are you overusing some features for the sake of control?
In the end, it comes down to trust. Trust in both the platforms and management tools in use today, and trust in the people in your organization. MDM has allowed you to give employees machines they feel comfortable with while providing them with the right amount of flexibility and freedom.
Make sure your policies match up with what technology can protect, and create an environment for everyone, from a CIO to a part-time salesperson. Your systems stay secure and simple to manage, and your employees work harder, work better, and will stick with your organization longer. That’s good for business.