BYOD – Bring Your Own Device and System Center Configuration Manager (SCCM)
Like most people in this space, I have heard a lot about BYOD lately.
Of all the great bits of information that I heard at the Microsoft Management Summit 2012, the one that really jumped out at me (and I may be a little off in the precise numbers – but you’ll get the idea) went something like this:
A poll was taken among IT departments and then among end users asking what percentage of end users are using their own devices to perform their jobs.
- IT folks said: 40%
- End Users said: 60%
Then, same week…
Here is an excerpt from an excellent article by Camille Tuutti, “BYOD continues to challenge agencies struggling to develop policy” (Federal Computer Week, April 18, 2012), on how BYOD is affecting the public sector:
“…Nearly 60 percent of public-sector agencies allow all personal mobile devices to connect to the enterprise networks,
…
But the same percentage also said their agency didn’t have the appropriate tools to handle non agency-issued mobile devices on the network.
…
More than 70 percent of the respondents stated they were either somewhat or very confident in knowing which personal mobile devices had access to their agency’s network. However, close to one-fifth don’t know how many or which personal devices are accessing their agency’s network, and nearly 3 percent said “I have no clue” of the personal devices that access the network. …”
20% don’t know. 3% - no clue. Ouch.
So, this blog entry is far from exhaustive, but I wanted to share some of the biggest concerns and some solutions that the SCCM and QMX combination offer to those tasked with managing mobile now – in addition to everything else. After we check off the “does QMX provide seamless console integration for inventory through Resource Explorer and native SCCM reporting” questions (Yes and Yes), the conversation goes immediately to security and control/flexibility, so that is where we’ll go now.
What about security? What happens if a device gets lost?
If your option is only to completely wipe a “personal” user device that has your company’s profiles and apps on it – that’s not so good.
Putting this in perspective - explain to this person why you completely wiped his device.
Other questions to consider: Why did we hire him? What were the candidates he beat out for this job like?
Instead, you need the option to selectively wipe profiles and apps, to lock the device and to clear the passcode – all of which are provided with an SCCM / QMX / MDM combination but not via ActiveSync. Further, a large part of “security” is really a matter of how you put stuff on the device and how you take it off. It’s a balance.
How do I balance control and flexibility (and security)?
One of my recent presentations was attended by an Apple SC who works in the enterprise mobile device management space. He gave me a great tip that I want to pass on to you. Create multiple profiles. The more granular you are with profiles that QMX will push out, the more granular you can be in removing profiles with QMX. Let’s look at that a bit.
Think of this in these steps.
- Create profiles that you can “layer” on the device
- Package and deploy profiles
- Remove Profiles
This allows for profile layering and selective removal.
Creating Profiles:
If you haven’t done so yet, you owe it to yourself to download (free) the iPhone Configuration Utility for Windows. It shows you precisely what components can be included in a profile.
Some examples:
- Profiles concentrating on configuration/settings including: configuring WiFi, VPN, email and so on. (How many calls does the helpdesk get asking, “What is my SMTP server setting?”)
- Profiles concentrating on Restrictions including: Allow/Disallow App installation, bandwidth-hogging YouTube and FaceTime, iTunes (think Acceptable Use Policy compliance), enforce encrypted backup, disallow explicit material (EEO issue mitigation) and more
- Profiles pushing out webclips to your internal resources (including an app portal?) and external websites (Skype, UPS, SalesForce, ADP…)
Screenshot: Some options available on the iPhone Configuration Utility
Package creation and deployment
So, you created profiles. Now you use QMX to deploy precisely those packages you wish to install on a specific collection of devices. In education for example, you may have a basic profile for all devices and then separate ones to layer on for teachers' devices (grading system web clip) and for students' (not the grading system, not downloading apps). In retail you can lock down the sales associates’ demo iPad from YouTube while not restricting the CEO from anything.
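The layering idea from the education scenario, as an added example (not QMX's or the iPhone Configuration Utility's own output): each layer is a separate configuration profile with its own identifier, so it can be removed without touching the others. The organisation prefix, SSID, URL and role names are constructed placeholders; the payload types and keys are those of Apple's configuration profile format.

```python
import plistlib
import uuid

ORG = "com.example.school"  # assumption: placeholder reverse-DNS prefix

def profile(name, payloads):
    """Wrap payloads in a top-level profile that has its own identifier."""
    ident = f"{ORG}.{name}"
    def uid(s):  # deterministic UUID so a rebuilt layer replaces the old one
        return str(uuid.uuid5(uuid.NAMESPACE_DNS, s)).upper()
    content = [{**p, "PayloadIdentifier": f"{ident}.{i}",
                "PayloadUUID": uid(f"{ident}.{i}"), "PayloadVersion": 1}
               for i, p in enumerate(payloads)]
    return {"PayloadType": "Configuration", "PayloadDisplayName": name,
            "PayloadIdentifier": ident, "PayloadUUID": uid(ident),
            "PayloadVersion": 1, "PayloadContent": content}

# One concern per layer: settings, restrictions and web clips stay separate.
LAYERS = {
    "base-wifi": profile("base-wifi", [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "ExampleCampus", "EncryptionType": "WPA",
        "AutoJoin": True}]),  # Password key left out of this sample
    "student-restrictions": profile("student-restrictions", [{
        "PayloadType": "com.apple.applicationaccess",
        "allowAppInstallation": False, "allowYouTube": False,
        "allowVideoConferencing": False, "forceEncryptedBackup": True,
        "allowExplicitContent": False}]),
    "teacher-webclip": profile("teacher-webclip", [{
        "PayloadType": "com.apple.webClip.managed", "Label": "Grading",
        "URL": "https://grades.example.invalid/", "IsRemovable": False}]),
}

# Constructed role-to-layer mapping for the education scenario.
ROLES = {"student": ["base-wifi", "student-restrictions"],
         "teacher": ["base-wifi", "teacher-webclip"]}

def build(role):
    """Return {filename: .mobileconfig bytes} for the layers a role receives."""
    return {f"{n}.mobileconfig": plistlib.dumps(LAYERS[n]) for n in ROLES[role]}

def to_remove(old_role, new_role=None):
    """Profile identifiers to remove on a role change, or on leaving (None)."""
    keep = set(ROLES.get(new_role, []))
    return sorted(LAYERS[n]["PayloadIdentifier"]
                  for n in ROLES[old_role] if n not in keep)
```

Because the restrictions sit in their own profile, moving a device from student to teacher removes only that layer and leaves the WiFi settings in place.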
Remove Profiles
The QMX profile removal process is almost exactly the same as the deployment process. Same wizards - easy - and you can do so selectively.
Apps
Deploying apps via QMX is available only for iPad and iPhone as of this posting (I’ll keep you posted on Android). Again, you use the same easy wizards for app deployment and removal as are used for profile deployment and removal. The cool thing is that you can create your own portal (any expert app portal creation folks out there I can reference?) and/or use the app store when deploying apps with QMX. When taking the AppStore route, apps can be purchased individually by the user, or by you using a redemption code when enterprise licenses are purchased. Note that, whereas you can bundle profiles and distribute them, apps are only deployed individually.
If necessary – for example if someone is maybe asked to leave your company – you can selectively delete your company-provided apps.
Our friend keeps his own stuff and nobody gets hurt. Zombie apocalypse avoided.
SCCM 2012 mobile offering
This is probably a good topic for another blog – probably when we get closer to SCCM 2012 R2 – but it is important to point out that, while SCCM 2012 will add native support for iOS and Android via ActiveSync, it will not support:
- Profile deployment
- App deployment
So, in addition to complementing native SCCM in that respect, QMX also:
- Works with 2012 and 2007 versions of SCCM
- Extends SCCM to 120 other cross-platforms like Mac OS X (with OS deployment), Cisco, VMware, Unix, Linux and more. 250 SCOM extensions, too.
In summary, I hope this gave you some options to consider as your organization confronts the BYOD question. It’s only going to accelerate this year. And I hope you take a good look at QMX in the process. If you already began using QMX years ago for other platforms, you are “already ready” for mobile device management right now – and for the next “big thing” in the future. So, don’t forget to tell your boss to take credit for your excellent decision.
Check out the new Android extension: Security features include Remote Wipe, Lock and Reset Passcode; Inventory information showing installed applications and device/OS properties; set password requirements via profile distribution and more.
Check out the new iOS extension: All of the above and app deployment, too!
Questions?
Contact SystemCenterSales@quest.com