I’ve just read a story on techcentral.ie that discusses a Virgin Media (UK-based ISP) report. It says that 74% of company employees are bringing personal devices into work and plugging them into the company network. This is the sort of thing I was talking about in my previous millenials post. It’s also the sort of thing that has impacted decision making by corporates: personal preferences for a better appliance or utility can improve the working experience, and the corporate decision making process. We have to decide how we respond?
Do we try to block everything? We can try. Group Policy and utilities like DeviceLock can lock down what is plugged into PCs. Network Access Protection (Windows)/Network Access Control (Cisco) can control what is allowed to connect to the network. I’ve taken the device lock approach before. But a valid business case always overrules global policy, and you might be surprised how many people come up with “valid” business cases. Soon the policy resembles swiss cheese, only affecting the minority of users. The result is that IT is disliked – it’s a blocking force once again.
The user-centric approach that we’re seeing with private cloud, App-V, and System Configuration Manager 2012 is an example of how we need to think. My millenials post also suggests a way forward. Maybe we need to allow personal appliances, but use those policy tools like Network Access Control to place the appliances into networks that are not central, kind of like the guest network that is often used. Or maybe we need to change how we think about the PC altogether and treat the entire PC network as a guest network.
The latter approach might work very well with the user-centric approach. If end users are using their own PCs, tablets, and phones, then we cannot apply corporate policy to them. Maybe we just provide user-centric self-service mechanisms and let them help themselves. Or maybe things like VDI and/or RemoteApp are the way forward for LOB client delivery. If everythign was cloud (public/provate) and web-client based then application delivery would be irrelevant. Maybe it’s a little bit from column A and a little from column B?
It’s a big topic and would require a complete shift in thinking … and a complete re-deployment of the client network, including LOB application interfaces.
If the business starts to ‘encourage’ the ue of staffs personal devicves for business purposes, the staff will expect the business to help when support is required ie malfunction, hardware issues, software config help etc
Before you know, IT will be bogged down tryingf to help staff with their tablets, smartphones, laptops etc
A line needs drawn somewhere, regardless of how flexible and agile you want to be.
That depends … if the users appliance is nothing more than a display mechanism, then the user could be told that it is their responsibility to have a working laptop, just like it’s their responsibility to wear clean clothes. If any of this happens, there will be a massive shift of everything.
And I should follow up by saying that I have been a BOFH. I’ve locked things down, in the past, so tight that there was no wriggle room, until the security officer and infernal audit would bypass every policy for anyone with a bit of political clout (or access to it) presented a “valid” business case. In the end, the policies became pointless. Of course, that financial company did make lots of healdines over the last few years, and I think the directors are in a spot of bother these days 🙂
Aidan, I worked with a 3rd party product (I will send you info offline and if you deem valuable I will let you post the link) that allowed you to allow USB sitcks, DVDs / CDs in a very granular manner. You could allow specific devices per user, per machine, per HASH of the USB and or DVD itself. It would also track all documentation copied too and or from these allowed devices by their HASH as well. I worked with this product in 2005 and it has since been re-branded and sold to another company. From what I have heard there has only been improvements to it. There are options out there, but I cannot fathom why Microsoft has not built this into WIN 7 and 2008 R2 already. AppLocker was a great start, but not the solution I would have expected to support Server 2008 R2 and WIN 7, which I enjoy working with.