Perhaps you have heard the term COPE. This acronym stands for ‘Company-Owned Personally Enabled’ and describes devices that employees need to do their work and are also allowed to use personally.
Related to COPE is the acronym BYOD, which stands for “Bring Your Own Device”. It describes the situation where employees may use their own devices, i.e. smartphones, tablets or laptops, to work and to access the corporate ICT systems and network.
Figure 1: BYOD can be quite colorful (photo Liz Henry, CC, Flickr)
Both BYOD and COPE have their positive and negative sides. On the positive side for BYOD: for a certain group of employees, most notably knowledge workers who are more flexible and mobile as to where and when they work, the company does not need to invest in rapidly evolving devices or technology. Many of the people who are able to bring their own devices are happy that they can choose their own device instead of getting one from the company without any control over brand, make or model. In the case of BYOD, employees do have to buy their own device. A 2012 article on InformationWeek.com cites a Unisys study which found that 44% of job hunters find a job offer more attractive if the employer allows iPads to be used.
On the negative side for BYOD, managing all those devices, at least from a helpdesk point of view, is more complex. Rather than having a limited number (preferably one) of brands and a few models, you can encounter a multitude of devices, brands and models. The same goes for security: you have less control over the device (since with BYOD it is not yours), so how do you manage all these devices with regard to viruses, malware et cetera? With COPE devices the situation is different: you have more control over the device and decide make and model, but there is still the personal use aspect, which comes with many security and privacy issues. Can users install a game on the device? Where do you draw the line?
Another thing that is often forgotten is: what sensitive data is on the laptop, tablet or smartphone? This can be both private data and company data. In both cases you want the data to remain private, but when the user makes a backup, are private and company data separated, or stored on the same backup device or cloud service? This is a whole (legal) issue that is unfortunately beyond the scope of this article.
A lost or stolen device with inadequate security and control can be at least a PR scandal, if not do serious damage to a company’s reputation. In the case of BYOD devices you have limited control since it is not your device. You do however want to keep information and data safe. Some devices offer the capability to manage a private and a company area separately.
A recent study by Gartner (October 2014) found that 40% of U.S. employees of large enterprises use personally owned devices for work. An article on the Dutch website Computable cites a Cisco study from 2012 where a staggering 85% of employees in the Netherlands use a personal device for work related purposes. Although this may simply be working on a document from home, it shows that BYOD is a reality with all its pros and cons.
You might not yet have a formal procedure in place to deal with COPE and BYOD but it is very likely that your employees are already using personal devices.
The design and implementation of a BYOD or COPE program within a company is something that needs to be done with the utmost care and the involvement of all stakeholders in order to make it successful.
It should take into account the aforementioned legal issues, technical and support issues, security issues, privacy issues, guidelines and procedures and so on. One of the most important questions is: how are you going to manage all of it? How do you enroll users, push or let them find the right applications, how can you revoke access or securely wipe devices when needed?
In order to help you cope (no pun intended) with the reality of both COPE and BYOD devices, WSO2 has developed the Enterprise Mobility Manager. It offers device provisioning, device configuration management, policy enforcement and compliance monitoring, so that employees can use devices in a safe and responsible way, giving them and you the advantages with fewer of the drawbacks.
Enterprise Mobility Manager
WSO2 Enterprise Mobility Manager (EMM) is a solution designed to specifically address the mobile enterprise in terms of COPE and BYOD devices. The four components are:
● Mobile Device Management (MDM)
● Mobile Application Management (MAM)
● Mobile App Store
● Mobile App Publisher
Users need to accept the policy agreement, which states all the actions that can be carried out on the device when enrolling with EMM. EMM only controls the corporate data that is present on the devices, while the personal data is left untouched.
EMM enables organizations to secure, manage and monitor Android and iOS powered devices (e.g., smart phones, iPod touch devices and tablets), irrespective of the mobile operator, service provider, or the organization.
Mobile Device Management (MDM)
One of the most important parts is the mobile device management console. It lets users enroll devices and manage them with a dedicated end-user console. Of course it lets you manage both employee-owned and corporate-owned devices. Out of the box, a number of standard reports can be generated. The next version of EMM will have the option of using WSO2 BAM to develop tailored reports, extending the use of BAM beyond the data analytics that is currently possible.
Currently Android and iOS, the two largest mobile platforms, are supported, with support for Windows Mobile and laptops coming soon (expected in the next release, slated for Q1 of 2015). It goes without saying that it ties in with your enterprise identity solution (e.g. LDAP or Microsoft Active Directory), so there is no redundant storage of users.
The end-user has an MDM console for self-service device enrollment and management.
The administrator can create policies in EMM and define the device management rules, blacklisted applications and list of applications that need to be installed when the policy is enforced.
There are three levels where policies can be set: namely user level (L1), platform level (L2) and role level (L3). L3 policies have the lowest priority. L2 policies override L3 policies; while, L1 policies override both L2 and L3 policies.
It can deploy policies over the air; in other words, you can push a policy to the end-user as long as the device has a wireless connection. Compliance can be monitored and, if a device is not compliant, a notification can automatically be generated and sent. Furthermore, follow-up actions can be carried out based on your requirements, such as sending a warning message or re-enforcing the policy.
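The priority rule above (L1 user over L2 platform over L3 role) and the compliance check against a policy's rules, required apps and blacklisted apps, as an added illustration that is not WSO2 code. It assumes that an overriding policy replaces the lower-level one entirely rather than merging with it, and all policy and device data is constructed for the example.

```python
from dataclasses import dataclass, field

# Policy levels as described on the page: L1 (user) overrides L2 (platform),
# which overrides L3 (role). A lower number means a higher priority.
USER, PLATFORM, ROLE = 1, 2, 3

@dataclass
class Policy:
    level: int
    name: str
    rules: dict = field(default_factory=dict)           # device management rules
    required_apps: set = field(default_factory=set)     # must be installed
    blacklisted_apps: set = field(default_factory=set)  # must not be installed

def effective_policy(policies):
    """Select the policy that applies: the highest-priority level present.
    Assumption: an overriding policy replaces the lower one, no merging."""
    return min(policies, key=lambda p: p.level) if policies else None

def check_compliance(policy, installed_apps, device_state):
    """Return the list of violations for a device; an empty list means compliant."""
    installed = set(installed_apps)
    violations = []
    for app in sorted(policy.blacklisted_apps & installed):
        violations.append(f"blacklisted app installed: {app}")
    for app in sorted(policy.required_apps - installed):
        violations.append(f"required app missing: {app}")
    for key, expected in policy.rules.items():
        actual = device_state.get(key)
        if actual != expected:
            violations.append(f"rule {key}: expected {expected!r}, got {actual!r}")
    return violations

def follow_up(device_id, violations):
    """Follow-up action: a warning message for a non-compliant device, None otherwise."""
    if not violations:
        return None
    return f"WARNING {device_id}: " + "; ".join(violations)

if __name__ == "__main__":
    # Constructed sample policies and device state (hypothetical, not from WSO2 EMM).
    policies = [
        Policy(ROLE, "sales-role", {"passcode_required": True}, {"crm"}),
        Policy(PLATFORM, "android-default", {"passcode_required": True},
               {"touchdown"}, {"game-x"}),
        Policy(USER, "alice", {"passcode_required": True}, {"crm"}, {"game-x"}),
    ]
    pol = effective_policy(policies)  # alice's L1 policy wins over L2 and L3
    print(follow_up("dev-42", check_compliance(pol, ["crm", "game-x"],
                                               {"passcode_required": False})))
```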
Figure 2: EMM Console
Devices can be tracked and located, a handy feature in case a device is lost. If a device is indeed lost, the enterprise configuration can be wiped. An enterprise wipe or revocation does not touch any of the personal information on the device.
Below is a list of features along with its availability on the two platforms. The next version of the Android OS (version 5 or ‘Lollipop’) will include a subset of Samsung Knox which will increase the level of containerization and offer a completely containerized environment which will increase the control over enterprise apps from EMM in these containers.
Company mail can be containerized (currently using Nitrodesk Touchdown) and by that effectively isolated and secured on the device.
Mobile App Management (MAM)
It is easy to deploy your provisioned applications to enrolled devices based on policies, and just as simple to revoke the same application. The EMM console gives the administrator the means to administer all relevant aspects with regard to users, apps, roles, devices, policies and so on.
If a user uses more than one personal device, this works for all the devices that are supported and enrolled. For Android it is possible to blacklist applications, with support for blacklisting on iOS coming soon. The same goes for policy compliance monitoring: it is supported on Android, with iOS support coming soon.
Mobile App Store
The concept of an App store is very familiar for all smartphone users.
Figure 3: Recent Mobile Apps
Since Apple introduced the app store concept in 2008, this has become almost the de facto standard for apps or application discovery with Google and Microsoft following suit.
The Enterprise Mobility Manager uses this concept to enable users to discover and download the apps they want or need in order to do their work. End users go to the store and select the required apps, which are then pushed to their devices. It supports both public and enterprise apps as well as web apps, on both Android and iOS. So you can include both the apps that your organization develops itself (or has had developed) and the regular apps available to the public that might be handy for your employees as well.
The apps in the App Store can be managed using a lifecycle approach, something that is familiar from, for instance, the WSO2 API Management component, which uses the same paradigm.
Figure 4: EMM Publisher Console
This is done with the publisher console. An app can have several stages that it goes through. The stages in the life cycle include:
Roadmap for EMM
The next version of WSO2 EMM will be split into:
1. CDM – Connected Device Manager
2. AM – App Manager
The Connected Device Manager will incorporate all functions that are currently in the MDM like:
● Policy Management
● Device Management
It will also offer a plug-and-play architecture, support for management of any kind of device, and a new component, the WSO2 Cloud Device Manager.
Both BYOD and COPE devices have their advantages and disadvantages. It depends on your specific situation if the advantages outweigh the disadvantages, there is no simple answer that applies to all organizations.
Introduction of such programs in your organization is not something that should be taken lightly given the many aspects and stakeholders involved.
The Enterprise Mobility Market is actually quite a young market segment, and with innovation at the device level (new models, new technology, new OS) taking place at a breathtaking pace, it is also very dynamic.
The Android platform in particular is less homogeneous than you might think, since vendors can build their own specific solutions on top of the OS, e.g. in security. The iOS platform does not have that problem since it is very much closed. The new version of Android, Lollipop, comes with Android (for) Work. This is a subset of Samsung’s Knox: the possibility to use containerization, which offers more possibilities to secure personal and company data and gives EMM solutions more control over BYOD and COPE devices.
If you are considering introducing a BYOD or COPE program in your organization, contact us and we will be happy to explain the possibility that WSO2 EMM offers for your organization.