Hello it’s Ewan here. I’m delighted to present a series of posts by one of the Square Mile’s most accomplished mobile architecture hotshots, Julian Cooling. Julian has been a regular comment contributor over the years here at Mobile Industry Review and I finally met the chap in person at one of our 361 Degrees Live Podcast events earlier this year.
I do remember buttonholing Julian and demanding he spread the word about the reality of BYOD, mobile device management and so on. There’s only so much hyper positivity I can take from the myriad of vendors. I want to know what it’s really like deploying BYOD/MDM (et al) to hundreds (or thousands) of users, particularly in the financial organisations in and around the City.
Julian’s our man.
Standby for an insightful brain dump of experiences, perspectives and opinions forged in the utter stress of get-it-done-delivery. I think many readers will get a heck of a lot of value from Julian’s experiences. He’s got the scars — alongside the confidence of one who’s consistently delivered for clients.
We’re kicking things off with everybody’s perennial favourite: Bring your own device.
Over to Julian….
– – – – –
In the last six months I have read much wordage about Bring Your Own Device in the enterprise, including Gartner presentations saying 60% of all firms will be 100% BYOD by 2017. Having actually had to put the policy and infrastructure together for what could be described as a large multinational, I think there is gap between what the experts are glibly saying and what BYOD project managers need to be working through. Personally, I don’t think that the public discourse is being controlled by anybody who has had to chat with a corporate lawyer, compliance and risk officer and global telecoms account manager once a week for the best part of a year.
Failure of Imagination #1: BYOD will allow you to shift costs so get this driver right!
Nearly everything I read about BYOD has, at its dark heart, a corporate culture which has an allergy to capital expenditure (Capex) and a corresponding love of operational expenditure (Opex). There are tax and accounting reasons for this and corporations ignore them at their peril. However, article after article, even when it isn’t explicit, assumes that the Opex (including call and data costs) is the company’s problem and the Capex for the device can at last be shunted off to the employees. This can be tarted up into several hundred words — but this is when many analysts’ visions for BYOD stops.
Some analysts suggest all sorts of ways to manage the Opex but, quite frankly, if you are considering BYOD and the breakdowns between Capex vs Opex are the only things on your mind, move on and come back after you have worked out what mobile means for your organisation. The practicalities of making BYOD work will have an impact on your spreadsheets but the realities of BYOD mobility over the next 5 years will have a much bigger impact on business: so get that right as your priority, kids.
They’re Dreamin’ #2: Click through Terms and Conditions are really important.
A basic rule is that you cannot enforce a “contract” if the other party cannot say “no”. Nearly every BYOD analyst’s dream scenario shows BYOD as pretty much compulsory for all applicable employees. This is fine, but that does mean that any Terms and Conditions the employee agrees to must, essentially, be pre-agreed HR policy because the employee will be implicitly (or explicitly) compelled to click “yes”. The T&Cs are unenforceable as “an agreement” or as “a contract” since the employee was forced to agree so they could keep their jobs. Nevertheless, they can be a useful reminder to everybody of the rules for mobile workers in the company. Carefully consider the feasibility of writing the mobile T&Cs into the employee contract/HR manual and then reference them via a hyperlink in the T&C box to which the user clicks “OK” as acknowledgement rather than agreement.
More specifically: on day one of the BYOD project, treat 90% of it as an HR, compliance and legal problem. The actual technical deployment will account for the other 10% (I exaggerate). Your top priority should be getting this sort of paperwork started before you unwrap any hardware or software.
Didn’t See that One Coming! #3: Data Leakage Prevention Technologies, Client Identifying Data and “We have the technology”.
Containers, 8 character passwords with 2 letters and an exclamation mark, secured apps, FIPS compliance and 256 bit encryption are all good things. However, what device are your teams using to call your customers on?
Think carefully here!
Where are the missed return calls, call logs and such things being stored? Even if you put Contacts, Calendar and Email in a container/secured app, the employee’s personal phone is still going to be used to make the call.
You cannot ask your workers to use their own phones without considering how deeply your Data Protection Policy may be undermined. And it is unreasonable to ask you employees to clear out their call logs on their personal phones when they leave.
Also, every decent sales employee is going to work out how to download the entire customer relationship management system (CRM) into their BYOD device on day one. Illegal? Possibly; Unethical? Probably; Against the T&Cs? Yes (if you have squared away with your HR team) — but these are people your firm hopes can close the deals that make real money: They are not 9 to 5 workers for the local Sunday School. They often hold unfortunately realistic expectations that they will get kicked out within a week of starting (through no fault of there own) and so the unified contents of all of the CRM systems of all of the places they have ever worked is one of the ways they can bring new business into the next shop who hires them. Life can be rich in sales but it is tough too and your BYOD systems need to be realistic about the life experiences of the people whole will use them.
Maybe you manage to lock down your CRM. In the end, though, if you are asking people to use their own phones to call customers then be aware of this issue.
Doing it Right
Obviously, BYOD without the phone is a whole lot easier than with it. In many industries in Central London it is illegal (as in “go to jail” illegal) to call clients on a phone unless the call is recorded and the logs kept for 7 years. However, in these companies, there will be masses of other people will have to negotiate complex products, organise events, work on road-shows etc and they must use a mobile. There are ways.
Cunning Plan #1: BYOD – The Clue’s in the Name: it is their own device
The first thing to remember is that the device belongs to the employee, as does the version of the OS, the OS licence, their device replacement insurance, their choice of screen pixel density and screen size. You are just asking for space on it’s storage, a few CPU cycles and some time on its radio aerial. The more you can keep your footprint on the device nicely contained, the better it will be for everybody. If you accidentally even think about randomly making use of the additional device features you are doomed.
Think encapsulation and then encapsulate every service you want to from that device and its OS.
A lovely side benefit is, because you don’t fiddle at all, the employee can support 90% of what they do by using Google and/or their children. It causes no angst because they know it is their device and if they break it they fix it. One reason IT departments have had to support corporate phones so heavily in the recent past is they weren’t ever really consumer devices with proper Google support and then subsequently they were customised beyond recognition and/or usability.
How to Win Friends and Influence People #2: Choose your mobile delivery partner
Containers vs secure apps vs MAM vs MDM can send most intelligent people into a spin. However, some of the big MDM/mobile technology vendors can support your mobile enterprise requirements quite intelligently. Indeed, you can:
* Direct all company data in your apps via your servers (either via per-app secured channels, VPNs or other tricks)
* Support voice over IP and run that back through your own SIP/VOIP servers (whoo hoo — phone services which meet regulatory requirements!)
* It’s the apps, stupid. If you need a service or function device, encapsulate it in an API that you manage and use it to build your apps.
* Deploy your apps directly on the device “desktop”, into a container or a bit of both (depending on what is implemented on your OS, by your mobile support vendor’s technology stack etc etc etc)
It gets more complicated but you may be able to count bytes in and out of devices. If you get clever, you might possibly even calculate a per byte cost (with weightings for roaming and WiFi) and come up with a fair compensation model for your employees. I am not saying it would be easy, but nothing about this is easy. What will shift it from impossible, is your choice of mobile support software vendor. There are some very good ones out there.
Aligning the Stars #3: BYOD is an HR policy not an IT policy
In BYOD circles, there is way too much talk about what your IT security department will say about BYOD and not nearly enough about the views of your Business Risk and Compliance, Legal and HR departments. This is a huge, huge issue.
Penetration tests are important but they are also well understood by anyone who is actually project managing a roll-out like this.
Questions regarding the circumstances that can lead an employee to an accompanied visit to the Southwark Crown Court and what deals the Criminal Prosecution Service might offer are similarly important. An astonishingly few people in an organisation actually know who to ask in order to find out.
And the answers can be very subtle: Some people can leak information freely (public relations!), others will be subject to civil penalties, another group may be subject to criminal sanctions if anything goes wrong and you may find there are departments or groups that are audited hourly. It depends where you work, but find out early and check often.
If the company staff policies need updating, you can pretty much guarantee it will take the full length of the project to get the paperwork through even if everybody agrees.
If a union is involved that will be fine too, but again it isn’t an IT problem no matter which MD is sponsoring the project or who paying for it or how the Return on Investment is calculated. So give HR and their associated departments every possible day the project has before the solution must be turned on.
My Take Home Message:
BYOD is lovely. It may save money, it may not. What it will probably do is transform your employees from desk bound, technology bound people to a far more flexible force where they own their own tools and can treat them as physical manifestations of their other skill sets: i.e. as their own.
This means a BYOD project is not a “technology enabler” such as an Exchange Server 2010 rollout, migrating to SAP or dishing out corporate mobile devices. Instead it is about a controlled and limited transfer of agency and IP from the company to the employees.
The issues you face are not driven by the technology per se, but by the HR, legal and compliance issues relating to such a transfer — not that anybody in the armies of online commentators, paid analysts or company leaders really gets this.
As an project manager on the job, you just have to wink, smile and pull something out of thin air and make the mandatory quip:
“Encapsulation? I have an app for that”.
– – – – – –
Hello it’s Ewan again. Genius, Julian! Absolute genius. Thank you very much indeed for taking the time to contribute this.
If you’ve any questions at all — or comments — please, please do contribute them below as I think the could be very useful to everyone in the wider community, particularly those who’re about to embark or in the middle of a BYOD programme.
Thank you once again Julian! I’m looking forward to your next post.