Should IT let users bring their own laptops and smartphones? [podcast]

Should IT let users bring their own laptops and smartphones? [podcast]

Summary: We've been talking about the consumerization of IT for years, but it's now reaching an inflection point. Is it time for IT to accept it and adapt?

SHARE:

We've been talking about the consumerization of IT for years, but it's now reaching an inflection point. Is it time for IT to accept it and adapt?

The Big Question is a joint production from ZDNet and TechRepublic that I co-host with Larry Dignan. Larry is traveling on the west coast this week so he couldn't make it, but he'll be back next week. My colleague Bill Detwiler, TechRepublic's Head Technology Editor, pinch-hit for him this week.

You can play this 29-minute episode from the Flash-based player at the top of the page or:

If you enjoy this podcast, please go to to our iTunes page to rate it and leave a short review.

Stories discussed in this episode:

Topics: Browser, CXO, Laptops, Mobility, Smartphones

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

68 comments
Log in or register to join the discussion
  • Let our users?

    This is a problem we face every day in my organization. I honestly wouldn't care but time and time again there have been security issues in allowing this. We have had everything from computers coming in with viruses and spyware that attempted to sneak on our systems to teachers having folders shared on their laptops where students have accessed them remotely and stole answer sheets to tests. We have even had a few of these devices left unattended and stolen the that teacher/staff member wanted to make the school district responsible for.

    If my school district would pony up the cash for some sort of Network Access Control device similar to what many colleges I have seen use that would install some sort of client on the machine that could check for installed and up to date antivirus/security software along with other security measures like up to date patching and network security settings then let them come in. Up until this year we had a completely open wireless system and it was felt by my director of technology that the web content filter and firewall were more than enough security. I had to fight and fight to get these restrictions in and it wasn't until a parent that works in IT Security made a big stink and showed how information could be taken right out of the air (literally) on the open wireless. Now we have Enterprise WPA2 level encryption along with access points that distribute multiple SSID's for and even a guest network that requires authorization for access (similar to what some hotels use) all controlled by wireless controllers. It made many of the teachers mad because they would bring in their devices and now they have to go through extra steps to get access. We still have no way of checking these devices for proper security and there is no policy in place to basically say that the district is not responsible for their personal devices. My director of technology is so lax that he thinks we are just being paranoid or controlling. I tend to put security before convenience because I am a realist and I know bad things happen.

    That being said I work in a pretty well off school district and see little reason for them to bring in their laptops. Every classroom has at least 1 computer (most have 2 - 3) and there are plenty of labs and computer work areas so despite the teachers claiming there are not enough computers there are. We have shown them the average utilization of labs and work areas and overall the usage is less than 40% during the normal school day. It fluctuates a bit but there are plenty of open computers to work on all the time. It seems one of the biggest complaints is mobility so I wrote a proposal to start phasing out the 2 -3 desktops per classroom and assigning each teacher a laptop. I thought that would give them more freedom to work in their classroom or virtually where ever they wanted since the wireless is pretty strong in our schools but I was told based off a survey that not enough teachers wanted a laptop so they could not pick and choose since not every teacher has their own classroom so they would still need a desktop in the classrooms.

    When it comes to smartphones we have no problem having them set up their email, contacts, calendar, etc.. to sync with their phones via activesync from our exchange server but we do not give priority support to people asking. We have some difficulty with the less friendly devices like Blackberry and older Palm based phones but WinMobile and the iPhone work great and we have control to remotely wipe them if we need to.

    So if it can be done securely for both the user and the organization then great but all things must be considered. It's a cruel world out there and data and identity theft happens and we can only have so much control over personal devices.

    The only other thing to consider is how much support (if any) does the organization provide to these people with personal devices. I am not sure how it goes in other places but we do have people bring in their laptops and smartphones and the expectation of free support when they have a problem is a huge issue. They make outrageous claims that they cannot do their work and despite being told their is a fully functional computer right there next to them they still complain that they have to log in and that takes such a long time and it doesn't have all the programs they "need" to use yada yada yada. The funny thing is it literally takes under 30 - 40 seconds to log in on most computers and when they say the need other programs they mean their personal games and entertainment applications. It is almost like I am dealing with children.
    bobiroc
    • How "firable" is your director of technology

      Apparently he is kind of witless. He must be good at finances and politics, because based on your description, technology is not his forte.

      Having said that, I have an issue with "client applications" that check there is an antivirus. Specially in a school environment.

      Don't get me wrong, I am not against checking that Windows computers have a certain service pack and patch levels and an antivirus, but what about teachers or students preferring Mac or Linux or a different OS? There the antivirus should be part of the email system and firewall.

      I really feel for you with such director that thinks that clarifying use with policies is just make work. A fair policy doesn't have to be cumbersome. You don't want to be like Dilbert's "Mordac the preventor" but lack of policies just creates a liability and confusion.

      What about using seeding some parents into the board meetings to push to replace the Director of technology?
      rarsa
      • Been Tried

        [i]Apparently he is kind of witless. He must be good at finances and politics, because based on your description, technology is not his forte.[/i]

        Not good at finances because he screws up the budget every year but must be good at politics or being a BS artist because they keep him around. He retires in a year and a half so that is good.

        In response to your other points I think good security should be in place for no matter what OS they choose. Most of the NAC (Network Access Control) devices I have looked at that basically have an installable client that checks for such things have a Windows, MacOS, and some even have clients for linux distros such as Ubuntu. While having Antivirus/Antimalware may not be as important for the latter OSes having up to date patching and checking for other security such as having open shared folders and other network vulnerabilities is. We do have antivirus on both the email and firewall and it does a great job and all of our district owned computers (including the Macs) have antivirus software on them and if you read the logs on the Policy server that controls the A/V clients you would spin your head seeing how much it catches. I guess I can see a scenario where a personal device gets compromised in some way and the teacher/Staff member blames the school district or even worse a student device gets compromised and little Johnny's parents threaten to sue.

        I am all about using technology to it's full potential, but I am not willing to jeopardize the security of the school district or the Teachers/Staff and Students that are there.

        The hard part is explaining this to my director which is a former science teacher (no offense to teachers) and has no IT background what so ever. Basically is one of those that thinks he knows technology but is really one of the worst at it. I could go on for hours about his stupidity but that is a topic for another time and place. As far as pushing him out, that has been tried. He is not a favorite amongst many teachers and they actually filed a formal complaint and all that happened was a letter went into his file. Basically he is the type of person that gets "WOWed" by a new shiny thing and will impulse buy it and then make the tech staff find a use for it. Instead he should find out what the teachers/staff and students need and find the right technology to fit that need. Basically he does it @$$ backwards.

        Other than that it is basically a handful of whiny teachers (again no offense because not all teachers are that way) that want to use their personal computer so they can goof around or go hide somewhere where no one can find them. I hate to use the word force but I almost wish the would force the teachers to have a individual laptop that they can use at work and at home. Not only would it cut down the number of computers we would need it would save licensing costs and give the teachers pretty good mobility to work where they want. Of course there would have to be some liability on the teachers like if they lose it or damage it and it is from neglect but overall seems like a better plan. In today's game with educational discounts a laptop just as powerful as our desktops is maybe $150 more. Some days I just have to say "I just work here" and do the best I can.
        bobiroc
    • Your technology director

      is a former educator, no?
      NickNielsen
      • Yes

        And I meant no offense to any teacher when I mentioned that he used to be a science teacher. Most of his problem is his personal lazyness and poor attitude and work ethic. He is not very well liked and from what I heard he was not a very good teacher and always took shortcuts and cut corners and stole other people's ideas.

        To be honest our Technology department is very large and I think the directing should be split into two positions. One position for a person with a strong IT background to manage mainly the hardware and infrastructure and another with an education background but also strong in technology so a collaborative work effort can be made to address both sides of technology needs. Like I mentioned in my earlier post, my director gets distracted by shiny new things and buys them with little or no discussion and tells the IT staff to Make it work or find a need for this. Instead he should find the needs of the teachers, students and staff and get the right technology to fit that need.
        bobiroc
  • RE: Should IT let users bring their own laptops and smartphones? [podcast]

    I won't watch the podcast for two reasons, it is way too long to sit and watch on my work computer, and I have no say in what happens anyway.
    From a user's point of view, access, even remotely, with a non company owned device would be nice. Email can be checked over the internet with any capable device, now. I understand it is easier to control security using only company owned devices that are checked for malware and updates installed, etc., whenever connected directly.
    dhays
  • You have no choice...

    You brought this reality upon yourselves with your drunken orgy of information prevention (Dilbert reference intended) policies. Examples include no "unauthorized" apps (and if you can't understand it, it unauthorized), non-essential websites banned, timed Internet access of even essential Internet access, ...

    We lowly peasants cannot perform the work that we were hired for unless we use our own hardware. Having to buy hardware to do the company's work is not our first choice, but we will perform our job function.
    tmccorm
    • I think your perception is skewed.

      I do not believe that you 'cannot perform your work', I believe you may not be able to 'perform your work in your PREFERRED fashion'.

      Perhaps you are functionally fixed in your worklow. Perhaps there is a tool in place, YOU need to learn and do your job.

      Hopefully that does not involve creating some kind of God forsaken Excel OLAP cube.
      bill.kunkel@...
      • Perhaps

        You are full of shit. I've been there myself MANY times. It's annoying to say the least to have to use my OWN laptop to do job related work because I can't get what I need to work with the company computer. The biggest headache yet? Blocking usb ports. Oh that was just BRILLIANT whoever thought up that one. Try docking an appliance you really NEED to do your job without that ability. Oh yeah, purchasing will let you buy the appliance. But you can't dock it to the company system even if the company does own the device. Nice.
        blueskip
        • What can't you get done

          Really, we want to know. I know places that block USB ports. You want to know why? So that some idiot does not bring a virus in on a flash drive and breach security. Why don't you PROVE you cannot do your job on the company computer. I hear that one too. "I can't do my job...wah wah wah!!" Yet when they are asked to outline in detail why they cannot so the IT department can address it all I get is "Uh..well...uh...because you know..."
          bobiroc
          • What I can't get done...

            I have (authorized) SW that requires a usb key, doesn't work even tho it is authorized. Different issue: after 9 months, I finally got approval for SW I need. But in that 9 months, there was a major SW upgrade. The new SW I got is not authorized so they won't install it. (Like Office 2003 was authorized, but 2007 isn't - duh) Yes, it's installed on my personal laptop. I am already 6 months behind schedule - don't have time for this carp.
            I do presentations and training. I can't of course hookup my personal laptop even to a co. projector. So it sure would be nice to put the ppt on a usb key instead of dragging around a separate CD/DVD with my laptop. I have 4 gigs of email archives on my work PC that I must keep. Doesn't fit on my network drive. Can't use an external hard drive to do backup any more. Like I'm going to use the CD???? With what multi-volume backup solution that works without corrupting a pst??? And I'll be buying my own media, too??!?

            Everything is a freakin workaround that depends on my resourcefulness and my funding to get done. I don't have an hour or two to wait for you to install the latest version of flash or firefox or Adobe reader (and because of the latest sec flaw), I refuse to wait until you get around to it next week. Assuming your push works.

            Wait, you can't manage malware threats on your network, you need to install something on my PC? What, you're lazy or poor or what? At least our networks can stop those threats. I accept responsibility for keeping my personal laptop updated, but it part of my rules of behavior anyway. Failure means I don't get to use the network.

            And 30-40 seconds to login is ridiculous! Does it take 5 minutes to logoff, too? My co. laptop does.

            Bigger picture: IT operations is a service and if you can't perform the service to the satisfaction of the paying customers, then you will not continue to operate. Customer dissatisfaction is already apparent if people are bringing their own equip. People expect a commodity to work the same at home as the office, and why shouldn't they? Who the heck are you to tell me to learn to do my job your way?

            We have been here before when the glass house thought it ruled the world. Offices bought PCs, programmed them to do what they needed, and *poof* no more MIS. You are probably too young to remember.

            Or to make it simpler, if you aren't part of the solution, you are part of the problem.

            Yeah, you touched a nerve alright.
            jonniva
          • If it is a legit need

            Then it should be accommodated and I am all for that but I will try to address your points best I can.

            Your first point about the USB key and the authorized software it sounds like you have a challenge there and I am not saying that sometimes IT staff are not difficult because they are. If someone came to me and had a legit reason for needing something I generally accommodate them. If Office 2007 is "Not Authorized" then the IT or management better have a good reason like it is not properly licensed or there is a known conflict with another major system etc.. and I would hope they have a reason such as that. That all being said I feel that many end users do not convey their reason for needing access because of attitudes you are exhibiting in your post about you think we are lazy which brings me to your next point.

            We can manage a good deal of malware threats but do you understand how malware works. Do you realize that some malware can "phone home" over standard ports that if they were blocked on the firewall would really make work that much harder. How often new malware comes out that has different characteristics that you may not be able to account for on a computer that some user let their Anti-Malware software expire or does not have any at all? I don't think you do. I know they make network appliances and software that can detect signatures of certain things and we have one and it cost $22,000 and is about $6,000/year for renewal and support. I uses deep packet inspection and gives a good layer of security along with the ability to block non-organization required applications and access to certain sites. For example we can block logins to facebook, myspace, twitter, whatever based on the certificate signature no matter if they found some alleged backdoor site that is not facebook.com or the official home page of the site they are trying to get. We can block unauthorized IM even if they try to change their port connections to port 80 or 21 or some other commonly open port. Maybe you are a better employee than most and you follow the rules but the statistics show that the majority of employees do not and in my case working in High School education we have HS students to deal with which are all about breaking the rules or looking for someway to stop "the man" from letting them get to their MyTweetBook sites. So you may accept responsibility but most do not. Hard fact jack.

            When it comes to logins yes most of our logins are about 30 - 40 seconds on network and log off is about the same. Mainly because we do not use roaming profiles and such and each student or teacher/staff gets basically the same desktop and start menu across the board to keep things consistent so when they call and say Email is not installed you can easily walk them through finding the correct icon on the desktop or start menu for example. We have a couple things that follow them around like their favorites using folder redirection so that anything they save to documents or whatever is actually going to their network storage. That being said there are handful of users that need elevated rights to their computers and those logins are about a minute to a minute and a half. I will say when my laptop is off site it can take 2 -3 minutes to get in and Windows 7 is much faster at all of these than XP is.

            Satisfaction is sometimes a personal issue. You may not be satisfied with the Dell PC running Windows on your desk and you would rather use your MacBook running MacOS so therefore you are not satisfied. But like I mentioned if there is a real, honest, legitimate reason you cannot do your job due to a restriction then you need to properly express it. I find most people just walk in and say "I can't work like this..." and when you ask why you get a lot of Ums and Uhs and blank stares. Put it in constructive form and I would have to say that IT and/or your management will find a way to get it done. Especially if you can prove that it is costing them time and money. So what you are trying to say is that you EXPECT the computer at work to have unlimited rights and access just like your personal computer at home and I am sorry my friend that is not how it is. Sometimes there is no accounting for the "human error" and companies and IT have to take steps to try and prevent that so if something bad does happen they can prove that in the court of law. They cannot just walk in and say "oh we let all our staff be full admins" because tomorrow that company would be out of business and you out of a job.

            I love your last lines [i]"Or to make it simpler, if you aren't part of the solution, you are part of the problem"[/i] because I use that one all the time to my users that complain when they say they cannot work "like this" and have no real reasons to back it up.

            So it can be unnerving for both parties involved but that's life my friend.
            bobiroc
          • Re: What can't you get done

            There is a long list of examples. An few examples:

            - The company I work for manufactures custom hardware. It would be nice to install it on a PC or two before we ship but virtually no one in the org has the admin rights required to install the device drivers and software

            - A customer has an application that they authored to support our hardware. We need to run this app to support relations wit the customer but "no unapproved software" (never mind the lack of admin rights)

            - I occasionally need to travel for business. Travel websites are either forbidden (Expedia etc) or time limited (Delta etc)

            This list could go on for a while, but I will spare you. Suffice it to say that there are needs in our organization (and probably many, many others) than can only be meet with outside hardware.
            tmccorm
          • Along with my post above read this

            [i]- The company I work for manufactures custom hardware. It would be nice to install it on a PC or two before we ship but virtually no one in the org has the admin rights required to install the device drivers and software[/i]

            Does your company have a quality control method in place to test such devices before they are shipped to the customers or places they will be sold? If so then it is a moot point if you can do it or not.

            [i]- A customer has an application that they authored to support our hardware. We need to run this app to support relations wit the customer but "no unapproved software" (never mind the lack of admin rights)[/i]

            Well then IT should assist with that. If they just handed out admin rights what is to stop you from installing your favorite game or other applications you probably do not need. Not to mention full admin rights opens the door for security threats and liability issues like I mentioned above in earlier posts. Just because you feel you can do it yourself doesn't mean you should automatically have the right to do so. Heck I feel I can fly a plane because I played a flight SIM before...should I have access to the airfield and to any plane I want?

            [i]- I occasionally need to travel for business. Travel websites are either forbidden (Expedia etc) or time limited (Delta etc)[/i]

            I guess the operative word there is occasionally and if you need to travel I would hope they have ways to accommodate you on that. However, I am sure it is done that way because once upon a time Sally Secretary spent a lot of time on travel sites dreaming of her tropical get away. The moral of the story here is it is usually a small group of bad people or a bad situation of the past that put these more strict policies in place. If everyone had high moral values and followed the rules it would be a perfect world. It is also very hard to be selective amongst Employee A which might be an exceptional employee and Employee B who kind of likes to goof off now and then and if we gave him/her the ability they would. But if they say to the good employee you can go to those sites or do that procedure the bad employee would file a discrimination suit now wouldn't they.

            So I guarantee you my list could go on longer than yours.
            bobiroc
          • One suggestion

            Our test departments have several systems that are off the network or on a test network not connected to the main one. We in IT have no problem with giving those employees Admin access to those test systems.

            While I don't allow users Admin by default, I recognize there are times it's needed. Some IT departments may have draconian 'one size fits all' policies, but we aren't all like that, any more than all users are click-happy phishing respondents.
            CharlieSpencer
          • I think many would be surprised

            on how they can be accommodated if they would just convey their reasoning for needing the extra access. Sometimes rules/policies need to be adjusted on a situation by situation basis and most times that can be done. For example we have a policy in place that only allows staff level user account to log into 2 computers simultaneously but there have been situations where up to 60 logins were necessary and we can temporarily or permanently grant that. But we have to keep it strict because we find that many staff neglect to log off a computer or log in students and other people because they do not see the threat of just handing out their login credentials.
            bobiroc
    • Mordoc at work

      Yes, in some cases Mordoc may be at work, really screwing you up.

      But that is not the fault of the policies, there can be sensible policies with sensible exceptions.

      At my work many years ago, they decided to lock down all the computers. No admin rights for anyone.

      I was a senior developer at the time. It quickly became obvious that we could not unit test and debug applications in our assigned computers as we couldn't change the registry or install libraries, etc.

      Some just raised their hands and complained privately. Some of us decided to request admin rights getting approval from our VP and go on with our day.

      The policy is still in place. The cost of supporting users that were breaking their computers installing crap just went down, but now, there is also a formal process so developers that need it can request it.

      So, if you have a business case, don't just complain, bring it up. Maybe you'll find a Mordoc who draws pleasure on your suffering. Most likely they'll grant you what you need or explain why their reasons override yours in a way that makes sense to you.
      rarsa
    • RE: You have no choice

      This comment of yours really tears me up: [i]You brought this reality upon yourselves with your drunken orgy of information prevention (Dilbert reference intended) policies.[/i]

      Then I must ask you, [b]who[/b] is expected to protect the companies' data and systems from users who do stupid things? (L)users????

      I do not think so. We recently bought up another company. Its management, was, to say the least, incompetent. No one there had any intelligence as to IT security; and before we connected their PC's to our network, we scanned them. Most of them were infected with malware, and a few had appreciable amounts of [b]porn.[/b] In our company, downloading porn using a company computer results in [b]immediate termination.[/b] There is no reason why people should be visiting Facebook and Tw@tter during working hours.

      To me, it is obvious that you just do not have a clue. Perhaps [b]you[/b] want to be the one to have to explain to the boss [b][u]why[/u][/b] your company suffered a serious data breach?
      fatman65535
      • Get rid of IE first

        Then the rest of your b.s. arguments are just that. Ok people shouldn't be allowed to download porn, but immediate termination for it is also retarded to say the least. As far as visiting Facebook and Twitter during working hours piss off. You are a tard. Who cares so long as productivity is acceptable. People are not robots.

        Perhaps you need to learn what being a normal person instead of a jerk is.
        blueskip
        • Productivity is not the issue

          again with the stupidity. What part of the company is responsible for what happens on their network don't you understand? If some idiot posts a hateful comment or tweet on one of those pages the company allowed to happen and could be involved in some sort of lawsuit. It is the company's network and if there is no business value in certain sites they have the right to prevent them. Again prove these sites are needed for your job? That goes for anyone. Now take your sob story somewhere else.
          bobiroc