Skip to content

Bring your own Device (BYOD) Baby Steps

The Matrix

As someone who spends a lot of time talking to CIOs about the Consumerization of IT (CoIT) and mobile, I get asked a lot about BYOD strategies.

I also recognize that you’re likely to get a different strategy from every person you ask.  To quickly recap how we got here over the last several years, the rise of BYOD is a result of more compelling devices in the marketplace combined with the move from Corporate-Liable (CL) to Individual-Liable (IL) device ownership policies.  Typically, I like to take baby steps on this one because you don’t have to boil the ocean in order to respond to this mega-trend all at once:

Baby Step 1:  Oh, it’s too late.  This step was already taken while you weren’t looking.  Your employees are already bringing their own smartphones and tablets into the enterprise.  In an Individual-Liable scenario, they’re using their own data plans to surf the mobile web and use apps.  Don’t freak out because you haven’t given them access to anything yet.  At worst, you might have employees that are distracted and not giving you their best work since they’re playing Angry Birds.  On the other hand, they may already be more productive because they’re using public information on the mobile web to solve corporate problems.

Baby Step 2:  Your employees want to get their email on their smartphones and tablets.  No surprise here.  Since I’m a person that believes CIOs and IT Directors should get more value for their dollar, I won’t ever recommend one-off, point-solutions to satisfy the need of each different mobile platform, because that’s wasteful.  During the middle of the last decade, I watched in horror as Microsoft began to license the Exchange ActiveSync (EAS) protocol to all its competitors.  At the time, I was worried we were giving away one of Windows Mobile’s competitive advantages.  Fast forward to our consumer-driven world of today, EAS is the one thing that every smartphone and tablet has in common.

Exchange ActiveSync

While not every organization uses Exchange Server, most do.  Some are even sidestepping the management of additional servers buy running this in the cloud via Office 365.  What this means is that you can instantly give push email, calendar, contacts, and tasks to your employee’s iPads, Android devices, Windows Phones, Symbian smartphones, and iPhones via a single technology that you probably already have.  If you’ve ever used Outlook Web Access (OWA), then your organization is already setup to securely deliver this value to most every device over SSL.  Okay, at a basic level, your employees can now get elements of their ‘information work’ done anywhere at any time which makes them more productive.  They should also be more responsive to your customers as well.

Baby Step 3:  Uh oh, someone told you that security could be an issue.  You’re now thinking that there’s no free lunch in mobile.  While you may not be able to beat the security you get on your heavily-managed Windows laptops and tablets with BitLocker, there is some light-management that you get for free and you probably don’t even know it.  Remember the EAS protocol from Baby Step 2?  Well, it gives you some light device management in the form of policy enforcement in addition to the email stuff.  While there are a lot of great device management packages out there that can give you complete control, when dealing with devices owned by your empowered employees, heavy device management may not be appropriate.  The notion of installing a device management agent on each employee-owned device is a huge undertaking.  So how does Exchange ActiveSync sidestep this?  Well, it’s already installed on their smartphones and tablets and it does things like enforce complex PINs, password expiration, and allows you to remotely wipe a device if it gets lost or stolen.  You get this for free and it works the same way across many popular smartphones and tablet.  Whew, you now have a basic line of defense in play.

Baby Step 4:  Supported device matrix.  While EAS provides email, calendar, contacts, tasks, PIN enforcement, and remote wipe to the majority of smartphones and tablets your employees might own, some devices might fall through the cracks.

The Matrix

That’s why it’s important to let your employees know which devices and mobile operating systems meet the minimum EAS standards to create your BYOD baseline.  It’s a list that looks similar like this:

  1. Windows Phone 7 and higher
  2. iOS 5.0 and higher
  3. Android 2.3 and higher
  4. Windows Mobile 6 and higher
  5. Symbian S60

As you can see, this covers the majority of devices that consumers are buying today with the exception of the Blackberry, which has its own device management system.

Baby Step 5: Your employees are now asking for enterprise apps so they can perform other elements of their job remotely from their devices.  It’s too soon.  I know your IT department has been developing desktop apps for decades, but your BYOD baseline isn’t ready for this yet.  The heterogeneous mobile diversity created by BYOD makes cross-platform native development inefficient and costly.  There are too many programming languages, IDEs, MEAP vendors, app security, and deployment issues for you to think about during this early Baby Step phase.  Don’t worry, you’ll get there later.  For now, I want you to keep it simple, and follow my theme of using the same technology over and over for every smartphone and tablet to realize training and cost efficiencies while shortening time to market.  The Mobile Web is your key to cross-platform success.  Today’s devices all have web browsers that support many of the features that comprise HTML5.


By continuing to build web applications like you’ve been doing for your company Intranet since the 90’s, you can target every device via a single code base, through a single engineering effort on the part of your internal or outsourced developers.  Since your employees will be accessing your web servers via their device browsers, you’ve effectively sidestepped software deployment and patching issues, blacklisting/whitelisting users and groups, as well as data-at-rest concerns.  WebKit, Opera, and Internet Explorer all provide the same SSL-encrypted experience you get on the desktop when you’re doing online banking.  Oh, and make sure to use Basic Authentication on your web servers since it’s the only auth method guaranteed to predictably prompt users for credentials and work across all device browsers.  To make things more competitive with native apps, the faster JavaScript engines of today’s mobile browsers make business logic and Ajax calls to your backend web services infinitely faster.  While your employees will securely get the data they need in the palm of their hand, it doesn’t mean I want them to access internal web servers via the corporate Wi-Fi network.  The BYOD baseline I’m creating for you doesn’t include secure CorpNet access because the necessary level of device trust hasn’t been established.  Publish your internal web servers out to the Internet using reverse proxy servers or through a public cloud where your employees can access them via their mobile operator’s data network.   The HTML5 mobile web is your no-brainer strategy for cross-platform mobile development until further notice.

Bonus Baby Step:  Speaking of Wi-Fi, the tidal wave of folks bringing in their consumer-focused, individual-liable devices are facing new caps on their previously-unlimited data plans and they’d like you to help.  While I remain firm that you haven’t done enough in your BYOD baseline to trust devices on CorpNet, you can throw your employees a lifeline by giving their devices access to a ‘Guest’ Wi-Fi network that only allows them to go out to the Internet.  Many companies have a segmented ‘Guest’ Wi-Fi network for visitors.  If you already have something like this in place, consider allowing your BYOD legions to ride on this network using Wi-Fi Protected Access (WPA2) for security.  Think of this as a ‘Give-Get’ since you’re publishing corporate HTML5 apps out to the public Internet without accommodating the data usage fees for employees to use them.  Now employees can use your mobile web apps from the office without eating into their mobile operator’s monthly data allotment.

Is this everything you need to know?  No.  But it quickly gets you out of the paralysis of not knowing what to do about this tidal wave of devices flowing into your enterprise.  Once you have this BYOD baseline in place, you begin to thoughtfully look at topics like encryption, containerization, wireless security, enforcing a larger list of policies, software distribution, inventory, corporate network access, enterprise apps, data, MEAP, and many more.

Right now, I want you to feel a sense of accomplishment by taking the first Baby Steps towards creating a mobile strategy for your organization.


Sharing my knowledge and helping others never stops, so connect with me on my blog at , follow me on Twitter at and on LinkedIn at

Sign Up for my Newsletter and get a FREE Chapter of “Mobile Strategies for Business!”

[mc4wp_form id=”5975″]

4 thoughts on “Bring your own Device (BYOD) Baby Steps”

  1. Rob,
    Your baby steps tips are great to help IT managers get out of reactive mode.

    At Intel IT (I’m the social media manager for IT) we haved embraced the consumerization of IT.

    We have some interesting stats in our 2011-2012 Intel IT Performance Report:

    58% of handheld devices in the enterprise environment are employee owned. From 0 personally owned devices in 2009 to 17,000 personally owned devices in 2011.

    We also share our IT best practices on our site There is a white paper on a quick evaluation process to bring on new devices, which allows us to keep up with what employees actually want to use.

    Hope some of the resources are useful.

    Kelli Gizzi (intelITsme)

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.