Who Should Own Your Smartphone? 129
snydeq writes "The great corporate barrier against employees using personal smartphones in business contexts has been breached, writes InfoWorld's Galen Gruman. According to a recent report from Forrester Research, half of the smartphones in use among US and Canadian businesses are not company-issued equipment. In fact, some organizations are even subsidizing employees' service plans as an easy way to avoid the procurement and management headaches of an increasingly standard piece of work equipment. Gruman discusses the pros and cons of going with a subsidized, employee-owned smartphone plan, which is part of a larger trend that sees IT loosening its grip on 'dual-use' devices, including laptops and PCs."
It can be a blurry line (Score:3, Informative)
Even though I own my own smartphone [nokia.com], where I work (a very large IT company) there is an increasingly lengthy list of requirements and checks for any device connected to the corporate network.
I value my choice and don't want my employer to get me a phone but if I use it for work it is an increasing amount of hassle
Re:I prefer complete independence, thanks (Score:4, Informative)
We have a ton of people with their own blackberries signing up. They all are informed several times by us that their phone is open for legal discovery and a possible remote wipe if needed.
As the IT person, I DON'T use my personal phone. And I'd rather not. I don't understand why my company is ok with the use of personal phones...it just seems like so much unecessary liability and extra work. Personal devices aren't just a security risk, its an administration nightmare. Try providing technical support or troubleshooting a single error for 15 different platforms. It sucks. And it eats up time.
Still not protected. (Score:3, Informative)
Anything of yours can be subpoenaed in a lawsuit. Northwest Airlines subpoenaed [zdnet.com] the *personal* computers of their employees when they suspected their employees were getting too uppity^H^H^H^H^H^H, I mean, striking by calling in sick.
It hardly matters if you use encryption, etc... the legal discovery process can violate whatever privacy you thought you had. It only takes a credible allegation of wrongdoing - not even "beyond a reasonable doubt" - to discover all of your personal files, etc... and, because only money is involved, the plaintiff needs only show guilt by a "preponderance of the evidence", or more succinctly, that it is likely that you did it. If you think you can get smart by encrypting your files, it's likely you'll be held in contempt of court, and have a summary judgment entered against you.
The only thing paying for the hardware means is that you'll eventually get it back, usually.
Re:It can be a blurry line (Score:2, Informative)
EAS supports the enforcement of policies (device MUST have password, device MUST be encrypted). IMAP does not.
Also, many phones do not support IMAP/TLS, but support EAS over HTTPS. Using unencrypted IMAP for your corporate mail seems like a very bad idea, no matter how you put it.
Re:It can be a blurry line (Score:3, Informative)
Your job as a sysadmin is to make sure that people can do their job in as straightforward a way possible, that means that you should be bending for your users. If your users want to use something you don't yet support, it's your job to figure out how to support it.
Provided that it fits into the existing security framework & other policies for auditing, yes.
We don't allow IMAP/POP connections either. In our company, if you're allowed remote access to email, you have an RSA token for outlook web access, a blackberry, or a company-owned laptop with vpn access.
Allowing arbitrary IMAP connections makes brute-forcing/denial-of-service possible, and makes it easy to transfer large amounts of email to non-company owned devices (with unknown security).
Not everyone cares about this sort of thing, but some of have to.
Re:It can be a blurry line (Score:5, Informative)
enable IMAP because that's all that a single employee's phone supports (and we use Exchange/MAPI like most similar companies),
Sounds like you are the problem. That is not a standard documented protocol.
Re:It can be a blurry line (Score:3, Informative)
"If your users want to use something you don't yet support, it's your job to figure out how to support it."
WRONG. It is the job of IT to help the business make money. If the cost of supproring a SINGLE user getting their toy working exceeds the benefit to the business of getting said toy to work, then it is the rational decision to say no.
And you might think that. Just tick the IMAP box. Except then you suddenly need to pay attention to any announced vunerablities in the IMAP service. You might suddenly have passwords going clear-text across the internet. And your phone might not support the SSL versions of IMAP. And supporting SSL IMAP might mean servers that didn't previously have to be set up SSL (with certificates) now need to. Never mind opening the firewall ports up. And the whole extra service to remember to configure and maintain next time there's a server upgrade. Another thing to document - the cost is far more than just 'tick a box'.
Never mind that chances are your toy phone doesn't support it. And if there's an issue with your phone sending email, who are you going to blame? Yourself, or the IT Dept?
See, what you also don't realise is that people want the IT dept to support *their phone* and tell them how to set it up on their phone. This means that IT, instead of having to know everything about phones they support, have to know everything about every phone their employees might potentially buy. YOU might be able to self-support, but most employees simply can't.
Bitter? Perhaps. But supporting single user flights of fancy is not necessarially rational. You don't know the aggregate load that all these litte features palce on people.