User experience is generally defined by 'BYOD groups'. Group membership will be dictated by both the user role and device support. Users are generally split into two parent BYOD groups: domain users and non-domain users.
Domain users - Domain users should get a smooth process that automates the delivery of the WLAN profile. This may require agreement to T&Cs regarding use and disk encryption, strong password, remote wipe, etc.
Non-domain users - Non-domain users will accept that they need to be authorised by a sponsor before being on-boarded, so they will wait for that to be done or, if arriving for an event, hope it was done in advance by the organiser. In most security-conscious businesses the trade-off is to collect some contact details for the user. Ideally their credentials are sent to them via SMS, which guarantees a valid contact number. Alternatively, and more commonly, the credentials are emailed or printed. An important note for non-domain users is that their account should be time-limited.
- Use a captive portal landing page for new users.
- Use device profiling to define the user's device.
- Use Active Directory to validate domain users.
- Use an MDM client-side app to auto-configure profiles and manage device security.
- Use 'non-domain' Certificate Services for WLAN security.
- Assign employees to VLANs by AD security groups.
- Use a single SSID and Change of Authorisation (CoA) to apply VLAN ID.
- Apply QoS using WMM, DSCP and L7 application awareness.
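As an added example (not code from the original post), the 'AD security groups to VLAN' and 'single SSID with CoA' points above could be implemented along these lines in Python: a policy lookup that also enforces the time-limited non-domain account, and a RADIUS CoA-Request (RFC 5176) carrying the Tunnel-Private-Group-ID attribute that tells the WLAN controller which VLAN to apply to the session. The group names, VLAN IDs and shared secret are assumed values.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed mapping from AD security group to VLAN ID; real values are site-specific.
GROUP_VLANS = {"BYOD-Execs": 110, "BYOD-Staff": 120}
SPONSORED_VLAN = 200  # assumed VLAN for sponsored, time-limited non-domain users
COA_REQUEST = 43      # RADIUS packet code for CoA-Request (RFC 5176)

def decide_vlan(domain_user, ad_groups, account_expiry=None, now=None):
    """Return the VLAN to apply, or None if the session should not be authorised."""
    now = now or datetime.now(timezone.utc)
    if domain_user:
        # Domain users: first AD security group that has a VLAN mapping wins.
        return next((v for g, v in GROUP_VLANS.items() if g in ad_groups), None)
    # Non-domain users need a sponsor-set expiry that is still in the future.
    if account_expiry is None or account_expiry <= now:
        return None
    return SPONSORED_VLAN

def radius_attr(attr_type, value):
    """Type-Length-Value RADIUS attribute; length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def tunnel_attr(attr_type, value, tag=0):
    """Tunnel attributes (RFC 2868) carry a 1-byte tag before the value."""
    return radius_attr(attr_type, bytes([tag]) + value)

def build_coa_request(secret, identifier, username, calling_station_id, vlan):
    """Build a CoA-Request that moves one client session onto the given VLAN."""
    attrs = (
        radius_attr(1, username.encode())                # User-Name
        + radius_attr(31, calling_station_id.encode())   # Calling-Station-Id (client MAC)
        + tunnel_attr(64, struct.pack("!I", 13)[1:])     # Tunnel-Type = VLAN (13), 3-byte value
        + tunnel_attr(65, struct.pack("!I", 6)[1:])      # Tunnel-Medium-Type = IEEE-802 (6)
        + tunnel_attr(81, str(vlan).encode())            # Tunnel-Private-Group-ID = VLAN ID
    )
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator (RFC 5176 section 3): MD5 over header, 16 zero
    # octets, the attributes and the shared secret, so the NAS can verify it.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa_request(secret, packet):
    """NAS-side check of the Request Authenticator on a received CoA-Request."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return packet[0] == COA_REQUEST and auth == expected
```

The controller would send the packet over UDP to the NAS's CoA port (3799 by default) and expect a CoA-ACK or CoA-NAK back.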
The above approach is a 'perfect world' scenario. However, not many WLAN vendors offer ALL of this and you will need to review both your WLAN and MDM vendor before finding the right solution and price for your chosen BYOD model. Pen-testing is also likely to be a prerequisite for selection in high-security organisations.
As I'm writing this I have realised that I should really write another blog on the different WLAN vendor approaches, look out for BYOD blog part.... 4!
"BYOD improves productivity": we see this mantra everywhere in Wi-Fi. However, BYOD doesn't necessarily improve productivity. Many organisations have introduced better workflows through mobile apps and systems that work just fine over 3G/4G.
The question sometimes becomes "How will BYOD improve upon existing 3G/4G productivity?". Well, BYOD improves productivity over 3G/4G in these scenarios:
- My signal is terrible; there isn't enough throughput in areas where signal actually exists.
- Most of our BYOD users have Wi-Fi only.
- I want to use voice or video apps, and I have a local VoIP gateway that supports SIP clients.
- I want to use Bonjour services - AppleTV in meeting rooms.
- I want my trusted WLAN devices to access local file and print servers.
Many organisations see BYOD as a logical next step up from guest services, and often use the same DMZ for BYOD - pushing traffic directly to the Internet. In my opinion, BYOD must offer LAN access to maximise productivity and truly differentiate from 3G/4G. 3 out of the 4 scenarios require LAN access.
The key takeaway here is that access to local networks is a game changer. For employees, having access to printing, file shares and media services is where BYOD makes headlines. So, it's important to get the blend of usability and security right… remember, execs want Apple TV in the boardroom - just make it happen.
Here are a few tips for a productive BYOD design:
- Consider traffic flows.
- Decentralise WLAN architecture for trusted devices.
- Don't over-engineer device security.
- Develop tablet optimised corporate apps.
- Develop a secure cloud service for mobile focused apps.
The Social Media Meltdown
Finally, the elephant in the corner… social media. Is it a threat to productivity? I hear mixed opinions on this…
Access to social media via the corporate network depends on the culture of the business, and many businesses encourage the use of Twitter and Facebook. Though I do think it's fair to say that many employees will see BYOD as an avenue to their 'personal' digital lifestyle. This could result in the loss of a fair few hours of productivity if staff begin spending an inordinate amount of time in the toilet... Which is why I have patented the 'Simkins Faraday Cubicle' in 65 countries :)
Joking aside, using an L7-aware security appliance and profiling, you could create profiles based on security groups for approved Twitter and Facebook users, then limit standard users to, say, 30 minutes per day. But is that really necessary?
Thanks for reading! Next blog will cover the WLAN and MDM vendor options for BYOD.