Hi fellow IT folks!
I’m finalising our new BYOD policy document (edit: for mobile devices which will not have access to the corporate network, i.e. iPhones with Exchange ActiveSync etc.), and am a little stuck, and wondering what the good people of Spiceworks’ views are.
I’ve added this line:
“Usage of personal devices to access company resources can and may be monitored to ensure compliance with company policies”
And I’ve been told that I need to clarify what will be monitored…
It’s a good question, what should I really be monitoring here? Realistically I’m thinking that we don’t really have the right to monitor anything other than email account and perhaps files on the device too. Don’t think we have any justification for monitoring anything else i.e. apps, contacts, location, etc.?
Thanks in advance
17 Spice ups
Will they be using your wifi to access the internet via their phones/tablets? The same web filter rules and access controls should apply.
6 Spice ups
That’s a good point - well, mostly no, but yeah for those who are I need to cover this off; thanks for the tip!
This.
The web filtering should be similar to in-house devices. I suggest VLANing and then filtering. I’m gonna say ALL network access to/from those devices needs to be monitored just as much as a company-owned device. It’s still on your network, using your resources, and your responsibility if one of those BYODs is used for illegal activities.
4 Spice ups
wileeric (Eric Wile)
That’s why we have 2 networks: one for guests (aka BYODs) and a corporate one; if your SID isn’t associated with the domain, access denied.
1 Spice up
What’s your BYOD policy covering? Mobile Email access? Entire Corporate Network access?
2 Spice ups
cgadmin (cgadmin)
I’d say that if you are using personal devices with company systems then anything you do could be monitored. It’s possible that even where you have no interest your systems may accumulate data on personal use that traverses them in some manner (e.g. personal use on a personal device connected to the corporate network). I think this is fair - it would be irresponsible to turn a blind eye to misuse of corporate systems just because such use can be deemed to be personal.
That said I’d also include some language in your policy to restrict monitoring to a specific scope such that gratuitous monitoring of irrelevant personal use is prohibited.
I think you want to acknowledge the technical reality that if staff mix personal devices/use and company systems it’s possible that data will accumulate on such use and that in certain cases this data may be reviewed (depending on local law you may even be compelled to produce it, e.g. law enforcement requests or FOI requests) BUT you also want to guard against this very wide net being abused by unscrupulous managers further down the line (to the extent that you even can).
Lastly (maybe obviously) I suppose you need something, probably in another policy, that strictly defines the extent to which users are permitted to employ corporate systems for personal use.
I don’t think that the fact that the owner owns the device particularly complicates monitoring policy. If they are using their own device connected to corporate systems then all use may be monitored (goes without saying?) and if they aren’t using corporate systems then you are talking about Joe Bloggs accessing his personal Gmail on his personal broadband on his personal phone and as such you have no interest in monitoring, no?
Every single packet that crosses the company’s network.
If they don’t like it, they can use their precious data.
6 Spice ups
adamsharif (Adam Sharif)
Thanks for the suggestions with respect to VLANs & filtering - these are things which are planned, I’m more interested right now to know how to draft this policy document just so we are covered from that perspective.
@koaladomingo Mobile email access mainly, however we will be using an MDM solution going forward and so I need to be specific on what we will be monitoring. Staff may have access to a segregated Wi-Fi network, however they will not have corporate network access.
In regards to the drafting of the policy, I would just make it concrete that ANY network traffic, including email traffic, streaming, website traffic, etc. would be monitored on the network level.
2 Spice ups
Our policy is that no personal devices are allowed on the company network, period. We have a 6Mbps DSL line that is our guest network. That’s what personal devices can use. It’s too much of a security risk for us (or just a risk we won’t take) to allow personal devices on the company network.
5 Spice ups
adamsharif (Adam Sharif)
Ok, I think I’ve neglected to give enough information here - here’s a bit more background: some staff are currently using their own mobile phones to access Exchange email accounts since our company only provides Managers with company-owned BlackBerry handsets.
We are looking at implementing an MDM solution, and staff will need to enroll their devices, and so I need to be clear within this policy document as to what we will be monitoring through MDM.
To be clear I am talking about personal mobile phones / tablets, without access to the corporate network.
cgadmin (cgadmin)
In that case you will be monitoring use of Exchange (as normal) plus whatever device-state stuff your MDM solution requires, e.g. whether or not the device is rooted, possibly A/V definition update level, etc. Possibly installed apps to guard against malicious installs harvesting the corporate address book, etc. In terms of this sort of compliance stuff I think as long as it’s spelled out in policy and everyone knows the bargain they are striking by enrolling their device then you get to draw the line more or less wherever you like. How hardcore do you want the requirements to be?
Aside from Exchange usage and the device compliance stuff I don’t think you’d have an interest in monitoring anything else?
2 Spice ups
If BYOD is allowed the only thing you could actually monitor without impeding on the user is the network activity, and good luck figuring out whose device it is if they change the name from the default. You can stipulate what they can do on the network and what company data can be stored on the device, but as long as it’s the user’s device you can’t verify anything against policy in reality.
1 Spice up
Oh! That’s easy then. Just write a policy for something like… “By connecting to XYZ company’s wifi, please be aware that you consent to traffic monitoring including but not limited to internet and app traffic. No session caches will be captured.” and then for the email “By accessing XYZ company’s email on your personal mobile device you accept the following terms and conditions. 1. Your mobile device MUST have a password and it MUST time out for inactivity. 2. You consent to the same email policies as applicable to the office environment. 3. You accept that, at any time, without notice, XYZ company may remove their data from your phone remotely. If unable to remotely, you accept the responsibility to produce the phone to the IT department of XYZ for removal within # hours. (I give my users 4 hours.)”
That’s the basics anyway. Add whatever you need to for legal or industry compliances and off you go!
cgadmin (cgadmin)
@Keenan2853 Apr 16, 2015 at 4:29 PM
If BYOD is allowed the only thing you could actually monitor without impeding on the user is the network activity, and good luck figuring out whose device it is if they change the name from the default. You can stipulate what they can do on the network and what company data can be stored on the device, but as long as it’s the user’s device you can’t verify anything against policy in reality.
Haha - yes there is something about expectation management when it comes to your superiors there too.
You don’t want to get hit with a request from on high to produce detailed reports on all sorts of activities just because your policy says that in principle anything is monitorable, when in practice trawling packet logs is likely to be impractical.
My suggestion that you (doesn’t apply to the OP now though I suppose) claim in policy that anything traversing the corp network (regardless of who owns the device and whether it’s personal use or not) may be monitored is really just a CYA thing firstly (by design your tech may indiscriminately gather some sort of data that could be construed to relate to “usage” in some way) and a scare tactic secondly. I’m not really proposing that you actually try and monitor all of that garbage.
I suppose local law may also limit your ability to do this though - privacy of employee personal may be mandated regardless who owns the systems?
Chris,
How long do you think it will be before, for whatever reasons, that policy gets changed on you by your management and they want to have employee BYOD devices connected for enterprise apps access?
1 Spice up
It won’t happen. We give all employees that require one a corporate mobile device.
I’m getting more and more inclined to believe that this BYOD is a fad destined to dwell forever with “client-server”, “cooperative processing” and all other great ideas buried away on the technical jargon cemetery.
Whenever I read it, I think BYON (Bring Your Own Napkins). If a company is cheap enough to not issue their staff the technology they require to do their jobs, it’s not really a good place to work.
Our policy for BYOD? Free wifi.
Secluded, distinct SSIDs that flow through a UTM for both staff and guests. We just tell them the key of the month and there they roam, happy with their iThingies.
Make sure they patch their devices regularly also. You may want to include something about an expectation that the user will be running system updates within x days of their release.
I used to work for an investment firm who used Mobile Iron; of course the customers couldn’t be trusted to update on their own, so we would ultimately have to revoke the e-mail certificate for their mobile device a couple of weeks after each update was released. We would check the release notes and if there was anything security-related that could potentially apply to our corporate operations, we’d notify staff of the cut-off date a few weeks ahead of time, and because of the high customer service expectations, pretty much every day up until the cut-off. The daily reminder emails and office visits apparently weren’t enough, so of course when that day rolled around, they’d contact us all pissy that their devices stopped working.
But it got the job done and all of the device software was up to date. thumbs up
1 Spice up
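The thread converges on a narrow monitoring scope for enrolled phones: the MDM device-state checks cgadmin lists (rooted/jailbroken, A/V or patch level, installed apps), the passcode and inactivity-lock terms in the sample email policy, and the "updates within x days of release" expectation from the last post. The example below, added here and not code from any poster or MDM vendor, shows what that scope looks like when written down as a compliance evaluator rather than as policy prose: it reads constructed device-state records, applies each rule, and returns an allow/quarantine decision for Exchange access. The record fields, the policy thresholds and the sample devices are all assumptions for the example; a real MDM exposes its own inventory schema. Note what the evaluator deliberately does not look at (location, contacts, personal mail), which is the scope limitation several posters ask the policy to state.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


# Constructed example of a device-state record of the kind an MDM inventory
# exposes after enrolment. Field names are assumptions for this example.
@dataclass
class DeviceState:
    device_id: str
    owner: str
    passcode_set: bool
    inactivity_timeout_seconds: Optional[int]  # None = no auto-lock configured
    rooted_or_jailbroken: bool
    installed_build_date: date                 # release date of the OS build on the device
    latest_build_date: date                    # release date of the newest available build
    installed_apps: List[str]


# Policy thresholds; the values are assumptions, adjust to the written policy.
@dataclass
class Policy:
    max_inactivity_timeout_seconds: int = 300  # must auto-lock within 5 minutes
    patch_grace_days: int = 14                 # "updates within x days of release"
    blocked_apps: frozenset = frozenset()      # apps not permitted beside corporate mail


def evaluate(device: DeviceState, policy: Policy, today: date) -> List[str]:
    """Return the list of policy violations for one device (empty list = compliant)."""
    violations = []
    if not device.passcode_set:
        violations.append("no passcode")
    if device.inactivity_timeout_seconds is None:
        violations.append("no inactivity lock")
    elif device.inactivity_timeout_seconds > policy.max_inactivity_timeout_seconds:
        violations.append(
            f"inactivity lock {device.inactivity_timeout_seconds}s exceeds "
            f"{policy.max_inactivity_timeout_seconds}s"
        )
    if device.rooted_or_jailbroken:
        violations.append("device is rooted/jailbroken")
    # Patch rule: an outdated build is only a violation once the grace period
    # after the newer build's release has elapsed.
    if device.installed_build_date < device.latest_build_date:
        overdue = (today - device.latest_build_date).days - policy.patch_grace_days
        if overdue > 0:
            violations.append(f"OS update overdue by {overdue} days")
    for app in device.installed_apps:
        if app in policy.blocked_apps:
            violations.append(f"blocked app installed: {app}")
    return violations


def access_decision(violations: List[str]) -> str:
    """Map the violation list to the Exchange access decision."""
    return "allow" if not violations else "quarantine"


def compliance_report(devices: List[DeviceState], policy: Policy, today: date) -> dict:
    """Evaluate every enrolled device and return a per-device summary."""
    report = {}
    for dev in devices:
        violations = evaluate(dev, policy, today)
        report[dev.device_id] = {
            "owner": dev.owner,
            "decision": access_decision(violations),
            "violations": violations,
        }
    return report


# Constructed sample inventory: one compliant device, one with a weak lock
# and an overdue update, one that fails almost every check.
TODAY = date(2015, 4, 30)
POLICY = Policy(blocked_apps=frozenset({"example-contact-scraper"}))
SAMPLE_DEVICES = [
    DeviceState("dev-001", "alice", True, 120, False,
                date(2015, 4, 8), date(2015, 4, 8), ["mail", "maps"]),
    DeviceState("dev-002", "bob", True, 900, False,
                date(2015, 3, 1), date(2015, 4, 8), ["mail"]),
    DeviceState("dev-003", "carol", False, None, True,
                date(2015, 4, 8), date(2015, 4, 8), ["mail", "example-contact-scraper"]),
]

if __name__ == "__main__":
    for dev_id, row in compliance_report(SAMPLE_DEVICES, POLICY, TODAY).items():
        detail = "; ".join(row["violations"]) or "compliant"
        print(f"{dev_id} ({row['owner']}): {row['decision']} - {detail}")
```

Each violation string doubles as the notice the user receives, which keeps the enforcement explainable: the user sees exactly which written term they fell short of, and nothing outside those terms is collected.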