In A World Of Bottom Up Technology, Should IT Support Your iPhone?
from the they-might-have-to dept
Back when the iPhone first came out, there were all sorts of stories about how it was no good for the enterprise. While it's certainly gotten better, it still does seem like the Blackberry is the enterprise smartphone of choice. Yet, many people really do like using the alternatives, and while the solution for many is to now carry around multiple devices, others are beginning to push for companies to support their own devices (iPhone or others). And this is becoming a bigger and bigger issue. These days, many technologies used in the office are coming from "the bottom up," meaning that they're personal technologies (hardware, software or services) that individuals are using/buying on their own first, and then realizing they're so useful, that they start using them at work too.
And that, of course, raises the inevitable question of whether or not the IT department should support those technologies. The easy answer (which I'm sure we'll hear many times over in the comments) is "of course not." But it might not be that simple any more. Ignoring or holding back those technologies entirely may actually harm overall productivity in some cases, and limit what employees can and should be doing. Now, obviously, I recognize the argument that a large part of IT's job is to keep things running and protect the overall setup from problems -- and letting in any technology and supporting it can make that very, very difficult. But it ignores the flipside of IT's role: enabling companies and their employees to be more productive through the use of technology. And, even if IT officially decides to not allow things like the iPhone, as the article above points out, it might not matter much:
Likely scenario: An employee is denied an iPhone (or possibly any company-provided smartphone) and decides to get his own personal iPhone for use at work. This surreptitious infiltration is actually a bigger concern than a handful of managers; at least with them you still get to control the configuration and deployment process. If you don't know that workers are using iPhones in your company, you can't secure them at all. You can't even be certain what data might be stored on them.
And since the iPhone is fairly easy for even novice users to set up -- they can sign onto wireless networks, access intranets, and even gain access to an e-mail server -- it's no stretch to imagine that a lone, unauthorized iPhone could seriously compromise confidential data, as well as access to your network and the services running in it.
So, a flat-out ban isn't going to do the trick, but actively supporting any technology people bring into the workplace is too much to handle and causes too many problems. So where is the middle ground?
Reader Comments
If security was your reason for a ban...
We avoid Apple's smartphone at my work because it's hard to centrally manage, and expensive on the cellular data (no unlimited plans over here). But there is a lot more lockdown that should have already happened if you require the sort of security that would be banning iPhones from your system.
To answer Mike's question: I will set up oddball devices for users in downtime, with an 'if it breaks it's not our problem'. Provided of course the device is not going to create issues with other internal systems.
[ link to this | view in chronology ]
Re: If security was your reason for a ban...
[ link to this | view in chronology ]
Re: Re: If security was your reason for a ban...
Most places aren't so spies-r-us that they have to worry about the amount of data someone can feasibly hand copy, data that sensitive is probably behind an additional physical security layer anyway (i.e. a bloke with a gun and a metal detector), and only accessible to highly trusted people.
My attitude to that sort of copy job would generally be "knock yourself out".
[ link to this | view in chronology ]
Three step process
2. Review item for security and management ability, and appropriateness for the work place.
3. Deny request because it would just add to amount of work that needs to be done for the same money since most IT people work only on salary and therefore don't have any incentive to work harder. Tell them it's a security risk or that there are too many support problems with the item. Move on to the next denial.
The truth is I have worked in IT for over 25 years and the above is pretty close to reality. Why? Because companies still view IT as an expense and therefore try to spend as little as possible on it.
So most corporate IT people work on salary and are expected to work however hard or long to get it done from people that have no concept of how hard it is or how long it takes. So IT people by default (any job would act the same) don't do anything that will add to a pretty full work load since they are not going to get any extra pay for allowing it.
In this technology driven marketplace you would think that companies would start to search for IT people that can add to the bottom line and also pay them what they are worth.
Disclaimer: I no longer work in Corporate IT but instead consult to them because I can get paid for the work I do and the hours I spend.
[ link to this | view in chronology ]
Re: Three step process
On a side note, my company works as the IT department for a lot of small/medium sized businesses on a contract basis (some by the hour, some with an agreement for as many hours as they need). I happily support iPhones, Droids, an HTC Hero, a ton of Windows Mobile devices, several Blackberries (some using the BES, some just using BIS), and at least one Palm device that I know of. Knowing that they're paying by the hour for it makes them a little more careful about the kind of thing that they ask for. I'd support email via pigeon if they really wanted at the prices we charge.
[ link to this | view in chronology ]
Re: Re: Three step process
[ link to this | view in chronology ]
Re: Re: Re: Three step process
[ link to this | view in chronology ]
Also, full in-house support for every smartphone OS would get unfeasibly complicated pretty fast, so employees buying a model without the company's preferred OS would have to get it fixed at their own expense and accept some extra restrictions on what they could do with it; sending it back to the manufacturer with commercially confidential data saved to disk is probably not a good idea.
[ link to this | view in chronology ]
They should...
These days? You're showing your age Mike. (Or lack thereof.)
Back in the day, people snuck Apple IIs into the office, just so they could run VisiCalc. Then they started bugging the mainframe staff for data to plug into their spreadsheets and, of course, the IT folk resisted doing the extra work.
"Besides," they said. "Those personal computer things are just toys."
Fast forward a few decades, and it would appear that they're still doing the same type of song and dance. All while people who WANT to be more productive spend their own time and money ushering in the future of communications and connectivity.
[ link to this | view in chronology ]
Re: They should...
I like problem-solving as much as the next IT geek, but there are limits to what I'd be prepared to do without a proper budget for retraining and new equipment.
[ link to this | view in chronology ]
Job 1 - Productivity
Job #1 for any IT person is to make people more productive and anything else is really just background noise. Any time I find myself starting to say NO to someone (or something for that matter), I make sure I'm not violating my #1 rule/job.
Most key decision makers are reasonable and if you explain in plain English the issues, costs, risks, and options, then in most cases you are set. For those that work with decision makers that aren't, if you are a talented IT person, then it is probably time to exercise your options.
Ironically, most IT people love solving problems and I would think are very "House - TV Show" like. Integrating the iPhone and other devices in a way that the company can accept is just another problem to be solved.
Freedom
P.S. I have a sign on my wall that says - don't tell me why we can't, tell me how we can.
[ link to this | view in chronology ]
Re: Job 1 - Productivity
[ link to this | view in chronology ]
Re: Job 1 - Productivity
[ link to this | view in chronology ]
Although some of those measures may be a little draconian for most places (not this one though), the idea of having new devices supported from YOUR budget, not the IT department's is certainly valid. "I'd like to get my iPhone on the network please", "OK, that'll be 6 months and £45,000", "Hmm, maybe I'll make do with this Blackberry..."
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Interoperability
Unless you lock things down to /insane/ levels there isn't any /real/ way you can prevent the workers from taking digital information they really want to out of a controlled setting. Physical things are harder, but are you really going to use trusted computing platforms, encrypted networks and storage, and deny removable media entirely?
End users already have physical access to the systems, and building them to be secure against /that/ threat entails so much big-brother expense and friction as to be likely not cost-effective.
With that in mind, it makes much more sense to give the end user a LITTLE trust, and a lot of GENERAL education on security practices.
Then you can let them access an IMAP account over a secured connection (SSL, well encrypted network, etc) while at work or using a VPN. Suddenly anything with a /real/ network connection and standard mail support can talk to a generic mail-server.
[ link to this | view in chronology ]
Standards
Everyone in the company has the same hardware, generic machines all have the same specs, Developer machines have better specs (but are all the same), Designer machines have their standard specs. Company phones are all the same, exact same model.
There is no hodgepodge of machines and devices, everything is standardized and unified, from the lowest staff members to the CEO (not all staff have smartphones, just those that require them). It gave a consistent image to visitors (and consistent disk images to us!) and keeps everyone happy as there was no "he/she has a better computer than me... waaaah ". Machine upgrades are bi-annually, phone upgrades are annually.
The network is completely locked down, they are unable to connect their devices via wireless (We have an excessively long password string and MAC address safe list) without actually hacking the system (and being terminated immediately if discovered) and we have lockdowns on what USB devices work.
That being said.. if they wanted help with their personal devices, or a home machine fixed.. I have absolutely no problem (nor does the company) with them bringing it in for me to take a look at if I have the time. We even have an isolated port for hooking their machines up to that is independent of our network, should the machines require internet access for updates/patches/drivers etc.
So in short, No iphones for work (they can bring their own for personal use though).
[ link to this | view in chronology ]
Re: Standards
"All machines are the same specs" - yea, right. And when the hard drive on one of those machines dies, and it turns out that this specific model is no longer manufactured, what do you do? Replace ALL machines in the enterprise? The same applies to keyboards, monitors, memory, motherboards etc.
"everything is standardized and unified" - you're clearly dreaming. In the Real World, problems are not "standardized and unified", and neither are the hardware and software that solve those problems. _Some_ of your developers will need a very specific monitor. Another - a larger than usual disk; and so on.
"The network is completely locked down" - and cables are what - glued into ports? Or soldered?
"and we have lockdowns on what USB devices work" - unless you use black magic I see no way of doing this. Complete waste of everybody's time.
Bottom line: we're talking about an imaginary place. Even banks don't have such an environment. Even military places (and I worked in such).
[ link to this | view in chronology ]
Re: Re: Standards
At my present client all machines are also roughly the same specs, the users have a choice of a few different models and software groupings but the base OS build is the same for example. We try to manage the options to ensure that there are enough to satisfy virtually everyone (yeah sure there is the odd real exception but if you asked most people they would say we have a standard).
We don't get to the point where hard drives or other components become obsolete with 95% of our kit as we refresh it within a 3 year window, this is usually within extended warranty periods so components are still readily available in my experience.
Previous clients I have had have locked down their networks to various degrees, it's not that hard to install network management equipment that verifies a machine before allowing it on the network at a logical level. One of my clients even ran compliance software that checked if machines had up to date patches and signatures etc before allowing them onto the main LAN (I'm not 100% sure how that worked as I wasn't involved but it definitely did the job).
As for controlling USB - that’s easy in a locked down environment, there are a range of options from fully supported methods such as altering the USBStor value in the registry to more hacky options. One bank I've worked at even went as far as also epoxying up USB ports in PCs used in its call centre (but we all thought that one was silly).
Of course an uber hacker with physical access can always circumvent options like this in a variety of ways but the object is to make it harder, follow these sort of steps up with a basic physical security presence and a well published (and followed) policy for how offenders will be treated and you generally don't have many problems.
So yeah, banks definitely have options like this, some more than others. Banks are actually a poor example as most of their really secure stuff happens on mainframe and midrange backend systems on a seriously locked down area of the network which is only allowed to communicate with the front office systems via a very controlled set of ports and protocols. You could in theory install masses of malware on the mortgage advisor's PC, and all that would happen would be the usual red faces as dodgy emails are sent around and someone from IT needs to rebuild a few PCs.
Can't speak for military sites but a military supplier I worked for had a secure network that you'd need an oxy-acetylene torch just to access the cables, and disconnect any of the equipment and it wasn't an IT geek that came running!
So yeah - pretty believable, not the norm in my experience but totally doable
[ link to this | view in chronology ]
The imaginary imagined!
Define supported technology standards and take time to manage the much smaller number of exceptions. Some of those exceptions will become standards subject to IT governance.
[ link to this | view in chronology ]
Re: Re: Standards
You've never been in an office with standardized machines? We have spares, and components (which we sell off to staff at the end of our 2 year lifecycle, as well as the ones that were in use after scrubbing the HD's). The machines are well within warranty during that period, and we've never had a problem getting the proper replacement parts (keyboards and mice are probably the only exception where we don't bother and just replace with generics).
All the developers have the same systems and monitors, and yes some are basically getting more than they require spec wise, but we don't dumb down their machines, they are all the same. I guess you've never heard of server storage space? THAT is a variable based on users' needs (one of our devs has 500gb, most of the others are chugging along well within 200gb).
Network lockdown also has MAC authentication, the 'average' user doesn't know how to spoof a MAC address, set a static IP or how to connect a non-domain device to the domain.
The USB lockdown I'm not sure on how it works, it's a legacy program running on the domain from my predecessor, it works though *shrugs* and surprisingly wasn't broken by Vista or Windows 7. (which I'm very thankful for)
Bottom line: Your comments were good for a laugh, I guess there's more security out there than you thought..
[ link to this | view in chronology ]
Re: Re: Standards
it's not impossible. big corps have purchasing power, so they can say to a company like dell or HP that you plan on buying X tens of thousands of units over a 2 year period and you expect a stable build. that gets built into the purchase contract.
also, big rollouts (where you roll a whole company over all at once) usually mean buying pretty much all the PCs over a short period of time (like 3-6 months).
as for changes to components, you just add the change to the standard image and keep moving. most stuff is labeled the same, even if the guts change over time.
[ link to this | view in chronology ]
Re: Re: Re: Standards
And I actually feel a bit sorry for those who don't; IT support in one of those organisations sounds like the most boring job in the world.
[ link to this | view in chronology ]
Re: Re: Re: Re: Standards
You are right though, it does get boring at times.. especially towards the middle of the year... we can always count on the devs to screw up something on their machines (they are the only ones that have local admin rights on their machines, the rest are plain users) but they seem ok now that they have XP in a VM..
[ link to this | view in chronology ]
Depends...
[ link to this | view in chronology ]
Big Brother and the iPhone
[ link to this | view in chronology ]
we do
We decided on this after we found a user forwarding all email to her personal Gmail account so she could access it on her iPhone. I work in a medical facility, so it is a huge never do, ever kind of thing. We fixed it, and now no one is allowed to forward their email anymore. The only way to get email outside the company is through webmail or an IT setup smart phone.
[ link to this | view in chronology ]
iphones
At that point, we tell people "look, here's the settings to sync to Exchange, but beyond that, I don't care about your iPhone. If you can't make it work, it's on you, not me."
We also do not support them having iTunes on their workstations. If they wanna load up their iPhones, they can do it at home. I'm not gonna be responsible when their PC crashes and they lose their purchased music because it isn't backed up.
[ link to this | view in chronology ]
comes down to politics
if your IT department is politically weak, then someone else calls the shots and if that someone likes arbitrary mobiles, then IT has no choice but to support them.
i'm an IT guy in the latter case, and while it would be nice to say no to people when i don't want to do something, either because it's impossible or it's going to be a disaster, it's really not that tough to support random smart phones.
[ link to this | view in chronology ]
Re: comes down to politics
[ link to this | view in chronology ]
Depending on how much of a workload you already have, you more than likely are not going to get any time for training, more money, or extra personnel. Why on earth would anyone want to risk being the cause of a potential data breach?
That's why IT departments don't want to support user technology. It isn't worth the effort so that one guy can keep an iPhone. Because that one guy's iPhone isn't the problem. It's the menagerie of technology you will now be supporting in addition to the iPhone that you have no background or training in.
[ link to this | view in chronology ]
Let's face it.
[ link to this | view in chronology ]
I do agree that IT should not be the end all be all final word on what items users can and cannot have (my last boss outright refused our mortgage division's request for laptops, and lo and behold when that boss was fired about 2 weeks ago the first thing the mortgage manager did was request a round of laptops). However at the same time due to corporate culture if something goes wrong it WILL be declared IT's fault. And frankly speaking if I'm going to be held responsible for it then I should have some say so on the decision process. By say so I mean a fair chance to weigh in on the pros and cons of the product. We've already been stung a few times when corporate tells us to start introducing some new product (no discussion just "Do it.") and then months down the road when it's not all it's cracked up to be everyone is tripping over themselves to blame us.
Mike ends by asking about middle ground. To me middle ground would be when a new product comes up and all parties that would be affected by this product get a fair say on it. If in the end the company ends up with a mix of smartphones no one has any room to complain later.
[ link to this | view in chronology ]
That all said, when the senior/directors ask for X,Y, Z to be set up for them, we don't give them much crap. Other people, email on your personal phone doesn't work? Here's your options, if that doesn't work not our problem.
[ link to this | view in chronology ]
It's all fun and games until someone pokes a hole in their network via a rogue conduit
Bottom up technology is fine, and having a good business justification for having a product like a smart phone is even better. We should as IT personnel support technology and help to nurture it. With that said, if we truly support it then the organization should own it and thus have control of the resource. We should not however give up control and allow personal devices on the network.
Some responses like to hinge on the fact that IT people are lazy... given, some are. Just like any profession, however there are some of us that work diligently and overtime despite our meager salary pay (which is usually offered because there's no way you'll ever get away with doing 40 hours a week, and don't forget about the weekend calls you'd have to pay time-and-a-half or double-time for). There's nothing like that gut wrenching feeling you get when you divide your salary by how many hours you worked during the year to find out you actually made less than minimum wage. Enough said about that, sure there's outliers to that but for the most part IT people don't just do a straight 40 in organizations anymore especially if they don't want to be outsourced (like any profession, you have your guys that'll get away with murder on the other end and work 20 hours a week to get paid for 40... do us all a favor and fire them for us will you).
If your organization doesn't have a security policy tied to human resource policies in place that covers rogue personal devices like routers, smart phones, personal computers (which are basically just as functional as a smart phone now-a-days) - you're asking for trouble (this should be something that all employees must read and sign). Oh, and don't forget about complete upper administrative support for the policy and enforcement thereof.
There are ways to block these devices from network access, etc (read my RSM link for details... or just put a filter on the vendor's MAC address for the device if you don't use that vendor for your organization). My answer for someone who tries to connect an unauthorized device to the organizational network is to start disciplinary action. Ask yourself, "Is your organization ready to lose sensitive customer/employee data because someone can't listen or directly disobeys security policy?" The short answer is "No". Seriously folks this is an immature technology especially in the scope of security... just do a search on the web and you'll find that the next "big wave" is protecting these devices with antivirus, etc: http://news.idg.no/cw/art.cfm?id=328604CA-1A64-67EA-E4279C2C9F1EC445
This means right now, personal smart phones are wide open for malware attacks thus acting as another attack vector on networks. I say personal smart phones, because they may fly under the scope of IT radar if the proper precautions aren't taken.
The efficiencies that smart phones create are far outweighed by the fact that data loss/theft directly and indirectly costs millions and closes multiple organizations every year. Consider this: "The average cost of insider data breaches is $3.4 million per business per year. –Ponemon Institute/ArcSight" Want more? Read on: http://www.massmailsoftware.com/blog/2009/10/sad-corporate-data-loss-statistics-previous-years/
So, why such a big deal about security... read this and maybe you'll empathize: http://www.rsmmcgladrey.com/pdf/the_smartphone_and_its_risks.pdf
Saying yes to allowing a personal smart phone on the network can cause just as much stress/work as saying no if you do it properly. To say IT is lazy for saying no to something like this shows a lack of understanding in today's security threats, and what goes into properly mitigating unauthorized access to the network (and this includes the development of security policies).
It also doesn't take in effect that most organizations are supporting organizationally owned smart phones officially now... just not personal smart phones. The end result is if you do it properly saying "No" may even cause you more work (and isn't the lazy way out). However, to enforce the "Just say no to personal devices" saying you'll have to develop a policy to disallow personal equipment on the network and enforcing that policy in addition to properly installing countermeasures to the organizationally owned smart phones. At that point what's easier? Developing the policies/countermeasures and enforcing them, or installing iTunes on multiple computers and supporting lame/mundane requests like helping them connect to the iStore?
[ link to this | view in chronology ]
In A World Of Bottom Up
World is changing day by day.
We can not live without any latest, modern communication devices.
All these new technological, communication devices have brought many usages among various sections of society.
There may be business rivalry between top companies on market share, competition, applications and pushing their sales from top to bottom levels.
iPhone, Blackberry will be with us for many more years.
[ link to this | view in chronology ]
Safe way to support iPhones
[ link to this | view in chronology ]
Who owes who?
Companies have to adapt to give themselves the competitive edge, but that doesn’t mean investing in supporting the newest devices.
[ link to this | view in chronology ]
iPhone Support
[ link to this | view in chronology ]