Coping with COPE with Good Technology’s Phil Barnett.
With enterprise mobility now firmly on the C-level agenda, it’s sometimes easy to forget that it began, at its heart, as a grass-roots movement. The words ‘Bring Your Own Device’ imply a central dictum to employees, that workers were commanded by their higher-ups to bring in their iPhones and iPads.
Really, of course, it began as a natural result of employees’ desire to bring the convenience and user experience of their consumer devices into their working lives. Devices such as, to give due credit to Apple, the iPhone and iPad, combined high-level functionality with slick interfaces in a way that revolutionised working lives.
Corporate-owned, personally-enabled device (COPE) policies can in many ways be described as a reaction to what the workers were doing anyway. The company provides the workers with a device that they will primarily use for work but are also able to use for their own purposes.
Issuing the device is, in a way, nothing new – businesses began issuing BlackBerrys to workers back in the early 2000s. But to provide them with a device that they will use in their lives outside work as well throws up new dilemmas.
Assuming that an IT department wants to capitalise on the potential of enterprise mobility, or is being forced to, it faces the COPE vs BYOD dilemma. Phil Barnett, GM and VP EMEA at Good Technology, explains that COPE is most vital for companies where workers need their devices for specific rather than generic functions.
"Instances where we see the corporate-issued device have two main themes. One of those is where that locked device, and only wanting certain functionality on it, becomes a big element of why you’ve made that decision.
"If I think about a major bank doing a pop-up branch at a festival or events offering banking services, then you really want that device just to run the apps that you want it to run and work in the efficient ways that you want it to.
"It makes sense for the corporate-issued model to be prominent in that instance because you want to manage the whole experience end-to-end and a lot of aspects of that experience."
Another circumstance where Barnett suggests adopting COPE is in companies with prominent use of field support staff.
"In that instance, trying to tell a field support force which hasn’t necessarily worked with a connected device in the way that you may think about other workers, getting them to do BYOD from a people point of view is a step too far. Corporate-issued at that point becomes quite important."
Additionally, Barnett believes that where an employee is experienced in technology a BYOD policy might be more appropriate, whereas a corporate-issued device might be more appropriate when the employee is not.
Barnett explains: "I think it depends to some extent on who the worker is and what they do and what their experience is. If I think about a major bank, we have users in those banks who have 5 or 6 devices that they want to bring, who are very tech-savvy and familiar with it.
"If you move to someone in his mid-50s who repairs high voltage equipment, they are very different types of individuals. Some of the human issues with that become very prevalent when you’re trying to make workers more familiar with the technology. A corporate-issued device in the second instance is [appropriate] as long as it is the right one."
COPE also removes a lot of the legal troubles presented by BYOD; the company now has complete control over its data. These troubles are not imagined, either; in 2013 the Information Commissioner took action against the Royal Veterinary College when a memory card containing personal data was stolen from a camera owned by a member of staff.
At the time, the ICO Head of Enforcement Stephen Eckersley issued a statement explicitly drawing attention to BYOD’s role in the breach:
"It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it is crucial employers are providing guidance and training to staff which covers this use."
Choosing a device to issue
At a basic level the IT department is faced with its next challenge simply in choosing the device. Buying a huge stock of high-end technology is a major sunk cost and it’s important to do it right. As Barnett explains:
"We had a UK-based utility company which issued a load of Panasonic power-books to their employees and they went on strike. They felt they were being imposed with this technology."
There is a danger then, of a disconnect between what devices the IT department thinks the workforce should be using and the devices that the workers want to use. This will vary to some extent between employees, but some broad categorisations can be made.
Barnett adds: "When they issued the same workforce with iPhones they thought this was a glamorous thing to have and really started wanting to use it and embrace the technology."
The important thing in this case seems to be that user experience is taken into account, or you might face mutiny as in the Panasonic example.
Security, the perennial thorn in the side of enterprise mobility, is the next dilemma to rear its ugly head. Security is always a compromise, and it is crucial to ensure the right balance of user experience with security concerns.
The Press Association’s work with MobileIron provides a microcosmic example of this balance. The national news agency wanted on the one hand to enable new functionality, allowing journalists to capture content and file stories outside of the office. On the other hand, the risk posed by lost or stolen devices is considerable.
"Years ago, our journalists had to dictate stories over the phone," commented David Reed, Head of Information Services and Infrastructure at PA. "Later, they gained the ability to email files from their laptops — but that required good Wi-Fi reception.
"Today, with 4G mobile devices secured by MobileIron, journalists have the flexibility to file stories more efficiently from a car, a sidewalk or right at an event."
Employees are free to use the devices for personal applications, with MobileIron separating business from leisure.
"There’s no point in having our journalists carry around multiple devices for multiple purposes," Reed explained. "MobileIron helps us protect all of the content on our journalists’ phones and tablets, whether it is work or personal related. And if a device is lost or stolen, we can remotely wipe all the data in seconds — which does wonders for my peace of mind."
Also under the security bracket is the danger of rogue app use. Even if you can issue a device with guaranteed security, you can’t necessarily plan which applications workers will use.
Bret Taylor, CEO of Quip, the enterprise mobility platform provider, argues that the Bring Your Own App trend is "bigger and more important" than BYOD.
He comments: "If work applications don’t meet expectations they’ll download something from the app store. Even though text messaging isn’t an IT-approved app almost everyone uses texts with work colleagues. It’s so easy for people to use unapproved tools."
John Knopf, VP of Product Management at NetMotion Wireless, adds: "From our experience in the market, the most crucial element is the security and connectivity of each application; it doesn’t and shouldn’t matter what kind of device that is on, or who owns it."
The answer, according to Knopf, is to implement a solution such as his company’s Mobility 10.7, a mobile VPN which allows IT to manage individual applications running on a company’s network:
"Per-application management gives enterprises the flexibility and control to manage specific data, rather than relying on the security of the end-point device," he adds. "This makes security, authentication and management of business data far more simple, and allows support and IT admin functions to be done automatically."
Can you cope with COPE?
There is no one size fits all in enterprise mobility policy. For some circumstances, such as when sensitive data is being carried on the device or when there are specific functions that the employee needs to carry out on the device, COPE could be the answer. However, these considerations need to be weighed carefully against the risks of the policy, including the considerable cost.