Developing an Effective BYOD Policy & Support Structure

Written by Andy Rivers

Since it first roared onto the scene several years ago, BYOD (Bring Your Own Device) has remained one of the IT industry’s biggest hurdles. Educause, for example, points directly to this ongoing challenge, ranking it seventh on its “Top 10 Issues for 2015” list. Perhaps the biggest challenge around BYOD is that it is constantly changing. In fact, in many ways it is no longer BYOD at all, but rather the expanded BYOE: Bring Your Own EVERYTHING. The secure management of an ever-growing list of devices – from laptops to tablets, smart phones to e-readers, gaming consoles to TVs – has proven to be a monumental task. Indeed, it appears everything is vying for a spot on our networks.

Define Your BYOE Policy

When strategizing a BYOE policy, it is important to understand how you are going to manage and support these devices. The policy must be both flexible and sustainable. You do not want, for instance, a policy that requires update each time a new device type is released. Conversely, though, the policy must be substantial enough that action can be taken when necessary.

Define Your Support Model

Just as your policy must be defined, so must your support model. More traditional models dictate user-reported issues with company-owned devices be worked all the way through to completion, whether the solution is as simple as a restart or extreme as a system rebuild. Either way, the issue contained within certain parameters: a company employee working on a company supplied resource. The support path was simple – work on an issue until it is resolved.

As support for user-owned devices becomes the norm, however, the path to resolution is no longer so simple. You may be willing to provide some base level support, but would rather not expend company resource on rebuilding each and every personal device. It is at this stage when the definition of the extent to which support will be provided to these devices must be determined. Below are a few high-level recommendations for defining effective support models:

Tier 1: All Users of Company-Related Resources

Whether from a personal or company-owned device, users at this stage are attempting to access company resources to complete (hopefully) valuable work-related activities. So, unless it is in direct violation of policy, you will want this to continue, and thus support this activity. This level of support typically extends only to those items that can be resolved within an initial call. When the support required exceeds this boundary, further discussion should be held to determine where the line should be drawn on a company level.

Tier 2: Personal Devices that Add Value to the Business

It is between Tiers 1 & 2 that demarcation occurs in most organizations. If the Service Desk cannot resolve an issue on the first call, for example, the general recommendation is to attempt access through a company-owned device. Some organizations, however, view this level of support as a value add and provide it to all users. For example, it may be viewed as a perk of the job if individuals can obtain technical support from company IT staff. Or in the case of higher education, service may be extended to include rebuilding student desktops. Point is, this needs to be a decision based upon business value, not a situation in which continued support is assumed simply because it was provided in tier one.

Tier 3: Problem Management

Though Tier 2 is provided through some companies as a value-add, Tier 3 should be viewed as support for company devices alone, as it is made up of top tier Subject Matter Experts whose time should be well managed and dedicated to providing the most business value. One exception to this is Problem Management. For example, an issue limited to one user’s inability to connect to Citrix from a personal device should never be escalated to Tier 3 but if 100 users lose access, Tier 3 should be tapped to investigate, as an issue so widespread is likely to be escalated to Problem Management, thus meriting Tier 3’s expertise.

Security Incidents: Level of Exposure

One hugely important piece of BYOD support structures is determining how compromised personal devices will be handled. If users are permitted to access and store sensitive company information in their personal devices, provisions necessary for analysis and forensics of these devices should they be compromised must be included. This is another type of support that can easily be provided for company resources, but less so for personal devices. I recommend working with your organization’s legal department to incorporate appropriate language around potential breaches into company policy. Additionally, response procedures should be developed up front, not after a potential breach has occurred.

The very nature of BYOE suggests its constantly evolving nature. Management of these policies will require diligent monitoring and occasional adjustment, but robust, definitive policy and support levels can make the process much less painful.

Looking for a deeper dive?
Andy takes on the details in this webinar.


Originally published March 03 2015, updated December 12 2019