Who Should Own Your Smartphone?

snydeq writes "The great corporate barrier against employees using personal smartphones in business contexts has been breached, writes InfoWorld's Galen Gruman. According to a recent report from Forrester Research, half of the smartphones in use among US and Canadian businesses are not company-issued equipment. In fact, some organizations are even subsidizing employees' service plans as an easy way to avoid the procurement and management headaches of an increasingly standard piece of work equipment. Gruman discusses the pros and cons of going with a subsidized, employee-owned smartphone plan, which is part of a larger trend that sees IT loosening its grip on 'dual-use' devices, including laptops and PCs."

It can be a blurry line

[levell]

Even though I own my own smartphone, where I work (a very large IT company) there is an increasingly lengthy list of requirements and checks for any device connected to the corporate network.

I value my choice and don't want my employer to get me a phone but if I use it for work it is an increasing amount of hassle

Re:It can be a blurry line

[iamhigh]

As far as "connecting" to the network, I have no issue with what you use, assuming it isn't a device made for malevolence. However, when you come running into my office at 4:56 wanting help with your $latest_awesome_phone, that I know nothing about, then I start to wonder if letting you use your home device for work was a good idea. Or when you want me to enable IMAP because that's all that a single employee's phone supports (and we use Exchange/MAPI like most similar companies), then again, I wonder why we let people use personal devices.

But it is great to think of dumping all the procurement/management onto the end user...

Re:It can be a blurry line

[j-turkey]

Even though I own my own smartphone, ...where I work (a very large IT company) there is an increasingly lengthy list of requirements and checks for any device connected to the corporate network...

This is the big issue with ownership & management - requirements for devices to utilize company resources (and whether or not the device needs to utilize company network resources). If the device will connect to the company network, the IT department has a very good case for managing (and/or owning) the device. It really comes down to network security, and disallowing rogue devices from connecting to the network. In a large company with many IT resources (and many to protect), it's far easier to say that the company owns and manages the device. In a small or mid-sized company, where there is less IT infrastructure to protect, or less need to weigh security against usability/ease-of-management, there is a better case to be made for user owned and managed devices.

Re:It can be a blurry line

[ducomputergeek]

Granted, we're a smaller company, but we've taken the opposite approach. In the office, you either have a Mac Mini or an iMac. But when people are hired, we pay them a $3,500 signing bonus with the expectation that it is to buy a new laptop of their choice. Overwhelmingly they buy MacBook Pro's and add XP or Windows 7 with VMware/Parallels and we add $45 to the first paycheck of the month to cover data plans and "business" minutes/texts on their cell phones.

We find that they usually take much better care of the laptops when it's "their" laptop and it beats having to carry two cell phones.

Re:It can be a blurry line

[beelsebob]

Or when you want me to enable IMAP because that's all that a single employee's phone supports (and we use Exchange/MAPI like most similar companies), then again, I wonder why we let people use personal devices.

You know, because ticking a single box to enable IMAP is hard. And because you wouldn't want to allow pretty much every device under the sun, rather than a few in the exclusive have-paid-microsoft/are-microsoft club to connect.

Re:It can be a blurry line

[Runaway1956]

Well - under these conditions, it becomes your responsibility to educate the poor fool. Really, you MUST launch into a tirade/lecture, informing him that impulsive buying, without even researching what the hell he needs or wants is the sign of a seriously diseased mind, and that his status as an employee is in jeopardy. Offer to help him, and when he agrees, reach into your desk for the 3 pound hammer, smash the damned phone, and tell him that it just your little secret - you won't tell management that he's a senile moron who is losing his tenuous grip on reality.

At this point, you inform him of the half dozen best choices for a personal phone, and usher him out of your office/cubicle/dungeon.

Re:It can be a blurry line

[beelsebob]

Sorry, to self reply, but I realise that the point I'm making here is rather cryptic. Your job as a sysadmin is to make sure that people can do their job in as straightforward a way possible, that means that you should be bending for your users. If your users want to use something you don't yet support, it's your job to figure out how to support it.

I appreciate that there are times where you get a higher payoff by saying "fuck that one guy with the weird kit, we'll get more by giving benefit to those 100 guys over there instead", but not ticking the IMAP box is not one of those times. By ticking the IMAP box you get to let everyone work how they want, and lose nothing.

Re:It can be a blurry line

[Red+Flayer]

That's absolutely ridiculous, you must be crazy.

Offer to help him, and when he agrees, reach into your desk for the 3 pound hammer, smash the damned phone, and tell him that it just your little secret - you won't tell management that he's a senile moron who is losing his tenuous grip on reality.

Who amongst the horde of slashdotters can lift a 3-lb hammer, let alone use it to smash something?

Re:It can be a blurry line

[lukas84]

EAS supports the enforcement of policies (device MUST have password, device MUST be encrypted). IMAP does not.

Also, many phones do not support IMAP/TLS, but support EAS over HTTPS. Using unencrypted IMAP for your corporate mail seems like a very bad idea, no matter how you put it.

Re:It can be a blurry line

Your job as a sysadmin is to make sure that people can do their job in as straightforward a way possible, that means that you should be bending for your users. If your users want to use something you don't yet support, it's your job to figure out how to support it.

Provided that it fits into the existing security framework & other policies for auditing, yes.

We don't allow IMAP/POP connections either. In our company, if you're allowed remote access to email, you have an RSA token for outlook web access, a blackberry, or a company-owned laptop with vpn access.

Allowing arbitrary IMAP connections makes brute-forcing/denial-of-service possible, and makes it easy to transfer large amounts of email to non-company owned devices (with unknown security).

Not everyone cares about this sort of thing, but some of have to.

Re:It can be a blurry line

[Thinboy00]

I don't know what GP was thinking... BOFH-tactics usually involve electricity and/or Halon.

Re:It can be a blurry line

[h4rr4r]

enable IMAP because that's all that a single employee's phone supports (and we use Exchange/MAPI like most similar companies),

Sounds like you are the problem. That is not a standard documented protocol.

Re:It can be a blurry line

"If your users want to use something you don't yet support, it's your job to figure out how to support it."

WRONG. It is the job of IT to help the business make money. If the cost of supproring a SINGLE user getting their toy working exceeds the benefit to the business of getting said toy to work, then it is the rational decision to say no.

And you might think that. Just tick the IMAP box. Except then you suddenly need to pay attention to any announced vunerablities in the IMAP service. You might suddenly have passwords going clear-text across the internet. And your phone might not support the SSL versions of IMAP. And supporting SSL IMAP might mean servers that didn't previously have to be set up SSL (with certificates) now need to. Never mind opening the firewall ports up. And the whole extra service to remember to configure and maintain next time there's a server upgrade. Another thing to document - the cost is far more than just 'tick a box'.

Never mind that chances are your toy phone doesn't support it. And if there's an issue with your phone sending email, who are you going to blame? Yourself, or the IT Dept?

See, what you also don't realise is that people want the IT dept to support *their phone* and tell them how to set it up on their phone. This means that IT, instead of having to know everything about phones they support, have to know everything about every phone their employees might potentially buy. YOU might be able to self-support, but most employees simply can't.

Bitter? Perhaps. But supporting single user flights of fancy is not necessarially rational. You don't know the aggregate load that all these litte features palce on people.

Re:It can be a blurry line

I'll let the 'environment control me' when I get a budget large enough to take on whatever the end-users can throw at me. Until that unlikely day occurs I will continue to control my environment, extending it as much as my budget allows. To do anything else is fiscally irresponsible and simply bad for business regardless of what you think.

Re:It can be a blurry line

[Imagix]

I can't agree with you. IT's job is to keep the network and devices running. Not to be jerked around by the latest whims of the users. IT has responsibilities beyond making the users happy. If that can be accomplished while continuing to ensure the safety and security of the network, fine. But dropping a random device into the network is irresponsible. And unencrypted IMAP may not be acceptable use to some companies. So it's more than "just ticking a checkbox".

Re:It can be a blurry line

[fedcb22]

Name a phone that supports EAS over HTTPS but not IMAP/TLS.

Re:It can be a blurry line

[costing]

Oh, but then what does the mighty IT department do? Actually many devices support the Exchange-only servers, but enabling IMAP+SSL would probably cover all devices currently on the market (even my 2y old HTCs). And it's not a single user usually, once enable many could profit. And updates come automatically these days. So, dear admins, do the magic of checking the box and then you can get back to reading /.

Re:It can be a blurry line

[BrokenHalo]

Provided that it fits into the existing security framework & other policies for auditing, yes.

On the other hand, if you own your own phone, you get to decide how you use it. You are not obliged to answer it at any time of the day or night on the PHB's whim, and you are not subject to corporate restrictions on what you use the bandwidth for.

Some people find it necessary to carry their work around like a parasite on their backs, but IMO life is better when I can leave work on my desk and come back to it when I'm ready.

I prefer complete independence, thanks

[elrous0]

The personal phone I carry is none of my IT department's business, and I like it that way--thank you very much. I don't want to EVER get into a situation where my workplace has a legal case for subpoenaing my personal phone.

Re:I prefer complete independence, thanks

[nurb432]

Sadly, if they subsidize your phone, they may actually incur legal liabilities of your actions.. For both parties it should be 100% separate. Just makes business ( and personal ) sense.

Re:I prefer complete independence, thanks

[L3370]

You have no idea how many people are completely willing to do what you want to avoid.

We have a ton of people with their own blackberries signing up. They all are informed several times by us that their phone is open for legal discovery and a possible remote wipe if needed.

As the IT person, I DON'T use my personal phone. And I'd rather not. I don't understand why my company is ok with the use of personal phones...it just seems like so much unecessary liability and extra work. Personal devices aren't just a security risk, its an administration nightmare. Try providing technical support or troubleshooting a single error for 15 different platforms. It sucks. And it eats up time.

Re:I prefer complete independence, thanks

[nahdude812]

I'm with you. So far I've never had a job where I was asked to carry a smartphone as part of my job, and I'm glad for that (I wouldn't say no, but I wouldn't like the idea).

If I ever was asked to carry a smartphone attached to my corporate email, I'd at least think about using my own device so I don't have to carry two. I definitely don't want to do my personal business on the company-owned device, so I'd want my own, but depending on what degree I'd be able to keep my work and personal stuff separate on my personal phone, it might be a better option than two-fisting it. But if they were going to try to claim any access to my phone at all, the deal would instantly be off, and I'll dual-wield, thank you.

Re:I prefer complete independence, thanks

[bigstrat2003]

Personally, I'm not so concerned about the "company could assert some ownership over my device" angle, so much as the "I'm not on call so my Blackberry is at home, good luck reaching me" angle. I try to keep work out of my personal life as much as possible, no way in hell am I going to get work mail on my personal smartphone.

Depends on usage

[syousef]

I would always want my own unrestricted phone under my own control. If, as the case is now, that phone gets light-moderate work related use, that's fine since it beats the other option of having 2 phones. Also, if I drop or break it, there's no drama (apart from having to replace it). Now if I was using the phone for hours each day, I'd be wanting a separate work phone.

Re:Depends on usage

[Platinumrat]

Funny you say your boss can call you on your personal phone in an emergency. In Australia (state of Victoria), privacy laws prevent your boss from doing just that. The HR department is obligated to maintain your personal details, but not to give it to your boss/manager. There might be exceptions for life'n'death situations, but then the HR or safety representative would still do the contacting, not your boss. Having said that, there's nothing stopping said manager from using the White Pages to find your details, however, I'd pretty much be pissed off if that happened. That's why I don't give my personal numbers to my manager. I have a company phone, but only for use while on company business.

Re:Depends on usage

[syousef]

I find it much more convenient to maintain a single phone. I accept that my boss can then call me on it. If I objected to that yes I'd get a company phone, and keep my private number unlisted. But support is part of my job and I'm happy to help in a genuine emergency providing that it isn't abused. So far I've only received one unexpected call when I wasn't on support for the night in 5 years at my current job.

After some consideration...

[geminidomino]

I'm going to have to go with "Me", Regis.

I have no problem using or not using it for work. If they want something specific, they can feel free to shell for it.

Security and restrictions

[Enderandrew]

Do you care about securing smartphones, laptops, etc? Do you want to reserve the right to restrict their use?

If they can access and store company information, introduce infections into company systems, or pull customer information, then maybe you should reconsider the cost-saving approach.

Another Reason to Love My Employer

[CrankyFool]

The rule where I work (Netflix) is simple:

1. We give you a Blackberry or an iPhone (you pick)
2. We pay for the plan
3. You use it responsibly
4. You figure out what "responsibly" means.
5. There is no Rule 5

Been there, done that

[ATestR]

I worked for a year and a half (not in the IT industry) in a position where I had to carry a company phone... and I also carried my own phone, because the company phone was strictly business. It is a hassle having to juggle two pieces of gear, especially since the job did not involve sitting at a desk.

That said, I'm all in favor of using my own phone for company business, as long as it doesn't burn through my minutes. Since my current job does involve a desk and a land line, that isn't really an issue.

Call Forwarding

[zero0ne]

Current setup:

Work phone is a crappy blackberry pearl (the "keyboard" on it sucks).

Personal phone is a HTC Hero.

I simply have the blackberry forward all calls to my personal cell phone. This way if I ever leave the company, the HTC is still mine, if they need the work phone back because they are investigating something, I simply remove the call forwarding setup and give it back to them.

Only downside is if you miss a call that was forwarded to you, when you call back they get to see your personal cell phone number. This could be avoided by instead having the work phone forward to a google voice account #, and then on the personal phone, just use google voice to return calls.

Still not protected.

[gillbates]

Anything of yours can be subpoenaed in a lawsuit. Northwest Airlines subpoenaed the *personal* computers of their employees when they suspected their employees were getting too uppity^H^H^H^H^H^H, I mean, striking by calling in sick.

It hardly matters if you use encryption, etc... the legal discovery process can violate whatever privacy you thought you had. It only takes a credible allegation of wrongdoing - not even "beyond a reasonable doubt" - to discover all of your personal files, etc... and, because only money is involved, the plaintiff needs only show guilt by a "preponderance of the evidence", or more succinctly, that it is likely that you did it. If you think you can get smart by encrypting your files, it's likely you'll be held in contempt of court, and have a summary judgment entered against you.

The only thing paying for the hardware means is that you'll eventually get it back, usually.