Q&A: Mobile device management and the give-and-take of BYOD
Sales representatives for Universal Melody Services in Texas, like sales reps everywhere, started using their personal iPhones for work a while back without consulting the IT department. That didn't worry the company's CTO and IT manager, Kevin Martin. It didn't worry him, that is, until one rep left the company unceremoniously, taking with him his iPhone and the sensitive company information it held.
With three stores in Dallas, three stores in Houston and an online business, Universal Melody outfits many of the school bands across Texas with their musical instruments. To protect competitive data from falling into the wrong hands via employee-owned devices, Martin recently implemented a mobile device management solution that allows him to lock devices, wipe content and issue other commands via his Active Directory infrastructure. In an interview with FierceCIO, he explained his approach to BYOD and why he opted for one of the many "good, free solutions out there" when it comes to mobile device management.
FierceCIO: Tell us about the day you realized you needed mobile device management.
Kevin Martin: It had come to my attention that there were users on the network who had iPhones and such, and they were connecting to our corporate exchange without IT's permission or knowledge. That didn't raise a red flag with me until we had a user who was forced to leave the company. Since he had been in kind of a supervisory position, he had email on his phone. The store manager asked me if there was any way to login to the email account because he may have emails he needed to follow up on. We potentially had a situation where this guy, who was a sales guy, had pricing information on his email.
FCIO: Do you have a BYOD policy?
Martin: All of our people in the field bring their own devices. There are maybe 20 ad reps and sales reps in the field, and we're looking at close to 50 or 60 users. Before, there was a limited number of people who had access to email via their phones. Most of the time, they probably went to Web Outlook from a computer. Now, if employees want to have company email on their phones, we allow it.
FCIO: Do you support any BYOD phone?
Martin: It's mostly an iWorld. We do have a few people--maybe 10--who use Android phones.
FCIO: What are the main issues--security? compliance?--that you are trying to address with your mobile device management?
Martin: In Texas, we are the premier provider of musical instruments to school districts for rental, purchasing and repair. Some school districts purchase the instruments from us. In a lot of band programs, it's up to parents to fund the instruments, and we allow them to rent. People in the field may have price listings that our vice president may send them. That's not something we'd want to give to a competitor. We want to be in control of that. When an employee leaves the company, I issue a wipe command to their phone.
FCIO: Do you have a policy on segregating company data from personal data?
Martin: We tell employees to back up their stuff. If they want to enable their phones to receive email, there's a give and take. We had our legal department draw up a policy that states that if you are using your personal device for company use, the information on the phone is the company's. I will always try to remove the profile first, but if I feel there's foul play, I'll just go ahead and wipe the phone.
FCIO: How did you select the mobile device management solution you're using?
Martin: We first signed up for a beta test with Centrify, and it worked well. We're using Centrify's cloud-based mobile device management through Active Directory application. It allows me to get to the application from anywhere in the world. I can always login to the Centrify website and issue my commands from there.
FCIO: How hard was it to sell your senior executives on a mobile device management solution?
Martin: I'm using Centrify's free solution--it was a cost-effective option! The people up top said we don't want to spend money because it's not important enough to us. It's not important until something breaks, that is, and I don't want it to get to that point.
This solution is only partly free because you do have to install a server on your local area network that the cloud solution can talk to. I have a server in my facility that houses my Centrify information. There are tons of good, free solutions out there. If you like one facet of their product, they're certain you're going to pay for something else.
FCIO: Do you have any concerns about the performance or reliability of cloud-based services?
Martin: The redundancy is good with this cloud solution because you're running a server. If [the provider is] down, you can issue commands through Active Directory. I'm very comfortable with cloud solutions. You've got to do your homework though. Before I enter into any deal, I usually call the provider and talk to their tech support to get a feeling for what type of security they're running.