How Microsoft Handles BYOD
While BYOD still worries infosec pros, vendors like Microsoft are easing concerns by offering authentication and management capabilities.
The "Bring Your Own Device" (BYOD) phenomenon has picked up quite a bit of steam over the last year, matching the uptick in tablet ownership and usage patterns. Tablets have graduated from personal content consumption devices into full-blown productivity tools. With the release of Microsoft Office on the iPad came another influx of users wanting to do real work on their personally owned devices.
Most IT organizations have traditionally been opposed to employees attaching their personal devices to the corporate network for security reasons. The primary reason given concerns the unmanaged condition of these devices and the possibility of introducing a virus that could cripple the entire company. Microsoft offers a number of solutions to protect against this type of threat and to make it easy to incorporate the most popular devices.
Mitigating Network Risks
One of the primary use cases for accessing the corporate network is creating and viewing content, primarily with Microsoft Office applications such as Word, Excel and PowerPoint. This typically requires that a computer or laptop be joined to the corporate domain to gain access to file shares and internal network resources. Closely related to the use of Microsoft Office is Microsoft SharePoint for collaboration and document management.
Workplace Join is a capability included in Windows Server 2012 R2 which enables any number of different devices to join a domain in much the same way you would with a typical Windows computer. Microsoft's walkthrough guide shows the steps required to join an iOS device to a corporate network with the proper Active Directory Federation Services (AD FS) configuration. Once joined to the domain, you'll have access to internal websites and other corporate resources.
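As an added illustration, not from the article or Microsoft's walkthrough: the AD FS side of enabling Workplace Join with PowerShell on Windows Server 2012 R2, followed by an issuance authorization rule that lets a relying party admit only registered devices. The domain, service account and relying party names are placeholders.

```powershell
# Added example: AD FS Device Registration Service (Workplace Join) setup on
# Windows Server 2012 R2. CONTOSO, adfs-svc$ and "Internal SharePoint" are placeholders.

# 1. Prepare Active Directory for device registration, using the AD FS service account.
#    Run once per forest with enterprise administrator rights.
Initialize-ADDeviceRegistration -ServiceAccountName "CONTOSO\adfs-svc$"

# 2. Turn on the Device Registration endpoint in AD FS.
Enable-AdfsDeviceRegistration

# 3. Allow AD FS to authenticate devices with the certificate issued at join time.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 4. Restrict a relying party to workplace-joined devices: permit only when the
#    device context claim says the signed-in user registered this device.
$rule = @'
@RuleName = "Permit only workplace-joined devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Internal SharePoint" -IssuanceAuthorizationRules $rule

# 5. Review the resulting DRS configuration. Clients locate the service at
#    enterpriseregistration.<UPN suffix>, so that name needs a DNS CNAME to the
#    federation service before the iOS walkthrough steps will succeed.
Get-AdfsDeviceRegistration
```

Devices that are not workplace-joined will then be refused at the federation service for that relying party, which is the enforcement point the article's "lower level of access" option depends on.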
If you have a Samsung mobile device which supports the KNOX standard, you have the ability to complete a Workplace Join to Active Directory and Windows Intune for management. The Samsung KNOX platform provides a virtualized container or workspace where all corporate data can be kept separate and secure from personal data. The list of supported devices includes the popular S3, S4, S5 and Note 3 phones, plus tablets running Jelly Bean 4.3.
Windows Intune is Microsoft's cloud-based device management offering. It's also a part of a new offering called the Enterprise Mobility Suite, which includes Azure Active Directory Premium and Azure Rights Management Services. Individual devices must be enrolled in order to fully enable them for management. This process can be completed in a self-service manner if the management portal is configured beforehand. You also must identify device owners as managed users prior to device enrollment.
Managing iOS devices will require obtaining an Apple Push Notification (APN) certificate. Once obtained, it must be made available to Windows Intune through the management portal. You will need an Apple ID associated with a corporate email account accessible by the IT management staff as opposed to a single individual. Once in place, you should be able to self-enroll any iOS device.
Another option for managing mobile devices involves using System Center 2012 Configuration Manager (SCCM). A Windows Intune subscription is still required, and you must connect your SCCM to that subscription. Once that's done, you'll be able to manage mobile devices: retire and wipe a device, configure compliance settings such as passwords, security, roaming, encryption and wireless communication, and use a range of application management functions.
Designing a BYOD Strategy
Microsoft offers a number of resources to help you create an infrastructure that will securely support a BYOD strategy. It's important to identify the types of resources to which you wish to give access and the management approach for each device. For the greatest amount of control, you'll need to install a management agent on each device. This will provide the most security and the ability to deploy apps and remotely wipe a device in the case of loss.
Some users will not want a management agent installed on their device and must accept either a lower level of access or additional authentication requirements. Microsoft has a number of options for two-factor authentication, including an automated call-back service. This provides an additional level of security, which should help ease the concerns of even the most risk-averse IT administrators.
Bottom Line on BYOD
Allowing personal devices to access resources inside the corporate firewall provides a number of advantages if you can do it securely. It makes it possible for employees to use the devices they prefer and to be productive more of the time.
At the same time, it calls for new policies and procedures to make the ground rules clear. Good tools can make a difference in protecting the corporate network, but there's no substitute for good information assurance (IA) training and awareness on the part of employees. Don't forget the human aspect when putting any new capabilities in place.
Paul Ferrill has been writing in the IT trade press for over 25 years. He's written hundreds of articles for publications like Datamation, Federal Computer Week, InfoWorld, Network Computing, Network World and PC Magazine and is the author of two books. He is a regular contributor to ServerWatch.com and several other QuinStreet Enterprise properties.