Interested in implementing a bring your own device (BYOD) program in your organization? We aren't surprised: you'd be joining the growing number of companies with a BYOD policy of some kind. BYOD has proven it is more than a passing trend. There are a number of reasons (as reported by Zippia) why these programs make sense:
- 75% of employees are already using their personal devices for work purposes
- Productivity increases by 34% once you add smartphones as a work device
- BYOD can save companies money — about $250 per employee with a BYOD plus stipend policy
Despite these benefits, there are a number of important considerations organizations have to grapple with when starting a BYOD program, such as:
- Protecting corporate data being accessed on non-corporate devices
- Balancing user privacy and data security
- Overcoming employee fear of surveillance and mistrust when their personal devices are managed
- Supporting a variety of device types
In other words, users want the convenience and familiarity of their own personal devices, without feeling like their IT department is watching their every move. For organizations, this makes securing their data more challenging — after all, if you don’t know what users are doing on their device, how do you know your data is in the proper hands?
Thankfully, there's no need to surveil your employees for the sake of security, and there is no shortage of guidance on how to overcome the challenges BYOD programs present. Let's get into it.
NIST guidelines for BYOD security
The U.S. National Institute of Standards and Technology (NIST) has long published a cybersecurity framework that countless organizations use to develop their cybersecurity policies. The framework lays out cybersecurity best practices, standards, guidelines and other resources. The second draft of NIST Special Publication 1800-22B, a collaboration between NIST and industry partners, dives into BYOD security specifically: it covers a reference architecture, a security and privacy analysis, worked examples and more.
This publication identifies six security and privacy goals organizations need to aim for when implementing a BYOD program:
- Separate organization and personal information
- Encrypt data in transit
- Identify vulnerable applications
- Prevent or detect malware
- Trusted device access
- Restrict information collection
Let’s take a look at each of these and talk about how Jamf and Apple can help your organization achieve these goals while maintaining a high standard of compliance and user privacy.
1. Separate organization and personal information
BYOD programs can blur the lines between personal and work devices. Organizational data is at risk as it travels outside internal networks and systems, while personal data is at risk if organizations capture data not needed for work purposes from employee devices. By restricting the flow of data between unmanaged personal apps and managed work apps, sensitive data can be kept in the right hands.
Employees gain access to corporate resources by enrolling their device in Jamf Pro through account-driven User Enrollment. The user signs in with their Managed Apple ID in Settings; the device's service discovery step then looks up the MDM server published for that account's domain and directs the user to the Jamf Pro enrollment portal, so the user never has to type a server address.
With User Enrollment on iPhone and iPad, work and personal data live apart: the apps, accounts and data tied to the Managed Apple ID are kept on a separate, cryptographically separated volume, and only that managed portion is subject to management and inventory. Personal data stays personal while company data is restricted to approved managed apps and secured communication channels. IT cannot see personal information, usage data or logs, take over management of a personal app, access device location or remove any personal data.
Related reading: Account-driven User Enrollment + Service Discovery
2. Encrypt data in transit
Since BYOD devices are used outside the workplace, they often connect to untrusted networks, putting corporate data at risk. Organizations can mitigate this risk by requiring a VPN or similar connection that encrypts all work data before it leaves the device.
Jamf Connect and Jamf Protect combine to provide Zero Trust Network Access (ZTNA). ZTNA secures data in transit with dynamically created microtunnels unique to each app, segmenting traffic after user identity and device health have been verified. Unlike a traditional VPN, ZTNA does not give a device access to the whole company network after a single login: access is granted app by app, so only work apps traverse company networks while personal traffic is routed directly to the internet. Work apps should still use TLS end to end; the tunnel adds an identity and device-posture gate in front of internal services, it does not replace application-layer encryption.
Related reading: No trust assumed: strengthen cybersecurity with ZTNA
3. Identify vulnerable applications
Employees have free rein to install whatever apps they want on their personal devices, including apps with known security vulnerabilities. Organizations should separate work data from personal data on the device so that a compromised personal app cannot affect work apps, and work apps should always be patched to the latest version. Up-to-date work apps plus the separation of work and personal data insulate company data from vulnerabilities elsewhere on the user's device.
As mentioned above, Jamf Pro can neither see nor delete personal apps on an employee's device. It can, however, keep work apps updated and require that they connect only over secured channels. If a vulnerability is detected in a work app, Jamf can suspend that app's access until it is patched or removed.
Related reading: A holistic approach to security: app management
4. Prevent or detect malware
On personally owned devices, employees can install apps from third-party stores, increasing the chance of installing malware. Organizations can deploy malware protection within the work profile or managed applications to identify and remediate malicious software on the device, and can require an OS version whose built-in protections help prevent or detect the installation of malware.
Apple's security and privacy frameworks provide baseline protection on every device. For example, because iOS apps are sandboxed, a compromised app has far less opportunity to read other apps' data. Jamf products build on this native security and give organizations the tools they need to implement their own measures. The Jamf Trust app can be installed on BYOD devices and notifies users when the device is running an operating system that is missing the latest security patches.
Related reading: Apple Device Security for Beginners
5. Trusted device access
With the growth of remote work, BYOD devices connect to corporate resources from beyond the network perimeter, over unknown networks and from unknown locations. Organizations need a way to strictly identify and authenticate both the devices and the users that enroll in MDM. After the device identity is confirmed, the user establishes their identity with credentials and MFA, so only verified devices and verified users reach company resources.
Beyond its support for User Enrollment, Jamf uses Apple's Declarative Device Management to verify the integrity of each enrollment and receive real-time status reports on OS version and security patch level. With ZTNA, Jamf Connect verifies the user's identity while Jamf Protect checks that the device is healthy, and access is granted only when both hold.
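As an added illustration (not code from Jamf, Apple or NIST), the following Python models the access decision that sections 2 and 5 describe: the user's identity is checked (an MFA-backed, unexpired session), the device's health is checked (enrolled, minimum OS version, no malware finding), and routing is decided per app, so only a work app reaching one of its own internal hosts gets a microtunnel while everything else goes straight to the internet. A device-wide legacy VPN decision is included for contrast. The app identifiers, host names, OS threshold, sessions and devices are all constructed for the example.

```python
"""ZTNA-style per-app access decision for a BYOD device (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed per-app policy: a work app may reach only its own internal
# hosts through a microtunnel. Bundle IDs not listed are personal apps.
WORK_APPS = {
    "com.example.mail": {"mail.internal.example.com"},
    "com.example.wiki": {"wiki.internal.example.com"},
}
MIN_OS = (17, 4)  # constructed "patched" threshold used for device health


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool
    expires_at: datetime


@dataclass(frozen=True)
class Device:
    enrolled: bool          # enrolled via User Enrollment
    os_version: str
    malware_detected: bool  # finding reported by endpoint protection


@dataclass(frozen=True)
class Decision:
    route: str   # "tunnel" (company network), "direct" (internet) or "deny"
    reason: str


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def identity_problem(session, now):
    """Return None when the user identity is acceptable, else the reason."""
    if session is None:
        return "no authenticated session"
    if not session.mfa_verified:
        return "MFA not completed"
    if now >= session.expires_at:
        return "session expired; re-authentication required"
    return None


def device_problem(device):
    """Return None when the device is healthy, else the reason."""
    if not device.enrolled:
        return "device not enrolled in MDM"
    if parse_version(device.os_version) < MIN_OS:
        return f"OS {device.os_version} is below the required {'.'.join(map(str, MIN_OS))}"
    if device.malware_detected:
        return "endpoint protection reports malware"
    return None


def ztna_decide(app_id, host, session, device, now):
    """Per-app decision: tunnel only a work app's traffic to its own hosts."""
    if app_id not in WORK_APPS:
        return Decision("direct", "personal app; traffic never enters the company network")
    if host not in WORK_APPS[app_id]:
        # Segmentation: no tunnel to hosts outside this app's resource set,
        # so one compromised work app cannot pivot to another app's backend.
        return Decision("direct", f"{host} is not a resource of {app_id}; no tunnel")
    for problem in (identity_problem(session, now), device_problem(device)):
        if problem:
            return Decision("deny", problem)
    return Decision("tunnel", f"{session.user} verified on a healthy device; microtunnel to {host}")


def legacy_vpn_decide(app_id, host, session, device, now):
    """Traditional VPN for contrast: one login puts the whole device on the network."""
    problem = identity_problem(session, now)
    if problem:
        return Decision("deny", problem)
    return Decision("tunnel", "device-wide VPN; every app reaches every host")


# Constructed sample inputs.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
GOOD_SESSION = Session("alice", True, NOW + timedelta(hours=8))
NO_MFA_SESSION = Session("alice", False, NOW + timedelta(hours=8))
HEALTHY = Device(True, "17.5.1", False)
UNPATCHED = Device(True, "16.7.8", False)

SCENARIOS = [
    ("mail app to its own host", "com.example.mail", "mail.internal.example.com", GOOD_SESSION, HEALTHY),
    ("mail app to wiki host", "com.example.mail", "wiki.internal.example.com", GOOD_SESSION, HEALTHY),
    ("personal game to internal host", "com.example.game", "wiki.internal.example.com", GOOD_SESSION, HEALTHY),
    ("work app without MFA", "com.example.wiki", "wiki.internal.example.com", NO_MFA_SESSION, HEALTHY),
    ("work app on unpatched OS", "com.example.wiki", "wiki.internal.example.com", GOOD_SESSION, UNPATCHED),
]


def run_scenarios():
    """Return {label: (ztna_route, legacy_vpn_route)} for the constructed scenarios."""
    return {
        label: (ztna_decide(app, host, s, d, NOW).route, legacy_vpn_decide(app, host, s, d, NOW).route)
        for label, app, host, s, d in SCENARIOS
    }


if __name__ == "__main__":
    for label, (ztna, legacy) in run_scenarios().items():
        print(f"{label:32} ztna={ztna:7} legacy_vpn={legacy}")
```

The contrast is the point: the legacy decision tunnels the personal game and the unpatched device alike once the user has logged in, while the per-app decision routes personal traffic direct, refuses a tunnel to hosts outside the app's own resource set, and denies a work app when either the identity or the device check fails.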
Related reading: Declarative Device Management
6. Restrict information collection
Depending on how BYOD devices are enrolled, an MDM solution may collect more than the necessary application inventory and device information, including location data such as physical and IP addresses, geographic coordinates, SSID, serial number and phone number. This information can reveal private details about an employee. MDM solutions should use privacy-preserving BYOD frameworks that are designed around user privacy, rather than simply turning off features or ignoring certain data after collecting it.
BYOD devices enrolled in Jamf have distinct work and personal containers, and data stays in its container. User privacy is paramount at Jamf: personal user data is never collected, and a User Enrollment is identified by a per-enrollment identifier rather than by the device's serial number or UDID. Corporate IT cannot:
- Seeing personal information, usage data or logs
- Accessing inventory of personal apps
- Removing any personal data
- Taking over management of a personal app
- Requiring a complex passcode or password
- Accessing device location or unique device identifiers
- Remotely wiping the entire device
- Managing Activation Lock
- Accessing roaming status
- Enabling Lost Mode
Related reading: Misconceptions about mobile BYOD
Key takeaways
- Employees already use their personal devices for work; a good BYOD policy can improve your security posture
- BYOD programs require a balance of security and user privacy to be successful
- A well-implemented BYOD program requires employee trust, which in turn requires user privacy protection
- With Jamf, IT maintains full control over work data without access to any of the user's personal information
Secure. Private. Discover Jamf BYOD. Find out more in Mobile BYOD with Jamf and Apple.