Mac BYOD

bazcurtis
New Contributor III

Hi,

We have been asked to look at the possibility of supporting Mac Bring Your Own Devices. Phones are easy enough, but how are people supporting Mac Bring Your Own Device?

Most users will have admin rights on their own account. What stops them installing software or changing settings when it is a Bring Your Own Device on our network?

Best wishes

Michael


emily
Valued Contributor III

We have a BYOD network set up just for this situation. It does not have access to the local network, just the internet. They can have whatever they want on their phone or laptop, but they can't access the internal network or access any company resources. It can simply go online, just like working at a coffee shop. It's really just meant for employees to have mobile access to their email.

rtrouton
Release Candidate Programs Tester

Nothing stops them, it's their device. What I'd recommend here is setting up a WiFi network specifically for your BYOD folks and then set whatever restrictions / monitoring are needed in that network.

A good rule of thumb is to treat BYOD machines like you would an employee's personally owned home machine.

mm2270
Legendary Contributor III

We have a large base of BYOD Macs here. We don't manage them… at all. Other than supplying them with a pkg to install our company internal Wi-Fi profile so they can connect. My advice is don't manage them. While that might not be what you, or management, would like to hear, it's the most sound advice I think anyone can offer. As soon as you start restricting, locking down, etc. on their personally owned device, you tread into murky legal waters. Ownership trumps most things, so I advise not to do too much to control their device. While many users may be OK with some areas being locked down, it only takes one squeaky wheel to upset everything.

Something we do here is tell BYOD Mac users that they are basically on their own as far as support goes. IT techs are instructed to offer best effort initially, but as soon as something goes beyond simple fixes, we direct them to an online company Mac community for support - users helping users essentially. We really can't be responsible for support since every BYO Mac is going to be set up in an unpredictable way. This makes standardized support much more challenging and would eat up many techs' hours trying to troubleshoot someone's Mac that they've customized to the nines. They understand this is a trade-off to not having a company issued Mac that may have restrictions in place.

HTH.

sassywookie
New Contributor II

Hi @mm2270 you mentioned you give them a pkg for wifi profile and nothing else. Is this done through JAMF or how do you get the PKG to unmanaged devices?

alexjdale
Valued Contributor III

My first question would be: why BYOD? Is it being pursued because it's a hot IT industry buzzword, or is there an actual problem to be solved or a need to be addressed? From there, you can think about whether or not BYOD is the right solution.

It's been on our IT roadmap for years now, but we have heavy compliance requirements and to us, BYOD basically means converting a personal device to a corporate-managed device. Users don't want that: they would have the benefits of a corporate device, but with restrictions on personal use and without the same level of support. This doesn't really benefit anyone.

Personally, I would look at the driver for BYOD and decide if BYOD is the best approach.

JPDyson
Valued Contributor

I would recommend putting aside the relative merits of a BYOD environment for this discussion; the simple fact of the matter is that the admin/engineer may have little to no input into the decision to head down this path. It may very well be a top-down, business decision.

However, that does raise a question: Are there any specific requirements set before you? What MUST you deliver to a BYOD Mac? I mean more specifically than email, do they get webmail only or a native client? Are you providing them with a license for something if they don't have it, like Office for Mac? Are you going to require a certain level of client "fitness"? Do they have to have up-to-date anti-virus? OS patches? You'll want some requirements before you start trying to build anything, otherwise you're just shooting blind at a moving target. That would suck.

In broad strokes, I'd probably shoot for a self-service, user-driven approach to providing software and configurations. Enroll the Macs, group them off, and scope some BYOD-specific policies to just those devices (something for network access, installers for apps you plan to provide, some handy links as SS plugins). You'll also have to work out how you exclude them from policies that only make sense for company-owned Macs.

mm2270
Legendary Contributor III
You'll also have to work out how you exclude them from policies that only make sense for company-owned Macs.

I was thinking about that as well. JSS version 9 of course makes it easier to add "exclusions" to policies. You could drop some kind of identifier either on your company owned Macs, OR on the BYOD ones. Basically something that will distinguish one from the other that can get picked up by an Extension Attribute. Then make a Smart Group or groups based on that information for exclusion.

If you're still on version 8.x of Casper, this is going to be a huge pain, since you'd have to add some additional criteria to every Smart Group scoped to settings or policies that would try to exclude those Macs.
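The "identifier picked up by an Extension Attribute" approach described above, as an added example that is not from the thread or from Jamf: a shell Extension Attribute script that reports whether a marker file is present on the Mac. The marker path, the attribute name and the `BYOD`/`Corporate` values are assumptions chosen for this illustration; the only Jamf-specific convention used is that the value between `<result>` and `</result>` becomes the attribute's value in inventory.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf Extension Attribute script that
# classifies a Mac as BYOD or corporate based on a marker file dropped by a
# package or policy. The path is a hypothetical organisation-specific location.
MARKER="${BYOD_MARKER:-/Library/Application Support/ExampleOrg/byod-marker}"

# classify_device PATH
# Prints "BYOD" when the marker file exists at PATH, "Corporate" otherwise.
# A plain file check is used so the result is deterministic and cheap to run
# at every inventory update.
classify_device() {
    if [ -f "$1" ]; then
        echo "BYOD"
    else
        echo "Corporate"
    fi
}

# Jamf reads only the text inside <result></result> as the attribute value;
# everything else on stdout is ignored, so keep the wrapper on one line.
echo "<result>$(classify_device "$MARKER")</result>"
```

Once the attribute is populated, a Smart Group with the criterion "BYOD Status is BYOD" (attribute name assumed) gives you a single group to use in the exclusions of any policy or profile that should only touch company-owned Macs. Note the marker proves only that the file exists; a local admin on a BYOD Mac can create or delete it, so treat the grouping as a convenience for scoping, not as a trust boundary.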

clifhirtle
Contributor II

The common thread I think we would all agree with is that communication with your folks is key. In our case, the majority of our managed Macs are BYOD so it has been a support reality from day one. Moreover, these are VIPs, so non-support is not an option. As such, we approach the BYODs by trying to offer support in familiar thick or thin varieties to ensure as close to a "no compromise" choice as possible. Color me one of the few that do not view BYOD as a passing fad.

Thin (recommended)
Direct folks to remote Citrix apps, eliminating VPN concerns, same experience on Windows/Mac/tablet. Loved by IT for all the usual centralized/standardized reasons, but often not an option for our traveling jet-setters who need access to email on the go.

Thick
Mirror as closely as possible a fully-managed Mac, informing folks that the cost of local email/Office/etc. is an AD-bound, fully encrypted, patch-managed machine. All our Macs are named by asset tag; BYOD Macs (instead) are given a BYOD designation in the appropriate JSS field, then filed into a BYOD Smart Group. That BYOD group can then be used to scope (or de-scope) any given Casper policy, MCX, or Configuration Profile as needed. Again, differences are minimal, though I do split MCX up into core security settings and company settings, such that I can stack core+company on company owned assets, just core on BYOD.

How the BYOD Mac comes to us really defines how we approach the "imaging" of the Mac:

1) Many arrive direct from the local Apple Store, nearly still in packaging plastic. That makes it easy to simply pull out of the box and deploy an image-less Casper Admin configuration that includes just our standard Microsoft/security/settings layer, keeping the as-shipped OS. This is basically the "zero-imaging" approach advocated by Greg Neagle and others.

2) If owned/used previously, with accounts, etc., we ensure it matches up within basic hardware lifecycle, indicate that folks must back up/remove any data they have on it, and wipe/reimage the machine. As indicated by others, that may sometimes be a deal breaker, but is often not. Most folks can understand the idea of a sound basement (secured OS) in support of a livable house (working Mac).

bazcurtis
New Contributor III

Thanks for a great discussion. We already have a guest network, but the issue really comes from users just plugging their machine into the network and working. We are looking into a way to force these machines onto a guest wired network.

Full time staff aren't so much the issue, it is the freelancers that are with us for a short period of time. They come in and just want to "get on with it."

I am sure Bring Your Own Device is here to stay, especially as some departments still use PCs and users would prefer to use their Mac instead. I also think Bring Your Own Device can cover two types of machine. One, the user bought through the company Bring Your Own Device policy and it is brand new and we can build it for them, and the second one when it is already built and setup by the user.

As ever, a lot of this isn't an IT issue, but a management issue. If managers actually came to us and asked us to help with the user's machine we could help, but we don't see what is being plugged in.

You would have thought the line managers would ask themselves, I wonder where user x is saving their work!!

I appreciate the feedback.

Cheers

Michael

alexjdale
Valued Contributor III

It sounds like you are going to need network infrastructure and some sort of authentication that can direct systems to the appropriate VLAN.

We've implemented 802.1x on our wired network and I'm sure there are a ton of options out there for something like that. If management is truly wanting to segregate traffic for BYOD systems (I assume for security reasons), that should be done at the network layer and not on the client. With a managed BYOD scenario you still won't be capturing unmanaged devices (such as contractor systems), and it sounds like they will still be a concern in your situation.