Bring Your Own Device still relevant?
Posted by FastFredNL@reddit | sysadmin | 122 comments
My manager keeps putting the implementation of BYOD on the agenda. Since I'm both server admin, network admin and security guy, I'm against this. I want to move to a system where we only allow company data and apps/accounts on compliant devices. A compliant device being issued by the company and monitored and managed through Intune.
I feel like BYOD is a thing that was nice 10-15 years ago to save on costs, but in today's day and age of needing to secure everything, having to provide support for people using whatever device they want is a pita and a data leak waiting to happen.
I know that MAM exists and we've played with it in the past but it's no guarantee.
Wondering how other companies are handling this?
Wolphin8@reddit
BYOD is a tradeoff... you are trading convenience for security.
IMO: BYOD is fine in a small company, which has a small attack surface, but only if it is managed correctly, and policies are enforced, especially MFA and preferably ZTA, and an MDM is configured. Usually, it ends up not
A detailed risk analysis should be done, so that all the reasons for each side can be given. OP is against it (more risk/exposure), but their management wants it (more convenient). Once the detailed risk analysis is done, maybe bring it to the compliance and legal people to add their say on it, as they would be able to expand on the exposure it brings.
Then bring it to the management (and even the shareholders), to see if they are fine with the added risks exposed, including the brand/reputation exposures. I doubt that it would be approved when it's laid out how much more it would cost to maintain (so they can know it's not just "we don't have to buy cellphones"), how it will very likely also generate more support tickets (so it increases support costs), and the exposure to attacks.
Separate-Fishing-361@reddit
My company uses Intune to manage employees’ personal cellphones as well as all company devices. It imposes some annoying limitations on copy/paste between apps, but supports my personal and company access and maintains compliance. I think some Android flavors support hard partitioning.
A guest WiFi policy that discourages permanent connections encourages employees to enroll their phones.
If your security policies use zero trust concepts, you can limit mobile access for sensitive apps/data.
Cool_Intention_161@reddit
we killed BYOD last year and honestly the support ticket volume alone justified it. half our issues were "my personal phone won't sync email" or "I can't access teams on my iPad" and we had zero visibility into whether those devices were even patched.
Intune managed devices only now. users pushed back for about two weeks then forgot about it. the security posture improvement was immediate. is your manager pushing BYOD for mobile only or laptops too?
fdeyso@reddit
MAM policies + we still don’t support personal devices.
Cool_Intention_161@reddit
MAM without allowing personal devices is a solid middle ground honestly. you get the app-level control without having to deal with the full MDM headaches. we went full company-issued and the hardware cost was worth it for the sanity.
Cool_Intention_161@reddit
alright
Cothonian@reddit
I always treated BYOD like a guest network - no access to internal resources.
No need to have someone connect their infected cellphone to a secure network and compromise everything.
0hurtz@reddit
AWS workspaces, Azure AVD, Citrix and AWS Appstream would make BYOD easy and compliant. We use this in Medical, Financial and DoD environments.
45_rpm@reddit
As a sysadmin, working in IT, it is not your place to dictate what the business needs or doesn’t need. What it wants or doesn’t want. What it can have or not have. You need to remember you are in a position of customer service, nothing more. The business is your customer and you will provide them what they want or you should find yourself another job.
Zerowig@reddit
This thread is like I stepped into r/ShittySysadmin. Yet, “BYOD” threads usually are. 80% of this thread are the same people that will cry when they get laid off wondering why. The old school-ness and misinformation here is wild.
There’s nothing wrong with BYOD if you manage it correctly. If you’re worried about company data making it on personal devices and your strategy is a strategy of “no”, then you’ve already failed. Because users will always find a way.
Expensive-Rhubarb267@reddit
With modern security requirements it's really hard to see a place for BYOD.
ncc74656m@reddit
I have execs who have forced my hand on it, and because I pushed back, they're forcing me out, but at least I'll die knowing that when our clients die, it won't have been my fault.
Expensive-Rhubarb267@reddit
Yeah execs tend to be the worst for this because for them the boundary between work & home is so blurred.
ncc74656m@reddit
They want everything with no protections, and because I no longer have any exec backing having just forced out the last person who introduced them to reality, I can't do anything anymore. Unfortunately I also can't just let it happen and keep my mouth shut, so I'm getting shown the door.
Expensive-Rhubarb267@reddit
Sorry to hear that- sounds really rough.
It'll be all the more satisfying when you're long gone & hear they've had a critical security breach.
Frothyleet@reddit
While BYOD is almost always a crap option, I actually think that it's way better today than it was 10+ years ago. There are way better options for managing access as well as sandboxed MAM for keeping a walled garden around corp data even if the device itself isn't managed.
Plus baseline security for consumers is just better than it used to be, although not necessarily for consumer-friendly reasons.
But, like anything in IT, it always will depend on your business requirements whether or not its viable in your environment.
Expensive-Rhubarb267@reddit
Yeah I'd agree with that. I don't have loads of experience with MAM, but as long as users know that they can use their own devices but there is a trade-off of 'yeah you can use your device but we need some kind of visibility & control'.
I'd say that's not strictly full fat BYOD, it's BYOD lite
Frothyleet@reddit
Caveat, my experience is limited to Android and its "Workspace" functionality, but there really isn't a tradeoff from an end user perspective (other than your work getting free use of your personal device).
It's basically invisible, there's no insight into personal data or settings outside of setting certain indirect requirements (e.g. requiring PIN login or OS versions). Corporate visibility and control is otherwise limited to the sandbox carved out for their applications and data.
Training_Yak_4655@reddit
I along with colleagues was expected to use personal phone for any needed company 2FAs, including MS Authenticator. Though I did get a $150 annual allowance for miscellaneous home kit. The company only funded dedicated phones for managers and consultants.
Expensive-Rhubarb267@reddit
I personally don't mind using my personal phone for 2FA - I hate having to carry around 2 devices. But each to their own!
pm_me_domme_pics@reddit
People say the same thing about keyrings when I offer them a hardware token as an alternative
dustojnikhummer@reddit
Agreed, so do I, but it has to be optional, not mandatory. I can get a work phone + work SIM or just a work SIM. We use Work Profiles anyway, so I just set up that for my work apps
ncc74656m@reddit
For MFA it's rarely a serious concern - I am certain there is some form of attack if not now, then in the future where this could be a risk, but it's a narrow one for sure. We had a few people push back on that and the alternative was a Yubikey that would need to remain in office, meaning that they would have to work exclusively from the office, and no remote work was possible. Everyone agreed, remarkably enough!
FastFredNL@reddit (OP)
I wouldn't mind it for MFA, I also have PRTG set up on my private phone because I always carry that phone with me. My work phone is turned off when I'm not working. Only my IT co-workers have my private number in case of emergencies.
GullibleDetective@reddit
It's still extremely common for mobile at least
Kaligraphic@reddit
BYOD was never nice, just cheap - and that was because someone else was paying. It was always a security, compliance, and liability quagmire.
CharcoalGreyWolf@reddit
Exactly this, and it’s why only cheap managers want it. That, and the manager that wants to make you get their specific oddball device on the network.
Jethro_Tell@reddit
It’s only cheap under 100 devices though. For any small org, it probably costs less to buy 100 of the same phone and manage them all the same than to be trying to set up an MDM for every random device under the sun.
ilikeme1@reddit
We dropped BYOD support about a year ago and issued company phones (Pixels) to those that did not already have them. Has been a lot easier to support and is more secure.
Kuipyr@reddit
MAM for iOS and Work Profile for Android, only acceptable BYOD IMHO.
Flabbergasted98@reddit
byod is a security nightmare.
You need to have a very real conversation with your boss to discuss the risks to the business if your servers are compromised and a malicious actor wipes them.
Whole_Hand862@reddit
My place does BYO. They require MDM which enforces encryption, passcode, and auto-wipe on multiple login failures.
Support is pretty limited. Not working? Wipe and rebuild/rejoin MDM.
What you get: email, MFA, a couple internal apps, WiFi access. Without MDM, your mobile gets no access.
They do stipends and company devices. Many of us prefer the stipend, since the company device is always the lowest cost 3-4 year old model available.
HerfDog58@reddit
I have employees at my workplace that pitch a fit about installing/using an MFA app on their personal phone. These same people have no problem setting up their work email on that phone "because it's easier for me" and connecting that phone to the company provided WiFi to access their personal email, social media, streaming platforms. "That MFA app is going to track me, so I won't put it on!!!" Yeah, like the authentication app is the one you need to worry about tracking you, not Amazon, nor Google, nor Facebook...
Just once, I'd love it if someone complained about "being made to use their personal device for work" and I was allowed to block their access to WiFi, email, etc. from that device. And then laugh at them when they complain they can't get on social media or streaming is too slow.
Professional-Heat690@reddit
Byod > cpc | avd
SpaceChimps98@reddit
Are you guys talking about BYOD for mobile devices, or BYOD for things like laptops? Because our company provides company laptops but mobile devices we give the option to enroll via Intune.
ledow@reddit
No, I wouldn't allow BYOD.
Managed devices are the only compliant method if you care at all about GDPR, etc.
You can't just let people do business data download, processing and access from some unmonitored device they bought secondhand off a flea market.
I'm sure there are plenty of big companies out there that allow it, but I wouldn't.
MissionSpecialist@reddit
BYOD with MDM+MAM (and preventing corporate data from being stored locally on the device outside the protected apps) would seem to solve these concerns entirely, at least for mobile OSes.
That's not to say all employees would be willing to enroll their personal devices in their company's MDM, but I see no downside to offering the option, and indeed have several thousand users who choose to avail themselves of it rather than manage two devices.
ledow@reddit
And now they can't use that machine for personal use AND you have to manage it for them AND you have to support it.
Might as well just buy them a laptop that you can at least ensure is up to the task, supported and serviced, which you can retire when it's obsolete, and not get a hundred calls about "But this machine doesn't have a TPM, you mean I have to go out and buy another now?!?!! Can't I just stay on Windows 10?" etc.
If I'm having to manage a machine top-to-bottom anyway, why would I choose to do that with random junk people bring in, rather than just assign them a serviced and supported machine obtained at bulk discount with an homogenised fleet?
Sorry, but I don't want to be diagnosing why YOUR webcam is the only one that doesn't work properly. I just want to be able to take your machine off you, throw it into the "to be repaired" pile and give you another off a stack of identical machines that are all ready to roll.
Everything else is just a false economy where even saving a portion of the price of a new laptop can be sucked up with just one unique problem coming in through the helpdesk for that one user.
Not to mention more minor things like electrical safety (people taping up their adaptors rather than splashing out for a new one), upgrades every few years, corporate image (Do I really want you using a piece of junk in front of an important client? No. Do I want you blaming your laptop because the wireless in it is shite in a Teams meeting? No.), firmware updates, device compromises, having to keep a stock of spares on hand anyway, etc.
It might be "simpler" but it doesn't make any economic or business sense, and never has.
No_Dog9530@reddit
Honestly BYOD should never be allowed on laptops need to be company issued enterprise laptops in order to provide end to end support.
MissionSpecialist@reddit
Certainly BYOD is a lot more complicated for Windows or macOS. I wouldn't be eager to go down that road either, which is why my response specified mobile OSes (Android and iOS). A number of people in this thread seem to be opposed to even offering that for, as far as I can tell, no particularly good reason.
ledow@reddit
That's an option that my users wouldn't accept.
Those machines are just not meaty enough to do what's necessary and the app- and web-based services are often inferior. There's a reason that even Outlook is getting pushback on its new desktop-based version (which is basically a web-wrapper), let alone OWA.
For some things, mobile devices are great. I am LITERALLY typing these replies on a Samsung phone via DeX, for instance.
For anything serious? I want a laptop, not a mobile device. So do my users, even if they aren't power-users.
I work in an industry (education) where we have both... and for "home" devices, nobody chooses mobile devices, or has ever even asked about the possibility. The kids might use them, but we see even them "outgrow" them quickly. They might use them in-class, in huge sets of them, hundreds and hundreds of them.
But when it comes to adult staff, back-end admin, real work (not just browsing) and even the older children... mobile devices are still perceived as toys of limited utility (right or wrong! My phone is more than powerful enough to do most of what I do... but honestly... it's still... clunky, awkward, doesn't feel designed for it, apps are cut-down and tricky even in DeX / desktop modes, web apps aren't my preference even on a desktop, etc. etc. I'm not alone in this.)
No_Dog9530@reddit
Luckily our company discontinued support for BYOD in 2022, now everyone gets an iOS device issued by the company, been amazing for support
FastFredNL@reddit (OP)
Agreed, iOS is great for end-user support because it's all so universal. We used to have Samsung company phones (back in the day of the Galaxy S3, so a while ago) and MDM was in its infancy. It was a mess and cost so, so much time to just keep it running. When we switched to all iPhones and only iPhones it freed up loads of time for us to do other stuff.
tankerkiller125real@reddit
These days I prefer Android when it comes to work things, the MDM solutions are basically sorted at this point, and if a user really insists that they don't want a second phone, and their current phone is Android, we can just load in an isolated work profile where all the work apps and data live (fully encrypted and separate) that we as a company have full control of, including the ability to wipe the work profile from the phone entirely when they leave, or lose their phone.
EventPurple612@reddit
BYOD only works if you don't care about data security. Like, not at all. Tell them users are going to be downloading trojans on open café wifi before firing up the VPN and ask him how you are to prevent, defend, trace, correct such an event chain. He's going to be responsible for every single breach coming from a hybrid device.
enforce1@reddit
It was never good. It’s not now, but it used to not be good, too.
bjmnet@reddit
What is their reasoning for wanting BYOD? From a security standpoint it's not ideal, and the only advantage I really see is users have one device instead of personal and work. My wife (WFH) has a work only laptop, and her personal one. With a nice USBC dock it literally takes 10 seconds to swap them. She has access to her work email on her personal iPad, beyond that zero crossover.
BananaSacks@reddit
Do you have a security dept/CISO? This really shouldn't be your fight. Someone, somewhere, likely wants to fight costs. It should then go to the security house, and the C's (or equiv) fight it out. If BYOD wins, it then goes on the risk register and all documentation captured and approved at the highest level.
If then, it still wins. Well, feck it, time to start working with security and internal audit on policy & framework.
AnDanDan@reddit
The only BYOD we have is for WFH. Everyone in the company is issued a machine, laptop or desktop. Laptop users VPN into the network from the machine, using one policy, and desktop folks have the option to BYOD, install the vpn client on their home machine, and remote in with a separate, much more restrictive policy that only allows RDP traffic. Their accounts are also restricted to accessing network drives from internal machines only, their home machines cannot touch the network drives.
Plane_Brief4197@reddit
BYOD only for 2FA MFA.
natefrogg1@reddit
They will bring the most shit 4500rpm Costco special and expect me to spend way too much time getting it update and connected, please no
mr_data_lore@reddit
BYOD would make it impossible for us to comply with CIS and other requirements. We'd have to put management and monitoring tools on every BYOD which essentially just makes them managed company devices. Once you take into account all the other headaches, it's just cheaper to issue company owned devices.
MetalEnthusiast83@reddit
BYOD is relevant for mobile devices and common. You can absolutely use intune and force compliance checks for access to company resources.
I have never seen BYOD used for laptops or desktops though. That would be wild.
Nnyan@reddit
Just no to BYOD.
deadnerd51@reddit
Yeah BYOD is just a GDPR nightmare waiting to happen.
ZaradimLako@reddit
50% GDPR nightmare, 50% tech nightmare. Everyone has different phones and laptops from different vendors with different specs. And there will be a sizeable amount of people with dinosaur Samsung phones or laptops/PCs with specs like my gaming computer.... from 2012. And it alllll becomes your problem now
deadnerd51@reddit
Yeah, thats a big one. People always forget that not everyone cares to have the most modern, most powerful hardware. In fact, some of the people who you would expect to have the nicer things (high earners), are often the most stingy when it comes to investing in tech. The amount of times I have had to recommend a user update their phone because their current one isn’t supported or no longer getting security updates is just silly.
MalletNGrease@reddit
The senior signatory authority at my last company used a flipphone so we had to come up with a MFA strategy that didn't involve Phone/SMS tokens.
Frothyleet@reddit
Respect to them! They are probably the only one there using phishing-resistant MFA.
Assuming the strategy was "get them a Yubikey" and not "have the MFA code sent to their assistant."
MalletNGrease@reddit
It was a Duo shop, and we did get him a yubikey. Standard was Duo Push.
Moontoya@reddit
I retired a server 2000 box and a couple of "pizza" box apple servers last summer
They had been in daily use up til then
Tech Scrooges tbh
realgone2@reddit
Bingo!
MysticalNinja1991@reddit
MAM works well (although it has its nuances) on Android and iOS, but lacks on Windows.
Thedguy@reddit
I don’t think I will ever have confidence in MAM on Windows. A personal device with no security? No way!
Consistent_Research6@reddit
BYOD is for the losers that only use the job phone as a personal phone and job phone also, because they were "raised" this way by the company; most of these douchebags are managers. BYOD should be illegal in 2026......security liability and data leak.
MissionSpecialist@reddit
There's no security liability with a proper MDM in place, and who wants to carry two phones like an early 2000s drug dealer?
(As long as we're doing dumb caricatures of the other position)
Consistent_Research6@reddit
Let's use the company phone because we are too lazy to have a personal phone and a business phone in the backpack, for work situations. When the company replaces the company phone, the unlucky sap in the IT dept. must also move the user's vacation photos and the old grandma photos the user had saved there too.
MissionSpecialist@reddit
Oh, so the opposite of what I was thinking; someone who has no personal phone and lives their whole life on their company-issued phone? Yeah, that's... Certainly a choice.
In my org, we would not help those users with any personal content. Personal use of the device isn't forbidden (it legally can't be in many civilized jurisdictions), but nor is it supported.
You need leadership coverage to take that path, and IME the best way to get that coverage is to quantify how much time (read: company money) would be spent on supporting personal issues.
travelingnerd10@reddit
I think that BYOD as a strategy for a company is something that may be an option during a very early startup phase (such as when the employees number less than 10). However, from a security and compliance point of view, that very quickly goes away as reality sets in and the organization "grows up".
That said, a form of BYOD will continue to exist because large organizations will still need to securely handle consultants, contractors with their own devices, users who access email from home computers, etc. So, you should still make plans on how to handle those situations. Generally, whatever policies or rules you make for those would cover any BYOD as well, as those policies are all dealing with untrusted or untrustworthy devices.
For example, for consultants and contractors on their own devices, apart from the contractual obligations that cover data security and access, you may also say that they can only access your network via a virtual desktop or a managed browser.
For the user at home with their personal computer wanting to check email or their calendar, you may stipulate that they must use a managed browser or a CASB-proxied web session that blocks downloads and cleans up cache in a timely manner. Technical policies can be used (such as Entra Conditional Access Policies) to block the use of desktop apps or other features in such situations.
Within those contractor and home use policies, BYOD devices would get covered as untrusted sources that now have policies that prevent their use as fully fledged members of your network.
SystemGardener@reddit
Very well stated.
itguy9013@reddit
We allow BYOD for mobile devices only.
Doing BYOD for endpoints is a nightmare.
tankerkiller125real@reddit
We allow BYOD for a select few users... In the sense that we allow them to access a fully controlled and managed AVD/Windows 365 environment from their browser, and we don't allow copy paste or anything else like that between the actual machine and said virtual environment.
BYOD where company data is stored/managed on the actual users device? FUCK NO!
Pristine_Curve@reddit
My experience with BYOD, is basically BYOVC (Bring Your Own VDI Client).
Actually using random whatever hardware for endpoints has never been a good idea, and is only suitable when two things are true.
The business is operating in an unregulated environment with no confidential data.
There is no expectation of support from the end users regarding their personal devices.
It is possible for both to be true, just exceedingly rare. Far more common, is you get people assembling a random pile of cheap computers from Amazon and expecting IT to instantly know how to secure and maintain them to a high security standard.
me_groovy@reddit
We have some staff use BYOD simply for our 2FA app.
Some of their phones are now too old to get security updates and not supported by the 2FA app. Can't exactly tell someone they HAVE to buy a newer phone.
rileyg98@reddit
I wouldn't even use a specific 2FA app on a non-work device these days. You want 2FA, you give me a TOTP I can put on my VivoKey Apex, a yubikey, or a work phone. Because last I recall a lot of 2FA apps now want you in MDM and I don't do that.
Nate379@reddit
What 2FA apps require an MDM - have not seen that.
I see the point of hating BYOD for anything outside of 2FA, but 2FA itself is fine IMO.
rileyg98@reddit
I feel like Microsoft authenticator wanted MDM or at least could be enabled
Nate379@reddit
Never seen that, use it extensively across many orgs. Not saying not possible, but never seen it.
Authenticator is supposed to be non-intrusive so that this isn’t a concern. I agree though that anything that requires MDM or similar should not be forced on employees on personal devices.
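As an added illustration of the point rileyg98 makes above (a TOTP seed can be loaded into a hardware token, a phone app or anything else that can do an HMAC) and of Frothyleet's remark further up that only the YubiKey user had phishing-resistant MFA, here is RFC 6238 TOTP, and the RFC 4226 HOTP it is built on, written from the RFCs with only the Python standard library. This is not code from the thread, Microsoft Authenticator or Duo. The seed is the RFC test-vector secret, so the codes can be checked against the RFC tables; a real enrollment generates a random seed per user.

```python
"""Added example, not from the thread: RFC 6238 TOTP (and the RFC 4226 HOTP it
is built on) using only the standard library.  The secret below is the RFC
test-vector seed so the output can be checked against the RFC tables."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890")
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based OTP: HMAC(secret, counter) -> dynamic truncation -> `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps for
    clock drift, compared in constant time.  A real verifier must additionally
    remember codes it already accepted in this step so one cannot be replayed."""
    counter = at // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + k), code):
            return True
    return False


def provisioning_seed(secret: bytes) -> str:
    """Base32 form of the seed: what an otpauth:// QR code carries and what a
    hardware token's enrollment tool accepts.  Whoever holds this string can
    mint every future code, which is why it is copyable to any device and also
    why it is not phishing-resistant."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    print("seed for enrollment:", provisioning_seed(RFC_SEED))
    print("code right now:     ", totp(RFC_SEED, int(time.time())))
```

The seed is a shared symmetric secret: the same bytes live on the server and in whatever the user chose to hold it, so moving it off a personal phone onto a token changes nothing about the protocol. The flip side is that a code the user types into a fake login page works just as well for the attacker within the window, which is the difference from a FIDO key, where the secret never leaves the token and the signature is bound to the origin.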
Emergency_Ad8571@reddit
Holy smartphones, Batman! I’m reading through these comments and am shocked. Yes BYOD has a place, front and center! I honestly can’t recall the last time I saw a company that doesn’t do BYOD unless it’s some classified government thing. I’m not sure I ever saw one.
It’s not a money thing, people don’t wanna carry around two phones.
MDM when deployed well will be data-centric, you don’t manage devices (or even care about devices), you manage data. You’ll need a data classification platform such as Purview - but if you’re GDPR compliant you probably already have one.
GDPR subjected data is simply disallowed on any mobile devices. All other data access depends on a basic compliance policy. That’s it, it’s not that hard, it doesn’t take up a lot of work once it’s been set up, you can achieve those in intune.
bpadair31@reddit
In this day and age, most employees need access to at least email and calendar and whatnot on mobile and the vast majority of people do not want to carry multiple devices.
BYOD for phones, tablets, and whatnot has been the default for so long that I am honestly shocked that this is a question. There are plenty of tools to support this, and if you don't people will work around it and you won't know until there is an incident.
Koutro@reddit
Right now we mostly buy separate phones for users and slap them into the MDM.
And for our small IT dept, I'm basically BYOD, having a separate company profile on my phone with Company Portal enforcing certain conditions like passcode requirements, etc. Anyone who doesn't want to carry around 2 phones has this alternative route as well.
BYOD is a lot cleaner and easier if it's in the hands of someone who understands what's going on a bit more. I don't blame any user who would get confused about it otherwise, it's a mess.
KittensInc@reddit
I noticed that you live in The Netherlands. It might be relevant for you that it is illegal for a company to force its employees to use their personal laptop for work. Similarly, you're going to be in serious trouble if you set up any kind of "remote wipe" - considering you'd also be deleting the user's private data. There are also going to be restrictions on the kind of management and monitoring you are even allowed to do: Dutch law in general is already quite strict about it, but this goes doubly so for privately-owned devices.
At first glance this seems like a reasonable policy to me - if you're trying to go for malicious compliance. Make it painfully clear that enrollment will mean permanent deletion of all personal data currently on the device, and that the device will be completely wiped (including permanent deletion of all personal data stored on it afterwards) when they leave the company. No sane person would accept this, as you're essentially renting your device to the company for free. Seems like a good solution to allow BYOD on paper but ban it in practice.
FastFredNL@reddit (OP)
We don't force our users into using personal devices, it's just that we currently allow the use of personal devices (although not hooked up to the company network). The only company smartphone we work with is iPhones. We have about 280+ of those but only 20 percent of them are managed through Intune because we only just started doing that with every new phone we give out.
There is not a snowballs chance in hell that people can come up to us with whatever private device they have to be put into Intune. If that ever becomes the standard I'm leaving.
MissionSpecialist@reddit
We allow BYOD for mobile OSes, and I don't see any reason not to have that available as an option.
Users are made aware before enrolling their personal device exactly what we can and cannot see/do (Intune handles this automatically, but we also have a wiki page about it), what device settings we enforce (inactivity timeout, minimum PIN length, supported OS version, device encryption, not rooted/jailbroken), and that any IT support for personal devices is strictly "best effort".
Changes to policy are communicated in advance, and users can choose to unenroll their device at any time, with no IT intervention required.
Our BYOD/Corp device split is roughly 80/20 globally. A bit lower in Europe (although not much), and a bit higher in the US (although again, not much). People strongly prefer to BYOD, and as the Intune admin (one of my many hats) it makes exactly no difference to me who owns the device.
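An added illustration, not code from the thread and not Intune or Entra code: the posture checks MissionSpecialist lists above (inactivity timeout, minimum PIN length, OS version, encryption, not rooted/jailbroken) and the ownership-aware outcomes travelingnerd10 describes earlier (full access on managed devices, app-protected or browser-only sessions for unmanaged ones, native/desktop apps blocked) modelled as one decision function in Python. The thresholds, the `restricted` sensitivity label for data that must stay off personal devices, and the `Device` attributes are assumptions chosen for the example, not values from any product.

```python
"""Added example, not from the thread: a toy model of device-posture
(compliance) checks plus an ownership-aware access decision, in the shape
Intune compliance policies and Entra Conditional Access express them.
Every threshold, label and attribute below is an assumption for illustration."""
from dataclasses import dataclass
from enum import Enum


class Ownership(Enum):
    CORPORATE = "corporate"    # company-issued
    PERSONAL = "personal"      # BYOD, whether or not it is enrolled


class Access(Enum):
    FULL = "full"                    # native apps, sync, local storage allowed
    APP_PROTECTED = "app-protected"  # MAM-wrapped apps only, no copy/paste out
    BROWSER_ONLY = "browser-only"    # web session, downloads blocked
    BLOCK = "block"


@dataclass
class Device:
    ownership: Ownership
    enrolled: bool                 # registered with MDM/MAM at all
    os_version: tuple              # e.g. (17, 2)
    encrypted: bool
    pin_length: int
    inactivity_timeout_s: int
    rooted: bool                   # rooted / jailbroken


# Assumed posture baseline (what an org would put in its compliance policy)
MIN_OS_VERSION = (16, 0)
MIN_PIN_LENGTH = 6
MAX_INACTIVITY_S = 300


def compliance_failures(d: Device) -> list:
    """Names of every posture check the device fails; empty list means compliant."""
    failures = []
    if d.os_version < MIN_OS_VERSION:
        failures.append("os_version")
    if not d.encrypted:
        failures.append("encryption")
    if d.pin_length < MIN_PIN_LENGTH:
        failures.append("pin_length")
    if d.inactivity_timeout_s > MAX_INACTIVITY_S:
        failures.append("inactivity_timeout")
    if d.rooted:
        failures.append("rooted")
    return failures


def decide(d: Device, client: str, sensitivity: str) -> Access:
    """Access decision for one request.

    client:      "native" (desktop/mobile app) or "browser"
    sensitivity: "general", or "restricted" for data that must never land on a
                 personal device (e.g. regulated personal data)
    """
    if d.rooted:
        return Access.BLOCK                       # never trust a rooted device
    compliant = d.enrolled and not compliance_failures(d)
    managed_corporate = d.ownership is Ownership.CORPORATE and compliant
    if sensitivity == "restricted":
        return Access.FULL if managed_corporate else Access.BLOCK
    if managed_corporate:
        return Access.FULL
    if compliant:
        # enrolled personal device meeting the baseline: corp data only inside
        # app-protection-wrapped apps, nothing on the personal side
        return Access.APP_PROTECTED
    # unmanaged or non-compliant: no native apps at all; a browser session
    # that keeps data server-side is the most it gets
    return Access.BROWSER_ONLY if client == "browser" else Access.BLOCK


if __name__ == "__main__":
    fleet = {
        "corp_laptop": Device(Ownership.CORPORATE, True, (17, 2), True, 6, 120, False),
        "byod_enrolled": Device(Ownership.PERSONAL, True, (17, 2), True, 6, 120, False),
        "byod_old_phone": Device(Ownership.PERSONAL, True, (14, 8), True, 4, 900, False),
        "home_pc": Device(Ownership.PERSONAL, False, (11, 0), False, 0, 0, False),
    }
    for name, dev in fleet.items():
        print(f"{name:15} fails={compliance_failures(dev)} "
              f"native={decide(dev, 'native', 'general').value} "
              f"browser={decide(dev, 'browser', 'general').value} "
              f"restricted={decide(dev, 'native', 'restricted').value}")
```

The ordering matters: the rooted check is first so a jailbroken corporate device is not rescued by its ownership, and the sensitivity check comes before the ownership check so that "BYOD allowed" never silently becomes "regulated data on a personal phone". Those are the two places a real Conditional Access ruleset most often gets the precedence wrong.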
dustojnikhummer@reddit
Europoor here, I have had management ask for BYOD about 4 times in the past 2 years. Every time they drop it when I say exactly this. "During their stay the laptop would be controlled fully by company, including full wipe when the person starts and leaves". At that point they always went "okay lets just buy a cheap work laptop then"
czenst@reddit
Exactly, let the users do the talking - make sure it is clear that once you are in MDM it is not a personal device anymore.
DisjointedHuntsville@reddit
You better support Apple products as standard issue then.
BYOD is a thing purely due to miserly plastic crapware that passes as work devices in all windows shops.
descartes44@reddit
As far as phones, sure--create an SSID on your wireless for them, call it "staff" or something. Then lock that down to just internet and limit the bandwidth. Secure it with WPA2 or such and let them connect to it. There you go, sane and secure, BYOD...laptops and other devices? No way.
Mindestiny@reddit
The network is not the problem with BYOD devices, you're just describing a guest network. The problem with BYOD devices is company data on unmanaged, personally owned devices with no way to control or monitor it.
CEO loses his phone and doesn't have a passcode on it because "that's too much work"? Now you have a major data security incident. Someone with access to customer PHI does the same? HIPAA violation, reportable data security incident, and potentially millions in fines.
rileyg98@reddit
If you're not paying for my device, I'm not using it for work. Simple.
Dear_Studio7016@reddit
I wish people at my hospital had this mentality.
rileyg98@reddit
My condolences. I imagine hospitals would be horrid.
realgone2@reddit
My place scaled back, but still does it. Public school district. They're too cheap to buy all the teacher's aides laptops. Yet, the admins of the schools keeps piling more work on the aides. So, many of them bring in their personal device. It's such a pain in the ass.
Top-Perspective-4069@reddit
If we're talking endpoints, fuck no. Mobile gets a lot trickier because it's usually both impractical and wasteful to give everyone in an organization a managed phone.
MAM can be weird but if you define your needs clearly and limit your scope, it gets you where you need to be in all but the strictest of compliance requirements.
aCorporateDropout@reddit
FWIW as a counterpoint, I worked at Microsoft until November and they allowed BYOD. I used my personal MacBook(s) the whole time I worked there, unless I was meeting with a very senior exec then I brought my Surface.
BYOD can work, and work well, but you need a lot of expensive tooling.
TightBed8201@reddit
Aren't you in a conflict of interest, being security and infrastructure at the same time?
You are basically pushing a security agenda which you then have to implement.
Implement BYOD in a way where you control every app installed (only the business ones needed) and wipe devices when they are not needed anymore. They will drop the BYOD policy soon enough.
FastFredNL@reddit (OP)
1 day a week I also do end-user support so.... We are a small team. And actually I think managing servers, networking and security together is great. I don't wanna be just a security guy that can only read a list of vulnerabilities and then send it to someone else who can actually look into or fix it.
rileyg98@reddit
It has been mentioned that both of those are illegal in OP's country.
Fritzo2162@reddit
You just deploy work profiles from Intune on BYOD. This enforces security requirements on the user’s phone and you can lock it down so info can’t be shared between work apps and personal apps. This is our standard setup and it works very well.
EggElectrical669@reddit
BYOD still exists but most places I’ve seen are moving toward managed devices for anything sensitive. It just cuts down a lot of risk and support headaches compared to trying to secure random personal devices.
marcelojarretta@reddit
Totally agree with you on this one. BYOD made sense when companies were broke and phones were $200. Now with compliance requirements and the security landscape? Hell no. The "cost savings" disappear real quick when you're dealing with Janet's 2019 iPhone that can't run your MDM properly, or worse, trying to do forensics on personal devices after an incident. MAM is better than nothing but yeah, it's still lipstick on a pig. Your manager probably sees the device stipend costs and thinks BYOD saves money. Show them what one data breach lawsuit costs vs buying proper hardware. That usually changes the tune pretty quick.
talin77@reddit
1800 users here, all with BYOD. Users here get a budget for 3 years and can choose from a set of recommended devices (Dell, Apple etc.) and choose their own OS; we provide an MS licence for Office apps and ESET, plus manuals for VPN and settings. Devices are not domain joined. They have to enable some settings and provide evidence of that, and they are on their way. Yes, it is an IT company and the users are somewhat knowledgeable. We (IT) admin the servers and network as our main job.
rileyg98@reddit
Not sure I'd call that BYOD though, just a lack of management.
FastFredNL@reddit (OP)
Most of our users can just about tell the difference between a mouse and a keyboard. And we have 1 guy on IT support who is basically at that same level. So this is far-fetched for us.
JakobSejer@reddit
Bring your own disaster you mean? No thanks
user975A3G@reddit
Fuck BYOD, it adds too much workload trying to manage all the different versions of OS, different phone brands etc.
BYOD phones are OK if you only have a work SIM card and MFA on them; once you start adding anything more than that, it should be a company-issued device.
FerretBusinessQueen@reddit
I don't, and my security dept fully supports me in not doing so. Personal and work devices shall never meet. That's not just for my protection, it is for my job's as well.
czenst@reddit
The big guys I have seen do Citrix: people have virtual desktops where they cannot copy data out, all traffic is MITMed, and there are no admin accounts on those desktops. Then they can do BYOD all they want.
Obviously people can always screenshot stuff or just snap a pic with phone or just retype...
You can also manage BYOD with Intune and disallow non-compliant devices from accessing company properties.
matroosoft@reddit
Are teams meetings then also running through Citrix? And VoIP / Softphone?
czenst@reddit
Yeah Citrix can pass audio/camera.
Teams is slow if you don't have many resources for the desktop, but Teams is slow on anything I guess.
geryatric@reddit
Research a Zero Trust architecture.
Infninfn@reddit
The objecting user's argument will always be, if you want to manage my device, pay for it. And then you counter with, if you want to access corporate data on your phone, we are required by policy and regulation to manage the security of it.
There are quite a few edge cases with MAM and unmanaged BYOD that you want to avoid, unless you love pulling your hair out. Best bet is to get them managed with MDM + MAM + Defender / your suite of choice. Less headaches that way.
Regular_Strategy_501@reddit
IMO BYOD is fine for things like peripherals (within reason) or things like fancy chairs (of course the office should contain decent chairs; I'm speaking about special stuff here), but not computers, be that phones, laptops or desktops. That is a data leak waiting to happen.
midasza@reddit
My feeling is quite clear - if you need it for work, work must supply it.
BYOD we personally only use as a perk, as in we provide limited Wi-Fi at work because offices are often in bad coverage areas, and giving the staff Wi-Fi for personal use (segregated, firewalled and sometimes on a separate line) is a nice perk.
But we don't want anything work related to rely on a device that:
Could be old, full, faulty.
Could be dropped, broken or lost and not covered by work.
Imagine Sally-Ann gets robbed coming into the office and her bag is stolen, but she still needs her phone for MFA to log in to resources. Maybe you have conditional access, or maybe she is a rep and is on the road so conditional access won't work. Maybe the cloud PABX software is loaded on it and calls are transferred. Whatever you are using BYOD for: can you realistically go to Sally-Ann and say, "Go buy a new phone, now, because we need to configure MFA"?
redredme@reddit
You know what happens without BYOD?
Data leaks. Shadow IT.
That famous quote from the original Jurassic Park is true, especially in IT:
"Life uh...finds a way." https://youtu.be/kiVVzxoPTtg?si=YiNHYc4dH4QhNSyA
Replace "life" with "users" and yes... there you have it. If you want to, sure, you can keep on playing that game of whack-a-mole your entire career.
For me, to keep to famous movie/series quotes:
I don't want it. (Jon Snow) https://youtube.com/shorts/SaOY7W8LJ60?si=GqwWEZIQqEmoCDUW
Work with it, not against it. Mold it, change it, secure your data and most of all: do not create reasons for your users to duplicate your data in Shadow IT. Because then you are in the real GDPR nightmare.
Is BYOD a nuisance? Yes. It's also a real pain in the ass to lock down each and every SaaS app you use. Possible? Sure. Will it go wrong? Absolutely.
No-BYOD was only somewhat possible in the terminal server era. Unfortunately we've moved beyond that.
LavaTakes@reddit
Just be happy you don’t work in higher ed then. Majority of our network devices are BYOD.
kimoppalfens@reddit
To me, they don't necessarily contradict. Data should only be consumed on a compliant device.
This doesn't necessarily mean the company has to hand you a physical device. BYOD + VDI, to me, is acceptable. This can be cost-effective and convenient in certain setups: external, non-full-time consultants, offshored labour, etc.
FastFredNL@reddit (OP)
Yeah, we currently have a mixture: AD, AAD/Intune, and BYOD devices to log in to Citrix. But we plan to move away from Citrix, with company applications only on AAD managed devices. So the only BYOD devices are gonna be smartphones, but with the risk of company data ending up in private iClouds and other stuff.
Sillent_Screams@reddit
Most Orgs have implemented MDM anyway.
ThimMerrilyn@reddit
Absolutely not. Lol
You have the correct vision from a security and administrative perspective. Don’t budge
landwomble@reddit
1) Why should an employee use their own laptop and risk privacy/remote wipe?
2) The total cost of building a good BYOD setup, maintaining it and troubleshooting weird problems because someone is trying to use a device that doesn't meet spec (weird driver or vendor bugs etc.) is probably much higher than the cost of just supplying a corp laptop over a few years.
3) Compatibility. Someone decides they want to use a shiny MacBook when you have LoB apps that require Windows.
4) Patching and security is hard.
ZaradimLako@reddit
Hi, M365/Azure Admin here.
After lots of back and forth and experimenting on Mac, iOS, Android and Windows, we did the following:
App Protection policies that apply only to private devices and some conditional access policies. People can download Teams, Outlook etc. on their private phones and use them normally, but there is zero data transfer. They cannot download anything, they cannot upload anything from anywhere to anywhere except inside the M365 world. Like, let's say you get an item sent to you via Outlook: you can download the attachment, but only into OneDrive, not onto the device.
Those who find that too annoying get company phones and laptops which do not have restrictions except the obvious stuff like that they cannot link any personal google accounts or whatever into the phone in some way and mandatory update installs.
Desktop app logins on private devices are completely blocked; browser versions only for M365 stuff.
I am also not a fan of BYOD stuff. People have way too different hardware, so each vendor has its quirks on a lot of things, and also I can't be bothered with cases where someone comes with a phone and/or laptop that is old but I have to "make it work", and now I have to administer a dinosaur Samsung phone or a Windows laptop with 8 gigs of RAM. You are completely right about rejecting BYOD.
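Several comments in this thread (the "disallow non-compliant devices" remark, and the app protection + conditional access setup described just above) boil down to two Entra Conditional Access rules: desktops reach Microsoft 365 only if Intune reports them compliant, and phones reach it only if they are either enrolled or running MAM-protected apps. As an added illustration, not code from any poster here, the Microsoft Graph PowerShell below creates both policies in report-only mode. It assumes the Microsoft.Graph module is installed and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess; the break-glass group ID and the policy display names are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Two report-only Conditional Access policies
# created through Microsoft Graph PowerShell:
#   1. Windows/macOS/Linux: Microsoft 365 only from Intune-compliant devices.
#   2. iOS/Android: compliant device OR Intune app protection (MAM) policy required.
# Assumptions: Microsoft.Graph module installed; admin consent for the scope below;
# an emergency-access ("break-glass") group whose ID replaces the placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: your break-glass group object ID

# Policy 1: unmanaged private laptops/desktops get no Microsoft 365 access.
$desktopPolicy = @{
    displayName   = 'CA - Desktop: require compliant device for M365'   # placeholder name
    state         = 'enabledForReportingButNotEnforced'  # report-only first; switch to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }   # the Office 365 app group
        platforms      = @{ includePlatforms = @('windows', 'macOS', 'linux') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('compliantDevice')   # "Require device to be marked as compliant"
    }
}

# Policy 2: phones may be MDM-enrolled (compliant) OR use apps covered by an app protection policy.
$mobilePolicy = @{
    displayName   = 'CA - Mobile: compliant device or app protection policy'   # placeholder name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'compliantApplication')   # compliantApplication = "Require app protection policy"
    }
}

foreach ($policy in @($desktopPolicy, $mobilePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Two design notes: the report-only state lets you read the "What If" results in the Entra sign-in logs for a week or two before anything is actually blocked, and the break-glass exclusion stops a misconfigured compliance state from locking every admin out at once. The setup in the comment above differs in one respect: it still allows browser sessions from private devices. Modelling that would mean scoping the desktop policy's clientAppTypes to mobileAppsAndDesktopClients and handling browser sessions with app-enforced restrictions, which this example deliberately does not do.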