SAN DIEGO -- Flexibility and simplicity for end users are key to a successful BYOD program in the enterprise.
That was a common theme at the Jamf Nation User Conference, an annual event from Apple management software provider Jamf. Attendees heard about an out-of-the-box BYOD enrollment experience with Jamf Pro in which, for instance, users enter their credentials to enroll a device through single sign-on and then see fewer authentication prompts across all managed devices.
When organizations support BYOD, users can avoid carrying multiple devices while still having on-the-go access to their work applications and data. In this Q&A, Jamf CEO Dean Hager, CIO Linh Lam, and vice president of portfolio strategy Michael Covington discuss Jamf's strategy, technical support and outlook on BYOD for iPhones in the enterprise.
Editor's note: This interview was edited for brevity and clarity.
During the keynote, you highlighted the BYOD enrollment process for an iPhone in Jamf Pro. That's a very user-centric process, so why was it so important to emphasize for the audience?
Linh Lam: If you think about the onboarding process before, trying to set up your phone is a pain. We're trying to emphasize to our audience of mostly IT professionals that [Jamf] is empowering the users. This onboarding process is intuitive because it's just using Apple functionalities that everyone is used to through the Settings app, and it's easy enough for users to walk through themselves.
IT professionals will be intrigued by this because they can be hands-off. The goal is to reduce ticket volumes for the help desk, and that's exactly what we want to do -- make the lives of IT administrators easier.
Dean Hager: To enroll a device in a management security system back in the day, you had to send them a link or a packet. That is just ripe for hacking. You could fool somebody into enrolling in a system they never meant to enroll in.
Having personally owned devices be able to enroll the way that [Lam] showed … not only does it provide a better user experience, but it lowers the potential for a [hacking attempt].
Some BYOD users see any type of mobile device management (MDM) or on-device agent as an encroachment on their privacy. How do you approach the messaging around BYOD onboarding and management to address these concerns?
Michael Covington: I've stopped using the word management when I talk about [BYOD] use cases and instead use the word enrollment. Right now, management means something specific to users, based on past experiences, that often has a negative connotation for personal devices. Many workers have gone through the process of enrolling a personal device to be fully managed by an MDM … or VPN software that usually brought with it a ton of stuff that users didn't know about. It's about establishing trust with a business and delivering the applications users need to get work done.
The other big part of this is how we get to the BYOD enrollment. We're leveraging that built-in Apple experience and getting away from the link sending and from users downloading an application they have to install on their device. They just have to go through those familiar Apple settings and configure that relationship by walking through all those prompts.
If I'm the user, I like seeing these prompts. I agree to things, and if I don't, I can stop at any time. The prompts are coming from Apple -- not the company I work for and not the third party that my company has chosen to manage my device. Apple has a great history with its sandbox approach, so I feel good that they have created a clear separation between that work container and the personal side.
Do organizations see this approach as providing sufficient controls for BYOD security? You highlighted the limits on copying and pasting data between an iPhone's work and personal containers, but what about screenshots or simply writing the data down? Security management features can only go so far.
Lam: There are policies around data governance that you need to have in place and train users to abide by, but we focus on the mechanical controls you can implement. Of course, you won't be able to control it all, but as much as you can, you need to supplement that policy with technology that can help with those controls.
You need to prioritize the surface area of risks and think, 'Which are the major ones, and how can we prevent them?' If someone wants to get that data and share it in a harmful way, they will figure out how to do it.
Covington: We are obviously able to provide DLP functionality between the work and personal containers. But within the last year we acquired a company called ScreenTrust, which gave us the technology to use the on-device content filter engine that Apple uses. It can perform not only domain and URL-oriented blocking but also keyword-based blocking. We also have a network functionality … that can do some clever things that are DLP-oriented as well.
BYOD can mean saving a user from carrying two smartphones around. Do you see it as a goal of Jamf's software to enable users to have a single device with the BYOD ownership model?
Hager: I see no reason going into the future that users will need two devices. Whether that's a work-provided device or a personal device may vary. In both cases, you have management and security solutions and policies that can make the device work for that person.
I am a full-on, complete member of the anti-two phone movement. Power to the one phone.
Hager holds up his one and only iPhone.
Lam: When you think of these two worlds of work and personal, they're blending more than ever with remote work. So thinking about this use case from the perspective of [your personal life], I think having two phones is just terrible.
The single device provides a much better experience that employers can offer their employees, which can help with usability and attract more people to work for them.