SAN DIEGO – Flexibility and simplicity for end users are essential to the success of a BYOD program in the enterprise.
This was a common theme at the Jamf Nation User Conference, an annual event for Apple management software provider Jamf. Attendees heard about an out-of-the-box BYOD enrollment experience with Jamf Pro where users can enter their credentials to enroll a device in single sign-on, for example, and limit authentication prompts on all managed devices.
When organizations support BYOD, users can avoid carrying multiple devices while still having on-the-go access to their business apps and data. In this Q&A, Jamf CEO Dean Hager, CIO Linh Lam, and VP of Portfolio Strategy Michael Covington discuss Jamf’s strategy, support, and outlook on BYOD for iPhones in the enterprise.
Editor’s note: This interview has been edited for brevity and clarity.
During the keynote, you highlighted the BYOD enrollment process for an iPhone in Jamf Pro. It’s a very user-centric process, so why was it so important to focus on the audience?
Linh Lam: If you think about the onboarding process before, trying to set up your phone is painful. We try to emphasize to our audience of mostly IT professionals that [Jamf] empowers users. This onboarding process is intuitive because it just uses the Apple features that everyone is used to through the Settings app, and it’s easy enough for users to navigate on their own.
IT pros will be puzzled by this as they can be passive. The goal is to reduce ticket volumes for the help desk, and that’s exactly what we want to do: make life easier for IT admins.
Dean Hager: To enroll a device in a management security system back then, you had to send them a link or a packet. It’s just ripe for hacking. You could trick someone into signing up for a system they never wanted to sign up for.
Having personal devices that can enroll the way [Lam] showed … not only does it provide a better user experience, but it reduces the potential for a [hacking attempt].
Some BYOD users view any type of mobile device management (MDM) or on-device agent as an invasion of their privacy. How do you approach messaging around BYOD onboarding and management to address these concerns?
Michael Covington: I stopped using the word management when I talk about [BYOD] use cases and use the word registration instead. Currently, management means something specific to users based on past experiences that often has a negative connotation for personal devices. Many workers have gone through the process of enrolling a personal device to be fully managed by MDM … or VPN software that usually brought with it a ton of stuff that users didn’t know about. It’s about building trust with a business and providing the apps users need to get the job done.
The other big part of this is how we get to BYOD enrollment. We’re leveraging this built-in Apple experience and moving away from sending links and users downloading an app that they need to install on their device. They just have to go through those familiar Apple settings and set up that relationship by going through all those prompts.
If I’m the user, I like seeing these prompts. I agree to things, and if I don’t, I can quit at any time. The prompts are from Apple – not the company I work for or the third party my company has chosen to manage my device. Apple has a great history with their sandbox approach, so I feel good that they’ve created a clear separation between this work container and the personal side.
Do organizations see this approach as sufficient controls for BYOD security? You’ve pointed out the limitations of copying and pasting data between work and personal containers on an iPhone, but what about screenshots or just writing data? Security management features can’t go any further.
Lam: There are data governance policies you need to put in place and train users to follow, but we’re focusing on the mechanical controls you can implement. Of course, you won’t be able to control everything, but wherever possible, you should complement this policy with technology that can help with those controls.
You need to prioritize the risk surface and ask yourself, “What are the main ones and how can we prevent them?” If someone wants to get that data and share it in a harmful way, they’ll figure out how to do it.
Covington: Obviously, we are able to provide DLP functionality between business and personal containers. But in the last year, we acquired a company called ScreenTrust, which gave us the technology to use the content filtering engine on the device used by Apple. It can not only perform domain URL-oriented blocking, but also keyword-based blocking. We also have network functionality… which can do smart things that are also DLP oriented.
BYOD can mean saving a user from carrying two smartphones. Do you consider it a goal of Jamf software to allow users to have a single device with the BYOD ownership model?
Hager: I see no reason why users need two devices in the future. Whether this is a work-issued device or a personal device may vary. Either way, you have management and security solutions and policies that can make the device work for that person.
I am a full member of the anti-two-phone movement. Power on one phone.
Hager brandishes his one and only iPhone.
Lam: When you think of these two worlds of work and personal, they intertwine more than ever with telework. So thinking about this use case from the perspective of [your personal life], I think having two phones is just terrible.
The single device provides a much better experience that employers can provide to their employees, which can help with user-friendliness and attract more people to work for them.