Debate rages over how to manage personal mobile devices used for work

Many businesses allow employee-owned devices like iPhone but lack policies for them

Increasingly, businesses accept the idea that employees should be able to use their personal mobile devices, such as smartphones and tablets, for work. But debate is raging as to whether these employee-owned devices should be managed and secured exactly as corporate-owned devices might be.

A survey of 988 information technology managers published this week by vendor Courion shows 69% of the organizations they work for let employees use personally owned mobile devices to connect to the corporate network, though a quarter of the total say they either don't have a policy on how these personal mobile devices can access applications or are unaware there is one.

ROUNDUP: The 5 biggest IT security mistakes

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Increasingly, businesses accept the idea that employees should be able to use their personal mobile devices, such as smartphones and tablets, for work. But debate is raging as to whether these employee-owned devices should be managed and secured exactly as corporate-owned devices might be.

A survey of 988 information technology managers published this week by vendor Courion shows 69% of the organizations they work for let employees use personally owned mobile devices to connect to the corporate network, though a quarter of the total say they either don't have a policy on how these personal mobile devices can access applications or are unaware there is one.

ROUNDUP: The 5 biggest IT security mistakes

"The notion of employee-liable devices is not something that can be ignored," says Andrew Borg, analyst at Aberdeen Group, adding, "Without a doubt, employee-owned devices must be compliant with policy." That might include at a minimum the ability to do wipe and lock of an employee's personally owned device.

In regulated industries, stronger controls might be expected, such as on-device encryption and a mobile VPN. To address the notion of mixing personal and corporate data, there are commercially available products, including those from Good Technology, that can create separation of personal and corporate use at the operating system level for smartphones and tablets. Other possibilities include VMware's virtual-mobile desktop, Borg points out.

Aberdeen Group's own recent research published in March about employee-owned mobile devices being used for work showed that in a survey of 500 enterprises , 72% "permit use of employee-owned mobile devices for business purposes." That's up substantially from the 40% that allowed it just two years ago. In the March 2011 survey, 45% said "yes" to any type of device from the employee end, and 27% said the devices had to be compliant with policy.

When it comes to letting employees buy whatever mobile device they want to use at work, "there are wise ways to do this and unwise ways," Borg says. Some companies allow it simply because they believe they are pushing the costs of the device onto the employees without the IT department managing and securing them. But this view is "short-sighted," says Borg. The strategic view is to push to achieve compliance of personal mobile devices with corporate security and management policies.

Some organizations might agree.

"Our policy is we want our users to use personal devices for work if they want," says Endre Walls, chief technology officer at Philadelphia-based Resources for Human Development, a nonprofit organization with about 4,800 employees in 14 states that provides social and welfare services. But the organization only allows personal devices such as iPhones and Androids for work if the employee agrees to use certain mobile-device management software, in this case, MaaS360 from Fiberlink, deployed there since May.

The MaaS360 agent software, controlled through Fiberlink's cloud-based service, gives the IT division at Resources for Human Development a way to ensure password policy is adhered to, and also provides a way to wipe the devices if lost or stolen. "We've used this twice already," says Walls.