Now, Yankee Group reports that 58 percent of smart phones used for business are individually liable, while In-Stat predicts that up to 67 percent of the 1.9 billion Wi-Fi devices expected by 2014 will be BYODs. No wonder so many employers have stopped fighting to keep BYODs out and seek ways to rapidly enable safe business use and control corporate wireless LAN (WLAN) access. Let's consider a few strategies.
Guest Networks as On-Ramps
Even companies that have not yet embraced BYODs may well be carrying BYOD traffic over their corporate networks. For many workers, guest WLANs are the quick and easy way to use a personal Apple iPad, Android tablet, Kindle Fire or other BYOD at the office. Guest WLANs alone are sufficient to allow users to reach cloud services like Office 365 or Google Apps over the Internet.
But in other instances, guest WLANs are not enough to meet business needs. For starters, guest WLANs tend to leave security up to users - a less than ideal situation. Next, BYODs may use Exchange ActiveSync (EAS) to read corporate email or a viewer like Citrix Receiver to access corporate applications. EAS and virtual desktop infrastructure (VDI) traffic can be delivered by guest WLANs, but something more is needed to put those business applications and settings into place on unmanaged devices. Finally, guest WLANs do not let BYODs become full-fledged enterprise endpoints with secure, direct access to corporate services and data.
Or can they? While guest WLANs may not be the ultimate destination for BYODs, they can be convenient on-ramps to systems that enable more extensive business use.
Nudging BYODs in the Right Direction
BYOD users can find their own way to Internet-accessible servers used to enable BYOD business use. For example, users can download IT-generated, password-protected iOS profiles to configure EAS or Wi-Fi settings or enroll with any mobile device manager (MDM) that pushes profiles to registered BYODs. IT can even prompt this by sending invites to known devices. But therein lies the rub: How can IT automatically spot BYODs to kick this off with minimal effort and delay?
Over the past year, several vendors have seized upon this need and are offering products or features to facilitate BYOD discovery, fingerprinting and activation.
- Wired network equipment manufacturers such as Cisco and Juniper have launched mobility initiatives to enforce consistent access policies for (mostly managed) endpoints that roam between WAN and WLAN.
- Network access control (NAC) appliance manufacturers like Avenda, Bradford Networks, and ForeScout have parlayed guest access control into BYOD access control by fingerprinting (mostly unmanaged) endpoints to enable policy-based redirection and enforcement.
- WLAN equipment manufacturers such as Aerohive, Aruba and Meru have launched products or features to register and provision BYODs at the point of entry (as opposed to somewhere deeper inside the corporate network).
WLAN-based BYOD Activation
Let's focus on the last of these, using a few vendor solutions to illustrate how WLAN infrastructure can be leveraged to enable BYOD activation.
When Aruba acquired Amigopod late last year, it gained a family of "visitor management" appliances that support self-registration and auto-provisioning of BYODs. Amigopod plays a central role in Aruba's Mobile Device Access Control (MDAC) solution, which combines controller-based fingerprinting with Amigopod activation, followed by AirWave monitoring and helpdesk support.
In October, Meru added Smart Connect and Guest Manager features to its SA-200 and SA-2000 Identity Manager appliances. Smart Connect uses defined policies to redirect BYODs to a portal for auto-configuration of secure WLAN settings. Guest Manager supports wired and wireless BYOD registration, including BYODs connected to portions of the network not built on Meru gear.
Last spring, Aerohive released HiveOS and HiveManager updates that simplify mobile Internet device enablement. Specifically, devices connecting to an Aerohive guest WLAN can be redirected to a self-registration portal where they are auto-configured with their own Private PSK. This enables secure guest WLAN access for everyone. Next, based on device type, user domain authentication and configured policy, some BYODs can be moved onto non-guest WLANs to deliver the appropriate level of corporate resource access.
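The register-then-place flow described above, sketched as an added example (not Aerohive's code or API): each device receives its own pre-shared key at self-registration, policy decides which WLAN it lands on, and one device can be revoked without re-keying the rest. The SSID names, the allowed device types and the `Registrar` class are assumptions for illustration; the key derivation is the standard WPA2-PSK one.

```python
import hashlib
import hmac
import secrets

GUEST_SSID = "corp-guest"            # assumed SSID names
CORP_SSID = "corp-internal"
CORP_DEVICE_TYPES = {"ios", "android"}   # assumed policy: types allowed off the guest WLAN


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class Registrar:
    """Hypothetical backend for the self-registration portal."""

    def __init__(self):
        self._devices = {}  # MAC address -> {"ssid", "pmk"}

    @staticmethod
    def place(device_type: str, domain_authenticated: bool) -> str:
        # Only domain-authenticated users on an approved device type leave the guest WLAN.
        if domain_authenticated and device_type in CORP_DEVICE_TYPES:
            return CORP_SSID
        return GUEST_SSID

    def register(self, mac: str, device_type: str, domain_authenticated: bool):
        ssid = self.place(device_type, domain_authenticated)
        passphrase = secrets.token_urlsafe(24)  # 32 chars, unique per device
        self._devices[mac.lower()] = {"ssid": ssid, "pmk": derive_pmk(passphrase, ssid)}
        return ssid, passphrase  # pushed to the device by the portal

    def authorize(self, mac: str, ssid: str, passphrase: str) -> bool:
        # Stand-in for the 4-way handshake: the key must match this device's own record.
        rec = self._devices.get(mac.lower())
        if rec is None or rec["ssid"] != ssid:
            return False
        return hmac.compare_digest(rec["pmk"], derive_pmk(passphrase, ssid))

    def revoke(self, mac: str) -> bool:
        # Removing one record cuts off one device; every other key stays valid.
        return self._devices.pop(mac.lower(), None) is not None
```

With a single shared guest passphrase, the same revocation would mean changing the key on every device; here a leaked or departed device's key is useless to any other MAC address.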
These scenarios represent three different ways to use WLAN infrastructure as a platform to get BYODs onto corporate networks quickly, without requiring IT effort or relying on user configuration. Expect to see considerable innovation as BYOD use continues to escalate and enterprises make more productive use of these devices by running broader applications. The more that you can automate, especially while leveraging infrastructure you already own, the less time you'll spend on basic BYOD activation.