Establishing a BYOD policy with VDI in mind

If you're using VDI to help manage BYOD, put that on paper, and make sure it's a part of your BYOD policy.

As IT professionals map out a bring your own device (BYOD) policy, incorporating virtual desktop infrastructure options may help resolve a number of the problems that crop up with employee-owned devices in the workplace.

To prevent employees from circumventing corporate IT in a rush to do their jobs, IT departments need to create new policies. VDI can be a useful tool in the BYOD toolkit, enabling employee-owned devices to be safely used in ways that would otherwise be unthinkable. And it gives IT a way to work with users rather than against them. It's important to establish policies that help IT maintain control without negating the potential benefits of BYOD.

How VDI helps BYOD security

A major BYOD policy decision involves information security. Which kinds of data can reside on which types of device? On the continuum of trust for devices, employee-owned mobile devices connected to the Internet with no corporate oversight and control are the least trusted, while servers inside corporate data centers are the most trusted.

Most organizations map the degree of trust to a degree of access; the more trusted the location, the more access to applications and data. Sometimes the level of access granted is an all-or-nothing decision; in other cases, organizations create highly granular rules with a lot of inspection of the device before it is granted access to applications and data.

Using a mobile device as a VDI client requires much less trust of the device because the data and applications never reside on the device itself. For some organizations, this makes for a much simpler test of trust and a more straightforward path to a BYOD rule. In that case, the policy might be that any device can have VDI access, but if it isn't a corporate device, then the only access allowed is through VDI.

Who has control over employee devices?

Another BYOD policy consideration concerns the level of control IT has over personal devices. Users want to be sure that IT cannot see or delete their personal contacts, email, photos or anything else that they store on a personal device. On the other hand, the company needs to be able to protect its data wherever it resides.

One solution is a corporate-supplied mobile application that wraps all the data and tools that are required to get work done into a single, centrally managed mobile application. This is a good solution if there is already a mobile wrapper for the data types and applications your business needs, but it's usually limited to mainstream applications with mass adoption.

The good news is that the types of data and applications that work inside these wrappers are usually allowed onto the least-trusted devices, while those that require more trust are likely not to be supported. VDI vendors are starting to add these application wrappers to their products to accommodate mobility needs, but conventional VDI can help here too. The data can remain inside the virtual desktop and be accessed from a personal device with no change to the existing application. The VDI client device can be minimally trusted or completely untrusted since the data and applications never reside on the client, always on a virtual machine.

VDI eases software licensing

Software licensing also brings challenges. If privately owned laptops have licensed software installed, who should bear the cost? Software like Microsoft Office has solid rules concerning private-use rights that come with a corporate license, but what about other applications? Computer-aided design apps, video production and even project management software can be expensive and must be licensed for every PC on which they are installed, including employee-owned PCs if the software is installed on a BYOD device.

What happens if an employee leaves the company? Clearly he or she takes the device, but what happens to the software license? If the software uses license enforcement and places a software license token on the device, the token represents a (potentially expensive) purchased license. When an employee leaves, that token and that software instance may be lost.

Another licensing trap involves the software that a staff member installs on a personal device and then uses for corporate functions. Who is liable for the license and any noncompliance? Staff may use student-licensed software for business purposes, or may illegally download pirated software and use it for business purposes.


VDI can help with licensing issues, because all the applications remain inside the desktop VM in a data center, so there is no loss of license when an employee leaves. Plus, only authorized applications are installed, and since the employee's device is used only as a portal to the desktop, there are fewer liability complications for the company.

Naturally, care is required with license compliance under VDI. IT should make sure that the approved applications are fully licensed for use in the organization. There may be special operating system licensing requirements for the virtual desktop, since it is remotely accessed. Also, software installed on the virtual desktop may have special licensing for using it remotely, particularly if a single VM is shared by multiple people rather than dedicated to a single staff member.

Another aspect here is the proliferation of devices that staff will use; many will have a laptop, a tablet and a smartphone. If your VDI licensing includes a cost for each device from which a desktop is accessed, this could get expensive.

Considering data syncing

Another BYOD issue that VDI helps prevent is employees storing unique corporate data on their devices. Tools that sync data, like email and collaboration applications, are useful; the data center always gets an up-to-date copy.

However, with content creation apps, like Word or Excel, the danger is that information can be generated on an employee device and not end up inside the company's four walls. Tools like Dropbox increase this hazard, as employees can scatter information among multiple devices that aren't yet included in corporate information management.

Providing a full suite of applications in the virtual desktop so that employees don't need to seek alternatives helps keep information inside the company, as can a wrapped mobile application. Alternatively, most VDI products now recognize the growing importance of BYOD and include file-syncing applications that allow staff to sync files in the corporate file servers from anywhere, giving IT the chance to back up data and recover it should the need arise.

This was first published in September 2013
