Turning on a BYOD program at the BBC
The UK public broadcaster shares the lessons it has learnt while building a comprehensive bring-your-own-device strategy.
More than most organizations, the BBC relies on a broad mix of both internal and freelance talent to create its huge variety of TV and radio programs. But an increasingly large proportion of those employees and contractors now rely on their own smartphones, tablets and laptops alongside — or, indeed, instead of — BBC-supplied devices to get work done. And that has forced the public broadcaster to creating a comprehensive, yet soft-touch strategy for both bring-your-own and choose-your-own device that supports a matrix of device, application, data and access options.
As Paul Boyns, head of IT strategy and policy at the BBC highlights, the organization did not have much choice in the matter. “Whether we formally acknowledge bring-your-own-device (BYOD) or not, it was and is happening anyway, it’s something you have to face up to; the alternative is your information is put at risk.”
But BYOD doesn’t have to be viewed as just another burden on IT, he emphasizes. “There are actually beneficial use-cases here, with an opportunity to do [end user computing management] better — from an IT and an architecture perspective.” So rather than having two managed parallel environments for BYOD and desktop, he wants to see them converged into a single system.
Three dimensions of BYOD
In the meantime, though, the stream of new devices and task-based applications presents its own unique set of challenges. “We have to expect that apps are going to work across multiple operating systems — indeed, we may not even know where they are going to land. An application might be running on a BBC device or it might be on a [user-supplied] device; and it might be in any location or on any network.”
That means that to deliver BYOD — and decide at what level it will do so — the BBC needs to nail down some key pieces of information on each user: “We need to know who they are and what they are allowed to access. We need to know the platform they are connecting from and we can provide the apps relevant to that platform. And we need to regulate what we can give them based on where they are geographically.”
The multi-dimensional service ranges from a fully authenticated user through to a completely anonymous one; from a fully trusted device through to an unknown one; from a user on a BBC internal network through to someone in a sensitive geography who isn’t legally allowed to access certain systems or run certain applications remotely.
Having decided on the breadth of services it wanted to offer, the organization has found itself with a number of decision points: how the mobile assets should be funded, who should support them, and what kind of architecture should underpin ‘the device ecosystem.’
Funding is still not a cut-and-dried case, says Boyns. Due to the cost implications, the organization was quick to rule out any kind of free choice of fully funded devices. That said, it has looked at various funding schemes such as ‘employer contribution’ and ‘employee salary sacrifice.’ But while it is drawn to a salary sacrifice (in which the device cost would be gradually deducted from an employees’ pay in a tax-efficient way), for the time being it has decided not to use any funding scheme.
“Right now we are going to keep device funding simple,” says Boyns, “Users will have two options: bring your own device — so it’s your device, you self-support and you can use it for home and work; or choose-your-own device (CYOD), where you pick from our catalog, we buy it and you use it for work.” In the latter case, the corporation doesn’t, of course, prohibit personal use, but it both owns the device and controls what’s on it.
In the case of BYOD, support is also treated in a hands-off fashion. While the bring-your-own user is not formally supported, the IT organization will provide an ‘expert bar’ service of problem solvers to users. “The accountability of getting the problem solved, however, lies with the user,” says Boyns. “In contrast, if you are using one of our BBC-managed assets, we take on that accountability to solve your problem.”
Support levels also differ depending on the type of hardware, operating system, and the application (virtualized, hosted, or ‘thick client’) being used.
The IT organization also has to take a hard look at its architecture model for end user computing in order to clearly understand the different services that staff are going to be consuming on all types of device. “In particular, you should be asking if there a good reason why an app has to be a managed service or if it could just as easily be provided via a private or public cloud,” he says.
The BBC has most of its strategy now either in place, in pilot or in planning, and Boyns is happy to share the steps that others going down this route should consider:
• Refresh your acceptable use policy Ensure your acceptable use policy is reviewed and revised so it covers all aspects of BYOD. And create awareness of the policy among staff so they know there are certain new behaviors they are signing up to.
• Streamline office comms Make sure that email and calendar work well across all supported devices and that Wi-Fi is available across all of your facilities.
• Audit apps and data Classify your applications and data so you know which are the important elements to deliver in a BYOD environment — and start that early. “It’s a big undertaking but it allows you to have fine granularity about which apps to deliver, in which context and for which users.”
• Explore cloud Think about whether you need to have direct control over all the services you are delivering and where you might want to put some out into a cloud environment as it may make them easier to deliver in a platform-agnostic manner in the future.
• Enable file sync and share Consider introducing a chosen public cloud file-sharing service, such as those offered by Box, Dropbox or Huddle – something that is much more prevalent in a mobile-first world. After all, your staff are probably using such services now, so better to focus them on one that you know about. But he counsels: “From a pure security perspective we think such file sharing services can be made workable, but they do raise questions from an information policy and compliance perspective about putting certain classifications of data in such environments. Without potentially complex engineering you can also lose the ability to stop data being downloaded to an unsecured device and I’d suggest you ask the vendor how they can help you secure that.”
• Adopt MDM Implement basic mobile device management to enforce password protection, PIN usage and (where appropriate) encryption. “But an MDM strategy is not a BYO strategy,” he says. Regard MDM as “an investment stopgap, one of the tools to help you get through this phase” before more comprehensive tools that manage both desktop and BYOD environments emerge.
• Aggregate users Divide your users into manageable groups so you can match different levels of BYOD services to different roles. Across the BBC’s 22,000 staff and thousands of freelance contributors there are more than 1,000 roles, and its implementation team have had to analyze and aggregate many of those into profiles based on how mobile they are, the kind of autonomy they have over access to information, the processes they engage in and the extent to which they collaborate with others both inside and outside the organization.
Lastly, Boyns points out that this is a whole new world in terms of how the business gets charged back for the services delivered. “This is a really challenging one,” he outlines. “When it comes to desktop, IT charges the rest of the organization a fairly standard charge per month, covering a whole raft of things – email, unified comms, network, and so on. But if 20% of your users are on BYOD and not using some of those other services you’ve got to make sure you’ve got an appropriate cost level associated with that. So we need to deconstruct the way we have been charging for services over the past decade or more and find a new, feasible way to charge going forward.”
The BBC’s Paul Boyns was speaking at Ovum’s Future of the Work Summit in London.