Personally-owned devices at IBM
Supporting the Workplace of the Future at IBM
ISACA Conference, Copenhagen 7 September 2012
Carsten Broegger Andersen, Nordic IT manager
Barb Mathers, Director
Karen Keeter, Senior Manager
IBM Enterprise Transformation | Office of the CIO
© 2012 IBM Corporation
What is BYOD?
BYOD (bring your own device) is a program that allows employees to
use a personally owned device for work instead of, or in addition to,
a corporate-issued device.
90% of companies will support corporate
applications on personal mobile devices by
2014 – Gartner, Nov. 2011
By 2016, over 350 million will use their
smartphones for work. – Forrester, April 2012
80% of the current global population will
have a mobile device by 2016. – IBM Five in
Five, Dec. 2011
Employee satisfaction:
allowing employees to choose a
device that they prefer; no longer a
one-size-fits-all model
Increased productivity:
supports employees being able to
work when they want, where they
want, using mobile devices
The enterprise is evolving towards global integration
…the new work paradigm is shifting towards a “mobile” employee
Working where I want, when I want …
with the information that I need (data, applications, web access)
using any available connectivity type (dial-up, wireless, high speed, secure VPN and disconnected)
using any corporate approved device (PC, smartphone, wireless handheld device, etc.)
with the support that I need (on-line, voice, globally,
Work is no longer a place!
The IBM Personally Owned Device Case Study
• 95% (400K+) IBM employees are issued laptops
• Strong dependency on collaboration and social media tools
to conduct IBM business and stay connected to clients,
colleagues, etc.
• Over 115,000 smartphones and tablets and growing rapidly
(primarily Android OS and Apple iPhones/iPad devices)
• 11k Macintosh laptops at IBM (majority are personally
• Personally owned devices can be used for business
purposes – most employees pay for their own device/service
• Program is an augmentation to our enterprise policy
How did IBM become a “mobile” business?
• Established policies for mobile employees
• Established terms and conditions (t’s and c’s) for personally-owned devices
• Sold expensive office space and created world-wide
mobility centers
• Launched small, focused “opt-in” BYOD pilots. Resisted
the urge to “boil the ocean”
• Embraced collaboration and social media tools to enable
self-support through communities
IBM's BYOD program
"really is about supporting
employees in the way they
want to work. They will find
the most appropriate tool to
get their job done. I want to
make sure I can enable
them to do that, but in a
way that safeguards the
integrity of our business."
– IBM CIO Jeanette Horan
A highly diverse workforce:
• 425,000 employees worldwide
• 50% workforce has less than 5
years of service
• 50% of employees work remotely –
not from a traditional IBM office
• 71% of employees are outside the
Workforce segmentation
Infrastructure Employee Segmentation
Executive Management
Laptop (l/w)
Video Device
Manufacturing Employee
Simple SW
Customer Facing IBMer
Basic Application User
Low Cost WS
Web Browser
Research & Development
Power PC
Supporting Roles
Low Cost WS
Simple SW
Limited Acc
Employee personas will help determine the mobile device
and eligibility for access to the IBM network
User segments
IT Architect
Client Facing
Ruchi Developer Kimberly
Project Manager
IBM Executive
Client Rep
DB Admin
Using personal
devices without
accessing IBM
tools (e.g.
Loading docs
through laptop
Security & Partitioning
Connectivity & App store
Core Collaboration Apps
(E-mail, Calendar, Contacts,
Connections, Sametime)
Mobile Optional +
• File Share+Sync+Backup
• Core Administration Apps
(some w3 content, You & IBM,
UWP, WWER, ILC, Manager
Lotus Mobile Connect
Lotus Traveler, Lotus Sametime
UC, BluePages,….
Tech Sales
Mobile enhanced +
• Productivity Apps & Print
• Role Enablement Apps
Mobile Primary +
• Virtual Machine
(e.g., Sales = CRM, FMS,
Forecasting tool)
LMC + Full VPN
Lotus Traveler, Lotus Sametime UC, BP
Extract from Internal IBM 2012 Workplace Effectiveness Survey:
Willingness to enable personal mobile devices with Intranet/w3
access, even if not reimbursed for it
41% of IBMers who currently own a mobile device want IBM access
Key Decision Drivers:
• Have a Nokia smartphone or an iPad
• Prefer working on a tablet
• Prefer working on a smartphone
• Have either an unlimited or limited data plan vs no plans
• Use mobile device to search for information
• Believe mobile access saves time
56% of IBMers planning to purchase a new tablet or smartphone in 2012 want to enable it with IBM access
Key Decision Drivers:
• Plan to purchase an Android smartphone
• Prefer working on a tablet
• Prefer working on a smartphone
• Have an unlimited data plan
• Use mobile device to read news alerts
• Believe mobile access saves time
Other activities such as work e-mail, social networking are not the key drivers
* Logit predictive model of all mobility-related variables regressed on outcome (will employees enable personal mobile devices with VPN access).
Extract from Internal IBM 2012 Workplace Effectiveness Survey:
Base: Use mobile for work (n=2,250)
What are our biggest challenges?
• Providing modern and secure network access
that supports:
• Personally owned devices
• Partitioning technologies
• Mobile device management
• Multiple device types / multiple OS versions
• Defining a mobile application portfolio
• Providing an easy-to-use “app store” for
distribution of applications
• Standardization and comprehensive tooling
• Supporting a variety of devices, platforms,
carriers and countries
• Securing access to corporate data and
developing strategies to reduce the risk of data
• Addressing unexpected legal or compliance
• Managing expenses and determining the right
balance of reimbursement
Addressing the challenges with a four-pronged approach
Sunset legacy devices (Symbian, Win
Cross link Traveler accounts with IBM
Endpoint Manager registration
Digital Certification for all mobile
devices (1st step authentication)
Cross link digital certs to IEM and
network access
WiFi protection via enforced
Containerization solutions
Remote wipe capability
Enable and deploy high
value applications
Self-support model, powered
by IBM’s social software IBM
1. Technology
Security (ITCS300)
Client Standard
Connection tools and service
expense eligibility (CIO 128)
All mobile devices must be
registered in IBM Endpoint
2. Policy
3. Education
Provide education and
certification to enable
employees to be “security
Annual Business Conduct
Guidelines certification
“Ask the experts”
1. Deploy a secure technology framework
• IBM EndPoint Manager for Mobile Devices
• Deployment to include all mobile devices
(smartphone & tablet which are connected to our
• Users not running IEM on their mobile device
will be denied access to IBM’s network
(including Lotus Traveler)
• IBM EndPoint Manager for Mobile Devices
– Manage all password requirements
– Allow remote wipe in the event of data loss or a
security incident
– Check specific device configuration settings such as
jailbroken status, Siri activation, iCloud access,
device encryption, browser
• All devices (endpoints) will have to be registered
in an inventory database (WAM) regardless
1. Deploy a secure technology framework (cont)
Selected application access
for many
Mail, calendar, contacts,
registration and end point
management, remote wipe
Limited Pilots:
• Sametime
• Connections (w/o attach)
• Other applications
Full VPN access for
selected users
• Unified Access Gateway:
• Roles-based access (application
specific and full VPN)
• Isolated to Business Container
• Serves PC and Mobile
Virtualized client (pilot)
• Standards- based framework and tools
for developers
All intranet applications
and tools
Device Wide Security
Agent Based Verification/Provisioning
Secure Enterprise Container
Consistent Credentials
Email, Calendar, Contacts
Other Secure Business Apps
Security Inspection Services
“App store” for all devices
1. Deploy a secure technology framework (cont)
IBM Endpoint Manager (Android and Apple)
Junos Pulse (Android)
2. Develop a strong usage policy
Use of personal devices for business
purposes is voluntary.
Eligible employees (all except privileged
users) can use personal devices as long as
they agree to the IBM terms and
Employees must adhere to security
policies and installation of security agent
to ensure their device is secure.
IBM or client information and data
(property) maintained or stored on a
device is owned by IBM.
Employee agrees to allow IBM to inspect
or take possession of the device upon
IBM can revoke the ability to use the
IBM can do a remote wipe of the device at
any time, if the device is lost or stolen,
User will remove all IBM property when
they stop using the device.
IBM may, but is not obligated to provide
any 3rd party software. User must obtain
valid licenses for any 3rd party software
they choose to use for IBM business or
purchase it - with IBM approval - through
an approved IBM procurement
3. Educate your employees
Digital IBMer Education
Designed to help IBMers practice secure computing as a
foundation for the effective use of new and emerging
technologies – including social, mobile, and cloud
Available in 10 languages including English.
Business Conduct Guidelines
Specify IBM's standards of business ethics, basic
values and principles.
All employees must complete the IBM Business
Conduct Guidelines on a yearly basis.
Course completion and date are automatically recorded
in the Learning@IBM system.
Employees must complete all “quick check” questions to
receive credit for completion.
4. Support personally owned devices through social software
• Support is through communities
enabled with IBM Connections and
other internal support tools
• Support will be provided at the application
level, not the device level
• IBM application support (how to)
today is self-service via IT Help
Central (ITHC)
• IT Help Central team looking to
expand self-service documents for
application (“how to”) questions to
recognize application differences
between devices (Macintosh vs
Windows, for example)
• Users must self-support OS,
hardware and other non-IBM
• Mobile and workstation applications
will be accessible via a single integrated
“App Store”. Two separate stores today
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied.
IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties
or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products,
programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the
Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be
trademarks or service marks of others.
Glossary of security terms
• Device wide security - Basic “whole phone” security controls to prevent “root” level attacks and malware
without impacting user experience (no passcode enforced; implemented on personal side of device)
• Security inspection - All corporate remote access (limited and full VPN) includes security inspection (DLP:
data loss & intrusion prevention, IPS, detailed traffic data for APT analysis)
• Access control - All corporate remote access ensures both user and device access is confirmed/validated
(must validate device is registered, endpoint controlled, and in good security posture before allowing network
• Minimum needs access - Corporate network access is limited to minimum needed based on user profile
(many users will not need full w3 access, so will not be provisioned VPN)
• Secure enterprise container - Business data remains in secure “container” on device, with stronger security
controls applied only to this container (strong passcode, encryption, data copy prevention, data wipe, etc)
• Credentials - Remote access credentials must be separate from corporate application access credentials
(don’t want front door key and room keys the same)
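The slide “1. Deploy a secure technology framework” and the glossary entries for access control and minimum-needs access describe one decision flow: confirm the device is registered, endpoint-managed and in good posture before it touches the network, then grant only the services a user’s persona tier needs. The following is an added example, not IBM’s code and not the actual IEM or Unified Access Gateway logic; the posture fields mirror the checks the deck lists, but the `DevicePosture` class, the persona-to-tier mapping and the service names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass


# Posture attributes as an MDM agent would report them. The field set mirrors the
# checks the deck lists for IBM Endpoint Manager (jailbreak, iCloud access, device
# encryption, password requirements); the class itself is a hypothetical model.
@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    registered_in_inventory: bool  # registered in the inventory database (WAM)
    mdm_agent_running: bool        # IEM agent present; otherwise network access is denied
    jailbroken: bool
    storage_encrypted: bool
    passcode_set: bool
    cloud_backup_enabled: bool     # e.g. iCloud access, a setting the deck says IEM checks


# Entitlement tiers from the persona slide, using the service names it lists.
BASE_APPS = frozenset({"mail", "calendar", "contacts", "connections", "sametime"})
TIER_SERVICES = {
    "mobile_optional": BASE_APPS,
    "mobile_enhanced": BASE_APPS | {"file_sync", "productivity_apps", "print", "role_apps"},
    "mobile_primary": BASE_APPS | {"file_sync", "productivity_apps", "print", "role_apps",
                                   "virtual_machine", "full_vpn"},
}

# Hypothetical persona-to-tier mapping; the deck names the personas but does not
# publish which tier each one receives.
PERSONA_TIER = {
    "project_manager": "mobile_optional",
    "client_rep": "mobile_enhanced",
    "tech_sales": "mobile_primary",
    "it_architect": "mobile_primary",
}

# Personas excluded from BYOD altogether ("all except privileged users"); the
# choice of db_admin as the privileged example is an assumption.
PRIVILEGED_PERSONAS = frozenset({"db_admin"})


def posture_findings(p: DevicePosture) -> list[str]:
    """Return every failed posture check, so a denial carries an actionable reason."""
    findings = []
    if not p.registered_in_inventory:
        findings.append("device not registered in inventory")
    if not p.mdm_agent_running:
        findings.append("endpoint management agent not running")
    if p.jailbroken:
        findings.append("device is jailbroken/rooted")
    if not p.storage_encrypted:
        findings.append("device storage not encrypted")
    if not p.passcode_set:
        findings.append("no passcode configured")
    if p.cloud_backup_enabled:
        findings.append("consumer cloud backup enabled")
    return findings


def authorize(persona: str, posture: DevicePosture, service: str) -> tuple[bool, str]:
    """Decide one access request: eligibility, then device posture, then minimum-needs tier."""
    if persona in PRIVILEGED_PERSONAS:
        return False, "privileged users are not eligible for personal devices"
    findings = posture_findings(posture)
    if findings:
        # Deny before any entitlement lookup: an unhealthy device gets nothing.
        return False, "posture: " + "; ".join(findings)
    tier = PERSONA_TIER.get(persona)
    if tier is None:
        return False, f"no entitlement tier defined for persona {persona!r}"
    if service not in TIER_SERVICES[tier]:
        return False, f"{service!r} is not provisioned for tier {tier!r}"
    return True, f"allowed: {service!r} under tier {tier!r}"


if __name__ == "__main__":
    # Constructed sample devices, not real inventory records.
    healthy = DevicePosture("dev-001", True, True, False, True, True, False)
    rooted = DevicePosture("dev-002", True, True, True, True, True, False)
    print(authorize("project_manager", healthy, "mail"))
    print(authorize("project_manager", healthy, "full_vpn"))
    print(authorize("tech_sales", rooted, "full_vpn"))
```

The ordering is the point: posture is evaluated before entitlement, so a jailbroken or unmanaged device is refused even for a persona entitled to full VPN, and a healthy device still only reaches the services its tier lists, which is the “minimum needs access” rule from the glossary.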