The bank chose to move employees from the iPhone Configuration Utility to a SaaS-based version of Fiberlink's Mobile Device Management utility.
The bank then deployed a full device profile with Microsoft's ActiveSync Email, which bought the bank time to perform an analysis of document distribution options; it chose a cloud-based and centrally managed model, where all content use was pre-approved.
Employees are allowed to use any iOS mobile device they want. Lalli said he continues to evaluate Android devices, but that they are "not quite there yet" as far as employee uptake.
Unlike Hyatt, Bank of New York Mellon centrally manages all data that goes out to personally-owned devices. As Lalli put it, you can wipe a device, but then an employee could just download ActiveSync and be right back on the corporate network and IT would never know it.
"This is the comment I get all the time, 'I can go to Starbucks and just click one thing and I'm on the network. Why do I have to go through all this security to get onto our network? And, by the way, if you keep doing that, I'm not going to use your network,'" Lalli said. "That's the message I get from internal users."
Lalli said he wants to be able to manage the data from where it is and not from what device it might be on. While they've not completely achieved that goal, that's the end strategy.
"I'm vendor agnostic," he said. "We'd like to be able to track our data where it goes, and who cares where the devices go."
The bank still does not permit "highly confidential" information in the cloud, Lalli said, since closing the security hole should always be "the highest priority of any BYOD strategy."
Other key considerations:
- You will have to track multiple devices per employee
- Whether to wipe or block a specific device and not a user
- Whether to use a cloud-hosting service or an internally based SOA model; cloud is faster to deploy.
Lalli said the MDM market remains immature, and that it's important to test capabilities above and beyond what base MDM applications can offer.
Brian Katz, director of mobility engineering for global infrastructure services at a pharmaceutical company, said his company had also deployed MDM. But Katz said he prefers to look at least two years ahead, with the end goal being not which devices to enable, but how to get the company's greatest asset, corporate data, out to end users.
"Is it BYOD? Do you spend more money because you have to manage those devices, so what you save in not paying for them you then spend in trying to manage them?" he said. "One of the biggest things is creating an acceptable use policy."
A use policy should not only be about what employees are prohibited from doing with mobile devices, but what they can do. "If you secure your data, it doesn't matter who owns the device," Katz added.
Dion Hinchliffe, executive vice president of strategy at the Dachis Group, agreed with Katz.
Hinchliffe, whose company develops software to measure corporate social network performance, believes MDM is too "heavy weight."
Educating employees on good data security is as important as developing hardened security measures. Companies need to establish simple, easy-to-follow rules, such as not allowing employees to store data in the cloud.
"We have to get into the business of emergent change. We don't want to control it all," he said.
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld.