Last week's Advice Line, on how Apple's App Store stands IT's traditional deny-by-default policy on its head, stirred its share of criticism. One comment in particular left me scratching my head, as it asked why I didn't provide concrete guidance on how IT should initiate the shift away from deny-by-default when it comes to the iPad and App Store.
I'm scratching my head because I don't see any barriers to getting started. All you have to do is to establish a new policy that includes the following:
[ Also on InfoWorld.com: Get Bob Lewis's continuing IT management wisdom in his Advice Line blog and newsletter. | Find out why running IT as a business is a train wreck waiting to happen. ]
- Company acquisition of iPads is a matter of management discretion. IT approval is not needed.
- Company iPads must be configured with Passcode Lock set to On, and Auto-Lock set to 10 minutes or less.
- Employees may acquire any and all software from Apple's App Store they expect to be useful in the performance of their responsibilities or that they expect might enhance the functioning of the organization to which they report, subject to their manager's approval or delegated authority, with these exceptions:
- Programs that place company data outside the corporate firewall
- Programs that provide "remote control" access to their corporate PC
- Programs, or any use, that store sensitive company data on the iPad in unencrypted form
- Programs that are redundant to standard solutions already established by IT, such as providing connectivity to company email, calendar, and directory
- IT will provide secure facilities for this functionality on request. If for an exception is needed, employees should contact the head of Information Security to develop a solution.
- When this policy conflicts with external compliance requirements (PCI, HIPAA, Sarbanes/Oxley), our external compliance requirements supersede this policy.
More elaborate guidelines might be needed in particular circumstances, but chances are, the above outline will suffice.