1. Figure out what employees want to do
Too many IT organizations look at the use of devices they did not furnish as a threat and try to block them. When they can't, they tie them up in knots to discourage their use -- in the name of security, of course. If they can't cite specific credible risks -- ones they actually experience at a level that hurts the company -- fire them and get an IT group not motivated by fear or power.
Figure out what employees want to do -- why they bought that iPad or Galaxy S III, why they use a Mac at home or want one at work, why they want to work from home or on the road, and what they think they can do with tools you're not providing. Most of this you'll get by talking to employees, but tools such as Visage Mobile's MobilityCentral can help you understand real-world usage as well.
You'll soon see patterns that let the business know what resources are lacking or counterproductive -- thus, wasting money -- as well as those that have high value to users. You'll also be able to create a risk profile grounded in the real world, based on what people are doing and/or want to do, then maximize the ROI on your security and management dollars accordingly.
2. Embrace Exchange ActiveSync
More than a decade ago, Microsoft created the technology that now makes the BYOD phenomenon possible in a corporate setting: Exchange ActiveSync, a protocol that lets you establish policies for technical configuration of devices that access the Exchange email server, as well as validate compliance with those policies of devices that attempt access. EAS is built into Exchange (2007 and later have the best support for mobile devices), System Center 2012, and through add-ons the current versions of Lotus Notes and Novell GroupWise.
Apple licensed EAS for OS X and iOS, giving IT free, immediate management capabilities over the BYOD-leading products. Motorola Mobility uses it in all its current Android smartphones and tablets, and Samsung uses it in many of its current Android products. The products representing 95 percent of what your users want can be secured and managed out of the box.
Many in IT don't seem to know this. At a minimum, your Exchange Server should be set to require users to enter a PIN or password to unlock their device if they want access to corporate email and to force automatic session time-out after 15 minutes of nonuse; the typical 5-minute default is too quick, unless your employees are being shadowed physically by corporate-data thieves, which suggests you have a different problem than EAS security settings. That way, a lost or stolen smartphone or tablet can't be used to access corporate information. How easy is that?
If you want, enable EAS's remote lock and remote wipe capabilities that let IT proactively lock or wipe a missing or stolen device -- but remember, by setting a password requirement and a time-out, the device autolocks. You can set a failed-attempt autowipe for employees whose group profiles suggest the information they deal with is highly sensitive.
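The settings recommended in this section, as an added example for the Exchange Management Shell (not part of the original article). It assumes the Exchange 2007/2010 cmdlet names (Exchange 2013 and later rename them to `*-MobileDeviceMailboxPolicy` with slightly different parameter names); the policy names, the `Finance` group and the failed-attempt limit of 8 are placeholders.

```powershell
# Added example: EAS baseline from the text above. Policy names, the group
# name and the failed-attempt limit are assumptions, not values from the article.

# Baseline for everyone: PIN/password required, auto-lock after 15 minutes idle,
# and devices that cannot enforce the policy are refused.
New-ActiveSyncMailboxPolicy -Name 'BYOD-Baseline' `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -AllowNonProvisionableDevices $false
Set-ActiveSyncMailboxPolicy -Identity 'BYOD-Baseline' -IsDefaultPolicy $true

# Groups handling highly sensitive data: same baseline plus failed-attempt autowipe.
New-ActiveSyncMailboxPolicy -Name 'BYOD-Sensitive' `
    -DevicePasswordEnabled $true `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

# Assign the stricter policy to the mailboxes in the sensitive group.
Get-DistributionGroupMember -Identity 'Finance' |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy 'BYOD-Sensitive'
    }

# Audit: flag any policy that lacks a password requirement or locks later than
# 15 minutes. The lock value is compared as text so 'Unlimited' is handled.
$maxLock = [TimeSpan]'00:15:00'
Get-ActiveSyncMailboxPolicy | Select-Object Name, DevicePasswordEnabled,
    MaxInactivityTimeDeviceLock, MaxDevicePasswordFailedAttempts,
    @{ Name = 'MeetsBaseline'; Expression = {
        $lock = "$($_.MaxInactivityTimeDeviceLock)"
        $_.DevicePasswordEnabled -and ($lock -ne 'Unlimited') -and
            ([TimeSpan]::Parse($lock) -le $maxLock)
    } }

# Audit: how many ActiveSync-enabled mailboxes each policy actually covers.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Group-Object ActiveSyncMailboxPolicy |
    Select-Object Name, Count
```

Mailboxes with no explicit assignment fall under the default policy, which is why the baseline is marked as default before the audit is run.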
It's hard to get a list of which EAS policies each major platform supports, so I've done that work for you. If you truly need more controls than what EAS provides out of the box, only then should you consider a mobile device management (MDM) tool. Of the nearly 100 providers of such tools, there's a short list of leaders to consider, of which two are widely agreed to be the deserved market leaders: Good and MobileIron. (Beware the many MDM tools that are merely front ends to Exchange's built-in capabilities.)