White paper that outlines the benefits and best practices of a BYOC program. A "bring your own computer program" is one where employers allow employees to bring their own computer to work, or provide a stipend to an employee who wants to choose and purchase a computer themselves.
WHITE PAPER
“Bring Your Own Computer” Program:
6 Best Practices for Success
SUMMARY
Business users who love the Apple Mac are the “consumerizers” of technology
in their firms. As loyal citizens of the company, they may use the one-size-fits-all
approved desktop configured with Microsoft Windows. But each one dreams of
ditching that device for a Mac or a better laptop.
Driven by the groundswell of demand for consumer technology like Apple Macs,
“Bring Your Own Computer” (BYOC) programs are gaining popularity with
businesses. The program provides a company’s employees with the flexibility to
choose their device. Some choose PCs. Many are choosing the Mac they already
cherish for personal use.
There are many valid reasons for choosing a Mac. Technologically, Macs are on
par with, if not superior to, many Windows machines. Mac laptops also have a
good battery life, up to seven hours. Most importantly, Macs serve as a sleek
accessory for the image-conscious executive who needs to project “latest
and greatest” while wooing big clients.
For these reasons, more organizations are beginning to offer BYOC programs.
BYOC programs can be a huge benefit for both the employees and IT. Employees
enjoy the flexibility of choosing the machine best suited to their needs, while
companies benefit from happier executives and staff, and reduced hardware
investment. In addition, if executed correctly BYOC can dramatically reduce IT
administration and help desk costs.
It is critical that sufficient planning is done prior to implementation of these
programs. On considering BYOC, your company will have questions about how
to approach implementation. This guide describes the six best practices of
BYOC for making this program a success in your organization.
1–CHOOSE APPROPRIATE DELIVERY MODEL
When implementing BYOC, a key consideration is how to deliver identical services
to multiple computing platforms. While there are many solutions in the market, a
managed client-based virtual machine is the most robust, flexible and cost-effective
solution for BYOC. Since the image runs locally, it is available online or offline, and
requires little hardware or server infrastructure. The management wrapper further
ensures the image can be centrally managed and updated.
DELIVERY MODEL: Port everything to the web
Convert all essential services to be web applications that can be accessed from the
employee owned machine.
PROS
• Works with any device with an Internet connection.
CONS
• Expensive and time-consuming to convert.
• Some applications cannot be converted to the web.
• No offline access.

DELIVERY MODEL: Provide a remote desktop
Host employees’ corporate desktop in the cloud on a server using VDI (virtual
desktop infrastructure) or TS (Terminal Services).
PROS
• Can be accessed from many devices.
• Can be centrally managed.
CONS
• Requires expensive back-end infrastructure.
• Interactive applications do not work well in VDI or TS.
• No offline access.

DELIVERY MODEL: Provide virtualized applications that run locally
Distribute or stream virtualized applications to employee owned device.
PROS
• Performance is good with local application execution.
• Can be centrally managed.
CONS
• May not work across both Mac and PC.
• Virtual applications do not interoperate with each other.
• Some applications cannot be virtualized.
• Weak security.

DELIVERY MODEL: Provide a managed corporate virtual machine to run locally
Distribute corporate virtual desktop directly to the employee owned machine
using client virtualization.
PROS
• Is centrally managed.
• Local execution provides great performance and the ability to run online or offline.
• OS virtualization provides security and platform independence.
CONS
• None.
2–CLEARLY DEFINE THE POLICIES FOR THE BYOC PROGRAM
Articulation of policies will help guide success of a BYOC program. By specifying
details in advance, your company can present a comprehensive, well-thought
program that will be easy to understand and follow. Typically, a stipend model
combined with a clearly defined minimum hardware support policy works the best.
Here are typical policies to consider with BYOC:
How will machines be acquired? Some programs direct users to buy machines
from local retailers or through a corporate discount with an online retailer. A
company can also fulfill BYOC by making the purchases through its own
corporate acquisition process.
Is there a stipend, and how much? While some companies require participants in
BYOC to use their existing computer, others provide a stipend. The user would be
free to add personal funds if they wanted to upgrade to a more powerful model.
Which employees are eligible? Some BYOC programs are enterprise-wide; others
specify eligibility, such as a minimum management level or pay grade.
What are the minimum hardware specifications for a machine? The company
must establish a baseline for running business applications at an acceptable level
of performance. Once this baseline is established, the company should specify
minimum system requirements (e.g. RAM, CPU and disk space).
Any recommended or prohibited devices? The BYOC program will generate more
enthusiasm by accepting as many types of devices as possible. This policy will be
affected by the program’s support policy and how the company implements
program delivery (see “Delivery Model”).
Who provides support? Policy should define if corporate IT provides hardware
support, or if the employee must add a support package (like AppleCare) for
their device. Policy should also specify the minimum level of the support package
(such as response by “next business day”), and who will pay for the external
support package.
All policies should be clearly communicated to employees. Legal and tax
implications are closely related to program policies.
3–DISCUSS LEGAL ISSUES WITH CORPORATE COUNSEL
Corporate counsel should consider factors in the BYOC program that would affect
a lawsuit or audit. A forensics analysis may require the company to gain control of
particular computers in the possession of employees, contractors, or collaborators.
For example:
Who owns the hardware? If users own their devices, consider the use of a binding
agreement that allows the company to meet potential obligations to auditors or
the legal process. Consider solutions that provide tracking and containment of
corporate data on the user device.
Who owns data on the hardware? The agreement should specify which data are
owned by the company versus user. For example, a partition such as a virtual
machine would be owned by the company. Data and applications owned by
users would go elsewhere on the hardware.
Statement on personal privacy. The company should clarify what it can and cannot
see or access on the physical computer, and its commitment to privacy of personal
use and data on the device. Users should be responsible for backing up their own
data, as the company cannot be liable for its loss.
4–CONSIDER TAX IMPLICATIONS TO
BOTH THE USER AND THE COMPANY
BYOC can affect the company’s and employees’ tax responsibilities. The primary
issue entails whether conveying all or even part of a physical device to an employee
or contractor is a taxable event. Federal and/or state law may apply. For example:
Does the recipient owe extra tax on the event? Users will be more enthusiastic
about BYOC if they do not have to pay taxes on a new computer.
Does the company pay this tax for the recipient? If new taxes are due, users will
be more enthusiastic about BYOC if the company pays those taxes.
If the recipient leaves the company and keeps the machine, does that constitute
extra compensation? Policy should specify a user’s tax responsibility for separation
from employment or contract.
Companies considering BYOC should consult their tax advisor to clarify these
issues. Users also may be advised to consult their tax advisor.
5–NEGOTIATE SOFTWARE LICENSES
BASED ON YOUR DELIVERY MODEL
When using virtual desktops, the company may be required to pay for two software
licenses unless the employee owns the device—one for the physical desktop, and
one for the virtual machine. Licensing should be incorporated into multiyear
return-on-investment calculations for the BYOC program. For example:
What are the licensing considerations if the Virtual Machine runs on a server? If
the user is running a Windows virtual environment on a server, VDA licenses are
required in addition to the Microsoft OS license.
What are the licensing considerations if the Virtual Machine runs on the endpoint?
If the user is running a Windows VM on top of an existing OS, only the
Virtual Machine needs to be licensed by the corporation.
6–RE-ASSESS SECURITY AND NETWORK POLICIES
System security is the last major requirement for BYOC. Physical devices chosen by
end users are outside the reach of controls protecting the organization’s physical
perimeter. So each device must be treated as “untrusted,” and subject to strict
endpoint security measures. Regardless of the delivery model chosen, the BYOC
machine should not be allowed to directly connect to the corporate network.
One approach is to segment the network to create separate corporate and guest
networks. The BYOC machines are allowed only on the guest network. Access to
corporate resources can then be provided from within the secure virtual machine
or through a VPN access point.

7 Essentials for Virtual Desktop Security
CHECK HOST SANITY
Check BYOC physical machine for malware that can attack the corporate VM.
Each virtual desktop is automatically scanned for malware before device can be used.
VM ENCAPSULATION
The VM is completely isolated from and independent of the underlying
physical computer.
VM ENCRYPTION
The VM supports strong encryption, such as AES 128- or 256-bit.
ACTIVE DIRECTORY INTEGRATION
VM supports AD credentials and two-factor authentication, such as
RSA SecurID and PKI.
GRANULAR SECURITY POLICIES
Address the entire organization or target policies for different user groups.
CENTRALIZED CONTROL OF SECURITY POLICIES
An administrator can revoke or kill VMs running on any device.
TAMPER RESISTANT CODE
Only authorized individuals can access, modify, or copy the VM image or metadata.
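
The segmentation rule in practice 6 (BYOC machines stay on the guest network and reach corporate resources only through the VPN access point) can be checked against a firewall rule set. The following is an added example, not part of the white paper: the subnets, the gateway address, the rule names and the first-match evaluation model are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption; the white paper names no addresses).
GUEST_NET = ipaddress.ip_network("10.50.0.0/16")    # BYOC machines land here
CORP_NET = ipaddress.ip_network("10.10.0.0/16")     # corporate resources
VPN_GATEWAY = ipaddress.ip_network("10.10.0.5/32")  # the VPN access point

# Constructed, ordered rule set: (name, source, destination, action).
SAMPLE_RULES = [
    ("guest-to-vpn", "10.50.0.0/16", "10.10.0.5/32", "allow"),
    ("guest-to-fileserver", "10.50.20.0/24", "10.10.8.0/24", "allow"),
    ("guest-to-corp-deny", "10.50.0.0/16", "10.10.0.0/16", "deny"),
    ("guest-to-internet", "10.50.0.0/16", "0.0.0.0/0", "allow"),
    ("corp-internal", "10.10.0.0/16", "10.10.0.0/16", "allow"),
]


def intersect(a, b):
    """Two CIDR blocks either nest or are disjoint; return the overlap or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def audit(rules):
    """Return names of allow rules that let guest hosts reach corporate
    addresses other than the VPN gateway, under first-match evaluation."""
    findings, denies = [], []
    for name, src, dst, action in rules:
        s = intersect(ipaddress.ip_network(src), GUEST_NET)
        d = intersect(ipaddress.ip_network(dst), CORP_NET)
        if s is None or d is None:
            continue  # rule does not touch guest-to-corporate traffic
        if action == "deny":
            denies.append((s, d))
        # Conservative: only a single earlier deny covering the whole overlap
        # counts as shadowing; partial coverage is still reported.
        elif d != VPN_GATEWAY and not any(
            s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denies
        ):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

In the sample, the file-server rule is reported because it sits above the deny, while the any-destination internet rule is only safe because the deny precedes it; removing the deny makes both rules findings.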
HOW MOKAFIVE IMPLEMENTS BYOC
As you’ve seen, the key to a successful BYOC program is to enable flexibility on
endpoint devices while protecting the corporate environment. MokaFive does this
with desktop virtualization, but in a unique and different way from traditional
server-based solutions. In essence, MokaFive moves the virtual machine off the
server and onto each endpoint. Organizations get all the benefits of virtualization,
namely the ability to centrally manage, but without the cost, complexity and the
network needs of a server based virtual desktop solution.
A BETTER APPROACH
Simple to deploy, Simple to update
With MokaFive, an IT administrator creates a “virtual golden image” of the enterprise
desktop, called LivePC, and uploads to their MokaFive server. LivePC golden images
are delivered to MokaFive Player running on users’ devices. Updates applied to the
golden image are automatically distributed to all LivePCs. Users’ LivePCs are
bit-accurate copies of the golden image, so update success rates are significantly
higher. And no matter how many, how large, or how complex—updates get applied
with a single reboot.
Always secure
MokaFive eliminates worry about infection from malware on users’ systems. The
enterprise golden image is virtualized and completely separated from the users’
hardware, applications, and data. More than 70 policy controls, such as encryption,
personalization, and enterprise integration with features like AD and two-factor
authentication servers, enable IT to easily implement enterprise security measures
and policies across all desktops.
Users Keep Their Stuff
No longer will updates blow away users’ personal settings every time the enterprise
desktop changes. Within the LivePC, user specific corporate applications, data, and
settings are kept separate from the golden image and golden image updates. IT can
maintain and update a single golden image yet provide customized experience for
each user within their LivePC.

CASE STUDY
Major Silicon Valley Law Firm
CHALLENGE
• Half of the lawyers wanted to use Macs, not PCs
• Enable separate personal and corporate environments
• Support mobile executives’ desktops across multiple platforms (Mac, PC, Linux)
SOLUTION
• Deploy MokaFive directly on attorneys’ desktops, Mac or PC hardware
• Single image across users in the U.S. and China
• Users personalize desktops with applications
BENEFITS
• Ease of management: single image for all mobile executives,
yet personalized by each user
One Total Package
Unlike standalone client hypervisors, MokaFive incorporates a Type 2 client
hypervisor (VMware Player, VMware Fusion, or Oracle VirtualBox) and wraps it
with management capabilities. The Player runs on many platforms including Macs
and PCs. The LivePC runs on top of MokaFive Player and is isolated well from the
users’ machine. MokaFive will also offer a baremetal solution, which will allow
companies to use MokaFive management directly on corporate machines
without having to manage and license a host OS.
MokaFive is right for BYOC
MokaFive provides the best of all worlds for a BYOC program. For the enterprise,
it enables total security and central control of all endpoints. The solution allows
IT administrators to centrally create, deliver, secure and update a fully-contained
virtual desktop to every employee-owned computer. Robust endpoint security
provided by MokaFive ensures that electronic corporate assets stay separate
from personal applications and data. For the user, BYOC with MokaFive enables
freedom to use and personalize whatever device they choose. These capabilities
provide the bedrock of a successful BYOC program.

“We’ve used MokaFive for more than two years. It lets us embrace consumer
technology and personalization, while at the same time ensures a managed
secure environment. Bottom line: user satisfaction is higher and my staff is
more effective.”
Philip Hoare
CIO, Wilson Sonsini Goodrich & Rosati

LEARN MORE
By following these six best practices, companies will be prepared to avoid
the potential speed bumps and road blocks of BYOC—and reap the benefits of
more productivity, happier employees, and lower cost of IT operations. For more
information on creating a BYOC program or deploying virtual desktops, please
email MokaFive at sales@mokafive.com or visit our website at www.mokafive.com.
MokaFive
475 Broadway Street, 2nd Floor
Redwood City, CA 94063
http://www.mokafive.com
MokaFive™, LivePC™, and the MokaFive
logo are trademarks of MokaFive, Inc. All
other product or company names may
be trademarks of their respective owners.
Revision: BYOCEWP1