Apple and internal IT have a lot in common.
Not really. But they could.
Take the App Store, and Apple’s well-known policy that before you control what you install on your iPad, Apple first controls what you can’t.
When Apple prevents you from doing what you want with a gadget you bought from it, it gives ownership a bad name.
As a metaphor for how IT might support end-user computing, on the other hand, the App Store provides excellent guidance, especially compared to the lockdown that’s purported to be industry best practice.
Which brings us to the End-User Computing Manifesto. I last visited this subject five years ago. An update is long overdue. Here it is.
Scope
End-user computing devices have multiple uses. They are the entry point for enterprise applications; tools for increasing the effectiveness of individual employees; and platforms for innovation by those employees capable of original thinking.
What follows supports these uses while providing a prudent level of protection from inadvertent and malicious damage.
Devices
- IT will provide standard desktop and laptop computers, and will support iOS and Android smartphones and tablets.
- Employees may use their own computers, smartphones and tablets so long as IT certifies they adhere to all security standards, either natively or through the deployment of company-managed virtual desktops.
Purchased Applications
- IT will maintain an internal “App Store” of tested and approved software. Each package will be the company standard for its functional purpose.
When an end-user requirement can be satisfied by App Store software, the standard supersedes individual preference (if Microsoft Office and SharePoint are in the App Store, for example, end-users won’t insist on Google Apps).
IT is, however, responsible for finding out what about its standard is so seriously deficient that an alternative seems like a good idea.
- Where the App Store can’t satisfy a manager-approved end-user request, end-users are free to purchase and install software so long as their manager approves it and certifies that the purchase has a business purpose. The one exception is software listed on the “App Blacklist”: software known to contain malware, serious security holes, or severe bugs.
Through automated software inventory tools, IT will regularly scan end-user computing devices connected to the company network to detect newly installed software, and will research any new package for possible inclusion in either the App Store or the Blacklist.
- IT will, to the extent possible, automatically back up end-user data and configurations, providing tools for user-controlled manual backups when automated facilities aren’t practical.
- IT promises no support for end-user-purchased software, but may choose to help out as time and staff are available.
- IT will never say, “We don’t provide this kind of tool and we won’t let you buy it either.”
- If a device goes haywire, IT will recover its data if possible, and restore or replace it, if possible to the most recent stable configuration, otherwise to a standard build.
End-user Development
- IT will provide suitable tools and support for end-user software development.
- IT will never say, “We won’t build it for you, and we won’t let you build it for yourself either.”
- If an end-user develops an application that is redundant to an existing IT-supplied application, IT will give that employee’s manager the old hairy eyeball. It will also find out what about the official application is so seriously deficient that building an alternative seemed like a good idea.
- IT will provide training for business managers on how to manage small-scale application selection, development, and maintenance. Responsibility for the accuracy and integrity of applications developed (or purchased) without IT’s involvement is the responsibility of the business manager.
- IT and internal audit will provide consulting and review services for end-user-developed applications, if requested or if the situation demands it.
- When business management decides an end-user developed application has achieved mission-critical status, IT will take responsibility for providing a functionally equivalent replacement that adheres to all IT application standards and is managed as part of the IT applications portfolio.
- End-users may only upload information into production databases through audited validation programs provided by IT for that purpose.
Other Stuff
- IT will provide secure, convenient facilities for remote systems access. End-users may never, under any circumstances, install and use their own.
- End-users are not allowed to install software that tunnels through open firewall ports to bypass IT security.
Terms of Use
Feel free to cut-and-paste as much of this as you want into your company’s policy manual, with this restriction: If you do, you’ll let me know and provide an occasional status report so the KJR community can benefit from your experience.
I like the manifesto with one caveat. Small IT departments must limit the scope of supported environments.
Instead of “IT will provide standard desktop and laptop computers, and will support iOS and Android smartphones and tablets.”, I suggest “IT will provide standard desktop and laptop computers, and standard smartphones and tablets.” At this instant, our shop supports Blackberry devices. We are doing a trial of the Playbook (which does run Android apps), with a fallback to trial iPads with third party management software.
I outright reject the “bring your own device to work” model. No matter the intention and acceptance of limitations, users will want tech support for their equipment and for bad personal decisions about both installed applications and hardware. Our firm DOES already provide secure connectivity to the company desktop for Business Continuity. Presuming such an arrangement becomes a preference for a significant number of users, then a migration to it or to virtual desktops can be a path forward.
Rick
Our IT policies are the most draconian imaginable. To get them changed I have left terse feedback on their intranet site as well as have submitted support tickets for every issue that I suspect is related to security policies installed on my machine. Many people here just do nothing or spend untold hours trying to fix something that isn’t possible for them to fix.
What is most egregious about our security policies is that they change frequently, and it really is not possible to know for sure what installation broke because of them or what app won’t run properly because of them. And their level one support team is not interested in figuring out anything that is wrong with a tool that they don’t offer as an enterprise application. They’ve said they expect developers to troubleshoot problems with their own applications, to which I responded, “How is that possible if I don’t have permissions to do so?”
I have proven to them that their installed policies consume huge amounts of my time and their time and do not serve their intended purpose. I hope my input has been instrumental toward getting the policies changed. They have been relaxed some as I am not the only one who has been handcuffed to the point of not being able to do their job and has complained about it. They have improved but have a long, long way to go. I wish I could copy and paste this article into an email and forward to all the decision makers at our corporate headquarters.
My advice to anyone who is in a similar situation is use VMs when you can. I wish I had that option and insight from the beginning.
Just a couple of slight suggestions:
“If a company-provided device goes haywire, …”
then add:
“If an end-user provided device goes haywire, you are on your own … or at the mercy of the Mac Store.”
End-User Development
The business expects you to do the job you were hired to do, whether that is sales, marketing, HR, production, or janitorial. Do not let your manager catch you working all week on your “desperately needed app” when what needs to be done is your job.
This is great stuff. On this point:
I think there needs to be something stronger there.
Regarding the Blacklist idea, from a security point of view that’s in my opinion not such a great idea. Especially with regard to applications on workstations, the security principle of “default deny” should be practiced.
In the end it’s a risk management issue, and everyone has to decide whether they are willing to take the risk of having a rogue application running on their network until it is detected and removed.
There are also logistical issues for example when company devices have to be replaced and users request all their applications to be put back as they were. No matter what SLAs you sign, or what your service catalog says many will demand you put the machine back as it was.
And once it’s on the machine, try convincing them that application X should be removed; they probably are not going to buy your arguments no matter how solid those are and will rant about IT at the water cooler.
My recommendation is default deny (a bitter pill to swallow), and try as much as possible not to take something away from the user. I think we cope with not getting something better than we cope with having things taken away from us (in that regard I think most of us are not much different from my 1-year-old daughter 😉).
There’s nothing about licence compliance for purchased applications. You might need to include that “compliance with the licence terms and conditions for purchased software is the responsibility of the manager that approved the purchase request.”
Though in the context of what a person can easily deploy without the help of IT, it may not be an issue.
Another thing to consider is end-user storage. In the past we’ve enforced restrictions on personal data (e.g. iTunes music and video files) for storage on corporate file servers.
Now, with support for mobile devices, these restrictions become much trickier, as “legitimate” corporate data could be stored in an iTunes folder.
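The manifesto’s inventory scan (detect newly installed software, research it for the App Store or the Blacklist) and the commenter’s default-deny counterproposal are really the same reconciliation job with one policy switch. The Python below is an added example written for this page, not code from the manifesto or from any commenter; the package names, hostnames, and the App Store and Blacklist contents are constructed for illustration, and the scan format (one `host package version` line per installed package) is assumed.

```python
"""Added example: reconcile a software inventory scan against an internal
App Store list and an App Blacklist, in two policy modes.

  blacklist    - the manifesto's model: App Store packages are approved,
                 blacklisted packages are blocked, anything else is allowed
                 but queued for IT to research.
  default-deny - the commenter's model: only App Store packages are approved;
                 everything else is blocked (and still queued for research,
                 since IT needs to know what users are reaching for).

Package names, hosts and list contents are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy lists (assumed; not from the original page).
APP_STORE = {"office-suite", "pdf-reader", "vpn-client"}
APP_BLACKLIST = {"cracked-keygen", "old-java-runtime"}

# What the previous scan saw, so newly installed software can be flagged.
PREVIOUS_INVENTORY = {"ws-101": {"office-suite", "pdf-reader"}}

# Constructed scan output: "host package version" per line.
SAMPLE_SCAN = """\
ws-101 office-suite 16.0
ws-101 pdf-reader 11.2
ws-101 note-taker 3.1
ws-101 cracked-keygen 1.0
ws-102 office-suite 16.0
ws-102 vpn-client 5.4
ws-102 old-java-runtime 6.45
"""


@dataclass
class Report:
    approved: dict = field(default_factory=dict)   # host -> App Store packages
    blocked: dict = field(default_factory=dict)    # host -> packages to remove
    research: dict = field(default_factory=dict)   # host -> packages IT must assess
    new_since_last_scan: dict = field(default_factory=dict)


def parse_scan(text):
    """Turn scan lines into {host: {package, ...}}; the version is ignored here."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, package, _version = line.split()
        inventory.setdefault(host, set()).add(package)
    return inventory


def reconcile(inventory, previous, mode="blacklist"):
    """Classify every installed package under the chosen policy mode."""
    if mode not in ("blacklist", "default-deny"):
        raise ValueError(f"unknown mode: {mode}")
    report = Report()
    for host, packages in inventory.items():
        new = packages - previous.get(host, set())
        if new:
            report.new_since_last_scan[host] = new
        for pkg in sorted(packages):
            if pkg in APP_BLACKLIST:
                # Blocked in both modes, regardless of who approved the purchase.
                report.blocked.setdefault(host, set()).add(pkg)
            elif pkg in APP_STORE:
                report.approved.setdefault(host, set()).add(pkg)
            else:
                # Unknown package: the two models part ways here.
                report.research.setdefault(host, set()).add(pkg)
                if mode == "default-deny":
                    report.blocked.setdefault(host, set()).add(pkg)
    return report


if __name__ == "__main__":
    inv = parse_scan(SAMPLE_SCAN)
    for mode in ("blacklist", "default-deny"):
        r = reconcile(inv, PREVIOUS_INVENTORY, mode)
        print(mode, "blocked:", r.blocked, "research:", r.research)
```

Run against the constructed scan, `note-taker` on ws-101 is the only package whose fate depends on the mode: it is allowed-but-researched under the blacklist policy and blocked under default deny, while the two blacklisted packages are blocked either way. The research queue is the piece that keeps either policy from ossifying; it is how IT learns what the official standard is missing.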
Bob,
To your very last point of End-User Computing Manifesto, v3, tunneling. I have used LogMeIn for several years to access my desktop computer when I am on the road. This puts me inside the company firewall to run programs, access databases, and process email without synchronizing with my laptop. Any IT imposed constraints still apply, since they do not run on my laptop. Yet, LogMeIn tunnels through the company firewalls to do its magic. Does this modify your last point?
Dick Caro
PS Now that I am on my own and my laptop is bigger and more powerful than my old desktop, I don’t use LogMeIn much anymore.
Doesn’t change a thing. An IT department that has anything on the ball will provide traveling employees with a way to access their full computing environment that has been properly certified to be safe and secure. It might even be LogMeIn, although there are quite a few other ways to skin this particular cat.
Keep in mind that solutions like LogMeIn are only as secure as your login information is private. While for some situations this is an entirely satisfactory level of protection, there are others where it constitutes an unacceptable security risk (remembering that if someone steals your laptop and gets past the initial password, your browser probably fills in the LogMeIn ID and password automatically).
There are plenty of companies that need more than this … for example, the use of fobs that provide one-time access keys (which, of course, require employee training so nobody thoughtlessly stores their fob in their computer bag).
Bob — great list but I think you missed one thing. Data.
With these new devices, software, etc, I also think a statement should be made on the proper use of corporate data. That is really the big struggle now, regardless if the “app” is approved, where does the data go to and what does the end user do with it.
Example, end user uses approved tools to grab data from a warehouse or transaction system. They then email/Excel/create report and send it to customers or even bad places. Data isn’t audited so bad information goes out or information is put in the wrong hands.
In IT we have played defense on security to protect internal systems, but now it looks like humans are the larger risk for giving out information.
Hands down, Apple’s app store wins by a mile. It’s a huge selection of all sorts of apps vs a rather sad selection of a handful for Zune. Microsoft has plans, especially in the realm of games, but I’m not sure I’d want to bet on the future if this aspect is important to you. The iPod is a much better choice in that case.