Last week we received a support request saying that a user was being locked out of Active Directory continuously. We turned to the user (who was very annoyed) and asked her about any mobile phone or tablet she might be using that had the corporate email account configured. She told us that she used to use a Nokia feature phone but had switched to an iPhone and was not using the Nokia anymore. We noted that and began investigating the issue through the logs, and saw that she was receiving a “bad password” error every five minutes, give or take 15 seconds. Digging deeper, we saw that the bad password was coming from the Exchange server, with the logs pointing to the hardware load balancer. We took a network capture from the load balancer and narrowed the log down to the second at which the account received the bad password error from Active Directory, to see the IP address that made the connection. And voilà! The IP address we found belonged to a mobile carrier. Once again we turned to the user and told her that a device belonging to her, connected through that mobile carrier, was trying to connect with a wrong password. She told us that she had given her Nokia phone to a repair shop, and most probably the shop was testing the phone. Ticket closed.
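The investigation above boils down to two checks that can be scripted: confirm that the bad-password events for the account arrive on a fixed period (a sign of a device retrying a stale credential rather than a human), then correlate each event's timestamp with the load balancer's connection log to find the client IP behind it. The following is an added example, not code from the original post; the log formats, user name, timestamps and IP addresses are constructed for illustration, and real Active Directory, Exchange and load balancer logs will need their own parsers.

```python
"""Added example: find the client IP behind periodic AD bad-password events.

The AD and load balancer log lines below are constructed for this example;
the key=value layout is an assumption, not any vendor's real format.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: bad-password events for one account, roughly five
# minutes apart, as in the case described in the post.
AD_BAD_PASSWORD_EVENTS = """\
2014-03-10 09:00:02 BAD_PASSWORD user=jdoe source=EXCH01
2014-03-10 09:05:11 BAD_PASSWORD user=jdoe source=EXCH01
2014-03-10 09:10:05 BAD_PASSWORD user=jdoe source=EXCH01
2014-03-10 09:14:58 BAD_PASSWORD user=jdoe source=EXCH01
2014-03-10 09:20:07 BAD_PASSWORD user=jdoe source=EXCH01
"""

# Constructed sample: load balancer connection log (client IP -> backend).
# 203.0.113.45 and friends are documentation-range addresses, not real hosts.
LB_CONNECTIONS = """\
2014-03-10 09:00:01 client=203.0.113.45 backend=EXCH01 path=/Microsoft-Server-ActiveSync
2014-03-10 09:00:40 client=198.51.100.7 backend=EXCH01 path=/owa
2014-03-10 09:05:10 client=203.0.113.45 backend=EXCH01 path=/Microsoft-Server-ActiveSync
2014-03-10 09:07:22 client=198.51.100.7 backend=EXCH01 path=/owa
2014-03-10 09:10:04 client=203.0.113.45 backend=EXCH01 path=/Microsoft-Server-ActiveSync
2014-03-10 09:14:57 client=203.0.113.45 backend=EXCH01 path=/Microsoft-Server-ActiveSync
2014-03-10 09:20:06 client=203.0.113.45 backend=EXCH01 path=/Microsoft-Server-ActiveSync
2014-03-10 09:20:06 client=192.0.2.99 backend=EXCH01 path=/ecp
"""


def parse_line(line):
    """Split one log line into (timestamp, {key: value}); None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts = datetime.strptime(line[:19], TS_FORMAT)
    fields = dict(KV_RE.findall(line[19:]))
    return ts, fields


def bad_password_times(ad_log, user):
    """Timestamps of BAD_PASSWORD events for a single user, in log order."""
    times = []
    for line in ad_log.splitlines():
        parsed = parse_line(line)
        if parsed and "BAD_PASSWORD" in line and parsed[1].get("user") == user:
            times.append(parsed[0])
    return times


def is_periodic(times, period_s=300, tolerance_s=15):
    """True when every gap between consecutive events is period +/- tolerance."""
    if len(times) < 2:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return all(abs(g - period_s) <= tolerance_s for g in gaps)


def correlate_clients(times, lb_log, window_s=2):
    """Count load balancer client IPs seen within +/- window of each bad-password event."""
    window = timedelta(seconds=window_s)
    connections = [p for p in (parse_line(l) for l in lb_log.splitlines()) if p]
    hits = Counter()
    for t in times:
        for conn_ts, fields in connections:
            if abs(conn_ts - t) <= window:
                hits[fields["client"]] += 1
    return hits


def find_suspect(ad_log, lb_log, user):
    """Return (client_ip, matched_events, total_events), or None if nothing correlates."""
    times = bad_password_times(ad_log, user)
    hits = correlate_clients(times, lb_log)
    if not hits:
        return None
    ip, matched = hits.most_common(1)[0]
    return ip, matched, len(times)


if __name__ == "__main__":
    events = bad_password_times(AD_BAD_PASSWORD_EVENTS, "jdoe")
    print("retrying on a fixed ~5 min period:", is_periodic(events))
    print("most likely client:", find_suspect(AD_BAD_PASSWORD_EVENTS, LB_CONNECTIONS, "jdoe"))
```

The correlation window is deliberately narrow (two seconds) because the authentication attempt and the load balancer's connection entry are logged almost simultaneously; widen it only if the clocks on the domain controller and the load balancer are known to drift, and reconcile time sources first where possible. A client that matches every event, as the ActiveSync client does here, is the one to look up against the device registration records discussed later in this article.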
The whole process showed us one thing: not having a Bring-Your-Own-Device policy is an invitation to disaster, and not taking the necessary steps is insisting on having one. This support request could easily have turned into a crisis, and even downtime. As I have discussed thoroughly in this article series, these disasters can be avoided.
Before rolling out the BYOD policies, make sure that you re-evaluate your existing infrastructure. This includes the password change policy, the existing devices that will have to handle the additional load coming from employees’ devices, firewalls, etc. Consumer-grade devices will not be able to cope with the load from the new devices: wireless access points will serve more clients, servers will answer more queries, and switches, routers and firewalls will handle more traffic. The network bandwidth also has to be upgraded.
The supported devices and platforms, and the level of support for each, have to be clearly defined. At some point, you will inevitably find yourself trying to cope with various Windows and Mac OS releases, Linux distributions, iOS, Android and BlackBerry versions, ChromeOS and God knows what else. Nor are you guaranteed that users will stick to the default applications; for example, what will your answer be when a user opens a ticket saying he cannot sync his Google calendar with the company’s Exchange calendar using a third-party calendaring application on a supported Android release? Limit the supported devices and supported applications. Or go mad.
Requiring device registration is a must. A simple registration form asking for the device make, model, MAC address, mobile carrier and the user is enough. In the case above, this information would have let us identify the device immediately. Across the whole infrastructure, it would help us track which users are bringing their devices and which are abusing the policy, block the offending users and even block the devices themselves.
As I said in the second article of the series, BYOD is a swift revolution and it is not possible to stand against it. It is not the time for administrators to complain about the incoming devices and the anticipated headaches. It is time for management to sit down, understand the BYOD trend and take the necessary steps to lessen the load on both the users and the IT personnel. With these tips, I cannot say that your company’s BYOD adoption will be painless, but I can guarantee that following them will lessen the pain.