Unintended consequences of BYOD

You can't pick up a trade magazine without reading about the pitfalls and advice regarding Bring Your Own Device (BYOD) initiatives. While most organizations have not yet embraced BYOD for laptops, many have done so for mobile phones and tablets. In my experience, most organizations have focused their efforts during BYOD deployments on device security, regulatory requirements, and end user support.  In late January, Apple released a patch to their iOS devices that began severely impacting corporate email platforms; both on-premise Exchange as well as Office365. The negative impact of this patch is shedding light on the effects that BYOD policies can have. In the worst-case scenarios, this impact can extend beyond just mail platforms and affect other systems that happen to share the same core infrastructure as the affected mail system;  all due to a minor iOS software release from Apple.

When IT organizations control every aspect of the entire IT environment, they typically have a process to test software releases and patches prior to a slow, controlled update. This process allows the IT team to ensure there are not unintended consequences of the update. In a BYOD world, employees often have the flexibility to update their devices at will -- and device manufactures and software publishers utilize this to push new features and functionality quickly to the masses. Since software releases often provide features that can enhance revenue for the OEMs or enhance the reliability and satisfaction of the end user, the manufactures and publishers often include mechanisms to quickly push software updates.

When Apple released the  iOS 6.1 patch for iPhones and iPads, those devices all received a push notification to accept the "over the air" update from Apple and many obliged. Shortly after the push came out, IT organizations started noticing performance and disk space issues with their Microsoft Exchange. Like other devices, iOS utilized Microsoft's ActiveSync protocol to sync email, calendars, contacts, and tasks from a user's mailbox to their device. A bug was introduced in Apple's implementation of the ActiveSync client which caused Apple devices to create excessive server resources consumption including massive log growth, memory and CPU utilization when a user responded to an exception to a recurring event in their calendar. This excessive consumption of resources caused Exchange server slowdowns and failures. In some cases, it even impacted other corporate systems due to shared storage area network resources. Apple has acknowledged the issue but a patch has not yet been released. While waiting for the patch, many organizations have quarantined iOS 6.1 devices and no longer allow them to connect to their Exchange servers.

This event is causing some IT organizations to re-think their BYOD strategies. Since iOS upgrades are not easily uninstalled, these organizations are facing a situation where they are forced to disable mobile device access for a subset of users and devices that are unexpectedly diminishing the performance or availability of core systems, such as email. It’s not hard to imagine how this will negatively affect the users, and the problem will likely experience an elevated since of urgency if the affected users are executives, highly-mobile employees, or other VIPs.

There are some preventative steps that IT organizations can take in order to prepare for mobile phone software updates. For example, Apple offers an iOS developer program that provides early access to software releases. Unfortunately, the release cycle is not incredibly rigid, so the amount of time IT shops have to test each release of iOS is unpredictable, and may be as short as a week or two. Additionally, the problems experienced with this most recently release of iOS would likely only have been noticed once a large number of iOS devices were connecting the mail environment.

IT leaders need to consider the risk of BYOD beyond just security and compliance -- they need to consider how BYOD could take down all IT resources and how they can mitigate that risk. Mitigation techniques might include:

• Isolating the infrastructure utilized to support email (the most commonly accessed system by employee owned devices)

• Considering a more disciplined BYOD strategy where as corporate IT controls more aspects of the device or only supports and allows certain known, tested devices and software

• Creating processes to quickly test new consumer grade devices and software updates so the IT organization can quickly assess the risk they create for the environment and act appropriately to quarantine and communication to employees if required

• Proactively communicating to employees that if their device impacts IT systems, it will be disabled -- even if you are the CEO

• Purchasing enterprise support agreements with vendors of consumer devices so engineers can quickly escalate issues rather than waiting for "message board" support to confirm suspected issues.

As we continue to meld consumer and corporate IT, the frequency of unintended consequences will increase. IT organizations need to accept that BYOD is more than a security and compliance concern -- it has the potential to have much greater impact to the stability of IT environments.