1. Bring Your Own Device (BYOD)
    1. An organization's employees both own and use personal computing devices external to (not provided by) the workplace.
    2. Organizations must have clear guidelines about BYOD that specify:
      1. who may bring devices to the workplace
      2. what types of devices they may bring
      3. how the security configurations of those devices are managed
      4. how data that originated inside the organization, but was received on those devices, may be shared
    3. The use of BYOD often requires significant adjustments to an organization's acceptable use policy. Unless policy is clearly defined, IT staff may find themselves in a situation where they don't know the scope of their support services.
    4. The core issues around BYOD relate to device and data ownership:
      1. Traditionally, the company owned both the data and the device, and was responsible for both.
      2. In a BYOD environment, the user may own the device and both the user and the company may own the data.
    5. These ownership issues also bring legal and privacy concerns to the forefront:
      1. Users should understand what monitoring will take place on their personal mobile devices.
        1. Users (employees) must consent to any monitoring software installed on their personally owned devices.
      2. BYOD privacy concerns have a legal basis.
        1. An organization implementing BYOD policies should consult with its attorneys to determine what requirements may exist in its industry and jurisdiction.
    6. When an organization decides to adopt a BYOD policy, it should develop clear guidelines for the onboarding and offboarding of devices, specifying what data may be stored on personal devices and how it may be used:
      1. During onboarding, IT staff should ensure that the device meets organizational security requirements and is safely configured.
      2. When a user leaves the organization or is preparing to dispose of a device, IT staff should then conduct an offboarding process that ensures all sensitive corporate information is removed from the device. This may be a time-consuming process, but it is vitally important to ensure that corporate information doesn't fall into the wrong hands.
    7. IT staff developing BYOD policies should consider the technical implications on their architecture and infrastructure:
      1. When the organization purchases devices, it's easy to standardize on hardware, operating systems, and applications. When users bring their own devices, however, this standardization is often impossible.
      2. BYOD organizations must be prepared to support a wide variety of hardware, operating systems, and applications. Some of the specific technical issues for BYOD devices include:
        1. whether the organization will use mobile device management to control the configuration of BYOD devices
        2. how the organization will ensure that BYOD devices are regularly patched and contain appropriate antivirus controls
        3. whether the cameras on BYOD devices will be permitted to take photos and/or video in company facilities
        4. what procedures the organization will follow in the event of a BYOD device compromise
2. Choose Your Own Device (CYOD)
    1. Employees select the equipment that they would prefer to use and then the company purchases it and manages it for them.
    2. Some organizations following the CYOD strategy may simply provide employees with an allowance to purchase a device and let the employee select whatever device best suits their work style.
    3. However, it's more common for companies to maintain a menu of standard devices supported by the IT department and allow employees to select their preferred devices from that menu.
3. Corporate-Owned, Personally Enabled (COPE)
    1. The company-owned, personally enabled (COPE) model recognizes that BYOD approaches arose, in part, because employees don't want to carry separate devices for business and personal use.
    2. The COPE model allows generous personal use of corporate-owned devices.
    3. Employees may install apps, configure personal cloud accounts, and personalize their corporate-owned devices.
4. VDI
    1. Virtual Desktop Infrastructure (VDI):
      1. Virtual desktops are deployed and run on servers located in a data center or the cloud.
      2. VDIs must be carefully configured to meet organizational security requirements. Employees then use their personal devices to connect. Data never leaves the virtualized environment.