Checklist for an Employee-Owned Notebook or PC Program
Gartner RAS Core Research Note G00174917, Leslie Fiering, 11 March 2010, RA1110252011
Interest in offering employee-owned notebook programs (also referred to as “BYOC,” “Bring Your Own Computer” programs by the press) is growing due to better technology, rising user demand and increasing pressure on organizations to reduce costs. A realistic preparedness assessment prior to planning and deploying an employee-owned notebook program is critical to meeting business objectives and avoiding additional costs.
Key Findings
• The benefits of an employee-owned notebook program include freedom from managing nonstrategic assets; more time for IT staff to focus on high-value, high ROI initiatives; a more attractive workplace to attract new hires; and increased user productivity.
• Cost reduction is not likely to be a major outcome for the near term to midterm, which could be disappointing to cash-constrained organizations looking to reduce the capital budget. PC-related costs can be moved, but not totally eliminated, through changes in ownership.
• While a small segment of the user population might opt for a desktop PC at a fixed location, the majority will demand notebooks for the flexibility to work at home (WAH) as well as the office.
• PC virtualization software with employee-owned notebooks offers a viable way to create a fully secure and manageable environment on an unmanaged, and potentially “hostile,” host PC.
Recommendations
• Perform a thorough due-diligence check of your organization’s readiness to launch an employee-owned notebook program, paying equal attention to the technology and policy-related issues.
• Make the availability of all critical applications and the prevention of unwanted data leakage from the enterprise the primary issues when considering remote-access and enterprise digital asset isolation strategies.
• Get buy-in from HR, legal, finance and business unit leaders, as well as the IT organization.
• Monitor developments in PC virtualization as a preliminary step if you are only considering employee-owned notebook programs as a future option.
ANALYSIS
1.0 Introduction
While there has been ongoing interest in employee-owned notebook programs for the past five years, the number of serious inquiries from Gartner clients has grown significantly in 4Q09 and 1Q10. PCs and notebooks remain critical tools for knowledge workers; however, as these devices commoditize, choosing specific devices no longer provides organizations with a strategic or competitive edge.
Security and manageability remain critical concerns, but the growing maturity of network access controls (NACs) and PC virtualization technology help to improve security while reducing the dependence on specific hardware. More technologically aggressive companies familiar with these technologies are seeing a way to reduce their PC management overhead. Less technologically aggressive companies are just looking for ways to cut capital spending, even if the savings are only short term.
The price of consumer PCs and notebooks has dropped at approximately 10% per year over the past five years, with an even steeper price decline for notebooks in 2009 due to the introduction of netbooks (low-cost, Internet-focused mini-notebooks). This means that more users can afford to buy their own personal technology for home use. They are finding that their own technology, in many cases, is faster, sleeker and more effective than what their employers issue.
Recent college graduates equipped with highly desirable skills such as Internet programming, social networking software and cloud-computing skills are accustomed to having complete control over their personal computing technology. Many have used the level of PC and client computing technology of their prospective employers as a decision criterion.
According to a 2009 Gartner survey of 528 IT managers in organizations located in the U.S., Germany and the U.K. and that had more than 500 employees, U.S. companies expect a 60% growth in the number of employee-owned PCs from 2009 to year-end 2010. German companies are expecting a 40% increase, while U.K. companies are anticipating a more modest 15% growth in the same period. All start from a reported baseline of 10% to 12% of their users.
Before embarking on an employee-owned notebook program, organizations need to conduct a realistic self-assessment to ensure they are prepared to address each of the following checklist items:
• Provide robust, scalable and secure access to corporate data.
• Isolate enterprise digital assets.
• Determine PC hardware, software and bandwidth requirements.
• Clarify software license terms and conditions.
• Establish a third-party maintenance and support option.
• Define the scope of IT support responsibilities.
• Determine financial ramifications.
• Ensure there are no counter-indicators.
• Identify workers who will support and benefit from the program.
• Develop appropriate policies.
• Develop a communications plan.
2.0 Provide Robust, Scalable and Secure Remote Access
When employee-owned notebooks attach to the enterprise network, the assumption has to be that the device is hostile until proved otherwise. The response must be a series of NACs that include strong authentication, and scan and block functionality, as well as network behavior analysis.
A variety of methods can be used to identify specific devices, their physical and virtual locations, and their usage history. Such device “fingerprinting” can help organizations determine whether a user is connecting from a managed company device, from a personal device that has been registered with the organization’s technical support group, or from a completely unknown system such as a kiosk in a coffee shop. Further tests can also determine the security posture of the device, and whether it has been recently scanned for malicious software (malware).
2.1 Designing a Remote-Access Strategy
To design a robust, scalable and secure remote-access strategy, first define an organization’s higher-level policies for employee-owned devices that connect to the enterprise network. If the device does not conform to the policy, then it is quarantined to a protected part of the network for remediation, such as a link to download patches or a link where an on-demand security protection agent can be installed for the duration of the session. Postconnection, the system must continue to be monitored for evidence of malicious behavior (by the user or the software on the device). The result is that trusted users on trusted systems get full access to the enterprise network. What if a trusted user (full authentication) accesses the network on a nontrusted device?
© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner’s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
2.2 Multiple Levels of Access
One level of access control may no longer be appropriate now that users can be anywhere, especially when they are not always using corporate devices. Unmanaged and uncontrolled platforms represent a high risk to the enterprise, because they are more likely to contain keystroke monitors, worms, remote-access trojans and other malware than managed platforms. Increasingly, the access decision will have to include an evaluation of the level of trust appropriate for the user’s remote platform.
2.3 Application and Data Requirements
To make effective remote-access strategy decisions, organizations must also establish application and data requirements. Application delivery and remote access weighed against the trust level of the target PC are the major factors that determine the level of data leakage risk (that is, the risk that enterprise data will be lost or exposed through software on the employee-owned system).
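The tiered access flow of sections 2.0 to 2.3 (fingerprint the device, quarantine non-conforming devices for remediation, limit trusted users on unknown platforms, keep monitoring after connection) as a small Python policy model. This is an added example, not code from the Gartner note or from any NAC product; the device classes, the remediation checks, the 24-hour scan threshold, the behaviour names and the delivery-model mapping are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class DeviceClass(Enum):
    """Result of device fingerprinting at connection time."""
    MANAGED = "managed"        # company-owned, IT-managed device
    REGISTERED = "registered"  # employee-owned, registered with technical support
    UNKNOWN = "unknown"        # completely unknown system, e.g. a kiosk


@dataclass
class Posture:
    """Security posture reported by the pre-connection scan (constructed fields)."""
    device: DeviceClass
    hours_since_malware_scan: float
    patches_current: bool
    protection_agent_running: bool   # on-demand agent installed for this session


@dataclass
class Decision:
    level: str                       # "deny", "quarantine", "limited" or "full"
    reasons: list = field(default_factory=list)


MAX_SCAN_AGE_HOURS = 24  # assumed threshold; a real policy sets its own

# Assumed mapping from access level to the delivery models it permits
# (section 3 of the note discusses these delivery models).
DELIVERY_BY_LEVEL = {
    "full": ("local virtual machine", "application streaming", "server-based"),
    "limited": ("server-based",),
    "quarantine": ("remediation portal",),
    "deny": (),
}


def posture_gaps(p: Posture) -> list:
    """Remediation steps the device still needs before it counts as trusted."""
    gaps = []
    if not p.patches_current:
        gaps.append("download and install missing patches")
    if p.hours_since_malware_scan > MAX_SCAN_AGE_HOURS:
        gaps.append("run a malware scan")
    if not p.protection_agent_running:
        gaps.append("install the on-demand protection agent for this session")
    return gaps


def decide_access(strong_auth: bool, p: Posture) -> Decision:
    """Pre-connection decision: the device is hostile until proved otherwise."""
    if not strong_auth:
        return Decision("deny", ["strong authentication failed"])
    gaps = posture_gaps(p)
    if gaps:
        # Non-conforming device: quarantine to the protected remediation network.
        return Decision("quarantine", gaps)
    if p.device is DeviceClass.UNKNOWN:
        # Trusted user on an untrusted platform: server-side delivery only,
        # nothing cached or transferred to the local disk.
        return Decision("limited", ["unknown device: server-based delivery only, "
                                    "file transfer and local caching disabled"])
    # Trusted user on a trusted (managed, or registered and conforming) device.
    return Decision("full")


# Constructed behaviour names that a network behaviour analysis feed might emit.
SUSPICIOUS_BEHAVIOURS = {
    "port_scan": "internal port scan observed",
    "credential_replay": "credential replay observed",
    "bulk_download": "bulk download of enterprise data observed",
}


def monitor_session(d: Decision, observed: list) -> Decision:
    """Post-connection check: any malicious behaviour drops the session to quarantine."""
    hits = [SUSPICIOUS_BEHAVIOURS[b] for b in observed if b in SUSPICIOUS_BEHAVIOURS]
    if hits and d.level != "deny":
        return Decision("quarantine", d.reasons + hits)
    return d


def permitted_delivery(d: Decision) -> tuple:
    """Delivery models allowed at the session's current access level."""
    return DELIVERY_BY_LEVEL[d.level]


if __name__ == "__main__":
    # Constructed sample: registered employee-owned notebook with a stale scan.
    home_notebook = Posture(DeviceClass.REGISTERED, hours_since_malware_scan=72,
                            patches_current=True, protection_agent_running=True)
    print(decide_access(True, home_notebook))      # quarantine: run a malware scan
    kiosk = Posture(DeviceClass.UNKNOWN, 1, True, True)
    print(decide_access(True, kiosk).level)        # limited
    managed = decide_access(True, Posture(DeviceClass.MANAGED, 1, True, True))
    print(monitor_session(managed, ["bulk_download"]).level)   # quarantine
```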
3.0 Isolate Enterprise Digital Assets
3.1 Protecting Enterprise Data and Intellectual Property
After remote-access issues have been resolved, the second biggest barrier to implementing an employee-owned PC or notebook program is protecting enterprise (or customer) data and intellectual property from loss, corruption or exposure. This is a serious problem even with company-owned systems that have strong endpoint protection. The problem is exacerbated by employee-owned systems (or partner- or contractor-owned systems) where the endpoint security is uncertain.
The main goal is to ensure that the enterprise digital assets (defined by the required enterprise applications and data) can be kept totally isolated from whatever other applications and data are on the employee-owned device. Ideally, there is absolutely zero data leakage between corporate- and personal-owned devices. This means that malware on the employee’s system cannot get to the enterprise data and applications, and the enterprise data cannot be copied onto the user’s system or an external medium. It is also critical that whatever enterprise digital information resides or runs on the employee-owned system can be totally removed without leaving any traces (such as temporary files).
3.2 Web- and Server-Based Solutions
There is a spectrum of solutions at varying levels of cost, security and functionality. Web-based applications that reside outside the firewall provide full quarantine but also limit the ability of most employees to do their jobs.
Server-based applications can be fully secured at the back end; however, the delivery window is vulnerable to security breaches in the underlying PC. Both solutions (Web-based and server-based) require a network connection and do not work in offline mode.
3.3 Trusted Portable Personality Devices
Trusted portable personality devices (TPPDs) enable generic and dedicated USB memory devices to launch guest end-user work sessions that explicitly enable corporate security policies (including strong authentication, encryption and business processes on noncompany-owned systems). TPPDs can be provisioned and controlled by the enterprise to access corporate e-mail and other applications via virtual private networks (VPNs) and other secure portals. Controls over copying and printing can be enabled.
If the applications require it, then devices can be provisioned with a full application stack for offline use or simply with authentication, a VPN client and remote procedure calls to create a secure network connection on a potentially hostile PC. The drawbacks are no guarantee of compatibility with all host PCs, and no guarantee of finding a suitable workstation when a user needs it. Also, the small devices can be easily lost.
3.4 Using PC Virtualization Options to Create a Managed Environment on an Unmanaged PC
A growing number of PC virtualization options provide viable solutions for enterprises to work with employee-owned notebooks by isolating parts of the stack or the entire corporate application stack from the underlying hardware, operating system (OS) and other applications.
3.4.1 Application Virtualization
Application virtualization isolates an application’s resources, eliminating the risk of conflict with other applications. This works well in protecting the applications from corruption by malware. The application can stream from a server, leaving no footprint on an employee-owned PC, or it can cache locally. This solution works well when there is known bandwidth (for the streaming solution) and there are a fixed number of known applications to be used.
The drawback is that each application has to be packaged, and there can be problems when applications have to interact. In addition, application virtualization is designed to isolate application configurations from that of the OS, but not to protect them from the OS. In practice, a virtualized application cannot be secured from an OS in which it runs. It may need to make demands on global system policies.
Thus, the application virtualization solution only works well if the data leakage profile is low and the host device is relatively trusted.
3.4.2 Hosted Virtual Desktops
Hosted virtual images deliver a near-identical result to blade-based PCs. Instead of the motherboard function being located in the data center as hardware, it is located in the data center as a virtual machine bubble. Using standard server virtualization technology, multiple virtual machines can run simultaneously on a server. When users log on, their virtual machine image is loaded from storage. In essence, the employee-owned system becomes a thin client and the image-based server is totally isolated from the user’s local desktop.
Hosted virtual desktops (HVDs) do not work offline and do not support persistent personalization (i.e., retain user changes once the user signs off) without third-party products. The connection protocol and network latency give rise to performance issues, especially for “rich media” applications. Also, image management techniques are immature, although they are improving rapidly. HVD can provide benefits under the right circumstances, but it is not an optimum device for every type of user or application. Offline use is not yet a viable option for HVDs.
3.4.3 Full Virtual Machine or Virtual Work Space
A full virtual machine or a virtual work space, running locally on a user’s PC instead of on a server, offers a complete solution by creating a fully contained and isolated PC environment that runs its own “virtual” hardware and its own separate Internet Protocol (IP) stack (including OS and applications). As a result, the virtual machine can have a separate network identity from the employee-owned machine hosting it. The standard corporate image can be encapsulated within the virtual machine, creating a highly controlled, consistent environment on any PC. File transfers with a host PC can be disabled, so personal and company data can be completely separated (i.e., digitally isolated). The downside is higher hardware requirements for memory and performance, higher software costs since the separate IP stack requires a separate set of software and, in some cases, separate OS and licenses.
This solution creates the greatest level of control, manageability and breadth of application usage options.
PC virtualization solutions are maturing rapidly and are viable for more technologically aggressive organizations, but we do not expect to see full mainstream use before 2012.
Financial institutions have been leaders in PC virtualization adoption, using it originally for security reasons. However, their growing familiarity with the technology means they have met this isolation of digital assets requirement, which has led many other financial organizations to consider early adoption of employee-owned notebook programs.
4.0 Determine PC Hardware, Software and Bandwidth Requirements
Having robust, secure and scalable remote access along with strong methods to isolate enterprise digital assets will be useless if an employee-owned computer configuration cannot support employees’ requirements.
For example, as much as 4GB of memory may be required to run an enterprise virtual machine. Organizations considering noncompany-owned platforms must ask, at a minimum, other questions:
• How much memory is required?
• Are there particular processor speed or number-of-core requirements?
• Are there particular graphics requirements?
• Will the required enterprise access methods and software run on a Mac?
• Will the required enterprise access methods and software run on a netbook?
• If a server-based software delivery model is used, how much bandwidth is required to get acceptable performance?
• Is there required security software that must be on the employee-owned system?
• Is there a required communications client that must be on the employee-owned system?
While a segment of the user population that is considered full-time WAH users might opt for desktop PCs, the majority of demand is likely to be for notebooks. The desktop PCs might require different configurations from the notebooks. Don’t let the lower price of desktop PCs affect the types of models that are finally chosen for the program. Most users will want the flexibility of a notebook that permits use both in the office and at home.
Once the configurations and specifications are determined, they need to be made available to the plan’s participants. A best practice is to create and maintain a list of approved PC models. Oversight and periodic updates of the list will be required. These specifications will determine the requirement for and level of subsidies to be provided to employees to ensure that minimum standards are met in an employee-owned PC program.
5.0 Clarify Software License Terms and Conditions
Enterprises remain responsible for the licensing of end-user or third-party devices they permit to be connected to their corporate systems. Corporate use may also violate the terms and conditions of end-user licensing agreements and result in further corporate liability. For example, some applications, such as Corel WinZip, are only free for personal use. As a result, it is critical to review licensing terms and conditions for absolutely all corporate software that will run or reside on employee-owned systems.
Using PC virtualization adds another layer of complexity since additional licenses for the OS and applications will be required. Microsoft’s Virtual Enterprise Centralized Desktop (VECD) license is required to run Windows on HVDs or, in some cases, to license the Windows OS in a virtual machine residing on an employee-owned system. There are several options when paying for the VECD license; therefore, due diligence is required to understand which option is most appropriate for any given situation.
All Microsoft licenses purchased under a volume licensing program that run on employee-owned systems can be moved to other systems as often as every 90 days. Care must be taken to synchronize any employee-owned system refresh to the OS and all application vendors’ license terms.
6.0 Establish a Third-Party Support and Maintenance Option
One of the great benefits of an employee-owned PC program is relieving IT support staff from dealing with PC break/fix and nonstandard software application issues. However, one of the primary tenets of the program is the employee’s responsibility to have a suitable machine available for company use at all times. If that system breaks, then the employee will need to get the support from somewhere. Requiring a hardware maintenance contract is not enough, since there will always be “how to” questions, as well as inquiries about OS and software problems. While many younger workers who grew up with PCs, as well as many technically astute workers, are self-sufficient, a significant percentage of knowledge workers will still require an organized, predictable form of support.
A best practice is to organize suitable third-party support options for the plan’s participants. The support can be provided by value-added resellers, dedicated support organizations or PC hardware OEMs. In addition to hardware, the support plan has to cover OSs and application software, as well as home networking and printer issues. Potential options are that:
• During the plan pilot and in early stages, the enterprise can choose to pay part or all of the support expense as an employee benefit. Employees can, of course, opt out.
• Enterprises can also choose to provide “loaner” systems loaded with the corporate image. This strategy serves to keep users productive during a personal system repair period.
Note that there is a separate, in-house concierge-level support program for executives who require faster and more-personalized service. To ensure adequate funding, executives should be charged for the concierge service.
7.0 Define the Scope of IT Support Responsibilities
The security perimeter established around the enterprise digital assets on employee-owned PCs should define the boundary of enterprise IT support responsibilities. If all enterprise applications are delivered through terminal services, responsibilities will be limited. Where a virtual work space or a fully sealed virtual machine is used, then the IT organization must manage and support all the software in the image. The user is then responsible for all support issues elsewhere on the system.
It is critical that Tier 1 help desk agents are:
• Provided with a clear-cut set of criteria for determining which types of calls the IT group can handle (i.e., calls that pertain to corporate applications, data, networks and, where applicable, virtual images).
• Familiar with the alternative third-party support options to handle all technology for which users have personal responsibility.
• Given discretion to help on a best-effort basis, where appropriate.
• Familiar with concierge-level support options for senior executives who have personal technology.
8.0 Determine Financial Ramifications
8.1 PC Hardware
An employee-owned PC program passes costs for PC acquisition and support traditionally borne by the enterprise to the employee. A best practice today to ensure employees buy PCs that meet minimum requirements is to provide a stipend to the buyer. However, paying out stipends requires the approval and cooperation of the enterprise’s CFO. Money that was once allocated to the capital budget must now be accounted for differently on financial statements.
In many geographies, stipends are considered taxable employee benefits, and many regions have their own set of laws. In the U.S., for example, each of the 50 states taxes the benefits at a different rate. Thus, the stipend should be calculated to ensure that users receive sufficient funds to buy suitable PCs (that meet minimum specifications) after taxes are deducted. Also important are the following:
• The final amount of the stipend must include the PC hardware cost (including maintenance and support programs) plus the amount of the local income tax. A table needs to be created that takes into account local tax laws and rates for each geography where the program will be instituted.
• In some cases, where the employee-owned program is only being introduced to bring the population of nonsanctioned PCs and notebooks within the enterprise security domain, the amount paid out can be less. These employees will use their own systems regardless, and will welcome the additional funds.
Either way, a stipend is essential. If there is no payment, then there is no leverage to define a service-level agreement that ensures keeping a suitable system available for company use.
8.2 Broadband
In addition to providing stipends for PC hardware purchases, companies need to decide how broadband support will be handled. Since more than 60% of U.S. households now have broadband, many companies no longer feel the need to pay this expense. In some cases, companies will pay for a third-generation (3G) wireless WAN (WWAN) on an employee notebook or broadband in the home (with the assumption that the employee can use the 3G card for enterprise access from home). In other cases, if the work the employee is doing from home and/or while traveling is critical to the enterprise, either or both expenses will be paid.
Another general rule is that the enterprise will pay broadband or WWAN expenses if the employee works from home or while traveling for the convenience of the company. Paying for the service ensures employee commitment to meet enterprise service-level agreements.
8.3 Support
While maintaining the full operating capability of a personally owned system is the employee’s responsibility, there are practical reasons why an enterprise might choose to partially subsidize a third-party support option and to provide loaner systems. During the pilot and early stages of an employee-owned notebook or PC program, having an affordable alternative to the “free” (as perceived by users) IT help desk will help reduce inappropriate trouble calls. This could ultimately lead to as much as a 40% reduction in IT operations costs. However, the main consideration is to ensure that users have a viable source of support and maintenance to sustain productivity.
8.4 Total Cost of Ownership Considerations
Because system stipends and support subsidies are likely to be required for a successful employee-owned notebook program, it is unrealistic to expect large savings from the plan. Costs tend to be moved rather than eliminated. Most savings are from indirect costs, while the direct and visible costs are likely to be higher. Financial planners need to be aware of where the changes in costs are likely to occur.
The key benefits are that, longer term, responsibilities for maintaining and supporting computing systems are shifted to users to be handled on their own time. This frees IT staff to focus on critical issues and reduces IT’s exposure to unplanned operational costs.
9.0 Ensure There Are No Counter-Indicators
Employee-owned PC programs may not be appropriate or desirable under all circumstances. Before deciding to support the use of employee-owned PCs, an enterprise should consider all the ramifications in terms of its legal obligation to conduct business safely – and with full compliance – for its shareholders, maintain productivity and meet all service-level agreements.
Situations where employee-owned PC programs might not be appropriate include:
• High-security environments – such as military installations, research facilities with costly intellectual property to protect.
• Employee-ownership could cause a public relations fiasco – where the perception of a potential security breach is as important as the actual security profile, such as an assistant in a political department that handles sensitive information.
• Chaotic environments – where audit and control of enterprise software assets and data backups are not fully under control.
• Employee computer-literacy skill gaps – where lack of computer self-sufficiency could lead to productivity loss and/or higher unintended support costs.
• No employee demand and/or employee resistance – some employees may regard the program as a cost and not a benefit.
In many cases, suitability needs to be decided on a case-by-case basis. The program may not be suitable for all classes of workers. However, identifying a population of unsuitable users does not preclude offering the plan to other, more-suitable groups of users.
10.0 Identify Workers Who Will Support and Benefit From the Program
According to a Gartner survey from late-2008, a significant percentage of U.S. knowledge worker respondents in U.S.-based companies of virtually every size reported using noncompany-owned devices on company systems and networks (see Figure 1 and “Economic Factors Accelerate Employees’ Use of Personally Owned Equipment”).
Table 1. Survey Data: Percentage of Knowledge-Worker Respondents Reporting Use of Noncompany-Owned Devices on Company Systems and Networks
Company Size (Employees)               Home PC   Notebook PC   Number of Respondents
500 to 999                             28%       21%           109
1,000 to 4,999                         33%       28%           112
5,000 to 9,999                         39%       33%           106
10,000 or More                         24%       15%           115
Grand Total                            31%       24%           442
Number of Respondents in Grand Total   136       106           —
Source: Gartner (March 2010)
Contrast the findings of our end-user survey (published in January 2009) with those of another Gartner survey composed of 528 IT managers in organizations with more than 500 employees in the U.S., Germany and the U.K. in 2009 (published in February 2010). While more than 40% of the organizations surveyed have a policy regarding the use of employee-owned systems, these companies also reported that employee-owned notebooks represented 10% of the notebook installed base in 2009. Clearly, there is a large underground of unsanctioned employee-owned systems of which the responding organizations were totally unaware or chose to ignore.
In general, IT professionals and workers in technical roles, such as software and hardware developers, are most able to support personal technology. There is also a tendency of younger-generation workers to prefer using personal technology over company-provided systems.
Many Gartner clients report that software and hardware developers constitute the highest concentration of “rogue” or nonsanctioned, noncompany-owned systems attaching to the enterprise network. Apparently, these workers feel their personal technology exceeds that provided by the company and enables them to do their jobs more effectively.
Technically astute IT workers and users who are already using their own (in many cases unsanctioned) PCs and notebooks would be the ideal population for a pilot and early phase rollouts of an employee-owned program.
Keep in mind that senior executives may also want to be part of such a plan, not because they are technically savvy, but because they want to be seen carrying the “latest and greatest” notebook technology. As noted previously, plans for concierge-level support will have to be in place for these executives.
11.0 Develop Appropriate Policies
Policies that define the use of enterprise PCs and notebooks need to be revised and extended to include employee-owned systems. These new policies must be developed jointly by IT and business units along with HR, finance and the legal department to ensure that all enterprise HR, legal, compliance and financial requirements are met.
The major areas the policies have to cover include:
• Language to explain the employee’s responsibility to have a suitable machine available for company use at all times
• Minimum specifications for hardware and OS
• Who will pay – and how much – for hardware, software and third-party support
• What is and isn’t supported by the IT organization
• Remote-access policies
• Security policies
• Levels of permissible data access
• Safe storage of company data
• What to do if the system is lost or stolen
• What to do at termination of employment
• Financial liabilities of enterprise and user
• Data cleansing from notebook hard drive
12.0 Develop a Communications Plan
Just having policies is not enough. Participants in any employee-owned notebook program must be familiar with the policies and know where to go for more information. These users must fully appreciate their responsibilities in providing a working system, meeting service-level agreements and observing all security requirements.
In addition to creating a detailed policies document, it is often helpful to publish a shorter, user-oriented version that covers the main points that apply directly to the program’s participants. Internal routing for help desk calls is not relevant, but the logistics of the hardware purchase and user responsibilities certainly are. This information should be available on a corporate website, and must be circulated to all interested users and program participants on a regular basis. Consider having users sign an annual letter of understanding and compliance regarding the employee-owned notebook program.