Consumerization of IT within Microsoft

Quick Reference Guide

Published February 2012

Transforming how employees work by providing the best hardware, software, and technology available to boost employee satisfaction and productivity


Executive Summary

A new reality is taking over the workplace, as employees increasingly want to use their personal electronic devices to do their jobs, and to use the same technologies and applications at work that they use at home. This blending of consumer and enterprise technologies is the Consumerization of IT, and it boosts employee productivity and satisfaction. However, it can make it difficult for IT departments to ensure an enterprise’s data security and integrity.

Many enterprises still mandate that employees use IT-standard hardware only. However, as the Consumerization of IT becomes more mainstream and shifts that model, some enterprises now are allowing employees to select and manage their own devices.

Rather than fighting that shift, Microsoft IT (MSIT) decided to work with it. MSIT has instituted policies and procedures that enable this freedom for employees and ensure that valuable intellectual property remains secure and protected.

Microsoft supports a hybrid model of enterprise-standard and consumer-standard hardware, and offers limited support to employees who want to use their own devices, provided those devices meet minimum hardware requirements. For years, MSIT has been supporting the Consumerization of IT informally, by allowing employees to utilize consumer technologies, and by enabling IT services for personal smart phones, such as email, instant messaging, and teleconferencing.

The Consumerization of IT is the crux of today’s enterprise efficiencies, and requires that MSIT:

  • Validate the identity and security of the device that an employee is using to gain access to Microsoft resources.

  • Enable users to capitalize on the social capabilities that are so popular in today’s consumer technology world.

MSIT built its foundation for the Consumerization of IT within Microsoft on four pillars, including:

  • PCs that are running the Windows® operating system and other devices

  • Security and management

  • Productivity

  • Unified application development

Why Microsoft Embraces the Consumerization of IT

During the last three decades, PCs have become the main tool that people use to complete their work. However, because of today’s ever-expanding market of inexpensive, accessible devices, such as smartphones, laptops, and tablets, employees are working anytime and anywhere. Employees may use their laptops to work remotely, parsing their work files late at night, or use their smartphones to answer emails while running weekend errands.

At Microsoft, employee job satisfaction and productivity have soared as employees utilize personal devices for work and personal use. Here are some quick figures pertaining to the Consumerization of IT at Microsoft:

  • Microsoft employees are working on at least two devices at any given time, and often, from anywhere but their office.

  • MSIT supports 22,000 wireless access points.

  • There are approximately 1.3 million devices on the Microsoft corporate network (corpnet).

  • MSIT has saved approximately $300,000 U.S. dollars annually, per facility, by enabling employees to connect remotely by using DirectAccess, a feature of Windows® 7.

  • Microsoft® Lync® and Lync mobile clients are among the highest rated services in MSIT. Workers can use personal computers to conduct meetings and collaborate.

MSIT is transitioning from managing hardware to managing users’ access to corpnet and its intellectual property. To do this, IT developed a strategy in which it would support a hybrid environment of Windows and non-Windows devices.

MSIT’s primary focus as it follows the trend of the Consumerization of IT is to protect Microsoft’s intellectual property, ensuring its confidentiality, integrity, and availability to employees. MSIT encourages productivity and collaboration among employees by providing secure data-access options that can support a broad set of device types and security models, including MSIT-managed devices, unmanaged devices, and consumer devices. Depending on the security of a device, and an employee’s credentials, MSIT then can control access to data, based on its security classification: high impact, moderate impact, or low impact.

This is a delicate balancing act for IT departments:  If an enterprise makes access too difficult, users become frustrated because they cannot access the files and data that they need. Often, they then will work around IT, potentially putting their company at risk. However, if IT departments do not deploy the correct access-control and data-protection measures, the IT environment is at risk of losing costly intellectual property.

The Four Pillars of the Consumerization of IT

The Consumerization of IT requires that an IT organization, first and foremost, continually ask itself, “How do we support our employees? What are their needs? How do we meet those needs, but also protect our organization’s intellectual property?”

At Microsoft, the answers to these questions required that MSIT work toward meeting user expectations and enterprise requirements, chief among those being security. Therefore, MSIT built its support for the Consumerization of IT on the foundation of four key pillars:

  • Windows PCs and other devices: MSIT must classify what are enterprise-standard, consumer-standard, and nonstandard devices, and then determine the various support models for each.

  • Security and management: MSIT must determine how to manage and control these devices, and their users’ access to intellectual property, and then ensure data’s integrity and security once users place it on these devices.

  • Productivity: MSIT must determine which applications and technologies to support on employees’ devices to ensure that they continue to be satisfied and productive.

  • Unified application development: MSIT must establish best practices for line-of-business (LOB) application development, and ensure a secure development lifecycle and marketplace for these applications.

Is It Right for You?

The implementation of the Consumerization of IT necessitates weighing benefits against risks and costs. The impact of these factors varies widely depending on an enterprise’s environment and requirements. The following table details these pieces:

| Benefits | Risks | Costs |
|---|---|---|
| Productivity | Accidental data disclosure | Increased support costs |
| Satisfaction | Employee and customer privacy | Additional controls |
| Recruiting/retention | Theft and increased attack surface | Additional infrastructure |
| Fun to use | Regulatory exposure | |

MSIT: Making it Work

A strategic goal of MSIT is to enable its workforce rather than inhibit it, and MSIT continually searches for ways in which to make employees more agile and productive. For MSIT, the biggest challenges to the Consumerization of IT have been, and continue to be:

  • Minimizing the risk that intellectual property will be lost or compromised, while supporting the melding of consumer and enterprise activities and technologies

  • Maintaining cost efficiencies

  • Improving regulatory compliance continuously

  • Providing adequate support to maintain productivity

MSIT and Microsoft’s employees share the responsibility for safeguarding the enterprise’s information, as well as protecting against the inherent risks of potential data loss or corruption.

Challenges to the Consumerization of IT

When an enterprise adopts a significantly broader set of consumer devices within its environment, this decision requires careful research and planning. Additionally, the enterprise’s IT personnel and business decision makers must decide how to address the following challenges:

  • Determining identity and access: With a blend of use comes a blend of identity. An enterprise must determine which identity users can utilize on their devices, and mandate specifications for how devices protect those user identities.

  • Protecting data: The blend of personal and business data on a single device is a major concern for any enterprise, as is data protection and retention. If an enterprise plans to implement a blended environment, its IT department must define data ownership explicitly, and impress upon its employees that data security is the responsibility of the IT department and the user.

  • Establishing policies: Clear policy setting and development of standards can aid in identifying key controls that various blended environments require. Jurisdictional issues arise in these mixed-ownership environments, and these can vary widely across geographies. This can make forensic investigation, and data-retention actions and policy, exceptionally complex.

  • Managing risk: The key to risk management is establishing controls. Many consumer-oriented devices do not include the necessary controls to become managed devices, which join an enterprise’s domain. This means that an IT organization will be unable to establish the device’s integrity and ensure its health. This is a significant risk. Allowing access to corporate resources by devices that are unmanageable, with unknown configurations, could compromise data protection considerably.

  • Provisioning:  Some devices have only consumer capabilities and software. If a device does not have enterprise capabilities—such as the ability to join a domain and use a Trusted Platform Module (TPM) chip—this will limit its access significantly within an IT environment. An enterprise needs to investigate provisioning issues thoroughly, so that its IT department and users are fully aware of a device’s options and limitations.

  • Managing assets: How will users pay for a personal application on a corporate-provided device? For example, if an employee purchases software, installs it on the PC that the enterprise provides, and then connects to the enterprise’s network, that software appears as licensable in the IT environment.

  • Ensuring productivity: Workforce productivity is a key benefit of the Consumerization of IT because it enables users to turn otherwise lost time into productive time. However, this means that an enterprise also is at risk of data loss and access by malicious users.

  • Supporting innovation: One of the key upsides of consumer technology is its ease of use and rapid innovation, which leads to agility for users. Enterprises must support this research and innovation.

  • Providing support: In an environment of mixed ownership, applications, and services, it might be tempting to devise a mixed-support model. However, this can complicate and confuse users. Here are the device-management layers that MSIT enforces:

    • Unmanaged: This layer is for testing, development, and guest access. There is no reporting for this layer.

    • Trusted:  This layer is for use by Microsoft Exchange ActiveSync®, a Microsoft Exchange synchronization protocol that is optimized to work with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to access their email, calendar, contacts, and tasks, and continue accessing this information while they work offline.

    • Fully managed: Full reporting occurs, and only MSIT can add data to corpnet.

The following table details considerations for supporting the Consumerization of IT successfully on various devices:

 

| | Enterprise standard | Consumer standard | Non-standard |
|---|---|---|---|
| Procurement | OEM direct | Value-added reseller | Employee |
| Provisioning | Full support | Full support | Limited support |
| Management Requirements | Domain-joined, credentials, bought through IT | Domain-joined, credentials, purchase any Windows device | Can input credentials |
| Corporate Access: Access | Corpnet, Internet | Corpnet, Internet | Internet |
| Corporate Access: Support | Provisioning, Break/Fix, Management, Dogfood | Varies by device and geography | None |
| Corporate Access: Remote Connectivity | Full access via DirectAccess | Varies by device | Limited to Exchange ActiveSync |

 

  • Considering globalization: Many consumer-oriented devices and services are available only in certain geographical locations and regions. Additionally, an enterprise needs to determine the level of support that its IT organization will provide for localized items, such as keyboards, power supplies, language, and device availability.

  • Enabling applications: Most enterprises include LOB applications on corporate devices, and provide full IT support for those applications. If an enterprise enables consumer applications and rich media applications to coexist, its IT organization must determine the level of accountability that will ensure application compatibility.

The MSIT Support Infrastructure for the Consumerization of IT

MSIT investigated and planned its support for the Consumerization of IT, and developed a support infrastructure for its blended environment of Windows and non-Windows devices.

Supporting a blended environment

MSIT supports a mixed-use environment, as employees are following the trend of Bring Your Own Device (BYOD) to work. Microsoft employees routinely use Windows and non-Windows devices. However, some devices do not comply with MSIT procurement guidelines, based on cost or security features, while other devices are not available globally.

Windows-based devices that people love: Windows, Windows Phone

When considering the user experience with enterprise level (nonconsumer) Windows devices, MSIT does the following:

  • Highlights Microsoft technology. MSIT supports non-Windows devices, but stresses that for an optimal experience, users utilize Windows devices.

  • Provides driver support for factory imaging and for Windows Deployment Services.

  • Provides a three-year warranty for Windows devices, and help-desk support.

  • Enforces and supports global standards.

  • Manages OEMs proactively.

  • Conducts testing regularly on Windows operating systems that are being developed.

  • Determines the best cost for a given technology level.

  • Provides a return policy for users: 14 days, for any reason.

  • Develops a Cost Per Head budget that includes peripherals and replacement batteries within two or three years of device use.

Imaging devices

MSIT established several policies for Windows device imaging when it began supporting the Consumerization of IT, including that MSIT will:

  • Provide seamless installation out of the box. Users should be able to configure their device fully within 40 minutes.

  • Ensure that devices are ready for virtual private network (VPN) connection, and that users can connect to corpnet immediately.

  • Support five languages: English, French, German, Japanese, and simplified Chinese.

  • Conduct testing of drivers and manufacturer applications.

  • Guarantee preinstallation of basic desktop applications, so users do not have to locate and download them.

Supporting devices

The structure of MSIT’s global helpdesk support for devices is similar to that for hardware. MSIT standards continue to receive full helpdesk support, while offsite, third-party support depots service MSIT-recommended devices. MSIT establishes and coordinates these depots in each local area. One key point to note is that associated support costs are the device owner’s responsibility, and MSIT does not support self-hosted devices.

Procuring and provisioning devices

Some OEMs lack global-distribution methods or cannot leverage existing provisioning services. MSIT is developing third-party support to obtain, install, configure, and ship MSIT standard and recommended devices from these OEMs. This allows employees to use any Windows device that is domain joined, and they can access corpnet via wireless network and Exchange ActiveSync.

Enabling device connectivity

Exchange ActiveSync has a certification logo program for devices, which assures that they respond correctly to some ActiveSync security and management policies. MSIT leverages the ActiveSync logo program, and only enables certified devices and operating-system versions to connect to the corporate network.

Managing security and access

MSIT has established policies regarding how devices and users can access corporate resources.

MSIT assures data access by establishing clear policies for the identity that a user must utilize to access corpnet, and then what level of data access that specific identity holds.

These factors enable MSIT to leverage a four-quadrant framework to address Consumerization of IT within the MSIT environment:

Framework for Consumer Technologies graphic

Furthermore, MSIT manages computers by using Microsoft System Center 2012 Configuration Manager, which captures and aggregates knowledge about enterprise-standard systems, policies, processes, and best practices. This enables optimization of an infrastructure to reduce costs, improve application availability, and enhance service delivery.

Security and management to support flexible work styles: Windows Intune, Microsoft System Center

Currently, MSIT supports the following operating systems on devices:

  • Windows 7

  • Windows Vista®

  • Windows Server® 2008

  • Windows Server 2003

Providing applications and technologies to expand user productivity

As employees continue to blend their personal and professional time, they will want to capitalize, at work, on the experiences that they have outside of work. This includes their experiences on Facebook, blogs, and other social media. By making those productivity channels available, MSIT allows employees to be more flexible, and attracts a strong pool of potential employees who expect to be able to utilize those channels while they work.

The following are the MSIT-established policies for utilizing social-media applications and technologies:

  • External services: Employees are utilizing social-networking services as a way to communicate with customers, business partners, and consumers. MSIT does not block such activity. However, MSIT has established, and is promoting awareness of, what information users should, and should not, share via social networking. MSIT blocks very few sites, and actually encourages employees to use social media actively.

  • Internal services: MSIT promotes the use of social-networking services that Microsoft provides, such as Microsoft SharePoint® and My Sites, and Lync. Additionally, MSIT has built custom analogues to consumer services, which provide capabilities such as microblogging and video sharing.

  • Rich media: MSIT does not block rich media services, because these are becoming a valuable means of distributing information. Similar to social media, MSIT is recommending Microsoft internal media services as appropriate communications channels.

  • Windows 7 AppLocker®: Some consumer applications are problematic from a legal perspective, especially peer-to-peer sharing applications. MSIT uses the Windows 7 AppLocker feature to block these troublesome applications at the network edge, and keep them from running. This prevents employees from launching these hazardous applications on a domain-managed system.

Developing applications to support users

Today, LOB developers are writing applications for traditional enterprise endpoints. Additionally, they now are targeting specific consumer devices, like Windows® Phone, or are writing applications that are web-based and device-agnostic.

The following is a list of best practices that MSIT has developed for unified application development:

  • Develop applications in HTML5, which is device-agnostic, and provides an excellent user experience.

  • Provide a backend infrastructure that supports the user experience.
  • Support employee-driven development, so that user-centric designs will emerge.
  • Develop applications for users, and design the experience to provide support for failures.
  • Remember the cloud. The future of application development is in users being able to access and utilize those applications from anywhere, on any device.

Designing and deploying LOB applications

One key step that MSIT has taken to ensure security and transparency with regard to application development is to work closely with the Windows Phone 7 development community on the design and deployment of LOB applications.

MSIT considers any Windows Phone 7 device that requests corporate credentials to be an LOB application. It further requires that developers complete an Application Consulting and Engineering security design review, in addition to meeting a number of minimum development requirements from a privacy, accessibility, and globalization perspective.

Summary

The Consumerization of IT allows users to utilize an unprecedented range of devices, while enabling IT departments to provide seamless connectivity to their enterprises’ technology, and ensure the security and integrity of their enterprise’s intellectual property.

MSIT ensures data access, where applicable, by utilizing the four pillars of the Consumerization of IT – Windows PCs and other devices; security and management; productivity; and unified application development. However, it also safeguards data security and integrity for Microsoft.

Looking ahead, MSIT will continue to evaluate new trends and technologies as it evolves its support of the Consumerization of IT.
