spca2013 - getting to grips with a sharepoint 2013 byod strategy
Getting to grips with a SharePoint 2013 BYOD Strategy
John Timney
• Microsoft SharePoint MVP & 2010 & 2013 TAP member
• 25 years+ in IT
• Primarily worked in large organisations, on large projects
• IT Services Agency, Syntegra, BT PLC
• Capgemini PLC
• Specialise in large scale SharePoint Strategy, Architecture, Assurance and Governance
• Co-authored a few books on various SharePoint, JAVA and .NET subjects
• North East Administrator for the SharePoint UK User Group
Busy on Assurance for a 170,000 seat SharePoint 2013 and O365 Hybrid Build.
I’m from Up-North UK – I speak QUICKLY!
Agenda
• The confusion of BYOD Terminology
• The Changing BYOD Landscape
• An overview of SharePoint 2013 Mobile Capability
• Planning for Mobile views
• Supported Devices
• SkyDrive
• Understanding your own Landscape
• Tooling – Can it help?
• Compliance
• Licencing – EEK!
• Scary Thoughts - OOH!
• Q&A
More Questions than Answers!
Understand the terminology
Genesis 11:9 Let confusion reign in their midst
Confucius says “if the root be in confusion nothing will be well governed”
• We are in acronym hell – TLA & FLA rules
Get back in your box Confucius!
• SMM = Social Media Monitoring
• ORM = Online Reputation Management
• MDM = (is that master data management or mobile device management?)
• MAM (EAM) = Mobile/Enterprise Application Management
• BYOD = Bring your Own Device – you own it, the enterprise permits you to use it
• BYOT = Bring your Own Technology – you own it, the enterprise permits you to use it
• COPE = corporate-owned, personally enabled – the enterprise purchases a device and service plan that the employee wants
• BYOL – Bring your own License
• BAAD = Bring an Agreeable Device
BYOD Simplified – What is it?
• Something we use to connect to something we need
• As a user, I don’t care who owns it - I want the choice however
• As a corporate I may have concerns like security
• I may have concerns about ownership
• I may have concerns about supporting sporadic devices
• I may have concerns about licencing
• I may be looking to drive down IT spend
• I want my users to be more social, anytime, anywhere! (McKinsey)
BYOD landscape – Start here!
What will make us more Productive?
Who will own all these devices
The BYOD Concept - Uptake
• The Middle East has one of the highest adoption rates of the practice worldwide in 2012.
• According to research by Logicalis, high-growth markets (including Brazil, Russia, India, UAE, and Malaysia) demonstrate a much higher propensity to use their own device at work. Almost 75% of users in these countries did so, compared to 44% in the more mature developed markets
• International research reveals that only 20% of employees have signed a BYOD policy
Traffic Analysis per Device Type
Cisco Measuring Data consumption per device type currently
(Cisco’s “Visual Networking Index (VNI) Global Mobile Data Traffic Forecast”)
Traffic Itself
• By 2016, mobile-connected tablets alone will generate almost as much traffic as the entire global mobile network does in 2012, 1.1 exabytes per month
• 4G phones, only 0.2% of mobile connections, are already accounting for 6% of mobile data traffic
• By 2016, 4G will account for 36% of total mobile traffic
• By 2016, video will be over 70% of traffic
Demand
• So, we have a surging demand
• 15 billion network connected devices by 2015 – 2 per person
• We understand the landscape – it’s growing out of control
Is the application BYOD ready?
Understand the Mobile Experience in SharePoint 2013
• Contemporary view: This view offers an optimized mobile browser experience to users and renders in HTML5. This view is available to Mobile Internet Explorer version 9.0 or later versions for Windows Phone 7.5, Safari version 4.0 or later versions for iPhone iOS 5.0, and the Android browser for Android 4.0 or later versions.
• Full-screen UI: There is also the ability to have a full desktop view of a SharePoint site on a mobile device.
• Classic view: This view renders in HTML format, or similar markup languages (CHTML, WML, and so on), and provides backward compatibility for mobile browsers that cannot render in the new contemporary view. The classic experience in SharePoint Server 2013 is identical to the mobile browser experience of SharePoint Server 2010.
What you see!
Research here: http://technet.microsoft.com/en-us/library/jj673030.aspx
Detecting Mobile Devices
• Mobile browser redirection
• To access a site by using the optimized mobile browser experience, a new feature named Mobile Browser View must be activated on the site. When activated and a mobile browser is accessing the site, this feature checks the mobile browser to determine whether it can handle HTML5. If the mobile browser supports HTML5, the contemporary view is rendered. Otherwise, the classic view is rendered.
• By default, this feature is activated when any of the following site templates are used:
• Team Site
• Blank Site
• Document Workspace
• Document Center
• Project Site
• You must explicitly activate the feature on sites created with other templates. You can activate or deactivate the Mobile Browser View feature at the site level.
Device Channels & Browser Definition
• In SharePoint Server 2013, you can render a single publishing site in multiple ways by using different designs that target different devices based on their user agent string using Device Channels.
• You create a single site and author the content in it a single time. Then, that site and content can be mapped to use different master pages and style sheets for a specific device or group of devices. Also, you can easily show different content to different device channels using same page and page layout.
• 10 MAX boundary per site collection – Info Arch!
• Don’t underestimate the workload in customising for each device
Push notifications & subscriptions
• You can configure and manage a mobile account in SharePoint Server 2013 to enable users to subscribe to alerts that are sent by using Short Message Service (SMS).
• SMS alerts are sent to the mobile device when changes are made to a SharePoint list or item
• Without SMS – you can use Push Notifications for apps on Windows phones so the device is informed even if the app is not the active app – no iOS integration (yet) – COST Savings
• A standard alert over email usually requires the email client to be active – you can still do this
• For mixed environments consider the complexity of any notification services
Geolocation
• There is now a Geolocation field you can use in SharePoint lists
• There is an investment in time to get this working – work out your benefits upfront
• Not indexable via Search
Jury is out on this one for me
Business Intelligence
• SharePoint Server 2013 enables a user to view certain kinds of dashboard content.
• This includes PerformancePoint reports and scorecards, and Excel Services reports in iOS 5.0+ Safari browsers on iPad devices. OOTB
Office Web Apps – is really cool!
• Office Web Apps Server is a new stand-alone server product that still provides mobile browser-based viewers for these applications. These viewers, called Word Mobile Viewer, Excel Mobile Viewer, and PowerPoint Mobile Viewer, are optimized to render documents for phones. When integrated with SharePoint Server 2013, a user can enjoy enhanced viewing experiences when interacting with documents on the phone.
• Together, SharePoint Server 2013 and Office Web Apps Server offer a better user experience when interacting with documents on a mobile device. For example, when both products are used together, a user opens a server-based version of the document in the mobile browser. Without Office Web Apps Server, the user would first have to download the file and then open it in Office Mobile or in an Office document viewer.
• iOS file locking issues – 60 minute locks
SkyDrive & SkyDrive pro
• SkyDrive is free online storage that provides you with a personal library where you can upload and access files from any of your devices
• SkyDrive Pro library is managed by your organization and is available with either Office 365 or SharePoint
• Needs an app per device – including Windows client
• You can of course just use your browser for basic features
• There are other services (Google Drive, Box, LiveDrive and SugarSync for example)
• SkyDrive Offline is now a real world planning consideration for supporting BYOD
SkyDrive – free apps for iPad, iPhone, Android & Windows Phone – only 3rd party for BlackBerry
Consistent access from any device!
What about SkyDrive Security
• SkyDrive is not, and has never claimed to be, HIPAA-compliant, or IL3. If you have a level of security requirement that involves the phrase "security auditors", SkyDrive will never pass. There aren't any audit logs, for one thing.
• Office 365 (SP online) can provide IL2 – soon perhaps IL3
• SkyDrive Pro can be enforced to use SSL for transport – it isn’t stored encrypted, only transmitted
• Subject to Patriot Act – EEEK!
Understand YOUR Device Landscape – get yourself ready!
Collect a Device Inventory
| Device Type/Pool | Serial Number/Asset Tag | Operating System Version | Is the browser supported in SharePoint 2013 |
|---|---|---|---|
| Windows Phone | XXXXX-XXXXXX | 7.5 | Yes |
| iPhone | XXXXX-XXXXXX | 5.0 | Yes |
| Android (3000 devices) | n/a | 4.0 | Yes |
Know what devices are formally supported
Know what mobile views are required?
• For smartphone devices only. Activated by default on select site templates (Team Site, Blank Site, Document Workspace, Document Center, and Project Site).
• Some of the views are unavailable to certain phones and tablets – support call hell!
• http://technet.microsoft.com/en-us/library/jj673030.aspx
• For apps - Don’t expect device affinity across devices – the reason the BBC in the UK has not released iPlayer for all devices is they all appear to work differently – now on ICS 4.3, but limited success.
Contemporary View
What views can we apply per site type
| Mobile view | Team Site | Blank Site | Document Workspace | Document Center | Project Site | Publishing Site |
|---|---|---|---|---|---|---|
| Contemporary view | Yes | Yes | Yes | Yes | Yes | n/a |
| Full screen UI | Yes | Yes | Yes | Yes | Yes | Yes |
| Device channels | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Yes |
| Classic view | Yes | Yes | Yes | Yes | Yes | Not applicable |
The browser-based mobile views in SharePoint Server 2013 can be used on a number of different SharePoint site templates.
Think about individual sites that may need customisations – and list them
Columns: Team Site | Blank Site | Document Workspace | Document Center | Project Site | Publishing Site | Notes
• Yes – Team Site #1 (HR) – Mobile view required
• Yes – Team Site #2 (Finance) – Mobile view required
• Yes – Public Facing Site – Mobile view required
Understand authentication Requirements in SharePoint 2013
| SharePoint infrastructure | Authentication mode | Authentication provider | Windows Phone 7.5 or later versions (Internet Explorer Mobile) | iOS 5.0 or later versions (iPad, iPhone using Safari) |
|---|---|---|---|---|
| SharePoint on-premises | NTLM | Active Directory | Supported | Supported |
| SharePoint on-premises | Basic authentication | Active Directory | Supported | Supported |
| SharePoint on-premises | SAML | WS-Federation 1.1 compatible Identity Provider | Supported | Supported |
| SharePoint Online | Forms-based authentication | Org-ID | Supported | Supported |
http://technet.microsoft.com/en-us/library/fp161350.aspx
Think about transmission
• Any BYOD strategy will increase your Data Transmission
• Access points/network segments might need scaling
• SkyDrive synch can quickly get out of control if you synch quickly changing directories
• Think about monitoring – how do you do it, is it suitable moving forward
During 2011 to 2016 Cisco anticipates that global mobile data traffic will outgrow global fixed data traffic by three times
Understanding the Tooling to help you! Get the Correct MDM capability!
Any E/MDM Solution MUST satisfy at least 4 Requirements
• Software Management
• Network Service Management
• Hardware Management
• Security Management
Software management
• Configuration
• Updates
• Patches/fixes
• Backup/restore
• Software Provisioning
• Authorized software monitoring
• Transcode
• Hosting
• Managed mobile enterprise application platforms (MEAPs)
• Development
• Background synchronization
Manage and support mobile applications, content and operating systems – Support Control
Network service management
• Invoice/dispute resolution
• Procure and provision service
• Reporting and Statistics on usage
• Help desk/support – details to help problem resolution
• Usage – patterns and service evolution indicators
• Service and contract – SLA/OLA consideration type stuff
Hardware Management
• Procurement
• Provisioning
• Asset/inventory
• Activation
• Memory
• Deactivation
• Shipping
• Imaging
• Performance
• Battery life
Security Management
• Sandboxing
• Enforce Remote wipe
• Enforce Remote lock
• Apply Secure configurations
• Apply Policy enforcement
• Ensure Password-enabled
• Enforce Encryption
• Control Authentication
• Enforce Firewall
• Enforce Antivirus
• Enable Mobile VPN
• Compliance Engine
Windows Intune in the Cloud Configuration
Windows Intune in the Unified Configuration
For Device control look to Windows Intune
For Content control look to Azure AD Rights Management (for SharePoint/Exchange Online)
Mobile device management using Exchange ActiveSync
• Remote wipe: If a mobile phone is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange Server computer or from any Web browser by using Outlook Web App. This command erases all data from the mobile phone.
• Device policies: Exchange ActiveSync lets you configure several options for device policies. These options include the following:
• Minimum password length (characters): This option specifies the length of the password for the mobile phone. The default length is 4 characters, but as many as 18 can be included.
• Inactivity time (seconds): This option determines how long the mobile phone must be inactive before the user is prompted for a password to unlock the mobile phone.
• Enforce password history: Select this check box to force the mobile phone to prevent the user from reusing their previous passwords. The number that you set determines the number of past passwords that the user won't be allowed to reuse.
• Wipe device after failed (attempts): This option lets you specify whether you want the phone's memory to be wiped after multiple failed password attempts.
• Allow simple password: This setting enables or disables the ability to use a simple password such as 1234.
• Allow storage card: This setting specifies whether the mobile phone can access information that’s stored on a storage card.
• Password enabled: This setting enables the mobile phone password.
• Password expiration: This setting enables the administrator to configure a length of time after which a mobile phone password must be changed.
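The device policy options listed above can be checked as well as set. As an added example (not part of the original slides), the PowerShell below audits Exchange ActiveSync policies against a baseline; the cmdlet and property names are those of the Exchange 2013 Management Shell, while the thresholds, the policy name BYOD-Hardened and the sample objects are assumptions constructed for illustration.

```powershell
# Added example: audit Exchange ActiveSync device policies against a BYOD baseline.
# Threshold values are assumptions for illustration, not figures from the talk.
$MinLength   = 6    # assumed minimum password length
$MaxAttempts = 8    # assumed upper bound on failed attempts before wipe

# Hardened settings, used both as a sample object and as cmdlet parameters.
$Hardened = @{
    Name                         = 'BYOD-Hardened'   # hypothetical policy name
    PasswordEnabled              = $true
    AllowSimplePassword          = $false
    MinPasswordLength            = 6
    MaxInactivityTimeLock        = '00:05:00'
    PasswordHistory              = 5
    MaxPasswordFailedAttempts    = 8
    PasswordExpiration           = '90.00:00:00'
    RequireDeviceEncryption      = $true
    AllowStorageCard             = $false
    AllowNonProvisionableDevices = $false
}

# Constructed sample resembling a permissive policy (not real output).
$Weak = [pscustomobject]@{
    Name = 'Sample-Permissive'; PasswordEnabled = $false; AllowSimplePassword = $true
    MinPasswordLength = $null; MaxInactivityTimeLock = 'Unlimited'
    MaxPasswordFailedAttempts = 'Unlimited'; RequireDeviceEncryption = $false
    AllowNonProvisionableDevices = $true
}

function Test-EasPolicy {
    param([Parameter(Mandatory)] $Policy)
    $f = @()
    if (-not $Policy.PasswordEnabled)         { $f += 'Password not enabled' }
    if ($Policy.AllowSimplePassword)          { $f += 'Simple passwords such as 1234 allowed' }
    if ([int]$Policy.MinPasswordLength -lt $MinLength) { $f += "Minimum length below $MinLength" }
    # Unlimited/empty values mean the control is effectively switched off.
    if ("$($Policy.MaxInactivityTimeLock)" -in '', 'Unlimited') { $f += 'No inactivity lock' }
    $attempts = "$($Policy.MaxPasswordFailedAttempts)"
    if (($attempts -in '', 'Unlimited') -or ([int]$attempts -gt $MaxAttempts)) {
        $f += 'No wipe after failed attempts, or threshold too high'
    }
    if (-not $Policy.RequireDeviceEncryption) { $f += 'Device encryption not required' }
    if ($Policy.AllowNonProvisionableDevices) { $f += 'Devices that cannot apply policy may still sync' }
    [pscustomobject]@{ Name = $Policy.Name; Compliant = ($f.Count -eq 0); Findings = $f -join '; ' }
}

# In the Exchange Management Shell, audit live policies; otherwise use the samples.
if (Get-Command Get-MobileDeviceMailboxPolicy -ErrorAction SilentlyContinue) {
    $policies = Get-MobileDeviceMailboxPolicy
    New-MobileDeviceMailboxPolicy @Hardened -WhatIf   # preview only; drop -WhatIf to create
} else {
    $policies = $Weak, [pscustomobject]$Hardened
}
$policies | ForEach-Object { Test-EasPolicy -Policy $_ } | Format-List
```

Outside an Exchange environment the script reports the constructed permissive sample as non-compliant with seven findings and the hardened sample as compliant.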
The SharePoint Stack
• MEAP integration Layer - SharePoint Composites and Data Connectors
• Security - Unified Access Gateway with deep packet inspection, Exchange policy Enforcement
• Provisioning - System Center Configuration Manager (SCCM), Windows Intune, Exchange Server, Windows Store
• Software - Visual Studio allows development of cross-platform thick and thin apps - HTML5
• Multi-channel transports like HTTP/SOAP/REST/EAS/XML/JSON, OData, and the Sync Framework support communication with any mobile client
We need to look beyond the SharePoint Platform
Don’t forget about testing tools
• http://sixrevisions.com/tools/10-excellent-tools-for-testing-your-site-on-mobile-devices/
Then think about Compliance – get your Legal stance ready!
BYOD Policy
• You cannot segregate SharePoint 2013 from BYOD – by design
• 1 - Mobile Device Policy is KEY
• Base it on user satisfaction if possible
• a risk assessment;
• appropriate policies and procedures;
• appropriate guidance to staff;
• good governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions;
• robust monitoring mechanisms; and
• adherence to relevant guidance or codes of practice.
• 2 - Understand Expenses – who pays for what
• 15 billion/2 per person = 24,000 BILLS
US Regulatory Example
• If you are in the Healthcare industry, you’ll need to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
• The HIPAA Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI)
• Information management is critical
The Problem Outlined
US - Walgreens Fined $1.44 Million for exposing confidential data
One US hospital lost a single netbook and are facing a $1.5 million fine.
£50,000 Prudential - the first monetary penalty notice not related to a security breach.
FSA imposed a fine of £3m on HSBC for various failures in respect of the personal data it held
Zurich Insurance - £2.3m fine for mislaying an unencrypted tape backup with 46,000 sensitive customer records on it
Spain - 1.08 million Euro fine imposed on Zeppelin TV, made information about Big Brother applicants available online
Germany - Deutsche Bahn was fined 1.1 million Euros for breaches of data protection laws
HaSpa (the savings bank of Hamburg) was fined 200,000 Euros for transferring customer data to external service providers.
Principle 7 UK DPA - Data Security
• Information security is the most important aspect of data protection
• “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data”
• Loss or unauthorised access can result in harm and could result in regulatory action
Enforcement of DPA
• Sections 55A and 55B of the Data Protection Act 1998
• NL – Article 26/4
• contravention of Section 4(4) of the Act (the duty to comply with the data protection principles)
  – serious breach of data protection principles likely to cause substantial damage or distress – deliberate or reckless
• Other enforcement powers:-
  – enforcement notice
  – powers of access and inspection
• Criminal offences
• Civil offences
Compliance demands Policy
• Passwords should not be an option – iOS automatically encrypts when it is enabled
• Encryption should be mandatory – earlier Android devices do not support encryption
• Restrict Device Features as Necessary – disable bluetooth/cameras – can you disable by geo-location?
• Restrict, allow and require apps you need to encourage productivity
• Block non-corporate email like GMail
• Push your wireless network, VPN and passcode settings to your users OTA (over the air) – remove them the same way
• Do you allow temporary non-compliances?
All Pointless without Testing and Penalty
Don’t forget about device Licensing – get your License budget ready!
Understand Microsoft’s stance!
All affect BYOD licensing costs = strategy consideration
VDA v CDL – desktop vs browser
• Virtual Desktop Access (VDA) license is $100 per year, per device. If you have Software Assurance, VDA rights are included
• If you buy a device with WinRT installed, it has built-in VDA privileges
• Without VDA you need a CDL per device
• Access SharePoint via a browser only – you only need a SP CAL
• The default Office Web Apps mode is view-only, and it is provided free. The other mode enables both viewing and editing, and this mode must be additionally licensed.
Scary Thoughts! Get yourself ready to be challenged!
Scary things without clear answers!
• If a personal device gets stolen from inside an employee’s car, with confidential data on it – who gets sued? What are the insurance or personal implications?
• If your personal insured device gets lost with the only source of information on it, and a project delivery fails – who pays the penalties?
• Why would you ever choose and pay for a device – to save the business money, and then permit your employer to dictate how you can use it?
• Who pays if a device is found to have pirated software on it – my iPad is jailbroken – should you permit rooted or jailbroken devices – what are the consequences?
• If you end up using non-corporate software for company business – who covers the licence costs?
More scary thoughts!
• Swipe and Wipe is fine – what if the device cannot be wiped and the hard drive ends up in India being recycled – consequences?
• Many of us share devices with spouses and children – consequences of leaving a VPN open to SharePoint Central Admin
• What about device emulation and virtualisation – device spoofing via virtualisation – policy on that VM but not on the host
• I can afford a better device that makes me more productive, how is that measured and fairly balanced by HR for pay evaluations?
• Research has shown that we are affecting sleep patterns with tablets/smartphones & Bluelight, how will your company control this potential for productivity drop we never had with laptops?
BYOD strategies – better start that journey now!
Any Questions….?