Addressing security challenges of a BYOD policy with VMware View 5

Implementing a bring your own device policy can open a whole new world of productivity to end users. But it can also bring many challenges, particularly in virtual desktop infrastructure environments.

The important thing is to consider potential challenges prior to implementing a BYOD policy. Below are just a few of the challenges that might come up.

BYOD strains security
The most important technical concern that must be addressed is security, which is one of the major reasons for implementing VDI in the first place. By centralizing desktops inside the data center, the potential for data loss drops dramatically. On the other hand, allowing end users to bring in their own devices means they are potentially bringing in security threats and circumventing the perimeter security designed to keep them out.

To prevent this, all endpoint devices not managed by IT, whether connecting from the Internet or from the LAN, can be placed in a semi-secured network zone. You can do this by placing all the end-user network ports in an isolated network zone that has access only to a VMware View Security Server. Alternatively, network access control technologies can automatically place devices into untrusted network zones when they don't meet predefined qualifications, such as a specific antivirus configuration or a predefined system configuration controlled by corporate IT.

Access to desktop pools can be restricted so that certain pools cannot be reached from the Internet by using the "tag" feature of VMware View. By creating tags such as "internal" or "external" on the View Connection Servers, admins can make pools available only through specific View Connection Servers by selecting the proper tags in the pool settings. Imagine a library that implements VDI for use by the public, but access to this pool is only granted when connecting from inside the library. Tagging can also be used to place users connecting from the Internet into a more restricted network environment than they would get when connected locally. For example, you may want to restrict access to an accounting application or apply a specific Active Directory Group Policy if a user is not connecting from a secured company facility.

Another security challenge administrators should consider is whether to implement a globally trusted security certificate from a public certificate authority such as Verisign or GoDaddy. VMware has started introducing security warnings when users connect to a View environment that doesn't have a trusted certificate installed. In an end-to-end IT-controlled environment, it is easy to issue a certificate from an Active Directory certificate authority that all domain members trust. When a BYOD policy is introduced, the client devices will not be members of Active Directory and therefore will not trust that certificate, which causes errors on the client side. For any device to be able to connect and fully trust the View environment, the certificate should be obtained from a trusted root certificate authority.
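To see the trust failure described above reproduced offline, the following added example (not from the article or from VMware) builds a constructed "enterprise CA" like the one Active Directory would provide, issues a Connection Server certificate from it, and then runs the same chain check a client performs against two trust stores: one that contains the enterprise CA (a domain-joined PC) and one that holds only an unrelated public root (a BYOD device). The hostname `view.corp.example` and all certificates are placeholders generated in the script.

```shell
#!/bin/sh
# Added example (not from the article): why a View Connection Server certificate
# issued by an internal Active Directory CA is trusted by domain-joined clients
# but fails on BYOD devices that never received that CA. Every certificate
# below is constructed for the demo; view.corp.example is a hypothetical name.
set -e
WORK=$(mktemp -d)

# 1. Internal enterprise CA (stands in for the AD certificate authority).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/corp-ca.key" -out "$WORK/corp-ca.crt" \
  -subj "/CN=Corp Enterprise CA" >/dev/null 2>&1

# 2. Connection Server certificate signed by that internal CA.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/view.key" -out "$WORK/view.csr" \
  -subj "/CN=view.corp.example" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/view.csr" \
  -CA "$WORK/corp-ca.crt" -CAkey "$WORK/corp-ca.key" -CAcreateserial \
  -out "$WORK/view.crt" >/dev/null 2>&1

# 3. An unrelated root, standing in for the public roots a BYOD device ships with.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/public-root.key" -out "$WORK/public-root.crt" \
  -subj "/CN=Some Public Root CA" >/dev/null 2>&1

# Chain check as a client performs it: trust store ($1) against server cert ($2).
# Returns 0 when the chain validates to a trusted root, non-zero otherwise.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Domain-joined client: the enterprise CA arrived via Group Policy, so it is trusted.
domain_client_check() { chain_ok "$WORK/corp-ca.crt" "$WORK/view.crt"; }
# BYOD client: only public roots in its store, so the issuer is unknown.
byod_client_check() { chain_ok "$WORK/public-root.crt" "$WORK/view.crt"; }

if domain_client_check; then echo "domain-joined client: chain OK"; fi
if byod_client_check; then echo "BYOD client: chain OK"; else echo "BYOD client: untrusted issuer"; fi
```

Swapping the Connection Server certificate for one issued by a root already present in the BYOD device's store is what makes the second check pass, which is the recommendation above.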

Consider device variety
One type of device that will inevitably show up when instating a BYOD policy is the tablet. Tablets are touch-based devices, whereas Windows is mouse/keyboard-based. Accessing a desktop through a touch interface can initially confuse end users. Retraining, or at least support, will most likely be necessary and a help desk should be prepared to deal with these concerns.

Administrators will also need to decide how much support they will provide for the end users' devices. An obvious question that should be asked is "can the help desk support Macs and iPads?" For most organizations the answer will be "no." This creates a dilemma for an organization that needs to provide an end-to-end experience for its end users. At this point, an IT department will need to decide between the following support stances:

  • provide a list of supported BYOD devices;
  • run end-user devices through a qualification process prior to allowing the user access; or
  • provide a list of requirements that an end user's device must meet.

Any of these stances will make support from IT easier, but each reduces the flexibility of a BYOD environment.

Implementing a BYOD policy can cause many unexpected challenges above and beyond the challenges of introducing a VDI environment. Administrators should consider these potential security concerns before moving forward.

This was first published in June 2012

Expert Discussion (Brian Knudtson): What stage is your organization in with its BYOD policy?