
Addressing security challenges of a BYOD policy with VMware View 5

Implementing a BYOD policy can improve end user productivity, but administrators should consider the potential security challenges that mobile devices can create.

Implementing a bring your own device policy can open a whole new world of productivity to end users. But it can also bring many challenges, particularly in virtual desktop infrastructure environments.


The important thing is to consider potential challenges prior to implementing a BYOD policy. Below are just a few of the challenges that might come up.

BYOD strains security
The most important technical concern that must be addressed is security, which is one of the major reasons for implementing VDI in the first place. By centralizing desktops inside the data center, the potential for data loss drops dramatically. On the other hand, allowing end users to bring in their own devices means they are potentially bringing in security threats and circumventing the perimeter security designed to keep those threats out.

To prevent this, all endpoint devices not managed by IT, whether connecting from the Internet or plugged into the LAN, can be placed in a semi-secured network zone. You can do this by placing all the end user network ports in an isolated network zone that only has access to a VMware View Security Server. Alternatively, network access control (NAC) technologies can automatically place devices into untrusted network zones when they don't meet predefined qualifications, such as having a specific antivirus configuration or a predefined system configuration that is controlled by corporate IT.

Using the "tag" feature of VMware View, access to desktop pools can be restricted so that certain pools cannot be reached from the Internet. By creating tags such as "internal" or "external" on the View Connection Servers, admins can make pools available only through specific View Connection Servers by selecting the proper tags in the pool settings. Imagine a library that implements VDI for use by the public, but access to this pool is only granted when connecting from inside the library. Tags can also be used to place users connecting from the Internet into a more restricted network environment than they would get when connected locally. For example, you may want to restrict access to an accounting application or apply a specific Active Directory Group Policy if a user is not connecting from a secured company facility.
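The two controls above, NAC-style zone assignment and tag-based pool restriction, combine into a single access decision per device. The following Python model is an added example, not VMware code or anything from the original article; the device names, pool names, connection server names and posture checks are constructed for illustration, and the tag matching rule is my paraphrase of VMware's documented behaviour (untagged pools are reachable through any Connection Server, tagged pools only through a Connection Server carrying a matching tag, and a Connection Server with no tags reaches only untagged pools).

```python
"""Model of BYOD access decisions in a View 5 environment (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    it_managed: bool            # enrolled in and controlled by corporate IT
    av_signatures_current: bool  # the posture check a NAC policy would enforce
    source: str                  # "lan" or "internet"


def assign_zone(device: Device) -> str:
    """NAC-style decision: only a managed, compliant endpoint on the LAN is trusted.

    Everything else, whether an unmanaged device on an internal port or any
    device arriving from the Internet, is dropped into the semi-secured zone
    that can only reach the View Security Server.
    """
    if device.it_managed and device.av_signatures_current and device.source == "lan":
        return "trusted"
    return "semi-secured"


def pool_reachable(pool_tags: set, server_tags: set) -> bool:
    """Tag restriction rule (assumption: paraphrase of the documented View behaviour)."""
    if not pool_tags:          # untagged pool: reachable from every Connection Server
        return True
    if not server_tags:        # untagged Connection Server: only untagged pools
        return False
    return bool(pool_tags & server_tags)  # otherwise at least one tag must match


# Constructed topology: each zone is wired to one Connection Server, and the
# semi-secured zone only ever reaches the server that sits behind the Security Server.
CONNECTION_SERVERS = {
    "view-cs-internal": {"internal"},
    "view-cs-external": {"external"},
}
ZONE_TO_SERVER = {"trusted": "view-cs-internal", "semi-secured": "view-cs-external"}

# Constructed desktop pools and the tags an admin would select in the pool settings.
POOLS = {
    "accounting": {"internal"},               # never offered to Internet/untrusted clients
    "library-patron": {"internal"},           # the public library kiosk case from the text
    "general-desktop": set(),                 # untagged: available everywhere
    "remote-contractor": {"external"},        # only through the external path
    "helpdesk": {"internal", "external"},     # available on both paths
}


def reachable_pools(device: Device) -> list:
    """Pools the device's zone can actually be brokered into, sorted for stable output."""
    server = ZONE_TO_SERVER[assign_zone(device)]
    server_tags = CONNECTION_SERVERS[server]
    return sorted(p for p, tags in POOLS.items() if pool_reachable(tags, server_tags))


if __name__ == "__main__":
    corp_laptop = Device("corp-laptop-01", it_managed=True, av_signatures_current=True, source="lan")
    byod_ipad = Device("personal-ipad", it_managed=False, av_signatures_current=False, source="lan")
    for dev in (corp_laptop, byod_ipad):
        print(dev.name, "->", assign_zone(dev), reachable_pools(dev))
```

Note that the personal tablet plugged into an office port lands in the same zone, and therefore sees the same pools, as a client on the Internet: the posture result, not the physical port, decides which Connection Server brokers the session.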

Another security challenge administrators should consider is whether to implement a globally trusted security certificate from the likes of Verisign or GoDaddy. VMware has started introducing security warnings when users connect to a View environment that doesn't have a trusted certificate installed. In an end-to-end IT controlled environment, it is easy to issue a certificate from an internal Active Directory certificate authority that all domain members trust. When a BYOD policy is introduced, the client devices will not be members of Active Directory, and therefore will not trust that certificate. This can cause errors on the client side. In order for any device to be able to connect and fully trust the View environment, a certificate should be obtained from a trusted root certificate authority.

Consider device variety
One type of device that will inevitably show up when instituting a BYOD policy is the tablet. Tablets are touch-based devices, whereas Windows is mouse/keyboard-based. Accessing a desktop through a touch interface can initially confuse end users. Retraining, or at least support, will most likely be necessary, and the help desk should be prepared to deal with these concerns.

Administrators will also need to decide how much support they will provide for the end users' devices. An obvious question that should be asked is "can the help desk support Macs and iPads?" For most organizations the answer will be "no." This creates a dilemma for an organization that needs to provide an end-to-end experience for its end users. At this point, an IT department will need to decide between the following support stances:

  • provide a list of supported BYOD devices;
  • run end-user devices through a qualification process prior to allowing the user access; or
  • provide a list of requirements that an end user's device must meet.

Any of these stances will make support from IT easier, but each reduces the flexibility of a BYOD environment.

Implementing a BYOD policy can cause many unexpected challenges above and beyond the challenges of introducing a VDI environment. Administrators should consider these potential security concerns before moving forward.


What stage is your organization in with their BYOD policy?
Yes, the market for NAC has seen a large spike in demand because of BYOD concerns. There are many ways to solve the security problems that BYOD entails, and VDI is certainly one approach. The neat thing about NAC is that it provides a universal layer of security, something that applies to both known and unknown devices, and NAC augments whatever approach you take—VDI, MDM, whatever. NAC can easily tie into directory services as you’ve suggested in order to deliver just the right applications (VDI or otherwise) that a person or device needs. I work for a NAC vendor (ForeScout), and we’ve published a couple of whitepapers which your readers might appreciate: One is a report from SANS, the other a whitepaper by Securosis that describes how NAC can help you say “yes” to BYOD without exposing the organization to new security and compliance risks.
The problem with this article is that it assumes the devices won't have 3G/4G access. Suddenly all the Network Access control systems are bypassed!