Amid the pandemic, using trust to fight shadow IT

With most workers scattered at home and trying to come up with their own ad-hoc IT workarounds, there’s an easy way for IT shops to build trust: communicate.

A man using a mobile phone in shadow against a bright wall
Warren Wong (CC0)

Shadow IT, where workers sometimes go rogue in their efforts to solve business problems, can create challenges – and opportunities – for companies in the best of times. With the COVID-19 pandemic still unfolding, these are not the best of times. With most employees and executives still working from home, the big issue for administrators and IT pros still centers on how to make things work in today’s trying circumstances.

Every major platform has controls IT can use, some of them as blunt as a hammer and others that offer surgical precision. At either end of that spectrum lie two common questions: How restrictive does IT need to be and is there a way to fully communicate areas of risk while making business more secure.

Communication is critical if the IT and business sides of a company are to work together cohesively, regardless of where people are physically working. So, I’m not going to simply list the variety EMM and UEM features available across each and every platform. Instead, I want to focus on building the critical trust  relationship that’s key to success – not the least of which is to make IT look less punitive.

Mobile management comes of age

Not long ago, enterprise mobility felt like that last thing you needed for a trip and somehow had to stuff in your suitcase. It was its own separate, important but not well understood piece of IT infrastructure. That’s begun to change as the available tools and APIs have become more consistent across products – i.e. this control will restrict this feature on any mobile device from an Android phone to an iPad to a PC in the same way. The fact that’s possible and relatively simple to do shows just how much this space has matured.

Ten years ago, when Apple sunk the first foundation for mobile management, iOS was the only platform that could or needed to be managed beyond BlackBerry. And Apple didn’t create the entire solution, it simply created hooks for other companies to connect through. After the flag was planted, the enterprise mobility industry exploded into dozens of companies soon fighting to gain traction, stay afloat or get acquired.

After the iPhone (and iPad) came Android. Then, in a somewhat surprising turn, Apple abandoned its heavy infrastructure for managing Macs and made mobile management the solution for managing both of the company’s primary product lines. Although they started later, Google and Samsung began to experiment in enterprise manageability and feature sets. Microsoft joined the party with EMM – not just for managing Windows Phone, but also for PC management.  And ChromeOS, which has always supported access management capabilities (for schools, as well as for parents) has begun opening accessibility to EMM vendors.

The result: a robust EMM solution can now effectively serve as a single management console if needed. This can be an ideal option for SMB organizations that would prefer to avoid the heavyweight solutions and infrastructure used by multinational companies.

(Side note – I explored this back in 2013; it’s surprising to see just how much mobility can change and evolve over a decade.)

For the most part, core EMM options were settled pretty quickly, with multiple platforms offering the same basic functions for devices – unlocking, remote wipes, app installs, access to push messaging services like Exchange and an option to block access to some hardware and OS features like cameras or Angry Birds.

All this means is that there’s a robust number of products from a range of vendors at different price points and capacities. IT can now order a complete lock down of every device; dictate specific apps for corporate use; block certain web/cloud properties; allow a device to be used with a lighter touch where passcodes and remote wipes are the only management needed; and determine which devices require kiosk management. (The latter means locking a device into a single app, usually in situations where multiple users will interact with a device each day, such as in the classroom, in retail settings and in healthcare .

Who needs what?

The first thing that needs to happen, and ideally already has, is that you need to compile an inventory of organization-owned devices that people are using out of office, as well as personal devices being used for work tasks. Provided this list is available, you can easily decide who needs access remotely, what they need to access (and why), and where they will be connecting from.

All EMM suites give you the ability to compile a device inventory and a rundown of OSes and apps used. This is a fairly easy task for any device IT knows about whether corporate or BYOD. Other devices may not show up in your EMM console, but their access (or attempted access) to your network and its resources will be recorded in the logs of your perimeter and VPN tools as well as internal security tools, along with the services a user is connecting with to accomplish work-related tasks.

The question for authorized device and/or user access isn’t much different than managing permissions and group policies in Active Directory; those role and group assignments are often used by EMM to authenticate and permit access to specific resources. Handling this catalog of devices should be relatively simple, with an  inventory that connects a user’s information to their devices. Then it’s simply a matter of determining what access and capabilities you will allow and documenting that for future reference.

Notably, you’ll want to establish some level of dialog with users who are now remote, if only to make them aware of changes in policies and how those changes impact them. IT could go even further by creating a weekly newsletter that contains tips and advice for remote users about work, work-from-home issues and general computing topics. This often helps build a self-help culture, empowering users and at the same time scoring some IT social/political points.

As a general practice, keep things locked down as much as possible. If users need something more, you can always grant their request.

Hiding in plain sight – the trust and communication gap

All of the above is great and sets you on relatively secure footing with devices you know about. But shadow IT is more about accomplishing tasks without using IT-provided tools (devices, apps, services) and often without telling IT about underlying problems. It lurks in the shadows (hence the name) and often hides in plain sight in the office.

One way to handle this is open dialog, which may sound a bit oxymoronic. If IT functions in a transparent way, it can build trust in today’s extremely uncertain reality. Part of it, which strikes an empathetic note, is to show that everyone is really in the same uncharted waters and IT is doing its best to keep the ship steady. Explaining certain policies and restrictions is a powerful tool in the trust-building toolkit as it establishes a rationale behind policies. Though it may not change underlying issues, it can show how IT isn’t applying policies to be punitive.

Another key trust-building option is letting people see and understand the processes, commitments, and stakeholders involved in IT policy decisions – and inviting a genuine real-time conversation about pain points users are experiencing at home. These aren’t always obvious to IT staffers – whether it be a need for a certain app, an industry-specific cloud product, or an enterprise app designed without user input. Users need to be stakeholders in creating internal apps so that needs are explored (and hopefully met) early in the development cycle.

The ultimate goal: Save time and energy in app creation and develop a real partnership between business and IT.

Host a town hall – and share coronavirus struggles

Mass conference events can be challenging to set up when everyone’s in the building, but it can be done and it can be extremely beneficial in our current situation. It helps to create a “we’re all in this together’’ message and, properly moderated, can solicit incredible information IT can use to provide long-term shifts or resolve seemingly obscure issues related to an employee’s phone. Acknowledge at the outset that while there is no perfect solution, IT and business can work together to improve the state of affairs.

Striking a note about privacy

The biggest source of anxiety for users in a BYOD program is the fear that personal data will become accessible to an employer. It’s not an unfounded fear. Our phones contain an archive of our daily lives. They contain medical data, financial info, lists of favorite watering holes, intimate conversations with a spouse and unique memories such as videos of a baby learning to walk. All of this data is precious and there needs to be an understanding that it is extremely important as well as private.

The irony is that users tend to overestimate what IT can or will do. Showing users  the truth is usually a major turning point in shadow IT situations – and the biggest evidence at your disposal is your EMM vendor or even the creators of today’s devices: Apple, Samsung, Microsoft, and Google. There are hard rules and limits set by each platform and by EMM vendors. This creates a wall or barrier that IT cannot see over. The big advantage here is that you’re not asking people to take your word for anything – you suggest they go Apple’s business site or Google’s Android Enterprise documentation.

Likewise, let people know when Apple or Google announces changes that affect  privacy. One of the biggest moments from Apple’s Worldwide Developers Conference last year was the introduction of user profiles that let you separate and secure personal information in a much more user-oriented fashion, one that EMM specialists have been awaiting for several years. Alongside that was Apple’s decision to deprecate or remove certain device controls in a way that benefits of users.

It’s also helpful to talk about privacy capabilities you’re committing to honor, like not doing a full remote wipe if a phone is lost – issuing instead a command to wipe only business apps and information. Be thoughtful in advance about what commitments you can make and be held to and those you cant. Consider “consistency” to be a watch word.

Out of the shadows

At the end of the day, users aren’t going to trust IT shops completely and they may continue working around IT. They might, however, begin to discuss their shadow IT arrangements with IT pros in way they hadn’t in the past. This is especially important as people are still settling into working from home. It’s possible that some shadow IT workarounds might actually deliver a solution that could apply far and wide. Aside from policy or technical concerns, you may end up being able to consolidate app licenses and subscriptions in a way that could save a big chunk of change.

As we navigate this surreal state of affairs, IT can build a better relationship with tech users on the business side, one that hopefully will become part of the organization culture, even when people start trickling back into the office.

Copyright © 2020 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon