BYOD goes back to school
North Hennepin Community College is a two-year college in Brooklyn Park, Minnesota. It’s part of the Minnesota State and Universities System. I recently spoke with Kris Boike CIO of the college about Bring Your Own Device (BYOD) at her institution and the selection process behind their choice of the Good Enterprise Suite.
Students at North Hennepin are BYOD according to Boike. There are some student-focused mobility pilots taking across the university system where students receive a tablet and a laptop paid for by their tuition dollars. There are also campus-owned computer labs and computer classrooms that they would have access to while the campus is open, during school hours.
Boike mentioned that the college supplies laptops or desktops to faculty for their office. They also provide online storage where the campus IT department backs up faculty data. However, the faculty employment contract allows them to work wherever they want to work.
“Because they own all of their intellectual property, all of their course and curriculum materials, they tend to choose to store them not here on campus,” Boike said. “They tend to want to bring in their own tablets or their own laptops into the classroom, and connect that directly into our classroom technology system to use that for presentation or classroom instruction purposes. We as an IT group here, we needed to think through how we manage those BYOD devices.”
Mobile device and data security on campus
“I mean, number one, we have, of course, policy around where that data, what I will say is protected data, is supposed to reside,” Boike said. She also emphasized their need for security to govern data at rest as well as in flight.
“We had policy that said whether it could be stored on your personally owned device, or not,” she said. “We had policy then that said campus owned devices and related to encryption or USB devices related to encryption, or external hard drives. That type of thing. We still experience data loss. With inadvertent human error, we would find data in flight, or in transmission, that should not be in transmission. We were finding data at rest on personally owned devices that should not be.”
She also mentioned that the IT department was getting several reports from the faculty of either personally owned devices and USB devices that were lost or stolen. Sometimes the device was found again, or it was lost forever. These reports were about campus and personally owned devices.
“That was always just placing risk for the college, and the system that we chose not to have,” Boike said.
“The last piece about that I will say is that there were grievance issues,” she said. North Hennepin has four or five employee bargaining units between faculty and staff positions.
“Whether it is some type of legal issue, lawsuits, or grievance issues. Personally owned devices then became HR discoverable as a result of that process,” Boike said. “One of the concerns out of the owner of that personally owned device was that all of the sudden, their personal information all the sudden became part of that. If that device shared personal email, as well as college-related email systems, now all of the sudden, both came into play. That was not exciting for them.”
Selecting Good Enterprise Suite
Prior to taking the role of CIO at North Hennepin, Boike worked for American Express, Wells Fargo and Target so she had an exposure to the need for mobile device security in regulated environments.
“The process that I took my team through really was understanding the use cases, for not only campus owned mobile devices, but how our faculty and staff are using their personally owned devices,” Boike said. “We really did start with documenting the business case, the college case, for how users were using those devices. Then, we really began to look at the marketplace in terms of what could be provided and what could not be provided. Really through an RFI [Request for Information] and RFP [Request for Proposal] process, is what we did.”
“The two things that really fell out is, number one, with the bargaining unit,” she said. “It was about location services. As I reviewed this with our bargaining unit, they did not want the college to be able to turn on location services.”
“Because then, the fear was, the college could track them wherever they went. However, they wanted that ability to be turned on for personal life reasons,” Boike said. “That was number one. Number two was, exactly what I said before, about HR legal discovery, and the ability, even when the device was lost.”
“If we needed to wipe a device, it was fine for us whether an employee separates from the college, or a device is lost, ‘Go ahead and wipe the college, or the academic side of the device, but please do not touch my personal information that is on there,” she said. ‘Unless I tell you it is okay.’ If the device is lost, they probably would be okay with it, but if it is, ‘I am just separating from the college. Do not touch it.’ Those were the two big differentiators that really separated Good from the rest of the pack.”
“Again, that remains the differentiator of Good versus any other product like AirWatch, or any other product,” Boike said.
Implementing the Good Enterprise Suite at North Hennepin
Boike and her team chose an external consultant with experience in the Good Enterprise Suite to train some of their internal engineers on the platform so they could be self-sufficient after the implementation.
“I think for us on the implementation side it was really about the training of the end-users and gaining their confidence and ability to use the product, Boike said. “It was more about starting with those that wanted the early adoption and wanted to be able to bring in their own devices onto the campus, and really letting that peer influence build the momentum and the support behind it.”
“Number one is, because of the bargaining unit, or the unit environment that we are in, it really is about making sure all of those contractual issues are supported across those units,” Boike said. She then stressed that any support lacking across the bargaining unit could have stopped the project.
“I think the other piece is, as we have been piloting this now for the system, it really is about communicating the successes and the advantages,” She said. “Where we have now been able to successfully, I will say, mitigate risk, when it comes to legal discovery, pertaining to the containerization of these devices. We have been able to successfully mitigate any risk when a device is out of someone’s control for a window of time, or it gets lost, or an individual separates from the college. We have been able to do that much more successfully, and we have hard data now to show that, versus any other campus.”