Managing end-user devices, simply put, sucks. It requires a significant amount of infrastructure and staff. It leeches time from your IT department and end users. And the more you try to wrap your arms around all the devices in your company, the more problems you have.

Trying to fully control and manage every device connected to the network results in unhappy users and broken IT staff, huddling in data closets, weeping – while the executives upstairs are piped a false sense of security.

So stop managing devices. Don’t join them to a domain, don’t lock them down. Give up control.

I promise you, it’s not as crazy as it sounds.

All the devices!

IT departments have been struggling for years to juggle trusted and non-trusted (BYOD) devices. We layered on tool after tool to try to stay in control, but it hasn’t really worked. It’s just made management more complex.

We built a taller wall around trusted devices and the network, and tried to extend control to all the new things that employees were bringing to work. We began to manage triple the devices with the same number of staff.

Users hated the new restrictions on their computers as we locked them down, and IT hated all the new infrastructure we had to install and maintain to keep any semblance of control. We kept piling on sandbags long after the levee broke.

It’s time to start over

Instead of trying to exert control, what if we went the opposite direction? What would happen if IT treated all end-user devices, employee- _and_ company-owned, as non-trusted?

  1. **Security is simplified.** If we assume that all endpoints are insecure, we can drastically shrink the surface area we need to protect and focus on data and apps. Devices are separate from the data center and from one another.
  2. **App management is centralized.** With a small number of exceptions, we can deliver apps via browsers, virtual desktops, or streaming – from the datacenter or the cloud.
  3. **Data is tied to identity.** Unstructured data moves to the cloud, with rights management or containerization in place depending on your compliance needs.
  4. **Devices don’t matter.** Remember, we’re relying on remote delivery of apps and data (think of everything as a thin client). A user is having a computer problem that takes more than 5 minutes to fix? Swap the device out with another from the pool.
  5. **Overall management is simplified.** But maybe we require a health check to keep things from getting too crazy. Don’t add machines to the domain; use an MDM. Passcode, A/V, and security updates seem like reasonable requirements to enforce, but stop there.
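As an added illustration (not code from the original post), here is what that minimal health check looks like when written down as an access decision: only the three requirements named above are evaluated, and ownership and domain membership are recorded but deliberately never consulted. The device reports, the 30-day patch threshold and the `AS_OF` date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumed threshold for "security updates are current"; not from the post.
MAX_PATCH_AGE = timedelta(days=30)
# Constructed evaluation date for the sample reports below.
AS_OF = date(2016, 5, 1)


@dataclass(frozen=True)
class DeviceReport:
    """Attributes an MDM would report about an enrolled device."""
    device_id: str
    owner: str                   # "company" or "employee" (BYOD)
    passcode_enabled: bool
    antivirus_running: bool
    last_security_update: date
    domain_joined: bool          # recorded only to show it is ignored


def posture_failures(report: DeviceReport, today: date) -> List[str]:
    """Return the failed checks; an empty list means the device is healthy."""
    failures = []
    if not report.passcode_enabled:
        failures.append("passcode")
    if not report.antivirus_running:
        failures.append("antivirus")
    if today - report.last_security_update > MAX_PATCH_AGE:
        failures.append("security-updates")
    return failures


def access_decision(report: DeviceReport, today: date) -> Dict[str, object]:
    """Grant access to remotely delivered apps and data purely on health.
    Neither `owner` nor `domain_joined` enters the decision."""
    failures = posture_failures(report, today)
    return {"device_id": report.device_id,
            "allow": not failures,
            "failed_checks": failures}


# Constructed sample devices: a domain-joined company laptop with stale
# patches, and an unjoined BYOD phone that passes every check.
SAMPLE_DEVICES = [
    DeviceReport("laptop-01", "company", True, True, date(2016, 1, 2), True),
    DeviceReport("phone-07", "employee", True, True, date(2016, 4, 20), False),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print(access_decision(device, AS_OF))
```

Run as-is, the company laptop is denied for `security-updates` and the BYOD phone is allowed, which is exactly the inversion the post argues for.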

This isn’t a thought experiment. This model is being pulled off successfully (sometimes in pieces), not just in Silicon Valley, but in growing pockets around the country – within organizations that are aggressively embracing the future.

Vendors are building and have already built products and services to support this model. VMware, Microsoft, Google, Amazon – almost every player who matters is on board.

If you’re in an architecture or strategic role, this is the future you need to be planning for. The current model is untenable – within a few years, if your IT department is still trying to manage devices the same way you do today, with half the budget, a quarter of the staff, twice the tools, and exponentially more devices – you will fail.

Photo: ep_jhu