Device diversity has been a long-standing issue in the workplace — cross-OS devices, tablets and mobile devices, and personal devices all add distinct layers of difficulty into the device management process for IT. Due to ever-increasing device heterogeneity in the workplace on top of the COVID-19 pandemic and subsequent popularization of remote work, many organizations have been forced to rethink the way devices are distributed and managed.
More specifically, 2021 brought with it a widespread BYOD trend. According to Bitglass, in 2021, 47% of organizations saw an increase in the use of personal devices for work purposes. What’s important about this is that personal devices used for work purposes can’t be managed in the same way as corporate-owned devices.
This trend, and more importantly how we work today, has opened up new challenges (and opportunities) for IT orgs. The key here is to understand what devices exist in an organization, categorize them based on who owns and/or manages them and what their purpose is, and then decide how holistically they can be managed. Mapping all of this out helps you avoid confusion while minimizing unintentional attack vectors.
To do this properly, you need to first gain a full understanding of what device management options exist. This article defines and explains the following device acronyms: BYOD, COD, COPE, COBO, and CYOD. Once you have a clear understanding of the differences between each, you can take the next step in your device management journey by creating policies to manage and secure devices in each relevant category.
Understanding Device Terminology
There are two primary categories of devices used in the workplace: personal devices and corporate-owned devices (COD). What’s more, the COD category can be further broken down into even more specific groups. The variables that differentiate each type of device are:
- Who owns the device?
- Who owns the data on the device?
- Who maintains the device?
- Who pays ongoing bills associated with the device?
- Who owns the phone number registered to the device?
- What capacity is the device used in?
You can use this list in two ways. The first way is to figure out which types of devices are currently used in your organization and create a policy for each. The second way is to use your preferences to answer these questions, figure out which device type is associated with your answers, and choose to only allow that type in the workplace.
Let’s dive into the acronyms associated with each.
What is BYOD?
BYOD stands for bring your own device.
BYOD refers to the trend of employees using personal devices to access work-related systems and resources. These personal devices can be anything from laptops to tablets to smartphones to USB drives and more.
BYOD in the workplace typically requires that you draw a hard line regarding what will or will not be monitored to maintain employee trust. If you choose to install an agent on personal devices to monitor usage, implement conditional access policies, or something else, it needs to be clear what you can see and what you can’t. Monitoring personal use of the device is outside of the organization’s scope.
Keep in mind the costs associated with BYOD — both monetary and non-monetary. If employees are allowed to use any type of device for work purposes, support personnel will have a lot on their plate. Securing and monitoring such a wide range of devices is expensive, difficult, and time-consuming. If you choose to specifically allow BYOD in your organization, consider narrowing it down (e.g. the only BYOD allowed are laptops — no phones, tablets, or any other non-COD).
What is COPE?
COPE stands for corporate-owned, personally-enabled.
COPE devices are provided to an individual by the organization. They are used primarily for organizational purposes, but the individual is also allowed to use them in a personal capacity. It’s important to note that with COPE devices, privacy can be compromised, as the organization has visibility into everything happening on the device. However, privacy concerns can be mitigated with the proper containerization tools that separate work-related data and personal data.
One example of this is a role that requires the use of a smartphone. A COPE phone allows employees to carry a single phone on them during work hours, rather than two. The phone will be set up with work-related apps and abilities, but the user is able to make voice calls, send texts, check a personal email account, and download personal apps from it. COPE devices can be a good compromise between a too strict COD policy and a too lenient BYOD policy.
What is COBO?
COBO stands for corporate-owned, business-only.
COBO takes things a step further than COPE by prohibiting personal use on the device. COBO devices often come in the form of kiosk tablets, Zoom Room controllers, and other devices that are used by the business at large, rather than by individuals. However, it is possible for individuals to have COBO devices, such as a company-issued smartphone with policies prohibiting personal use.
While COBO devices are great for organizational security and productivity monitoring, they significantly restrict users and remove the user’s ability to to use a single device for work and personal purposes. COBO is an adequate solution for organizations looking to step up security and compliance and/or organizations that lack the ability to keep personal and work data separate.
What is CYOD?
CYOD stands for choose your own device.
CYOD allows employees to choose from a list of devices specified by the organization. This gives employees more freedom and flexibility to choose the device(s) that works best for them, while staying under the umbrella of device management that IT has already established. This controlled approach keeps support costs low. Support technicians only need to be trained on certain devices, and fewer device types and configurations used means cheaper and easier to support.
In some cases, employees have the option to select and pay for the chosen device, which transfers ownership over to them. This approach is used as a compromise between the traditional BYOD and COD strategies. (This approach is not reflected in the table above.)
Managing BYOD and COD
Use the tables above and the graph below to determine what level of flexibility you want to allow, as well as what level of ownership you want over the devices used in your organization. COPE and CYOD can vary in flexibility depending on the policies you enact, and BYOD can have more corporate control over it with the right device management tool in place.
Keep in mind that you don’t just have to choose one type of device to allow. The rules can change from department to department, but don’t bite off more than IT can chew. No matter what direction you choose to go, create specific policies around devices to protect your organization and your employees. Be sure to also put a holistic device management tool in place to ensure that you remain as secure, compliant, and productive as possible, no matter what devices are in the mix.