Q&A: BYOD Is Better in Minneapolis

Minneapolis has had a bring-your-own-device (BYOD) policy for about two and a half years, and it began solely with smartphones. Since the explosion of tablet technology, however, the city has expanded – it either provides city-issued iPads to employees who want and need additional mobility, or allows employees to bring their own iPads to the environment.

“I decided that we would set up a program that would allow us to get ahead of the tablet orientation a lot of people were taking,” said CIO Otto Doll, adding that Minneapolis now has 171 iPads in its ranks – 86 of which are employees’ personal devices on one of two service options with the city.

In this abridged, edited interview, Doll explained why BYOD is better than a city-issued device, and how Minneapolis ensures a secure environment for all tablets on the city’s network – by taking just a little bit of ownership of the device since some users opt to retrieve all city data for which they’re authorized on their devices.  

Can you tell me about the BOYD policy itself – what does it consist of?

We have the iPad services come in two flavors: There’s a basic service and what we call a premiere service. Basic service [36 city employees use this] says that you can get your email, calendar, tasks and contacts synced up with the device – and you can either do that with your own device or with a city-owned iPad. The premiere service [50 employees use this] adds the ability to access the city’s network to get to your specific data sets out on your personal drives and folders, as well as guaranteeing that you can get the city applications through the iPad.

There’s also a Minneapolis app store where we went out and determined applications that allow people to function much like they do when they’re on a traditional desktop/laptop type setup in city government. We’re a Microsoft Office environment, so we have a way for people to get to a Word document and manipulate it if necessary; we chose apps to do that sort of stuff. We’ve got a PDF app out there, we’ve got the ability to browse your files and pull things up.

When it’s a city-owned iPad, we support the actual physical device. But we only do limited problem determination for people that own their own iPads; if there’s something wrong with it, they’ve got to get it fixed themselves. We provide this environment where we will ultimately allow full access to your city work world, but you’ve got to abide by our security requirements.

How do you determine who gets a city-issued iPad?

We require people to go through a process we have internally to allow people to acquire IT services in general, so departments vary a little bit in the processes that we set up with them, but basically if department management OKs it, then we will issue the device or we will accept a personally owned device when a department management OKs it.

I use my own personal iPad, and I have the premiere service, so I have access to [my work] world. I really feel, and we promote this with the staff, that if you’re going to do personal things with the device, which most people are going to end up doing, that there’s got to be some separation of duty. And people will cross that line. I think that’s just a natural outcropping – people, unless they really believe the device is only going to be used for city-purposes, it allows you to move into personal use of the device, which again, most people end up doing. So we expect over the life of this service that we will see far more people bringing their own to the table than getting a city-owned one. And it saves us some money in the sense that we’re not necessarily having to buy an iPad for an employee.

And what do you use to ensure your networks are secure despite employees using their personal tablets and smart phones? Or even the city-issued ones since they have access to almost everything?

One of the challenges with these types of devices is that they naturally store things on themselves, whereas we have a much stricter policy for desktops. Everything is stored in the network on the desktops. But ultimately if people have the authority to get to sensitive information, then they will also have that same responsibility to ensure that information is kept secure. And we drive certain levels of security, such as the degree of difficulty of the password; we maintain that when we support a personally owned device, we have the ability to wipe that device. So the individual employee signs up to that level of security and they typically sign a piece of paper that says they will abide by a stronger security profile when they are using their own device.  And when they’re connected in or coming in through a VPN connection, we secure stuff as one would expect.

And you said those on their personal devices have a stronger security profile – can you explain that a little bit?

On a normal iPad you can get away with just a four-digit password by default, unless you set on the iPad a much stronger requirement. We require a special character, at least one uppercase character, at least one lower and also numeric. We don’t allow the same password to be re-used within so many changes of the password, which we require to be changed. So those sorts of security standards can be set through parameters, which we basically lock down on an individual’s device, even if they own the device.

How did the city integrate smart phones and tablets – and a personalized app store – into its IT environment?