BYOD Topic: How Complicated Can Calendars Be?

In a January 2013 blog post from Microsoft TechNet regarding excessive iOS6.1 logging on a Microsoft Exchange Server1, author Bobby Pendino and Microsoft MVP Andy David trade comments regarding causes and fixes for an Apple-versus-Microsoft approach to managing calendar requests and synchronization. Now, these two companies are no stranger to complicated operating systems and complex code, but their differing approaches to a seemingly insignificant Information Systems (IS) component such as notification of calendar synchronization changes made a king-sized enterprise problem for anyone that had a combination of Apple consumer products and Microsoft server products (which is a pretty large number of organizations!). The primary incident discussed in this particular technical discussion described a single Apple device, automatically updated to iOS 6.1, and the resulting 50 Gigabytes of logging that inundated the Microsoft Exchange Server when the device rebooted and began checking calendar appointments automatically. In a web article from 8 February 20132, Author Ed Burnette notes that several corporate environments decided to shut off access by Apple devices, because there is no local control over the Apple automatic updating that their users had configured. The technical details flowed out over a few months, with a good reference for altering Microsoft Exchange mailbox handling to eliminate most of the problem, and leaving Apple users out in the cold until Apple released a fix (reference is here: https://devcentral.f5.com/community/group/aft/2165837/asg/50 ).

Clearly Apple and Microsoft worked quickly to remediate this particular flaw, but the real stakeholders that need to pay attention are enterprise IS managers and also corporate CIOs who are interested in bringing to fruition the business dreams of Bring Your Own Device (BYOD) that is all the rage these days. While it is a possible method for streamlining many of the difficulties of employees having various combinations of telephone, tablet, laptop, slate, and desktop computers that are personally or organizationally owned, this particular story highlights the real possibility that BYOD brings a whole new world of risk into the information systems strategic thinking bubble. Much of risk-based assessments of evolving IT and IS infrastructure assumes a certain predictability of likely futures. In a true BYOD enterprise, how does one postulate the risk over the universe of possible devices that might be brought to bear to access and interact with corporate data when the user has full flexibility?

The implications are significant. An organization that proposes to implement a BYOD strategy needs to provide policy-level guidance that can exist long enough for employees to effectively understand and use it properly, along with implementation procedures that are technically current enough to handle new devices and interactions as they evolve and occur.

If the policies of an organization change quickly over time to accommodate technology changes, employees will not have a firm enough basis to understand and comply with that policy. The result is an unwillingness or an actual inability to really comply with the guidance because it is too transient to succeed as a policy.

If the procedures an organization’s IT/IS personnel implement are insufficient to meet the policy directives, then the risk increases significantly that some unusual/odd/uncharacteristic device may be introduced that has an unintended consequence that has great impact on the organization.

Typically, an organization includes policy statements such as “the incorporation of new software or hardware onto the network must be coordinated with the IS/IT department so that compatibility and impact analysis can be done.” In the situation described, there was no opportunity to vet the impact of a revised Apple iOS because it was automatically configured without user interaction and without coordination with the enterprise components of any organization. The decision of a single hardware provider can impact directly on an entire organization without any opportunity to develop remediation or integration steps effectively.