The Privacy-Control Trade-Off: User Privacy Vs. Corporate Control

One of the most powerful principles of economics is the concept of trade-offs. Whether it’s deciding to buy a new car rather than putting that money toward your retirement or the trade-off we make when we entrust our private information to businesses in return for more personalized services, we understand that with every choice we make, we must give up something in exchange for what we gain.

Every day, business and technology leaders grapple with such trade-offs. This is especially true for today’s dynamic enterprise environment in which more employees have now been afforded the option of choosing what type of technology they wish to use. Unlike in years past when a new employee was assigned a desk and a PC, workers today demand choice in how and where they can be most productive.

However, accommodating these choices requires trade-offs and, as such, is forcing IT organizations to address some thorny questions: What precautions should they take to detect and prevent wrongdoing or carelessness that could harm the company while respecting employee privacy? How might a slate of evolving data privacy regulations such as GDPR expose an organization to potential risks and liability? And how might the implementation of corporate controls negatively impact the user experience: will it come at the expense of their productivity or make it more challenging to hire and retain employees?

Managing Devices in a Hybrid World

Today’s IT environment looks strikingly different than it did just a few years ago. Between the rise of bring your own device (BYOD) and a global pandemic that hastened the current work-from-anywhere ethos, the hybrid enterprise is increasingly mobile, relying on a variety of devices and connectivity options. Personally owned devices also present other control and visibility challenges to IT organizations since security updates are not being regularly applied, making it difficult to measure the level of risk associated with BYOD devices and network connections.

In a similar manner, more businesses now support a combination of PCs and Apple products. For a new generation of users, having the choice of which technology they use for work represents an increasingly important factor in their employment decision. A study by Wipro found that 73% of employees are more loyal to a company that offers choices in the devices they use.

Whereas Apple was once considered a niche technology limited to the creative department, that’s no longer the case. According to a January 2023 report by IDC, across the last three years, Apple products have seen a 60% increase in market share while the PC market grew by only 6%. Considering that more than 70% of college students have indicated a preference for working on Mac devices, we should expect to see the adoption of Apple products continue to grow in the coming years.

As Apple becomes more embedded in the enterprise, mobile device management (MDM) solutions will play an increasingly important role in negotiating the trade-offs between corporate control and user privacy.

Three Principles for Striking the Right Balance

The nuances of trade-offs in the hybrid enterprise can be illustrated with the all-too-common scenario of an employee losing their iPhone. Most of us who have an iPhone are familiar with Apple’s Lost Mode feature, which can help you track down a missing phone and remotely wipe it if it can’t be retrieved. It’s important to understand that Lost Mode is designed for consumers who require a personal Apple ID, not for corporate-managed devices.

Apple provides the framework for a corporate-owned device to be located by the organization, but that method also requires the user to be notified that someone in the organization located the device, which might leave some users feeling uneasy about being tracked. Similarly, while MDM can be used to wipe a corporate-owned device, an IT admin would probably be reluctant to wipe an employee’s personal device in the event they haven’t properly backed up their private photos and data.

Because the expectation of privacy at home is different from what people are used to when working in the office, we must recalibrate what those boundaries mean as these lines become further blurred. Consider the following three principles when implementing corporate controls so that managing devices doesn’t come at the expense of your users’ privacy:

1. Be Transparent to Engender Trust: Telling your users what you’re going to do and why you’re doing it is essential in establishing and maintaining trust. By doing this, you can avoid users attempting to circumvent policies and deploying their own ‘shadow IT’ solutions. For users to trust IT, you need to demonstrate that it’s a two-way street. Clearly explaining, “Here’s what we’re doing and why we’re doing it,” in a way that they can easily understand can go a long way. That kind of open and honest communication will make it much less likely that a user will go behind IT’s back and potentially expose your organization to unnecessary risk, such as by using a personal device for work that might have security vulnerabilities. While communication is key, it’s just as important that we dedicate resources to training users on how to identify risk.

2. Embed Compliance Early in the Process: Just as software developers are now being encouraged to implement security best practices across the entire software life cycle rather than at the end of the cycle, IT organizations should likewise incorporate compliance-related processes and controls earlier in the device management life cycle. Companies should be thinking about providing mixed access for hybrid workers, while sensitive corporate systems should be protected by a device trust system where access is only granted from a corporate-managed and controlled device (and in some cases, they should consider providing employees with company-owned devices). This not only offers flexibility to use a personal device for some occasions but also provides an important layer of assurance that sensitive corporate systems can only be accessed by a trusted device.

3. Respect the Difference: Apple and Windows represent very different computing paradigms and consequently shouldn’t be managed in a way that erases those differences. By employing a multi-platform management solution to manage both, you just end up washing away the unique benefits of each platform and denying the preference originally expressed by your users. As a result, users become frustrated by not being able to take advantage of the capabilities and features they have grown accustomed to, which ultimately just ends up creating more help desk tickets for the IT team. Conversely, choosing a native device management tool, one that’s purpose-built for the best experience possible on that platform, will go a long way towards enabling the experiences that your end users wanted to begin with, and those users will be less likely to seek workarounds that directly conflict with existing policies.

There’s little doubt that Apple will continue to increase its penetration into the enterprise market in the years to come, and that tomorrow’s generation of workers won’t accept being tethered to a single platform. As IT teams grapple with the complexities that come with managing these hybrid device environments, they’ll likewise need to weigh the many privacy trade-offs that users will demand and government regulators will codify into law.

Weldon Dodd

Weldon Dodd is the SVP of Community for Kandji, a next-generation device management solution for Apple device fleets.