BYOD and the IT Department's Impossible Choice

When the iPhone became better than the company laptop, IT departments had to decide how much control was worth the fight. Neither option was clean.

2026-05-14 · 6 min read · Organizational Theory, Platforms & Ecosystems

Around 2010, something embarrassing started happening in IT departments at large organizations. Employees were showing up to meetings with iPhones that were faster, cleaner, and easier to use than the company-issued BlackBerrys they were supposed to carry. Some of them had stopped carrying the BlackBerry entirely. They were checking corporate email on their personal phones because it was better. IT did not authorize this. IT did not know what to do about it.

That moment, repeated across thousands of organizations over several years, is what "consumerization of IT" refers to. Consumer technology got better than enterprise technology in a particular domain (mobile devices) and employees started using what worked, regardless of what was approved.

The term "Bring Your Own Device" (BYOD) emerged as organizations tried to build a policy around something that was already happening. The policy challenge is not complicated to state, though it is very hard to resolve. If employees use personal devices to access corporate data, what rights does the organization have over those devices? If the organization has no rights, it cannot control what happens to corporate data when the employee's phone is lost, stolen, or compromised. If the organization has full rights, it is managing a device it does not own and that contains the employee's personal information, photos, messages, and anything else they keep on their phone.

Neither option is acceptable. So most organizations landed somewhere in the middle, which creates its own problems.

Mobile device management (MDM) is the software category that tries to resolve this. An MDM system lets IT configure and manage certain functions on enrolled devices without owning the device entirely. IT can push security policies (requiring a passcode, enabling encryption), control access to corporate apps, and, in most implementations, remotely wipe the device if it is reported lost or stolen or if the employee leaves the organization. The trade-off is the scope of visibility and control the MDM grants to the employer versus the privacy cost to the employee.

What most employees do not fully understand when they enroll their personal device in their employer's MDM is what they are consenting to. MDM enrollment agreements are long documents. Most employees click through them without reading. The exact scope of what the employer can see and do varies by MDM product and configuration, but the broad envelope is: employer can see what corporate apps are installed, can enforce policies on the device, can wipe corporate data (or sometimes the entire device), and can monitor compliance with security requirements. In some configurations, employers have broader visibility than employees assume.

The privacy question here is one that IS departments often inherit without being equipped to answer. A security team knows how to configure an MDM. They may not have thought carefully about what happens when a terminated employee's device is wiped and it turns out to contain three years of personal photos that were not backed up elsewhere. They may not have thought about whether their MDM visibility into app usage crosses a line that an employment lawyer would find interesting. These are legal and ethical questions that live in a gap between IT capability and organizational governance.

The deeper dynamic under BYOD is the same one that produces shadow IT in general. Employees are not circumventing corporate IT policy because they are careless about security. They are doing it because the authorized tools are harder to use than the unauthorized ones. An employee who uses Dropbox instead of the corporate SharePoint is usually not making a security calculation. They are making a convenience calculation, and the enterprise tool lost.

This pattern has accelerated in the years since the initial BYOD moment. The gap between consumer apps (Google Docs, Notion, WhatsApp, Slack free tier, and dozens of others) and traditional enterprise software is, in many areas, still large. When a project team needs to coordinate quickly and the corporate collaboration tool requires a ticket and a two-week procurement process, they use WhatsApp. When a small team needs to share files and the SharePoint permission system takes longer to navigate than the work itself, they use a shared Google Drive. These workarounds are not unusual. They are the normal operating mode of large portions of knowledge work.

The BYOD framing sometimes makes this sound like a hardware problem: personal phones accessing corporate data. The real dynamic is broader. It is about the structural gap between the speed and usability of consumer software and the procurement, security, and standardization requirements of enterprise IT. That gap is not closing in favor of enterprise IT. If anything, the tooling that individual users and small teams can access for free or cheaply has continued to improve faster than most enterprise procurement cycles can keep up with.

IT departments that try to solve this by locking everything down find that the workarounds move somewhere harder to see. IT departments that accept shadow IT as a reality and try to manage its risks find that they are governing a distributed, informal technology landscape that was never designed to be governed. The consumerization of IT did not create this problem so much as it made visible a structural tension that had always existed between user-level needs and organizational IT governance.


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
