W11, BYOD, Chrome Books and User Personas

How Windows 11 is driving change in corporate choices today

Overview

Windows 11 device compatibility, and the cost option to pay for extended Windows 10 support past October 2025, is driving investigation into hardware, security and management options in many large organisations.  This article is intended to walk through the high-level considerations for corporate device changes that are designed to either reduce overall operational costs or improve the user experience.

Windows 11 corporate device compatibility was generally worsened by Covid.  The rush to move office workers into home based remote roles drove a laptop purchasing frenzy that was met by many hardware providers clearing their stocks of older devices, without future proofing being a main concern of the buyers.  The goal was remote working to keep companies viable, realistically without procurement weightings for future downstream hardware replacement costs.

In 2025 Corporations are therefore facing device replacement costs to align with Windows 11 support, and many have therefore started investigating BYOD or Chrome book options.

Why BYOD

So, why BYOD?  The principle is that while an organisation retains ownership of corporate data and resources that may be accessed, the device itself is the property of the user.  This scenario can give the following benefits:

• Reduce the overhead of corporate device ownership in relation to procurement and provisioning of corporate hardware.
• Gives users the ability to work from devices they are used to.
• Makes remote working easier to facilitate.
• Increased productivity.
• Provides a level of redundancy where there are corporate device issues or when an employer has reduced office space available.

The counterpoint of the cost savings potential of BYOD is a higher cost of managing and provisioning applications and security across a wider range of device types.  Corporations also have to consider remuneration for employees who provide a suitable BYOD device, and the enforcement of age limits and support requirements on a user provisioned device.

Why Chrome Books

Chrome books as corporate devices are interesting as they are far cheaper than typical corporate Windows OS devices.  They are also popular for the following reasons:

• Built in antivirus
• Fast boot times
• OS License free
• Light Weight

These benefits have seen Chrome Books being the standardised requirement for Students in middle schools, they are comparatively low maintenance, have low entry costs and provided that educational applications are web based then there is a one size fits all approach that standardises the student experience.

The rise in BYOD opportunities

Whether you consider the use of iOS devices or Chrome Books as the base of a BYOD strategy, the rise in corporate options has stemmed from improvements in mainstream Mobile Device Management (MDM) options for managing remote devices, and mobile application management (MAM) for corporate applications.  In the corporate world Microsoft has bundled the use of Intune and MDM with typical corporate M365 licensing, and as the features of Microsoft mobile device management have improved, this has reduced the need to run multiple device type specific management platforms.  Simplified security and OS management from one MDM platform has therefore made the corporate ability to manage the base security of BYOD devices simpler.

Secondly browser based or secure local client access to Virtual devices has widened the ability for corporations to provide a Workplace user experience that is as similar to the corporate desktop experience as to make little difference to the user. Adding where needed a VPN layer, and data access security for cloud held data, and there is the basis of a well-managed corporate experience.

User Personas and BYOD

As more corporate applications become Web based, there is a drive to map user personas across organisations for two reasons:

Firstly, to define software management personas, in effect deciding on a build and provisioning scenario that matches larger groups of users’ requirements.  This should simplify onboarding, minimising the need for post onboarding changes and software additions, user downtime and generally meet the target persona groups software requirements.

Secondly, to investigate Users’ application usage, to drive compatible hardware requirements.  In effect enabling a corporation to determine whether a user’s device requirement could be met by a Chrome Book or iOS device, or whether their general software licensing could be reduced.  In a perfect world scenario, if User requirements could be met by lower Microsoft licensing costs and a browser-based BYOD policy, without impacting user functionality or corporate security, then significant savings are possible.

The result of the above activity is to identify organisation units (users or device types) that meet differing criteria for BYOD devices and the software or data available to them.  In the end you are likely to have a layering of user profiles and suitable device types based on the following scales:

• Corporate Device user with access to Corporate only managed Resources
  • Think of this as your top tier of user requirements, with access to corporate data or applications that you wouldn’t want to be leveraged on BYOD devices. This can also cover use case scenarios based on computational power or physical lock down locations.
• Limited BYOD options with wider BYOD approved resources
  • Allows a limited set of BYOD device choices but give users access to a wider range of resources (applications and data) approved for BYOD access.
• Wider BYOD but limited approved resources
  • Allows a wider set of BYOD device types (think full Tablet, Laptop, Smartphone, Desktop spread), but against a more limited and controlled set of corporate resources

It is possible to target these groupings based not only on User Personas and BYOD security concerns over corporate resources, but against a physical demand of the applications utilised.  The data can soon become complex, as you are then subdividing your costs saving opportunities into a combination of User Persona, BYOD costs, IT and security management and variable virtual device sizing to allow for differing user requirements.  What starts as a three level scenario can blossom into many, with variable scaling of back end costs.  It is possible to implement a full scenario of BYOD computing, balancing corporate security requirements on resources access, with a variable cost model for virtual device provisioning, however consideration has to be given to the licensing and administration of a more complex model, versus the Goals of the BYOD Strategy itself.

The Risks of BYOD

Provided that the steps in the following section are addressed and costed, then the path to BYOD can meet the balance of corporate and user goals.  However, the following non exhaustive list are all relevant considerations that are often sighted.

• Potential of accidental data loss with data moving from corporate to personal storage
• Malicious data theft is often sited, not as a direct result of malicious user activity, but user installed applications on the personal device side of their BYOD device, monitoring or collecting data that the users have access to.
• Multiple Web Browser management, authentication and updates, along with Cloud Access Security Brokerage are concerns
• Complex RBAC requirements
• Lower enrolment trust, compared to a freshly provisioned corporate device, BYOD devices typically have usage prior to enrolment.
• User device refresh expectations, where a user is paid to provide a BYOD device, then what are the expectations when that device becomes end of life, and what are the enforcement actions available to the employer
• BYOD devices will typically be allowed access to a lower subset of applications and data compared to a corporate device, and this needs to be factored into User personas
• Perceived likelihood of unsupported devices, possibly as a result of higher overall device portfolio administration
• User incident reporting, with the possibility of reticence to report if there is a detrimental impact on their BYOD device.

Assuming that the above risks are understood and mitigated then there are several steps to the implementation of a corporate BYOD strategy, as outlined in the next section.</p

The corporate steps for BYOD for adoption

When considering the costs savings potential of BYOD, these do have to be balanced against an increased cost of corporate management, Software licensing and User training.  Following any investigation into BYOD opportunities, the following steps are core to an organisations successful implementation of a BYOD policy, and all should be considered, reviewed and costed prior to the journey commencing:

1. Define Corporate BYOD Usage Policy

This must specify approved devices, the role of corporate security, acceptable use, any impact on a personal device, privacy concerns, exit processes and the implications of user non-compliance. 

2. Understand Mobile Device Management capabilities and administration

Simplify BYOD management to as few MDM technologies as possible, and review to ensure that corporate requirements can be maintained on the nominated BYOD devices

3. Enforce data Protection and MFA

Encryption and BYOD device usage restrictions need to be enforced, but the user has to be able to work and access corporate data that meets their role needs.  Data location, local download privileges, encryption at rest and separation of corporate and personal data all need to meet corporate requirements and User rights.  MFA should be implemented for access to corporate systems from any BYOD device.

4. Employee Training

In addition to accepting the corporate BYOD Usage Policy, users need to be trained and reminded of any increased cybersecurity risks of BYOD, how they are to handle corporate data for their roles, and how to report issues, data or device losses.

5. Monitor, Update and Remote Wipe

BYOD devices should be subject to the same or higher standards than your corporate devices.  Your MDM technology and administration processes need to check for relevant security updates, approve them and apply to specific device types.  The corporate BYOD Usage Policy has to cover  remote device wipe and manage the expectations of the enterprise and User regarding the impact of remote enforcement on the BYOD device.

6. Corporate application re-development

Enterprises often have a range of internally developed or complex applications, with built-in on-premises requirements that do not sit well with a BYOD policy.  Some challenges can be alleviated by enforcing VPN access, others may need code changes to allow Entra ID based verification, or adaption to how corporate network shares are utilised.  These challenges may be alleviated by the use of User personas to dictate BYOD relevance to roles, with a fall-back position being an acceptance that a corporate managed and supplied device may be the only working alternative until specific application challenges are overcome.

Learn More About BYOD

A BYOD strategy, implemented well and fully considered prior to committing to the transformation journey, can meet corporate goals of reducing costs, increasing flexibility and improving or maintaining the user experience in many organisations.

The hidden costs such as Human Resource management implications, legal review, ongoing IT and Security Management overheads, licensing and data protection requirements may however negate or impact on the pursuit of bottom-line Operational Savings.

The National Cyber Security Centre has an excellent technical article on the use of BYOD in an Enterprise, under their Device Security Guidance collection of articles.  Their approach and understanding underpins the technical complexity of BYOD which should not be ignored when assessing whether a BYOD strategy is right for your Enterprise.  The NCSC articles are available here Bring your own device (BYOD) - NCSC.GOV.UK