Don't Let Mobile Phone Number Ownership Place Your
BYOD Program on Hold

Employee-owned phone numbers used for business purposes as part of a BYOD program carry the risk of negative financial and operational business impacts. Mobile operations and BYOD project leaders can use these best practices to evaluate the risk and develop an appropriate mitigation strategy.

• Allowing external-facing employees to use their own personal mobile numbers to engage with customers or partners places those contacts at risk of loss or dissatisfaction when workers leave or their employment is terminated.
• Many employees engaging in bring your own device (BYOD) programs value a separation of personal and work environments, and may not be comfortable using or resigning their personal mobile numbers as a condition for enrollment.
• Manual work-arounds requiring employees to block or mask outbound mobile numbers are rarely followed by employees.
• Even with a solution in place to offer a secondary number, some employees may favor using their personal numbers for work-related use because they are familiar to them and, in some instances, to their clients.

• Assign a second, enterprise-owned number to all personally owned devices that are involved in customer-facing interactions, or where faced with regulatory requirements for logging and archiving communications.
• Avoid manual work-arounds that require extra steps to block or mask caller ID for outbound calls.
• Investigate vendor solutions via PBX vendors and telephony carriers that implement dual-number, single-SIM solutions.
• Leverage training and written policies to guide employees to use only the approved applications and numbers for enterprise voice and SMS communications on their mobile devices.

Sanctioned personally owned smartphones continue to permeate into the enterprise, requiring IT organizations to re-evaluate existing mobile policies and find new technologies to segregate that which is personal from that which is enterprise-related on the device. While most organizations instinctually focus on their data isolation requirements for BYOD programs, voice communications are often simply relegated to the employees' personal plans and numbers. This approach, however, carries its own risks around employee satisfaction, customer retention, cost and regulatory requirements that need to be carefully evaluated.

In the latest Gartner survey (conducted in 2013) of 1,088 knowledge workers across the U.S., France and Germany, mixing personal and business activities on the same device was reported as the second-strongest employee concern for BYOD programs, second only to restrictions around personal app usage. Leveraging a personally owned callback number for business purposes only aggravates this problem, as many employees are uncomfortable providing their personal numbers to colleagues, partners or customers, or worse yet, placing it on their business cards or public-facing sites. Failure to provide employees with separate business numbers often results in lower adoption and satisfaction ratings for BYOD programs.

Permitting employees to use phone numbers owned by the enterprise is also a risk. Some segments of employees, especially in sales, relish the use of their personal numbers for business, because it creates a tie to the individual rather than to the organization, and serves as a security blanket should the employee depart. By allowing end users to use their own personal numbers and address books for business-to-consumer (B2C) or B2B interactions, terminated employees do not just take their personal devices when they leave, but also potentially important business contacts. Initiating a device wipe against a user's device, while removing the address book, will not prevent customers from communicating with former employees. For example, enterprises must evaluate the risk of members of their sales organization or field service representatives moving to a competitor and having existing customers inadvertently dialing those former employees directly.

Leveraging a personal number for work-related purposes limits the ability of the employer to track, record and manage business-related communications. Requiring employees to route their own numbers through a gateway for call recording or to submit detailed call records that include personal calls may violate privacy regulations or receive severe push-back from labor representatives. As a result, IT organizations in regulated industries where greater requirements for secure communications and call/SMS logging or archiving are present must evaluate their needs for a more robust, isolated approach.

Enterprise mobile number ownership is not always a requirement, nor will every user within a given organization meet such a requirement. Depending on the solution chosen, the different approaches to retaining the numbers may come at a cost or with an impact to the end user by deviating from the native mobile user experience. As a result, organizations should review what drives the need for retaining number ownership across roles by engaging the different business units to understand the risk of numbers being ported out, and consult with legal and HR teams to understand the limits to which monitoring and retention of numbers is permissible. IT organizations should review the following questions with feedback from their various business unit representatives when evaluating their requirements for phone number ownership:

• What is the current status of number ownership as stated in any existing policies, and do these policies require an update should the company's position change?
• What roles currently participating in the BYOD program present the highest risk when using a personal number?
• Are there potential alternatives to employee use of mobile numbers, and what is the impact of these alternatives on productivity and cost management?
• How does the corporate and regional culture respond to the separation of personal and work environments?
• What is the legal requirement for retaining call and SMS logs for employees, and what exceptions should the business be aware of?

IT leaders should also factor in the goals and policies of their overall BYOD program. Where only a very limited population of the workforce needs to have their phone numbers owned by the organization, simply designing eligibility criteria in the BYOD program's policy to exclude those users from the program and keep them on fully managed corporate-provided devices instead may prove satisfactory. However, in organizations aiming to move large populations onto BYOD, or to leverage BYOD to improve employee satisfaction or productivity, IT may be forced to support users where phone number ownership will need to be maintained. Enterprises must then select one or more solutions to meet their needs.

To address the challenge of phone number ownership for BYOD, no single solution exists that addresses all the needs of a larger, global organization and its employees. Instead, IT should consider offering alternative policy- and technology-based solutions for users to choose, based on role or geographic location. IT should carefully review the trade-offs of each approach, focusing on cost, end-user impact, geographic availability and required functionality.

• Employee number resignation – In BYOD programs that allow for personal devices to connect to the enterprise's carrier subscription, many IT organizations will include a caveat within the policy that, as a condition for enrollment, customer-facing employees get assigned new numbers for their devices or simply resign ownership of their existing personal numbers to the enterprise. This approach provides the organization with direct ownership of the numbers, along with the ability to leverage the existing pooled voice and data plans. Number resignation can, however, come at the expense of user satisfaction and lack of visibility to control personal and business interactions. Forcing users to resign their personal phone numbers leads many eligible employees to simply abstain from their company's opt-in BYOD program. As those numbers may be entrenched in their daily lives, the thought of simply giving them away to their employer is unacceptable. For employees who do participate, receiving both personal and business calls on the same line may risk customer satisfaction (for example, when the employee answers a customer call at an inopportune time, such as while in a loud restaurant). Because both personal and business calls come in through the same line, there is no way to differentiate whether all calls are personal or business-related.
• A fully managed option (two phones) – Providing users with an enterprise-owned, fully managed device allows the organization to maintain ownership of the phone number and service plan. These users may be allowed to participate in the BYOD program and connect a personally owned device (for example, a secondary phone or tablet) to various corporate resources. As part of the policy, however, users electing to receive an enterprise-owned device are required to leverage that device for all work-related voice communications. While some organizations will elect to mandate that specific user roles maintaining a high risk associated with phone number ownership be provided an enterprise-owned device, this option can also be provided as an opt-in, where users can elect to take the company-provided device if they are not comfortable with the voice and data management infrastructure and policies required for BYOD.

• Voice over Internet Protocol (VoIP) dialers – VoIP dialers provide a separate dialer app that allows users to leverage their 3G/4G cellular data or WLAN connections to place and receive calls. These solutions have traditionally faced concerns around inconsistent call quality when connected to the wireless WAN over slower connections. User experience for these apps also receives mixed reception based on OS restrictions that prevent a fully native look and feel (for example, requiring users to enter a PIN before answering or placing calls). This approach provides a largely hardware-agnostic, carrier-independent option, and will meet the requirements for larger, global rollouts. Organizations selecting a VoIP-based approach should review its impact on the users' data plans, especially when providing a stipend, reimbursement or allowance.
• Hosted services – Third-party VoIP services offer secondary numbers on the device, delivered through the VoIP client, without the need for additional on-premises infrastructure. While consumer-oriented VoIP services exist that offer secondary numbers at low or no cost, these solutions should be carefully evaluated as their lower cost often comes at a trade-off to central management, integration, call quality, security and user privacy. Example vendors include RingCentral and AT&T (Toggle).
• Mobile unified communications (UC) – Most UC suppliers now offer IT organizations the option to register a mobile phone with the enterprise IP-PBX over the cellular network and/or wireless LAN (WLAN), and use it in the same way as a desk phone. Some fixed-mobile convergence (FMC) solutions offer seamless handoff between in-building WLAN and the cellular network. Mobile UC solutions offer additional productivity benefits, such as directory and integration with presence and messaging services. Organizations evaluating these solutions should review the impact on their UC licensing agreement for mobile features along with their WLAN's coverage and overall network capacity to support additional traffic. Example vendors include Cisco, Microsoft, Unify and Avaya.
• PBX call forwarding and call twinning (no endpoint software) – Leveraging the call-forwarding capabilities available in most PBX solutions, IT organizations can transfer a call dialed inbound to the PBX to a mobile device. Contacts are provided either the user's primary desk phone PBX extension or a secondary extension dedicated to forwarding to the mobile device, and thus aren't provided the user's mobile number. Call twinning functionality allows two phones – typically a desk phone and mobile phone – to ring simultaneously and extend the connection through both devices. As the connection is shared versus simply forwarded, it allows users to answer calls from their mobile devices when away from their desks or offices, yet still maintain the PBX connection. These approaches require a lower initial investment, with no additional licensing costs for a mobile client, and may be appealing for organizations with older PBX infrastructure lacking client-side applications. However, they do not natively address the issue of caller ID from the mobile device for outbound calls nor handle SMS messages. Although there are work-arounds for outbound calls, such as dialing into your phone switch and transferring out to mask your number, or simply blocking caller ID altogether, these approaches require extra steps for users and typically garner only limited employee compliance. Instead, a mobile UC client (as discussed above) is commonly leveraged.
• Dual SIM – While the majority of smartphones are capable of only one native phone number through a single-SIM card, dual-SIM phones are available that support two separate SIM cards, each with its own number. With the additional SIM, a second dialer is provided on the device that can be leveraged as a work persona. Enterprises can keep the second SIM on the corporate plan, thus retaining ownership of that second number. As the availability of phones that support dual-SIM cards varies by region and device manufacturer, this hardware requirement places further limitations on device eligibility. In addition, eligible users may opt out of this approach as both SIM slots are being utilized for personal use to address variable carrier coverage and reduce roaming. Dual-SIM approaches should be looked at for regional deployments based on hardware availability, where cost control is the program's leading goal, even at a trade-off with expanded hardware choice. In areas with limited dual-SIM hardware options, dual SIM may still be leveraged as a secondary option for users interested in the devices on which they are available.
• Virtual SIM – Virtual SIM solutions virtualize SIM cards and their associated mobile numbers to simulate the presence of physical SIMs to mobile operator networks. As such, they function similarly to a dual-SIM approach, but can operate on a broader range of devices and devices not offering a dual-SIM variant. Because these solutions rely on carrier partnerships to function, global deployment is limited. In addition, it is likely with future carrier agreements that both numbers will be required to coexist on the same network, so users will be limited with their service plan choices. An example vendor is Movirtu (now part of BlackBerry).

As each solution comes with potential trade-offs, enterprises may be required to offer several alternatives guided by the constraints of individual role requirements, geographic location, device and carrier availability of the solution chosen. For example, while a global enterprise may find that a dual-SIM approach may make sense in EMEA to split costs leveraging a pooled voice and data plan, a mobile UC VoIP dialer approach may be preferable for U.S.-based employees, where dual-SIM devices are generally unavailable. In the same scenario, a policy allowing eligible users to choose an enterprise-owned device as an alternative to the BYOD program would cover any users not comfortable or technically able to comply with the BYOD program's requirements.

For most organizations, the aforementioned limitations around phone number resignation and call forwarding/twinning without a secondary outbound dialer will force these approaches to be a tactical move. For BYOD, enterprises should pursue a dual-number approach, leveraging two distinct numbers on the device to separate personal from enterprise-related communications. This approach provides clear separation of both inbound and outbound communication, and ensures that the enterprise retains ownership of the secondary number. Because hardware-dependent solutions limit user choice, enterprises should instead investigate vendor solutions via PBX vendors and telephony carriers that implement dual-number, single-SIM solutions. Future dual-number offerings based on voice over LTE (VoLTE) will significantly improve wireless WAN call quality through integrated support for packet-switched voice; however, these are still years away from widespread deployment (see Note 1).

Ultimately, the solution chosen is only as good as the compliance among users who employ it. As the selected approach may require a separate dialer, users need to be trained in the acceptable means for placing and receiving calls, along with how to install and use any third-party software provided. To avoid users getting into any bad habits, training should be issued at the time of deployment or during the BYOD enrollment process as part of the broader program onboarding.

The mobile policy signed by users participating in the program should outline the requirements to leverage the assigned solution for work-related communications. While full compliance may be difficult to monitor, enterprises should look at long-term inactivity on the assigned corporate number as a red flag for active customer-facing employees. As circumvention may introduce major compliance violations, IT should work with HR in determining the appropriate correctional activity for users found in violation, ranging from user notification and education to termination. Compliance can also be encouraged through tactics such as ongoing communications promoting best practices.

Additional research contribution and review: Steve Blood, Ken Dulaney, Bill Menezes, Rob Smith, Bryan Taylor, Chris Silva, Jason Wong and Nick Jones

As VoLTE garners further support from the carrier and handset communities, it will allow for voice to be run as an all-IP end-to-end service on LTE networks. Among the benefits introduced by VoLTE are higher-quality voice communications, faster call setup and the support of multiple public identities (phone numbers). The latter will allow the carriers to support dual numbers through a single dialer, and without the need for a secondary or virtual SIM. As carriers look to monetize on BYOD, we expect to see more carrier-delivered offerings for split numbers and billing on personally owned devices. However, VoLTE is still adolescent, with widespread adoption still years away. By September 2014, only 11 communications service providers (CSPs) worldwide had a commercially deployed VoLTE offering.