How should employees without a company computer get access to the company’s applications?
Employees without a company computer, typical within trade and service industries, have until now neither needed nor had access to the company’s IT services. Now that work and communication processes are being digitized, companies depend on all employees having one or more company-provided applications, which brings with it certain challenges that need addressing.
To get access to the company’s applications, the employee must have an identity in the company’s IT system. Workers without company computers, usually referred to as deskless workers, often don’t need such an identity until the company starts deploying company-wide collaboration and communication tools like Workplace from Facebook, where the platform’s success depends on engaging all parts of the company, deskless workers included.
Typical challenges that often occur are:
- How do we invite the employees that do not have an email?
- How do we organize the infrastructure/where should they login?
- How do we get control over the user lifecycle?
- How shall we distribute new applications?
- Self-service and training – or customization of support?
1. How do we invite the employees that do not have an email?
This challenge is fundamental and far from unusual. Cloudworks has implemented cloud services in companies that have had tens of thousands of employees with no company-provided email account. There are many solutions. Some of them are better than others, but they all have their strengths and weaknesses.
The procedure needs to be tailored to the company, their security policies and sometimes also regulatory matters. In Germany, employees often won’t accept being contacted by IT or management via SMS on their private phone.
Private email could be a natural choice, and this might already be how the employee receives the payslip. If this is not an established and regularly used channel, typical problems are that the email address is outdated or has fallen out of use.
From a security point of view, the largest problem is that the company cannot control the email service. In the worst case, the address may have been reassigned to someone else or even hijacked without the company ever finding out.
One practical alternative, which we have implemented for some companies, is to send the invitations via SMS. This method isn’t 100% reliable either, but the likelihood of discovering that an invitation has gone astray, e.g. because the phone number has changed owner, is significantly higher with this method.
Another alternative is to print the invitations on paper and hand them out at the next staff assembly or attach them to the next payslip. With personalized invitation codes this is more elaborate than sending an SMS or email, but in some cases it might be the only choice you have.
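Whichever channel is used (private email, SMS or paper), the invitation itself should be a personalized, single-use code that expires and is stored only as a hash, so that a code that goes astray or a leaked invitation table is of limited value. The following is an added example, not Cloudworks’ own code; the employee IDs and validity period are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: employee_id -> (sha256 of code, expiry epoch, attempts left)
_invites = {}
_MAX_ATTEMPTS = 5
_DAY = 86400

def issue_invite(employee_id, valid_days=14, now=None):
    """Create a personalized one-time invitation code for an employee.
    Only the hash is stored, so the stored table does not reveal live codes."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(9)  # about 72 bits, still short enough for paper or SMS
    _invites[employee_id] = (
        hashlib.sha256(code.encode()).hexdigest(),
        now + valid_days * _DAY,
        _MAX_ATTEMPTS,
    )
    return code  # handed to the delivery channel (SMS gateway, print job, email)

def redeem_invite(employee_id, code, now=None):
    """Return True exactly once for the correct, unexpired code.
    Expired or exhausted invitations are dropped; wrong guesses use up attempts."""
    now = time.time() if now is None else now
    entry = _invites.get(employee_id)
    if entry is None:
        return False
    code_hash, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        _invites.pop(employee_id, None)  # a re-issue by HR/support is required
        return False
    presented = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(code_hash, presented):
        _invites[employee_id] = (code_hash, expires_at, attempts_left - 1)
        return False
    del _invites[employee_id]  # single use: a second redemption fails
    return True
```

The code is bound to a specific employee ID and consumed on first use, so an invitation read by the wrong person only helps them if they also redeem it before the legitimate employee does, which the onboarding process can then detect.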
2. Where should the employee login?
For many this is the largest challenge, since the choice affects fundamental parts of the company’s identity infrastructure. The starting point for most companies is that they have Microsoft Active Directory (AD) as their user database and that employees without a work computer are not registered there.
If the missing user group is added to AD, this will require buying additional Client Access Licenses (CALs). If the application that is going to be implemented is a cloud service, such as Office 365 or Workplace from Facebook, AD alone won’t be sufficient, since it cannot authenticate users to these kinds of services by itself.
Directly towards cloud services
The easiest alternative is to authenticate the employees directly against the new cloud service, as long as the service supports this. The benefit is that there is no need for additional infrastructure. The drawback is that this identity cannot be reused for other applications: the next application rolled out to the whole organization could not use the same login as the previous one. In the long term this is therefore not a user-friendly method.
Given that most companies will roll out multiple applications over the coming years, our recommendation is to introduce an identity service from day one that grows with the needs of the business.
Active Directory Federation Services
Companies with AD can expand it with Active Directory Federation Services, which the cloud service can use to authenticate users. One alternative within the Microsoft portfolio is to integrate the local AD with Azure AD. This is a well-proven solution that works especially well in homogeneous Microsoft environments. The solution can also be integrated with cloud services delivered by non-Microsoft vendors, but the selection and support could, depending on the service, be perceived as somewhat limited.
Independent identity solutions in the cloud
Organizations that prefer independent identity solutions in the cloud without vendor-specific lock-in may consider Okta or similar cloud-based identity providers. These are full-fledged IAM platforms that handle identity management for cloud services and offer advanced authentication features.
If you want to establish the service locally, then Micro Focus/NetIQ and other on-premise platforms are good alternatives. The list of identity and authentication platforms is long and still growing. Several solutions have wide functionality that can handle almost any scenario presented to them, though in the end, suitability depends on the situation and needs.
It is important to be aware that choosing the right identity solution will greatly simplify the introduction of cloud services into the business. The choice of solution is dependent on the company’s needs and further plans. Our recommendation is to develop an overall company identity strategy at an early stage in the process.
3. How do we get control over the user lifecycle?
The answer to this question goes hand in hand with the previous answer, especially if the goal is to automate the user management as much as possible. The user lifecycle deals initially with on- and offboarding of employees to services they are supposed to have access to. This can, of course, be done manually, or semi-manually with the help of CSV-imports or similar, but if this is unacceptable due to security or efficiency concerns, the service must be integrated with the identity infrastructure.
Furthermore, what is the process in the business? Is the data quality in AD good enough to be used as a source? The best option is to use the HR system as a starting point, since this is where the onboarding process should start. The identity solution should then be integrated with the HR system as its source. There might even be different sources for different user groups in your company; if so, all sources should be integrated and used properly.
If the employees without a company computer aren’t registered in the HR system or any other system, user management needs to be done manually, and delegation of user management can be a way to divide the ensuing effort. The identity solution is then arranged so that designated employees can create and remove users for their own store or region. This also avoids establishing request processes for getting and removing access.
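The core of the lifecycle integration described above is a reconciliation between the authoritative source (the HR system) and the identity store: new active employees get accounts, terminated ones are disabled, and accounts with no HR record at all are treated as orphans and disabled rather than left active. The example below is added here and is not Cloudworks’ code or any product’s API; the HR export, the directory contents and the store codes are constructed, and `scope_to_store` stands in for the delegated-admin check the text mentions.

```python
import csv
import io

# Constructed HR export, the authoritative source for the user lifecycle.
HR_FEED = """employee_id,name,status,store
1001,Anna Berg,active,oslo-01
1002,Ola Hansen,active,oslo-01
1003,Kari Lund,terminated,bergen-02
"""

def parse_hr_feed(text):
    """Return employee_id -> HR record from a CSV export."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(hr, directory):
    """Compare the HR source with the identity store and return the actions the
    integration should perform as (action, employee_id, store) tuples.
    `directory` maps employee_id -> {"enabled": bool, "store": str}."""
    actions = []
    for emp_id, rec in hr.items():
        should_be_enabled = rec["status"] == "active"
        current = directory.get(emp_id)
        if current is None:
            if should_be_enabled:          # onboarding: active in HR, no account yet
                actions.append(("create", emp_id, rec["store"]))
        elif current["enabled"] != should_be_enabled:
            action = "enable" if should_be_enabled else "disable"   # offboarding path
            actions.append((action, emp_id, current["store"]))
        elif current["store"] != rec["store"]:
            actions.append(("move", emp_id, rec["store"]))          # transfer between stores
    # Orphans: enabled accounts with no HR record. Disable, never delete silently,
    # so that a missing HR row does not destroy audit history.
    for emp_id, current in directory.items():
        if emp_id not in hr and current["enabled"]:
            actions.append(("disable", emp_id, current["store"]))
    return sorted(actions)

def scope_to_store(actions, admin_store):
    """Delegated administration: a store manager may only act on their own store
    (hypothetical check standing in for the identity solution's delegation model)."""
    return [a for a in actions if a[2] == admin_store]
```

Running the reconciliation on a schedule, and logging every returned action, gives both the automation the text asks for and a record of who gained or lost access and why.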
4. How shall we distribute new applications?
This is part of a slightly different discussion and might be an issue that will become relevant at a later stage. Traditionally, applications have been distributed to desktop clients, but the emerging cloud services often use an application portal or intranet with links to the company’s application portfolio. For employees without a company computer the intranet might still be unavailable. Then it might be better to have an application portal that is distributed as an app for mobile, which has links to the employee’s applications and notifies when new apps are available.
5. Self-service and training – or customization of support?
Organizations with many employees without a company computer often operate in industries with low margins. They tend to have a relatively high turnover of users, and the number of users can be relatively high. If introducing applications to this group triggers as many support cases per employee as for those who already have a computer and are heavy users of the company’s IT services, it can easily swamp those who provide support. Familiarity with IT solutions is not necessarily the same in this group of employees.
User-friendliness and preparing for self-service are the keys to a good user experience and an efficient operation.
- Have good self-service solutions for password change and reset.
- Make sure the onboarding of users, especially during roll-out, is intuitive.
- Provide easily accessible, relevant documentation.
- Keep in mind that the user group probably accesses the service from a mobile phone. Documentation in a traditional format might not work well that way.
- Feel free to offer e-learning in the form of short videos showing registration, logon, configuration of MFA, password reset and so on.
It is possible to organize good identity solutions for the industries mentioned in this article, without costing a fortune. The key to success is good planning. The company should have an understanding of their IT strategy for the next couple of years, as well as the functional needs and regulatory requirements that have to be taken into consideration.
In Cloudworks we have a lot of experience with identity management within trade and service companies and will happily provide clarification and conceptual advice.