I've got several devices that I use frequently: a smartphone, a tablet, and a laptop. When I spent my time working at a VAR, I saw examples of all of these devices being brought into the environment. One problem: sometimes they didn't play well with patch management.
Most corporate IT environments use Windows as the "approved" operating environment. It's easy to manage and configure. Most people learn Windows on their first computer. Microsoft has written several tools to help manage Windows ecosystems. But users don't always want the corporate laptop.
Bring Your Own Device (BYOD) has caused an explosion of IT assets that don't necessarily fit the corporate plan. I used a Macbook in a Windows shop. Before that, I ran a Linux desktop in a very locked-down Active Directory network. Both times I had to take care of my own patching. Which is fine for an IT person like me. But what if the user isn't computer savvy?
How can IT enforce patches on systems that it doesn't technically own? I've seen all kinds of crazy quarantine systems and network access policies that prevent non-corporate devices from accessing the network if they aren't running agents or detection software. But does that really help when more than half your workers are bringing the systems they feel the most comfortable using?
IT needs to help enable knowledge workers to accomplish tasks quickly and easily. If that means those workers are going to use a tablet instead of a Windows laptop, then that is the way things need to be. That doesn't mean the security of data inside the organization should be at risk due to spotty patching practices. Do you want to see medical records leaked publicly because someone keeps delaying a patch reboot? Laugh, but people delay that little prompt all the time. And on a non-corporate asset, how can you enforce reboots and patch installations?
There have been "solutions" before. I can remember seeing Network Access Control (NAC) demos that forced users into quarantine areas to remediate their issues. These were all cumbersome and manual affairs. And how are you supposed to keep up with zero-day outbreaks? There was a time when Apple decided to block execution of Java to prevent an exploit. The problem was that the version number Apple specified was above the currently released version. Java wouldn't function until that little gaffe was fixed.
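The two mechanisms above, a NAC-style posture check that quarantines a device missing an agent or running an old version, and a minimum-version block that can lock everyone out when the threshold is set above anything that has shipped, are small enough to sketch in code. The block below is an added example, not code from the original post or from any NAC or Apple product; the policy layout, the software names, the version strings and the device reports are all constructed for illustration. The point worth taking from it is the second function: before a minimum-version rule is pushed, compare it against the newest version the vendor has actually released, because a minimum nothing can satisfy is an outage, not a control.

```python
"""
Posture-check sketch for a min-version policy (added example, not from the post).
Every software name, version string and device report here is constructed.
"""
import re


def parse_version(v: str) -> tuple:
    """Turn '1.7.0_10-b18' or '2.4.1' into a comparable tuple.

    Numeric segments compare as integers; anything else (build tags such as
    'b18') compares as text and sorts after numbers. This is a naive splitter
    for illustration, not a full semver parser: a bare '1.7.0_10' is treated
    as older than '1.7.0_10-b18' because it is a prefix of it.
    """
    parts = re.split(r"[._\-]", v.strip())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


# Constructed policy: software -> (minimum acceptable version, must be present?)
# The agent is required (absent => quarantine); the plugin only needs to be
# current if it is installed at all.
POLICY = {
    "endpoint-agent": ("2.4.0", True),
    "java": ("1.7.0_10", False),
}

# Constructed "newest version the vendor has shipped" table used to sanity-check
# the policy before it is published.
LATEST_RELEASED = {
    "endpoint-agent": "2.4.1",
    "java": "1.7.0_10",
}


def policy_errors(policy: dict, latest_released: dict) -> list:
    """Return rules whose minimum is newer than anything released.

    Such a rule cannot be satisfied by any device, which is the failure mode
    described above: the block fires on every client until the number is fixed.
    """
    errors = []
    for name, (minimum, _required) in policy.items():
        latest = latest_released.get(name)
        if latest is None:
            continue  # no release data; nothing to check against
        if parse_version(minimum) > parse_version(latest):
            errors.append(
                f"{name}: minimum {minimum} is newer than latest release "
                f"{latest}; no device can comply"
            )
    return errors


def evaluate_device(report: dict, policy: dict) -> tuple:
    """Decide allow/quarantine for one device report.

    report maps software name -> installed version string, or omits the
    software entirely when it is not installed.
    Returns (decision, reasons) where decision is 'allow' or 'quarantine'.
    """
    reasons = []
    for name, (minimum, required) in policy.items():
        installed = report.get(name)
        if installed is None:
            if required:
                reasons.append(f"{name} not installed")
            continue
        if parse_version(installed) < parse_version(minimum):
            reasons.append(f"{name} {installed} is below required {minimum}")
    return ("allow" if not reasons else "quarantine", reasons)


if __name__ == "__main__":
    # Constructed device reports.
    corporate_laptop = {"endpoint-agent": "2.4.0", "java": "1.7.0_10"}
    byod_mac_no_agent = {"java": "1.6.0_37"}

    print("policy check:", policy_errors(POLICY, LATEST_RELEASED) or "ok")
    for label, rep in (("corporate", corporate_laptop), ("byod", byod_mac_no_agent)):
        print(label, evaluate_device(rep, POLICY))

    # A rule whose minimum build is above the build actually shipped.
    bad_policy = {"java": ("1.7.0_10-b19", False)}
    print("bad policy:", policy_errors(bad_policy, {"java": "1.7.0_10-b18"}))
```

In a real deployment the `report` dictionary would come from the NAC agent or a network-side scan and the `LATEST_RELEASED` table from the vendor's release feed; the guard in `policy_errors` belongs in whatever pipeline publishes the rule, not on the endpoint.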
How are you handling patch management for your BYOD devices? Are you enforcing something via network policy? Are you leaving it up to the whims of the user? Or have you decided to build a perimeter around your user-facing edge to prevent disaster from striking?