Mobile Device Management
How to navigate the ever-changing mobile device landscape
InfoWorld.com
Deep Dive
MOBILE STRATEGY
Mobile management's landscape
Devices, apps, and information are the interrelated concerns to address
GALEN GRUMAN
Major vendors for key mobile management needs

Data loss prevention
  Traffic monitoring: InterGuard Software, Symantec
  Managed online storage: Accellion, Box, Citrix Systems, Dropbox, YouSendIt

Device management
  AirWatch, BlackBerry, BoxTone, Centrify, Citrix Systems, Fiberlink, Good Technology, Intel McAfee, Microsoft, MobileIron, SAP Sybase, Symantec, Tangoe, Wyse Trellia

Application management
  App distribution: Apperian, App47, Apple, Citrix Systems, Good Technology, MobileIron, Odyssey Software (Symantec), SAP Sybase
  Secure app development and management: AppCentral, Good Technology, MobileIron, SAP Sybase, Veracode, Verivo
  App content management: AppCentral, Good Technology, MobileIron, Mocana, Symantec Nukona
  Secure app containers: Antenna Software, BlackBerry, Cellrox, Enterproid, Fixmo, NitroDesk, Open Kernel Labs, Partnerpedia
The challenge for MDM vendors and IT alike is that because different mobile platforms have different capabilities, it's impossible to have a uniform management approach to all devices.
connect to. But commercial developers still need to pick one API and thus one vendor, or use multiple APIs in their apps, with the complexity that brings.
What's really needed, of course, is a common set of content management APIs that all apps can use with any management tool, analogous to the all-but-standard Microsoft EAS protocol in device management today. As in the case of EAS,
Even as IT has given up the notion of ruling over mobile devices and instead has come to view them as a device jointly owned with the user, IT rightfully wants to manage the business-oriented apps on those devices.
apps used by employees, contractors, and business partners, in which even a control-oriented organization simply can't seize the traditional control over all the devices.
From there, you can code installation profiles
based on user policies such as roles. When a user
logs into the (usually hosted) server, the apps tied to
his or her profile are downloaded to the device. The
server also pushes updates and gives IT a console
for monitoring usage, changing application permissions, locking down data, and wiping apps when a
user leaves the company or changes roles.
With these boxed apps, IT can control and monitor the apps in that box. The approach is very similar to how many MDM tools work, providing their own clients, managing the email, and so on, apart from the rest of the device; it's akin to the VDI approach used in Citrix Systems' Receiver app for mobile devices.
That box approach provides a clear separation between work and personal apps and data, but it's a bit heavy-handed, forcing users (in the case of Antenna's Volt) to open a container app to access business-provisioned HTML apps. That's acceptable for HTML apps, as users typically first launch a browser before running a Web app, and you can think of the Volt client as a browser for enterprise apps. Plus, IT directly controls those apps because they run on IT's servers just like a desktop Web app.
The enterprise-created HTML5 apps provisioned through Volt are kept in their own workspaces, so their data is encrypted and separated from the device's other info. Apple's iOS natively supports such encryption and separation, but Google's Android 2.x supports neither, and Android 3.x and 4.x support just encryption. Because the enterprise HTML5 apps run within Volt, the AMP server can directly manage them, without affecting the device's other apps.
In the case of iOS, the AMP server can also
manage native apps provisioned through AMP or
through an MDM integrated with AMP. Likewise,
an MDM tool that integrates with AMP can
manage apps provisioned by AMP (HTML5 and
native) or by the tool itself (native). Either way,
the HTML5 apps provisioned through Volt work
offline, syncing data when reconnected.
Theoretically, the Volt-provisioned HTML5
apps could be accessed as separate apps on an
iOS devices home screen, rather than through
Volt. They would still be secured and managed
as an app bundle by AMP, but the user would
What's key is that the management is embedded in the app, so you don't have to manage the device itself. Thus, you should be able to extend legitimate application management to a greater number of users than the universe of devices you actually manage.
the only real option for iOS devices until last fall. And now those organizations that need or want to manage applications more directly, with the same level of control, security, and compliance monitoring they enjoy on the desktop, have tools to move up to that level.
What is great to see in all this is an approach
for approaching the information management
question, one based on access privileges to keep
information away from unsecured environments
in the first place.
Wiping devices
Managing e-discovery
If you're dealing with a lawsuit's discovery motion, the use of mobile devices complicates the already complex e-discovery process. If you use server-based email such as Exchange or Google Apps, you have the emails received and sent from the user without needing to access the employee's mobile device. But if an employee used a personal email address to communicate something being sought through discovery, you may need to get that device and review its contents. This raises all sorts of messy issues related to user privacy.
The law around such access is murky, though courts have more often than not decided
that work information on personal devices is subject to e-discovery. Realistically, that means users' devices could be taken for legal discovery and all the contents rifled through. Making that clear in employee policies is probably a good idea. For employees who don't want their personal devices accessed by their company or opposing lawyers, the one true option is to use a work-only device for work and not mix personal and work to begin with.
What seems to really perturb IT admins is that these apps come from app stores, where there are no site licenses. And these vendors don't offer enterprise support plans. Welcome to the reality of consumerized IT.
IT needs to think different. Let go of the endpoint mentality, and instead focus on the information and access to it.
HANDS ON
Exchange ActiveSync policy support compared
Microsoft Exchange, Microsoft System Center 2012, Google Docs for Business, and various third-party management tools support EAS policies out of the box. According to mobile analyst Chris Hazelton at the 451 Group, the core EAS policies cover most businesses' needs. But as Table 1 on the next page shows, the various mobile OSes support different EAS policies; EAS support in and of itself doesn't tell you what security level you get.
Apple's iOS 4.2 was the first major modern mobile OS to support EAS policies, and it helped catapult the iPhone to enterprise dominance. Since then, Google has increased Android's EAS coverage in each version, with Android 4 supporting more EAS policies than previous versions. Samsung, the leading Android maker, has added policy support as well as APIs to Android 4 on many of its devices. (I detail which EAS policies each version of Android and Windows Phone supports in the article "How Windows Phone 8 security compares to iOS and Android.")
When you compare Windows Phone 8's EAS policy support to that of Windows Phone 7.5, there's not much difference. "Microsoft has not really added much on the management end," notes J.P. Halebeed, global director of R&D at mobile device management (MDM) vendor AirWatch. A critical addition is support for encryption on the device (it's on by default for internal storage, but not for SD cards) and the related support for EAS's encryption policies. The lack of support for encryption had been one of the biggest barriers to Windows Phone's business acceptance. Microsoft also supports the new
Table 1: EAS policy support by mobile OS
(MDM means a separate mobile device management server is required)

Columns: Apple iOS 7 | Samsung Android 4 + SAFE | Google Android 4 | BlackBerry 10 | Microsoft Windows Phone 8

Password history:   Yes | Yes | Yes | Yes | Yes
Disable camera:     Yes | Yes | Yes | No  | No
Disable Wi-Fi:      MDM | No  | MDM | No  | No
Disable Bluetooth:  MDM | No  | MDM | No  | No
Disable IrDA:       NA  | No  | No  | No  | No
Allow browser:      Yes | MDM | MDM | No  | No

(The other policy rows of the original table lost their labels in this copy, so their Yes/No/MDM values are not reproduced here.)
across the OSes, and each requires a management tool. Many MDM tools support multiple
mobile OSes, providing a single console for IT
admins. Some also offer client apps that add
capabilities not found in the native APIs, though
this typically forces users to opt for proprietary
email and other apps for business purposes. Table
2 on the next page shows some of the more
commonly requested management features typically implemented through APIs.
Apple, for example, has several dozen such
APIs that use remotely installed configuration
profiles not only to configure various iOS settings
(such as preconfiguring VPN or allowed access
points) but also to manage app behavior (such
as disallowing the forwarding of corporate
messages via personal accounts in Mail). iOS 7
adds several new policies, including the ability
to control which apps can be used to open
specific data formats, to create shared password
keychains, and to manage access to Apple TVs
(such as in conference rooms). All are part of what
iOS calls a supervised environment, in which the
iPhone or iPad is treated as an appliance.
Along the same lines, in Windows Phone 8, Microsoft supports the ability to revoke applications, restrict email forwarding, remotely enroll or unenroll devices, and remotely update business-provisioned apps. One capability in Windows Phone 8 not available to other mobile OSes is its integration with Active Directory, notes Ahmed Datoo, vice president of marketing at MDM vendor Citrix Systems. This means that MDM tools such as Citrix's can access the Active Directory groups, then assign policies to those groups rather than maintain a separate set of groups in the MDM tool from the set in Active Directory. That's a time-saver for IT, he notes; it reduces the risk of employees not being in the correct groups for the policies that should apply or falling through the cracks when terminated in, say, Active Directory but not in the MDM tool's user database.
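The role-based provisioning described earlier (apps tied to a user's profile are pushed on login and wiped on a role change or departure) and the Active Directory group mapping Datoo describes are the same reconciliation problem: derive what each device should have from a single directory, then diff it against what the device actually has. The Python below is an added example, not code from this article or from any MDM vendor. It maps directory groups to policies and business apps, emits the install, wipe, apply and revoke actions needed per device, and issues a selective wipe for accounts that were disabled in the directory but still have enrolled devices. The group names, policy names, app identifiers and the directory export are constructed for the example.

```python
"""Directory-driven mobile policy and app assignment (added example).

The directory export and device inventory below are constructed; the
group names, policy names and app identifiers are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical mapping from directory groups to MDM policies and business
# apps. Keeping this the only place roles are defined avoids a second,
# drifting copy of the group list inside the MDM tool.
GROUP_RULES = {
    "Sales":   {"policies": {"baseline", "crm-access"},  "apps": {"com.example.crm"}},
    "Finance": {"policies": {"baseline", "finance-dlp"}, "apps": {"com.example.ledger"}},
    "All":     {"policies": {"baseline"},                "apps": {"com.example.mail"}},
}


@dataclass
class DirectoryUser:
    upn: str
    groups: set
    enabled: bool = True


@dataclass
class Device:
    device_id: str
    upn: str
    policies: set = field(default_factory=set)
    installed_apps: set = field(default_factory=set)


def entitlements(user):
    """Union of policies and apps granted by the user's directory groups."""
    policies, apps = set(), set()
    for group in user.groups:
        rule = GROUP_RULES.get(group)
        if rule:
            policies |= rule["policies"]
            apps |= rule["apps"]
    return policies, apps


def reconcile(directory, devices):
    """Return the (action, device_id, item) tuples the MDM/MAM server should apply.

    Accounts disabled or absent in the directory get a selective wipe of
    business apps and policies (the 'terminated in AD but not in the MDM'
    gap). Role changes produce install/wipe actions for apps and
    apply/revoke actions for policies.
    """
    actions = []
    for dev in devices:
        user = directory.get(dev.upn)
        if user is None or not user.enabled:
            for app in sorted(dev.installed_apps):
                actions.append(("wipe_app", dev.device_id, app))
            for pol in sorted(dev.policies):
                actions.append(("revoke_policy", dev.device_id, pol))
            continue
        want_pol, want_apps = entitlements(user)
        for app in sorted(want_apps - dev.installed_apps):
            actions.append(("install_app", dev.device_id, app))
        for app in sorted(dev.installed_apps - want_apps):
            actions.append(("wipe_app", dev.device_id, app))
        for pol in sorted(want_pol - dev.policies):
            actions.append(("apply_policy", dev.device_id, pol))
        for pol in sorted(dev.policies - want_pol):
            actions.append(("revoke_policy", dev.device_id, pol))
    return actions


def sample_run():
    """Constructed scenario: alice moved from Sales to Finance, bob was disabled."""
    directory = {
        "alice@example.com": DirectoryUser("alice@example.com", {"All", "Finance"}),
        "bob@example.com": DirectoryUser("bob@example.com", {"All", "Sales"}, enabled=False),
    }
    devices = [
        Device("dev-1", "alice@example.com", {"baseline", "crm-access"},
               {"com.example.mail", "com.example.crm"}),
        Device("dev-2", "bob@example.com", {"baseline", "crm-access"},
               {"com.example.mail", "com.example.crm"}),
    ]
    return reconcile(directory, devices)


if __name__ == "__main__":
    for action in sample_run():
        print(*action)
```

In a real deployment the directory dictionary would come from an LDAP or Graph query and the device list from the MDM's inventory API; the point is that the reconcile step never consults a group list maintained inside the MDM, so a user disabled in the directory cannot keep business data by falling between two databases.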
Microsoft and Google provide far fewer such capabilities in their APIs, though Samsung and Google's Motorola Mobility unit have added their own security APIs to their Android 4 devices. For example, Samsung's SAFE APIs allow IT admins to disable cameras, Bluetooth, tethering, voice recording, SD cards, and Wi-Fi.
Table 2: Other native management capabilities
(Typically requires a mobile device management server to use)

Columns: Apple iOS 7 | Samsung Android 4 + SAFE | Google Android 4 | BlackBerry 10 | Microsoft Windows Phone 8

Encryption: the five cells read, in extraction order (their column assignment is not recoverable from this copy): "AES 256, user has no disable option"; "AES 128, user has disable option, only some models support encryption"; "AES 256, user has disable option, not all devices support encryption"; "AES 256, user has disable option"; "AES 128, user has disable option".
S/MIME:          Yes | No   | No  | Yes | Yes
VPN:             Yes | Yes  | Yes | Yes | Yes
Configure VPN:   Yes | Yes  | Yes | Yes | No
Secure boot:     Yes | Yes* | Yes | Yes | Yes
App sandboxing:  Yes | Yes  | Yes | Yes | Yes

(The other rows of the original table lost their labels in this copy, and the asterisk footnote on Secure boot did not survive extraction.)
Although both Apple and Microsoft have mechanisms to do at least basic app management (iOS can essentially hide an app so that it's no longer available to a user, and Windows Phone 8 can update corporate apps remotely), mobile application management (MAM) capabilities are mostly up to the mobile management vendors to deploy, Rege says.
All the app stores but Google's are highly curated. For their mobile OSes, Microsoft and BlackBerry copied Apple's curated approach, which has largely kept malware off iOS. Android has no such rigorous control, and although Google now spends more effort to analyze apps, the Google Play market is full of malware. The feds recently announced that industrial-class spyware used in advanced persistent
HANDS ON
Mobile management, OS by OS
Enterprise-grade security and manageability aren't exclusive to BlackBerry
GALEN GRUMAN
"Businesses do seem to be comfortable with BlackBerry, certainly, and also with Windows Mobile. They are increasingly comfortable with iOS 4."
Andrew Jaquith, Analyst, Forrester Research
BlackBerry OS
The key to securing a BlackBerry is to use BES 5 or BES 10, which provides over-the-air management based on more than 400 security and management policies that IT can use, from password requirements to remote wiping. BlackBerry OS 10 also supports EAS policies for smaller organizations that don't want to manage the full BES environment.
BlackBerry does offer free versions of BES for Microsoft Exchange and IBM Lotus Notes environ-
Mobile security and management capabilities compared
Key: EAS = via Microsoft Exchange ActiveSync. BES = via BlackBerry Enterprise Server 5.x or 10.

Columns: Apple iOS 3.x, 4.x, 5.x, 6.x, 7.x | Google Android 2.x, 3.x, 4.x | Microsoft Windows Phone 8 | Microsoft Windows Phone 7.x | Nokia Symbian | BlackBerry 5.x, 6, 7, 10 | BlackBerry Tablet OS

Rows: On-device encryption; Complex passwords; Support VPNs; Disable camera; Remote lockout; Remote wipe; Selective wipe of biz apps and data; Enforce and manage policies; EAS policies supported; Manage over the air; Second-factor authentication (RSA SecurID).

EAS policies supported: Apple iOS 14; Google Android 9 (Android OS 2), 13 (Android OS 3, 4); BlackBerry 9 (OS 10), none (others).

(The remaining cell values, which mix Yes/No with EAS, BES and 3PS markers, and the numbered footnotes did not survive extraction in this copy.)
Apple iOS
the air. It allows for selective wiping of business data and apps, and it supports complex passwords, on-device encryption, and remote wipe.
iOS supports 14 EAS policies managed through Exchange, and it uses configuration payloads that can be emailed to users, made accessible via a Web link, or provisioned over the air through Mac OS X 10.7 Lion Server or later. If you use a mobile device management tool from AirWatch, BoxTone, Citrix Systems, Good Technology, MobileIron, Symantec, Sybase's Afaria unit, Tangoe, or others, you can audit and enforce their use, as well as provision them over the air. AirWatch and MobileIron also let you manage Macs this way.
iOS 5 added a few additional policies for MDM tools to take advantage of as well: They can turn off iCloud syncing, require the use of a password to access iTunes, disable email forwarding, delete (not just render inaccessible) apps (both individually and for all corporate-provisioned apps), disable voice and data roaming, set policies for the handling of nontrusted certificates, detect and reapply user-deleted MDM configuration profiles, set Web proxies, set autologin for approved Wi-Fi access points, send crash data, and monitor battery levels. iOS 6 and iOS 7 added a few controls each for such granular management.
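Both the iOS 7 restrictions discussed alongside Table 2 (controlling which apps may open managed data) and the iOS 5-era ability to detect and reapply a user-deleted configuration profile come down to the XML property-list payloads an MDM server pushes. The Python below is an added example, not Apple's or any vendor's code. It builds a restrictions profile with the standard library's plistlib, audits a profile against a required baseline (an absent key counts as a finding, since iOS treats a missing restriction as allowed), and diffs a device's reported profile list against what the server expects. The PayloadType and restriction keys are Apple's documented ones; the identifiers, the baseline and the sample profile list are assumptions made for this example.

```python
"""Build and audit an iOS configuration profile (added example).

plistlib emits the XML property-list format that .mobileconfig files use.
PayloadType 'com.apple.applicationaccess' and the allow* keys are Apple's
documented restriction keys; the identifiers, UUIDs and the baseline
itself are constructed for this example.
"""
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"  # hypothetical reverse-DNS identifier prefix


def restrictions_profile(allow_camera=False, managed_open_in=True,
                         cloud_backup=False):
    """Return a configuration profile (bytes) with one restrictions payload.

    managed_open_in=True sets the iOS 7 keys that stop managed-app data
    from being opened in unmanaged apps and vice versa.
    """
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_PREFIX + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate restrictions",
        "allowCamera": allow_camera,
        "allowCloudBackup": cloud_backup,
        "allowOpenFromManagedToUnmanaged": not managed_open_in,
        "allowOpenFromUnmanagedToManaged": not managed_open_in,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_PREFIX + ".baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate baseline",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# Restriction keys the baseline must carry, with the value required.
REQUIRED_RESTRICTIONS = {
    "allowCamera": False,
    "allowCloudBackup": False,
    "allowOpenFromManagedToUnmanaged": False,
}


def audit_profile(profile_bytes, required=REQUIRED_RESTRICTIONS):
    """Return the restriction keys whose value differs from the baseline.

    A key that is absent is reported too: iOS treats a missing restriction
    as "allowed", so a profile that simply omits allowCamera has not
    disabled the camera.
    """
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            found.update(payload)
    return sorted(key for key, value in required.items() if found.get(key) != value)


def missing_profiles(installed_identifiers, required_identifiers):
    """Profiles the server expects that the device no longer reports.

    Running a device's profile inventory through this is how an MDM notices
    a user-removed profile before re-pushing it.
    """
    return sorted(set(required_identifiers) - set(installed_identifiers))


if __name__ == "__main__":
    good = restrictions_profile()
    weak = restrictions_profile(allow_camera=True)
    print("baseline findings:", audit_profile(good))       # []
    print("weak profile findings:", audit_profile(weak))   # ['allowCamera']
    # Constructed inventory: the device reports only the VPN profile.
    print("missing:", missing_profiles(
        ["com.example.mdm.vpn"],
        ["com.example.mdm.vpn", "com.example.mdm.baseline"]))
```

The audit deliberately compares against a required value rather than checking for key presence, because a profile that sets allowCamera to true is syntactically valid and installs without complaint; only the policy comparison catches it.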
Google Android OS
Although one of the most popular smartphone OSes, Android has been among the least secure. The Android 2.2 and earlier smartphone versions do not have on-device encryption nor do they support complex passwords, for example. "Enterprises are generally quite uncomfortable with Android right now, partly because the enterprise security road map doesn't seem too clear to them, and partly because the vast number of Android devices makes it hard to understand what will work for them and what won't," says Forrester's Jaquith. The lack of OS file system encryption is often cited as a concern.
But just as rabid iPhone users forced many businesses to allow iPhones in before Apple stepped up iOS's security, enthusiastic Android users are doing the same today. "Many customers seem willing, essentially, to punt and use something like Good Technology's product to put a secure workspace on Android devices so that they can use them," Jaquith notes. IBM's Lotus Notes Traveler app adds such a secure workspace for Notes users, as does NitroDesk's TouchDown app for Exchange users. And both Motorola Mobility (which Google is acquiring) and Samsung offer business-capable Android devices that add on-device encryption and EAS policy support similar to what iOS offers.
Over time, Android should get more secure. In fact, the tablet-oriented Android 3.0 OS does support on-device encryption and policies for complex passwords, password history, and password expiration. The Android 4.0 Ice Cream Sandwich OS, released in late 2011 for some devices, brings those security capabilities to Android smartphones, as well as tablets. Mid-2012's Android 4.1 Jelly Bean also supports them.
And it may not be just Google that fills in that blank in the short term. For example, Android 2.2 Froyo and 2.3 Gingerbread include only a basic VPN, but Motorola Mobility's Droid Pro includes the more robust AuthenTec IPSec multiheaded VPN. Likewise, the Motorola Mobility Atrix, the Photon 4G, and its other business smartphones, as does Samsung's SAFE series, add on-device encryption and Android 3-level EAS policies despite Android 2.2's and 2.3's lack of native support for them.
Nokia Symbian
Once billed as the most popular smartphone OS in the world, Symbian is almost invisible in the United States. Symbian's share of global Web
Devices such as the iPhone have strong personal utility and appeal, but they are also increasingly able to meet core corporate security and management needs.
If you're not treating employee use of personal and provisioned PCs and laptops with the same level of security requirements you're placing on mobile devices, then something's wrong.
compromise the public at large.
Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit military-grade encryption of email and other data, a military-grade "wipe contents after x failed attempts" policy, VPN access to sensitive systems and data stores, physical second-factor authentication support, military-grade on-device encryption, support for S/MIME and FIPS 140 standards, and discrete lockdown control over accessible networks and allowable applications.
unsecured Exchange synchronization. Thus, their built-in mail clients won't connect to an Exchange server that uses EAS policies. The Android 2.2 OS update brings some EAS policy support to such devices, such as password requirements.
The other option is to deploy a third-party management tool's client, such as the Good for Android app, which provides email, calendar, and contact access to both Exchange and Notes servers. The app can require a password, encrypt the messages and other data, and remotely wipe the messages and other information stored within the app. Of course, using it requires having a Good for Enterprise server in place. The same is true for similar clients from MobileIron and others.
For Lotus Notes environments, IBM has an Android version of its Lotus Notes Traveler app that lets you secure access to Notes and to data pulled in from Notes, as well as remote-wipe that data.
Microsoft Windows Mobile. Windows Mobile supports this category's PIN requirement and the good-to-have options. You can enforce most of them using Microsoft Exchange and its EAS policies; SSL encryption of messages in transit is a native capability of the Windows Mobile operating system.
If you use Lotus Notes with Domino 8.5.1 or later, you can use the free Lotus Notes Traveler app to remote-wipe Notes email, calendar, and contact data. But Domino/Notes can't enforce any devicewide policies on the iPhone, just on Notes access.
If you use Novell GroupWise 8, you can install the optional Data Synchronizer Mobility Pack to gain EAS policy access. Otherwise, you're stuck with the Mobile Server product, which uses the Nokia IntelliSync technology (discontinued in late 2008) rather than EAS to manage devices; that means each device needs to have an IntelliSync client installed, though Novell is no longer providing the client. Effectively, this limits GroupWise to older Windows Mobile (5.0 and 2003) devices.
Microsoft Windows Phone. Microsoft's newest mobile OS has less support for security than Windows Mobile. In this category, it supports the PIN requirement, as well as the following good-to-have capabilities: SSL encryp-
version of its operating system, but that changed
in the 2.0 release. The first version has no access
to corporate data protected by BES unless you
tether the PlayBook first to a BlackBerry smartphone, in which case the tablet is just a window
onto the protected smartphones data and apps.
Google Android. The 2.x version of Android OS lacks the services to provide most of this category's requirements, so it cannot legitimately meet the needs of Category 3 businesses. Android 3.x and 4.x do meet this category's basic needs, but not the nice-to-have capabilities.
Microsoft Windows Mobile. Windows Mobile supports all the requirements for this category, but you'll need Microsoft System Center Mobile Device Manager 2008, Good for Enterprise, or MobileIron products to handle the good-to-have option of managing which applications users may install. Otherwise, the issues and capabilities for Category 3 businesses
Table: capability support by business category
Columns: Cat. 2 (Important) | Cat. 3 (Sensitive) | Cat. 4 (Top Secret), each against Exchange, Notes, and GroupWise back ends.
Rows include Apple iOS 3.2, 4, 5, 6, 7; Nokia Symbian 3; and RIM BlackBerry 5, 6, 7, 10. Cells are marked "Natively supported" or "Not supported".
(The cell values and any other platform rows are not recoverable from this copy.)
BlackBerry. The BlackBerry supports all the requirements for this category if you use the full version of BES with Notes or GroupWise, or either the free Express or the paid full version of BES for Exchange. You'll need the full BES for the good-to-have features for all three email platforms. The issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses.
If your business deals with life-critical information, such as for defense work, there are only two viable smartphone options: BlackBerry and Windows Mobile.
Apple iOS. iOS 7 meets the military-grade encryption (FIPS) requirements (as well as S/MIME support in iOS 5 or later) and provides the level of application and network-access control necessary, but it doesn't support physical second-factor authentication. It can be used in military organizations, but only by those people whose level of clearance doesn't require extraordinary security measures.
Google Android. The Android operating system lacks the services to provide most of this category's requirements, so it cannot meet the needs of Category 4 businesses.
Microsoft Windows Mobile. Natively, Windows Mobile can't meet military-grade requirements such as physical second-factor authentication support and military-grade (FIPS) encryption,