From BlackBerry to BYOD
White Paper
Learn how Citrix XenMobile can empower your organization to move from traditional corporate-issued BlackBerry devices to any user-owned mobile device without sacrificing security and control.
citrix.com
The good news is that there are mobile device management (MDM) tools and other
solutions available for just these purposes. BlackBerry Limited (formerly Research
in Motion) recently introduced a solution for managing and securing iOS and
Android devices in addition to its BlackBerry devices. However, only Citrix provides
a comprehensive enterprise mobility management (EMM) solution that offers mobile
iOS and Android device users secure access to Windows applications and online file
sharing, in addition to providing IT with robust mobile device management and mobile
application management (MAM).
Both Android and iOS started as consumer-focused mobile platforms, but over
the past few years Google and Apple have increased their built-in management
and security features and made them available to third-party enterprise mobility
management solutions for centralized management from a single console.
BlackBerry has always been the gold standard for enterprise security and data
protection, and remains one of the only platforms with Federal Information
Processing Standard (FIPS) 140-2 certification, which means it’s approved for government
use. However, while BlackBerry security and management were once head and
shoulders above those of the competition, this is no longer the case. Android and
iOS security and management features have been upgraded over the years to the
point where they are usually acceptable for all but the most security-conscious
enterprise environments.
BlackBerry protects content stored on the device with FIPS 140-2 certified device
data encryption using the highly secure AES 256 standard, allowing enterprises to
encrypt all data on the device if necessary. BES 10, the current version, also offers
a feature called BlackBerry Balance, which allows the device to isolate personal
and work applications, files and network connections from each other, helping to
prevent the spread of personal malware and leakage of sensitive information. The
workspace is always encrypted and the personal space can be encrypted as well.
Apple has been adding similar enterprise security features with every iOS
upgrade. The most recent version, iOS 7, uses AES 256 device encryption for all
data and applications by default. It also includes a new feature called Managed
Open In that allows IT to define managed apps and unmanaged apps and create
a containerized work space that restricts managed apps from sending data
to unmanaged and vice versa. However, IT cannot restrict interactions among
managed apps.
iOS 7 native applications, including its email client, are not tagged as managed
apps, so enterprises can prevent users from sending data from managed
applications through email. Another feature, Managed Accounts, lets IT configure
a Microsoft Exchange account so that files can be opened only in designated
managed applications. If a managed application supports sharing in social media,
such sharing cannot be restricted, however.
If an iPhone is lost or stolen, the iOS Find My iPhone capability allows users to
locate the device with GPS and/or wipe it and display a message. The same
capability can be managed centrally through iOS 7 MDM interfaces. However,
selective wipe is not a native feature of the iOS platform itself.
Since Android is open source and has so many versions and devices, it’s difficult
to spell out its security features as easily as with iOS 7 or BlackBerry. The current
default device encryption is 128-bit AES, vs. 256-bit for the other two platforms.
Available third-party applications can separate work and personal applications and
data much the way iOS and BlackBerry can, and MDM agents can be harnessed by
IT for full or selective remote wipe. A number of Android platforms, such as Samsung
SAFE and Knox for the popular Galaxy devices, add a host of powerful security and
management features, including AES 256-bit encryption. The Knox platform is one of
the few, aside from BlackBerry, that boasts FIPS 140-2 certification.
However, some customers may be concerned about possible NOC outages and
some critics argue that the NOC architecture is not necessary now that wireless IP
connections are so much faster and more reliable than they once were.
With iOS 7, Apple has introduced per-app VPNs that allow IT to assign VPNs to
individual applications, rather than across the system, so the enterprise is not exposed
to all the applications and personal data on the device every time it connects.
Android has built-in support for PPTP and L2TP VPNs and the option to enable
always-on VPN mode. Several third-party platforms, such as Samsung Knox, can
achieve FIPS 140-2 certified 256-bit AES encryption over wireless connections.
Per-app VPN is not available natively in Android yet.
Protecting applications
Aside from the aforementioned workspace, BES 10 offers a built-in enterprise app
store, BlackBerry World for Work, which can be used by IT to push and install
mandatory enterprise applications remotely and list recommended and approved
apps for download as well. BES also provides the ability to set policies for
whitelisting mobile applications.
Android includes none of these features natively but provides APIs for integrating
with MDM and EMM solutions offering equivalent features, depending on the
device. For example, Samsung SAFE offers multiple MDM features for its Android
Galaxy line, including application whitelisting and blacklisting, which are available to
enterprise MDM applications via APIs.
The BlackBerry email client application is famous for its tight security, encrypting
email at rest and over the wireless connection and securing it via the BlackBerry
NOC architecture. Both Android and iOS provide native and third-party email
clients that use Exchange ActiveSync for accessing enterprise email, calendars
and contacts. Android email is not always encrypted at rest but can be protected
by using platforms such as SAFE or a secure third-party email client such as Citrix
WorxMail, and can be encrypted over the wireless connection using a VPN. iOS 7
encrypts email natively and can encrypt it over the wire via a per-app VPN.
Browser-based Outlook Web Access (OWA) is another email option that accesses
Exchange services via mobile device web browsers. Microsoft offers a native OWA
client app for Apple iOS that takes greater advantage of iPhone and iPad hardware
features than using OWA in a browser. Sandboxing can be implemented via the iOS 7
Managed Open In feature and via third-party applications on Android-based devices.
With BES 10, BlackBerry is a relative newcomer to the universal EMM marketplace.
It provides a number of management features to support iOS and Android devices
in addition to BlackBerry 10 devices. BlackBerry Fusion, a previous product,
included some of these features.
However, BES 10 will not work with previous BlackBerry device versions, which
means enterprises deploying them will need to run two different versions of BES.
Nor does BlackBerry Limited make management APIs available to third-party
EMM platforms, so these solutions can only provide basic device management for
BlackBerry devices, not the centralized mobile application management and other
features they provide for other device platforms.
BES 10 offers a number of powerful management features for iOS and Android,
including centralized device provisioning, monitoring and management across the
lifecycle. It also offers a host of policies that can be configured for Android and
iOS devices centrally. Perhaps the most significant feature of BES 10, however,
is the new Secure Workspace, an application wrapping, containerization and
connectivity function similar to BlackBerry Balance, which separates work and
personal domains, applications and data. It also provides enterprise-level iOS
and Android applications for access to enterprise email, calendars, and contacts;
a secure Work Browser; and Documents to Go for secure viewing of email
attachments. All data in the Secure Workspace, both at rest and in transit, is
protected with AES 256 encryption, and data in transit moves through the same
NOC as BlackBerry data.
Users can self-enroll devices after IT configures appropriate policies, and IT can
push out mandatory applications and updates and wipe work applications and
data remotely from Android and iOS devices in the event they are lost or stolen.
BES 10 has many attractive capabilities for BYOD organizations, but companies
making the transition should also consider EMM alternatives that have additional
features to address more use cases.
The Citrix solution is one of the few that lets iOS and Android devices access
enterprise Windows applications virtually using the market-leading Citrix
XenApp and Citrix XenDesktop software. XenApp and XenDesktop provide
unmatched performance over wireless networks, even over low-bandwidth or
inconsistent connections. There’s even the option of offline access to Windows
applications via a secure, encrypted virtual machine on the device subject to
powerful policy enforcement.
Also, XenApp and XenDesktop are excellent solutions for the most security-
conscious organizations looking to provide access without storing anything at
all on the mobile device. Citrix Receiver provides tools to create a more mobile-
friendly Windows experience adjusted for tablet and smartphone displays, with
features such as touch, pinch and zoom. For organizations that don’t want to
The XenMobile Worx environment provides Android and iOS devices with secure
mobile applications for email, calendars and web browsing, protecting the
enterprise from the hazards of native and third-party clients. The user experience
is very similar to that of native clients and browsers. However, the WorxWeb
mobile browser opens all links, including enterprise web and third-party SaaS
applications, in a secure, sandboxed environment that protects the organization
from hackers and malware.
The sandboxed WorxMail mobile client provides a rich user experience with
extensive enterprise visibility and policy enforcement, and its email and contacts
are inaccessible to personal applications. Both email and attachments can be
encrypted and IT can enforce policies to prevent attachments from being opened,
edited or saved in unapproved applications. Email users can also be prevented
from forwarding sensitive information or cutting and pasting confidential company
information into other documents. IT can enforce secure remote email connectivity
via a micro VPN and can disallow attachments in outgoing emails, forcing users to
provide ShareFile links for downloading instead.
In addition to Worx email and browsing applications, Citrix provides an SDK that
IT can use to add mobile policy enforcement to enterprise and third-party line-of-
business applications with as little as one line of code. The Worx App Gallery is an
online marketplace of hundreds of third-party Worx-enabled mobile applications
providing scores of useful mobile functions. Both the Worx environment and
per-app VPNs, as well as support for Samsung SAFE and Knox, are attractive
advantages of Citrix XenMobile compared to BlackBerry BES 10.
If a mobile device is lost or stolen, XenMobile MDM allows IT to remotely lock the
device and/or wipe sensitive applications and data.
Conclusion
Organizations looking to migrate from a BlackBerry to a BYOD environment have
more options than ever before. Both Apple and Android now provide a host of
enterprise-friendly management and security features, and several third-party EMM
platforms offer consistent, automated, centralized management of these devices.
The Citrix XenMobile platform provides the most seasoned, comprehensive EMM
solutions for making migration to BYOD speedy and successful.
About Citrix
Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, easily
and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing,
Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more
than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.
Copyright © 2013 Citrix Systems, Inc. All rights reserved. Citrix, XenMobile, XenApp, XenDesktop, NetScaler, Citrix Receiver, ShareFile, Worx,
WorxMail and WorxWeb are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other
countries. Other product and company names mentioned herein may be trademarks of their respective companies.
1213/PDF citrix.com