
From BlackBerry to BYOD White Paper

From BlackBerry
to BYOD
Learn how Citrix XenMobile can
empower your organization to
move from traditional corporate-
issued BlackBerry devices to any
user-owned mobile device without
sacrificing security and control.

citrix.com

There was a time when enterprise mobile computing
meant IT-issued laptops for creating content and
BlackBerry devices for sending and receiving email.
Thanks to the popularity of Apple iOS and Google
Android platforms, the consumerization of IT and
enterprise bring-your-own-device (BYOD) programs,
the entire mobility landscape has shifted. Today’s
mobile workers are more likely to be using the same
iPad, iPhone and Android-based devices at work
that they use at home. IT departments have tried
to accommodate these users to reap the proven
productivity, job satisfaction and customer service
benefits of BYOD.

How do organizations shift from a BlackBerry-for-all approach to true mobile device
diversity while maintaining the control, management, security and compliance they
were used to before BYOD? What can they use to provide secure connectivity to
enterprise networks, email, contacts, calendars and applications? What is the best
way to protect proprietary information on the device and the enterprise network from
hackers and mobile, web and personal application-based malware? Finally, how can
mobile device users be prevented from sending sensitive information in a personal
email or posting it to a social network site?

The good news is that there are mobile device management (MDM) tools and other
solutions available for just these purposes. BlackBerry Limited (formerly Research
in Motion) recently introduced a solution for managing and securing iOS and
Android devices in addition to its BlackBerry devices. However, only Citrix provides
a comprehensive enterprise mobility management (EMM) solution that offers mobile
iOS and Android device users secure access to Windows applications and online file
sharing, in addition to providing IT with robust mobile device management and mobile
application management (MAM).

BlackBerry vs. Android and iOS


In evaluating the challenges of migrating from BlackBerry to iOS and Android devices,
it’s important to understand the management and security options offered by each
mobile device platform. BlackBerry has always been enterprise focused and, unlike
iOS and Android, always packaged with its own enterprise mobility platform, the
BlackBerry Enterprise Server (BES).

Both Android and iOS started as consumer-focused mobile platforms, but over
the past few years Google and Apple have increased their built-in management
and security features and made them available to third-party enterprise mobility
management solutions for centralized management from a single console.


Data protection on the device


With mobile users connecting to the enterprise network for email and enterprise
applications, taking and sharing enterprise files and data on the road and mixing
personal and enterprise applications and data on the same device, enterprise
mobile data protection has become vitally important.

BlackBerry has always been the gold standard for enterprise security and data
protection, and remains one of the only platforms with Federal Information
Processing Standard (FIPS) 140-2 certification, which means it’s approved for government
use. However, while BlackBerry security and management were once head and
shoulders above those of the competition, this is no longer the case. Android and
iOS security and management features have been upgraded over the years to the
point where they are usually acceptable for all but the most security-conscious
enterprise environments.

BlackBerry protects content stored on the device with FIPS 140-2 certified device
data encryption using the highly secure AES 256 standard, allowing enterprises to
encrypt all data on the device if necessary. BES 10, the current version, also offers
a feature called BlackBerry Balance, which allows the device to isolate personal
and work applications, files and network connections from each other, helping to
prevent the spread of personal malware and leakage of sensitive information. The
workspace is always encrypted and the personal space can be encrypted as well.

With BlackBerry Balance, any data sent to the BlackBerry workspace is
inaccessible to personal applications. Users cannot cut and paste work information
into personal applications or email messages. Highly granular policies for further
data loss protection can be set up as well, either alerting users when they are
about to send confidential enterprise information to personal contacts or social
media or preventing them outright from doing so.

In the event the BlackBerry device is stolen or an employee leaves the
organization, IT can wipe all information and applications from the device remotely,
or just wipe work-related information to prevent sensitive information from getting
into the wrong hands.

Apple has been adding similar enterprise security features with every iOS
upgrade. The most recent version, iOS 7, uses AES 256 device encryption for all
data and applications by default. It also includes a new feature called Managed
Open In that allows IT to define managed apps and unmanaged apps and create
a containerized work space that restricts managed apps from sending data
to unmanaged and vice versa. However, IT cannot restrict interactions among
managed apps.

iOS 7 native applications, including its email client, are not tagged as managed
apps, so enterprises can prevent users from sending data from managed
applications through email. Another feature, Managed Accounts, lets IT configure
a Microsoft Exchange account so that files can be opened only in designated
managed applications. If a managed application supports sharing in social media,
such sharing cannot be restricted, however.


If an iPhone is lost or stolen, the iOS Find My iPhone capability allows users to
locate the device with GPS and/or wipe it and display a message. The same
capability can be managed centrally through iOS 7 MDM interfaces. However,
selective wipe is not a native feature of the iOS platform itself.

Since Android is open source and has so many versions and devices, it’s difficult
to spell out its security features as easily as with iOS 7 or BlackBerry. The current
default device encryption is 128-bit AES, vs. 256-bit for the other two platforms.
Available third-party applications can separate work and personal applications and
data much the way iOS and BlackBerry can, and MDM agents can be harnessed by
IT for full or selective remote wipe. A number of Android platforms, such as Samsung
SAFE and Knox for the popular Galaxy devices, add a host of powerful security and
management features, including AES 256-bit encryption. The Knox platform is one of
the few, aside from BlackBerry, that boasts FIPS 140-2 certification.

Data protection over the wire


As with its device encryption, the BlackBerry platform protects enterprise data sent
over the airwaves with AES 256 encryption. The BlackBerry platform is also famous
for its network operations center (NOC) architecture, which adds a layer of security
that tunnels email to the NOC and then to the BES server using encryption and
compression. BES servers only accept email from the NOC, so it’s not necessary
for enterprises to open ports for inbound Internet communication. This architecture
is inherently more secure than those of other platforms.

However, some customers may be concerned about possible NOC outages and
some critics argue that the NOC architecture is not necessary now that wireless IP
connections are so much faster and more reliable than they once were.

With iOS 7, Apple has introduced per-app VPNs that allow IT to assign VPNs to
individual applications, rather than across the system, so the enterprise is not exposed
to all the applications and personal data on the device every time it connects.

Android has built-in support for PPTP and L2TP VPNs and the option to enable
always-on VPN mode. Several third-party platforms, such as Samsung Knox, can
achieve FIPS 140-2 certified 256-bit AES encryption over wireless connections.
Per-app VPN is not available natively in Android yet.

Protecting applications

Aside from the aforementioned workspace, BES 10 offers a built-in enterprise app
store, BlackBerry World for Work, which can be used by IT to push and install
mandatory enterprise applications remotely and list recommended and approved
apps for download as well. BES also provides the ability to set policies for
whitelisting mobile applications.

The iOS Developer Enterprise program enables companies to publish enterprise
app stores of approved applications for internal use. Enterprises can also control
which applications become managed apps with the containerization features
outlined earlier.


Android includes none of these features natively but provides APIs for integrating
with MDM and EMM solutions offering equivalent features, depending on the
device. For example, Samsung SAFE offers multiple MDM features for its Android
Galaxy line, including application whitelisting and blacklisting, which are available to
enterprise MDM applications via APIs.

The BlackBerry email client application is famous for its tight security, encrypting
email at rest and over the wireless connection and securing it via the BlackBerry
NOC architecture. Both Android and iOS provide native and third-party email
clients that use Exchange ActiveSync for accessing enterprise email, calendars
and contacts. Android email is not always encrypted at rest but can be protected
by using platforms such as SAFE or a secure third-party email client such as Citrix
WorxMail, and can be encrypted over the wireless connection using a VPN. iOS 7
encrypts email natively and can encrypt it over the wire via a per-app VPN.

Browser-based Outlook Web Access (OWA) is another email option that accesses
Exchange services via mobile device web browsers. Microsoft offers a native OWA
client app for Apple iOS that takes greater advantage of iPhone and iPad hardware
features than using OWA in a browser. Sandboxing can be implemented via the iOS 7
Managed Open In feature and via third-party applications on Android-based devices.

MDM, EMM and virtualization alternatives


While the native features of iOS and Android have improved greatly, the
management and deployment package offered by BlackBerry Limited makes its
devices more enterprise friendly compared to devices running the other platforms,
which have no such packages. However, enterprises looking to migrate to iOS
and/or Android can achieve comparable management capabilities using a third-
party EMM platform such as Citrix XenMobile. Instead of wrestling independently
with each mobile platform and its particular features, enterprises can apply a
common management infrastructure and set of policies across all three. EMM
solutions also provide automated device management features that allow users
to self-enroll their devices and enable IT teams to track, provision and support the
devices throughout their lifecycle.

With BES 10, BlackBerry is a relative newcomer to the universal EMM marketplace.
It provides a number of management features to support iOS and Android devices
in addition to BlackBerry 10 devices. BlackBerry Fusion, a previous product,
included some of these features.

However, BES 10 will not work with previous BlackBerry device versions, which
means enterprises deploying them will need to run two different versions of BES.
Nor does BlackBerry Limited make management APIs available to third-party
EMM platforms, so these solutions can only provide basic device management for
BlackBerry devices, not the centralized mobile application management and other
features they provide for other device platforms.

BES 10 offers a number of powerful management features for iOS and Android,
including centralized device provisioning, monitoring and management across the
lifecycle. It also offers a host of policies that can be configured for Android and
iOS devices centrally. Perhaps the most significant feature of BES 10, however,
is the new Secure Workspace, an application wrapping, containerization and
connectivity function similar to BlackBerry Balance, which separates work and
personal domains, applications and data. It also provides enterprise-level iOS
and Android applications for access to enterprise email, calendars, and contacts;
a secure Work Browser; and Documents to Go for secure viewing of email
attachments. All data in the Secure Workspace, both at rest and in transit, is
protected with AES 256 encryption, and data in transit moves through the same
NOC as BlackBerry data.

Users can self-enroll devices after IT configures appropriate policies, and IT can
push out mandatory applications and updates and wipe work applications and
data remotely from Android and iOS devices in the event they are lost or stolen.

BES 10 has many attractive capabilities for BYOD organizations, but companies
making the transition should also consider EMM alternatives that have additional
features to address more use cases.

The Citrix solution


Enterprises seeking a comprehensive, seasoned MDM and EMM platform,
together with mobile access to Windows applications and a virtualization option,
should take a close look at XenMobile. Citrix offers a raft of powerful features, such
as secure mobile access to Windows applications, online secure file sharing and
per-app VPNs, which BES 10 does not provide.

XenMobile MDM Edition is a comprehensive MDM platform that discovers and
manages all mobile devices on the network, including iOS, Android and BlackBerry
devices. Administrators can configure its mobile management servers via a web-
based administrative console and import user group accounts from Microsoft
Active Directory. Once policies are configured, mobile staff can self-enroll devices,
which are then configured automatically with granular IT policies and designated
applications. XenMobile MDM Edition also offers an enterprise app store that
provides access to additional suggested and approved applications. In contrast
to most competing MDM solutions, including BES 10, the app store serves as a
central point of access to approved SaaS and Windows applications as well.

The Citrix solution is one of the few that lets iOS and Android devices access
enterprise Windows applications virtually using the market-leading Citrix
XenApp and Citrix XenDesktop software. XenApp and XenDesktop provide
unmatched performance over wireless networks, even over low-bandwidth or
inconsistent connections. There’s even the option of offline access to Windows
applications via a secure, encrypted virtual machine on the device subject to
powerful policy enforcement.

Also, XenApp and XenDesktop are excellent solutions for the most security-
conscious organizations looking to provide access without storing anything at
all on the mobile device. Citrix Receiver provides tools to create a more mobile-
friendly Windows experience adjusted for tablet and smartphone displays, with
features such as touch, pinch and zoom. For organizations that don’t want to
spend a lot of resources porting or rewriting Windows applications to each device
platform, Citrix provides a powerful, cost-effective alternative not offered in the
BlackBerry ecosystem.

With XenMobile MDM, IT can configure devices with role-based authentication
and access and implement policies that prevent enterprise mobile applications
from sharing sensitive data or interacting with personal applications on the device.
Citrix ShareFile is a powerful alternative to consumer file-sharing services such as
Dropbox. ShareFile encrypts all data and retains it within the enterprise, subject to
stringent IT policies. It adds to the advantages of XenMobile over BlackBerry BES 10.

The XenMobile Worx environment provides Android and iOS devices with secure
mobile applications for email, calendars and web browsing, protecting the
enterprise from the hazards of native and third-party clients. The user experience
is very similar to that of native clients and browsers. However, the WorxWeb
mobile browser opens all links, including enterprise web and third-party SaaS
applications, in a secure, sandboxed environment that protects the organization
from hackers and malware.

The sandboxed WorxMail mobile client provides a rich user experience with
extensive enterprise visibility and policy enforcement, and its email and contacts
are inaccessible to personal applications. Both email and attachments can be
encrypted and IT can enforce policies to prevent attachments from being opened,
edited or saved in unapproved applications. Email users can also be prevented
from forwarding sensitive information or cutting and pasting confidential company
information into other documents. IT can enforce secure remote email connectivity
via a micro VPN and can disallow attachments in outgoing emails, forcing users to
provide ShareFile links for downloading instead.

In addition to Worx email and browsing applications, Citrix provides an SDK that
IT can use to add mobile policy enforcement to enterprise and third-party line-of-
business applications with as little as one line of code. The Worx App Gallery is an
online marketplace of hundreds of third-party Worx-enabled mobile applications
providing scores of useful mobile functions. Both the Worx environment and
per-app VPNs, as well as support for Samsung SAFE and Knox, are attractive
advantages of Citrix XenMobile compared to BlackBerry BES 10.

If a mobile device is lost or stolen, XenMobile MDM allows IT to remotely lock the
device and/or wipe sensitive applications and data.

Finally, Citrix NetScaler, an application delivery appliance, gives mobile users
secure, remote access to corporate web-based and virtual applications using
highly granular, IT-configured access control. In addition to robust authentication
and an application-level firewall, NetScaler acts as an application load balancer to
provide reliable, high performance for enterprise and web applications during peak
use periods. All web application components, including OWA, are deployed behind
the enterprise firewall, rather than in the less-secure DMZ. Only Citrix provides an
application delivery appliance as part of its EMM offering.


Conclusion

Organizations looking to migrate from a BlackBerry to a BYOD environment have
more options than ever before. Both Apple and Android now provide a host of
enterprise-friendly management and security features, and several third-party EMM
platforms offer consistent, automated, centralized management of these devices.
The Citrix XenMobile platform provides the most seasoned, comprehensive EMM
solutions for making migration to BYOD speedy and successful.

Corporate Headquarters: Fort Lauderdale, FL, USA
Silicon Valley Headquarters: Santa Clara, CA, USA
EMEA Headquarters: Schaffhausen, Switzerland
India Development Center: Bangalore, India
Online Division Headquarters: Santa Barbara, CA, USA
Pacific Headquarters: Hong Kong, China
Latin America Headquarters: Coral Gables, FL, USA
UK Development Center: Chalfont, United Kingdom

About Citrix
Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, easily
and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing,
Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more
than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.

Copyright © 2013 Citrix Systems, Inc. All rights reserved. Citrix, XenMobile, XenApp, XenDesktop, NetScaler, Citrix Receiver, ShareFile, Worx,
WorxMail and WorxWeb are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other
countries. Other product and company names mentioned herein may be trademarks of their respective companies.

1213/PDF citrix.com
