Reduce Business Risk by Deploying EMM Solutions with Conditional Access Capabilities


EMM solutions that deliver conditional access to desired services like email, storage and cloud services motivate BYOD users to enroll.

Let’s face it, your BYOD employees aren’t too thrilled about installing an EMM app, agent or container on their device. It feels like an intrusion on one of their most personal possessions and breeds mistrust. That said, the BYOD world is all about gives and gets. Unless your company enforces a corporate-liable policy and buys every employee a smartphone, a compromise must be made to ensure the security of corporate data. This is where the carrot comes into play.

While the BYOD trend was initially about allowing employees to use their mobile devices for work, the trend has shifted. Now you encourage your employees to use their devices because it makes them more productive anywhere, anytime. Whether your company is merely allowing or actively encouraging employees to use their devices for work, you have to overcome the “hassle factor” and the suspicion of company spying that deter them from EMM enrollment.

First, your Mobile Center of Excellence (COE) must perform exhaustive due diligence to select the most unobtrusive EMM package available, with the fewest steps to install, that still meets your company’s needs. Next, the system must block access to the systems, apps and data employees want most until they enroll. Some packages enforce this at the app level via mobile application management (MAM) functionality rather than requiring full device enrollment. Put simply: if you want email, you have to enroll. If you want to access SharePoint, you have to enroll. You get the idea. Gives and gets.

Reduce risk to your business by restricting corporate system access to only those devices enrolled in an EMM solution. What is your company doing to prevent unmanaged devices from accessing sensitive data?

Learn how to digitally transform your company in my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform your Business.”

Book Cover

Click to purchase a copy of my book today and start transforming your business!

Sharing my knowledge and helping others never stops, so connect with me on my blog at http://robtiffany.com , follow me on Twitter at https://twitter.com/RobTiffany and on LinkedIn at https://www.linkedin.com/in/robtiffany

Reduce Corporate Expenses by Configuring Devices and Delivering Apps to Users with MDM


When you’re ready to deploy apps or provision Wi-Fi, certificates, VPN or email to mobile devices, get an EMM solution to provide MDM.

With the basics of device-level security and policy enforcement covered by Exchange ActiveSync, you’re ready to take the next step in providing value to your employees. Extending access to personal information management (PIM) data, delivering apps to devices and provisioning functionality over the air was the reason the earliest mobile device management (MDM) packages were built. I should know since I co-founded the first cloud-based MDM company back in 2003. The space has broadened significantly and is now referred to as enterprise mobility management (EMM) with an evolving set of features. The MDM component of EMM delivers:

  • Support for the most widely used mobile operating systems
  • Software lifecycle management that deploys, upgrades and retires apps
  • Operating system configuration management that enforces the IT policies applied to devices, monitors compliance and provides auditing
  • Provisioning of pre-configured email, VPN, Wi-Fi and certificate settings via profiles, which simplifies users’ lives
  • Asset and usage tracking for devices and apps
  • Telecom expense management
  • Service management and remote helpdesk support capabilities
  • Scalability to support hundreds of thousands of devices

Reduce your expenses and improve user productivity by remotely configuring devices and delivering apps to users without needing additional support staff. What is your organization doing to help employees configure their mobile devices and get the apps they need?


Reduce Company Expenses and Enforce Mobile Security with Exchange ActiveSync


If you don’t have an Enterprise Mobility Management solution, start with Exchange ActiveSync to enforce device policies and security.

Baby steps. While you might not say Microsoft Exchange Server in the same breath as enterprise mobility management, this product has managed more devices than any other system over the last decade. Since most enterprises already use Active Directory for identity, coupled with Exchange Server on-premises or Office 365 in the cloud for email, calendar and contacts, this is a simple way to get started. The protocol that makes it happen is Exchange ActiveSync (EAS), which dates back to the Pocket PC and is built into virtually every mobile operating system.

So what does this have to do with managing devices? Well, EAS helps secure smartphones and tablets via policy enforcement. It allows you to require PINs and passwords, device and storage card encryption, remote wipe for lost or stolen phones, and S/MIME email encryption, to name a few. It also lets you disable features like a phone’s camera, removable storage, Wi-Fi, Bluetooth, SMS and others. If you’ve worked in the public sector, this probably rings a bell. One caveat: each mobile operating system honors only a subset of the EAS policy set, so verify which policies a given platform actually enforces (and whether devices that can’t apply them are allowed to sync at all) before relying on them.

If you think managing your mobile devices via Exchange ActiveSync is unorthodox, remember that it was the only way to manage iPhones until iOS 4 and Android devices until version 2.2 were released. I think EAS facilitated the BYOD movement more than any other factor.

Reduce expenses and risk to your company by enforcing security policies on your mobile devices using the capabilities found in an email server you probably already own. What basic steps has your organization taken to enforce mobile security on smartphones and tablets?


Mobile Strategies for Business is Now Available

Book Cover

I’m pleased to announce that my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform Your Business” is now available.

Mobile Strategies for Business is the first book to clearly explain how executives can digitally transform their organization through a simple, step-by-step process.

The mobile tidal wave has permanently transformed the consumer world and now it’s washing up on the shores of the enterprise. This drives the need for an enterprise mobile strategy to mobilize existing applications, modernize infrastructures, build new apps for employees and customers, and bring order to your environment via enterprise mobility management. Mobile Strategies for Business guides you through this transformation and drives positive outcomes including reducing expenses, improving employee productivity, increasing revenue, boosting user engagement and reducing risk.

Organized around the 50 most important enterprise mobility concepts, spanning four major topic areas, the book walks you through that transformation in a simple, step-by-step process.

You’ll learn how to address the following organizational challenges:

  • How to transform IT infrastructures that are wholly unprepared to deliver on the promise of Mobile and IoT for employees and customers. Learn how to enhance performance, scalability, bandwidth and security to support today’s mobile and cloud workloads.
  • How to reconcile the convergence of the Bring Your Own Device (BYOD) phenomenon and the need to keep corporate data secure. Learn how to support the flexible work styles of your mobile employees while keeping everything safe.
  • How to migrate the millions of out-of-date, insecure and unsupported desktop and Web 1.0 apps that currently run global business to run on modern mobile platforms. Learn how to unchain your line of business apps and web sites from the desktop and move them to the mobile devices your employees actually use.
  • How to rapidly build mobile enterprise apps that run on any platform and work with data from any backend system. Learn how to mobile-enable your existing systems and data to empower your mobile employees and reach out to your mobile customers.

Back Cover

Mobile Strategies for Business is a project plan and an implementation guide allowing your organization to digitally transform so it can ride the mobile wave to employee and customer success. Along the way, it builds a future-looking foundation that prepares your organization for successive technology tidal waves that will impact your business, workforce and customers.

What is your organization doing to define and execute on a mobile strategy? It’s time to empower your mobile workforce.


Enterprise Mobile Management with Intune

In this week’s episode of “Inside Windows Phone,” Matthijs Hoekstra and I discuss enterprise mobility management with Microsoft Intune.

Yes, we covered exciting acronyms like EMM, MDM, MAM, MIM and MCM.

– Rob


Sign Up for my Newsletter and get a FREE Chapter of “Mobile Strategies for Business!”


Microsoft Enterprise Mobility Management (EMM) is Here


I’m pleased to announce the release of Microsoft’s Enterprise Mobility Management (EMM) solution, made up of Windows Server 2012 R2, System Center Configuration Manager 2012 R2 and Windows Intune.

In this article, I’ll walk you through each EMM component and illustrate the respective Microsoft capabilities.

Mobile Device Management (MDM)

This is the most general type of management, where IT applies policies, configurations, provisioning and settings to mobile devices enrolled with an on-premises MDM server or a cloud-based service.

The Microsoft MDM solution interfaces with the management APIs exposed by the various mobile operating systems.  As with all MDM offerings on the market, this means there are variations in management capabilities across operating systems since each exposes a different set.

Policy settings for enrolled devices include:

  • Requiring passwords and associated configurations and restrictions
  • Enforcing device encryption
  • Allowing or blocking the camera and web browser on iOS and Android
  • Allowing iCloud backup and document sync on iOS
  • Content ratings on iOS
  • Allowing cloud settings and credential sync on Windows 8.1
  • Internet Explorer settings on Windows 8.1
  • Allowing voice and data roaming on iOS
  • Deployment of user and device certificates for managed devices by using the Simple Certificate Enrollment Protocol (SCEP). These certificates can be used to support Wi-Fi and VPN connections.  Supported devices include those running iOS, Windows 8.1 and Windows RT 8.1, and Android.  Learn more on TechNet: http://technet.microsoft.com/en-us/library/dn261202.aspx
  • Deployment of VPN profiles that provision devices with the settings and certificates that they need to access corporate networks.  Supported devices include those running iOS, Windows 8.1, Windows RT and Windows RT 8.1.  Learn more on TechNet:  http://technet.microsoft.com/en-us/library/dn261217.aspx
  • Deployment of Wi-Fi profiles that provision devices with the settings and certificates that they need to access corporate Wi-Fi hotspots.  Supported devices include those running iOS, Windows 8.1, and Windows RT 8.1, and Android.  Learn more on TechNet:  http://technet.microsoft.com/en-us/library/dn261221.aspx
  • Detection of jailbroken iOS devices and rooted Android devices (best-effort, since a compromised OS can misreport its state to the management agent)

A comprehensive matrix of supported policies per device can be found on TechNet:
http://technet.microsoft.com/en-us/library/dn376523.aspx

In addition to Remote Wipe which removes everything from a device, we also have Selective Wipe which removes company apps, data and management policies from the mobile device while leaving personal apps and data untouched.  Learn more on TechNet:  http://technet.microsoft.com/en-us/library/jj884158.aspx#bkmk_dev

Mobile Application Management (MAM)

A more specific type of management, MAM focuses on delivering native apps from a corporate app catalog to an employee device while giving IT the power to selectively remove downloaded apps and associated data without touching personal apps and data.

Microsoft provides a Company Portal (Self Service Portal) that is downloadable from the Windows Store, Apple App Store, and Google Play.  Windows 8/RT, Windows 8.1/RT/Pro/Enterprise, Windows Phone 8,  Android 4 and higher as well as iOS 6 and higher are all supported.  Users can download corporate apps to their device from the portal.

Company Portal

Corporate apps can also be pushed (user consent may be required) and remotely uninstalled from all devices except Windows Phone 8.  Public apps made available by IT can be deep-linked to their respective public stores via the portal.  For high-security scenarios, apps can instead be published via Remote Desktop Services (RDS) and accessed across mobile platforms, so that the data never leaves the data center.  Administrators can view an inventory of installed corporate apps on the devices while not seeing the personal apps.

iPad Portal

A new Identity and Access feature is Workplace Join, which makes your mobile device known to your IT department by creating a device object in Active Directory.  Once joined, employees can access applications and data from that device anywhere, and get single sign-on to both browser-based and enterprise applications.

Workplace Join

Single sign-on (SSO) is facilitated via the new Web Application Proxy, which publishes corporate resources to mobile devices without the need for a VPN.  Active Directory Federation Services (AD FS) controls access to systems and applications using claims-based authorization, and supports web SSO across organizational boundaries so that IT organizations can collaborate with partners.  Multifactor authentication can be required to raise the level of assurance for access to corporate resources.

Mobile Information Management (MIM)

This is the most granular type of management where IT policies are assigned directly to the data to ensure security no matter where it resides, flows to, or which app is using it.

Active Directory Rights Management Services (AD RMS) encrypts documents and Exchange email and binds to each file the rights a given user has, so that actions outside those rights are not offered.  This data loss prevention (DLP) capability can block forwarding of corporate email to external accounts in RMS-aware clients and leaves data unreadable if it is uploaded to a third-party cloud file sharing provider.  Strictly speaking, RMS doesn’t stop a protected file from being copied or uploaded; it keeps the file encrypted so that anyone without the corresponding rights cannot open it, which is what makes your mobile data secure wherever it goes.

Mobile Content Management (MCM)

Secure distribution of, and mobile access to, documents for employees.

Secure mobile file synchronization is facilitated by Work Folders.  This is a secure share on Windows Server 2012 R2 that is made available to individual mobile devices that are Workplace joined.  In order to say “Goodbye” to Dropbox and “Hello” to corporate file sync, you’ll have to accept some security policies on your device.   Your IT department can encrypt the Work Folders on your device, require a password to sign in, and erase all the files in your Work Folders if you lose your device.

Work Folders

Our Dynamic Access Control technology can be used with the server share to provide automatic document classification and protection based on content.  Using Work Folders is a great way to make your work files available on all your devices, even when you’re offline.  You can even control whether files are synced over metered connections or while roaming.

Takeaways

System Center Configuration Manager is the Gartner Magic Quadrant Leader for Client Management Tools with the largest global market share.  With the majority of corporations using SCCM to manage their Windows and Mac desktops and laptops plus Windows, Linux and UNIX servers, this is management technology that you probably already own and a skillset your IT staff already has.  Over the years we’ve added support for managing new clients as dictated by their market share and customer requests.  Managing the growing variety of mobile devices roaming on wireless data networks via our Windows Intune cloud gateway allows you to leverage 20 years of SCCM “know-how” instead of purchasing point solutions.  You’ll get the massive scalability you’re looking for as well as the support and sustained engineering you’ve come to count on from Microsoft.

 



Windows Phone 8 and the Enterprise Feature Pack

I’m pleased to announce that we are enhancing the business capabilities of Windows Phone 8 with the Enterprise Feature Pack.

Building on technologies like UEFI Secure Boot, BitLocker and TPM, an update to Windows Phone 8 will arrive in the first half of calendar year 2014 that increases IT control while boosting employee productivity.  The Enterprise Feature Pack includes:

  • Virtual Private Network (VPN) connections that are automatically triggered by the apps that need them.  This means you won’t have to manually create a VPN tunnel in advance of running an app that needs to connect to your corporate network.
  • Certificate management to enroll, update, and revoke certificates for user authentication.
  • Enhanced mobile device management (MDM) policies to lock down functionality on the phone for more enterprise control.  Additionally, richer mobile application management (MAM) including allowing or blocking the installation of certain apps.
  • Enterprise Wi-Fi support for EAP-TLS, which authenticates the device to the network with a client-side certificate.
  • Secure/Multipurpose Internet Mail Extensions (S/MIME) to sign and encrypt email.

We’re also boosting our commitment to corporate customers by increasing the length of our support lifecycle from 18 months to 36 months.  This means that starting with Windows Phone 8, we’ll make feature, functionality, and security updates available for 36 months.

With Windows Phone 8, your investment in our mobile platform is secure.

– Rob


5 Steps to Containerize your Enterprise Mobile Apps

Containerize your Apps

Just in case you haven’t noticed lately, the BYOD Juggernaut appears to be stumbling in the security department.  It’s time to get your mobile enterprise house in order and containerize your apps to create islands of security on potentially insecure mobile devices.

 

We’ve seen buggy mobile operating system updates that allow users to bypass lock screens, public app markets full of malware-infected apps, and the easy ability to jailbreak/root devices making them instantly untrustworthy.  There are devices that base their encryption on the user PIN (1111) which doesn’t make the cut with any security professional.  There are mobile device management vendors that claim they can detect jailbroken/rooted devices, but they can’t because the hacked OS cleverly reports incorrect information to the MDM agent.

How secure can your PIN-enforced, fully encrypted, managed device be when it comes with a built-in Trojan Horse back door that allows users to unwittingly download infected apps designed to steal data and send it to another country?

Make no mistake, we are living in the middle of a cyber war where your mobile devices, your company servers and your government are being attacked daily by super-empowered individuals, organizations and even other governments.  They want to steal your ideas and sensitive data while creating chaos and inflicting damage on vital infrastructure.  As a CIO/CSO, it’s your job to keep your organization’s data safe no matter where it resides.  Sometimes following all the best practices to lock down your employees’ devices isn’t enough when users can innocently download an app designed for espionage.  In most BYOD environments, employees resist having their personal devices heavily managed.  The best thing you can do is treat all mobile devices as hostile and never give any of them direct access to your internal corporate assets.  Expand your organization’s “Guest” Wi-Fi network and send all those untrusted devices out to the Internet.

I realize this sounds like I want to suck the life out of the amazing productivity gains we’ve achieved through the use of smartphones and tablets.  Nothing could be further from the truth.  For starters, you can easily implement a baseline level of device security in exchange for allowing employees to use their devices at work.  Remember, virtually every smartphone and tablet on the planet ships with an Exchange ActiveSync client that lets you enforce a complex PIN, device encryption, periodic PIN expiration (like your PC’s) and remote wipe for lost or stolen devices.  Beyond that, it’s about keeping your corporate data safe.  Since data is presented to users via enterprise apps, you need to containerize and bulletproof them:

1) Enterprise mobile apps should prompt the user for credentials in order to launch.  When assessing a potential threat, assume that an already unlocked device has fallen into the hands of a bad actor.  Yes, for apps that deal with sensitive data, requiring additional credentials to launch can slow down an attacker.  I recommend having your users enter their standard corporate credentials, Domain\Username and Password, since those are the easiest to remember.  Your app should clear the entered password from memory as soon as possible.  Because a string holding an entered password is typically immutable (and may linger until garbage collection), apps should instead use a platform secure-string type or a char[]/byte array that can be overwritten in place.  A mobile OS that sandboxes each app’s storage rather than exposing a shared file system to every app makes this even more effective.  To reduce the exposure of an active session, the app should log out after a predetermined period of inactivity or if it notices that the device has moved from a secure location to an insecure one.  The takeaway is that it’s the app’s responsibility to containerize its contents through the use of credentials.

2) Enterprise mobile apps must protect their local data-at-rest with encryption.  This is important not only on unencrypted devices, but also on encrypted ones where the bad actor is already logged in and can see everything as plain text.  In that scenario, the app is your last line of defense for sensitive data.  Apps should encrypt their data at rest with AES-256, preferably in an authenticated mode such as GCM so that tampering is detected as well as snooping, and the cryptographic modules and algorithms provided by the mobile operating system must be FIPS 140-2 validated.  Oh, and guess what, I now have a use for those corporate credentials I asked your apps to require.  Deriving an encryption key from a credential takes a secret and a salt: feed the Password, the only secret you have, into a password-based key derivation function such as PBKDF2 with a high iteration count, and use a random salt that is stored alongside the ciphertext.  The salt doesn’t need to be secret; its job is to make sure two users (or two records) with the same password never end up with the same key.  Don’t invert the roles by using the Domain\Username as the secret and the Password as the salt: the username is public, a salt is assumed to be recoverable by an attacker, and key derivation functions are designed and analyzed with the password as the secret input.  While some mobile platforms have APIs to secure your credentials or keys, it may be better to assume the device is already compromised and therefore require the user to enter their credentials each time the information is encrypted or decrypted.  Keep in mind that your banking web site requires you to enter your credentials every single time as well.  Why should your mobile enterprise app be any different?  The takeaway is that it’s the app’s responsibility to containerize data-at-rest.

3) Enterprise mobile apps must protect their data-in-transit with TLS (the protocol most people still call SSL).  Don’t assume that the corporate network is already providing a VPN tunnel to carry otherwise insecure traffic.  You also shouldn’t assume that a given mobile device supports the wide variety of VPN protocols employed by all the different vendors out there.  Lastly, employees hate having to set up a VPN connection before using their apps because it’s cumbersome and takes too long.  Responsible mobile enterprise app developers will always build TLS into every bit of their app’s data movement.  The app validates the server’s certificate either against the public root certificates already on the device or against a root imported from your company’s enterprise certificate authority.  Since a compromised device may have had a rogue root installed, consider pinning the app to your server’s certificate or to your enterprise CA so that a certificate issued by anyone else is rejected.  The takeaway is that it’s the app’s responsibility to containerize data-in-transit.

4) Enterprise mobile apps must present credentials to the web services they call in order to send and receive data.  The one thing you can count on across all mobile devices is support for HTTP Basic authentication.  Enabling it on your web server makes the server challenge the client for credentials.  Basic auth only base64-encodes the username and password, so it is acceptable solely because the channel is already wrapped in TLS; never expose a Basic-auth endpoint over plain HTTP.  On IIS, for instance, you enable Basic authentication on the virtual directory exposing the web services and set its default Domain to your company’s domain name.  The web service calls from your mobile app will conveniently pass along the Domain credentials the user entered to launch the app and encrypt the local data.  Grant only the appropriate Active Directory users and groups access to this directory so that only authorized users can reach the data the web services provide.  In other words, it takes the combination of the enterprise mobile app and the correct user credentials entered on the device to unlock the data provided by the web services.  Oh, and one more thing: the Domain credentials passed in from the device can also be used to grant or deny access to the SQL Server holding the sensitive data, and yes, you can encrypt the data-at-rest in SQL Server’s tables, rows and columns as well.  The takeaway is that it’s the app’s responsibility to containerize the secure passing of credentials through each tier of your enterprise mobile solution.

5) An Internet gateway at the edge of the network must be employed to securely publish web services.  Since you’re not going to do anything foolish like directly expose your web servers to the Internet, and the VPN question is often unsettled, you need a way to reach those web services from devices roaming on mobile data networks.  Luckily, this problem may already be solved for you if your company uses Exchange for email.  Most companies publish Exchange ActiveSync to the Internet via ISA, TMG or UAG to provide access to email, calendar, contacts and device management policies.  The same technology can securely proxy the virtual directories hosting your web services out to the Internet using Web Publishing.  These reverse proxy servers typically reside in your company’s DMZ between the front and back firewalls.  Keep in mind that this method of exposing corporate data is often more secure than providing VPN access.  A VPN tunnel extends your corporate network out to the device, and it seems to make people feel safe when combined with device encryption and an enforced PIN.  But what if you have one of those devices that comes complete with a built-in Trojan Horse gateway to a malware-infested app market in the cloud?  You’ve now created a security vulnerability, because one of those un-vetted, untested, rogue apps can drive a truck through the VPN tunnel and attack your corporate network directly.  Jailbroken and rooted devices bring the same type of risk, and some device operating systems work with alternate app markets right out of the box.  On the other hand, securely publishing discrete web services via a reverse proxy that performs deep packet inspection shrinks your attack surface dramatically.  Visualize a tiny pinpoint on a server that can only be reached by your mobile app, instead of a tunnel that can see all your servers and is accessible by everything on your device.  I think you get the picture.  The takeaway is to containerize access to web services rather than blindly delivering the entire network to a potentially compromised device.
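Steps 3 to 5 as one added Go example (written for this edit, not the post’s own code): the app’s HTTP client trusts only the enterprise root and pins the server’s public key, the Domain\Username and Password go out as HTTP Basic credentials over TLS only, and the published endpoint exposes a single path and challenges for credentials on every request. The in-process TLS server, the CONTOSO\alice account, the /services/orders path and the -1 status convention are constructed for the example, and public-key pinning is an addition beyond what the post describes.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format of RFC 7469.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// newAppClient is the HTTP client an enterprise app should use: it trusts only the enterprise
// root passed in, not the device's public store, and also rejects any server key not in pins.
func newAppClient(enterpriseRoot *x509.Certificate, pins []string) *http.Client {
	roots := x509.NewCertPool()
	roots.AddCert(enterpriseRoot)
	cfg := &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			got := spkiPin(chains[0][0]) // runs after RootCAs validation, so this leaf already verified
			for _, p := range pins {
				if p == got {
					return nil
				}
			}
			return errors.New("server key does not match any pinned key")
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// callService sends the Domain\Username and Password the user typed at launch as HTTP Basic
// credentials and returns the HTTP status, or -1 when the request was refused or failed.
func callService(c *http.Client, url, domainUser, password string) int {
	if !strings.HasPrefix(url, "https://") {
		return -1 // Basic auth only base64-encodes the credentials; never send them without TLS
	}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return -1
	}
	req.SetBasicAuth(domainUser, password)
	resp, err := c.Do(req)
	if err != nil {
		return -1 // includes TLS failures such as an untrusted or unpinned server key
	}
	resp.Body.Close()
	return resp.StatusCode
}

// newGateway models the endpoint the reverse proxy publishes: exactly one path is reachable and
// every request must carry valid credentials. The user table is a constructed stand-in for AD.
func newGateway() http.Handler {
	users := map[string]string{`CONTOSO\alice`: "correct horse battery staple"}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/services/orders" {
			http.NotFound(w, r) // the pinpoint: nothing else on the server is published
			return
		}
		u, p, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(users[u]), []byte(p)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="CONTOSO"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "orders for %s", u)
	})
}

// Outcome holds the HTTP status of each attempt; -1 means the client refused to send at all.
type Outcome struct{ Authorized, WrongPassword, UnpublishedPath, PinMismatch, PlainHTTP int }

// runScenario stands up an in-process TLS server (constructed for the example), pins its key
// in the app client and exercises the cases a practitioner cares about.
func runScenario() Outcome {
	srv := httptest.NewTLSServer(newGateway())
	defer srv.Close()
	const user, pass, path = `CONTOSO\alice`, "correct horse battery staple", "/services/orders"
	good := newAppClient(srv.Certificate(), []string{spkiPin(srv.Certificate())})
	bad := newAppClient(srv.Certificate(), []string{"not-the-real-key-pin"}) // right CA, wrong pin
	return Outcome{
		Authorized:      callService(good, srv.URL+path, user, pass),
		WrongPassword:   callService(good, srv.URL+path, user, "guess"),
		UnpublishedPath: callService(good, srv.URL+"/admin", user, pass),
		PinMismatch:     callService(bad, srv.URL+path, user, pass),
		PlainHTTP:       callService(good, "http://127.0.0.1"+path, user, pass),
	}
}
```

runScenario is what a test drives (a one-line main that prints it runs the same thing stand-alone): the authorized call returns 200, the wrong password 401, the unpublished path 404, and both the pin mismatch and the plain-HTTP attempt are stopped before any credential reaches the wire. Pinning to the enterprise CA’s key rather than the leaf’s survives certificate renewal; pinning the leaf, as here, has to be updated with every re-issue.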

Mobile devices offer the promise of unprecedented productivity by allowing employees to work anywhere at anytime.  Unfortunately, some of them can present security risks that must be mitigated if we all want to see the momentum behind BYOD continue.  You might be wondering why I referred to containerized apps as islands of security.  I guess it’s because I imagine a compromised smartphone or tablet as an ocean of insecurity where the hacker thinks he’s already won.  But he hasn’t.  Those enterprise mobile apps you’ve built following the 5 principles I’ve discussed above are the islands breaking through the water that require their own credentials to launch and take care of encrypting their own data-at-rest and data-in-transit.  Remember, Cyber security threats are at the highest levels they’ve ever been and everyone must take data protection seriously.

This is your Chief Mobility Officer telling you not to get mindlessly swept away by trends like the Consumerization of IT and BYOD without first addressing your company’s security needs.  Containerize your apps!

– Rob
