Post on 23-Aug-2020


Page 1: Naveed Makhani Global Product Manager, IBM …public.dhe.ibm.com/software/dw/mo/mobile-techtalks/2013...2013/03/13  · Standard part of Apple’s MDM interface Android doesn’t have

© 2012 IBM Corporation

IBM Endpoint Manager for Mobile Devices

Naveed Makhani

Global Product Manager, IBM MobileFirst Management & Security

@naveedmakhani

Page 2

Mobile devices magnify existing challenges and also pose unique ones that significantly disrupt traditional management paradigms

| Traditional Mgmt Model | New Device Mgmt Paradigm |
| --- | --- |
| Enterprises provide all equipment | Employees bring personal devices (BYOD) |
| Small set of supported platforms / models | Many different manufacturers / models |
| IT initiates and manages upgrades | OS/app upgrades managed by carriers, OEMs, users |
| IT tightly controls apps and security | Users control their own devices |

Options for IT departments

Don’t allow mobile devices because they are too hard to manage

Allow unmanaged and insecure mobile devices

Invest in tools to secure and manage devices

Page 3

Management capabilities vary greatly by mobile operating system, but one thing is consistent – the user is king

| Management Function | Supported by Apple? Notes | Supported by Google? Notes |
| --- | --- | --- |
| Selectively Wipe Mail / Calendar / Contacts | Standard part of Apple’s MDM interface | Android doesn’t have a native email client that supports selective wipe, so integration with 3rd-party email clients (e.g., IBM Notes Traveler or NitroDesk TouchDown) is necessary |
| Forcibly Install Apps | iOS doesn’t currently support forcible app install without user permission, so enterprise app store approach is needed. | “Vanilla” Android doesn’t currently support forcible app install without user permission, so enterprise app store approach is needed. |
| Forcibly Uninstall Apps | With iOS 5+, apps (both public and private) provisioned via the enterprise app store can be uninstalled remotely without user intervention | “Vanilla” Android doesn’t currently support forcible app uninstall without user permission. |
| Remote Control | Apps are sandboxed – there is no ability for an app to gain visibility/control over the entire device | “Vanilla” Android doesn’t currently support remote control |

Page 4

Mobile OS vendors move very quickly

Google and Apple have released major Android and iOS versions 6x and 3x faster, respectively, than Microsoft has released major Windows PC versions

| | Microsoft Windows | Apple iOS | Google Android |
| --- | --- | --- | --- |
| Release Year | 1985 | 2007 | 2008 |
| # of Versions | 11* | 6** | 10*** |
| Versions per Year | 0.4 | 1.2 | 2.5 |
| OS “velocity” vs. Microsoft | - | 3x | 6.3x |

* Microsoft Windows 1.0, 2.0, 3.0, 95, 98, 2000, ME, XP, Vista, 7, 8; excludes server platforms

** Apple iOS 1, 2, 3, 4, 5, 6

*** Google Android 1.0, 1.1, Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean

Page 5

Data Separation

No Data Separation

Diagram layers: Hardware; Operating System; Enterprise & Personal Apps (Native Apps)

Native Data Separation

Based on platform-specific APIs from OS vendors or from OEMs (Samsung, Lenovo, etc)

Preserves native user experience

Diagram layers: Hardware; Operating System; Personal Apps, Enterprise Apps

Virtualization

Hypervisor layer allows separate OSes

Currently possible on Android

Requires cooperation between carriers, OEMs, and virtualization vendors

Diagram layers: Hardware; Hypervisor; OS (Personal Domain), OS (Enterprise Domain)

3rd-Party Separation

3rd-party app acts as container and replicates native OS functionality such as email, calendar, contacts

Some apps live in container

Disrupts native user experience

Diagram layers: Hardware; Operating System; Apps, Container

Diagram legend: Enterprise Data, Personal Data

Page 6

Native Management vs. Container Considerations

Desired User Experience – Consider native app experience versus that of 3rd-party app replications; device-wide passcode vs. container-level passcode

Support for 3rd-party Apps – Will 3rd-party apps be managed? If using container approach, how do 3rd-party apps get placed into container?

Data Leakage Controls – Are there dealbreaker data leakage concerns with native OS capabilities?

Privacy & Data Separation – Consider privacy, liability, and management control preferences of user base

Additional Resources

Comparison of Native MDM & Container Approaches

Managing Mobile Applications

Page 7

Approaches to Mobile App Management

Native Management – Leverages native OS capabilities for app management

SDK – App developers (internal and 3rd-party) incorporate management vendor SDKs/libraries to enable integrated app management

App Wrapping / App Containerization – Leverages an app wrapping technology to “wrap” an app binary with a layer of enterprise security and management capabilities

Additional Resources

Comparison of Native MDM & Container Approaches

Managing Mobile Applications

Page 8

We have been building up our Mobile Enterprise capabilities

10 acquisitions to strengthen our position in mobile since 2006

200+ IBM Software apps available in App Stores; ~ 1M downloads

Cited as a leader in app design and managed services by Forrester and Gartner

125+ patents for wireless inventions in 2012, bringing the total to 270

Doubling 2013 investment

Page 9

IBM MobileFirst Offering Portfolio

Page 10

IBM Endpoint Manager delivers a unified systems and security management solution for all enterprise devices

Supporting more devices…

Windows & Mac Desktops/Laptops

Unix / Linux Servers

Windows Mobile / Kiosks / POS devices

Android / iOS / Symbian / Windows Phone devices

…and more capabilities.

Mobile Device Mgmt

Security Config Mgmt

S/W Use Analysis

OS Deployment

Remote Control

Endpoint Protection

Power Mgmt

Patch Mgmt

Device Inventory

Configuration Mgmt

Page 11

Enterprise Mobility Management with IBM Endpoint Manager

A unified infrastructure to manage and secure complex BYOD and traditional environments of smartphones, tablets, laptops, desktops, and servers

Hybrid cloud-based delivery model enables rapid updates

Unified security compliance management via an integrated analytics platform

Support for Center for Internet Security (CIS) benchmarks for iOS, Android, Mac, Windows, Unix, AIX, Red Hat Enterprise Linux, and Solaris

Multiple data containment approaches, all delivered on Endpoint Manager’s policy management platform, give enterprises flexibility to leverage the containment strategy that best fits their business and user needs

Increased security and management of mobile apps via integration of device management (Endpoint Manager) with app dev platform (Worklight)

Page 12

Integration of MobileFirst Management & App Platform

Streamlined App Deployment Workflow

Endpoint Manager customers can directly import and distribute Worklight-built apps via the Enterprise App Store, thereby improving workflow between Development and Operations

1. Build app in Worklight

2. Import into Endpoint Manager App Store

3. Distribute App to Employees

Page 13

Potential Future Integration Scenario: Deny App Access

Scenario

Device is out of compliance with policy

Deny enterprise app access

Diagram labels: Endpoint Manager (devices); Worklight (apps); On-going assessment of device compliance; Report compliance violation; Periodic query for device compliance status

Page 14

IBM’s CIO Office is managing 60,000+ smartphones and tablets with IBM Endpoint Manager (60% iOS, 40% Android), and over 600,000 PCs and servers

Chart: MDM Deployment Progress (Mobile Devices Enrolled vs. Deployment Time in days)

13k devices in first 24 hours

24k in first month

46k in first 2.5 months

70k projected by end of March

Page 15

How does IBM internally address BYOD?

Education

Policy

Technology

Formal

Mandatory Digital IBMer Security Training

Casual

IBM Secure Computing Guidelines

Targeted w3 articles

Social

Secure Computing Forum

Secure Computing Blog Posts

Developer

Secure Engineering guidelines

Mobile app security guidelines

Page 16

Web reports provide at-a-glance mobile device deployment overviews

Page 17

A Self-Service Portal empowers employees to locate lost devices and perform tasks such as lock, clear passcode, and device wipe

Page 18

A flexible enrollment process enables organizations to include a EULA and to collect critical device and employee data via customizable questions

Page 19

Distribute apps using the Enterprise App Store

Page 20

A user-friendly iOS Profile Configuration Wizard exposes the configuration capabilities of Apple’s MDM APIs

Page 21

iOS Jailbreak Notification

Page 22

A “Single Device View” enables administrators and helpdesk personnel to easily view device details and take required action

Page 23

Customer Profile: Large health care system in Southeast US

1 FTE managing 30,000 PCs and 4,000 mobile devices

Mobile devices used in innovative ways

Home Health Care: iPads provided to home health care diabetes patients to enable direct input of diagnostic data; Facetime sessions with home health nurses reduce the need for on-site visits, which improves nurse utilization while reducing costs

Education: iPod Touches with pre-loaded educational apps provided to parents of babies in Neonatal Intensive Care Unit (NICU)

Page 24

Summary

IBM Endpoint Manager for Mobile Devices delivers strong MDM capabilities in an infrastructure that enables unified management of all enterprise devices – desktops, laptops, servers, smartphones, and tablets

An integrated mobile enterprise platform overcomes limitations in native OS management capabilities and delivers increased security and management of mobile apps via integration of device management with app dev platform

Multiple data containment approaches, all delivered on Endpoint Manager’s policy management platform, give enterprises flexibility to leverage the containment strategy that best fits their business and user needs