© 2012 IBM Corporation
IBM Endpoint Manager for Mobile Devices
Naveed Makhani
Global Product Manager, IBM MobileFirst Management & Security
@naveedmakhani
Mobile devices magnify existing challenges and also pose unique
ones that significantly disrupt traditional management paradigms
Traditional Mgmt Model | New Device Mgmt Paradigm
Enterprises provide all equipment | Employees bring personal devices (BYOD)
Small set of supported platforms / models | Many different manufacturers / models
IT initiates and manages upgrades | OS/app upgrades managed by carriers, OEMs, users
IT tightly controls apps and security | Users control their own devices
Options for IT departments
Don’t allow mobile devices because they are too hard to manage
Allow unmanaged and insecure mobile devices
Invest in tools to secure and manage devices

Management capabilities vary greatly by mobile operating system,
but one thing is consistent – the user is king

Columns: Management Function; Supported by Apple?; Notes; Supported by Google?; Notes

Selectively Wipe Mail / Calendar / Contacts
  Apple notes: Standard part of Apple’s MDM interface
  Google notes: Android doesn’t have a native email client that supports selective wipe, so integration with 3rd-party email clients (e.g., IBM Notes Traveler or NitroDesk TouchDown) is necessary

Forcibly Install Apps
  Apple notes: iOS doesn’t currently support forcible app install without user permission, so enterprise app store approach is needed.
  Google notes: “Vanilla” Android doesn’t currently support forcible app install without user permission, so enterprise app store approach is needed.

Forcibly Uninstall Apps
  Apple notes: With iOS 5+, apps (both public and private) provisioned via the enterprise app store can be uninstalled remotely without user intervention
  Google notes: “Vanilla” Android doesn’t currently support forcible app uninstall without user permission.

Remote Control
  Apple notes: Apps are sandboxed – there is no ability for an app to gain visibility/control over the entire device
  Google notes: “Vanilla” Android doesn’t currently support remote control

Mobile OS vendors move very quickly
Google and Apple have released major Android and iOS versions 6x and
3x faster, respectively, than Microsoft has released major Windows PC
versions
 | Microsoft Windows | Apple iOS | Google Android
Release Year | 1985 | 2007 | 2008
# of Versions | 11* | 6** | 10***
Versions per Year | 0.4 | 1.2 | 2.5
OS “velocity” vs. Microsoft | - | 3x | 6.3x
* Microsoft Windows 1.0, 2.0, 3.0, 95, 98, 2000, ME, XP, Vista, 7, 8; excludes server platforms
** Apple iOS 1, 2, 3, 4, 5, 6
*** Google Android 1.0, 1.1, Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean

Data Separation

[Diagram: hardware / operating system / apps stacks for each approach, showing where enterprise data and personal data sit; the virtualization stack adds a hypervisor under separate personal-domain and enterprise-domain OSes, and the 3rd-party stack adds an apps container]

No Data Separation

Native Data Separation
  Based on platform-specific APIs from OS vendors or from OEMs (Samsung, Lenovo, etc)
  Preserves native user experience

Virtualization
  Hypervisor layer allows separate OSes
  Currently possible on Android
  Requires cooperation between carriers, OEMs, and virtualization vendors

3rd-Party Separation
  3rd-party app acts as container and replicates native OS functionality such as email, calendar, contacts
  Some apps live in container
  Disrupts native user experience

Native Management vs. Container Considerations
Desired User Experience – Consider native app experience versus that of 3rd-party
app replications; device-wide passcode vs. container-level passcode
Support for 3rd-party Apps – Will 3rd-party apps be managed? If using container
approach, how do 3rd-party apps get placed into container?
Data Leakage Controls – Are there dealbreaker data leakage concerns with native
OS capabilities?
Privacy & Data Separation – Consider privacy, liability, and management control
preferences of user base
Additional Resources
Comparison of Native MDM & Container Approaches
Managing Mobile Applications
Approaches to Mobile App Management
Native Management – Leverages native OS capabilities for app management
SDK – App developers (internal and 3rd-party) incorporate management vendor
SDKs/libraries to enable integrated app management
App Wrapping / App Containerization – Leverages an app wrapping technology
to “wrap” an app binary with a layer of enterprise security and management
capabilities
Additional Resources
Comparison of Native MDM & Container Approaches
Managing Mobile Applications
We have been building up our Mobile Enterprise capabilities
10 acquisitions to strengthen our position in mobile since 2006
200+ IBM Software apps available in App Stores; ~ 1M downloads
Cited as a leader in app design and managed services by Forrester and Gartner
125+ patents for wireless inventions in 2012, bringing the total to 270
Doubling 2013 investment

IBM MobileFirst Offering Portfolio

IBM Endpoint Manager delivers a unified systems and security
management solution for all enterprise devices

Supporting more devices…
  Windows & Mac Desktops/Laptops
  Unix / Linux Servers
  Windows Mobile / Kiosks / POS devices
  Android / iOS / Symbian / Windows Phone devices

…and more capabilities.
  Mobile Device Mgmt
  Security Config Mgmt
  S/W Use Analysis
  OS Deployment
  Remote Control
  Endpoint Protection
  Power Mgmt
  Patch Mgmt
  Device Inventory
  Configuration Mgmt

Enterprise Mobility Management with IBM Endpoint Manager
A unified infrastructure to manage and secure complex BYOD and traditional
environments of smartphones, tablets, laptops, desktops, and servers
Hybrid cloud-based delivery model enables rapid updates
Unified security compliance management via an integrated analytics platform
Support for Center for Internet Security (CIS) benchmarks for iOS, Android, Mac, Windows, Unix,
AIX, Red Hat Enterprise Linux, and Solaris
Multiple data containment approaches, all delivered on Endpoint Manager’s policy
management platform, give enterprises flexibility to leverage the containment strategy
that best fits their business and user needs
Increased security and management of mobile apps via integration of device
management (Endpoint Manager) with app dev platform (Worklight)
Integration of MobileFirst Management & App Platform
Streamlined App Deployment Workflow
Endpoint Manager customers can directly
import and distribute Worklight-built apps
via the Enterprise App Store, thereby
improving workflow between Development and
Operations
1. Build app in Worklight
2. Import into Endpoint Manager App Store
3. Distribute App to Employees

Potential Future Integration Scenario
Deny App Access

Scenario
  Device is out of compliance with policy
  Deny enterprise app access

[Diagram: numbered flow (steps 1 to 5) between Endpoint Manager (devices) and Worklight (apps)]
  On-going assessment of device compliance
  Report compliance violation
  Periodic query for device compliance status

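A sketch of the deny-app-access flow on this slide, added here as an example and not IBM's code or any Endpoint Manager or Worklight API. The class names, the push callback, the 300-second freshness limit and the fail-closed handling of unknown or stale status are assumptions that go beyond what the slide states.

```python
from dataclasses import dataclass

MAX_STATUS_AGE = 300  # seconds a cached status is trusted (assumed value)

@dataclass
class Status:
    compliant: bool
    checked_at: float  # time of the device manager's last assessment

class DeviceManager:
    """Hypothetical device-management side: assesses devices, reports violations."""
    def __init__(self):
        self.status, self.listeners = {}, []

    def assess(self, device_id, compliant, now):
        self.status[device_id] = Status(compliant, now)
        if not compliant:  # report the violation as soon as it is seen
            for notify in self.listeners:
                notify(device_id, self.status[device_id])

class AppGateway:
    """Hypothetical app-platform side: gates access to enterprise apps."""
    def __init__(self, manager):
        self.manager, self.cache = manager, {}
        manager.listeners.append(self.on_violation)

    def on_violation(self, device_id, status):
        self.cache[device_id] = status

    def refresh(self):  # periodic query for device compliance status
        self.cache = dict(self.manager.status)

    def allow(self, device_id, now):
        s = self.cache.get(device_id)
        if s is None or now - s.checked_at > MAX_STATUS_AGE:
            return False  # unknown device or stale status: fail closed
        return s.compliant

def demo():
    mdm = DeviceManager()
    gw = AppGateway(mdm)
    mdm.assess("tablet-1", True, 0)  # constructed sample devices
    mdm.assess("phone-2", True, 0)
    gw.refresh()
    before = [gw.allow("tablet-1", 60), gw.allow("phone-2", 60)]
    mdm.assess("phone-2", False, 90)  # constructed policy violation
    after = [gw.allow("phone-2", 91), gw.allow("tablet-1", 400), gw.allow("unknown-9", 91)]
    return before + after
```

The pushed violation denies phone-2 before the next periodic query runs, and tablet-1 is denied once its last assessment is older than the freshness limit.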
IBM’s CIO Office is managing 60,000+ smartphones and tablets with IBM Endpoint
Manager (60% iOS, 40% Android), and over 600,000 PCs and servers

[Chart: MDM Deployment Progress; Mobile Devices Enrolled vs. Deployment Time (days)]
  13k devices in first 24 hours
  24k in first month
  46k in first 2.5 months
  70k projected by end of March

How does IBM internally address BYOD?
Education / Policy / Technology

Formal
  Mandatory Digital IBMer Security Training
Casual
  IBM Secure Computing Guidelines
  Targeted w3 articles
Social
  Secure Computing Forum
  Secure Computing Blog Posts
Developer
  Secure Engineering guidelines
  Mobile app security guidelines

Web reports provide at-a-glance mobile device deployment
overviews

A Self-Service Portal empowers employees to locate lost devices
and perform tasks such as lock, clear passcode, and device wipe

A flexible enrollment process enables organizations to include a
EULA and to collect critical device and employee data via
customizable questions

Distribute apps using the Enterprise App Store

A user-friendly iOS Profile Configuration Wizard exposes the
configuration capabilities of Apple’s MDM APIs

iOS Jailbreak Notification

A “Single Device View” enables administrators and helpdesk
personnel to easily view device details and take required action

Customer Profile: Large health care system in Southeast US
1 FTE managing 30,000 PCs and 4,000 mobile
devices
Mobile devices used in innovative ways
Home Health Care: iPads provided to home
health care diabetes patients to enable direct input
of diagnostic data; FaceTime sessions with home
health nurses reduce the need for on-site visits,
which improves nurse utilization while reducing
costs
Education: iPod Touches with pre-loaded
educational apps provided to parents of babies in
Neonatal Intensive Care Unit (NICU)
Summary
IBM Endpoint Manager for Mobile Devices delivers strong MDM capabilities in an
infrastructure that enables unified management of all enterprise devices –
desktops, laptops, servers, smartphones, and tablets
An integrated mobile enterprise platform overcomes limitations in native OS
management capabilities and delivers increased security and management of
mobile apps via integration of device management with app dev platform
Multiple data containment approaches, all delivered on Endpoint Manager’s
policy management platform, give enterprises flexibility to leverage the
containment strategy that best fits their business and user needs