RFI Template for Enterprise MDM Solutions

MDM SOLUTION – RFI TEMPLATE. © 2012 Zenprise, Inc.

Upload: phungcong

Post on 19-Mar-2018



About This RFI Template

A secure mobile device management solution is an integral part of any effective enterprise mobility program. Mobile devices are similar to other endpoints in the enterprise and require similar security to corporate-issued desktops and laptops. Many businesses are also subject to regulatory requirements and compliance standards that drive the need for specific mobile security capabilities. Enterprise mobility is a fast-evolving area, and with a crowded field of products and solutions from several vendors, businesses have to choose carefully to pick the correct solution that will address not only their needs today but also those of the future. Not all MDM solutions are created equal. There are several products that offer basic management of devices and inventory. Others support only a limited range of features on some platforms. Very few solutions offer a full complement of capabilities that address enterprise mobile security, availability, and manageability requirements. This document provides guidelines on key requirements that should be addressed by an MDM solution.

The requirements for MDM solutions are grouped into the following categories:

1. Core MDM capabilities

2. Simplicity of MDM solution for administrators and end-users

3. End-to-end security and compliance

4. Enterprise-grade architecture

5. Best-in-class support, services and training


1 Core MDM Capabilities

1.1 Delivery Model:

1.1.1 Solution should provide deployment options that fit the business model and budget, with cloud and on-premises options, as well as a hybrid option with a mix of cloud solution and back-end integrations with LDAP, PKI, and application servers, as well as subscription options.

1.1.2 How does the solution handle the BYOD (bring your own device) trend in enterprises?

1.2 Integration with Systems and Services:

Solution must be able to integrate with the standard application, collaboration and email platforms.

1.2.1 Explain how the solution integrates with the following systems:

• Active Directory (direct integration for not just authentication, but also role and group data)

• Microsoft® Exchange Server / ActiveSync for securing access to corporate email/calendar.

• PKI and certificate systems for two-factor authentication and single sign-on

• Security Information and Event Management (SIEM) Systems for advanced correlation, reporting, and incident forensic analysis

• Asset management or configuration management databases

1.2.2 Explain how the solution provides additional functionality over and above what is available with Microsoft Exchange™ ActiveSync (EAS) – Direct OS-MDM API integration instead of relying only on ActiveSync policies.

1.3 Provisioning:

1.3.1 Explain the provisioning process for devices on different platforms – iOS™, Android™, Symbian™, and Windows Mobile™. Is the enrolment process similar or are there platform-specific variations?

1.3.2 Explain how the solution provides a secure registration process in which users and devices cannot partially register (e.g., register with the Microsoft Exchange server but not with the MDM).

1.3.3 Explain how the solution performs a compliance check pre-enrollment, to ensure that jail-broken, rooted, or non-compliant devices cannot be enrolled into the system.

1.4 Presence Awareness:

1.4.1 Explain how the solution provides device status, tracking, and monitoring. Does it provide a full software inventory and a range of device statistics?


1.5 Platform Support:

1.5.1 Provide a matrix of platforms and operating systems your service supports. At a minimum, the solutions should support all of the major mobile OSes – iOS, Android (including non-C2DM), Windows, Symbian, and BlackBerry™.

1.5.2 Explain how the solution manages devices remotely per platform and operating system. What remote service and troubleshooting capabilities does it provide? Does it enable device service functions such as chat and remote control?

1.6 Inventory Management:

1.6.1 Explain how the solution captures and stores information about the user, device, user location, compliance, quantity, groups, device type, OS type, etc.

1.6.2 Explain how the solution manages and enforces the number of devices and types of devices per user. Does the solution support the Apple® VPP program to enable automated provisioning of volume licenses purchased from the Apple enterprise store?

1.7 Security and Compliance Management:

The MDM solution must have the capability to detect, block/allow, and report on devices that are not compliant with security requirements and policies. It must also enable IT to specify certain device compliance checks pre-enrollment. Device compliance checks must also include the following:

• “Jailbreaking”

• “Rooting”

• Encryption

• Managed vs. unmanaged

• Compliant pc policy

• Revoked

• Application (blocking)

• Software (version)

• Firmware (version)

1.7.1 Explain how the solution identifies, reports, and handles violations from the list of compliance criteria above.

1.7.2 How does selective wiping and full wiping work?

1.7.3 What kind of information logging and auditing capability is available for compliance audits?


1.7.4 Do you support application deployment to managed devices?

1.7.5 Do you support selective wiping of ActiveSync information?

1.7.6 How do you secure applications and over-the-air data exchanged with applications?

1.8 Handling of Corporate Liable versus Individually Liable Devices:

1.8.1 How does the solution identify corporate liable vs. individually liable devices? Does it enable users to self-identify device ownership, or does it keep that in the hands of IT or security professionals?

1.8.2 Does it allow import and automatic tagging of device ownership from an asset or configuration management database?

1.8.3 Does the solution provide a secure container for secure distribution of corporate documents that can be time-expired?

1.9 Reporting:

1.9.1 Please provide a list of common reports that are available from the system.

1.9.2 Can the system provide reports by the following parameters?

• By Device Count

• By Device Type

• By User Name and User Count

• By Carriers

• By OSes

• By Inventory

• By Status

• By Location/Region

2 Simplicity for administrators and end-users

IT administrators and security personnel are constantly under pressure to serve their internal customers efficiently. Every new task or activity adds incremental burden that causes costly additions of temporary personnel, resources, training needs or service-level challenges. Explain how the MDM solution addresses the following user experience criteria.


2.1 Deployment:

MDM solutions should ease the IT administrator’s burden by making it simple to deploy policies and match them to user groups and devices.

2.1.1 Explain the information architecture that is used to store users, groups, policies and configurations. Can users be associated with multiple groups (e.g., can a user be part of “West Coast”, “Management” and “Sales”, or is it a one-to-one mapping)?

2.1.2 How many steps are required to deploy a new policy?

2.1.3 How does the solution present the set of policy choices available by platform? How does it prevent selecting the wrong policy for a device type (e.g., associating an Android policy with an iOS device)?

2.1.4 How hard is it to change a policy once that policy has been mapped to user groups or deployed? Can you change the policy once and have the change reflected everywhere the policy is deployed, or do you have to change it everywhere it’s deployed?

2.2 Active Directory/LDAP integration:

Having up-to-date information in the MDM system is important for security. The system should allow the setting of policies and rules on the inheritance of policies across groups and users.

2.2.1 Does the solution automatically handle the addition or removal of groups and users based on Active Directory/LDAP changes?

2.2.2 Does the solution provide support for certificate-based authentication and two-factor authentication?

2.2.3 Does the MDM solution offer true, real-time LDAP integration, avoiding the need to manually add or remove users?

2.2.4 Are changes seamlessly propagated to all intended user groups and devices?

2.2.5 How soon can a change made in the Active Directory system be seen in the MDM administration console?

2.3 Reporting Capabilities:

2.3.1 Explain how the MDM solution supports generating reports to analyze data, performance and compliance reporting.

2.4 Mix and match mobile configuration resources:

One of the ways that MDM solutions can reduce the time and effort for administrative tasks is by allowing the reuse of policies and profiles among groups.


2.4.1 Does the system allow the creation of a policy once and redeploying it across many groups?

2.4.2 Can users derive policies from two or more groups without the need to create a third combined group?

2.5 Ease-of-use for end users:

The end user on-boarding experience must be simple for any enterprise mobility solution to work and to be adopted by employees. The solution must cause minimal support impact to IT administrators.

2.5.1 Is the end user on-boarding experience consistent across devices? Does enrolment of some device types require special considerations?

2.5.2 Does Android enrolment require users to create a new Google® account?

2.5.3 Do administrators have to pre-register a user’s device in the system before the user is allowed to enroll the device?

2.5.4 Many users prefer not to turn on location services since doing so drains their device battery. Also, many international offices cannot require users to turn on location services. Do users have to turn on location services on their devices in order to enroll?

3 End-to-end security and continuous compliance

Enterprise MDM solutions typically focus on device security. This is necessary but not sufficient. Enterprise mobility deployments, particularly in highly regulated industries with compliance standards, need to account for multiple points of vulnerability.

3.1 Always on device compliance checks:

3.1.1 Does the MDM system check device compliance before the devices attempt to enroll? Can jail-broken devices enroll before being blocked?

3.1.2 Do administrators have a choice of enforcement actions - prevent enrolment, allow enrolment but block, or allow enrolment?

3.1.3 Does the MDM system block devices with blacklisted applications?

3.1.4 Do automated compliance checks require the administrator to turn on location-based services?

3.1.5 Explain how the solution goes beyond just device-level security to address security for apps, the network, and data.

3.1.6 How does the solution provide upfront and ongoing assurance that devices are compliant with corporate and regulatory policies?


3.2 Mobile Data Leakage Prevention (mobile DLP):

When it comes to data, mobile devices are similar to other endpoints in the enterprise. Increasingly, employees use them to access sensitive corporate data. The ability to distribute documents securely and easily to users and to prevent leakage of sensitive corporate data is a critical capability for the MDM solution.

3.2.1 Explain the mobile DLP capabilities of the MDM system with respect to data security and other regulatory compliance needs.

3.2.2 Does the MDM system provide a secure encrypted container on the devices for corporate documents?

3.2.3 Can it perform a selective wipe of corporate documents and an automated wipe upon jail-break detection?

3.2.4 Can the system prevent the data from being emailed, printed, copied/pasted, or locally saved to prevent data leakage?

3.2.5 Can data be marked for time-based expiration and automatic wipe after the defined expiration?

3.2.6 Does the system allow automated data synchronization with the server with the ability to block such synchronization over cellular networks to prevent data overages?

3.3 Mobile App Security and Optimization:

Mobile apps will be, and in some cases already are, key components of most enterprise mobility strategies. Controlling and securing the apps and protecting against bad, risky or non-compliant mobile apps are important app-level security requirements.

3.3.1 Does the MDM system allow blacklisting and whitelisting of apps?

3.3.2 Does the system restrict the type of apps that can be installed or run?

3.3.3 Can the system control device resources on Android devices? Can the system prevent a user from opening a blacklisted application on their Android device?

3.3.4 Does the solution offer the ability to lock or kill apps upon being launched on the device?

3.3.5 Does the solution enable IT to offer access to apps on a granular, one-by-one basis?

3.3.6 Does the system encrypt data at rest as well as data in transit?

3.3.7 Does the system also provide encryption and compression of app traffic?

3.4 Mobile Security Intelligence:

Mobile administrators must have the ability to analyze and identify mobile threats by correlating security events from multiple sources.

3.4.1 Does the MDM system offer integration with SIEM systems (e.g., Splunk®, ArcSight™, etc.) for advanced analysis of threats and security events?

3.4.2 Does the system report data on any potential unauthorized accesses or attempts at such access to the corporate network?

4 Enterprise-grade Architecture

The system architecture of the MDM solution can make or break the overall security of the system. The MDM solution must be architected for security from the ground up. The number of ports that need to be opened to the backend infrastructure must be kept to a minimum without compromising the overall usability of the solution. The MDM solution should integrate seamlessly into the existing infrastructure without requiring the network architecture to be rearranged or exposing data in the DMZ.

4.1 Security Architecture:

4.1.1 Introducing the MDM solution should not require changes to the IT security architecture. Explain how the MDM solution is architected with security best practices in mind.

4.1.2 Is any corporate data stored in the DMZ?

4.1.3 Do you require Active Directory data to be replicated to your system and stored in the DMZ or outside the firewall?

4.1.4 How many ports does the MDM solution require to be opened to the backend infrastructure?

4.1.5 Does the system share databases/instances among customers in cloud deployments? Is there an incremental charge for a dedicated instance?

4.2 High Availability:

A technology failure or interruption shouldn’t take down the mobile management solution or create security holes. The very advantage of mobility and anytime, anywhere access to information would be lost if the system is not architected to handle failures.

4.2.1 Explain how the MDM solution is architected for high availability. How will it handle system failures?

4.2.2 What type of clustering architecture is the system built on?

4.3 Scalability:

4.3.1 Explain how the architecture can address enterprise mobility needs today and scale to keep pace with growth.

4.3.2 Can the MDM solution scale out to thousands of devices? Can it grow with the organization as needs change?

5 Support services and training

Enterprise-grade MDM solutions must have world-class support, services and training.

Support must “follow the sun” in that it should be available across all geographies and time zones.

5.1 Customer support

5.1.1 Do you offer global and 24x7x365 “always on” support for P1 issues? Do you offer local language support in my global locations?

5.1.2 Explain your professional services offerings to help deploy the solution quickly and to help get the most out of the solution, including application-specific customizations.

5.2 Educated and experienced support staff

5.2.1 Explain how you ensure that your support personnel can handle support calls and escalations.

5.3 Services offering

5.3.1 Explain what types of enterprise services are available for turn-key deployments.

5.3.2 Can we receive consulting assistance with evaluating our enterprise mobility deployment and best practices on policies to implement?

5.4 Training programs

5.4.1 Explain the training options that are available for our IT staff and our internal support personnel.

© 2012 Zenprise, Inc. All rights reserved. Zenprise is a registered trademark of Zenprise Inc. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. OT-29-1

Zenprise, Inc. • 1600 Seaport Blvd. Suite 200 • Redwood City, CA 94063 • +1 650 365 1128 • www.zenprise.com
