RFI Template for Enterprise MDM Solutions

Post on 19-Mar-2018
MDM SOLUTION RFI TEMPLATE 2012 Zenprise, Inc.

RFI Template for Enterprise MDM Solutions

About This RFI Template

A secure mobile device management solution is an integral part of any effective enterprise mobility program. Mobile devices are similar to other endpoints in the enterprise and require the same level of security as corporate-issued desktops and laptops. Many businesses are also subject to regulatory requirements and compliance standards that drive the need for specific mobile security capabilities. Enterprise mobility is a fast-evolving area, and with a crowded field of products and solutions from several vendors, businesses have to choose carefully to pick a solution that addresses not only their needs today but also those of the future.

Not all MDM solutions are created equal. Several products offer only basic device and inventory management. Others support a limited range of features on some platforms. Very few solutions offer a full complement of capabilities that address enterprise mobile security, availability, and manageability requirements.

This document provides guidelines on key requirements that should be addressed by an MDM solution. The requirements are grouped into the following categories:

1. Core MDM capabilities
2. Simplicity of the MDM solution for administrators and end users
3. End-to-end security and compliance
4. Enterprise-grade architecture
5. Best-in-class support, services and training

1 Core MDM Capabilities

1.1 Delivery Model

1.1.1 The solution should provide deployment options that fit the business model and budget: cloud and on-premises options, a hybrid option that mixes a cloud solution with back-end integrations with LDAP, PKI, and application servers, and subscription options.

1.1.2 How does the solution handle the BYOD (bring your own device) trend in enterprises?

1.2 Integration with Systems and Services

The solution must be able to integrate with the standard application, collaboration and email platforms.

1.2.1 Explain how the solution integrates with the following systems:
- Active Directory (direct integration not just for authentication, but also for role and group data)
- Microsoft Exchange Server / ActiveSync, for securing access to corporate email and calendar
- PKI and certificate systems, for two-factor authentication and single sign-on
- Security Information and Event Management (SIEM) systems, for advanced correlation, reporting, and incident forensic analysis
- Asset management or configuration management databases

1.2.2 Explain how the solution provides functionality over and above what is available with Microsoft Exchange ActiveSync (EAS), e.g. direct OS MDM API integration instead of relying only on ActiveSync policies.

1.3 Provisioning

1.3.1 Explain the provisioning process for devices on the different platforms: iOS, Android, Symbian, and Windows Mobile. Is the enrollment process the same on each, or are there platform-specific variations?

1.3.2 Explain how the solution provides a secure registration process in which users and devices cannot partially register (e.g., register with the Microsoft Exchange server but not with the MDM).

1.3.3 Explain how the solution performs a compliance check pre-enrollment, to ensure that jailbroken, rooted, or otherwise non-compliant devices cannot be enrolled into the system.

1.4 Presence Awareness

1.4.1 Explain how the solution provides device status, tracking, and monitoring. Does it provide a full software inventory and a range of device statistics?

1.5 Platform Support

1.5.1 Provide a matrix of the platforms and operating systems your service supports. At a minimum the solution should support all of the major mobile OSes: iOS, Android (including non-C2DM devices), Windows, Symbian, and BlackBerry.

1.5.2 Explain how the solution manages devices remotely per platform and operating system. What remote service and troubleshooting capabilities does it provide? Does it enable device service functions such as chat and remote control?

1.6 Inventory Management

1.6.1 Explain how the solution captures and stores information about the user, device, user location, compliance state, quantity, groups, device type, OS type, etc.

1.6.2 Explain how the solution manages and enforces the number and types of devices per user. Does the solution support the Apple Volume Purchase Program (VPP) to enable automated provisioning of volume licenses purchased from the Apple enterprise store?

1.7 Security and Compliance Management

The MDM solution must have the capability to detect, block/allow, and report on devices that are not compliant with security requirements and policies. It must also enable IT to specify certain device compliance checks pre-enrollment. Device compliance checks must include at least the following:
- Jailbreaking
- Rooting
- Encryption
- Managed vs. unmanaged
- Compliant PC policy
- Revoked application (blocking)
- Software (version)
- Firmware (version)

1.7.1 Explain how the solution identifies, reports, and handles violations of the compliance criteria listed above.
1.7.2 How do selective wiping and full wiping work?
1.7.3 What information logging and auditing capability is available for compliance audits?
1.7.4 Do you support application deployment to managed devices?
1.7.5 Do you support selective wiping of ActiveSync information?
1.7.6 How do you secure applications and the over-the-air data exchanged with applications?

1.8 Handling of Corporate-Liable versus Individually-Liable Devices

1.8.1 How does the solution identify corporate-liable vs. individually-liable devices? Does it enable users to self-identify device ownership, or does it keep that in the hands of IT or security professionals?
1.8.2 Does it allow import and automatic tagging of device ownership from an asset or configuration management database?
1.8.3 Does the solution provide a secure container for distribution of corporate documents that can be time-expired?

1.9 Reporting

1.9.1 Please provide a list of common reports that are available from the system.
1.9.2 Can the system provide reports by the following parameters?
- By device count
- By device type
- By user name and user count
- By carrier
- By OS
- By inventory
- By status
- By location/region

2 Simplicity for Administrators and End Users

IT administrators and security personnel are constantly under pressure to serve their internal customers efficiently. Every new task or activity adds an incremental burden that causes costly additions of temporary personnel, resources and training needs, or creates service-level challenges. Explain how the MDM solution addresses the following user experience criteria.

2.1 Deployment

MDM solutions should ease the IT administrator's burden by making it simple to deploy policies and match them to user groups and devices.

2.1.1 Explain the information architecture that is used to store users, groups, policies and configurations. Can users be associated with multiple groups (e.g., can a user be part of West Coast, Management and Sales, or is it a one-to-one mapping)?
2.1.2 How many steps are required to deploy a new policy?
2.1.3 How does the solution present the set of policy choices available by platform? How does it prevent selecting the wrong policy for a device type (e.g., associating an Android policy with iOS)?
2.1.4 How hard is it to change a policy once it has been mapped to user groups or deployed? Can you change the policy once and have the change reflected everywhere the policy is deployed, or do you have to change it everywhere it is deployed?

2.2 Active Directory/LDAP Integration

Having up-to-date information in the MDM system is important for security. The system should allow the setting of policies and rules on the inheritance of policies across groups and users.

2.2.1 Does the solution automatically handle the addition or removal of groups and users based on Active Directory/LDAP changes?
2.2.2 Does the solution provide support for certificate-based authentication and two-factor authentication?
2.2.3 Does the MDM solution offer true, real-time LDAP integration, avoiding the need to manually add or remove users?
2.2.4 Are changes seamlessly propagated to all intended user groups and devices?
2.2.5 How soon can a change made in Active Directory be seen in the MDM administration console?

2.3 Reporting Capabilities

2.3.1 Explain how the MDM solution supports generating reports for data analysis, performance and compliance reporting.

2.4 Mix and Match Mobile Configuration Resources

One of the ways MDM solutions can reduce the time and effort of administrative tasks is by allowing the reuse of policies and profiles among groups.

2.4.1 Does the system allow a policy to be created once and redeployed across many groups?
2.4.2 Can users derive policies from two or more groups without the need to create a third, combined group?

2.5 Ease of Use for End Users

The end-user on-boarding experience must be simple for any enterprise mobility solution to work and to be adopted by employees. The solution must cause minimal support impact to IT administrators.

2.5.1 Is the end-user on-boarding experience consistent across devices? Does enrollment of some device types require special considerations?
2.5.2 Does Android enrollment require users to create a new Google account?
2.5.3 Do administrators have to pre-register a user's device in the system before the user is allowed to enroll the device?
2.5.4 Many users prefer not to turn on location services since it drains the device battery, and many international offices cannot require users to turn on location services. Do users have to turn on location services on their devices in order to enroll?

3 End-to-End Security and Continuous Compliance

Enterprise MDM solutions typically focus on device security. This is necessary but not sufficient. Enterprise mobility deployments, particularly in highly regulated industries with compliance standards, need to account for multiple points of vulnerability.

3.1 Always-On Device Compliance Checks

3.1.1 Does the MDM system check device compliance before devices attempt to enroll? Can jailbroken devices enroll before being blocked?
3.1.2 Do administrators have a choice of enforcement actions: prevent enrollment, allow enrollment but block access, or allow enrollment?
3.1.3 Does the MDM system block devices with blacklisted applications?
3.1.4 Do automated compliance checks require the administrator to turn on location-based services?
3.1.5 Explain how the solution goes beyond device-level security to address security for apps, the network, and data.
3.1.6 How does the solution provide upfront and ongoing assurance that devices are compliant with corporate and regulatory policies?

3.2 Mobile Data Leakage Prevention (Mobile DLP)

When it comes to data, mobile devices are similar to other endpoints in the enterprise. Increasingly, employees use them to access sensitive corporate data. The ability to distribute documents securely and easily to users while preventing leakage of sensitive corporate data is a critical capability for the MDM solution.

3.2.1 Explain the mobile DLP capabilities of the MDM system with respect to data security and other regulatory compliance needs.
3.2.2 Does the MDM system provide a secure encrypted container on the device for corporate documents?
3.2.3 Can it perform a selective wipe of corporate documents, and an automated wipe upon jailbreak detection?
3.2.4 Can the system prevent the data from being emailed, printed, copied/pasted, or locally saved, to prevent data leakage?
3.2.5 Can data be marked for time-based expiration and automatically wiped after the defined expiration?
3.2.6 Does the system allow automated data synchronization with the server, with the ability to block such synchronization over cellular networks to prevent data overages?

3.3 Mobile App Security and Optimization

Mobile apps will be, and in some cases already are, key components of most enterprise mobility strategies. The ability to control and secure apps and to protect against bad, risky or non-compliant mobile apps are important app-level security requirements.

3.3.1 Does the MDM system allow blacklisting and whitelisting of apps?
3.3.2 Does the system restrict the type of apps that can be installed or run?
3.3.3 Can the system control device resources on Android devices? Can it prevent a user from opening a blacklisted application on their Android device?
3.3.4 Does the solution offer the ability to lock or kill apps upon being launched on the device?
3.3.5 Does the solution enable IT to grant access to apps on a granular, one-by-one basis?
3.3.6 Does the system encrypt data at rest as well as data in transit?
3.3.7 Does the system also provide encryption and compression of app traffic?

3.4 Mobile Security Intelligence

Mobile administrators must have the ability to analyze and identify mobile threats by correlating security events from multiple sources.

3.4.1 Does the MDM system offer integration with SIEM systems (e.g., Splunk, ArcSight) for advanced analysis of threats and security events?
3.4.2 Does the system report data on any unauthorized accesses, or attempts at such access, to the corporate network?
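One way the enrollment gate asked about in 1.7 and 3.1 can be structured, shown here as an added Python example rather than Zenprise's or any vendor's code. It evaluates a device posture against a policy covering the listed criteria (jailbreak/root, encryption, managed state, blacklisted apps, minimum OS version), applies the administrator's chosen enforcement action from 3.1.2, and emits a flat audit record suitable for the logging and SIEM forwarding asked about in 1.7.3 and 3.4.1. The field names, the policy values and the three sample devices are assumptions constructed for illustration; a real agent would report the posture, and the platform's own jailbreak and encryption detection would populate the flags.

```python
"""Compliance gate of the kind an MDM enrollment check performs.

Added illustration, not Zenprise code. It models the compliance criteria the
RFI lists in section 1.7 and the three enforcement choices of 3.1.2. Field
names, policy values and the sample devices are constructed for this example.
"""
import json
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow_enrollment"          # compliant, or admin chose report-only
    ENROLL_BLOCK = "enroll_but_block"   # enroll so IT can see it, block corporate access
    PREVENT = "prevent_enrollment"      # refuse enrollment outright


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    platform: str              # "ios", "android", ...
    os_version: str            # dotted numeric string, e.g. "4.0.4"
    firmware_version: str      # recorded for inventory/audit, not evaluated here
    jailbroken: bool           # jailbroken (iOS) or rooted (Android)
    encrypted: bool            # device storage encryption enabled
    managed: bool              # MDM profile / device administrator present
    installed_apps: frozenset  # bundle or package identifiers


@dataclass(frozen=True)
class Policy:
    min_os_version: dict        # platform -> minimum OS version
    blacklisted_apps: frozenset
    require_encryption: bool = True
    require_managed: bool = True
    # What to do with a non-compliant device: the administrator's choice (RFI 3.1.2)
    on_violation: Action = Action.PREVENT


def parse_version(v: str) -> tuple:
    """Compare versions numerically: "4.10" must sort after "4.9"."""
    return tuple(int(part) for part in v.split("."))


def violations(device: DevicePosture, policy: Policy) -> list:
    """Return every failed check, so the audit record explains the decision."""
    found = []
    if device.jailbroken:
        found.append("jailbroken_or_rooted")
    if policy.require_encryption and not device.encrypted:
        found.append("storage_not_encrypted")
    if policy.require_managed and not device.managed:
        found.append("unmanaged")
    bad_apps = sorted(device.installed_apps & policy.blacklisted_apps)
    if bad_apps:
        found.append("blacklisted_apps:" + ",".join(bad_apps))
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        found.append("unsupported_platform:" + device.platform)
    elif parse_version(device.os_version) < parse_version(minimum):
        found.append(f"os_below_minimum:{device.os_version}<{minimum}")
    return found


def evaluate(device: DevicePosture, policy: Policy) -> tuple:
    """Return (action, violations, audit_record).

    The audit record is a flat, JSON-serialisable dict so it can be kept for
    compliance audits (RFI 1.7.3) or forwarded to a SIEM (RFI 3.4.1).
    """
    found = violations(device, policy)
    action = Action.ALLOW if not found else policy.on_violation
    record = {
        "device_id": device.device_id,
        "platform": device.platform,
        "os_version": device.os_version,
        "firmware_version": device.firmware_version,
        "compliant": not found,
        "violations": found,
        "action": action.value,
    }
    return action, found, record


# Constructed sample policy and devices (not real data).
POLICY = Policy(
    min_os_version={"ios": "5.1", "android": "4.0.3"},
    blacklisted_apps=frozenset({"com.example.filesharing"}),
)
LENIENT_POLICY = Policy(
    min_os_version=POLICY.min_os_version,
    blacklisted_apps=POLICY.blacklisted_apps,
    on_violation=Action.ENROLL_BLOCK,
)
GOOD = DevicePosture("ios-0001", "ios", "5.1.1", "9B206", False, True, True,
                     frozenset({"com.apple.mobilemail"}))
ROOTED = DevicePosture("android-0002", "android", "4.0.4", "IMM76I", True, True, True,
                       frozenset({"com.example.filesharing"}))
OLD = DevicePosture("android-0003", "android", "2.3.6", "GRK39F", False, False, True,
                    frozenset())

if __name__ == "__main__":
    for dev in (GOOD, ROOTED, OLD):
        print(json.dumps(evaluate(dev, POLICY)[2]))
```

Two points a vendor answer should be checked against: the gate reports every failed criterion rather than stopping at the first, so the record answers 1.7.1 (why was this device refused?) without a second lookup; and the version check compares numerically, because a string comparison would accept "4.9" as newer than "4.10". The enforcement choice here applies uniformly to all violations; an evaluator may reasonably want jailbreak or root detection to force "prevent" regardless of the configured mode, which is worth asking under 3.1.2.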
4 Enterprise-Grade Architecture

The system architecture of the MDM solution can make or break the overall security of the system. The MDM solution must be architected for security from the ground up. The number of ports that need to be opened to the back-end infrastructure must be kept to a minimum without compromising the overall usability of the solution. The MDM solution should integrate seamlessly into the existing infrastructure without requiring the network architecture to be rearranged or exposing data in the DMZ.

4.1 Security Architecture

4.1.1 Introducing the MDM solution should not require changes to the IT security architecture. Explain how the MDM solution is architected with security best practices in mind.
4.1.2 Is any corporate data stored in the DMZ?
4.1.3 Do you require Active Directory data to be replicated to your system and stored in the DMZ or outside the firewall?
4.1.4 How many ports does the MDM solution require to be opened to the back-end infrastructure?
4.1.5 Does the system share databases/instances among customers in cloud deployments? Is there an incremental charge for a dedicated instance?

4.2 High Availability

A technology failure or interruption shouldn't take down the mobile management solution or create security holes. The very advantage of mobility, anytime, anywhere access to information, would be lost if the system is not architected to handle failures.

4.2.1 Explain how the MDM solution is architected for high availability. How will it handle system failures?
4.2.2 What type of clustering architecture is the system built on?

4.3 Scalability

4.3.1 Explain how the architecture can address enterprise mobility needs today and scale to keep pace with growth.
4.3.2 Can the MDM solution scale out to thousands of devices? Can it grow with the organization as needs change?

5 Support, Services and Training

Enterprise-grade MDM solutions must have world-class support, services and training. Support must follow the sun, in that it should be available across all geographies and time zones.

5.1 Customer Support
5.1.1 Do you offer global, 24x7x365 always-on support for P1 issues? Do you offer local-language support in our global locations?
5.1.2 Explain your professional services offerings to help deploy the solution quickly and to help get the most out of it, including application-specific customizations.

5.2 Educated and Experienced Support Staff
5.2.1 Explain how you ensure that your support personnel can handle support calls and escalations.

5.3 Services Offering
5.3.1 Explain what types of enterprise services are available for turn-key deployments.
5.3.2 Can we receive consulting assistance with evaluating our enterprise mobility deployment and best practices on policies to implement?

5.4 Training Programs
5.4.1 Explain the training options that are available for our IT staff and our internal support personnel.

2012 Zenprise, Inc. All rights reserved. Zenprise is a registered trademark of Zenprise Inc. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. OT-29-1
Zenprise, Inc., 1600 Seaport Blvd., Suite 200, Redwood City, CA 94063, +1 650 365 1128, www.zenprise.com

