tallan mobile device management strategy guide


Page 1: Tallan Mobile Device Management Strategy Guide

TALLAN INC.

MDM STRATEGY GUIDE

4/10/2014

DOCUMENT CREATED BY:

Matt Kruczek Mobile Practice Lead

Brian Sampson Mobile Practice Lead

Adam Worobec Senior Director

WE BUILD SOFTWARE THAT HELPS OUR CLIENTS GROW


4/10/2014 Mobile Strategy Guide

TABLE OF CONTENTS

MOBILE DEVICE MANAGEMENT (p. 1)

MOBILE DEVICE MANAGEMENT FOR APPLE DEVICES (p. 1)
    VOLUME PURCHASE PROGRAM ENROLLMENT (p. 1)
    APPLICATION DISTRIBUTION (p. 1)
    DOCUMENT MANAGEMENT (p. 2)
    MANAGED APPS VS. PERSONAL APPS (p. 2)
    CONFIGURING SINGLE SIGN-ON (p. 3)
    CONFIGURING PER-APP VPN (p. 3)

MOBILE DEVICE MANAGEMENT FOR ANDROID DEVICES (p. 3)
    VOLUME PURCHASE PROGRAM (p. 3)
    APPLICATION DISTRIBUTION (p. 4)
    DOCUMENT MANAGEMENT (p. 4)
    MANAGED APPS VS. PERSONAL APPS (p. 4)
    CONFIGURING SINGLE SIGN-ON (p. 4)
    CONFIGURING PER-APP VPN (p. 4)
    ANDROID PROVISIONING FEATURES SUMMARY (p. 5)

PEOPLE AND PROCESS (p. 5)
    NEW DEVICE REGISTRATION (p. 6)
    NEW APP REVIEW (p. 6)

SUMMARY (p. 6)


MOBILE DEVICE MANAGEMENT

Mobile Device Management, or MDM for short, is defined as a strategy that helps companies to secure, monitor, manage and support the usage of mobile devices at an enterprise level. Typically this is done through the use of MDM software suites that are designed to work with and connect into existing phone OS infrastructures. Choosing an appropriate MDM software package is the first step in the process.

A complete listing of MDM providers and a comparison between them can be found through the link below. Although the list appears to be iOS centric, many of the MDM providers in the list support both iOS and Android. It is important to pay attention to the features list as some are certainly more robust than others.

MDM Comparison List: http://www.enterpriseios.com/wiki/Comparison_MDM_Providers

MOBILE DEVICE MANAGEMENT FOR APPLE DEVICES

With the introduction of iOS 7, managing iDevices in the enterprise space has become a relatively easy and straightforward process. There are a few key terms and steps that should be taken into consideration when attaching any iDevice to the enterprise.

VOLUME PURCHASE PROGRAM ENROLLMENT

As part of a company’s mobile strategy there will inevitably be Apple App Store Apps that will need to be purchased and downloaded on every iDevice in the company.

In the past, in order to download an app from the Apple App Store, the app needed to be tied to an official Apple ID, which was usually the employee's personal ID. This caused issues when the company went to reclaim or reuse instances of the app after the employee changed devices or left the company. By enrolling in the Volume Purchase Program, companies can reclaim and reuse any apps purchased through the program.

In order to utilize the volume purchase program, companies will need to enroll with Apple. This enrollment opens up a host of other options and features and should be done before doing anything else. More information about enrolling and the program itself can be found at the link below.

Apple Volume Purchase Program Information: http://www.apple.com/business/vpp/

APPLICATION DISTRIBUTION

Application distribution, whether it be custom apps designed by the company or by independent developers, or apps purchased through the VPP, is all done through the company’s selected MDM software. There are typically two ways that the employee can download applications from the MDM provider.


The first way is for that application to be pushed down to the device automatically via the MDM software. This option provides a virtually seamless experience, ensuring that devices are always loaded with the latest copy of the company mandated applications. However, this requires the employee to give up a piece of control over the content of their devices.

The second way is via an MDM-provided web page which the employee can browse to and cherry-pick which applications they want to download and when. This gives the employee a bit more control, allowing them to select content when convenient.

DOCUMENT MANAGEMENT

Whenever documents are downloaded to an iDevice there is always a question of which app is allowed to open that document. This is determined by the “Open In” function, presented as a popup menu listing the apps the user can choose from to open the document. Through the use of MDM software packages, companies can limit which apps appear on this approved “Open In” list, thereby limiting the exposure of corporate documents to personal apps.

MANAGED APPS VS. PERSONAL APPS

Unless the company is adopting a policy of complete control of employees’ devices there is always going to be a potential for managed apps clashing with personal apps. Any app that resides under the “managed app” umbrella is typically subjected to the following restrictions:

• Purchased under the Volume Purchase Program
• Monitored and updated via the company’s Mobile Device Management solution
• Subjected to any and all document and security restrictions

To boil it down, any app that is “managed” is done so by the company and is subjected to company policy. However, most individuals also have a good number of “personal” apps on their devices. These apps were bought and are maintained by the employee and are not subject to any kind of monitoring by the company.

It is important to establish up front which apps the company will utilize so that these two app types can co-exist without conflict. For example, if the company decides that its word processing app of choice is “open office” and the employee already has a copy of open office on their iDevice, that employee will need to remove the personal copy from their device before the corporate copy can be downloaded and installed. This may cause additional conflict because certain features previously accessible from the personal copy, such as the “open in” features and the iCloud sharing features, may not be accessible from the corporate copy. Proper preparation and communication to employees is necessary before announcing sweeping changes to policy.

Once the company has narrowed down the list of “approved” apps, it should endeavor to make sure that all employee devices have the proper version of each application.


CONFIGURING SINGLE SIGN-ON

Single Sign-on is a feature new to iOS 7 that allows user credentials to be shared across all enterprise-managed apps. Each app configured with Single Sign-on verifies user permissions for enterprise resources and logs users in without requiring them to enter passwords.

Single Sign-on is something that must be configured using your Mobile Device Management software of choice, and then is pushed down to each managed device as a certificate. This certificate will identify which apps will be sharing these enterprise credentials.

There are two caveats to implementing SSO. The first is that there must be a Kerberos-based backend system in use in order for SSO to function. Most of the time this is not a problem, because a good number of our enterprise-level clients are working off the Microsoft stack, which uses Kerberos. The second caveat is that SSO will only function when the device is connected to the internal network. Therefore, if the device is not connected to the company’s internal network, the credentials will need to be entered each time the user accesses an app requiring network-level authentication.

CONFIGURING PER-APP VPN

In the past, when iDevices contained apps that needed to connect to the VPN in order to function, the device would require the user to create a VPN profile inside settings and then connect to that VPN whenever they needed to utilize that app. The problem with this was that when the user connected to VPN this was a “device-wide” connection, meaning that every network call was then funneled through that VPN tunnel. This created a very large security risk in that apps that were never meant to touch the VPN network now had access to it.

With the advent of the Per-App VPN feature of iOS 7, administrators can now regulate which apps have access to the VPN, so that security is much more streamlined and tightened up overall. You can configure Per-App VPN with your Mobile Device Management software of choice.

MOBILE DEVICE MANAGEMENT FOR ANDROID DEVICES

Android continues to support robust enterprise management in both BYOD and company-issued device scenarios. The following are some key areas to consider when it comes to MDM in the Android ecosystem, with highlights of where differences exist between iOS and Android. It is important to note that Android does not currently implement any device provisioning by default. The operating system exposes an API which allows for device management, which third-party developers have used to great success to build their MDM solutions.

VOLUME PURCHASE PROGRAM

Here is a key difference between iOS and Android. Apple’s VPP (Volume Purchase Program) makes certain aspects of licensing more seamless on iOS devices than on their Android counterparts. However, similar functionality can be achieved through app provisioning. In these cases apps can be distributed privately, and the organization that has purchased one or more licenses to use the app is responsible for provisioning the software to match the number of allowable licenses.


APPLICATION DISTRIBUTION

Android application distribution follows the iOS section above; feel free to re-read that section for reference. In summary, Android devices can have applications managed through MDM software or via a custom web page/app store.

Android opens up two more possibilities for application distribution. Google allows for the creation of a private app store channel which controls which apps are available.

Finally, given the open nature of Android, apps can easily be side-loaded directly from an SD card or from an email attachment. However, this distribution mechanism takes the management out of mobile device management to a degree and is typically locked down in MDM scenarios rather than used as an approach.

DOCUMENT MANAGEMENT

Many of the MDM providers offer document management capabilities for Android devices. Files can be securely sent to devices and removed from devices, and access to the files is controlled strictly by the MDM software on the device.

MANAGED APPS VS. PERSONAL APPS

Android’s mechanism for handling apps on a device is not separated into personal apps and managed apps the way it is with iOS. Some of the management features that may be exposed through an MDM provider are the ability to push apps, remove apps, and remotely wipe a device. Apps can be white-listed and black-listed to provide a truly controlled environment in which company policy decides which apps are and are not allowed on a device. Android also provides the flexibility to scan for and remove unapproved apps.

CONFIGURING SINGLE SIGN-ON

Single sign-on is something new to iOS 7 which hasn’t filtered its way into the Android platform yet.

CONFIGURING PER-APP VPN

Android does not explicitly provide for per-app VPN. A related result, however, can be achieved through split tunneling, though admittedly not as elegantly and not per app. A VPN client that supports split tunneling can be configured so that traffic to particular IP(s) or networks goes over the VPN while the rest does not.


ANDROID PROVISIONING FEATURES SUMMARY

A list of standard provisioning features supported by the top MDM providers is as follows:

• Remote Email Configuration
• Device Tracking
• Remote Wipe
• Remote Lock
• Network setting configuration
• Manage Devices With Group Policies
    o Password policies
    o Disable camera
    o Disable Bluetooth
    o Require device encryption
    o Require SD card encryption
• App Provisioning
    o Installation
    o Removal
    o App white-list and black-list
• Device Status
    o Location
    o Installed apps
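As an added example that is not part of the Tallan guide, the following Java shows how an MDM agent would implement the group-policy, device-status and app-provisioning items listed above through Android's stock device-administration API (DevicePolicyManager), which is the management API the Android section refers to. The package name, the class names, the block-list contents and the numeric thresholds are assumptions made for this example; the manifest and res/xml/device_admin.xml declarations the code depends on are described in the header comment rather than shown.

```java
package com.example.mdm; // hypothetical package name for this example

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.net.Uri;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Example MDM agent policy built on the stock Android device-administration API.
 * Prerequisites (not shown here): the manifest declares AdminReceiver with
 * android:permission="android.permission.BIND_DEVICE_ADMIN" and a
 * <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
 * entry; res/xml/device_admin.xml lists the <uses-policies> limit-password, force-lock,
 * wipe-data, encrypted-storage and disable-camera; and the user has accepted the
 * device-admin activation prompt.
 */
public final class CorporatePolicy {

    /** Receives the activation callback and applies policy immediately. */
    public static class AdminReceiver extends DeviceAdminReceiver {
        @Override
        public void onEnabled(Context ctx, Intent intent) {
            apply(ctx);
        }
    }

    // Constructed block-list for the example; a real agent would fetch it from the MDM server.
    private static final Set<String> BLOCKED_PACKAGES = new HashSet<>(Arrays.asList(
            "com.example.unapproved.filesync", "com.example.unapproved.chat"));

    // Assumed policy thresholds for the example.
    private static final int MIN_PASSWORD_LENGTH = 8;
    private static final int FAILED_ATTEMPTS_BEFORE_WIPE = 10;
    private static final long MAX_TIME_TO_LOCK_MS = 5L * 60 * 1000;

    private CorporatePolicy() {}

    private static ComponentName admin(Context ctx) {
        return new ComponentName(ctx, AdminReceiver.class);
    }

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** "Manage Devices With Group Policies": password, auto-lock, camera and encryption. */
    public static boolean apply(Context ctx) {
        DevicePolicyManager dpm = dpm(ctx);
        ComponentName who = admin(ctx);
        if (!dpm.isAdminActive(who)) {
            return false; // nothing can be enforced until the user activates the admin
        }
        dpm.setPasswordQuality(who, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(who, MIN_PASSWORD_LENGTH);
        dpm.setMaximumFailedPasswordsForWipe(who, FAILED_ATTEMPTS_BEFORE_WIPE);
        dpm.setMaximumTimeToLock(who, MAX_TIME_TO_LOCK_MS);
        dpm.setCameraDisabled(who, true);
        // Requests full-device encryption; the user completes it from Settings.
        // SD-card encryption and Bluetooth control are not in the stock API; vendor
        // agents rely on OEM extensions for those two list items.
        dpm.setStorageEncryption(who, true);
        return true;
    }

    /** "Device Status": does the device currently meet the policy? */
    public static boolean isCompliant(Context ctx) {
        DevicePolicyManager dpm = dpm(ctx);
        boolean passwordOk = dpm.isActivePasswordSufficient();
        boolean encrypted = dpm.getStorageEncryptionStatus()
                == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        return passwordOk && encrypted && findBlockedApps(ctx).isEmpty();
    }

    /** "App white-list and black-list": user-installed packages that policy forbids. */
    public static List<String> findBlockedApps(Context ctx) {
        List<String> found = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            boolean userInstalled = (ai.flags & ApplicationInfo.FLAG_SYSTEM) == 0;
            if (userInstalled && BLOCKED_PACKAGES.contains(ai.packageName)) {
                found.add(ai.packageName);
            }
        }
        return found;
    }

    /** "Removal": prompts the user; silent removal needs device-owner mode (Android 5.0+) or OEM APIs. */
    public static void requestRemoval(Context ctx, String packageName) {
        Intent i = new Intent(Intent.ACTION_UNINSTALL_PACKAGE, Uri.parse("package:" + packageName));
        i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(i);
    }

    /** "Remote Lock" and "Remote Wipe", invoked when the agent receives a server command. */
    public static void remoteLock(Context ctx) {
        dpm(ctx).lockNow();
    }

    public static void remoteWipe(Context ctx) {
        dpm(ctx).wipeData(DevicePolicyManager.WIPE_EXTERNAL_STORAGE);
    }
}
```

The design point worth noting is the `isAdminActive` check at the top of `apply`: every call on DevicePolicyManager silently fails or throws until the user has accepted the admin, so a compliance report should distinguish "policy not yet accepted" from "policy applied and violated".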

PEOPLE AND PROCESS

The technical decisions detailed throughout this document are made by, and need to be supported by, the right people and processes. There are two types of process worth mentioning. The first type is the process used to arrive at the strategic decisions detailed throughout this document. The second type is the set of processes used to support the day-to-day, tactical execution and operation of the mobile strategy.

In the beginning, it’s important to understand how the application development and device management decisions were made, to ensure they were the right decisions. This will also ensure that going forward these decisions can be revisited on a regular basis to make sure they are still the right ones.

For the future, it’s important to establish policies that will help the people in the organization who are supporting and managing all of the mobile capability be successful.

In establishing these policies there are two main areas that should be taken into consideration: new device registration and new app review.


NEW DEVICE REGISTRATION

Once the initial MDM solution has been installed and configured, it will be extremely important to set up a protocol surrounding new device registration. If the new device is employee-owned, then first and foremost the employee should be well informed that if they wish to utilize the device on the company network they will need to relinquish a certain degree of control over the device. Luckily, with the newer MDM solutions it is a relatively easy process to segregate the employee's personal files and apps from those issued and controlled by the company.

Once this process has been agreed upon, it is paramount that the device be updated to the current and latest version of the OS. One of the reasons for doing this is to ensure that whatever security protocols are put into place will function cohesively and correctly. Typically the best way to do this is to have everyone with a device be on the same version of the operating system.

Finally, once the OS has been updated it will be necessary to review the employee's existing catalog of downloaded apps and ensure that they do not overlap with any proposed company apps. If they do, then the employee's version should be summarily deleted and replaced with the company's version. This will ensure that the company maintains full control of the apps.

NEW APP REVIEW

From time to time it will be necessary to add new apps to the company catalog. Sometimes these apps will be apps that are bought from the App Store. When deciding to purchase new apps from the store there are a few things to take into consideration. The following is a list of good “rule of thumb” guidelines to use when selecting an app.

• Check to see what apps (if any) the developer has developed. Typically, good developers will have more than one app in the App Store.
• Look at the reviews of the application; more favorable and concrete reviews are best.
• See how many versions of the app have been posted. Multiple versions posted at a regular frequency typically mean that the developer is constantly making improvements to the app.
• Check to see if the developer has an associated website that provides support.

SUMMARY

This document covers the key elements of an MDM strategy. As with any strategy, it is bound to evolve over time as new requirements come to light and as feedback is gathered from the execution of the plan.

In addition to the weekly tracking of progress at a project level, Tallan recommends that the key mobile stakeholders meet at least once per quarter to review the strategy and adjust it as necessary.