Deploy the Apple iPhone across your Enterprise with confidence

White Paper

Vodafone Global Enterprise


While enterprise IT’s reaction may be to say “no,” saying “no” is not an option. Invariably, an executive will demand an iPhone or the groundswell from users will become too loud to ignore. Enterprise IT departments need to think now about strategies to support iPhone deployments locally and worldwide and adopt the tools necessary to support their deployment strategy.

Enterprise IT administrators need to pay particular attention to walking the fine line between providing end-users the tools to take full advantage of the richness of the iPhone experience, and having processes in place to keep corporate data as secure as possible.

Some organisations just focus on items such as corporate email, calendar, and contacts but need to ask:

• How does the solution protect all of our corporate data? What about users of Safari (the Apple web browser) or other applications?

• How am I protecting my laptops today? Would I just protect email when securing my laptops?

To make iPhone deployments successful, enterprise IT should:

1. Connect enrolled iPhones securely to enterprise resources, including email, Wi-Fi and VPN

2. Provide access to recommended enterprise applications

3. Enforce enterprise security policies to protect corporate data

4. Maintain a detailed, central inventory

5. Provide access control over iPhones connecting through ActiveSync

6. Secure lost, stolen, or retired iPhones through full and selective wipe

7. Bring iPhones under IT management

8. Option to administer centrally for consistent multi-country deployments

Enterprises need an iPhone strategy

The Apple iPhone has become a catalyst for changing the way both users and organisations think about their phones. Users want iPhones because of the exceptional experience they provide and because they support business applications. These applications include email, but also broad business applications like Salesforce.com and even niche business applications like medical imaging viewers.

Let’s examine each of these areas and how Vodafone’s Device Manager for iPhone can help.

1. Connect enrolled iPhones securely to enterprise resources, including email, Wi-Fi and VPN

Once a device is enrolled, it is important to make the device useful by allowing it to connect to enterprise resources such as email, Wi-Fi, and VPN. These configurations should be:

• Generated dynamically, meaning that a user’s credentials should be pre-populated and the right resource (e.g., server name, VPN concentrator) targeted to the right employee.

• Handled over-the-air, to eliminate the need for enterprise IT to physically configure each iPhone (a time-consuming task even for small deployments).

• Transmitted in a secure format, such that when configurations are pushed over-the-air, the information within them (server names, account names, etc.) cannot be intercepted by hackers.

Vodafone Global Enterprise Device Manager makes it easy to provision end-users for enterprise resources, including email, Wi-Fi, and VPN. It dynamically generates configurations for iPhones based on the settings defined by an enterprise IT administrator. Administrators are able to tie settings to LDAP groups to meet the varying requirements within the organisation.

All configuration profiles generated for an iPhone are delivered over-the-air using a protocol called SCEP (Simple Certificate Enrolment Protocol). Use of SCEP not only allows configurations to be distributed without IT physically touching a device, but also ensures that the configurations themselves are encrypted, so that sensitive information such as server addresses and account names is not exposed during distribution.

The certificates used to sign and encrypt configuration profiles can also be used for authentication to back-end resources, including Exchange, Wi-Fi and VPN. Finally, because Vodafone Device Manager signs all configuration profiles, any backups made with iTunes will automatically be encrypted and password protected.


2. Provide access to recommended enterprise applications

While email, Wi-Fi, and VPN are important resources to provision to a user’s phone, they are not the only elements an IT department should be concerned with. iPhones are essentially mini computers and have been designed to power rich applications, including business-oriented applications like Salesforce.com and CRM. Organisations face two main challenges in handling applications within their enterprise:

• Communicating which of the 250,000+ applications on the Apple App Store are supported by the enterprise and making them easily accessible. For instance, many organisations would provide support for applications like the popular CRM tool, Salesforce.com, or news tools like Reuters, while they would not provide support for iPhone games.

• Understanding how they will handle reimbursement of paid applications. Many applications, including popular ones like QuickOffice, cost money, and IT will need to determine how to pay for those applications.

Vodafone Device Manager Application Distribution for iPhone

The Vodafone Device Manager platform helps enterprises communicate to end users which App Store applications are supported by IT, assists with the application reimbursement process, and makes it easy to provide direct access to web-based applications.

Through the Device Manager application, enterprise IT administrators can link to applications from the App Store and create a recommended applications list, which can be custom-tailored to an individual or group of users. When a user clicks on a recommended application, they see a description of the application and the option to download it from the App Store. Employees can participate in giving IT visibility into their application usage by marking these recommendations as applications they use. Updates to the recommended applications list can be made over-the-air to reflect changes in recommendations and in policies. For example, using the recommended applications list, IT can ensure that an executive travelling to China is equipped with the right language translation tool or currency converter just before their trip.

Managing payment for applications is also an important issue. Most organisations prefer to tie iTunes accounts to personal credit cards or corporate cards that are personally liable, and then reimburse employees for use of sanctioned applications. To support this, the recommended applications list can be targeted to individual users or groups, enabling IT to communicate which applications will be reimbursed by either the corporate IT or finance departments. Employees automatically know what is supported and what is not from within their own iPhone; regular auditing against these lists can help track down sources of abuse.

Device Manager administrators can also give users easy access to web-based applications by configuring Web Clips. A Web Clip places a direct link to a website within the user’s iPhone home screen. This allows an end-user to launch a web application as they would any other application.

3. Enforce enterprise security policies to protect corporate data

Most companies, when protecting laptops, protect those devices by ensuring the device has a strong power-on password and that the device has full disk encryption. The reason why organisations use these methods is because they know corporate data is within multiple applications on the laptop, not just email.

iPhones fit into the same model: there are many business-oriented applications (Salesforce.com, WebEx, and Oracle Business Applications, among others), and each of them may hold corporate data. Thus, the entire device must be secured.

To secure the iPhone, Vodafone Device Manager delivers configurations securely, and these configurations apply to the entire device. We can:

• Define the complexity of a power-on password (password type, number of characters, number of special characters required, etc.)

• Define the number of failed attempts a user can make before the device wipes itself.

Each configuration delivered is digitally signed to prevent tampering; a user cannot delete or overwrite the security policy applied because of this signature.
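The per-group passcode rules described above (and the "generated dynamically" per-group configuration of section 1) are carried to the device in a configuration profile. The following is an added example, not Vodafone's code: it builds such a profile with Python's standard plistlib, using Apple's real passcode payload type com.apple.mobiledevice.passwordpolicy and its documented keys (minLength, requireAlphanumeric, minComplexChars, maxFailedAttempts, allowSimple, forcePIN, maxInactivity), and then checks candidate passcodes against the rules the profile carries, which shows what each key actually enforces. The group names, policy values, organisation name and function names (GROUP_POLICIES, build_passcode_profile, passcode_meets_policy) are constructed for illustration.

```python
"""Build an iOS passcode-policy configuration profile and test passcodes against it.

Added example, not Vodafone's code. The payload type and keys are Apple's
documented ones; the groups, values and helper names are constructed.
"""
import plistlib
import uuid

# Constructed per-group settings; an MDM would take these from its admin
# console or map them from the user's LDAP group membership.
GROUP_POLICIES = {
    "finance": {"minLength": 8, "requireAlphanumeric": True,
                "minComplexChars": 1, "maxFailedAttempts": 6},
    "sales":   {"minLength": 6, "requireAlphanumeric": False,
                "minComplexChars": 0, "maxFailedAttempts": 10},
}

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def build_passcode_profile(group, org="Example Corp"):
    """Return an XML-plist configuration profile (bytes) for one group."""
    policy = GROUP_POLICIES[group]
    payload = {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.passcode.{group}",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Passcode policy ({group})",
        "forcePIN": True,                    # a passcode is mandatory
        "allowSimple": False,                # reject 1111, 1234, ...
        "minLength": policy["minLength"],
        "requireAlphanumeric": policy["requireAlphanumeric"],
        "minComplexChars": policy["minComplexChars"],
        "maxFailedAttempts": policy["maxFailedAttempts"],  # wipe after this many failures
        "maxInactivity": 5,                  # minutes before the lock engages
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.{group}",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} iPhone policy",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def passcode_payload(profile_bytes):
    """Parse a profile and return its passcode-policy payload dictionary."""
    profile = plistlib.loads(profile_bytes)
    return next(p for p in profile["PayloadContent"]
                if p["PayloadType"] == PASSCODE_PAYLOAD)


def _is_simple(passcode):
    """Simple passcodes: a single repeated character or a digit run (1234, 4321)."""
    if len(set(passcode)) == 1:
        return True
    if passcode.isdigit():
        steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
        return steps in ({1}, {-1})
    return False


def passcode_meets_policy(passcode, profile_bytes):
    """Apply the profile's passcode rules to a candidate passcode."""
    policy = passcode_payload(profile_bytes)
    if len(passcode) < policy["minLength"]:
        return False
    has_alpha = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy["requireAlphanumeric"] and not (has_alpha and has_digit):
        return False
    complex_chars = sum(1 for c in passcode if not c.isalnum())
    if complex_chars < policy["minComplexChars"]:
        return False
    if not policy["allowSimple"] and _is_simple(passcode):
        return False
    return True


if __name__ == "__main__":
    finance = build_passcode_profile("finance")
    print(finance.decode())
    for candidate in ("Summer2024!", "password", "12345678"):
        print(candidate, passcode_meets_policy(candidate, finance))
```

In a real deployment the profile bytes would be signed (and, when delivered over SCEP-enrolled certificates, encrypted) before being pushed, which is what stops a user from editing or removing the policy once installed.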

While email is not the sole repository for corporate data, ensuring that the email system is secured is still critically important. To accomplish this, Vodafone Device Manager places access controls into the ActiveSync email environment. These controls ensure that if a user does not periodically launch the Vodafone Device Manager client, the user will automatically be disconnected from email.

Specifically, the Vodafone Device Manager can:

• Provide visibility of all devices connecting to ActiveSync

• Prevent unregistered / unmanaged devices from connecting to ActiveSync

• Prevent devices that have not connected to Vodafone Device Manager or launched the Device Manager application in a specified period of time from connecting to ActiveSync

• Prevent devices that have not received the latest policy within a specified period of time from connecting to ActiveSync

• Detect and report what OS an iPhone is running; if the iPhone is not running a minimum iPhone OS, then the phone can automatically be disconnected from ActiveSync

• Detect the platform type of a device and, if the platform does not support full disk encryption (e.g. iPhone 3GS), disconnect it from ActiveSync

• Detect if an iPhone has been modified through multiple signature-based methods; if the iPhone is modified, optionally disconnect it from ActiveSync.

How often these assessments take place (e.g. once a day, once a week, etc.) is administratively definable.
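The ActiveSync access controls listed above amount to a compliance evaluation run over the device inventory, with the result feeding the gateway's list of allowed devices. The following is an added example, not Vodafone's code, that models that evaluation: constructed inventory records (as a management client might report them) are checked for check-in age, policy version, minimum OS version, encryption-capable model and modification status, and a gateway decision function denies unenrolled devices outright. The record layout, thresholds, model list and the names POLICY, INVENTORY, compliance_failures, allowed_devices and sentry_decision are all constructed for illustration.

```python
"""Gate ActiveSync access on device compliance, as the paper's access controls describe.

Added example, not Vodafone's code. Record layout, thresholds, model list and
the inventory records are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the evaluation is reproducible (constructed).
NOW = datetime(2010, 9, 1, 9, 0, tzinfo=timezone.utc)

# Administrator-defined access policy (constructed thresholds).
POLICY = {
    "max_checkin_age": timedelta(days=7),        # client must have checked in within a week
    "current_policy_version": 12,                # devices must hold the latest pushed policy
    "min_os": (4, 0),                            # minimum iPhone OS / iOS version
    "encryption_capable_models": {"iPhone 4"},   # constructed list of models allowed to hold data
    "block_modified": True,                      # refuse modified (jailbroken) devices
}

# Inventory as reported by the on-device management client (constructed records).
INVENTORY = {
    "DEV-001": {"user": "alice", "model": "iPhone 4",  "os": "4.0.2",
                "last_checkin": NOW - timedelta(hours=6), "policy_version": 12, "modified": False},
    "DEV-002": {"user": "bob",   "model": "iPhone 4",  "os": "3.1.3",
                "last_checkin": NOW - timedelta(days=1),  "policy_version": 12, "modified": False},
    "DEV-003": {"user": "carol", "model": "iPhone 3G", "os": "4.0.2",
                "last_checkin": NOW - timedelta(days=2),  "policy_version": 12, "modified": False},
    "DEV-004": {"user": "dave",  "model": "iPhone 4",  "os": "4.0.2",
                "last_checkin": NOW - timedelta(days=10), "policy_version": 11, "modified": False},
    "DEV-005": {"user": "eve",   "model": "iPhone 4",  "os": "4.0.2",
                "last_checkin": NOW - timedelta(hours=1), "policy_version": 12, "modified": True},
}


def parse_version(text):
    """'4.0.2' -> (4, 0, 2); tuples compare component-wise, so (3, 1, 3) < (4, 0)."""
    return tuple(int(part) for part in text.split("."))


def compliance_failures(record, policy, now):
    """Return the list of checks a device fails; an empty list means compliant."""
    failures = []
    if now - record["last_checkin"] > policy["max_checkin_age"]:
        failures.append("client has not checked in recently")
    if record["policy_version"] < policy["current_policy_version"]:
        failures.append("latest policy not received")
    if parse_version(record["os"]) < policy["min_os"]:
        failures.append("OS below minimum version")
    if record["model"] not in policy["encryption_capable_models"]:
        failures.append("model does not support device encryption")
    if policy["block_modified"] and record["modified"]:
        failures.append("device has been modified")
    return failures


def allowed_devices(inventory, policy, now):
    """The gateway's allowed-devices list: enrolled devices passing every check."""
    return {dev for dev, rec in inventory.items()
            if not compliance_failures(rec, policy, now)}


def sentry_decision(device_id, inventory, policy, now):
    """Decide one connection attempt: (allowed, reasons). Unenrolled devices are denied."""
    record = inventory.get(device_id)
    if record is None:
        return False, ["device not enrolled"]
    failures = compliance_failures(record, policy, now)
    return not failures, failures


if __name__ == "__main__":
    for dev in list(INVENTORY) + ["DEV-999"]:
        ok, why = sentry_decision(dev, INVENTORY, POLICY, NOW)
        print(dev, "ALLOW" if ok else "DENY", "; ".join(why))
```

Re-running allowed_devices on the administrator's schedule (daily, weekly) is what keeps the list current; a device that stops checking in or falls behind on policy drops off the list at the next evaluation, and the reasons returned are what an administrator would want logged for follow-up with the user.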


4. Maintain a detailed, central inventory

Once users begin enrolling on the system, it is important to know what iPhones exist, who they are associated with, and whether they are owned by the user or the enterprise. Additional useful information available includes phone number, serial number, etc. As they look to keep an accurate device inventory, IT must decide:

• How to record and track inventory information

• How to keep up with the ever-increasing number of devices in the organisation

• How to ensure that the information is kept up to date over time.

Further, visibility into the ActiveSync environment is also crucial to the success of any iPhone deployment.

Device Visibility Features

The Device Manager platform can easily provide visibility into the managed devices connecting into the organisation, including iPhones, by means of the Device Manager client.

The Device Manager client gathers detailed information about an individual device and reports it back to the Device Manager platform. In the case of the iPhone, reported data includes device ID, platform type (e.g. iPhone, 3G, 3GS, 4), and OS type (e.g. iPhone OS 3.0, 3.1 or iOS 4).

This information can be used to answer simple questions like “How many devices are in my organisation?” and “What is the breakdown of iPhones versus other devices?” The information can also be used to help manage policies, such as mandating that iPhone operating systems be kept up to date.

Vodafone’s Device Manager also provides visibility of enterprise devices connecting into the ActiveSync environment. The Vodafone Device Manager Sentry acts as a gateway, only allowing authorised devices to connect to ActiveSync. The Sentry functionality lets organisations see which devices have connected to corporate email, including those that may have bypassed security policies such as the mandate that devices be registered with a device management system. The Sentry acts as an ActiveSync proxy: device clients connect to the Sentry, which relays email traffic to the ActiveSync server. This method will work for:

• On-premise solutions, such as Microsoft Exchange, Lotus Notes and Novell GroupWise

• Cloud-based email environments, such as Gmail and Microsoft Hosted Exchange Services, where functions such as direct query of the mail server and remote wipe may not be readily available.

5. Provide access control over iPhones connecting through ActiveSync

We believe customers should have the best possible email experience. To achieve this, they should use the iPhone’s native ActiveSync email client, which delivers email to the device in real time as it is received. With ActiveSync becoming a de facto standard for push email and PIM (Personal Information Manager) and with an increasing number of devices supporting it, IT must prioritise native ActiveSync security and management instead of investing in email point-products.

Vodafone Device Manager ActiveSync Management Capabilities

The Sentry changes the ActiveSync email model from one where any device can connect, to one where enterprise IT can manage the influx of devices entering the network.

With the Sentry, enterprises can ensure that only registered devices are allowed to connect to corporate email. This means that organisations are able to properly provision, secure, and manage a device before the device begins downloading corporate email. The Device Manager platform can also set policies to limit the number of devices connecting to ActiveSync. This helps to prevent numerous devices from accessing corporate email simultaneously and limits exposure to risk for the organisation.

Vodafone Device Manager Security Features for iPhone

Once devices are provisioned, it is important to determine if they meet the correct requirements to connect to corporate email. The platform can detect whether iPhones have been modified. Modified iPhones should be disconnected from enterprise email in order to protect corporate data. Upon detecting a modified iPhone, the Device Manager platform can notify administrators to take action, and also disconnect the phone from corporate email. This method helps to ensure that phones that pose a high security risk don’t connect to the organisation.

Organisations should also ensure that their user base runs the latest iPhone OS software. Apple continually releases updates to the iPhone that enhance both the user experience as well as the security of the device. Through the Device Manager platform, IT administrators can detect if users have not upgraded their iPhone, and then prompt those users to upgrade. Administrators can also use the Sentry to require that users run the latest iPhone OS software from Apple before connecting to corporate resources.

Finally, the Device Manager platform can use its inventory capabilities to set policies that allow only specific iPhone models to connect to corporate email. This access control helps enterprise IT enforce policies that mandate full device encryption to protect all corporate data on the device, including email, application data, and any corporate information in the browser cache. Furthermore, the use of signed configuration profiles distributed by the device management platform enforces the requirement that all iTunes backups be password protected and encrypted.

[Figure: Sentry access-control flow. Steps recovered from the diagram: 1. User attempts to access corporate email; 2. Request denied, device not in Allowed List for ActiveSync; 3. User enrols iPhone; 4. Is phone in compliance? YES; 5. Vodafone updates Allowed Devices List for ActiveSync; 6. User attempts to access corporate email; 7. Request allowed. Components shown: Sentry, ActiveSync Email.]


6. Secure lost, stolen, or retired iPhones through full and selective wipe

A user may misplace or lose their phone, so protection of data is vital. In other cases, an employee may leave the company with a personal iPhone that had been connected to the corporate network. With the multitude of situations that IT may have to contend with, it is important for IT to have the right tools to remove confidential information from a device for a given situation.

Securing Lost, Stolen, or Retired iPhones

If a device is lost or stolen, it is important to be able to wipe the device of all corporate information and restore it to factory defaults. The Device Manager platform can easily identify an individual iPhone and push a remote wipe command to the phone. This command causes the device to remove all information and essentially returns the device to the state it came in when it left the factory. This approach to wiping corporate information is critically important; as mentioned earlier, corporate data can exist in many places throughout the phone.

While many use cases are served by fully wiping an iPhone, Vodafone recognises that a “one-size-fits-all” approach may not exist. In some cases, for instance when an employee leaves the company, the IT department may want to focus on removing email from the device instead of wiping out personal information, like music or pictures of the employee’s family. The ActiveSync mailbox on an iPhone can be reset, which removes all of the email from the device. After this command is issued, the phone is blocked from accessing the ActiveSync server to ensure that email cannot be downloaded again to the device. This allows IT to begin drawing an enterprise data boundary between corporate and personal information on the phone.

7. Bring iPhones under IT management

There are generally two approaches when it comes to connecting smartphones to enterprise management systems, and our solution supports both.

• IT should act as the gatekeeper for smartphones connecting to the enterprise by enrolling devices for users.

• End-users should enrol their devices themselves via a simple process, to help unburden the IT staff.

With Vodafone Device Manager for iPhone, administrators define by group or individual user what rights should be assigned, including the ability to enrol phones. Vodafone recognises that not all users will provision themselves or that IT may want to control the process. Therefore, the Vodafone Device Manager Admin Portal enables IT to enrol phones on behalf of end users, either individually or by importing information for multiple users and phones.

Regardless of the method used, both enrolment and provisioning are handled over-the-air, eliminating the requirement for IT to physically touch each device.

8. Option to administer centrally for consistent multi-country deployments

Many large enterprises operate with regional if not globally centralised IT functions. It is important to be able to apply and enforce policies and applications recommendations regardless of country boundary. This reduces the cost of management and delivers consistency of policy to different user groups.

Vodafone Device Manager for iPhone can be deployed either hosted on your premises or in the cloud. It operates independently of the country in which the iPhone is used and can even control devices outside the extensive Vodafone network. This provides consistency, lower operational resource requirements and centralised reporting.

Summary

Organisations across virtually every industry have found iPhones gaining traction among their employees.

While iPhones have certainly served as the catalyst for broadening the set of supported mobile devices in the enterprise, users will quickly bring in other platforms. Whatever strategy your enterprise adopts, all existing smartphone platforms should be manageable. Without automated tools, any smartphone deployment, including iPhones, will become difficult to support.

Vodafone Global Enterprise provides the broadest set of best-of-breed tools for organisations to deploy iPhones with confidence across the globe and independent of the current carrier or provider.


www.vodafone.com/globalenterprise

Vodafone Group 2010. This document is issued by Vodafone in confidence and is not to be reproduced in whole or in part without the prior written permission of Vodafone. Vodafone and the Vodafone logos are trademarks of the Vodafone Group. Other product and company names mentioned herein may be the trademarks of their respective owners. The information contained in this publication is correct at time of going to print. Such information may be subject to change, and services may be modified supplemented or withdrawn by Vodafone without prior notice. All services are subject to terms and conditions, copies of which may be obtained on request.