Deep Dive

Mobile Device Management
HOW TO NAVIGATE THE EVER-CHANGING MOBILE DEVICE LANDSCAPE

INSIDE

STRATEGY
Mobile management's landscape 2
The new app management tools 6
Buckle up, here comes the hard part of mobile 10
Don't overdo mobile management 13

HANDS ON
Mobile security: iOS vs Android vs BlackBerry vs Windows Phone 16
Mobile management, OS by OS 20
Say yes to (almost) any device 24

Copyright InfoWorld Media Group. All rights reserved.

MOBILE DEVICE MANAGEMENT | InfoWorld.com | DEEP DIVE SERIES

Deep Dive
MOBILE STRATEGY

Mobile management's landscape
Devices, apps, and information are the interrelated concerns to address
GALEN GRUMAN

Smartphones, tablets, social networks, and cloud services are all popular, incredibly useful, and a security risk. These days, the security focus is on mobile devices, as they tend to be used a lot to work with corporate information, but the variety of platforms, the fact many are employee-owned, and uneven security capabilities all add up to a real, sometimes impossible, challenge to manage them in the same way as the corporate PC.

The issue is not so much hacking; outside of malware easily available in the Google Play market for Android, mobile devices are safer than PCs from hackers. Instead, the issue is inappropriate information usage, where employees inadvertently spill the beans about contacts, embarrass people, violate any number of privacy regulations, and neglect compliance obligations. Most people do it by mistake, while some people do it deliberately; what matters is that they do it.

That puts organizations in an uncomfortable position. Survey after survey shows that technologically empowered users are happier and more productive, so businesses want to tap into that benefit. But they also have to safeguard their secrets and comply with regulations. The good news is that although the methods and tools are still new, there are known, proven approaches to reducing those risks without disabling the benefit of consumerization.

For mobile devices, these tools fall into several broad categories: data loss prevention, mobile device management, and mobile application management. This guide walks you through each category and explains the key issues and providers.

Data loss prevention

Many organizations have already invested millions of dollars in data loss prevention (DLP) tools, which classify data access rights through text analysis and metatagging, then monitor information flow (such as contents in email) to look for problematic data types, for example, Social Security numbers or files tagged as corporate secrets. DLP tools are usually set to alert IT or users to possible issues, but can also be programmed to block information first and ask questions later.

DLP tools require effort in creating the information policy rules (usually associated with user roles), then tagging information across the enterprise, and DLP requires shunting all information flow through DLP servers to ensure it is analyzed.

DLP tools are not new, but their use in mobile information flow is. There are several approaches to mobile DLP:

• Routing all mobile traffic through a corporate DLP server, as Symantec offers.
• Providing a mobile app for access to corporate information repositories such as SharePoint; that app honors the permissions set for files in those repositories. Citrix Zenprise offers such a tool for SharePoint, and of course many cloud storage providers (such as Accellion, Box, Dropbox, and YouSendIt) offer IT-manageable cloud storage services.
• Baking content management into apps themselves by adopting APIs from companies such as Citrix Systems, Good Technology, MobileIron, and SAP Sybase. A related technology area called mobile application management typically also reaches into content management.
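As an added illustration of the DLP mechanism described above, and not code from the article or from any vendor it names, the following Python sketch models a DLP server sitting in the outbound mail flow: it looks for Social Security numbers by pattern, checks attachment metadata for classification tags, and runs in either alert mode (deliver and raise an alert) or block mode (stop delivery). The organization domain (example.com), the tag names, and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Detector set (constructed): a US Social Security number pattern that rejects
# the area/group/serial values never issued, plus classification tags that mark
# a file as sensitive.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SENSITIVE_TAGS = {"corporate-secret", "pii"}

@dataclass
class Attachment:
    name: str
    tags: set          # classification metadata applied when the file was tagged

@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: list = field(default_factory=list)

def is_external(address: str) -> bool:
    # Assumption for the example: the organization's mail domain is example.com.
    return not address.lower().endswith("@example.com")

def find_violations(msg: Message) -> list:
    """Return (rule, detail) findings for sensitive content leaving the organization."""
    findings = []
    if not is_external(msg.recipient):
        return findings                      # internal mail is not inspected in this model
    for m in SSN_RE.finditer(msg.body):
        # Report only the last four digits so the alert itself does not leak the value.
        findings.append(("ssn-in-body", m.group()[-4:].rjust(11, "*")))
    for a in msg.attachments:
        hit = a.tags & SENSITIVE_TAGS
        if hit:
            findings.append(("tagged-attachment", f"{a.name}:{','.join(sorted(hit))}"))
    return findings

def enforce(msg: Message, mode: str = "alert") -> dict:
    """mode='alert' delivers and alerts IT; mode='block' holds the message."""
    findings = find_violations(msg)
    if not findings:
        return {"action": "deliver", "findings": []}
    action = "block" if mode == "block" else "deliver+alert"
    return {"action": action, "findings": findings}

if __name__ == "__main__":
    # Constructed sample: an internal note and an outbound message with both hits.
    internal = Message("a@example.com", "b@example.com", "SSN 123-45-6789", [])
    outbound = Message("a@example.com", "x@partner.test",
                       "SSN 123-45-6789 attached",
                       [Attachment("q3.xlsx", {"corporate-secret"})])
    print(enforce(internal))           # {'action': 'deliver', 'findings': []}
    print(enforce(outbound, "block"))  # action 'block' with two findings
```

The alert-versus-block switch is the policy decision the text mentions; keeping the SSN masked in the finding matters because alert traffic is itself an information flow that ends up in ticketing systems.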

Major vendors for key mobile management needs

DATA LOSS PREVENTION
  Traffic monitoring: InterGuard Software, Symantec
  Managed online storage: Accellion, Box, Citrix Systems, Dropbox, YouSendIt

DEVICE MANAGEMENT
  AirWatch, BlackBerry, BoxTone, Centrify, Citrix Systems, Fiberlink, Good Technology, Intel McAfee, Microsoft, MobileIron, SAP Sybase, Symantec, Tangoe, Wyse Trellia

APPLICATION MANAGEMENT
  App distribution: Apperian, App47, Apple, Citrix Systems, Good Technology, MobileIron, Odyssey Software (Symantec), SAP Sybase
  Secure app development and management: AppCentral, Good Technology, MobileIron, SAP Sybase, Veracode, Verivo
  App content management: AppCentral, Good Technology, MobileIron, Mocana, Symantec Nukona
  Secure app containers: Antenna Software, BlackBerry, Cellrox, Enterproid, Fixmo, NitroDesk, Open Kernel Labs, Partnerpedia

Mobile device management

If 2010 was the year that the bring-your-own-device (BYOD) phenomenon became legitimate, 2011 was the year that mobile device management (MDM) tools were accepted as a way to allow safe BYOD. It's no surprise that dozens of vendors now offer MDM tools.

Today, MDM tools are deployed in financial services, defense, government, and medical environments, the very industries most concerned about information security. But MDM is not new; enterprises have been using it for years in the form of the BlackBerry Enterprise Server (BES) to manage the access rights and device permissions of BlackBerry messaging devices. Microsoft Exchange, the most-used email server, also supports a modest set of policies through its Exchange ActiveSync (EAS) protocol.

EAS policies can require a device be encrypted, have a complex password, or disable its camera. IT manages those policies in Exchange or the corporate version of Google Apps; the same capabilities are also available in Microsoft's System Center 2012. That email server ties into a corporate identity server (usually Microsoft's Active Directory) to determine which policies apply to which user. If a device doesn't comply with the rules associated with its user, that device is denied some or all access. These servers also let IT remotely lock or wipe the contents of a lost or stolen device.

Apple's iOS, the defunct Windows Mobile, some versions of Google's Android, and some versions of Nokia's defunct Symbian mobile platforms support a substantial number of EAS policies, as does Microsoft's Outlook email client for Windows PCs and Macs and Apple's Mail client for Mac OS X. By contrast, Microsoft's Windows Phone 8 and newer versions of Google's Android support a very limited set of EAS policies. (BlackBerry devices work with the BES product and, via connectors, to a lesser extent with Microsoft Exchange and Google Apps. BlackBerry 10 devices also support EAS.)

Most MDM vendors' products go beyond what Exchange and other email servers provide, adding access to non-EAS policies that a mobile operating system might support. For example, Apple's iOS has a policy that lets IT disable its iCloud file-syncing service.
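The compliance gate the preceding paragraphs describe (policies tied to a user's directory role, a non-compliant device denied some or all access) can be modelled in a few lines. This is an added example in Python, not code from the article or from Exchange, System Center, or any MDM product; the role names, the policy table, and the split between hard failures (access denied) and soft failures (access limited) are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceState:
    """What an EAS-style check can learn about a device (constructed field set)."""
    platform: str
    encrypted: bool
    passcode_length: int
    passcode_complex: bool
    camera_disabled: bool
    jailbroken: bool

# Hypothetical role-to-policy table, keyed by directory group name. The
# policy keys mirror the EAS capabilities the text lists: encryption,
# passcode strength, camera.
ROLE_POLICIES = {
    "staff":   {"require_encryption": True, "min_passcode": 6,
                "complex_passcode": False, "disable_camera": False},
    "finance": {"require_encryption": True, "min_passcode": 8,
                "complex_passcode": True, "disable_camera": True},
}

# Failures after which the device is trusted with no corporate data at all
# (assumption for this example); every other failure only limits access.
HARD_FAILURES = {"jailbroken", "require_encryption"}

def evaluate_device(dev: DeviceState, role: str):
    """Return (access_level, failures) for a device used by someone in `role`.

    access_level is 'full', 'limited' (for instance mail only) or 'denied'.
    """
    policy = ROLE_POLICIES[role]
    failures = []
    if dev.jailbroken:
        failures.append("jailbroken")
    if policy["require_encryption"] and not dev.encrypted:
        failures.append("require_encryption")
    if dev.passcode_length < policy["min_passcode"]:
        failures.append("min_passcode")
    if policy["complex_passcode"] and not dev.passcode_complex:
        failures.append("complex_passcode")
    if policy["disable_camera"] and not dev.camera_disabled:
        failures.append("disable_camera")

    if any(f in HARD_FAILURES for f in failures):
        access = "denied"
    elif failures:
        access = "limited"
    else:
        access = "full"
    return access, failures

if __name__ == "__main__":
    # Constructed sample: an encrypted iPhone with a simple six-digit passcode.
    phone = DeviceState("ios", True, 6, False, False, False)
    print(evaluate_device(phone, "staff"))    # ('full', [])
    print(evaluate_device(phone, "finance"))  # ('limited', ['min_passcode', 'complex_passcode', 'disable_camera'])
```

The same device passes for one role and is limited for another, which is the point of tying policy to the identity server rather than to the device: the rules follow the person, and the device only has to prove its current state.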


Some MDM vendors go further than exploiting the extra policies in various mobile platforms, such as to detect a modified (jailbroken) version of the operating system. To do so, users run their mobile app and the applications within it. Anything in that app container can have all that MDM vendor's special policies applied, giving IT a safe zone on a user's device. (These apps can be set to not share information outside the safe zone, essentially separating the corporate information from the rest of the device.) Some MDM vendors also provide capabilities to enable help desk support for mobile users and to control telecom spend, such as to alert employees when they are roaming internationally.

The challenge for MDM vendors and IT alike is that because different mobile platforms have different capabilities, it's impossible to have a uniform management approach to all devices. The MDM vendors handle the hard work of keeping up with all the platforms' capabilities as they change, but IT still has to face the reality that it may need to be somewhat flexible in its policy requirements to support at least the most popular business-class devices. There's the wrinkle that comes with supporting iOS devices: Apple requires businesses to get their own Apple Push Notification Service (APNS) credential from Apple to enable MDM management; this certificate gives the MDM tool permission to access iOS devices through Apple's notification servers on your behalf.

A related approach is to use network access controllers to detect mobile access and apply user policies to that access; for example, F5 Networks has partnered with several MDM firms (AirWatch, MobileIron, SilverbackMDM, and Citrix Systems) to let their respective management tools work together. Aruba Networks offers a mobile-device-savvy, network-controller-based access manager that monitors device access and can apply policies to it.

Mobile application management

The least established area for controlling mobile information access is mobile application management (MAM), which currently encompasses several types of services:

• App distribution, such as through corporate app stores. These typically focus on managing distribution of and permission for homegrown Web and native apps, but can also provide users links to recommended apps in public app stores. Some can also manage native iOS apps created by the business for internal use.
• Secure app development, to add security and permissions control for homegrown apps' content and access to corporate network resources. There's typically a management console allowing IT to act on those embedded controls.
• App content management, such as to restrict apps' abilities to share authorized content with other apps. These too are focused on homegrown apps, though in some cases can also be used by commercial app developers with a management tool. Two vendors in this category, Mocana and Symantec (through its acquisition of Nukona), take an unusual approach of wrapping permissions around apps, rather than requiring the app's internal code to implement policies; it's sort of a DLP wrapper. The other providers rely on policies being specified within the app's code.
• Secure app containers, which create a separate partition, app container, or virtual machine to segregate at least some corporate apps and data from personal apps and data. This approach allows freer use of content across apps in a container than techniques that secure data within just specific apps. This approach differs from the use of virtual desktop infrastructure (VDI) to present a remote application in a window; such applications (Citrix Receiver and VMware View are examples) have little to no access to information or capabilities on the mobile device itself, beyond keyboard and emulated mouse access. A related approach is to create separate partitions on the mobile device, one for personal apps and data, and the other for IT-managed business apps and data.

The difficulty in current MAM approaches is that they're usually application-specific. That favors their use for apps developed in-house, but a variety of vendors are working with commercial developers to embed their technology. Over time we may see more user-installed apps supporting such app and content management capabilities, for access via an MDM or other tool the business has in place or can connect to. But commercial developers still need to pick one API and thus one vendor, or use multiple APIs in their apps, with the complexity that brings.

What's really needed, of course, is a common set of content management APIs that all apps can use with any management tool, analogous to the all-but-standard Microsoft EAS protocol in device management today. As in the case of EAS, vendors could augment the core policies with enhancements for specialty application needs, and commercial developers could decide when to use these extended capabilities, such as to reach high-security markets.
Galen Gruman is an InfoWorld executive editor
and its Mobile Edge blogger.

MOBILE STRATEGY

The new app management tools
As IT concerns shift from devices to apps, policy-based products emerge
GALEN GRUMAN

IT concerns are fast moving from mobile device management (MDM) to mobile application management (MAM) as part of a shift in thinking from whether to allow mobile devices in to how to best take advantage of them. At IT conferences, I hear more and more questions about how to manage those applications. For organizations used to controlling the software on a user's PC via tools such as IBM's Tivoli and Microsoft's SMS, the iPhones, iPads, and Androids now becoming commonplace herald a Wild West environment.

The heterogeneity of those devices is daunting enough; most desktop application management tools can't even do a decent job of handling Mac OS X applications, so no one expects them to go near the mobile devices. But mobile OSes veer even more dramatically from the desktop, making app management less suitable for IT's traditional approach. The use of app stores means IT isn't the central distributor of apps in mobile, while the mix of HTML and native apps raises another level of complexity. Sure, IT can put together its own mobile app store, but it's often a glorified website or intranet site with links to approved or recommended apps, both internal and external.

Even as IT has given up the notion of ruling over mobile devices and instead has come to view them as a device jointly owned with the user, IT rightfully wants to manage the business-oriented apps on those devices. That way, when an employee leaves the company or a device is lost, the application and its data can be removed from the device. IT also rightfully wants to be able to manage updates and licenses, as well as track usage, especially in the messy context of apps used by employees, contractors, and business partners, in which even a control-oriented organization simply can't seize the traditional control over all the devices.

The first wave: Managing HTML app containers via policies

What's evolved in the device management space is a policy-oriented approach. In this scenario, a tool such as BlackBerry Enterprise Server (BES), Microsoft Exchange (via the Exchange ActiveSync protocol), or a third-party MDM utility, such as those from Good Technology, MobileIron, and Trellia, manages the data it provisions, including mail, contacts, and so on. It can also impose devicewide access policies, such as password requirements, remote lock, and more. Some of these tools can even manage applications they provision, essentially allowing or disallowing access, as well as pushing updates.

The same is beginning to happen in mobile application management.

One option is to go for the approach used by Antenna Software, whose Volt MAM essentially puts HTML5 apps in a virtual box on the iPhone or Android device. These apps can tap into devices' native capabilities through JavaScript API extensions from Apple, Google, and others, as well as via W3C-supported BONDI APIs. (Those extensions allow, for example, the capturing of signatures through a canvas tag or the generation of bar codes.) You develop these HTML5 apps in your IDE of choice (even a text editor), but you do have to use Antenna's APIs for the apps to work within the Volt client and be provisionable and manageable by the Antenna Mobile Platform (AMP) server.

From there, you can code installation profiles based on user policies such as roles. When a user logs into the (usually hosted) server, the apps tied to his or her profile are downloaded to the device. The server also pushes updates and gives IT a console for monitoring usage, changing application permissions, locking down data, and wiping apps when a user leaves the company or changes roles.

With these boxed apps, IT can control and monitor the apps in that box. The approach is very similar to how many MDM tools work, providing their own clients, managing the email, and so on, apart from the rest of the device; it's akin to the VDI approach used in Citrix Systems' Receiver app for mobile devices.

That box approach provides a clear separation between work and personal apps and data, but it's a bit heavy-handed, forcing users (in the case of Antenna's Volt) to open a container app to access business-provisioned HTML apps. That's acceptable for HTML apps, as users typically first launch a browser before running a Web app, and you can think of the Volt client as a browser for enterprise apps. Plus, IT directly controls those apps because they run on IT's servers just like a desktop Web app.

The enterprise-created HTML5 apps provisioned through Volt are kept in their own workspaces, so their data is encrypted and separated from the device's other info. Apple's iOS natively supports such encryption and separation, but Google's Android 2.x supports neither and Android 3.x and 4.x support just encryption. Because the enterprise HTML5 apps run within Volt, the AMP server can directly manage them, without affecting the device's other apps.

In the case of iOS, the AMP server can also manage native apps provisioned through AMP or through an MDM integrated with AMP. Likewise, an MDM tool that integrates with AMP can manage apps provisioned by AMP (HTML5 and native) or by the tool itself (native). Either way, the HTML5 apps provisioned through Volt work offline, syncing data when reconnected.

Theoretically, the Volt-provisioned HTML5 apps could be accessed as separate apps on an iOS device's home screen, rather than through Volt. They would still be secured and managed as an app bundle by AMP, but the user would not see that bundling. Some users like to view all their apps individually, while others like to group them; essentially, Volt forces them to be grouped. (Android doesn't support app bundles, so Volt-provisioned HTML5 apps must run within Volt on that platform.)

Antenna CTO Dan Zeck says that the company chose to run the Volt-provisioned apps on iOS devices from within the Volt app because IT customers wanted a visible separation of business and personal apps, both to increase IT's comfort level in the presence of the separation and to help users make the mental switch between private and work activities. But there's no technical reason the apps couldn't appear as individual home screen icons and maintain that behind-the-scenes secure separation in iOS, he notes. (BlackBerry OS 6, 7, and 10 also support such innate separation, though currently it works only with the most recent version of BlackBerry Enterprise Service and for just BES-provisioned apps.)

As is the case with MDM tools that support app provisioning, the AMP server can install and manage native iOS apps only if the enterprise has an enterprise SDK agreement with Apple. AMP then uses those credentials to install the apps directly, without going through the public App Store. This is an Apple requirement, meant to put enterprise apps through the same quality-control standards as any iOS app.

Other tools such as AppCentral offer similar capabilities. However, the combination of the Volt client and AMP hosted server appears to be more appropriate for enterprises, in terms of integration with policy servers such as LDAP, integration with MDM tools, and use of high-level encryption and authentication technologies. (AT&T uses AMP in its Workbench offering, but the Volt/AMP pairing is not limited to AT&T-connected devices, as Workbench is.)

The second wave: Managing native apps directly via policies

Though useful, the Antenna approach doesn't extend to native apps, which can't run inside another app or on IT's servers. That's where the AppCentral and AppGuard services come in. The company AppCentral (formerly named Ondeego) has released iOS and Android versions of its MAM technology that take a different approach to mobile application management and distribution, one that appears very well suited to native apps.

In a nutshell, with the AppGuard part of the service, you add code to your iOS and Android apps that uses AppCentral's policy APIs and provides a listener function. The APIs let the app communicate with an AppCentral server as to policies for that app and/or user, such as restricting usage to specific Wi-Fi access points (a common requirement in health care) or zeroing out the app and its data if the user's permissions are revoked (such as when a contractor's gig is completed).

The listener function monitors activities such as an app launching or coming to the foreground (suggesting it's in active use), so it can then check the current device and application state against the policies. The listener function also communicates app status and activity back to the server, not entire device status, which may allay concerns from employees, contractors, and business partners over how invasive your management may be.

What's key is that the management is embedded in the app, so you don't have to manage the device itself. Thus, you should be able to extend legitimate application management to a greater number of users than the universe of devices you actually manage.
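The app-embedded listener pattern just described can be sketched in a few dozen lines. This is an added example in Python (a real implementation would be in the app's own language), not code from the article or from AppCentral; the policy fields (an allowed Wi-Fi list and an entitlement flag), the event names, and the sample SSIDs are constructed for the example.

```python
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AppPolicy:
    """Policy the app fetches from its management server (constructed fields)."""
    allowed_ssids: frozenset   # empty means no Wi-Fi restriction
    entitled: bool             # False once the user's permission is revoked

@dataclass
class ManagedApp:
    """An app with management embedded in it, in the style the text describes."""
    app_id: str
    local_data: dict = field(default_factory=dict)
    status: str = "installed"
    reported: list = field(default_factory=list)

    def on_lifecycle_event(self, event: str, current_ssid: str, policy: AppPolicy) -> str:
        """Listener hook the app calls on launch or foreground.

        Checks the current state against the policy and returns the action
        taken: 'allow', 'lock' (use outside the permitted Wi-Fi networks) or
        'wipe' (entitlement revoked, so the app zeroes its own data).
        """
        if event not in ("launch", "foreground"):
            return "ignored"
        if not policy.entitled:
            self.local_data.clear()          # zero out only this app's data
            self.status = "wiped"
            action = "wipe"
        elif policy.allowed_ssids and current_ssid not in policy.allowed_ssids:
            self.status = "locked"           # keep data, refuse to open the UI
            action = "lock"
        else:
            self.status = "active"
            action = "allow"
        # Only app-scoped facts are recorded; no device inventory leaves the phone.
        self.reported.append({"app": self.app_id, "event": event, "action": action})
        return action

    def status_report(self) -> str:
        """Serialized report sent back to the management server."""
        return json.dumps({"app": self.app_id, "status": self.status,
                           "events": self.reported})

if __name__ == "__main__":
    # Constructed sample: a clinic app limited to the clinic's Wi-Fi.
    policy = AppPolicy(frozenset({"clinic-wifi"}), entitled=True)
    app = ManagedApp("ehr-viewer", {"cache": "patient list"})
    print(app.on_lifecycle_event("launch", "clinic-wifi", policy))      # allow
    print(app.on_lifecycle_event("foreground", "coffee-shop", policy))  # lock
    print(app.status_report())
```

The distinction between lock and wipe is deliberate: a lock is recoverable once the user is back on an approved network, while a wipe is the response to a revoked entitlement, and the report contains nothing about the rest of the device.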
Apple has blessed AppCentral's technology, so iOS developers need not worry about their apps being rejected due to use of non-Apple APIs. In the Android world, there is no such approval concern, of course. And in the Android world, IT can wrap someone else's app with the AppGuard technology, to produce an IT-manageable and -monitorable version.

The AppCentral tool provides the provisioning of the apps, including licensing management and distribution of third-party titles, a big challenge in the mobile space, especially with iOS apps where Apple allows enterprises to directly distribute their own programs and requires all third-party apps to be distributed through the App Store. There are also challenges in both iOS and Android in bulk licensing, given the pay-per-user model of the Apple App Store and Android's Google Play market; you can buy multiple licenses and issue redemption codes to users so that they're not billed, but that's not a terribly efficient mechanism for a large organization. AppCentral has some capabilities here, though the issue is a complex one, and IT's and mobile OS vendors' interests may not fully align.

The new MAM shows IT is adjusting to the new consumerized reality

We're still in early days when it comes to mobile management. In the last two years there's been a mini gold rush in the MDM space, with dozens of vendors joining the fray. In the last year, the MDM concept has taken hold in the enterprise, allowing even highly regulated companies to support iPhones, iPads, and Androids, unimaginable in 2009.

MAM is next. IT worrywarts are shifting their hand-wringing from devices to applications, some for legitimate purposes, some as a new objection to raise. I fully expect that companies like Antenna, AppCentral, Mocana, and Symantec will lead the charge to resolving legitimate application management needs as Good, MobileIron, and Sybase did in the MDM space.

Even better, approaches like AppCentral's that move away from the heavy hand of total control to the nuanced approach of specific control indicate that IT is adjusting to the emerging consumerized IT-driven shared model of business technology, where users, IT, and third-party providers are all part owners and thus part managers. That approach requires a shift to more granular management and policy-based management. The tools to support that new reality are emerging.

The fretting over mobile app management can now stop

A few years ago, CIOs commonly said they wouldn't support iPhones or bring-your-own-device policies due to security and management concerns. Today, that viewpoint is passé, thanks to both the push from users and the release of IT-oriented management tools for iOS and Android devices. As device management concerns have faded, I've heard app management concerns take their place in both private conversations and at IT conferences.

Those app management fears can dissipate, too. Organizations can continue to use the simple solution of provisioning apps directly from a secured website or by emailing users the links, the only real option for iOS devices until last fall. And now those organizations that need or want to manage applications more directly, with the same level of control, security, and compliance monitoring they enjoy on the desktop, have tools to move up to that level.

What is great to see in all this is an approach that gives IT control without unduly confining users. As mobile devices move quickly to being dual-purpose personal/business implements, tools such as Volt let the two usage aspects coexist nicely. Users aren't forced to work with locked-down smartphones and tablets, and IT isn't forced to accept free-for-all devices. Everyone wins.

MOBILE STRATEGY

Buckle up, here comes the hard part of mobile
As IT goes beyond knee-jerk reactions to BYOD and mobile management, tricky questions remain
GALEN GRUMAN

At most businesses, it's now an accepted fact that at least some employees use personal smartphones and tablets for at least some work purposes or use work-provisioned mobile devices for at least some personal purposes. Just as the separation between work hours and personal hours has disappeared for whole swaths of worker roles, so too is the line between work and personal devices and, more important, work and personal information for many information workers.

This intermingling raises questions in areas for which there are no easy answers. The methods for the first line of security and information management were easy: a mobile device management strategy coupled with a role-based policy on who pays for and owns what. Although the next set of issues have no set answers, it is time for IT, business managers, and employees to start thinking about them.

I was reminded of these tricky issues in preparing a panel on device heterogeneity for a recent CIO Global Forum and in subsequent discussions with CIOs in multiple industries at this invitation-only event where I've been a regular part of the moderator team. These smart CIOs are way beyond the "should we?" phase and are now dealing with these messier questions.

Managing information access

When people first started bringing iPhones to work, many IT organizations freaked out over allowing a new conduit to corporate data, with fears of lost smartphones compromising corporate secrets. If you check the national database of reported privacy breaches (a decent benchmark for breaches of all sorts), you'll see this fear has not been proven. But the fact that mobile devices have not led to a mass loss of corporate information does not mean businesses shouldn't be concerned about information leakage. They should, no matter what device employees use.

In mobile management circles, you'll hear lots of talk about mobile information management, but there really is no good way to walk that talk. The reason: Information privileges are not embedded with the information itself. Plus, applications have no way of knowing, much less honoring, what those permissions are even if the data carried those rights details.

Yes, there are products that let you embed rights management into a custom app, as well as some information access apps that provide an IT-managed container. But they don't allow users to work on the information; most are read-only and/or require a live Internet connection for what is essentially remote access to the data. Even those that allow users to do real work can work only on a small subset of files on a subset of devices. It's not a scalable approach.

Operating systems vendors, app vendors, development tool vendors, and management tools vendors need to get together to figure out a common protocol to enable true information management, as Microsoft's Exchange ActiveSync protocol and the API extensions from Apple and other vendors have largely done for device management.

In the meantime, all you have to work with is the notion of determining who you trust and when, along with managing initial information access accordingly. Intel has a good model for approaching the information management question, one based on access privileges to keep information away from unsecured environments in the first place.

Wiping devices


When BlackBerrys ruled enterprise mobile, one key capability that set businesses at ease was the ability to remotely wipe a lost or stolen device, if it was managed by BlackBerry Enterprise Server (BES). iOS added support for remote wipe in 2010, using Microsoft Exchange's native EAS protocol, with both Android and Windows Phone following in 2011. BlackBerry 10 also supports remote wipe via EAS, so you don't need to have BES deployed to get this basic protection.

The universal support for remote wipe from the major mobile platforms removed a lot of IT angst. But remote wipe may not do what you expect. It erases the device's flash memory, but that erasure is similar to erasing a hard drive: with the right tools, a determined thief could recover some or all of that wiped data. That might matter if your users are storing supersecret data on their mobile devices.

On a hard drive, there are tools that write nonsense data over the entire medium multiple times to inhibit such recovery, but I'm not aware of such tools for mobile devices today. Plus, flash memory doesn't tolerate such repeat writes as well as magnetic disks, so a truly obscured mobile device may not be stable enough to be reused. It probably makes sense to destroy the device to wipe its data where you need assured access prevention.

Encryption is the usual solution to this issue, but when you wipe a mobile device, you also clear its encryption so that the device can be set up as a new device or restored from a backup, such as from iCloud, Google Play, Windows Store, or iTunes. That's why several vendors offer encrypted application containers for managing apps developed with their APIs: They can more securely wipe their containers without affecting the rest of the device, leaving its encryption enabled.

For most people, the standard remote wipe is sufficiently secure; there aren't cyber thieves shadowing them to steal their unattended device and recover its data.
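The distinction drawn above, between a device wipe that leaves recoverable flash contents and a container wipe that only destroys the container's key while the rest of the device stays encrypted, can be shown directly. This is an added example in Python, not code from the article or from any vendor it names: the Flash and Container classes are a simulation, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for the platform's AES file encryption, used only so the example runs without third-party packages.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256.

    Stands in for the platform's AES file encryption so the example runs on
    the standard library alone; it is not a production cipher. Encryption and
    decryption are the same operation.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

class Flash:
    """Simulated flash storage. As on a real device, deleting a container does
    not physically scrub its blocks; the ciphertext stays where it was written."""
    def __init__(self):
        self.blocks = {}
    def write(self, name: str, data: bytes):
        self.blocks[name] = data
    def read(self, name: str) -> bytes:
        return self.blocks[name]

class Container:
    """An encrypted app container with its own key held in the key store."""
    def __init__(self, name: str, flash: Flash):
        self.name = name
        self.flash = flash
        self.key = secrets.token_bytes(32)      # never written to flash

    def store(self, record: str, data: bytes):
        nonce = secrets.token_bytes(12)
        ct = keystream_xor(self.key, nonce, data)
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        self.flash.write(f"{self.name}/{record}", nonce + ct + tag)

    def load(self, record: str) -> bytes:
        blob = self.flash.read(f"{self.name}/{record}")
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        if self.key is None:
            raise PermissionError("container key destroyed")
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("data tampered")
        return keystream_xor(self.key, nonce, ct)

    def crypto_erase(self):
        """Container wipe: destroy only this container's key. The personal
        container and the device's own encryption are untouched."""
        self.key = None

def demo() -> dict:
    flash = Flash()
    work = Container("work", flash)
    personal = Container("personal", flash)
    work.store("forecast.txt", b"Q3 forecast: confidential")     # constructed sample
    personal.store("photo.jpg", b"vacation photo bytes")         # constructed sample
    before = work.load("forecast.txt")
    work.crypto_erase()
    try:
        work.load("forecast.txt")
        after_error = False
    except PermissionError:
        after_error = True
    return {
        "before": before,
        "after_error": after_error,
        "personal_intact": personal.load("photo.jpg") == b"vacation photo bytes",
        "ciphertext_still_on_flash": "work/forecast.txt" in flash.blocks,
    }

if __name__ == "__main__":
    print(demo())
```

The ciphertext is still sitting on the simulated flash after the erase, which is the remanence problem the text raises about device wipes; what makes the container wipe safe is that the only thing that could turn those blocks back into data was the key, and the key was never on the flash in the first place.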
But wiping a device does delete all its data. Given that a tool like Quickoffice or Box can be used for both personal and work data, it's reasonable to expect IT to wipe the whole device, just to be safe, if there's a loss or theft or when a person leaves the company. If you have an iPhone or iPad, your personal iTunes or iCloud backup means you can restore your personal data after such a wipe; it's a simple task. Other devices don't have such a simple backup capability.

But some companies block use of iCloud, which means your personal data (photos and any data in iCloud-compatible apps like GoodReader and iWork) is not backed up for you. That can be problematic for workers on the road, as one CIO discovered when his draconian remote-wipe policy caused him to lose his vacation photos.

If an employee backs up via iTunes at home (a process Apple has largely automated), the employee is OK. But of course work data is backed up to that computer running iTunes, including any work data stored with apps on the device. Yes, iTunes has an encryption option for those backups, but if a company wants to wipe all company data that an employee may have, such as when an employee leaves the company, there's no surefire way to do so.

The lack of backup on other mobile devices in a way reduces the risk, but you can expect users on those devices, as well as on iOS, to use cloud storage (Windows Phone and Windows 8 even come with SkyDrive storage by default), so you still have the possibility of corporate data in the wild. Without true information management, you're left to best-efforts methods and a need to trust, or provide no access at all.

Managing e-discovery
If you're dealing with a lawsuit's discovery motion, the use of mobile devices complicates the already complex e-discovery process. If you use server-based email such as Exchange or Google Apps, you have the emails received and sent from the user without needing to access the employee's mobile device. But if an employee used a personal email address to communicate something being sought through discovery, you may need to get that device and review its contents. This raises all sorts of messy issues related to user privacy.

The law around such access is murky, though courts have more often than not decided that work information on personal devices is subject to e-discovery. Realistically, that means users' devices could be taken for legal discovery and all the contents rifled through. Making that clear in employee policies is probably a good idea. For employees who don't want their personal devices accessed by their company or opposing lawyers, the one true option is to use a work-only device for work and not mix personal and work to begin with.

These mobile questions extend beyond mobile
By now, I bet most readers have realized that all these issues could apply just as well to personal computers, such as home PCs. In fact, they can. Whether you use home email on a home computer, a personal smartphone, a work computer, or a work smartphone, the e-discovery issues and privacy-invasion possibilities are the same. Whether you work with information on a home computer, a personal smartphone, a work computer, or a work smartphone, the deletion and backup are the same.

When it comes to information access, most companies give their own devices a pass, assuming they are safe and trusted. I think that's naive in the day of work and personal blending of hours, location, and tasks, especially for workers who travel frequently. It may be best to apply whatever segregation and access policies you can regardless of whose device is in use, because the notions of mine, yours, and ours are further blurring.

MOBILE STRATEGY

Don't overdo app management
Third-party apps in mobile shouldn't be treated as they were on PCs
GALEN GRUMAN

You've accepted the fact that users are working on iPhones, iPads, and Android devices, even if you don't own those units. You've figured out that mobile device management (MDM) tools can secure those items, so your corporate data is safe on them, at least as secure as it is on PCs. But what about the apps on those devices? How do you manage them? How do you handle site licenses for them? How do you get enterprise support for them? These are the questions IT admins are now asking.

They won't like the answer: You don't do all these things any longer. (For apps that tap directly into your corporate information systems and processes, app management is sensible, and there are tools to help you do just that, as the story on page 6 explains.)

Why app management is a legacy approach
I know it's severe heresy for many in IT, but managing third-party apps is usually addressing the wrong problem. The issue you should be investigating is how to manage your information and the access to it. Way gone are the days that applications and user equipment are safely locked within your four walls and managing them could be a proxy for regulating your data and permissions for it.

The corporate boundaries are permeable, and they have been for some time, as people work at home and on the road, as you use a mix of staff and contractors. The rise of smartphones and tablets has simply made this new reality obvious to all. Any business that protected information by controlling computing devices and their applications, rather than actually managing that data access at the source, is now revealed to have been not protecting what's really valuable.

If you think about it, worrying about endpoints is the bad way to tackle information management. This approach is rooted in the mainframe days of IT, when all the real computing action took place in the data center, and users had at most dumb terminal access. When PCs came along, IT fretted about having real information reside on people's desks, and vendors came up with all sorts of technologies to rope those PCs into the data center's controls. Many are sensible, such as encryption and forced sign-in, as they protect the information that is so valuable.

Less sensible, though, are those that treat apps as clients of the data center. Microsoft in particular has been a master of tapping into the IT mentality so that its Office apps are clients of Exchange and other servers. As a result, IT buys site licenses that have expensive maintenance options and require constant attention to make sure the licensing rules are followed as employees come and go. It's a great revenue stream for Microsoft, Adobe Systems, and other similarly inclined vendors, as well as for purveyors of asset-management tools, and it's been a great way to justify IT staff. The inmates and jailers are all collaborating.

The problem with that approach is that these applications are not in fact clients to some server-based application. They are not like ERP and CRM systems, despite Microsoft's and others' attempts to make them so. (One organization I know dropped 90 percent of its Office licenses in favor of Google Docs but had to keep half of its client access licenses due to Microsoft's successful intermingling of client and server technologies.)


Instead, iOS users opt for iWork, Quickoffice, or Documents to Go, not Office. Android users go with Quickoffice or DocsToGo, as do BlackBerry and other mobile operating systems' users. They work with native Office files, so for most organizations, it doesn't really matter that they're not Microsoft apps, just as it doesn't really matter if a user on a PC or Mac runs OpenOffice, iWork, or Google Docs. As long as the tools support the Office capabilities required by your work process, who cares what client is running? IT has cared, but it really shouldn't.

What seems to really perturb IT admins is that these apps come from app stores, where there are no site licenses. And these vendors don't offer enterprise support plans. Welcome to the reality of consumerized IT.

How to manage apps in the era of consumerized IT
These apps, and more from the Mac, Windows, Chrome, and other emerging app stores, are purchased by individuals, and most app stores let consumers install them at no additional cost for each device associated to the user ID. There are no site licenses; the Apple app stores, for example, treat businesses pretty much like individuals: Each user gets a license that applies for as many as five of their devices. In the case of a device accessed by multiple users, such as a kiosk iPad or a library Mac, the license applies to all users for that one piece of hardware. (As of iOS 7, Apple does provide traditional business licensing through its Volume Purchase Program for App Store-provisioned apps.)

Devices can have apps from multiple accounts. Thus, an iPad could have personal apps downloaded from the user's iTunes Store account, as well as business-provisioned apps downloaded from the business's iTunes Store account or from a network page that provisions a business's internally developed apps to its authorized users. There are also mobile application management (MAM) tools for applications you develop in-house and want to provision broadly, both for native apps and for HTML5-based Web apps (see page 6). Note the dichotomy: IT manages internal apps using long-standing techniques, whereas commercial apps are unmanaged.

In this new world, commercial apps are treated the same as devices: It's a bring-your-own reality, where the license is associated to the individual, regardless of who ends up shouldering the cost. And at the small costs of mobile apps, having a labor- and technology-intensive process to manage their purchases and track their installation is simply out of whack with the reality on the ground. (Yes, I know there are certain organizations that need strict controls. They'll continue to work that way, as they should. But you have to ask yourself honestly, what control do you really need over apps and endpoint devices? It's not as much as you're used to.)

These commercial apps are not part of the MAM mix, though some MDM tools let you restrict which apps can be installed on a user's device authorized to access your network. Realistically, however, this approach works only for highly controlled devices, such as iPads used in a retail store by all employees; it's not feasible for bring-your-own devices.

But your private, internal apps are assumed to be managed, either in a lightweight way such as being downloaded (if a native app) or accessed (if a Web app) from an intranet site (VPN-protected, I would hope). You may use a MAM tool to manage them, such as to remove apps from contractor and employee devices when they leave the project or company. The use of MAM makes sense for apps that run locally and don't require access to resources in your data center; in other words, a stand-alone tool that you don't want a person using at another business. Likewise, MAM makes sense for removing or disabling apps that store sensitive data locally on a device.

However, most internal apps are really front ends to internal resources (ERP, CRM, IT management console, databases, BI, VDI, and the like) for which you exercise your control by managing access to the internal resource. In other words, you should disable access to that information for that user, regardless of the apps they might work with. They may still have the apps, but they can't access or work on the data.

This realization explains why so many businesses are enamored with tools like Citrix Receiver: it follows essentially the same model as a Web app, and that is the model your native client apps should follow, too. This access-control approach, rather than an app management approach, is both safer and easier than trying to track every endpoint app (including browser) a user may leverage to access that information. Plus, this access-control approach applies to any device: smartphone, tablet, computer, and whatever else may be on the horizon, whether owned by the business, the user, or both.

IT needs to think different. Let go of the endpoint mentality, and instead focus on the information and access to it. Then you won't be asking about how to manage apps or worry about site licenses, at least not for stuff outside the data center. The poster child for this new approach is Bechtel, whose CIO Geir Ramleth successfully exited the endpoint business several years ago. I hear more and more CIOs at conferences and in interviews starting to think the same way.

The reality is that users are smarter about tech and need less mothering than in the 1980s and 1990s. I remember when fax machines, photocopiers, and printers were expensive, complex, and fragile. Secretaries guarded them carefully, and regular staff were kept away; many companies had departments to manage copying and faxing. Over time, the technology got better and cheaper, and employees got more familiar. Today, these devices are broadly available to everyone, in a self-service context. Many of us have them at home. You call a contractor when they break, and facilities or low-level IT monitors paper and toner levels, or the staff does. And no one vets what you copy or print to make sure it's authorized; the assumption is you can be trusted with the information you have access to. Well, that's what's happening with PCs, mobile devices, and some classes of apps.

Also rethink app support
As for enterprise support plans, just think about all the money you'll save as users spend more time on mobile devices whose apps don't carry that additional expense. Yes, you'll have to train your support staff to know the apps that you decide are corporate-standard or corporate-preferred. But you do that anyhow with tools like Office today. For tools that employees choose to use beyond your standards, the employee provides his or her own support; that's the trade-off for the flexibility to choose from outside the official list. It's a trade-off that many people are willing and even happy to make. (Those that don't want that choice will use whatever you issue and support.)

Mobile and desktop apps that come through app stores follow the same model as SaaS cloud apps and open source apps: developers update them regularly and users get those updates when they are ready. There's very little in the way of support; the notion of vendor support phone lines is pretty much dead already for individually oriented software, including business-oriented apps like Office and Creative Suite. The fact that mobile, app store, and cloud apps don't provide it is really just more of what's already happened.

If you really need support for such apps, you'll find a cottage industry of consultants and support firms happy to take your business. They just won't be the same companies that developed the apps. It's basically no different than those copiers, printers, and fax machines, or a home appliance or car: You usually rely on a local independent service provider rather than the manufacturer. That's where computers have been going for some time, and apps are following, outside the data center that is.

HANDS ON

Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone
Third-party apps in mobile shouldn't be treated as they were on PCs
GALEN GRUMAN

The BYOD phenomenon is old news, with support from most companies. For IT organizations, that means ensuring proper security and management over the mobile devices employees are likely to use. In the last year, Apple's iPhone and iPad have become the new corporate standards due to high user satisfaction and superior security capabilities.

But Samsung has been aggressively promoting its SAFE (Samsung Approved for Enterprise) extensions to Android to bolster its reach into businesses wary of Google's historic lack of concern for security and the rampant malware on Android devices. SAFE targets the first concern. BlackBerry, once the IT darling due to its hundreds of security capabilities, is also trying to gain corporate respect with BlackBerry 10, which supports basic Exchange ActiveSync (EAS) policies out of the box (a first for BlackBerry), as well as a rich set of security features in its retooled BES 10 management server.

Then there's Windows Phone 8, the third version of Microsoft's attempt to deliver a popular smartphone OS. It's historically given little heed to security concerns, but Version 8 endeavors to satisfy basic business security concerns.

Mobile security falls into two fundamental forms: Microsoft's EAS policies and native APIs.

Exchange ActiveSync policy support compared
Microsoft Exchange, Microsoft System Center 2012, Google Docs for Business, and various third-party management tools support EAS policies out of the box. According to mobile analyst Chris Hazelton at the 451 Group, the core EAS policies cover most businesses' needs. But as Table 1 shows, the various mobile OSes support different EAS policies; EAS support in and of itself doesn't tell you what security level you get.

Apple's iOS 4.2 was the first major modern mobile OS to support EAS policies, and it helped catapult the iPhone to enterprise dominance. Since then, Google has increased Android's EAS coverage in each version, with Android 4 supporting more EAS policies than previous versions. Samsung, the leading Android maker, has added policy support as well as APIs to Android 4 to many of its devices. (I detail which EAS policies each version of Android and Windows Phone support in the article "How Windows Phone 8 security compares to iOS and Android.")

When you compare Windows Phone 8's EAS policy support to that of Windows Phone 7.5, there's not much difference. "Microsoft has not really added much on the management end," notes J.P. Halebeed, global director of R&D at mobile device management (MDM) vendor AirWatch. A critical addition is support for encryption on the device (it's on by default for internal storage, but not for SD cards) and the related support for EAS's encryption policies. The lack of support for encryption had been one of the biggest barriers to Windows Phone's business acceptance. Microsoft also supports the new information rights management (IRM) EAS policy, which lets companies enable rights management for data on devices; Microsoft of course has a corresponding IRM server product.

Finally, BlackBerry added EAS support to the new BlackBerry 10 OS; previous versions could be secured only through the BlackBerry Enterprise Server (BES).

Table 1: Major vendors for key mobile management
(MDM means a separate mobile device management server is required)

| Policy | Apple iOS 7 | Google Android 4 | Samsung Android 4 + SAFE | BlackBerry 10 | Microsoft Windows Phone 8 |
|---|---|---|---|---|---|
| Allow device encryption | Yes | Yes | Yes | Yes | Yes |
| Require device encryption | Yes | No | MDM | Yes | Yes |
| Encrypt storage card | NA | Yes | Yes | No | Yes |
| Minimum password length | Yes | Yes | Yes | Yes | Yes |
| Minimum number complex chars (password) | Yes | Yes | Yes | Yes | Yes |
| Password history | Yes | Yes | Yes | Yes | Yes |
| Device wipe threshold | Yes | Yes | Yes | Yes | Yes |
| Disable removable storage | MDM | No | MDM | No | No |
| Disable camera | Yes | Yes | Yes | No | No |
| Disable SMS text messaging | No | No | No | No | No |
| Disable Wi-Fi | MDM | No | MDM | No | No |
| Disable Bluetooth | MDM | No | MDM | No | No |
| Disable IrDA | NA | No | No | No | No |
| Require manual sync while roaming | Yes | Yes | Yes | No | No |
| Allow Internet sharing from device | MDM | No | MDM | No | No |
| Allow desktop sharing from device | MDM | No | MDM | No | No |
| Disable email attachment access | Yes | Yes | Yes | No | Yes |
| Disable POP3/IMAP4 email | MDM | No | No | Yes | No |
| Allow consumer email | No | No | No | No | No |
| Allow browser | Yes | MDM | MDM | No | No |
| Configure message formats (HTML/plain text) | No | No | No | No | No |
| Include past email items (days) | Yes | No | No | Yes | Yes |
| Email body truncation size (KB) | No | No | No | No | No |
| HTML email body truncation size (KB) | No | No | No | No | No |
| Include past calendar items (days) | No | No | No | Yes | No |
| Require signed S/MIME messages | No | No | No | No | No |
| Require encrypted S/MIME messages | No | No | No | No | No |
| Require signed S/MIME algorithm | No | No | No | No | No |
| Require encrypted S/MIME algorithm | No | No | No | No | No |
| Allow S/MIME encrypted algorithm negotiation | No | No | No | No | No |
| Allow S/MIME soft certs | No | No | No | No | No |
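One way to put Table 1 to work, as an added example that is not the article's own code: a gap analysis that takes the EAS policies your organization requires and reports, per platform, which are honoured natively, which need an MDM server, and which cannot be enforced at all. The matrix rows are a subset transcribed from Table 1; the function names and the sample policy set are assumptions of this example.

```python
PLATFORMS = ["iOS 7", "Android 4", "Android 4 + SAFE", "BlackBerry 10", "Windows Phone 8"]

# Subset of Table 1. Yes = honoured natively via EAS; MDM = only with a separate
# MDM server; No = not supported; NA = not applicable to the platform.
EAS_SUPPORT = {
    "Require device encryption":       ["Yes", "No",  "MDM", "Yes", "Yes"],
    "Encrypt storage card":            ["NA",  "Yes", "Yes", "No",  "Yes"],
    "Minimum password length":         ["Yes", "Yes", "Yes", "Yes", "Yes"],
    "Device wipe threshold":           ["Yes", "Yes", "Yes", "Yes", "Yes"],
    "Disable camera":                  ["Yes", "Yes", "Yes", "No",  "No"],
    "Disable Wi-Fi":                   ["MDM", "No",  "MDM", "No",  "No"],
    "Allow browser":                   ["Yes", "MDM", "MDM", "No",  "No"],
    "Include past email items (days)": ["Yes", "No",  "No",  "Yes", "Yes"],
}

_BUCKET = {"Yes": "native", "MDM": "mdm", "No": "unsupported", "NA": "na"}


def gap_analysis(required, allow_mdm=True):
    """Bucket each required policy per platform and decide whether the platform
    can be admitted. NA counts as satisfied (there is nothing to enforce); MDM
    counts only when the organization is willing to run an MDM server."""
    unknown = [p for p in required if p not in EAS_SUPPORT]
    if unknown:
        raise KeyError(f"policies not in the support matrix: {unknown}")
    report = {}
    for col, platform in enumerate(PLATFORMS):
        buckets = {"native": [], "mdm": [], "unsupported": [], "na": []}
        for policy in required:
            buckets[_BUCKET[EAS_SUPPORT[policy][col]]].append(policy)
        admit = not buckets["unsupported"] and (allow_mdm or not buckets["mdm"])
        report[platform] = {**buckets, "admit": admit}
    return report


def admissible(required, allow_mdm=True):
    """Platforms that can meet every required policy, in the table's column order."""
    report = gap_analysis(required, allow_mdm)
    return [p for p in PLATFORMS if report[p]["admit"]]


def mdm_required_for(required):
    """Platforms that are admissible only if an MDM server is deployed."""
    with_mdm = set(admissible(required, allow_mdm=True))
    without = set(admissible(required, allow_mdm=False))
    return [p for p in PLATFORMS if p in with_mdm - without]


def weakest_policies(required):
    """Required policies no platform enforces natively: candidates to enforce at
    the server side instead (the article's 'manage access at the source')."""
    return [p for p in required if "Yes" not in EAS_SUPPORT[p]]


if __name__ == "__main__":
    # Constructed sample: a minimal lost-device baseline.
    baseline = ["Require device encryption", "Minimum password length",
                "Device wipe threshold", "Encrypt storage card", "Disable Wi-Fi"]
    for platform, r in gap_analysis(baseline).items():
        print(f"{platform:18} admit={r['admit']!s:5} mdm={r['mdm']} unsupported={r['unsupported']}")
    print("needs MDM server:", mdm_required_for(baseline))
    print("enforce server-side instead:", weakest_policies(baseline))
```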

Native security and management API capabilities compared
The other form of mobile security comes from the APIs in each mobile OS. These APIs vary widely across the OSes, and each requires a management tool. Many MDM tools support multiple mobile OSes, providing a single console for IT admins. Some also offer client apps that add capabilities not found in the native APIs, though this typically forces users to opt for proprietary email and other apps for business purposes. Table 2 shows some of the more commonly requested management features typically implemented through APIs.

Apple, for example, has several dozen such APIs that use remotely installed configuration profiles not only to configure various iOS settings (such as preconfiguring VPN or allowed access points) but also to manage app behavior (such as disallowing the forwarding of corporate messages via personal accounts in Mail). iOS 7 adds several new policies, including the ability to control which apps can be used to open specific data formats, to create shared password keychains, and to manage access to Apple TVs (such as in conference rooms). All are part of what iOS calls a supervised environment, in which the iPhone or iPad is treated as an appliance.

Along the same lines, in Windows Phone 8, Microsoft supports the ability to revoke applications, restrict email forwarding, remotely enroll or unenroll devices, and remotely update business-provisioned apps. One capability in Windows Phone 8 not available to other mobile OSes is its integration with Active Directory, notes Ahmed Datoo, vice president of marketing at MDM vendor Citrix Systems. This means that MDM tools such as Citrix's can access the Active Directory groups, then assign policies to those groups rather than maintain a separate set of groups in the MDM tool from the set in Active Directory. That's a time-saver for IT, he notes; it reduces the risk of employees not being in the correct groups for the policies that should apply or falling through the cracks when terminated in, say, Active Directory but not in the MDM tool's user database.

Microsoft and Google provide far fewer such capabilities in their APIs, though Samsung and Google's Motorola Mobility unit have added their own security APIs to their Android 4 devices. For example, Samsung's SAFE APIs allow IT admins to disable cameras, Bluetooth, tethering, voice recording, SD cards, and Wi-Fi.

Microsoft uses a central manager in Windows Phone 8 called DM Client that contains all the relevant user and corporate profiles (like the Windows Registry, in effect), rather than rely on a set of separate installed configuration profiles (like the OS X System Folder, in effect).

Then there's BlackBerry, the godfather of mobile security and management. Its BES offers hundreds of controls, and its Balance technology lets IT create a partition on a BlackBerry 10 device to keep personal and work apps and data separate. BlackBerry has a fairly confusing set of MDM products as it transitions from its old BlackBerry platform to the new one; I detail its various MDM products and how they relate in the article "BlackBerry's road map to unified mobile management."

How to think about mobile device management
Ojas Rege, vice president of strategy at MDM vendor MobileIron, describes three bands of management requirements that IT should be thinking about.

The first set of requirements is around configuration and protection of lost or compromised devices. That typically requires password enforcement, encryption enforcement, remote lock and wipe, remote email configuration, certificates for identity, remote connectivity configuration (such as for Wi-Fi and VPNs, though he says this configuration capability is not essential if usage is just for email and over cellular networks), and detection of compromised OSes (such as jailbroken, rooted, or malware-infected ones).

The second set of requirements is around data loss prevention (DLP), which covers privacy controls (such as for user location), cloud-usage controls (such as for iCloud, SkyDrive, and Google Docs), and email DLP controls (such as the ability to restrict email forwarding and to protect attachments). "More regulated environments may require No. 2, and these policies are still TBD for Windows Phone," Rege notes. By contrast, iOS, BlackBerry, and Android have supported most of these needs since (respectively) iOS 4, BES 5, and Android 3, though a few, such as managing email forwards, are handled outside the OS by MDM clients such as MobileIron's.

The third set of requirements is around apps, such as their provisioning and data security.

Table 2: Other native management capabilities
(Typically requires a mobile device management server to use)

| Capability | Apple iOS 7 | Google Android 4 | Samsung Android 4 + SAFE | BlackBerry 10 | Microsoft Windows Phone 8 |
|---|---|---|---|---|---|
| Encryption | AES 256, user has no disable option | AES 128, user has disable option, only some models support encryption | AES 256, user has disable option, not all devices support encryption | AES 256, user has disable option | AES 128, user has disable option |
| FIPS 140-2 certification | Yes | No | Yes | Yes | Yes |
| Over-the-air data encryption | Yes | Yes | Yes | Yes | Yes |
| S/MIME | Yes | No | No | Yes | Yes |
| VPN | Yes | Yes | Yes | Yes | Yes |
| Configure VPN | Yes | Yes | Yes | Yes | No |
| Restrict/block app stores | Yes | No | Yes | Yes | Yes |
| Restrict/block wireless LANs | Yes | No | Yes | Yes | No |
| Configure allowable access points | Yes | Yes | Yes | Yes | No |
| Signed apps required | Yes | No | No | Yes | Yes |
| Selective wipe of business apps and data only | Yes | No | Yes | Yes | Yes |
| Remotely update business apps | Yes | No | Yes | Yes | Yes |
| Secure boot | Yes | Yes* | Yes | Yes | Yes |
| App sandboxing | Yes | Yes | Yes | Yes | Yes |
| Disable copy and paste | Yes | Yes | Yes | Yes | No |
| Disable iCloud/Microsoft Account/Google Account sync and storage | Yes | No | Yes | Yes | No |

*Added by some smartphone makers

Although both Apple and Microsoft have mechanisms to do at least basic app management (iOS can essentially hide an app so that it's no longer available to a user, and Windows Phone 8 can update corporate apps remotely), mobile application management (MAM) capabilities are mostly up to the mobile management vendors to deploy, Rege says.

All the app stores but Google's are highly curated. For their mobile OSes, Microsoft and BlackBerry copied Apple's curated approach, which has kept malware off iOS. Android has no such rigorous control, and although Google now spends more effort to analyze apps, the Google Play market is full of malware. The feds recently announced that industrial-class spyware used in advanced persistent threats has now entered the Google Play market.

All four platforms provide mechanisms for businesses to deploy their own apps directly to users, so they can deploy and manage corporate apps separately from those that users get from the app store. Mobile management tools can connect these mechanisms to group policies and content-management controls.

It's a no-brainer that iOS and BlackBerry 10 have what it takes for almost any business's security needs. Android, especially if you get Samsung or Motorola devices, is a plausible platform if you're not worried about the malware potential. Meanwhile, Windows Phone holds down the rear, appropriate for low-security requirements.

HANDS ON

Mobile management, OS by OS
Enterprise-grade security and manageability aren't exclusive to BlackBerry
GALEN GRUMAN

Although more and more businesses are opening up to smartphones other than the BlackBerry, it's amazing how many people still believe that the iPhone in particular doesn't have appropriate security for most enterprises. It does, and iOS 4 and later for the iPad, iPhone, and iPod Touch support more security and management capabilities than all competitors except the BlackBerry and perhaps (based on what criteria matter to your business) Windows Mobile. "Businesses do seem to be comfortable with BlackBerry, certainly, and also with Windows Mobile. They are increasingly comfortable with iOS," notes Forrester Research analyst Andrew Jaquith.

Why? Because these three mobile OSes use a mobile management server approach that lets IT set and enforce policies across the user base. In fact, Apple added that capability in iOS 4, released in summer 2010. Most management tools support multiple devices; the exception is BlackBerry Enterprise Server (BES), which supports only BlackBerry 5 through 7 devices. (BlackBerry Enterprise Service 10, by contrast, supports BlackBerry 10, iOS, and Android.)

But what about the other mobile devices? Google's Android is fast gaining popularity, now selling more devices than Apple and BlackBerry each. Then there's Windows Phone 8 from Microsoft. Can it safely be brought in?

Let's go through the current versions of the six major mobile platforms and their variants to see how securely they can be managed. The table at the end of this story highlights the capabilities of each mobile platform for the most common security and management needs.

First, a note on Exchange ActiveSync (EAS) policies, Microsoft's protocol for mobile security and device management: EAS is fast becoming the de facto protocol for managing mobile devices, supported to varying degrees by Apple (in iOS and Mac OS X), Google (in Android OS 3 and 4 and in corporate Gmail, and in some Android 2 devices), IBM (in the latest version of Lotus Notes), Nokia (in some Symbian-based devices), Novell (in a server add-on for GroupWise), and of course Microsoft (in Windows, Windows Mobile, and Windows Phone). BlackBerry had long avoided EAS in favor of its own BES, but BlackBerry OS 10 now supports both. It's also key to note that although there are 29 possible EAS policies, some of them don't apply to many mobile devices, such as disabling infrared or disallowing unsigned CAB files (Windows-specific app files).

Second, a note on storage of corporate email, calendar, and contact data: Devices that support Microsoft Exchange, IBM Lotus Notes, or Novell GroupWise wipe out the emails and address books when access to the server is revoked (or even just disabled, as in the case of iOS), using protocols such as LDAP to do so. In other words, these servers use the same mechanisms to recall such corporate data from mobile devices as they use for PCs.

BlackBerry OS
The key to securing a BlackBerry is to use BES 5 or BES 10, which provides over-the-air management based on more than 400 security and management policies that IT can use, from password requirements to remote wiping. BlackBerry OS 10 also supports EAS policies for smaller organizations that don't want to manage the full BES environment.
BlackBerry does offer free versions of BES for
Microsoft Exchange and IBM Lotus Notes environ-

Deep Dive
Mobile security and management capabilities compared
Key
EAS = via Microsoft Exchange ActiveSync.
BES = via BlackBerry Enterprise Server 5.x or 10.

CAPABILITY

3PS = via third-party server.


NA = information not available

APPLE
GOOGLE
IOS
ANDROID
3.X, 4.X, 5.X, 2.X, 3.X,
6.X, 7.X
4.X

MICROSOFT MICROSOFT
WINDOWS WINDOWS
PHONE 8
PHONE 7.X

NOKIA BLACKBERRY
5.X, 6,
SYMBIAN
7,109
2.X, 3.X1

On-device encryption

Yes

Yes11

Yes

No

Yes2

Yes

Over-the-air data encryption

Yes

Yes

Yes

Yes

Yes

Yes

Complex passwords

Yes

Yes

12

Yes

No

Yes

Yes

Enforce password policies

Yes

EAS

4, 12

EAS, 3PS

EAS

EAS, 3PS

BES

Support VPNs

Yes

Yes

No

No

Yes

Yes

Disable camera

Yes3

No

EAS, 3PS

No

No

BES

Restrict/block app stores

Yes3

No

EAS, 3PS

No

No

BES

Restrict/block wireless LANs

Yes

No

No

BES

Remote lockout

Yes

Remote wipe
Selective wipe of biz apps and data
Enforce and manage policies
EAS policies supported
Manage over the air
Second-factor authentication
(RSA SecurID)

EAS, 3PS

No

12

EAS, 3PS

EAS

No

BES

Yes3

EAS, 3PS12

EAS, 3PS

EAS

EAS, 3PS

BES

3PS

No

No

No

No

BES13

EAS, 3PS

EAS

EAS, 3PS

BES

NA

9 (OS 10);
None (others)7

EAS, 3PS

10

EAS, 3PS10

EAS12

14

9 (AOS 2)
13 (AOS 3,4)5

EAS, 3PS10

EAS12, 3PS

EAS, 3PS

EAS

EAS, 3PS

BES, 3PS (OS10)

No

No

Yes

No

No

Yes8

1.Some Nokia E-series and N-series devices only.


2.Storage cards not encrypted.
3.Via choice of Apple Configurator Utility (no over-the-air confirmation or
auditing), Mac OS X 10.7 Lion Server or later, EAS, and 3PS.
4.Require PIN only.
5.Some third-party email client applications support additional EAS policies
within those applications only.
7.BES supports more than 500 policies of its own.

8.Some device models only.


9.BlackBerry Tablet OS 1.0 requires BlackBerry tethering to support all these
capabilities except VPN.
10. Except for iOS 3
11. AOS 3,4 only
12. AOS 2.2 and later
13. Except BB OS 5.x

ments; it does not support Novell GroupWise as the


full version does.
BES 5.03 and BES 10 have the ability to selectively
wipe business data and apps from users BlackBerrys
without affecting user data (they must run BlackBerry
OS 6 or later).
Some BlackBerry models support RSAs SecurID
second-factor hardware authentication tool, which
is required in selected military environments.

running the 1.0 PlayBook OS must be wirelessly


tethered to a BlackBerry to access corporate
resources; the BES that protects the BlackBerry thus
protects BlackBerry data available via the PlayBook.
The version 2.0 OS PlayBook OS lets you manage
PlayBooks directly via BES, rather than continue to
require a tether. Note that BlackBerrys running BlackBerry OS versions earlier than 10 and PlayBooks not
managed by BES have no security capabilities.

BlackBerry Tablet OS

Apple iOS

BlackBerrys strategy for securing its BlackBerry Tablet


OS, used in the discontinued BlackBerry PlayBook,
is the same as for the BlackBerry: BES. PlayBooks

iOS 4 stepped up mobile management significantly by allowing auditable, assured application


of EAS policies, as well as iOS-native policies, over

MOBILE DEVIC E MANAGE M ENT

InfoWorld.com

DEEP DIVE SERIES

22

Deep Dive
the air. It allows for selective wiping of business
data and apps, and it supports complex passwords, on-device encryption, and remote wipe.
iOS supports 14 EAS policies managed through
Exchange, and it uses configuration payloads that
can be emailed to users, made accessible via a Web
link, or provisioned over the air through Mac OS X
10.7 Lion Server or later. If you use a mobile device
management tool from AirWatch, Boxtone, Citrix
Systems, Good Technology, MobileIron, Symantec,
Sybase's Afaria unit, Tangoe, or others, you can audit
and enforce their use, as well as provision them over
the air. AirWatch and MobileIron also let you manage
Macs this way.
iOS 5 added a few additional policies for MDM
tools to take advantage of as well: They can turn
off iCloud syncing, require the use of a password to access iTunes, disable email forwarding,
delete (not just render inaccessible) apps, both
individually and for all corporate-provisioned apps,
disable voice and data roaming, set policies for
the handling of nontrusted certificates, detect and
reapply user-deleted MDM configuration profiles,
set Web proxies, set autologin for approved Wi-Fi
access points, send crash data, and monitor battery
levels. iOS 6 and iOS 7 added a few controls each
for such granular management.

Microsoft Windows Mobile
Although this mobile OS was discontinued in 2009,
it remains in use at many companies running legacy
applications, especially in government. Windows
Mobile 6.x supports all 29 EAS policies if you use
an enterprise license for Microsoft System Center
Mobile Device Manager, a separate server product
that works alongside Exchange; otherwise, it
supports 14 EAS policies.
A variety of mobile management tools
support Windows Mobile devices as well, and
some Windows Mobile devices support the
SecurID authentication token.

Microsoft Windows Phone
The new Microsoft mobile OS has fewer management and security capabilities than Windows
Mobile, even though it uses the same Exchange
or EAS-compatible servers as the management
console. The biggest omissions are lack of support
for on-device encryption and for requiring use of
complex passwords in Windows Phone 7.x (remedied
in Windows Phone 8), so it will not work with
many companies' ActiveSync policy requirements.
Windows Phone 7, including the 7.5
Mango release of fall 2011, supports fewer
EAS policies than Windows Mobile and iOS, for
example. It does not support several policies that
may matter to some enterprises: disable camera
and disallow application downloads. It also
doesn't support VPNs. The Version 8 released in
fall 2012 adds several key needs, including on-device
encryption and complex-password enforcement, but
it still lacks VPN support and remains minimally secure.

Google Android OS
Although one of the most popular smartphone
OSes, Android has been among the least secure.
The Android 2.1 and earlier smartphone versions do
not have on-device encryption nor do they support
complex passwords, for example, and no Android 2.x
release encrypts on-device storage. "Enterprises are
generally quite uncomfortable with Android right
now, partly because the enterprise security road map
doesn't seem clear to them, and partly because
the vast number of Android devices makes it hard
to understand what will work for them and what
won't," says Forrester's Jaquith. The lack of OS file
system encryption is often cited as a concern.
But just as rabid iPhone users forced many businesses to allow iPhones in before Apple stepped up
iOS's security, enthusiastic Android users are doing
the same today. "Many customers seem willing,
essentially, to punt and use something like Good
Technology's product to put a secure workspace
on Android devices so that they can use them,"
Jaquith notes. IBM's Lotus Notes Traveler app adds
such a secure workspace for Notes users, as does
NitroDesk's TouchDown app for Exchange users.
And both Motorola Mobility (which Google is
acquiring) and Samsung offer business-capable
Android devices that add on-device encryption
and EAS policy support similar to what iOS offers.
Over time, Android should get more secure. In
fact, the tablet-oriented Android 3.0 OS does support
on-device encryption and policies for complex passwords, password history, and password expiration.
The Android 4.0 Ice Cream Sandwich OS,
released in late 2011 for some devices, brings
those security capabilities to Android smartphones, as well as tablets. Mid-2012's Android
4.1 Jelly Bean also supports them.
And it may not be just Google that fills in that
blank in the short term. For example, Android
2.2 Froyo and 2.3 Gingerbread include only
a basic VPN, but Motorola Mobility's Droid Pro
includes the more robust AuthenTec IPSec
multiheaded VPN. Likewise, the Motorola
Mobility Atrix, the Photon 4G, and its other
business smartphones, as well as Samsung's
SAFE series, add on-device encryption and
Android 3-level EAS policies despite Android 2.2's
and 2.3's lack of native support for them.

Nokia Symbian
Once billed as the most popular smartphone OS
in the world, Symbian is almost invisible in the
United States. Symbian's share of global Web
traffic has declined steadily, as Nokia has retired it
for smartphones in favor of Windows Phone.
The Symbian OS comes in many varieties, with
most Nokia devices not supporting business-class
security or management. But the Nokia E-series and
N-series devices usually support the basics, including
on-device encryption, complex passwords, and
remote wipe. These devices support an unknown
number of EAS policies (Nokia wouldn't say how
many), but the total appears to be fewer than iOS.
Disabling the built-in camera and preventing
access to Wi-Fi networks are two examples of EAS
policies that iOS and Windows Mobile handle (and
that BES offers) that Symbian does not. Many mobile
management tools support these Nokia devices.

What the Mobile Device Management Vendors Offer

As smartphones and tablets proliferate, and as employees make the case for device diversity, IT is faced with the challenge of managing access, usage, and security across multiple mobile devices. To address that need, many vendors have developed tools that provide a central console to manage multiple devices over the air with a common set of policies, ensuring consistent policy enforcement and providing auditing capabilities as well.
These tools use one of two approaches, and sometimes both: (1) They use policy profiles, typically based on the widely used Microsoft Exchange ActiveSync (EAS) protocol. (2) They use a client application on each supported device to provide the managed, secured workspace and additional policies. Those that support the BlackBerry work with BlackBerry's own tool, BlackBerry Enterprise Server (BES).
AirWatch supports Android, BlackBerry, iOS, and Windows Mobile. It also provides content-filtering policies, provides data-roaming policies, and allows on iOS 4 and later selective wiping of business data (leaving personal data intact for employee-owned devices). It also supports management of Macs running OS X Lion or OS X Mountain Lion.
Boxtone supports Android, BlackBerry, iOS, and Windows Mobile. It also provides tools for troubleshooting user devices, user self-registration, and asset tracking (including carriers used).
Citrix Systems' Mobile Manager supports Android, BlackBerry, iOS, and Windows Mobile. It provides telecom expense management and service monitoring capabilities.
Fiberlink's MaaS360 manages and enforces policy-based security and provides application management on Android, BlackBerry, and iOS devices, on other devices using Microsoft Exchange or IBM Lotus Notes, and on Windows and Mac OS X PCs.
Good Technology's Good for Enterprise and Good for Government tools support Android, iOS, Symbian, and Windows Mobile. The tools also permit control over application installation, allow on iOS 4 and later selective wiping of business data (leaving personal data intact for employee-owned devices), and can be set to allow only specific device/operating-system combinations.
McAfee's Trust Digital EMM supports Android, iOS, Symbian, and Windows Mobile. It also provides tools for troubleshooting user devices and user self-registration.
MobileIron's MobileIron Server supports Android, BlackBerry, iOS, Symbian, and Windows Mobile. It also permits control over application installation, allows on iOS 4 and later selective wiping of business data (leaving personal data intact for employee-owned devices), and provides telecom expense management capabilities. It also supports management of Macs running OS X Lion or later.
Sybase's Afaria supports Android, BlackBerry, iOS, Symbian, and Windows Mobile. It also provides control over application installation, lets IT set up an internal app store, and permits asset tracking of mobile devices.
Tangoe's MDM supports Android, BlackBerry, iOS, and Windows Mobile. It also permits control over application installation and provides telecom expense management and service monitoring capabilities.

HANDS ON

Say yes to (almost) any device
How to support iPhones, iPads, Androids, and other devices beyond BlackBerry
GALEN GRUMAN


Resistance is futile: the iPhone has won. Try as you may to maintain the great corporate barrier against employees using the latest smartphones on your network, the iPhone has or will soon enter your business and connect to your IT systems, and Google's Android devices such as the Galaxy series are not far behind. In fact, many CIOs and CSOs have already stopped resisting and are instead putting their energies to greater use: figuring out how to say yes to smartphones that are quickly becoming key business devices.
Sure, devices such as the iPhone have strong personal utility and appeal, but they are also increasingly able to meet core corporate security and management needs. The PC revolution 25 years ago blurred the distinction between business and personal. Today's mobile devices are meeting IT halfway, permanently ending any pretense of a hard line. Now it's your turn to figure out how to make the most of the smartphone revolution.
This guide will help you say yes to the latest mobile devices, beginning with security capabilities, which remain a core concern for most organizations. To address this issue, I've created four classes to cover most businesses' security needs. I then explain how to ensure that each mainstream mobile device can meet those requirements, noting clearly when a particular device is ill-suited to your environment. Your obligations may vary, but you can fine-tune your smartphone strategy by starting with the closest-fitting category.
To hone your pursuits, I've focused on Apple's iPhone (including the iPod Touch and iPad), Google Android OS devices, Microsoft Windows Mobile and Windows Phone, business-oriented Nokia Symbian devices (such as the S60 and E71), and the BlackBerry.
Given the importance of email on mobile devices, I also note considerations for the main business email platforms (IBM Lotus Domino/Notes, Microsoft Exchange, and Novell GroupWise) and explain when it might make sense to use a third-party mobile management product. Be aware that many of those products don't really add security capabilities. Some simplify the provisioning of the device's native security capabilities, but most are focused on monitoring and managing your cellular telecom spend, tracking the devices as assets, and giving IT basic status information for help desk support. Rather than adding yet another management tool, you may want to opt out of the smartphone-provisioning business altogether, which may solve the accounting issues these management platforms have been devised to address.
Keep in mind that mobile is a moving target. The advice that follows is based on what is available today, but vendors (hopefully) will continue to improve their products' capabilities.

What security category fits your needs?
Although scare stories about smartphone security often try to hold these devices to the standards of military and financial services firms, most companies don't require those levels of security. Besides, many defense and financial services firms have

already figured out how to support iPhones and iPads despite their higher security needs. Bank of America, Citigroup, Nationwide Insurance, and Standard Chartered are recent examples.
Many companies will require a blend of the four broad categories outlined below. After all, you likely support employees who are involved in sensitive negotiations, as well as those who have little to no access to vital corporate data. As such, your say-yes strategy should reflect that internal diversity. The universal truth of mobile is that it is not one-size-fits-all.
One final note: If you're not treating employee use of personal and provisioned PCs and laptops with the same level of security requirements you're placing on mobile devices, then something's wrong. That gap is a more immediate security problem to fix at the PC level.
Category 1: Routine business information.
Truck drivers, sales reps, sales clerks, graphics designers, Web developers, repair and maintenance staff, personal coaches, restaurateurs: people in these professions deal with routine information that is rarely personally or legally sensitive. If their smartphone is lost or stolen, the resulting hassle amounts to reconstructing some data, ensuring the cell service is discontinued, and buying and re-outfitting a replacement device. There's a risk of a thief accessing your email, so you do need to immediately change passwords at the server.
Required security includes a PIN to use the device. Good, but not essential, security and management capabilities incorporate password expiration and complex-password requirements, remote wipe, in-transit SSL encryption of email and other data, and a "wipe contents after x failed attempts" policy.
Category 2: Important business information.
Sales managers, veterinarians, personal assistants, management consultants, IT administrators, teachers, editors, videographers, programmers, most midlevel managers: people in these professions and positions have access to some personal and financial information that won't make or break the company but could cause economic or PR damage worth preventing. They may also have access to some internal systems via passwords that could be abused by a bad actor who gets the device.
If their smartphone is lost or stolen, the cleanup effort goes beyond the individual's information and may require changing shared passwords, informing business partners, and losing short-term competitive advantages.
Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, and a "wipe contents after x failed attempts" policy. Good, but not essential, security and management capabilities include VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption.
Category 3: Sensitive business information.
Finance staff, auditors, bankers, medical professionals, HR staff, lawyers, regulators, product managers, researchers, division managers, lead IT admins, marketing and sales chiefs, chief executives in most firms, and all of their assistants: people in these professions work with significantly confidential information (legal, financial, product, and personal) and usually have significant access to key internal data stores and systems.
If their smartphone is lost or stolen, there could be serious financial consequences, such as the notification costs if personally identifiable information is unprotected and the competitive losses if details on business negotiations, staff salaries, and the like are revealed.
Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, a "wipe contents after x failed attempts" policy, VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption. Good, but not essential, security and management capabilities include the ability to control access to specific networks, to turn off the built-in camera, and to control application installation.
Category 4: Top-secret information.
Military contractors, spies, police, senior diplomats, military personnel, congressional chairmen and their aides: people in these professions work with confidential information, the exposure of which could jeopardize individuals' lives or compromise the public at large.
Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit military-grade encryption of email and other data, a military-grade "wipe contents after x failed attempts" policy, VPN access to sensitive systems and data stores, physical second-factor authentication support, military-grade on-device encryption, support for S/MIME and FIPS 140 standards, and discrete lockdown control over accessible networks and allowable applications.

Securing the needs of Category 1 businesses for routine information
If your business deals with routine information, it's pretty easy to embrace smartphones beyond the BlackBerry.
Apple iOS. The iOS used in the iPhone, iPad, and iPod Touch supports the PIN requirement for this category, as well as all the good-to-have options. (Note that email encryption is handled through on-device encryption, for the iPhone 3GS and later models, the third-generation and later models of the iPod Touch, and all iPads.) SSL encryption of messages in transit is a native capability of iOS.
Enforcing these requirements and options is the issue at hand. If you can't trust users to enable them themselves, you can opt for the free Apple Configurator utility (the successor to the iPhone Configuration Utility) to set up the security policy profiles. But to ensure employees actually install the profiles, you have to manually sync them via a USB cable to the Mac running Configurator. If you trust your staff, you can send them the profiles or have them install the profiles from a Web link. Another option that enables both over-the-air provisioning and enforced installation is the use of Mac OS X 10.7 Lion Server's or later's policy management tools.
Otherwise, you'll need a third-party mobile management tool, such as those from AirWatch, Boxtone, Citrix Systems, Good Technology, MobileIron, Symantec, Sybase's Afaria unit, Tangoe, or others. These also support over-the-air management, compliance and deployment auditing, and additional security controls that the Apple Configurator utility does not, and more policies than Lion or Mountain Lion Server.

If you use Microsoft Exchange 2007 or later, you can enforce PIN and password-expiration requirements using EAS policies. You can also issue a remote-wipe command via EAS.
Lotus Notes-based organizations can password-protect email access by combining Domino 8.5.1 or higher with the free Lotus Notes Traveler app available at the iTunes App Store. Notes Traveler also provides remote wipe of email, calendar, and contact data. But Domino/Notes can't enforce devicewide policies on the iPhone or iPad, just on Notes access, though it can remotely lock or wipe an iOS device. If such policy enforcement is critical, you might consider the profile validation, device locking, and access control capabilities provided by a third-party mobile management tool.
If you use Google's corporate Gmail, you're restricted to using EAS policies.
If you use Novell GroupWise, you can use the Data Synchronizer Mobility Pack add-on for GroupWise 8 to manage the iPhone via EAS policies. Or you can use the GW Mail iPhone app to provide a secure email client that works with GroupWise 6 and later, but GW Mail can't enforce devicewide policies, just policies within its client.
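The following Exchange Management Shell script is an added example, not code from the original article: it turns the four security categories defined earlier into one EAS mailbox policy each, assigns a policy to a mailbox, audits whether the device reported the policy as applied, and issues the remote wipe discussed above for Exchange 2007 and later. The cmdlet and parameter names are Exchange 2010's (Exchange 2007 SP1 has the same New-/Set-ActiveSyncMailboxPolicy cmdlets with fewer parameters; Exchange 2013 and later rename them to New-/Set-MobileDeviceMailboxPolicy and Clear-MobileDevice). The policy names, mailbox addresses, and notification address are placeholders.

```powershell
# Added example: EAS mailbox policies per security category (Exchange 2010 cmdlet names).
# Mailbox and notification addresses below are placeholders, not from the article.

# Settings every category shares.
$baseline = @{
    DevicePasswordEnabled        = $true
    AllowNonProvisionableDevices = $false  # refuse devices that cannot apply every setting in the policy
}

# Per-category settings, following the four categories defined earlier in the article.
$categories = @{
    'MDM-Category1-Routine' = @{
        AllowSimpleDevicePassword       = $true       # a plain PIN is the only hard requirement
        MinDevicePasswordLength         = 4
        MaxDevicePasswordFailedAttempts = 10          # "wipe after x failed attempts" (good-to-have)
        DevicePasswordExpiration        = '60.00:00:00'
        AllowNonProvisionableDevices    = $true       # let legacy clients (pre-2.2 Android) keep syncing
    }
    'MDM-Category2-Important' = @{
        AllowSimpleDevicePassword          = $false
        AlphanumericDevicePasswordRequired = $true    # complex password now required
        MinDevicePasswordLength            = 8
        MaxDevicePasswordFailedAttempts    = 10
        DevicePasswordExpiration           = '90.00:00:00'
        DevicePasswordHistory              = 5
        MaxInactivityTimeDeviceLock        = '00:15:00'
        RequireDeviceEncryption            = $false   # only good-to-have at this level
    }
    'MDM-Category3-Sensitive' = @{
        AllowSimpleDevicePassword          = $false
        AlphanumericDevicePasswordRequired = $true
        MinDevicePasswordComplexCharacters = 2
        MinDevicePasswordLength            = 8
        MaxDevicePasswordFailedAttempts    = 8
        DevicePasswordExpiration           = '90.00:00:00'
        DevicePasswordHistory              = 10
        MaxInactivityTimeDeviceLock        = '00:05:00'
        RequireDeviceEncryption            = $true    # on-device encryption is required here
        RequireStorageCardEncryption       = $true
        AllowCamera                        = $false   # good-to-have controls for this category
        AllowUnsignedApplications          = $false
        AllowUnsignedInstallationPackages  = $false
    }
    'MDM-Category4-TopSecret' = @{
        AllowSimpleDevicePassword          = $false
        AlphanumericDevicePasswordRequired = $true
        MinDevicePasswordComplexCharacters = 3
        MinDevicePasswordLength            = 12
        MaxDevicePasswordFailedAttempts    = 5
        DevicePasswordExpiration           = '30.00:00:00'
        DevicePasswordHistory              = 24
        MaxInactivityTimeDeviceLock        = '00:02:00'
        RequireDeviceEncryption            = $true
        RequireStorageCardEncryption       = $true
        AllowCamera                        = $false
        AllowUnsignedApplications          = $false
        AllowUnsignedInstallationPackages  = $false
        RequireSignedSMIMEMessages         = $true    # S/MIME requirement from the category definition
        RequireEncryptedSMIMEMessages      = $true
        AllowWiFi                          = $false   # EAS has no per-SSID control; that needs BES or a 3PS
    }
}

# Create or update each policy so the script can be re-run safely.
foreach ($name in $categories.Keys) {
    $settings = $baseline.Clone()
    foreach ($entry in $categories[$name].GetEnumerator()) { $settings[$entry.Key] = $entry.Value }
    if (Get-ActiveSyncMailboxPolicy -Identity $name -ErrorAction SilentlyContinue) {
        Set-ActiveSyncMailboxPolicy -Identity $name @settings
    } else {
        New-ActiveSyncMailboxPolicy -Name $name @settings | Out-Null
    }
}

# Assign the Category 3 policy to one mailbox (placeholder address).
Set-CASMailbox -Identity 'finance.user@example.com' -ActiveSyncMailboxPolicy 'MDM-Category3-Sensitive'

# Audit: did each partnered device actually apply the policy? Only clients that report back
# fill these fields; "PartiallyApplied" or "NotApplied" is a finding to chase.
Get-ActiveSyncDeviceStatistics -Mailbox 'finance.user@example.com' |
    Select-Object DeviceType, DeviceUserAgent, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSyncAttemptTime

# Lost or stolen device: wipe every EAS partnership on the mailbox, then confirm the acknowledgement.
Get-ActiveSyncDeviceStatistics -Mailbox 'finance.user@example.com' |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -NotificationEmailAddresses 'it-sec@example.com' -Confirm:$false }
Get-ActiveSyncDeviceStatistics -Mailbox 'finance.user@example.com' |
    Select-Object DeviceType, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Two things the script makes visible that the prose does not: the wipe is only queued by the server and executes when the device next syncs (DeviceWipeAckTime stays empty until then, so change the account password at the same time), and a policy is only as good as the client's report of having applied it, which is why the Category 1 policy is the only one that tolerates non-provisionable devices.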
Google Android. Android devices can be set to require a PIN or custom swipe pattern before they can be accessed, and with Android 2.2 and later you can require use of a password on the device and remote-wipe it. It also supports SSL in-transit encryption, but it does not support on-device encryption. The tablet-oriented Android 3.0 does support encryption, as well as EAS policies for password expiration, password history, and password complexity. So does Android 4.x for both smartphones and tablets, as well as Motorola Mobility's line of Android 2.x smartphones.
So far, there are only two general options for more-secure Android usage, such as to gain encryption of stored email data on pre-3.0 devices. One is NitroDesk's TouchDown app, which provides Exchange 2003 and later access, as well as allows you to enforce EAS PIN requirements and enable EAS remote wipe. Each user would need to install this app. It's critical to note that many old Android phones that claim Exchange compatibility, such as the Motorola Droid and HTC Droid Eris, do not support EAS policies natively, just

unsecured Exchange synchronization. Thus, their
built-in mail clients wont connect to an Exchange
server that uses EAS policies. The Android 2.2 OS
update brings some EAS policy support to such
devices, such as password requirements.
The other option is to deploy a third-party
management tools client, such as the Good for
Android app, which provides email, calendar,
and contact access to both Exchange and Notes
servers. The app can require a password, encrypt
the messages and other data, and remotely wipe
the messages and other information stored within
the app. Of course, using it requires having a Good
for Enterprise server in place. The same is true for
similar clients from MobileIron and others.
For Lotus Notes environments, IBM has an
Android version of its Lotus Notes Traveler app that
lets you secure access to Notes and to data pulled
in from Notes, as well as remote-wipe that data.
Microsoft Windows Mobile. Windows Mobile supports this category's PIN requirement and the good-to-have options. You can enforce most of them using Microsoft Exchange and its EAS policies; SSL encryption of messages in transit is a native capability of the Windows Mobile operating system.
If you use Lotus Notes with Domino 8.5.1 or later, you can use the free Lotus Notes Traveler app to remote-wipe Notes email, calendar, and contact data. But Domino/Notes can't enforce any devicewide policies on the device, just on Notes access.
If you use Novell GroupWise 8, you can install the optional Data Synchronizer Mobility Pack to gain EAS policy access. Otherwise, you're stuck with the Mobile Server product, which uses the Nokia IntelliSync technology (discontinued in late 2008) rather than EAS to manage devices; that means each device needs to have an IntelliSync client installed, though Novell is no longer providing the client. Effectively, this limits GroupWise to older Windows Mobile (5.0 and 2003) devices.
Microsoft Windows Phone. Microsoft's newest mobile OS has less support for security than Windows Mobile. In this category, it supports the PIN requirement, as well as the following good-to-have capabilities: SSL encryption of in-transit email, and remote wipe. It does not support the good-to-have on-device encryption or complex-password enforcement policy.
You can enforce the supported policies if you're using an EAS-compatible server such as Microsoft Exchange, Google's corporate Gmail, or GroupWise 8 with the optional Data Synchronizer Mobility Pack installed.
There is currently no support for Lotus Notes.
Nokia Symbian. Many Nokia devices support this category's PIN requirement, as well as the good-to-have options.
For Exchange users, Nokia supports a subset of EAS policies and management capabilities, but the company declined to say which. It appears from my research that Nokia supports fewer EAS policies than Apple's iOS 4 or later.
For Notes users, IBM offers the Lotus Notes Traveler application to secure Notes email, calendars, and contacts, and to remote-wipe that data. If you want to manage Nokia devices, the Good for Enterprise server bundle can do the trick for some models such as the S60, if you're using Exchange or Notes/Domino.
For Novell GroupWise, you're limited to older devices that use the discontinued Nokia IntelliSync technology, which also requires you to have GroupWise Mobile Server in place.
BlackBerry. The BlackBerry supports this category's PIN requirement and all the good-to-have options if you use the BES or BES Express servers in addition to your Exchange, Notes, or GroupWise server.
The free BES Express server software makes BlackBerry management a viable option for small businesses that use Microsoft Exchange or Lotus Notes. Without BES, the pre-Version 10 BlackBerrys can have a PIN set on the device itself and can encrypt in-transit messages. Version 10 BlackBerrys support basic EAS policies.
If you run Microsoft Exchange and want to use its EAS policies instead of relying on BES (such as if you support other smartphones in addition to BlackBerrys), there are third-party tools that let the BlackBerry support EAS, including AstraSync and NotifySync.
Note that the BlackBerry PlayBook tablet does not have any native security capabilities in the 1.0

version of its operating system, but that changed
in the 2.0 release. The first version has no access
to corporate data protected by BES unless you
tether the PlayBook first to a BlackBerry smartphone, in which case the tablet is just a window
onto the protected smartphones data and apps.

Securing the needs of Category 2 businesses for important information
If your business deals with important information, it's a bit harder to embrace smartphones beyond the BlackBerry, but you can confidently support iOS, Windows Mobile, and Nokia Symbian.
Apple iOS. iOS supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.
One Category 2-specific issue to be aware of is that the VPN support for Cisco networks does not let you use Cisco profile distribution files; you have to manually enter the VPN profile or use the Apple Configurator utility, Mac OS X Lion Server or later, or a third-party management tool to generate it, so there's more IT overhead in implementing VPN access.
Google Android. The Android 2.x operating system lacks the services to provide many of this category's requirements, such as on-device encryption and password expiration. PPTP and L2TP/IPsec VPNs are supported in the operating system but may not be available in all devices (device makers don't have to implement them), and OpenVPN requires a third-party client. Android 3.x and 4.x do fill in the gaps on encryption and password expiration policies.
If your concern is about protecting email, calendar, and contacts data, and you use a compatible VPN, you can probably compromise the Category 2 requirements a bit for Android users. But you can't meet them all.
Microsoft Windows Mobile. Windows Mobile supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as described previously for Category 1 businesses.
However, for large-scale deployments in Microsoft-based IT shops, you may want to use Microsoft System Center Mobile Device Manager 2008, which lets you add self-provisioning, such as for password resets, and handle thousands of users across multiple Active Directory controllers if they are in the same forest.
Microsoft Windows Phone. The Microsoft OS supports most of the requirements for this category. It supports none of this category's good-to-have options. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.
Nokia Symbian. Nokia supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.
BlackBerry. The BlackBerry supports all the requirements for this category, as well as the good-to-have options such as VPN support. The issues and capabilities for Category 2 businesses are the same as those described for Category 1 businesses.

Securing the needs of Category 3 businesses for sensitive information

This level of business (financial services, legal, HR, and health care) is where businesses have to start making support choices that could displease users.
Apple iOS. The iPhone and iPad support all the requirements for this category. The issues and capabilities for Category 3 requirements are the same as those described for Category 1 businesses.
Where iOS becomes problematic is in the good-to-have capabilities. You can disable the camera and limit Wi-Fi access to specific SSIDs via the Apple Configurator utility's or OS X Server's profiles or through third-party management tools. Likewise, you can use third-party management tools to restrict users to specific apps. Using the Apple Configurator utility, OS X Server, or a third-party management tool, you can disable the App Store, Safari, and iTunes, but those are heavy-handed control options that will reduce the iPhone's intrinsic utility and appeal.
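To make the Category 2 password-expiration requirement and the Category 3 good-to-have restrictions just described concrete, the following added example (not code from this article, from Apple, or from Apple Configurator) builds the kind of iOS configuration profile those tools emit and then audits a profile for the settings each category calls for. The payload types and keys (com.apple.applicationaccess, com.apple.mobiledevice.passwordpolicy, allowCamera, allowAppInstallation, allowSafari, allowiTunes, forcePIN, maxPINAgeInDays) are from Apple's Configuration Profile Reference; the mapping of those keys onto the article's categories, the 90-day expiry ceiling, and the example.* identifiers are this example's own assumptions. SSID restriction is left out because it lives in a separate Wi-Fi payload.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) with plistlib.

Added example, not code from the InfoWorld Deep Dive or from Apple. Payload
keys come from Apple's Configuration Profile Reference; the mapping of keys
onto the article's Category 2 and Category 3 requirements is an assumption.
"""
import plistlib
import uuid


def _plain_int(v):
    """True for ints that are not bools (bool is an int subclass)."""
    return isinstance(v, int) and not isinstance(v, bool)


# (payload type, key, predicate on the value, check name). A restriction key
# that is absent means "allowed" on iOS, so a missing value (None) must fail.
CATEGORY_CHECKS = {
    2: [  # Category 2: passcode required and expiring (assumed <= 90 days)
        ("com.apple.mobiledevice.passwordpolicy", "forcePIN",
         lambda v: v is True, "passcode required"),
        ("com.apple.mobiledevice.passwordpolicy", "maxPINAgeInDays",
         lambda v: _plain_int(v) and 0 < v <= 90,
         "passcode expires within 90 days"),
    ],
    3: [  # Category 3 good-to-have: camera, App Store, Safari, iTunes off
        ("com.apple.applicationaccess", "allowCamera",
         lambda v: v is False, "camera disabled"),
        ("com.apple.applicationaccess", "allowAppInstallation",
         lambda v: v is False, "App Store disabled"),
        ("com.apple.applicationaccess", "allowSafari",
         lambda v: v is False, "Safari disabled"),
        ("com.apple.applicationaccess", "allowiTunes",
         lambda v: v is False, "iTunes disabled"),
    ],
}


def _payload(payload_type, identifier, settings):
    """Wrap settings in the common keys every profile payload carries."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # "example.*" ids are placeholders
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": payload_type,
    }
    payload.update(settings)
    return payload


def build_profile(strict):
    """Return a .mobileconfig as XML plist bytes.

    strict=True is the heavy-handed Category 3 profile the article describes;
    strict=False is a permissive profile for comparison.
    """
    allow = not strict
    restrictions = _payload("com.apple.applicationaccess", "example.restrictions", {
        "allowCamera": allow,
        "allowAppInstallation": allow,
        "allowSafari": allow,
        "allowiTunes": allow,
    })
    passcode_settings = {
        "forcePIN": True,
        "requireAlphanumeric": True,
        "minLength": 8,
        "maxFailedAttempts": 10,
    }
    if strict:
        passcode_settings["maxPINAgeInDays"] = 60  # force a change every 60 days
    passcode = _payload("com.apple.mobiledevice.passwordpolicy",
                        "example.passcode", passcode_settings)
    profile = _payload("Configuration", "example.profile", {
        "PayloadDisplayName": "Example device restrictions",
        "PayloadContent": [restrictions, passcode],
    })
    return plistlib.dumps(profile)


def audit_profile(profile_bytes, category):
    """Map each check name for the category to True (enforced) or False."""
    profile = plistlib.loads(profile_bytes)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    results = {}
    for payload_type, key, predicate, name in CATEGORY_CHECKS[category]:
        value = by_type.get(payload_type, {}).get(key)  # None if payload/key absent
        results[name] = bool(predicate(value))
    return results


def failing_checks(profile_bytes, category):
    """Sorted names of the category's checks the profile does not enforce."""
    return sorted(name for name, ok in audit_profile(profile_bytes, category).items()
                  if not ok)


if __name__ == "__main__":
    for strict in (True, False):
        blob = build_profile(strict)
        print("strict" if strict else "lax",
              "| Category 2 gaps:", failing_checks(blob, 2),
              "| Category 3 gaps:", failing_checks(blob, 3))
```

The audit treats an absent payload or key as a failure on purpose: on iOS the restriction keys default to "allowed", so a profile that never mentions allowCamera has not disabled the camera. The same audit can be pointed at a profile exported from Apple Configurator or pushed by an MDM server, since both produce the same plist structure.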

Google Android. The 2.x version of Android OS lacks the services to provide most of this category's requirements, so it cannot legitimately meet the needs of Category 3 businesses. Android 3.x and 4.x do meet this category's basic needs, but not the nice-to-have capabilities.
Microsoft Windows Mobile. Windows Mobile supports all the requirements for this category, but you'll need Microsoft System Center Mobile Device Manager 2008, Good for Enterprise, or MobileIron products to handle the good-to-have option of managing which applications users may install. Otherwise, the issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses.
Microsoft Windows Phone. The Windows Phone OS lacks the services to provide most of this category's requirements, so it cannot legitimately meet the needs of Category 3 businesses.
Nokia Symbian. Nokia supports all the requirements for this category. The issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses. For the good-to-have options, I could not find third-party management tools that provide them for Nokia's devices.

[Table: How each mobile platform's securability compares]
Columns: Cat. 1 (Routine), Cat. 2 (Important), Cat. 3 (Sensitive), Cat. 4 (Top Secret)
Rows (each platform rated separately for Exchange, Notes, and GroupWise):
Apple iOS 3.2, 4, 5, 6, 7
Google Android OS 3.x, 4.x
Google Android OS 2.2, 2.3
Microsoft Windows Phone 7.x
Microsoft Windows Phone 8
Microsoft Windows Mobile 6.x
Nokia Symbian 3
RIM BlackBerry 5, 6, 7, 10
Legend: Natively supported / Supported with extra tools / Not supported (per-cell ratings not reproduced)
Capabilities listed are for Exchange 2007 and later, Lotus Notes 8.5.1 and later, GroupWise 8 and later.

BlackBerry. The BlackBerry supports all the requirements for this category, if you use the full version of BES with Notes or GroupWise, or either the free Express or the paid full version of BES for Exchange. You'll need the full BES for the good-to-have features for all three email platforms. The issues and capabilities for Category 3 businesses are the same as those described for Category 1 businesses.

Securing the needs of Category 4 businesses for top-secret information

If your business deals with life-critical information, such as for defense work, there are only two viable smartphone options: BlackBerry and Windows Mobile.
Apple iOS. iOS 7 meets the military-grade (FIPS) encryption requirements (with S/MIME support in iOS 5 or later) and provides the level of application and network-access control necessary, but it doesn't support physical second-factor authentication. It can be used in military organizations, but only by those people whose level of clearance doesn't require extraordinary security measures.
Google Android. The Android operating system lacks the services to provide most of this category's requirements, so it cannot meet the needs of Category 4 businesses.
Microsoft Windows Mobile. Natively, Windows Mobile can't meet military-grade requirements such as physical second-factor authentication support and military-grade (FIPS) encryption, but the Good for Government product adds them to meet Defense Department requirements.
Microsoft Windows Phone. The Windows Phone 7.x operating system lacks the services to provide most of this category's requirements, so it cannot legitimately meet the needs of Category 4 businesses. But Windows Phone 8 has FIPS certification, so it can be used in some circumstances.
Nokia Symbian. The Nokia devices can't meet the military-grade (FIPS) encryption requirements or provide the level of application and network-access control necessary. They can be used in military organizations, but only by those people whose level of clearance doesn't require these extraordinary security measures.
BlackBerry. When used with the full version of BES and the BlackBerry Smart Card Reader, certain models of the BlackBerry can meet Category 4 requirements.

The bottom line: You can say yes a lot

By now, I hope it's clear that most businesses can say yes to many of today's smartphones. Although the minimal capabilities of Windows Phone and Android 2.x largely limit their use to Category 1 companies, Category 2 and Category 3 businesses can support iOS and even Android 3.x and 4.x, not just the traditional BlackBerry, Windows Mobile, and Nokia Symbian devices.
So now the question is not whether your business should say yes to smartphones but what value it seeks from their broad use. That's a better question to ask, and an even better one to help the business answer.
