Running a successful BYOD Initiative
Albee Jhoney
Hari H Krishna
© 2013 International Business Machines Corporation
Life was so much easier when everyone simply had a Blackberry
[Chart: Share of global Q1 2012 smartphone sales to end users, by OS]
• Android and iOS accounted for 79% of all smartphone shipments
• Many employees want to use their devices to access work information
• Mobile devices offer significant advantages for companies
• ‘Halo effect’ of Apple Macs
• Before companies can realise the benefits of mobile devices, they need to be able to manage the associated risks
Source: Gartner 2012; does not include media tablets
IT manages risks by maintaining control points
With BYOD, IT loses control
PCs and mobile devices have many of the same management needs
Traditional Endpoint Management:
• OS provisioning
• Device inventory
• Patching
• Security policy mgmt
• Power mgmt
• Application mgmt
Mobile Device Management:
• Device config (VPN/Email/Wifi)
• Device wipe
• Location info
• Jailbreak/Root detection
• Enterprise app store
• Self-service portal
Needs common to both:
• Encryption mgmt
• Roaming device support
• Integration with internal systems
• Scalable/secure solution
• Easy-to-deploy
• Multiple OS support
• Consolidated infrastructure
“Organizations…would prefer to use the same tools across PCs, tablets and smartphones,
because it's increasingly the same people who support those device types”
– Gartner, PCCLM Magic Quadrant, January 2011
Managing Mobile Devices – The Problem
• Potential unauthorized access (lost, stolen)
• Disabled encryption
• Insecure devices connecting to network
• Corporate data leakage
[Diagram: end user’s device with mail / calendar / contacts, VPN / WiFi access, app-store apps and enterprise apps; corporate network access over VPN / WiFi with encryption not enforced; iCloud sync and iTunes sync]
Managing Mobile Devices – The Solution
• Enforce password policies
• Enable device encryption
• Force encrypted backup
• Disable iCloud sync
• Access to corporate email, apps, VPN, WiFi contingent on policy compliance!
• Selectively wipe corporate data if employee leaves company
• Fully wipe if lost or stolen
[Diagram: end user’s device split into a personal side (personal mail / calendar, personal apps) and a corporate profile secured by BigFix policy (enterprise mail / calendar, enterprise access via VPN / WiFi, enterprise apps from app store or custom); corporate network access with encryption enabled; iCloud sync and iTunes sync]
IBM understands the demands of managing a global
heterogeneous IT infrastructure with BYOD
• 430,000 IBM employees in over 120 countries
• Deployment to over 750,000 endpoints
• A 78 per cent decrease in endpoint security issues
• IBM is also in the process of deploying a Mobile Device Management solution across its entire mobile workforce of over 120,000 staff
• BYOD with 200,000+ smartphones projected
• 2099+ Terabytes of WAN traffic per month
Mobile Device Management
Services:
• Providing enterprise-wide visibility (e.g. device details, apps installed, device location)
• Ensuring data security and compliance
• Device configuration
• Support devices on Apple iOS, Google Android, Microsoft Windows Phone, Blackberry, Nokia Symbian
Benefits:
• Address business and technology issues of security, complexity and bring your own device (BYOD) in mobile environments
• Manage enterprise and personal data separately with capabilities such as selective wipe
• Leverage a single infrastructure to manage all enterprise devices—smartphones, tablets, desktops, laptops and servers
“IBM's MDM capability is very complementary to that of PCs, and it is one of the few vendors in this Magic Quadrant that can support PCs and mobile devices”
– Gartner, MQ for Mobile Device Management Software, 2012
Supported platforms: Apple iOS, Google Android, Windows Phone, Blackberry, Nokia Symbian, Windows Mobile
Implement BYOD With Confidence
How do I deal with the business mandate that employees be allowed to "Bring Your Own Device"?
• App container. Deploy, manage, configure, and remove Enterproid Divide containers to separate personal and work environments on iOS and Android devices
• PIM container. Separate personal and corporate email and prevent sensitive data from being copied into other apps with NitroDesk TouchDown integration
• Dual-persona OS. Manage BlackBerry 10 devices, which provide a native user experience to personal and work personas
• Extend BYOD to laptops. Unified device management approach brings together containers, smartphones, tablets, laptops, desktops, and servers under one infrastructure
Manage and secure only the apps and data inside the enterprise container, leaving users free to control the personal side of their device with Enterproid Divide.
Handle Multi-Platform Complexities With Ease
How do I manage an ever-expanding list of OS and hardware platforms when the user controls what apps are loaded and the carrier controls when the OS is updated?
• Device management via Android agent, iOS APIs, Lotus Traveler, Microsoft Exchange, and Office 365
• Complete device hardware and software inventory in near real-time
• Web reports provide at-a-glance mobile device deployment overviews
• Pass mobile device data to network management, service desk, asset management, and security and compliance systems
• Multi-tenancy support for service providers and organizations that need to completely separate different parts of the organization
Better plan internal mobile projects with easy access to near-real-time data about your mobile environment.
Secure Sensitive Data, Regardless of the Device
How do I ensure the security of mobile devices as they access more and more sensitive systems?
• Unified compliance reporting across all devices, including CIS Benchmarks
• Configure security settings such as password policy, encryption, WiFi, iCloud sync
• Full wipe, remote lock, map device location, and clear passcode options if device is lost or stolen
• Blacklist apps and automate alerts, policy response
• Detect jailbroken / rooted devices to notify users, disable access
• Integrate with mobile VPN and access management tools to ensure only compliant devices are authorized
Multiple user communication and alert methods, including Google Cloud Messaging (GCM), enable users to be part of the security solution.
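To make the compliance-gated access model on this slide concrete, here is an added example (not IBM code, and not Endpoint Manager's own policy language): a small Python evaluator that takes device inventory records in the shape an MDM agent or mail connector would report them, checks each against a baseline (passcode length, encryption, iCloud sync, auto-lock timeout, jailbreak/root state, blacklisted apps) and maps the result onto the responses the slide lists: allow, notify the user, deny access, or full wipe for a device reported lost or stolen. It then rolls the verdicts up into the kind of unified report the first bullet describes. The policy values, record fields, sample devices and the severity tiering are all assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed baseline policy; the values are illustrative, not IBM defaults.
POLICY: Dict = {
    "min_passcode_length": 6,
    "require_encryption": True,
    "allow_icloud_sync": False,
    "max_inactivity_minutes": 5,
    "blacklisted_apps": {"com.example.filesharer", "com.example.rootkit-tool"},
}

# Findings in this set cut corporate access immediately; the rest give the
# user a notification first (assumed tiering, not a product default).
SEVERE = {"jailbroken/rooted", "device encryption disabled", "blacklisted app"}


@dataclass
class Device:
    """One inventory record as an MDM agent would report it (assumed fields)."""
    device_id: str
    owner: str
    platform: str
    passcode_length: int
    encrypted: bool
    icloud_sync: bool
    jailbroken: bool
    inactivity_minutes: int
    installed_apps: List[str] = field(default_factory=list)
    reported_lost: bool = False


@dataclass
class Verdict:
    device_id: str
    compliant: bool
    findings: List[str]
    action: str  # "allow" | "notify_user" | "deny_access" | "full_wipe"


def evaluate(dev: Device, policy: Dict = POLICY) -> Verdict:
    """Check one device against the baseline and pick the response."""
    # A lost or stolen device is wiped regardless of its configuration state.
    if dev.reported_lost:
        return Verdict(dev.device_id, False, ["reported lost/stolen"], "full_wipe")

    findings: List[str] = []
    if dev.jailbroken:
        findings.append("jailbroken/rooted")
    if dev.passcode_length < policy["min_passcode_length"]:
        findings.append("passcode too short")
    if policy["require_encryption"] and not dev.encrypted:
        findings.append("device encryption disabled")
    if dev.icloud_sync and not policy["allow_icloud_sync"]:
        findings.append("iCloud sync enabled")
    if dev.inactivity_minutes > policy["max_inactivity_minutes"]:
        findings.append("auto-lock timeout too long")
    for app in sorted(set(dev.installed_apps) & policy["blacklisted_apps"]):
        findings.append(f"blacklisted app: {app}")

    if not findings:
        return Verdict(dev.device_id, True, [], "allow")
    # The text before ':' is the finding category; the app id after it varies.
    severe = any(f.split(":")[0] in SEVERE for f in findings)
    return Verdict(dev.device_id, False, findings,
                   "deny_access" if severe else "notify_user")


def compliance_report(devices: List[Device], policy: Dict = POLICY) -> Dict:
    """Unified report across platforms: totals, actions and finding counts."""
    verdicts = [evaluate(d, policy) for d in devices]
    return {
        "total": len(verdicts),
        "compliant": sum(1 for v in verdicts if v.compliant),
        "actions": dict(Counter(v.action for v in verdicts)),
        "findings": dict(Counter(f.split(":")[0] for v in verdicts for f in v.findings)),
        # Non-compliant device count per platform.
        "by_platform": {
            p: sum(1 for d, v in zip(devices, verdicts) if d.platform == p and not v.compliant)
            for p in sorted({d.platform for d in devices})
        },
    }


# Constructed inventory records, one per outcome.
SAMPLE_DEVICES = [
    Device("ios-001", "alice", "iOS", 6, True, False, False, 5, ["com.example.mail"]),
    Device("and-002", "bob", "Android", 4, True, False, True, 5, ["com.example.mail"]),
    Device("ios-003", "carol", "iOS", 8, True, True, False, 5, ["com.example.mail"]),
    Device("and-004", "dave", "Android", 6, True, False, False, 5, [], reported_lost=True),
    Device("ios-005", "erin", "iOS", 8, True, False, False, 5,
           ["com.example.mail", "com.example.filesharer"]),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        v = evaluate(dev)
        print(f"{v.device_id:8} {v.action:12} {'; '.join(v.findings) or 'compliant'}")
    print(compliance_report(SAMPLE_DEVICES))
```

The split between immediate denial and a notify-first grace period is the design decision worth arguing about in a real rollout: a jailbroken device or a blacklisted app on a device that holds corporate mail is a data-leakage path the moment it is seen, whereas an over-long auto-lock timeout is something the self-service portal can ask the user to fix before access is cut.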
Minimize Administration Costs
How do I cost-effectively manage the sheer volume of these tiny devices with average replacement rates of 12-18 months?
• Multiple authenticated device enrollment options, including LDAP/AD integration
• Employee self-service portal to enable employees to protect personal and enterprise data
• Enterprise app store directs employees to approved apps, includes support for Apple’s Volume Purchase Program (Apple VPP)
• Integration with IBM Worklight for 1-click transfer of internally-developed mobile apps from dev to production
• A ‘single device view’ enables IT personnel to easily view device details and take required action
A flexible enrollment process enables organizations to include a EULA and to collect critical device and employee data via customizable questions
IBM Endpoint Manager
Continuously monitors the health and security of all enterprise endpoints in real-time via a single, policy-driven agent
• Common management agent
• Unified management console
• Common infrastructure
• Single server
[Diagram: endpoints (desktop / laptop / server, mobile, purpose specific) managed through IBM Endpoint Manager; modules grouped under Systems Management and Security Management: Patch Management, Lifecycle Management, Software Use Analysis, Mobile Devices, Power Management, Core Protection, Server Automation, Security and Compliance]
IBM Endpoint Manager for Mobile Devices
Functionality Overview (Category – Endpoint Manager Capabilities)
Platform Support – Apple iOS, Google Android, Windows Phone, Blackberry, Symbian, Windows Mobile
Management Actions – Selective/full wipe, deny email access, remote lock, user notification, clear passcode
Application Management – Application inventory, enterprise app store, iOS WebClips, whitelisting/blacklisting
Policy and Security Management – Password policies, Samsung SAFE, device encryption, jailbreak/root detection
Location Services – Track devices and locate on map
Enterprise Access Management – Configuration of Email, VPN, Wi-Fi, Authenticated Enrollment, Self Service Portal
Expense Management – Enable/disable voice and data roaming
Cloud Email Device Management – Office 365 support
Containerisation – Nitrodesk Touchdown (Android), Enterproid Divide, Red Bend
How it Works
[Diagram callouts: Identify unmanaged assets; Manage roaming devices]
Lightweight, Robust Infrastructure
Remote Offices
• Use existing systems as Relays
• Built-in redundancy
• Support/secure roaming endpoints
Cloud-based Content Delivery
• Highly extensible
• Automatic, on-demand functionality
Single Server & Console
• Highly secure, highly scalable
• Aggregates data, analyzes & reports
• Pushes out pre-defined/custom policies
Single Intelligent Agent
• Performs multiple functions
• Continuous self-assessment & policy enforcement
• Minimal system impact (< 2% CPU)
Authenticated Enrollment and Self Service portal
A flexible enrollment process can include an EULA and collect critical device
and employee data via customisable questions
Authenticated Enrollment and Self Service portal
Complete device hardware and software inventory
Last known location of the device
Create your own Enterprise AppStore
Secure the device
A unified report of password policies across all mobile OSs makes it easy for administrators to identify non-compliant devices
Secure the device
Endpoint Manager for Mobile Devices, Part of IBM MobileFirst
[Diagram: IBM MobileFirst stack – Industry Solutions (Banking, Insurance, Retail, Transport, Telecom, Government, Healthcare, Automotive); IBM & Partner Applications; Application & Data Platform (Application Platform and Data Services, Management, Security, Analytics); Devices, Network, Servers; Development & Integration Services; Strategy & Design Services; Cloud & Managed Services]
Stanford University uses IBM Endpoint to support its large BYOD environment of over 45,000 endpoints
Stanford University
• Palo Alto, California
• Population: 30,000
• 45,000+ End Points
The solution
• Opt-in Power Management
• Security Patching (Windows / Mac)
• Inventory
• Anti Malware
• Application Updates
• Software deployment
• Laptop Recovery
• PGP Whole Disk Encryption
Benefits
• Rapid Operating System Patching and Compliance (across Windows and OS X)
• Accurate IT asset inventory
• Power Savings: Pacific Gas & Electric Rebate ~$70,000 May 2009
https://itservices.stanford.edu/service/bigfix
Large Healthcare Provider
Extending the reach of healthcare
This innovative healthcare provider in the southeastern United States is piloting a program to improve patient outcomes by providing secure healthcare support remotely through mobile devices, such as:
• Home Health Care: iPads provided to Home Healthcare diabetes patients to enable direct input of diagnostic data; FaceTime sessions with home health nurses reduce the need for on-site visits, which improves nurse utilization while reducing costs
• Education: iPod Touches with pre-loaded educational apps provided to parents of babies in the Neonatal Intensive Care Unit (NICU)
Customer Needs
• Consolidate management of endpoints – PCs, laptops, mobile devices
• HIPAA compliance
• Minimize on-going operational costs
• Minimize device replacement costs
Key Features & Outcomes
• This regional healthcare provider uses IBM Endpoint Manager for its unified approach to endpoint management
• 1 employee is able to manage and secure 30,000 PCs + 4,000 mobile devices
ibm.com
Legal Disclaimer
• © IBM Corporation 2012 All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained
in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are
subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing
contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and
conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or
capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to
future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth or other results.
• If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete:
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
• If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete:
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs
and performance characteristics may vary by customer.
• Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM
Lotus® Sametime® Unyte™). Subsequent references can drop “IBM” but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server).
Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your
presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in
your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International
Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
• If you reference Adobe® in the text, please mark the first use and include the following; otherwise delete:
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other
countries.
• If you reference Java™ in the text, please mark the first use and include the following; otherwise delete:
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
• If you reference Microsoft® and/or Windows® in the text, please mark the first use and include the following, as applicable; otherwise delete:
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
• If you reference Intel® and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete:
Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
• If you reference UNIX® in the text, please mark the first use and include the following; otherwise delete:
UNIX is a registered trademark of The Open Group in the United States and other countries.
• If you reference Linux® in your presentation, please mark the first use and include the following; otherwise delete:
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of
others.
• If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta
Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration
purposes only.
Backup
IBM Endpoint Manager for Mobile Devices Architecture
[Diagram: IEM Server with DB and consolidated reports / management; TEM Relay and Management Extender for iOS carry agent comms / management APIs to fully-managed devices, with Apple Push Notification Servers and (optional) Google Cloud Messaging; Lotus Traveler / Exchange Server provides management by email over ActiveSync]
IBM Endpoint Manager for Mobile Devices
IBM Endpoint Manager’s cloud-based content delivery system enables customers to benefit from frequent feature enhancements without the difficulty of performing upgrades
• Integration with Enterproid’s Divide container technologies for iOS and Android
• Web-based administration console for performing basic device management tasks with role-based access control
• Integration with BlackBerry Enterprise Server for integrated support of BlackBerry v4 – v7 devices
• Enhanced security with support for FIPS 140-2 encryption and bi-directional encryption of communications with Android agent
• Additional Samsung SAFE APIs for expanded management and security of SAFE devices
• SmartCloud Notes & Notes Traveler 9.0 support, including cloud and high-availability versions
Jailbreak / Root Detection –
Warn Users, Notify Administrators, Take Action
IBM announced same-day support for Apple iOS6
New MDM features in iOS 6
• Ability to set a device-level proxy (only works in "Supervised mode")
• Single-app mode. Ability to set a "Locked App" like a "Kiosk Mode"
• Some new restrictions like the ability to disable Game Center
• Configure a profile to automatically be removed at a specified date
• Disable recent contacts from syncing for a given email account
• Disable Passbook while device is locked
• Disable shared photo streams
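The settings on the earlier “Managing Mobile Devices – The Solution” slide (password policy, encrypted backup, iCloud sync off) and several of the iOS 6 items above (Game Center, Passbook while locked, shared photo streams, a profile that removes itself on a date) all travel to the device as one Apple configuration profile. The following is an added example, not IBM's code and not how Endpoint Manager builds its profiles: it assembles such a profile in Python with the standard-library plistlib and reads it back to check what was set. The `com.apple.*` payload types and the keys under them are Apple's documented configuration-profile keys; the `com.example.mdm.*` identifiers, the organisation name, the policy numbers and the removal date are constructed assumptions.

```python
import datetime
import plistlib
import uuid
from typing import Dict


def _payload(payload_type: str, name: str, suffix: str) -> Dict:
    """Common header every payload dictionary in a profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.mdm.{suffix}",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def passcode_payload(min_length: int = 6, max_inactivity: int = 5,
                     max_failed: int = 10, max_age_days: int = 90) -> Dict:
    """Passcode policy payload (com.apple.mobiledevice.passwordpolicy)."""
    p = _payload("com.apple.mobiledevice.passwordpolicy", "Passcode policy", "passcode")
    p.update({
        "forcePIN": True,                 # a passcode is required at all
        "minLength": min_length,
        "requireAlphanumeric": True,
        "maxInactivity": max_inactivity,  # minutes before auto-lock
        "maxFailedAttempts": max_failed,  # device wipes itself after this many
        "maxPINAgeInDays": max_age_days,
    })
    return p


def restrictions_payload() -> Dict:
    """Restrictions payload (com.apple.applicationaccess)."""
    p = _payload("com.apple.applicationaccess", "Corporate restrictions", "restrictions")
    p.update({
        "forceEncryptedBackup": True,       # 'force encrypted backup'
        "allowCloudBackup": False,          # 'disable iCloud sync'
        "allowCloudDocumentSync": False,
        "allowGameCenter": False,           # new restriction in iOS 6
        "allowPassbookWhileLocked": False,  # iOS 6: Passbook off on lock screen
        "allowSharedStream": False,         # iOS 6: shared photo streams off
    })
    return p


def build_profile(removal_date_iso: str) -> Dict:
    """Top-level profile; RemovalDate makes iOS 6 drop it on that date."""
    removal = datetime.datetime.strptime(removal_date_iso, "%Y-%m-%d")
    profile = _payload("Configuration", "Corporate baseline", "baseline")
    profile.update({
        "PayloadOrganization": "Example Corp",  # assumed
        "PayloadRemovalDisallowed": True,       # user cannot remove it by hand
        "RemovalDate": removal,
        "PayloadContent": [passcode_payload(), restrictions_payload()],
    })
    return profile


def to_mobileconfig(profile: Dict) -> bytes:
    """Serialise to the XML plist an MDM server pushes as a .mobileconfig."""
    return plistlib.dumps(profile)


def summarize(data: bytes) -> Dict:
    """Parse a serialised profile back and pull out the settings that matter."""
    prof = plistlib.loads(data)
    by_type = {p["PayloadType"]: p for p in prof["PayloadContent"]}
    pw = by_type["com.apple.mobiledevice.passwordpolicy"]
    rs = by_type["com.apple.applicationaccess"]
    return {
        "removal_date": prof["RemovalDate"].strftime("%Y-%m-%d"),
        "min_length": pw["minLength"],
        "max_inactivity": pw["maxInactivity"],
        "encrypted_backup": rs["forceEncryptedBackup"],
        "icloud_backup": rs["allowCloudBackup"],
        "passbook_while_locked": rs["allowPassbookWhileLocked"],
        "payloads": len(prof["PayloadContent"]),
    }


if __name__ == "__main__":
    data = to_mobileconfig(build_profile("2014-01-31"))
    print(data.decode())
    print(summarize(data))
```

In a real deployment the profile is signed and delivered over the MDM channel rather than written to disk, and `PayloadRemovalDisallowed` only holds on a device that was enrolled through MDM; a user who sideloads the same profile can still delete it. The device-level proxy from the first iOS 6 bullet is deliberately not in this profile, since it only takes effect on supervised devices.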
Delivering for multiple mobile platforms
IBM Worklight
Fast and cost-effective development, integration and management of rich, cross-platform mobile applications
Client Challenge
Using standards-based technologies and tools and delivering an enterprise-grade services layer that meets the needs of mobile employees and customers
Key Capabilities
Encrypted cache on-device
• A mechanism for storing sensitive data on the client side
• Encrypted - like a security deposit box
Mobile optimised middleware
• Open approach to 3rd-party integration
• Mix native and HTML
• Strong authentication framework
• Encrypted offline availability
• Enterprise back-end connectivity
• Unified push notifications
• Data collection for analytics
• Direct updates and remote disablement
• Packaged runtime skins