Enterprise Mobility Management
by Mary Branscombe
Managing IT systems nowadays means coping with devices on both sides of the organisation’s firewall.
HardCopy Issue: 66 | Published: June 1, 2015
Thinking about your mobility strategy? Mobile Device Management (MDM) has come a long way from the days of Exchange profiles or the feature lockdown of BlackBerry Enterprise Server, where ‘taking control’ usually meant ‘turning things off’. What businesses need now is a mix of connectivity, control, productivity, security, identity and access management, which means that device management is just part of the story – although you still have to be ready to cope with lots of devices, some of which you might never have come across before.
The new term for this is Enterprise Mobility Management (EMM), and everyone from BlackBerry to Sophos is promising it. You will also find familiar MDM names like Good and AirWatch, device manufacturers like Samsung, and one big player you might not expect, namely Microsoft.
Microsoft’s own description of its Enterprise Mobility Suite (EMS) sums up the key areas you need to think about, stating that it’s “to help organisations enable their users to be productive on the devices they love, while protecting the company.” Devices your users might love include Bring Your Own devices over which you have limited management; Choose Your Own devices that you whitelist and can have more control over (although not as much as your standard enterprise devices where you can apply strict policies); or even ‘on your own’ devices that you don’t support, manage or maybe even know about, but that users might still try to connect, such as Apple Watch or Microsoft Band.
The system that you choose to manage such devices must at the least integrate with the system you are currently using to manage your standard enterprise devices, because you don’t want to have to duplicate policies any more than you have to, and the fewer the systems you have to juggle, the smaller the likelihood of loopholes slipping between the cracks. Your users look at the same email and the same documents whether it be on smartphone, tablet, laptop or desktop, so having management tools that treat such devices as separate problems isn’t helpful.
Such diversity means that you can’t hope to manage much on the devices themselves – and the more personal the device, the less happy users are going to be about letting you interfere. They will put up with the company wallpaper on their company desktop but they’re really going to hate it showing up on their phone. Furthermore, this type of management can only give you protection at the device level.
More important is to manage the information flow to and from such devices, and to manage and protect the apps and systems that users access with those devices. There’s not much point in installing an approved document reader onto someone’s phone if you can’t stop them opening a work document in Google Docs. And you probably need to manage the data flowing into Dropbox from notebooks and desktops in the office just as much as you do the apps installed on your users’ phones, because that’s all part of the same balancing act between keeping users happy and productive, and keeping control of the company assets that go on their devices (while staying well clear of their personal information).
Identity management and integration with your directory systems is also important, as you need to make sure it’s really one of your users connecting and not someone who’s phished their credentials. This implies an element of access management and authentication, ideally multi-factor rather than just passwords. Given the rate at which we upgrade our phones and tablets these days, you need to be thinking in terms of identity, information and apps rather than devices; and it has to happen automatically, from the moment they sign in with their work credentials, no matter what device they show up with.
You also want some self-service tools for users, such as password reset and facilities for locking their devices remotely. With UK users carrying up to four separate devices each, you don’t want the extra work, and devices will be more secure if you let users lock them rather than hang around hoping to find them because they don’t want to go through a tedious reporting process.
This all needs to work without assuming users will connect over a VPN, so it’s a good opportunity to look at mobilising some of your internal systems, perhaps using team sites on SharePoint Server, so that users can access them from their phone or tablet if they’re out of the office. As usual, the alternative to doing so is to risk users copying files onto USB sticks that they can lose, or to cloud services where you have no control. If you want to protect information you need to stay in control of how it’s accessed, and you can only do that if you give users the access they need.
Rather than develop a separate mobile device management tool, or just extending the EAS policies that are already in Exchange Server and Office 365, Microsoft has combined the cloud versions of its existing tools for identity management, mobile management and information protection into a suite that works with your on-premise infrastructure (especially Active Directory and System Center), and with Office, which remains a familiar and popular product (even with iPad users these days).
The mobile device management component of the Enterprise Mobility Suite (EMS) is Microsoft Intune, which manages both PCs and mobile devices like smartphones and tablets. Identity management comes from Azure Active Directory Premium, which you can sync with your on-premise AD, even if you have multiple forests. Access and information protection is provided by Azure Rights Management. At this point these are separate services with separate interfaces for setting up specific features, but those features do work together so you get more options by having all three services in the suite – as well as a lower price than if you took out individual subscriptions.
Intune integrates particularly well with System Center, where you can see the Intune console directly. You can even co-ordinate System Center Configuration Manager to automatically download updates to Intune. The Intune portal remains far simpler than Configuration Manager. For example, you don’t need to know the details of how the same setting works on different devices as Intune abstracts the differences so you can set it once and have it applied as necessary.
Intune covers Windows, OS X, iOS, Android, Windows Phone, Windows Mobile and Symbian, and includes secure Android options like Samsung Knox which give you the option of removing apps from a device. Neither BlackBerry nor the older Mac OS are supported though. You can use it to provision email accounts, certificates and Wi-Fi and VPN profiles on mobile devices, and you can enforce policies like having to unlock the device with a PIN, requiring encryption, turning off Bluetooth and all the usual MDM settings. And because it integrates with Active Directory, these settings will all be reversed when someone leaves and you remove them from AD. There’s a selective wipe feature, so you don’t remove personal information when a user unregisters a device, and there’s self-service features like password reset and remote locking.
At the other extreme, if you have company owned devices that are shared by factory workers or staff in a restaurant, for example, you can bulk enroll thousands of devices against a single service account and then have users sign in when they pick up a device for their shift. If you need to use devices as a kiosk, you can lockdown iOS devices using supervisor mode and the Apple Configurator so the user can’t run a different app, change the volume or even rotate the screen – ideal if you’re using it as a cash register or demo station.
You can also use Intune to get the right apps to users, whether that’s making a portal with links to useful apps, or pushing them out to the PC. Any MDM system can do that, and like other MDM offerings, Intune has a set of managed file viewers for PDF, images and videos, and a managed browser that keeps company information inside a container on the device. This is a good match for URL filtering, so you can stop someone visiting gambling sites on a company device, even if they’re not on your network.
But where Intune and EMS are unique is their ability to manage Office apps on devices. As with the management options included in Office 365 you can restrict cut, copy and paste in Word, PowerPoint, Excel and the Mobile Outlook Web App to keep work information out of personal email, have documents from OneDrive for Business open in the Office apps rather than any other document apps on the system, and restrict where documents can be saved. You can also wrap your own line-of-business apps on iOS and Android into the same container as Office, so users can copy work information between them, but not out into their personal email.
And you can use the Azure Rights Management Service component to automatically apply policies like preventing confidential documents from being printed or forwarded outside the company, or have them expire after a certain date, based on what’s in the document. You can set up specific templates with the protection you want, and make those available to users or let them pick them from standard protections for their document or email.
This gives you the familiar Information Rights Management (IRM) options from Windows Server, but they now work in the mobile Office applications, and there are free apps on multiple platforms for reading protected files. Most importantly, because Azure RMS is a cloud service, you don’t need to worry about federating with partner companies so their employees can open protected documents.
Intune also detects rooted Android devices and jailbroken iOS devices as well as telling you which Windows PCs have out-of-date anti-virus software or haven’t run an AV scan recently, so you can restrict access to email or file stores from devices that don’t have good enough security without locking the users out when they use more secure devices. And because rooted devices don’t always tell the truth, there’s an agent that runs on Android to collect that information more accurately.
You can set up conditional access to resources using the Workplace Join option in Azure Active Directory Premium, which is the lightweight version of domain join that works on iOS and Android devices, as well as Windows 8.1 and Windows RT. You don’t get to set group policies using Workplace Join, but it does mean that you know more about the devices that are connecting to your network. Instead of having to assume the worst case scenario – that your user is on an unprotected PC in an Internet café or hotel business centre that’s infected with half a dozen pieces of malware – you know they’re on their own device and that it’s not compromised.
In return the user gets a simpler experience where you provision their device with useful apps and settings, with single-sign access to both cloud applications and on-premise systems (if you chose to set that up). You can now even use conditional access to let only users who allow you to manage their device connect to Exchange for email and calendar sync, whether it’s in Office 365, your own Exchange servers, or other Office 365 services like SharePoint. And you can require a PIN or multi-factor authentication, either for registering a device in the first place, or for accessing an app each time.
You could do some of that using the Device Registration Service in Windows Server 2012 R2, which includes Workplace Join, but you have to set up all the remote connectivity yourself, which is a significant investment of time and hardware, and you wouldn’t get the extra protection in Azure Active Directory Premium. Furthermore, before you turn on conditional access, you can run a report in Azure Active Directory Premium to see exactly what will be affected, so you’ll know if you’re about to lock the CFO out of your expenses system before they call you to complain.
Other Azure Active Directory Premium reports tell you if your users are making impossible journeys, such as logging in from New York half an hour after they log in from London. This is based on machine learning, so if a high speed rail link opens up, employees using it won’t get locked out incorrectly. If it’s a legitimate user they can still log on using two-factor authentication.
Azure Active Directory Premium has a rich and growing list of further services. For example you can monitor what cloud apps are in use on your network, using an agent that you deploy to PCs. This is the point where EMS becomes much more of an holistic solution to productivity for device users, some of which just happen to be mobile, combined with protection at the device, app, document and even network levels.
Samsung SDS EMM
Samsung has two enterprise mobility solutions. Samsung KNOX Enterprise Mobility Management is a cloud service that uses Centrify’s identity service to integrate with your Active Directory for sign-in to mobile and cloud apps. There is also Samsung SDS Enterprise Mobility Management, an on-premise MDM and app management system that you can run on your own Windows, Linux or AIX server, with the option of a second server in the demilitarised zone of your network to handle encrypted push notifications. In both cases you can buy just the software, which comes with preset security policies that make it easier for you to get up and running more quickly, or there are installation and maintenance services available. (The name, incidentally, was apparently inspired by the famous Fort Knox.)
Samsung SDS EMM had an early advantage in that it supported both KNOX and Samsung SDS Container, which is Samsung’s own secure container, as well as Android and iOS devices. It currently supports KNOX 2.0, as do almost all MDM and EMM systems now. This includes the usual MDM features like managing email and email attachments so they stay in the container, enforcing encryption or turning off camera, screenshot, USB and tethering features, whitelisting and blacklisting apps on the device (including by role).
There is also an Android agent that can detect if someone is trying to turn off EMM or root the phone, stopping the device from connecting until it’s protected again. If that person keeps trying to get into the device, it will be remote wiped. You can put together a ‘business store’ with approved apps, such as a camera app for taking pictures of whiteboards at meetings that only saves images to a company cloud service. You can also use the mobile enterprise app platform included in SDS EMM to create apps that integrate with your own backend systems.
There’s a self-service portal that lets users do some simple device management, including locking a lost device, but many of the pieces that you’ll find in other MDM and mobile app management systems are optional extras, which means you can pick and choose. If you need secure communications between apps on a mobile device and your own servers then you can add on the App Tunnel feature which creates an SSL/TLS tunnel for each app rather than using a VPN. There’s also an optional mail, calendar and contact app, and a file sharing tool called Securage that integrates with your own network storage.
The more interesting options let you change the policies on a device using geo-fencing, time of day or infrastructure like secure entry systems. This means you could allow employees to process customer orders on their phone, but only when they’re on company premises during working hours, or you could apply different policy settings to employees when they enter different buildings, or specific areas inside a building, such as turning off their camera when they’re in the research department.