BlackBerry Forums Support Community


b52junebug 08-18-2010 11:31 AM

What is your company doing about MDM?
So as we all move forward in this mixed Mobile Device world, what steps are your companies taking to ensure that every device is compliant with current company acceptable use policies? I know that there are a few software developers out there that promise great things on Mobile Device Management (MDM), but is anyone using them? Mobile Iron, Tangoe MDM, Zenprise, Trust Digital?

It appears that in a recent conversation with our Tech Rep at Cisco, that we as administrators are all standing around scratching our heads trying to figure out how we can incorporate all of these fantastic devices into our environment. How can we determine the actual security of such devices and be able to ensure data integrity across all platforms?

As we all know the customer base drives our world. So when the customer is the CEO with a new iPhone, we have to figure out how to make it work. What are you doing in your company?

CanuckBB 08-18-2010 12:34 PM

2 words. BB and BES.

If you are a publicly traded company, you can explain to the CEO that the iPhone will likely not meet audit requirements.

And the customer base does not drive our world. Corporate policies drive our world. I'll deploy any device that does not contravene corporate policies.

NJBlackBerry 08-18-2010 12:42 PM

That doesn't hold water anymore.
The CEO and auditors want BlackBerrys and BES and iPhones and iPads.
You can do secure mobile device management and if you think your employees don't already have multiple devices, you are wrong.

Secure your ActiveSync environment. Discuss availability of secure VPN tunnels with your VPN environment. Write processes and procedures around what is and is not allowed. Push down equivalent security policies to all devices.

It can (and must) be done right.

b52junebug 08-18-2010 07:34 PM


Originally Posted by NJBlackBerry (Post 1643419)
It can (and must) be done right.

Absolutely. The next question is: What policies will you enforce or apply to these handhelds? Active sync is great, but it is not robust enough to mimic BES. Not without a third party software. Are you enforcing password rules?

One thing we found works better with Active sync is to set the password attempts to 6 instead of 10. Apple has written their software that after 5 attempts, it disables the device for 1 minute, then 5, then 15, then 30, then 1 hour, then wipes it, if you leave the password attempts at 10. So by decreasing it to 6 now you will have the device wiped in 60 minutes not 2 hours.

Enforce encryption on the device. I know that the device is encrypted, but the data transmission must be as well.

Also WHY OH WHY would you EVER put more than one Exchange account on a device?

Your policies must be comprehensive; don't leave any room for error. Your users must know that the device will be bricked at any point for any reason. So they are required to do backups on their own devices. Release your company of the financial liability that comes from having iTunes loaded on a company PC.

Also if your company is considering allowing personally owned devices to connect to company resources check your computer usage policy. See what can or should be allowed on a personal phone with company info. Determine whether or not your company is going to pay for the person's data package. Most carriers up charge to have enterprise email.

When looking at VPN or Citrix, know the cost. Do you have enough licenses to cover all of the new connections?

Know how to use the iPhone configuration utility. It is a free download. The problem with the native utility is that to put it on a phone, the phone has to be physically connected to the PC with the policy.

You may also want to consider a product for email like GOOD. It will sandbox the application and when you wipe email off, it doesn't touch personal info. It will also do a check for a compromised device and allow you to use the iPhone config tool to put a policy on that will configure things like VPN or recommend apps for download.

Also we all need to find a way to check for hacked (jailbroken), etc. devices.

Beware of vendors hawking really cool apps that connect to the web or require you to put a hole in your firewall to work. It seems that the vendors haven't figured it out either.

Remember we are all in this changing environment together and we too must adapt or get left behind.

P.S. I get my new torch tomorrow for testing.. :razz:

b52junebug 09-20-2010 01:31 PM

Here is what I received from our Apple rep:
Mobile Device Management (MDM) - Third Party Solutions

iPhone and iPad both support Mobile Device Management, giving businesses the ability to manage scaled deployments of iPhone/iPad across their organizations. These Mobile Device Management capabilities are built upon existing iOS technologies like Configuration Profiles, Over-the-Air Enrollment, and the Apple Push Notification service and can be integrated with in-house or third-party server solutions. This gives IT departments the ability to securely enroll iPhone/iPad in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed iPhone/iPad devices.

Here is a list of third party mobile device management companies (in alphabetical order):

AirWatch - AirWatch is a Web-based Solution with Multi-tenant Architecture

John Marshall
[email address]

Good - Good on iPhone, iPad, and iPod Touch

DC Cashman
[email address]

Mobile Iron - iPhone Security & iPhone Management Solution | MobileIron

Mike Leigh
[email address]

Sybase (SAP) - Sybase iPhone Enterprise Solutions - Mobile Device Management Application & Software - Sybase Inc

Chuck Vertrees
[email address]

Tangoe - Enable the Potential of your Smartphone Infrastructure | Software

Tiffany Benson
[email address]

Trust Digital (McAfee and Intel) - Enterprise Mobility Management EMM | Device Agent | Trust Digital

Sandrine Goodman
[email address]

Zenprise - Zenprise

Kelly Thayer
[email address]

Here is a summary of the capabilities of the iOS 4 MDM APIs (enhanced now with Query and silent OTA Management capabilities):

Enrollment - user authentication, certificate enrollment, device configuration
Configuration of settings - accounts, policies, restrictions and other settings
Queries - device information, network, compliance, security, applications
Management - remote wipe, remote lock, clear passcode, configuration/provisioning profiles

Capabilities are further outlined in this document:

penguin3107 09-27-2010 08:11 AM

I'm surprised BoxTone isn't in this list too. From what I have seen, all of the vendors in this list do not have access to the iOS4 APIs. IIRC AirWatch and Trust do … the Webinar Zen just did didn't showcase anything iOS4 specific so I doubt they have access … and Good hasn't shown anything iOS4 specific either.

b52junebug 10-01-2010 11:49 AM

So would you all entertain a solution that was built to encompass all of the OS's/device types? What would you look for?
Would you like the program to be as user friendly as possible with sync to the device password? In other words would you like a secure app, with device password authentication? You can require a password on the iPhone/Droid, but if you are using something like Good, you still have to put in a password to get into email. So now it's not the same experience as Active Sync.

Would you want one console to administer that pushes out your policy and translates it to whatever platform the user has?

Would you want an approval process built into it that would add people to your console, then allow them to self enroll?

Would you want your users to have to connect to VPN for all web traffic, so that they are restricted by your firewall rules?

How are you going to limit hourly employees from accessing email after their work hours?

Would you want the console to have roles, like BES? Would you have this console be web based like BES? Would you want it to integrate into your BES management? So it would be a one stop shop for management?

Would you like to have your own app store, where your users could go out and pick up recommended apps?

What is your wish list for Mobile Device Management?

b52junebug 10-26-2010 12:58 PM

I have a webex with Zenprise tomorrow. Will let you know what they say. They claim to be able to do selective wipes, Remote control for win & android not apple, jailbreak/Rooting detection.

They have also changed their pricing structure to per device not per mailbox. So I will let you all know how it goes.

Arkanian 11-17-2010 01:00 PM

Re: What is your company doing about MDM?
We are actually looking at both Mobile Iron and Airwatch as our MDM solution for other smartphones. MDM from these companies have come a long way in the last 3 months. I don't think it will ever replace the BES but it finally has the flexibility to comply with our policies.

entmdm 12-14-2010 04:04 PM

Re: What is your company doing about MDM?
What I have seen is that if you plan to manage Blackberry devices in the enterprise and manage iPhone in the enterprise, using a software like AirWatch is the best solution. I especially like the insight they have into working with Apple products like the iPad.

OVERKILL 12-20-2010 02:39 PM

Re: What is your company doing about MDM?
We've got a whopping two Apple devices in our organization now, though neither of them have any sort of enterprise access on them at the moment, so there are no policies in place for the devices. They are just toys at the moment until we figure out if there will be future adoption or not.

As it stands, our iPad may go the way of the Dodo if the Playbook ends up being half of what RIM says it will be.

So far, the only thing I've really had to deal with has been BES. Since our organization has used Blackberry exclusively for close to a decade now.

If we DO end up continuing to adopt non-BB devices.... Then I will need to look into some of these solutions myself.

b52junebug 04-15-2011 01:24 PM

Re: What is your company doing about MDM?
FYI, Airwatch was purchased by Motorola.. So expect the same sort of assimilation of their product as many other Moto purchased companies....

rambo47 04-15-2011 08:05 PM

Re: What is your company doing about MDM?

Originally Posted by b52junebug (Post 1714757)
FYI, Airwatch was purchased by Motorola.. So expect the same sort of assimilation of their product as many other Moto purchased companies....

That doesn't exactly fill me with warm and fuzzy feelings. :?

dubzga 04-25-2011 09:43 AM


Andy_k98 04-25-2011 11:25 AM

Re: What is your company doing about MDM?
check out Trellia Networks for MDM solution

AirWatch 04-25-2011 02:34 PM

Re: What is your company doing about MDM?
This is a response from the AirWatch PR team. AirWatch has not been purchased by Motorola. The company is privately held and 100% funded by its executive leadership team. AirWatch has been recently recognized by Gartner as a leader in mobile device management software. AirWatch has a global presence with over 1000 customers. AirWatch will be exhibiting at BlackBerry World in Orlando May 3-5 and Interop in Las Vegas May 8-12.

Please contact AirWatch if you have any questions.
866.501.7705 | [email address] |

b52junebug 04-28-2011 07:37 PM

Re: What is your company doing about MDM?
Thank you Airwatch for clearing that up. I just assumed when the Motorola rep said it, well... you know how that goes.. I wonder who they did purchase though?

b52junebug 04-28-2011 07:39 PM

Re: What is your company doing about MDM?
We did go with MobileIron though after looking at all of the different solutions. They fit our needs better than anyone else we looked into.

rRamjet 06-08-2011 10:31 PM

Re: What is your company doing about MDM?
I think b52junebug may have confused Good with Air-Watch. Good was purchased by Motorola a few years back. They did nothing with it then sold it again.
If you are wanting the same level of security as BES, Good is probably the only option right now in the MDM market. Like BES they don't use active sync and go via a NOC.

b52junebug 06-09-2011 02:28 PM

Re: What is your company doing about MDM?

Originally Posted by rRamjet (Post 1726234)
I think b52junebug may have confused Good with Air-Watch. Good was purchased by Motorola a few years back. They did nothing with it then sold it again.

Actually no, it wasn't Good that the Moto rep was talking about. It was a dedicated MDM solution. I am VERY familiar with the Good Technology Woes.. Been there done that.

You are correct in talking about the fact that Good sandboxes the experience, however the biggest complaint is that because it is sandboxed, it decreases the user experience. So you have to ask, Security or Multiple logins, other issues with having a Sandboxed solution.

All times are GMT -5. The time now is 09:03 AM.
