iPhone and iPad Enterprise Enablement



Best practices for implementing iPhone and iPad smartphones and tablets in the enterprise with mobile device management.

Learn more: http://www.maas360.com/products/mobile-device-management/apple-ios/

Published in: Technology, News & Politics
  • In our webinar today we will talk about embracing the existing iPhone opportunity, then move into some medium-term best practices to implement in your enterprise to ensure corporate policies can be met and data protected. We will show some of the tools that are available today to manage the devices, from both an end-user and an IT administrator perspective, provide links to additional resources, and discuss iOS 4.2.
  • 2012 is the year that businesses are confronting how to fully embrace mobile devices. This also drags the IT team into the picture, as users bring their own devices into the enterprise without a proper IT management strategy and operation. iPhones and Droids are being selected over the traditional BlackBerry and Windows Mobile devices. In a survey where IT professionals and executives at 800 companies were interviewed, the results indicate that three quarters of corporations will deploy the iPad in the next year. Twenty-five percent are deploying them already. A large part of this adoption has to do with the release of iOS 4.2 and the improved enterprise security and management features. And this is a good thing! Amazingly enough, the business does benefit. Studies have shown employees work 10-20% more night and weekend hours when provided a laptop with corporate access. When the same studies come out on smartphone productivity gains, they are likely to surpass the laptop percentages. Also, studies show anywhere from 23-56% of employees are currently using their own devices at work.
  • Have a realistic policy for 2011. Support multiple device platforms and allow personal devices. You are likely already doing this now. With very minimal information a user can sync an iPhone to your Exchange server. Cost savings could also add up, as the employee is covering their own plan. Take stock of your mobile devices by implementing a multi-platform reporting and inventory tool. This will help you understand the risks regarding mobile devices and make informed decisions. The solution should also be extended to your help desk and HR departments. Exchange ActiveSync does not provide simple ways to prevent non-sanctioned devices from connecting to Exchange Server. Probably most important: require and enforce basic security precautions. This includes requiring a strong password, password expiration, auto-lock, and auto-wipe after a specific number of failures. Enforce that local encryption is enabled and have the ability to remote wipe. We will show some tools later that will help IT with this.
  • A policy around Bluetooth should also be enforced. Require it to be hidden or non-discoverable. When a Bluetooth device is discoverable, it is very easy to scan for it using a PC and potentially download private data. Setting it to non-discoverable mode prevents the Bluetooth device from appearing on the list during a device search. You should start planning for a single-console, multi-platform Mobile Device Management (MDM) solution. Consider the following: an MDM platform that manages all PC/Mac form factors and OS devices, integration with your existing reporting/inventory tool, and a cloud-based solution. Get into the habit of reporting on and discussing mobile device inventory and policy status in your IT operations review.
  • There are tools available now that help with ActiveSync and your iPhone, which I will explain in the upcoming slides. These include Outlook Web Access, Microsoft Exchange ActiveSync and the iPhone Configuration Utility.
  • Outlook Web Access offers a number of actions for devices using ActiveSync, such as removing the device, wiping all data on the device, displaying a recovery password and retrieving the log file. The iPhone and iPad support Remote Wipe. This easily allows the user to blow up a device that may have been lost or stolen, and allows the IT admin to take action as well. To do this, simply log into OWA, and under Options on the left, go down to Mobile Devices. Highlight the device you wish to wipe and select "wipe all data from device" from the top. If you are an IT admin, you have the ability to browse to a particular user's mailbox after logging in to take the appropriate action for the specified user.
  • Here is the list of supported Exchange ActiveSync policies. For example, you are able to enforce a password on the device, including parameters around the password, and set an inactivity time before the device locks and requires the password to be entered. With Exchange 2007 and 2010 you are able to have more complex password settings, including password expiration and password history. You can also now allow or disallow use of the camera, as well as require device encryption.
  • Exchange Server 2007 allows you to assign mobile device security policies on a per-user or global basis. These policies are called Exchange ActiveSync Mailbox Policies. To create an Exchange ActiveSync Mailbox Policy in Exchange 2007, from the Exchange Management Console, navigate to Organization Configuration and then Client Access to view any existing policies that apply to mobile devices in your organization. On the right-hand side under Actions, Client Access, go to New Exchange ActiveSync Mailbox and you will be brought to the next screen.
  • As you can see, there are a number of parameters that you can set within the policy. The first thing you have to do is enter a name for the mobile device security policy you're creating. As a best practice, enter a name that describes the policy's purpose. Below the Mailbox Policy Name field are a number of checkboxes that you can use to enable or disable various policy elements. The first checkbox allows you to decide whether or not you want to allow users to use non-provisionable mobile devices. What this means is that the mobile device security policy that you are creating is not compatible with some older mobile devices. The next checkbox allows you to control whether or not mobile users are allowed to download email attachments to their mobile devices. If your users don't have a legitimate business need for downloading email attachments, you might want to prohibit attachment downloads as an antivirus measure and to conserve bandwidth. The lower section allows you to require a password and then set the parameters for that password. For example, you can set the password length and complexity requirements. You can also control the amount of time that a mobile device can be idle before it locks itself and requires the user to re-enter the password for continued use. Once you have enabled and disabled the mobile device security policy options to your liking, click the "New" button and the ActiveSync Mailbox Policy will be created. When the creation process completes, click the Finish button to close the wizard.
  • The mobile device security policy you just created will now be listed in the Organization Configuration, Client Access container.
  • To assign the mobile device security policy to a mailbox, from the Exchange Management Console navigate through the console tree to Recipient Configuration, Mailbox to view a list of all users in your organization. Right-click the user to whom you want to assign the policy and select Properties. Go to the Mailbox Features tab. This tab is used to enable or disable Exchange ActiveSync, but it also contains a Properties button. Select Exchange ActiveSync from the list and click the Properties button above it to display the Exchange ActiveSync Properties dialog box.
  • Click the Browse button and select the policy that you would like to apply. Click OK to complete the process. After the policy is applied, it can take anywhere from 5-10 minutes for the device to receive it. Once that occurs, an indication will appear on the device stating that a passcode policy has been applied, and the device will not download any data until a new passcode is set. The user is then prompted to enter a passcode twice for verification and then hit OK. If you want to apply the same policy for everyone, simply make the policy the default policy.
  • The iPhone Configuration Utility lets you easily create, encrypt and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs. You can download this from Apple's website along with documentation for business integration.
  • When a device is connected, you can use iPhone Configuration Utility to install configuration profiles and applications on the device. The content of the main section of the window changes as you select items in the sidebar. The sidebar displays the Library, which contains the following categories: Devices shows a list of iPhone and iPod touch devices that have been connected to your computer. Applications lists your applications that are available to install on devices attached to your computer. A provisioning profile might be needed for an application to run on a device. Provisioning Profiles lists profiles that permit the use of the device for iPhone OS development, as authorized by Apple Developer Connection. Provisioning profiles also allow devices to run enterprise applications that are not distributed using the iTunes Store. Configuration Profiles lists the configuration profiles you've previously created, and lets you edit the information you entered or create a new configuration that you can send to a user or install on a connected device. Now I will go over a few of the options that are available for setting up a Configuration Profile. [Go to config tool live: Configuration Profiles, New (top left)]
  • This is just setup slide. Details to follow.
  • I want to take 5 minutes out right now and dive into this key slide. This is really how we approach and integrate into the different device platforms which are out there. We first start with a breadth approach, then provide depth with more granular security and policy options for devices such as iOS and Android. For breadth, we allow the management of any device that leverages ActiveSync for either Exchange or Lotus Notes. This allows for an auto-discovery of any device using ActiveSync in your environment to get corporate e-mail. It also allows you to manage those devices via the standard feature set made available through Exchange or Notes, like creating and enforcing ActiveSync policies, remote wipe, and auto-device discovery. Integration into your Exchange or Lotus environment is made possible by our MaaS360 Cloud Extender. This is a 13MB piece of software which can be installed on your mail server or on a server which can communicate with the mail server. It helps facilitate communication between your environment and ours. One thing to note: it does not change or interrupt your mail delivery as it exists today. It's designed to be very light touch in your environment. For more in-depth management of iOS and Android devices, we have additional integration. Specifically, for iOS devices, we have chosen a best practice method by utilizing the MDM API which Apple has created for the management of these devices. This allows us to have the integration needed without the weight of an agent. In a sense, Apple made it easy for us and for you. The additional features you can use with this type of integration include performing a selective data wipe (wiping corporate data and leaving personal data behind), pushing down Wi-Fi profiles, and even pushing down and managing VPN profiles. For Android, we were forced to take an agent-based approach. This is because the Android OS does not have the mature API calls that Apple had developed.
So for Android, we allow for more granular control by placing an agent on the device itself. Together, the ActiveSync integration, iOS API, and Android agent allow for complete management of mobile devices. All of this comes together in our MaaS360 Platform, which allows you to perform actions on devices as well as review your own environment with our mobility intelligence reporting. Mobility intelligence is our version of business intelligence reporting with additional analytics. Do you have any questions around how we integrate into the different device platforms?
  • Here is a quick breakdown of the advanced features we offer by operating system. Please keep in mind that we can provide management of any device which leverages ActiveSync or Lotus Traveler. This includes Windows Mobile, Windows 7 Phone, Symbian, and even WebOS.
  • Joe to cover. Quotes from article: “MaaS360 is our Clear Choice Winner based on its strong overall performance, particularly its ease of use.” “MaaS360 initially shocked us it was so simple to deploy.” “Everything was easy to set up.”
  • Joe to cover
  • iPhone and iPad Enterprise Enablement

    1. Enabling iPhones and iPads in the Enterprise
       Presented by Donna Lima and Josh Lambert
    2. What Will I Learn Today?
       • How to embrace the iPhone/iPad opportunity
       • Best Practices for Mobile Device Management
       • Existing Tools Available to Start Managing iPhones/iPads
       • iOS 5
    3. Embracing the iPhone Opportunity
       • 2012 is the year businesses are confronting a mobile device challenge
       • Users are bringing their own devices into the enterprise
         – iPhones and Androids are valid options. They are on the rise and have surpassed the end user capabilities of the traditional BlackBerry and Windows Mobile devices
       • Amazingly enough, the business does benefit from this!
         – Studies have shown employees work 10-20% more night and weekend hours
         – Cost savings for companies from employee-owned devices and plans
    4. Best Practices
       • Have a realistic policy for 2012
         – Support multiple device platforms and allow personal devices
       • Put in a multi-platform discovery tool, immediately
         – Many businesses don’t have good data on their mobile devices
         – Discover non-sanctioned devices
       • Establish a quarantine policy and approval workflow
         – Difficult with Exchange ActiveSync
       • Enforce the basic security precautions
         – Password
         – Remote Wipe
         – Encryption
    5. Best Practices
       • Bluetooth: Hide it or make it non-discoverable
       • Start planning for a single console, multi-platform Mobile Device Management (MDM) solution
         – Consider a MDM platform that can manage all devices, laptops, tablets and smartphones
         – Be sure to include your reporting/inventory tool
         – Consider a cloud-based MDM solution
       • Report and discuss mobile device inventory and policy status in your IT operations review
    6. There are Tools Available Now!
       • Outlook Web Access
       • Microsoft Exchange ActiveSync
       • iPhone Configuration Utility
    7. Outlook Web Access for Remote Wipe
       • Additional information here:
         – http://forum.maas360.com/go/mobileitexpertise/help-i-lost-my-ipad-or-iphone-too
    8. Supported Exchange ActiveSync Policies
       • The following Exchange policies are supported
         – Enforce password on device
         – Minimum password length
         – Maximum failed password attempts
         – Require both numbers and letters
         – Inactivity time in minutes
       • The following Exchange 2007 policies are also supported
         – Allow or prohibit simple password
         – Password expiration
         – Password history
         – Policy refresh interval
         – Minimum number of complex characters in password
         – Require manual syncing while roaming
         – Allow camera
         – Require device encryption
    9. Exchange ActiveSync Mailbox Policies
       • Exchange Management Console
    10. Exchange ActiveSync Mailbox Policies
    11. Exchange ActiveSync Mailbox Policies
    12. Exchange ActiveSync Mailbox Policies
    13. Exchange ActiveSync Mailbox Policies
    14. iPhone Configuration Utility Demo
       • Download here
         – http://www.apple.com/support/iphone/enterprise
       • Apple also offers a number of resources for business integration
         – http://www.apple.com/iphone/business/integration
       • The MaaSters Center has a video available
         – http://links.maas360.com/webinar_iphoneConfig2
    15. iPhone Config Utility
    16. iOS 5
       • Next major version of iOS for:
         – iPhone 3GS and above
         – iPod Touch 3rd Gen and above
         – All iPads
       • 200+ new features, including:
         – iCloud, iMessage, Notification Center
         – Newsstand, Reminders
         – Siri (voice dictation, commands) for iPhone 4Ss
       • No longer requires a computer for:
         – Activation, Upgrades, Backups via Wi-Fi
       • Volume Purchase Program
         – Business customers can purchase volume licenses for Apple software directly from Apple
    17. iOS 5 and the Enterprise: Key Features
       • iCloud – Automatic store and sync of your music, photos, documents, and more across your devices.
       • iMessage – SMS-like service which uses data plan only, supported on all iOS 5 devices (even iPod Touch).
       • PC free – No longer need a computer to own an iPad, iPhone, or iPod touch. Activate, Sync, Backup and Upgrade your device wirelessly.
       • MDM enhancements
    18. MaaS360 Overview
       • User/Device Enrollment
       • OTA Configuration & Management
       • In-depth Inventory & Device Reporting
       • Improved Visibility & Control
    19. Mobile Device Management Features
       • ActiveSync / Lotus Traveler
         – Supports all EAS or Traveler connected devices
         – Prevents non-approved devices from accessing corporate email
         – Auto-discovery of devices
         – Auto-quarantine of devices
         – Alerts and workflows to approve or block devices
         – Create and enforce ActiveSync policies (e.g., PIN)
         – Remote device wipe
         – Support for Exchange 2007 & 2010
         – Support for Traveler 8.5.2+
         – Exchange or Lotus Notes
       • Apple iOS
         – Activate iOS MDM: Apple certificate-based
         – Easy device enrollment: push from admin, user self-service enrollment
         – In-depth OTA configuration and policy management: passcode, restrictions, Wi-Fi, VPN, email, and more
         – Increased actions: full/selective wipe, lock, update, send message, reset passcode
         – Corporate app storefront
         – Jailbroken device detection
       • Android
         – Market agent
         – In-depth OTA configuration and policy management
         – TouchDown integration: passcode, mandatory or disallowed apps, device feature restrictions, Wi-Fi and email profiles, selective wipe
         – Increased actions: lock, full wipe, update, locate, query, passcode reset
         – Corporate app storefront
         – Rooted device detection
       • BlackBerry
         – Auto-discovery of devices
         – Auto-discovery of policies
         – Device activation
         – Visibility into device inventory
         – Increased actions: send message, reset passcode, change BES policy, wipe device, remove device from BES, refresh data
         – Support for BlackBerry Enterprise Server 5.0 and higher
    20. Network World MDM Product Test
       MaaS360 is the Clear Choice Winner
       “Fiberlink’s MaaS360 is our Clear Choice Winner, based on its strong overall performance, particularly its ease of use. The application initially shocked us, as it was comparatively simple to deploy.”
    21. Wrap-up: Questions or follow-up?
       Donna Lima – dlima@fiberlink.com
       Josh Lambert – jlambert@fiberlink.com
       • Up-coming Webinars (http://maasters.maas360.com/webinars)
         – January 19 – Securing the Kindle Fire in the Enterprise
       • Past Webinars (http://links.maas360.com/webinars)
         – Managing iPhones, iPads, and Androids with Exchange ActiveSync
         – Controlling Mobile Data Expenses
         – Kindle Fire vs. iPad 2
         – iOS 5: A Three-part Series
       • Plus lots of How-To content at the MaaSters Center
         – Mobile Device Management Best Practices: http://links.maas360.com/mdm
         – Mobile Device Management Strategy Series from Lopez Research: http://links.maas360.com/mdmstrategy
         – Mobile Device Management Glossary: http://links.maas360.com/mdmglossary
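
The console procedure in the speaker notes for the Exchange ActiveSync Mailbox Policies slides (create a policy, assign it to a mailbox, optionally make it the default) can also be scripted from the Exchange Management Shell. The following is an added example, not part of the original webinar or of any vendor's material; the policy name, the mailbox and every setting value are assumptions chosen for illustration, and the device-statistics property names are those of Exchange 2010.

```powershell
# Added example (not from the webinar). Run in the Exchange Management Shell
# on Exchange 2007 SP1 or 2010. Names and values below are assumptions.
$policyName = 'Mobile-Baseline-Passcode'   # hypothetical; name the policy for its purpose
$mailbox    = 'jsmith@example.com'         # hypothetical pilot user

# 1. Create the policy only if it does not exist yet, so the script can be re-run.
#    With non-provisionable devices disallowed, a device that cannot enforce
#    these settings is refused synchronization instead of syncing unprotected.
$existing = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $existing) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -AllowNonProvisionableDevices $false `
        -AttachmentsEnabled $true `
        -DevicePasswordEnabled $true `
        -AllowSimpleDevicePassword $false `
        -AlphanumericDevicePasswordRequired $true `
        -MinDevicePasswordLength 6 `
        -MaxDevicePasswordFailedAttempts 8 `
        -MaxInactivityTimeDeviceLock '00:05:00' `
        -DevicePasswordExpiration '90.00:00:00' `
        -DevicePasswordHistory 5 `
        -RequireDeviceEncryption $true
}

# 2. Assign the policy to one mailbox (the Mailbox Features > Exchange
#    ActiveSync > Properties step in the console).
Set-CASMailbox -Identity $mailbox `
    -ActiveSyncEnabled $true `
    -ActiveSyncMailboxPolicy $policyName

# 3. Optional: make it the default so it applies to everyone.
#    Left commented out because it changes policy for the whole organization.
# Set-ActiveSyncMailboxPolicy -Identity $policyName -IsDefaultPolicy $true

# 4. After the 5-10 minute delay mentioned in the notes, confirm that the
#    user's devices actually received and applied the policy.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceID, DevicePolicyApplied,
                 DevicePolicyApplicationStatus, LastSuccessSync -AutoSize

# 5. Inventory for the IT operations review: every ActiveSync-enabled mailbox
#    and the policy it carries. An empty policy column means the mailbox is
#    not explicitly assigned one and falls back to the default, if any.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Sort-Object Name |
    Format-Table Name, ActiveSyncMailboxPolicy -AutoSize
```

Start with a pilot mailbox as shown: requiring device encryption while disallowing non-provisionable devices blocks older hardware that cannot encrypt, which is the compatibility trade-off the notes describe for the first checkbox.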