Users want mobility and their own devices on the network - IT wants security! How can both groups get what they need? Tools exist to make that happen and this presentation provides an overview of what National Gypsum did recently (2011/2)
2. National Gypsum Company is a fully integrated building products manufacturer
Headquartered in Charlotte, NC, with mines and quarries, and manufacturing plants across North America
3. National Gypsum and MobileIron

                        Nov 2009                                  June 2012
                        (National Gypsum (M2) buys MobileIron)
iPads sold by Apple     0                                         >70 million
MobileIron customers    7                                         2300
… countries             2                                         32
… employees             39                                        320
4. National Gypsum Mobile Requirements
Business users pick devices they want (not Blackberry)
SECURE process to enable / allow BYOD phones, iPads
ActiveSync and Juniper VPN connections
DEVICE level security and respect for “employee data”
– PIN/passcode, device / backup, encryption
– NO jailbreaks, MDM and SW inventories
Elected NOT to use most “mobile intel” – employee issues
– Using last location / international warning message
Next: PKI SCEP mgmt, app deployment coming, iOS domination
5. Evolving Mobile Strategy
FIRST: Email
It’s all about email all the time
NEXT: Personal tools
Leverage the app store for personal tools
• Sales/service, office, plant, engineers – DIVERSITY
NOW: Connecting data
Connect our data/processes with employees, partners, customers
• NGC4ME is .NET custom web app – one-stop shop
• SharePoint is private cloud/content manager/etc.
6. Principles / Learning…
Do not custom develop unless absolutely required
– Leverage smart devices and off-the-shelf components
– Stay away from super customized work – takes resources
– Approach as “Systems Integrator” – assemble proven components
Keep focused on USABLE solutions to business issues
– “Voice of the Customer” as the priority guide!
Remember technically simple solutions are better (Agile/Nimble)
– Cannot assume that “best” will always be “best”
Leverage existing technology components
– Microsoft AD/PKI, Servers; Juniper VPN; .NET Development
Security cannot just say NO – offer the secure option
7. What we implemented
ActiveSync email access – Exchange 2007/ISA then;
– Now Exchange 2010 and Juniper/Junos Pulse
– All devices “under management”; all users
Juniper – Junos Pulse VPN access (iPad/iOS) – SharePoint and .NET web
applications delivered (“NGC4ME”) -- SharePlus and Colligo Briefcase
Field sales / customer svc / marketing deployment
– Collection of apps (BrainShark/SharePlus/Concur)
– Now working on custom app / deployment / one click (NGC4ME)
Legal / security issues with some approaches
– DropBox NOT permitted – Box.Com and SharePoint in use instead
– Avoid “personal accounts” in favor of more “enterprise ready” answers
8. High Level Architecture
(Architecture diagram; the components recoverable from the slide:)
Devices: iPad, iPhone, Android
MobileIron – Enrollment, Policy Checking, MDM Configuration (WiFi, VPN, Certs/Apps); PKI Server, HSM
NGC AD Servers; Juniper SSL VPN – Juniper VPN as Proxy, AD Integrated
Exchange CAS, Mailboxes, MI Sentry (Exchange CAS Sentry) – Email is “User Driven”
SharePoint Portal / .NET – Windows Servers, SQL Databases, XML Interfaces to Mainframe (M/F)
9. App Challenges - Responses

Challenge: Beyond email, our employees leverage shared content
Response: SharePoint is open, web oriented content manager

Challenge: Apps deliver data into SharePoint (Reports, Search-BCS)
Response: Users save data into team sites, workflow and email ties; “Personal Cloud” based upon MySites and user profiles

Challenge: Simple web forms
Response: SharePoint Lists – Mobile Safari OR Apps (see below)

Challenge: Surveys, pictures and easy analysis (More complex!)
Response: Colligo, SharePlus, Filamente and Docs2Go provide great tools
10. Core philosophy – Responsible but not restrictive
Vision: “Do the right thing for the right reason” (Security, risk & compliance – collaboration with the business)
Security cannot just say NO … Must offer a secure option

Business Need: Easy-to-use cloud storage
Options: DropBox, iCloud, various “personal” storage accounts and services
Proposed Response / Solution: Internal users: SharePoint MySites; External: Box.Com

Business Need: Full-fidelity presentations with animations
Options: Keynote conversion, personal Slideshare, SlideShark
Proposed Response / Solution: Business account: BrainShark
Late 2007 – Only corporate procured Blackberry allowed – BES for security and control
Move to “user choice” as the number of good choices multiplied
iPhone (ATT Only) and Android / Win Mobile (Mostly Verizon) phones start replacing Blackberry
Needed a way to setup and enforce consistent policy across a varied fleet of devices! But how?
2008 Audit findings!
2009 project to improve security – MobileIron decision / deployment!
Current requirements – Beyond “email on my phone” and now moving into “I need a mobile application”
Biggest threat – lost or stolen / misused/abused devices – Data loss and unauthorized data access
Enrollment REQUIRED – Easy to do – But some controls to prevent casual, unmanaged connections
PIN/Passcode Required – NOT Simple, minimum 6 characters/numbers, wipe after too many tries…
Enforced device and backup data encryption – Jailbreaking not supported!!
SW Inventory Required – Plans to deploy / manage SW more in near future!!
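As an added illustration (not code from the presentation, MobileIron or Juniper), the requirements above imply two enforcement points: a passcode rule applied on the device when the passcode is set, and a server-side posture gate consulted before an ActiveSync or VPN connection is allowed. The wipe threshold of 10 failed attempts and the shape of the posture report are assumed values.

```python
from dataclasses import dataclass
from typing import List, Optional

POLICY = {
    "min_passcode_len": 6,      # stated in the notes: minimum 6 characters/numbers
    "max_failed_attempts": 10,  # assumed value for "wipe after too many tries"
}

def is_simple_passcode(code: str) -> bool:
    """iOS-style 'simple' passcode: every character identical, or a straight
    ascending/descending digit run such as 123456 or 654321."""
    if len(set(code)) == 1:
        return True
    if code.isdigit():
        steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
        return steps == {1} or steps == {-1}
    return False

def passcode_meets_policy(code: str, policy=POLICY) -> bool:
    """Device-side check applied when the user sets a passcode."""
    return len(code) >= policy["min_passcode_len"] and not is_simple_passcode(code)

@dataclass
class PostureReport:
    """What the MDM agent reports to the server (never the passcode itself)."""
    enrolled: bool
    passcode_compliant: bool
    wipe_after_failures: int          # 0 means the device never wipes
    device_encrypted: bool
    backup_encrypted: bool
    jailbroken: bool
    installed_apps: Optional[List[str]] = None   # None = no inventory received

def access_decision(r: PostureReport, policy=POLICY) -> List[str]:
    """Server-side gate: returns the policy violations; an empty list means
    the ActiveSync/VPN connection may be granted."""
    if not r.enrolled:
        return ["device not enrolled in MDM"]   # unmanaged: nothing else is trustworthy
    violations = []
    if r.jailbroken:
        violations.append("jailbroken device")
    if not r.passcode_compliant:
        violations.append("passcode does not meet length/complexity policy")
    if r.wipe_after_failures == 0 or r.wipe_after_failures > policy["max_failed_attempts"]:
        violations.append("wipe after failed unlock attempts not enforced")
    if not (r.device_encrypted and r.backup_encrypted):
        violations.append("device or backup encryption disabled")
    if r.installed_apps is None:
        violations.append("software inventory missing")
    return violations
```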
Initially mobile users wanted access to their email – Continues to be the BIG DRIVER across the board for mobile device connection
Blackberry served that purpose well – secure and managed
More user choices – Improved smart phones – move away from Blackberry
New smart phones – iPhone, Android – APP STORES – users choose devices and users access their own applications
Sales reps managing contacts, documents and their own information – STOP traveling with laptops all the time
iPad comes along and explosion of user app choices – Some reps practice real “laptop elimination” in favor of more mobile devices
Explosion of design and sales tools – architects, retail store personnel – Start trying to leverage INTERNAL data via APPS – SharePoint clients, Mobile Safari
Engineers, Quality Control – Plant folks with iBooks, Kindle – SharePoint and web based apps
HTML5 server content – Juniper reverse web proxy
“Less” IE-specific support requirements – .NET Apps – NGC4ME and SharePoint
USER SIDE: Increasing numbers of devices per user – iPhone, iPad and a Laptop – Sometimes other devices – iPod Touch, mix and match at device level!
IT as a “System Integrator” – Limited resources and fast moving providers limit our interest / ability to DEEPLY CUSTOMIZE
Open up choice as much as possible WITHOUT compromising data / systems security too much
Stay focused on delivering business user value
Leverage and integrate with EXISTING technology – Internal PKI – Juniper SSL VPN (Junos Pulse) – .NET Development (HTML5) – SQL and XML Integration
Two Key Mobility Tools:
MobileIron for Security / MDM
Juniper Secure Access for authentication, access control, server protection – VERY Robust solution that covers far more than these mobile devices – Customer / Partner extranet, Associate VPN and/or basic intranet access
Exchange Server 2010 email and related content
SharePoint 2007 data stored/managed; ECM / reports / simple apps
.NET Web services and sites – Tight connections into IBM Mainframe transaction processing and hosted SAP financial systems (XML Gateway / data connections from Software AG tools)
Link iOS to SharePoint content
Leverage rich SharePoint Apps in the App Store to access / edit / update LISTS, PICTURES/MEDIA
“Personal Cloud” – Windows Laptop tied to MYSITES – App on iPad tied into Document Libraries
Our core philosophy is to provide for responsible, flexible, secure use – without being too restrictive
MI Agent on device and system gives us structure around granting access – delivering configuration, content and security controls
User benefits and business productivity more than offset the perceived costs
Due to content management, e-discovery and related legal hold concerns we made a decision NOT to allow use of personal level accounts connected to DropBox (or other personal cloud services).
Setup internal “managed cloud” via iOS Apps that access SharePoint readily.
Internal users with a significant need for external sharing leverage BOX.Net – Business account is centrally managed – subject to legal holds and searches for e-Discovery. Same for BrainShark.