Modern Workplace
IBM Digital Workplace has service offerings around four different areas – Managed Mobility Services, Mobile Collaboration Services, Mobile Virtualization Services and Support Services with Watson.
A traditional workplace has been the legacy way of accessing applications and data over a limited number of computing devices like laptops and desktops. Whereas now we talk about the digital consumer experience, or digital workplace. What is changing now includes:
Providing multiple choices of modern workplace devices (not limited to laptop or desktop but also adding handheld devices)
More automation to enable self-service tools for users to improve the overall experience and incident resolution time
Modern systems and tools – to improve user productivity and capability to collaborate more effectively with distributed global teams
All this is leading to a way to enable the user to access the workplace from any location, at any time, using their choice of devices, all with good performance.
CSAT = Customer Satisfaction Score
To institute a successful Enterprise Mobility Management (EMM) strategy, you should understand the specifics around each facet of mobility management. This knowledge can guide you to choose the right approach for managing your mobility program.
Management of mobile devices originally started with Mobile Device Management (MDM), which was focused more on securing the device. The term “MDM” was adopted by the industry and is still widely used.
As mobile devices progressed and were enhanced with new features/functions, additional management was developed to manage applications and content. Gartner defined a new term – Enterprise Mobility Management (EMM), which includes MDM, Mobile Application Management (MAM) and Mobile Content Management (MCM) [1].
Mobile Device Management (MDM)
MDM is the capability to secure and configure the device, including security policy enforcement, configuration (for example, WiFi or VPN configuration), remote lock and wipe capability, user self-help portal and reporting.
Basic enterprise email integration allows users to gain access to their corporate email, contacts and calendar from their device.
Extended enterprise email integration allows the control of access to email based on the enrolment status and the compliance status of the device.
Mobile Application Management (MAM)
MAM is the capability to provision an enterprise application store and to install, update and remove public and private applications from a device. This can also include distribution rules to control which users get which apps and automatic deletion conditions.
Mobile Content Management (MCM)
MCM is the capability to configure secure access to content such as Microsoft SharePoint, Network File Shares and IBM Connections from a device with controls based on user names, passwords, IP address and device authentication.
Security-rich enterprise browsing
Enables security-rich web browsing from devices to the customer’s intranet via the EMM solution.
Now Unified Endpoint Management (UEM) is the latest term, which extends EMM to include the management of both mobile devices and traditional endpoints such as PCs (laptops and desktops) and Macs.
The industry is moving to a lower touch style for managing PCs/Macs, so the EMM vendors are extending their products to become UEM solutions.
[1] https://www.networkworld.com/article/2361467/wireless/gartner-magic-quadrant-shifts-focus-from-mdm-to-enterprise-mobility-management.html
Note: The following features apply to Smart Phones and Tablets and do not necessarily apply to Windows PCs, Macs and Chromebooks:
Containerization – Configuration and ongoing management of dual workspace or individual applications on the device. Create and apply security controls to separate work and personal data and optionally provide additional security (for example, prevent copy or paste capability from work to personal).
Security-rich application access – As well as securing the application using Containerization, the application may also require a secure VPN/tunnel route to a client’s enterprise server for access to business data. This is designed to be achieved by using the UEM solution to provide a VPN for the whole device or just for individual application(s).
Application wrapping – The process of applying a management layer to a mobile application. Application wrapping allows a mobile application management administrator to set specific policy elements that can be applied to an application or group of applications. There are two levels of application wrapping:
Level 1: The UEM administrator uses the UEM solution to wrap the application, allowing UEM-level security controls to be applied to the application (for example, disable copy and paste capability and require user authentication).
Level 2: The application developer makes use of the UEM Software Development Kit to include some additional functionality. This allows more granular security controls to be applied to the application.
Some public applications are “pre-wrapped” by the vendor and available in the public application store.
Threat management – Helps detect, analyze and remediate malware on mobile devices.
Security-rich email – A UEM-provided email application on the device that stores data in the container and provides additional security controls (such as required password and restricted copy/paste). Optionally enable the ability to control mobile access to enterprise email based on the security & compliance posture of the device (including automated device quarantine / un-quarantine). This requires a UEM email gateway to be deployed. There are two types of gateway:
Remote PowerShell: Uses PowerShell commands to control device access – email traffic is not routed through this gateway
In-line: Deployed between the mobile device and the email servers; email synchronization traffic passes through this gateway, enabling it to perform a real-time ‘gatekeeper’ function.
Security-rich document editing – Provides the ability to view and edit Microsoft Office documents using a special Office application provided by the UEM vendor. This application stores data on the device in the container and provides additional security controls such as required password and restricted copy/paste.
Cloud document synchronization – Provides the ability to store documents or files in a cloud repository (such as Box, Dropbox, Connections or the UEM provider’s cloud storage service) and more securely synchronize them to devices using the UEM service.
Telecom expense management – Tracks and reports on mobile data usage.
Security-rich chat – The ability to use instant messaging (chat) with a UEM-provided chat application that stores data in the container and provides additional security controls such as required password or restricted copy/paste.
Apple Mac, Windows PC and Chromebook Management – UEM can also provide a simple, low touch / modern management of Windows PCs, Apple Macs and Google Chromebooks. Note that not all of the features and scope of a managed service apply to PCs and Macs managed using UEM. Also, it is not a complete, like-for-like replacement of traditional full-blown PC/Mac management. There are separate, dedicated IBM MMS PC and Mac management offerings that can provide this, using dedicated tools such as JAMF (for Mac) and BigFix or SCCM (for Windows PC).
As you’ve seen, getting set up on SaaS is fairly straightforward. But now comes the challenge of configuring each of your required UEM components. This phase takes an investment of skilled resources, time and money to implement successfully.
Define the processes and procedures required to support the service
Integrate UEM with existing enterprise IT services such as directory, email, certificate authority, content repositories (for example, SharePoint), which will require on-premises gateway server(s) that need to be designed, sized, installed, configured, tested and maintained.
Configure security policies, which differ by device type (due to the different capabilities of the devices)
Configure applications in the Enterprise Application Store, taking into account the types of devices to be used (corporate owned versus personal)
Configure any optional components that may be in scope, dependent on the scope of UEM services required. A SaaS deployment will include each of these components, but each will need to be configured before it is actually usable.
Enable the service desk to support user calls on UEM
Define the various processes – new starter/mover/leaver (what happens to enterprise data on a leaver’s device?)
Produce and maintain the device enrollment guides
Define the procedures to handle lost or stolen devices
What about running and managing UEM once it has been implemented (steady-state support)?
Keep up to date with new devices/operating systems and the new features and functions used
Selection of the UEM vendor
Hosting model selection (SaaS vs On-Premises vs Dedicated SaaS)
Technical solution design (matching business requirements to UEM features and configuration options)
UEM Gateway design/sizing/scaling – required for integration with the customer’s existing IT infrastructure
Install, configure and test the UEM Gateway(s)
Configure Active Directory / Lightweight Directory Access Protocol (LDAP) integration for identification and authentication
Active Directory group synchronization
LDAP search queries
Configure certificate authority integration
Certificates for automatic mobile user authentication with UEM
Certificates for automatic mobile user authentication with other services, for example, VPN or WiFi
Enrolment configuration
Authentication method
iOS Apple Push Notification Services (APNS)
iOS Device Enrolment Program (DEP)
Samsung Knox Mobile Enrolment
Android for Work / Android Zero Touch
Windows Phone enterprise certificate
Configure MDM Profiles
Device settings/restrictions, which differ for each device operating system
The settings and capabilities also differ between versions of the same device operating system
iOS Supervised Devices
Android for Work policies
Samsung Knox
BYOD vs Corporate owned vs COPE
Configure application publishing and distribution
iOS Volume Purchase Program (VPP) Configuration
Application wrapping process and testing
Configure compliance policies
What conditions to check for – for example, jailbreak/rooted device detection
What actions to take on condition detection
Different policies for BYOD vs Corporate owned vs COPE
Configure email integration
Automated email block/allow based on device UEM enrolment status
Automated email block/allow based on device compliance status
Microsoft Exchange – new device quarantine automation
Attachment handling policy
Configure additional UEM options in scope
Security-rich browser
Content management
Security-rich email
Security-rich document editing
Cloud document synchronization
Threat management
Telecom Expense Management
Per application VPN
Whole device VPN
Secure Chat
Produce user enrolment instructions/guides. One for each in scope device operating system.
Testing of all configured UEM features/services
Testing of device functionality and compatibility with UEM services. Performed for each in scope device type
Support for User Acceptance Test (UAT) and pilot of UEM service before full deployment
Service Desk training/enablement to provide Level 1 support for UEM service calls
Ruggedized device considerations
Ruggedized Android specific considerations (particularly Zebra devices)
Ruggedized Windows Mobile specific considerations (particularly Zebra devices)
Disaster recovery
High availability
Maintain and update user enrolment guides, as required
Maintain and update Service Desk problem determination guides, as required
Provide updated training to Service Desk if needed
Provide steady-state support for users
Answer ‘how to’ questions on UEM functions
New or Replacement device enrolment
Password/passcode resets
Utilize the agreed process/tools for incident/problem/change management
Determine and implement optimal performance settings for the UEM gateway servers
Participate in required audits and root cause analyses related to the UEM application
Monitor UEM vendor announcements to stay up to date with latest updates and releases from the UEM vendor
Monitor new device operating system announcements to stay up to date with latest updates and new features
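The Active Directory / LDAP integration and group synchronization items above depend on LDAP search queries in which an untrusted value (the account name a user types at enrolment) ends up inside the filter. The following added example, which is not IBM's or any UEM vendor's code, builds those filters with RFC 4515 escaping so the user's input can only ever match literally, and shows the nested-group query that Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule makes possible. The base DN, group DN, attribute names and sample inputs are assumptions chosen for illustration.

```python
"""Building the Active Directory / LDAP search filters a UEM integration uses
for identification and authentication (user lookup at enrolment) and for
group synchronization.

Added example, not IBM's or any UEM vendor's code. The base DN, group DN and
attribute names are assumptions chosen for illustration; the escaping rules
are RFC 4515 and the in-chain matching rule OID is Active Directory's.
"""
from typing import Dict, List

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory extensible match rule LDAP_MATCHING_RULE_IN_CHAIN: the server
# walks nested group membership, so one query returns transitive members.
AD_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# Assumed directory layout for the illustration.
BASE_DN = "DC=example,DC=com"
MOBILE_USERS_GROUP_DN = "CN=MobileUsers,OU=Groups,DC=example,DC=com"


def escape_filter_value(value: str) -> str:
    """Escape untrusted input so it can only match literally inside a filter.
    Without this, a username such as '*)(objectClass=*' rewrites the query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(username: str, login_attr: str = "sAMAccountName") -> str:
    """Filter used when a user enrols a device and types their account name."""
    return f"(&(objectClass=user)({login_attr}={escape_filter_value(username)}))"


def group_sync_filter(group_dn: str, nested: bool = True) -> str:
    """Filter that enumerates the user accounts to import from a UEM policy group.
    With nested=True the server resolves groups-within-groups itself."""
    assertion = f"memberOf:{AD_IN_CHAIN_OID}:=" if nested else "memberOf="
    return f"(&(objectClass=user)({assertion}{escape_filter_value(group_dn)}))"


def search_request(base_dn: str, ldap_filter: str, attributes: List[str]) -> Dict[str, object]:
    """Assemble the parameters a search call takes (for example ldap3's
    Connection.search): subtree scope under the base DN, returning only the
    attributes the UEM actually needs rather than the whole object."""
    return {
        "search_base": base_dn,
        "search_filter": ldap_filter,
        "search_scope": "SUBTREE",
        "attributes": list(attributes),
    }


if __name__ == "__main__":
    # Constructed inputs: a normal enrolment name and a malformed one.
    for name in ("jdoe", "*)(objectClass=*"):
        print(search_request(BASE_DN, user_lookup_filter(name), ["sAMAccountName", "mail"]))
    print(search_request(BASE_DN, group_sync_filter(MOBILE_USERS_GROUP_DN), ["sAMAccountName"]))
```

The filter strings are what the directory server parses; everything else in the request (base DN, scope, attribute list) only narrows what comes back. Keeping the attribute list to what the UEM needs limits what a compromised gateway account could read.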
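The compliance-policy and email-integration items above (conditions such as jailbreak/rooted detection, actions on detection, different policies for BYOD versus corporate-owned versus COPE, and automated email block/allow by enrolment and compliance status) describe one decision chain, and the in-line gateway described earlier applies it in real time to each synchronization request. The following added example, not IBM's or any UEM vendor's code, models that chain end to end: enrolment check first, then compliance evaluation, then an access outcome and remediation actions that depend on ownership type. The thresholds, field names, action names and sample devices are constructed for illustration.

```python
"""Compliance evaluation and email-access gating for enrolled mobile devices.

Added example, not IBM's or any UEM vendor's code. It models the two checks
the text describes (enrolment status, then compliance status) and the
actions a gateway would trigger. Thresholds, field names, action names and
the sample devices below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Ownership(Enum):
    BYOD = "byod"            # personally owned: enterprise data only, never full wipe
    CORPORATE = "corporate"  # company owned, company used
    COPE = "cope"            # company owned, personally enabled


class Access(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"  # held pending admin review (new-device quarantine)
    BLOCK = "block"


@dataclass
class Device:
    device_id: str
    user: str
    os: str                        # "ios" or "android"
    os_version: Tuple[int, int]
    ownership: Ownership
    enrolled: bool
    compromised: bool              # jailbroken / rooted, as reported by the UEM agent
    passcode_set: bool
    encrypted: bool
    days_since_checkin: int


@dataclass
class Decision:
    access: Access
    violations: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


# Assumed policy thresholds; a real policy set differs per OS and ownership type.
MIN_OS_VERSION = {"ios": (12, 0), "android": (8, 0)}
MAX_CHECKIN_DAYS = 7
SEVERE = {"compromised", "no_passcode", "not_encrypted"}


def check_compliance(dev: Device) -> List[str]:
    """Return the compliance conditions the device currently violates."""
    violations = []
    if dev.compromised:
        violations.append("compromised")
    if not dev.passcode_set:
        violations.append("no_passcode")
    if not dev.encrypted:
        violations.append("not_encrypted")
    if dev.os_version < MIN_OS_VERSION.get(dev.os, (0, 0)):
        violations.append("os_too_old")
    if dev.days_since_checkin > MAX_CHECKIN_DAYS:
        violations.append("stale_checkin")
    return violations


def email_access_decision(dev: Device) -> Decision:
    """Gate 1: enrolment status. Gate 2: compliance. Actions depend on ownership."""
    if not dev.enrolled:
        # Unenrolled devices are quarantined for review, never silently allowed.
        return Decision(Access.QUARANTINE, ["not_enrolled"], ["notify_admin", "prompt_enrolment"])
    violations = check_compliance(dev)
    if not violations:
        return Decision(Access.ALLOW)
    actions = ["notify_user"]
    if "compromised" in violations:
        # Enterprise data leaves the device; personal data is untouched on BYOD.
        actions.append("selective_wipe" if dev.ownership is Ownership.BYOD else "full_wipe")
        actions.append("notify_admin")
        return Decision(Access.BLOCK, violations, actions)
    if SEVERE & set(violations):
        return Decision(Access.BLOCK, violations, actions)
    # Minor violations: keep mail flowing but flag the device for remediation.
    return Decision(Access.ALLOW, violations, actions)


def gatekeeper(registry: Dict[str, Device], device_id: str) -> Decision:
    """In-line gateway view: decide on a sync request from device_id in real time."""
    dev = registry.get(device_id)
    if dev is None:
        return Decision(Access.QUARANTINE, ["unknown_device"], ["notify_admin"])
    return email_access_decision(dev)


# Constructed sample registry standing in for the UEM device inventory.
SAMPLE_DEVICES = {d.device_id: d for d in [
    Device("ios-ok", "alice", "ios", (15, 4), Ownership.CORPORATE, True, False, True, True, 1),
    Device("android-rooted-byod", "bob", "android", (11, 0), Ownership.BYOD, True, True, True, True, 2),
    Device("ios-nopass-corp", "carol", "ios", (14, 0), Ownership.CORPORATE, True, False, False, True, 0),
    Device("android-old-cope", "dave", "android", (7, 1), Ownership.COPE, True, False, True, True, 3),
    Device("ios-unenrolled", "erin", "ios", (15, 0), Ownership.BYOD, False, False, True, True, 0),
]}

if __name__ == "__main__":
    for device_id in list(SAMPLE_DEVICES) + ["never-seen"]:
        d = gatekeeper(SAMPLE_DEVICES, device_id)
        print(f"{device_id:22} {d.access.value:10} {d.violations} {d.actions}")
```

The ordering matters: enrolment is checked before any compliance attribute is trusted, because an unenrolled device has no agent reporting its state. The ownership split keeps the wipe action proportionate on personally owned devices while still cutting off enterprise email immediately.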
IBM is an industry-leading provider of services and integrated solutions for the mobile enterprise. With more than 10 years of real-world experience delivering managed mobility solutions to hundreds of clients, and more than half a billion devices managed worldwide–including more than 100,000 IBM employees currently using smartphones and tablets–we can tap our specialized skills in mobile technologies, communications and IT networks to help you plan, implement and manage your mobile initiatives.
Combining an understanding of your challenges and business needs with expertise gained from delivering mobility services, our dedicated UEM team can get your mobile projects off the ground quickly. IBM managed mobility skills help ease the cost and complexity of technology upgrades, mobile application support and multidevice, multiplatform mobile integration.
Mobility Services begins with a high-level project initiation meeting to review objectives and methodology. The transition phase is based on IBM’s deep experience in project management and best practices, whether you are implementing new services or transitioning your existing services to us.
Once your IBM Managed Mobility solution is deployed, the IBM team will provide ongoing support for the specific services you have selected. Because the solution is highly scalable, it can support an increasing number of users when you are ready to add them.
A Managed Mobility Service from IBM provides the following benefits:
Access to UEM subject matter experts from the Managed Mobility Services (MMS), with more than 10 years of real-world experience with UEM across various industries. UEM continues to be a niche skill.
Use of IBM’s Best Practices, developed through engagements with hundreds of customers (managing millions of devices) over the past 15 years or more.
Dedicated UEM teams with the ability to scale up resources as required to meet customer needs, which negates the need for the customer to maintain their own UEM skills (education, training, certification, and so on).
UEM can be complex, but this complexity is designed to be eased by using skilled IBM resources.
An IBM Managed UEM service is not just about the technical implementation, it is a full service comprising the processes, procedures, templates, user guides, Service Desk enablement, incident and problem management and more.