Windows Phone 8 Enterprise and Mobile Device Management by Andrej Radinger (MDM)

  • Enterprise app publishing options: enterprise app distribution options and techniques for user authentication.
  • (Read goals verbatim.) Companies control which phones may run their apps:
    – Enterprise apps may install and run only on phones that are enrolled with the associated enterprise.
    Companies can deploy their apps without ongoing interaction from Microsoft:
    – Companies control the full lifecycle of their apps.
    The user is in control of their phone:
    – App installs require user confirmation.
    – Companies can query only their own apps and settings.
  • Process overview:
    1. Create a Company account with Windows Phone Dev Center.
    2. Acquire an enterprise certificate from Symantec.
    3. Create the Application Enrollment Token (AET).
    4. Develop and sign applications to distribute within the enterprise.
    5. Enroll phones with the enterprise.
    6. Distribute and install applications on enrolled phones.
    7. Run applications.
    8. Phone home.
  • Enterprise certificate:
    – Issuer must be Symantec. Only one root of trust is valid for enterprise certificates.
    – Valid from/to dates cover a period of 12 months. The cert is invalid outside of the validity period.
    – Subject CN (common name) is shown to the user when enrolling with an AET file or installing an enterprise app.
    – Subject UID is the Enterprise ID (Publisher ID). The Enterprise ID ties together an app and an AET.
    – The EKU includes a new OID for Windows Phone enterprise application deployment. This EKU must be present for the cert to be valid for WP8 enterprise functionality.

    1. Windows Phone 8 Enterprise Mobile Device Management (MDM)
       Andrej Radinger, Windows Phone Development MVP, andrej@mobendo.hr, October 23rd 2013
    2. Topics
       • Introduction
       • Windows Phone 8 Applications in the Enterprise
       • Windows Phone 8 Devices in the Enterprise
       • Building a Company Hub
    3. Introduction
    4. End Users are in the driver's seat!
       • 59% of employees use mobile devices to run LOB apps [2]
       • 91% of employed adults use a personally owned device for business use [1]
       • Currently 150 million employees are using their own smartphones and tablets in the office (BYOD) [3]
       • BYOD until 2014: >50% [3]
       Sources: [1] Survey conducted by Harris Interactive, Feb 2012; [2] Symantec, State of Mobile Computing Survey, Jan 2012; [3] Juniper Research, 2012; [4] Forrester, Jan 2012
    5. IT department losing control!
       • 72% of organizations have tablets in use without formal deployment
       • 40% of IT decision makers say they let workers access corporate information from BYOD devices, but 70% of employees indicated they access corporate networks this way [2]
       • <10% of organizations are fully aware of devices accessing their network [3]
       • 50% of companies experienced data breaches due to unsecure devices [4]
       • Corporate IT policies that ban the use of employee-owned devices in the name of security inadvertently create new security holes [6]
       Sources: [1] Dimensional Research, May 2011; [2] IDC, 2011; [3] SANS Annual Mobile Security Survey, April 2012; [4] Ponemon and WebSense survey, 2012; [5] Symantec, State of Mobile Computing Survey, Jan 2012; [6] Dell, 2011
    6. Mobile Devices in the Enterprise Today
       • The use of personally owned devices is growing. By 2016, or just 3 years from now:
         – 10+ billion mobile-connected devices (1.4 mobile devices per capita) – Cisco, Feb 2012
         – Smart connected device (PCs, tablets and smartphones) shipments reach 1.84 billion units – IDC, Mar 2012
         – 1 billion consumers will have smartphones – Forrester, Feb 2012
       • BYOD usage is a reality and growing: "Currently 150 million employees are using their own smartphones and tablets in the office. This number is predicted to rise to 350 million by 2014." Mobile Security Strategies: Threats, Solutions & Market Forecasts 2012-2017 (Juniper Research, 2012)
       • IT is not in control: "40% of IT decision makers say they let workers access corporate information from employee-owned devices, but 70% of employees indicated they access corporate networks this way." Consumerization of IT Study: Closing the "Consumerization Gap" (IDC, 2011)
       • Restrictive policies are not the answer: "Corporate IT policies that ban the use of employee-owned devices in the name of security inadvertently create new security holes." CIO Strategies for Consumerization: The Future of Enterprise Mobile Computing (Dell, 2011)
       Top IT mobility challenge: cost-effectively secure and manage the multiple devices in the Enterprise
    7. MDM Overview
       • MDM addresses the top IT mobility challenges
       • Fairly new solution area: consolidation and major shifts are still ongoing
       • Common elements that MDM solutions include:
         – Policy Management
         – Inventory Management
         – Security Management
         – Device Service Management
         – Device Software Distribution
       • Key attributes of a high quality MDM solution:
         – High level of automation
         – High quality reporting
         – Integration with existing security and management systems
         – Right balance of "User Experience vs. Security"
       • A few things to keep in mind:
         – Some device platforms will limit manageability (due to manufacturer design)
         – Android platform support is difficult (due to platform fragmentation)
         – Most MDM solutions focus on the major device platforms (WP, iOS, Android); limited or no support for other platforms is not uncommon
    8. Windows Phone 8 Apps in the Enterprise
    9. Enable companies to deploy business applications to their employees privately and securely.
       • Companies control which phones may run their apps: enterprise apps may install and run only on phones that are enrolled with the associated enterprise
       • Companies control the lifecycle of their apps: no ongoing interaction from Microsoft
       • Companies control the deployment and distribution: it is highly recommended to authenticate users prior to app enrollment and app deployment
    10. Enable end users to feel in control while preserving a company's right to protect their data.
        • App installs require user confirmation; updates of existing apps can be done silently
        • Companies can inventory only their own apps; Marketplace apps, user settings, and other enterprise data are not available
        • The phone's unique identifier is per-publisher; publishers cannot correlate user data with other publishers or companies
    11. Windows Phone Applications in the Enterprise
        • Windows 8 allows enterprises to configure enterprise-wide application distribution
        • The enterprise can create and distribute Windows Phone applications without requiring them to be approved by the Microsoft Windows Store
        • User phones can either be managed or unmanaged
          – Very high level of control over a managed phone
          – An unmanaged phone can be used in a "Bring Your Own Device" mode
        • An Enterprise can create its own Application Hub which can be made available on managed devices
    12. Enterprise Applications
        • An Enterprise Application does not have any more access to the underlying device than a "normal" one
        • It does not have to pass the Marketplace certification
          – This could result in less reliable or harder to use applications being published by an enterprise
          – Enterprises are advised to use the Marketplace Test Kit to internally validate applications before making them available
        • Capabilities are enforced on the device
          – For example, if an application needs to use the location service the user will be asked for permission when the application is first run
    13. Creating Enterprise Applications
        • An Enterprise can use its keys to sign applications that are then posted in its own application store
        • Devices are "enrolled" to allow them to install and run applications from the Enterprise
        • An Enterprise "token" is loaded onto the device when it is enrolled
          – This allows the device to validate enterprise applications
        • Enterprise applications are published directly by the Enterprise; they are not subjected to any Marketplace certification
    14. Enterprise Client Application Example
        • Microsoft have created an internal application hub that provides corporate information alongside other information
    15. Enterprise Registration
        • An Enterprise must register with the Windows Phone Developer Center if it wants to distribute enterprise applications to selected devices
          – Microsoft provides the Enterprise with a set of tools that can be used to create applications for deployment within the Enterprise
          – Microsoft informs VeriSign that the Enterprise is registering
        • Once the Enterprise has been approved, VeriSign will issue a certificate for the key pair to be used by the Enterprise to sign applications
        • This creates a new Enterprise Root and Certification Authority which is trusted by the Windows Phone 8 security system
          – It can be used to sign applications that can be deployed onto Windows Phone 8 devices
    16. Overview (diagram; step callouts 1–7)
    17. Account creation and cert acquisition
        • Must be a Company account
        • Publisher name displayed on phone
        • Company approval required
        • Private key, CSR, cert are local to PC
    18. Enterprise certificate
    19. App enrollment
        • App enrollment token (AET) is generated once per year
        • Delivered to the phone over an authenticated channel via email, browser, or MDM
        • Validated for signature and expiration
    20. App deployment
        • App is signed using tools in the WP SDK 8.0
        • Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
        • Validated for signature, an associated AET, and allowed capabilities
    21. App launch
        • User launches an enterprise app via the shell or an API
        • Publisher ID is extracted and used to find the associated AET
        • AET must be valid and not revoked or disabled
    22. Phone home
        • Phone sends device ID, publisher IDs, and enterprise app IDs
        • Phone receives status for each enterprise
        • Apps of invalid enterprises are blocked from being installed or launched
        • Scheduled daily, plus each enrollment and app install
        • After 7 consecutive failed attempts, install of enterprise apps is blocked, but launch of installed apps still works
    23. Phone home – sample protocol (Response)
    24. Windows Phone 8 Devices in the Enterprise
    25. The Enterprise and Windows Phone Devices
        • If the Enterprise just wants to distribute their applications to selected phones they just need to register to do this
          – They will sign the XAP files of their applications with their Enterprise certificate
        • An Enterprise can also deploy "managed" Windows Phone 8 devices
        • A "managed" Windows Phone 8 device is under much more direct control from the enterprise
        • System management tools are provided that allow the phone to be remotely managed
          – Applications can be installed and revoked
          – Data can be remotely deleted
    26. Unmanaged and Managed devices
        • An Enterprise can interact with "managed" and "unmanaged" Windows Phone 8 devices
        • An Unmanaged phone (which might be a Bring Your Own Device) is one that is not integrated into the management regime in the Enterprise
          – The user of an Unmanaged phone has control over which applications are loaded onto the phone and what phone capabilities the applications have
        • An Enterprise has a high level of control over a Managed phone
          – The Enterprise can automatically deploy and revoke applications on the phone
          – An Enterprise can remotely delete data from a Managed phone
    27. Managed vs Unmanaged Phones
        | Feature                        | Unmanaged Phone | Managed Phone |
        |--------------------------------|-----------------|---------------|
        | Device encryption              | Yes             | Yes           |
        | Private app distribution       | Yes             | Yes           |
        | Policy management              | No              | Yes           |
        | App management                 | No              | Yes           |
        | App un-enrollment              | No              | Yes           |
        | Remote delete of business data | No              | Yes           |
        | Company Hub APIs               | Yes             | Yes           |
    28. Device Enrolment
        • The Enterprise can distribute applications to Managed and Unmanaged Windows Phone 8 devices
          – A device must be "enrolled" so that it can run Enterprise applications
          – This provides it with an enrolment token that can be used to open XAP files that have been signed by the Enterprise
          – This is a "one time" action
        • Managed phones are automatically enrolled to the Enterprise
        • An Unmanaged phone must be enrolled before it can run the applications
    29. Enrolling an Unmanaged Phone
        • There are a number of ways that an unmanaged phone can be enrolled:
          – Send the phone the token using an email secured by IRM (Internet Rights Management)
          – Email a message containing a web link to the token; the user must authenticate on the web site before being given the token
        • Once the phone has been enrolled into the enterprise the user can download and run enterprise applications
        • Enrolment does not affect any other aspects of phone use
          – It does not allow remote management of the enrolled phone
        • Microsoft does not provide tools to track the number of unmanaged phones that have been enrolled
    30. Enrolment on Managed and Unmanaged Devices
        | Feature                   | Unmanaged Phone                           | Managed Phone                        |
        |---------------------------|-------------------------------------------|--------------------------------------|
        | App enrollment            | By attachment in email, via web link      | Integrated with device enrollment    |
        | Enterprise app store      | Implemented by Enterprise IT              | Provisioned by System Center         |
        | Enterprise client install | By attachment in email or by web download | Integrated with device enrollment    |
        | App inventory             | Implemented by Enterprise IT              | Provisioned by System Center         |
        | App un-enrollment         | N/A                                       | Integrated with device un-enrollment |
        | Containment               | Low                                       | High                                 |
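The device-side rules from slides 19 to 22 (AET enrollment, app deployment, app launch and phone home) modelled as an added Python example; this is not code from the deck or from Microsoft. The capability policy, the shape of the phone-home response and the use of a plain dictionary as the AET store are assumptions, and the AET signature check is omitted.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_FAILED_PHONE_HOMES = 7  # slide 22: after 7 consecutive failures new installs are blocked
@dataclass
class Aet:  # Application Enrollment Token: one per enterprise, valid for 12 months
    publisher_id: str
    valid_from: date
    revoked: bool = False
    disabled: bool = False

    def is_valid(self, today):
        in_period = self.valid_from <= today <= self.valid_from + timedelta(days=365)
        return in_period and not self.revoked and not self.disabled

@dataclass
class Phone:
    allowed_caps: set                              # constructed capability policy (assumption)
    aets: dict = field(default_factory=dict)       # publisher_id -> Aet
    installed: dict = field(default_factory=dict)  # app_id -> publisher_id
    status: dict = field(default_factory=dict)     # publisher_id -> bool, from phone home
    failed_phone_homes: int = 0

    def enroll(self, aet, today):  # App enrollment: AET checked for expiration
        if aet.is_valid(today):
            self.aets[aet.publisher_id] = aet
        return aet.is_valid(today)

    def install(self, app_id, publisher_id, caps, today):
        # App deployment: valid associated AET, allowed capabilities, enterprise not
        # reported invalid by phone home, and fewer than 7 failed phone-home attempts
        aet = self.aets.get(publisher_id)
        ok = (self.failed_phone_homes < MAX_FAILED_PHONE_HOMES and aet is not None
              and aet.is_valid(today) and self.status.get(publisher_id, True)
              and caps <= self.allowed_caps)
        if ok:
            self.installed[app_id] = publisher_id
        return ok

    def launch(self, app_id, today):
        # App launch: the AET found via the Publisher ID must be valid, not revoked or
        # disabled, and the enterprise not reported invalid; failed phone homes never block launch
        publisher_id = self.installed.get(app_id)
        aet = self.aets.get(publisher_id)
        return aet is not None and aet.is_valid(today) and self.status.get(publisher_id, True)

    def phone_home(self, response):  # response: publisher_id -> still valid; None = failed attempt
        if response is None:
            self.failed_phone_homes += 1
        else:
            self.failed_phone_homes = 0
            self.status.update(response)
```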
