Huawei AnyOffice MDM Technical White Paper

Transcription

1 Huawei AnyOffice MDM Technical White Paper

2 Contents 1 Background Solution Overview Lifecycle-Based MDM Acquirement Deployment Secure Access to Intranet Resources Application Management Running Customizable Compliance Check and Response Policies Diversified Device Control Policies Asset Loss Management Self-Service Management for Users Retirement...19

3 4 Solution Highlights Better MDM Capabilities on Huawei Mobile Devices* Device Control Application Management Terminal Information Acquirement MDM Capability Modularization* Seamless Switchover Between Intranet and Extranet Mechanism Mechanism of ios MDM Mechanism of Android MDM MDM Data Server...26

4

5 1 Background In 2012, 20% of employees use their own mobile devices, such as the iphone, ipad, or Android devices, for work-related activities. Along with the trend of IT consumption, Bring Your Own Device (BYOD) becomes the new norm. Now, instead of a trendy concept, BYOD is changing the way people work with an unstoppable momentum. With their own devices, employees can exchange and trace sales opportunities more flexibly, promote enterprise information management, flatten the UIs, and enhance decisionmaking efficiency and responding speed. However, the openness of BYOD introduces various security and management risks. BYOD extends the border of office. Employees can work and play games on the same mobile devices. Personal and office applications are blurring the boundary in between. For most enterprises, prohibiting BYOD is infeasible. Young employees are born in a technology explosion era. Most of them are familiar with mobile information technologies and urge for BYOD support from enterprises. This need forces enterprises to adjust to the BYOD technologies. At the same time, BYOD brings various problems and risks as the one ninth of an iceberg below the sea. The open and intelligent mobile platform faces problems, including malicious code embedding, data leaks, mix of personal and enterprise applications, and multiplatform with different structures. These problems are the challenges for enterprise IT management. Against this background, MDM came into being. At present, all the mainstream mobile device operating systems support the MDM protocols to some extent. Huawei AnyOffice, a mobile office client, integrates the MDM function to centrally manage enterprise smart terminals. With this function, the IT personnel of enterprises can manage the smart terminals just like they use a domain controller to manage enterprise PCs. The AnyOffice supports the ios and Android operating systems. 1

6 2 Solution Overview Focusing on the requirements, features, and challenges of BYOD, Huawei AnyOffice mobile security solution not only ensures easy and secure access to the enterprise intranet for mobile workers, but also provides excellent user experience. Huawei, by virtue of its experience and expertise in telecommunication and network security, integrates the following components into the solution: AnyOffice mobile office client a mobile office client on a mobile smart terminal SVN2000-M/5000-M series unified SSL/IPSec VPN gateway USG2200/5100/5500 series gateway with both firewall and Unified Threat Management (UTM) functions AnyOffice Manager* unified policy management platform Mobile Enterprise Application Platform (MEAP) Figure 2-1 Huawei AnyOffice mobile security solution Terminal Access DMZ Intranet Office-based AnyOffice client Non-office-based SSL Enterprise Wi-Fi 3G/4G Mobile Security Access Gateway SVN Security management Assets management Unified policy Management platform* Application distribution IT services UI design Application integration Device interface Application compilation Application release and maintenance Development platform Business object Workflow Supporting platform Application interface LDAP AnyOffice client Public Wi-Fi Firewall/UTM Firewall/UTM MEAP OA and other servers Authentication and authorization Strong mobile authentication AnyOffice security platform Identity Privacy Compliance Access control Mobile NAC* Link security SSL or UDP tunnel encryption L3/L4 VPN Threat defense DDoS Network antivirus Network IDS/IPS Data protection Mobile sandbox Web, , and DLP Anti-theft Application security Application Control Management security Security management Application management Assets management IT services * indicates a feature to be supported by later versions of Huawei AnyOffice Mobile Security Solution. 2

7 MDM is an important component of Huawei AnyOffice mobile security solution. Different from other vendors, Huawei puts forward a lifecycle-based MDM solution, which provides complete MDM policies and methods during the acquirement, deployment, running, and retirement of mobile devices. This design ensures the proper and secure implementation and running of devices in each process. With the features of enterprise-owned devices and BYOD devices, the AnyOffice ensures not only device security but also user experience on using the mobile devices. Acquire Device Lifecycle Deploy Retire Run Acquirement Huawei AnyOffice mobile security solution complies with the ITIL Asset Management Standards, supports the discovery and registration of enterprise-owned devices and private devices, and provides the customized template of commitment of mobile device usage. Deployment Enterprises must ensure the security compliance of the mobile devices. Huawei AnyOffice mobile security solution supports the policy configuration and delivery on the host firewall, VPN, and Wi-Fi, and the enforcement of security policies. The core of mobile office is the secure allocation of mobile applications. Huawei AnyOffice mobile security solution integrates the Enterprise App Store and implements secure allocation, installation, and configuration of applications. Moreover, the company can use the AnyOffice to define policies for whitelisted and blacklisted applications, ensuring that the right person accesses the right application and data. 3

8 Running In this phase, MDM focuses on data and application security. Huawei AnyOffice supports password policies, jailbreak detection and isolation, and control over possible data leak channels, including the SIM card, SD card, camera, Bluetooth, Wi-Fi, USB, GPS, and recording. Mobile devices are prone to loss. The AnyOffice provides key data encryption, remote locking, and remote data wipe functions. On the management back end, the IT department can query and audit the models, operating systems, and versions of all mobile devices and export asset audit reports. Required IT workload is a key indicator of a mobile office solution. Huawei AnyOffice provides a self-service portal where employees can perform operations, including registration, password resetting, loss report, remote locking, and remote data wipe. This portal significantly reduces IT departments' workloads. The centralized management back end supports management functions more complex than the previous ones, including message pushing and fault location. Retirement Upon employee resignation or device loss, the IT department can uninstall the applications on the device, remotely wipe the remaining data, and finally annul the device to prevent data leaks. If a company-owned device is recycled, the recycled device can be re-registered, and the administrator can configure security policies and applications on this device. For details, see the next chapter. 4

9 3 Lifecycle-Based MDM 3.1 Acquirement Assets management is an important aspect in the implementation of MDM. Huawei AnyOffice mobile security solution provides the following methods to help enterprises to start asset registration using MDM. Provides customizable terminal user agreements. The MDM function of the AnyOffice can perform operations on mobile devices, including remote mobile device control (such as remote locking and remote data wipe), device function restriction (such as disabling the Bluetooth and USB), and terminal information query (such as querying terminal application software list, operating system, and the location of a terminal device). Therefore, enterprises must initiate a terminal user agreement to inform users of these facts before registering terminal devices, especially BYOD devices, to the AnyOffice and enabling the MDM function to avoid unnecessary legal affairs. Figure 3-1 Assets confidentiality agreement configuration 5

10 The AnyOffice provides a default terminal user agreement template. Figure 3-2 Assets confidentiality agreement template When a user logs in, the AnyOffice client checks whether the user's terminal device is registered. If no, the client displays a terminal user agreement for this user to read. The registration proceeds only after the user agrees the agreement, and then the MDM function can be enabled on this terminal device. Distinguishes enterprise assets from private assets. The AnyOffice can distinguish enterprise assets from private assets to help administrators define different MDM policies for different assets. Administrators can view the list of successfully registered assets on the AnyOffice management back end and push information to the specified terminal using the group messaging function (such as sending instant messages to employees on the move). 3.2 Deployment Secure Access to Intranet Resources When deploying mobile working, enterprises need to deliver the configurations of common enterprise applications, such as , VPN, and Wi-Fi, to the enterprise-owned devices and BYOD devices that need to access 6

11 intranet resources. Huawei AnyOffice mobile security solution provides a one-stop configuration delivery function for the administrators to centrally configure or import application configurations on the AnyOffice management back end and deliver the configurations to the registered devices. The entire process does not require the participation of terminal users, and the operations are quite easy for the administrators. Supports the setting of Exchange ActiveSync and IMAP/POP mail parameters on the ios terminals on the management page and delivering the settings to the mobile devices (excluding Android devices). Figure 3-3 ios parameter one-stop setting (a) Figure 3-4 ios parameter one-stop setting (b) 7

12 VPN Supports the setting of VPN parameters on the ios terminals on the management page and delivering the settings to the mobile devices (excluding Android devices). Figure 3-5 ios VPN one-stop setting Wi-Fi VPN is deployed for mobile devices to access enterprise intranet over the Internet, and Wi-Fi is deployed for mobile devices to access the intranet when mobile device users return to the intranet. Meanwhile, to ensure access security, enterprises usually perform strict certificate authentication on the Wi-Fi access users. The AnyOffice management back end supports the import of Wi-Fi configuration files to the management page and delivers the configuration files to mobile devices. Figure 3-6 Wi-Fi configuration file management 8

13 You can select one of the following as required to configure Wi-Fi configuration files on the management page: Do not replace Wi-Fi certificate configuration Use the Wi-Fi certificate of the Wi-Fi configuration file that the administrator imports and do not make any modification. Manually configure Wi-Fi certificate The administrator imports Wi-Fi certificates. When a user logs in, the gateway automatically combines the Wi-Fi certificate associated with the user to the Wi-Fi configuration file associated with this user and then delivers the configuration file to the user terminal. CFCA automatically issue a Wi-Fi certificate The gateway applies for a Wi-Fi certificate from the CFCA server, combines the certificate with the Wi-Fi configuration file associated with the corresponding user, and delivers the configuration file to the user terminal (So far, the gateway supports only the connection with the CFCA server of China Minsheng Bank) Application Management Enterprise App Store The administrator can upload various mobile application installation packages and icons of the Android or ios platform to the AnyOffice management back end. These applications can be enterprise applications for intranet use only or common tool software (all ios applications uploaded to the Enterprise App Store are In-House Apps). 9

14 Figure 3-7 Adding applications to the Enterprise App Store In addition, the administrator can select applications from the App Store as required, import them to the Enterprise App Store, and recommend them to employees. Figure 3-8 Adding applications in the AppStore to the Enterprise App Store The administrator can view the list of applications in the Enterprise App Store, including the application name, category, version, size, applicable operating system, update date, and description. In addition, the administrators can query the number of times each application is downloaded as well as the top 10 applications downloaded. Applications are authorized to enterprise users of different roles as resources. Therefore, the list of applications a terminal user can view in the application list of the Enterprise App Store varies with the permission granted to the terminal user. 10

15 3.3 Running Security is crucial for mobile working no matter whether employees use enterprise-owned devices or BYOD devices. With the AnyOffice solution deployed, the enterprise IT administrator can view the security compliance status of each terminal device, configure various security policies, and deliver these policies to the AnyOffice client. When a user logs in, the AnyOffice client can perform a security compliance check. If a violation is detected, the AnyOffice automatically performs the specified action based on the configured policy and notifies the administrator of the violation. The AnyOffice ensures device security using the following methods: Periodical compliance checks (such as application compliance checks, jailbreak checks, and password strength compliance checks). Compliance check on the user terminal when a user logs in to the AnyOffice. Real-time policy delivery (the administrator delivers the compliance check policies immediately after modifying them for the AnyOffice to execute the latest policies). Considering the differences of enterprise-owned devices and BYOD devices, the AnyOffice allows the administrator to configure different policies for them. For example, the administrator can configure strict security policies for the enterprise-owned devices and less strict policies for the BYOD devices Customizable Compliance Check and Response Policies The AnyOffice provides diversified and flexible terminal security compliance check policies and response policies. The enterprise administrator can select policies as required and deliver policies based on different terminals and roles. 11

16 Application compliance check Figure 3-9 Application compliance check policy Configure policies to whitelist and blacklist applications on the terminal as well as policies to handle violations. For example, the administrator can configure a policy to prevent the installation of game software Angry Birds on enterprise-owned devices. If this software has been installed on the device, the policy can be executed to prevent the user from logging in to the AnyOffice and prompt the user to uninstall it. Password strength compliance check The administrator can configure a policy to define the password length, validity period, history, and letters and digits. If a terminal does not comply with the requirement, the AnyOffice can send a notification to the user or prevent the terminal from accessing the intranet (supports only notification on ios devices). Jailbreak check Jailbroken devices usually have unstable systems and are prone to viruses. For security reasons, enterprises allow only non-jailbroken smart terminals for mobile working. 12

17 The administrator can configure policies to determine whether to perform jailbreak checks and the actions for jailbroken devices (including alert, prevent the login to the AnyOffice, and prevent intranet access using Wi-Fi). Roaming policy The administrator can configure a policy to detect whether a terminal is roaming. If yes, the back end sends a notification to the user or does not implement MDM control. For employees sensitive to roaming charging, this policy can help them save money. SIM card policy If the SIM card of a smart terminal is changed, the smart terminal might have been stolen. The administrator can configure policies to determine whether to check SIM card change and the actions for the devices whose SIM cards are changed (including alert, prevent the login to the AnyOffice, and prevent intranet access using Wi-Fi). Terminal encryption check Android 4.0 and later versions support full-disk encryption. Enterprises can require their employees to enable this function on the Android devices to enhance the security of local data. The administrator can configure policies to determine whether to check the Android terminal full-disk encryption function and the actions for the devices that do not have this function enabled (including alert, prevent the login to the AnyOffice, and prevent intranet access using Wi-Fi). Operating system version check The administrator can specify the earliest version of the ios and Android terminals for accessing the intranet. That is, the terminals earlier than the specified version are not allowed to access the intranet. 13

18 Figure 3-10 Compliance check policy AnyOffice client uninstallation policy If the AnyOffice client is uninstalled, the applications installed from the AnyOffice Enterprise App Store are uninstalled as well (supported by the ios terminals). AnyOffice long-time offline check Employees using smart terminals for mobile working need to log in to the AnyOffice on workdays to send and receive and browse company websites. Therefore, if the AnyOffice is offline for a long time on a terminal, it is abnormal. The administrator can configure a policy to determine whether to enable this check, specify the period in which the AnyOffice is allowed to be offline, and send to inform the users that the period is about to expire. For example, AnyOffice long-time offline check is enabled, the period in which the AnyOffice is allowed to be offline is set to 30 days, and the days to send to inform the users that the period is about to expire is set to 5 days. If a terminal does not log in to the AnyOffice for 25 consecutive days, the user will receive notification in the later 5 days. If the terminal does not log 14

19 in to the AnyOffice in the last 5 days, the terminal will never be able to log in to the AnyOffice again unless the administrator unlocks the terminal. Service daemon If service daemon is enabled, periodical compliance checks are performed on the service processes run on the background, regardless of whether the AnyOffice is running, and corresponding actions are performed based on the check result and configured policy. In addition, the service processes can receive and execute the MDM commands, such as remote locking and remote data wipe, sent from the management back end. If service daemon is disabled, compliance checks are not performed on service processes after a terminal logs out of the AnyOffice, and the service processes neither receive nor execute the MDM commands sent from the management back end. Service daemon applies to enterprise-owned devices. Once enabled, the enterprise can learn about the terminal status and make proper responses upon status anomalies no matter whether the employees use the AnyOffice for working. Service daemon is not recommended for BYOD devices in that employees need use the personal devices freely during non-working hours. For example, after employees log out of the AnyOffice, they can use the cameras of the BYOD devices freely. AnyOffice SSID access point check Terminals that have AnyOffice SSID access point check enabled can log in to the AngOffice only after they connect to the specified SSID. For example, an enterprise requires its employees to log in to the AnyOffice and access intranet resources using one or more specific SSIDs, so that strict user identify authentication (such as 802.1X authentication) can be performed during the Wi-Fi connection before user terminals log in to the AnyOffice. When the employees return home, they can use other SSIDs to access the Internet (these SSIDs are not controlled by the enterprise, and the terminals may access the Internet without authentication). The terminals may be reachable to the SVN gateway, but are prevented from logging in to the AnyOffice or access intranet resources. In this case, the administrator needs to enable the AnyOffice SSID access point check policy and deliver the policy to employees' mobile devices. 15

20 3.3.2 Diversified Device Control Policies Device permitted Device function enabling/disabling policy ios Android Installing application programs Purchasing application programs Snapshot Automatic synchronization when roaming Multiplayer game Wi-Fi Portable WLAN access point Voice dialing Adding Game Center friends Permitting passbook when the device is locked USB debugging Camera Bluetooth scanning Siri itunes Store password required for all purchased items indicates that the function can be enabled/disabled on the device Opening functions on mobile devices brings convenience to users but also information leaks. If mobile devices are used for working, enterprise data leaks will compromise enterprise interests. For example, when an employee uses a mobile phone to connect to the intranet to receive and send or browse official documents on the intranet websites, the employee may snapshot the or document and send it to the Internet, or the employee may take photos of confidential information on the intranet and leak the information outside. As listed in the previous figure, the AnyOffice provides diversified device control policies. The administrator can enable or disable the listed functions as required to prevent data leaks during employees' mobile working. 16

21 Application program permitted Configure policies to determine whether to allow the use of YouTube, itunes Store, and Safari on the ios devices. icloud permitted Configure policies to determine whether to allow data backup to the icloud, file synchronization with the icloud, and photograph streams on the ios devices. Security and privacy permitted Configure policies to determine whether to allow the sending of ios device diagnosis information to Apple Inc., receiving distrusted TLS certificates, and forcible encryption during itune backup Asset Loss Management Compared with PCs, mobile devices are prone to loss and stealing. If a mobile device used for working is lost or stolen, the enterprise data on the mobile device may be leaked. Against this background, the AnyOffice solution provides the remote device control function, which includes: Remote locking Remote locking includes device hardware locking and AnyOffice software locking. When a mobile device is lost, the administrator can deliver a remote locking command on the management back end to remotely lock the device to prevent data leaks. Remote unlocking Remote unlocking includes unlocking a device and allowing device login. Unlocking a device means clearing the device locking password, and allowing device login means unlocking the devices that do not log in for a long time to log in again. 17

22 Remote data wipe If a lost device cannot be retrieved, the administrator can deliver remote data wipe command on the AnyOffice management back end to the device to promptly erase the data on the device. In addition, this function provides the following control options: Clear enterprise data and configuration data on the AnyOffice Restore factory default Erase data in the SD card The administrator can deliver different clear operations as required. For example, for a lost enterprise-owned device, the administrator can deliver the restore factory default and erase data in the SD card commands to ensure that all data on the device is erased. For the BYOD device of a resigned employee, the administrator can deliver the clear enterprise data and configuration data on the AnyOffice command to erase only the enterprise data on the device Self-Service Management for Users In the AnyOffice solution, the administrator can use the MDM data server back end to manage enterprise assets, including the enterprise-owned devices and employees' BYOD devices. However, the BYOD devices are not the assets of the enterprise. Therefore, employees hope to implement MDM on their own. The AnyOffice provides a self-service management page for employees to manage their own mobile devices. This not only decreases the workload of the administrator to some extent but also enables employees to use their BYOD devices freely. Employees can perform the following operations on the management page: Download AnyOffice Agent 18

23 GPS positioning Internal asset information viewing Self-deregistration of smart terminals Data wipe for stolen mobile devices Lock/Unlock of mobile phones Figure 3-11 Self-service page 3.4 Retirement The administrator can deregister or delete assets on the AnyOffice management back end. When an employee resigns, the enterprise recycles the enterprise-owned device, unbinds the asset and user name, and deregisters the asset. This recycled device can be assigned to another employee. Assets deleting is used to clear the data on the back end. For example, some old assets are no longer used. The administrator can delete the data of these assets to stop maintaining these assets. When an asset is deregistered or deleted, all enterprise data that the user leaves on the AnyOffice is cleared, including the , browser data, downloaded enterprise apps, configuration files, and pictures. 19

24 4 Solution Highlights The lifecycle-based MDM solution of Huawei provides complete MDM policies and methods during the acquirement, deployment, running, and retirement of mobile devices. This solution ensures the proper and secure implementation and running of devices in each process. With the features of enterprise-owned devices and BYOD devices, the AnyOffice ensures not only device security but also user experience on using the mobile terminals. In addition, the MDM of Huawei AnyOffice solution has the following highlights: 4.1 Better MDM Capabilities on Huawei Mobile Devices* For Huawei mobile devices, the AnyOffice solution not only uses the universal interface of the Android system to implement MDM but also employs the interfaces of the devices to provide more powerful and diversified MDM capabilities Device Control Huawei devices provide the following capabilities in terms of device control: Enable/Disable USB network sharing Enable/Disable USB MTP Enable/Disable USB PTP Enable/Disable user data synchronization Set/Reset screen-lock password Reboot the device Enable/Disable portable WLAN access point 20

25 4.1.2 Application Management Huawei devices provide the following capabilities in terms of application management: Clear temporary application data (such as data) Stop a process, such the blacklist application process. Silent application installation and uninstallation On non-jailbroken Android devices, the system prompts users to confirm whether to install or uninstall applications for security reasons. However, in some cases, requiring users to confirm the installation of each application adversely affects user experience. For example, when the AnyOffice is uninstalled, all applications installed from the AnyOffice Enterprise App Store are uninstalled automatically. If users have to confirm each application, it would be troublesome. Therefore, silent installation and uninstallation is the better choice Terminal Information Acquirement Besides device control and application management, Huawei devices also provide diversified terminal information acquirement interfaces for the MDM back end to display versatile terminal information, including free memory space, Bluetooth MAC address, Bluetooth matching devices, Bluetooth status, SD card status, IP address, SIM card carrier, and ICC ID. 4.2 MDM Capability Modularization* The SDK is an important component of Huawei AnyOffice mobile security solution. Instead of being an independent component, it is a software package, whose source code is not revealed. However, this component provides API for the upper-layer applications which are developed based on this component. As shown in the following figure, the SDK delivers the following functions: Connects to operating systems, including ios and Android through the abstract layer of Huawei DOPRA platform. 21

26 Shields lower-layer differences between operating systems. Provides uniform encryption/decryption interfaces for upper layers. Is compatible with the secure communication interfaces of the standard SOCKET. Enables the AnyOffice to integrate self-developed and third-party applications, such as the AnyOffice client software, virtual desktop, and third-party application espace Mobile and to encrypt and decrypt local files and data in transit. As mentioned above, enterprises can install the AnyOffice and deploy an SVN or MDM data server to manage mobile devices. Similarly, they can integrate the SDK when developing mobile applications and use the MDM API provided by the SDK to integrate the MDM function to application service flows. For example, MDM compliance checks (such as jailbreak checks and screen-lock password checks) can be integrated into the login to mobile applications. If the checks are failed, the terminal is prevented from accessing the enterprise services (terminals that fail the compliance checks may cause security risks when accessing the intranet). The MDM of other vendors requires the installation of dedicated MDM application software. However, Huawei AnyOffice solution provides the MDM modularization function for enterprises to integrate MDM flexibly into the mobile working solutions of enterprises. For example, some enterprises require the MDM function for deploying mobile working, but they do not want the AnyOffice UI. In this case, the modularization can meet their requirements. Figure 4-1 Framework of the SDK component Application layer Compatible with standard SOCKET / HTTP secure communication interface Security SDK SDK initialization Clean SDK running environment File encryption and decryption File operations Data encryption and decryption Create a VPN encrypted tunnel Protocol encapsulation Data encryption and decryption Network communication Session management Close VPN Encryption tunnel Compatible with systems adaptation interface of different OSs OS layer Hardware layer 22

27 4.3 Seamless Switchover Between Intranet and Extranet Mobile workers may access the intranet from the Internet or intranet using Wi-Fi. Therefore, the mobile working solution must meet the requirements not only on accessing the intranet from both the inside and outside the intranet but also the switchover between the intranet and extranet. For mobile devices to access the intranet from the extranet, the in-built VPN capability enables the AnyOffice client to automatically establish an L4VPN tunnel with the SVN after the users pass the login authentication and MDM compliance checks, so that the users can access intranet service resources, such as and web resources. For mobile devices to access the intranet from inside the intranet, the AnyOffice provides a one-stop Wi-Fi configuration delivery function to automatically deliver the Wi-Fi configuration file and Wi-Fi certificate to the clients after the users pass the login authentication and MDM compliance checks, so that the 802.1X client on the terminals can connect to the enterprise Wi-Fi network based on the configuration. In addition, the AnyOffice provides the environment awareness function, which detects extranet and intranet switchovers and performs specified actions based on the policies delivered by the SVN. For the extranet-intranet switchover, the AnyOffice client automatically terminates the VPN connection and accesses the intranet servers directly to reduce data transmission costs (the AnyOffice client can also continue to use the VPN connection to access intranet resources based on the policy action even if the terminal resides on the intranet). If the terminal switches from the intranet to the extranet, a VPN connection is automatically set up to ensure service continuity. The switchovers are all performed automatically by the AnyOffice client and require no manual intervention (for example, users do not need to reenter the user name and password to log in to the AnyOffice client). The switchovers are seamless, which ensures the quality of user experience. 23

28 5 Mechanism 5.1 Mechanism of ios MDM For an ios device, the MDM function is implemented by the ios device, Apple Push Notification service (APNs), and the MDM data server. The APNs is a service provided by Apple (Apple deploys a service on the Internet in load balancing mode. The destination IP address is subnet /8, and the domain name is gateway.push.apple.com), and the MDM data server is provided by each MDM vendor. In the AnyOffice solution, the SVN functions as the MDM data server. Figure 5-1 Mechanism of MDM on ios devices Firewall Apple Push Notification Service Third-Party MDM Server 1. When a user starts the AnyOffice client for the first time, the AnyOffice management back end delivers the MDM configuration file to the user terminal after the user completes the registration and logs in to the client.the MDM configuration file includes the information about the MDM data server (such as the domain name of the MDM data server) and MDM client certificate. When the user terminal receives the MDM configuration file, a dialog box will be displayed on the terminal screen to notify the user of the impact of installing the MDM configuration file on the terminal and requires the user to confirm whether to install it. 24

29 2. After the user agrees to install the configuration file, the MDM configuration file will be installed on the ios device. 3. The terminal establishes a TLS connection to the APNs and obtains the Device Token of the MDM from the APNs. Then the terminal forwards the UDID and Device Token to the MDM data server for recording, so that subsequent push messages can be forwarded to the correct terminal (UDID uniquely identifies an ios device, and Device Token uniquely identifies an application on the terminal. Here, the Device Token identifies the MDM application). 4. When the MDM data server needs to communicate with an iphone or ipad, the MDM data server sends a notification message (contains the Device Token) to the ios device through APNs. The detailed procedures are as follows: The MDM data server initiates a connection to the APNs and shows its certificate to the APNs to prove its legitimacy (The MDM data server certificate must be applied from the Apple Push Certificates Portal in advance and installed on the MDM data server). After the connection is set up, the MDM data server sends a notification message to the APNs and requires the APNs to wake up the specified ios device. Then APNs forward the message to the device (The APNs only wakes up the device and does not send the detailed MDM command to the device). 5. After receiving the message, the device connects to the MDM data server directly using HTTPS. Then the device obtains the MDM command from the MDM data server and executes the command (such as device locking, data wipe, and reporting application list). In this process, the interactions between the APNs and MDM data server are implemented by the MDM agent of the ios system, not the MDM client software installed on the ios device by the MDM vendor. That is, even without any third-party MDM software, MDM can be performed on the ios devices as long as the MDM configuration file is installed on the ios devices and the MDM data server is deployed. After the MDM function is enabled on the ios device, the MDM agent and APNs maintain a persistent connection, so that the APNs can find the ios device and push messages to it at any time. 25

30 5.2 Mechanism of Android MDM In the AnyOffice solution, the MDM function on the Android devices is implemented by the Android device and the MDM data server. Different from ios devices, Android devices must install the client software of the MDM vendor to implement the MDM function. The AnyOffice client software implements the MDM client function and interacts with the MDM data server (in the current AnyOffice solution, the SVN functions as the MDM data server). The AnyOffice client for Android devices establishes an encrypted L4VPN tunnel with the MDM data server each time and sends keepalive packets over the tunnel to maintain the connection. If the MDM data server needs to interact with an Android devices, the MDM data server must send a notification message to the AnyOffice client over the L4VPN tunnel first. Then the AnyOffice client initiates an HTTPS connection with the MDM data server to obtain and execute the MDM commands (such as device locking, data wipe, and reporting application list) and then reports the execution result to the MDM data server. 5.3 MDM Data Server The MDM data server is a background server to store information related with the AnyOffice client. The information includes: Information about enterprise application programs (such as application icon and size) Assets information Information about installed application programs on the mobile device Mobile application installation package The database accessories include the PC server, server guide CD-ROM, server hard disk (1.2 TB), operating system software (Windows Server 2008 installation CD-ROM), database software (SQL Server 2008 installation CD- ROM), and software installation CD-ROM (the server must run the MDM data server software of the SVN). The operating system and database software must be installed before delivery, but the MDM data server software program must be installed by users. 26

31 As shown in the following figure, the MDM data server contains a tomcat server, file server, and database software. They can be installed on the same or different PC server. Figure 5-2 Interaction between the device/nms, SVN, and MDM data server Network Management IOS Terminal Android Terminal AnyOffice Gataway Other MDM Module Apache+tomcat load balancing & tomcat clustering Apache DB Server DB Server DB Server MDM Data Server Apk Files Plist Files Ipa Files File Server Icons Icons DB In daily service interactions, the MDM data server interacts with the AnyOffice client, SVN, and the sweb of the SVN. The AnyOffice client and the sweb do not directly interact with the MDM data server. They use the SVN to forward access requests and replies. The SVN and MDM data server perform bidirectional certificate authentication with each other before setting up a connection. After the authentication succeeds, an HTTPS connection is established for follow-up data exchange. Use application query as an example. A user opens the app store on the AnyOffice client and clicks the icon of a certain application to view its details. The AnyOffice client sends the query request to the SVN. The SVN transparently forwards the request to the MDM data server. Then the MDM data server analyzes the request and returns the result to the SVN. The SVN transparently forwards the result to the AnyOffice client. Then the AnyOffice client displays the result to the user. * Later versions of Huawei AnyOffice security solution will support the function marked with "*". 27

32 Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademarks and Permissions and other Huawei trademarks are the property of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The product, service, or feature that you purchase should be restricted by the Huawei commercial contract and the clauses in the contract. All or a part of products, services, or features described in this document may not be purchased or used. Every effort has been made in the preparation of this document to ensure the accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, expressed or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure the accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, expressed or implied. Huawei Technologies Co., Ltd. Address: Huawei Industrial Base Bantian, Longgang Shenzhen People's Republic of China Website: support@huawei.com