The fastest, most secure path to mobile employee productivity

If your organization lacks a bring-your-own-device (BYOD) strategy, you may be in danger of losing employees who are unhappy because they can't use the latest, greatest devices, or exposed to unacceptable security vulnerabilities from those same employees bringing in prohibited, unsecured devices for work purposes. The era of tight IT control over mobile work devices, including laptops, smartphones and tablets, is over. As shown in Figure 1, a recent survey of Citrix enterprise customers found that 50 percent of smartphones, 54 percent of tablets and 18 percent of desktop and laptop PCs used for work were also employees' personal devices. Gartner predicts that by 2017 half of all employers will require employees to provide their own devices for work. And it's not just one device. Studies show that, on average, employees use three or more devices throughout the workday.

Figure 1: Citrix survey results for percentage of BYO devices in organizations. (Chart: percentage of devices that are BYO, for smartphones, tablets and desktops/laptops.)

Productivity vs. security

Organizations facing the BYOD trend must strike a delicate balance between empowering mobile users with the capabilities they need to stay productive and protecting the organization from the multiple risks these personal devices and applications present to network security and sensitive intellectual property.

What does it take to get employees up, running and productive quickly and securely with their numerous devices? Most organizations turn first to enterprise mobile device management (MDM) platforms. MDM solutions are powerful tools for any BYOD arsenal. However, there are other considerations in a BYOD environment, including secure use of mobile applications, cloud services and enterprise files and information. As shown in Figure 2, there are many point solutions for solving each of these issues, but only Citrix offers a single, comprehensive solution that addresses all of them and allows organizations to empower employees quickly while meeting security and compliance requirements.

Figure 2: The broader mobility market is fragmented.

According to our recent Citrix mobility survey, the first and primary application required by most users (almost 90 percent) is enterprise email, including calendars and contacts (Fig. 3). That sounds simple enough, but in fact there are many options for providing mobile access to email, and each has its own balance of usability, flexibility and risk.

Figure 3: Citrix survey results for mobile applications important to organizations. (Survey question: "When it comes to supporting mobility, what are the most important types of mobile applications to your organization?" Categories: mobile email (including calendar and contacts), SharePoint access, enterprise file sync and share, web conferencing, secure browser, collaboration tools, line of business apps.)

Native email

Users are often most comfortable using the client software native to the device and its operating system, and for some organizations that's a perfectly acceptable strategy. However, before allowing employees to use native email, it's important to understand the management, security and compliance challenges it presents.

Perhaps most daunting is the number of different native clients and operating systems IT must track, secure and keep updated with the most current versions and security patches. Most of these clients were created for consumers, not enterprise users, and are only now starting to catch up with the needs of security-conscious enterprise IT departments. IT must take into account the different levels of capability each client offers and the risks it poses to sensitive information.

For example, native clients often don't encrypt email or attachments stored on the device, which means proprietary information may be accessible in the event the device is lost or stolen or the user leaves the organization. IT can use MDM capabilities to remotely wipe the applications and data on the device. However, different mobile operating systems and versions provide different levels of hooks into MDM software to support that capability. Depending on the client, users may have to, or simply be allowed to, mix corporate and personal email in the same account. This means selective wipe of corporate information may be impossible when an employee changes roles or leaves the organization.

Native client software is often open to sharing information with other applications and functions on the device, which adds the risk that corporate contacts, emails and calendar entries could be accessed by other applications, including malicious ones. Most native clients also allow users to open and edit attachments in unprotected or even malicious mobile applications, copy and paste information to other files and forward sensitive information to personal accounts or unauthorized users in violation of company policy.

Finally, Microsoft Exchange ActiveSync, used to synchronize email between Exchange and mobile applications, often requires deploying some messaging services in the enterprise DMZ, which is not as secure as the internal enterprise network and in some cases can provide hackers a path to corporate information. It's up to your organization to determine if user flexibility, productivity and satisfaction outweigh the risks of native email.

Sandboxed email

Another option is specialized sandboxed client software offered by Citrix (WorxMail) and other vendors. Sandboxed email keeps work and personal data on the device completely separate by encrypting work information and making work-related applications and information unavailable to personal applications. Many solutions allow assignment of granular enterprise policies restricting the opening, forwarding, editing and saving of files to protect proprietary information. And the containerization of corporate applications and data makes it much simpler to implement selective wiping of corporate applications and data when a user changes roles, leaves the organization or loses the device.

However, the interfaces of some sandboxed solutions may not be as familiar or appealing to users as that offered by the device's native application. In contrast, WorxMail delivers a native-like experience. Finally, sandboxing may reduce the flexibility a power mobile user seeks for various functions.

Virtual email

Current users of Citrix XenApp and Citrix XenDesktop virtualization solutions know that either can be harnessed to deliver mobile access to Windows desktop applications, including Microsoft Outlook. Virtual email is one of the most secure alternatives, since applications and data are stored securely, either in the datacenter or locally in an encrypted file system with powerful enterprise policy enforcement. Thanks to Citrix Receiver, the mobile experience conforms to user expectations for the device and its operating system, including touchscreen capabilities. Such a strategy eliminates most of the security hazards of local native clients and their vulnerable email and attachments. Virtual email is ideal for employees who prefer to use the same email as on their desktop and are able to work offline using their mobile device.

Web-based email

Finally, Outlook Web Access provides mobile browser access to Outlook email, but only limited offline access. Issues include browser incompatibility as well as an interface that may not be as comfortable, responsive and familiar for the mobile user as the interface of the native client application. Unsecured web browsers also bring their own risks, such as web-based malware. As with Exchange ActiveSync, Outlook Web Access may involve deploying some Exchange services in the enterprise DMZ.

In sum, each mobile email alternative balances usability and protection of private information. Organizations should consider all these factors when deciding which mobile email method to use. They may wish to deploy different strategies for different departments and employees depending on issues involving proprietary information, compliance and security.

File sharing

Once they're up and running with email, BYOD users often seek easy access to the files and other data they need to be productive. Most want to be able to annotate or edit files on their mobile devices. To do this, many currently take advantage of file-sharing and synchronization cloud services such as Box, Dropbox and Google Drive. Unfortunately these services were created for consumers, not the security-conscious enterprise, and pose their own risks.

Storing any sensitive information in a third-party cloud service immediately takes it out of the control of the enterprise and may expose it to theft, such as when Mitt Romney's Dropbox and Hotmail accounts were hacked during the 2012 presidential election campaign. Some of these services have started to offer encryption and two-factor authentication, but some only encrypt data in transit, rather than at rest, and users often do not take advantage of these capabilities.
Since information is stored in the public cloud it is difficult or impossible for IT to exert any control over which information is stored in which account or to wipe sensitive information or block access when users change roles or leave the organization. As with email, users may access these files with unprotected devices or applications.

A single mobile solution

Numerous point solutions address the multiple challenges of managing and securing mobile devices, applications and access in the enterprise. Some focus on MDM, others on securing mobile applications and still others on secure file sharing. Some emphasize IT security and management needs at the expense of user empowerment and flexibility. Only Citrix offers a comprehensive solution spanning all those requirements and the needs of different IT departments and users. With Citrix XenMobile solutions, organizations can be up, running and productive quickly with a BYOD strategy
that fits their exact needs. As requirements evolve, companies can take advantage of the industry's largest third-party gallery of secure, enterprise-friendly mobile applications and easy, effective tools for securing internally developed software, both provided by Citrix.

Further, only Citrix offers a single solution for quickly deploying any or every strategy, from the user device's native client software to virtualized and sandboxed email. Some XenMobile solutions can even be implemented securely without the use of MDM, eliminating concerns of some users that IT is monitoring their personal devices, applications and location. With a complete, integrated mobile management solution, organizations can quickly enable employees to be productive and continue to expand the scope of their BYOD strategy according to their unique needs, schedule and capabilities.

XenMobile MDM Edition

XenMobile MDM Edition is a comprehensive enterprise solution that offers role-based management, configuration and security for thousands of enterprise and personal user devices, including laptops, smartphones and tablets, across their lifecycles. With XenMobile MDM Edition, IT configures management servers and user devices quickly via a web-based administrative console and imported Active Directory user groups and accounts. Administrators can also configure XenMobile MDM Edition to make requests to a certificate authority to enable certificate-based authentication for Wi-Fi, VPN and Exchange ActiveSync profiles. Users can self-enroll their devices easily with IT-provisioned policies and applications and download and deploy any or all IT-sanctioned mobile, SaaS and Windows applications from a unified corporate app store.
XenMobile MDM Edition also offers mobile application blacklisting and whitelisting; detection and blocking of jailbroken devices for compliance purposes; and full or selective remote wipe of applications and data, depending on the capabilities of the mobile operating system.

XenMobile MDM Edition provides tight control across the entire device lifecycle by:

Configuring device settings and policies, such as device and application restrictions.

Provisioning devices via self-service device enrollment and centralized distribution of configurations, policy and application packages and updates.

Securing devices, applications, the network and data with authentication and access policies, application and cloud service blacklisting and whitelisting, enforcement of secure application tunneling and deployment of content- and context-aware mobile data loss prevention policies.

Monitoring devices, infrastructure, service-level and telecom expenses.

Supporting users by remotely locating, locking and wiping devices in the event of loss or theft. XenMobile MDM Edition is also one of the few MDM solutions to provide IT with remote user device control and troubleshooting.

Decommissioning devices by identifying devices that are inactive and wiping or selectively wiping them upon employee departure. With selective wipe, the corporate profile and all associated applications, including email, are removed without affecting the user's personal applications and information.

Email access

XenMobile doesn't stop at device management, however. Organizations seeking to make employees productive with access to enterprise email will find XenMobile offers every possible solution for email access from any user or device. With XenMobile, organizations can even deploy different solutions to different types of users, depending on their risk profiles.

For example, for simple content creators, office administrators or other users that fit a low-risk profile, XenMobile MDM Edition can quickly provide Exchange access from a native client, ensuring only approved native and third-party clients and users have access and are kept up-to-date according to role-based restrictions and enterprise policies.

For board members, executives or other users with access to more-sensitive data, XenMobile provides its own sandboxed client, WorxMail, which offers a rich, comfortable user experience similar to that of native clients, but adds extensive enterprise visibility and policy creation and enforcement capabilities. With WorxMail, all corporate email, contacts and calendar items are stored on the device completely separate from personal applications and information and are inaccessible to them.
All email and attachments can be encrypted and policies can be enforced to prevent users from opening, editing or saving attachments in unapproved applications, forwarding sensitive information or cutting and pasting confidential company information into other documents. IT can also require secure remote connectivity via a micro VPN. WorxMail integrates tightly with the XenMobile secure browser, WorxWeb, so that all web links are opened in a secure, sandboxed browser environment. WorxMail can also integrate with Worx-enabled enterprise applications and scores of secure third-party applications listed in the Citrix Worx gallery.

Figure 4: Links clicked in WorxMail, including internal intranet sites, securely open in WorxWeb.

WorxMail can even be deployed without any MDM, quelling concerns among executives or other employees that their devices, activities and locations are being tracked at all times. With the use of Citrix NetScaler for secure access, IT no longer has to deploy Exchange ActiveSync servers in the less-secure DMZ.

If IT feels these or other users require a highly secure virtual alternative, or simply mobile access to other Windows applications, XenDesktop provides completely virtualized access to Outlook for Windows and other Windows applications, with all applications and data stored centrally in the secure datacenter, or streamed and stored locally in a secured, encrypted file system with powerful enterprise policy enforcement. Citrix Receiver ensures the user experience always fits the mobile device, including the use of touch capabilities.

Finally, organizations that wish to deploy Outlook Web Access to selected users such as field workers or facilities managers can use NetScaler for a single point of granular remote access control. Citrix also offers the secure, sandboxed WorxWeb browser, which can be required for secure user web access to Outlook Web Access.

Citrix ShareFile for file sharing

In addition to device management and secure, flexible access, XenMobile can secure file sharing with Citrix ShareFile, a highly secure enterprise alternative to consumer file-sharing and synchronization services such as Dropbox, Box, and Google Drive. ShareFile can synchronize files stored across multiple devices, including PCs, laptops, network servers, smartphones, tablets and even SharePoint repositories.

With ShareFile, all user documents are encrypted in transit and at rest. IT can exert tight control with granular policies, similar to those of WorxMail, to prevent leakage of sensitive enterprise information and to wipe devices of sensitive files in the event a device is stolen or a user leaves the organization or changes roles.

ShareFile integrates tightly with WorxMail, allowing IT to define policies that limit the size of attachments. If an attachment exceeds the size limit, the message automatically provides ShareFile links instead. This limits global communication costs and the strain placed on the messaging infrastructure by large file attachments.

Figure 5: ShareFile integrates with XenMobile Worx-enabled apps, including WorxMail for secure file and document collaboration.

Finally, aside from WorxMail and WorxWeb, the Worx ecosystem provides an SDK that can add extensive mobile policy definition and enforcement to enterprise or third-party line-of-business applications, including Windows apps, whether they were built originally for mobility or not. Users can access the applications from the unified app store and, thanks to Citrix Receiver, IT can deliver a mobile experience for users while securing apps with policies added by the Worx SDK.

Conclusion

BYOD is here to stay. If your organization has not yet implemented BYOD, Citrix XenMobile solutions offer a comprehensive, enterprise-level ecosystem for deploying a complete strategy quickly, including devices, applications, enterprise access and secure file sharing. Not only can you get up and running faster with one solution than multiple point solutions, but XenMobile provides unparalleled flexibility for deploying a range of preferred access strategies that balance user satisfaction and flexibility with enterprise management, security and compliance requirements. The comprehensive solution Citrix offers not only gets you going fast, it also allows you to extend your BYOD capabilities according to the needs and constraints of your enterprise.

Corporate Headquarters: Fort Lauderdale, FL, USA; Silicon Valley Headquarters: Santa Clara, CA, USA; EMEA Headquarters: Schaffhausen, Switzerland; India Development Center: Bangalore, India; Online Division Headquarters: Santa Barbara, CA, USA; Pacific Headquarters: Hong Kong, China; Latin America Headquarters: Coral Gables, FL, USA; UK Development Center: Chalfont, United Kingdom

About Citrix

Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles, empowering people to work and collaborate from anywhere, easily and securely.
With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at

Copyright 2013 Citrix Systems, Inc. All rights reserved. Citrix, XenMobile, XenApp, XenDesktop, NetScaler, NetScaler Gateway, ShareFile, Citrix Receiver, WorxMail and WorxWeb are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.

1013/PDF