FAMOC Whitepaper. FAMOC. Enterprise Mobility Management.

Transcription

1 FAMOC Whitepaper FAMOC. Enterprise Mobility Management

2 EXECUTIVE SUMMARY As businesses strive to cope with the tremendous surge in mobile device and application usage, it has become essential to implement systems that allow real-time monitoring, management and data protection. In short, corporate and personal mobile devices need to be integrated into IT management and helpdesk solutions, and costs need to be managed. Failure to do so results in security and compliance issues, unnecessary operational expenditure and productivity leakage. Especially the issue of security policy compliance with regards to different operating systems, mobile devices and business applications in use, not to mention the Bring-Your-Own-Device strategies (BYOD), that are of great interest nowadays. FAMOC is one of Europe's leading MDM solutions on the market, and the most complete and flexible solution for mobile device lifecycle management. The system supports all major mobile device platforms, allowing Apple (iphone and ipad), BlackBerry (BES / BIS), Android, Symbian, Bada, Windows Phone, Windows Mobile, Java-enabled phones and HP / Palm WebOS devices to be centrally administered using one interface. FAMOC provides central management and control of all mobile devices, especially when it comes to the security policy enforcement, distribution of roles and permissions, connectivity and access configuration, location, billing, remote support and inventory of the entire smartphone fleet. FAMOC ensures that managing mobile devices remotely becomes quick, easy and error free; which also means that organization s smartphones and tablets are always working efficiently. Moreover, the company can easily migrate between different mobile devices. Remote Support feature allows the IT to immediately provide assistance and troubleshoot devices. Helpdesk can always reset a device password on request, newly set or delete the device data with a remote wipe. This increases the privacy and security while reducing IT effort and costs. User satisfaction increases significantly. Particularly noteworthy in FAMOC Mobile Device Management are simple and flexible deployment options (onsite/cloud-based), an infinitely scalable proxy functionality, full multi-tenancy and the seamless integration with company s internal and external infrastructure. In the expression of these decision-relevant criteria FAMOC mobile device management currently enjoys unique position in the market. Copyright by FancyFon Software Ltd. 1

3 Table of Contents 1 Establishing baseline Advantages Unique Selling Points Fast and Simple Roll-Out Multi-Tenancy BES Adapter Out-of-the-Box Anti-Virus Integration Effective Security Policy Enforcement and Monitoring Scalable and Configurable Proxy Functionality FAMOC Features General Features Server Functionality Devices and operating system support FAMOC Features Security Policy Management Application Management Data Backup and Migration Inventory (Asset Management) Real-time Remote Support / Helpdesk Configuration Management and Bootstrap FancyFonSecureSource Enterprise AppStore End-user self-care portal Integration Options BES Integration Active Directory / Open LDAP Web Services FAMOC Mobile Identity Management Apple's Volume Purchase Program (VPP) VPN Support Third Party Integration Copyright by FancyFon Software Ltd. 2

4 7 Infrastructure Protection Proxy Concept Certificate Management Jailbreak and Rooting Technical Overview System Architecture High Availability Virtualization System Requirements Hardware Requirementson the VMware ESXi Server Installation Requirements Hosted Solution Table of Figures Copyright by FancyFon Software Ltd. 3

5 1 Establishing baseline With the so-called IT consumerization, diverse devices started to enter enterprise environments. Corporate Mobility was an uniform landscape, it consisted mainly of BlackBerry devices, offering robust technology and guaranteed high security and reliability in the mobility infrastructure. The BlackBerry technology has been accepted as safe and could be operated economically with relatively little training and administration costs. It was hardly perceived as a separate cost of IT. But then the corporate mobile landscape changed abruptly. RIM, the Canadian manufacturer of BlackBerry, lost track of the mobility trends of the last 5 years and the BlackBerry became significantly less attractive. The executives in the company quickly made sure that much more attractive ios devices (iphone and ipad) found their way into the enterprise. It led the IT departments to take advantage of these new devices and to manage diversity. The same is happening now with the Android devices. Here, however, things become even more difficult, with many manufacturers of Android devices, the operating system is merely used to complement their own components, which leads to even greater fragmentation of the device landscape. Bring-Your-Own-Device (BYOD) In recent months there has been a huge spike in employees bringing their own smartphones and tablets to work; as a result, there is a whole list of new challenges for the IT department to address: What happens if an employee s personal smartphone is lost or stolen, which has sensitive corporate data downloaded onto it? What if the device isn t password protected? What happens if the employee leaves the organisation, having used their personal devices to store corporate data? How can this data be recovered? How can you prevent an employee accessing privileged information with a personal device, and passing it on to a third party? How can you protect against the employee s personal device from being hacked? Some companies allow employees to use their own device for everyday business. The cost, safety, and regulatory issues that caused this strategy are often not seen or hidden. Administrative expenses increased significantly, as the variety of devices in the enterprise to manage mobile devices increases immensely. The security risk for the company increases significantly. This can only be managed with an MDM solution that can handle all these platforms and firmware versions. Copyright by FancyFon Software Ltd. 4

6 What this scenario means for the IT department? Each mobile operating system (for Android - each manufacturer) needs its own management Solution (iphone Configuration Utility, the BlackBerry Enterprise Server, Microsoft Systems Management Server, HTC, Samsung, Motorola have their own management solutions, etc.) Assets are hardly controllable Intensive trainings for the IT administration Multiple support teams for the different systems Standalone security concepts for mobile platforms What this scenario means for enterprise security? Integration and implementation of a number of mobile security solutions (VPN clients, IT policies for BlackBerry, security policies for Windows Mobile devices, iphone Configuration Utility, etc.) In case of theft or loss of a device business-critical data is lost and cannot be cleared centrally. Even with BlackBerry and Windows Mobile devices where you can send a remote kill handheld command this is not guaranteed. If the thief / finder takes a different not Internet-enabled SIM card, the wipe will not be executed since it requires access to the data. Hardly manageable security risks in case of BYOD - if these devices are not included in a mobility management solution What does this mean for the cost? Rising costs, as more management solutions are in use Exponentially rising costs, with more operating systems supported Solution to the problem: FAMOC Mobile Device Management Enterprises need a centralized solution to manage diverse devices effectively. FAMOC Mobile Device Management responds to all of the previously mentioned challenges, enabling secure, centralized management and control of all mobile devices in a corporate environment. FAMOC supports all major mobile device platforms. Apple (iphone and ipad), BlackBerry (BES / BIS), Android, Symbian, Bada, Windows Phone, Windows Mobile, Java-enabled phone and HP / Palm WebOS devices are centrally administered under a single interface. FAMOC empowers IT, Security and Helpdesk departments to streamline asset administration, ensure data security, enhance mobile applications experience and improve overall productivity. With the solution, mobile structures expense management in the company is again manageable. Copyright by FancyFon Software Ltd. 5

7 Single point of control FAMOC is a single management solution to control your diverse and expanding mobile world: Central web-based management console Multiple mobile phones are correctly configured over the air in minutes via a single, web-based administration console Multi-OS support with automatic device and platform recognition RIM, Symbian, Apple, Windows Mobile, Android, Java-based feature phones, Samsung Bada, Nokia/Intel MeeGo, HP-Web OS and MS-Windows Phone 7 Multiple server management Enables the seamless synchronization and management of external servers, such as RIM BlackBerry Enterprise Servers (BES 4.x, BES 5.x), Lotus Domino, Exchange or SNMP Servers Multi-tenancy support FAMOC allows the creation of multiple units/departments with separate groups of users, allowing for multiple administrators, with varying levels of access privileges Multi-language support Enables multi-national environment management providing the flexibility of adding new language support to the system Scalability FAMOC is capable of coping and performing under an increased and expanding workload, allowing new devices and services to be added seamlessly and cost-effectively to fuel business growth Copyright by FancyFon Software Ltd. 6

8 2 Advantages FancyFon's MDM product is an award-winning solution with a number of unique features, which include out-of-the-box antivirus protection, in-depth security features for the Android platform, Remote Access to devices screen and keyboard for a range of platforms including Android. Our solution is flexible, offers and API for easy integration with existing customer portals as well as other 3rd party solutions. This powerful administrative interface provides centralized cross-platform administration of mobile devices with all applications and configurations and provides for the enforcement of existing company policies and safety standards to the entire inventory of mobile devices. FAMOC enables customers to optimize costs, whilst centralizing and simplifying the processes associated with managing a mobile business environment. FAMOC advantages Flexible deployment options Platform constantly verified by numerous customers in Europe since 2009 Support for all major mobile platforms Unified management interface with a precise overview of all mobile devices Seamless integration with corporate infrastructure (including BES integration and management) Continuous backup of mobile data with cross-platform data migration Real-time and automatic inventory Effective security policy enforcement and monitoring with advanced security features Out-of-the-box anti-virus integration (powered by Webroot) Unrestricted proxy functionality Remote Access for support and troubleshooting (incl. Samsung and other Android devices) Scalability Streamlined administration procedures Reduce equipment downtime Efficiency / cost savings Copyright by FancyFon Software Ltd. 7

9 3 Unique Selling Points FAMOC mobile device management features and outstanding decision-relevant features that are currently not available in this form in any other solution on the market. FAMOC unique selling points include: Fast and simple roll-out Scalability and multi-tenancy Advanced enterprise and security Android features BES integration (BES and BES Express) Native Windows Phone 8 support Out-of-the-box anti-virus integration Effective security policy enforcement and monitoring Configurable proxy functionality High availability hosting FAMOC mobile device management is characterized by extremely rapid update cycles. The solution is continually being developed and adapted to the demands of the market and users. Frequent Software updates come out in two to six week rhythm frequency and are provided to users free-ofcharge. 3.1 Fast and Simple Roll-Out FAMOC ensures simple integration with internal enterprise infrastructure but also a seamless and fast MDM solution roll-out. Users, devices or SIM cards are added to the platform upon a file import or external server synchronization. The next step is the installation package send-out. After FAMOC client components installation, devices automatically start reporting to FAMOC server. Security policy implementation and enforcement is as simple as that. 3.2 Multi-Tenancy From just 100 users, it may be necessary that an MDM system should be multitenant. FAMOC Mobile Device Management provides full multi-tenancy support, which means that the system allows to manage an unlimited number of structures with different permissions and prerogatives. Copyright by FancyFon Software Ltd. 8

10 The system enables: Management of devices from different companies within corporations or business group from a single console Management of end-points of subsidiaries and branches Management of devices from different areas and departments Management of devices from different IT structures(ldap / Active Directory) Management of the devices with different PIM connections(ms Exchange, Lotus Notes, Novell GroupWise) Management of devices from different BlackBerry Enterprise Server structures FAMOC provides seamless integration with various LDAP / AD structures and allows management of different levels of hierarchy with multiple VIP structures. For example, IT service providers are able to manage infrastructures of multiple customers within a single console. Additionally, separate structures can be created for different functional needs e.g. accounting, asset administration, security controlling. The data of FAMOC MDM system can be freely scalable and passed via web services to other monitoring and enterprise systems. Specific data from FAMOC can be passed to external systems, some other can be extracted from external systems and displayed in FAMOC console. Equally significant is the fact that the system administrator can quickly and easily create licenses for each client, which limit the duration and number of devices. The multi-tenancy with FAMOC MDM is available both in the hosted/cloud solution as well as inhouse solution. Figure 1Adding organizations Copyright by FancyFon Software Ltd. 9

11 Figure 2Adding new institution 3.3 BES Adapter When integrated with the BES adapter, FAMOC allows management of complex mobile device infrastructures with full BES integration. The BES-adapter is a standalone appliance which supports the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express. FAMOC provides full BES support and the possibility to integrate with multiple BES servers, enabling consolidating the infrastructure under a single interface. The difference from other MDM solutions is that FAMOC not only collects BES data, but fully integrates BES servers into the system allowing multiple BES servers to be managed centrally from FAMOC MDM interface. The BES-adapter is also available in the hosted solution. Like all other features, the BES adapter is an integral part of the solution - a free option for users. Copyright by FancyFon Software Ltd. 10

12 BlackBerry management capabilities With the management capabilities of FAMOC for BlackBerry, BlackBerry smartphone users experience the following features from FancyFon: Integration into multiple BlackBerry Enterprise Servers to provide a single point of control and remove administrative complexity BES users management enabling auto-activation of users, bulk operations on multiple BES servers, and quota monitoring Remote application installation and device configuration empowering remote software installation, data synchronization, configuration of parameters, and corporate policy deployment Backup and restore of BlackBerry contacts, calendar information and other defined data and files, over the air, initiated by the BlackBerry user or centrally by an administrator Security enhancement and regulatory compliance including secure data migration, corporate policy implementation, benchmark policy creation, the configuration or wipe of all BlackBerry handsets, and the remote wipe of a handset s SD card when required Over the air troubleshooting and user support to reduce staff downtime, speed diagnosis and problem resolution, and ensure that staff have constant access to crucial data and resources, irrespective of time and place 3.4 Out-of-the-Box Anti-Virus Integration FAMOC provides the best-of-breed antivirus protection thanks to integration with Webroot. With Android devices proliferating across corporate mobile environments and being heavily targeted by hackers, having an effective anti-malware solution is crucial to corporate data protection. The out-of-box anti-virus solution extends the set of unique features for Android devices, including in-depth security management and Remote Access to devices screen and keyboard, providing the next decision-relevant feature and a significant competitive advantage. 3.5 Effective Security Policy Enforcement and Monitoring FancyFon fully understands the importance of mobile device security, and is at the forefront in developing state of the art security solutions. FAMOC security management ensures an unparalleled level of security support across multiple platforms, managed centrally, over the air, empowering IT administrators to easily address all the new challenges of enterprise mobility management. Copyright by FancyFon Software Ltd. 11

13 3.6 Scalable and Configurable Proxy Functionality FAMOC provides extremely flexible configuration possibilities of the proxy structures. FAMOC identifies devices using IMEI, serial numbers, UID or Exchange ID. In case a device that attempted to connect to Exchange could not be identified, is stolen or unmanaged, FAMOC generates alerts or disables access to such device. Available access policies that can be used with the main policy: Allow access for devices managed in FAMOC Allow access for device which last contact was not earlier than Allow access for devices from whitelist Block access for devices that report blacklisted applications Block access for jailbroken devices. For more information refer to section 7. Copyright by FancyFon Software Ltd. 12

14 4 FAMOC Features 4.1 General Features User-friendly interface Single point of control over the entire mobile infrastructure Unified management interface for all mobile platforms Support for different mobile devices (iphone / ipad, BlackBerry (BES / BIS), Symbian S60,Windows Phone, Windows Mobile, Android, Bada, Java enabled phones, HP / Palm Web OS and more) Wizard for initial use and administration console setup Enforcement of existing company policies to mobile devices Seamless deployment, integration and activation of business applications Inventory of the mobile environment (some data uploaded with automatic device detection) Expense monitoring with integrated billing module Cross-platform data migration (e.g. address book, applications, settings) Global real-time remote support for end-users Unrestricted scalability with BYOD scenarios Comprehensive reporting Multilingual interface 4.2 Server Functionality Scalable integration with external enterprise management systems (such as IBM Tivoli / Netcool and all other with SOAP / SNMP integration) through Web Service interface and SNMP User management (management of different divisions, different LDAP / Active Directory structures, integration of various proxy capabilities, different terminals hosted) full configurability of the proxy functionality (in customer's own environment or combined) Integration of different CA-hosted structures (in customer's own environment or hosted) BES integration (via the BES adapter - can be hosted at customer's own infrastructure and managed directly from FAMOC console) Group-based rollout of applications and configurations Available as a hosted version or as an in-house solution TouchDown support High availability - in-house or hosted WebService integrations Copyright by FancyFon Software Ltd. 13

15 4.3 Devices and operating system support Android Apple ios RIM BlackBerry Windows Phone Symbian S60 Symbian UIQ, Windows Mobile Java Samsung BADA Nokia/Intel MeeGo HP/PALM WebOS Copyright by FancyFon Software Ltd. 14

16 5 FAMOC Features FAMOC is a powerful solution for mobile environment management. Its functionality is divided into the following modules: Security policy management Application management Data backup and migration Inventory (asset management) Real-time remote support / helpdesk Configuration management and bootstrap FancyFon SecureSource Billing module Enterprise AppStore End-user self-service portal An MDM system requires constant maintenance, development and adaptation. FAMOC is subject to a continuous and very short innovation cycle with functionality developed accordingly to customers needs. The solution is not static; it grows with the market and in the interaction with the users. FAMOC is a web-based management console, therefore no software to be installed on the systems of the user. Figure 3Dashboard Copyright by FancyFon Software Ltd. 15

17 5.1 Security Policy Management FAMOC security management implements corporate security policy allowing differentiated access rules for groups and shared data including pre-defined user profiles. Moreover, the solution allows for end-to-end certificate lifecycle management, also via integration with existing corporate Certificate Authorities. If a mobile device is lost or stolen, FAMOC can remove all applications and sensitive data, over the air, to prevent any security breaches. If, on the other hand, an employee leaves the organization or breaches security policy, the administrator can select and wipe only the sensitive corporate data from the device. Also, if the system detects an unauthorized SIM card, the device can be locked and wiped. The system ensures secure communication between the server and mobile devices, protects stored data and enables seamless corporate policy deployment. Figure 4 Configurations repository Copyright by FancyFon Software Ltd. 16

18 FAMOC security management quick feature guide CONNECTIVITY CONFIGURATION Browser and APN restrictions - sets parameters around approved and forbidden Internet connections, configures corporate APN usage VPN configuration - provides over-the-air VPN connection configuration to company mail servers for predefined groups of users Anti-virus application management - enables the installation, configuration and administration of antivirus applications on mobile devices Bluetooth monitor - blocks Bluetooth connectivity, preventing unauthorized data transfer Certificate management - a unique system that uses individual certificates for each device, with a remote invalidation option. When transferring data between your phone and FAMOC server, the certificate request comes from the device, the key never leaves the device, so it is not possible to impersonate the device by copying the certificate DATA PROTECTION & BACKUP Data encryption - encrypts all drives on the devices, including removable media, preventing data to be removed from the device Data security management improves security, prevents messages being moved, blocks the use of 3rd party account, automatically rejects untrusted certificates, manages application installer, enforces password for itunes, controls icloud Password policies - remotely enforces password protection, defining complexity and the regularity of changes Auto-lock - ensures the user is automatically logged out, or the phone is locked, after a specified period of inactivity Data backup/restore - enables automated and encrypted backup sessions to be performed, with cross-platform data restore eliminating the risk of losing critical data on the handset Data wipe - automatic full or selective wipe settings for the mobile device and memory card if the device is lost or stolen, or if a wrong password is entered, or if the SIM card is changed (even with no Internet connectivity) Copyright by FancyFon Software Ltd. 17

19 DATA ACCESS CONTROL Containerization & BYOD provides a clear distinction between corporate and privately owned devices with separate policies based on the ownership of the device Access rules for specific groups or departments - predefines user profiles, loads sets of shared data for different work groups Exchange Proxy real-time EAS traffic control between mobile device and Exchange server with automatic access denial for devices that are: - Lost / stolen - Not reporting to the server for a predefined period of time - Not in compliance with the policy (e.g. contain a blacklisted application) Application password protection - empowers administrator to block access to an application with a lock code or administrator password, Secure access to corporate file server via SecureSource enables ipad users to securely access documents that are stored on the corporate server. With SecureSource, documents are only available in the mobile device s temporary memory during the session, and all documents are automatically wiped from memory when connection is terminated. No traces of documents are available on the device, therefore if the device is lost or stolen there is no risk of data leakage. In addition, the entire communication and file access trail is logged for audit purposes. USER RESTRICTIONS Installation restrictions - ensures that employees aren t installing inappropriate or unsafe applications, or uninstalling business critical applications or data Application blacklist - manages lists of forbidden applications for download, preventing the mobile phone coming under attack from malware, spyware or viruses Device functionality restrictions sets restrictions around the use of mobile device applications, such as use of the web browser, or the phone s camera REAL-TIME MONITORING AND ALERTS Instant alerting in case of security threats: - SIM card change - Devices nor connected to server - Stolen/lost devices - Breaks in regular backup - Jailbreak Instant reaction when security is breached: - Remotely lock device - Automatically wipe on X password attempts or SIM change - Identify device location Copyright by FancyFon Software Ltd. 18

20 5.2 Application Management FAMOC application management automatically discovers and reports on the organization's mobile device inventory, providing a real-time view of all applications, and information on their health and usage. Moreover, FAMOC empowers administrators to easily manage a corporate application repository and integrate it with external AppStores (Apple Volume Purchase Program support). Offering the highest standards of security management, FAMOC provides full control over the applications installed on end-users devices (e.g. blacklisting, whitelisting, installation restrictions) and ensures secure communication, configuration and data protection for all business apps used within an organization (e.g. passwords and challenge response authentication). Figure 5Application repository FAMOC application management quick feature guide REMOTE APPLICATION ADMINISTRATION Enables scheduled actions to single users and groups of devices (predefined intervals of operations, off-peak time actions) Ensures seamless application provisioning and installation as well as service activation Manages over-the-air application configurations and upgrades Provides scheduled or ad-hoc backup and restore of application data Tracks device software performance BYOD support with only business apps installation and management Enables remote application uninstall, service deactivation and device clean-up Provides remote application start Offers a keep software alive option ensuring that the crucial business apps is constantly active and automatically restarts when necessary Copyright by FancyFon Software Ltd. 19

21 CORPORATE APPSTORE Easily manages corporate applications repository Allows integration with external AppStores (VPP support) Provides users to access the corporate AppStore directly from their devices APPLICATION SECURITY MANAGEMENT & MALWARE PROTECTION Enables user installation restrictions Manages a blacklist of unauthorized applications, preventing the mobile phone coming under attack from malware, spyware or viruses Ensures anti-virus application management Enforces application password protection, empowering administrator to block access to an application with a lock code or administrator password Offers challenge response authentication for application access (on-mobile token) REMOTE DIAGNOSTICS Provides visibility into ongoing application performance Discovers running applications Monitors critical application parameters Identifies root cause of performance issues and facilitates problem resolution Copyright by FancyFon Software Ltd. 20

22 5.3 Data Backup and Migration With the continuous backup, crucial data is protected permanently and can be immediately recovered in case of device loss or hardware failure. Additionally, FAMOC allows cross-platform data migration. Thus, a user without losing any data and at no additional expense can easily switch from a Nokia device to a BlackBerry smartphone. Data backup function requires a client component that transmits the collected data to the backup server. The backup server must therefore have sufficient storage capacity. Currently, not all mobile platforms, support this function FAMOC. The compatibility is dependent on the current technical specifications of your platform manufacturer. A detailed overview is offered by the technical specification. Figure 6Data import Copyright by FancyFon Software Ltd. 21

23 5.4 Inventory (Asset Management) FAMOC detects, stores and reports on a mobile device fleet, no matter how large or fragmented, building a library of information about company assets, including hardware, software, SIM cards, users and processing information. Thus the solution gives a real time view into the organization s mobile environment, and is a highly useful resource for future planning. Figure 7Device inventory Figure 8 Single device view Copyright by FancyFon Software Ltd. 22

24 5.5 Real-time Remote Support / Helpdesk The helpdesk integration and the associated Remote Access is an essential part of FAMOC mobile device management. FAMOC Remote Access is a highly secure and easy to use solution that troubleshoots mobile devices over the air, empowering the administrator to take remote control of mobile devices over a data connection (e.g. GPRS/EDGE/3G, WiFi), to view the device screen and use the device keyboard. Over the air end user support with speedy diagnosis and problem resolution translate into a reduction of overall IT departmental costs, acceleration of new service adoption, a decrease in device downtime and an increase in workforce efficiency. It is possible to set alarms function via , SMS, and SNMP for individual users or groups of users in various cases such as an immediate information in case of detecting jailbreak, rooting or a blacklist application on a managed device. Figure 9 Remote Access panel Copyright by FancyFon Software Ltd. 23

25 5.6 Configuration Management and Bootstrap FAMOC enables administrators to perform all tasks related to over-the-air configuration provisioning, and supports a wide array of devices and operating systems. The solution tracks data for both individual assets and the entire system (version and model number, baseline performance, relations to other assets), empowering the remote configuration of parameters and corporate policy deployment. FAMOC allows the configuration of general settings for specific departments. This can be done using operation packages, which may consist of FAMOC client components, policies, applications and text messages. Figure 10 Package configuration Bootstrap functionality On the bootstrap page mobile devices can quickly, easily and safely enroll to FAMOC. The page provides administrator with various ways of adapting to different requirements in the following areas: Design: - Adjustable link (based on the server name), page title, page title and welcome text - User authentication to AD, local user, password, or OTP password Installation methods: - Configurations and applications that should be installed with the Base Agent - Group-related assignments, so that complex structures can be mapped easily It is possible to prepare different installation packages for different operating systems. User is allowed to select between different sets, but the system also provides automatic platform detection. Copyright by FancyFon Software Ltd. 24

26 5.7 FancyFon SecureSource FancyFon SecureSource addresses the growing requirement from organizations to provide their mobile workforce with secure access to corporate documentation. SecureSource enables mobile workers to use tablets to access documents that are stored on the corporate server, however documents are only available in the mobile device s temporary memory during viewing, and all documents are automatically wiped from memory when connection to SecureSource is terminated. In addition, SecureSource is designed to auto-lock after a predefined period of time, to block access to documents in third party applications (to prevent forwarding or printing, etc.), and also to report on any attempts to open the documents in third party applications. Devices with SecureSource will not store corporate documents. Even in case of device loss or theft, sensitive data is protected. Additionally, all mobile access to documents is recorded by the system which is useful when tracking compliance. By harnessing the power of both FancyFon FAMOC and FancyFon SecureSource, organizations can embrace the productivity improvements that BYOD offers, without breaching corporate security policy or putting any sensitive corporate data at risk. Secure View is currently available for ipads. Android tablets are on the roadmap. Figure 11FancyFon SecureSource Copyright by FancyFon Software Ltd. 25

27 5.8 Enterprise AppStore FAMOC empowers administrators to push apps over-the-air, create specific enterprise AppStores and to integrate the system with external AppStores. FAMOC allows to create a number of various corporate stores and assign group of users to them. The corporate stores repository includes all applications unlocked for the company. Employees can install apps directly on the device. There is no intervention from IT necessary, which reduces the administrative efforts. Figure 12Corporate AppStore in FAMOC Copyright by FancyFon Software Ltd. 26

28 Figure 13Corporate AppStore on device 5.9 End-user self-care portal FAMOC empowers end-users to remotely manage their devices using a web-based administrative console. An intuitive self-care panel provides a real-time view into device parameters, easy access to corporate AppStore, data backup and migration in case of a device upgrade and prompt reaction in case of a device loss or theft (location, remote device lock, data wipe) which frees up valuable IT and helpdesk resources. Each user can log in with his password on that site and it view all the devices he is assigned to. Thus, every user has the option, for example to create backups, restores, perform or to install or uninstall applications. In the security tab, each user can delete his own unit and report lost as stolen / if the helpdesk e.g. unavailable. Copyright by FancyFon Software Ltd. 27

29 FAMOC end-user self-care quick feature guide Application management Real-time view info application installed on the device Tracking software requiring update User-friendly application installation or removal Direct access to corporate AppStore Data persistence Encrypted backup session (scheduled / ad-hoc) Cross-platform data restore Data migration in case of device upgrade Instant reaction in case of data security threat Remote device lock OTA data wipe Identifying device location Figure 14End-user self-care portal Copyright by FancyFon Software Ltd. 28

30 6 Integration Options FAMOC seamlessly integrates with enterprise infrastructures through: BES integration allows to integrate with multiple BES servers, enabling consolidating the infrastructure under a single interface Directory services - allows Open LDAP or Active Directory server to be added or synchronized to FAMOC, which is quick and safe even when using a hosted version. The number of lists to be integrated with FAMOC is unlimited. Web Services - allows integration of external applications with FAMOC services using SOAP protocol. The freely scalable web service enables data transfer from the FAMOC MDM system in any third-party systems. Apple's Volume Purchase Program (VPP) FAMOC allows application redemption codes for Apple Volume Purchase Program to be applied in the console. VPN concept FAMOC provides scalable VPN functionality, which is particularly important for hosting. Third party integrations -Lotus Domino, Exchange / ActiveSync or other solutions can bind to the FAMOC and easily integrate with the system. Imports - allows the administrator to perform bulk imports of users, groups, SIM cards, devices to FAMOC 6.1 BES Integration FAMOC supports BlackBerry Enterprise Server integration in hosted and onsite version. The platform seamlessly integrates with multiple BES servers, providing a significant simplification of the mobile assets administration. 6.2 Active Directory / Open LDAP FAMOC can integrate existing user directories that are created in Open LDAP or Active Directory into the system. This simplifies significantly the administrative procedures - especially when managing large numbers of devices. Synchronizing FAMOC with an existing Open LDAP or Active Directory starts with establishing a connection. FAMOC provides flexibility in this matter: User authentication can be done on the LDAP Secure connections and import interval scan be specified Different LDAPs can be included, allowing very granular configurations Copyright by FancyFon Software Ltd. 29

31 Figure 15LDAP synchronization The next step is class and attribute names mapping. Formatting schemes and replacement values can facilitate the import significantly. Additional tab allows group mapping. Figure 16Data mapping After saving the settings, it is possible to test the connection. A list of users is displayed and it is possible to change settings in case errors occur. If data import is displayed correctly, the synchronization may be activated. After the initial import, a synchronization interval is set, so that any changes in AD or LDAP are also available in FAMOC. Copyright by FancyFon Software Ltd. 30

32 After importing data, creating connections are displayed in the import repository. Administrator can view all the details of the connection: when was it set, data of last an the next synchronization, synchronization interval, LDAP server address, login, users and groups information. Connections can be edited and deleted and the import can be triggered manually at any time. LDAP and AD synchronization is available both in an onsite and a hosted version of FAMOC. In each scenario, external structures over VPN may be connected to the FAMOC. 6.3 Web Services FAMOC supports WebService bindings, allowing both passing data to any other system and extracting the data by third party systems. This ability is essential for the effective use of an MDM system in many companies and industries. An MDM solution must be sustainable and be prepared for all possible scenarios. IT is in a continuous evolution, which does not stop with the introduction of an MDM system. Ticket systems are modified, supplemented or replaced by new solution, systems for billing control need to be tied, monitoring systems should provide comprehensive top-level information, etc. When adding an MDM solution to an enterprise infrastructure, such feature clearly speeds up the process. Especially as there are often different regulations and requirements in individual divisions. Therefore, an MDM system should provide data in a simple and a heterogeneous manner to meet the individual needs of the affiliates. If you want to install an MDM solution in such a scenario, not in an individual company, it should offer a granular and scalable multi-tenancy. Administration of mobile assets should be centralized and integrated with other external systems. 6.4 FAMOC Mobile Identity Management FAMOC Mobile Identity Management enables cross-platform administration of user identities and certificates. Certificates can be generated and provided remotely allowing the administrator to efficiently protect sensitive data without user interaction and with the maximum level of data encryption and security. The exact workflow in FAMOC Mobile Identity Management is as follows: The administrator initiates the process in the FAMOC Web Interface Creation of CSR (Certificate Signing Request) on the device is performed automatically on the device The CSR is sent from the device to FAMOC server (important: only the CSR is sent, the key used to generate the CSR remains only on the device) The CSR is passed to the integrated CA server The CA server generates the actual certificate The newly created certificate is sent out to the device and installed Copyright by FancyFon Software Ltd. 31

33 FAMOC Mobile Identity Management is a unique feature which makes identity and certificate management integrated, unified and secure. 6.5 Apple's Volume Purchase Program (VPP) FAMOC supports the integration of Apple's Volume Purchase Program (VPP). With this feature, companies can purchase licenses from Apple and apply application redemption codes via the console. Summary of key information about the use of VPP with FAMOC MDM: Companies are required to register for an Apple ID, for example [email protected] Purchasing applications via VPP is the only way to distribute paid applications to corporate ios devices The company needs to decide how the payments are made. Currently, major credit cards and Click & Buy can be used for payment of direct debits. The delivery of licenses takes in some cases up to an hour. It usually takes less than 10 minutes, often less than 5 minutes. 6.6 VPN Support FAMOC provides scalable VPN capabilities: Hosted solutions are seamlessly integrated into the user VPN network Communication on the SSL or VPN channel is complete (AES or 3DES encryption from 256 bits). Moreover FAMOC Mobile Device Management provides a scalable VPN functionality which means that each VPN can be integrated directly with the server. It supports all currently available VPN technologies for the integration of the MDM server into existing infrastructures. 6.7 Third Party Integration FAMOC enables scalable integration with external Enterprise Management Systems (for example IBM, Tivoli, Netcool). Similarly, allows BES, BES Express, Lotus Domino, Exchange and Active Sync to be integrated into the MDM system. Data can be exchanged via SOAP, SNMP and XML protocols with any systems. Users, groups, devices and SIM cards can be imported and partly exported from existing repositories to.csv format. Copyright by FancyFon Software Ltd. 32

34 7 Infrastructure Protection This section describes the level of data protection in FAMOC. Among other topics the following items are described in this section: Scalable proxy functionality Integrated Certificate Management (CA) Jailbreak and Rooting 7.1 Proxy Concept Existing proxy server can be easily integrated into the MDM system and the proxy elements of FAMOC can be flexibly configured, which is of great importance for fail-safe operations. The advantage of unlimited configurability of proxy functionality is that the MDM is able to keep pace with the constant growth and dynamic changes of the mobile infrastructure, which is of utmost importance, especially for complex DMZ scenarios and in case of hosted implementations. The solution consists of at least one ActiveSync proxy running in the DMZ. Moreover, there is a possibility to install Fail Over proxies. Modular proxies can be operated via FAMOC. Figure 17Proxy concept The FAMOC proxy server is one of the most powerful solutions in the market, and it is optimized to control and protect mobile access to corporate data. The proxy server identifies the device prior granting access and additionally filters devices via whitelisting and blacklisting features. Copyright by FancyFon Software Ltd. 33

35 7.2 Certificate Management For an even more secure mobile infrastructure, FAMOC offers a unique system that uses individual certificates for each device, with a remote invalidation option. When transferring data between a phone and FAMOC server, the certificate request comes from the device, the key never leaves the device, so it is not possible to impersonate the device by copying the certificate. This tab displays a list of installed certificates along with their details and allows to generate and install, renew or revoke a certificate on the device. FAMOC certificate management allows the integration of any number of CAs on each FAMOC server - not only on the server level but also on the level of individual clients and / or organizations. In this way, complex certification scenarios can be implemented. Figure 18Certificate management 7.3 Jailbreak and Rooting Jailbreak and rooting are technologies allowing to overcome limitations imposed by device manufacturer. Even though such practices are not illegal, they may pose threat to mobile infrastructure and are usually incompliant with enterprise security policy. Therefore, a reliable MDM system should detect jailbreak and rooting on mobile devices and instantly alarm administrator. FAMOC ensures reliable jailbreak and rooting recognition. Copyright by FancyFon Software Ltd. 34

36 8 Technical Overview 8.1 System Architecture FAMOC comprises of a central repository that collects all data concerning the mobile ecosystem, and client components designed to enable the efficient management of a mobile device through its lifecycle. The FAMOC server is at the heart of the solution, providing the device inventory, managing communication with mobile devices, and handling the administration sessions via a web-based GUI. FAMOC server components may consist of more than one physical server, depending on the configuration, additional fail-over, and a load-balancing or database server maybe included. The solution can be implemented as either a hosted service or installed behind the firewall. FAMOC client components are lightweight software applications, installed over the air on smartphones to communicate with the server via secure data connections. Each application performs a different set of functions, such as remote installations and configurations deployments, device parameter collection, performing data backup and restore, locating devices or launching a remote access session. Figure 19FAMOC architecture 8.2 High Availability To ensure high availability of FAMOC, failover setup is recommended. This setup combines both application server processes and the database server as a pair. (See also the comments on the High Availability in section 3) Copyright by FancyFon Software Ltd. 35

37 9 Virtualization FAMOC is provided as a virtual appliance on VMware 4.x and 5.x. The virtual appliance is an OVF template imported into the existing structure of VMware and finally adjusted to the network. Copyright by FancyFon Software Ltd. 36

38 10 System Requirements FAMOC MDM is delivered as an appliance in the form of VMware images. The user must have a VMware infrastructure. FAMOC MDM uses CentOS 6.3.x, which for the user, however, is not noticeable, as the product is used as an appliance via web interfaces. Application systems of the appliance: Apache 2.x MySQL 5.x Using FAMOC requires additionally an SMS gateway, which is included at no extra charge: Kannel Gateway (Open Source Solutions) This can be installed on the FAMOC Server or on separate hardware Contract with an SMS Provider Several vendors are supported, including Clickatell, SMSGlobal, Mach and many others. Integrating existing SMS gateway is to be checked individually. Copyright by FancyFon Software Ltd. 37

39 11 Hardware Requirements on the VMware ESXi Server The hardware requirements for the virtual machines are 2 CPU cores, 2 GB RAM and 100 users, then for every 100 users 1 GB more. The hard drive size is set to 20 GB and 30 GB and can be expanded up to 256 GB. For intensive use, we recommend to connect an external storage system, which can be increased if necessary. Copyright by FancyFon Software Ltd. 38

40 12 Installation Requirements Fully qualified domain name for the FAMOC Server License file Server certificates - In PEM (preferred) or PKCS12 format Network Requirements - DNS - Static IP address for FAMOC Server - Routing settings - Incoming Connections: open firewall ports (HTTP, HTTPS + Remote Access: 11009) - Outgoing connections: APNs, GCM, HTTPS, SMS connections - Service Provider via http (e.g. Clickatell Central API account) - SMPP connection to the service provider Push Services - Apple APNs certificate - Registration for Google push service Copyright by FancyFon Software Ltd. 39

41 13 Hosted Solution FAMOC Mobile Device Management is available also as a hosted version. The hosted solution provides the same functions as the in-house solution. The connection with the enterprise servers must be followed to the FAMOC mobile device management solution via VPN and can be requested in individual cases. Copyright by FancyFon Software Ltd. 40

42 Table of Figures Figure 1Adding organizations... 9 Figure 2Adding new institution Figure 3Dashboard Figure 4 Configurations repository Figure 5Application repository Figure 6Data import Figure 7Device inventory Figure 8 Single device view Figure 9 Remote Access panel Figure 10 Package configuration Figure 11FancyFon SecureSource Figure 12Corporate AppStore in FAMOC Figure 13Corporate AppStore on device Figure 14End-user self-care portal Figure 15LDAP synchronization Figure 16Data mapping Figure 17Proxy concept Figure 18Certificate management Figure 19FAMOC architecture Copyright by FancyFon Software Ltd. 41