Technical Brief
Managing enterprise email in a mobile world
Going beyond ActiveSync to address enterprise mobile mail security and management challenges with Kony EMM

ActiveSync for Enterprise
ActiveSync is a mobile data synchronization protocol developed by Microsoft. It is included in MS Exchange and is also available for alternate email systems such as Notes and GroupWise through add-on tools. It synchronizes data with mobile devices by maintaining a push delivery system for the email, contacts, calendar, notes, and task data the user sees in their Outlook (or equivalent) mail client. While ActiveSync handles the data traffic itself (and secures the data in transit over TLS), most enterprises struggle with the lack of management around it. For example, even something as basic as enumerating every device that is receiving enterprise data over ActiveSync requires scripting against each mailbox rather than a built-in report. Just as importantly, there is no simple system for assessing the risk of a given mobile device and automatically allowing or denying it access to the mail environment based on that assessment. Automating ActiveSync security is usually the starting goal that leads an enterprise to evaluate a mobile device management solution. This process typically entails finding solutions for four distinct areas around mobile email.
1. Defining mobile compliance
Before you can start enforcing rules, you have to define what the rules are. Defining the rules means having a guide to what can be controlled, and having a system to create the rules you want. MS Exchange allows for some basic device security through ActiveSync mailbox policies, such as requiring a passcode before a device connects. There are two problems. First, the choice of controls is limited. Second, Exchange cannot verify that a control is actually in place: the mail client self-reports that it applied the policy, so an app can acknowledge a passcode requirement to the Exchange server without ever enforcing it on the device. Kony has a solution to this problem. An administrator with a Kony EMM implementation has a comprehensive suite of tools to define what they want to require of a device before it can touch enterprise data. The Kony rules wizards provide support for multiple platforms, recognizing that different platforms have different risks and different capabilities for control.
[Figure: Example 1] [Figure: Example 2]
2. Enforcing a mobile compliance policy
A mobile compliance policy isn't useful unless it can be effectively enforced. Kony EMM allows an admin a wide range of choices on how to enforce policy. When the Kony EMM system determines that a device is out of compliance, the actions that can be taken automatically are:
- Alert the admin
- Alert the user
- Block email access for the specific device
- Wipe all enterprise data from the device
- Wipe only enterprise app data from the device
- Complete wipe of the device back to factory-new condition
Actions can be linked. For example, say an admin has forbidden Angry Birds from being installed on a user's device. The user didn't have Angry Birds when they enrolled, but they have installed it since. An admin could have the user notified first that they have a forbidden app, with instructions to remove it or an enterprise wipe will happen in five minutes' time. If the user does not remove the app in the time specified, the device has all its enterprise data automatically removed, and an email alert is sent to the admin. Any combination of linked actions is possible, allowing for a robust, customizable enforcement model.

3. Automating compliance policy enforcement for ActiveSync
Without Kony EMM, ActiveSync access is a per-mailbox on/off switch. An admin can either keep it globally on for all users, off for all users, or manually enable it user by user. This does not scale to a secure environment that protects corporate data. Kony EMM is integrated directly with the Exchange ActiveSync PowerShell cmdlets. This removes the administrative burden of maintaining ActiveSync on/off settings by hand, and instead leverages the Kony EMM solution to automate the process. Without adding any new appliance or software to the mail path (or making any changes to the mail environment), the Kony server prevents all unauthorized devices from communicating with ActiveSync.
The PowerShell integration allows the Kony server to toggle those ActiveSync on/off switches automatically, user by user and device by device, based on compliance with the designated mobile policy. For example, a device that has not enrolled with Kony EMM has not been validated as compliant, so ActiveSync for that device remains off at the server level. Users first must enroll with the Kony EMM server, which checks the device for compliance (not jailbroken, etc.) before telling the Exchange server to allow communication with that specific device. Mail access can be automatically blocked for a specific device if that device falls out of compliance at any time, and access is automatically restored once the device is compliant again.
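The following script is an added example of the server-side model the two paragraphs above describe: a default deny for devices no one has evaluated, with per-mailbox allow lists that hold exactly the device IDs an EMM server has found compliant. It is not Kony's code and does not show how Kony EMM is implemented; it uses only the built-in Exchange Management Shell cmdlets (Exchange 2010 SP1 or later, which added the organization-wide default access level). The $EnrolledDevices table is a constructed stand-in for the EMM server's compliance inventory, and the aliases and device IDs in it are invented for illustration.

```powershell
# Added example (not Kony code). Run in an Exchange Management Shell session
# on Exchange 2010 SP1 / 2013. $EnrolledDevices stands in for the EMM server's
# inventory of devices that have enrolled and passed the compliance check;
# every alias and device ID below is constructed sample input.

$EnrolledDevices = @{
    'jdoe'   = @('ApplF2LX1234ABCD', 'SEC1A2B3C4D5E6F')
    'asmith' = @()   # enrolled once, but no device is currently compliant
}

# 1. Inventory: list every ActiveSync partnership in the organization,
#    which is the "which devices are receiving our data" report that
#    Exchange does not offer as a single built-in view.
function Get-AllEasPartnerships {
    Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
        ForEach-Object {
            $mbx = $_
            Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
                Select-Object @{n = 'User'; e = { $mbx.Alias }},
                              DeviceID, DeviceType, DeviceModel, LastSuccessSync
        }
}

# 2. Default deny: a device the EMM server has never evaluated cannot form a
#    partnership. Per-mailbox allow lists (step 3) are "personal exemptions"
#    and take precedence over this organization-wide default.
function Set-EasDefaultBlock {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
}

# 3. Reconcile one mailbox so that exactly the compliant, enrolled devices are
#    allowed. Set-CASMailbox replaces the whole allow list, so always write the
#    complete desired set instead of appending one ID at a time.
function Sync-EasAccess {
    param(
        [Parameter(Mandatory)] [string]   $Alias,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $CompliantDeviceIds
    )
    $desired = @($CompliantDeviceIds | Sort-Object -Unique)

    if ($desired.Count -eq 0) {
        # Nothing is compliant: clear the exemptions so the org default (Block)
        # applies to every device this user owns. Access comes back
        # automatically the next time a compliant ID is written here.
        Set-CASMailbox -Identity $Alias -ActiveSyncAllowedDeviceIDs $null
        return
    }

    $current = @((Get-CASMailbox -Identity $Alias).ActiveSyncAllowedDeviceIDs | Sort-Object -Unique)
    if (($current -join ',') -ne ($desired -join ',')) {
        Set-CASMailbox -Identity $Alias -ActiveSyncAllowedDeviceIDs $desired
    }

    # Surface existing partnerships that just lost access so the admin can see
    # what was cut off (the device is refused on its next sync attempt).
    Get-ActiveSyncDeviceStatistics -Mailbox $Alias |
        Where-Object { $desired -notcontains $_.DeviceID } |
        ForEach-Object {
            Write-Warning "$Alias : device $($_.DeviceID) ($($_.DeviceModel)) is not enrolled or not compliant and is blocked"
        }
}

# 4. Drive the reconciliation from the inventory. The resulting state lives on
#    Exchange itself, so devices already allowed keep syncing even if the
#    EMM server that computed the list is unavailable.
Set-EasDefaultBlock
foreach ($alias in $EnrolledDevices.Keys) {
    Sync-EasAccess -Alias $alias -CompliantDeviceIds $EnrolledDevices[$alias]
}
Get-AllEasPartnerships | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The allow list keys on the ActiveSync device ID that the client presents, so the identity binding is only as strong as the EMM server's record of which device ID it actually inspected. And Exchange's own remote wipe (Clear-ActiveSyncDevice) is a full device wipe; the selective "wipe only enterprise data" action listed in section 2 has to come from the EMM agent on the device, not from ActiveSync.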
There is no need for users to manually request access before enrolling in Kony EMM. With real-time Active Directory integration, an admin can designate all or specific AD groups as allowed for EMM enrollment. For example, suppose an admin needs to make mail access available to all users, as long as the device itself meets security guidelines. Adding the default AD group Authenticated Users would allow every user to enroll with their username and password. With enrollment instructions on the new hire portal, no individual user would need to open a help desk ticket or contact the admin to get mail access (or WiFi network profiles, VPN profiles, apps, etc.). Another common example is an enterprise that requires supervisor approval before a device is connected to the corporate mail server and/or network. A simple online form requesting access could be set up so that, on supervisor approval, the user account is added to a specified group within AD and an email with enrollment instructions is triggered. Because that group was already designated as allowed for EMM enrollment, no help desk or admin involvement is needed for the user to obtain the desired access on their device. One key point to remember is that the enterprise gains this automated mail security without adding risk to mail availability. Because Kony does not place a component in the mail path, a Kony EMM server outage would not cause a mail outage for existing users; the allow/block decisions already made remain in effect on the Exchange server. New users would not be able to connect to mail during the outage, which is exactly the desired fail-closed behaviour: if a device cannot be evaluated for compliance with the mobile policy, it cannot connect to the corporate network.

4. Native mobile mail apps
Mobile devices today all come with a native app for email, contacts, and calendar that includes support for ActiveSync. Some native apps even have controllable security built in that an EMM solution can leverage.
iOS devices from Apple and Android devices from Samsung in particular are recognized as leading the industry with enterprise-enabled native mail apps that allow admins to control things such as disabling silent mail forwarding. Sometimes the built-in security meets the needs of the enterprise, but that's not always the case; maybe you have standardized on devices other than iOS and Samsung's Android. The Kony EMM solution meets these needs by integrating with TouchDown, the industry-leading third-party mail, contacts, calendar, notes, and task app from NitroDesk. Some use cases where even the best native apps are not sufficient:
- Separate encryption is desired at the mail app level, so that even if a device is compromised via jailbreak or root, the enterprise data is still protected by its own encryption (with the caveat that a compromised device can also attack the app's key while the app is unlocked).
- A passcode is desired at the app level, not just at the device level. Many users like to be able to unlock their device and share it with colleagues, friends, children, friendly dogs, etc. You might want to let friends look something up on the web using your phone, but do you want them to be able to accidentally read or send email from your corporate account?
- Some security departments require the ability to prevent a user from storing an email attachment in a non-sanctioned app or local storage area.
- Usage controls such as restricting the time of day and/or locations at which the mail app can be used.
- Disabling copy/paste within the email app, as well as stopping a user from sneaking a copy by taking a screenshot. Kony EMM is a uniquely intelligent EMM solution that allows for context-aware control, such as disabling screenshots only while the mail app is open but allowing them elsewhere on the device.
Kony EMM makes these compliance definitions possible with the addition of TouchDown, whereas native mail apps cannot be secured or controlled in this fashion.
One key risk that needs to be managed in the enterprise is enforcing these mail app requirements consistently across the many supported platforms. With Kony EMM, an admin has flexibility; for example, requiring TouchDown on Android and blocking the native mail app from connecting to the corporate mail server, while allowing the native mail app on an iOS device. You can get even more detailed, down to the vendor level, by allowing the Samsung email app but blocking the HTC or Motorola (or any other vendor) native app and requiring TouchDown on those devices.

This document may contain information proprietary to Kony, Inc., is bound by the Kony license and other agreements, and may not be used except in the context of understanding the use and methods of Kony software without prior, express written permission. All terms, trademarks, or service marks mentioned have been capitalized and are considered to be registered trademarks of their respective holders.
This document is intended for informational purposes only; it is an overview of a Kony product direction and shall not be construed as a specification, contract or commitment to build or deliver any new or modified code, services or functionality. The features expressed in this document are subject to change or cancellation at any time and should not be considered in purchasing decisions for Kony products and services. The development, testing, release and availability of Kony products and services are the proprietary decisions, and at the sole discretion, of Kony, Inc.
About Kony, Inc.
Kony is the fastest growing cloud-based mobile application development platform (MADP) in the industry, with over 600 live multi-channel apps, serving over 20 million end users across 45 countries, and generating over 1 billion sessions. The Kony Experience Platform is an integrated software development lifecycle (SDLC) platform to define, design, develop, test, deploy, and manage multi-channel applications from a single code base. With Kony, you can deliver stunning user-first experiences, get to market faster, and lower your application TCO. Kony also offers a suite of more than 33 ready-to-run B2E and B2C apps that enable customers to quickly extend their business. For more information, please visit www.kony.com and connect with Kony on Twitter, Facebook, and LinkedIn.
© 2013 Kony Solutions, Inc. All rights reserved.