White Paper: Mobile Device Management with Microsoft Exchange and Cortado Corporate Server
Mobile Device Management

1. Introduction
2. Challenges When Introducing an Enterprise Mobility Strategy
3. Mobile Device Management (MDM) with Microsoft Exchange ActiveSync
4. Cortado Corporate Server Mobile Device Management with Secure Corporate Data Access

1. Introduction

Driven by the rapid growth of consumerization and bring your own device (BYOD), smartphones and tablets are conquering companies like never before. Worldwide there are over 1.2 billion mobile internet users and, with numbers rising fast, traditional PC use is becoming less and less relevant. By 2015, it is expected that the number of mobile-device users will exceed that of traditional desktops. On the one hand, mobility increases productivity and flexibility in companies; on the other hand, it poses significant challenges for IT professionals in the areas of data security, device integration and user expectations.

Leveraging the trends of consumerization and BYOD increases mobility and employee productivity and signals the start of the post-PC era. These developments require new approaches by IT professionals to provide users with secure access to corporate data and to manage users' smartphones and tablets. It is essential to create a secure environment in which users can remotely access the corporate network from any device while fully leveraging the functionality of their smartphones or tablets. The outcome is the complete flexibility of mobility combined with comprehensive security, equating to a fundamentally new approach for any remote access security strategy.

In this white paper, you will discover how to efficiently implement mobile device management (MDM) within your organization, allowing you to fully meet the increased demands of mobile device security and flexibility that BYOD and consumerization pose.

2. Challenges When Introducing an Enterprise Mobility Strategy

The main challenge when transitioning toward a more mobile workforce is implementing and installing a cross-platform, secure remote access environment. Any hesitation can lead to drastic delays, especially at a time when companies need to stay ahead of the trend to stay competitive. A company's IT needs to focus on three elements when implementing secure mobile access:

- Usability
- Life cycle of mobile devices
- Security

Users' requirements, feedback and critique must be taken into account if an enterprise mobility strategy is to be successful. The important first step when designing a mobile remote environment is to talk with the prospective users in order to find the best solution to fit their mobility needs. Any specific requirement with regard to using mobile devices to access corporate information needs to be taken into account. Listening to users' feedback and requests will lead to greater user acceptance once the solution is implemented, and will make it easier for IT to support new devices.

The next step is to decide on a new Mobile Device Management (MDM) strategy based on the feedback received. MDM refers to products and services that accompany the life cycle of mobile devices. The focus is currently on smartphones and tablets, as these have no traditional Windows operating system that IT can tie into existing systems. Soon, companies will need a cross-platform device management solution that can cover any device, including PCs and Macs, rather than segmenting devices and multiplying management efforts.

MDM solutions can be sorted into two categories: an open approach and a container approach.

In an open approach, the MDM solution is based on security agents running on the mobile device and communicating with a server-side management platform. This approach allows granular control over which restrictions need to be enforced, and the whole device with all its local intelligence and power can be included in the remote secure access design.

Container solutions force users to search for unsecure workarounds.

In a container approach, the MDM does not allow this kind of control. These systems are based on the idea of ensuring that relevant information does not leave the domain of a specific application. The container ensures integrity, authenticity and accessibility. Many of these solutions are actually designed around access to e-mails and are not intended to actually manage the device that holds the container.

Open solutions offer both flexibility and security.

Once an MDM strategy has been chosen, there are several phases in a device's life that are governed by its rules: provisioning, managing, lockdown and auditing.

Provisioning
This begins with deploying devices and equipping them with an initial configuration, assigning access permissions and providing certificates which will later be used to authenticate the device or the user to other services and applications.

Managing
After the devices are deployed, the configuration needs to be updated and the guidelines modified for administration or security. Additional applications as well as functional and security updates may need to be deployed.

Lockdown
At the end of a mobile device's life cycle, it needs to be locked down, denying access to the device or relevant data. Also, it is highly recommended that IT perform a remote wipe of data or run a backup to facilitate the migration to a new device.

Auditing
Throughout the whole life cycle, strong auditing capabilities are required to ensure that regulations and guidelines are adhered to and that, if necessary, it is known what users are doing, because their company might be liable for their actions.

3. Mobile Device Management (MDM) with Microsoft Exchange ActiveSync

Microsoft Exchange ActiveSync is a basic solution for MDM without any additional costs.

When deciding whether or not to implement an MDM solution, it is important to note that these solutions are expensive. Unfortunately, as stated above, many IT teams are not aware that they are already using a widely supported open device management technology, Microsoft Exchange, which can secure smartphones and tablets without any additional cost. Before investing in an additional MDM solution, IT should have a closer look at which security and mobility features are already provided by Exchange, and then decide whether additional functions are worth the premium.

ActiveSync Platform Comparison

Feature                             Windows Mobile   Windows Phone   iPad/iPhone (iOS 4.2)   Android (3.0)
----------------------------------  ---------------  --------------  ----------------------  -------------
Link Access                         Yes              No              No                      No
Disable Wi-Fi/Bluetooth             Yes              No              No                      No
Allow Mobile over the Air Update    Yes              Yes             N/A                     N/A
Min. # of Complex Characters        Yes              From 7.5        Yes                     Yes
Task Sync                           Yes              From 7.5        From iOS 5              No
Require Device Encryption           Yes              No              Yes                     Yes
Allow Browser                       Yes              No              Yes                     No
Disable Camera                      Yes              No              Yes                     From 4.0
Allow Attachment Download           Yes              No              From iOS 5              From 4.0
Require Manual Sync while Roaming   Yes              No              Yes                     From 4.0
Maximum Attachment Size             Yes              No              No                      From 4.0

ActiveSync is the Exchange server's counterpart on the mobile device and enforces the MDM rules and provisions set via the server.

Provisioning and managing cover the majority of a device's lifetime. During these first two phases, ActiveSync provides enterprise IT with the ability to restrict certain devices or device types from access and provides a wide array of policies for enforcing password and encryption requirements as well as limitations to mailbox usage.

During the third phase, lockdown (the decommissioning of a mobile device), the user already has the remote wipe capability built into the Exchange/ActiveSync management solution.
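
The provisioning, managing and lockdown steps described above, sketched as an added example for the Exchange Management Shell; it is not part of the original white paper and assumes Exchange 2010 cmdlets. The policy name, mailbox, device type string, device ID and notification address are constructed placeholders.

```powershell
# Added example (not from the white paper). Assumes the Exchange 2010
# Management Shell. All names and addresses below are constructed.
$PolicyName  = 'Mobile-Baseline'          # hypothetical policy name
$Mailbox     = 'jdoe@example.com'         # hypothetical user mailbox
$BlockedType = 'ExampleDeviceType'        # hypothetical DeviceType string
$DeviceId    = 'CONSTRUCTED-DEVICE-ID'    # hypothetical device to retire

# Provisioning: password, encryption and feature restrictions.
# AllowNonProvisionableDevices $false refuses devices that cannot enforce
# the policy instead of letting them sync unprotected, which matters given
# the per-platform gaps in the comparison table.
New-ActiveSyncMailboxPolicy -Name $PolicyName `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 3 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -RequireDeviceEncryption $true `
    -AllowCamera $false `
    -RequireManualSyncWhenRoaming $true

# Bind the policy to the user's mailbox.
Set-CASMailbox -Identity $Mailbox -ActiveSyncMailboxPolicy $PolicyName

# Restrict a device type from access at the organization level.
New-ActiveSyncDeviceAccessRule -QueryString $BlockedType `
    -Characteristic DeviceType -AccessLevel Block

# Managing: confirm which devices sync and whether the policy was applied.
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus |
    Format-Table -AutoSize

# Lockdown: remote wipe one specific device, then check acknowledgement.
$target = Get-ActiveSyncDevice -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $DeviceId }

if ($target) {
    # -Confirm forces an interactive prompt before the wipe is queued.
    Clear-ActiveSyncDevice -Identity $target.Identity `
        -NotificationEmailAddresses 'it-security@example.com' -Confirm:$true

    # DeviceWipeAckTime stays empty until the device has connected
    # and acknowledged the wipe command.
    Get-ActiveSyncDeviceStatistics -Identity $target.Identity |
        Select-Object DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
} else {
    Write-Warning "No device with ID $DeviceId found for $Mailbox"
}
```

A wipe only takes effect the next time the device contacts the server, so an empty DeviceWipeAckTime means the data should still be treated as exposed.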

Auditing, the fourth phase, is a parallel phase accompanying the device's active life. Since Exchange/ActiveSync MDM is based on mature technology designed for the handling of sometimes sensitive information, several ways for device inventory tracking and usage reporting are available via GUI or PowerShell scripts.

4. Cortado Corporate Server Mobile Device Management with Secure Corporate Data Access

IT departments in organizations are constantly confronted with new mobile devices which must be integrated into the corporate network. End users are increasingly deciding what devices as well as which features and applications they want to use in daily business, resulting in increased numbers of consumer devices in the corporate environment.

Consequently, one of the most important features of an MDM solution is cross-platform device support. The wide variety of mobile devices with different operating systems and life cycle stages must be recorded, securely integrated and managed. The MDM system should not compromise security, and it should do so without hindering users.

Professional MDM and effective security with Cortado Corporate Server.

With the cross-platform MDM possibilities available with Cortado Corporate Server, companies can fully and efficiently integrate every device into their existing corporate network. Cortado's advanced MDM enables flexible management of mobile devices, users and resources. Applications, such as intranet, internet, or other apps, can all be centrally managed by using the Enterprise Resource Store and securely rolled out throughout the enterprise. With the HTML5-based Management Console, IT professionals can get an overview of the device pool, access, users, apps and more at any time by simply using a web browser.

Whether iOS, Android, BlackBerry, Symbian, Windows Phone, notebooks belonging to mobile employees, or PCs and Macs of home office users, the MDM features adapt flexibly to the requirements of each device, as well as the existing IT environment (Adaptive MDM).

Cortado's Advanced MDM at a glance

Application management:
- Centrally manage enterprise applications such as intranet and internet applications, as well as other apps
- Roll out applications over the air (OTA) securely throughout the company via the Enterprise Resource Store
- Recommend apps and set up cross-platform links to the respective app stores

Device management:
- The control panel provides an overview of devices and allows them to be centrally managed
- Add devices and connect to file, database and print systems
- Device Locator helps find lost or stolen devices
- Remote wipe mobile devices either partially or completely

[Figure: Cortado Corporate Server overview. Labels: PCs, Macs, Smartphones, Notebooks, Tablets; E-mail; Fax; Printer; PDF/Zip-Export; Database; Document management; User management; Policy management; Application management; Device management; User Self Service Portal]

User management:
- Add users and define their access rights via the Management Console
- Individually set which content, drives, and printers each employee can access and which corporate resources are available for them

Policy management:
- Create, manage and enforce guidelines for mobile corporate access
- Set extensive password guidelines, such as length, complexity, or validity

Extensive cloud desktop features

Cortado Corporate Server combines encrypted access to the corporate IT infrastructure with a comprehensive cloud desktop concept, providing employees with the flexibility and scalability they require to perform. You benefit from location-independent and secure access to key corporate data, flexible document management and wide-ranging file handling options, no matter whether access is through a native app on a smartphone or tablet or via an HTML5-based browser on a PC or Mac. Files can be quickly and easily viewed, forwarded via e-mail, exported to PDF or ZIP, printed, faxed or scanned. Database reports can also be obtained from the corporate network.

Thanks to the Cortado cloud desktop, users can work with their mobile device just as well as at their office desktop, giving them the freedom to fully perform. Leveraging the local resources of the respective device ensures optimal ease of use and high user acceptance.

The User Self Service Portal provides end users with convenient management options and access to corporate resources. Users can manage passwords, locate a device that has been lost or stolen, lock it, and partially or fully delete its content. The result is increased security as well as less time and resource demands on IT professionals.

Comprehensive security concept

The foundation of Cortado's security concept is controlled openness. All applications and local resources that users need for their daily tasks are made available to them. As a result, there is no longer any incentive to search for workarounds and to break out of a supposedly secure container system. Thanks to complete control, corporate data remains secure. Through complete integration into the existing Active Directory, user rights can be managed and further limited for mobile access if required.

The open security concept of Cortado accompanies the entire life cycle of a mobile device, from its introduction, through the allocation of rights and policies, up to its phasing out, with detailed monitoring complementing the security concept.

Comprehensive security is ensured, resulting in a professional compliance management system:

- Complete integration into the existing Active Directory
- Data transfer via an SSL-encrypted connection
- Locally stored data is encrypted
- Password-protected access to corporate resources
- Locate device if lost or stolen and block if necessary
- Complete or partial remote wipe
- Minimum local data storage through backend access
- No downloading of potentially harmful files thanks to the preview feature

Headquarters
Cortado AG, Alt-Moabit 91a/b, 10559 Berlin, Germany
Phone: +49 (0)30-39 49 31-0
Fax: +49 (0)30-39 49 31-99

Cortado Pty Ltd., Level 20, The Zenith Centre, Tower A, 821 Pacific Highway, Chatswood, NSW 2067, Australia
Phone: +61-(0)2-84 48 20 91
Australia

E-Mail: info@team.cortado.com
www.cortado.com

USA (Colorado)
Cortado, Inc., 7600 Grandview Avenue, Suite 200, Denver, CO 80002, USA
Phone: +1-303-487-1302
Fax: +1-303-942-7500
E-mail: info@cortado.team.com
www.cortado.com

Cortado Japan, 20th Floor, Marunouchi Trust Tower Main, 1-8-3 Marunouchi, Chiyoda-ku, Tokyo 100-0005
Phone: +81-(0)3-52 88 53 80
Fax: +81-(0)3-52 88 53 81
Japan

A Brand of

Names and trademarks are names and trademarks of the respective manufacturer. Translated by Cortado AG.