We have all benefited from the acceptance of BYOD. Or have we?
Actually, when you look at it more closely you will see some cracks in the exuberant endorsement when it comes to enterprise management, specifically, Mobile Device Management (MDM).
In the old days, MDM was ruled by BlackBerry (known then as RIM). BlackBerry bound it all into a homogeneous mesh for complete enterprise control, making life for IT and corporate security much easier.
But when BlackBerry stumbled, BYOD came into the enterprise in force, which revolutionised the approach users take to their mobile devices. This does not imply that BlackBerry is out of the game, but simply that in the consumer world, BYOD has increasingly meant iOS and Android devices. Recent reports suggest that 40% of BYOD devices are used to access corporate data and services. This presents a security issue for IT departments struggling to contain the rapid expansion of devices and the blending of use cases within daily life.
Outside of the BlackBerry group of devices, MDM is served differently by Apple and Google. Each OS provides MDM interfaces or frameworks that facilitate the sandbox or remote control mechanisms provided by third-party solutions. In the past, FIPS-140 certification was a feature only implemented by BlackBerry, but more recently, Apple and some Android devices have caught up and now offer the same capability. The impact of that is often underestimated – most government and all military deployments in North America, and similarly in Europe, require extended forms of encryption support, built into the application and hardware. Without such certification, selling devices into those markets beyond trial status is challenging. With more recent public revelations, medium and larger enterprises are looking to improve their security, which for MDM is a critical factor in ensuring confidence in the system and its protection.
The benefits of iOS (sandboxing, with no sharing of file system data or process space) shield the user and app developer from rogue apps picking at weaknesses in their design, but may also prevent any third-party app from fully delivering on the promise of device management with BYOD. Despite this apparent limitation, Apple offers (in iOS 7) comprehensive control options such as automated enrolment of a device, single sign-on, shared/floating licenses and targeting which apps can access or share corporate data. MDM on Apple is best implemented in the purely corporate space (no BYOD) – when personal mail, contacts, SMS, logs and personal apps are also included in a BYOD scenario, more complex solutions are required.
There are pros and cons to this – if the corporate policy is not to have certain public apps on devices, then it’s not easily enforceable with BYOD. Most MDM systems allow reporting of “compromised” devices back to IT, which includes rooted phones or blacklisted apps, but that is as far as it goes.
Android has a similar sandbox feature and also provides device administration, though it is aimed at Google Apps for comprehensive control. Google can remotely delete and manage your Android phone. Apps are unable to do the same to user-installed apps without the hoops mentioned – rooting the phone, or enabling developer access for unsigned apps. Android Device Policy allows the enterprise to perform functions such as wiping a device, resetting PINs, locking or locating a device and insisting on PIN or password entry.
So if the OS is, by design, preventing you from achieving a level of enterprise control that was possible with BlackBerry devices, what can you do if you want to encourage BYOD as well as integrate corporate-issued devices?
Some key vendors have come forth with excellent MDM offerings that are gradually addressing this gap. Examples include Good Technology, AirWatch (acquired by VMware for $1.5 billion), MobileIron and of course Citrix. The main effort here has been to provide an integrated approach that is cross-platform. Given the above restrictions, how do these companies claim to provide MDM?
In most cases where the device is considered Corporate-issued, the OS for that device is issued by the enterprise – it’s not a standard OS release from Apple or Google. There is no opportunity for personal apps. Downloading your “favourite” app into the sandbox is not supported. The method used is to create a local sandbox (the “containerisation” approach) that has secured applications issued from the sandbox controller (the Enterprise) via the normal app distribution mechanism (App Store or Play) or through a centralised app issuer (essentially an App Store in the Enterprise) controlled by the enterprise. The Sandbox typically has a secured VPN connection to either a Cloud service or back to the Enterprise IT. This mirrors what BlackBerry BES offers.
Alternatives are necessary when BYOD is planned, as replacing the OS would lose all the personal data as well. Apple offers a number of restrictions that apply if a personal device is also under MDM control – each app is designated as either personal, or under MDM control. Apps that are MDM-enabled can be erased and protected in a number of ways, such as disabling mail account changes, WiFi APs and copy/paste between apps.
CounterPath views MDM as a necessary evolution of BYOD within an enterprise, but one where management of devices is just one element of the strategy.
Enterprises require control over distribution, configuration, security and crucially – analytics. CounterPath supports each of these and in the case of analytics enables service providers and enterprise communications departments to quickly diagnose and assess client needs and problems. These include the ratio of 3G/4G and WiFi usage for types of calls, the quality of each call through standardised metrics (MOS scores) and confidence in the security of the communications through secured channels for all of the above, extending to hundreds of thousands of clients per installation.
We have integrated solutions with Citrix, best known for their VDI solutions, and are in the process of being certified on AirWatch, MobileIron and Good Technology solutions. In addition, for those who wish to deploy immediately, without the MDM overhead, CounterPath have long offered a centralised user profile distribution solution (CCS). This innovative, patented and hosted solution seamlessly links with generic and customised versions of Bria, our award-winning and leading softphone solution for iOS, Android and now BlackBerry.
Enterprises can now configure access details for employees' VoIP and IM communications, and have those configurations forcibly implemented at the device. The Bria app is securely delivered in a certificate-signed and encrypted form only from OEM-approved app stores. Updates can also be made mandatory and changes are available almost instantly.
The problem facing many MDM strategies is that the secured link they provide to safeguard corporate data and applications means a tethered line to a central hosted service, or back to the corporate offices. As one of the early pioneers of SIP and of VoIP in general, CounterPath has had many years of experience in defining, implementing and perfecting the quality of experience for the user with delay-sensitive communications such as voice, and even video to some extent. We know that sending all the media over a VPN link, through a central location, often leads to a poor experience unless steps are taken to mitigate the route taken by the voice and video.
Bria has evolved to differentiate streams of traffic, and is certified to work with leading devices by Acme Packet, to ensure the experience is optimal. One of the ways this is achieved is through support for fully automated SBC control – users do not have to manage or manipulate any settings to get through firewalls in hotels, homes or enterprises. In cases where the network link is variable in quality, Bria offers support for TSCF (Tunnel Service Control Function), which enables audio packet reconstruction and restoration across redundant links. Bria supports TLS and SRTP, and operates efficiently over VPNs.
Whether you choose to implement full-scale MDM, or you want to take a more cautious approach to BYOD control, CounterPath offers a solution that will meet the needs of tight corporate IT security policies, and those of a more fluid nature.
For more information, see: CounterPath to Enter the Mobile Device Management (MDM) Market