EBF Blog

Part III of III: MobileIron and Microsoft Intune – March 2017 Detailed Comparison

Video Blog
April 25, 2017

This three-part video blog series is my perspective on Microsoft’s strategy, the evolution of Microsoft Intune, and the critical role MobileIron plays in a Microsoft shop. My opinions are based on publicly available and third-party data plus my analysis of Microsoft’s actions. Part I of this series gives an overview of Microsoft’s strategy, and Part II provides a high-level comparison of MobileIron and Microsoft Intune.


I believe there is a substantial capability gap between a proven EMM like MobileIron and an immature MDM like Microsoft Intune. This video describes the differences between MobileIron and Microsoft Intune as of March 2017 along the following dimensions:

  • Security capabilities and certifications
  • Level of commitment to multi-OS
  • Application lifecycle management
  • Ecosystem integrations
  • Customer adoption

As always, talk to references and test the products to understand which solution is the best for you.

Any information concerning products and services other than MobileIron’s comes from public and third-party sources. Although we believe it to be accurate, we have not independently verified it and we cannot guarantee its accuracy.


Source: MobileIron Smart@Work Blog

Part II of III: MobileIron and Microsoft Intune

Video Blog
April 24, 2017

This three-part video blog series is my perspective on Microsoft’s strategy, the evolution of Microsoft Intune, and the critical role MobileIron plays in a Microsoft shop. My opinions are based on publicly available and third-party data plus my analysis of Microsoft’s actions. Part I of this series gives an overview of Microsoft’s strategy, and Part III provides a detailed technical comparison of MobileIron and Microsoft Intune.


Security is the central value proposition of MobileIron. Our goal is to provide a comprehensive, government-grade, best-of-breed security platform to enable business transformation. We believe that technology choice is essential for the modern enterprise. Our customers should be able to choose the devices, operating systems, apps, identity providers, and cloud services they want, with MobileIron providing a consistent security approach end-to-end.

If you are evaluating MobileIron vs. Microsoft Intune, I recommend that you first ask for references and then test the products head-to-head, even though the Microsoft sales team may not want you to do this. EMM is strategic. A wrong decision can be very costly. Testing up-front can save a lot of pain later.

Microsoft has four very specific sales tactics when selling Intune against MobileIron:

  • “Intune is free” … but free security is rarely great security, and weak security is very expensive.
  • “No one else can secure Office 365” … this is false because Microsoft has now opened their Microsoft Graph APIs to MobileIron. We and other EMMs will be able to use the proprietary controls Microsoft had only exposed to Intune in the past.
  • “MobileIron is going out of business” … this is false (and seems a bit desperate) because MobileIron is a successful, growing, and financially sound public company.
  • “Trust us – Intune will get better next year” … but mobile moves fast and security can’t wait.

The decision playbook is simple:

  • Talk to references: Don’t trust PowerPoints and promises. Because Intune is bundled into the broader Microsoft suite, many enterprises may have Intune licenses without Intune deployments. Ask to speak to a customer who has enrolled thousands of devices in Intune and is using it for apps.
  • Test the products: EMM platforms are very deep functionally, and testing will clarify the capability and stability differences between MobileIron and Intune.
  • Understand the strategy: Why doesn’t Intune have Common Criteria or FedRAMP certification? Why did it take Microsoft over 600 more days than MobileIron to support the Android enterprise (aka Android for Work) security framework? Why does Intune have far fewer technology integrations with third-party vendors than MobileIron? I believe that Intune has a very different strategy than MobileIron. MobileIron is 100% focused on EMM and all our resources go into building a platform aligned with our customers’ requirements. Intune, on the other hand, suffers from fundamental conflicts of interest in supporting non-Microsoft technologies. 

I also believe the value of Intune is shifting. Most market-leading EMM products, like MobileIron, are more mature than Intune. As Intune’s role evolves to policy middleware for Azure services, I believe that the main value Intune will provide is as an API through Microsoft Graph for Azure controls using the customer’s EMM of choice.

Please read Part III of this series, “MobileIron and Microsoft Intune: March 2017 Comparison,” for a more detailed technical comparison of the two products.

Any information concerning products and services other than MobileIron’s comes from public and third-party sources. Although we believe it to be accurate, we have not independently verified it and we cannot guarantee its accuracy.


Source: MobileIron Smart@Work Blog

Part I of III: MobileIron and Microsoft Strategy

Video Blog
April 23, 2017

This three-part video blog series is my perspective on Microsoft’s strategy, the evolution of Microsoft Intune, and the critical role MobileIron plays in a Microsoft shop. My opinions are based on publicly available and third-party data plus my analysis of Microsoft’s actions. Part II of this series provides a high-level comparison between MobileIron and Microsoft Intune, while Part III provides technical details on that comparison.

Like almost every infrastructure software company in the world, MobileIron is both partner and competitor with Microsoft. Most of our customers are also Microsoft customers.

I believe Microsoft’s future depends on the success of three initiatives:

  • Migrate compute workload quickly to Azure
  • Don’t lose the battle for identity
  • Win back the developer

Three product solutions provide the underlying pillars for these three initiatives.

1. All roads lead to Microsoft Azure

For Microsoft to win, enterprise workload must move to Microsoft Azure instead of Amazon Web Services (AWS) or Google Cloud Platform. Azure consumption is a central metric Microsoft can measure to gauge whether its strategy is working. Each month, compute cycles, data storage, and transactions in Azure must increase at a rate higher than the rest of the market.

“Will it increase Azure workload?” is a simple litmus test to predict Microsoft’s actions.

2. All roads start from Microsoft Azure Active Directory

Microsoft cannot afford to lose its position as the system of record for identity. I believe Microsoft Azure Active Directory is the most important product in the Microsoft stack. Microsoft has been very public that “identity is the control plane.” As a result, Azure services are all tightly tied to the identity services that Microsoft provides.

If a Google or an Okta starts taking over identity within a customer, Microsoft loses its most important architectural control point. Office 365 is not only a productivity suite, but also a forcing function to drive identity into the Microsoft Cloud.

3. All roads are built on Microsoft Graph

Before we talk about Microsoft Graph, let’s first turn the clock back 20 years. Microsoft became the largest software company in the world because it won the hearts and minds of developers. Customers go where developers are, and developers were inevitably on Microsoft platforms. Both server-side and client-side developers built on Windows. Microsoft Developer Network (MSDN) was the center of the universe because almost everyone used Microsoft tools.

Then Linux matured and many new developers, like MobileIron, chose it as their server platform. At the same time, client applications on the desktop moved into the browser. In 2010, iOS and Android adoption exploded and, as always, developers followed their customers and started building native apps for those OS platforms. Meanwhile, cloud became the primary infrastructure choice of startups, and AWS quickly established a leadership position.

Now it is 2017. A new startup, funded today, will most likely run in AWS, with Android, iOS, and web apps on the front-end. There is a good chance that the startup will not use any Microsoft development technologies even if the service is consumed on Windows devices. That was infeasible 15 years ago, but practical now.

Microsoft must win back the developer. Winning with Office 365 but losing the developer is not an option.

Microsoft Graph is the centerpiece of the Azure developer strategy. It is the API stack for Azure, and Microsoft needs as many developers to use it as possible.

The Role of MobileIron and Microsoft Intune

At MobileIron, we’ve seen Microsoft’s strategy evolve over the last few years. Microsoft Intune is a perfect example. Because of the strong position Microsoft System Center Configuration Manager (SCCM) has held in the traditional desktop management market, I believe Microsoft assumed Intune could easily achieve a similar position in the enterprise mobility management (EMM) market.

But it didn’t work out that way. Intune struggled with capability breadth, depth, and maturity against the more established EMM players. Intune lacked the fundamental advantage of SCCM – control of the operating system. Apple and Google, not Microsoft, were the primary OS vendors in mobile.

Intune needed a product advantage and it came in the form of Office 365 controls. Microsoft decided not to use the native frameworks for app configuration and security that Apple and Google had built into their operating systems (http://www.appconfig.org/), even though that was the preference of many Microsoft customers. Instead Microsoft built a proprietary set of controls for Office 365 apps and only exposed them to their EMM product, Intune. This meant that other EMM products could not leverage incremental security functions for Office apps, like preventing copy / paste or ensuring that a document was not saved to a consumer storage service.

The Microsoft sales team started pitching that “only Intune secures Office 365.” They tried to convince customers to uproot their entire existing EMM infrastructure and switch to Intune to access a handful of Office configurations. Customers pushed back, and the common outcome was not that they switched to Intune, but rather that they lived without these additional, useful configurations.

In January 2017, Microsoft changed course and exposed these functions through new Microsoft Graph APIs. Access to these APIs still requires the customer to buy Microsoft’s Enterprise Mobility + Security (EMS) suite, which includes Intune, so the Microsoft sales team does not lose a revenue opportunity. However, to me it indicates that Microsoft realized adopting a closed approach to Office security was not in the customer’s or Microsoft’s best interests.

I believe that, over time, product economics and strategy alignment will naturally shift the focus of Intune from trying to compete head-to-head for EMM business to instead providing Azure policy middleware that other EMM products can leverage. The middleware model better meets customer requirements and, more importantly for Microsoft, drives adoption of Microsoft Graph. Microsoft has a tremendous incentive to secure Azure services but none to secure Android or iOS as OS platforms.

The true battle for Microsoft is not EMM. It’s winning back the developer through Microsoft Graph and moving enterprise workload to Azure with identity at the core.

Please read Part II of this series, “MobileIron and Microsoft Intune,” for more details on these two products.

Any information concerning products and services other than MobileIron’s comes from public and third-party sources. Although we believe it to be accurate, we have not independently verified it and we cannot guarantee its accuracy.


Source: MobileIron Smart@Work Blog

MobileIron Cloud Update

MobileIron Products
Cloud
April 22, 2017

Cloud Winter Update 2017

The latest releases of MobileIron Cloud enhance security, strengthen multi-OS support, and improve user experience. Let’s take a look at some of the highlights.

More Robust Management and Security for Macs

MobileIron Cloud now offers comprehensive support for macOS. Many notable enhancements can be found in the areas of deployment and enrollment, configurations and actions, policies and compliance, and software distribution and management.

Support for Key Apple iOS 10.3 Enterprise Features

MobileIron Cloud supports many of the new enterprise features introduced in Apple iOS 10.3, including Wi-Fi restrictions, S/MIME enhancements, and restart and shutdown of supervised iOS or tvOS devices, just to name a few.

Extend EMM Capabilities to PCs

MobileIron Cloud now supports MobileIron Bridge. IT admins can leverage a single console and communications channel to manage both mobile and PC operations for Windows 10. Benefits include increased organizational productivity, efficiency and agility — at lower cost, and without compromising mobile security.

Deeper Integration with Windows 10 Security Features

Support for Windows Information Protection (WIP) enables IT admins to define and enforce policies to protect enterprise data and control access to corporate resources via Windows 10 devices. MobileIron Cloud enables admins to easily distinguish between personal and business information, define which apps and users have access to the information, and control what users can do with the information — for example, this might include copy/paste or print.

Enhancements to AppConnect for Android

Containerization, security, and admin access to information are all improved thanks to new MobileIron Cloud enhancements to AppConnect for Android. IT admins can now reset the AppConnect Passcode, unlock the AppConnect for Android container, display a list of installed AppConnect enabled apps, and easily view encryption status and configuration installation status for apps.

Tiered Compliance Policies and Actions

IT admins now have more granular control over compliance policies and actions. They can create policies with complex triggers and chained compliance actions which allow for tiered enforcement in a variety of scenarios. For example, IT admins can now build chained actions with wait states, user notifications, and compliance actions, including block and quarantine devices.

Custom Query Reporting

MobileIron Cloud now enables IT admins to create reports that best meet their needs. They can modify report templates to include or exclude specific columns, ensuring only the information of interest is displayed, and in the preferred order. This helps to improve communication and speed decision making.

Secure Multi-User Login on iOS Devices

Use of iOS Web clips allows multiple users to sign in and sign out of the same device. The user’s profile, applications, and configurations are copied onto the device at login and removed as soon as the user logs out. MobileIron Cloud support for iOS Web clips enables fast switching between multiple users of a single iOS device, while also ensuring the privacy and security of each user’s profile.

There you have it, highlights of MobileIron Cloud’s most recent releases. Thanks for reading, and stay tuned for more updates down the road!


Source: MobileIron Smart@Work Blog

AppConfig Community Gains Industry-Wide Support

Ecosystem
Applications
Market Trends
April 13, 2017

The AppConfig Community was launched in February 2016 with the mission to establish a common approach for enterprise app configuration and security based on native operating system frameworks from OS vendors like Apple and Google.

This week, the Community released the AppConfig Community Annual Report showcasing tremendous growth in membership, new developer use cases, and new developer resources. Here is the webcast:

Most of the EMM industry now supports this initiative, with membership growing from 4 providers in February 2016 to 19 providers in April 2017, including 42Gears, AppTec, baramundi software AG, BlackBerry, Centrify, Cisco Meraki, Cortado, IBM MaaS360, Jamf, Matrix42, MobileIron, Pulse Secure, SAP, SEVEN PRINCIPLES AG, SimpleMDM, Snow Software, Sophos, SOTI, and VMware.

More importantly, 90 ISVs are now members, with 40 more in process. 1,400 individual developers are also now part of the Community.

The reason that over 100 software vendors have come together so quickly to support the AppConfig Community is that we jointly believe that the transformational impact of mobility truly is “all about the apps.”

Business transformation only happens when you can fundamentally improve the workflow of the organization. The promise of mobility has always been to remove bottlenecks of time and space and enable innovative analysis and decisions, agile workflows, and stellar outcomes. This business transformation requires great apps. Our goal in the AppConfig Community has been to accelerate the adoption of these transformational business apps by making development simple for app developers and deployment simple for IT organizations.

Over the last year, the Community has focused on the four technology areas shown below. To support developers, in February 2016, we released an XML schema to make app configuration easier on iOS. In June 2016, with the active participation of Google, we expanded our best practices to Android. This year, we launched the Spec Creator tool to make the overall process easier for developers.

There is no fee to join the AppConfig Community. Everyone committed to supporting native frameworks is welcome.

ISVs: https://www.appconfig.org/join-appconfig/
Individuals: https://groups.google.com/forum/#!forum/appconfigcommunity
EMM providers: http://appconfig.org/join-as-an-emm/

If you have questions, please email join@appconfig.org.


Source: MobileIron Smart@Work Blog

How EMM can help with General Data Privacy Regulation (GDPR) Compliance

There is a major global trend in compliance towards codifying into the law the concept of reasonable, common sense security standards. Compliance is moving away from compliance on paper to compliance in practice. The General Data Protection Regulation (GDPR), which will go into effect in May 2018, will bring Europe under one comprehensive data security and privacy legal regime. GDPR applies to controllers in the European Union (EU), as well as those located outside the EU if the individual whose personal data is being processed is located in the EU. “Controller” is defined as the organization that decides the purpose and means of processing the personal data. With regard to processing personal data of employees in connection with their work, the controller would be the employer.

GDPR principles

While Europe leads the world in its focus on data privacy, the principles for processing personal data under GDPR are familiar and standards-based (see blog EMM and the Law here):

  • Lawful, fair, and transparent processing: Controllers must have valid grounds for processing the personal data.
  • Purpose: There must be a clear and explicit reason for processing the personal data.
  • Data minimization: The data processed should be limited to what is needed for the particular purpose. Access should only be granted to those people who need it for the particular purpose.
  • Accuracy: The data should be accurate and inaccuracies should be easily rectified.
  • Storage limitation: The data should be retained only for as long as it is needed for the particular purpose.
  • Integrity and confidentiality: The data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized processing and against accidental loss, using appropriate technical or organizational measures.
  • Accountability: The controller should be able to demonstrate compliance with the above principles.

As with other data privacy and security standards, GDPR includes the concept of proportionality – the controller should implement appropriate technical and organizational measures to ensure and demonstrate compliance. The measures taken by the controller should be proportionate to the processing in question.

Privacy by Design and Privacy by Default – Article 25 of GDPR

Privacy by design is not a new concept, but its inclusion in GDPR shows how practical, risk-based measures are now becoming legal requirements. Privacy by design requires the controller to implement appropriate technical and organizational measures from the initial setup of operations. In other words, privacy cannot be an afterthought; rather, privacy issues should be considered and risk-based security measures taken throughout the lifecycle of the process, from initial design through data deletion.

Privacy by default means that the controller should put in place appropriate technical and organizational measures to ensure that, by default, only the needed amount of personal data is collected and processed. The user shouldn’t have to opt out from giving extra information. The controller cannot gather more information “just in case” it might want to use it later.

Accountability means monitoring and compliance. A controller needs to be able to show that it has adequate security in place and that compliance is monitored. The penalties for non-compliance with GDPR are substantial: the maximum fines are the greater of 20 million euros or 4% of the company’s worldwide revenue.

EMM importance for GDPR compliance

Enterprise Mobility Management (EMM) solutions, such as MobileIron, are an important component of a reasonable GDPR compliance program:

  1. MobileIron allows the IT administrator of the controller to establish a clear boundary between personal and business data on the device. The controller doesn’t have access to the content of personal apps or personal email accounts on the device. This is critical to the data minimization as well as the integrity and confidentiality principle of GDPR.
  2. MobileIron gives the IT administrator visibility into which devices and apps are accessing business services. In the case of a data breach, the IT administrator can show through audit logging exactly what actions took place leading up to the compromise and what, if any, actions IT took as a result. This provides a clear record of any unauthorized access to business services and supports the GDPR principle of integrity and confidentiality, as well as of accountability. MobileIron’s solution enables the IT administrator to:
    • Manage inventory
      • Identify authorized and unauthorized devices.
      • Identify authorized and unauthorized apps.
    • Whitelist applications
      • Establish a subset of applications that are authorized to run on a device and access business services.
    • Protect Access
      • Allow only authorized users, devices, and apps to access business services, whether on-premises or in the cloud.
    • Provide audit logging
      • Monitor administrative actions and business data flows.
  3. Finally, MobileIron allows the IT administrator to protect the device from security threats, which is important for the principle of integrity and confidentiality, as well as of accountability. MobileIron’s solution enables the IT administrator to enforce compliance:
    • Apply appropriate security configurations and policies to the devices and applications.
    • Monitor the security compliance of the device and applications, including attacks on the integrity of the operating system to jailbreak or root the device.
    • Take remediation actions if the device or application is out of compliance.

Conclusion

A controller (i.e., enterprise) cannot reasonably believe that it is providing adequate security for personal data unless it can demonstrate that it has implemented appropriate EMM controls and procedures to ensure separation of business data from personal data on the device, and to protect that business data from external threats and unauthorized use or disclosure. The MobileIron solution provides a controller with a robust framework for compliance with the data minimization, integrity and confidentiality, and accountability principles of GDPR.

Source: MobileIron Blog

NY Cybersecurity Regulation Targets Financial Services, but Implications are Much Wider

Rethink: Security
Mobile Security
March 30, 2017

NY - Cybersecurity Regulations

The web of security and privacy regulations continues to grow this month as the New York Department of Financial Services (DFS) became the latest regulator to impose cybersecurity requirements on organizations it oversees. While this regulation primarily targets Financial Services organizations in New York, the implications are much wider. By March 2019, third-party service providers whose services are utilized by covered entities will need to comply with certain parts of the regulation. And that may be only the first step. Regulations that first apply to Financial Services organizations are often ported to other industries or more broadly as certain laws become best practices and are copied in other jurisdictions.

The new DFS rules require organizations to establish a cybersecurity program and to designate a Chief Information Security Officer (CISO) who reports periodically to the Board of Directors and is measured on the effectiveness of the program. The CISO is required to oversee a number of activities, including:

  • Annual assessment of the security of the organization’s systems, with pentests
  • Encryption of sensitive data at rest and in motion
  • Limitation of user access privileges to Information Systems
  • Utilization of 2-factor authentication for external connections to your network
  • Ensure internal app developers follow secure development practices
  • Audit trails designed to detect and respond to security incidents
  • Detection of unauthorized access or use of nonpublic information
  • A risk assessment focused on the adequacy of security controls to ensure the organization’s security can adapt to new technologies and evolving threats

On the one hand, these represent best practices. So, for organizations with a robust cybersecurity program already in place, you’re hopefully already doing most or all of this. On the other hand, implementing and running a robust cybersecurity program takes concerted effort.

Fortunately, these regulations are largely consistent with a set of industry-standard frameworks: ISO 27001, NIST SP800-53, and CIS Critical Controls. It is therefore advisable to choose one of these as the basis for your cybersecurity program and build out from there.

How can MobileIron Help?

MobileIron has an important role to play in the “defensive infrastructure” CISOs are required to establish by the regulation. Let’s look at how this infrastructure can address the required activities.

  • Annual assessment of the security of the organization’s systems, including Pentests
    Mobile is traditionally an easy target in pentests. Pentesters break into a device or find an app with insecure communication, download email and other documents, and declare a finding.

    MobileIron helps detect these attacks through jailbreak detection to identify compromised devices.

    MobileIron can make these attacks harder by using AppConnect, which encrypts enterprise data and protects it behind a second layer of authentication.

  • Encrypt sensitive data at rest and in motion
    Data at rest on mobile devices can be encrypted with AppConnect.

    Data in motion can be protected with MobileIron’s per-app VPN or Tunnel.

  • Limitation of user access privileges to Information Systems
    MobileIron Access helps ensure that the user is authorized, the device is not compromised, and the application is authorized for access by that user.
  • Utilize two-factor authentication for external connections to your network
    MobileIron’s per-app VPN authenticates the device (something you have) to Tunnel. Combined with the AppConnect PIN (something you know) or TouchID (something you are), this provides two-factor authentication for connections from these apps to your internal network.

    MobileIron Access can also facilitate two-factor authentication for cloud services by allowing only managed devices (something you have) combined with user authentication (something you know).

  • Ensure internal app developers follow secure development practices
    Secure development practices include securing data at rest and in transit. The AppConnect SDK provides tools to enable developers to do both easily.
  • Audit trails designed to detect and respond to security incidents
    MobileIron Tunnel and Access can produce logs that show which users are accessing enterprise resources from which devices. This is potentially vital information for incident response teams.
  • Detection of unauthorized access or use of nonpublic information
    MobileIron enables IT administrators to identify when a device is compromised or when a user is no longer authenticated and take appropriate remedial action.
  • Perform risk assessments to ensure the organization’s security can adapt to new technologies and evolving threats
    EMM is becoming a “must have” tool for managing and securing devices, apps and data and ensuring that only authorized users using secure devices gain access to the appropriate business services and data.

    MobileIron, along with our ecosystem of mobile threat detection tools, provides a flexible basis upon which to build your organization’s security toolkit.

Additionally, asset inventory, device management, access controls and identity management are all now legally required to be addressed under the bank’s cybersecurity policy and are all facilitated by EMM providers, including MobileIron.

Conclusions

From the proliferation of rules, it’s clear government regulators are reacting to the increasing number of security breaches by taking a more proactive approach in defining minimum reasonable security practices. We therefore anticipate a future with increasingly strict regulations around cybersecurity. Organizations would be well served to implement a cybersecurity program that follows broadly accepted industry best practices. In this era of mobility, MobileIron can serve as an important piece of the technological foundation for such a program.


Source: MobileIron Smart@Work Blog

“The Single Best Tech Conference of the Year!”

Miscellaneous
March 29, 2017

That’s what one of our customers said last year. Our motto for MobileIron Live! 2017 is: “Come with questions – leave with answers.”

You can register here for Santa Clara, California (May 9-11) and here for Berlin (June 1-2).

Here are five reasons this is a must-attend event for every MobileIron customer:

  1. Deep content
    Our conference is technical, with material presented by our engineers, product managers, and customers. Our attendees are mobility owners, architects, administrators, and security professionals. Click to see the agenda for Santa Clara and Berlin. No fluff.
  2. Custom agenda
    We contact every registrant personally to see what topics are most important to him or her. At the top of the list so far this year: Office 365 security, DEP best practices, Android evolution, and Windows 10 with EMM. We will make sure that you leave with the tools and best practices you need for success.
  3. Peer best practices

    Our customers represent the true leading edge of business transformation through mobility. You will get in-depth best practice sharing with your peers at other companies in your industry and beyond.

  4. Technology evolution
    You will dive deep into topics that help you with your current deployment as well as the evolving architecture of MobileIron to support cloud services, Windows and Mac desktops, and the Internet of Things. You will be able to design an architecture to support the evolving technology landscape.
  5. One-on-one interaction
    Our support and solutions engineers will be available for one-to-one discussion during the entire show at the MobileIron Live! Answers Bar.

The focus of MobileIron Live! is education on architecture and deployment best practices to make every attendee a better mobile IT professional. I hope you can join us.


Source: MobileIron Smart@Work Blog

How EMM can help with General Data Protection Regulation (GDPR) Compliance


Mobile Security
Market Trends
March 28, 2017

There is a major global trend in compliance towards codifying into law the concept of reasonable, common-sense security standards. Compliance is moving away from compliance on paper to compliance in practice. The General Data Protection Regulation (GDPR), which takes effect on 25 May 2018, brings the European Union (EU) under a single, comprehensive data protection and privacy regime. GDPR applies to controllers (and processors) established in the EU, and also to organizations outside the EU that process the personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behaviour. A “controller” is the organization that decides the purposes and means of processing the personal data. For personal data of employees processed in connection with their work, the controller is the employer.

GDPR Principles

While Europe leads the world in its focus on data privacy, the principles for processing personal data under GDPR are familiar and standards-based (see the earlier blog post, EMM and the Law):

  • Lawful, fair, and transparent processing: Controllers must have valid grounds for processing the personal data.
  • Purpose: There must be a clear and explicit reason for processing the personal data.
  • Data minimization: The data processed should be limited to what is needed for the particular purpose. Access should only be granted to those people who need it for the particular purpose.
  • Accuracy: The data should be accurate and inaccuracies should be easily rectified.
  • Storage limitation: The data should be retained only for as long as it is needed for the particular purpose.
  • Integrity and confidentiality: The data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized processing and against accidental loss, using appropriate technical or organizational measures.
  • Accountability: The controller should be able to demonstrate compliance with the above principles.

As with other data privacy and security standards, GDPR includes the concept of proportionality – the controller should implement appropriate technical and organizational measures to ensure and demonstrate compliance. The measures taken by the controller should be proportionate to the processing in question.

Privacy by Design and Privacy by Default – Article 25 of GDPR

Privacy by design is not a new concept, but its inclusion in GDPR shows how practical, risk-based measures are now becoming legal requirements. Privacy by design requires the controller to implement appropriate technical and organizational measures from the initial setup of operations. In other words, privacy cannot be an afterthought; rather, privacy issues should be considered and risk-based security measures taken throughout the lifecycle of the process, from initial design through data deletion.

Privacy by default means that the controller should put in place appropriate technical and organizational measures to ensure that, by default, only the needed amount of personal data is collected and processed. The user shouldn’t have to opt out from giving extra information. The controller cannot gather more information “just in case” it might want to use it later.

Accountability means monitoring and demonstrable compliance. A controller needs to be able to show that it has adequate security in place and that compliance is monitored. The penalties for non-compliance with GDPR are substantial: the maximum administrative fine is 20 million euros or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.

EMM importance for GDPR compliance

Enterprise Mobility Management (EMM) solutions, such as MobileIron, are an important component of a reasonable GDPR compliance program:

  1. EMM allows the IT administrator of the controller to establish a clear boundary between personal and business data on the device. The controller doesn’t have access to the content of personal apps or personal email accounts on the device. This is critical to the data minimization as well as the integrity and confidentiality principle of GDPR.
     
  2. EMM gives the IT administrator visibility into which devices and apps are accessing business services. In the case of a data breach, audit logs let the IT administrator reconstruct which devices and apps accessed business services, which compliance checks fired, and what actions IT took in response. This provides a clear record of any unauthorized access to business services and supports the GDPR principle of integrity and confidentiality, as well as of accountability. MobileIron’s solution enables the IT administrator to:

    Manage inventory
    – Identify authorized and unauthorized devices.
    – Identify authorized and unauthorized apps.

    Whitelist applications
    – Establish a subset of applications that are authorized to run on a device and access business services.

    Protect Access
    – Allow only authorized users, devices, and apps to access business services, whether on-premises or in the cloud.

    Provide audit logging
    – Monitor administrative actions and business data flows.
     

  3. Finally, EMM allows the IT administrator to protect the device from security threats, which is important for the principle of integrity and confidentiality, as well as of accountability. MobileIron’s solution enables the IT administrator to enforce compliance:
    – Apply appropriate security configurations and policies to the devices and applications.
    – Monitor the security compliance of the device and applications, including detection of devices whose operating system integrity has been compromised by jailbreaking or rooting.
    – Take remediation actions if the device or application is out of compliance.

Conclusion

A controller (i.e., enterprise) cannot reasonably believe that it is providing adequate security for personal data unless it can demonstrate that it has implemented appropriate EMM controls and procedures to ensure separation of business data from personal data on the device, and to protect that business data from external threats and unauthorized use or disclosure. The MobileIron solution provides a controller with a robust framework for compliance with the data minimization, integrity and confidentiality, and accountability principles of GDPR.


Source: MobileIron Smart@Work Blog

6 Things Every CIO Should Know About iOS 10.3


iOS
Market Trends
March 27, 2017

Last year at the end of March, Apple released important new enterprise features in a sub-point release (iOS 9.3), breaking a tradition that harkens back to the release of the very first iOS device in 2007. While in the past, most major iOS enhancements were announced at Apple’s Worldwide Developer Conference (WWDC), and delivered in the Fall, this year for the second year running, we will also see a major Spring release, iOS 10.3. Once again, Apple will focus the “dot 3” release on delivering new features to business and education customers. Here’s what you need to know.

1. Better Wi-Fi Controls

A new iOS restriction lets admins control which Wi-Fi networks supervised (corporate-owned) devices can join. Once it is enabled, a device can connect only to networks that were installed by configuration profile, so when an end user opens Wi-Fi settings they see only the networks their administrator pre-defined, and only while the device is in range of the corresponding access point. Wi-Fi restrictions will be especially attractive to organizations that want to keep kiosk and point-of-sale devices off untrusted networks. Together with a new capability that allows admins to remotely shut down and restart devices, Apple is investing in features that should appeal to organizations deploying Corporate Owned Single Use (COSU) devices, such as kiosks.

2. Email Just Got More Secure

Apple is adding support for OAuth 2.0 in the native Mail app. The new authentication option is available to organizations that deploy Exchange through Microsoft Office 365 with Active Directory Federation Services (AD FS). With OAuth 2.0, the mail client authenticates to Exchange with an access token obtained after the user signs in at the identity provider, rather than storing the account password on the device and presenting it on every connection; tokens are short-lived and can be revoked without resetting the password. Together with improvements to S/MIME, the standard that uses certificates for signing and encrypting email, Apple is demonstrating a serious commitment to securing enterprise email on iOS devices.

3. tvOS management: It’s not just for iPhones and iPads

Apple is making a significant investment in beefing up controls around tvOS. The new iOS 10.3 EMM commands that let admins remotely shut down and restart iOS devices are also being extended to tvOS 10.2 and later. Other enhancements allow admins to deploy configurations such as certificates, Wi-Fi networks, and global proxies that were previously only available on iOS devices. From a security standpoint, admins will also have more control over how tvOS devices use AirPlay, when a passcode is required, and which apps can be used on an Apple TV.

4. Continued investment in Education

The Shared iPad in Education program was introduced with iOS 9.3 and includes a cloud component called Apple School Manager (ASM) and a teaching app called the Classroom app. Currently the program, which requires enrollment with DEP and EMM management, is only intended for educational institutions. However, with iOS 10.3, Apple is introducing the concept of an unmanaged Classroom 2.0 app that can be used by any institution. Apple is also making some incremental improvements to the existing Shared iPad in Education program and continues to invest heavily in education. For more information about Apple’s education programs, check out Apple’s Education website.

5. iOS has a new File System

One of the biggest changes in iOS 10.3 is something most people won’t even notice. The file system, the underlying structure that iOS runs on, is being replaced for the first time since the iPhone shipped in 2007. The outgoing HFS+ descends from HFS, which Apple introduced on the Mac back in 1985, and it is also what tvOS runs on today. The new Apple File System (APFS) is optimized for SSDs and flash memory and designed for low latency, so common operations should complete faster on your device. It also supports encrypting data with multiple keys (per-file keys and a separate key for metadata), which could portend practical new data protection capabilities in future releases. APFS makes its first appearance on iOS 10.3 devices, with macOS and tvOS to follow soon after. Because the upgrade converts every file on the device in place, organizations deploying in-house apps should test them thoroughly against iOS 10.3, and don’t forget that Apple will soon deprecate support for 32-bit apps.

6. Better controls for company-owned devices

Many of the new capabilities in iOS 10.3 can only be deployed to “supervised” devices. Supervision is Apple’s mechanism for corporate-owned devices: a supervised device can be tightly restricted to business-mandated functions and accepts additional management controls that are unavailable on personally owned devices. Companies that participate in Apple’s Device Enrollment Program (DEP) can supervise devices over the air when they are enrolled with MobileIron. As in the past few releases, Apple has also indicated that some iOS restrictions that were previously available on all iOS devices will be deprecated for unsupervised devices and made available only to supervised ones. Although Apple doesn’t provide dates for these deprecations, if your organization deploys iOS restrictions to BYOD devices, it is worth reviewing your current restriction policies.

To learn more, tune into our podcast on iOS 10.3.


Source: MobileIron Smart@Work Blog