Whitepaper FAMOC Mobile Device Management

FAMOC. Enterprise Mobility Management
www.fancyfon.com
MOBILE DEVICE MANAGEMENT: FAMOC WHITEPAPER
EXECUTIVE SUMMARY
As businesses strive to cope with the tremendous surge in mobile device and application usage, it has
become essential to implement systems that allow real-time monitoring, management and data
protection. In short, corporate and personal mobile devices need to be integrated into IT
management and helpdesk solutions, and costs need to be managed. Failure to do so results in
security and compliance issues, unnecessary operational expenditure and productivity leakage.
Of particular concern is security policy compliance across the different operating systems, mobile
devices and business applications in use, not to mention the “Bring-Your-Own-Device” (BYOD)
strategies that are of great interest nowadays.
FAMOC is one of Europe's leading MDM solutions on the market, and the most complete and flexible
solution for mobile device lifecycle management. The system supports all major mobile device
platforms, allowing Apple (iPhone and iPad), BlackBerry (BES / BIS), Android, Symbian, Bada,
Windows Phone, Windows Mobile, Java-enabled phones and HP / Palm WebOS devices to be
centrally administered using one interface.
FAMOC provides central management and control of all mobile devices, especially when it comes to
the security policy enforcement, distribution of roles and permissions, connectivity and access
configuration, location, billing, remote support and inventory of the entire smartphone fleet.
FAMOC ensures that managing mobile devices remotely becomes quick, easy and error-free, which
also means that the organization’s smartphones and tablets are always working efficiently. Moreover,
the company can easily migrate between different mobile devices. The Remote Support feature allows
IT to provide immediate assistance and troubleshoot devices. On request, the helpdesk can reset a
device password, set a new one, or delete the device data with a remote wipe. This increases
privacy and security while reducing IT effort and costs. User satisfaction increases significantly.
Particularly noteworthy in FAMOC Mobile Device Management are the simple and flexible deployment
options (onsite/cloud-based), an infinitely scalable proxy functionality, full multi-tenancy and
seamless integration with the company’s internal and external infrastructure. On these
decision-relevant criteria, FAMOC Mobile Device Management currently enjoys a unique position in the
market.
Copyright© 2008-2013 by FancyFon Software Ltd.
Table of Contents
1 Establishing baseline
2 Advantages
3 Unique Selling Points
    3.1 Fast and Simple Roll-Out
    3.2 Multi-Tenancy
    3.3 BES Adapter
    3.4 Out-of-the-Box Anti-Virus Integration
    3.5 Effective Security Policy Enforcement and Monitoring
    3.6 Scalable and Configurable Proxy Functionality
4 FAMOC Features
    4.1 General Features
    4.2 Server Functionality
    4.3 Devices and operating system support
5 FAMOC Features
    5.1 Security Policy Management
    5.2 Application Management
    5.3 Data Backup and Migration
    5.4 Inventory (Asset Management)
    5.5 Real-time Remote Support / Helpdesk
    5.6 Configuration Management and Bootstrap
    5.7 FancyFon SecureSource
    5.8 Enterprise AppStore
    5.9 End-user self-care portal
6 Integration Options
    6.1 BES Integration
    6.2 Active Directory / Open LDAP
    6.3 Web Services
    6.4 FAMOC Mobile Identity Management
    6.5 Apple's Volume Purchase Program (VPP)
    6.6 VPN Support
    6.7 Third Party Integration
7 Infrastructure Protection
    7.1 Proxy Concept
    7.2 Certificate Management
    7.3 Jailbreak and Rooting
8 Technical Overview
    8.1 System Architecture
    8.2 High Availability
9 Virtualization
10 System Requirements
11 Hardware Requirements on the VMware ESXi Server
12 Installation Requirements
13 Hosted Solution
Table of Figures
1 Establishing baseline
With the so-called ‘IT consumerization’, diverse devices started to enter enterprise environments.
Previously, corporate mobility was a uniform landscape: it consisted mainly of BlackBerry devices,
which offered robust technology and guaranteed high security and reliability in the mobility
infrastructure. The BlackBerry technology was accepted as safe and could be operated economically
with relatively little training and administration cost. It was hardly perceived as a separate cost of IT.
But then the corporate mobile landscape changed abruptly. RIM, the Canadian manufacturer of
BlackBerry, lost track of the mobility trends of the last 5 years and the BlackBerry became
significantly less attractive. The executives in the company quickly made sure that much more
attractive iOS devices (iPhone and iPad) found their way into the enterprise. This led the IT
departments to take advantage of these new devices and to manage diversity.
The same is happening now with Android devices. Here, however, things become even more
difficult: many manufacturers of Android devices use the operating system merely to
complement their own components, which leads to even greater fragmentation of the device
landscape.
Bring-Your-Own-Device (BYOD)
In recent months there has been a huge spike in employees bringing their own smartphones and
tablets to work; as a result, there is a whole list of new challenges for the IT department to address:
- What happens if an employee’s personal smartphone, which has sensitive corporate data
  downloaded onto it, is lost or stolen? What if the device isn’t password protected?
- What happens if the employee leaves the organisation, having used their personal
  devices to store corporate data? How can this data be recovered?
- How can you prevent an employee accessing privileged information with a personal
  device, and passing it on to a third party?
- How can you protect the employee’s personal device from being hacked?
Some companies allow employees to use their own device for everyday business. The cost, safety,
and regulatory issues associated with this strategy are often not seen or are hidden. Administrative
expenses increase significantly as the variety of mobile devices to be managed in the enterprise
grows immensely. The security risk for the company increases significantly. This can only be managed
with an MDM solution that can handle all these platforms and firmware versions.
What does this scenario mean for the IT department?
- Each mobile operating system (for Android, each manufacturer) needs its own management
  solution (iPhone Configuration Utility, the BlackBerry Enterprise Server, Microsoft Systems
  Management Server; HTC, Samsung and Motorola have their own management solutions, etc.)
- Assets are hardly controllable
- Intensive training for the IT administration
- Multiple support teams for the different systems
- Standalone security concepts for mobile platforms
What does this scenario mean for enterprise security?
- Integration and implementation of a number of mobile security solutions (VPN clients, IT
  policies for BlackBerry, security policies for Windows Mobile devices, iPhone Configuration
  Utility, etc.)
- In case of theft or loss of a device, business-critical data is lost and cannot be cleared
  centrally. Even with BlackBerry and Windows Mobile devices, where you can send a remote
  ‘kill handheld’ command, this is not guaranteed. If the thief or finder inserts a different SIM
  card that is not Internet-enabled, the wipe will not be executed, since it requires data connectivity.
- Hardly manageable security risks in case of BYOD, if these devices are not included in a
  mobility management solution
What does this mean for the cost?
- Rising costs, as more management solutions are in use
- Exponentially rising costs, with more operating systems supported
Solution to the problem: FAMOC Mobile Device Management
Enterprises need a centralized solution to manage diverse devices effectively. FAMOC Mobile Device
Management responds to all of the previously mentioned challenges, enabling secure, centralized
management and control of all mobile devices in a corporate environment.
FAMOC supports all major mobile device platforms. Apple (iPhone and iPad), BlackBerry (BES / BIS),
Android, Symbian, Bada, Windows Phone, Windows Mobile, Java-enabled phones and HP / Palm
WebOS devices are centrally administered under a single interface.
FAMOC empowers IT, Security and Helpdesk departments to streamline asset administration, ensure
data security, enhance mobile applications experience and improve overall productivity. With the
solution, expense management for the company’s mobile structures becomes manageable again.
Single point of control
FAMOC is a single management solution to control your diverse and expanding mobile world:
- Central web-based management console – Multiple mobile phones are correctly configured
  over the air in minutes via a single, web-based administration console
- Multi-OS support with automatic device and platform recognition – RIM, Symbian, Apple,
  Windows Mobile, Android, Java-based feature phones, Samsung Bada, Nokia/Intel MeeGo,
  HP-Web OS and MS-Windows Phone 7
- Multiple server management – Enables the seamless synchronization and management of
  external servers, such as RIM BlackBerry Enterprise Servers (BES 4.x, BES 5.x), Lotus Domino,
  Exchange or SNMP Servers
- Multi-tenancy support – FAMOC allows the creation of multiple units/departments with
  separate groups of users, allowing for multiple administrators, with varying levels of access
  privileges
- Multi-language support – Enables multi-national environment management providing the
  flexibility of adding new language support to the system
- Scalability – FAMOC is capable of coping and performing under an increased and expanding
  workload, allowing new devices and services to be added seamlessly and cost-effectively to
  fuel business growth
2 Advantages
FancyFon's MDM product is an award-winning solution with a number of unique features, which
include out-of-the-box antivirus protection, in-depth security features for the Android platform,
and Remote Access to the device screen and keyboard for a range of platforms including Android. Our
solution is flexible and offers an API for easy integration with existing customer portals as well as
other 3rd party solutions.
This powerful administrative interface provides centralized cross-platform administration of mobile
devices with all applications and configurations and provides for the enforcement of existing
company policies and safety standards to the entire inventory of mobile devices.
FAMOC enables customers to optimize costs, whilst centralizing and simplifying the processes
associated with managing a mobile business environment.
FAMOC advantages
- Flexible deployment options
- Platform constantly verified by numerous customers in Europe since 2009
- Support for all major mobile platforms
- Unified management interface with a precise overview of all mobile devices
- Seamless integration with corporate infrastructure (including BES integration and
  management)
- Continuous backup of mobile data with cross-platform data migration
- Real-time and automatic inventory
- Effective security policy enforcement and monitoring with advanced security features
- Out-of-the-box anti-virus integration (powered by Webroot)
- Unrestricted proxy functionality
- Remote Access for support and troubleshooting (incl. Samsung and other Android devices)
- Scalability
- Streamlined administration procedures
- Reduced equipment downtime
- Efficiency / cost savings
3 Unique Selling Points
FAMOC Mobile Device Management offers outstanding, decision-relevant features that are
currently not available in this form in any other solution on the market.
FAMOC unique selling points include:
- Fast and simple roll-out
- Scalability and multi-tenancy
- Advanced enterprise and security Android features
- BES integration (BES and BES Express)
- Native Windows Phone 8 support
- Out-of-the-box anti-virus integration
- Effective security policy enforcement and monitoring
- Configurable proxy functionality
- High availability hosting
FAMOC Mobile Device Management is characterized by extremely rapid update cycles. The solution is
continually being developed and adapted to the demands of the market and users. Frequent
software updates are released on a two- to six-week cycle and are provided to users free of charge.
3.1 Fast and Simple Roll-Out
FAMOC ensures not only simple integration with internal enterprise infrastructure but also a seamless
and fast MDM solution roll-out. Users, devices or SIM cards are added to the platform via a file import
or external server synchronization. The next step is to send out the installation package. After the
FAMOC client components are installed, devices automatically start reporting to the FAMOC server.
Security policy implementation and enforcement is as simple as that.
3.2 Multi-Tenancy
From as few as 100 users, an MDM system may need to be multi-tenant.
FAMOC Mobile Device Management provides full multi-tenancy support, which means that the
system allows management of an unlimited number of structures with different permissions and
prerogatives.
The system enables:
- Management of devices from different companies within corporations or business group
  from a single console
- Management of end-points of subsidiaries and branches
- Management of devices from different areas and departments
- Management of devices from different IT structures (LDAP / Active Directory)
- Management of the devices with different PIM connections (MS Exchange, Lotus Notes,
  Novell GroupWise)
- Management of devices from different BlackBerry Enterprise Server structures
FAMOC provides seamless integration with various LDAP / AD structures and allows management of
different levels of hierarchy with multiple VIP structures. For example, IT service providers are able to
manage infrastructures of multiple customers within a single console. Additionally, separate
structures can be created for different functional needs e.g. accounting, asset administration,
security controlling.
The data of the FAMOC MDM system is freely scalable and can be passed via web services to other
monitoring and enterprise systems. Specific data from FAMOC can be passed to external systems, and
other data can be extracted from external systems and displayed in the FAMOC console.
Equally significant is the fact that the system administrator can quickly and easily create licenses for
each client, which limit the duration and number of devices.
Multi-tenancy with FAMOC MDM is available both in the hosted/cloud solution and in the in-house
solution.
Figure 1 Adding organizations
Figure 2 Adding new institution
3.3 BES Adapter
When integrated with the BES adapter, FAMOC allows management of complex mobile device
infrastructures with full BES integration. The BES adapter is a standalone appliance which supports
the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express. FAMOC provides full
BES support and the possibility to integrate with multiple BES servers, consolidating the
infrastructure under a single interface.
The difference from other MDM solutions is that FAMOC not only collects BES data, but fully
integrates BES servers into the system allowing multiple BES servers to be managed centrally from
FAMOC MDM interface.
The BES-adapter is also available in the hosted solution. Like all other features, the BES adapter is an
integral part of the solution - a free option for users.
BlackBerry management capabilities
With the management capabilities of FAMOC for BlackBerry, BlackBerry smartphone users
experience the following features from FancyFon:
- Integration into multiple BlackBerry Enterprise Servers to provide a single point of control
  and remove administrative complexity
- BES users management enabling auto-activation of users, bulk operations on multiple BES
  servers, and quota monitoring
- Remote application installation and device configuration empowering remote software
  installation, data synchronization, configuration of parameters, and corporate policy
  deployment
- Backup and restore of BlackBerry contacts, calendar information and other defined data and
  files, over the air, initiated by the BlackBerry user or centrally by an administrator
- Security enhancement and regulatory compliance including secure data migration,
  corporate policy implementation, benchmark policy creation, the configuration or wipe of all
  BlackBerry handsets, and the remote wipe of a handset’s SD card when required
- Over the air troubleshooting and user support to reduce staff downtime, speed diagnosis
  and problem resolution, and ensure that staff have constant access to crucial data and
  resources, irrespective of time and place
3.4 Out-of-the-Box Anti-Virus Integration
FAMOC provides the best-of-breed antivirus protection thanks to integration with Webroot.
With Android devices proliferating across corporate mobile environments and being heavily targeted
by hackers, having an effective anti-malware solution is crucial to corporate data protection.
The out-of-the-box anti-virus solution extends the set of unique features for Android devices, including
in-depth security management and Remote Access to the device screen and keyboard, providing the
next decision-relevant feature and a significant competitive advantage.
3.5 Effective Security Policy Enforcement and Monitoring
FancyFon fully understands the importance of mobile device security, and is at the forefront in
developing state of the art security solutions. FAMOC security management ensures an unparalleled
level of security support across multiple platforms, managed centrally, over the air, empowering IT
administrators to easily address all the new challenges of enterprise mobility management.
3.6 Scalable and Configurable Proxy Functionality
FAMOC provides extremely flexible configuration possibilities for the proxy structures.
FAMOC identifies devices using IMEI, serial numbers, UID or Exchange ID. If a device that
attempts to connect to Exchange cannot be identified, is stolen or is unmanaged, FAMOC
generates alerts or disables access for that device.
Available access policies that can be used with the main policy:
- Allow access for devices managed in FAMOC
- Allow access for devices whose last contact was not earlier than …
- Allow access for devices from the whitelist
- Block access for devices that report blacklisted applications
- Block access for jailbroken devices
For more information refer to section 7.
4 FAMOC Features
4.1 General Features
- User-friendly interface
- Single point of control over the entire mobile infrastructure
- Unified management interface for all mobile platforms
- Support for different mobile devices (iPhone / iPad, BlackBerry (BES / BIS), Symbian
  S60, Windows Phone, Windows Mobile, Android, Bada, Java enabled phones, HP / Palm Web
  OS and more)
- Wizard for initial use and administration console setup
- Enforcement of existing company policies to mobile devices
- Seamless deployment, integration and activation of business applications
- Inventory of the mobile environment (some data uploaded with automatic device detection)
- Expense monitoring with integrated billing module
- Cross-platform data migration (e.g. address book, applications, settings)
- Global real-time remote support for end-users
- Unrestricted scalability with BYOD scenarios
- Comprehensive reporting
- Multilingual interface
4.2 Server Functionality
- Scalable integration with external enterprise management systems (such as IBM Tivoli /
  Netcool and all other with SOAP / SNMP integration) through Web Service interface and
  SNMP
- User management (management of different divisions, different LDAP / Active Directory
  structures, integration of various proxy capabilities, different terminals hosted), full
  configurability of the proxy functionality (in customer's own environment or combined)
- Integration of different CA-hosted structures (in customer's own environment or hosted)
- BES integration (via the BES adapter - can be hosted at customer's own infrastructure and
  managed directly from FAMOC console)
- Group-based rollout of applications and configurations
- Available as a hosted version or as an in-house solution
- TouchDown support
- High availability - in-house or hosted
- WebService integrations
4.3 Devices and operating system support
- Android
- Apple iOS
- RIM BlackBerry
- Windows Phone
- Symbian S60
- Symbian UIQ, Windows Mobile
- Java
- Samsung BADA
- Nokia/Intel MeeGo
- HP/PALM WebOS
5 FAMOC Features
FAMOC is a powerful solution for mobile environment management. Its functionality is divided into
the following modules:
- Security policy management
- Application management
- Data backup and migration
- Inventory (asset management)
- Real-time remote support / helpdesk
- Configuration management and bootstrap
- FancyFon SecureSource
- Billing module
- Enterprise AppStore
- End-user self-service portal
An MDM system requires constant maintenance, development and adaptation. FAMOC is subject to
a continuous and very short innovation cycle, with functionality developed according to customers’
needs. The solution is not static; it grows with the market and in interaction with the users.
FAMOC is a web-based management console, so no software needs to be installed on the user’s
systems.
Figure 3 Dashboard
5.1 Security Policy Management
FAMOC security management implements corporate security policy allowing differentiated access
rules for groups and shared data including pre-defined user profiles.
Moreover, the solution allows for end-to-end certificate lifecycle management, also via integration
with existing corporate Certificate Authorities. If a mobile device is lost or stolen, FAMOC can remove
all applications and sensitive data, over the air, to prevent any security breaches.
If, on the other hand, an employee leaves the organization or breaches security policy, the
administrator can select and wipe only the sensitive corporate data from the device. Also, if the
system detects an unauthorized SIM card, the device can be locked and wiped. The system ensures
secure communication between the server and mobile devices, protects stored data and enables
seamless corporate policy deployment.
Figure 4 Configurations repository
FAMOC security management quick feature guide
CONNECTIVITY CONFIGURATION
- Browser and APN restrictions - sets parameters around approved and forbidden
  Internet connections, configures corporate APN usage
- VPN configuration - provides over-the-air VPN connection configuration to company
  mail servers for predefined groups of users
- Anti-virus application management - enables the installation, configuration and
  administration of antivirus applications on mobile devices
- Bluetooth monitor - blocks Bluetooth connectivity, preventing unauthorized data
  transfer
- Certificate management - a unique system that uses individual certificates for each
  device, with a remote invalidation option. When transferring data between your
  phone and FAMOC server, the certificate request comes from the device, the key
  never leaves the device, so it is not possible to impersonate the device by copying
  the certificate
DATA PROTECTION & BACKUP
- Data encryption - encrypts all drives on the devices, including removable media,
  preventing data from being removed from the device
- Data security management - improves email security, prevents messages being
  moved, blocks the use of 3rd party email accounts, automatically rejects untrusted
  certificates, manages application installer, enforces password for iTunes, controls
  iCloud
- Password policies - remotely enforces password protection, defining complexity and
  the regularity of changes
- Auto-lock - ensures the user is automatically logged out, or the phone is locked, after
  a specified period of inactivity
- Data backup/restore - enables automated and encrypted backup sessions to be
  performed, with cross-platform data restore eliminating the risk of losing critical data
  on the handset
- Data wipe - automatic full or selective wipe settings for the mobile device and
  memory card if the device is lost or stolen, or if a wrong password is entered, or if
  the SIM card is changed (even with no Internet connectivity)
DATA ACCESS CONTROL
- Containerization & BYOD – provides a clear distinction between corporate and
  privately owned devices with separate policies based on the ownership of the device
- Access rules for specific groups or departments - predefines user profiles, loads sets
  of shared data for different work groups
- Exchange Proxy – real-time EAS traffic control between mobile device and Exchange
  server with automatic access denial for devices that are:
  - Lost / stolen
  - Not reporting to the server for a predefined period of time
  - Not in compliance with the policy (e.g. contain a blacklisted application)
- Application password protection - empowers administrator to block access to an
  application with a lock code or administrator password
- Secure access to corporate file server via SecureSource – enables iPad users to
  securely access documents that are stored on the corporate server. With
  SecureSource, documents are only available in the mobile device’s temporary
  memory during the session, and all documents are automatically wiped from
  memory when connection is terminated. No traces of documents are available on the
  device, therefore if the device is lost or stolen there is no risk of data leakage. In
  addition, the entire communication and file access trail is logged for audit purposes.
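The Exchange Proxy denial rules above, combined with the device identifiers and access policies listed in section 3.6, as an added example (not FAMOC code): a default-deny access decision for one incoming EAS connection attempt. The rule ordering (block rules first, then whitelist, then managed and recently seen), the 7-day silence limit, all field names and the inventory records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ID_FIELDS = ("imei", "serial", "uid", "exchange_id")  # identifiers from section 3.6


@dataclass(frozen=True)
class Device:
    """Inventory record; the field names are assumptions for this sketch."""
    imei: Optional[str] = None
    serial: Optional[str] = None
    uid: Optional[str] = None
    exchange_id: Optional[str] = None
    managed: bool = False
    lost_or_stolen: bool = False
    jailbroken: bool = False
    last_contact: Optional[datetime] = None
    apps: frozenset = frozenset()


@dataclass(frozen=True)
class Policy:
    max_silence: timedelta = timedelta(days=7)  # assumed value for the last-contact rule
    whitelist: frozenset = frozenset()          # Exchange IDs allowed explicitly
    app_blacklist: frozenset = frozenset()
    block_jailbroken: bool = True


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    alert: bool = False


def find_device(request_ids, inventory):
    """Return the single record the request identifies, or None.

    A request that matches several records, or that presents an identifier
    contradicting the matched record, is treated as unidentified.
    """
    presented = {f: request_ids[f] for f in ID_FIELDS if request_ids.get(f)}
    matches = [d for d in inventory
               if any(getattr(d, f) == v for f, v in presented.items())]
    if len(matches) != 1:
        return None
    dev = matches[0]
    for f, v in presented.items():
        known = getattr(dev, f)
        if known is not None and known != v:
            return None
    return dev


def decide(request_ids, inventory, policy, now):
    """Default-deny decision for one connection attempt."""
    dev = find_device(request_ids, inventory)
    if dev is None:
        return Decision(False, "unidentified device", alert=True)
    # Assumed ordering: block rules run first so no allow rule can override them.
    if dev.lost_or_stolen:
        return Decision(False, "lost or stolen", alert=True)
    if policy.block_jailbroken and dev.jailbroken:
        return Decision(False, "jailbroken", alert=True)
    bad = sorted(dev.apps & policy.app_blacklist)
    if bad:
        return Decision(False, "blacklisted app: " + ", ".join(bad), alert=True)
    # Allow rules: explicit whitelist, otherwise managed and recently seen.
    if dev.exchange_id in policy.whitelist:
        return Decision(True, "whitelisted")
    if not dev.managed:
        return Decision(False, "unmanaged device", alert=True)
    if dev.last_contact is None or now - dev.last_contact > policy.max_silence:
        return Decision(False, "no recent contact")
    return Decision(True, "managed and compliant")


# Constructed sample data (not real devices).
NOW = datetime(2013, 6, 1, 12, 0)
INVENTORY = [
    Device(imei="356000000000001", exchange_id="EAS-A1", managed=True,
           last_contact=NOW - timedelta(hours=1), apps=frozenset({"mail", "crm"})),
    Device(serial="SN-0002", exchange_id="EAS-B2", managed=True,
           last_contact=NOW - timedelta(days=30)),
    Device(uid="UID-0003", exchange_id="EAS-C3", managed=True, jailbroken=True,
           last_contact=NOW),
    Device(imei="356000000000004", exchange_id="EAS-D4", managed=True,
           last_contact=NOW, apps=frozenset({"mail", "filedrop"})),
    Device(exchange_id="EAS-E5"),  # unmanaged, but whitelisted below
]
POLICY = Policy(whitelist=frozenset({"EAS-E5"}), app_blacklist=frozenset({"filedrop"}))

if __name__ == "__main__":
    for ids in ({"exchange_id": "EAS-A1"}, {"serial": "SN-0002"},
                {"uid": "UID-0003"}, {"exchange_id": "EAS-D4"},
                {"exchange_id": "EAS-E5"}, {"exchange_id": "EAS-ZZ"},
                {"exchange_id": "EAS-A1", "imei": "356000000000004"}):
        print(ids, "->", decide(ids, INVENTORY, POLICY, NOW))
```

The last request in the demo presents an Exchange ID from one record and an IMEI from another; it is denied as unidentified rather than matched on whichever identifier happens to be checked first.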
USER RESTRICTIONS
- Installation restrictions - ensures that employees aren’t installing inappropriate or
  unsafe applications, or uninstalling business critical applications or data
- Application blacklist - manages lists of forbidden applications for download,
  preventing the mobile phone coming under attack from malware, spyware or viruses
- Device functionality restrictions – sets restrictions around the use of mobile device
  applications, such as use of the web browser, or the phone’s camera
REAL-TIME MONITORING AND ALERTS
- Instant alerting in case of security threats:
  - SIM card change
  - Devices not connected to server
  - Stolen/lost devices
  - Breaks in regular backup
  - Jailbreak
- Instant reaction when security is breached:
  - Remotely lock device
  - Automatically wipe on X password attempts or SIM change
  - Identify device location
5.2 Application Management
FAMOC application management automatically discovers and reports on the organization's mobile
device inventory, providing a real-time view of all applications, and information on their health and
usage.
Moreover, FAMOC empowers administrators to easily manage a corporate application repository and
integrate it with external AppStores (Apple Volume Purchase Program support). Offering the highest
standards of security management, FAMOC provides full control over the applications installed on
end-users' devices (e.g. blacklisting, whitelisting, installation restrictions) and ensures secure
communication, configuration and data protection for all business apps used within an organization
(e.g. passwords and challenge response authentication).
Figure 5 Application repository
FAMOC application management quick feature guide
REMOTE APPLICATION ADMINISTRATION
- Enables scheduled actions for single users and groups of devices (predefined intervals
  of operations, off-peak time actions)
- Ensures seamless application provisioning and installation as well as service
  activation
- Manages over-the-air application configurations and upgrades
- Provides scheduled or ad-hoc backup and restore of application data
- Tracks device software performance
- BYOD support with installation and management of business apps only
- Enables remote application uninstall, service deactivation and device clean-up
- Provides remote application start
- Offers a “keep software alive” option ensuring that crucial business apps are
  constantly active and automatically restart when necessary
CORPORATE APPSTORE
- Easily manages the corporate application repository
- Allows integration with external AppStores (VPP support)
- Lets users access the corporate AppStore directly from their devices
APPLICATION SECURITY MANAGEMENT & MALWARE PROTECTION
- Enables user installation restrictions
- Manages a blacklist of unauthorized applications, preventing the mobile phone
  coming under attack from malware, spyware or viruses
- Ensures anti-virus application management
- Enforces application password protection, empowering administrator to block access
  to an application with a lock code or administrator password
- Offers challenge response authentication for application access (on-mobile token)
REMOTE DIAGNOSTICS
- Provides visibility into ongoing application performance
- Discovers running applications
- Monitors critical application parameters
- Identifies root cause of performance issues and facilitates problem resolution
5.3 Data Backup and Migration
With the continuous backup, crucial data is protected permanently and can be immediately
recovered in case of device loss or hardware failure.
Additionally, FAMOC allows cross-platform data migration. Thus, a user without losing any data and
at no additional expense can easily switch from a Nokia device to a BlackBerry smartphone. Data
backup function requires a client component that transmits the collected data to the backup server.
The backup server must therefore have sufficient storage capacity.
Currently, not all mobile platforms support this FAMOC function. Compatibility depends on
the current technical specifications of the platform manufacturer. A detailed overview is given in
the technical specification.
Figure 6 Data import
5.4 Inventory (Asset Management)
FAMOC detects, stores and reports on a mobile device fleet, no matter how large or fragmented,
building a library of information about company assets, including hardware, software, SIM cards,
users and processing information. Thus the solution gives a real time view into the organization’s
mobile environment, and is a highly useful resource for future planning.
Figure 7 Device inventory
Figure 8 Single device view
5.5 Real-time Remote Support / Helpdesk
The helpdesk integration and the associated Remote Access is an essential part of FAMOC mobile
device management. FAMOC Remote Access is a highly secure and easy to use solution that
troubleshoots mobile devices over the air, empowering the administrator to take remote control of
mobile devices over a data connection (e.g. GPRS/EDGE/3G, WiFi), to view the device screen and use
the device keyboard.
Over the air end user support with speedy diagnosis and problem resolution translate into a
reduction of overall IT departmental costs, acceleration of new service adoption, a decrease in device
downtime and an increase in workforce efficiency.
It is possible to set up alarms via email, SMS, and SNMP for individual users or groups of users
in various cases, such as immediate notification when jailbreak, rooting or a blacklisted
application is detected on a managed device.
Figure 9 Remote Access panel
5.6 Configuration Management and Bootstrap
FAMOC enables administrators to perform all tasks related to over-the-air configuration provisioning,
and supports a wide array of devices and operating systems. The solution tracks data for both
individual assets and the entire system (version and model number, baseline performance, relations
to other assets), empowering the remote configuration of parameters and corporate policy
deployment.
FAMOC allows the configuration of general settings for specific departments. This can be done using
operation packages, which may consist of FAMOC client components, policies, applications and text
messages.
Figure 10 Package configuration
Bootstrap functionality
On the bootstrap page, mobile devices can quickly, easily and safely enroll in FAMOC.
The page provides the administrator with various ways of adapting to different requirements in the
following areas:
- Design:
  - Adjustable link (based on the server name), page title and welcome text
  - User authentication to AD, local user, password, or OTP password
- Installation methods:
  - Configurations and applications that should be installed with the Base Agent
  - Group-related assignments, so that complex structures can be mapped easily
It is possible to prepare different installation packages for different operating systems. The user is
allowed to select between different sets, but the system also provides automatic platform detection.
5.7 FancyFon SecureSource
FancyFon SecureSource addresses the growing requirement from organizations to provide their
mobile workforce with secure access to corporate documentation.
SecureSource enables mobile workers to use tablets to access documents that are stored on the
corporate server, however documents are only available in the mobile device’s temporary memory
during viewing, and all documents are automatically wiped from memory when connection to
SecureSource is terminated. In addition, SecureSource is designed to auto-lock after a predefined
period of time, to block access to documents in third party applications (to prevent forwarding or
printing, etc.), and also to report on any attempts to open the documents in third party applications.
Devices with SecureSource will not store corporate documents. Even in case of device loss or theft,
sensitive data is protected. Additionally, all mobile access to documents is recorded by the system
which is useful when tracking compliance.
By harnessing the power of both FancyFon FAMOC and FancyFon SecureSource, organizations can
embrace the productivity improvements that BYOD offers, without breaching corporate security
policy or putting any sensitive corporate data at risk.
Secure View is currently available for iPads. Android tablets are on the roadmap.
Figure 11 FancyFon SecureSource
5.8 Enterprise AppStore
FAMOC empowers administrators to push apps over-the-air, create specific enterprise AppStores and
to integrate the system with external AppStores.
FAMOC allows the creation of multiple corporate stores and the assignment of groups of users to them. The
corporate stores repository includes all applications unlocked for the company. Employees can install
apps directly on the device. There is no intervention from IT necessary, which reduces the
administrative efforts.
Figure 12 Corporate AppStore in FAMOC
Figure 13 Corporate AppStore on device
5.9 End-user self-care portal
FAMOC empowers end-users to remotely manage their devices using a web-based administrative
console. An intuitive self-care panel provides a real-time view into device parameters, easy access to
corporate AppStore, data backup and migration in case of a device upgrade and prompt reaction in
case of a device loss or theft (location, remote device lock, data wipe) which frees up valuable IT and
helpdesk resources.
Each user can log in to that site with his password and view all the devices he is assigned to. Thus,
every user has the option, for example, to create backups, perform restores, or install and uninstall
applications.
In the security tab, each user can delete his own unit and report it as lost or stolen, e.g. if the
helpdesk is unavailable.
FAMOC end-user self-care quick feature guide
Application management
- Real-time view into applications installed on the device
- Tracking software requiring update
- User-friendly application installation or removal
- Direct access to corporate AppStore
Data persistence
- Encrypted backup session (scheduled / ad-hoc)
- Cross-platform data restore
- Data migration in case of device upgrade
Instant reaction in case of data security threat
- Remote device lock
- OTA data wipe
- Identifying device location
Figure 14 End-user self-care portal
6 Integration Options
FAMOC seamlessly integrates with enterprise infrastructures through:
- BES integration – allows integration with multiple BES servers, consolidating the
  infrastructure under a single interface
- Directory services - allows an Open LDAP or Active Directory server to be added or
  synchronized to FAMOC, which is quick and safe even when using a hosted version.
  The number of lists to be integrated with FAMOC is unlimited.
- Web Services - allows integration of external applications with FAMOC services using the SOAP
  protocol. The freely scalable web service enables data transfer from the FAMOC MDM
  system to any third-party systems.
- Apple's Volume Purchase Program (VPP) – FAMOC allows application redemption codes for
  Apple Volume Purchase Program to be applied in the console.
- VPN concept – FAMOC provides scalable VPN functionality, which is particularly important
  for hosting.
- Third party integrations - Lotus Domino, Exchange / ActiveSync or other solutions can bind to
  FAMOC and easily integrate with the system.
- Imports - allows the administrator to perform bulk imports of users, groups, SIM cards and
  devices to FAMOC
6.1 BES Integration
FAMOC supports BlackBerry Enterprise Server integration in hosted and onsite version. The platform
seamlessly integrates with multiple BES servers, providing a significant simplification of the mobile
assets administration.
6.2 Active Directory / Open LDAP
FAMOC can integrate existing user directories that are created in Open LDAP or Active Directory into
the system. This simplifies significantly the administrative procedures - especially when managing
large numbers of devices.
Synchronizing FAMOC with an existing Open LDAP or Active Directory starts with establishing a
connection. FAMOC provides flexibility in this matter:
- User authentication can be done on the LDAP
- Secure connections and import intervals can be specified
- Different LDAPs can be included, allowing very granular configurations
Figure 15 LDAP synchronization
The next step is class and attribute names mapping. Formatting schemes and replacement values can
facilitate the import significantly. Additional tab allows group mapping.
Figure 16 Data mapping
After saving the settings, it is possible to test the connection. A list of users is displayed and it is
possible to change settings in case errors occur. If data import is displayed correctly, the
synchronization may be activated. After the initial import, a synchronization interval is set, so that
any changes in AD or LDAP are also available in FAMOC.
After the data is imported, the created connections are displayed in the import repository. The administrator can
view all the details of a connection: when it was set, the date of the last and the next synchronization,
synchronization interval, LDAP server address, login, users and groups information. Connections can
be edited and deleted and the import can be triggered manually at any time.
LDAP and AD synchronization is available both in an onsite and a hosted version of FAMOC. In each
scenario, external structures over VPN may be connected to the FAMOC.
6.3 Web Services
FAMOC supports WebService bindings, allowing both passing data to any other system and
extracting the data by third party systems.
This ability is essential for the effective use of an MDM system in many companies and industries.
An MDM solution must be sustainable and be prepared for all possible scenarios. IT is in a continuous
evolution, which does not stop with the introduction of an MDM system. Ticket systems are
modified, supplemented or replaced by new solutions, systems for billing control need to be tied in,
monitoring systems should provide comprehensive top-level information, etc.
When adding an MDM solution to an enterprise infrastructure, such feature clearly speeds up the
process. Especially as there are often different regulations and requirements in individual divisions.
Therefore, an MDM system should provide data in a simple and a heterogeneous manner to meet
the individual needs of the affiliates.
If you want to install an MDM solution in such a scenario, not in an individual company, it should
offer a granular and scalable multi-tenancy. Administration of mobile assets should be centralized
and integrated with other external systems.
6.4 FAMOC Mobile Identity Management
FAMOC Mobile Identity Management enables cross-platform administration of user identities and
certificates. Certificates can be generated and provided remotely allowing the administrator to
efficiently protect sensitive data without user interaction and with the maximum level of data
encryption and security.
The exact workflow in FAMOC Mobile Identity Management is as follows:
- The administrator initiates the process in the FAMOC Web Interface
- A CSR (Certificate Signing Request) is created automatically on the device
- The CSR is sent from the device to FAMOC server (important: only the CSR is sent, the key
  used to generate the CSR remains only on the device)
- The CSR is passed to the integrated CA server
- The CA server generates the actual certificate
- The newly created certificate is sent out to the device and installed
FAMOC Mobile Identity Management is a unique feature which makes identity and certificate
management integrated, unified and secure.
6.5 Apple's Volume Purchase Program (VPP)
FAMOC supports the integration of Apple's Volume Purchase Program (VPP). With this feature,
companies can purchase licenses from Apple and apply application redemption codes via the
console.
Summary of key information about the use of VPP with FAMOC MDM:
- Companies are required to register for an Apple ID, for example [email protected]
- Purchasing applications via VPP is the only way to distribute paid applications to corporate
  iOS devices
- The company needs to decide how the payments are made. Currently, major credit cards and
  Click & Buy can be used for payment of direct debits.
- The delivery of licenses takes in some cases up to an hour. It usually takes less than 10
  minutes, often less than 5 minutes.
6.6 VPN Support
FAMOC provides scalable VPN capabilities:
- Hosted solutions are seamlessly integrated into the user VPN network
- Communication on the SSL or VPN channel is complete (AES or 3DES encryption from 256
  bits).
Moreover FAMOC Mobile Device Management provides a scalable VPN functionality which means
that each VPN can be integrated directly with the server. It supports all currently available VPN
technologies for the integration of the MDM server into existing infrastructures.
6.7 Third Party Integration
FAMOC enables scalable integration with external Enterprise Management Systems (for example
IBM, Tivoli, Netcool).
Similarly, it allows BES, BES Express, Lotus Domino, Exchange 2003 - 2010 and ActiveSync to be
integrated into the MDM system.
Data can be exchanged via SOAP, SNMP and XML protocols with any systems.
Users, groups, devices and SIM cards can be imported and partly exported from existing repositories
to .csv format.
7 Infrastructure Protection
This section describes the level of data protection in FAMOC.
Among other topics the following items are described in this section:
- Scalable proxy functionality
- Integrated Certificate Management (CA)
- Jailbreak and Rooting
7.1 Proxy Concept
An existing proxy server can be easily integrated into the MDM system and the proxy elements of
FAMOC can be flexibly configured, which is of great importance for fail-safe operations.
The advantage of unlimited configurability of proxy functionality is that the MDM is able to keep
pace with the constant growth and dynamic changes of the mobile infrastructure, which is of utmost
importance, especially for complex DMZ scenarios and in case of hosted implementations.
The solution consists of at least one ActiveSync proxy running in the DMZ. Moreover, there is a
possibility to install Fail Over proxies. Modular proxies can be operated via FAMOC.
Figure 17 Proxy concept
The FAMOC proxy server is one of the most powerful solutions in the market, and it is optimized to
control and protect mobile access to corporate data. The proxy server identifies the device prior to
granting access and additionally filters devices via whitelisting and blacklisting features.
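The access decision described for the Exchange Proxy in the data access control list (deny devices that are lost or stolen, have stopped reporting, or are out of compliance) and for the proxy server above, as an added Python example; it is not FAMOC code. The record fields, the 7-day silence threshold, the app identifiers and the default-deny handling of unknown devices are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values: the whitepaper only says "a predefined period of
# time" and "a blacklisted application" without naming concrete settings.
MAX_SILENCE = timedelta(days=7)
BLACKLISTED_APPS = frozenset({"com.example.filesharer"})


@dataclass(frozen=True)
class DeviceRecord:
    """Hypothetical inventory row the proxy consults for each request."""
    device_id: str
    lost_or_stolen: bool = False
    last_report: Optional[datetime] = None   # None: enrolled but never reported
    installed_apps: frozenset = frozenset()


def eas_access_decision(device_id, inventory, now):
    """Return (allowed, reasons) for one ActiveSync request.

    Fails closed: a device missing from the inventory, or one with no
    report on file, is denied. Every failing rule is collected so the
    audit trail shows the complete reason for a denial.
    """
    record = inventory.get(device_id)
    if record is None:
        return False, ["unknown device"]

    reasons = []
    if record.lost_or_stolen:
        reasons.append("lost/stolen")
    if record.last_report is None or now - record.last_report > MAX_SILENCE:
        reasons.append("not reporting")
    banned = sorted(record.installed_apps & BLACKLISTED_APPS)
    if banned:
        reasons.append("blacklisted app: " + ", ".join(banned))
    return (not reasons), reasons


# Constructed sample inventory, evaluated at a fixed point in time.
NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = {r.device_id: r for r in (
    DeviceRecord("dev-ok", last_report=NOW - timedelta(hours=3),
                 installed_apps=frozenset({"com.example.mail"})),
    DeviceRecord("dev-stolen", lost_or_stolen=True,
                 last_report=NOW - timedelta(days=30)),
    DeviceRecord("dev-silent", last_report=NOW - timedelta(days=8)),
    DeviceRecord("dev-new"),
    DeviceRecord("dev-badapp", last_report=NOW - timedelta(minutes=5),
                 installed_apps=frozenset({"com.example.mail",
                                           "com.example.filesharer"})),
)}

if __name__ == "__main__":
    for dev in ("dev-ok", "dev-stolen", "dev-silent", "dev-new",
                "dev-badapp", "dev-unknown"):
        allowed, reasons = eas_access_decision(dev, INVENTORY, NOW)
        print(f"{dev:12} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
```
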
7.2 Certificate Management
For an even more secure mobile infrastructure, FAMOC offers a unique system that uses individual
certificates for each device, with a remote invalidation option. When transferring data between a
phone and FAMOC server, the certificate request comes from the device, the key never leaves the
device, so it is not possible to impersonate the device by copying the certificate. This tab displays a
list of installed certificates along with their details and allows the administrator to generate and install, renew or
revoke a certificate on the device.
FAMOC certificate management allows the integration of any number of CAs on each FAMOC server, not only on the server level but also on the level of individual clients and / or organizations. In this
way, complex certification scenarios can be implemented.
Figure 18 Certificate management
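The enrollment workflow from section 6.4 and the claim above that a copied certificate cannot impersonate a device, as an added Python example; it is not FAMOC code. It assumes the `cryptography` package and ECDSA P-256 keys, and every function, device and CA name in it is hypothetical.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())
PEM = serialization.Encoding.PEM


def make_name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def device_create_csr(device_id):
    """Device side: generate the key pair locally; only the CSR is uploaded."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(make_name(device_id))
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(PEM)


def ca_issue(csr_pem, ca_key, ca_name, days=365):
    """CA side: check the CSR self-signature, then certify the public key."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR rejected: signature does not match its contents")
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(ca_name)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                           critical=True)
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(PEM)


def device_install(cert_pem, device_key):
    """Device side: install only a certificate bound to the on-device key."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    if cert.public_key().public_numbers() != device_key.public_key().public_numbers():
        raise ValueError("certificate does not match the on-device key")
    return cert


def proves_possession(cert, signer_key, nonce):
    """Server-side check: was our nonce signed with the certified key?"""
    signature = signer_key.sign(nonce, ECDSA_SHA256)
    try:
        cert.public_key().verify(signature, nonce, ECDSA_SHA256)
        return True
    except InvalidSignature:
        return False


def rewrite_subject(csr_pem, old_id, new_id):
    """Simulate a CSR altered in transit (same-length subject swap in the DER)."""
    der = x509.load_pem_x509_csr(csr_pem).public_bytes(serialization.Encoding.DER)
    forged = x509.load_der_x509_csr(der.replace(old_id.encode(), new_id.encode()))
    return forged.public_bytes(PEM)


def run_enrollment():
    ca_key = ec.generate_private_key(ec.SECP256R1())  # stands in for the integrated CA
    ca_name = make_name("Constructed Test CA")
    device_key, csr_pem = device_create_csr("device-0001")
    cert = device_install(ca_issue(csr_pem, ca_key, ca_name), device_key)
    other_key = ec.generate_private_key(ec.SECP256R1())  # party holding only a copy of the cert
    try:
        ca_issue(rewrite_subject(csr_pem, "device-0001", "device-9999"), ca_key, ca_name)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "subject": cert.subject.rfc4514_string(),
        "private_key_in_csr": b"PRIVATE KEY" in csr_pem,
        "device_authenticates": proves_possession(cert, device_key, b"nonce-1"),
        "copied_cert_authenticates": proves_possession(cert, other_key, b"nonce-1"),
        "tampered_csr_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    for name, value in run_enrollment().items():
        print(f"{name}: {value}")
```
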
7.3 Jailbreak and Rooting
Jailbreak and rooting are techniques for overcoming limitations imposed by the device
manufacturer. Even though such practices are not illegal, they may pose a threat to the mobile
infrastructure and are usually non-compliant with enterprise security policy.
Therefore, a reliable MDM system should detect jailbreak and rooting on mobile devices and
instantly alert the administrator. FAMOC ensures reliable jailbreak and rooting recognition.
8 Technical Overview
8.1 System Architecture
FAMOC comprises a central repository that collects all data concerning the mobile ecosystem, and
client components designed to enable the efficient management of a mobile device through its
lifecycle.
The FAMOC server is at the heart of the solution, providing the device inventory, managing
communication with mobile devices, and handling the administration sessions via a web-based GUI.
FAMOC server components may consist of more than one physical server; depending on the
configuration, additional fail-over, load-balancing or database servers may be included. The
solution can be implemented as either a hosted service or installed behind the firewall.
FAMOC client components are lightweight software applications, installed over the air on
smartphones to communicate with the server via secure data connections. Each application performs
a different set of functions, such as remote installations and configurations deployments, device
parameter collection, performing data backup and restore, locating devices or launching a remote
access session.
Figure 19 FAMOC architecture
8.2 High Availability
To ensure high availability of FAMOC, failover setup is recommended. This setup combines both
application server processes and the database server as a pair.
(See also the comments on the High Availability in section 3)
9 Virtualization
FAMOC is provided as a virtual appliance on VMware 4.x and 5.x.
The virtual appliance is an OVF template imported into the existing structure of VMware and finally
adjusted to the network.
10 System Requirements
FAMOC MDM is delivered as an appliance in the form of VMware images. The user must have a
VMware infrastructure.
FAMOC MDM uses CentOS 6.3.x, which for the user, however, is not noticeable, as the product is
used as an appliance via web interfaces.
Application systems of the appliance:
- Apache 2.x
- MySQL 5.x
Using FAMOC additionally requires an SMS gateway, which is included at no extra charge:
- Kannel Gateway (Open Source Solutions)
  This can be installed on the FAMOC Server or on separate hardware
- Contract with an SMS Provider
Several vendors are supported, including Clickatell, SMSGlobal, Mach and many others. Integration with an
existing SMS gateway is to be checked individually.
11 Hardware Requirements on the VMware ESXi Server
The hardware requirements for the virtual machines are 2 CPU cores and 2 GB RAM for 100 users, then
1 GB more for every further 100 users.
The hard drive size is set to 20 GB and 30 GB and can be expanded up to 256 GB.
For intensive use, we recommend to connect an external storage system, which can be increased if
necessary.
12 Installation Requirements
- Fully qualified domain name for the FAMOC Server
- License file
- Server certificates
  - In PEM (preferred) or PKCS12 format
- Network Requirements
  - DNS
  - Static IP address for FAMOC Server
  - Routing settings
  - Incoming Connections: open firewall ports (HTTP, HTTPS + Remote Access: 11009)
  - Outgoing connections: APNs, GCM, HTTPS
- SMS connections
  - Service Provider via http (e.g. Clickatell Central API account)
  - SMPP connection to the service provider
- Push Services
  - Apple APNs certificate
  - Registration for Google push service
13 Hosted Solution
FAMOC Mobile Device Management is available also as a hosted version. The hosted solution
provides the same functions as the in-house solution. The connection between the enterprise servers
and the FAMOC mobile device management solution must be made via VPN and can be requested
in individual cases.
Table of Figures
Figure 1 Adding organizations
Figure 2 Adding new institution
Figure 3 Dashboard
Figure 4 Configurations repository
Figure 5 Application repository
Figure 6 Data import
Figure 7 Device inventory
Figure 8 Single device view
Figure 9 Remote Access panel
Figure 10 Package configuration
Figure 11 FancyFon SecureSource
Figure 12 Corporate AppStore in FAMOC
Figure 13 Corporate AppStore on device
Figure 14 End-user self-care portal
Figure 15 LDAP synchronization
Figure 16 Data mapping
Figure 17 Proxy concept
Figure 18 Certificate management
Figure 19 FAMOC architecture