By Oleh Sannikov, R&D Team, SoftServe, Inc.
Cloud-enabled, with multiple email accounts, a mobile device dealing with corporate internal information is a Pandora’s Box. This implies that businesses should reconsider their data security policies and choose a specific scenario for BYOD adoption and Mobile Device Management.
The story of “Bring Your Own Device” or BYOD begins in 2007, when the first iPhone was introduced by Apple. The market paradigm changed: customers no longer wanted corporate phones for their work. The option of remote work and a flexible schedule was a serious benefit. Young talented workers, a perfect target group for employers, led the initiative, and it spread like a tsunami worldwide.
“With a year-on-year growth rate of more than 250%, 850,000 new Android devices are activated each day, jetting the total number of Android devices around the world past 300 million.” - Andy Rubin, SVP, Mobile and Digital Content, Google, MWC 2012
“365 Million iOS devices have been sold through March 30, 2012” - Tim Cook, VP, Apple, WWDC 2012
BYOD now covers about 9 of 10 USA companies. This obviously means reconsidering security policies and enforcing data security. The benefits are reduced corporate hardware purchase and maintenance costs.
Factors of employee motivation (drivers for BYO) and benefits achieved by companies (drivers from BYO) are listed below.
Drivers for BYO:
Ease of working outside the office
Keeping equipment relevant
Improved work satisfaction
Improved productivity
Drivers from BYO:
Better work time flexibility and mobility
Possibility to hire part-time/freelance workers
Attraction of talented people
Improved employee satisfaction
Improved employee productivity
Improved business continuity
Reduced training and on-boarding costs
More details on these factors can be found in the research conducted by Citrix.
Q: So, where is the Devil?
In the phone! Cloud-enabled, with multiple email accounts, a device dealing with corporate internal information is a Pandora’s Box. The mix of private and work data can cause a mess in synchronization, when the user is not even aware which part of the data is regularly replicated to his home computer. With independent access to 3G internet, a device can act as an intruder, bridging the outside world into the company’s network.
Another issue is compatibility. Phones brought by workers can run different versions, conflict with each other, be wrongly configured, have inadequate access rights or not support the adopted secure protocols. That is why the word “devil” is used here as a synonym for “device”.
Trapping devils and mitigation of security risks along with the configuration overhead are subjects of Mobile Devil Management.
Mobile Devil Management
Limitations, rules and restrictions are the standard tools of Mobile Device (or Devil) Management. It should be scalable, so that many devices can be set up and supported in a reasonable time. MDM should be integrated into the enterprise environment and be able to change a device’s function as its corporate function changes, seamlessly and without user interaction. It should also protect sensitive data in the case of device theft or employee departure, by locking the device and remotely wiping the data.
Apple’s MDM toolset, covered in this article, is an example of flexibility and sufficient reliability built on top of platform security, for controlling mobile devices that access corporate networks.
iOS Devil Management
Enrollment and Configuration
MDM is applied to an iOS device once it has accepted a special Configuration Profile, which is installed over USB by the Configuration Utility (CU) or over the air. Therefore, the basic features can be achieved with only the CU (provided freely by Apple).
Full-featured MDM requires a server:
Microsoft Exchange ActiveSync (Exchange 2003, 2007 or 2010)
Or one of the many third-party MDM solutions on the market (e.g. AirWatch), covering not only iOS but other platforms within a supported scope
Configuration profiles are XML files, optionally signed and encrypted by the enterprise CA, to be protected from alterations and sharing with others. Once a profile is installed, the device becomes manageable and can be dynamically configured with settings, queried for information or remotely wiped.
Supported configuration settings include:
Accounts: Exchange ActiveSync, IMAP/POP, Wi-Fi, VPN, LDAP, CardDAV, CalDAV, calendars
Passcode policies: require passcode, complexity settings, age, auto-lock time, number of failed attempts
Security and Privacy: allow sending of diagnostic data, untrusted certificates; force encryption of backups
Functionality: installing apps; allowing Siri, camera, screen capture, autosync in roaming, voice dialing, in-app purchase; requiring the store password for all purchases
iCloud: allow backup, document and key-value sync
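Since a configuration profile is just an XML property list, the passcode and restriction settings listed above can be generated and reviewed with a script before the profile is signed and pushed. The example below is added here and is not code from the article or from Apple: the payload key names (PayloadType, com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, forcePIN, allowSimple, forceEncryptedBackup and the rest) follow Apple's Configuration Profile Reference, while the baseline thresholds, the organization name and the two sample profiles are constructed for the illustration. It builds a weak profile next to its hardened form and audits both against the baseline.

```python
"""Build and audit iOS configuration profiles (XML property lists).

Added example, not code from the article or from Apple. Payload key names
(PayloadType, com.apple.mobiledevice.passwordpolicy, forcePIN, allowSimple,
forceEncryptedBackup, ...) follow Apple's Configuration Profile Reference;
the baseline thresholds, organization name and sample values are constructed
for this illustration.
"""
import plistlib
import uuid

# Baseline a reviewer might enforce before a profile is signed and pushed.
# These numbers are assumptions for the example, not Apple defaults.
PASSCODE_BASELINE = {
    "forcePIN": True,         # a passcode must be set
    "allowSimple": False,     # no repeated or sequential digits
    "minLength": 6,           # at least this many characters
    "maxFailedAttempts": 10,  # device wipes itself after this many failures
    "maxInactivity": 5,       # minutes of inactivity before auto-lock
    "maxPINAgeInDays": 90,    # passcode must be changed within this period
}


def _payload(payload_type, identifier, settings):
    """Wrap a settings dict in the envelope every payload carries."""
    body = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": identifier.rsplit(".", 1)[-1],
    }
    body.update(settings)
    return body


def build_profile(passcode, restrictions, removal_disallowed, org="example-corp"):
    """Return the profile as XML plist bytes (signing by the enterprise CA comes after)."""
    ident = f"com.{org}.byod"
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "BYOD baseline",
        "PayloadOrganization": org,
        # True means the user cannot remove the profile and silently leave management.
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [
            _payload("com.apple.mobiledevice.passwordpolicy", ident + ".passcode", passcode),
            _payload("com.apple.applicationaccess", ident + ".restrictions", restrictions),
        ],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Parse a profile and return a list of findings; an empty list meets the baseline."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    payloads = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}

    pw = payloads.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        for key, want in PASSCODE_BASELINE.items():
            have = pw.get(key)
            if isinstance(want, bool):         # bool is tested before int on purpose
                if have is not want:
                    findings.append(f"{key} is {have!r}, baseline requires {want!r}")
            elif key == "minLength":
                if have is None or have < want:
                    findings.append(f"minLength is {have!r}, baseline requires at least {want}")
            elif have is None or have > want:  # the remaining keys are maxima
                findings.append(f"{key} is {have!r}, baseline allows at most {want}")

    rs = payloads.get("com.apple.applicationaccess")
    if rs is None or not rs.get("forceEncryptedBackup", False):
        findings.append("backups are not forced to be encrypted")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("user may remove the profile and drop out of management")
    return findings


# Constructed sample profiles: a weak one next to its hardened form.
WEAK_PROFILE = build_profile(
    passcode={"forcePIN": True, "allowSimple": True, "minLength": 4, "maxInactivity": 15},
    restrictions={"allowCamera": True},
    removal_disallowed=False,
)
HARDENED_PROFILE = build_profile(
    passcode=dict(PASSCODE_BASELINE, requireAlphanumeric=True),
    restrictions={"allowCamera": True, "forceEncryptedBackup": True,
                  "allowDiagnosticSubmission": False, "allowUntrustedTLSPrompt": False},
    removal_disallowed=True,
)

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(prof) or "meets baseline")
```

Running the module prints seven findings for the weak profile (simple passcodes allowed, length 4, no wipe-after-failures limit, 15-minute auto-lock, no passcode age, unencrypted backups, user-removable profile) and "meets baseline" for the hardened one. The same audit can be run on a profile exported from the Configuration Utility, since it reads the plist rather than the utility's project file.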
In addition to configuration, a device can be queried for information in real time:
Device: UDID, name, model name, iOS version, serial no., IMEI, modem firmware, battery level, capacity, free space and network information
Security: applied restrictions, configuration profiles and certificates installed, passcode and hardware encryption status
Applications: a detailed list
MDM also can manage:
Profiles: configuration and provisioning
Applications: install and remove (only managed)
Passcode: wipe, lock or clear
Interaction uses the Apple Push Notification service, which is embedded in the core of the OS and optimized for low traffic consumption.
The workflow diagram in Apple’s MDM toolset description (mentioned above) illustrates the process:
The server sends a push notification prompting the device to check in for tasks or queries.
The device connects directly to the server over HTTPS. The server sends commands or requests information.
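The two steps above are worth seeing as concrete messages, in particular the point that the push notification only wakes the device and that every command and every answer travels over the HTTPS connection the device itself opens. The following simulation is an added example, not Apple's code or the article's: the message key names (RequestType, CommandUUID, Status, Queries, QueryResponses) follow the published MDM protocol, while the UDID, push token, inventory values and the plain 200/401 result codes are constructed for the example, and the real transport (APNs, TLS, client certificate check) is not modelled.

```python
"""Simulated iOS MDM check-in cycle (added example; not Apple's code).

Models the two-step workflow in memory: the push only wakes the device, and
every command travels over the connection the device then opens to the server.
Message key names (RequestType, CommandUUID, Status, Queries, QueryResponses)
follow the published MDM protocol; the UDID, push token, inventory values and
the 200/401 codes are constructed for the example. APNs, TLS and the client
certificate check are outside this simulation.
"""
import plistlib
import uuid
from collections import deque


class MdmServer:
    def __init__(self):
        self.enrolled = {}  # UDID -> push token
        self.queues = {}    # UDID -> pending command dicts
        self.results = {}   # CommandUUID -> device response dict

    def enroll(self, udid, push_token):
        self.enrolled[udid] = push_token
        self.queues[udid] = deque()

    def queue_command(self, udid, request_type, **args):
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": {"RequestType": request_type, **args}}
        self.queues[udid].append(cmd)
        return cmd["CommandUUID"]

    def push(self, udid):
        """Step 1: the notification carries the token only, never a command."""
        return {"mdm": self.enrolled[udid]}

    def checkin(self, body):
        """Step 2: the device PUTs a status plist; the reply is the next command.
        Returns (http_status, body); an empty 200 body means nothing is pending."""
        msg = plistlib.loads(body)
        udid = msg.get("UDID")
        if udid not in self.enrolled:
            return 401, b""  # not enrolled: hand out nothing
        if msg["Status"] != "Idle":  # Acknowledged/Error refer to a command
            self.results[msg["CommandUUID"]] = msg
        if not self.queues[udid]:
            return 200, b""
        return 200, plistlib.dumps(self.queues[udid].popleft())


class ManagedDevice:
    def __init__(self, udid, info):
        self.udid, self.info = udid, info  # info: constructed inventory values
        self.locked = self.awake = False

    def wake(self, push):
        self.awake = "mdm" in push

    def status(self, fields=None):
        body = {"UDID": self.udid, "Status": "Idle"}
        body.update(fields or {})
        return plistlib.dumps(body)

    def handle(self, cmd_bytes):
        """Run one command; return the status plist for the next PUT."""
        cmd = plistlib.loads(cmd_bytes)
        request = cmd["Command"]
        reply = {"Status": "Acknowledged", "CommandUUID": cmd["CommandUUID"]}
        if request["RequestType"] == "DeviceInformation":
            reply["QueryResponses"] = {k: self.info[k]
                                       for k in request.get("Queries", []) if k in self.info}
        elif request["RequestType"] == "DeviceLock":
            self.locked = True
        else:
            reply["Status"] = "Error"  # unsupported command, nothing executed
        return self.status(reply)


def run_checkin(server, device):
    """One push/check-in cycle; returns the RequestTypes the device executed."""
    device.wake(server.push(device.udid))
    executed = []
    code, body = server.checkin(device.status()) if device.awake else (None, b"")
    while code == 200 and body:
        executed.append(plistlib.loads(body)["Command"]["RequestType"])
        code, body = server.checkin(device.handle(body))
    return executed


def demo():
    """Enroll one constructed device, queue a query and a lock, run the cycle."""
    info = {"UDID": "00000000-CONSTRUCTED-UDID", "DeviceName": "BYOD iPhone",
            "OSVersion": "5.1.1", "BatteryLevel": 0.8}
    server, device = MdmServer(), ManagedDevice(info["UDID"], info)
    server.enroll(device.udid, "constructed-push-token")
    query_id = server.queue_command(device.udid, "DeviceInformation",
                                    Queries=["DeviceName", "OSVersion", "BatteryLevel"])
    server.queue_command(device.udid, "DeviceLock")
    executed = run_checkin(server, device)
    stranger = server.checkin(plistlib.dumps({"UDID": "not-enrolled", "Status": "Idle"}))[0]
    return executed, server.results[query_id]["QueryResponses"], device.locked, stranger


if __name__ == "__main__":
    print(demo())
```

The loop in run_checkin is the whole protocol from the device's side: PUT a status, act on whatever command comes back, PUT the acknowledgement, and stop when the server answers with an empty body. Because commands are only ever pulled by the device, a server must refuse check-ins from devices it has not enrolled (the 401 branch here), otherwise an unmanaged phone could drain another device's command queue.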
Android, Blackberry, Windows Phone…
(Are all MDM-capable)
Blackberry and Microsoft originally targeted enterprise markets, with legacy security model implementations. But they are currently out of the BYOD focus: less expensive and, some might say, not as “cool” as Apple products.
Android runs on a huge variety of devices in all market segments. As an open platform by design, with diverse stores, no app review and a common practice of “rooting”, it has weak and fragile security walls. MDM services run at a privilege level accessible to other processes, which prevents the application of proper restrictions. Therefore, IT departments strive to keep Android devices out, for safety reasons.
(What can we do here?)
Each company will have its own scenario of BYOD adoption.
Mature IT companies and service providers have already adjusted their environments to keep the “devil” trapped. The corporate network has an isolated layer for guest access; each project is configured to live in a sandbox and has access to its own resources only. Employees sign NDA documents and take responsibility for their actions.
As Mobile Device Management is at the heart of BYOD, either an existing solution (like AirWatch) or a proprietary one can be used.
In all cases, the reasons for choosing one approach or another should be determined by analyzing the company’s information flows and measuring the security risks of data leakage.
About the Author
Oleh Sannikov is a Technology Consultant at SoftServe, Inc., a leading global provider of software development, testing and consulting services. Oleh has more than 9 years of experience in software creation for Apple iOS and Mac OS X environments. He specializes in consulting and architecture assessments of mobile solutions developed at the Company.
This article was originally published by Executive Brief