© 2013 IBM Corporation
Securing the Mobile Enterprise
Jude Lancaster
Product Manager
Endpoint Manager for Mobile Devices
IBM Endpoint Manager Mobile Device Management
IBM Endpoint Manager Architecture
[Architecture diagram]
• Components shown: TEM Server, BigFix Server, DB, Console / Web Reports, Relay(s), Management Extender, BES, Apple Push Notification Servers
• Managed endpoints shown: Servers, desktops, laptops*; Android devices*; Apple iOS devices*; Blackberry*
• Connection labels: http / 52311; https / 443; TCP port 2195 to gateway.push.apple.com; TCP port 5223 to *.push.apple.com
* Managing devices that are not connected to the internal network requires opening the management port to the Internet (HTTP 52311 for Laptops and Android or HTTPS 443 for Apple iOS devices)
Next generation mobility: Mobile meets Cloud
• Securely enable and accelerate BYOD mobility
• Mobilize every employee with secure connectivity to apps and services
• Scale without limits, without infrastructure costs
Company Confidential © 2013 Enterproid
DIVIDE OVERVIEW
Dual Persona
• Native user experience
• Secure work container for iOS & Android
• Extensible to VPN & UC
Business Applications
• Common apps for all employees
• Third-party apps by employee group
• External file storage option
Cloud Management
• IT control of the container
• User self-service
• MDM APIs
IBM Endpoint Manager + Divide: Complete MDM BYOD Solution
Dual Persona + Business Apps + IBM Endpoint Manager
• Leverages the sophisticated policies and features of IBM MDM and Endpoint Management
• Management of Divide as a “virtual device” including safe, secure distribution and management of apps
• Immediate solution for BYOD challenges and security concerns for mobility OSes
• Seamless delivery: same Divide App, binding to IBM MDM at time of enrollment
Architected for reliability
No Enterprise Data traverses the Divide Cloud
[Diagram. Labels: Management / Traffic / Control / Data; Customer Email Server; DIVIDE MANAGER; Customer Site; DIVIDE Smart Devices; IBM Endpoint Manager]
What is stored in the Divide cloud?
• Device Inventory
• Email addresses
• Policy settings
DUAL PERSONA IS FOUNDATIONAL: Separate and Secure Dual Personas
• Data security
• Enterprise apps and services
• Easy to manage and control
• Native user experience
• Choice of device, services
• Freedom and privacy
What users want: Choice of native user experience
“When asked why users are loyal to their smartphones, 72% cited ease of use and the ability to quickly navigate their phone's menu.”2
2 U.K.-based analyst firm GfK
[Screenshots. Labels: PERSONAL; WORKSPACE; ENTER PASSCODE. Captions: Tap Divide app icon; Double tap Home button to access Divide]
GEARED FOR INNOVATION: Leveraging the App Ecosystem
• Professional-grade email, contacts, calendar and browser
• Data-at-rest is protected with AES 256-bit encryption
• Data-in-motion leverages existing VPN investments
• Secure cloud based file storage (optional)
• Separate voice and messaging (including future 2-number UC)
• Internally developed apps uploaded and assigned via policy – in minutes and with no developer modifications
• Divide App security automatically provides data-at-rest AES-256 bit encryption
• Divide Extensions provide extraordinary integration with 3rd party Apps and Cloud services
[Column headings: STANDARD DIVIDE APPS; THIRD PARTY APPS]
What IT organizations need for BYOD
Divide Container Security
Data Protection
• Device PIN/passcode
• Passcode history and complexity
• Passcode failure actions
• FIPS 140-2 validated encryption
• Full and selective device wipe
• Wipe on SIM removal/rooted
• VPN support
• S/MIME support
OTA Self-Service Provisioning
• ActiveSync email
• VPN configuration
Container Controls
• Whitelisting – application push
• Blacklisting
• Location based services
• Data leakage prevention
• URL blocking
Compliance Management and Reporting
• Device hardware
• Operating system
• Policy compliance
• Compromised device status
• Voice, Data, and SMS usage reporting
Extensible for the future
Securing next generation mobility
IBM Endpoint Manager with Divide delivers a comprehensive platform for mobility

A fully integrated next generation solution for mobility that delivers simplicity and scale
• Security & Compliance: A single policy management and compliance platform eliminates security gaps and simplifies policy administration and enforcement
• Inventory Tracking: Unified tracking and management of everything a mobile user needs including employee owned devices and corporate provided smartphones, tablets and laptops
• Device Management: A “single pane-of-glass” to provision and manage mobile devices, laptops and the Divide workspace in the easiest way possible.
• Secure & Reliable Access Management: Directly connects the Divide workspace with IT apps and services via the corporate VPN for complete IT control.
• User Experience: The Divide workspace provides a native user experience that users expect and love and is extensible to IT voice and data services.

An inherently siloed approach to mobility that inflates costs and complexity
• Security & Compliance: Separate facilities for policy management and compliance create operational overhead and error opportunities
• Inventory Tracking: Limited to mobile devices with separate facilities to track corporate and employee owned devices with manual consolidation of data
• Device Management: A “swivel-chair” approach with separate consoles to manage mobile devices and the Good email sandbox breeds operational complexity and requires additional admin training.
• Secure & Reliable Access Management: No VPN integration for personal devices with all data traversing the Good NOC and on-premise servers, creating issues of reliability and scale.
• User Experience: The Good sandbox delivers a proprietary “one size fits all” user experience that users reject and is email-centric.
The right solution for BYOD?

A first generation solution purpose-built for email sync
• Device Management: X Does not integrate with deployed MDM solutions
• Secure “Workspace”: X Provides an email sandbox with a proprietary user interface
• Secure VPN: X No VPN integration - all data traverses the Good NOC
• App Choice: X Third-party apps must be modified and recompiled using the Good SDK ($)
• Avg TCO/User: $$$$ $$$$

A next generation solution purpose-built for BYOD
• Device Management: ✔ Manages the Divide workspace and integrates with IBM Endpoint Manager for device MDM
• Secure “Workspace”: ✔ Provides a secure workspace that preserves the native iOS and Android user experience
• Secure VPN: ✔ Provides VPN connectivity between the workspace and corporate apps
• App Choice: ✔ App wrapper technology enables the use of any third party app within the workspace
• Avg TCO/User: $
Questions