
Managing Enterprise Mobile Devices and Delivering Enterprise Mobile Applications


Tutorial session about Enterprise Mobility and setting up WSO2 EMM. We also covered concepts related to mobility in general, such as push notifications and security, and a few concepts relevant to Device Management: the SCEP and CA components for iOS. The tutorial covered the Mobile App Management aspect as well, touching on the unified store.

Dulitha Wijewantha (Chan)

March 24, 2014


Transcript

  1. Managing Enterprise Mobile Devices and Delivering Enterprise Mobile Applications
     Dulitha R. Wijewantha, Software Engineer, WSO2
     Kasun D. Delgolla, Software Engineer, WSO2
  2. What is the core problem?
     • Employees are bringing their mobile devices to work.
     • Employees work outside of the office and prefer mobile access to email, documents etc.
     • The productivity of an organization depends on employees having quicker access to information.
  3. What is Enterprise Mobility?
     Enterprise Mobility refers to the shift in business practices where more employees work outside the office and must access secure corporate data through mobile devices to conduct their daily tasks.
  4. What are the top priorities of an EMM system?
     • Securing enterprise data
     • Provisioning enterprise resources to devices
     • Device compliance monitoring with policies
     • Provisioning mobile applications to devices
  5. Top-level view of EMM
     WSO2 EMM consists of the components below:
     • Mobile Device Management
     • Mobile Application Management
     • Enterprise Mobile Store and Publisher
  6. Push Notifications
     What is a push notification? An Internet-based communication style where the server initiates a connection to the device and pushes a message. (Diagram: iOS, Android)
  7. WSO2 EMM - Device Management
     1. Role-based permissions
     2. Policy (roles, platform, user)
     3. Compliance monitoring
     4. Device configuration and information
     5. End-user MDM console
     6. Self-service provisioning
     7. SSO
  8. Enrollment of a device to EMM
     • An agreement between the user and the EMM system under which EMM will control the device
     • Enrollment involves registering the device with the EMM system for further communication
     • Enrollment will trigger actions on the device if the EMM is configured to do so
     • Enrollment is the key step in getting the device to managed status
  9. Before enrollment!
     Android
     - Device OS version should be 4.0.4+
     - Device should not be rooted
     iOS
     - Device OS version should be 5.0+
     - Device should not be jailbroken
     If any of these conditions aren't met, those devices will be restricted. WHY?
  10. Device provisioning to EMM
     Android provisioning
     - Agent application required
     - MDM command communication through the Agent
     iOS OTA provisioning
     - iOS operating system built-in functionality
     - MDM payload profile has to be installed
     - MDM command communication handled by the OS
  11. Android enrollment process
     1. The user receives the email notification
     2. Clicks the link to download the Agent
     3. The end-user license is displayed (continues if accepted)
     4. Authentication (integrated with the enterprise user store)
     5. The device sends its device token to the MDM
     6. The device is registered
  12. Android GCM connectivity flow
     1. The Android Agent sends the sender id to the GCM server
     2. Upon registration, the device receives a registration id
     3. The device sends the registration id to the EMM server
     4. The EMM server stores the registration id and uses it to send messages/commands to the device
  13. iOS enrollment process
     1. The user receives the email notification
     2. Clicks the link
     3. The end-user license is displayed (continues if accepted)
     4. Authentication (integrated with the enterprise user store)
     5. A configuration profile is sent to capture device information
     6. The device sends the information
     7. The server sends the SCEP payload
     8. The device generates a CSR and submits it to the SCEP server
     9. The certificate is issued through the CA
     10. Finally the MDM payload profile is installed
     11. The server captures all the tokens
  14. What happens if a device is compromised after enrollment?
     It is captured by the monitoring process and can be blocked/wiped according to the scenario.
  15. Android MDM Operations
     Configuration
     - Device Lock
     - User password protected WIPE
     - Clear Password
     - Send Message
     - Wifi
     - Camera
     - Encrypt Storage
     - Mute
     - Password Policy
     - Change Lock Code
     - App Blacklisting
     Information
     - Location
     - Battery Information
     - Memory Information
     - Operator Info
     - Root Detection
     - Application Information
  16. iOS MDM Operations
     Configuration
     - Device Lock
     - Clear Passcode
     - Wi-Fi
     - Camera
     - VPN
     - APN
     - Email
     - Mute (requires Agent)
     - Calendar
     - LDAP
     - Black-listing Apps
     - Enterprise WIPE
     - Password Policy
     Information
     - Location (requires Agent)
     - Battery Information
     - Memory Information
     - Application Information
  17. Policy
     Admins can set a BYOD policy for the entire organization or for specific groups/employees/platforms. WSO2 EMM provides a simple set of policies such as password policy, Wifi policy etc. Once a policy is defined and pushed to devices, a monitoring mechanism checks compliance.
  18. Current enterprise situation with apps
     • Develop apps and host them in the respective platform's public marketplace (Apple App Store, Google Play)
     • The app is exposed to the public (restricted only through authentication)
     • Discovering the application is not easy
  19. Mobile App Management
     • Mobile App Management encapsulates the lifecycle of the application and drives the app through an approval process
     • Mobile App Management also covers the provisioning of mobile apps to devices
     • App policies can be defined to blacklist apps and to provision apps to devices upon enrollment
  20. Features provided by WSO2 EMM
     • Own enterprise store
     • Unified store
     • Easy app discovery and provisioning
     • App policy
  21. Publisher
     Supports multiple platforms
     Android
     • Native, Hybrid Application (.apk)
     • Web Application
     • Market Place Application (Google Play) [Free]
     iOS (iPhone, iPad)
     • Native, Hybrid Application (.ipa) - needs an enterprise developer account
     • Web Application
     • Apple Store Application [Free]
     • VPP Application
  22. Publisher - App Lifecycle
     Supports multiple platforms (same Android and iOS list as slide 21)
     Lifecycle states: Created, Unpublished, Rejected, In-Review, Published
  23. Store
     1. User subscription
     2. Advanced search options
     3. Mobile app sorting
     4. Support for existing user stores
     5. Single sign-on
  24. Store - How an application is installed
     1. The employee logs in to the store
     2. Discovers the application
     3. Installs the app on the device
  25. Application Management Console
     1. Mobile app policy enforcement
     2. Compliance monitoring
     3. Bulk app push
     4. User management
     5. Tracking app installation
  26. Demo
     • Create a user for Android and iOS
     • Add the user to a marketing role
     • Add a policy to the marketing role that requires installing apps and a password policy
     • Enroll an Android device and an iOS device to EMM
     • Perform a Device Lock operation
     • Add an application from the Publisher (iOS & Android)
     • Install the app through the Store (iOS & Android)
     • Install the app through MAM (iOS & Android)
     • Enterprise Wipe on iOS
     • Factory wipe on Android
  27. Setting up Android
     EMM uses GCM to communicate with Android devices. To set up GCM:
     1. Go to the Google console
     2. Create a project (Project ID)
     3. Enable GCM for Android
     4. Create a server key (API Key)
     http://developer.android.com/google/gcm
  28. Setting up Android contd...
     Once you have successfully registered with GCM:
     1. Get the Android Agent source code
     2. Do all the configuration changes and compile
     3. Configure the API key and GCM sender ID on the server side
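The server-side half of the GCM flow from slide 12, with the server key from slides 27 and 28 kept on the server, as an added example that is not taken from the deck or from WSO2 EMM: the EMM server stores the registration id each agent reports and later pushes a command through the legacy GCM HTTP endpoint, presenting the API key only in the Authorization header. Written in Go; EMMServer, its fields and the command payload format are assumptions, and the endpoint URL is supplied by the caller (in 2014 this was https://android.googleapis.com/gcm/send, which Google has since shut down).

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"net/http"
	"sync"
)

// EMMServer is the server-side half of the flow: the GCM server key (never shipped to devices)
// and the registration id each agent reported in step 3. Constructed example, not WSO2 EMM code.
type EMMServer struct {
	apiKey string            // server key created in the Google console (slide 27)
	gcmURL string            // legacy GCM send endpoint; a test can point it at a fake
	mu     sync.Mutex
	regIDs map[string]string // device id -> GCM registration id
}

// Register is step 4: remember the registration id the device obtained from GCM.
func (s *EMMServer) Register(deviceID, regID string) error {
	if regID == "" { return errors.New("empty registration id") }
	s.mu.Lock(); defer s.mu.Unlock()
	if s.regIDs == nil { s.regIDs = map[string]string{} }
	s.regIDs[deviceID] = regID
	return nil
}

// SendCommand pushes one MDM command to a device through GCM, authenticated with the server key.
// It returns the number of deliveries GCM reported as successful.
func (s *EMMServer) SendCommand(deviceID, command string) (int, error) {
	s.mu.Lock(); regID, ok := s.regIDs[deviceID]; s.mu.Unlock()
	if !ok { return 0, errors.New("device not registered: " + deviceID) }
	body, err := json.Marshal(map[string]interface{}{
		"registration_ids": []string{regID},
		"data":             map[string]string{"command": command},
	})
	if err != nil { return 0, err }
	req, err := http.NewRequest(http.MethodPost, s.gcmURL, bytes.NewReader(body))
	if err != nil { return 0, err }
	req.Header.Set("Authorization", "key="+s.apiKey) // the key only ever travels server -> GCM
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return 0, err }
	defer resp.Body.Close()
	var out struct{ Success int `json:"success"`; Failure int `json:"failure"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil { return 0, err }
	if out.Failure > 0 { return out.Success, errors.New("gcm reported failed deliveries") }
	return out.Success, nil
}
```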
  29. Q&A