Best Practices Securing Android in the Enterprise

Upload: sap-mobile

Post on 16-Jan-2015

Category:

Technology


DESCRIPTION

IT consumerization and bring your own device (BYOD) policies are key trends driving businesses to expand Android enterprise support. Walk through a proven methodology to provision your organization's in-house applications and data on the Android device without affecting a user's access to personal information. Determine if and how you can minimize IT resource requirements in managing your Android devices. View the Replay: http://spr.ly/AndroidEnterprise

TRANSCRIPT

Page 1: Best Practices Securing Android in the Enterprise

© 2011 SAP AG. All rights reserved.

Social Media: We want to hear from you

http://twitter.com/SAPStore

http://twitter.com/SAPMobile

http://facebook.com/sapstore (SAP Store)

http://www.facebook.com/sapmobility (SAP Mobile)

linkedin.com (SAP Store)

Page 2: Best Practices Securing Android in the Enterprise

Webcast Highlights

Participate in today’s TweetChat about mobile app development

#MobileInsights

SAP Mobile Insights Webcast Series

http://bit.ly/sapmobileinsight

Mobile Sense Thought Leadership Series (webcasts & white papers):

http://fm.sap.com/mobilesense

Page 3: Best Practices Securing Android in the Enterprise

Best Practices for Securing and Managing your Android Devices

July, 2012

Peter Mitchelmore, Mobility Solutions Principal

Page 4: Best Practices Securing Android in the Enterprise

Legal Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Page 5: Best Practices Securing Android in the Enterprise

Today’s Presenters

Peter Mitchelmore

Mobility Solutions Principal, SAP

Nick Rea

Senior Sales Staff Engineer, Samsung Telecommunications America

Page 6: Best Practices Securing Android in the Enterprise

Agenda

Android as an Enterprise Device

Considerations when Planning an Android Deployment

Securing and Managing Android: SAP’s Approach

Afaria Advanced Enterprise Security (AES) for Samsung Android

Secure Email with Nitrodesk

Wrap-up

Page 7: Best Practices Securing Android in the Enterprise

Two Stages of Mobility

Business value: Productivity | Engagement

Innovation approach: Deductive | Inductive

Mobile technology: Substitution | Net-new

Complexity: Low | High

Systems interoperability: Low | High

Page 8: Best Practices Securing Android in the Enterprise

The Future is Bright

400 million Android devices activated

Android’s chief architect Andy Rubin has revealed that Android mobile device activations have now reached 900,000/day

600,000 apps and games available from Google Play

Choose the best smartphones and tablets through a global partnership network of over 300 carriers in over 169 countries

Page 9: Best Practices Securing Android in the Enterprise

Top Five Smartphone Platforms (US subscribers), May 2012

*Source: comScore

Google 50.9%

Apple 31.9%

RIM 11.4%

Microsoft 4.0%

Symbian 1.1%

Page 10: Best Practices Securing Android in the Enterprise

Customer Preferences

*Source: Enterprise Management Associates @2011

Page 11: Best Practices Securing Android in the Enterprise

Android as an Enterprise Device

Page 12: Best Practices Securing Android in the Enterprise

Mobilizing The Enterprise Is Complex

Device and Backend Diversity

Device Choice

Device & App Management

Development Tools & TCD/TCO

Security Ease of Use

Apps & More Apps!

End User Requirements

Enterprise Requirements

Page 13: Best Practices Securing Android in the Enterprise

Android Strengths

Easy platform for development; Java and Eclipse

Robust platform for developing advanced mobile apps

Established App Portal

Many form factors available to meet various needs

Page 14: Best Practices Securing Android in the Enterprise

Challenges

Limited enterprise management capabilities in comparison to other mobile operating systems

Each release of the OS has started to add additional enterprise enhancements

Afaria Advanced Enterprise Security (AES) overcomes management issues with Samsung devices

User-based security approach

Page 15: Best Practices Securing Android in the Enterprise

Form Factors

Page 16: Best Practices Securing Android in the Enterprise

Things to Think About

How to better integrate personal devices into the enterprise

Device fragmentation

No control over firmware update

How you might use the ‘pad’ form factor to improve your business process

Page 17: Best Practices Securing Android in the Enterprise

Securing and Managing Android: SAP’s Approach

Page 18: Best Practices Securing Android in the Enterprise

A leader yesterday, today and tomorrow

Enterprises Must Mobilize Apps and Embrace Content Portals

… AFARIA DEPLOYS

Multiple OS Environment, Increased Demand for Consumer and Corporate Apps Ignite Risk

… AFARIA SIMPLIFIES

Critical Email Security Needed for Corporate Standardized Devices

… AFARIA SECURES

IT Departments Struggle to Secure Ruggedized Laptops for Task Workers

… AFARIA IS BORN

Page 19: Best Practices Securing Android in the Enterprise

What is Afaria?

Afaria

Award winning MDM + App Management

Legacy, heritage of leadership

Integration to Analytics and MEAP

Afaria mobile device and application management solution allows administrators to centrally manage, secure, and deploy mobile data, applications, and devices

Page 20: Best Practices Securing Android in the Enterprise

Our simple yet comprehensive solution

Page 21: Best Practices Securing Android in the Enterprise

Beyond MDM

1 Personal to enterprise ready in minutes

2 Application management

3 Simple, targeted administrative experience

Page 22: Best Practices Securing Android in the Enterprise

Personal to enterprise ready in minutes

Not safe for the enterprise

Lacking enterprise controls

No security

No app management

No enterprise app portal

No certificates

Safe for the enterprise

Simple enrollment takes users from unmanaged device to fully controlled device

Enterprise control

Power-on-password

Enterprise App Portal fully configured

Certificates for SSO, WIFI, VPN, and Email are deployed

Apps enabled for no-touch configuration

Policies are automatically deployed

Page 23: Best Practices Securing Android in the Enterprise

Application management

Un-configured Application

Confused User

??? What is the server name and port?

Configured Application

Happy User

It works automatically!

Page 24: Best Practices Securing Android in the Enterprise

Simple, targeted administrative experience

One “size” administration does not fit all

• ERP

• Automation

• Managed Service

Administrative UI

Analytics

On-the-Go

API

Page 25: Best Practices Securing Android in the Enterprise

Keys to Adopting Android

Manage and secure corporate assets and data without affecting personal data

Protect the device

Deliver and manage enterprise applications

Configure and maintain devices

Page 26: Best Practices Securing Android in the Enterprise

Afaria Advanced Enterprise Security (AES)

Deliver advanced enterprise management capability for Android

Samsung has developed APIs for much deeper device management

Advanced features available on Samsung Galaxy S and Galaxy S2 devices (Android 2.3)

Page 27: Best Practices Securing Android in the Enterprise

Afaria Capabilities with Android, Application Management

Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0

List applications installed via MDM agent

Install & remove enterprise applications silently

Install enterprise applications via portal • • • •

Enable & disable enterprise applications

Enterprise applications information

Remove managed applications

Update application

Certificate installation

Prevent uninstall applications by user

Check if application installed

Check if application currently running

Add/Remove applications to/from blacklist

Enable uninstall application by user

Enable & disable applications

Wipe application data

Page 28: Best Practices Securing Android in the Enterprise

Afaria Capabilities with Android, Configuration Management

Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0

Enable & disable camera

Allow automatic synchronization while roaming

Configure VPN

Disable push while roaming

Remove managed exchange account and data

Check WiFi is enabled or disabled

Enable & disable WiFi • • • •

Access point control

Enable & disable Bluetooth

Start/Stop Bluetooth discovery

Enable & disable microphone

Page 29: Best Practices Securing Android in the Enterprise

Afaria Capabilities with Android, Exchange Server Policies

Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0

Active Sync host •

Create new exchange account •

Set exchange account display/account name •

Set exchange account sync interval •

Set exchange account protocol version •

Set exchange account sender name •

Set exchange account sender signature •

Set exchange account setting to always vibrate on email notification

Set exchange account setting to vibrate when silent only on email notification

Set exchange account setting to use TLS •

Set exchange account setting to accept all SSL related certificates

Set Active Sync client auth certificate •

Set the Exchange user •

Set user's email address •

Use SSL •

Domain •

Password •

Number of past days to sync •

Page 30: Best Practices Securing Android in the Enterprise

Afaria Capabilities with Android, Exchange Server Policies

Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0

Password Policy

Allow simple values for password • • • •

Require alphanumeric values for password • • • •

Minimum password length • • • •

Maximum password age in days • • •

Minimum complex characters in password • • •

Password history • • •

Get device password •

Set device password •

Maximum number of failed attempts before device is wiped • • • •

Security Management

Remote lock & unlock • • • •

Remote wipe • • • •

Remote reset •

Remove configuration data •

Ability to lock management on phone •

Full device encryption •

Wipe encrypted data •

SD card encryption • • •

Add blacklist •

Remove blacklist •

Disable application •

Enable application •

Delete email account •

Delete VPN account

Wipe application data

Wipe SD card data •

Page 31: Best Practices Securing Android in the Enterprise

AES For Android (Samsung) – NEW in Afaria 7.0 SP1

Application policy

Block all except white list

Allow all except blacklist

Bluetooth policy

Enable desktop/laptop connectivity

Location policy

Enable location provider

Clear installed certificates

Credential storage password

Reset credential storage

Unlock credential storage

Restriction Policy

Allow Non-market apps

Allow settings changes

Enable background data

Enable backup

Enable clipboard

Enable SD card

Enable USB debugging

Enable USB mass storage

Enable USB media player

Enable USB tethering

Enable WiFi tethering

Page 32: Best Practices Securing Android in the Enterprise

Afaria Android Application Management

Deliver and control in-house enterprise apps OTA to Android devices

Assign applications to user groups by admin-defined categories

Enterprise app installation is tracked and reported providing transparency into app distribution status

Client-side Portal for Application Selection

• Organize Apps into admin defined Categories

• Both Marketplace and Enterprise apps

• Allows for end-user selection and installation

Page 33: Best Practices Securing Android in the Enterprise

Secure Email with Afaria and Nitrodesk Touchdown™

Touchdown is a third party ActiveSync email client provided by partner Nitrodesk.

• SAP has a reseller agreement with NitroDesk

Afaria manages Nitrodesk Touchdown to provide a secure email client for Android

• Integrates with MS Exchange or Lotus Domino

• Does not require a separate email infrastructure

• Configure corporate email settings through the Afaria console

Distribute the Touchdown app using Afaria

Available Touchdown settings

• Additional passcode requirements

• Maximum lock time for Touchdown app

• Maximum email size/age

• Encryption settings

• Require encryption of email store

• Require encryption of SD card

• Attachment control

• Allow/disallow attachments

• Allow attachments on SD card

• Maximum size in bytes

• Allow HTML email to device

Page 34: Best Practices Securing Android in the Enterprise

Samsung Electronics. All Rights Reserved. Confidential and Proprietary.

Mobile Device Management (MDM)

Corporate Email / Calendar / Contacts

On-Device Encryption (ODE)

Virtual Private Network (VPN)

SAFE Overview

Quickly and easily access corporate email, meeting details, contact info and other critical information on the go

Wirelessly and securely access data from your corporate network while traveling or working in the field

Working with leading third-party providers, Samsung offers efficient and scalable mobile deployment solutions with 338 or more IT policies, addressing the most challenging management and security concerns

SAFE devices provide an intuitive and consistent user interface through enhanced Microsoft Exchange ActiveSync (EAS) features, sync functions and policy control

State of the art, AES 256-bit ODE helps prevent unauthorized access to all data on the device, including the microSD® storage card

Samsung works with a number of leading VPN providers enabling IP-based encryption for secure, persistent access to critical enterprise assets via Wi-Fi® and cellular network connections

WHY

HOW

Store proprietary documents, presentations and other corporate data on your mobile device – while keeping that sensitive data protected

Employees remain mobile, secure and compliant with remote management of applications and device features that meet company-specific requirements

Page 35: Best Practices Securing Android in the Enterprise

Unprecedented Android IT Compliance

Leading VPN and MDM providers leverage Samsung’s advanced Software Development Kit (SDK) to provide industry-leading Android security and control for IT managers

VPN Mobile Device Management (MDM)

Microsoft Exchange ActiveSync (EAS) – Up to 80 EAS policies and features

On-Device Encryption (ODE) – AES 256-bit encryption on device and SD card

338 IT policies (substantially more than the nearest smartphone competitor) and 723 APIs by Samsung – the most comprehensive in the industry

Solid partnerships with leading vendors enables customer flexibility

Extended SSL (and soon IPsec) VPN protocols through leading providers ensures accessibility

Competitor Native Android Samsung Android 2011

Samsung Android 2012

338 (723)

#Policies (#APIs)

276 (537)

35 (33)

199

34

Page 36: Best Practices Securing Android in the Enterprise

Business Requirements w/ Mobile Workforce How MDM Addresses …

Remote management Security Management/Security and Remote Configuration

Limit features and functions Kiosk Mode

Access to application store(s) Application Management

Geo-fencing Location-Based Services

Real-time access to device status and activity Inventory Monitoring

Manage voice and data usage Expense Management

Real-time mobile user support Help Desk / Remote Access

BENEFITS

Support BYOD

Maximize ROI

Provide Strong Security

Balance security requirements with need for personal privacy without compromise

Boost end-user satisfaction, Increase mobile productivity and decrease IT support

Deploy IT policy and certificate management, along with comprehensive data integrity

Samsung goes well beyond native Android to provide new and enhanced security options and features that meet and exceed business requirements

Mobile Device Management Value Proposition

Page 37: Best Practices Securing Android in the Enterprise

Applications developed through the SDK benefit from enhanced functionality and increased security

Samsung works closely with partners to thoroughly vet and understand each solution and address key industries and segments

A few examples include …

• SAP EMR (Electronic Medical Record) solution on Galaxy S III allows for enhanced connectivity to medical devices through healthcare-specific API’s integrated into the device (meeting Continua standards)

• Differentiated WebEx conferencing solution on Samsung devices with call/contact escalation and other user-friendly features

• VMware virtualization solution helps to securely separate corporate and personal data

• MicroStrategy dashboard solution was optimized on Samsung Galaxy Tabs

The Samsung SAFE SDK (Software Development Kit) is an application development framework that allows our business partners to design differentiated applications that leverage Samsung’s highly-desirable products and solutions

SAFE’s Impact on Solution Development

With access to more than 700 API’s (Application Programming Interfaces), ISV’s (Independent Software Vendors) are able to develop enhanced applications

Page 38: Best Practices Securing Android in the Enterprise

Next Steps

Browse the Afaria AES for Samsung Android website

http://sybase.com/android

Whitepapers, videos, webcast replays, etc...

Contact your SAP account rep to schedule a more in-depth presentation

Register at http://frontline.sybase.com

Knowledgebase, Product documentation, software updates, case management

Page 39: Best Practices Securing Android in the Enterprise

Wrap-up

Page 40: Best Practices Securing Android in the Enterprise

7 Key Points to Take Home

1. Android fragmentation will continue to pose challenges for its adoption in the enterprise

2. Sybase/SAP has the strongest security solution for Android in the industry with Afaria

3. Afaria can provide security for Android in both BYOD and corporate-owned device populations

4. Sybase’s partnership with NitroDesk provides a secure email solution for all Android devices

5. Afaria AES for Samsung provides additional security capabilities on their devices, and talks are underway with other leading handset manufacturers

6. Afaria can be used to manage, provision, and configure both Enterprise (custom developed) Android apps, and Android Marketplace apps.

7. Afaria can be used to manage your entire population of mobile devices, including iOS devices, Blackberries, and Windows-based laptops and tablets.

Page 41: Best Practices Securing Android in the Enterprise

Questions

Page 42: Best Practices Securing Android in the Enterprise

Thank You!

Contact information:

Peter Mitchelmore

[email protected]

Page 43: Best Practices Securing Android in the Enterprise

Closing and Q&A

Participate in today’s TweetChat about mobile app development

#MobileInsights

SAP Mobile Insights Webcast Series

http://bit.ly/sapmobileinsight

July 25th – The Merits of Mobile App Development for Android Devices

August 15th – Syclo Overview

August 29th - Mobility for Utilities

Mobile Sense Thought Leadership Series (webcasts & white papers):

http://fm.sap.com/mobilesense

Page 44: Best Practices Securing Android in the Enterprise

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.