IBM Endpoint Manager for Mobile Devices (overview)
DESCRIPTION
Manage all devices - smartphones, tablets, laptops, desktops, and servers - from a single console. IBM Endpoint Manager also integrates Enterproid Divide secure container and NitroDesk TouchDown secure email technologies for separation of organizational content on BYOD and contractor devices.
TRANSCRIPT
© 2012 IBM Corporation
IBM Endpoint Manager for Mobile Devices: Product Introduction and Overview
[NAME], [TITLE], [DATE]
Today’s leading organizations are dealing with powerful new technology forces
• BYOD: BYOD users expected to double by 2014 to 350 million
• Security: 13 billion security events monitored per day
• Data: 1.2 trillion gigabytes (1.2 zettabytes) in the digital universe
• Mobility: Nearly 1/2 of devices accessing applications will be mobile
IBM Endpoint Manager: continuously monitor the health and security of all enterprise computers in real time via a single, policy-driven agent
• One infrastructure: management server, console, agent for Windows, Mac, Unix, Linux, Mobile
• Scales to 250,000 endpoints per management server
• Robust, flexible architecture with built-in failover
• Nearly-invisible impact to network, endpoints
• Operates in low-bandwidth / high-latency environments
• Physical or virtual, network or Internet-connected
Product diagram: the IBM Endpoint Manager offerings (Patch Management, Lifecycle Management, Software Use Analysis, Power Management, Mobile Devices, Security and Compliance, Core Protection, Server Automation) cover desktop / laptop / server endpoints, mobile devices, and purpose-specific endpoints, under the headings Systems Management and Security Management
The IBM Endpoint Manager Family
• Security & Compliance: Vulnerability Assessment, Compliance Analytics, 3rd Party Endpoint Protection Management, Patch Management, Security Configuration Management
• Core Protection: Anti-Malware, Firewall, Data Protection (add-on)
• Software Use Analysis: Software Catalog Correlation, Software Usage Reporting, Software Inventory
• Patch Management: Offline VM Patching, Application Patching, OS Patching
• Mobile Devices: Compliance, App Mgmt, Mobile Device Mgmt
• Server Automation: Middleware Management, Multi-Platform OS Deployment, Physical & Virtual Server Lifecycle Management, Cross-Server Sequenced Task Automation (e.g. Patch OS on Server Cluster)
• Power Management: Windows & Macs, Carbon and cost reduction reports, End-user Dashboard
• Lifecycle Management: Software Distribution, OS Deployment, Remote Control, Patch Management, Basic HW & SW Inventory
• Lifecycle Management Starter Kit
IBM Endpoint Manager, built on BigFix technology
Whether it’s a Mac connecting from hotel WiFi, a Windows laptop at 30K feet or a Red Hat Linux Server in your data center, IBM Endpoint Manager has it covered. In real time, at any scale.
Diagram: endpoints at stores / kiosks, headquarters, remote offices, a distribution center, the data center, airports, hotels, coffee shops and homes reach the management infrastructure over WAN, Internet, cable/DSL, WiFi, 3G, leased line and satellite links; a Content Update Service is also shown.
• Network-friendly architecture delivers large packages without disrupting critical business applications
• Single, intelligent agent uses <2% CPU, <10MB RAM
• Cloud-based service continuously provides new patch, policy updates
• Full command and control of Internet-connected devices
• Use existing computers as Relays to minimize network traffic
IBM Endpoint Manager elements
Single server and console
• Highly secure, highly available
• Aggregates data, analyzes and reports
• Manages up to 250K endpoints per server
Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms
Virtual infrastructure
• Designate IBM Endpoint Manager agent as a relay or discovery point in minutes
• Provides built-in redundancy
• Leverages existing systems/shared infrastructure
Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)
IBM Endpoint Manager, part of the IBM Mobile Foundation: device lifecycle, data protection
• Implement BYOD with confidence
• Secure sensitive data, regardless of device
• Handle multi-platform complexities with ease
• Minimize administration costs
Diagram: Endpoint Management (Systems Management and Security Management) with a common agent, unified console and single management server, covering desktops, laptops & servers, smartphones & tablets, and purpose-specific endpoints. Managed = Secure.
What’s New in Endpoint Manager for Mobile Devices
• Integration with Enterproid’s Divide container technologies for iOS and Android
• Web-based administration console for performing basic device management tasks with role-based access control
• Integration with BlackBerry Enterprise Server for integrated support of BlackBerry v4 – v7 devices
• Enhanced security with support for FIPS 140-2 encryption and bi-directional encryption of communications with Android agent
• Additional Samsung SAFE APIs for expanded management and security of SAFE devices
• SmartCloud Notes & Notes Traveler 9.0 support, including cloud and high-availability versions
IBM Endpoint Manager’s cloud-based content delivery system enables customers to benefit from frequent feature enhancements without the difficulty of performing upgrades
Implement BYOD With Confidence
How do I deal with the business mandate that employees be allowed to "Bring Your Own Device"?
• App container. Deploy, manage, configure, and remove Enterproid Divide containers to separate personal and work environments on iOS and Android devices
• PIM container. Separate personal and corporate email and prevent sensitive data from being copied into other apps with NitroDesk TouchDown integration
• Dual-persona OS. Manage BlackBerry 10 devices, which provide a native user experience to personal and work personas
• Extend BYOD to laptops. IBM Endpoint Manager’s unified device management approach brings together containers, smartphones, tablets, laptops, desktops, and servers under one infrastructure
Manage and secure only the apps and data inside the enterprise container, leaving users free to control the personal side of their device with Enterproid Divide.
Secure Sensitive Data, Regardless of the Device
How do I ensure the security of mobile devices as they access more and more sensitive systems?
• Unified compliance reporting across all devices, including CIS Benchmarks
• Configure security settings such as password policy, encryption, WiFi, iCloud sync
• Full wipe, remote lock, map device location, and clear passcode options if device is lost or stolen
• Blacklist apps and automate alerts, policy response
• Detect jailbroken / rooted devices to notify users, disable access
• Integrate with mobile VPN and access management tools to ensure only compliant devices are authorized
Multiple user communication and alert methods, including Google Cloud Messaging (GCM), enable users to be part of the security solution.
Handle Multi-Platform Complexities With Ease
How do I manage an ever-expanding list of OS and hardware platforms when the user controls what apps are loaded and the carrier controls when the OS is updated?
• Device management via Android agent, iOS APIs, Lotus Traveler, Microsoft Exchange, and Office 365
• Complete device hardware and software inventory in near real-time
• Web reports provide at-a-glance mobile device deployment overviews
• Pass mobile device data to network management, service desk, asset management, and security and compliance systems
• Multi-tenancy support for service providers and organizations that need to completely separate different parts of the organization
Better plan internal mobile projects with easy access to near-real-time data about your mobile environment.
Minimize Administration Costs
How do I cost-effectively manage the sheer volume of these tiny devices with average replacement rates of 12-18 months?
• Multiple authenticated device enrollment options, including LDAP/AD integration
• Employee self-service portal to enable employees to protect personal and enterprise data
• Enterprise app store directs employees to approved apps, includes support for Apple’s Volume Purchase Program (Apple VPP)
• Integration with IBM Worklight for 1-click transfer of internally-developed mobile apps from dev to production
• A ‘single device view’ enables IT personnel to easily view device details and take required action
A flexible enrollment process enables organizations to include a EULA and to collect critical device and employee data via customizable questions.
Large Healthcare Provider
Customer Needs
• Consolidate management of endpoints – PCs, laptops, mobile devices
• HIPAA compliance
• Minimize on-going operational costs
• Minimize device replacement costs
Key Features & Outcomes
• This regional healthcare provider purchased IBM Endpoint Manager for its unified approach to endpoint management
• 1 employee is able to manage and secure 30,000 PCs + 4,000 mobile devices
Extending the reach of healthcare
This innovative healthcare provider in the southeastern United States is piloting a program to improve patient outcomes by providing secure healthcare support remotely through mobile devices, such as:
• Home Health Care: iPads provided to home health care diabetes patients to enable direct input of diagnostic data; Facetime sessions with home health nurses reduce the need for on-site visits, which improves nurse utilization while reducing costs
• Education: iPod Touches with pre-loaded educational apps provided to parents of babies in the Neonatal Intensive Care Unit (NICU)
Endpoint Manager for Mobile Devices, Part of IBM MobileFirst
Diagram (IBM MobileFirst stack): Industry Solutions (Banking, Insurance, Transport, Telecom, Government, Healthcare, Retail, Automotive); IBM & Partner Applications; Application Platform and Data Services; Application & Data Platform; Analytics, Security, Management; Strategy & Design Services; Development & Integration Services; Cloud & Managed Services; Devices, Network, Servers.
Three ways to get started with IBM MobileFirst
1. Download the IBM Endpoint Manager for Mobile Devices 30 day trial: ibm.co/EndpointMgrTrial
2. Talk with your IBM representative or Business Partner to find the right next step for you
3. Learn more: ibm.com/mobilefirst, twitter.com/IBMMobileFirst (#IBMMobileFirst), facebook.com/IBMMobileFirst
Legal Disclaimer
• © IBM Corporation 2011. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
• If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete: Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
• If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete: All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
• Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus® Sametime® Unyte™). Subsequent references can drop “IBM” but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
• If you reference Adobe® in the text, please mark the first use and include the following; otherwise delete: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
• If you reference Java™ in the text, please mark the first use and include the following; otherwise delete: Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
• If you reference Microsoft® and/or Windows® in the text, please mark the first use and include the following, as applicable; otherwise delete: Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
• If you reference Intel® and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete: Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
• If you reference UNIX® in the text, please mark the first use and include the following; otherwise delete: UNIX is a registered trademark of The Open Group in the United States and other countries.
• If you reference Linux® in your presentation, please mark the first use and include the following; otherwise delete: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
• If the text/graphics include screenshots, no actual IBM employee names may be used (even your own); if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.
BACKUP SLIDES
• Enterproid Divide details
• Additional Case Studies
• Screen shots
• Architecture diagrams
IBM Endpoint Manager + Divide: Complete MDM & BYOD Solution
Dual Persona
• Leverages the sophisticated policies and features of IBM MDM and Endpoint Management
• Marry full device management for enterprise-owned devices with Divide containers for personally-owned devices
  - Deploy, configure, update, and remove Divide containers
  - Display individual data from devices and integrate into overview reports
  - Execute basic Divide container commands such as wipe and lock
• Immediate solution for BYOD challenges and security concerns for Mobile OS’s
• Seamless delivery: same Divide App, binding to IBM MDM at time of enrollment
Diagram: IBM Endpoint Manager + Divide + Business Apps
What IT organizations need for BYOD: Divide Container Security
Data Protection
• Device PIN/passcode
• Passcode history and complexity
• Passcode failure actions
• FIPS 140-2 validated encryption
• Full and selective device wipe
• Wipe on SIM removal/rooted
• VPN support
• S/MIME support
OTA Self-Service Provisioning
• ActiveSync email
• VPN configuration
Container Controls
• Whitelisting – application push
• Blacklisting
• Location based services
• Data leakage prevention
• URL blocking
Compliance Management and Reporting
• Device hardware
• Operating system
• Policy compliance
• Compromised device status
• Voice, Data, and SMS usage reporting
GEARED FOR INNOVATION: Leveraging the App Ecosystem
STANDARD DIVIDE APPS
• Professional-grade email, contacts, calendar and browser
• Data-at-rest is protected with AES 256 bit encryption
• Data-in-motion leverages existing VPN investments
• Secure cloud based file storage (optional)
• Separate voice and messaging (including future 2-number UC)
THIRD PARTY APPS
• Internally developed apps uploaded and assigned via policy – in minutes and with no developer modifications
• Divide App security automatically provides data-at-rest AES-256 bit encryption
• Divide Extensions provide extraordinary integration with 3rd party Apps and Cloud services
Extensible for the future
Licensed to scale... cost effectively
• Divide is licensed by the user
• Others licensed by the device
“By 2014, the average number of connected devices per knowledge worker will reach 3.3, up from an average of 2.8 in 2012.” [1]
[1] Cisco IBSG Horizons Study of 600 U.S. IT and business leaders
The right solution for BYOD?
Comparison table: a next generation solution purpose-built for BYOD (✔) versus a first generation solution purpose-built for email sync (X)
• Device Management: ✔ Manages the Divide workspace and integrates with IBM Endpoint Manager for device MDM | X Does not integrate with deployed MDM solutions
• Secure “Workspace”: ✔ Provides a secure workspace that preserves the native iOS and Android user experience | X Provides an email sandbox with a proprietary user interface
• Secure VPN: ✔ Provides VPN connectivity between the workspace and corporate apps | X No VPN integration - all data traverses the Good NOC
• App Choice: ✔ App wrapper technology enables the use of any third party app within the workspace | X Third-party apps must be modified and recompiled using the Good SDK ($)
• Avg TCO/User: $ (next generation) | $$$$$$$$ (first generation)
PCs and mobile devices have many of the same management needs
Shared by Traditional Endpoint Management and Mobile Device Management:
• Device inventory
• Security policy mgmt
• Application mgmt
• Device config (VPN/Email/Wifi)
• Encryption mgmt
• Roaming device support
• Integration with internal systems
• Scalable/Secure solution
• Easy-to-deploy
• Multiple OS support
• Consolidated infrastructure
Mobile Device Management additionally: Device Wipe, Location info, Jailbreak/Root detection, Enterprise App store, Self-service portal
Traditional Endpoint Management additionally: OS provisioning, Patching, Power Mgmt
MDM Deployment Progress (Shared Under NDA)
IBM’s CIO Office is managing 56,000+ smartphones and tablets with IBM Endpoint Manager (60% iOS, 40% Android) and projecting 125,000 enrolled devices by end of March
Chart (Mobile Devices Enrolled against Deployment Time in days):
• 13k devices in first 24 hours
• 24k in first month
• 46k in first 2.5 months
• 125k projected by end of March
Public Utility: Adding Mobile Devices Without Adding Infrastructure
Customer Needs
• Support 20,000+ mobile devices
• Corporate and employee-owned, many platforms and OS versions
• High availability for certain devices used in the field
• Adherence to internal security policies, external regulations
Key Features & Outcomes
• Scalability to 250,000 endpoints provides room to grow without adding infrastructure
• Added mobile devices to existing IEM deployment in days
• Ability to integrate with Maximo, Remedy
• Responsiveness and agility of product and product team
Serving 4.5 million customers in the southwestern region of the United States, this electric company of 25,000 employees is a leader in clean energy while exceeding reliability standards and keeping consumer costs below average. They are experiencing a migration from traditional endpoints to mobile devices.
Managing Mobile Devices – The Problem
Security & Management Challenges
• Potential unauthorized access (lost, stolen)
• Disabled encryption
• Insecure devices connecting to network
• Corporate data leakage
Diagram: an end user’s device carrying Mail / Calendar / Contacts, Access (VPN / WiFi), Apps (app store) and Enterprise Apps, with iCloud sync and iTunes sync and encryption not enforced, reaching the corporate network over VPN / WiFi
Managing Mobile Devices – The Solution
Diagram: the end user’s device keeps Personal Mail / Calendar and Personal Apps alongside a Corporate Profile (Enterprise Mail / Calendar, Enterprise Access (VPN/WiFi), Enterprise Apps from the App store or custom) secured by BigFix policy, with encryption enabled; iCloud sync and iTunes sync are shown, and corporate network access is over VPN / WiFi
Endpoint Manager for Mobile Devices:
• Enable password policies
• Enable device encryption
• Force encrypted backup
• Disable iCloud sync
• Access to corporate email, apps, VPN, WiFi contingent on policy compliance!
• Selectively wipe corporate data if employee leaves company
• Fully wipe if lost or stolen
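The compliance gating this slide describes, written out as an added Python example (not IBM's code and not the product's API): the listed settings plus the jailbreak/root and app-blacklist checks from the "Secure Sensitive Data" slide become a rule set evaluated over constructed device-inventory records, with access decisions and a fleet-wide compliance report. The DeviceRecord fields, rule names, blacklist entry and sample devices are all assumptions made for illustration.

```python
"""Policy-compliance gating and reporting for managed mobile devices.

Added example (not IBM's code): the slide's rule set (password policy,
device encryption, encrypted backup, iCloud sync off, no jailbreak/root,
no blacklisted apps) expressed as an evaluator over constructed
device-inventory records. The DeviceRecord fields are assumed names.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    device_id: str
    os: str
    passcode_set: bool
    encryption_enabled: bool
    encrypted_backup: bool
    icloud_sync_enabled: bool
    compromised: bool                       # jailbroken or rooted
    installed_apps: list = field(default_factory=list)


# Constructed blacklist of app bundle ids (placeholder value, not a real app).
APP_BLACKLIST = {"com.example.filesharer"}

# Each rule is (name, predicate that is True when the device complies).
POLICY = [
    ("password_policy", lambda d: d.passcode_set),
    ("device_encryption", lambda d: d.encryption_enabled),
    ("encrypted_backup", lambda d: d.encrypted_backup),
    ("icloud_sync_disabled", lambda d: not d.icloud_sync_enabled),
    ("not_compromised", lambda d: not d.compromised),
    ("no_blacklisted_apps", lambda d: not (set(d.installed_apps) & APP_BLACKLIST)),
]

# Rules an MDM profile can remediate by pushing a setting; the other two
# need a person in the loop.
REMEDIABLE = {"password_policy", "device_encryption",
              "encrypted_backup", "icloud_sync_disabled"}


def violations(device):
    """Names of the rules the device fails (empty list = compliant)."""
    return [name for name, ok in POLICY if not ok(device)]


def decide_access(device):
    """Gate corporate email/apps/VPN/WiFi on compliance.

    Returns (grant, actions). Compromised devices are cut off and the user
    is told why; blacklisted apps raise an admin alert; settings violations
    get the corresponding policy pushed, with access held until the next
    inventory shows the device compliant.
    """
    failed = violations(device)
    if not failed:
        return True, ["grant_corporate_access"]
    actions = []
    if "not_compromised" in failed:
        actions += ["notify_user", "disable_corporate_access"]
    if "no_blacklisted_apps" in failed:
        actions.append("alert_admin")
    actions += ["enforce:" + r for r in failed if r in REMEDIABLE]
    if "disable_corporate_access" not in actions:
        actions.append("hold_corporate_access")
    return False, actions


def compliance_report(devices):
    """Unified view across OSes: non-compliant device ids and a per-rule tally."""
    noncompliant = {}
    tally = Counter()
    for d in devices:
        failed = violations(d)
        if failed:
            noncompliant[d.device_id] = failed
            tally.update(failed)
    return noncompliant, dict(tally)


# Constructed sample inventory (not real devices).
SAMPLE = [
    DeviceRecord("ios-001", "iOS", True, True, True, False, False, ["com.example.mail"]),
    DeviceRecord("ios-002", "iOS", True, True, False, True, False, []),
    DeviceRecord("and-003", "Android", False, True, True, False, True, ["com.example.filesharer"]),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.device_id, decide_access(d))
    print(compliance_report(SAMPLE))
```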
IBM Endpoint Manager for Mobile Devices Architecture
Diagram: an IEM Server with its DB provides consolidated reports / management, with two paths to devices:
• Management by Email: TEM Relay / Mgmt Extender connects to a Lotus Traveler / Exchange Server, which manages devices over ActiveSync
• Fully-Managed Devices: TEM Relay / Mgmt Extender for iOS uses agent comms / management APIs, with Apple Push Notification Servers and Google Cloud Messaging (optional)
Endpoint Manager for Mobile Devices Dashboard
A unified report of password policies across all mobile OS’ makes it easy for administrators to identify non-compliant devices
A “Single Device View” enables administrators and helpdesk personnel to easily view device details and take required action
Location information is also available
Create your own Enterprise AppStore
A user-friendly iOS Profile Configuration Wizard exposes all of the configuration capabilities exposed by Apple’s MDM APIs
A flexible enrollment process can include an EULA and collect critical device and employee data via customisable questions
Optional Authenticated Enrollment and Self Service portal
View installed apps on Android and iOS devices
IBM Endpoint Manager for Mobile Devices Architecture
Diagram components and links, as labelled:
• TEM Server with DB and Console / Web Reports
• Relay(s), reached over http / 52311
• Desktops / Laptops running Full Agents, over http / 52311
• Phones / Tablets: Apple App and Android App as Full Agents over http / 52311; Windows, Symbian and BlackBerry devices managed w/Email
• Mgmt Extender for iOS: Apple MDM Interaction over https, via the Apple Push Notification Servers
• Management Extender for (Exchange or Lotus) to the Email Server (Exchange/Lotus), which reaches devices over ActiveSync / IBM Sync
IBM Worklight - Developing for multiple mobile platforms
Client Challenge: Fast and cost-effective development, integration and management of rich, cross-platform mobile applications
Key Capabilities: Using standards-based technologies and tools and delivering an enterprise-grade services layer that meets the needs of mobile employees and customers
Mobile optimised middleware
• Open approach to 3rd-party integration
• Mix native and HTML
• Strong authentication framework
• Encrypted offline availability
• Enterprise back-end connectivity
• Unified push notifications
• Data collection for analytics
• Direct updates and remote disablement
• Packaged runtime skins
Encrypted cache on-device
• A mechanism for storing sensitive data on the client side
• Encrypted - like a security deposit box
Mobile Foundation Potential Integration Scenario: Streamlined App Deployment Workflow
Today: Endpoint Manager customers could directly import and distribute Worklight-built apps via Enterprise App Store, thereby improving workflow between Development and Operations
1. Build app in Worklight
2. Import into Endpoint Manager App Store
3. Distribute App to Employees
An Evaluators Guide is available for MDM