Wednesday, 29 January 2014

Pros and Cons of BES10 V "the others"

Mobile device management tools are designed to control who can access your enterprise network and applications from particular phones and tablets. To effectively evaluate these products, you should first identify what you're trying to control: the apps on particular devices, the pairing of a user with his device, the device itself, or the files on each device.
There were six products evaluated: AirWatch, Apperian EASE, BlackBerry Enterprise Server 10 (BES10), Divide, Fixmo, and Good Technology's Good for Enterprise.  Each has a somewhat different perspective and different strengths in terms of what it can control best.
All support Android and iOS devices, and some also support BlackBerrys, Windows Phones, and in the case of AirWatch, desktops. Pricing varied between $20 and $75 per user or per device per year, and will depend on the particular features, with quantity discounts typically available. The most transparent pricing schemes came from AirWatch and BlackBerry. The other pricing methods were rather opaque.
For example, some of the solutions we tested work with ActiveSync so that you can save deployment time and use your existing security policy frameworks in Active Directory. But your own Active Directory implementation may not have any of these fields itemised, so this may not be as useful as it sounds.
If you have a variety of mobile phones from various vendors running vintage OSs, you will quickly run into installation issues. In this test a Kindle Fire was used to test the concept of an oddball Android version.
Some devices have some quirky issues: First, for iOS in particular, you can't have more than one vendor's profile active at any given time. This means if your phone or tablet has to traverse two or more networks that are using different MDMs, you are going to have problems. Second, while these products can identify once a phone has been rooted, they can't "unroot" it: you'll have to go through the process on each phone individually.
No winners
This was an assessment, not a competition; each product had pros and cons.
For example, AirWatch had the widest phone/tablet/desktop support. But it also requires a messy collection of different downloaded apps that are confusing to use.
Fixmo doesn't support many device OS versions and its cloud server still needs a supplemental VPN to be secure. However, if you’re going the secure container route, Fixmo is a potential solution.
BES10 supports Android and iOS devices, but the integration is being rapidly developed to smooth out some of the complications. Network World recommended that BlackBerry should be on a CTO’s short list if his primary goal is protecting the messaging infrastructure.
Good Technology is a mature product that features email security, fast device enrolment, extensive security policies and wide device support. But Good has weak support for sharing files and apps and does not have the bulletproof end-to-end security of BES10.
Divide had the most appealing management console and overall simple setup routines, and also supports licensing unlimited devices per user. It features the best overall approach to MDM and is the easiest to operate, but has the most limited device OS version support.
Apperian does a great job with setting up a protected app portal, but falls down on some basic MDM issues. Network World recommended Apperian if you have developed a large collection of your own apps and want a consistent set of security policies when deploying them.

The Nuts and bolts
BlackBerry Enterprise Server (BES) v10.1

BES is the original MDM platform developed by the "Artist Formerly Known As Research In Motion". Until recently, BES was designed to manage BlackBerry devices. Now it is capable of managing both Android and iOS too, via a new Universal Device Service. The extension into managing its competitors is full of solid advantages, but at the moment it is somewhat complex to administer.
Network World states that BES and Good are probably the two best MDM solutions that were tested and that both can securely lock down your mobile email. If this is a primary concern, it was recommended that BES be considered on that basis alone. Second, BES has a solid collection of iOS/Android device management policies that you wouldn't expect from an early product release.
The policies cover everything from password policies to turning off specific phone peripherals (and not just disabling the camera itself but more subtle things like being able to hide the icon on the phone desktop or disable screen captures). There are policies to wipe the phone or to require particular iOS or Android versions. For each policy, you can see which version of iOS or Android is relevant right on the screen: that is a nice touch and Network World opined that they wished other vendors were as forthcoming in documenting this.
BES will remake Android and iOS phones as close to the security model of the BlackBerry as it can and they have two scenarios: one called "Balanced" which divides the phone into personal and business sections, and one called "Secure" that locks the phone 100% into a corporate and protected device. The Balanced selection is only available on more recent devices and BES10 servers, with the exception of iOS7. All communication is encrypted between the device and BES, and then from BES to the appropriate enterprise services, so no VPN is required. If BES detects a rooted/jailbroken device, it will shut down all communications.
With all the negative press surrounding BlackBerry in recent years it is sometimes forgotten that BlackBerry has more security certifications from more government agencies than any other MDM vendor. BlackBerry is also the only vendor to date to be awarded an ‘Authority to Operate’ certification from the US Department of Defense.
Furthermore it should be noted that 87% of the Fortune 500 use BlackBerry services. There are over 30,000 BES10 commercial and test servers installed to date and a global enterprise customer base exceeding 80,000 customers.
BES10 is reasonably priced at $19 per device per year, with an additional $99 per user per year for its secure workspace features for Android and iOS devices. BlackBerry offers BES10 as a 60-day free trial including 50 secure workspace licenses and 50 device licenses. The company offers (or will soon offer) a subset of the on-premises BES features in a cloud version.

AirWatch supported the largest collection of devices, and was the only product that had both mobile and desktop management support. It supports iOS7 and the MDM API that Apple developed for its latest mobile OS, and it has an app in the BlackBerry World app store as well.
The bad news is that AirWatch sells three different products: one for MDM, one for mobile content management and one for mobile applications management. They use a single integrated management console, but have different client pieces for each mobile device. All of this software is delivered from the cloud, although they will work with companies that want on-premises servers or virtual appliances.
Network World had some initial confusion over separating out administrative and user accounts, but once that was resolved, getting all the various tasks completed was mostly obvious. AirWatch's workflow and set-up process was reported as pretty good.  
AirWatch has a decent collection of policy settings, down to the minimum sub-version of Android OS allowed, being able to disable a device's camera, adding geo-fencing or being able to restrict a device to a particular Wi-Fi network.
It has a particularly rich pass-code policy that can override the device OS defaults. These various elements are spread across about a dozen sub-menus in the policy section of the product, where you would set up specific policies for each particular device type. When you create a policy, you can either apply it to the device itself or to a group of users, which is nice. When you are finished, you save and publish your profile settings to your device collection with a click.
There are three different services for AirWatch: the base MDM and a second service to secure files (called Content Locker) and a third to run protected apps. Each service works with its own downloaded app on your device. That’s a lot of apps to download and add to your phone, and it can get confusing to keep switching among them. One caveat: these supplementary apps will require at least iOS v5 or later, although the base AirWatch MDM works on iOS v4 devices.
AirWatch's pricing is very transparent and published on its website. Each of the three modules (MDM, content, and apps) is priced a la carte, either as a perpetual license with a one-time, per-device fee, or on a subscription basis with a monthly per-device fee.
The MDM starts at $48 per device per year and the other modules can triple this annual cost. There is also a free 30-day trial for 50 devices that offers full functionality. AirWatch plans to begin selling a lighter-weight version called Pro that will have fewer features and be lower priced.
Apperian EASE

Apperian is all about the apps. While it sells its product with its own MDM, it is very lightweight in terms of device and user control. If you have a lot of corporate mobile apps and you want to wrap them in a very secure mechanism to keep track of who uses them on what particular devices, then this is the product for you.
Apperian has two separate functional modules: an application control system and a built-in MDM. The MDM module doesn't support BlackBerrys; they are supported only in the app module. It has fewer features than the other MDM products reviewed, although you can do the basics including wiping data from the phone, rootkit detection, controlling copy/paste from the mobile's clipboard, and some rudimentary password control on your devices.
Initially, you don't download anything to your phone; instead you use your phone's Web browser to bring up the enrolment link and download a customized app store for your particular device and user name. However, this simple process is balanced with a tedious app wrapping process to add your security layer.

Divide (the company recently changed its name from Enterproid) supports both iOS and Android devices but nothing else. Getting each device enrolled is very straightforward and involves downloading the app from iTunes or Google Play and registering your email address that will be used for that phone. Multiple devices can use the same email address, which is handy if you want to share information (such as contacts or files) among them.
However, Divide is somewhat particular about its iOS and Android support: while it appeared to have installed successfully on the older Android phone (running v2.3.4), the app wouldn't execute at all, and didn't even install on the Kindle Fire. It did work fine on an Android phone running v4.3. It supports devices running at least iOS v6.
Divide creates a separate and protected container and workspace on your phone where all business-related apps are launched. These include a wide range of their own contact manager, email, calendar, task list, and other items that share content with each other but not outside the protected environment.
You are limited to a single container per device. If you use a cloud-based email service for your business and you don't want your end users to download messages to an unprotected device, you will have to set your email provider to disable Web, POP and IMAP access and use a proxy server that points to the MDM server.
It doesn't support the free version of Google Apps; you will have to make use of the paid accounts because they are the only ones to support use of ActiveSync. This is how Divide distributes its policies and apps. You can bulk add users via uploading a CSV, and download a list via a CSV as well.
It also has its own protected file system and it integrates with Box so you can download files from your Box account that could be viewed on the protected client. However, to make this work properly, you need a helper app to view the files, such as In my opinion this badly compromises Divide's security, given how insecure Box could be.

According to Network World, its device password policies weren't up to the standards of some of the other products we used, such as forcing a device-wide PIN to be used. In my opinion its reliance on a cloud-based manager to handle all devices, apps, and enterprise settings is particularly risky for Enterprise.
Divide's pricing of $60 per year per user includes unlimited devices for each user, something that may be of interest if your users have a lot of phones and tablets. 
Fixmo co-founder Rick Segal loving his BlackBerry
Fixmo is a Canadian company and boasts that many of its top people worked at BlackBerry. It originally came from the government compliance reporting space and it shows with its approach to device security. Its software is part of the Android Knox platform that Samsung uses on most of its smartphones. It also supports iOS, although it didn't have an iOS7 client at the time of the tests, and it only works on iOS v5 or v6.
Fixmo is betting that consumers, especially in the wake of the NSA Prism scandal, will demand BlackBerry-like encryption on non-BlackBerry devices. The company, it seems, has more than a passing idea of how to do this, with much of its top talent having served under RIM co-CEOs Mike Lazaridis and Jim Balsillie.

Fixmo’s Chief MRM Architect, Jonas Gyllensvaan, founded Conceivium Business Solutions, Inc., which specialized in the development and marketing of BlackBerry mobile platform management solutions, before moving to Fixmo. And Fixmo’s Chief Marketing Officer, Tyler Lessard, was once Vice President of BlackBerry Global Alliances and Developer Relations at RIM, again specializing in nurturing the BlackBerry ecosystem by launching BlackBerry App World. Lee Cocking, Fixmo’s VP of Corporate Strategy, spent a decade working at RIM where he managed core components of the BlackBerry Enterprise Solution.
Setup of the solution is relatively straightforward via Fixmo's cloud service. There is also an on-premises Windows server that has additional features, with a web front end. You add users and devices and services via the menus, and these produce a series of emails with QR codes and URLs that direct the user to install the necessary configuration profiles for each device. Fixmo uses three profiles: one for MDM, one for passcodes, and one for its self-service portal.
Network World reported that this can get a bit tedious, compared to some of the other MDM products, but like others you can also bulk import and export users using CSV files. Network World reported some problems with reading the QR codes because the Fixmo server wants to see the link sent coming from the phone's Web browser. Some of the QR readers open their own browser, so Network World needed to use an app that allowed them to open the URL in Safari or Chrome.
The cloud server doesn't support end-to-end secure sessions and requires a supplemental VPN.
Each policy can have one of three actions: send an email alert to an administrator, lock the device, or wipe the device. The Fixmo client automatically does a jailbreak/root detection upon launch. If it finds your phone has been compromised, it won't allow you access to its secure container. There is also a feature where you can automatically wipe the container with a time bomb if it hasn't called home within a certain interval, which is nice for lost or stolen phones.
Fixmo has services that it licenses separately, including the SafeZone secure container for iOS/Android, its MDM and security service called Integrity (which is also available for BlackBerries). Fixmo pricing for a full 250-user configuration is $18,000 per year. Each device is licensed separately starting at one service at $12 per month with quantity discounts and multiple-service discounts available.
Good Technology for Enterprise
Good for Enterprise has been around for a while now and was originally envisioned as a protected messaging environment that expanded into the MDM sphere. You can tell its longevity by the platforms it supports: in addition to Android and iOS devices, Good also supports Windows Mobile and even Palm OS devices. Noticeably absent is any support for BlackBerries, but also notable is its inclusion of the Kindle Fire. They have well developed integrations with Boxtone, Sailpoint and others, showing the maturation of their product.
Good actually has an additional product for file sharing, called Good Share. This is more of a mobile collaboration tool. It wasn’t tested, but it allows you to view files and connect to a SharePoint server. The main Good for Enterprise client has rudimentary file storage, but the files you save to your device aren't sharable, unlike some of the other MDMs.
Enrolment is very straightforward and like other MDMs, you can bulk add users via uploading a CSV.
Like Fixmo, you can have its client connect with its servers on a regular basis, and wipe the phone clean if the phone isn't used or is stolen. Other MDMs block file attachments from being downloaded: with Good you can block specific file types as well as set a size limit (up to 32MB). After you make changes to your policies, you are brought to a summary screen that shows you which devices have been affected.
Good sells its server for Windows, but it is managed via a Web browser. The UI is very straightforward, although some of the policy details are tucked away in odd places. It has extensive password policies including smartcard support for second factor authentication. It also has solid online help that is quite searchable.
One downside is that the Good client has limited app sharing: while it is supported, it isn't as useful as some of the other products. There is also a small question about its security credentials. Open Security Research reported a hack method to:
Identify the Good Enterprise Server
Determine the Good Administrator
Obtain the Good Administrator Credentials
Access the Management Interface (Good Mobile Control)
Provision devices and read emails (Note: don’t try this at home, it is illegal!)
I am not linking to the article as that would be rude but you can find it yourself if you want.
Good for Enterprise costs $60 per user per year.

David Strom
The websites of all the vendors listed