STEPHEN SAUER
InfoWorld.com Deep Dive Series
Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone
Apple's iPhone and iPad long ago pushed out the BlackBerry as the corporate standard for mobile devices, in all but the highest-security environments. Google, whose Android platform reigns outside the corporate world, is now trying to push out Apple, with a new effort called Android for Work. And Samsung is upping the game with a new version of its own Android security suite, Knox.
first version of Microsoft's mobile platform to support device encryption.)
Apple's approach is to handle apps and their contents directly, which means app developers must implement the APIs for a management server to be able to work with them.
                                    Apple                   Samsung           BlackBerry     Microsoft
Policy                              iOS 7, 8  Android 4, 5  Android 5 + Knox  BlackBerry 10  Windows Phone 8, 8.1
(unlabeled)                         YES       YES           YES               YES            YES
(unlabeled)                         YES       YES [1]       MDM               YES            YES
(unlabeled)                         NA        YES           YES               YES            YES
(unlabeled)                         YES       YES           YES               YES            YES
(unlabeled)                         YES       YES           YES               YES            YES
Password history                    YES       YES           YES               YES            YES
(unlabeled)                         YES       YES           YES               YES            YES
(unlabeled)                         MDM       NO            MDM               MDM            NO
Disable camera                      YES       YES           YES               MDM            NO
(unlabeled)                         NO        NO            MDM               MDM            NO
Disable Wi-Fi                       MDM       NO            MDM               MDM            YES [2]
Disable Bluetooth                   MDM       NO            MDM               MDM            NO
Disable IrDA                        NA        NO            NO                NO             NO
(unlabeled)                         YES       NO            YES               MDM            NO
(unlabeled)                         MDM       NO            MDM               MDM            MDM
(unlabeled)                         MDM       NO            MDM               NO             NO
Disable email attachment access     YES       MDM           YES               NO             YES
(unlabeled)                         MDM       NO            MDM               YES            NO
(unlabeled)                         NO        NO            MDM               YES            NO
Allow browser                       YES       MDM           MDM               NO             MDM
(unlabeled)                         NO        NO            MDM               NO             NO
(unlabeled)                         YES       NO            MDM               YES            YES
(unlabeled)                         NO        NO            MDM               NO             YES [2]
(unlabeled)                         NO        NO            MDM               NO             YES [2]
(unlabeled)                         YES       NO            MDM               YES            NO
(unlabeled)                         YES       NO            MDM               MDM            YES [2]
Require encrypted S/MIME messages   YES       NO            MDM               MDM            YES [2]
(unlabeled)                         YES       NO            MDM               MDM            YES [2]
Require encrypted S/MIME algorithm  YES       NO            MDM               MDM            YES [2]
(unlabeled)                         YES       NO            MDM               MDM            YES [2]
(unlabeled)                         NO        NO            YES               MDM            YES [2]
APIs vary widely across the major mobile OSes, and each requires a management tool. Most MDM tools support multiple mobile OSes, providing a single console for IT admins.
work on, into a separate workspace not accessible by the user's personal apps. Users have to switch between the two workspaces, as if they were using two devices.

For years, several providers such as Divide have offered such containers for iOS and Android, but they required that the apps running in them be tied to their proprietary APIs, which in turn were tied to a specific vendor's mobile management server. Thus, they've gained little adoption.

In 2013, Samsung announced a container technology called Knox that was available for a handful of its Galaxy smartphones and supported by few mobile management servers, so it too has gained very little adoption. But the company is renewing its Knox effort with the 2.4 version released on April 10, 2015.

Also in 2013, BlackBerry introduced BlackBerry Balance, the first platform-level containerization approach, for BlackBerry 10 devices. It also has a Balance container app, called Secure Work Space, for iOS and Android.

Last spring, Google purchased containerization vendor Divide and later said it would make containerization part of Android, now the Android for Work technology that became available last week.

Container policies differ widely from container to container, which can make management difficult. However, now that popular mobile management servers support both iOS's APIs and Android's containers, IT admins should be able to create consistent policies that are largely compatible across the two platforms, much as they can when using the extended device management APIs in iOS and Android.

Note that BlackBerry's BES12 supports some of the iOS 7 app-management APIs, fewer than those from, for example, Citrix, MobileIron, and VMware AirWatch. Among the iOS 7 app policies supported by BES12 are per-app VPN, single-app mode, single sign-on, and Apple Volume Purchase Plan (its corporate app store).

BES12 supports some app-management APIs for BlackBerry devices, but the policies available vary widely based on the type of app managed: Java, recompiled or Fire OS-compatible Android, BlackBerry 5- or 7-native, or BlackBerry 10-native. Frankly, it's a mess.
can't install apps themselves in the secured workspace if IT enables this policy. IT can also install, update, and remove apps in the business workspace without user involvement.

There are policies to disable copy and paste from the business workspace into the personal one (but not vice versa) and to prevent screenshots being taken in the business workspace. IT can also determine which IT-managed apps use a VPN for access, as well as retract personal apps' communication from the corporate VPN.
(Typically requires a mobile device management server to use)
                                    Apple                        Samsung                BlackBerry           Microsoft
Capability                          iOS 7, 8       Android 4, 5  Android 5 + Knox 2.4   BlackBerry 10 BES12  Windows Phone 8, 8.1
Encryption                          YES (LEVEL 1)  NO            SOME MODELS (LEVEL 1)  YES (LEVEL 2)        YES (LEVEL 1)
(unlabeled)                         YES            YES           YES                    YES                  YES
S/MIME                              YES            NO            YES                    YES                  YES [2]
VPN                                 YES            YES           YES                    YES                  YES [2]
Configure VPN                       YES            YES           YES                    YES                  YES [2]
Per-app VPN                         YES            YES [3]       YES                    YES                  YES [2]
(unlabeled)                         YES            NO            YES                    YES                  YES
(unlabeled)                         YES            YES [3]       YES [3]                YES                  NO
(unlabeled)                         YES            NO            YES                    YES                  YES [2]
(unlabeled)                         YES            YES           YES                    YES                  YES [2]
(unlabeled)                         YES            NO            YES                    YES                  YES
(unlabeled)                         YES            YES [3]       YES                    YES                  YES [2]
(unlabeled)                         YES            YES [3]       YES                    YES                  YES
Secure boot                         YES            YES [1]       YES                    YES                  YES
(unlabeled)                         NA             NO            YES [3]                NO                   NO
App sandboxing                      YES            YES           YES                    YES                  YES
(unlabeled)                         YES            YES           YES                    YES                  YES [2]
Disable iCloud/Microsoft Account/
  Google Account sync and storage   YES            NO            YES                    YES                  YES [2]
[1] Added by some smartphone makers. [2] In Windows Phone 8.1 only (and VPN support is partial). [3] In secured container only.
It's a no-brainer that iOS and BlackBerry OS have what it takes for almost any business's security needs.
STEPHEN SAUER
BY GALEN GRUMAN
Mobile and PC management: The tough but unstoppable union
That's why MDM is shifting away from mobile to encompass anything and everything a user might access: smartphones, tablets, computers, even cloud desktop services.
so Microsoft may also be trying to keep both
approaches available as the market continues to
experiment.
Hoping to impose a common set of devices, applications, and services is a pipe dream. But that doesn't mean IT shouldn't seek unity.
Unchain your mobile users and just protect the data
IT and the security industry are both focused on dubious protection plans. This proposed standard shows a better way
BY GALEN GRUMAN
Authoring and editing tools should be able to assign both usage rights and two of the access rights: the password requirement and the encryption requirement.
Identity management needs to be done at the source. That means InfoTrust needs APIs to communicate with existing enterprise identity management tools.
validate against the identity management server, but there's no way around that reality.
platform vendors.
Traditional, backward-thinking vendors (such as those in the antivirus industry) should be kept at arm's length, at least in the initial stages. They've shown repeatedly that they can't get out of the broken defensive-perimeter trap.
IT keeps saying its security concerns are
about protecting information. So, tech vendors,
stop focusing on straitjacketing devices and
apps and instead protect that valuable information wherever it is.
Galen Gruman is an executive editor at
InfoWorld and its columnist on mobile and
consumerization of IT.