Industry Awards
2009 Award for Mobile Enterprise Platforms
Leader in mobile device management for the 9th year; Leader in mobile middleware for the 9th year
2009 Global Product Excellence award for Wireless/Mobile Security Solution Customer Trust
SOTI BES
Collaboration Tools
Productivity Enhancements
- Applications
- Workflows
Afaria modules
Afaria is a modular product, with the solution being divided into a number of optional Channels, each Channel being independent of the others and being enabled or disabled based on the license key used to install the product:
- Software Manager: deliver and install commercial or custom-built software packages on client devices
- Inventory Manager: interrogate and report on the hardware and software resources available on client devices
- Document Manager: publish and deliver groups of documents to client devices, be they text files, images, HTML web pages, etc.
- Configuration Manager: enable, disable and configure hardware and software elements on the client device, delivering connection settings, blacklisting applications, disabling camera and Bluetooth features, for example
- Backup Manager: backup and restore specified files from the client device to a specified location on the corporate network
- Session Manager: the most powerful feature of the solution, enabling automation of file distribution, directory management, registry management. I will examine this feature in more detail later
- Data Protection Manager: define and enforce security settings on the client device, including power-on passwords, encryption settings. Users can be allowed a set number of attempts to enter the password correctly, after which specific events can be triggered automatically, including removal of specific PIM data and/or files and applications, or a complete device hard reset
- Patch Manager: deliver operating system patches and security updates to clients automatically (Windows 32 only)
Reduce calls into support Full disk encryption for laptops and Collects a variety of hardware and desktops Two software data protection remote layers of information from devices Pre-boot authentication Fixes & Refreshes Detect device changes, Full disk encryption Troubleshoot in the Multiple User Support issues Field Policy enforcement Track installed licenses versus Removable Storage Media Support Automatically enforce license purchase data Visibility to Assets corporate configuration and and Their Usage SYSTEM License counts security policies OTA End to End transport Assure compliance to IT encryption License expiration dates policies for user authentication End your Track application usage remote/mobile workers
WIN32
Asset Visibility
Limited Allows administrators to Helpdesk Compression Remote App/OS create custom task and workflow Management with a point-and-click Resources automation File differencing scripting Seamlessly distribute, install, interface
repair and update software desired state Maintain Intelligent file updates system Create and deploy custom or status Segmented file fixes adhoc delivery Integrate with back-end
Remote Patching applications Dynamic Bandwidth Throttling Content publish Maintain virus Corporate and and subscription applications definitions Opportunistic connections
Provision
Logical Architecture
Devices Server and Web Management Console Logging Database
Optional Components
Certificate Services
Exchange
SMS Gateway
Directory Services
Deployment Services
Policies
Responses
Events
Window
Power Schedule Network
Channels
Group 1
Group 2
Group 3
Scalability
Highly Scalable
Centralized Management
- Remote web based administration
- Customizable permissions based access to management tasks and data
Hostability
- Multi-tenanted architecture for data and task separation
- Comprehensive APIs for customization and system integration
Virtualization support
Software
Device Security
Deployment
Process Automation
Asset Tracking
Afaria Console
File Synchronization
Device Backup
Device Configuration
Help Desk
Software Deployment
- Distribute and support software for both push model (WM, Symbian, Win32, BB) and pull model (iOS, Android) with minimal impact to user
- Seamlessly distribute, install, repair and update software
- Automatically checks and updates application (if necessary) during each connection
- End user application portals for iOS and Android
- Track the installation status of your packages for transparency into your mobile deployments
- Compress or segment applications for efficient distribution over low-bandwidth connections
- Maintain visibility into your devices with extensive hardware and software inventory
- Automatically detect changes on your devices and notify administrator for real time protection
- Use exception-based reporting to maintain uniformity of install base
- Troubleshoot problems quickly and maintain high level of service
Compliant Devices
Device Security
- Device password policy configuration
- Lock out after failed attempts
- Format and change frequency controls
- Disallow previously used passwords
- Encryption of PIM data and administrator specified files/folders
- Uses industry standard AES encryption algorithm with a 256 bit key
Process Automation
- Easily handle non standard management tasks such as conditional file transfers, application installation, or device troubleshooting
- Easy-to-use graphical scripting tool
- Designed for system administrators (not programmers) to create custom tasks or workflows
Device Backup
- Reliably backup and restore mission-critical data for easy retrieval when re-provisioning a device
- Users can recover lost or corrupted data without requiring IT or help desk services
- Restoration is managed through centralized console
Device Configuration
- Easy on-boarding of end users by configuring network, security and email settings
- Easy administration and fast recovery of user-modified settings by automatically maintaining critical device settings to IT standards
iPhone
Passcode settings WiFi settings Restrict application usage and installation Exchange setup information VPN settings IMAP and POP email settings LDAP connections CalDav Connections APN settings Connections Device DNS/IP Formats Network User Info Owner Info Sounds Customer Configurations Windows Update Port Control
Camera, Microphone, Bluetooth lock down or limit to device class
Windows Mobile
BlackBerry
Synchronization Security Messaging Applications
Symbian Access points Packet data Wireless LAN Exchange Roaming Control
Managing iOS 4
Deliver and remove device policies behind the scenes through a trusted relationship
Device Information, Device Network Information, Security Information, Installed Profile List, installed 3rd party apps, certificate list, and applied restrictions
Corporate Security
Managing Android
- Supports communication through the Relay Server
- Outbound notifications from the server to initiate a client connection
- Can distribute enterprise applications
- Integrated application download logging and reporting data for accurate tracking
- Displays packages grouped by admin defined categories
- Allows for end-user selection and installation
- Native device lock, unlock and wipe options (will not rely on MS Exchange)
- Administrator can enforce the use of password policies and control the format, min/max length, failures before wipe, etc.
Afaria Architecture
Afaria Components
Manager Components
Afaria Components
Function
Distribute and support software
Configure device settings Encryption and data protection
Software Manager
Configuration Manager Data Security Manager
Inventory Manager
Session Manager License Manager
Backup Manager
Document Manager Patch Manager Remote Control Manager AV & Firewall Manager
Software Mgr Inventory Mgr License Mgr Session Mgr Data Security Mgr Configuration Mgr Backup Mgr
Document Mgr
Patch Mgr Remote Control
Mobile Devices
WAN/VAN/ISP
DMZ
LAN
Dev
firewall
Test
Export/Import
Master
Dev
Export/Import
Router Test
Export/Import
Replication Traffic
Replication Traffic
Afaria Architecture
Windows 32 DB Repository firewall File Systems firewall
iPhone
DMZ
Afaria Server(s)
IIS Server
BlackBerry Android
Reverse Proxy
Administrative Console Browser
Symbian
Relay Server
- Relay Server installed in network DMZ
- Afaria clients connect in to the Relay Server
- Afaria servers connect out to the Relay Server
- No need to open an inbound port in the interior firewall
- Runs on Windows/IIS
System Requirements
Server
Windows Server 2003 Standard Ed R2 Windows Server 2003 Standard Ed SP 1&2 Windows Server 2003 Enterprise Ed R2 Windows Server 2003 Enterprise Ed SP 1 Windows Server 2008 Standard Edition R2 Windows Server 2008 Enterprise Edition R2 Windows Server 2008 Datacenter Edition R2
Database Support
Sybase SQL Anywhere[1,2] 11 Microsoft SQL Server 2008 R2 Enterprise Edition Microsoft SQL Server 2008 R2 Standard Edition Microsoft SQL Server 2008 R2 Datacenter Edition Microsoft SQL Server 2008 R2 Parallel Data Warehouse Edition Microsoft SQL Server 2008 SP1 Enterprise Edition Microsoft SQL Server 2008 SP1 Standard Edition Microsoft SQL Server 2005 Enterprise Edition (SP1, SP2, SP3) Microsoft SQL Server 2005 Standard Edition (SP1, SP2, SP3) Oracle Database 11g Release 2 Oracle Database 10g Release 2
Administrator
Windows Server 2003 Standard Ed R2 Windows Server 2003 Standard Ed SP 1&2 Windows Server 2003 Enterprise Ed R2 Windows Server 2003 Enterprise Ed SP 1&2 Windows Server 2008 Standard Edition R2 Windows Server 2008 Enterprise Edition R2 Windows Server 2008 Datacenter Edition R2 Windows Server 2008 Web Server Edition R2 IIS 5.0 or 6.0 ASP.NET
Supported protocols
HTTP, HTTPS, XNET, XNETS
System Requirements
Clients
Windows (Win32)
Windows 7 Windows Server 2008 Windows Vista Business Windows Vista Enterprise Windows Vista Home Ultimate Windows Vista Business SP1, SP2 Windows Vista Enterprise SP1, SP2 Windows Vista Home Ultimate SP1, SP2 Windows Server 2003 SP2 Windows Server 2003 R2 SP2 Windows Server 2003 Windows XP SP2 Windows XP SP3
Windows Mobile
Windows Mobile 6.5 Professional Windows Mobile 6.5 Classic Windows Mobile 6.1 Professional Windows Mobile 6.1 Classic Windows Mobile 6.0 Professional Windows Mobile 6.0 Classic Windows Mobile 5.0 Windows Mobile 5.0 Phone Edition Windows Mobile 2003 Windows Mobile 2003 Phone Edition Windows Mobile 2003 SE Windows Mobile 2003 SE Phone Edition Windows Mobile 6.5 Standard Windows Mobile 6.1 Standard Windows Mobile 6.0 Standard Windows Mobile 5.0
BlackBerry
J2ME version 4.2, 4.5, 4.6, 4.7
Java Client
JVM version 1.4
Palm OS
Version 5.2, 5.4
iPhone
Version 3.1, 4.0
Symbian
Version 9, 9.1, 9.2, 9.3 for Series 60 3rd Edition devices Version 9.4 for Series 60 5th Edition devices
Android
Android 2.0.1, 2.1, 2.2
Software Manager
The Software Manager allows the administrator to deliver pre-built application installers to client devices and run them:
- Distribute and support software with minimal impact to user
- Maintain and monitor applications, supplying missing or corrupted files
- Compressing or segmenting applications for efficient distribution over low-bandwidth connections
Software Manager...Continued
- Automatically checks and updates application (if necessary) during each connection
- Uses all Afaria bandwidth optimizations
- Criteria checking on disk space, memory, OS version, other applications
- Support for alternate distribution locations
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Software Manager
Inventory Manager
Inventory Manager allows the administrator to define an inventory collection task on the server. Inventories can be hardware-only, or both hardware and software.
- Detect device changes and notify administrator of changes
- Ensure applications are current & compatible
- Provide rule-based software distribution
- Troubleshoot problems quickly and maintain high level of services
Inventory Manager...Continued
Plan for mobile system upgrades Collect data on handheld phone devices including: phone number, IMEI, IMSI, mobile operator, current network, WiFi information (WiFi enabled/disabled, MAC address, current network), Bluetooth status, Bluetooth name/address and IR status
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Inventory Mgr
License Manager
License counts
License expiration dates Track application usage on client machines
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Android
License Mgr
Session Manager
Session Manager is the most powerful feature of the Afaria solution, and effectively all of the above Channels can be invoked for inclusion in a Session Manager worklist, so it is the Session Manager that I shall look at in the most detail.
- Offers an easy-to-use graphical scripting tool that's designed for system administrators, not programmers
- Allows administrators to create custom task / workflow automation with point-and-click scripting interface:
Session Manager...Continued
- Automating data delivery and retrieval
- Pre and Post software distribution processes
- Enhancing application Self-Healing
- Enabling proactive control of devices
- Provides information to enable better business decisions
- Maintain desired state system status
- Integrate with back-end applications
Win32
WM Pro
WM Std
Sym
iPhone
RIM
Java
Palm
Android
Session Mgr
- Lock out after failed attempts
- Format and change frequency controls
- Disallow previously used passwords

- Selectable data for encryption, including PIM / external media
- Strong encryption algorithm (Blowfish, AES, 3DES, RC2)
- Removable memory can only be read by the device that encrypted the data
- Improves performance and usability
- Improves battery life and power management
- Certified Encryption Modules - Ensures FIPS 140-2 Compliance

- Administrators can build partial expressions that can be combined to meet different requirements for groups of users
- Test passwords against expressions in the administrative UI
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
- Lockdown based on invalid credentials entry or too much time passing since last connection
- Administrator has multiple lockdown options: Disable, wipe or hard reset device
- Lockdown of device based on SIM change or removal
Password Recovery
- Admin or web portal to generate temporary password to unlock device
- Self-service password recovery option

- Block rogue devices from accessing Microsoft Exchange Server
- White and black list Windows Mobile devices
- Administrator can define policies
- Executive exception policies are allowed

- Data at-rest encryption for PIM data and file/folder on Symbian devices
- Data fading options to hard reset, disable password or delete data on the device when device has not connected to Afaria within a specified time
- Uses industry standard AES encryption algorithm with a 256 bit key

- Ensures that all sensitive data is protected at all times
- No reliance on users or applications to store sensitive data in correct location
- Protects PC from brute-force insertion of malicious code
- Supports compliance audits with predefined reports and detailed logging

- Securely allows numerous users per one computer
- Allows administrators access to machines without requiring the user's credentials
Outstanding Reporting
- Reports the encryption status of all Security Manager Clients that do not have a disk status of 100% encryption complete
- Provides defensible reporting and logging for security audits
- Detailed USB logging reporting

- Can be deployed to a work group or require a per user password
- Data may be shared at data owner's discretion
- Fully encrypted
Unattended Reboot
- Allows patches and software updates to occur off-peak when bandwidth is high, providing excellent time utilization
- IT is not required to perform a reboot to complete the process
Configuration Manager
- Automatically configures critical device settings
- Verifies successful implementation of settings on mobile devices
- Provides ease of administration and fast recovery of inadvertently modified settings
- Enhances the user experience
- Policy-based
- Utilizes Microsoft's CSP configuration model on WM
Win32 WM Pro WM Std Symbian iPhone RIM Java Palm Android
Configuration Mgr
iPhone
Passcode settings WiFi settings Restrict application usage and installation Exchange setup information VPN settings IMAP and POP email settings LDAP connections CalDav Connections APN settings
BlackBerry
Synchronization Security Messaging Applications
Symbian Access points Packet data Wireless LAN Exchange Roaming Control
Roaming Controls
- Roaming Management that detects roaming state changes and provides administrative control of device actions while roaming
- Provides real time protection of roaming costs
- Supports both Symbian and Windows Mobile
- Allows administrators several options to disable data connections based on roaming state of the device

- Disable all data connections
- Disable Afaria scheduled or client-initiated connections when roaming
(Outbound connections are still available)
- Display message on device when entering or exiting roaming state
- Disable email attachments (WM Only)
- Disable IMAP and POP3 (WM Only)

- Log event: Create custom logs for roaming events
- Execute program: Execute a program locally
- Run channel: Run an Afaria worklist
- Run script: Execute a customized script
Roaming Report
- Controls application access by specifying the certificate used to sign the application or by hash-based identification of the installed applications
- Restricts access to device settings such as phone, sound, profiles, home screen, clock & alarm, connections and security settings
- Tamper-resistant implementation so applications cannot simply be renamed
- Automatically creates library of embedded and installed applications on Afaria clients
- Log attempts to access disallowed applications
Backup Manager
Backup and restore mission-critical data Users can recover lost or corrupted data Backup
Folders or files Schedule backup frequency Backup data store at Afaria server or file server
Restore is managed through centralized console Folders or files Selective or full restore
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Backup Mgr
Document Manager
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Document Mgr
Patch Manager
- Leverages Microsoft patch scanning technology and patch catalogs to automatically update laptops and desktops with key security patches
- Automatically pulls new patch catalogs from Microsoft
- Scheduled scans of client machines for missing patches
- One Button patch deployment from the Afaria console
- Impersonation support for machines where the end user does not have administrative privileges
Patch Manager...Continued
- Provides visibility and discovers vulnerabilities
- Target and schedule patch deployment
- Automates patch management without user involvement
- Assess severity level of patch and deploy accordingly
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Patch Mgr
The capability to monitor device settings/characteristics on Windows devices and trigger connections, logging or execution of local processes when characteristics change.
Monitor Types:
(Eg. 1) Monitor battery level, and run executable to copy key files to external card when available battery drops below xx%.
(Eg. 2) Monitor directories on external card and write log message whenever a new file is written to an external card.
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Off-line Monitor
Remote Control
Real-time remote control capability for Windows-based PCs and handheld devices Interactively train end users on new applications or troubleshoot specific devices.
Win32
WM Pro
WM Std
Symbian
iPhone
RIM
Java
Palm
Remote Control
- Remote Control: superior quality supporting a large range of platforms
- Remote Management: computer management controlling services, registry, tasks, event log, shares and system state
- File Transfer: split screen, copy, move, sync, clone, crash recovery and delta transfer
- Scripting: schedule file transfers and other operations
- Chat, Audio Chat, Video Chat: allow users to communicate in text mode or verbally supported by webcam video
- Multi Console session: allows a number of Console users to view and control the same Client desktop
- Run Program: launch programs at the remote computer
- Supports WIFI or any cellular network (TCP/IP)
- Send Message: distribute popup messages in Rich Text Format which allows links to e.g. web sites.
- Request Help: contact the help desk via remote control and run an external application to auto-generate trouble tickets.
- Security: local and centralized, Native NetOp, Directory Services and Windows-integrated.
WebConnect side-steps firewalls, proxies and routers. Now you can offer your company world-class support from anywhere and avoid costly deskside visits. Connect with help desk initiated connections over the internet without requiring holes in your firewall
No need for firewall or router configuration to access the host
Secure remote access and control for supporting people on the move
Overview of Webconnect
Administration module
WebConnect
Account data (Microsoft SQL) Connection Manager (Microsoft IIS) Connection Server
DMZ
Request and location information Connection
GUEST
HOST
- Malware and Viruses
- Intrusion by using an IP based firewall
- Unwanted SMS or phone calls by blacklisting
Technology licensed from SMobile, leader in mobile Antivirus and Firewall software
Mobile viruses and malware can propagate through multiple mechanisms, including email attachments, Bluetooth or Infrared file transfer channels, SMS links, MMS attachments, etc. Typical threats in the wild are classified as:
- Malware for profit - FlexiSpy/MobiSpy
- Bluetooth exploits - Cabir/Bluesnarfing
- Backdoor Trojans - Brador/BBProxy
- Exploiting PC syncs - Crossover/Mobler
- Malware crashing devices - Skulls, Fontal
- Mobile IP - P2P Worms
- SMS and MMS dialer Trojans - CommWarrior/RedBrowser

- Identity theft attacks, where personal information such as customer names, street addresses, credit card information and other sensitive corporate data is stolen off of a mobile device
- Unauthorized device usage, where an infected device can trigger unauthorized mobile payments, unauthorized purchases or extraneous data connections, resulting in fraudulent charges or excessive data or minute usage which would lead to large monthly billing and additional cost to the enterprise
- Snoopware, mobile malware that is capable of stealthily and remotely monitoring activities on mobile devices. Includes voice calls, messages, e-mails, and remote activation of functions such as a microphone
Compatible with all major operating systems, including Windows Mobile and Symbian devices
Background scans of all files received via SMS, MMS, Bluetooth, WiFi, infrared, or desktop sync in real time
- Industry's only handheld antivirus to use heuristics
- Based upon an independent study Afaria outperforms the competition in CPU calculation, CPU performance, user performance, write access, read access, and bitmap drawing which all equates to better handset performance and better user experience.
- Only mobile AV focused solely on mobility, not a retrofit of a desktop solution
- Full logging of scan and detection activity all viewable by the system administrator
- Remotely invoke device scans, updates, policy changes and reports on device activity from a single management console.

- IP based firewall protection based upon black list or white list filtering, and provides both in and outbound network packet monitoring
- Monitors GPRS, EDGE, CDMA, WIFI and phone to PC traffic
- Enables administrator to control inbound and outbound access (either denying/blocking by blacklisting or approving by whitelisting) to sites hosted by the outside world based on IP address

- Employees can be restricted to access only the corporate website or certain authorized sites
- Only allow Line of Business applications to communicate through the network
- Blocking a particular port when utilizing a VOIP application
- Protect against IP based intrusion attacks

- Allows administrators and users to establish a customized blacklist to block incoming SMS, MMS and/or calls from selected contacts or unwanted calls/messages
- Includes tracking logs of blocked calls and messages
- Call Filtering and MMS/SMS filtering are separately configurable
- Primarily used to block spam sent to devices

- Offline processing: Minimize expensive online processing over bandwidth-limited networks
- Checkpoint restart: Tolerance for in-and-out of coverage conditions
- Compression: Proprietary algorithms reduce time required for file transfer
- File differencing: Send only needed changes within files (Byte Level)
- Intelligent file updates: Send only files/data that need to be updated
Opportunistic connections
Afaria Access Control ISAPI filter installs on a Microsoft Exchange 2003 through 2010 server. Works with Afaria server to deny sync requests to handheld devices that are not properly managed and/or secure
- Define the amount of time during which a device must have connected to Afaria server to confirm presence of Afaria client and/or security manager on the device
- Administrators can create a white list of devices that should always be allowed to synchronize with Exchange, even if they fail the security verification policy
- Administrators can create a black list of devices that should never be permitted to synchronize with Exchange, even if they fail the security verification policy
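The Access Control rules above (connection time window, white list, black list) written out as a decision function; this is an added illustration, not Afaria code. It assumes the device is identified by the DeviceId query parameter of the ActiveSync request, that the black list wins when a device is on both lists, and that devices unknown to the management server are denied; all names and sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs


@dataclass(frozen=True)
class DeviceRecord:
    """What the management server knows about one device (hypothetical shape)."""
    last_management_connect: datetime
    security_manager_present: bool


@dataclass(frozen=True)
class Policy:
    max_age: timedelta               # window in which the device must have connected
    require_security_manager: bool
    whitelist: frozenset             # always allowed, even if verification fails
    blacklist: frozenset             # never allowed


def device_id_from_request(url):
    """Extract DeviceId from an ActiveSync request URL; None if it is absent."""
    values = parse_qs(urlsplit(url).query).get("DeviceId")
    return values[0].upper() if values else None


def decide(url, policy, inventory, now):
    """Return (decision, reason) for one sync request. Fails closed."""
    device_id = device_id_from_request(url)
    if device_id is None:
        return ("deny", "no DeviceId in request")
    if device_id in policy.blacklist:          # assumption: black list has priority
        return ("deny", "blacklisted")
    if device_id in policy.whitelist:
        return ("allow", "whitelisted")
    record = inventory.get(device_id)
    if record is None:                         # assumption: unknown means unmanaged
        return ("deny", "device unknown to management server")
    if now - record.last_management_connect > policy.max_age:
        return ("deny", "last management connection outside window")
    if policy.require_security_manager and not record.security_manager_present:
        return ("deny", "security manager not present")
    return ("allow", "verified")


# Constructed sample data, for illustration only.
NOW = datetime(2011, 1, 15, 12, 0)
POLICY = Policy(
    max_age=timedelta(days=7),
    require_security_manager=True,
    whitelist=frozenset({"DEV-EXEC", "DEV-BOTH"}),
    blacklist=frozenset({"DEV-LOST", "DEV-BOTH"}),
)
INVENTORY = {
    "DEV-OK": DeviceRecord(datetime(2011, 1, 14, 9, 0), True),
    "DEV-STALE": DeviceRecord(datetime(2010, 12, 20, 9, 0), True),
    "DEV-NOSM": DeviceRecord(datetime(2011, 1, 15, 8, 0), False),
    "DEV-EXEC": DeviceRecord(datetime(2010, 11, 1, 9, 0), False),
    "DEV-LOST": DeviceRecord(datetime(2011, 1, 14, 9, 0), True),
}
BASE = "/Microsoft-Server-ActiveSync?Cmd=Sync&User=sample&DeviceType=PocketPC"
REQUESTS = [BASE + "&DeviceId=" + d for d in
            ("DEV-OK", "DEV-STALE", "DEV-NOSM", "DEV-EXEC",
             "DEV-LOST", "DEV-ROGUE", "DEV-BOTH")] + [BASE]


def evaluate_all():
    """Decide every sample request; returns a list of (url, decision, reason)."""
    return [(url,) + decide(url, POLICY, INVENTORY, NOW) for url in REQUESTS]


if __name__ == "__main__":
    for url, decision, reason in evaluate_all():
        print(f"{decision:5} {reason:45} {url}")
```

The ordering of the checks is the part worth reviewing in any real deployment: a white list entry bypasses both the freshness window and the security manager check, so it should stay short and be audited.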
An added layer of security that is certificate based and will ensure that only properly credentialed clients can connect to a customer's server
Administratively enabled and configured
Internationalization
Support for Afaria server, administrator and clients operating on a double-byte character set language system
Client support for:
- Configuration Manager
- Session Manager
- Inventory Manager
- Security Manager (for WM devices)
Localized Windows Mobile client UI available for Simplified Chinese, Traditional Chinese and Korean
Administration
- Web-based administrative console built on .NET framework with all the functionality of a full Graphical User Interface
- Manage Afaria servers from any PC on the network, including virtualization technology
- Secure access to the web console leveraging the NT security model
- User access rights to the web console; role-based user access
- Policy / profile based model for channel scheduling, monitors and assignments
- Easier management of schedules and assignments
- Consolidated administrator view of schedules/monitors and channels assigned to a particular device (or group)
Thank You