In-Depth

Virtual Mobility Is the Question: How Do VMware, Microsoft and Citrix Answer?

Users are demanding access to increasingly larger sets of sensitive corporate resources on any device from anywhere, any time. Your challenge is to make it look easy. Citrix, VMware and Microsoft have been developing strategies that can help you meet that challenge head on.

The basic premise of consumerization of IT is that end users are no longer content to work from desktop PCs in the office. They want access to corporate resources from any device, no matter where they're working from, anywhere in the world.

End-user demands have long been a source of frustration for IT pros, but the requirement for ubiquitous access from any device poses a special set of challenges. While it might be tempting to ignore the mobile device usage trend, you can't ignore some studies that show users who work from mobile devices tend to be more productive because they're able to take advantage of idle time, such as time spent commuting.

Mobile Device Management in the Enterprise
Administrators who are tasked with facilitating BYOD or choose your own device (CYOD), while also ensuring adherence to established security and compliance requirements, have a number of different choices for mobile device management. Vendors such as Citrix Systems Inc., VMware Inc., and Microsoft all offer their own mobile device management products, and each vendor takes a somewhat unique approach. I'll explore each vendor's offerings (current as of this writing).

How Citrix Is Tackling Mobility
The Citrix mobile device management solution is based around XenMobile. XenMobile is designed to complement the functionality provided by XenApp and XenDesktop. In doing so, XenMobile addresses two main challenges. First, XenMobile is designed to ensure mobile device security. Second, the software addresses the challenge of application portability.

Citrix addresses these two challenges separately through two different products, both of which are designed to be used in conjunction with XenApp and XenDesktop.

XenMobile MDM, which is designed to provide device-level security, is one of the products.

XenMobile MDM provides four basic capabilities. First, it allows you to set policies that can be used to enforce password security on the device's lock screen.

Second, it allows you to set policies controlling the types of devices that can access resources on the corporate network. For example, you might wish to block devices that are running specific applications or devices that have been jail broken.

The third capability provides data protection for data stored on the device and for data that is being transmitted to or from the device. This capability is facilitated through the use of a digital certificate that's deployed to the device as a part of the initial provisioning process.

Why Mobility Makes IT Cringe

Although IT pros are under a lot of pressure to allow users to connect from any device, mobility can pose a number of different challenges. These challenges tend to fall into four main areas.

Security: The first -- and arguably most important -- challenge that you must address is security. The bring your own device (BYOD) trend has led to users attempting to connect to corporate resources from all manner of devices. To put the scope of this challenge into prospective, consider that you must guarantee data security when users connect to corporate resources from untrusted devices over an untrusted network (the Internet).

In order to ensure that network resources remain secure, you must find a way to apply security policies and storage encryption to mobile devices. This is no small challenge when you consider the variety and number of devices that one user might use to connect to the data. Then multiply that by the number of users. Furthermore, there are some types of devices that probably shouldn't be allowed to access the corporate network, so you need a way of keeping these types of devices off of the network.

Manageability: The second major challenge is mobile device manageability. In a way, manageability goes hand-in-hand with security. After all, it's difficult to guarantee security unless you have a way of monitoring who's connecting to your network, and from what type of device. Only then does it become possible to apply security policies to keep the network secure.

Supportability: The third major challenge in BYOD environments is supportability. One of the big problems with allowing end-user access from any device is that the users inevitably expect the help desk to support personal devices. This can lead to a number of frustrating situations, such as help desk staff being asked to provide technical support for mobile OSes about which they know nothing. By extension, users might also assume help desk personnel are able to perform repair work or upgrades on those personal devices.

These types of situations have caused some organizations to abandon BYOD initiatives in favor of a choose your own device (CYOD) program. The essence of CYOD is that rather than asking the help desk to support any and all manner of end-user devices, the organization issues devices to the users, but provides the user with a choice from several different device types that the IT staff is prepared to support.

Compatibility: The fourth major challenge is device compatibility. Every mobile device type runs a different OS, and there's no application format that runs on all mobile devices. Even devices from a common vendor can lack compatibility with one another. Windows 8, Windows RT, and Windows Phone 8 all run different types of applications, even though all three device types run current generation Microsoft OSes.

The problem with the lack of compatibility across device types is that users expect to be able to work seamlessly regardless of device type. Some organizations have addressed this challenge through virtualization. Rather than attempting to run native applications, the devices run a client component that connects the device with a remote app or a remote desktop session.

Other organizations have historically tried to solve the compatibility problem by using Web apps. A Web app that has been built using HTML5 should run on any mobile device so long as it has an HTML5-compatible browser.

Still, other organizations attempt to address compatibility by using apps that exist on several different platforms, such as allowing an app as long as it's available through both the Windows Phone Store and iTunes App Store.

The fourth major security function is remote lock and selective remote wipe capabilities. A remote lock can be issued by the help desk and locks a device that has been misplaced. The help desk can even assign a new lock code to the device as an extra security measure.

The selective remote wipe capabilities allow the help desk to de-provision the device by removing all corporate applications and data, but without removing the user's personal apps or data in the process.

The other mobile device management product is XenMobile Enterprise Edition. It's designed to complement the XenMobile MDM device-level security capabilities by providing application-level security. XenMobile Enterprise Edition offers four primary features.

First, XenMobile Enterprise Edition uses a feature that Citrix calls Worx Mobile to secure access to enterprise messaging data and to Web-based apps. WorxMobile uses a subcomponent called WorxMail to store e-mail messages and attachments in an encrypted and semi-sandboxed area (access to the users contacts and calendar is allowed). Similarly, a component that Citrix calls WorxWeb encrypts Web browsing and access to internal network resources.

A second feature is a mobile enterprise app store. Citrix has taken the time to compile a collection of Windows, Software as a Service (SaaS), and native mobile apps that have been verified to be secure.

The third major feature is application-level security policies. Being able to apply security policies to mobile devices is nothing new, but Citrix supports creating different policy sets for different apps. An organization might allow users to secure their mobile devices using a PIN unless users want to run one specific app, in which case true password protection will be required. In essence, security policies can be matched to the sensitivity of individual applications.

The fourth XenMobile Enterprise Edition feature is integration with Citrix ShareFile, which allows users to securely access data within virtual apps or from virtual desktops, or through native mobile apps. ShareFile also allows data to be securely stored within a device.

The VMware Work-in-Progress Mobility Strategy
For the time being, the mobile device management offerings from VMware are somewhat modest in scope. The VMware solution is based around desktop virtualization. This approach requires you to host virtual desktops on vSphere and to make them available to clients through VMware Horizon View.

VMware collectively refers to its mobility strategy as the Mobile Secure Workplace solution. This solution is based on the concept of moving desktops and applications to the cloud and then delivering them as a managed service. This allows user accounts to be tied to virtual desktops rather than to physical devices, thereby allowing users to work from a variety of devices.

Although VMware Horizon View doesn't offer the robust mobile device management capabilities found in products from Citrix and other competitors, VMware is looking to expand its mobility offerings. Earlier this year, VMware announced that it has agreed to purchase AirWatch for a cool $1.54 billion dollars. AirWatch is a mobile device management company that directly competes with Citrix and with smaller vendors such as MobileIron.

Microsoft Catches Up on Mobility
Microsoft has been involved in the mobile device management business since long before the concept of consumerization of IT really took hold. Microsoft initially offered mobile device management capabilities through Exchange Server. Exchange Server has long offered ActiveSync mailbox policies, which allow administrators to enforce security on any mobile device that's used for mobile messaging. ActiveSync mailbox policies can be used to enforce passwords, disable device hardware (such as a Bluetooth radio or camera), and to perform a number of other mobile security functions.

Although Exchange Server continues to offer mobile device management capabilities (including the ability to perform remote wipes against mobile devices), Microsoft seems to have come to the realization that end users use mobile devices for much more than just mobile messaging. As such, Microsoft has introduced other products and features that are specifically geared toward mobile device management.

Microsoft currently uses a two-pronged approach for mobile device management (not counting the capabilities that are built into Exchange Server). The company's primary product for managing mobile devices is Windows Intune. The other is a Windows Server 2012 R2 feature called Workplace Join.

Windows Intune provides cloud-based management capabilities for mobile devices. This subscription service is designed to provide device security and application deployment capabilities for a variety of mobile device platforms.

Windows Intune application deployment capabilities are somewhat unique. In any BYOD environment, users are likely to be using a wide variety of device types. That being the case, there's no such thing as an app that will run on every conceivable device. Windows Intune solves this problem by offering two different app deployment methods.

The first of these methods involves providing an external link to an app within the appropriate app store. You might provide a Windows Phone user with a link to an app within the Windows Phone Store. Similarly, you might provide an iPhone user with a link to the Apple version of the same app within the iTunes App Store.

The second method of delivery involves side loading an app to a managed device. This method allows you to deploy custom code without having to acquire the app through an app store.

When it comes to providing mobile device security, Windows Intune can work in conjunction with Exchange ActiveSync Mailbox Policies or it can provide direct management capabilities. When Windows InTune is combined with Exchange ActiveSync mailbox policies, Windows RT, Windows Phone 8 and iOS devices are automatically discovered.

Regardless of whether Exchange ActiveSync Mailbox Policies are being used, Windows Intune provides a single pane of glass for PC and mobile device management, with a user-centric device inventory view.

In addition to being able to use policies to enforce mobile device security, it's possible to establish a set of security rules that apply to specific device types. For example, you might provide access to certain network resources only to users who are using Windows devices.

Workplace Join is the other mobile device management approach from Redmond. For more than a decade, PCs on Windows networks have been joined to Active Directory. Doing so gave the device access to authorized resources and allowed the device to be managed through Group Policy settings. The problem was that only Windows PCs could be joined to Active Directory. With the exception of Windows Mobile 6.x, there was no way to join mobile devices to Active Directory.

Even if it had been possible to domain join mobile devices, doing so might not necessarily have been desirable. In BYOD environments, end users want to maintain control of their own personal devices. Joining a device to Active Directory would have theoretically put the device under the organization's control, thereby limiting what the device's owner was able to do with it.

The Windows Workplace Join feature is based on Active Directory Federation Services (AD FS), and provides a way for mobile devices to participate in Windows domain networks, but without the end user relinquishing all control over his devices.

Users are able to register their own devices with Active Directory by using an app that's found in the app store. Upon completing the registration process, an Active Directory object is created for the device and a certificate is installed to the device. This certificate provides device identity and facilitates encryption.

Workplace Join makes it possible for you to differentiate between mobile devices and fully domain-joined PCs. As such, access to network resources can be provided in an appropriate manner. For instance, there are probably some resources that are suitable for BYOD access, while other resources might only be suitable for access from highly secure, domain-joined PCs.

One nice thing about the Workplace Join feature is that users can de-provision personal devices whenever necessary, through a self-service interface. Doing so causes the certificate and any corporate applications or data to be wiped from the device while leaving personal apps and data untouched.

In addition to Windows Intune and the Workplace Join feature in Windows Server 2012 R2, Microsoft continues to offer Remote Desktop Services, which allows mobile users to access remotely hosted applications or even full-blown virtual desktops on their mobile devices.

Wrapping Up
The BYOD trend poses a considerable set of challenges. You must give users the tools they need to work while on the go, but must also ensure network resources remain secure. Fortunately, the momentum of the IT consumerization trend has led major software vendors to develop solutions to the challenges of supporting BYOD environments.

Featured

Most   Popular

Subscribe on YouTube