In-Depth
Virtual Mobility Is the Question: How Do VMware, Microsoft and Citrix Answer?
Users are demanding access to increasingly larger sets of sensitive corporate resources on any device from anywhere, any time. Your challenge is to make it look easy. Citrix, VMware and Microsoft have been developing strategies that can help you meet that challenge head on.
The basic premise of consumerization of IT is that end users are no longer content to work from desktop PCs in the office. They want access to corporate resources from any device, no matter where they're working from, anywhere in the world.
End-user demands have long been a source of frustration for IT pros, but the requirement for ubiquitous access from any device poses a special set of challenges. While it might be tempting to ignore the mobile device usage trend, you can't ignore some studies that show users who work from mobile devices tend to be more productive because they're able to take advantage of idle time, such as time spent commuting.
Mobile Device Management in the Enterprise
Administrators who are tasked with facilitating bring your own device (BYOD) or choose your own device (CYOD), while also ensuring adherence to established security and compliance requirements, have a number of different choices for mobile device management. Vendors such as Citrix Systems Inc., VMware Inc., and Microsoft all offer their own mobile device management products, and each vendor takes a somewhat different approach. I'll explore each vendor's offerings (current as of this writing).
How Citrix Is Tackling Mobility
The Citrix mobile device management solution is based around XenMobile. XenMobile is designed to complement the functionality provided by XenApp and XenDesktop. In doing so, XenMobile addresses two main challenges. First, XenMobile is designed to ensure mobile device security. Second, the software addresses the challenge of application portability.
Citrix addresses these two challenges separately through two different products, both of which are designed to be used in conjunction with XenApp and XenDesktop.
The first of these products is XenMobile MDM, which is designed to provide device-level security.
XenMobile MDM provides four basic capabilities. First, it allows you to set policies that can be used to enforce password security on the device's lock screen.
Second, it allows you to set policies controlling the types of devices that can access resources on the corporate network. For example, you might wish to block devices that are running specific applications or devices that have been jailbroken.
The third capability provides data protection for data stored on the device and for data that is being transmitted to or from the device. This capability is facilitated through the use of a digital certificate that's deployed to the device as a part of the initial provisioning process.
The fourth major security function is remote lock and selective remote wipe capabilities. A remote lock can be issued by the help desk and locks a device that has been misplaced. The help desk can even assign a new lock code to the device as an extra security measure.
The selective remote wipe capabilities allow the help desk to de-provision the device by removing all corporate applications and data, but without removing the user's personal apps or data in the process.
The other mobile device management product is XenMobile Enterprise Edition. It's designed to complement the XenMobile MDM device-level security capabilities by providing application-level security. XenMobile Enterprise Edition offers four primary features.
First, XenMobile Enterprise Edition uses a feature that Citrix calls WorxMobile to secure access to enterprise messaging data and to Web-based apps. WorxMobile uses a subcomponent called WorxMail to store e-mail messages and attachments in an encrypted and semi-sandboxed area (access to the user's contacts and calendar is allowed). Similarly, a component that Citrix calls WorxWeb encrypts Web browsing and access to internal network resources.
A second feature is a mobile enterprise app store. Citrix has taken the time to compile a collection of Windows, Software as a Service (SaaS), and native mobile apps that have been verified to be secure.
The third major feature is application-level security policies. Being able to apply security policies to mobile devices is nothing new, but Citrix supports creating different policy sets for different apps. An organization might allow users to secure their mobile devices using a PIN unless users want to run one specific app, in which case true password protection will be required. In essence, security policies can be matched to the sensitivity of individual applications.
The fourth XenMobile Enterprise Edition feature is integration with Citrix ShareFile, which allows users to securely access data within virtual apps or from virtual desktops, or through native mobile apps. ShareFile also allows data to be securely stored within a device.
The VMware Work-in-Progress Mobility Strategy
For the time being, the mobile device management offerings from VMware are somewhat modest in scope. The VMware solution is based around desktop virtualization. This approach requires you to host virtual desktops on vSphere and to make them available to clients through VMware Horizon View.
VMware collectively refers to its mobility strategy as the Mobile Secure Workplace solution. This solution is based on the concept of moving desktops and applications to the cloud and then delivering them as a managed service. This allows user accounts to be tied to virtual desktops rather than to physical devices, thereby allowing users to work from a variety of devices.
Although VMware Horizon View doesn't offer the robust mobile device management capabilities found in products from Citrix and other competitors, VMware is looking to expand its mobility offerings. Earlier this year, VMware announced that it has agreed to purchase AirWatch for a cool $1.54 billion. AirWatch is a mobile device management company that directly competes with Citrix and with smaller vendors such as MobileIron.
Microsoft Catches Up on Mobility
Microsoft has been involved in the mobile device management business since long before the concept of consumerization of IT really took hold. Microsoft initially offered mobile device management capabilities through Exchange Server. Exchange Server has long offered ActiveSync mailbox policies, which allow administrators to enforce security on any mobile device that's used for mobile messaging. ActiveSync mailbox policies can be used to enforce passwords, disable device hardware (such as a Bluetooth radio or camera), and to perform a number of other mobile security functions.
Although Exchange Server continues to offer mobile device management capabilities (including the ability to perform remote wipes against mobile devices), Microsoft seems to have come to the realization that end users use mobile devices for much more than just mobile messaging. As such, Microsoft has introduced other products and features that are specifically geared toward mobile device management.
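The ActiveSync mailbox policy controls described above (password enforcement, disabling hardware such as Bluetooth and the camera, and remote wipe), shown as an added Exchange Management Shell example that is not part of the original article. It assumes Exchange Server 2010 cmdlet names (Exchange 2013 renamed them to New-MobileDeviceMailboxPolicy and Clear-MobileDevice); the policy name, mailbox and device ID are constructed placeholders.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell.
# Exchange 2013 renamed these cmdlets: New-MobileDeviceMailboxPolicy,
# Get-MobileDevice, Clear-MobileDevice. Names below are constructed placeholders.

$PolicyName = 'Corp-Mobile-Baseline'
$Mailbox    = 'jdoe@contoso.example'          # placeholder mailbox

# Splatting keeps one setting per line; the policy is enforced by the device's
# ActiveSync client when it syncs, so a device that refuses it is blocked below.
$policy = @{
    Name                               = $PolicyName
    DevicePasswordEnabled              = $true        # lock-screen password required
    AlphanumericDevicePasswordRequired = $true        # a numeric-only PIN is not enough
    AllowSimpleDevicePassword          = $false       # reject 1234, 1111 and similar
    MinDevicePasswordLength            = 8
    MaxDevicePasswordFailedAttempts    = 10           # device wipes itself after 10 failures
    MaxInactivityTimeDeviceLock        = '00:05:00'   # auto-lock after 5 idle minutes
    RequireDeviceEncryption            = $true        # protect data at rest on the device
    AllowBluetooth                     = 'Disable'    # disable device hardware (Disable/HandsfreeOnly/Allow)
    AllowCamera                        = $false
    AllowNonProvisionableDevices       = $false       # block clients that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to a mailbox (use Get-Mailbox | Set-CASMailbox to do it in bulk).
Set-CASMailbox -Identity $Mailbox -ActiveSyncMailboxPolicy $PolicyName

# Inventory: which devices sync with this mailbox, and did they accept the policy?
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceFriendlyName, DeviceType, LastSuccessSync,
                  DeviceAccessState, DeviceAccessStateReason

# Remote wipe of a misplaced device, selected by its DeviceId (placeholder value).
# The wipe is queued and executed the next time that device tries to sync.
$lost = Get-ActiveSyncDevice -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq 'PLACEHOLDER-DEVICE-ID' }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses $Mailbox -Confirm:$false
}
```

Note that a full ActiveSync wipe resets the whole device, unlike the selective corporate-data wipe the Citrix section describes, so confirm ownership with the user before issuing it.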
Microsoft currently uses a two-pronged approach for mobile device management (not counting the capabilities that are built into Exchange Server). The company's primary product for managing mobile devices is Windows Intune. The other is a Windows Server 2012 R2 feature called Workplace Join.
Windows Intune provides cloud-based management capabilities for mobile devices. This subscription service is designed to provide device security and application deployment capabilities for a variety of mobile device platforms.
Windows Intune application deployment capabilities are somewhat unusual. In any BYOD environment, users are likely to be using a wide variety of device types. That being the case, there's no such thing as an app that will run on every conceivable device. Windows Intune solves this problem by offering two different app deployment methods.
The first of these methods involves providing an external link to an app within the appropriate app store. You might provide a Windows Phone user with a link to an app within the Windows Phone Store. Similarly, you might provide an iPhone user with a link to the Apple version of the same app within the iTunes App Store.
The second method of delivery involves sideloading an app to a managed device. This method allows you to deploy custom code without having to acquire the app through an app store.
When it comes to providing mobile device security, Windows Intune can work in conjunction with Exchange ActiveSync mailbox policies or it can provide direct management capabilities. When Windows Intune is combined with Exchange ActiveSync mailbox policies, Windows RT, Windows Phone 8 and iOS devices are automatically discovered.
Regardless of whether Exchange ActiveSync mailbox policies are being used, Windows Intune provides a single pane of glass for PC and mobile device management, with a user-centric device inventory view.
In addition to being able to use policies to enforce mobile device security, it's possible to establish a set of security rules that apply to specific device types. For example, you might provide access to certain network resources only to users who are using Windows devices.
Workplace Join is the other mobile device management approach from Redmond. For more than a decade, PCs on Windows networks have been joined to Active Directory. Doing so gave the device access to authorized resources and allowed the device to be managed through Group Policy settings. The problem was that only Windows PCs could be joined to Active Directory. With the exception of Windows Mobile 6.x, there was no way to join mobile devices to Active Directory.
Even if it had been possible to domain join mobile devices, doing so might not necessarily have been desirable. In BYOD environments, end users want to maintain control of their own personal devices. Joining a device to Active Directory would have theoretically put the device under the organization's control, thereby limiting what the device's owner was able to do with it.
The Windows Workplace Join feature is based on Active Directory Federation Services (AD FS), and provides a way for mobile devices to participate in Windows domain networks without the end user relinquishing all control over their devices.
Users are able to register their own devices with Active Directory by using an app that's found in the app store. Upon completing the registration process, an Active Directory object is created for the device and a certificate is installed on the device. This certificate provides device identity and facilitates encryption.
Workplace Join makes it possible for you to differentiate between mobile devices and fully domain-joined PCs. As such, access to network resources can be provided in an appropriate manner. For instance, there are probably some resources that are suitable for BYOD access, while other resources might only be suitable for access from highly secure, domain-joined PCs.
One nice thing about the Workplace Join feature is that users can de-provision personal devices whenever necessary, through a self-service interface. Doing so causes the certificate and any corporate applications or data to be wiped from the device while leaving personal apps and data untouched.
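The Workplace Join setup described above, and the distinction between workplace-joined devices and other devices that it enables, as an added Windows Server 2012 R2 example that is not part of the original article. It assumes an AD FS 3.0 farm is already installed; the service account, relying party name and claim types are assumptions, with the device-context claim types being the ones AD FS issues for registered devices.

```powershell
# Added example, not from the article. Run elevated on an AD FS 3.0 server
# (Windows Server 2012 R2). Account and relying party names are placeholders.

# 1. Enable the Device Registration Service that the Workplace Join app talks to.
#    Registration creates the device object in AD and issues the device certificate.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc-adfs$'   # placeholder gMSA
Enable-AdfsDeviceRegistration

# 2. Let AD FS authenticate the device certificate alongside the user's credentials,
#    so device-context claims are available to authorization rules.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. Restrict one sensitive application to registered devices only.
#    Claim types below are the device-context claims AD FS issues after step 2.
#    No permit claim means AD FS denies access, so unregistered devices are refused.
$rules = @'
@RuleName = "Permit workplace-joined devices only"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser",
   Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
          Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Finance Portal' -IssuanceAuthorizationRules $rules

# 4. Verify the registration service is running before asking users to join.
Get-AdfsDeviceRegistration | Select-Object DeviceObjectLocation, MaximumRegistrationInactivityPeriod
```

Resources meant only for fully domain-joined PCs can use a stricter rule keyed on the Windows group membership of the computer account rather than on the registered-user device claim.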
In addition to Windows Intune and the Workplace Join feature in Windows Server 2012 R2, Microsoft continues to offer Remote Desktop Services, which allows mobile users to access remotely hosted applications or even full-blown virtual desktops on their mobile devices.
Wrapping Up
The BYOD trend poses a considerable set of challenges. You must give users the tools they need to work while on the go, but must also ensure network resources remain secure. Fortunately, the momentum of the IT consumerization trend has led major software vendors to develop solutions to the challenges of supporting BYOD environments.