This article was originally written as a guest blog post for Intense School IT educational services. When I started out in the IT business just short of 15 years ago, mobile phones were a big deal, a privilege to have and use, and if you were allowed to use it privately, that basically meant you were the man! Nowadays it’s all about mobility: smart phones, tablets, netbooks and notebooks, and the list goes on. Internet access is cheap, wireless, and everywhere. For most people today it’s hard to imagine going even one day without their mobile device, whether it’s an iPhone, an Android phone, or some sort of tablet. In this post, I’d like to focus on some of the challenges we as IT admins face when it comes to managing and securing not only these (mobile) devices, but the accompanying corporate applications and data as well.
To give you an idea, according to the Online Publishers Association (OPA), in the U.S. alone 31% of internet users own a tablet (meaning around 80 million!), up from 12% in 2011, with an expected growth of another 16% for 2013. Amazing numbers, and we haven’t even looked at the mobile (smart) phone market, which is even bigger; in fact it’s huge. Of course, it was only a matter of time before consumers began to look for ways to use their newly purchased mobile devices for work-related tasks as well, checking their email on the go, for example; that’s where it all started.
Having said that, with the introduction of all of these new mobile technologies the IT landscape as we know it, or should I say knew it, is changing dramatically. With the rise and growing popularity (and that’s an understatement) of mobile (smart) phones and diverse tablet devices, the whole bring your own device (BYOD) concept has evolved from hype into something we can no longer ignore and must take seriously before it’s too late. Because of this, more and more companies are interested in mobile device management solutions and want to be able to deliver their corporate (mobile) applications to any device without compromising security. It’s a fine line between corporately and privately owned devices, so why not mix and match?
Challenges We Face
This is where it gets complicated. For example, you don’t want to roll out corporately owned devices and let your users install and use all sorts of personal apps, do you? No, you want to keep every device as secure and safe as you possibly can. You don’t want your corporate data to be accidentally exposed on Facebook or Twitter, right? Of course not, but will this keep your users happy? Probably not.
On the other hand, users would gladly bring their own devices into the office and start using their corporate applications, work on their latest reports, and share other enterprise-related data. The same rules apply: From an IT perspective, you would like to prevent these devices from installing and/or using personal applications, to avoid corporate data leakage. Unfortunately, this is easier said than done. First of all, these devices are private, so who are you to restrict them in any way? Secondly, if users were to agree, how would you technically implement such a solution? Both dilemmas could lead you back to the first option: corporately owned, locked-down devices and thus unhappy users. Never mind that they would probably need to carry around two smart phones or tablets, one for business and one for private use.
To complicate matters even more, iOS and Android are leading the pack by far, but what about BlackBerry, Windows (8) Phone, and Symbian? Especially when looking at BYOD solutions, these could come into play as well. Fortunately, technology is also moving forward, and this is where my passion for Citrix technologies comes in. Let me try to explain why Citrix’s XenMobile (Citrix’s flagship product when it comes to mobile management) is just a bit different than all the others.
In an ideal world, we would all just have one device holding both our personal and corporate applications, data included, without us worrying about the two getting mixed up. Well, Dual Persona can help us achieve that. What does it do? It splits our mobile device into two separate spaces (more on the technology involved in a minute), a private space used for all of our personal apps and data and a corporate space for IT to manage, holding all of our work-related applications and enterprise data. These two halves are completely isolated (containerized) from each other, with applications on one half not being able to “talk” with applications on the other, so no data exchange whatsoever can take place. In the event that a device gets lost or stolen it can be remotely locked and wiped. Wipe it completely or just the corporate container part, it’s up to you. Sounds pretty safe, doesn’t it?
Today we have basically two ways of accomplishing this. First, as I already mentioned, all enterprise data and applications get containerized and thus separated from the rest of the device. This is referred to as mobile application management or MAM (see the abbreviations section below). Second, some sort of hypervisor could be used to create a stand-alone virtual machine on the mobile device, separating it from the rest. This has a drawback, though: Using this method, you will need permission from the OS manufacturer (of iOS or Android) to develop a virtual machine based on their bits and bytes, a no-go when it comes to Apple. MAM uses another approach: Applications get “wrapped,” using some sort of SDK tool, which varies by vendor. Wrapped applications all share the same characteristics, although these may vary slightly depending on your mobile solution of choice. For example, Citrix uses a technology called MDX for this, which I’ll address later on. Using this technology (app wrapping), you can manage specific aspects of an application, such as general security, data encryption, password or passkey authentication, or application-specific micro VPNs, at least in the case of Citrix’s XenMobile. All of this is then configurable through an extensive set of policies.
Be aware that this is about as secure as it gets. There is no way to guarantee a 100% secure device, since technology can only go so far, but it certainly does help! Make sure you have your users read and understand your company security policies and have them sign some sort of user agreement before handing out devices or giving them access to your corporate resources.
Before moving on, let’s first have a look at some of the most commonly used abbreviations when referring to mobile management, which can be confusing at times. These are not Citrix-specific per se, but are used in general when referring to mobile device, application and data management:
- MDM = mobile device management
- MAM = mobile application management
- MIM = mobile information management
- EMM = enterprise mobility management
I’ll elaborate a bit more on the above in a minute, but for now here’s the short version. With MDM you monitor, secure, and manage your physical mobile devices; it should include native application distribution capabilities and a broad set of configuration- and data-related policies that you can apply to keep your devices compliant and as secure as possible. MAM focuses on the installed (corporate) applications. It offers a unique technology for separating your personal applications from your corporate applications and data. This is becoming the preferred standard, and rightfully so, as far as I’m concerned. Although this may sound similar to MDM, there’s a big difference; just read on. MIM applies to information management: safely accessing and modifying your corporate data everywhere, on all your devices. And finally, EMM is basically the whole package, combining the first three. Don’t worry, you’re not the only one getting a headache…it’s all very complicated.
Mobile Management Solutions
This is a pretty tough subject to handle but I’ll give it a go anyway. I’ll start with my personal favourite. For those of you not familiar with the Citrix portfolio, Citrix offers a whole range of products primarily focused on desktop and application virtualization, networking, and cloud computing in general. Just have a look at their product page on Citrix.com. Last year they acquired a company called Zenprise, which specializes in mobile application management. A few months later, XenMobile was launched; this is Citrix’s main product for enterprise mobility management.
Since I’m a Citrix hugger, I’d like to talk a bit more about XenMobile and how it can help you solve the challenges mentioned earlier, but first a word on the competition. VMware has its Horizon application suite, in which it offers Horizon Mobile, a comparable mobile management solution for iOS and Android devices. VMware uses the hypervisor/virtual machine approach as part of its dual persona solution for Android devices (for now limited to two phones from Verizon, the LG Intuition and the Motorola RAZR M) and, since Apple won’t allow virtualization of iOS, they use MAM, or app wrapping (both mentioned earlier), as their iPhone solution; but that’s it, no other devices are supported.
BlackBerry offers Secure Work Space for Android and iOS devices as part of the BlackBerry Enterprise Service 10 suite (separate licenses available), which also uses the MAM/app wrapping concept. BlackBerry devices are managed by BlackBerry Balance (their own containerization product), which also separates your private applications from your business apps and data. Besides these three (BlackBerry, Android and iOS), no other types of devices are supported. Although they are a bit late to the party, their product offers some really nice features comparable to XenMobile. Both are fine replacements. We also have Samsung’s KNOX, but it only supports Android devices. Samsung created a dual persona framework built into the mobile Android OS, offering deeper integration. Samsung also has a partnership with Citrix, and as of XenMobile version 8.5, support for the Samsung KNOX container and its security policies is integrated.
Before I continue, I’d like to point out that most of the technologies and features discussed in the upcoming sections are applicable to mobile management in general, giving you a good idea of the possibilities out there. Although some of the features below are specifically developed and patented by Citrix, other vendors do offer similar functionality, with a few exceptions, as we will see shortly.
XenMobile comes in three flavors. The first two editions are, or can be used as, stand-alone products offering different functionality. They can be installed, configured, and bought completely independently of each other. The Enterprise edition combines the first two and adds Citrix ShareFile (also sold as a separate product) to the equation. Below you’ll find an overview of the editions available, including their core features. Next, I’ll discuss each edition separately, without going into too much technical detail, showing you how each edition can help you overcome some of the most common challenges we face with bringing our own devices, as well as using corporately owned devices.
XenMobile MDM Edition
MDM is used to manage your physical mobile devices; all major vendors are supported: Apple’s iOS, Android, Symbian, BlackBerry, and Windows (8) Mobile. Some might be more limited in functionality than others, but at least they’re all there. Once your devices are enrolled and bound to a user, the possibilities are endless. Well, let’s just say that as far as device management goes there isn’t much you can’t do.
MDM is primarily made up of hundreds of configurable policies, letting you control your devices as you see fit. A few examples: Remotely lock or wipe devices if they get lost or stolen. You can allow or disable factory resets, device backups, the camera, microphone, clipboard, and more. You can also set password complexity, encryption, and so on. It’s also possible to configure specific SSL and VPN connections, and to force Wi-Fi configuration parameters, GPRS and firewall settings. It’s all configurable with the same granularity, and it doesn’t end there. Native applications (from the Apple iTunes store or Google Marketplace, for example) and files can also be distributed to your mobile devices, including XML configuration files, scripts, Registry keys and so on. To give you an idea of its look and feel:
XenMobile version 8.5, the latest version, also includes a one-click live chat and support function made possible by the integrated Citrix Worx Home application, which is part of the Worx Mobile Apps suite developed by Citrix, which we will discuss shortly. You can imagine that, by putting all this together, your mobile infrastructure will become manageable and more secure.
XenMobile App Edition
This is where it gets really interesting. This edition introduces the AppController, one of its core components, along with the Citrix Worx Mobile application suite and a new technology called MDX, developed by Citrix. As a side note: It goes without saying that XenMobile, whichever edition you buy, is made up of multiple components, of which some are mandatory and some are optional. For now I’ll just focus on the ones mentioned. Perhaps in one of my future posts I’ll demystify the whole XenMobile product suite one step at the time. Let’s continue.
The AppController is the heart of it all. It provides you with your own corporate app store, from which your users will be able to select (self-service capabilities) the applications they need or want, given the proper permissions, of course. It lets you securely deliver mobile, web and software-as-a-service (SaaS) applications, including HTML5-based applications and integrated ShareFile-based data as part of the Enterprise edition. It also lets you configure single sign-on on a per-application basis. When used in combination with Citrix StoreFront, these two interact perfectly. StoreFront has its own built-in SSO functionality, compatible with AppController. It also offers the ability to launch your “normal” Windows applications and desktops provisioned by Citrix XenApp and/or XenDesktop—sweet! This is how it looks from an architectural point of view:
It includes application requests and automated workflow capabilities, through which users can request applications from a list of available applications. These applications are accompanied by a request button. Submitting such a request triggers an administrator-defined workflow that routes the app request to its designated approvers. These automated workflows take place behind the scenes and are powered, in most cases, by Active Directory to discover all details about the user(s) before creating the final app account. Does it get any better?
MDX is my personal favourite! This is what makes your corporate applications as safe as they’ll ever be! For this to work, your mobile applications need to be made Worx/MDX-enabled (the Worx concept will be discussed shortly); see the section “Making Your Apps Worx/MDX-Enabled” below on how this works. It’s quite simple, actually. MDX enables management, security and control over all mobile, web and software-as-a-service (SaaS) applications, including HTML5-based applications. Using MDX, you can host both business and personal applications together on the same device without them being able to interfere with each other. It also provides IT administrators with the ability to manage business apps completely separately from all personal applications and data. Here are the MDX technologies that make all this possible.
MDX Vault separates all corporate web, SaaS, HTML5-based, and mobile applications, including their data, from the personal applications on the same device by placing them in the MDX vault. This enables IT administrators to manage only the business apps instead of the whole device, providing end users with the freedom they want! All apps in the vault can be secured with encryption, remotely locked, and wiped by IT.
MDX Interapp ensures that all MDX-enabled applications can interact with each other. MDX-enabled apps only open other MDX-enabled apps; for example, a link clicked in Worx Mail automatically opens Worx Web and not Safari. Using MDX Interapp, IT can also create and enforce policies to control communication between applications, such as allowing cut-and-paste between MDX-enabled apps but not to applications that are not protected by MDX.
With MDX Access, IT administrators can configure policy-based access and management control over all web, SaaS, HTML5-based, and mobile applications. It can check the type of device or network you are working on, the device passcode, jailbreak policies, and more. Based on the rules you define, apps will either start or they won’t, providing you with an extra layer of security and keeping your business apps and data as secure as possible. It also offers, and this is a first, an application-specific VPN connection to your internal corporate network, called a micro VPN, used for internal web and SaaS applications. This way a so-called device-wide VPN, opening up access to the whole network, isn’t necessary. Again, increased security! You will need a Citrix NetScaler for this to work. This way, only the web or mobile application has a direct connection into the corporate network.
Worx Mobile Application Suite
As part of the XenMobile App and Enterprise editions, but also available as a separate product, Citrix developed the Worx Mobile Apps suite (Worx/MDX-enabled applications). Worx-enabled applications offer any developer or administrator the ability to add enterprise capabilities such as data encryption, password authentication, or an application-specific micro VPN. They are configured and managed from the AppController. Simply put, Worx-enabled applications can only interact with other Worx-enabled applications (also called MDX Interapp communication) and are kept in a secure container (the MDX Vault, see above) on the mobile device, made possible by Citrix’s MDX technology. This is often referred to as MAM.
Depending on the edition you buy, you get four (App edition) or five (Enterprise edition) Citrix Worx Mobile App (suite) applications to start with. The first is used to enrol your mobile device into XenMobile, simplifying the process; it’s called Worx Enrol (it has no other use). The second one is Worx Home, which is downloaded and installed automatically when your device enrolment has successfully finished. Worx Home, from then on, is used to communicate with XenMobile, replacing Citrix Receiver! Employees use this app to access their unified corporate app store(s) and live support services. XenMobile communicates with Worx Home to deliver MDM- and Worx-enabled applications and their accompanying policies. It also includes a support button with which live support Helpdesk services can be initiated; you can use GoToAssist (one license is included with the Enterprise edition), chat, e-mail or just use your (voice) phone.
The third and fourth Worx apps are Worx Mail and Worx Web—obvious, right? Both are specifically designed for the Android and iOS operating systems. As mentioned, all apps are installed and operate in a secure container on the mobile device and cannot “talk” with other applications. This way, you completely separate and manage your business applications from your personal applications. So when you initiate an internal web or SaaS application, HTML5-based included, it will leverage the Worx Web app instead of your personal Safari or Firefox browser, for example, safe and secure within the vault. By the way, the fifth app is ShareFile, but that only comes with the Enterprise edition.
Note that the June 2013 release of Worx Home, which is still relatively new, only supports Mobile, SaaS, and Web applications for now. It communicates with the AppController. If you want to use your Windows apps and (VDI) desktops as well, which you easily can in combination with Citrix StoreFront, you will also need to install Citrix Receiver on your device; this will leverage the StoreFront app store. Don’t worry, this will all be taken care of in the next release of Worx Home, where Windows apps and desktops will also be supported.
For me, this (Worx/MDX-enabled apps) is where Citrix has the edge over their competitors. It’s not that other vendors don’t offer a similar concept, because they certainly do, but Citrix has taken it one step further and developed their own Citrix Ready Worx program. Next to the Worx mobile apps developed by Citrix, a whole bunch (over 65 already) of other software vendors, including big names such as Adobe, IBM, and Cisco (yes, they do software as well), have shown their support for the Worx program and committed to joining the community by making their mobile applications Worx-enabled, giving their apps the exact same capabilities as the Citrix Worx Mobile Apps suite mentioned earlier.
Soon customers will be able to download a broad array of fully secure and enterprise-ready, Worx-enabled mobile apps from the new Citrix Worx App Gallery. Over 65 leading mobile app vendors have already announced their support for the Citrix Ready Worx-verified program, and new ones are added daily. Have a look here for an overview of participating vendors. (Soon to be released.)
Making Your apps Worx/MDX-Enabled
So how do mobile apps get Worx-enabled? Citrix developed the Worx App SDK, a simple SDK that can Worx/MDX-enable any mobile app out there; it takes just a single line of code. Developers that participate in the Citrix Ready Worx program use this SDK to Worx-enable their applications before releasing them, simplifying life!
XenMobile Enterprise Edition
This one sounds big and expensive, and it is as far as licenses go, but that’s where it ends, to be honest. It combines both the MDM and App editions into one product and adds ShareFile functionality. Remember that the MDM and App editions are separate products offering different functionality (see the product matrix earlier). They can be combined, but you’re probably better off buying Enterprise licenses instead.
With ShareFile we have our MIM solution: secure follow-me data on all your (mobile) devices, which is not something every vendor can offer you. Users again have the advantage of SSO through AppController, as discussed earlier, which, if ShareFile is integrated, also gives them direct access to their data, including the ability to securely edit and save it. It also includes a full suite of secure mobile tools supporting all popular phones and tablets out there. Your corporate data can be stored securely in the Citrix cloud (Amazon Web Services) or on premises in your own data center using StorageZones (CIFS shares) or StorageZone Connectors (SMB shares), keeping it close to your users. ShareFile has a central management system for maintaining user account information and brokering services. Unlike the data itself, this management layer is always securely stored in Citrix-managed data centers rather than in your chosen cloud or on-premises storage; this is not a choice.
I realize this is a lot of information, but it’s important to understand the possibilities and possible pitfalls when it comes to picking your mobile management solution; it can save you a lot of time and money in the end. Once you have your MDM infrastructure up and running the right way, it almost takes care of itself. Well…sort of. Unfortunately, there’s no one-size-fits-all model, so to wrap things up, I’d like to end with some general recommendations regarding MDM, perhaps helping you decide which route to follow, because as all self-respecting consultants will tell you…it all depends. Although I focused on Citrix’s XenMobile for the majority of this article (as far as ‘the solution’ goes, anyway), it needs to be said that almost all major vendors offer a similar solution in one way or another. They all offer some sort of containerization mechanism to separate business from private applications and data; security features like remote device locking, wiping, and blacklisting and whitelisting of apps and URLs; and a broad set of policies, hundreds in most cases, to enforce compliance and keep your devices as secure as possible. These are part of most packages.
Don’t put all your eggs in one basket, though. Look at different vendors! Just because company X recommends product Y doesn’t mean it’s right for you. Contact different vendors/consultants and let them explain why you should use their product. What makes it stand out from the rest? Make sure they supply you with demo material, see how it works, perhaps play around with it yourself and ‘feel’ the product. If you’re not into the technology yourself, ask one of your IT admins to sit in as well; he or she will know what to look for.
Prepare yourself the best you can, and take as much time as necessary to understand your exact needs. Don’t just look at the benefits — be sure to identify and understand any risks that might come with the introduction of MDM and exposing your corporate apps and data on mobile devices, especially when BYOD comes into play. Consult with your IT department, assuming you’re not one of them; they may have specific needs or demands as well. There are always at least one or two admins who have already spent some time investigating the matter, making life easier. They’ll probably be the ones who need to manage the chosen MDM solution anyway.
Well, that’s about it for now. There’s so much more left to discuss, but I hope this gives you a general idea of what is possible regarding mobile device management, especially when using Citrix’s XenMobile. Again, some of the other products out there offer similar functionality and features; I just feel that Citrix has the more mature and complete solution, that’s all.