A simple solution for administering phones and tablets + an invitation to tests
This morning we launched the first in Russia platform for administering mobile devices from the cloud to pilot production.
You can pick up employee devices there and get the following features:
Smartphone Restriction Settings Screen
')
Below, I will tell you in detail about all this, as well as how to implement normal security in your company in two days. And if you're interested, you can get free access to the platform until January 1, 2014 as part of commercial development.
The last three years, probably, the topic of administering mobile devices of employees (smartphones and tablets with different operating systems) is one of the most frequently discussed both at security conferences and among system administrators. Each time at such conferences it is said about “safety and convenience of the user”, but we will be honest - the convenience lies only in the fact that they don’t take away the phone at the entrance to the company and can configure mail and VPN without it. The main profits are that a lot of work is removed from the IT department and security personnel.
The MDM system was deployed on the company's servers or integrator servers. Usually, implementation alone for a company with more than 1000 employees cost from several million rubles and took from a month. There are examples of one and a half year implementation projects. Our MDM solution allows you to connect and turn around in a day (the longest part is signing a contract) and work right here and now.
Login page
Several agents are put on its device (depending on the OS), each with its own functionality. After that, the device can roll corporate applications, for example, an electronic document management system - and this is just a great plus to convenience. The MDM platform (Mobile Device Management) itself is simply an administration tool, but a tool that provides adequate security so that critical data can be stored on the user's device. And convenience, not to do it for each device by hand.
A screenshot of the settings, you can see some of the features on the tabs.
Decreases the flow of running around the settings. Now the scheme looks like this:
Once again: you received a number, registered it and indicated a group. Everything, the system works further. You do not even need to see the device or the employee himself.
The headache stops with the possibility of the removal of data and mail leaks. It is clear that who needs to be carried away will somehow find a way, but the leaks due to human stupidity will stop for sure. Plus, you can not worry about lost or stolen devices - you can simply wipe them remotely.
You connect to the platform on the page mdm.beeline.ru as an administrator. Then you start groups, for example, for different departments (you can work at the level of individual devices, but it is more convenient in groups). For each group you register your settings and triggers for events. Then simply enter the device by phone numbers and assign a group. Moreover, one device can be in different groups.
Simply reassign groups to it, the platform does the rest.
Any device with or without any SIM. That is, any personal and corporate phones and tablets.
All major mobile OSes are supported: Android above 2.3, iOS 5 and above, as well as Windows Phone (7+), and even integration with BlackBerry is possible, but through their BES server. Plus, there is a separate part of the system that supports devices for Symbian (we have deployed for compatibility with old Nokia devices, although in the US it is not nearly used, we still have a high share). It is important to understand that the control capabilities and settings of devices on Android depend not only on the version of the OS itself, but also on the vendor of a particular device. For example, the latest generation of Samsung has the largest number of features from Android devices. The usual distribution of functionality: 2.3 - passwords, Exchange, communications, wipe, geolocation. Camera control, VPN, device encryption is added to 3+. In 4+, the map management, its encryption, USB management, GPS module management, settings management (prohibiting changes and so on) appear.
In addition, we will constantly update the capabilities of our MDM platform. This migration will not affect end users.
It's simple - only 200 rubles per device per month with daily charging. The fee is taken only for activated devices, that is, if you send a mobile device to the Urals, and activate it in the system only after six months, the payment will go from the moment of its activation.
Now there is an opportunity, you can get free access to the MDM platform until January 2014 as part of testing - at the very end of the topic it is written where to write for this.
Configuration backups are stored on our platform servers in the cloud. Mail and other data that may be relevant to the concept of "commercial secret" is not stored on the intermediate servers. Roughly speaking, we provide transport for management, but do not store your data.
In addition to basic tools like SSL, your mail is not. All data is transferred as you send it. There is no additional encryption service: this is done so that you do not have to obtain the appropriate permissions from supervisory authorities. At the same time, 95% of questions in practice are closed by properly configuring the VPN.
Not. Maximum - he can see the counting of mail traffic, but the messages themselves will not get into any agent applications or into the system. The solution does not touch the personal data on the device.
Theoretically, yes, there are such solutions for placement in their data centers, they are offered by various integrators. As I wrote above, in practice it turns out quite expensive at the implementation stage and for a long time. This is clearly not suitable for small and medium businesses. Our solution is very convenient even for companies of 35 employees with 30 smartphones and 20 tablets.
About two minutes.
Applications can be seen on the device as normal mobile applications. When installing you need a couple of times to agree with all the conditions. He needs a channel on the Internet to get control commands. In practice, the user on average once a month clicks “OK” on the changes that have occurred.
From a single interface (separate for Symbian only), you can configure device settings, restrictions, corporate application market, event triggers, etc. The web interface works, by the way, on popular mobile browsers on tablets.
It all depends on the task. For example, an IB specialist can see the log of the time and duration of calls (but not hear them themselves), the log of SMS sending time (but not the messages themselves), system events, trigger responses, geolocation data (if enabled), search for corporate content.
Voice data is not affected by the MDM application in any way, as well as personal mail. But do not forget that at the same time you can see the call details by time and numbers, the time of sending SMS / MMS and if the geo-location preservation function is enabled (according to the requirements of your company's security department) - this data can be compared.
To implement - to know what the "cloud" or SaaS. For support - read the instructions 1-2 times. To install on your phone - to be able to press "OK".
The fee is charged on devices activated on the platform for the month. That is, if you know how many pipes and tablets you have in control, then you can plan costs with an accuracy of a ruble.
Yes. You can configure the triggers that make certain sequences of commands. In particular, various threats to corporate data are collected in triggers. Here is an example of setting up an event:
Here is an example of setting up a reaction to it:
Yes, every single device belongs to a group and can be managed. Here, for example, is the data cleaning screen for one of the devices:
This is one of the frequent questions of journalists. I will explain that the platform does not allow to receive RDP or analogs for remote workplaces. The platform allows you to administer the device, provides security policies and many other functions. With MDM, you can install any applications, including solutions for RDP access to your workstation or virtual machine. These applications can be registered on the platform as corporate, and the user will receive them along with a package of settings.
1) First you need to understand why you need MDM. To evaluate this, you need:
2) Subscribe to the beta test below, find three or four devices, figure out what can be done and what is not. And how specifically your tasks are solved in practice.
3) Then you need to stock up on the fingers that it will give to explain to the rest of the departments. The security men will throw their own to you, if necessary. Usually they convincingly give an example of the last incident with the loss of important data.
4) Then the most important thing is to go through the financial department. They will be happy to know that the costs are not capital (a lot of money right away - and only then it will work), but operating costs (after use).
5) After that, it is necessary to gather the leaders of the IT-department, information security, financial department and those involved in mobile workers (possibly personnel), if any, and tell about the possible implementation. Most likely, everyone will have their own wishes. By the way, AXO will also be interested - with MDM it is very easy to make an inventory of both software and hardware.
6) As a result, you will need to collect:
7) Sign an additional agreement (you need a new document if you are not working with us or a simple additional agreement to a corporate contract of communication, if you are already our corporate client). A new contract can be taken at any sales office or ordered by phone + 7-499-277-77-77 .
8) After that, you can get users on the platform, you can, together with personnel officers. It is better not to connect all at once, but by department. On one department (better - on its own) it is worthwhile to run in the procedure until widespread implementation.
9) The first settings traditionally do:
Then there are all sorts of local features like “turn off the camera at the entrance to the production area” and so on.
Usually, the task goes down to the IT department either from the management or through the IS. If there is no such request, but you just got tired of working manually with a very large fleet of mobile devices, then our platform is also for you. In such a situation, it is necessary to calculate the possible profits from the implementation for all (see above) and run.
You can “cleanly” delete all data from the platform. In addition, each user can remove certificates himself and uninstall MDM applications from the device. When the platform is disabled without additional actions, the certificate is revoked.
Write a request for services@beeline.ru mail with the heading "Application for MDM test from Habr." Please note that the service is available only for individual entrepreneurs or legal entities, therefore, the letter must include the full company name, company TIN, full name and administrator's email to receive the password, plus the mobile phone administrator for communication.
In response, I really ask you to tell about all the features you need and send bug reports if something strange comes to your eyes.
You can pick up employee devices there and get the following features:
- Send security certificates , including data for corporate email, Wi-Fi, VPN, and other settings.
- Create a container for corporate data and, if necessary, clean it.
- Assign security policies like turning off the camera, tracking the device, and so on.
- Assign triggers to various events , for example, wipe corporate data when trying to jailbreak.
Smartphone Restriction Settings Screen
')
Below, I will tell you in detail about all this, as well as how to implement normal security in your company in two days. And if you're interested, you can get free access to the platform until January 1, 2014 as part of commercial development.
Why is all this necessary?
The last three years, probably, the topic of administering mobile devices of employees (smartphones and tablets with different operating systems) is one of the most frequently discussed both at security conferences and among system administrators. Each time at such conferences it is said about “safety and convenience of the user”, but we will be honest - the convenience lies only in the fact that they don’t take away the phone at the entrance to the company and can configure mail and VPN without it. The main profits are that a lot of work is removed from the IT department and security personnel.
How was this done before the cloud solution?
The MDM system was deployed on the company's servers or integrator servers. Usually, implementation alone for a company with more than 1000 employees cost from several million rubles and took from a month. There are examples of one and a half year implementation projects. Our MDM solution allows you to connect and turn around in a day (the longest part is signing a contract) and work right here and now.
Login page
What does the user get?
Several agents are put on its device (depending on the OS), each with its own functionality. After that, the device can roll corporate applications, for example, an electronic document management system - and this is just a great plus to convenience. The MDM platform (Mobile Device Management) itself is simply an administration tool, but a tool that provides adequate security so that critical data can be stored on the user's device. And convenience, not to do it for each device by hand.
A screenshot of the settings, you can see some of the features on the tabs.
What does the IT department get?
Decreases the flow of running around the settings. Now the scheme looks like this:
- The employee sends you his phone number (and mail, if we are talking about an iPad that cannot read SMS),
- You hook this number into the MDM platform and assign a group (for example, roll up the settings like all call center employees),
- The system itself sends an SMS to the user with a link to the application agent application,
- The user downloads it, clicks OK a couple of times on what he is prescribed in the rights and receives all the settings.
Once again: you received a number, registered it and indicated a group. Everything, the system works further. You do not even need to see the device or the employee himself.
What is important for IB?
The headache stops with the possibility of the removal of data and mail leaks. It is clear that who needs to be carried away will somehow find a way, but the leaks due to human stupidity will stop for sure. Plus, you can not worry about lost or stolen devices - you can simply wipe them remotely.
What is usually set up first?
- A block of typical Wi-Fi settings, corporate VPN settings, and so on.
- Access to corporate mail.
- If the company uses corporate applications, then access to them.
- Backup to the platform in case of loss of the device, so that you can raise the profile in a matter of minutes back to the new device.
- Vipe corporate data on dismissal, attempted jailbreak, etc.
What does system setup look like?
You connect to the platform on the page mdm.beeline.ru as an administrator. Then you start groups, for example, for different departments (you can work at the level of individual devices, but it is more convenient in groups). For each group you register your settings and triggers for events. Then simply enter the device by phone numbers and assign a group. Moreover, one device can be in different groups.
What if an employee moves from department to department?
Simply reassign groups to it, the platform does the rest.
What device can I connect?
Any device with or without any SIM. That is, any personal and corporate phones and tablets.
What are supported by the OS?
All major mobile OSes are supported: Android above 2.3, iOS 5 and above, as well as Windows Phone (7+), and even integration with BlackBerry is possible, but through their BES server. Plus, there is a separate part of the system that supports devices for Symbian (we have deployed for compatibility with old Nokia devices, although in the US it is not nearly used, we still have a high share). It is important to understand that the control capabilities and settings of devices on Android depend not only on the version of the OS itself, but also on the vendor of a particular device. For example, the latest generation of Samsung has the largest number of features from Android devices. The usual distribution of functionality: 2.3 - passwords, Exchange, communications, wipe, geolocation. Camera control, VPN, device encryption is added to 3+. In 4+, the map management, its encryption, USB management, GPS module management, settings management (prohibiting changes and so on) appear.
In addition, we will constantly update the capabilities of our MDM platform. This migration will not affect end users.
How much is?
It's simple - only 200 rubles per device per month with daily charging. The fee is taken only for activated devices, that is, if you send a mobile device to the Urals, and activate it in the system only after six months, the payment will go from the moment of its activation.
Now there is an opportunity, you can get free access to the MDM platform until January 2014 as part of testing - at the very end of the topic it is written where to write for this.
Where are corporate data stored?
Configuration backups are stored on our platform servers in the cloud. Mail and other data that may be relevant to the concept of "commercial secret" is not stored on the intermediate servers. Roughly speaking, we provide transport for management, but do not store your data.
Is there data encryption?
In addition to basic tools like SSL, your mail is not. All data is transferred as you send it. There is no additional encryption service: this is done so that you do not have to obtain the appropriate permissions from supervisory authorities. At the same time, 95% of questions in practice are closed by properly configuring the VPN.
Can an administrator access personal email on a smartphone?
Not. Maximum - he can see the counting of mail traffic, but the messages themselves will not get into any agent applications or into the system. The solution does not touch the personal data on the device.
Is it possible to deploy all the server at home?
Theoretically, yes, there are such solutions for placement in their data centers, they are offered by various integrators. As I wrote above, in practice it turns out quite expensive at the implementation stage and for a long time. This is clearly not suitable for small and medium businesses. Our solution is very convenient even for companies of 35 employees with 30 smartphones and 20 tablets.
How quickly does a new device connect?
About two minutes.
Does the employee know about MDM applications, sees traces of its activity?
Applications can be seen on the device as normal mobile applications. When installing you need a couple of times to agree with all the conditions. He needs a channel on the Internet to get control commands. In practice, the user on average once a month clicks “OK” on the changes that have occurred.
How to admin manage devices?
From a single interface (separate for Symbian only), you can configure device settings, restrictions, corporate application market, event triggers, etc. The web interface works, by the way, on popular mobile browsers on tablets.
What does the IB see?
It all depends on the task. For example, an IB specialist can see the log of the time and duration of calls (but not hear them themselves), the log of SMS sending time (but not the messages themselves), system events, trigger responses, geolocation data (if enabled), search for corporate content.
“Do they not listen to my personal conversations?”
Voice data is not affected by the MDM application in any way, as well as personal mail. But do not forget that at the same time you can see the call details by time and numbers, the time of sending SMS / MMS and if the geo-location preservation function is enabled (according to the requirements of your company's security department) - this data can be compared.
What is the qualification of employees and what is required for?
To implement - to know what the "cloud" or SaaS. For support - read the instructions 1-2 times. To install on your phone - to be able to press "OK".
How accurately are the costs planned?
The fee is charged on devices activated on the platform for the month. That is, if you know how many pipes and tablets you have in control, then you can plan costs with an accuracy of a ruble.
Is it possible to detect jailbreak on the device?
Yes. You can configure the triggers that make certain sequences of commands. In particular, various threats to corporate data are collected in triggers. Here is an example of setting up an event:
Here is an example of setting up a reaction to it:
Is it possible to administer one single device?
Yes, every single device belongs to a group and can be managed. Here, for example, is the data cleaning screen for one of the devices:
How quickly can you access the document on your desktop desktop while sitting in a cafe in Amsterdam?
This is one of the frequent questions of journalists. I will explain that the platform does not allow to receive RDP or analogs for remote workplaces. The platform allows you to administer the device, provides security policies and many other functions. With MDM, you can install any applications, including solutions for RDP access to your workstation or virtual machine. These applications can be registered on the platform as corporate, and the user will receive them along with a package of settings.
How to implement MDM in your company?
1) First you need to understand why you need MDM. To evaluate this, you need:
- Rate who is doing what with mobile devices. Most likely, it is primarily about mail. If there is something critical to the "plum", it is necessary to protect.
- If you have enterprise applications, then with MDM it will be much easier.
- Understand how many people in the company use their personal devices and how often they ask for help on Wi-Fi and VPN settings
- If you distribute your tablets or phones (often important for, for example, merchandisers), MDM will be very useful in the work of the IT department for managing them.
- Find out if there is a task to collect statistics for Gender or Commercial on employees working day or to increase productivity. If yes, then this MDM will help to do this.
2) Subscribe to the beta test below, find three or four devices, figure out what can be done and what is not. And how specifically your tasks are solved in practice.
3) Then you need to stock up on the fingers that it will give to explain to the rest of the departments. The security men will throw their own to you, if necessary. Usually they convincingly give an example of the last incident with the loss of important data.
4) Then the most important thing is to go through the financial department. They will be happy to know that the costs are not capital (a lot of money right away - and only then it will work), but operating costs (after use).
5) After that, it is necessary to gather the leaders of the IT-department, information security, financial department and those involved in mobile workers (possibly personnel), if any, and tell about the possible implementation. Most likely, everyone will have their own wishes. By the way, AXO will also be interested - with MDM it is very easy to make an inventory of both software and hardware.
6) As a result, you will need to collect:
- List of users and their contacts.
- List of devices.
- Security policies (what is allowed to which department, what to do when receiving an employee, what to do when dismissing).
- Certificates for authorization on your mail servers.
7) Sign an additional agreement (you need a new document if you are not working with us or a simple additional agreement to a corporate contract of communication, if you are already our corporate client). A new contract can be taken at any sales office or ordered by phone + 7-499-277-77-77 .
8) After that, you can get users on the platform, you can, together with personnel officers. It is better not to connect all at once, but by department. On one department (better - on its own) it is worthwhile to run in the procedure until widespread implementation.
9) The first settings traditionally do:
- Rolling in corporate applications and jailbreak detection.
- VPN for communication with corporate systems.
- Mail (for example, Exchange).
- Corporate Wi-Fi.
- Setting up a wipe of corporate data.
- Setting up a full wipe when calling an employee in technical support with the incident "stole the phone."
- Strict password policy on the piece of iron (solves 95% of cases of theft of devices).
- Backup device settings.
- Geoposition definition for employees in the fields, for example, couriers.
Then there are all sorts of local features like “turn off the camera at the entrance to the production area” and so on.
How intuitively to understand that the company needs a solution?
Usually, the task goes down to the IT department either from the management or through the IS. If there is no such request, but you just got tired of working manually with a very large fleet of mobile devices, then our platform is also for you. In such a situation, it is necessary to calculate the possible profits from the implementation for all (see above) and run.
What you need to remember?
- Payment - 200 rubles per device per month, but now you can work for several months for free.
- The service is available for legal entities and individual entrepreneurs (and is not available to individuals).
- To activate the service, it is enough to conclude an additional agreement if you are already our corporate client. Or an agreement on Beeline mobile communication from one SIM, if not yet our client.
- At the end of each month, a single invoice is issued for all communication services, where there will be a subscription fee for MDM, which must be paid within 25 days. If the bill is not paid - the platform goes into freezing mode (saving all the settings and data for a while). You can configure automatic notifications to administrators about the status of the account.
- In the additional agreement, the administrator's details for accessing the platform are registered (mail, telephone, full name). They can be changed immediately after the first login.
What happens when you turn off?
You can “cleanly” delete all data from the platform. In addition, each user can remove certificates himself and uninstall MDM applications from the device. When the platform is disabled without additional actions, the certificate is revoked.
How to get free access to the system?
Write a request for services@beeline.ru mail with the heading "Application for MDM test from Habr." Please note that the service is available only for individual entrepreneurs or legal entities, therefore, the letter must include the full company name, company TIN, full name and administrator's email to receive the password, plus the mobile phone administrator for communication.
In response, I really ask you to tell about all the features you need and send bug reports if something strange comes to your eyes.
Source: https://habr.com/ru/post/200468/
All Articles