Nukona Policy Management


An approach to managing applications and securing corporate data on smart mobile devices

Chris Perret, CEO, Nukona, Inc.

Symantec, Inc., 2012. Nukona Policy Management Whitepaper, Page 1

Table of Contents

Purpose of Document ... 3
Overview ... 3
Policy Management Basic Concepts ... 5
Policies That Can Be Enforced ... 7
How the Policy Engine Works ... 8
Summary ... 11

Purpose of Document

In this paper we describe the basic theory of operation of the Nukona Policy Engine, a critical component of Nukona App Center(TM), Enterprise Edition. The paper outlines both the concepts and the process required to deploy secured and managed native and web applications to smart mobile devices, in particular iOS and Android devices, and details the types of policies and security controls that can be applied to the apps.

Overview

Nukona's App Center product has been designed from the ground up to allow large enterprises to reliably deploy apps at scale to employees who use either iOS or Android devices for work purposes. Unlike competitive products, Nukona's products allow Enterprise IT to set the policies and information assurance controls they care about without requiring any modifications to the source code of the apps. Nukona took this approach to ensure that apps deployed by Enterprise IT are not reliant on internal or third-party app developers to be compliant with the policy and compliance needs of the organization. It also allows organizations to apply policy across hundreds, if not thousands, of apps deployed across multiple geographic regions to thousands of employees. A change in policy, or an update to app logic, can be deployed to the entire employee community with a simple push of a button from the management console.

In the diagram above, an app is developed, sourced or modified (1). If the app is coming from a developer, the new app is delivered to the appropriate IT administrator with a simple notification. If the app is sourced, the IT administrator can simply upload the app directly. The IT administrator creates sets of policies and selects the appropriate policy set to be applied to the app, based on the target audience and the information that the app accesses (2). A Nukona Policy Container is invoked around the app logic and the app is provisioned in the Enterprise App Store to be accessed by employees and other approved users. When installed on the user's device (3), the wrapped or containerized app is subject to the policy controls set by Enterprise IT, both at launch time and while it is running.

Using this model, all manner of policies can be set, from simple access and authentication policies, to key management strategies, offline access policies, re-authentication and refresh policy, and even policies related to single sign-on for related productivity apps.

Since the container controlling the policy is delivered with the app, and any data written locally on the device is policy-managed, an enterprise can immediately support BYOD (Bring Your Own Device) using this approach. The corporate policy-managed apps and data can be co-resident on a device with personal apps and data.

The remainder of the paper provides detail on the concepts behind policy management, exactly what policies can be applied, and more detail on how the wrapping of apps actually works in order to deliver the full policy management functionality outlined above.

Policy Management Basic Concepts

There are a few fundamental concepts that are key to understanding the operation, power and benefits of the Nukona Policy Engine:

Apps may come from any source
Nukona's policy management capability is not limited to internal apps. Any application for which the IT department has access to the object code (.IPA file for iOS, .apk file for Android) can have policy applied. Additionally, Nukona's Policy Engine can apply policy to both internal and external web apps.

Separation of app logic from policy
Fundamental to corporate application governance is the requirement to be able to separate corporate policy from the application logic. The policy sets are created independently and applied on an app-by-app or app-group basis. When policies change, the IT Administrator simply updates the apps with the new policy and re-deploys.

No SDK or APIs required
Fundamental to the Nukona approach is the premise that an enterprise cannot manage apps at scale if an SDK is required. Therefore the Nukona Policy Engine was designed to sit outside the app and not require any code changes whatsoever. This approach has the added benefit of not requiring application developers to learn about the complicated and often arcane world of mobile security, key management and identity. The Policy Engine takes care of all those critical aspects prior to app deployment.

Per-app container
When the Nukona Policy Engine applies a set of policies to an app, the app is wrapped in a container prior to deployment. The container keeps the app completely independent from any other corporate or personal app that may be resident or running on the user's device. Therefore it is entirely feasible to concurrently run multiple corporate apps that have different security profiles. The same app can also have different policies applied for different roles or groups of users.

Policy control through distribution
Apps are deployed via Nukona's enterprise app store, which may be private-branded to suit the enterprise or service provider. The enterprise app store provides full tiered access controls and role/group management, and can be easily integrated with an organization's identity infrastructure such as Active Directory. Since the policies are applied statically to the apps before distribution, it is guaranteed that the policies will be in force when the users run the apps.

App revocation
The app container includes logic that checks on launch whether the app is still current, as well as self-destruct code. Therefore the IT Administrator can revoke an app, and the next time a user tries to launch it, the app deletes all its data and itself. None of the other corporate or personal apps, or their data, is impacted.

Policy updates
When a policy is updated (e.g. a requirement to enforce encryption on all corporate data), the apps can be updated by the IT Administrator with no requirement to go back to the app developer or third party. If an app has already been distributed with policy management enabled, then the updated app is effectively pushed to the user, since one of the features of the container is its ability to version-check at launch. The actual mechanism employed is simply that the app is revoked and then redeployed.

Future-proofing
The design of the Policy Engine is such that the policies enforced can be extended based on changing requirements. Any functions that make system calls to the mobile operating system, and any APIs used by the apps, can be controlled. So it is anticipated that the initial set of policies outlined below will be extended to meet future enterprise requirements.

External app store / marketplace apps
Nukona's App Center includes a store pointer capability that allows IT Administrators to include external apps from sources such as the iTunes Store or Android Market in the set of apps that a user can access. Note however that policies cannot be applied to apps downloaded from external stores. In order to apply policy to third-party apps, an organization needs to acquire the rights to distribute the app through its own enterprise app store.

Policies That Can Be Enforced

In Nukona App Center, Enterprise Edition v2.0, the following policies can be enforced on an app-by-app basis:

User authentication and re-authentication
- Before the app launches, the user is required to enter their credentials, which are checked against the identity infrastructure (e.g. Active Directory)
- Re-authentication on a periodic basis (e.g. every 30 minutes) can also be enforced

Local storage rules
- Whether the app is allowed to write data to the local device
- If so, whether the data is required to be encrypted. If encryption is selected, the device's operating system encryption libraries are used, but the keys for decryption are by default stored off the device in the App Center, thus delivering a dramatically improved level of security.

Offline access rules
- Whether the app can be accessed offline
- If so, whether PIN entry is required for authentication before launching the app

Document sharing
- Whether document sharing from within the app is allowed. This is increasingly used by many apps to support file-sharing and collaboration services such as Dropbox, Box.net, Evernote, etc. All major document sharing APIs can be blocked or enabled: inter-app, iTunes, iCloud

API access
- Whether specific APIs are allowed. The initial set is:
  - copy / cut / paste: prevent the user from being able to use the editing functions
  - openurl: prevent the app from being able to open any web page

Jailbroken devices
- Whether to allow the app to launch on jailbroken devices or not

Restrict network connections
- Limit the application's ability to connect to only certain IP addresses / servers / ports

How the Policy Engine Works

The key to delivering on the promise of per-app policy control is the Nukona Policy Engine's ability to wrap or containerize an app. Let's take a closer look at how this works:

1. The application is uploaded into the App Center. This may be done by the developer or the IT Administrator.

2. The IT Administrator creates appropriate sets of policies that can be applied to different groups of apps depending on the level of security required. For example:

   A policy for apps accessing no sensitive data, with limited security requirements (e.g. an expense reporting app):
   - User authentication required? NO
   - Allow local storage? YES
     - Enforce encryption? NO
   - Offline access allowed? YES
     - Require PIN? NO
   - Restrict document sharing? NO
   - Restrict copy/cut/paste? NO
   - Restrict openurl? YES
   - Restrict network connections? YES

   A policy for apps accessing sensitive data, with high security requirements (e.g. a client billing app):
   - User authentication required? YES
     - Re-authentication? Every 15 minutes
   - Allow local storage? YES
     - Enforce encryption? YES
   - Offline access allowed? NO
   - Restrict document sharing? YES
   - Restrict copy/cut/paste? YES
   - Restrict openurl? YES
   - Restrict network connections? YES

3. The IT Administrator selects which policy set is appropriate for the app and applies it. The Nukona Policy Engine then automatically opens up the app, replaces the relevant standard library calls (e.g. file open, file write) with policy-managed versions, creates the container for the app and re-certifies the app with the enterprise certificate. The app is now ready for distribution.

4. The IT Administrator drags and drops the app into the enterprise app store and selects which users or groups of users should get access to the app. The icon for the app is badged to indicate that this is a policy-managed version. First-time users are notified via email to download the App Center Client, after which they can download the apps to which they are entitled. After that, a notification that new or updated apps are available will appear on their mobile device.

Updates to apps which have been policy-managed can be pushed automatically (assuming offline access is not enabled or being used). Apps which are not policy-managed require the user to choose to update.

Web Applications

Web apps can be policy-managed in the same way that native apps are. When a web app is selected, the container that the Nukona Policy Engine wraps around the app is a secure browser that has been specifically enabled to manage policies. The user downloads the app in the same way as a native app. Unlike normal web clip apps, which launch in the local browser (e.g. Chrome, Safari), the policy-managed web apps launch in the secure browser, so policy integrity is maintained.
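The policy sets and launch-time checks described above, modelled as an added example (not Nukona's or Symantec's code, and no claim about how the real Policy Engine is implemented): the two example policy sets are encoded as data, and a launch-time evaluator applies the revocation, jailbreak, offline/PIN and (re-)authentication rules in turn, followed by the policy-managed network and file-write checks. Field names, the LaunchContext structure and the endpoint allow-lists are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class PolicySet:
    """One policy set, with the knobs listed under 'Policies That Can Be Enforced'."""
    require_auth: bool
    reauth_minutes: Optional[int]   # None: no periodic re-authentication
    allow_local_storage: bool
    enforce_encryption: bool
    allow_offline: bool
    require_pin_offline: bool
    restrict_document_sharing: bool
    restrict_copy_paste: bool
    restrict_openurl: bool
    restrict_network: bool
    allowed_endpoints: frozenset = frozenset()  # (host, port) allow-list used when restrict_network
    allow_jailbroken: bool = False

# The two example policy sets from "How the Policy Engine Works" (endpoint allow-lists are constructed).
LOW_SECURITY = PolicySet(
    require_auth=False, reauth_minutes=None, allow_local_storage=True,
    enforce_encryption=False, allow_offline=True, require_pin_offline=False,
    restrict_document_sharing=False, restrict_copy_paste=False, restrict_openurl=True,
    restrict_network=True, allowed_endpoints=frozenset({("expenses.example.internal", 443)}))
HIGH_SECURITY = PolicySet(
    require_auth=True, reauth_minutes=15, allow_local_storage=True,
    enforce_encryption=True, allow_offline=False, require_pin_offline=False,
    restrict_document_sharing=True, restrict_copy_paste=True, restrict_openurl=True,
    restrict_network=True, allowed_endpoints=frozenset({("billing.example.internal", 443)}))

@dataclass
class LaunchContext:
    """Hypothetical view of what the container can observe on the device at launch."""
    online: bool
    jailbroken: bool
    revoked: bool                       # App Center reports the app as revoked / not current
    minutes_since_auth: Optional[int]   # None: no valid credential session yet
    pin_entered: bool = False

def evaluate_launch(policy: PolicySet, ctx: LaunchContext) -> Tuple[bool, str]:
    """Launch-time checks in order: revocation (a revoked app wipes its data and itself), jailbreak,
    offline rules (assumed: offline, the identity infrastructure is unreachable, so the PIN rule
    replaces the credential check), then authentication. Returns (allowed, reason)."""
    if ctx.revoked:
        return False, "revoked: wipe app data and remove app"
    if ctx.jailbroken and not policy.allow_jailbroken:
        return False, "jailbroken device"
    if not ctx.online:
        if not policy.allow_offline:
            return False, "offline access not allowed"
        if policy.require_pin_offline and not ctx.pin_entered:
            return False, "PIN required for offline launch"
        return True, "offline launch permitted"
    if policy.require_auth:
        if ctx.minutes_since_auth is None:
            return False, "credentials required"
        if policy.reauth_minutes is not None and ctx.minutes_since_auth >= policy.reauth_minutes:
            return False, "re-authentication required"
    return True, "launch permitted"

def connection_allowed(policy: PolicySet, host: str, port: int) -> bool:
    # Policy-managed network call: only allow-listed endpoints when restricted.
    return not policy.restrict_network or (host, port) in policy.allowed_endpoints

def write_allowed(policy: PolicySet, encrypted: bool) -> bool:
    # Policy-managed file write: storage must be permitted and, if encryption is enforced, encrypted.
    return policy.allow_local_storage and (encrypted or not policy.enforce_encryption)
```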

Mix of Corporate and Personal Apps

When the policy-managed apps are running on a user's device, each corporate app runs with its own set of policies, and all of the data written locally is under the control of the policy libraries. Thus the co-mingling of business and personal apps and data on any corporate-owned or employee-liable device is fully supported without risk of corporate data loss or compliance issues. Additionally, specific apps may be revoked by the IT Administrator on an app-by-app basis. The data associated with the app is also deleted, without having to wipe the entire device.

Summary

Enterprises are already increasingly dependent on smart mobile devices to run their business. The combination of new apps being specifically designed to run on devices such as the iPad, together with the current wave (which is going to become a tidal wave) of BYOD, means that IT needs to be in a position to take control of corporate apps and data as they are deployed on these devices. For that control to scale to support dozens, hundreds and eventually thousands of apps, it is essential that corporate policies can be applied to all the apps that are required for the business (native and web; in-house, third-party or COTS (commercial-off-the-shelf) apps), and that these policies can be updated without recourse to an SDK or any requirement to have access to the source code. This is what the Nukona Policy Engine is set up to deliver.

In this model, all manner of policies can be set, from simple access and authentication policies, to key management strategies, offline access policies, re-authentication and refresh policy, and even policies related to single sign-on for related productivity apps. And the sound architectural approach of separating policy from application logic means that the ability to scale to thousands of apps and tens of thousands of users is built into the model.