Over the last couple of years we have all witnessed a great boost in the smart-phone industry, where a huge number of smart-phones are now designed to let end-users connect to their corporate e-mail messaging system. While this fever was getting in motion, organizations did not see it as a challenge, and many of them allowed their end-users to configure their corporate e-mail account on their mobile devices. Recently, however, businesses have been hit by this free use of technology, whether in the shape of a virus infection spread through it, or in the shape of a denial of service caused by a misconfigured device eating up the available resources of the messaging system.
Getting hit by a virus or by a denial of service launched from a malfunctioning device is one thing, but the licensing side is also getting worse: changing licensing models have put businesses in bad shape, especially where a single user has four or five devices (more devices than toothbrushes). All of this is turning the tables and making the situation even tougher for businesses. So here comes the control statement: businesses have now started to think about whether they should keep this service free for everyone, or put up a barrier so that only the allowed folks pass the security check-post and everyone else turns their vehicle around after seeing the board "Only Authorized Personnel Allowed"... Let's first talk about whether we really need to allow users corporate e-mail access on their mobile devices at all.
Uncontrolled Access to Corporate E-mail from Employees' Smart-Phones
Let's first look at some history. From my own eyes, I started seeing people with corporate e-mail access on their smart-phone with the BlackBerry. This black lady (BB) initially came into the hands of higher management, then slipped down to the executives, and when the executives understood the value of being in control all the time she slipped again and finally reached the normal employees (the subordinates' hands). During this transition, having this gadget in someone's hand was considered an important status symbol in the business, but later, when the iPhone era started along with other smart-phones carrying the Microsoft ActiveSync logo, they started giving BlackBerry a tough time. On one side BlackBerry asked corporates to have a BlackBerry Enterprise Server or to use the telecom's BlackBerry internet-based service, both of which were somewhat difficult and expensive for an organization to go forward with. On the other side Microsoft's approach was to let users bring their own device and get connected to the e-mail system in a few clicks, and they were good to go.
Okay, now that users can bring their own device and configure their corporate e-mail account on it, the question is: shall we keep this service open for all guests (users), or should there be a sign board saying only authorized and controlled users are allowed? To better answer this question, let's consider the points below:
- Incompatibility of smart-phones disturbs the messaging system: A recent example is the issue between Apple iPhone iOS 6.x devices and Microsoft Exchange Server, where the iOS 6.x devices mishandled meeting requests and the resulting communication loop with the Exchange Server turned into a sort of denial-of-service attack on the server.
- Cracked mobile OS and zero-day attacks launched with brand-new mobile apps: Cracked (jailbroken) operating systems and brand-new apps are released to end-users every single minute we breathe. This adds another challenge: ensuring that the device the user holds is safe and does not contain any untested application which can be used to launch a zero-day attack.
- Accessing and modifying corporate data on the smart-phone: If the user has access to the e-mail system in the first place, it means the user is accessing corporate data on his or her smart-phone. When needed, the user also modifies this data on the phone and then uploads or shares the modified data from the smart-phone with the company's users and data stores. If the end-user's smart-phone is not patched, secured and encrypted, then in case of an infection or a snatched device all the data stored on it can cause a disclosure of information.
So now, I do not even want to say it, but you have your answer: there is definitely a need to put a road-block in front of the open service door and to allow only legitimate users holding healthy and secure devices.
Personal Phone vs. Mobile Device Management (MDM) Policies and Restrictions
To continue with this article, let's first discuss one point which becomes a big concern when you try to put a management control in place: having the user's personal device (smart-phone) controlled by a Mobile Device Management tool. This is an interesting point and can be a tough one for your end-users.
As said in the paragraphs above, the initial boost we saw in the use of corporate e-mail on smart-phones came because end-users were allowed to bring their own devices for e-mail access. But now the security or Exchange administrator puts an MDM (Mobile Device Management) tool in front of the e-mail system to white-list and black-list users based on their device health, and only allows users to access the service after their personal device complies with the security policy. These policies at times look horrible to end-users, because they think the company or the administrator (the bad guy) will get full control of their device and an insight into their PERSONAL WORLD. This gap discourages them from bringing their personal device and configuring it against a company security policy that limits their personal use of the device.
This discomfort between the end-users and the controlling party (the administrator) may keep end-users from signing up their devices for the service, with the result that users stop configuring their personal smart-phones for corporate e-mail. As a result, either the company has to provide end-users with company-owned smart-phones, or it has to relax the policies enough to encourage end-users to sign up their devices for the e-mail service.
The following points can be taken into consideration for encouraging end-users to set up their personal smart-phones for the corporate e-mail service:
- Awareness and Guidance: Making your users more aware of the MDM policies and practices, and clearing up their misgivings about the company getting an insight into their personal world, will encourage them to come back to the service.
- Building Blocks Strategy: An organization can start with a relaxed policy for end-users' personal devices enrolling in the MDM solution, but the policy should not be weak. Having a relaxed policy does not mean having a weak policy from the security perspective. Once the users' trust is gained, the organization can look for room for improvement and go further to strengthen the MDM policies and restrictions, with more awareness and user trust.
Finally, we will conclude this article by discussing the SOLUTION: which solution should one choose for Mobile Device Management? So here we go...
Mobile Device Management (MDM) Solutions Selection
Note: Whatever I discuss here in this article is my personal opinion. If I select solution A, this does not mean that all the other X, Y and Z solutions are not good; it is just that, as per my knowledge and understanding, this is the recommendation I can give.
I recently did some research and also happened to attend a few of the vendors' marketing and technical presentations for their mobile device management solutions, and what I came across is that I really liked AirWatch as a mobile device management solution for a company which wants a solution that is independent of the vendor or supplier, because there are a few solutions out there, like Good, which work as a managed service provider (MSP). I would also recommend AirWatch from the Microsoft Exchange Server perspective, because, being an MVP for Exchange Server, I also happened to see the value this solution adds to your MS Exchange Server mobile device management, and the features this application has are remarkable and do not come with other solutions.
So if you are planning an MDM solution implementation where your e-mail system is Microsoft Exchange Server (on-prem / hybrid / cloud only), then AirWatch is a good choice for your MDM solution selection. An important note for an AirWatch POC:
Remember that AirWatch, or any other MDM solution, should not be put in front of the production messaging system for a POC, because by doing this you may need to take a downtime for your existing corporate users, and due to the architectural needs you will find it difficult to enroll production users in the POC. So it is better to have a POC Exchange system for the AirWatch POC. I do not want to look stupid, because you will say "why would somebody do a POC with production Exchange?", but I have witnessed such a situation, where your AirWatch or other MDM solution vendor suggests that you put it in front of the production messaging system; later you find it difficult, so it is simply a waste of time.
Exchange Server Native Policies and Restriction for Mobile Device Management
If you find it difficult to procure and deploy an "MDM" solution, then you can take advantage of the native mobile device management side of Exchange Server. With Exchange you can create ActiveSync allow, block and quarantine rules based on device OS/firmware, device manufacturer and model, and you can enforce device-side requirements (PIN, inactivity lock, encryption, remote wipe) through ActiveSync mailbox policies. You can read more about the Exchange mobile device management features here.
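As an added example (not part of the original article, and not AirWatch or Microsoft code), here is how the native Exchange controls described above look in the Exchange Management Shell. It ties together the three points made earlier: quarantining a device build that misbehaves against the server, requiring encryption and wipe-on-failure so a snatched phone does not disclose data, and a relaxed-but-not-weak baseline policy for personal devices with a stricter one to move users to later. Rule names, policy names, query strings, mailbox addresses and the device identifier are placeholders chosen for this example; the DeviceOS/DeviceModel strings in particular must be copied from what `Get-MobileDeviceStatistics` reports for a real device.

```powershell
# Added example: Exchange Management Shell, Exchange 2013+ / Exchange Online cmdlet names.
# (Exchange 2010 uses New-ActiveSyncMailboxPolicy / Get-ActiveSyncDevice instead.)
# All names, addresses and query strings below are placeholders for this example.

# 1. Unknown devices are quarantined instead of allowed. A new device family then
#    needs an explicit Allow rule (white-list) before it can sync.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "exchange-admins@example.com" `
    -UserMailInsert "Your device is in quarantine until IT approves it. Contact the help desk."

# 2. Device access rules, matched on the characteristics the device reports.
#    Allow a known-good family explicitly:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Allow

#    Quarantine a build that misbehaves against the server (the meeting-request loop case).
#    Placeholder OS string: read the real DeviceOS value of an affected device first.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 6.x placeholder" -AccessLevel Quarantine

#    Block an unsupported model outright (placeholder model string):
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "UnsupportedModel" -AccessLevel Block

# 3. Relaxed-but-not-weak mailbox policy for personal (BYOD) devices:
#    PIN, inactivity lock, device encryption and wipe after repeated wrong PINs,
#    but a simple PIN is allowed so the phone stays usable as a personal phone.
#    Devices that cannot enforce the policy (non-provisionable) are refused.
New-MobileDeviceMailboxPolicy -Name "BYOD-Baseline" `
    -PasswordEnabled $true -AllowSimplePassword $true -MinPasswordLength 4 `
    -MaxInactivityTimeLock 00:05:00 -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true -AllowNonProvisionableDevices $false

#    Stricter policy for company-owned devices, or for users once trust is built:
New-MobileDeviceMailboxPolicy -Name "Corporate-Strict" `
    -PasswordEnabled $true -AlphanumericPasswordRequired $true -MinPasswordLength 8 `
    -MaxInactivityTimeLock 00:02:00 -MaxPasswordFailedAttempts 5 `
    -RequireDeviceEncryption $true -AllowNonProvisionableDevices $false -AllowStorageCard $false

#    The baseline becomes the default for every mailbox; the strict one is assigned per user.
Set-MobileDeviceMailboxPolicy -Identity "BYOD-Baseline" -IsDefault $true
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy "Corporate-Strict"

# 4. Check: which devices are currently held in quarantine, and why.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessStateReason

#    Release one reviewed device for one user without opening the whole family
#    (placeholder DeviceId, taken from the Get-MobileDevice output above):
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncAllowedDeviceIDs @{Add = "PLACEHOLDERDEVICEID"}

# 5. Lost or snatched phone: wipe it and get a confirmation mail when the device acknowledges.
Get-MobileDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceId -eq "PLACEHOLDERDEVICEID" } |
    Clear-MobileDevice -NotificationEmailAddresses "exchange-admins@example.com"
```

Two caveats a practitioner should keep in mind: the DeviceType, DeviceModel and DeviceOS values are self-reported by the client, so access rules are a hygiene control against known-bad or unsupported builds, not a security boundary against a deliberately lying client; and the wipe in step 5 only takes effect when the device next connects, so the ActiveSync device access and the user's credentials should be disabled at the same time.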
I hope this article helps you understand this area of controlling access while still giving an enterprise-class secure messaging service to your end-users on their personal and company-provided smart-phones.
Cheers!