
Enterprise Mobile Device

Automated Configuration and Deployment

Systems Integration Perspective

White Paper

4 June 2015

Kaprica Security Inc.

12110 Sunset Hills Road, Suite LL4, Reston, VA 20190 USA

kaprica.com • [email protected] • +1 (202) 430-6685

Enterprise Mobile Device Automated Configuration and Deployment

© 2011-15 Kaprica Security Inc. 2 of 11

Executive summary

This short white paper provides a high-level overview of the state of the art in automated configuration and deployment for Apple and Samsung devices from a systems integration perspective. It covers the own-brand tools from Apple and Samsung and introduces Kaprica’s Tachyon tool as part of the Samsung Business ecosystem.

Table of contents

• Executive summary (p. 2)
• Table of contents (p. 2)
• Keywords (p. 2)
• Audience (p. 2)
• Introduction (p. 3)
• Objectives (p. 3)
• What is the current state of play? (p. 4)
• Best practice for Apple (p. 5)
• Apple Configurator (p. 6)
• Apple Device Enrollment Program (DEP) (p. 6)
• Samsung Device Configuration Tool (DCT) (p. 8)
• Samsung Knox Mobile Enrollment (KME) (p. 8)
• Kaprica Tachyon (p. 9)
• Tachyon case study (p. 10)
• Tachyon video demos (p. 10)
• Conclusions (p. 10)
• Abbreviations (p. 11)
• About Kaprica Security Inc. (p. 11)

Keywords

Apple • Android • BYOD • Carrier • Configuration • Configurator • CYOD • DCT • DEP • Deployment • EMM • Enterprise • GFE • Google • Kaprica • Kitting • KME • Knox • MAM • MDM • MMS • Mobile Enrollment • Samsung • Self service • Provisioning • Systems integrator • Tachyon • VAR • VPP • White glove

Audience

• Enterprise mobile infrastructure engineers, administrators and executives
• Systems integrators
• VAR (Value Added Resellers) and resellers
• MMS (Managed Mobile Services) providers
• EMM (Enterprise Mobile Management) vendors
• Telco Carriers


Introduction

Government and commercial organizations want to take advantage of the latest smartphone and tablet mobile devices for employees and potentially partners and customers1. Unlike in the consumer realm, where everyone receives a standard factory build and customizes it to their personal tastes, organizational rollouts involve numerous standardized configuration steps between that factory build and end user delivery.

This white paper deals with automating the configuration and deployment of mobile devices for the enterprise, minimizing risk, timelines and costs for the two most popular groups of mobile devices, Apple and Samsung2. The main focus is initial configuration and deployment, or refreshes, and maintaining quality, compliance and security. Consideration is also given to the related issue of partial or complete updates of devices already in use. While EMM are valuable tools for mobile management, recommended by Kaprica and industry analysts alike, the fallacy of EMM3 as a “hammer for which any and all issues of enterprise mobility configuration and deployment are nails” is also addressed.

Historically, enterprise admins, integrators, carriers or manufacturers themselves carried out these steps either manually or with partial automation, so called “pre-staging”. Combining setup steps and corporate data like usernames, email addresses and passwords with QA and testing can take from several minutes per device in simple use cases to over an hour in complex environments. Since organizations have 100s to 1,000s of devices, this adds up not only to man-weeks or months of manual setup and data entry but also to rollout risk, with potential impacts on admin productivity, end user adoption, direct costs and indirect costs around end user productivity, help desk calls and re-work.

Objectives

High level goals such as driving productivity and reducing direct and indirect costs imply attention to a number of areas:

• A strong and intuitive user experience to drive acceptance
• An accurate and timely process
• Flexibly supporting the needs of various groups across an organization
• Choosing between shipping directly to end users for “self service” and / or having one or more centralized locations staffed with admins offering a “white glove” (end-to-end) service
• Having security (confidentiality, integrity and availability) appropriate for each group
• Coverage of a supportable envelope of hardware, OS (Operating System), apps, updates and infrastructure
• Maintenance of audit trails for QA and compliance purposes appropriate to the industry vertical e.g. DISA STIG, HIPAA or PCI DSS for government, healthcare or financial organizations.

1 Organizationally or government furnished (GFE) and also BYOD (Bring Your Own Device), CYOD (Configure Your Own Device) and COPE (Corporate Owned, Personally Enabled) devices.
2 Generic Google Android is not recommended for enterprise usage given the fragmented and hard to support nature of the OS (over 18,000 variants per Open Signal in 2014) and that it does not offer a secure base on which to run enterprise software.
3 Previous iterations of EMM (Enterprise Mobile Management) were known as MAM (Mobile App Management) or MDM (Mobile Device Management).

In an automated configuration and deployment context, these translate into attention to:

• Setup of both enterprise and custom in-house apps
• Settings, especially networking and security e.g. VPN, proxy and certificates
• Personalized data e.g. Google, email and IAM such as usernames, passwords and PINs
• App layout, wallpapers, screen savers and the like for branding
• Optionally installing or using tools such as EMM or Samsung’s Knox™

What is the current state of play?

Product life cycles are much faster in the enterprise mobility space than in traditional IT, so what was true 6 or 12 months ago may not be today. For example, Microsoft, the once dominant vendor in enterprise desktop and laptop IT prior to cloud, and BlackBerry, the once dominant vendor in mobile IT, are not covered here given their niche market shares compared to Apple and Samsung4.

EMM from leading vendors such as AirWatch, MobileIron, Good Technology, Citrix, IBM, Samsung EMM and others have been marketed as solutions to all enterprise mobility issues. Not all organizations choose to deploy EMM. For example, organizations with 100 to 200 devices or less, organizations with straightforward setups at large scale, organizations where there is push back from users over privacy concerns5, or organizations having a high sensitivity to monthly fees may choose not to deploy EMM. Similarly, regarding Samsung, not all organizations need to take advantage of the additional features of Knox Premium, when Knox Standard is built-in at no additional cost.

EMM’s strength in management does not mean that they cover all configuration and deployment needs. In fact, there is a gap between what can be done (so called “pre-staging”) and what needs to be done for an end-to-end automated solution. In Figure 1, a typical EMM for Samsung is shown as an example. It is able to set up certain aspects of devices well. The area bounded by the bold blue lines is what can be pre-staged; the area outside of those lines typically requires manual setup. An ideal automated solution would cover the entire area of the figure. Many EMMs are not able to cover requests such as icon layouts, configuring Google accounts, or setting up VPN. Gartner predicts that 75% of mobile security breaches6 will be the result of basic misconfiguration, not the lack of security tools such as EMM, anti-virus, IDP / IDS systems or app vetting.
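The configuration areas listed above, together with the Gartner point that basic misconfiguration rather than missing tooling drives most mobile breaches, argue for one piece of automation that a defender wants regardless of which staging tool is used: a post-deployment QA check that compares each device against the organization's checklist and writes a tamper-evident audit record for compliance. The Python below is an added example and is not Kaprica's, Apple's or Samsung's code; the checklist fields, the device records, the `corp.example` domain and the package names are all constructed for illustration. A real deployment would read each device's configuration from an EMM inventory export or a device-side agent rather than from inline dictionaries.

```python
"""Post-deployment configuration QA with a tamper-evident audit trail.

Added example (not Kaprica, Apple or Samsung code). Every device record,
package name and domain below is constructed for illustration.
"""
import hashlib
import json

CORP_DOMAIN = "corp.example"                                # constructed
REQUIRED_APPS = {"corp.example.mail", "corp.example.crm"}   # constructed package ids
STANDARD_WALLPAPER = "corp-standard-2015"                   # constructed branding asset
GENESIS = "0" * 64                                          # prev-hash of the first entry


def check_device(cfg):
    """Compare one device's configuration against the deployment checklist.

    The checks mirror the areas a rollout has to cover: networking and
    security settings, personalised identity data, app installation,
    branding, EMM enrolment, and staging leftovers such as USB debugging
    (USB-based staging tools need it enabled; it must be off again before
    the device reaches its user). Returns a sorted list of finding codes;
    an empty list means the device is compliant.
    """
    findings = []
    settings = cfg.get("settings", {})
    if not settings.get("vpn", {}).get("server"):
        findings.append("vpn_not_configured")
    if not settings.get("ca_certificates"):
        findings.append("corporate_ca_missing")
    if settings.get("screen_lock") not in ("pin", "password"):
        findings.append("screen_lock_weak")
    if settings.get("usb_debugging"):
        findings.append("usb_debugging_enabled")
    email = cfg.get("identity", {}).get("email", "")
    if not email.endswith("@" + CORP_DOMAIN):
        findings.append("email_not_corporate")
    missing = REQUIRED_APPS - set(cfg.get("apps", []))
    if missing:
        findings.append("apps_missing:" + ",".join(sorted(missing)))
    if cfg.get("branding", {}).get("wallpaper") != STANDARD_WALLPAPER:
        findings.append("branding_not_applied")
    if not cfg.get("emm", {}).get("enrolled"):
        findings.append("emm_not_enrolled")
    return sorted(findings)


def _digest(record):
    """Canonical SHA-256 over a JSON record (sorted keys, so it is stable)."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def append_entry(trail, device_id, findings):
    """Append one QA result; each entry commits to the hash of the previous one."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {"device": device_id, "compliant": not findings,
            "findings": findings, "prev": prev}
    entry = dict(body, hash=_digest(body))
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Recompute the chain; any edited, dropped or reordered entry breaks it."""
    prev = GENESIS
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def run_qa(devices):
    """Check every device and return the resulting audit trail (a list of entries)."""
    trail = []
    for device_id, cfg in devices.items():
        append_entry(trail, device_id, check_device(cfg))
    return trail


# Constructed sample inventory: one correctly staged device and one that was
# left with USB debugging on, no VPN and a personal rather than corporate account.
SAMPLE_DEVICES = {
    "SN-A001": {
        "settings": {"vpn": {"server": "vpn.corp.example"}, "ca_certificates": ["Corp Root CA"],
                     "screen_lock": "pin", "usb_debugging": False},
        "identity": {"email": "alice@corp.example"},
        "apps": ["corp.example.mail", "corp.example.crm", "com.android.chrome"],
        "branding": {"wallpaper": STANDARD_WALLPAPER},
        "emm": {"enrolled": True},
    },
    "SN-A002": {
        "settings": {"vpn": {}, "ca_certificates": ["Corp Root CA"],
                     "screen_lock": "pin", "usb_debugging": True},
        "identity": {"email": "bob@mail.example"},
        "apps": ["corp.example.mail", "corp.example.crm"],
        "branding": {"wallpaper": STANDARD_WALLPAPER},
        "emm": {"enrolled": True},
    },
}

if __name__ == "__main__":
    for entry in run_qa(SAMPLE_DEVICES):
        status = "OK " if entry["compliant"] else "FAIL"
        print(status, entry["device"], ", ".join(entry["findings"]))
```

The hash chain is a minimal stand-in for whatever audit store the organization already keeps; its only job here is to make a silent edit to an earlier QA record detectable, which is the property an auditor reviewing a STIG or HIPAA rollout asks for. Adding a check is one more `if` in `check_device`, so the same script grows with the 70-step checklists described later in the paper.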
4 2015 MWC Cleveland Research Report – Market share estimate May 15, 2015. Smartphones: Samsung 26%, Apple 18%, Microsoft / Nokia 3% and BlackBerry 0%. Tablets: Samsung 18%, Apple 26%, Microsoft 4%, BlackBerry 0%.
5 2015 How Medical College of Wisconsin designed a policy that mandated MDM enrollment for school-owned devices and is widely accepted by faculty and students.
6 2014 Gartner Says 75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration.


Figure 1 – Gap between pre-staging with an EMM and end-to-end configuration requirements

Best practice for Apple

Apple’s business environment7 has two tools, one USB-oriented, Apple Configurator, and one OTA-oriented, Apple Device Enrollment Program (DEP). Although these do not offer end-to-end configuration and deployment, they offer pre-staging, which in most cases will still require some manual setup and final QA per device, as illustrated in Figure 2. Neither tool is appropriate for partial or complete updates of devices already in use. Apple specifically does not permit staging of OS updates. As a “walled garden” system, the only third party tools allowed are EMM, which largely share the same Apple API abilities and limitations. As the diagram below summarizes, Apple DEP with a leading EMM will cover, in the best of cases, ~80% of needs; the remaining ~20% might need the device to then be run through the Configurator and/or to have manual setup work. In the worst of cases, only ~20% of needs are covered, so depending on the exact use case and the specific EMM, true end-to-end automation and/or user “self service” is unlikely.

7 https://www.apple.com/iphone/business/docs/iOS_Enterprise_Deployment_Overview_EN_Feb14.pdf

[Figure 1 chart, “Typical EMM on Samsung / Arbitrary Scale”: vertical axis 0 to 40; categories Rollout/Update, Enterprise apps, Custom apps, Settings, Corporate data, Branding/layout, EMM installation, Knox API / setup]


Figure 2 – Intersection of end-to-end Apple configuration needs, Configurator, DEP and EMM

Apple Configurator

Configurator8 is a USB based tool that can be used to configure multiple Apple mobile devices at a time. Its strengths are partial automation and support for EMM. However, it does not support OTA configuration, has no app configuration, no ties to corporate data or audit trails, and the EMM can simply be removed at any time.

Apple Device Enrollment Program (DEP)

DEP9 is an OTA tool that can be used for mass / bulk device enrollment. Its strengths are partial automation and support for EMM. The EMM is “locked” around device activation and cannot simply be removed.

8 http://help.apple.com/configurator/mac/1.7.2/#/cadf1802aed
9 http://www.apple.com/business/dep/

[Figure 2 diagram labels: End-to-end Needs; Apple Configurator; Apple DEP with EMM]


However, EMM usage is mandatory. There is no support for USB configuration, no app configuration, and no ties to corporate data or audit trails. It is only available in certain geographies, a limitation shared with Apple’s VPP (Volume Purchase Program) for apps.

Best practices for Samsung

Samsung’s business environment has two own-brand tools, one USB-oriented, Device Configuration Tool (DCT), and one OTA-oriented, Knox Mobile Enrollment (KME). With one important exception (detailed below) they do not offer end-to-end configuration and deployment, instead offering pre-staging, which in most cases will still require some manual setup and final QA per device. Neither tool is appropriate for partial or complete updates of devices already in use. Cellular carriers do not permit staging of OS updates for Samsung devices.

The Samsung system is more open to third parties than Apple’s. It supports several EMM, although there is a wide degree of variation among them in their support of Samsung’s extensive APIs. A third party tool, Tachyon, from Kaprica Security, is able to leverage all Samsung Knox APIs and extend both USB and OTA scenarios to offer end-to-end configuration. It accomplishes this running independently, or as a complement to Samsung Knox or EMM tools. It can also be used for partial or complete updates of devices already in use.

As Figure 3 summarizes, Samsung KME with a leading EMM will cover, in the best of cases, ~80% of needs; the remaining ~20% of needs may require the device to have manual setup work. In the worst of cases, only ~20% of needs are covered, so depending on the exact use case and the specific EMM, true end-to-end automation and/or user “self service” is unlikely. Kaprica’s Tachyon, working with KME and/or EMM, can cover 100% of configuration and deployment needs, allowing the flexibility to offer both end user “self service” or admin “white glove service” (faster, more accurately and less expensively), as required.


Figure 3 - Intersection end-to-end Samsung configuration needs, DCT, KME, EMM & Tachyon

Samsung Device Configuration Tool (DCT)

DCT10 is a USB based tool that can be used to configure multiple Samsung mobile devices at a time. Its strengths are partial automation and the ability to call Knox APIs. However, it does not support OTA or EMM configuration, has no app configuration, and no ties to corporate data or audit trails. It requires Android’s ADB / USB debugging mode to be enabled, which is a painful manual process in itself.

Samsung Knox Mobile Enrollment (KME)

KME11 is an OTA tool that can be used for mass / bulk device enrollment. Its strengths are partial automation with EMM and full end-to-end automation with Tachyon. To parallel the discussion of Apple’s DEP: it is possible for certain EMM (and also Tachyon independently) to “lock” the device so that settings and/or EMM cannot simply be removed.

10 http://www.samsung.com/pl/business/mobile/others/device-configuration-tool/banner.html
11 https://www.samsungknox.com/en/products/knox-mobile-enrollment

[Figure 3 diagram labels: Tachyon, EMM & KME cover 100% end-to-end needs; Samsung DCT; EMM & Samsung KME]


However, with EMM alone, there is no support for USB configuration, no app configuration, no audit trails and no ties to corporate data. KME is only available in certain geographies, although access to apps via Google Play or private app stores is very flexible.

Kaprica Tachyon

Tachyon12 is a Samsung exclusive technology, consisting of an app and a browser admin portal. It automates end-to-end mass / bulk configuration, deployment and QA of all current Samsung tablets and smartphones. It is not an EMM or a replacement for an EMM, since its focus is configuration: it is invoked and then finishes (reporting back to the portal), rather than running continuously for management and monitoring purposes as EMM do. In a nutshell, Tachyon is a superset of the Samsung configuration and deployment capabilities detailed above:

• Runs independently, or as a complement to EMM and Knox
• Supports offline and OTA scenarios
• KME, as well as QR code or traditional usernames / passwords
• Knox Standard and optionally Knox Premium
• Every Knox API is supported e.g. blacklisting phone numbers (EMMs cover only subsets)
• Every native Android setting is supported e.g. VPN and Google
• Third party and in-house app configuration
• Custom home screen arrangement
• Pulls in specific corporate data for each device and maintains an audit trail for compliance purposes

Rather than being just a generic configuration tool, Tachyon offers a growing library of off-the-shelf configurations to match specific industry verticals or use cases, for example:

• 1-click DISA STIG setup
• 1-click handling of sophisticated IAM / certificate / networking environments
• 1-click healthcare patient privacy and security for HIPAA compliance
• 1-click migration from one EMM to another

Popularly, it’s an “easy button” for the complex process of bulk Samsung configuration and deployment. The last two examples from the list above, data sanitization and EMM migration, illustrate updating of devices in specific areas without requiring the users to visit or ship devices to centralized locations. Other uses might include updating versions of custom apps, for example in retail services or banking scenarios.

12 https://kaprica.com/tachyon


Tachyon case study

A large Systems Integrator (SI), with locations in North America and in Europe, leverages Samsung for its enterprise mobile solutions practice. Its customer, a leading Ohio-based healthcare provider, needed an automated approach for deploying over 3,000 Samsung Galaxy Note devices to over 500 skilled nursing and rehabilitation locations across the US. The manual configuration of devices, including 70 individual steps and ending with a traditional EMM installation, was taking too long and the error rates were too high.

The SI deployed Kaprica Security’s Tachyon automated solution to speed up configuration and deployment and improve quality. An automated script was developed and tested to cover the 70 steps, leveraging the Tachyon Portal and its library of ready to use steps. Tachyon dramatically reduced configuration and deployment time and associated costs while increasing quality. The SI standardized on Tachyon for this and additional new clients with similar large deployments.

The SI’s administrators were able to continue to offer a white glove service, configuring 10 devices at once rather than configuring one at a time manually as they had previously done. The total time taken to configure each device was reduced from 30 to 5 minutes (not counting the charging or boot time). The QA time per device was reduced from 5 minutes to 0 since reporting and compliance are automated in the tool. With the new KME functionality, the time per device will be close to zero. The SI, like the majority of Tachyon’s clients, already has EMM tools, with Tachyon adding the configuration and deployment automation that they do not have built-in.

Tachyon video demos

• 1-click from a QR code: http://kaprica.com/s/tachyonapp2
• 0-touch with Knox Mobile Enrollment: http://kaprica.com/s/tachyonapp3

Conclusions

This white paper presented best practices for Apple and Samsung mobile device automation and configuration, detailing industry standard tools from Apple’s Configurator and DEP, to Samsung’s DCT and KME, to EMM. It introduced the Tachyon tool, which can run independently or extend the capabilities of existing tools on Samsung platforms, to move from pre-staging to end-to-end configuration and deployment, offering a much finer grain of control over both initial setups and on-going updates, with increased speed and accuracy and reduced costs.


Abbreviations

ADB – Android Debug Bridge
API – Application Programming Interface
BYOD – Bring Your Own Device
COPE – Company-issued, Personally-Enabled Device
CYOD – Choose Your Own Device
DARPA – Defense Advanced Research Projects Agency
DC – District of Columbia
DEP – Device Enrollment Program
DISA – Defense Information Systems Agency
EMM – Enterprise Mobile Management
GFE – Government Furnished Equipment
HIPAA – Health Insurance Portability and Accountability Act
IAM – Identity and Access Management
IDP – Intrusion Prevention Systems
IDS – Intrusion Detection System
IT – Information Technology
KME – Knox Mobile Enrollment
MAM – Mobile App Management
MDM – Mobile Device Management
MMS – Managed Mobility Services
PCI DSS – Payment Card Industry Data Security Standard
OS – Operating System
OTA – Over The Air
QA – Quality Assurance
QR – Quick Response
SI – Systems Integrator
STIG – Security Technical Implementation Guide
TX – Texas
USB – Universal Serial Bus
VA – Virginia
VAR – Value Added Reseller
VPP – Volume Purchase Program
VPN – Virtual Private Network

About Kaprica Security Inc.

Kaprica is an expert in mobility and security, providing hosted and on premise solutions. It was founded in 2011 by a team of cyber security experts from Lockheed Martin and Carnegie Mellon University, with the goals of delivering high quality cyber security services to a wide government and enterprise audience, and simultaneously developing easy to use and deploy software tools to support them. Today, clients range from DARPA, to the Department of Transportation, Lockheed, Intel and the University of Maryland. Kaprica is a Silver-Level Samsung partner and its enterprise software products include the Skorpion™, Tachyon™ and RunSafe™ lines and associated patents. Kaprica is headquartered just outside Washington, DC, in Reston, VA, with offices in Austin, TX. Learn more at kaprica.com.
