Office of Science and Technology ATF & USMS Mobility Pilot: Deploying and Supporting iPads/iPhones in the DOJ Environment Rick Holgate ATF Assistant Director for Science & Technology / CIO DOJ Cyber Security Conference February 9, 2011

Joint ATF/USMS iOS mobility pilot, presented at the 2011 DOJ Cyber Security Conference

Page 1: ATF & USMS Mobility Pilot, 9 Feb 2011

Office of Science and Technology

ATF & USMS Mobility Pilot: Deploying and Supporting iPads/iPhones in the DOJ Environment

Rick Holgate

ATF Assistant Director for Science & Technology / CIO

DOJ Cyber Security Conference

February 9, 2011

Page 2: ATF & USMS Mobility Pilot, 9 Feb 2011

Factors Driving Mobility at ATF (& USMS)

• Law enforcement and regulatory missions

– Most work happens away from the office

– Productivity enhancement

• Emergent situations

– Special operations, major events, ESF 13

• Increasing demand for real-time information

– “Knowing what we know”

• Telework / real estate costs

• Predominantly controlled unclassified information

9 February 2011 innovative applications of science and technology 2

Page 3: ATF & USMS Mobility Pilot, 9 Feb 2011

Why A(nother) Mobility Pilot

• Spectrum relocation – video surveillance

• Highly mobile ATF (& USMS) workforce

• Right mobility model for the future

– Usability and functionality

• Lessons learned from mobility pilot v 1.0

– Affordability


Page 4: ATF & USMS Mobility Pilot, 9 Feb 2011

ATF Organizational Snapshot (round numbers)

Personnel (bar chart, axis 0 to 12,000):

• Special Agents: 2,560

• Industry Operations Investigators: 806

• Other Professional Staff: 1,738

• Contractors / Task Force Officers / Others: 2,400

Mobile Data Devices (bar chart, axis 0 to 12,000):

• Laptops (w/secure WiFi): 6,500

• Cellular Broadband: 3,100

• BlackBerries: 1,800

• Windows Mobile: 150

Page 5: ATF & USMS Mobility Pilot, 9 Feb 2011

Overall Pilot Objectives

• Deliver meaningful functionality

• Test relevant and complete use cases

• Understand technical and cost obstacles and implications

• Demonstrate the ability to secure and manage the devices

…while maintaining device/OS-independence

Page 6: ATF & USMS Mobility Pilot, 9 Feb 2011

Why iOS?

• Market and mind share

• Grass roots adoption

• Intuitive applications readily adopted for law enforcement

• Appealing form factor(s)

• Easy to use

Page 7: ATF & USMS Mobility Pilot, 9 Feb 2011

Mobility Solution

• Secure Email

– Security Features

– Scalability and Reliability Features

– Usability Features

• Mobile Workforce

– Enterprise Applications

– Collaboration Applications

• Centralized Device Management

– Provisioning

– Production

– Decommission

Page 8: ATF & USMS Mobility Pilot, 9 Feb 2011

Mobility Solution Architecture (diagram)

• End User Mobile Devices

– Outside Sandbox (Apple, iTunes, Android Market)

– Secure Sandbox

• Distribution

– ATF Application Distribution Store

• Packaging

– Mobile Applications

– Mobile Profiles

• ATF Enterprise

– Enterprise Applications

– Collaborating Applications

• Profiles

– Security Policy Profile

– Device Control Profile

– Configuration Profile

Page 9: ATF & USMS Mobility Pilot, 9 Feb 2011

Core Technical Objectives

Device Management

Policy Implications

Application Deployment Strategies


Page 10: ATF & USMS Mobility Pilot, 9 Feb 2011

Mobile Device Management Considerations

• Feature & Functionality

– Security

– Software Management

– Asset Management

– Configuration Management

– Performance & Diagnostic

– Backup and Restore

• Platform

– Apple iOS, Android, Blackberry, Windows Mobile, Symbian, Palm WebOS

• Security Compliance

– FIPS 140 Data at Rest

– FIPS 140 Data OTA

– AES 256

• Enterprise Integration

– MS ActiveSync, MS Exchange, Active Directory

– Tivoli, HP Operation Manager, etc.

– ArcSight

– BES

Page 11: ATF & USMS Mobility Pilot, 9 Feb 2011

Mobility Scenarios

Application Deployment Scenarios against Functional User Scenarios. Columns: Executive (ATF & USMS); Operational (USMS 1811); Operational (ATF 1811); Operational (ATF 1801).

Office productivity (email, calendar, contacts): X X X X

Legacy/desktop applications via Citrix: X X X X

Document collaboration: X X X X

App Store applications with enterprise data: X X X X

Custom applications: X X

Web applications (internal, external): X X X X

Video management: X X

Page 12: ATF & USMS Mobility Pilot, 9 Feb 2011

Application Deployment Strategies

Pinecone

Enterprise Data: Business Intelligence

Document Authoring, Collaboration using Enterprise Content:

• WebDAV

• Enterprise Content Management System

• IDEA/MyFX (?)

Enterprise Apps:

• NFOCIS (ATF case management)

• JDIS (USMS)

• MS Office

• Content repository

Sandboxed Access to Enterprise Productivity (Exchange, etc.), Internal Web Apps (ATFWeb, HRConnect)

Training and Reference Materials (internal content management)

Page 13: ATF & USMS Mobility Pilot, 9 Feb 2011

Application Deployment Strategies

Pinecone

External Web Apps:

• WebTA

• learnATF/learnDOJ

• eTrace

Personal accounts (?): Gmail, Yahoo, Hotmail

Video surveillance and evidence management (provided as a cloud-based service)

Dictation for integration with productivity apps

Personal applications (?)

Page 14: ATF & USMS Mobility Pilot, 9 Feb 2011

“How Big is My Sandbox?”

Diagram of three functionally segregated zones:

• Pinecone: dedicated apps in a FIPS 140-2 sandbox

• Native (OS) or App Store apps

• AirWatch, BoxTone “Managed Space” through MDM

Apps shown in the diagram: Mail, Contacts, Calendar, Phone, Camera, Web, File Mgr., App Store, Evernote, eReader, Office2 HD, Annotate, Pages, Dragon, Notes, Good, and generic “App” tiles.

Page 15: ATF & USMS Mobility Pilot, 9 Feb 2011

“Demo”


Page 16: ATF & USMS Mobility Pilot, 9 Feb 2011

Application Deployment Principles

• Don’t break the usability and convenience

• Strive for simplicity

• Identify minimum technology footprint necessary to deliver the required functionality

• Deliver cross-application integration where logical

• Provide single sign-on where/whenever possible

Page 17: ATF & USMS Mobility Pilot, 9 Feb 2011

Policy Implications

• Personal vs. government devices

• Personal uses

– Applications

– Data

• Commercial application purchase and distribution

Page 18: ATF & USMS Mobility Pilot, 9 Feb 2011

iOS Devices: More Like a Browser or a PC?

Browser model:

• Personal “Apps” (Facebook, YouTube, …) – white/black list

• Secure, Managed Browser (“Sandbox”)

• Reasonable Use

PC model:

• Locked/Managed Desktop

• No User-Installed (Personal) Apps

• Device-Wide Management

• Device Encryption

Page 19: ATF & USMS Mobility Pilot, 9 Feb 2011

Where This is Leading:

Notional Future Mix of User Devices

• Phone, Slate, Virtual Desktop Infrastructure

– Simple, manageable, highly functional mobile devices

– Apps and data available anywhere / from any platform

– Desktop interface and power if/when needed

• Office “kiosks”; home

– Tighter security management

– Significantly lower cost per user


Page 20: ATF & USMS Mobility Pilot, 9 Feb 2011

Staying Engaged

• Regular progress meetings – open to DOJ Components

• ATF POC

– Michael Wallace, [email protected], (202) 648-9322

• USMS POC

– Roland Perez, [email protected], (608) 661-8225

Page 21: ATF & USMS Mobility Pilot, 9 Feb 2011

Questions?

Page 22: ATF & USMS Mobility Pilot, 9 Feb 2011

Backup


Page 23: ATF & USMS Mobility Pilot, 9 Feb 2011

Architecture: ATF vs. Traditional Environment

Page 24: ATF & USMS Mobility Pilot, 9 Feb 2011

Secure Email Solution

Security

• AES 256 bit encryption email and data

• Certified FIPS 140-2 cryptography

• Secure Sandbox solution and run time protection

• Secure browser, file manager, camera, and image storage in the sandbox

• ATF Application Distribution Store authentication

Scalability & Reliability

• Ownership of data, does not rely on external relay or Network Operation Center (NOC)

• Dedicated and secured relay

• Scalability by chained and redundant relays

• Provide ATF with a flexible deployment strategy. Different Sandbox IPA to target different user groups

Usability

• Highly customized ATF Application Store

• Over-the-Air (OTA) download and install Sandbox to the handheld device

• Multiple home screen options inside the Sandbox

• Support ZIP file attachment

Page 25: ATF & USMS Mobility Pilot, 9 Feb 2011

Mobility Workforce Solution

Enterprise Applications

• Dashboard

• Business Intelligence

• WebTA

• HRConnect

• FO PettyCash

• FO Documents Publishing

Collaborating Applications

• iWalkie

• Secure Chat Room

• GoToMeeting

• eReader

Page 26: ATF & USMS Mobility Pilot, 9 Feb 2011

Centralized Device Management Solution

Provisioning

• Assign group membership and policies

• Configuring device for connectivity

• OTA delivery of management client

Production

• Track asset data

• Update/repair software

• Distribute and update Large Object Binary (LOB) data and files

• Software license usage and tracking

• Schedule and automate activities

• Remote control of devices

Decommission

• Disable lost/stolen device (remote kill/lock, access violation lock)

• Restore data, redeploy software assets, re-provisioning and re-image device

Page 27: ATF & USMS Mobility Pilot, 9 Feb 2011

Centralized Device Management Solution

MDM product comparison (X = supported). Columns: Afaria, AirWatch, Boxtone, MobileIron.

Disable applications: X X X X

Broadcast SMS, APNs: X X X X

OTA Enrollment: X X X X

Over-the-air download and update: X X X X

Passcode policy enforcement: X X X X

Platform - Apple iOS: X X X X

Track inventory & audit compliance for corporate governance: X X X X

OTA self-provisioning of devices with central control: X X X X

OTA app deployment via enterprise app catalog: X X X X

Certificate management & distribution (SCEP): X X X X

Enterprise Integration - Microsoft ActiveSync: X X X X

Web-based console: X X X X

AD integration (authentication, authorization, policy mapping): X X X X

Feature enable/disable (camera, SD, Bluetooth, WiFi, apps, iTunes, cookies): X X X X

Password enforcement (length, age, complex, inactivity, expiration, history): X X X X

Application Blacklisting: X X X X

Application Whitelisting: X X X X

Asset management: X X X X

Fully integrated audit trail: X X X X

Enterprise Integration - Microsoft ActiveDirectory & LDAP: X X X X

Lockdown device port (Infrared, WiFi, Bluetooth): X X X X

WiFi pre-config (SSID, Hidden Network, Security Type, Password): X X X X

Detailed deployment & utilization by user, device, carrier, platform: X X X X
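The passcode, feature enable/disable and Wi-Fi pre-config rows of this table, and the FIPS/AES and "secure and manage the devices" objectives earlier in the deck, correspond to settings an MDM delivers to iOS as configuration profile payloads. The following is an added example, not the pilot's or any listed vendor's code: it builds such a profile with Apple's documented payload keys and audits it against a baseline; the baseline values, the `gov.example.pilot` identifier and the SSID are constructed for illustration.

```python
import plistlib
import uuid

# Constructed baseline for this example: (passcode key, higher value is stricter?, required value).
PASSCODE_BASELINE = [("minLength", True, 8), ("pinHistory", True, 4),
                     ("maxInactivity", False, 5), ("maxFailedAttempts", False, 10),
                     ("maxPINAgeInDays", False, 90)]

def payload(ptype, ident, **settings):
    """One profile payload; PayloadIdentifier and PayloadUUID must be unique within the profile."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()), **settings}

def build_profile(min_length=8, allow_camera=False, ssid="PILOT-SECURE-WIFI"):
    """Return a .mobileconfig (XML plist bytes) with passcode, restriction and Wi-Fi payloads."""
    root = "gov.example.pilot"  # placeholder reverse-DNS identifier, not the pilot's own
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": root,
        "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": "Mobility pilot baseline",
        "PayloadContent": [
            payload("com.apple.mobiledevice.passwordpolicy", root + ".passcode",  # passcode policy
                    forcePIN=True, allowSimple=False, requireAlphanumeric=True,
                    minLength=min_length, minComplexChars=1, maxInactivity=5,
                    maxFailedAttempts=10, maxPINAgeInDays=90, pinHistory=4),
            payload("com.apple.applicationaccess", root + ".restrictions",  # feature enable/disable
                    allowCamera=allow_camera, allowAppInstallation=False,
                    allowiTunes=False, allowScreenShot=False),
            payload("com.apple.wifi.managed", root + ".wifi", SSID_STR=ssid, HIDDEN_NETWORK=True,  # Wi-Fi pre-config
                    EncryptionType="WPA", AutoJoin=True, Password="<wifi-psk-placeholder>"),
        ],
    }
    return plistlib.dumps(profile)

def audit_profile(mobileconfig):
    """Parse a profile and list each way it misses the baseline; an empty list means compliant."""
    profile = plistlib.loads(mobileconfig)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy", {})  # a missing payload fails every check
    findings = []
    for key, want in (("forcePIN", True), ("allowSimple", False), ("requireAlphanumeric", True)):
        if pw.get(key, not want) != want:
            findings.append(f"{key} should be {want}")
    for key, higher_is_stricter, required in PASSCODE_BASELINE:
        actual = pw.get(key)
        if actual is None or (actual < required if higher_is_stricter else actual > required):
            findings.append(f"{key}={actual} misses baseline {required}")
    if by_type.get("com.apple.applicationaccess", {}).get("allowCamera", True):
        findings.append("camera not disabled by restrictions payload")
    return findings
```

A profile pushed by any of the four products can be exported and passed to `audit_profile` to confirm the enforced settings match the intended policy rather than trusting the console view.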