© 2014 IBM Corporation ID611: Mobile Security Roundup Bill Wimer, IBM Senior Technical Staff Paul Miller, IBM Notes Traveler & IMC Development Manager

Tip from IBM Connect 2014: Mobile security roundup


DESCRIPTION

In this tip, session speakers Bill Wimer and Paul Miller detail the out-of-the-box security features for IBM Notes Traveler around connecting devices, restricting access, remote data wipes, device security policies (iOS, Android, Windows Phone, BlackBerry 10, etc.), and attachment security for iOS and Android.


Page 1: Tip from IBM Connect 2014: Mobile security roundup


Page 2: Tip from IBM Connect 2014: Mobile security roundup


IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Please Note

Page 3: Tip from IBM Connect 2014: Mobile security roundup


Out of the box security features

Page 4: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler – Connecting Devices

Data in motion is encrypted
− All device clients support SSL connections
− Notes Traveler server can enforce that an SSL connection is required

Administrator can block devices of a specific type or class ( https://ibm.biz/BdRZSi )

Administrator can require that devices must be pre-approved before they can sync data

Page 5: Tip from IBM Connect 2014: Mobile security roundup


Notes Traveler – Restricting Access

Only users that are authorized to use this server can connect devices to the server

Page 6: Tip from IBM Connect 2014: Mobile security roundup


Notes Traveler – Restricting Access

Require devices to connect from a specific IP address or range of addresses

Page 7: Tip from IBM Connect 2014: Mobile security roundup


Notes Traveler – Restricting Access

Administrator can explicitly deny access to specific devices

Page 8: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler – Remote data wipe

Performed by administrator (admin console) or device owner (self service user page)

Option to erase just Notes Traveler data or reset the device to factory settings

Once wiped, administrator (or user) must clear wipe command

Page 9: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler - Device security policies

Notes Traveler Administrator can define basic device security policies using the Notes Traveler administration console (https://traveler_host/LotusTraveler.nsf)
− If policies change, they are pushed to the devices
− Device enforces policies, locks out the application if device is not compliant

Security capabilities vary slightly by device type

Page 10: Tip from IBM Connect 2014: Mobile security roundup


Notes Traveler – Apple iOS security policies

Most settings enforced using Apple EAS account

Settings apply to entire device, not just PIM account

Page 11: Tip from IBM Connect 2014: Mobile security roundup


Notes Traveler – Windows Phone/RT/Pro security policies

Most settings enforced using EAS account

Settings apply to entire device, not just PIM account

Page 12: Tip from IBM Connect 2014: Mobile security roundup


Notes Traveler – BB10 security policies

Most settings enforced using EAS account

Settings only apply if device is not managed via BES 10

Use BES 10 policies to separate work and personal data

Page 13: Tip from IBM Connect 2014: Mobile security roundup


Notes Traveler – Android security policies

Notes Traveler client installs Android Device Administrator account

Supports both device wide policies and Notes Traveler application only policies

Page 14: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler – Attachment security policies

Problem
− Attachment file data can be “opened in” untrusted or unapproved 3rd party applications
− Business no longer able to control access to the file data
− Could be uploaded to Dropbox or other cloud based service
− Shared with editors that allow “save as” to the SD Card

Solution
− Notes Traveler Attachment Security Policies
− IBM Notes Traveler Clients and Administration updated for 9.0.0.1
− Policy is administered via Notes Traveler web based administration
− Clients Supported
  Apple iOS using Traveler Companion
  Notes Traveler for Android (9.0.0.1+ version)

Page 15: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler – Attachment security policies

Administrator defines attachment handling policies
− View only option for files where the platform supports embedded viewing (iOS)
− Define which applications are allowed to consume attachments (Approved Applications)

Notes Traveler clients modified to recognize attachment policies and limit attachment sharing

Advantages
− Can be used out of the box with a small amount of definition needed by the administrator
− No additional software or hardware requirements (no separate MDM solution needed)
− No application wrapping, app vendor integration or testing of wrapped applications required
− Able to leverage built-in viewer technology on iOS

Page 16: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler – Attachment security policies

Traveler administrator enables a policy to only allow built-in viewers or approved applications to access attachments

Android

Apple iOS

Page 17: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler – Attachment security policies

Notes Traveler clients enforce that attachments can only be shared with applications in this list

Changes to Approved Application list are pushed to clients

Notes Traveler administrator defines list of Approved Applications for attachment handling

If no applications are defined, only built-in viewers are allowed (where supported)

Page 18: Tip from IBM Connect 2014: Mobile security roundup

Notes Traveler – Attachment security for Android

User clicks on attachment in email. If Approved Applications are installed, user selects which application to use to view the file.

Only viewers defined by the administrator as an Approved Application are considered for file handling.

Allows for disconnected viewing/handling of attachments

3rd party viewer unless open document format (Lotus Symphony)

Page 19: Tip from IBM Connect 2014: Mobile security roundup

Attachment security for iOS

No file attachments are present in the Apple iOS mailbox

Built-in viewing scenario
File data never leaves Companion

Traveler Companion App
Apple iOS Email App

Supported document types
− Microsoft Office documents
− Rich Text Format (RTF) documents
− PDF files
− Images
− iWork documents
− Text files
− Comma-separated value (csv) files

Page 20: Tip from IBM Connect 2014: Mobile security roundup

Attachment security for iOS

Traveler Companion using Approved Applications
− Open In menu will display all possible apps, as there is no way to suppress individual apps from the list
− If user selects an app that is not approved, Open In operation fails with message
− Apps defined using Approved Applications use Open In normally

Long Press

Page 21: Tip from IBM Connect 2014: Mobile security roundup


© Copyright IBM Corporation 2014. All rights reserved.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, Domino and Notes are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

MobileIron is a trademark of MobileIron, LLC.

Airwatch is a trademark of Skysocket, LLC.

Fiberlink is a trademark of Fiberlink Communications Corporation.

Other company, product, or service names may be trademarks or service marks of others.

Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Acknowledgements and Disclaimers