This document discusses IBM's endpoint management solution called Tivoli Endpoint Manager. It provides unified device management across environments from servers to smartphones. It gives IT visibility, speed, control and precision to manage assets. Key capabilities include systems lifecycle management, security and compliance management, patch management, and mobile device management. The solution uses a single intelligent agent and cloud-based infrastructure to manage assets from a single server and console. It helps organizations address the challenges of BYOD and a globally distributed IT environment.
1. “BYOD – So What?”
UNIFIED Device Management across your environment: From Server to Smartphone.
Keith Poyser.
Director: IBM Mobility and End Point.
UKI, SPGI, NORDICS, BENELUX.
IBM.
2. Visibility is key in a constantly changing, distributed world
Critical systems are globally distributed and in constant flux.
• Find all assets on your network – NOW!
• Patch hundreds of thousands of workstations, laptops and servers in minutes.
• Deploy a software application worldwide in days.
• Find, Manage and Secure your BYOD and Smart Devices.
• Patch anywhere, anytime over any network.
• Continuously enforce security configuration baselines, even on mobile and off-network devices.
4. What Does End Point Manager Do?
• Gives IT the visibility, speed, adaptability, control, and precision to do more with less
• Packaged Specific Solution Areas:
– Systems Lifecycle Management
– Core Protection & DLP & DC
– Security & Compliance Management
– Patch Management (s/alone)
– Power Management (s/alone)
– Mobile Device Management
– Software Use Analysis
• As well as solving unforeseen problems such as…
RESULTS IN MINUTES:
• How many machines are hardware-compatible with Win7?
• Which laptops are affected by a manufacturer’s battery recall?
• What software are we paying for vs. what we’re using? What is installed on employee Mobile Devices?
RESULTS IN MINUTES:
• Automatically target machines for migration that are hardware-ready
• Precisely manage battery/hw replacements
• Reduce software spend based on accurate usage patterns
5. End Point Manager: Secret Sauce….
Lightweight, Robust Infrastructure
• Use existing systems as Relays
• Built-in redundancy
• Support/secure roaming endpoints
Cloud-based Content Delivery
• Highly extensible
• Automatic, on-demand functionality
Single Server & Console
• Highly secure, highly scalable
• Aggregates data, analyzes & reports
• Pushes out pre-defined/custom policies
Single Intelligent Agent
• Performs multiple functions
• Continuous self-assessment & policy enforcement
• Minimal system impact (< 2% CPU)
6. Tivoli Endpoint Manager, built on BigFix technology: Converged Capability.
Tivoli Endpoint Manager: unifying IT operations and security.
IT Operations Solutions
• Tivoli Endpoint Manager for Lifecycle Management
• Tivoli Endpoint Manager for Mobile Device Management
• Tivoli Endpoint Manager for Patch Management
• Tivoli Endpoint Manager for Power Management
• Tivoli Endpoint Manager for Software Use Analysis
IT Security Solutions
• Tivoli Endpoint Manager for Security and Compliance
• Tivoli Endpoint Manager for Core Protection
• Tivoli Endpoint Manager for Mobile Device Management
• Tivoli Endpoint Manager for Patch Management
7. BYOD and Mobile is a mandatory transformation
• 10 Billion devices by 2020
• 61% of CIOs put mobile as priority
• 45% increased productivity with mobile apps
8. Traditional Endpoint Management vs. Mobile Device Management
Traditional Endpoint Management
• Device inventory
• OS provisioning
• Patching
• Power Mgmt
• Anti-Virus Mgmt
• Integration with internal systems
• Scalable/Secure solution
• Easy-to-deploy
• Multiple OS support
• Consolidated infrastructure
Mobile Device Management
• Security policy mgmt
• Application mgmt
• Device config (VPN/Email/Wifi)
• Encryption mgmt
• Roaming device support
• Enterprise App store
• Self-service portal
• Device Wipe
• Location info
• Jailbreak/Root detection
9. Benefits of an Endpoint Manager based Approach to Mobile Device Management
“Organizations…would prefer to use the same tools across PCs, tablets and smartphones, because it's increasingly the same people who support those device types”
– Gartner, PCCLM Magic Quadrant, January 2011
“Although at some level mobile is unique, the devices are just another form of endpoints in your infrastructure. This means whichever technologies you procure should have a road map for integration into your broader endpoint protection strategy.”
– Forrester, Market Overview: Mobile Security, Q4, 2011
Reduces Hardware & Administration Costs
• “Single pane” for mobile devices, laptops, desktops, and servers
• Single Endpoint Manager Server scales to 250,000+ devices
• Unified infrastructure/administration model reduces FTE requirements
Fast Time-to-Value
• Enterprise-grade APIs enable integration with service desks, CMDBs, etc (Integrated Service Management)
• Cloud-based content delivery model allows for rapid updates with no software upgrade or installation required
10. Mobile OS vendors move very quickly
                              Microsoft Windows   Apple iOS   Google Android
Release Year                  1985                2007        2008
# of Versions                 11 *                6 **        10 ***
Versions per Year             0.4                 1.2         2.5
OS “velocity” vs. Microsoft   -                   3x          6.3x
Google and Apple have released major Android and iOS versions 6x and 3x faster, respectively, than Microsoft has released major Windows PC versions.
How quickly does your management vendor support new OS versions?
* Microsoft Windows 1.0, 2.0, 3.0, 95, 98, 2000, ME, XP, Vista, 7, 8; excludes server platforms
** Apple iOS 1, 2, 3, 4, 5, 6
*** Google Android 1.0, 1.1, Cupcake, Donut, Éclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean
11. Mobile devices magnify existing challenges and also pose unique ones that significantly disrupt traditional management paradigms
Traditional Mgmt Model | New Device Mgmt Paradigm
Enterprises provide all equipment | Employees bring personal devices (BYOD)
Small set of supported platforms / models | Many different manufacturers / models
IT initiates and manages upgrades | OS/app upgrades managed by carriers, OEMs, users
IT tightly controls apps and security | Users control their own devices
Options for IT departments
• Don’t allow mobile devices because they are too hard to manage
• Allow unmanaged and insecure mobile devices
• Invest in tools to secure and manage devices
12. Management capabilities vary greatly by mobile operating system, but one thing is consistent – the user is king
(Per management function: is it supported by Apple, and by Google? The yes/no icons did not survive extraction; the notes for each vendor follow.)
Selectively Wipe Mail / Calendar / Contacts
– Apple: Standard part of Apple’s MDM interface.
– Google: Android doesn’t have a native email client that supports selective wipe, so integration with 3rd-party email clients (e.g., Lotus Traveler or NitroDesk TouchDown) is necessary.
Forcibly Install Apps
– Apple: iOS doesn’t currently support forcible app install without user permission, so enterprise app store approach is needed.
– Google: “Vanilla” Android doesn’t currently support forcible app install without user permission, so enterprise app store approach is needed.
Forcibly Uninstall Apps
– Apple: With iOS 5, apps (both public and private) provisioned via the enterprise app store can be uninstalled remotely without user intervention.
– Google: “Vanilla” Android doesn’t currently support forcible app uninstall without user permission.
Remote Control
– Apple: Apps are sandboxed – there is no ability for an app to gain visibility/control over the entire device.
– Google: “Vanilla” Android doesn’t currently support remote control.
13. Apple enables remote management of its capabilities via one set of remote APIs for all MDM vendors, while Google allows on-device, agent-based management
Sample of Apple Capabilities (diagram not reproduced)
14. Data Separation
1. Native Data Separation
• Based on platform-specific APIs from OS vendors or from OEMs (Samsung, Lenovo, etc)
• Preserves native user experience
(Diagram: Personal Apps and Enterprise Apps, Personal Data and Enterprise Data, on top of Operating System and Hardware; contrasted with “No Data Separation”: Native Apps on top of Operating System and Hardware)
2. 3rd-Party Separation Apps
• 3rd-party app acts as container and replicates native OS functionality such as email, calendar, contacts
• Some apps live in container
• Disrupts native user experience
(Diagram: Container holding Enterprise & Personal Apps, on top of Operating System and Hardware)
3. Virtualization
• Hypervisor layer allows separate OSes
• Currently possible on Android
(Diagram: Personal Domain OS and Enterprise Domain OS, on top of Hypervisor and Hardware)
15. IBM’s Approach to Managing BYOD
• Deploy a secure technology framework: “Shark Cage”!
• Leverage the SAME Technology Framework as Desktop Management
• Develop a strong usage policy
• Educate employees
– Digital IBMer Education
– Business Conduct Guidelines
• Support personally-owned devices through social software
16. Tivoli Endpoint Manager in IBM Globally on Desktops
3Q 2010 Normalized ITMS infections (similar results through Q4/2010)
IBM CIO Office pilot
Normalized: ITMS detected malware per country divided by number of employees per country
17. IBM Pilot Desktops Production results
BAU | BigFix
Patch availability typically 3-14+ days | Patch availability within 24 hours
92% compliance within 5 days (ACPM only) | 98% within 24 hours
EZUpdate sometimes misses application of patches on required machines | Detected about 35% of participants missing at least one previous patch
Compliance model, completely reliant on user | 90% of Windows requirements can be automatically remediated
Exceptions at machine level | Exceptions at setting level
18. IBM Office of the CIO then includes Mobile…
Extending Corporate Access
“IBM's BYOD program really is about supporting employees in the way they want to work. They will find the most appropriate tool to get their job done. I want to make sure I can enable them to do that, but in a way that safeguards the integrity of our business.”
– Jeanette Horan, IBM CIO
Customer Needs
• Support BYOD for a variety of mobile platforms securely for a highly mobile population
• Scale to hundreds of thousands of devices
Key Features & Outcomes
• 120,000 mobile devices, 80,000 personally owned, supported in months
• Integrated Lotus Traveler, IBM Connections, IBM Sametime, and IBM Endpoint Manager
19. Tivoli Endpoint Manager: Lifecycle, Security and Compliance
From Datacentre to Desktop to Device.
See More, Secure More; We Guarantee it….
• Patch Management
• Security Config Mgmt
• Vulnerability Mgmt
• Asset Mgmt
• Network Self-Quarantine
• Multi-Vendor Endpoint Protection Mgmt
• Anti-Malware & Web Reputation Service, D.C and DLP.
• Software Distribution
• O.S Distribution
• Mobile Device Management
Discover 10% - 30% more assets than previously reported.
Library of 5,000+ compliance settings, including support for FDCC SCAP, DISA STIG.
Automatically and continuously enforce policy at the end point.
Achieve 95%+ first-pass success rates within hours of policy or patch deployment.
20. Thank You !
Keith Poyser.
Director: IBM Mobility and End Point.
UKI, SPGI, NORDICS,BENELUX.
IBM.
+447711 773878 / keith.poyser@uk.ibm.com
Editor’s notes
Single agent, single server so.. Extreme Scale, Extreme Speed (impl, exec, remed) + VISIBILITY TO EDGE. Heterogeneous, Distributed networks. Proactive V’s Reactive. ZERO DAY TO SEMI STRUCTURED. Converging Security and System Management. JOBURG EXAMPLE + LAPTOP AND PHONE QUESTION.
SO NOW YOU KNOW WHERE BIGFIX FITS WITHIN THE TIVOLI FRAMEWORK. WE ARE IN THE BUSINESS OF SOLVING PROBLEMS. IT IS IN THE BUSINESS OF MAKING SURE THE LIGHTS ARE ON. UNDERSTAND WHAT IS THERE, FIX PROBLEMS, STANDARDISE, MANAGE. WE WORK THROUGH POLICY BASED CONTENT. ARE MACHINES ? IS THEIR POWER MANAGED ? DO THEY HAVE UP TO DATE AV ? ARE YOU COMPLIANT WHETHER ON OR OFF LINE ? DO YOU HAVE HARDWARE COMPATIBILITY FOR WINDOWS 7 ? WHAT IS AFFECTED BY THE DELL HARDWARE RECALL ?
• Cost-effective scalability
• Support for roaming and remote endpoints
• Single, multi-purpose agent
• Unified management of heterogeneous platforms
• Single console for endpoint security and systems mgmt
• Distributed intelligence
• Real-time inventory and asset discovery
• Product certifications
• Secure PKI infrastructure
• Ad-hoc IT Query Support
• Closed loop change confirmation
MIXED BANDWIDTH, MIXED DEVICES, INTERMITTENTLY CONNECTED. WE ARE RADICALLY DIFFERENT FROM EVERYONE ELSE. CUSTOMER HQ AND NICE PRIOR HISTORIC PERIMETER BASED SECURITY MODEL NO LONGER EXISTS AND OLD TECH BREAKS IN THE NEW WORLD! AGENTS ARE SMART AND ENFORCE POLICY, NOT SERVER SCAN BASED. (NAME/ CINEMA EXAMPLE). CDN LIKE POINT FOR CACHING.
Most enterprise networks are highly distributed. Users are connecting to your HQ site from across the Internet, while on the road, and also from remote offices – which makes security and systems management extremely challenging. Additionally, most enterprise networks have bandwidth constraints – over wireless, shared MPLS, satellite links, etc – which makes pushing fat software packages and security patches over these latency-prone links a huge burden for the IT organization. Moreover, many of these devices are intermittently connected – particularly those roaming laptops – which makes validating and updating their configuration virtually impossible. Finally, most enterprises have many different types of servers, desktops, laptops and handheld devices, making cross-platform support a must for any security and systems management solution.
Unlike alternative solutions, BigFix was purpose-built to work efficiently within these types of environments. As you can see from the diagram, BigFix Agents can be deployed on all types of devices, whether those are running Windows, Windows Mobile, different flavors of UNIX, Linux and Mac. The BigFix Agent is the “brains” of the BigFix Unified Management Platform and continuously assesses the state of the endpoint against policy, whether connected to the network or not. As soon as it notices that an endpoint is out of compliance with a policy or checklist, it informs the BigFix server and executes the configured remediation strategy, and immediately notifies the BigFix Server of task status (completed, in process, not completed).
The BigFix Server manages policy content – delivered in messages called “BigFix Fixlets” and updated continuously via the BigFix Content Delivery cloud-based service – and enables the BigFix Operator to maintain real-time visibility and control over all devices in the environment – including instantaneous discovery of devices that aren’t managed by BigFix. Because most of the analysis, processing and enforcement work is done by the BigFix Agent rather than the Server, ONE BigFix Server can support more than 200K endpoints, enabling customers to make the most of their security and systems management investment. Whatever specific BigFix solution a customer uses – whether it’s endpoint protection, systems lifecycle management or security configuration and vulnerability management – it’s delivered via a single management console view. Additionally, new services can be provisioned and delivered via the BigFix Content Delivery cloud with no additional hardware or software installations or network changes.
Deployment is straightforward, and is typically completed within hours or days. Agents can automatically be installed within minutes, without disrupting end-users. Additionally, most customers deploy BigFix Relays to help manage distributed devices and policy content and, as you can see in the diagram, an existing workstation can be leveraged for this purpose. Promoting an Agent to a Relay takes minutes and doesn’t require dedicated hardware or network configuration changes. It’s entirely up to the customer how many Relays to deploy and where they’d like to place them; however, we can certainly make recommendations based on business and technical considerations.
In addition to caching patches and other software updates close to end user devices, BigFix Relays manage the bandwidth used by BigFix to ensure that systems and security management tasks don’t consume all available network bandwidth. To a world accustomed to multiple, fragmented technologies and point solutions, BigFix offers an alternative: the industry’s only single-console, single-agent platform that addresses operations, security and compliance initiatives in real-time and at global scale. HIGHLY EXTENSIBLE – AUTO ON DEMAND FUNCTIONALITY ADD WITH JUST SWITCH ON CONTENT.
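The notes above describe the split the platform relies on: relevance is evaluated by the agent on the endpoint, remediation runs locally, and only a per-item status (completed / not completed) goes back to the server, even for roaming devices that are off-network at assessment time. The following is a constructed toy model of that split, added here for illustration; it is not BigFix or TEM code, and the fixlet ids, endpoint facts and relevance checks are all made-up placeholders.

```python
"""Constructed toy model of the agent/server split described in the notes above.
Not TEM/BigFix code: a policy item ("fixlet") carries a relevance check that
runs on the endpoint, the agent remediates locally and queues a per-item status
(completed / not completed) for the server, uploading only when connected."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Fixlet:
    fixlet_id: str
    relevance: Callable[[dict], bool]   # True when the endpoint is out of compliance
    remediate: Callable[[dict], None]   # action applied to the endpoint state


@dataclass
class Agent:
    host: str
    state: dict                         # constructed endpoint facts
    connected: bool = True
    outbox: List[Dict[str, str]] = field(default_factory=list)  # reports awaiting upload

    def assess(self, policy: List[Fixlet]) -> List[str]:
        """Relevance is evaluated on the endpoint, not by a server-side scan."""
        return [f.fixlet_id for f in policy if f.relevance(self.state)]

    def enforce(self, policy: List[Fixlet]) -> List[Dict[str, str]]:
        """Remediate every relevant item and queue one status report per item."""
        reports = []
        for f in policy:
            if not f.relevance(self.state):
                continue
            try:
                f.remediate(self.state)
                # re-check relevance: the action only counts if it cleared the condition
                status = "completed" if not f.relevance(self.state) else "not completed"
            except Exception:
                status = "not completed"
            reports.append({"host": self.host, "fixlet": f.fixlet_id, "status": status})
        self.outbox.extend(reports)
        return reports

    def flush(self, server: List[Dict[str, str]]) -> int:
        """Deliver queued reports only when on-network; returns the number delivered."""
        if not self.connected:
            return 0
        delivered = len(self.outbox)
        server.extend(self.outbox)
        self.outbox.clear()
        return delivered


def _encrypt_disk(s: dict) -> None:
    if not s["tpm"]:                    # hardware precondition the action cannot satisfy
        raise RuntimeError("no TPM present")
    s["disk_encrypted"] = True


# constructed policy content (hypothetical ids, not real fixlets)
POLICY = [
    Fixlet("MS-KB0001", lambda s: "KB0001" not in s["patches"], lambda s: s["patches"].add("KB0001")),
    Fixlet("AV-SIGS-STALE", lambda s: s["av_sig_age_days"] > 7, lambda s: s.update(av_sig_age_days=0)),
    Fixlet("SCREENLOCK", lambda s: not s["screen_lock"], lambda s: s.update(screen_lock=True)),
    Fixlet("DISK-ENCRYPT", lambda s: not s["disk_encrypted"], _encrypt_disk),
]


def run_demo() -> dict:
    """Roaming laptop: assessed and remediated offline, reports delivered on reconnect."""
    server: List[Dict[str, str]] = []
    laptop = Agent("laptop-01", {"patches": set(), "av_sig_age_days": 12, "screen_lock": True,
                                 "disk_encrypted": False, "tpm": False}, connected=False)
    needed = laptop.assess(POLICY)
    laptop.enforce(POLICY)
    offline = laptop.flush(server)      # 0: nothing leaves the device while off-network
    laptop.connected = True
    online = laptop.flush(server)
    return {"needed": needed, "offline": offline, "online": online,
            "server": server, "still_needed": laptop.assess(POLICY)}
```

The "not completed" report for the disk-encryption item is the part worth noticing: the server learns that the endpoint could not be brought into compliance without ever having scanned it itself.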
NOTE: CLICKING ON THE GRAPHIC WILL BRING UP A SHORT VIDEO IF YOU HAVE AN INTERNET CONNECTION.
The explosion of capable, connected smartphones and tablets is changing the way IBM employees want to work. Like most enterprises around the world, IBM is experiencing rapid growth in requests from employees who want to use their personal mobile devices — smartphones, tablets, even personally owned laptops — to access the data and applications they need to do their jobs. The profile of these mobile users is changing as well, further driving demand for any device, anytime access to work email, calendar, contacts, IM and collaboration applications (like Sametime, Connections, and integrated Lotus Traveler) as well as the information on IBM’s vast intranet. No longer limited to salespeople and executives who spend much of their time away from an office, employees seeking mobile access today could be any IBMer who wants more flexibility to balance work and personal life. And many want to bring their own device (BYOD) to work – something we recognized we needed to get ahead of. We figured that if we don’t support these employee-owned devices, employees would figure out how to support them themselves, potentially putting corporate information at risk.
Some of the challenges faced by our CIO Office were to accommodate requests for broad mobile access from a multitude of devices while protecting enterprise data, delivering business value while safeguarding the integrity of our business, and defining a mobile strategy that can adapt to changing technologies – and be able to scale to accommodate hundreds of thousands of devices. IBM began its assessment and planning for deploying mobile devices for its employees back in 1999, as we envisioned the benefits – and the challenges – of securely delivering a mobile infrastructure to our very large workforce.
IBM Global Technology Services has helped design and support IBM’s internal mobile infrastructure and manage device, application, networking and collaboration for social business all along this journey. In addition to supporting mobile collaboration tools, we are managing mobile devices using tools like the IBM Endpoint Manager platform, which allows us to wipe devices in the event they are lost or stolen, or if the employee leaves the company. Like other enterprises, one of the top concerns keeping our CIO up at night has been how to secure the mobile network, devices, data, and applications. Our services teams are moving fast to support the proliferation of devices and mobile operating systems to keep up with employee demand. And our mobile strategy and deployment is managed by the same IBM Global Technology Services delivery organization that supports IBM’s commercial Mobile Enterprise Services clients.
Good content to help you prepare to deliver the IBM mobile deployment story is available in the new profile video, case study, and this Computerworld article:
Article: http://www.computerworld.com/s/article/9225563/IBM_CIO_discusses_Big_Blue_39_s_BYOD_strategy
Video: http://www.youtube.com/watch?v=w5_QrFjg4yE
Case Study: http://public.dhe.ibm.com/common/ssi/ecm/en/enc03011usen/ENC03011USEN.PDF
The Security and Compliance offering includes these sorts of capabilities:
• Security Configuration Management – maps to desktop configuration standards such as FDCC, SCAP, DISA STIGs, etc and provides for custom-mapping to other standards such as PCI, HIPAA/HITECH, etc.
• Vulnerability Mgmt
• Asset Discovery
• Patch Management – for OS updates as well as third party application updates to protect against Adobe, Firefox, IE, Quicktime and other vulnerabilities/exploits
• Client Manager for Endpoint Protection – where multiple third party AV products can be monitored and managed via the TEM console; for those customers who are interested in migrating from one AV to another, this functionality is also very useful. BTW, we also have an optional add-on AV product through Trend Micro called CPM.
• Network Self Quarantine (IPSEC) – our version of NAC where we can quarantine infected machines within minutes while we remediate them and allow access back to the network.
The really cool thing about this technology is that a customer can choose any of the four to start with and then add on functionality later – without installing software, without making network configuration changes, without even rebooting a single machine… this is not possible with any other type of management solution. This is a key differentiator that should make Tivoli sellers very happy since it gives them a straightforward upsell/cross-sell approach.