BYOD Management Made Easy
•Als PPTX, PDF herunterladen•
1 gefällt mir•841 views
This document discusses IBM's endpoint management solution called Tivoli Endpoint Manager. It provides unified device management across environments from servers to smartphones. It gives IT visibility, speed, control and precision to manage assets. Key capabilities include systems lifecycle management, security and compliance management, patch management, and mobile device management. The solution uses a single intelligent agent and cloud-based infrastructure to manage assets from a single server and console. It helps organizations address the challenges of BYOD and a globally distributed IT environment.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (19)
Ähnlich wie BYOD Management Made Easy
Ähnlich wie BYOD Management Made Easy (20)
Mehr von IBM Sverige
Mehr von IBM Sverige (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
BYOD Management Made Easy
- 1. “BYOD – So What ?” UNIFIED Device Management across your environment: From Server to Smartphone. Keith Poyser. Director: IBM Mobility and End Point. UKI, SPGI, NORDICS,BENELUX. IBM.
- 2. Visibility is key in a constantly changing, distributed world Critical systems are globally distributed and in constant flux Patch hundreds of thousands Find all assets on your of workstations, laptops and network – NOW! servers in minutes. Find, Manage and Secure your Deploy a software BYOD and Smart Devices application worldwide in days. Continuously enforce security configuration baselines, even Patch anywhere, anytime over any on mobile and off-network network. devices.
- 3. End Point Manager: The Power of One
- 4. What Does End Point Manager Do? RESULTS IN MINUTES: • Gives IT the visibility, speed, adaptability, • How many machines are hardware-compatible control, and precision to do more with less with Win7? • Which laptops are affected by a manufacturer’s • Packaged Specific Solution Areas: battery recall? – Systems Lifecycle Management • What software are we paying for vs. what we’re – Core Protection & DLP & DC using? What is installed on employee Mobile Devices ? – Security & Compliance Management – Patch Management (s/alone) – Power Management (s/alone) RESULTS IN MINUTES: – Mobile Device Management • Automatically target machines for migration that are hardware-ready – Software Use Analysis • Precisely manage battery/hw replacements • As well as solving unforeseen • Reduce software spend based on accurate problems such as… usage patterns 4
- 5. End Point Manager : Secret Sauce…. Lightweight, Robust Infrastructure • Use existing systems as Relays • Built-in redundancy Cloud-based Content Delivery • Support/secure roaming endpoints • Highly extensible • Automatic, on-demand functionality Single Server & Console • Highly secure, highly scalable • Aggregates data, analyzes & reports • Pushes out pre-defined/custom policies Single Intelligent Agent • Performs multiple functions • Continuous self-assessment & policy enforcement • Minimal system impact (< 2% CPU) 5
- 6. Tivoli Endpoint Manager, built on BigFix technology: Converged Capability. Tivoli Tivoli Endpoint Manager Endpoint Manager IT Operations Solutions Unifying IT IT Security Solutions operations and Tivoli Endpoint Manager for Lifecycle Management security Tivoli Endpoint Manager for Security and Compliance Tivoli Endpoint Manager for Mobile Device Tivoli Endpoint Manager Management for Core Protection Tivoli Endpoint Manager Tivoli Endpoint Manager for Patch Management for Mobile Device Management Tivoli Endpoint Manager for Power Management Tivoli Endpoint Manager for Patch Management Tivoli Endpoint Manager for Software Use Analysis
- 7. BYOD and Mobile is a mandatory transformation 10 Billion devices by 2020 61% of CIOs put mobile as priority 45% increased productivity with mobile apps
- 8. Traditional Endpoint Management Mobile Device Management Device inventory Security policy mgmt OS provisioning Application mgmt Device Wipe Patching Device config (VPN/Email/Wifi) Location info Power Mgmt Encryption mgmt Jailbreak/Root Anti-Virus Mgmt Roaming device support detection Integration with internal systems Enterprise App store Scalable/Secure solution Self-service Easy-to-deploy portal Multiple OS support Consolidated infrastructure
- 9. Benefits of an Endpoint Manager based Approach to Mobile Device Management “Organizations…would prefer to use the same tools across PCs, tablets and smartphones, because it's increasingly the same people who support those device types” – Gartner, PCCLM Magic Quadrant, January 2011 Although at some level mobile is unique, the devices are just another form of endpoints in your infrastructure. This means whichever technologies you procure should have a road map for integration into your broader endpoint protection strategy. – Forrester, Market Overview: Mobile Security, Q4, 2011 Reduces Hardware & Fast Time-to-Value Administration Costs • “Single pane” for mobile devices, • Enterprise-grade APIs enable laptops, desktops, and servers integration with service desks, • Single Endpoint Manager Server CMDBs, etc (Integrated Service scales to 250,000+ devices Management) • Unified • Cloud-based content delivery infrastructure/administration model allows for rapid updates model reduces FTE requirements with no software upgrade or installation required 9
- 10. Mobile OS vendors move very quickly Microsoft Windows Apple iOS Google Android Google and Apple have released2007 Release Year 1985 major Android and 2008 iOS versions 6x and 3x faster, respectively, than # of Versions 11 6 10 * ** *** Versions per Year 0.4 1.2 2.5 Microsoft has released major Windows PC versions OS “velocity” vs. - 3x 6.3x Microsoft How quickly does your management vendor support new OS versions? * Microsoft Windows 1.0, 2.0, 3.0, 95, 98, 2000, ME, XP, Vista, 7, 8; excludes server platforms ** Apple iOS 1, 2, 3, 4, 5, 6 *** Google Android 1.0, 1.1, Cupcake, Donut, Éclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean
- 11. Mobile devices magnify existing challenges and also pose unique ones that significantly disrupt traditional management paradigms Traditional Mgmt Model New Device Mgmt Paradigm Enterprises provide all equipment Employees bring personal devices (BYOD) Small set of supported platforms / models Many different manufacturers / models IT initiates and manages upgrades OS/app upgrades managed by carriers, OEMs, users IT tightly controls apps and security Users control their own devices Options for IT departments Don’t allow mobile devices because they are too hard to manage Allow unmanaged and insecure mobile devices Invest in tools to secure and manage devices
- 12. Management capabilities vary greatly by mobile operating system, but one thing is consistent – the user is king Management Supported by Supported by Notes Notes Function Apple? Google? Android doesn’t have a native email client that Selectively Wipe Mail / Standard part of Apple’s MDM supports selective wipe, so integration with 3rd- Calendar / Contacts interface party email clients (e.g., Lotus Traveler or NitroDesk TouchDown) is necessary iOS doesn’t currently support forcible “Vanilla” Android doesn’t currently support app install without user permission, so Forcibly Install Apps forcible app install without user permission, so enterprise app store approach is enterprise app store approach is needed. needed. With iOS 5, apps (both public and Forcibly Uninstall private) provisioned via the enterprise “Vanilla” Android doesn’t currently support Apps app store can be uninstalled remotely forcible app uninstall without user permission. without user intervention Apps are sandboxed – there is no “Vanilla” Android doesn’t currently support Remote Control ability for an app to gain remote control visibility/control over the entire device
- 13. Apple enables remote management of its capabilities via one set of remote APIs for all MDM vendors, while Google allows on-device, agent-based management Sample of Apple Capabilities
- 14. Data Separation Native Data Separation Personal Apps Enterprise Apps Based on platform-specific APIs Enterprise Data 1 from OS vendors or from OEMs (Samsung, Lenovo, etc) Personal Data Operating System Preserves native user experience Hardware No Data Separation 3rd-Party Separation Apps Container Native Enterprise & Personal Apps 3rd-party app acts as container and Apps replicates native OS functionality 2 such as email, calendar, contacts Some apps live in container Operating System Disrupts native user experience Operating System Hardware Hardware Virtualization Personal Domain Enterprise Domain Hypervisor layer allows separate 3 OSes Currently possible on Android OS OS Hypervisor Hardware
- 15. IBM’s Approach to Managing BYOD • Deploy a secure technology framework: “Shark Cage”! • Leverage the SAME Technology Framework as Desktop Management • Develop a strong usage policy • Educate employees – Digital IBMer Education – Business Conduct Guidelines • Support personally-owned devices through social software
- 16. Tivoli Endpoint Manager in IBM Globally on Desktops 3Q 2010 Normalized ITMS infections (similar results through Q4/2010) IBM CIO Office pilot Normalized: ITMS detected malware per country divided by number of employees per country
- 17. IBM Pilot Desktops Production results BAU BigFix Patch availability typically 3-14+ days Patch availability within 24 hours 92% compliance within 5 days (ACPM only) 98% within 24 hours EZUpdate sometimes misses application of Detected about 35% of participants missing at patches on required machines least one previous patch Compliance model, completely reliant on user 90% of Windows requirements can be automatically remediated Exceptions at machine level Exceptions at setting level
- 18. IBM Office of the CIO then includes Mobile… Extending Corporate Access “IBM's BYOD program “really is about supporting employees in the way they want to work. They will find the most appropriate tool to get their job done. I want to make sure I can enable them to do that, but in a way that safeguards the integrity of our business.” Jeanette Horan, IBM CIO Customer Needs Key Features & Outcomes Support BYOD for a variety of mobile 120,000 mobile devices, 80,000 personally platforms securely for a highly mobile owned, supported in months population Integrated Lotus Traveler, IBM Connections, Scale to hundreds of thousands of devices IBM Sametime, and IBM Endpoint Manager
- 19. Tivoli Endpoint Manager: Lifecycle, Security and Compliance From Datacentre to Desktop to Device. See More, Secure More; We Guarantee it…. • Patch Management • Security Config Mgmt Discover 10% - 30% Library of 5,000+ compliance • Vulnerability Mgmt more assets than settings, including support for • Asset Mgmt previously reported FDCC SCAP, DISA STIG • Network Self- Quarantine • Multi-Vendor Endpoint Protection Mgmt • Anti-Malware & Web Automatically and Achieve 95%+ first-pass Reputation Service, continuously enforce success rates within hours D.C and DLP. policy at the end point of policy or patch • Software Distribution deployment • O.S Distribution • Mobile Device Management
- 20. Thank You ! Keith Poyser. Director: IBM Mobility and End Point. UKI, SPGI, NORDICS,BENELUX. IBM. +447711 773878 / keith.poyser@uk.ibm.com
Hinweis der Redaktion
- Single agent, single server so..ExtremeScaleExtreme Speed (impl, exec, remed) + VISIBILITY TO EDGEHeterogeneous, Distributed networks.Proactive V’s Reactive. ZERO DAY TO SEMI STRUCTURED.Converging Security and System ManagementJOBURG EXAMPLE + LAPTOP AND PHONE QUESTION
- SO NOW YOU KNOW WHERE BIGFIX FITS WITHIN THE TIVOLI FRAMEWORK.WE ARE IN THE BUSINESS OF SOLVING PROBLEMSIT IS IN THE BUSINESS OF MAKING SURE THE LIGHTS ARE ON.UNDERSTAND WHAT IS THERE, FIX PROBLEMS, STANDARDISE, MANAGE.WE WORK THROUGH POLICY BASED CONTENT.ARE MACHINES ? IS THEIR POWER MANAGED ? DO THEY HAVE UP TO DATE AV ? ARE YOU COMPLIANT WHETHER ON OR OFF LINE ? DO YOU HAVE HARDWARE COMPATIBILITY FOR WINDOWS 7 ? WHAT IS AFFECTED BY THE DELL HARDWARE RECALL ?Cost-effective scalabilitySupport for roaming and remote endpointsSingle, multi-purpose agentUnified management of heterogeneous platformsSingle console for endpoint security and systems mgmtDistributed intelligenceReal-time inventory and asset discoveryProduct certificationsSecure PKI infrastructureAd-hoc IT Query SupportClosed loop change confirmation
- MIXED BANDWIDTH, MIXED DEVICES, INTERMITANTLY CONNECTED.WE ARE RADICALLY DIFFERENT FROM EVERYONE ELSE.CUSTOMER HQ AND NICE PRIOR HISTORIC PERIMETER BASED SECURITY MODEL. NO LONGER EXISTS AND OLD TECH BREAKS IN THE NEW WORLD!AGENTS ARE SMART AND ENFORCE POLICY, NOT SERVER SCAN BASED. (NAME/ CINEMA EXAMPLE).CDN LIKE POINT FOR CACHING.Most enterprise networks are highly distributed. Users are connecting to your HQ site from across the Internet, while on the road, and also from remote offices – which makes security and systems management extremely challenging. Additionally, most enterprise networks have bandwidth constraints – over wireless, shared MPLS, satellite links, etc - which makes pushing fat software packages and security patches over these latency-prone links a huge burden for the IT organization. Moreover, many of these devices are intermittently connected – particularly those roaming laptops – which makes validating and updating their configuration virtually impossible. Finally, most enterprises have many different types of servers, desktops, laptops and handheld devices, making cross-platform support a must for any security and systems management solution.Unlike alternative solutions, BigFix was purpose-built to work efficiently within these types of environments. As you can see from the diagram, BigFix Agents can be deployed on all types of devices, whether those are running Windows, Windows Mobile, different flavors of UNIX, Linux and Mac. The BigFix Agent is the “brains” of the BigFix Unified Management Platform and continuously assesses the state of the endpoint against policy, whether connected to the network or not. As soon as it notices that an endpoint is out of compliance with a policy or checklist, it informs the BigFix server and executes the configured remediation strategy, and immediately notifies the BigFix Server of task status (completed, in process, not completed).The BigFix Server manages policy content – delivered in messages called “BigFixFixlets” and updated continuously via the BigFix Content Delivery cloud-based service – and enables the BigFix Operator to maintain real-time visibility and control over all devices in the environment – including instantaneous discovery of devices that aren’t managed by BigFix. Because most of the analysis, processing and enforcement work is done by the BigFix Agent rather than the Server, ONE BigFix Server can support more than 200K endpoints, enabling customers to make the most of their security and systems management investment. Whatever specific BigFix solution a customer uses – whether it’s endpoint protection, systems lifecycle management or security configuration and vulnerability management – it’s delivered via a single management console view. Additionally, new services can be provisioned and delivered via the BigFix Content Delivery cloud with no additional hardware or software installations or network changes.Deployment is straightforward, and is typically completed within hours or days. Agents can automatically be installed within minutes, without disrupting end-users. Additionally, most customers deploy BigFix Relays to help manage distributed devices and policy content and as you can see in the diagram – an existing workstation can be leveraged for this purpose. Promoting an Agent to a Relay takes minutes and doesn’t require dedicated hardware or network configuration changes. It’s entirely up to the customer how many Relays to deploy and where they’d like to place them; however, we can certainly make recommendations based on business and technical considerations. In addition to caching patches and other software updates close to end user devices, BigFix Relays manage the bandwidth used by BigFix to ensure that systems and security management tasks don’t consume all available network bandwidth.To a world accustomed to multiple, fragmented technologies and point solutions, BigFix offers an alternative: the industry’s only single-console, single-agent platform that addresses operations, security and compliance initiatives in real-time and at global scale. HIGHLY EXTENSIBLE – AUTO ON DEMAND FUNCTIONALITY ADD WITH JUST SWITCH ON CONTENT.Most enterprise networks are highly distributed. Users are connecting to your HQ site from across the Internet, while on the road, and also from remote offices – which makes security and systems management extremely challenging. Additionally, most enterprise networks have bandwidth constraints – over wireless, shared MPLS, satellite links, etc - which makes pushing fat software packages and security patches over these latency-prone links a huge burden for the IT organization. Moreover, many of these devices are intermittently connected – particularly those roaming laptops – which makes validating and updating their configuration virtually impossible. Finally, most enterprises have many different types of servers, desktops, laptops and handheld devices, making cross-platform support a must for any security and systems management solution.Unlike alternative solutions, BigFix was purpose-built to work efficiently within these types of environments. As you can see from the diagram, BigFix Agents can be deployed on all types of devices, whether those are running Windows, Windows Mobile, different flavors of UNIX, Linux and Mac. The BigFix Agent is the “brains” of the BigFix Unified Management Platform and continuously assesses the state of the endpoint against policy, whether connected to the network or not. As soon as it notices that an endpoint is out of compliance with a policy or checklist, it informs the BigFix server and executes the configured remediation strategy, and immediately notifies the BigFix Server of task status (completed, in process, not completed).The BigFix Server manages policy content – delivered in messages called “BigFix Fixlets” and updated continuously via the BigFix Content Delivery cloud-based service – and enables the BigFix Operator to maintain real-time visibility and control over all devices in the environment – including instantaneous discovery of devices that aren’t managed by BigFix. Because most of the analysis, processing and enforcement work is done by the BigFix Agent rather than the Server, ONE BigFix Server can support more than 200K endpoints, enabling customers to make the most of their security and systems management investment. Whatever specific BigFix solution a customer uses – whether it’s endpoint protection, systems lifecycle management or security configuration and vulnerability management – it’s delivered via a single management console view. Additionally, new services can be provisioned and delivered via the BigFix Content Delivery cloud with no additional hardware or software installations or network changes.Deployment is straightforward, and is typically completed within hours or days. Agents can automatically be installed within minutes, without disrupting end-users. Additionally, most customers deploy BigFix Relays to help manage distributed devices and policy content and as you can see in the diagram – an existing workstation can be leveraged for this purpose. Promoting an Agent to a Relay takes minutes and doesn’t require dedicated hardware or network configuration changes. It’s entirely up to the customer how many Relays to deploy and where they’d like to place them; however, we can certainly make recommendations based on business and technical considerations. In addition to caching patches and other software updates close to end user devices, BigFix Relays manage the bandwidth used by BigFix to ensure that systems and security management tasks don’t consume all available network bandwidth.To a world accustomed to multiple, fragmented technologies and point solutions, BigFix offers an alternative: the industry’s only single-console, single-agent platform that addresses operations, security and compliance initiatives in real-time and at global scale.
- NOTE: CLICKING ON THE GRAPHIC WILL BRING UP A SHORT VIDEO IF YOU HAVE AN INTERNET CONNECTIONThe explosion of capable, connected smartphones and tablets is changing the way IBM employees want to work. Like most enterprises around the world, IBM is experiencing rapid growth in requests from employees who want to use their personal mobile devices — smartphones, tablets, even personally owned laptops — to access the data and applications they need to do their jobs. The profile of these mobile users is changing as well, further driving demand for any device, anytime access to work email, calendar, contacts, IM and collaboration applications (like Sametime, Connections, and integrated Lotus Traveler) as well as the information on IBM’s vast intranet. No longer limited to salespeople and executives who spend much of their time away from an office, employees seeking mobile access today could be any IBMer who wants more flexibility to balance work and personal life. And many want to bring their own device (BYOD) to work – something we recognized we knew we needed to get ahead of. We figured that if we don’t support these employee-owned devices, employees would figure out how to support them themselves, potentially putting corporate information at risk.Some of the challenges faced by our CIO Office were to accommodate requests for broad mobile access from a multitude of devices while protecting enterprise data, delivering business value while safeguarding the integrity of our business, and defining a mobile strategy that can adapt to changing technologies – and be able to scale to accommodate hundreds of thousands of devices. IBM began its assessment and planning for deploying mobile devices for its employees back in 1999, as we envisioned the benefits – and the challenges – of securely delivering a mobile infrastructure to our very large workforce. IBM Global Technology Services has helped design and support IBM’s internal mobile infrastructure and manage device, application, networking, collaboration for social business all along this journey. In addition to supporting mobile collaboration tools, we are managing mobile devices using tools like IBM Endpoint Manager platform that allows us to wipe devices in the event they are lost or stolen, or if the employee leaves the company. Like other enterprises, one of the top concerns keeping our CIO up at night has been how to secure the mobile network, devices, data, and applications.Our services teams are moving fast to support the proliferation of devices and mobile operating systems to keep up with employee demand. And our mobile strategy and deployment is managed by the same IBM Global Technology Services delivery organization that supports IBM’s commercial Mobile Enterprise Services clients. Good content to help you prepare to deliver the IBM mobile deployment story is available in the new profile video, case study, and this Computerworld article:http://www.computerworld.com/s/article/9225563/IBM_CIO_discusses_Big_Blue_39_s_BYOD_strategyVideo: http://www.youtube.com/watch?v=w5_QrFjg4yECase Study: http://public.dhe.ibm.com/common/ssi/ecm/en/enc03011usen/ENC03011USEN.PDF
- The Security and Compliance offering includes these sorts of capabilities:Security Configuration Management – maps to desktop configuration standards such as FDCC, SCAP, DISA STIGs, etc and provides for custom-mapping to other standards such as PCI, HIPAA/HITECH, etc.Vulnerability MgmtAsset DiscoveryPatch Management – for OS updates as well as third party application updates to protect against Adobe, Firefox, IE, Quicktime and other vulnerabilities/exploitsClient Manager for Endpoint Protection – where multiple third party AV products can be monitored and managed via the TEM console, for those customers who are interested in migrating from one AV to another, this functionality is also very useful. BTW, we also have an optional add-on AV product through Trend Micro called CPM.Network Self Quarantine (IPSEC) – our version of NAC where we can quarantine infected machines within minutes while we remediate them and allow access back to the network.The really cool thing about this technology is that a customer can choose any of the four to start with and then add on functionality later – without installing software, without making network configuration changes, without even rebooting a single machine… this is not possible with any other type of management solution. This is a key differentiator that should make Tivoli sellers very happy since it gives them a straightforward upsell/cross-sell approach.