iPhone and Android securely in the enterprise

I was recently doing some investigation, thinking and evaluating how to bring the iPhone and Android securely into the enterprise (also called Bring Your Own Device (BYOD). I was interested in implementing not just a point solution but as a strategic initiative that could still be deployed in phases.

The following diagram is a conceptual architecture of how I think think this should be done:

The key aspects of this architecture:
  • Any endpoint - it supports use of any endpoint; be that a traditional Windows PC or Laptop to a Mac, Linux and the mobile revolution: iPhone, iPad, Android, Windows Surface etc. Also zero client and thin client devices such as Sunrays, Wyse Desktops.
  • Anywhere - it supports connecting over the Internet from any location (home, on the train, Starbucks, in an internet cafe) and your traditional office locations. It also supports seamlessly moving from any of those locations to any other location completely transparent to the user and with minimal change to their experience
  • SSL gateway and the browser - The SSL gateway can be purchased from any leading vendor you have relationship with e.g. Juniper, Cisco, F5, Citrix Netscreen. With this you can provide do http/https, Exchange Active-Sync for email, calendar and contacts, RDP, and even full layer 3 IPSEC tunnel if you so wish. This gives you the benefits of full encrypted transit (via SSL), network access control (NAC/UAC), host integrity check (make sure some smart user hasn't installed a rootkit on your device), and most important for users WAN acceleration for improved performance
  • Endpoint policy and Mobile Device Management (MDM) - some server side software is required to allow management of endpoints, for policy and software deployment, authentication, freezing/erasing corporate data, backup, obtaining usage and geo-location of the device and obtaining logs for monitoring. Suitable MDM software would be something like Juniper Pulse or Sybase Aferia. This can be cloud hosted or purchased as a service from a supplier.
  • Endpoint agent - this is ideally avoided, and maybe in the future Apple and Google will integrate these features natively, but for now an agent is required on the device to allow you to: encrypt the corporate data in storage and in use, sandbox the corporate applications and data from the users personal applications and data (and stop them e.g. from copy pasting that HR list to their Google email),  add a Firewall and Antivirus and log everything that user does on the corporate data and applications. Again Juniper Pulse or Sybase Aferia have agents that work on iPhones and Androids. Of course for your truly zero or thin client endpoints you don't need agent

The benefits this architecture are:
  • It implements BYOD which will save the business money and make users more productive
  • A strategic solution rather than tactical - it has a goal of not just providing iPhones / iPads, Androids to senior executives but rather the loftier goal of enabling any user to connect from any location, on any endpoint. This is done securely, with great performance and with a great user experience i.e. completely transparent to the user and with very similar experience regardless of what device and where they connect from.
  • It leverages many components that enterprises already have e.g. terminal services, virtualization, remote access gateway, active-sync with Exchange, web servers, two factor authentication and even allows some of these components to be purchased as a service rather than internally hosted
  • It can built one piece at a time (e.g. allowing implementation in quarterly releases) - so you can provide quick wins such as email and calendar to executives quickly while building the strategic architecture
Why Good is actually bad:
I belive a container based solution such as Good is actually a poor choice due to:
  • Flexibility - Good provides a container for email, calendar, contacts and applications primarily for iOS devices. However as it  builds upon the Blackberry model it does not meet the flexible goals of any endpoint, anywhere. There is also a fair amount of vendor lock-in. Corporate applications developed for Good will only run in the Good container.
  • Upgrade problem - Good in their infinite wisdom has decided that it could develop a better e-mail client than Apple and Google. They will have to release a new version every time the OS is updated, this includes development, testing, release and the inevitable bug fixing. This could mean that you don't get the befits of upgrades that Apple and Google release for their native clients in a timely manner.
  • Different apps for corporate email and personal email - which maybe desirable for some users (separating work and personal), however for others it will be less efficient.

Business benefits of BYOD and any endpoint anywhere:

A. Why we should iPhones and Androids be allowed in the corporation?
  • Reduce cost - it is potentially a lot cheaper than paying for your Blackberry license, BES server management, Blackberry devices. Especially if you have already invested in many of what I describe above such as Exchange Active-sync etc. But do the sums - make sure you consider the total cost including: software licensing, support and maintenance, hardware refresh and maintenance, people/costs to maintain and support and change these environments, training, help-desk calls (deduct a reasonable % because iPhones are easier to use). Takeaway any current costs that are re-usable e.g. Exchange licenses and maintenance
  • User experience and productivity - usually all you need is the above, but just in case: give them an iPhone, iPad or Android, put that next to their laptop and Blackberry and ask them to do some similar tasks such as open and reply to email, browse the web, launch an application. I would wager that most people will prefer and be more productive on the Apple or Android device.
B. Why should we allow users to use any endpoint from anywhere?
  • Reduce cost - Work out the total cost of ownership of software for all your endpoints (PC's, laptops, mobiles), licensing and maintenance, hardware provision and refresh, staff/costs to issue, maintain and support these, % of helpdesk calls. Off set this vs. providing users £300 (US$500 for a mobile and same again for a laptop/tablet), asking them to get their own endpoint or use their current one and pocket the cash, give them £50 (US$80) a month as an allowance for a mobile and broadband data plan (or use their own and pocket the cash) and using this endpoint(s) both in the office, at home. If you have a good investment in zero client or thin clients already, and users have laptops/workstations at home forget about the money for the laptop part. The users contract with the mobile and endpoint providers themselves (with a coupon corporate code), the currently and support and helpdesk is completely outsourced. If you can't get the security and mobile management outsourced from your current mobile provider for a like £3-5/user/month potentially talk to other mobile providers.
  • User experience and productivity - do a feasibility study, run a user survey. What would they rather use an iPhone or their Blackberry, that awful Dell/HP/IBM laptop you give them or a Mac book pro / iPad. What would they be more productive on? 
Remember this is the overall strategy - implement it in phases. Run a proof of concept, perform a pilot, role it out one site at a time, one feature at a time.


  1. Do you really think that it is easier to use a smartphone (regardless of type) to do PRODUCE things rather then a traditional laptop / desktop? Note I'm not talking about communicate, but actually PRODUCE things. I'd suggest you take you're own challenge and type out this blog entry on an ipad / iphone and then do it on a laptop and tell me which you prefer.

  2. I actually did write this on my iPhone! Try an app called BlogPress, and then did a bit of formatting on my laptop Also with the iPad/iPhone and most smartphones you can can output to a large screen via a VGA adaptor, take a bluetooth keyboard and mouse. The PC is dead long live the mobile :)

  3. I think Bring Your Own PC (BYOPC) - or smart phone or general computing device is going to be huge and heard a lovely quote the other day - "If you have any of your end users with local admin, you're already running a BYOPC PoC"



Written by