Best Practices for Securing Android in the Enterprise
DESCRIPTION
IT consumerization and bring your own device (BYOD) policies are key trends driving businesses to expand Android enterprise support. Walk through a proven methodology to provision your organization's in-house applications and data on the Android device without affecting a user's access to personal information. Determine if and how you can minimize IT resource requirements in managing your Android devices. View the Replay: http://spr.ly/AndroidEnterprise
TRANSCRIPT
© 2011 SAP AG. All rights reserved. 0
Best Practices for Securing and Managing
your Android Devices
July, 2012
Peter Mitchelmore, Mobility Solutions Principal
Today’s Presenters
Peter Mitchelmore
Mobility Solutions Principal, SAP
Nick Rea
Senior Sales Staff Engineer,
Samsung Telecommunications America
Agenda
Android as an Enterprise Device
Considerations when Planning an Android Deployment
Securing and Managing Android: SAP’s Approach
Afaria Advanced Enterprise Security (AES) for Samsung Android
Secure Email with Nitrodesk
Wrap-up
Two Stages of Mobility
Business value | Productivity | Engagement
Innovation approach | Deductive | Inductive
Mobile technology | Substitution | Net-new
Complexity | Low | High
Systems interoperability | Low | High
The Future is Bright
400 million Android devices activated
Android’s chief architect Andy Rubin has revealed that Android mobile
device activations have now reached 900,000/day
600,000 apps and games available from Google Play
Choose the best smartphones and tablets through a global partnership
network of over 300 carriers in over 169 countries
Top Five Smartphone Platforms (US subscribers), May 2012
*Source: comScore
Google 50.9%
Apple 31.9%
RIM 11.4%
Microsoft 4.0%
Symbian 1.1%
Customer Preferences
*Source: Enterprise Management Associates @2011
Android as an Enterprise Device
Mobilizing The Enterprise Is Complex
Device and Backend Diversity
Device Choice
Device & App Management
Development Tools & TCD/TCO
Security Ease of Use
Apps & More Apps!
End User Requirements
Enterprise Requirements
Android Strengths
Easy platform for development;
Java and Eclipse
Robust platform for developing
advanced mobile apps
Established App Portal
Many form factors available to
meet various needs
Challenges
Limited enterprise management capabilities in comparison to other
mobile operating systems
Each release of the OS has started to add additional enterprise enhancements
Afaria Advanced Enterprise Security (AES) overcomes management issues with
Samsung devices
User-based security approach
Form Factors
Things to Think About
How to better integrate personal devices
into the enterprise
Device fragmentation
No control over firmware update
How you might use the ‘pad’ form factor to
improve your business process
Securing and Managing Android: SAP’s Approach
A leader yesterday, today and tomorrow
Enterprises Must Mobilize
Apps and Embrace Content Portals
… AFARIA DEPLOYS
Multiple OS Environment,
Increased Demand for
Consumer and Corporate Apps
Ignite Risk
… AFARIA SIMPLIFIES
Critical Email Security Needed
for Corporate Standardized
Devices
… AFARIA SECURES
IT Departments Struggle to
Secure Ruggedized
Laptops for Task Workers
… AFARIA IS BORN
What is Afaria?
Afaria
Award winning MDM + App Management
Legacy, heritage of leadership
Integration to Analytics and MEAP
Afaria mobile device and application management
solution allows administrators to centrally manage,
secure, and deploy mobile data, applications, and
devices
Our simple yet comprehensive solution
Beyond MDM
1 Personal to enterprise ready in minutes
2 Application management
3 Simple, targeted administrative experience
Personal to enterprise ready in minutes
Not safe for the enterprise
Lacking enterprise controls
No security
No app management
No enterprise app portal
No certificates
Safe for the enterprise
Simple enrollment takes users from unmanaged device to fully controlled device
Enterprise control
Power-on-password
Enterprise App Portal fully configured
Certificates for SSO, WIFI, VPN,
and Email are deployed
Apps enabled for no touch
configuration
Policies are automatically deployed
Application management
Un-configured Application: Confused User
??? What is the server name and port?
Configured Application: Happy User
It works automatically!
Simple, targeted administrative experience
One “size” administration does not fit all
• ERP
• Automation
• Managed Service
Administrative
UI
Analytics
On-the-Go
API
Keys to Adopting Android
Manage and secure corporate assets and
data without affecting personal data
Protect the device
Deliver and manage enterprise
applications
Configure and maintain devices
Afaria Advanced Enterprise Security (AES)
Deliver advanced enterprise management
capability for Android
Samsung has developed APIs for much
deeper device management
Advanced features available on Samsung Galaxy S
and Galaxy S2 devices (Android 2.3)
Afaria Capabilities with Android, Application Management
Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0
List applications installed via MDM agent
•
Install & remove enterprise applications silently
•
Install enterprise applications via portal • • • •
Enable & disable enterprise applications
•
Enterprise applications information
•
Remove managed applications
•
Update application
•
Certificate installation
•
Prevent uninstall applications by user
•
Check if application installed
•
Check if application currently running
•
Add/Remove applications to/from blacklist
•
Enable uninstall application by user
•
Enable & disable applications
•
Wipe application data
•
Afaria Capabilities with Android, Configuration Management
Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0
Enable & disable camera
•
Allow automatic synchronization while roaming
•
Configure VPN
Disable push while roaming
•
Remove managed exchange account and data
•
Check WiFi is enabled or disabled
•
Enable & disable WiFi • • • •
Access point control
•
Enable & disable Bluetooth
•
Start/Stop Bluetooth discovery
•
Enable & disable microphone
•
Afaria Capabilities with Android, Exchange Server Policies
Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0
Active Sync host •
Create new exchange account •
Set exchange account display/account name •
Set exchange account sync interval •
Set exchange account protocol version •
Set exchange account sender name •
Set exchange account sender signature •
Set exchange account setting to always vibrate on email notification
•
Set exchange account setting to vibrate when silent only on email notification
•
Set exchange account setting to use TLS •
Set exchange account setting to accept all SSL related certificates
•
Set Active Sync client auth certificate •
Set the Exchange user •
Set user's email address •
Use SSL •
Domain •
Password •
Number of past days to sync •
Afaria Capabilities with Android, Exchange Server Policies
Feature | Native Android V2.2 | AES for Samsung 2.3 | Native Android V3.0 | Native Android V4.0
Password Policy
Allow simple values for password • • • •
Require alphanumeric values for password • • • •
Minimum password length • • • •
Maximum password age in days • • •
Minimum complex characters in password • • •
Password history • • •
Get device password •
Set device password •
Maximum number of failed attempts before device is wiped
• • • •
Security Management
Remote lock & unlock • • • •
Remote wipe • • • •
Remote reset •
Remove configuration data •
Ability to lock management on phone •
Full device encryption •
Wipe encrypted data •
SD card encryption • • •
Add blacklist •
Remove blacklist •
Disable application •
Enable application •
Delete email account •
Delete VPN account
Wipe application data
Wipe SD card data •
AES For Android (Samsung) – NEW in Afaria 7.0 SP1
Application policy
Block all except white list
Allow all except blacklist
Bluetooth policy
Enable desktop/laptop connectivity
Location policy
Enable location provider
Clear installed certificates
Credential storage password
Reset credential storage
Unlock credential storage
Restriction Policy
Allow Non-market apps
Allow settings changes
Enable background data
Enable backup
Enable clipboard
Enable SD card
Enable USB debugging
Enable USB Mass storage
Enable USB media player
Enable USB tethering
Enable WiFi tethering
Afaria Android Application Management
Deliver and control in-house enterprise apps
OTA to Android devices
Assign applications to user groups by admin-
defined categories
Enterprise app installation is tracked and
reported providing transparency into app
distribution status
Client-side Portal for Application Selection
• Organize Apps into admin defined Categories
• Both Marketplace and Enterprise apps
• Allows for end-user selection and installation
Secure Email with Afaria and Nitrodesk Touchdown™
Touchdown is a third party ActiveSync
email client provided by partner Nitrodesk.
• SAP has a reseller agreement with NitroDesk
Afaria manages Nitrodesk Touchdown to
provide a secure email client for Android
• Integrates with MS Exchange or Lotus Domino
• Does not require a separate email infrastructure
• Configure corporate email settings through the
Afaria console
Distribute the Touchdown app using Afaria
Available Touchdown settings
• Additional passcode requirements
• Maximum lock time for Touchdown
app
• Maximum email size/age
• Encryption settings
• Require encryption of email store
• Require encryption of SD card
• Attachment control
• Allow/disallow attachments
• Allow attachments on SD card
• Maximum size in bytes
• Allow HTML email to device
Samsung Electronics. All Rights Reserved. Confidential and Proprietary.
Mobile Device Management (MDM)
Corporate Email / Calendar / Contacts
On-Device Encryption (ODE)
Virtual Private Network (VPN)
SAFE Overview
Quickly and easily access corporate email, meeting details, contact info and other critical information on the go
Wirelessly and securely access data from your corporate network while traveling or working in the field
Working with leading third-party providers, Samsung offers efficient and scalable mobile deployment solutions with 338 or more IT policies, addressing the most challenging management and security concerns
SAFE devices provide an intuitive and consistent user interface through enhanced Microsoft Exchange ActiveSync (EAS) features, sync functions and policy control
State of the art, AES 256-bit ODE helps prevent unauthorized access to all data on the device, including the microSD® storage card
Samsung works with a number of leading VPN providers enabling IP-based encryption for secure, persistent access to critical enterprise assets via Wi-Fi® and cellular network connections
WHY
HOW
Store proprietary documents, presentations and other corporate data on your mobile device – while keeping that sensitive data protected
Employees remain mobile, secure and compliant with remote management of applications and device features that meet company-specific requirements
Unprecedented Android IT Compliance
Leading VPN and MDM providers leverage Samsung’s advanced Software Development Kit (SDK) to provide industry-leading Android security and control for IT managers
VPN Mobile Device Management (MDM)
Microsoft Exchange ActiveSync (EAS) – Up to 80 EAS policies and features
On-Device Encryption (ODE) – AES 256-bit encryption on device and SD card
338 IT policies (substantially more than the nearest smartphone competitor) and 723 APIs by Samsung – the most comprehensive in the industry
Solid partnerships with leading vendors enable customer flexibility
Extended SSL (and soon IPsec) VPN protocols through leading providers ensure accessibility
[Chart: #Policies (#APIs) for Competitor, Native Android, Samsung Android 2011 and Samsung Android 2012. Values shown: 338 (723), 276 (537), 35 (33), 199, 34]
Business Requirements w/ Mobile Workforce How MDM Addresses …
Remote management Security Management/Security and Remote Configuration
Limit features and functions Kiosk Mode
Access to application store(s) Application Management
Geo-fencing Location-Based Services
Real-time access to device status and activity Inventory Monitoring
Manage voice and data usage Expense Management
Real-time mobile user support Help Desk / Remote Access
BENEFITS
Support BYOD
Maximize ROI
Provide Strong Security
Balance security requirements with need for personal privacy without compromise
Boost end-user satisfaction, Increase mobile productivity and decrease IT support
Deploy IT policy and certificate management, along with comprehensive data integrity
Samsung goes well beyond native Android to provide new and enhanced security options and features that meet and exceed business requirements
Mobile Device Management Value Proposition
Applications developed through the SDK benefit from enhanced functionality and increased security
Samsung works closely with partners to thoroughly vet and understand each solution and address key industries and segments
A few examples include …
• SAP EMR (Electronic Medical Record) solution on Galaxy S III allows for enhanced connectivity to medical devices through healthcare-specific APIs integrated into the device (meeting Continua standards)
• Differentiated WebEx conferencing solution on Samsung devices with call/contact escalation and other user-friendly features
• VMware virtualization solution helps to securely separate corporate and personal data
• MicroStrategy dashboard solution was optimized on Samsung Galaxy Tabs
The Samsung SAFE SDK (Software Development Kit) is an application development framework that allows our business partners to design differentiated applications
that leverage Samsung’s highly-desirable products and solutions
SAFE’s Impact on Solution Development
With access to more than 700 APIs (Application Programming Interfaces), ISVs (Independent Software Vendors) are able to develop enhanced applications
Next Steps
Browse the Afaria AES for Samsung Android website
http://sybase.com/android
Whitepapers, videos, webcast replays, etc...
Contact your SAP account rep to schedule a more in-depth presentation
Register at http://frontline.sybase.com
Knowledgebase, Product documentation, software updates, case management
Wrap-up
7 Key Points to Take Home
1. Android fragmentation will continue to pose challenges for its adoption in the
enterprise
2. Sybase/SAP has the strongest security solution for Android in the industry with
Afaria
3. Afaria can provide security for Android in both BYOD and corporate-owned device
populations
4. Sybase’s partnership with NitroDesk provides a secure email solution for all
Android devices
5. Afaria AES for Samsung provides additional security capabilities on their devices,
and talks are underway with other leading handset manufacturers
6. Afaria can be used to manage, provision, and configure both Enterprise (custom
developed) Android apps, and Android Marketplace apps.
7. Afaria can be used to manage your entire population of mobile devices, including
iOS devices, Blackberries, and Windows-based laptops and tablets.
Questions
Closing and Q&A
Participate in today’s TweetChat about mobile app development
#MobileInsights
SAP Mobile Insights Webcast Series
http://bit.ly/sapmobileinsight
July 25th – The Merits of Mobile App Development for Android Devices
August 15th – Syclo Overview
August 29th - Mobility for Utilities
Mobile Sense Thought Leadership Series (webcasts & white papers):
http://fm.sap.com/mobilesense