MobileIron MDM APM Integration iApp Template
Problem this snippet solves: The MobileIron MDM iApp Template is meant to quickly and accurately configure BIG-IP APM objects for integrating MobileIron into the BIG-IP infrastructure. For specific instructions on deploying the MobileIron MDM iApp, see the online help or the tech tips. Integrating APM with MobileIron MDM - Part 1 How to use this snippet: Code : 45226
iOS and Android F5 Edge Client enrolled in MDM - prevent ability for manually created profiles
Hi all, Hoping to get some help or advise..... I have a client who we are setting up in AirWatch and deploying F5 VPN Edge Client to devices (Android and iOS). Authentication with F5 APM is via user certificate, issued from NDES server via AirWatch. We have configured for per-app vpn use. Once device is enrolled and VPN policy installed on to device, we have found that it is possible for an end user to create an additional profile in client, using same certificate that was issued via AirWatch, thus enabling an end user to create a secondary profile and then have whole device vpn into their infrastructure. We would like to prevent this from happening - ability for whole device to vpn into their infrastructure. Is there a way to either: - Prevent end user from creating their own profiles in F5 Edge client - Prevent end user, when creating their own profiles, to create additional profile using certificate in configured profile - Prevent whole device from vpn'ing into infrastructure and only accept per-app vpn connections Or am I going about this completely the wrong way. Thanking the community in advanced. Cheers, Tina.
Third Party VPN configuration blob
Greetings, We're trying to implement MDM VPN configuration policy for Windows Phone 8.1 and Windows Phone 10 using the VPN CSP. We are able to push Custom VPN policies to device. However, we're unable to obtain the 3rd party VPN profiles for F5 Big-IP Edge (it is one of the third party vendors currently supported by Windows Phone 8.1). Would it possible to share the xml blobs? If not, what would be the procedure to obtain the xml blobs? Regards, SGBring Your Own A-Z
The #BYO craze has taken the world by storm and now infiltrates every sector of out lives. Here is a partial list, in alpha-order, of various bring your owns. BYO Apple: For the teacher in your life, the princess you'd like to put to sleep or to keep the doctor away for a day. BYO Beer: The original classic, college style. And BYO Booze for when you're out of college and got a little cash. BYO Candy: With Halloween approaching this could see a surge over the next 30 days. BYO Device: Or danger, destruction, demolition, detonator or any other dastardly 'D' word to represent risk. BYO Everything: When Internet of Things takes over our lives. Chocolate Chips have a whole new meaning. BYO Food: The newest Potluck Parties. BYO Game: Actually sitting at a table playing the physical versions of Monopoly, Life, Candy Land, Scrabble, or any other favorite. BYO Hacker: Bodyguards in the 21st Century. BYO Intelligence: Actually using your brain to figure out something...or when AI robots take over the world. BYO Jump Drive: A whistleblower's favorite. BYO Kittens: For making that irresistible, can't-stop-watching, almost viral video. BYO Litigation: The new term for Small Claims Court. BYO Money: What Cash with be called 10 years from now. BYO N: BYO's maximum amount. As far as BYOingly possible. BYO OMG: The Surprise Party. BYO Presents: What you take to the BYO OMG. BYO Quarrel: The updated version of an older brother's favorite 'Stop Hitting Yourself.' BYO Raven: Quoth he. BYO Sushi: The new 'Gone Fishing' Bumper sticker. BYO Time: It's all relative anyway. BYO Utopia: Happiness comes from within. BYO Vacation: The latest Griswold adventure this time with a Hybrid LTD Country Squire. BYO Warnings: Wouldn't be cool if everyone had to announce the hazards of interacting with them? BYO X: Half of a Tic-Tac-Toe game or how Hawaiians greet each other. BYO Yawn: What you did right now when you read this entry. BYO Zombie: Pretty much anyone walking around fully engaged with their BYOD. Well that was fun. C'mon play along - it's easy and works with almost any word! ps Related: How Terms Have Changed over Time BYOD Injuries BYOD–The Hottest Trend or Just the Hottest Term Is BYO Already D? Will BYOL Cripple BYOD? Freedom vs. Control The Prosecution Calls Your Smartphone to the Stand Technorati Tags: byod,mobile,smartphone,lists,humor,fun,byo,silva,human,society,mam,mdm Connect with Peter: Connect with F5:The Problem with Consumer Cloud Services...
…is that they're consumer #cloud services. While we're all focused heavily on the challenges of managing BYOD in the enterprise, we should not overlook or understate the impact of consumer-grade services within the enterprise. Just as employees bring their own devices to the table, so too do they bring a smattering of consumer-grade "cloud" services to the enterprise. Such services are generally woefully inappropriate for enterprise use. They are focused on serving a single consumer, with authentication and authorization models that support that focus. There are no roles, generally no group membership, and there's certainly no oversight from some mediating authority other than the service provider. This is problematic for enterprises as it eliminates the ability to manage access for large groups of people, to ensure authority to access based on employee role and status, and provides no means of integration with existing ID management systems. Integrating consumer-oriented cloud services into enterprise workflows and systems is a Sisyphean task. Cloud-services replicating what has traditionally been considered enterprise-class services such as CRM and ERP are designed with the need to integrate. Consumer-oriented services are designed with the notion of integration – with other consumer-grade services, not enterprise systems. They lack even the most rudimentary enterprise-class concepts such as RBAC, group-based policy and managed access. SaaS supporting what are traditionally enterprise-class concerns such as CRM and e-mail have begun to enable the integration with the enterprise necessary to overcome what is, according to survey conducted by CloudConnect and Everest Group, the number two inhibitor of cloud adoption amongst respondents. The lack of integration points into consumer-grade services is problematic for both IT – and the service provider. For the enterprise, there is a need to integrate, to control the processes associated with, consumer-grade cloud services. As with many SaaS solutions, the ability to collaborate with data-center hosted services as a means to integrate with existing identity and access control services is paramount to assuaging the concerns that currently exist given the more lax approach to access and identity in consumer-grade services. Integration capabilities – APIs – that enable enterprises to integrate even rudimentary control over access is a must for consumer-grade SaaS looking to find a path into the enterprise. Not only is it a path to monetization (enterprise organizations are a far more consistent source of revenue than are ads or income derived from the sale of personal data) but it also provides the opportunity to overcome the stigma associated with consumer-grade services that have already resulted in "bans" on such offerings within large organizations. There are fundamentally three functions consumer-grade SaaS needs to offer to entice enterprise customers: Control over AAA Enterprises need the ability to control who accesses services and to correlate with authoritative sources of identity and role. That means the ability to coordinate a log-in process that primarily relies upon corporate IT systems to assert access rights and the capability of the cloud-service to accept that assertion as valid. APIs, SAML, and other identity management techniques are invaluable tools in enabling this integration. Alternatively, enterprise-grade management within the tools themselves can provide the level of control required by enterprises to ensure compliance with a variety of security and business-oriented requirements. Monitoring Organizations need visibility into what employees (or machines) may be storing "in the cloud" or what data is being exchanged with what system. This visibility is necessary for a variety of reasons with regulatory compliance most often cited. Mobile Device Management (MDM) and Security Because one of the most alluring aspects of consumer cloud services is nearly ubiquitous access from any device and any location, the ability to integrate #1 and #2 via MDM and mobile-friendly security policies is paramount to enabling (willing) enterprise-adoption of consumer cloud services. While most of the "consumerization" of IT tends to focus on devices, "bring your own services" should also be a very real concern for IT. And if consumer cloud services providers think about it, they'll realize there's a very large market opportunity for them to support the needs of enterprise IT while maintaining their gratis offerings to consumers.BYOD 2.0 -- Moving Beyond MDM
#BYOD has quickly transformed IT, offering a revolutionary way to support the mobile workforce. The first wave of BYOD featured MDM solutions that controlled the entire device. In the next wave, BYOD 2.0, control applies only to those apps necessary for business, enforcing corporate policy while maintaining personal privacy. The #F5 Mobile App Manager is a complete mobile application management platform built for BYOD 2.0 ps Related: F5's Feeling Alive with Newly Unveiled Mobile App Manager Inside Look - F5 Mobile App Manager (Video) BYOD - More Than an IT Issue (Video) Is BYO Already D? Will BYOL Cripple BYOD? Freedom vs. Control BYOD Uptake Has Only Just Begun BYOD Policies – More than an IT Issue Part 1: Liability BYOD Policies – More than an IT Issue Part 2: Device Choice BYOD Policies – More than an IT Issue Part 3: Economics BYOD Policies – More than an IT Issue Part 4: User Experience and Privacy BYOD Policies – More than an IT Issue Part 5: Trust Model Technorati Tags: f5,byod,mam,mdm,mobile,smartphone,big-ip,policy,security,privacy,legal,video,silva,mobile app manager Connect with Peter: Connect with F5:BYOD - More Than an IT Issue
I explain the various organizational entities that should be involved when creating a BYOD policy. ps Related: F5's Feeling Alive with Newly Unveiled Mobile App Manager Inside Look - F5 Mobile App Manager Is BYO Already D? Will BYOL Cripple BYOD? Freedom vs. Control BYOD Uptake Has Only Just Begun BYOD Policies – More than an IT Issue Part 1: Liability BYOD Policies – More than an IT Issue Part 2: Device Choice BYOD Policies – More than an IT Issue Part 3: Economics BYOD Policies – More than an IT Issue Part 4: User Experience and Privacy BYOD Policies – More than an IT Issue Part 5: Trust Model Technorati Tags: f5,byod,mam,mdm,mobile,smartphone,big-ip,policy,security,privacy,legal,video,silva,mobile app manager Connect with Peter: Connect with F5:BYOD Policies – More than an IT Issue Part 2: Device Choice
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Device Choice. Device Choice People have become very attached to their mobile devices. They customize and personalize and it's always with them, to the point of even falling asleep with the device. So ultimately, personal preference or the 'consumerization of IT' notion is one of the primary drivers for BYOD. Organizations need to understand, what devices employees prefer and what devices do employees already own. That would could dictate what types of devices might request access. Once organizations get a grasp on potential devices, they then need to understand each device's security posture. About 10 years ago, RIM was the first technology that really brought the Smartphone into the workplace. It was designed to address the enterprise's needs and for years was the Gold Standard for Enterprise Mobility. Management control was integrated with the device; client certificate authentication was supported; Active Directory/LDAP servers were not exposed to the external internet; the provisioning was simple and secure; organizations could manage both Internet access and intranet access, and IT had end point control. When Apple's iPhone first hit the market, it was purely a consumer device for personal use and was not business centric, like the BlackBerry. Initially, the iPhone did not have many of the features necessary to be part of the corporate environment. It was not a business capable device. It did not support applications like Exchange, which is deployed in many organizations and is critical to a user's day-to-day activities. Over time, the iPhone has become a truly business capable device with additional mechanisms to protect end users. Android, very popular with consumers, also offers numerous business apps but is susceptible to malware. Device selection is also critical to the end user experience. Surveys show that workers are actually more productive when they can use their personal smartphone for work. Productivity increases since we prefer to use our own device. In addition, since many people like to have their device with them all the time, many will answer emails or do work during non-work hours. A recent survey indicated that 80% of Americans work an extra 30 hours a month on their own time with BYOD. But we are much happier. A few blogs ago, I wrote about Good Technology’s BYOD survey, found that organizations are jumping on the phenomenon since they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. As part of the BYOD Policy the Device Choice Checklist, while not inclusive, should: · Survey employees about their preferences and current devices · Define a baseline of acceptable security and supportability features · Do homework: Read up on hardware, OS, and regional variances · Develop a certification program for future devices · Work with Human Resources on clear communication to employees about which devices are allowed–or not–and why ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSAFreedom vs. Control
No sooner had I posted BYOD–The Hottest Trend or Just the Hottest Term, last week than yet another BYOD survey hit the news. The full results will be released in a webinar tomorrow but SANS announced their First Annual Survey Results on Mobility Security. Last December, SANS launched its first ever mobility survey to discover if and how organizations are managing risk around their end user mobile devices. The survey of 500 IT pros found that a meager 9% of organizations felt they were fully aware of the devices accessing corporate resources, while 50% felt only vaguely or fairly aware of the mobile devices accessing their resources. In addition, more than 60 % of organizations allow staff to bring their own devices. With so many companies allowing BYOD, controls and policies are very important to securing business environments. Courtesy: SANS Mobility BYOD Security Survey Deb Radcliff, executive editor, SANS Analyst Program said, ‘Another interesting note is that organizations are reaching for everything at their disposal to manage this risk,…Among them are user education, MDM (mobile device management), logging and monitoring, NAC and guest networking, and configuration controls.’ Less than 20% are using end point security tools, and out of those, more are using agent-based tools rather than agent-less. According to the survey, 17% say they have stand-alone BYOD security and usage policies; 24% say they have BYOD policies added to their existing policies; 26% say they "sort of" have policies; 3% don't know; and 31% say they do not have any BYOD policies. Over 50% say employee education is one way they secure the devices, and 73% include user education with other security policies. The BYOD challenges, I think, falls under an age old dilemma: Freedom vs. Control. We see this clash in world politics, we’ve seen it pertaining to the internet itself, we may even experience it at home with our offspring. The freedom to select, use, work and play with the desired mobile device of our choosing bumping up against a company’s mandate to protect and secure access to sensitive corporate information. There can be tension between a free and open culture verses the benefits of control and information management. Sometimes people equate freedom with having control over things yet when it comes to controlling others, many of us feel slightly uncomfortable on either end of the leash. Sometimes oversight is necessary if someone does not have self-control. BYOD is a revolution, a drastic change in how organizations manage devices and manage access to information. If you look at revolutions through the years, often it’s about freedom vs. control. I’m certainly not suggesting an employee coup of the executive floor but remember there are two distinct and diverse powers at play here and successful BYOD deployments need to involve both people and technology. ps Resources SANS Mobility BYOD Security Survey Are your employees on a BYOD binge? SANS Survey: BYOD Widespread But Lacking Sufficient Oversight SANS First Annual Survey Results on Mobility Security: Lack of Awareness, Chaos Pervades with BYOD BYOD–The Hottest Trend or Just the Hottest Term Only 9 Percent of Organizations Are Aware of the Devices Accessing Their Corporate Data Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Audio Tech Brief - Secure iPhone Access to Corporate Web Applications Freedom vs Control – important lessons to be learned New security flaws detected in mobile devices Freedom and Control | Psychology Today Devo - Freedom Of Choice (Video)Why MDM May Save IT from Consumerization
#Mobile convergence may drive demand for #VDI and other less invasive technologies When you’re traveling you carry devices. I’ve got my smart phone, of course, to keep connected via e-mail and text and, if need be, voice. But I also carry my tablet and the old stand-by, my laptop. Because writing a blog post on my tablet or smart phone just isn’t my thing. While status updates and tweets are easy enough to compose on such constrained-size keyboards, I (and many others) need a full keyboard to really crank out the copy. But when I’m wandering around a conference it’d be nice to be able to focus on just one, which is where convergence comes in. My phone is a corporate resource, completely managed by our more than able IT department but the tablet? That’s mine (well, and the Little Man who’s in charge of our household at the moment). So while traveling out to Cloud Connect I tried to set up access to my corporate e-mail account on my tablet. It’s a Samsung Galaxy Tab 10.1 and it’s an Android device. It supports standard e-mail access via POP3 and IMAP – I already have my Gmail and personal accounts connected – but it also, apparently, supports Microsoft Exchange ActiveSync which supports hundreds of devices. It’s through ActiveSync that our growing iPhone using population accesses e-mail when they’re on the road. So I thought I’d give it a try. It worked like a charm, until I got to the warning part. HYPER-STRICT SECURITY That was the part that gave over complete – and I do mean complete – control to the fine IT folks at headquarters. The list of actions required to be allowed would not be surprising (and indeed are not) when applied to a corporate managed resources, like my Blackberry. But when I read through what I had to allow administrators to potentially perform on my device, I had second thoughts. It all makes perfect sense. If I’m going to have corporate e-mail messages, which in addition to their sensitive nature often times include attachments that have even more confidential data – product roadmaps, marketing strategies, detailed internal discussions on functionality and features – then it would be necessary to follow best practices like locking the screen with a password and requiring stored data to be encrypted. I stopped right there. Not because I didn’t think it was good practice and a requirement, but because my four year old routinely uses my device. He’s quite adept at getting around on an Android device (I’ve finally managed to teach him to ask before installing or buying new games) and while he occasionally deletes items – permanently and purposefully – generally he’s a good steward of the technology while he’s using it. But can he learn to enter a password that may be required (and forced on the device) by IT administrators? And even if he could, is that even acceptable? The rule is never share your password, and perhaps in today’s increasingly consumerized IT that should be amended to “especially not with your four year old.” And what if I allowed the administrator to do these things – require a password with a complex rule – and then the young man tried to access it without my presence? Sure, he always asks before he uses it today, but tomorrow? This is a child, we’re talking about. What if he grabs it and tries to unlock it – and fails? Would IT automatically delete everything on the device, as I’ve granted them permission to do? And would IT be willing to talk him down from the hysteria when he realizes every one of his games has been deleted remotely? I’m guessing not. AT an IMPASSE And so I hit “cancel”, because ultimately I wasn’t willing give over that much control and suffer the potential “damage” just for the convenience of converged e-mail. Then I considered what that meant. I am perfectly fine with the same control over my corporate owned and issued resources – my laptop, my Blackberry – but not my own, personal mobile device. The hyper-security policy scared me away from using a personal, consumer grade device because they wanted to turn it into an enterprise-grade device. I spent much of the rest of the flight wondering if VDI was the solution to this problem. It effectively sandboxes corporate resources within an enterprise-grade container and they can do whatever they want to it without any impact on my device. But not all VDI solutions are equal – and most assume connectedness, which is not entirely compatible with the on-again off-again nature of roaming, mobile devices when on the road. Certainly a less invasive MDM policy would also suffice (I’m sure administrators can pick and choose which actions they want to be allowed) but that would defeat the purpose of managing the device in the first place. If they can’t secure the corporate data that might be on my device, in a way that’s compliant with corporate (and potentially industry and government) policies, then there’s no point in offering the option. We’re at an impasse, it seems. And maybe that’s not necessarily a bad thing. If overly strict security policies are required in order to access something as simple as e-mail and users are scared away by the potential wiping of their device, maybe that’s a good thing. Corporate resources are kept secure and one less headache (managing yet another device) is averted until we can come up with a solution that balances the need for security with the need for me to ensure games like Yoo Ninja and Tank Hero don’t inadvertently end up in the trash bin. Ultimately there will be a solution that does just that – a combination of a secure storage vault on the device, managed exclusively by IT, in which e-mail – and other resources retrieved via secure remote access solutions – can be encrypted and managed as per their specific security needs. And that area can be protected by specific passwords and strength policies and wiped at a moment’s notice – without disturbing the all important Reading Monster or Captain America. But that technology doesn’t yet exist, though the need certainly does. Trusting that the old adage 1 continues to be right – that necessity is indeed the mother of invention – I’ve no doubt someone will come up with that technology in the near future. 1 The source of this idiom is apparently hotly contested – Plato, Whistler, and Victor Hugo are all cited as being the source. Desktop VDI May Be Ready for Prime Time but Is the Network? The Mobile Chimera The Magic of Mobile Cloud Mobile versus Mobile: An Identity Crisis What Does Mobile Mean, Anyway? At the Intersection of Cloud and Control… WILS: WPO versus FEO The Three Axioms of Application Delivery
