iOS 13 and Android Enterprise simplify the use of BYOD devices


The professional use of personal devices can be an attractive approach for companies and employees. But so far, data protection has been a problem – for companies as well as for employees. To ensure the protection of corporate data, many companies rely on a Unified Endpoint Management (UEM) solution that can securely manage the devices and data. However, while the UEM APIs on Android were for a long time not sufficient to protect corporate data, UEM on iOS impaired the protection of personal data because it had extensive access to the device – including personal data.

Many users have therefore refused to install a UEM client on their devices. Business use of the devices was then either not possible or entailed a data protection risk. This is exactly why many companies have decided not to adopt the use of BYOD devices.

iOS 13 introduces a completely new way of enrollment, with a major change that takes care of users’ privacy: User Enrollment, a fundamentally new form of device management at Apple. Android has also been well positioned for BYOD scenarios since the introduction of Android Enterprise and the Work Profile.

We will show you why you can now integrate private devices into your device landscape both with iOS 13 and Android Enterprise.

BYOD – an attractive approach for companies and employees

Bring Your Own Device (BYOD) – this approach allows employees to use their personal devices for business purposes. At first glance, an advantage for the employee and the company: employees can work with the devices of their choice and do not have to carry multiple devices around. Employers save on device costs and increase their employer attractiveness through the flexibility they offer their employees. But what about the security of company data and the protection of personal data? Privacy continues to be a concern in this scenario.

BYOD scenarios require clear guidelines

If personal devices are used for business purposes, they could have access to the company’s IT infrastructure and sensitive data.

_A comprehensive security concept including usage guidelines is therefore enormously important for BYOD scenarios and is also required both for compliance reasons and by the legislature_ Markus Adolph Founder and Managing Partner EBF

Because laws define clear regulations for the protection of data – both personal and business-related – and require clear separation.

Companies should, therefore, provide their employees with clear guidelines for the professional use of private devices – for example for passwords, screen locking, anti-virus protection, operating system updates, and app updates – and make the employees aware of their own responsibility for protecting sensitive data.

_We also recommend using a Unified Endpoint Management system to manage applications and data on the devices and delete company data from the device when needed_ Thierry Lammers CEO BLAUD

iOS 13: User Enrollment now provides privacy for BYOD devices

_iOS 13 introduces the so-called User Enrollment. This puts a much greater focus on BYOD and user privacy which makes it a major step forward in data protection for both users and businesses_ Ronan Murphy Managing Director CWSI

Until now, the UEM profile had extensive access to the device. Many users were uncomfortable with this and did not want to place their device under the management of a UEM solution.

On an iOS 13 device enrolled using User Enrollment, a UEM can, for example, no longer do the following:

  • See the installed applications or the device identifier
  • Erase the device and the device password
  • Define complex password requirements

However, the UEM can still do everything that is necessary to manage the enterprise applications, accounts, and data, e.g.:

  • Install and configure enterprise apps
  • Force a passcode
  • Query data relevant for enterprise applications, certificates, and profiles

With iOS 13, the data of managed applications is stored in a separate, managed and encrypted APFS volume that is created during registration, kept separate from user data, and deleted when the device is unenrolled.

With iOS 13, enterprise data, apps and policies are no longer bound to a single device, but to a Managed Apple ID that can be created through Apple Business Manager and optionally connected to the Microsoft Azure Active Directory using Security Assertion Markup Language (SAML). Users can use their AD user credentials as a Managed Apple ID and log on to the device.

The user registration process is streamlined with iOS 13, as the interface is clearer and the dialog is simplified. The UEM system makes the profile, in which the Managed Apple ID is stored as a reference to the user, available for download. After the download, the user selects the profile in the settings and performs the installation. In the last step, the user authenticates to the UEM with the Managed Apple ID.

Android Enterprise: The Work Profile ensures data protection on both sides

With the introduction of Android Enterprise, Google has implemented the “Work Profile”, which can be rolled out for BYOD and company-owned devices. It ensures that business and personal data and applications are separated from each other and that professional applications and data are stored in a container. This container is protected by special security guidelines and does not affect personal data.

_This ensures that sensitive company data is secure and the privacy of users is protected_ Philipp Klomp Founder & CEO Nomasis

For enterprise applications, restrictions can be applied, for example:

  • Taking screenshots can be prevented.
  • The sharing of data via NFC and Bluetooth may be restricted.
  • “Copy & Paste” from business to private areas can be forbidden.

In addition, the download of applications from unknown sources can be prevented.
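As an added illustration (not code from the original article or from any UEM vendor), the following Python script audits a work-profile policy for the restrictions listed above. It assumes the policy is written with the field names of Google's Android Management API Policy resource; the UEM products named on this page expose the same controls under their own setting names, and both sample policies are constructed.

```python
"""Audit an Android Enterprise policy for the work-profile restrictions above.

Assumption: field names follow Google's Android Management API "Policy"
resource. The auditor is deliberately strict: every restriction must be set
explicitly, so the result does not depend on platform or product defaults.
"""
import json

# (control name, candidate policy fields as dotted paths, accepted values)
CHECKS = [
    ("screenshots", ["screenCaptureDisabled"], (True,)),
    ("nfc_sharing", ["outgoingBeamDisabled"], (True,)),
    ("bluetooth_sharing",
     ["bluetoothDisabled", "bluetoothContactSharingDisabled"], (True,)),
    ("copy_paste_work_to_personal",
     ["crossProfilePolicies.crossProfileCopyPaste"],
     ("COPY_FROM_WORK_TO_PERSONAL_DISALLOWED",)),
    # On a BYOD device the personal side may still sideload; the work side may not.
    ("unknown_sources",
     ["advancedSecurityOverrides.untrustedAppsPolicy"],
     ("DISALLOW_INSTALL", "ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY")),
]


def _lookup(policy, dotted_path):
    """Return the value at a dotted path such as 'a.b', or None if absent."""
    node = policy
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _is_accepted(value, accepted):
    """Booleans must be the real JSON true (not "true" or 1); strings must match."""
    return any(value is a if isinstance(a, bool) else value == a
               for a in accepted)


def audit_policy(policy):
    """Return a list of (control, observed_values) for every restriction
    that the policy does not explicitly enforce. Empty list means compliant."""
    findings = []
    for control, paths, accepted in CHECKS:
        observed = {path: _lookup(policy, path) for path in paths}
        if not any(_is_accepted(v, accepted) for v in observed.values()):
            findings.append((control, observed))
    return findings


# Constructed sample: a policy that leaves the work data exposed.
WEAK_POLICY_JSON = """
{
  "screenCaptureDisabled": false,
  "crossProfilePolicies": {
    "crossProfileCopyPaste": "CROSS_PROFILE_COPY_PASTE_ALLOWED"
  },
  "advancedSecurityOverrides": {
    "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE"
  }
}
"""

# Constructed sample: the same policy with every listed restriction set.
HARDENED_POLICY_JSON = """
{
  "screenCaptureDisabled": true,
  "outgoingBeamDisabled": true,
  "bluetoothContactSharingDisabled": true,
  "crossProfilePolicies": {
    "crossProfileCopyPaste": "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED"
  },
  "advancedSecurityOverrides": {
    "untrustedAppsPolicy": "ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY"
  }
}
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_POLICY_JSON),
                       ("hardened", HARDENED_POLICY_JSON)):
        findings = audit_policy(json.loads(raw))
        print(f"{label}: {len(findings)} finding(s)")
        for control, observed in findings:
            print(f"  missing restriction: {control} -> {observed}")
```
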

For the personal use of the BYOD devices, a personal Google ID is required, which is also used once for the installation of the UEM app.

iOS 13 vs. Android Enterprise: Where are BYOD scenarios supported better?

_With iOS 13, Apple is now catching up and offers, like Google with Android Enterprise, significantly more security for corporate data and more protection for the privacy of users_ Ulrik Van Schepdael CEO mobco

In contrast to Google, Apple doesn’t use a multi-user approach, but a multi-account approach.

Android Enterprise therefore offers the following advantages:

  • The Google PlayStore for Work serves as a separate app store for business applications, where business apps can optionally be distributed.
  • For professional apps, the Work Profile on Android offers the possibility to implement global settings – e.g. the use of VPN for business apps.
  • With Android, there are no restrictions on device access.
  • The Work Profile can be deactivated after closing time or during vacation and the professional area can be switched off temporarily.

Apple, on the other hand, has advantages compared to Android in other regards when it comes to BYOD devices:

  • Different calendars can be shown all at once in one app.
  • Apple offers per-app VPN functionality.
  • Certain domains can be declared as managed domains. For example, downloaded documents remain in the managed area.

Summary

All in all, iOS 13 and Android Enterprise offer companies completely new possibilities for handling BYOD devices. For more information on iOS 13 and Android Enterprise, please contact us at any time.


Life-Cycle Management: Device-as-a-Service as an alternative to traditional equipment procurement


Working becomes more and more mobile, flexible and time independent. As a result, the number of mobile devices in companies is constantly increasing. But more endpoints also mean additional management, maintenance and operational effort for IT teams. One way of relieving the burden on companies can be to use a so-called “Device-as-a-Service” (DaaS) offer.

IT service providers in the enterprise mobility environment are increasingly incorporating this into their product portfolio and are thus following the trend “Using instead of owning”.

Using instead of owning

Consumers want to be able to use more and more products and services flexibly. But this is only affordable if they no longer possess all things themselves. Many industries have already recognized this change and reacted to it by adapting their offerings. The entertainment industry with streaming products such as Netflix or Spotify and the automotive industry with car sharing models – to name just two of many successful examples.

With regard to enterprise mobility, this development is particularly evident in the fact that companies are increasingly and deliberately avoiding the purchase of their own hardware devices for their employees. Instead, they choose to use devices provided by an external service provider, ideally rounded off with additional services, up to complete administration.

_Property and possessions are always associated with responsibility and additional expenditure. Companies also increasingly want to avoid this and rely on a holistic lifecycle management of devices_ Markus Adolph Founder and Managing Partner EBF

Comprehensive support – throughout the life of the device

Companies can take advantage of services that cover all phases of the use of the equipment: from purchase, through use, administration and maintenance, to disposal or replacement. In this way, companies relieve their own IT resources and ensure greater efficiency and productivity in the company through lifecycle management.

Possible components of the service:

  • Provision of the device, equipment & their first delivery
  • Commissioning and setup of the device – incl. applications and contents
  • Delivery to and instruction of the employee
  • Securing a device warranty
  • Equipment maintenance and replacement service
  • Return, data privacy compliant deletion and recycling of equipment at the end of its service life
  • Insurance options in the event of damage, accident or theft

How the Device-as-a-Service offering is structured in detail varies from provider to provider.

_We can put service packages together individually for every company. This gives us the opportunity to find a solution for its specific needs and expectations._ Thierry Lammers CEO Blaud

Clear advantages – financial flexibility and modern equipment

The equipment remains the property of the service provider for the entire period of use. Services can usually be variably adapted and flexibly changed. Financially, companies remain flexible due to low costs: a monthly service fee is due for the device and its accessories – for a pre-defined period of time. There are no upfront investments (CAPEX) or connections, repair and disposal costs.

Thus, the overall operating costs (OPEX) are significantly lower, and the saved budget can be used elsewhere. In addition, by using the Device-as-a-Service offer, companies can enable their employees to work with the latest technological equipment and replace it with the latest technology on a regular basis.

Advantages of the Device-as-a-Service approach:

  • Improved cash flow: lower investment and operating costs compared to acquisition and operation by the company
  • Relief for your own IT department: increased efficiency and productivity through outsourcing of tasks, reliable support and permanent contact persons
  • Satisfied employees: use of state-of-the-art technical equipment


_Companies today want to become more flexible and independent and be able to react more quickly to changing conditions. This touches more and more areas and affects, among other things, the procurement of equipment. We have recognized this need of our clients and are responding with a suitable offer_ Ronan Murphy Managing Director CWSI

For which companies is lifecycle management of devices particularly suitable?

_The Device-as-a-Service offer, especially for large and medium-sized enterprises, offers the advantage of enabling employees to work with the most modern technological equipment while at the same time being and remaining financially flexible_ Ulrik Van Schepdael CEO mobco

Choosing a suitable provider

Companies should seek a provider that can understand their current mobility strategy and that has the requisite know-how to incorporate this equipment seamlessly into the IT environment.

_When selecting a suitable lifecycle management provider for your company, you should make sure that it offers different runtimes and that you can put together package contents and services individually. Main focus should always lie on end user centric packages (“Happy User”)_ Philipp Klomp Founder & CEO Nomasis


Relevant trends of MobileIron Live! 2019: IT security as a big challenge


IT security poses major challenges for all companies and is therefore also of central importance for technology providers. This became clear during the event and is also reflected in the choice of topics.

Simon Biddiscombe, CEO of MobileIron, pointed out an increase in cybercrime and the associated costs:

_Despite growing investments in IT security products, 2 out of 3 companies were already affected by a security attack._ Simon Biddiscombe CEO MobileIron

Topics such as zero trust, a passwordless future and IT security that concerns everyone were therefore discussed intensively at MobileIron Live! 2019.

1. Zero Trust

Zero Trust stands for a concept that proposes a new way to ensure IT security.

As the term Zero Trust implies, it is assumed that no user, device or application service should be trusted within or outside of one’s own network. The intention is not to distinguish between internal and external sources, which is a novelty in contrast to current practices. Every user or device should be mistrusted in principle, so that authentication must be checked for every interaction.

_The Zero Trust concept represents a paradigm shift for IT departments. As an IT consulting and service company, we analyze different approaches, compare them and align them with the requirements of our customers and technological developments. Here, we are constantly working together with our technology and EMEA partners to provide our customers with the best possible solutions._ Bastian Klein Head of Business Development and Marketing EBF

2. Passwordless future

Due to current technological developments, passwords alone are no longer a sufficient means of protecting data. Two-factor authentication (2FA) is considered much more secure, in which two independent login components are queried, so that cyber attacks are unsuccessful if hackers lack the second authentication component. The development of technologies now points to a passwordless future in which the device is at the center of identity.

_MobileIron is taking a big step forward with its updated zero-password strategy and will challenge other specialized authentication players with its solution._ Martin Blattmann Deputy Managing Director Nomasis

3. IT security concerns everyone

All enterprise mobility technology is not just about making device management and security easier for IT teams. Rather, it puts us in a position where it is easier for more people to use their own devices and work more securely through continuous controls, authentication, and better risk knowledge. In the future, IT security should be better understood and actively implemented by employees so that everyone can play a part in ensuring that company data is protected and employees can work securely.

_To ensure IT security in companies, it is not sufficient to invest only in IT products and measures. The company’s own employees are an equally important linchpin. IT security can only be implemented in the Digital Workplace, the workplace of the future, if they are made aware of the issue and are prepared to assume responsibility for data-protected and secure work on their own in the long term._ Adam Monks Marketing Executive CWSI

The Enterprise Mobility Expert Alliance at MobileIron Live! 2019


Customers and partners get to know the EMEA partners and learn about the network’s extensive offerings.

In the middle of May the time had come again: our partner MobileIron hosted MobileIron Live! in Berlin, Germany, and called for the annual meeting of the enterprise mobility and IT security industry. This year, for the first time, the EMEA initiative was an official Gold Sponsor of the event. Together, employees of BLAUD, CWSI, EBF, mobco and Nomasis welcomed partners, customers and other interested parties from the industry. In addition to a reunion with many familiar faces, the event also provided the perfect setting for making new contacts and exchanging views on relevant trends and topics in the industry.

First public successful EMEA participation


For the first time, the EMEA Group’s partners presented themselves to the industry as an expert network in the field of enterprise mobility and can look back on a successful appearance.

_The EMEA Group was well received by our customers and perceived as an added value. Customers are aware that they also benefit from the shared knowledge of the EMEA partners_ Martin Blattmann Deputy Managing Director Nomasis

Direct exchange with customers


In particular, the possibility of open exchange was greatly appreciated by the participants at the event. The discussions between the EMEA partners were just as valuable as the discussions with MobileIron, other technology partners and customers:

_We were able to talk to our customers about their challenges on site and discuss joint solutions with our EMEA partners_ Nienke Roseboom Account Manager BLAUD

Future of the EMEA network


The EMEA initiative took advantage of the industry meeting to also get in touch with potential new partners:

_Such events are always a good opportunity for us to get to know other companies in the mobility sector. As an EMEA initiative, we are always interested in expanding our network with the right partners. This is the only way we can further expand our expertise and knowledge and thus complement our portfolio_ Ulrik Van Schepdael CEO Mobco

The EMEA Academy


EMEA used MobileIron Live! to present its Academy program to the industry. For example, the EMEA partners offer various training courses and continuing education opportunities for mobility solutions. From MobileIron Administrator Class to Office 365 Management to Mobile Security Master Class, there is something for everyone in the course offering.

_The combination of the EMEA initiative allows us to continuously invest in expertise and provide specific training for a wider audience_ Ulrik Van Schepdael CEO Mobco


Single-Sign-On – more user-friendliness and security now also for Android


Single Sign-On (SSO) provides users with convenient access to resources released for them – without compromising the security of sensitive data. After one-time authentication, they can access authorized accounts and applications without having to log on again each time. The logout of all these systems is also possible via a single logout.

For a long time, however, companies could only use the Single Sign-On option for iOS devices. Android users were forced to sacrifice convenience due to a lack of Kerberos support, which limited usability and compromised security.

That has now changed. We’ll show you how Hypergate can help you give your employees easy access to relevant resources on Android devices.

The dilemma of comfort and safety

_When choosing access data, a balancing act between convenience and security is required. We help our customers meet this challenge_ Thierry Lammers CEO BLAUD

On the one hand, passwords must be secure and ideally vary for each portal to ensure that sensitive data is adequately protected. On the other hand, users must be able to remember their access data easily – which is difficult with complex passwords and a large number of portals.

Single Sign-On for greater user-friendliness and security

Access via Single Sign-On is the perfect solution for this: after one-time authentication, all subsequent accesses by an authorized device give users direct access to shared resources, even if they use different credentials. It is no longer necessary to enter a user name and password. The identity of the user is confirmed via the Single Sign-On portal.

Access without SSO

  1. Launching the platform
  2. Entering the username
  3. Entering the password
  4. If necessary, reentering the password in case of incorrect entry or resetting of the password
  5. Use the platform

Access with SSO

  1. Launching the platform
  2. Use of the platform

_This considerably increases the user-friendliness for the account owner, relieves IT by reducing the number of password reset requests at the help desk and prevents users from resorting to light passwords for convenience, using them several times and thus endangering the security of sensitive data_ Ulrik Van Schepdael CEO Mobco

Conversely, a user can also be separated from all resources by Single-Sign-Out with a single log-out.

_This allows sensitive data to be protected in the shortest possible time in the event of a hacker attack or if the employee leaves the company. We consider fast action enormously important here_ Ronan Murphy Managing Director CWSI

The advantage of Single Sign-On can otherwise become a major disadvantage and give an attacker access to a large number of accounts.

After iOS, Android now joins the list

Active Directory is used in many organizations to manage users and uses the standard Kerberos protocol for authentication. This is supported by iOS, but not by Android. So far, companies could only use Single Sign-On for iOS devices and not use a cross-device mobile strategy. Hypergate now closes this gap and is a fast and secure single sign-on solution for Android that enables the use of the standard Kerberos protocol.

Hypergate is easy to configure, implement and deploy: In the backend it can be defined for which applications and users a Single Sign-On is offered, which guidelines apply and whether this should be based on user name and password or on a certificate. The solution is compatible with all leading Unified Endpoint Management systems such as MobileIron, Microsoft Intune, VMware Workspace ONE and BlackBerry® UEM and can be deployed to all employees via the app.

_With Hypergate, we now offer a solution that provides companies with the ability to apply a holistic strategy to their devices and give employees with Android and iOS devices equal access to relevant applications while maintaining full control_ Philipp Klomp Founder & CEO Nomasis

Intelligent policies and multi-factor authentication for increased security

By combining the Single Sign-On option with intelligent policies and multi-factor authentication, security of mobile accesses can be significantly enhanced. This allows policies to be enforced that define that access data entry is not required in secure environments with approved software and hardware.

_This prevents unauthorized endpoints, users and applications from connecting to the enterprise cloud_ Marco Föllmer Founder and Managing Partner EBF


Full control over apps and associated enterprise data


Mobile devices bring flexibility to employees and enable them to work regardless of time and place. While companies require their employees to use certain apps because they are secure and important for efficient work, employees also expect a certain amount of freedom – especially when it comes to using apps. They want to be able to install the apps they are interested in so that they can use the devices for both professional and private purposes. But this is a risk for companies – after all, apps can be a gateway for malicious software and thus endanger sensitive company data.

Organizations must be able to centrally control which applications are installed on a device, which applications an employee can install, and they must be able to easily manage the entire lifecycle of an app: from deployment to update to uninstallation. Mobile Application Management is the keyword here – and this is still comparatively easy with company-owned devices, but much more difficult with private and thus generally unmanaged devices.

Purpose and types of Mobile Application Management

Mobile Application Management (MAM) involves the central management of applications throughout their entire lifecycle – with the aim of securing these and, above all, the associated company data, with a manageable amount of IT effort and without impairing the user experience.

The MAM functions can be provided in two different ways:

  • Mobile Application Management can be part of Unified Endpoint Management, formerly Enterprise Mobility Management, which serves the central management of devices, content and applications and offers significantly more functions in addition to the administration and security functions for applications. The administration of the devices is absolutely necessary for this.
  • Mobile Application Management is also available as a stand-alone solution (MAM only). The administration and security functions are integrated directly into the app. An administration of the devices is not necessary for this.


Mobile Application Management as part of Unified Endpoint Management for enterprise devices

With enterprise devices, companies can centrally manage and secure devices, content, and even applications using Unified Endpoint Management (UEM). All functions related to applications are combined under Mobile Application Management and take place at the device level.

_The prerequisite is therefore that all devices are managed centrally, which makes it difficult to use for private devices and those of freelancers. Because their privacy must not be compromised – and this applies to both private and company equipment_

Ulrik Van Schepdael
CEO
Mobco

Mobile Application Management as part of Unified Endpoint Management offers the following functions:

Administrative functions:

  • Implementation of an Enterprise App Store to distribute mandatory or optional applications – including own apps as well as approved apps from the Public App Stores
  • Use of payment and licensing mechanisms for apps and license management (e.g. the Apple Volume Purchasing Program)
  • Configuration, installation, update and uninstallation of applications
  • Monitoring the app status

Safety functions:

  • Securing apps through policies, encryption, VPN technology, multi-factor authorization or single sign-on
  • Introduction of data loss prevention controls to prevent unauthorized disclosure of company data (limitation of file opening to authorized applications and limitation of copy and paste functions)
  • Option to selectively delete enterprise apps and data in the event of device loss, theft, or non-compliance

Further functionalities:

  • Most Unified Endpoint Management systems have deep integrations with OS apps or offer custom applications for standard tasks such as email, contacts, calendar and browser that meet high security criteria.
  • The UEM systems offer management frameworks – such as AppConfig – that can distinguish between professional and private apps and data.
  • In addition, the UEM systems usually also provide software development kits that make it possible to add a security component to company-internal applications.


Mobile Application Management as a stand-alone solution for private and unmanaged devices

Companies can exert less influence on employees’ private equipment and freelancers’ equipment than they can on their own.

_Companies may not fully manage such equipment, unless the employee expressly consents, and exactly as with company-owned equipment may not touch private information in any way_

Ronan Murphy
Managing Director
CWSI

Does this mean that companies on unmanaged devices have no control over applications that affect professional data?

Or can apps also be controlled on devices that are not managed by IT?

The answer is: Yes. The MAM functions can also be used as a stand-alone solution on private, unmanaged devices. The corporate apps are either separated from the private applications by a container that can be controlled by the IT and secured with high security standards, or by a software development kit that integrates the management function directly into the app and ensures a secure configuration of the respective apps.

Companies can use it to perform the following functions:

  • Definition and enforcement of minimum requirements that a device or app must meet to run the app (e.g. version of operating system and app)
  • Jailbreak/Root detection

A registration of the devices is not necessary for this.

_For businesses, this is a great added value, as even non-enterprise devices are often used professionally and access sensitive data_

Philipp Klomp
Founder & CEO
Nomasis

However, app development and deployment take a little longer and MAM functions cannot be integrated into every app.


Software Development Kits for proactive protection also for customer data?

Some vendors even offer Software Development Kits (SDKs) that enable companies to add a security component to their own apps and proactively protect customer data. This component ensures that an app can no longer be executed as soon as a risk is detected on the customer’s device.

_In this way, companies can protect their customers’ data even if the user does not have security software on the mobile device. Especially for apps that manage sensitive data, this protection is a great added value_

Markus Adolph
Founder and Managing Partner
EBF


App management in the future

_In the future, both containers and Software Development Kits will no longer play a role. Instead, all operating systems will support a multi-user approach that securely separates professional and personal applications and data_

Thierry Lammers
CEO
BLAUD

Expertise for efficient and effective app management

In companies, there are various players involved in app management and security: IT administrators on the one hand, developers on the other, and data protection and security officers in the middle. As a rule, they have different areas of interest, responsibilities and levels of knowledge in this area. Therefore, companies are well advised to consult the expertise of an app management expert.

Feel free to contact us and let us advise you on optimal application management

_How to change Unified Endpoint Management – simply and efficiently


Unified Endpoint Management is a non-negotiable requirement for many companies. It helps them manage their end devices efficiently, and makes mobile working a reality for their employees. And yet, once a company has introduced this kind of system, it can seem far too much effort to change over to a new system. Not least because this would mean transferring a large number of devices over to the new system, and doing this quickly, seamlessly, with minimal outlay, and without affecting users in the interim.

EBF Onboarder is the perfect tool for doing exactly this. Thanks to a largely automated process, EBF Onboarder enables companies to switch quickly and easily to one of the leading UEM systems, requiring little effort on the part of the end users or their IT departments.


Why do we need a UEM system in the first place?

Companies are finding managing end devices an increasingly complicated and laborious process. On one side of the equation, employees need rapid and straightforward access to key business data and applications, but this is balanced by the need to meet strict data protection requirements and protect the devices from third-party attacks.

The aim of Unified Endpoint Management (UEM) is to manage and protect all end devices, including their content and applications – from initial registration right through to deactivation. Employees are granted controlled access to relevant data and applications, making mobile working a reality while maintaining the highest safety standards and with reasonable IT outlay. This in turn leads to huge gains in productivity and agility.

_Why might we need to change systems?

There are many reasons why it might be necessary to change UEM.

  • Technological developments: suppliers’ systems are changing all the time, reflecting the transition from Mobile Device Management to Enterprise Mobility Management, and then to Unified Endpoint Management. The integration possibilities of the various solutions into existing infrastructures and ecosystems differ fundamentally.
  • Technological interaction: the various UEM systems work particularly well with different ecosystems and different types of software. If a company extends the functions or changes the software supplier, it may be worth considering changing UEM system.
  • Consolidating systems: when companies merge, it’s not inconceivable that the resulting group may end up with a number of different UEM systems. When this happens, consolidating the systems is eminently sensible.

_EBF Onboarder has a range of uses. It’s an invaluable tool for migrating, consolidating, and changing from an on-premise to a cloud solution, or to a hosted UEM system_

Marco Föllmer
Founder and Managing Director
EBF

_A large number of UEM source systems can be migrated to the leading system

The migration process can be initiated from a whole range of different systems. For example, EBF Onboarder can be used if a company is currently using CITRIX XenMobile, jamf, MaaS360, SOPHOS, Good, or SOTI. Possible destination systems include popular solutions such as MobileIron, Microsoft Intune, VMware Workspace ONE or BlackBerry® UEM. It even supports changing from an on-premise to a cloud solution.


_How does the process work?

The EBF Onboarder platform allows you to prepare for the changeover with minimal effort. An administrator specifies the destination system, selects the devices to be migrated, informs users of the upcoming changes and provides them with a link to start the migration. Users can then initiate the process on their mobile device at a suitable time, and are guided through the intuitive steps in the process. Changing to the new UEM system takes a matter of minutes, with administrators on hand to monitor the status of the process via the platform throughout. This is a great way to effortlessly migrate even large numbers of devices.

_Advantages of EBF Onboarder

  • Optimization of resource utilization: The automated process frees up resources in the IT department. Fewer manual steps and less support are required.
  • Time savings: The migration per device is done within a few minutes.
  • Cost savings: Downtimes and the risk of errors are minimal.
  • User-friendliness: Users initiate the migration once their time allows and are not forced to act immediately. The process can be done intuitively.
  • Reporting: Migration status is included. IT managers are able to track the overall progress of the migration at any time through an overview of pending, done and failed migrations.

_Manual migration vs Automated migration with EBF Onboarder

Manual

  01. IT admins configure the new UEM system
  02. IT admins prepare a guideline for users in order to guide them through the migration
  03. Users are provided with the guideline
  04. Users go through the guideline and try to follow the steps
  05. Users have trouble with the migration process and contact the help desk
  06. The help desk spends some time solving the problem
  07. The user continues and finalizes the migration
  08. IT admins know only how many devices have been migrated; they can’t tell which devices have been migrated
  09. All users need to be contacted to remind them of the migration

Automated

  01. IT admins configure the EBF Onboarder and specify the destination system
  02. Devices to be migrated are selected
  03. Users are provided with a link to start the migration
  04. Users initiate the process and go through some migration steps
  05. IT admins monitor the status of all devices to be migrated
  06. Users who have not yet migrated can be contacted automatically after a certain time

We have already successfully migrated more than 550,000 devices – with a scope of 500 devices as well as with a scope of 100,000 devices. Are you considering changing your UEM system? No problem – we’re here to help.

EMEA – Move your mobile strategy in the right direction: be proactive, not reactive


Mobile devices have an important role to play in the digitalization process and can open up a whole host of new opportunities for businesses. Employees are able to access relevant data such as production times and delivery deadlines straight from client meetings. They can write e-mails and set up meetings while on the go. Factory workers can report damage details if they find a defect in a machine, show it via video conference and retrieve information about spare parts.

Yet this throws up many challenges, not least because of the strict requirements regarding usability, data protection, and security. Cyberattacks and data leaks are becoming increasingly frequent. They pose a significant risk, as mobile devices offer access to sensitive data that could wreak serious havoc if it fell into the wrong hands.

Nevertheless, experience shows that businesses still view the security of desktop computers as their number one priority, and this needs to change. Instead, companies should focus on developing an IT strategy specifically tailored to mobile devices that follows the Mobile First approach. Learn from the experts at BLAUD, CWSI, EBF, mobco and Nomasis about how to design a mobile strategy, with a focus on security aspects.

Security weaknesses:

According to IDC analysts, only 19% of businesses currently have an underlying or largely strategic IT security concept. Around 40% tend to tackle the problem on a tactical basis: while they have solutions for individual critical situations, they have no long-term plan for preventing such situations from happening in the first place. Ultimately, they are taking a huge risk considering the ever-increasing threats facing mobile devices.

_1. Analysis

Carry out analyses to establish how your mobile landscape is currently set up and assess its maturity level. The number of devices, the purpose of use, the sensitiveness of data and other factors play an important role here. Find out which questions you need to answer here.

_2. Concept

Draw up a concept for mobile devices based on this analysis. Learn who should be involved, how to ensure a degree of flexibility and how to define the right budget here.

_2.1 Security concept

The security concept for mobile devices forms a hugely important part of your mobile strategy. It must be based on the company’s general security guidelines and contain aspects like password policies, update and app guidelines as well as encryption standards and countermeasures in case of a cyberattack. Find out what you need to consider here.

_2.2 Device concept

Determine whether your employees should bring their own devices for business purposes or whether you provide them with company devices. If so, define the device type and decide whether they may also be used privately. Read which consequences this decision has here.

_2.3 Process, application and data concept

Define the operations employees are to perform via their devices, and the applications, interfaces and data they require for this purpose. Classify data according to its protection requirements and specify which applications employees should or should not install.

Why are mobile devices such a risk?

  • Fewer security precautions
  • Used outside company networks
  • Lack of mobile security expertise
  • Difficult to identify attacks (link destinations cannot be identified by hovering your mouse over the link)
  • User errors due to a lack of security awareness or insufficient knowledge in this field
  • Attacks are becoming ever smarter
  • Numerous potential gateways for cyberattacks (apps, Messenger, Wi-Fi networks, etc.)
  • Private and professional use of devices

_2.4 Technology concept

Decide on the most suitable solution for your requirements. This might be Enterprise Mobility Management, where all mobile devices can be managed on a central basis; container software, in which private and professional applications and data are kept separate; or other, additional security software. Learn how to make the decision and how to switch from one system to another here.

_2.5 Resource and operating concept

Decide whether the solutions need to be installed in your own computer center or in the supplier’s computer center. In the latter case, there is the possibility of using a public cloud solution, which may be used by a number of businesses, or a private cloud solution where a specific service is set up for your business. Read more about the advantages and disadvantages of the different solutions here.

_2.6 Implementation concept

Draw up a detailed implementation concept describing the initial requirements, installation and configuration of mobile solutions, as well as rollout phases, personnel resources and outlay.

_3. Implementation

Now you can put your concept into practice – ideally with the help of an Enterprise Mobility expert. Learn how an expert can support you here.

By applying a mobile strategy in this way, you can make efficient and secure mobile working a reality for your employees, while making the most of the potential offered by mobile devices.
We would be delighted to help you define your requirements, identify and implement the right solution for you, and offer you ongoing advice on your mobile strategy and mobile IT matters.
Feel free to contact us for more information.

_Android Enterprise – Google’s operating system is becoming interesting for companies


According to a Gartner study, the share of Android devices sold worldwide was around 86 percent in 2017. However, companies account for only a small proportion of this, as, according to Egnyte, around 83 percent of all mobile activities performed by employees are carried out using Apple devices. Many companies continue to depend on Apple for their smartphones and tablets because security concerns about Android, Google’s operating system, remain considerable. These concerns are no longer justified, as Android devices are now very well suited for corporate use. With its Android Enterprise initiative, Android is now offering new functions that ensure greater security and scope for personal customization.

While the initiative initially struggled to gain momentum, with the rebrand from Android for Work to Android Enterprise and a renewed focus, Google is now meeting the higher security requirements of businesses – both for company-owned devices as well as for those that employees bring with them (BYOD).

This blog post reveals what new functions Android Enterprise offers and how companies that have previously relied on Android can switch from “Device Administrator” to the new system. Companies that wish to remain effective should make this switch urgently.

Android vs iOS: How are updates dealt with?

Fragmented environment: Android is an open system that gives device manufacturers and app developers a great deal of latitude. The number of devices and apps is therefore correspondingly high, meaning that new updates and apps need to be customized for a large number of devices. This often means a long wait for updates that are then only offered for a limited period.

Clear setup: iOS, on the other hand, is a closed system that is available for a limited number of devices. Updates can therefore be offered faster and for a longer period, and apps can be developed more easily, allowing security gaps to be closed a lot faster.

_Android Enterprise Recommended – A seal of approval for devices

Google collaborates closely with device manufacturers to identify devices that meet the high demands of businesses.

_Manufacturers choose to submit their devices for validation. Devices that comply are awarded the ‘Android Enterprise Recommended’ seal of approval. This shows companies that they are especially suited for corporate use and provides useful guidance_

Markus Adolph
Founder and Managing Partner
EBF

The seal is available for knowledge work and rugged devices. The latter is a category that Google has added in order to provide guidance to manufacturers who use mobile devices to digitalize their production processes.

Certified devices of both categories must meet minimum requirements with regard to performance, integrability and security. For example, they have to support Android zero-touch enrollment (i.e. the automatic roll-out of devices), security updates have to be made available within 90 days of release, and it must be possible to manage them using an EMM. Rugged devices also have to be certified for ingress protection and rated for drop testing, as they need to withstand harsh conditions, and security updates have to be available for a period of five years following the launch of a device. Read more about all requirements here.

Knowledge work devices that have received such approval include: BlackBerry Motion, Google Pixel, Huawei Mate 10, and Sony Xperia XZ2. Rugged devices that have received such approval include: Dolphin™ CN80, Sonim XP8 and Zebra Technologies TC75x. You can find a complete device list in this link.

_Android zero-touch enrollment – Simple roll-out of devices

Rolling out mobile devices causes considerable work for corporate IT departments, as all the devices need to be configured to meet the company’s specifications, or employees need to be instructed and supported to do this themselves.

Android zero-touch enrollment enables smartphones and tablets to be automatically connected to an Enterprise Mobility Management (EMM) system that manages and protects them the very first time they are set up. This eliminates the need for manual software downloads, installation and registration. Administrators purchase devices from an authorized reseller who provides access to the Android zero-touch enrollment platform, where they establish a connection to the EMM, define the settings and specify the serial number of the devices.

_The device connects to the EMM as soon as the user boots it, allowing users to use the devices in the way the company intends within a very short space of time_

Ronan Murphy
Managing Director
CWSI

_Managed Google Play Store – Complete control over apps

The Managed Google Play Store is a managed version of Google’s Play Store that can be integrated into an EMM. Here, administrators have complete control over the apps that are offered and can disable the ability to install apps from unknown sources by default. The Managed Google Play Store ensures only applications approved by administrators may be installed into the managed environment.

_This prevents any personal application being downloaded alongside corporate and protects against data leakage_

Thierry Lammers
CEO
BLAUD

_Android Management API (Beta) – easy connection with an EMM

Until now, it has been difficult to control Android devices via an EMM because a control app was needed – the Device Policy Controller. Its development was complex and time-consuming. The Android Management API, which is currently still in the beta phase, will help to manage devices in the future and to implement all functions and updates of Android promptly. Device Policy Controllers will continue to be supported in future, as they offer EMM vendors a level of customization and flexibility that the AMAPI solution does not.

_Kiosk mode

Android devices can be used as payment terminals, digital signs or informational kiosks. To control these devices, companies can use the kiosk mode, which makes it possible to lock an app to the screen. Before Android Pie, only one app could be locked to a device and a custom launcher was needed to switch between different apps.

The new kiosk mode enables IT admins to lock multiple apps to a device and to switch between them with the help of a dedicated launcher. And it also allows IT admins to limit access to device options, to block error messages when the kiosk mode is turned on and to customize the user interface (including the ability to hide the home button, the power button etc.).

_Switching from Device Administrator to Android Enterprise

Businesses that already deploy Android devices generally use “Device Administrator” to manage their devices. This will only be supported until Android Pie, which has been available on Google Pixel devices since August and is now also available on the first Huawei devices. However, not all functions – such as the compulsory password – will still be available in the subsequent version (Android Q 10.0), announced for 2019, and important applications need significant adjustments.

_We therefore recommend that all companies should plan to migrate to Android Enterprise in good time as it will no longer be possible to manage them via an EMM as soon as Android Q 10.0 becomes available_

Philipp Klomp
Founder & CEO
Nomasis

Google has therefore significantly improved its offering for companies with its Android Enterprise initiative, gaining ground in terms of security.

Expert recommendation

Migrate from Device Administrator to Android Enterprise preferably before the end of 2018 to continue to be able to use all functions and to make necessary adjustments in good time.

_Android devices can be deployed in companies without any concerns, provided they are managed appropriately_

Ulrik Van Schepdael
CEO
Mobco

This development is good news for businesses, as they can now choose from a substantially larger number of mobile devices that are sometimes significantly cheaper. This means that the right device can be found for every requirement. And the “Android Enterprise Recommended” seal of approval provides excellent guidance.

Please contact us if you would like advice on the deployment of Android devices or assistance in switching from Device Administrator to Android Enterprise.

_Corporate data under threat from phishing attacks


An e-mail with the request to “Please click here to confirm your data” or a fake landing page – these are the types of tricks scammers repeatedly use in their attempts to steal sensitive user data. So-called phishing is and remains one of the greatest security risks of the digital era.

Security experts from Mobco, Nomasis, CWSI and EBF explain why phishing constitutes such a threat, and how companies can protect themselves and their employees from being caught.

Phishing

/ˈfɪʃɪŋ/

The name is derived from the word fishing, i.e. angling. The bait is a bogus landing page, e-mail or text message. One very common trick, for example, is an e-mail informing the user that their account information and access data (e.g. user name and password) are no longer secure or up-to-date, and that they need to change them following the link in the e-mail. However, the link doesn’t lead them to the original page of the relevant service provider (e.g. the bank), but to a website that has been set up by the scammer.


_Is phishing a threat on mobile devices?

In a regular office environment, the security officer can control attacks by using high-performance network security measures. However, we usually don’t have these on mobile devices.

So yes, phishing is probably the most dangerous attack method on mobile to date. And it is also far more complex for the user to identify a fake website or app on a mobile device, which heightens the risk even further.

Björn Kemps
Director Business Development
mobco


_Many people are aware of phishing attacks that are carried out by e-mail. Do people also have to be careful when using other channels?

Yes, unfortunately they do. While phishing e-mails are the most frequent channel used to propagate phishing attacks, other methods have now been developed, such as attacks via text messaging or Facebook messages. And this is especially insidious, as the victims are convinced they are communicating with a friend and don’t suspect anything untoward is happening. They follow the link that the supposed contact has sent and fall straight into the trap.

On the other hand, scepticism now tends to be somewhat greater. The biggest danger is that new phishing methods are constantly being developed.

_Where do we need to be especially vigilant?

The main threat is in WiFi networks, because it’s especially easy to place fraudulent landing pages there. And to reach them, you don’t even have to click on a link that you might judge to be dangerous. In addition, special equipment can be used to read the data of all users located in the same network.

Philipp Klomp
Founder and CEO
Nomasis


_There are obviously enough points of attack. But how can companies protect themselves and their employees from cyberattacks?

In the first place, they need to have a sensible password policy. Users should not just use a secure password but, ideally, a different password for each platform. In case of misuse, this prevents criminals from being given access to a wide range of sensitive data.

If possible, companies should look to two-factor authentication, which, in addition to the input of user data, also requires a second step, for instance a text message code to be entered that is sent to the user’s cell phone. This raises security for an account enormously.

Secondly, in addition to a smart password policy, there are also a number of different solutions that support device security and guarantee protection for company data in the event of misuse.

_What solutions are available in this case?

Companies should seek to ensure the security of their mobile fleet across the board. It is advisable, for example, to implement Enterprise Mobility Management, or EMM for short, that can manage all mobile devices. It can be used to enforce security standards – for example the password requirements described above – and to protect company data in the event of attack.

Container solutions, which separate company data and apps from other data, also offer the possibility to delete sensitive data from a device in the event of a cyberattack. There are also several special solutions that can help you to take preventative measures against app, web, device and network-based threats, to detect mobile attacks and to take countermeasures in case of an attack.

Additionally, they can help to block malicious destinations before a connection is established, monitoring login data and warning the user immediately in the event of misuse. In the past, we could only rely on employee awareness to avoid mobile phishing attacks, but these days we have technology to help us prevent such incidents from happening.

Ronan Murphy
CEO
CWSI


_What do employees need to bear in mind to protect themselves from phishing attacks?

As a basic rule, always be alert. Any e-mail or text message calling on you to open a link and enter your data is more than just a little suspicious. For this reason, always navigate to a website via your browser, and only then log in to be certain that you are accessing the right address. Also make sure the page is encrypted; if https is in the web address, it’s a secure connection.

A common indication of a phishing e-mail is also in the way you are addressed. Since these e-mails are sent out as mass mailings, you will often just see a generic salutation. Your bank would know your name and use it to address you.

Marco Föllmer
Founder and Managing Partner
EBF

_You already mentioned the subject of WiFi: how can people protect themselves when using a public WiFi network?

It’s not so much a question of protecting yourself but more one of avoiding public WiFi networks. If this is not possible, people should avoid using sensitive platforms when logged into a public WiFi network – such as online banking portals, for example.

Markus Adolph
Founder and Managing Partner
EBF

Please do not hesitate to contact us if we can assist you in securing your mobile devices.

EBF Status Check