List Price: $6/month per managed device
No matter who owns them, unsecured iPhones, Android-based smartphones, and Windows Mobile devices can jeopardize business credentials and data. IT-issued BlackBerries have long been popular because employers could enforce strong security on them. But increasingly, workers are using their own consumer smartphones for business, forcing employers to consider alternative acquisition, management, and security strategies.
Some businesses squeeze these "employee-liable" smartphones into Microsoft Exchange, using ActiveSync (EAS) to check a few settings or invoke remote wipe. However, comprehensive control requires much more: specifically, a versatile Mobile Device Manager (MDM) that can provision, track, and enforce policies and programs on many different kinds of smartphones, independent of ownership.
AirWatch is no device management newbie. Parent company Wandering WiFi manages 30,000 access points at 8,000+ commercial hotspots. And AirWatch software already runs on custom servers and dedicated appliances at customer sites and AirWatch data centers, managing hundreds of thousands of mobile devices. These WLAN and WWAN device management offerings are supported 24/7 by AirWatch's Atlanta NOC.
In this review, we focus on AirWatch's Software-as-a-Service delivery option. Specifically, we tested turn-key MDM packages purchased directly from the AirWatch Store and activated immediately, without any hardware installation, integration, or customization. Each smartphone user simply downloads an agent that registers itself with AirWatch. Subscribers can then manage all registered smartphones through the AirWatch console, a scalable service running "in the cloud" on multi-tenant platforms at redundant data centers.
Currently, three turn-key packages can be purchased through the AirWatch Store.
- The AirWatch Basic package ($2/month/managed device) delivers fundamental mobile asset tracking capabilities, including real-time device status, statistics, alerts, and reports. This can provide quick visibility into employee-liable smartphone use.
- The AirWatch Professional package ($4/month/device) adds remote support and trouble-shooting features like central access to each managed device's files, processes, screen, system tools, network interfaces, and remote control. This can assist help desks struggling to diagnose problems on employee-liable smartphones.
- The AirWatch Enterprise package ($6/month/device, reviewed here) adds device provisioning, bulk management, and application control to Professional. We reviewed this package because employers can use it to centrally configure and enforce security policies on employee-liable smartphones, although what can be accomplished still depends on OS type.
We did not expect these turn-key packages to deliver everything possible from a custom install, and they don't. Notably, when we started our review, trials were only offered for Windows Mobile and iPhone OS 3.x devices. An iOS4 AirWatch agent was posted at the iTunes AppStore in July, but will not be fully supported by the AirWatch console until August. [Stay tuned for our review in August.]
According to CEO John Marshall, AirWatch agents also exist for BlackBerry, Symbian, and Android smartphones. For example, the AirWatch BlackBerry agent enables asset tracking, but not BES-like provisioning. An AirWatch Android 2.2 agent with similar capabilities is under development. However, these agents cannot yet be ordered through the AirWatch Store.
Bottom line: If you only need Windows Mobile or iPhone 3.x, head to the AirWatch Store. Otherwise, contact AirWatch to discuss your OS/version needs, negotiate compatible services, and (optionally) arrange for any desired enterprise integration (e.g., ActiveDirectory enrollment).
The AirWatch console provisions, secures, and monitors all registered devices in a consolidated fashion, minimizing (but of course not eliminating) differences between mobile OS's. However, due to trial agent availability, we started by managing Windows Mobile devices.
The AirWatch service is built upon the Odyssey Athena platform. Thus, the first thing a Windows Mobile user does is establish Internet access, open Pocket IE, browse a supplied URL, and download the right .cab file (2003, 4.x, 5.x, 6.x). The download installs the agent, requiring just one user input: a location group (see console screen capture below).
After installation, we never noticed this Windows Mobile agent -- except when we wanted to. For example, using the Professional package, we could send messages to be displayed on unlocked managed devices. Using the Enterprise package, we could push new apps to devices, optionally prompting users to select from a list of available products. In other words, AirWatch enables over-the-air (OTA) admin interaction with remote users, but is not otherwise intrusive, a critical characteristic on employee-owned smartphones.
Under the covers, the agent maintains contact with the AirWatch console over any available Internet data connection (e.g., Wi-Fi, 3G). Traffic routinely exchanged over this IP tunnel appeared minimal, an important consideration for metered 3G users. Running AirWatch did reduce our mobile's battery life a bit, but that impact varies by device and network type.
Back at the console
After placing your AirWatch Store order, you will receive an email containing a multi-tenant Web admin portal URL, a unique admin login and location group, a Management Manual URL, and agent download instructions. We successfully used this SSL-secured portal from IE and Firefox but could not do so from an iPhone or iPad due to the portal's use of Silverlight.
The portal is cleanly divided into five areas: Home, Location, Devices, Monitor, and Configure. Home starts with a roll-up of location group health (# devices active, inactive, errored), with drill down into subgroups that can represent geographic or organizational units. A search bar can also be used to jump to any device or location.
According to AirWatch, this tiered GUI can navigate thousands of managed devices, using role-based access controls to constrain each admin's views and actions. For example, although we tested a multi-tenant trial portal, we could only see devices registered to our account and menu items included in our AirWatch Enterprise package. During our month-long trial, this portal threw perhaps half a dozen errors, all resolved by a page refresh.
Other Home menus let you view unacknowledged alerts and scheduled reports. But alerts and reports must be configured before anything appears, a flexible approach that must be configured with care to ensure that important events are seen. For example, every admin responsible for surveillance must set Alert Preference to "display in console" and will then only see alerts triggered by Alert Setup / Routing Policies during a Consolidation Window.
AirWatch alerts are succinct and largely reflect device health (e.g., low battery/signal, high memory use, device down > 1 hour or 10 minutes, provisioning error). Reports deliver richer detail, generated on-demand or scheduled in six handy formats. For example, we used PDF reports to diagnose provisioning failures. Additional reports include detailed hardware inventories, call records, and devices unreachable by WWAN or WLAN and when they were last seen. A smartphone that has not checked in lately or refuses to be provisioned could be detected this way, but we did not spot reports or alerts to flag security events like remote wipe or policy compliance.
These Home panels can deliver overall insight about a fleet of managed devices, but we spent most of our time using AirWatch Device panels, especially the Device Dashboard (below).
Like Home, this Dashboard rolls up and drills down by location group. But here, each managed device is accompanied by status icons and OS-specific actions. For example, click the red X to view only devices that are currently down in the selected location. Or click the blue M to view only Motorola (WinCE) devices. Click any device's name to open an OS-specific Device Control Panel, providing ready access to the MDM actions supported by that device.
The location of any device can be tracked by clicking the Globe icon (current GPS) or Bread Crumb icon (GPS history). Both plot the device's position on a map (below), which can be useful to find a lost device or spot suspicious movement. However, these GPS readings are obtained from managed devices. If a device's clock is wrong (as in this example) or its GPS is disabled, AirWatch cannot display accurate tracking data.
Managing Windows Mobile devices
Clicking Device Details or Device Console brings up a powerful series of panels used to monitor, diagnose, and troubleshoot a remote device. During our trial, this detailed insight and control was only available for Windows Mobile smartphones, not those running iOS 3.x. (Next month, we hope to see how this limitation is lifted by the iOS 4 agent; stay tuned for Part 2 in August.)
Actions that can now be performed using Windows Mobile Device Details include:
- Editing AirWatch attributes for a device (e.g., location, category)
- Browsing a remote device's File Manager
- Remotely controlling and recording a remote device's display
- Sending a message to a remote device (displayed when unlocked)
- Changing a remote device's power-on password or PIN
- Restarting the AirWatch agent or tunnel on a device
- Warm or cold reboot of a remote device
- Wiping a remote device clean (only possible when connected)
The Windows Mobile Device Console can also edit an AirWatch agent's config file or registry, view or stop running processes, register/unregister DLLs, remove individual apps, and view (but not add) certificates. WLAN and WWAN details can be displayed, including signal strength for nearby Wi-Fi SSIDs, 3G network status and QoS, listening ports, and call logs.
AirWatch delivers quite a bit of depth here, although once again, what you can do depends on OS version and device. Clearly, only trusted admins should have access to these actions. Some of these could be very useful for security purposes, such as resetting forgotten PINs or removing unauthorized apps. However, we'd like an audit trail report for these and other actions initiated through AirWatch.
Provisioning policies and programs
There are times when you just need to reconfigure one device. However, to efficiently manage a fleet of devices and deploy consistent policies and applications, AirWatch Enterprise offers device profiling, product provisioning, and bulk management.
To get started, subdivide your account's top location group into subgroups. Location groups can represent geographic, organizational, or functional divisions, however you wish to divvy up views and policies. Attributes associated with each location group can be inherited from parent groups and include min/max password length, complexity, expiration, history, max login attempts, and the lockout period applied when that limit is exceeded.
The next step is to define Device Management Profiles: standard configs for each location group and mobile OS version. Device Management Profiles for Windows Mobile 6.x can specify AirWatch security attributes, network and Mobile Outlook parameters, and Wi-Fi keys. Here, you can enforce device-level encryption, auto-wipe after N failed logins or M days without check-in, and prohibit use of Bluetooth or Wi-Fi. You can also configure one SSID and supply a (remotely rotatable) WEP key or WPA PSK.
To manage software, add or edit Products: bundles of programs, files, and instructions that govern over-the-air download, install/uninstall, reboot, and validation. Products are OS-specific, but can be mandatory or optional. Installation can occur during first device contact (to establish a baseline), next device check-in (for new programs and updates), or immediately. Validation checks determine success or trigger provisioning alerts; details can then be obtained from provisioning reports.
Given Profiles and Products, AirWatch can be used to provision individual devices, filtered device collections, or profiled device groups (above). This gives an employer extensive control over mobile devices by enforcing security settings (PINs, encryption, auto-wipe) and correct program installation. AirWatch does not have a black-list per se, but we used it to remove a banned program from a specified location. AirWatch doesn't provide security features like firewall or malware detection, but could be used to install third-party programs that do.
Bulk management makes it easier to consistently apply settings and programs to profiled groups. However, we found that using these tools correctly requires experience and care, and permission to exert this control. In the end, you may opt to manage Products on enterprise-issued devices, but enforce just a few key settings on personal smartphones. AirWatch makes both possible (subject to OS limitations); how to use this power is up to you.
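To make the provisioning model above concrete, here is a small constructed model (added for this review; not AirWatch code or its API) of how location-group attributes inherit from parent groups and how a profile's password, encryption, and auto-wipe thresholds would be evaluated against each device's reported state. The group names, attribute keys, device names, and check-in dates are all hypothetical.

```python
# Constructed model of location-group attribute inheritance and profile checks.
# Hypothetical code: the attribute keys and group/device names are invented.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LocationGroup:
    name: str
    parent: Optional["LocationGroup"] = None
    attrs: dict = field(default_factory=dict)  # only values set at this level

    def effective(self, key, default=None):
        """Walk up the group tree; the nearest explicitly set value wins."""
        group = self
        while group is not None:
            if key in group.attrs:
                return group.attrs[key]
            group = group.parent
        return default


@dataclass
class Device:
    name: str
    group: LocationGroup
    password_len: int
    encrypted: bool
    failed_logins: int
    last_checkin: datetime


def evaluate(device, now):
    """Return the list of policy findings for one device (empty = compliant)."""
    g, findings = device.group, []
    if device.password_len < g.effective("min_password_length", 0):
        findings.append("password shorter than minimum")
    if g.effective("require_encryption", False) and not device.encrypted:
        findings.append("device-level encryption not enabled")
    n = g.effective("wipe_after_failed_logins")
    if n is not None and device.failed_logins >= n:
        findings.append("failed-login wipe threshold reached")
    m = g.effective("wipe_after_days_no_checkin")
    if m is not None and now - device.last_checkin > timedelta(days=m):
        findings.append("check-in wipe threshold reached")
    return findings


def sample_fleet():
    """Constructed sample: a root group, a stricter 'Sales' subgroup, two devices."""
    root = LocationGroup("Corp", attrs={"min_password_length": 4,
                                        "require_encryption": True})
    sales = LocationGroup("Sales", root, {"min_password_length": 6,
                                          "wipe_after_failed_logins": 10,
                                          "wipe_after_days_no_checkin": 7})
    now = datetime(2010, 7, 15)
    devices = [Device("wm6-001", sales, 6, True, 2, now - timedelta(days=1)),
               Device("wm6-002", sales, 4, False, 10, now - timedelta(days=9))]
    return {d.name: evaluate(d, now) for d in devices}
```

Note that the checks run on state the device itself reports at check-in, so a device that never checks in (or reports a wrong clock, as with the GPS example earlier) can only be caught by the "days without check-in" rule, not by the others.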
The next review
Thus far, we have described turn-key packages available from the AirWatch Store, focusing on Windows Mobile. During our trial, we also managed a couple of iOS3.x devices, but we have not described those experiences because we prefer to wait for iOS4 to be fully supported. So check back next month for Part 2, where we'll dig into managing Apple iPhones, iPads, and iPods.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A frequent contributor to eSecurityPlanet, Lisa has been an avid user of wireless mobile data devices and services for 15 years.