13. Choices
• Mobile Device Management (MDM) applies enterprise policy to the device as a whole
  – PIN, wipe, VPN etc.
• Mobile Application Management (MAM) focuses on the business apps ON the device
  – App store, security added onto binaries either through SDK or 'wrapping'
18. Productivity vs time
[Chart: productivity (y axis) against time (x axis), from 'hired' to 'fired', with an 'ideal' line and a 'reality' line. Speech bubbles along the reality line: 'Well I guess I can play Angry Birds until IT sets me up', 'Now what was my password again??', 'Whoa, I can still login!']
19. GTD Requirements
1. Initial GTD - Quickly get new employees up and running with the applications their role demands
2. Ongoing GTD - Provide employees a single sign-on experience in day-to-day work
3. Stop GTD - Reduce/remove permissions when necessary
23. Partitioning for privacy
1. Divide the phone in 'half' – one side for business applications & data, another for personal
2. IT's mandate is to manage & secure the apps & data on the business side
3. IT has no mandate (nor, hopefully, desire)
27. Protecting the data
1. Ensure that user/app can access only appropriate data
   – Authorization based on role
2. Protect data in transit
   – SSL [slide label: IDM]
3. Protect data on device
   – PIN, Encryption
4. Remove access to data when appropriate [slide label: MAM]
   – Wipe stored data (or keys)
   – Revoke access to fresh data
[slide label: MDM]
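The following is an added example, not code from the slides, modelling controls 1 and 4 of this slide (and the summary's "provision tokens via IdM" and "apps use tokens on API calls") with a small in-memory IdM, business API and device. Tokens are HMAC-signed so the API can trust the role claim; offboarding revokes the user's tokens (no fresh data) and wipes the business-side cache (no stored data). All names here (ROLE_PERMISSIONS, API_DATA, IdM, BusinessApi, DeviceBusinessSide, offboard) are assumptions made for the example.

```python
"""Role-based authorization and access revocation for a MAM-provisioned app.

Added example, not code from the slides. Every class, function and constant
name is an assumption; the role map and API data are constructed samples.
"""
import base64
import hashlib
import hmac
import itertools
import json
import time

# Constructed role map: which roles may read which API resource.
ROLE_PERMISSIONS = {
    "/customers": {"sales", "support"},
    "/payroll": {"hr"},
}

# Constructed sample data served by the business API.
API_DATA = {
    "/customers": ["ACME Corp", "Globex"],
    "/payroll": ["bob: 1234.00"],
}


class IdM:
    """Enterprise identity provider: issues and validates signed bearer tokens."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._ids = itertools.count(1)
        self._issued = {}            # user -> set of token ids still honoured

    def issue_token(self, user: str, role: str, ttl: int = 3600, now=None) -> str:
        now = time.time() if now is None else now
        claims = {"sub": user, "role": role, "exp": now + ttl,
                  "jti": str(next(self._ids))}
        self._issued.setdefault(user, set()).add(claims["jti"])
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate(self, token: str, now=None):
        """Return the claims if the token is genuine, unexpired and not revoked, else None."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                      # tampered token or signature
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= now:
            return None                      # expired: client must re-authenticate
        if claims["jti"] not in self._issued.get(claims["sub"], set()):
            return None                      # revoked by the IdM
        return claims

    def revoke_all(self, user: str) -> None:
        """Stop honouring every token issued to this user."""
        self._issued.pop(user, None)


class BusinessApi:
    """Cloud API that authorizes each call from the token's role claim."""

    def __init__(self, idm: IdM):
        self._idm = idm

    def get(self, path: str, token: str, now=None):
        claims = self._idm.validate(token, now)
        if claims is None:
            return 401, None                 # not authenticated
        if claims["role"] not in ROLE_PERMISSIONS.get(path, set()):
            return 403, None                 # authenticated, but role not allowed
        return 200, API_DATA[path]


class DeviceBusinessSide:
    """The managed 'half' of the phone: cached business data the MAM agent can wipe."""

    def __init__(self):
        self.cache = {}

    def fetch(self, api: BusinessApi, path: str, token: str, now=None):
        status, data = api.get(path, token, now)
        if status == 200:
            self.cache[path] = data          # stored data, wiped on offboarding
        return status

    def wipe(self) -> None:
        self.cache.clear()


def offboard(idm: IdM, device: DeviceBusinessSide, user: str) -> None:
    """Remove access to fresh data (revoke tokens) and stored data (wipe device cache)."""
    idm.revoke_all(user)
    device.wipe()
```

The token format is a deliberately minimal stand-in for the OAuth tokens the later slides mention; the point is that the API never consults a role directory per call, it trusts the signed claim, and that revocation at the IdM and a wipe at the device are separate steps that must both happen.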
31. Why standards?
• Framework implies interplay between
  – Enterprise IdM
  – MAM architecture
    • MAM servers
    • MAM agent
  – Applications
    • On-prem
    • SaaS
32. Enterprise Components
[Diagram: Enterprise with a MAM server and SaaS 1 / SaaS 2 providers; Device with a MAM agent and a Browser connecting to SaaS1 and SaaS2]
33. Standards
• SCIM (System for Cross-Domain Identity Management) to provision identities as necessary to MAM and SaaS providers
• SAML (Security Assertion Markup Language) to bridge enterprise identity to MAM and SaaS providers
• OAuth to authorize MAM agents, and SaaS native apps
34. Enterprise Components
[Diagram: the components of slide 32, with SCIM from the Enterprise to the MAM server and to SaaS 1 / SaaS 2, SAML from the Enterprise to the MAM server and the SaaS providers, and OAuth between the Device (MAM agent, Browser) and the MAM server and SaaS providers]
35. Bob 'pursuing other ventures'
[Diagram: the same components; the Enterprise sends SCIM (delete) to the MAM server and to SaaS 1 / SaaS 2, and the MAM server sends 'wipe' to the MAM agent on the Device]
36. Bob 'loses phone in cab'
[Diagram: the same components; the Enterprise sends SCIM (status=0) to the MAM server and to SaaS 1 / SaaS 2, and the MAM server sends LOCK=Y to the MAM agent on the Device]
41. Summary
1. Divide device & leave employee personal data alone
2. Provision apps via MAM based on employee identity & roles into employee 'side'
3. Provision tokens to those apps via IdM based on employee identity & roles
4. Apps use tokens on API calls to corresponding Cloud
Editor's Notes
Managing the device is misguided – CISOs do not lose sleep over the loss of devices, but rather ……