ibm endpoint manager - executive overview
DESCRIPTION
An executive overview of IBM Endpoint Manager (IEM)
TRANSCRIPT
1 1
Darryl Miles Client Technical Professional @vtdarryl
Overview of IBM Endpoint Manager Webinars – July to October 2013
2 2
Presentation Overview
• Overview of IBM Endpoint Manager
– Patch Management
– Software Usage Analysis
– Mobile Device Management
• IBM’s Internal Experience deploying IEM
• Case Studies
• Summary
3
Today’s leading organizations are dealing with powerful new technology forces
BYOD: BYOD users expected to double by 2014 to 350 million
Security: 13 billion security events monitored per day
Data: 1.2 trillion gigabytes (1.2 zettabytes) in the digital universe
Mobility: Nearly ½ of devices accessing applications will be mobile
4
IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent
Endpoints
• Common management agent
• Unified management console
• Common infrastructure
• Single server
IBM Endpoint Manager
Patch Management
Lifecycle Management
Software Use Analysis
Power Management
Mobile Devices
Security and Compliance
Core Protection
Desktop / laptop / server endpoint Mobile Purpose specific
Systems Management Security Management
Server Automation
5
Why IBM Endpoint Manager?
• Concord Hospital achieves 98% first-pass success in hours on their Microsoft and 3rd party patches
• Hutchinson Builders can now easily track the software installed and running on computers across the company’s 16 offices and up to 160 construction sites
• Bendigo Bank expects to save $175,000 off its power bill within 12 months and avoid 2190 tonnes of carbon emissions
• IBM has deployed Endpoint Manager to over 700,000 endpoints on three servers. Expects to save over $10M in Year 1
• Over 13,000 mobile devices enrolled in 72 hours!
6
Single Server & Console • Highly secure, highly scalable • Aggregates data, analyzes & reports • Pushes out pre-defined/custom policies
Cloud-based Content Delivery • Highly extensible • Automatic, on-demand functionality
Single Intelligent Agent • Performs multiple functions • Continuous self-assessment & policy enforcement • Minimal system impact (< 2% CPU)
Lightweight, Robust Infrastructure • Use existing systems as Relays • Built-in redundancy • Support/secure roaming endpoints
How it Works
7
Patch Management
• IBM Cloud content delivery service (operating systems and 3rd party applications)
• Patch capabilities for multiple platforms: Windows, Mac OS X, Linux and UNIX
• Intelligent agent
• Reduction in patch and update times from weeks and days to hours and minutes
• Increase first-pass success rates from 60-75% to 95-99+%
• Real-time reporting
• Automated self-assessment, no centralised or remote scanning required
Benefits: Services:
"We compressed our patch process from 6 weeks to 4 hours" "We consolidated eight tools/infrastructures to one" "We reduced our endpoint support issues by 78%" "We freed up tens of admins to work on higher value projects"
8
Overview of Patch Management
Patch Management Video (6:33) Local Video File (6:33)
Start with the Patch Management domain
The patches dashboard provides a real-time view of Windows patch requirements across your environment
See any New Content here
Application vendor patches
• Adobe Acrobat • Adobe Reader • Apple iTunes • Apple QuickTime • Adobe Flash Player • Adobe Shockwave Player • Mozilla Firefox • RealPlayer • Skype • Oracle Java Runtime Environment • WinAmp • WinZip
…and operating system patches
9
Patch Management for Windows now supports non-security updates, specifically critical updates and service packs for the Microsoft Windows product family
10
• For Windows Servers and PCs
• Unix/Linux Servers
• Software Asset Discovery
• Software Use Metering
• Software Use Reporting
• Near real time software inventory
• Near real time software usage reporting
• Search, browse, and edit the Endpoint Manager software identification catalogue, which contains over 105,000 signatures out of the box
• Periodic catalogue updates are released regularly
• Easily customize the software identification catalogue to include tracking of home-grown and proprietary applications
Benefits: Services:
Software Usage Analysis
Software publishers
5000+
Application signatures out of the box
105,000+
11 11
Software Usage Analysis (13:58) Local Video File (13:58)
Software Usage Analysis
12
• Providing enterprise-wide visibility (eg. device details, apps installed, device location)
• Ensuring data security and compliance
• Device configuration
• Support devices on the Apple iOS, Google Android, Microsoft Windows Phone, Blackberry, Nokia Symbian
• Address business and technology issues of security, complexity and bring your own device (BYOD) in mobile environments
• Manage enterprise and personal data separately with capabilities such as selective wipe
• Leverage a single infrastructure to manage all enterprise devices: smartphones, tablets, desktops, laptops and servers
Benefits: Services:
Apple iOS Google Android
“IBM's MDM capability is very complementary to that of PCs, and it is one of the few vendors in this Magic Quadrant that can support PCs and mobile devices”
Gartner, MQ for Mobile Device Management Software, 2012
Mobile Device Management
Windows Phone Blackberry
Nokia Symbian Windows Mobile
13
Security & Management Challenges
§ Potential unauthorized access (lost, stolen)
§ Disabled encryption
§ Insecure devices connecting to network
§ Corporate data leakage
13
• Mail / Calendar / Contacts • Access (VPN / WiFi) • Apps (app store) • Enterprise Apps
iCloud
iCloud Sync
iTunes Sync
Encryption not enforced
End User
VPN / WiFi Corporate Network Access
Managing Mobile Devices – The Problem
14
iCloud
iCloud Sync
iTunes Sync
End User
VPN / WiFi Corporate Network Access
• Personal Mail / Calendar • Personal Apps
Corporate Profile • Enterprise Mail / Calendar • Enterprise Access (VPN/WiFi) • Enterprise Apps (App store or Custom)
Secured by BigFix policy
Encryption Enabled
Endpoint Manager for Mobile Devices
§ Enable password policies
§ Enable device encryption
§ Force encrypted backup
§ Disable iCloud sync
§ Access to corporate email, apps, VPN, WiFi contingent on policy compliance!
§ Selectively wipe corporate data if employee leaves company
§ Fully wipe if lost or stolen
Managing Mobile Devices – The Solution
15
What’s New in Endpoint Manager for Mobile Devices
• Integration with Enterproid’s Divide container technologies for iOS and Android
• Web-based administration console for performing basic device management tasks with role-based access control
• Integration with BlackBerry Enterprise Server for integrated support of BlackBerry v4 – v7 devices
• Enhanced security with support for FIPS 140-2 encryption and bi-directional encryption of communications with Android agent
• Additional Samsung SAFE APIs for expanded management and security of SAFE devices
• SmartCloud Notes & Notes Traveler 9.0 support, including cloud and high-availability versions
IBM Endpoint Manager’s cloud-based content delivery system enables customers to benefit from frequent feature enhancements without the difficulty of performing upgrades
16
Implement BYOD With Confidence
• App container. Deploy, manage, configure, and remove Enterproid Divide containers to separate personal and work environments on iOS and Android devices
• PIM container. Separate personal and corporate email and prevent sensitive data from being copied into other apps with NitroDesk TouchDown integration
• Dual-persona OS. Manage BlackBerry 10 devices, which provide a native user experience to personal and work personas
• Extend BYOD to laptops. IBM Endpoint Manager’s unified device management approach brings together containers, smartphones, tablets, laptops, desktops, and servers under one infrastructure
How do I deal with the business mandate that employees be allowed to "Bring Your Own Device"?
Manage and secure only the apps and data inside the enterprise container, leaving users free to control the personal side of their device with Enterproid Divide.
17
Secure Sensitive Data, Regardless of the Device
• Unified compliance reporting across all devices, including CIS Benchmarks
• Configure security settings such as password policy, encryption, WiFi, iCloud sync
• Full wipe, remote lock, map device location, and clear passcode options if device is lost or stolen
• Blacklist apps and automate alerts, policy response
• Detect jailbroken / rooted devices to notify users, disable access
• Integrate with mobile VPN and access management tools to ensure only compliant devices are authorized
How do I ensure the security of mobile devices as they access more and more sensitive systems?
Multiple user communication and alert methods, including Google Cloud Messaging (GCM), enable users to be part of the security solution.
18
Minimize Administration Costs
• Multiple authenticated device enrollment options, including LDAP/AD integration
• Employee self-service portal to enable employees to protect personal and enterprise data
• Enterprise app store directs employees to approved apps, includes support for Apple’s Volume Purchase Program (Apple VPP)
• Integration with IBM Worklight for 1-click transfer of internally-developed mobile apps from dev to production
• A ‘single device view’ enables IT personnel to easily view device details and take required action
How do I cost-effectively manage the sheer volume of these tiny devices with average replacement rates of 12-18 months?
A flexible enrollment process enables organizations to include a EULA and to collect critical device and employee data via customizable questions
19
Apple iOS Google Android
IEM approach for Mobile Device Management
Nokia Symbian Windows Phone
Blackberry Nokia Symbian
Windows Mobile
• Advanced management on iOS through Apple’s MDM APIs
• Agent based management / server communication • iOS • Android • Windows Phone
• Email-based management through Exchange (ActiveSync) and Lotus Traveler (IBMSync)
• iOS • Android • Windows Phone • Windows Mobile • Symbian
• Symbian • BlackBerry OS 10 • BlackBerry Playbook
20
MDM Functionality Overview
Category: Endpoint Manager Capabilities
• Platform Support: Apple iOS, Google Android, Windows Phone, Blackberry, Symbian, Windows Mobile
• Management Actions: Selective/full wipe, deny email access, remote lock, user notification, clear passcode
• Application Management: Application inventory, enterprise app store, iOS WebClips, whitelisting/blacklisting
• Policy and Security Management: Password policies, Samsung SAFE, device encryption, jailbreak/root detection
• Location Services: Track devices and locate on map
• Enterprise Access Management: Configuration of Email, VPN, Wi-Fi, Authenticated Enrollment, Self Service Portal
• Expense Management: Enable/disable voice and data roaming
• Cloud Email Device Management: Office 365 support
• Containerisation: Nitrodesk Touchdown (Android), Enterproid Divide, Red Bend
21
Fast and cost-effective development, integration and management of rich, cross-platform mobile applications
Client Challenge
Key Capabilities
Using standards-based technologies and tools and delivering an enterprise-grade services layer that meets the needs of mobile employees and customers
Mobile optimised middleware • Open approach to 3rd-party integration • Mix native and HTML • Strong authentication framework • Encrypted offline availability • Enterprise back-end connectivity • Unified push notifications • Data collection for analytics • Direct updates and remote disablement • Packaged runtime skins
Delivering for multiple mobile platforms IBM Worklight
Encrypted cache on-device
• A mechanism for storing sensitive data on the client side
• Encrypted - like a security deposit box
22
Publish applications to your mobile devices directly from Worklight
Endpoint Manager customers can directly import and distribute Worklight-built apps via Enterprise App Store, thereby improving workflow between Development and Operations
1 Build app in Worklight
2 Import into Endpoint Manager App Store
3 Distribute App to Employees
23
An Evaluators Guide is available for MDM
24
IBM’s experience using IBM Endpoint Manager
• Before: Patch availability typically 3-14+ days. After: Patch availability within 24 hours
• Before: 92% compliance within 5 days (ACPM only). After: 98% within 48 hours
• Before: EZUpdate sometimes misses application of patches on required machines. After: Detected about 35% of participants missing at least one previous patch
• Before: Compliance model, completely reliant on user. After: 90% of Windows requirements can be automatically remediated
• Before: Exceptions at machine level. After: Exceptions at setting level
IBM gained real-time visibility into endpoints, and automatically remediates issues across over 500,000 endpoints and supports multiple policies based on employee role and data access
Reference - http://ibm.co/Ikm5xR
25
Summary
• IBM Endpoint Manager enables unified management of all enterprise devices – desktops, laptops, servers, smartphones, and tablets
• Real-time/proactive endpoint management: Patch management, anti-virus/malware, power management and device location information
• Continuous compliance reduces costs and risk
• Power management
• Management of assets