ranbijay kumar - blackberry jam americas 2013

Secure Work Space Apps Deep Dive for iOS and Android Ranbijay Kumar May 16th, 2013


Post on 21-Jan-2017


Agenda

• Secure Work Space – What Is It?
• BlackBerry Balance Comparison
• Secure Work Space – Developer Insights
• What Is Required?
• Container Demo
• Resources
• Q&A

Secure Work Space – What Is It?

Screen shots are conceptual renderings only.

Secure Work Space – Overview

• A device work space where applications are secured
  • Integrated Email, Calendar, Contacts, Notes* and Tasks*
  • Secure Browser
  • Secure attachment viewing and editing
  • Ability to secure enterprise applications
• A separation of work and personal data that is secured and controlled
  • Authentication is required
  • Data is saved to the secure file system as work data
  • Work data cannot be shared outside the secure work space
  • Cut / copy / paste is only allowed within the secured work space
  • Personal applications cannot access work data

*iOS only

Secure Work Space – Secure Connectivity

• Provides an AES 256-bit secure connection between the Secure Workspace and corporate network via BlackBerry Enterprise Service 10
• All apps provided in the Secure Work Space will use this secure connection, including securely wrapped enterprise applications
• Does not require a 3rd party VPN for Secure Workspace apps
• Uses the port 3101 already configured for communication between BES and BlackBerry smartphones
• Robust Connection for Anything and Everything!
• Out-of-the-box connection behind the firewall
• Secure
• Managed
• Browse behind the firewall
• Immediate access to Web-based Enterprise Tools
• Provides deployed apps with a connection to internal servers
• Complete solution for your mobile future

Secure Work Space – Architecture

Screen shots are conceptual renderings only.

[Architecture diagram. Labels: iOS/Android; Secure Work Space; BlackBerry Infrastructure; BlackBerry Device Service; Application Server(s); BlackBerry Protocol, 256 AES Encryption; ActiveSync; Port 443; Port 3101]

Secure Work Space – Secure Browser

Enterprise Grade Browser
• Supports cookies, bookmarks, tabbed viewing, saved passwords and content caching
• Supports HTML5 and TLS/SSL

Securely integrated into the user's workflow
• Files/images are downloaded only to the secure work space
• Open web pages in the secured browser
• Prevent copy/paste to personal applications

Secure Work Space – Document Editing and Viewing

• Fully featured document viewing and editing solution
• Support for various document types and file formats
• Used to open/edit documents in Secure Work Space

BlackBerry Balance Comparison

Secure Work Space for iOS and Android
• Separate and Secure
  • Work Inbox
  • Work Calendar
  • Work Contacts
  • Work Browser
  • Securely wrapped Enterprise Apps
• Complete separation of work and personal data at the UI
• Only enterprise owned applications can be secured*

BlackBerry Balance
• Unified and Secure
  • Unified inbox
  • Unified Calendar
  • Unified Contacts
• Flexible separation of data based on organization specific requirements
• Apps from BlackBerry World and enterprise owned apps can be secured

• Managed by BlackBerry Enterprise Service 10
• Security measures can apply against work data only
• All devices supported by BlackBerry Secure Connectivity
• Data secured at rest and in transit

*Dependent on application distribution rights

BlackBerry Balance Comparison

BlackBerry Enterprise Service 10 Application Deployment

Secure Work Space for iOS/Android App Store
• Secure delivery of company hosted apps
  - With secure connectivity
• Mandatory Applications
  - Compliance based
• Optional Applications
  - User Self-Service
• Delivery of third-party apps outside container

BlackBerry World for Work
• Secure delivery of company hosted apps
• Optional
  - Self-Service user installation
• Mandatory applications
  - Silently installed on end user devices
• Secure delivery of BlackBerry World apps
  - Self-Service user installation

Secure Work Space

Developer Insights

Container Approach – Comparison

Embedding of SDK
• Additional development effort
• Risk: Potential for error integrating the SDK
• Decision on whether app can be securely deployed during app development

Application Wrapping
• No source code modification required
  • Saving effort
  • Preventing error
• Decision on whether app can be securely deployed with MDM Admin

Container Approach – Comparison Method Chosen


Application Wrapping – Traditional Application Architecture

[Diagram, Unwrapped App. Labels: App; System APIs; OS]

• Create application
• Interact with APIs and available OS entry points
• Manage all security for data at rest

Application Wrapping – Under the Covers

[Diagram, Unwrapped App beside Wrapped App. Unwrapped App labels: App; System APIs; OS. Wrapped App labels: App; Wrapping (License/lock/policy validation, basic accounting; Secure file I/O, copy & paste, network accounting); System APIs; OS]

• Secure wrapping manages interaction with system APIs
  • Compliance
  • Authentication
  • Application level controls
  • Network
• Data encryption using AES 256 for data-at-rest

Application Wrapping – High Level Process Look

[Process diagram. Labels: BlackBerry Enterprise Service 10, Customer A; BlackBerry Secure Connectivity; Work Space Management; RIM Cloud; Customer 1, Customer 2, Customer 3, ...]

1. App sent to Secure service
2. App is wrapped and returned to BES10
3. Work Space enabled app provided to mobile dev team for signing
4. Signed App uploaded to BES 10

Legend:
• App before Secure Work Space Process
• App after Secure Work Space Process
• App after Secure Work Space Process and Signing
• iOS Distribution/Android signing Cert for customer

Application Wrapping – How It All Works

[Process diagram. Labels: BlackBerry Enterprise Service 10, Customer A; Work Space Management; RIM Cloud; Customer 1, Customer 2, Customer 3, ...]

1. App sent to Secure service
2. App is wrapped and returned to BES10
3. Work Space enabled app provided to mobile dev team for signing
4. Signed App uploaded to BES 10
5. Signed app deployed to device

Legend:
• App before Secure Work Space Process
• App after Secure Work Space Process
• App after Secure Work Space Process and Signing
• iOS Distribution/Android signing Cert for customer

What Is Required?

BlackBerry Enterprise Service 10 (10.0) – iOS and Android Management

[Network diagram. Labels: Customer Network; Internet; BES 10; BlackBerry Data Center; APNs; Enterprise Application Servers; VPN; AES 256 Encrypted Tunnel; ports 3101, 443, 443, 2195]

BlackBerry Enterprise Service 10 – iOS and Android Management With Secure Work Space

[Network diagram. Labels: Customer Network; Internet; BES 10; BlackBerry Data Center; APNs; C2DM; MS Exchange / IBM Traveler; Enterprise Application Servers; AES 256 Encrypted Tunnel; ports 3101, 443]

Developer Input Application – Obviously

Application that is working and packaged (.ipa or .apk)

Administrative Cooperation – Wrapping the Application

• The Administrator uploads your application to start the secure app process
• Rebuilding applications is not required

Administrative Cooperation – Wrapping the Application (cont.)

• Wait for the process to secure the app to finish

Administrative Cooperation – Process Review

[Process diagram repeated: steps 1 to 4 of the wrapping process, from "App sent to Secure service" through "App is wrapped and returned to BES10" and "Work Space enabled app provided to mobile dev team for signing" to "Signed App uploaded to BES 10"]

Administrative Cooperation – Downloading the Wrapped App

• Administrator downloads the wrapped app and provides to the development team for final signing

Developer Input – Again: Android Application – Resigning

• Applications need to be signed with a certificate to run on the device (certificate requirements for Android not very strict)
• Signing involves running a few commands
• App developers typically familiar with the procedure
• At the end of process you have an .apk file, which can be distributed OTA
• More info: http://developer.android.com/tools/publishing/app-signing.html#signapp

Developer Input – Again: iOS Application – Resigning

• Applications need to be signed to run on an iOS device
• In-house apps are signed using the distribution certificate for the Apple Enterprise Developer Program
• Signing involves running a few commands on a Mac (tool codesign)
• At the end of the process you have an .ipa file, which can be distributed OTA

Administrative Cooperation – Last One: Creating Access to Application

• Administrator adds wrapped and signed app to the Software Configuration
• The Software config is assigned to a user or group
• The application is deployed to the Enterprise App Store on the device
• The user clicks install

Container Demo

Resources

BlackBerry Live Sessions:
• BPD06 – Understanding Secure Work Space for iOS and Android Devices
• BPD04 – Understanding Multi-platform Management
• BPD11 – Q&A Panel: Managing iOS and Android Devices
• JAM13 – BlackBerry Enterprise Service 10 Connection Service versus VPN ... Fight!

Websites:
• www.bes10.com

Resources – BlackBerry Partners for Enterprise

Gives you access to:
• Latest news, updates, and exclusive webinars
• Product toolkits containing the latest product collateral
• Creative assets to support your marketing campaigns
• Technical content focused on enterprise applications and solutions
• BlackBerry Enterprise Server and BlackBerry Enterprise Service 10 software (1)
• Latest BlackBerry devices for application testing (2, 3)

For more details and to register, visit us today at https://partners.blackberry.com

(1) Some fees apply
(2) Subject to regional availability
(3) On loan for a fixed period of time

Q&A

THANK YOU
