RFI Template for Enterprise Mobile Device Management

MDM SOLUTION – RFI TEMPLATE

About This RFI Template

A secure mobile device management (MDM) solution is an integral part of any effective enterprise mobility program. Mobile devices are endpoints like any other in the enterprise and require the same level of security as corporate-issued desktops and laptops. Many businesses are also subject to regulatory requirements and compliance standards that drive the need for specific mobile security capabilities. Enterprise mobility is fast-changing, with a crowded field of products from many vendors, and businesses have to choose carefully to pick a solution that addresses not only today's needs but also tomorrow's. Not all MDM solutions are created equal: several products offer only basic asset management for mobile devices, and others support only a limited range of features on some platforms. Very few offer a full complement of capabilities that address enterprise mobile security, availability, and manageability requirements and go beyond device management to address content security and “business-ready” apps. This document provides guidelines on the key requirements an MDM solution should address.

The requirements for MDM solutions are grouped into the following categories:

1. Core MDM capabilities

2. Simplicity of MDM solution for administrators and end-users

3. End-to-end security and compliance

4. Enterprise-grade architecture

5. Best-in-class support, services and training

© 2012 Zenprise, Inc. 2 MDM SOLUTION – RFI TEMPLATE

1 Core MDM Capabilities

1.1 Delivery Model:

1.1.1 The solution should provide deployment options that fit the business model and budget: cloud, on-premises, and a hybrid option that combines the cloud solution with back-end integrations with LDAP, PKI, and application servers, as well as subscription licensing options.

1.1.2 Is the identical set of features available in both the on-premises version and the cloud version?

1.1.3 What are the SLAs for the cloud delivery model?

1.1.4 Does the cloud or hosted solution use shared database instances for customer data or dedicated database instances? Have customers experienced data-corruption issues?

1.1.5 What is the longest outage that customers have experienced with the cloud solution? What was it due to?

1.2 Integration with Systems and Services:

Solution must offer out-of-the-box integration with enterprise infrastructure.

1.2.1 How does the solution integrate with Active Directory / LDAP?

1.2.2 How does integration with Microsoft® Exchange Server / ActiveSync work for securing access to corporate email/calendar? How are non-compliant devices blocked from accessing email/calendar?

1.2.3 Explain how the solution provides functionality over and above what is available with Microsoft Exchange™ ActiveSync (EAS) policies, e.g., direct integration with the mobile OS MDM APIs rather than relying only on ActiveSync policies.

1.2.4 Can the solution integrate with PKI / certificate systems for access to common services and for two-factor authentication and single sign-on?

1.2.5 Can the solution integrate with security information and event management (SIEM) systems like ArcSight, Splunk, or enVision for advanced correlation, reporting, and incident forensic analysis?

1.3 Provisioning:

1.3.1 Explain the provisioning process for devices on different platforms – iOS™, Android™, Symbian™, and Windows Mobile™. Is the enrollment process similar or are there platform-specific variations?

1.3.2 Explain how the solution provides a secure registration process in which users and devices cannot partially register (e.g., register with the Microsoft Exchange server but not with the MDM).

1.3.3 Explain how the solution performs a compliance check pre-enrollment, to ensure that jailbroken, rooted, or otherwise non-compliant devices cannot be enrolled into the system.

1.4 Presence Awareness:

1.4.1 Explain how the solution provides device status, tracking, and monitoring. Does it provide a full software inventory and a range of device statistics?

1.5 Platform Support:

1.5.1 Provide a matrix of platforms and operating systems your service supports. At a minimum the solution should support all of the major mobile OSes – iOS, Android (including devices without Google C2DM push, such as the Amazon Kindle Fire), Windows, and BlackBerry™.

1.5.2 Does the solution support advanced integration with Samsung SAFE-approved devices to provide advanced management and control for these devices?

1.5.3 What is your turnaround time to support new devices after they are launched?

1.5.4 Explain how the solution manages devices remotely per platform and operating system. What remote service and troubleshooting capabilities does it provide? Does it enable device service functions such as chat and remote control?

1.6 Inventory Management:

1.6.1 Explain how the solution captures and stores information about the user, device, user location, compliance, quantity, groups, device type, OS type, etc.

1.6.2 Explain how the solution manages and enforces the number of devices and types of devices per user.

1.6.3 Does the solution support the Apple® Volume Purchase Program (VPP) to enable automated provisioning of volume licenses purchased from the Apple enterprise store?

1.7 Security and Compliance Management:

The MDM solution must have the capability to detect, block/allow, and report on devices that are not compliant with security requirements and policies. It must also enable IT to specify certain device compliance checks prior to enrollment.

1.7.1 How does the solution identify, report, and handle violations from compliance criteria?

1.7.2 Which of the following device compliance checks are available in the system?

• Jail-breaking


• Rooting

• Encryption

• Managed vs. unmanaged

• Policy compliance

• Revoked

• Application blocking

• Software version

• Firmware version

1.7.3 How does selective wiping and full wiping work? Under what conditions can they be triggered?

1.7.4 What kind of information logging and auditing capability is available for compliance audits?

1.7.5 Do you support application deployment to managed devices?

1.7.6 Do you support selective wiping of ActiveSync information?

1.7.7 How do you secure applications and over the air data exchanged with applications?

1.8 Handling of Corporate Liable versus Individually Liable Devices:

1.8.1 How does the solution handle BYOD (bring your own device)? How are new devices supported? Is the system capable of supporting Amazon Kindle Fire devices?

1.8.2 How does the solution identify corporate liable vs. individually liable devices? Does it enable users to self-identify device ownership, or does it keep that in the hands of IT or security professionals?

1.8.3 Does the solution provide a secure container for secure distribution of corporate documents that can be time-expired?

1.9 Reporting:

1.9.1 Provide a list of common reports that are available from the system.

1.9.2 Can the system provide reports by the following parameters?

• By Device Count

• By Device Type

• By User Name and User Count

• By Carriers


• By OSes

• By Inventory

• By Status

• By Location/Region

2 Simplicity for administrators and end-users

IT administrators and security personnel are constantly under pressure to serve their internal customers efficiently. Every new task or activity adds incremental burden that causes costly additions of temporary personnel, resources, training needs or service-level challenges. Explain how the MDM solution addresses the following user experience criteria.

2.1 Deployment:

MDM solutions should ease the IT administrator’s burden by making it simple to deploy policies and match them to user groups and devices.

2.1.1 Does the solution offer a console with a dashboard based view of the MDM deployment? Is the dashboard customizable by administrators?

2.1.2 Can an administrator initiate bulk actions on sets of devices directly from the dashboard view?

2.1.3 Does the console display system alerts like jail-broken or rooted devices, blocked devices, or inactive devices?

2.1.4 Can the administrator initiate enrollment notifications to unmanaged devices from the dashboard view?

2.1.5 Explain the information architecture used to store users, groups, policies and configurations. Can users be associated with multiple groups (e.g., can a user be part of “West Coast”, “Management” and “Sales”, or is it a one-to-one mapping)?

2.1.6 How many steps are required to deploy a new policy?

2.1.7 How does the solution present the set of policy choices available by platform? How does it prevent selecting the wrong policy for a device type (e.g., associating an Android policy with an iOS device)?

2.1.8 Can you change the policy once and have the change reflected everywhere the policy is deployed, or do you have to change it everywhere it’s deployed? As an example, can a passcode policy be changed once and applied across multiple groups or entities?

2.2 Active Directory/LDAP integration:

Having up-to-date information in the MDM system is important for security. The system should allow the setting of policies and rules and the inheritance of policies across groups and users.

2.2.1 Does the solution automatically handle the addition or removal of groups and users based on Active Directory/LDAP changes?

2.2.2 Are changes seamlessly propagated to all intended user groups and devices? For example, if a user is moved between groups in AD does the system change the policies associated with that user in the MDM system without requiring the administrator to do anything?

2.2.3 Is the integration real-time or based on a periodic sync interval? How soon can a change made in the Active Directory system be seen in the MDM administration console?

2.3 Automated Compliance and Reporting Capabilities:

2.3.1 Does the solution support initiating automated actions to deal with compliance violations? For example, can the system mark a device out of compliance or selectively wipe it if a user installs a blacklisted app or jailbreaks the device?

2.3.2 For company-issued devices that must be kept within the facility or premises, is the system capable of geo-fencing devices within a specified perimeter or safe zone?

2.3.3 How will devices that breach the geographic perimeter be handled? Does the system allow setting up actions (audible alarms, selective wipe, or full wipe) to be triggered if a device leaves the perimeter?
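The perimeter check behind 2.3.2 and 2.3.3, as an added worked example written for this page (it is not Zenprise's code and does not describe how any particular product implements geo-fencing): a circular safe zone, a great-circle distance test, and an escalation ladder of the actions listed in 2.3.3. The fence centre, radius, device fixes and the ladder itself are constructed assumptions.

```python
"""Added example (not Zenprise code): circular geo-fence with an escalating action ladder.
Coordinates, radius, accuracy values and the ladder below are constructed assumptions."""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class GeoFence:
    """Circular safe zone; actions escalate on consecutive *confirmed* breaches.

    A fix counts as a breach only when it lies outside the perimeter by more than its own
    reported accuracy radius, so one poor indoor GPS fix cannot by itself trigger a wipe.
    """

    def __init__(self, lat, lon, radius_m, ladder):
        self.lat, self.lon, self.radius_m = lat, lon, radius_m
        self.ladder = ladder        # e.g. ["notify", "audible alarm", "selective wipe", "full wipe"]
        self.strikes = {}           # device id -> consecutive confirmed breaches

    def evaluate(self, device_id, lat, lon, accuracy_m):
        """Return (distance_m, breach, action-or-None) for one location report."""
        d = haversine_m(self.lat, self.lon, lat, lon)
        if d - accuracy_m <= self.radius_m:
            self.strikes[device_id] = 0          # back inside (or not provably outside): reset
            return d, False, None
        n = self.strikes.get(device_id, 0) + 1
        self.strikes[device_id] = n
        return d, True, self.ladder[min(n, len(self.ladder)) - 1]


def demo():
    """Constructed walk for one device: inside, a noisy fix, then three confirmed breaches."""
    fence = GeoFence(37.5000, -122.2500, 200.0,
                     ["notify", "audible alarm", "selective wipe", "full wipe"])
    fixes = [
        (37.5009, -122.2500, 10.0),    # ~100 m north: inside
        (37.5050, -122.2500, 400.0),   # ~556 m north but accuracy 400 m: not a confirmed breach
        (37.5050, -122.2500, 20.0),    # confirmed breach 1 -> notify
        (37.5060, -122.2500, 20.0),    # breach 2 -> audible alarm
        (37.5100, -122.2500, 20.0),    # breach 3 -> selective wipe
    ]
    return [fence.evaluate("DEV-A", *f)[2] for f in fixes]


if __name__ == "__main__":
    print(demo())   # [None, None, 'notify', 'audible alarm', 'selective wipe']
```

Subtracting the reported accuracy before comparing against the radius, and escalating only on consecutive confirmed breaches, is the debouncing a vendor's answer to 2.3.3 should describe: the destructive actions at the end of the ladder must not be reachable from a single bad fix.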

2.3.4 Explain how the MDM solution supports generating reports to analyze data, performance and compliance reporting.

2.4 Notifications

2.4.1 Does the solution allow administrators to trigger automatic notifications based upon certain conditions or ad-hoc notifications to communicate with end-users?

2.4.2 Can the administrator select a group of devices to send a notification to?

2.5 Mix and match mobile configuration resources:

One of the ways that MDM solutions can reduce the time and effort for administrative tasks is by allowing the reuse of policies and profiles among groups.

2.5.1 Does the system allow administrators to create a policy once and deploy it across many groups?

2.5.2 Can users derive policies from two or more groups without the need to create a third combined group?


2.6 Enrollment and ease-of-use for end users:

The end user on-boarding experience must be simple for any enterprise mobility solution to work and to be adopted by employees. The solution must cause minimal support impact to IT administrators.

2.6.1 Is the end user on-boarding experience consistent across devices? Does enrollment of some device types require special considerations?

2.6.2 IT administrators and help desk personnel have found that support calls tend to be the highest during enrollment. Does the system simplify enrollment for users and reduce support calls by auto-discovering the MDM server during enrollment?

2.6.3 Can administrators set up one-time passcodes to simplify enrollment?

2.6.4 Can administrators ?

2.6.5 Does Android enrollment require users to create a new Google® account?

2.6.6 Do administrators have to pre-register a user’s device in the system before the user is allowed to enroll the device?

2.6.7 Many users prefer not to turn on location services because they drain the device battery, and many international offices cannot require users to turn on location services. Do users have to turn on location services on their devices in order to enroll?

3 End-to-end security and continuous compliance

Enterprise MDM solutions typically focus on device security. This is necessary but not sufficient. Enterprise mobility deployments, particularly in highly regulated industries subject to compliance standards, need to account for multiple points of vulnerability.

3.1 Always on device compliance checks:

3.1.1 Does the MDM system check device compliance before the devices attempt to enroll? Can jailbroken devices enroll before being blocked?

3.1.2 Do administrators have a choice of enforcement actions: prevent enrollment, allow enrollment but block access, or allow enrollment?

3.1.3 Does the MDM system block devices with blacklisted applications?

3.1.4 Do automated compliance checks require the administrator to turn on location based services?

3.1.5 Explain how the solution goes beyond just device level security to address security for apps, the network, and data.


3.1.6 How does the solution provide upfront and ongoing assurance that devices are compliant with corporate and regulatory policies?
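The compliance model that 1.7.2, 2.3.1 and 3.1.2 ask about (a set of per-device checks, an administrator-chosen enforcement level, and automated responses such as a selective wipe) as one worked example. This is an added illustration written for this page, not Zenprise's product code; the device records, field names, version floors and app blacklist are constructed assumptions.

```python
"""Added example (not Zenprise code): a small compliance-policy engine applying the
checks listed in 1.7.2, the enforcement choices of 3.1.2 and the automated responses
of 2.3.1.  Device records and field names are constructed, not a real MDM schema."""
from dataclasses import dataclass, field
from enum import Enum


class Enforcement(Enum):
    """Administrator's choice (3.1.2) for devices that fail a check."""
    PREVENT_ENROLLMENT = 1   # non-compliant device may not enroll at all
    ALLOW_BUT_BLOCK = 2      # enroll (so it is inventoried) but block email/resources
    ALLOW = 3                # enroll and allow; report only


@dataclass
class Policy:
    min_os: dict                           # platform -> minimum OS version string
    blacklist: set = field(default_factory=set)
    require_encryption: bool = True
    enforcement: Enforcement = Enforcement.ALLOW_BUT_BLOCK
    wipe_on_jailbreak: bool = True         # 2.3.1 / 3.2.3: automated selective wipe


def version_tuple(v):
    """'5.1.1' -> (5, 1, 1); string comparison would wrongly rank '10.0' below '9.0'."""
    return tuple(int(p) for p in v.split("."))


def violations(device, policy):
    """Names of the 1.7.2 checks this device fails, in evaluation order."""
    found = []
    if device["jailbroken"]:
        found.append("jail-breaking" if device["platform"] == "iOS" else "rooting")
    if policy.require_encryption and not device["encrypted"]:
        found.append("encryption")
    if not device["mdm_profile_present"]:
        found.append("managed vs. unmanaged")   # profile removed but EAS partnership kept
    if set(device["apps"]) & policy.blacklist:
        found.append("application blocking")
    floor = policy.min_os.get(device["platform"])
    if floor and version_tuple(device["os_version"]) < version_tuple(floor):
        found.append("software version")
    return found


def decide(device, policy):
    """Turn violations into an enroll/email decision plus automated actions."""
    found = violations(device, policy)
    if not found:
        return {"violations": [], "enroll": True, "email": True, "actions": []}
    actions = ["mark non-compliant"]
    if policy.wipe_on_jailbreak and any(v in ("jail-breaking", "rooting") for v in found):
        actions.append("selective wipe")        # corporate container only; personal data untouched
    enroll = policy.enforcement is not Enforcement.PREVENT_ENROLLMENT
    email = policy.enforcement is Enforcement.ALLOW
    return {"violations": found, "enroll": enroll, "email": email, "actions": actions}


POLICY = Policy(min_os={"iOS": "5.1", "Android": "4.0"}, blacklist={"Cydia", "Superuser"})

SAMPLE_DEVICES = [   # constructed inventory records
    {"id": "DEV-A", "platform": "iOS", "os_version": "5.1.1", "jailbroken": False,
     "encrypted": True, "mdm_profile_present": True, "apps": ["Mail", "Safari"]},
    {"id": "DEV-B", "platform": "iOS", "os_version": "5.0.1", "jailbroken": True,
     "encrypted": True, "mdm_profile_present": True, "apps": ["Cydia", "Mail"]},
    {"id": "DEV-C", "platform": "Android", "os_version": "2.3.6", "jailbroken": False,
     "encrypted": False, "mdm_profile_present": True, "apps": ["Gmail"]},
]


def evaluate_fleet(devices=SAMPLE_DEVICES, policy=POLICY):
    return {d["id"]: decide(d, policy) for d in devices}


if __name__ == "__main__":
    for dev_id, result in evaluate_fleet().items():
        print(dev_id, result)
```

The version comparison is the detail worth probing when a vendor claims a "software version" check: 5.0.1 must sort below 5.1 and 10.0 above 9.0, which a plain string compare gets wrong. The engine also keeps enrollment and email access as separate decisions, which is what makes the "allow enrollment but block" option of 3.1.2 possible.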

3.2 Mobile Data Leakage Prevention (mobile DLP):

When it comes to data, mobile devices are similar to other endpoints in the enterprise. Increasingly, employees use them to access sensitive corporate data. The ability to distribute documents securely and easily to users, and to prevent leakage of sensitive corporate data, is a critical capability for the MDM solution.

3.2.1 Explain the mobile DLP capabilities of the MDM system with respect to data security and other regulatory compliance needs.

3.2.2 Does the MDM system provide a secure encrypted container on the devices for corporate documents?

3.2.3 Can it perform a selective wipe of corporate documents and an automated wipe upon jail-break detection?

3.2.4 Can the system prevent the data from being emailed, printed, copied/pasted, or locally saved to prevent data leakage?

3.2.5 Can data be marked for time-based expiration and automatic wipe after the defined expiration?

3.2.6 Does the system allow automated data synchronization with the server with the ability to block such synchronization over cellular networks to prevent data overages?

3.3 Mobile App Security and Optimization:

Mobile apps are already, or will soon be, key components of most enterprise mobility strategies. The ability to control and secure apps, and to protect against malicious, risky, or non-compliant mobile apps, is an important app-level security requirement.

3.3.1 Does the MDM system allow blacklisting and whitelisting of apps?

3.3.2 Does the system restrict the type of apps that can be installed or run?

3.3.3 Can the system control device resources on Android devices? Can the system prevent a user from opening a blacklisted application on their Android device?

3.3.4 Does the solution offer the ability to lock or kill apps upon being launched on the device?

3.3.5 Does the solution enable IT to grant access to apps on a granular, app-by-app basis?

3.3.6 Does the system encrypt data at rest as well as data in transit?

3.3.7 Does the system also provide encryption and compression of app traffic?

3.4 Mobile Security Intelligence:


Mobile administrators must have the ability to analyze and identify mobile threats by correlating security events from multiple sources.

3.4.1 Does the MDM system offer integration with SIEM systems (e.g., Splunk®, ArcSight™, etc.) for advanced analysis of threats and security events?
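What the SIEM integration asked for in 1.2.5 and 3.4.1 looks like in practice, as an added example written for this page (not Zenprise's template or product code): MDM compliance events serialised in ArcSight's Common Event Format (CEF), parsed back, and run through one correlation rule that ties them to the email blocking question in 1.2.2: an ActiveSync sync reported as allowed after the same device was reported jailbroken, and before it was reported compliant again, means the block is not holding. The event stream, the vendor/product strings, the signature IDs and the extension keys (deviceId, suser, outcome, act, msg) are constructed assumptions.

```python
"""Added example (not Zenprise code): MDM compliance events as ArcSight CEF lines,
parsed back and correlated with one rule.  Events, vendor/product strings, signature
IDs and extension keys are constructed assumptions."""
import re

# Constructed signature IDs: jailbreak/root detected, device compliant again, ActiveSync sync
JAILBREAK, REMEDIATED, EAS_SYNC = "MDM-101", "MDM-102", "MDM-201"


def _esc_header(s):
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(sig_id, name, severity, rt_ms, **ext):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    head = "|".join(_esc_header(str(x)) for x in
                    ("ExampleMDM", "Compliance", "1.0", sig_id, name, severity))
    ext = {"rt": rt_ms, **ext}      # rt = receipt time, epoch milliseconds
    return "CEF:0|" + head + "|" + " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())


_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # an unescaped key= at a token boundary


def _unescape(s):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)


def parse_cef(line):
    """Split six header fields on unescaped '|', then the extension on key= boundaries."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 record")
    rest, fields, cur, i = line[6:], [], [], 0
    while i < len(rest) and len(fields) < 6:
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):      # \| and \\ inside a header field
            cur.append(rest[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 6:
        raise ValueError("truncated CEF header")
    ext_raw, ext = rest[i:], {}
    keys = list(_KEY.finditer(ext_raw))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_raw)
        ext[m.group(1)] = _unescape(ext_raw[m.end():end].strip())
    vendor, product, version, sig, name, sev = fields
    return {"vendor": vendor, "product": product, "version": version,
            "sig": sig, "name": name, "severity": int(sev), "ext": ext}


def correlate(lines, window_ms=3_600_000):
    """Alert on an *allowed* EAS sync within window_ms after a jailbreak report for the
    same device, unless the device was reported compliant again in between."""
    events = sorted((parse_cef(l) for l in lines), key=lambda e: int(e["ext"]["rt"]))
    jailbroken_at, alerts = {}, []
    for e in events:
        dev, t = e["ext"].get("deviceId"), int(e["ext"]["rt"])
        if e["sig"] == JAILBREAK:
            jailbroken_at[dev] = t
        elif e["sig"] == REMEDIATED:
            jailbroken_at.pop(dev, None)
        elif e["sig"] == EAS_SYNC and e["ext"].get("outcome") == "allowed":
            if dev in jailbroken_at and t - jailbroken_at[dev] <= window_ms:
                alerts.append((dev, e["ext"].get("suser"), t - jailbroken_at[dev]))
    return alerts


T0 = 1_336_986_000_000   # constructed epoch-ms base time
SAMPLE_LINES = [         # constructed event stream
    to_cef(EAS_SYNC, "ActiveSync sync", 2, T0, deviceId="DEV-A", suser="jdoe", outcome="allowed"),
    to_cef(JAILBREAK, "Jailbreak detected", 8, T0 + 60_000, deviceId="DEV-A", suser="jdoe",
           act="mark non-compliant|selective wipe", msg="path=/Applications/Cydia.app"),
    to_cef(EAS_SYNC, "ActiveSync sync", 2, T0 + 120_000, deviceId="DEV-A", suser="jdoe", outcome="blocked"),
    to_cef(EAS_SYNC, "ActiveSync sync", 2, T0 + 300_000, deviceId="DEV-A", suser="jdoe", outcome="allowed"),
    to_cef(JAILBREAK, "Root detected", 8, T0, deviceId="DEV-B", suser="asmith"),
    to_cef(REMEDIATED, "Device compliant", 1, T0 + 30_000, deviceId="DEV-B", suser="asmith"),
    to_cef(EAS_SYNC, "ActiveSync sync", 2, T0 + 90_000, deviceId="DEV-B", suser="asmith", outcome="allowed"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print("alerts:", correlate(SAMPLE_LINES))   # [('DEV-A', 'jdoe', 240000)]
```

The rule catches a control gap rather than an attacker: if the MDM tells the SIEM a device is jailbroken and Exchange still reports successful syncs from it, the 1.2.2 block is not in effect. Note the escaping asymmetry in CEF, which is where vendor exports tend to break: pipes inside the extension need no escaping (only the header is pipe-delimited), while '=' and backslashes in extension values do.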

3.4.2 Does the system report data on any potential unauthorized accesses or attempts at such access to the corporate network?

4 Enterprise-grade Architecture

The system architecture of the MDM solution can make or break the overall security of the system. The MDM solution must be architected for security from the ground up. The number of ports that need to be opened to the backend infrastructure must be kept to a minimum without compromising the overall usability of the solution. The MDM solution should integrate seamlessly into the existing infrastructure without requiring the network architecture to be rearranged or exposing data in the DMZ.

4.1 Security Architecture:

4.1.1 Introducing the MDM solution should not require changes to the IT security architecture. Explain how the MDM solution is architected with security best practices in mind.

4.1.2 Is any corporate data stored in the DMZ?

4.1.3 Do you require Active Directory data to be replicated to your system and stored in the DMZ or outside the firewall?

4.1.4 How many ports does the MDM solution require to backend infrastructure?

4.1.5 Does the system share databases/instances among customers in cloud deployments? Is there an incremental charge for a dedicated instance?

4.2 High Availability:

A technology failure or interruption shouldn’t take down the mobile management solution or create security holes. The very advantage of mobility and anytime, anywhere access to information would be lost if the system is not architected to handle failures.

4.2.1 Explain how the MDM solution is architected for high availability. How does it handle system failures?

4.2.2 What type of clustering architecture is the system built on?

4.3 Scalability:

4.3.1 Explain how the architecture can address enterprise mobility needs today and scale to keep pace with growth.


4.3.2 Can the MDM solution scale out to thousands of devices? Can it grow with the organization as needs change?

5 Support services and training

Enterprise grade MDM solutions must have world-class support, services and training.

Support must “follow the sun” in that it should be available across all geographies and time zones.

5.1 Customer support

5.1.1 Do you offer global and 24x7x365 “always on” support for P1 issues? Do you offer local language support in my global locations?

5.1.2 Explain your professional services offerings to help deploy the solution quickly and to help get the most out of the solution including application specific customizations.

5.2 Educated and experienced support staff

5.2.1 Explain how you ensure that your support personnel can handle support calls and escalations.

5.3 Services offering

5.3.1 Explain what types of enterprise services are available for turn-key deployments.

5.3.2 Can we receive consulting assistance with evaluating our enterprise mobility deployment and best practices on policies to implement?

5.4 Training programs

5.4.1 Explain the training options that are available for our IT staff and our internal support personnel.

© 2012 Zenprise, Inc. All rights reserved. Zenprise is a registered trademark of Zenprise Inc. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. OT-29-2


Zenprise, Inc. • 1600 Seaport Blvd. Suite 200 • Redwood City, CA 94063 • +1 650 365 1128 • www.zenprise.com
