Kony Write Once, Run Everywhere Mobile Technology

WHITE PAPER July 2012

Mobile Application Management

Meeting the BYOD challenge with next-generation application and device management

White Paper Mobile Application Management

Contents

Overview
The Mobile Application Management Challenge
MAM Functions
MAM Principles
MAM Users
MAM Workflow
Policy Management
Enterprise App Store
Application and Data Security
Analytics & Reporting
Summary

Overview

Chief Information Officers (CIOs) across a variety of industries are today recognizing and grappling with a new and difficult challenge to their ability to secure mission-critical corporate data and applications. This challenge, variously dubbed the Consumerization of IT or the Bring Your Own Device (BYOD) trend, refers to end users’ increasing demands to access corporate resources from their own tablets and other personal devices. As the lines between work and leisure continue to blur, professionals of all types want to be able to review reports, enter data into applications, and access corporate directories from the same devices on which they capture video of their kids’ sports performances. To meet this demand, IT teams must be able to provision, update, manage, analyze, and report on corporate applications without impinging on users’ privacy rights or damaging their personal property. A well-designed Mobile Application Management (MAM) solution enables IT teams to achieve fine-grained control over applications across a range of devices, over every type of network and deployment mode.

The Mobile Application Management Challenge

Traditionally, application management has been part and parcel of IT’s core function, whether across mainframe, minicomputer, client/server, or Web-based application systems. Provisioning, updating, patching, inventorying, monitoring, and retiring applications is most often the province of a centralized IT administrator or admin team, utilizing a variety of application management and security tools, both third-party and custom-developed. With the advent of mobile devices and software, most IT shops have adopted mobile device management (MDM) tools to control and manage company-issued laptops, tablets, and smartphones, ranging from Blackberrys and Windows Mobile phones for knowledge workers to ruggedized phones and tablets for field workers. As their name suggests, MDM tools enable administrators to control these devices at the hardware layer – providing such functions as remote lockdown and wipe for lost or stolen devices, as well as restriction or suspension of device functions such as the camera or barcode scanning.

For company-issued mobile devices, the type of command-and-control management provided by MDM has been sufficient, if sometimes overbearing. However, as IT shops now grapple with Bring Your Own Device (BYOD) strategies, they are increasingly seeking a more finely tuned, nuanced approach that mirrors traditional desktop application management: the new technology that meets this need is Mobile Application Management (MAM) software.

Mobile Application Management (MAM)
Mobile Application Management refers to the ability to manage applications on mobile devices, remotely and from a centralized console. Applications are provisioned to a secure container on the device, from which policies and data storage can be established and controlled. Security procedures such as Single Sign-On and LDAP authentication are handled within a consistent MAM framework.

In many ways, MAM solutions bring together the best of both worlds: the sophisticated and layered approach of desktop application management and security systems with the reach and remote, over-the-air capabilities of MDM systems.

Mobile Device Management (MDM)
Mobile Device Management refers to software that enables IT to control device functions – such as camera, GPS, on-device data stores, and more – on remote mobile devices including smartphones and tablet computers.

MAM Functions

MAM solutions help address the following key points:

- Policy enforcement – Using a centralized administration console, security administrators can extend and enable policies on mobile applications.
- Mobile application delivery – Using an embedded Enterprise App Store and management console, administrators provision apps to remote devices and make them available within an on-device secure container.
- Mobile application security – Administrators use the centralized console to set policies around application access and usage by role and other parameters.
- Mobile application updating – Updates can be managed from the centralized console, and new application versions can be provisioned “over the air” or through scheduled synchronizations.
- User authentication – As with desktop application management systems, MAM solutions use LDAP and other standardized authentication mechanisms to authenticate users.
- User authorization – Users can be authorized for application access and usage based on roles and other parameters such as location.
- Version checking – Administrators can remotely monitor application versions and usage from the centralized console.
- Push services – Managers can push updates and notifications to all remote/mobile users or to subsets as events dictate.
- Reporting and tracking – The MAM solution enables complete reporting and analytics on usage, application issues, user activation, downloads, updates, etc.

A well-designed MAM solution should be able to manage applications built for the following environments:

- Native iOS (Apple)
- Android apps
- Windows Mobile
- Blackberry
- HTML5 apps
- Corporate-developed apps (using Apple Xcode, Microsoft Visual Studio, etc.)
- Third-party-developed apps

MAM solutions enable administrators to add code to mobile apps that uses specific MAM policy APIs. The APIs let the app communicate with the MAM server to enforce policies for that app and/or user, such as restricting usage to particular geographic locations, restricting copy/paste into or out of the app, or deleting on-device data if the user’s permissions are revoked.

The MAM solution allows administrators to monitor activities – such as app access/usage – so that they can then check the current device and application state against the policies. Via the embedded libraries, the app communicates its status and activity back to the server – not entire device status, which may allay concerns from employees, contractors, and business partners over how invasive the device management approach may be.

Importantly, management is embedded in the app, so administrators do not have to manage the device itself. IT teams can therefore extend legitimate application management to a greater number of users than the universe of devices they actually manage.

MAM Principles

Well-designed Mobile Application Management solutions follow a set of guidelines or principles to ensure they meet the needs of corporate IT teams grappling with BYOD challenges. These principles include:

Management primarily at the application, not hardware or firmware layer – By focusing on provisioning corporate apps within a secure container on the device and by abstracting the application and data away from the specifications of the device and OS, MAM solutions ensure that corporate assets can be securely controlled without impacting users’ personal device functions or assets, including ring tones, games, photos, videos, and personal apps.

Management based on policies, rules and roles – With the ability to set and enforce policies and assign roles and privileges to users and user groups, MAM software enables fine-grained control of applications even on remote devices.

Management as collaboration – With the use of an enterprise app store, IT administrators can dispense with the “command and control” approaches of the past and enable users to see and select recommended apps from within an app store view, much as they select and download apps, games, music, videos, and ringtones from the Apple App Store or Google’s Android Marketplace. This ability to offer users corporate apps within pre-defined policies meets the needs of BYOD environments while still ensuring corporate data integrity.

Configure once, run everywhere – Because a well-designed MAM solution can incorporate management of mobile applications, data, and native device functions (such as GPS and camera), as well as management of embedded HTML and desktop web applications, IT teams can leverage the solution to configure all of their policies and rules, then manage the full range of applications – mobile and desktop – from a single source.

Visibility everywhere – With the basic foundation of application management within a secure container, MAM solutions can deliver complete visibility into application activity, down to the feature layer. App management policies and rules can also be created and established in the application design and build stage, using MAM development tool extensions.

ACL
An ACL is an Access Control List, which grants an assigned user the privilege to perform tasks such as deleting an application, editing an application, and publishing an application.

Geofencing
Geofencing refers to the ability to restrict or suspend mobile device and/or mobile application functions based on the location of the device. A classic example is the ability to turn off a device’s camera function when the mobile worker is in a restricted or sensitive building or campus area.

MAM Users

As with desktop application management systems, Mobile Application Management software functions are typically driven by IT or security administration teams, who can leverage MAM technologies to extend corporate data management and security procedures to end users’ personal mobile devices, without the need to control hardware or firmware layers.

LDAP
Lightweight Directory Access Protocol is the protocol used to query and update a directory server. A MAM solution verifies a user name and password by binding to such a directory server over LDAP; the directory, not the protocol, holds the credentials.

IT Administrators
- Deploy apps through a corporate-branded enterprise app store

Security and Compliance Officers
- Extend current security policies and procedures from the back office to the new mobile front office
- Enforce policies such as user authentication, encryption, offline access, and document sharing restrictions without requiring changes to the apps
- Support BYOD – apps on both personal and corporate-owned devices – without compromising corporate policies or risking sensitive data loss

Software Developers
- Corporate developers: write apps with included policies and rules within an integrated development environment (IDE) or scripting tools; easily distribute apps for testing via the enterprise app store or a custom app store
- ISVs: enable apps to go mobile with policy management integrated into the offering

MAM Workflow

Mobile Application Management follows a clear workflow beginning with IT management and incorporating IT administrators, application designers, and end users.

The IT administrator manages the apps, users and devices from a web-based management console. A developer submits apps for distribution (or IT installs acquired apps) and the IT administrator then chooses which of the corporate policies to apply to the app before distribution. There may be a range of different policies depending on the sensitivity of the app or the data that it accesses. The policies are then applied with no changes required to the app. The IT administrator can then identify the category that the app should reside in and which users or groups of users will have access to it.

When a new user is enrolled, the user receives an email with a link to download the secure application container client onto their device. The device can either be corporate-owned or employee-owned. The app installs just like any other mobile app. The user then logs into the Enterprise App Store and can see all of the applications that they are entitled to download and install.

If the user already has an app container client, he or she will receive a push notification that there is an app available for them (or an update to an existing app).

The user runs the app like any other on their device – the fact that the corporate apps are policy-managed is transparent.

Following is an example policy establishment and management workflow:

Role: IT Management
Action: Define Guidelines
Outcome: IT Management defines policy guidelines.

Role: IT Administrator
Action: Create & Assign Policies
Outcome: Administrators create and assign a set of Policies, Groups, Roles, and ACLs to the users as per the enterprise guidelines. They can do this manually or import them through the ADS.

Role: IT Admin / User
Action: Submit / Deploy Applications
Outcome: Administrators or users submit, deploy and publish applications. Once published, an application is available to targeted groups with appropriate privileges.
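The workflow in the table, as an added example that is not part of the original white paper or of Kony's product: IT management's guideline is expressed as the set of privileges each role carries, the administrator enrolls users into roles and groups, submit/publish/delete are checked against the actor's effective ACL, and a user's storefront shows only applications published to one of their groups. The role names, privilege names and sample users are assumptions made for illustration.

```python
"""Added example (not Kony's code): a minimal model of the MAM
policy-establishment workflow. Role and privilege names are assumptions."""

# Guideline from IT management: which privileges each role carries (assumed).
ROLE_PRIVILEGES = {
    "admin": {"edit", "delete", "publish"},
    "publisher": {"edit", "publish"},
    "developer": {"edit"},
    "user": set(),
}


class EnterpriseAppStore:
    def __init__(self):
        self.roles = {}    # user -> role
        self.groups = {}   # user -> set of group names
        self.apps = {}     # app -> {"state": "submitted"|"published", "groups": set()}

    # IT administrator: assign a role and groups, which fixes the user's ACL
    def enroll(self, user, role, groups=()):
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role
        self.groups[user] = set(groups)

    def acl(self, user):
        """Effective ACL of a user; an unenrolled user gets no privileges."""
        return ROLE_PRIVILEGES.get(self.roles.get(user), set())

    def _require(self, actor, privilege):
        if privilege not in self.acl(actor):
            raise PermissionError(f"{actor} lacks {privilege!r}")

    # Administrator or user: submit an application (any enrolled user may)
    def submit(self, user, app):
        if user not in self.roles:
            raise PermissionError(f"{user} is not enrolled")
        self.apps[app] = {"state": "submitted", "groups": set()}

    # Publish to target groups: needs the publish privilege
    def publish(self, actor, app, groups):
        self._require(actor, "publish")
        entry = self.apps[app]
        entry["state"] = "published"
        entry["groups"] = set(groups)

    def delete(self, actor, app):
        self._require(actor, "delete")
        del self.apps[app]

    # End user: only published apps targeted at one of the user's groups
    def storefront(self, user):
        mine = self.groups.get(user, set())
        return sorted(name for name, e in self.apps.items()
                      if e["state"] == "published" and e["groups"] & mine)
```

Two defaults matter here: a user nobody enrolled has an empty ACL rather than a missing one, and a submitted application is invisible to every storefront until someone holding the publish privilege targets it at a group.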

Policy Management

Policies are a set of rules which govern device operations while the device is accessing enterprise resources. Policies can be created based on various constraints such as current security rules, network permissions, device storage permissions, clipboard permissions, application feature permissions, and phone features. Policy management enables administrators to create, edit, publish, unpublish, delete, and change the state of a policy.

Example policies:
- Offline access
- On-device data protection
- Restrict/secure data communication between device and server
- Authentication
- Camera, SMS, phone, GPS, email, and other APIs
- Document sharing
- Restrict cut, copy and paste from the app to other apps
- App idle time-out and expiration time
- Allow app usage for a pre-determined time (business hours only)
- Deny access to the app while driving (GPS and cell triangulation data)

Administrators create policies in a centralized web management console, then adjust and apply them to applications in the enterprise app store. To extend policies developed in other environments, administrators would follow these steps:

1. Understand the signature of the API definition on a per-platform basis.
2. Write a custom policy for the native APIs and package it as a library, which will then co-exist with the existing MAM policy library.
3. Register the custom policy for the native API in the MAM policy XML file.
4. The infrastructure then invokes the new policy and, as part of the build process, the admin console is regenerated.
5. Carry out all the testing (including regression testing) necessary.

The following is an example of customizing/extending a policy in the Kony Mobile App Manager solution:

1. Identify the native API (e.g. the camera open() API).
2. Extend the KonyPolicyWrapper class, to which the policy decision (i.e. allow or deny camera) is passed, for example as XYZPolicyWrapper.
3. Write a method in XYZPolicyWrapper to implement the policy.
4. Map the native camera API to XYZPolicyWrapper in the XML file, and the MAM infrastructure takes care of the rest.

The Kony policy framework will invoke the custom or Kony policy for a native API as defined in the MAM policy XML file.
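The wrapper-and-XML pattern described above, as an added example that is not Kony's code: a policy file maps each native API to a wrapper, the wrapper decides allow or deny from the device context, and the call into the native API goes through a guard that consults the policy first. The real KonyPolicyWrapper signature and the real policy XML layout are not known here, so the PolicyWrapper base class, the element names, the geofence, business-hours and always wrappers, and the sample policies are all assumptions. The example covers two of the example policies listed above (camera denied inside a geofenced area, clipboard allowed only in business hours) and fails closed when the device cannot supply the information a policy needs.

```python
"""Added example (not Kony's code): native API calls routed through policy
wrappers registered in a policy XML file. Layout and class names are assumed."""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, time

# Constructed sample policy file (assumed layout): one <policy> per native API,
# naming the wrapper that decides and the action taken when its condition holds.
POLICY_XML = """
<mam-policies default="deny">
  <policy api="camera.open" wrapper="geofence" action="deny">
    <zone lat="28.45" lon="-81.47" radius-m="500"/>
  </policy>
  <policy api="clipboard.copy" wrapper="business-hours" action="allow">
    <hours start="08:00" end="18:00"/>
  </policy>
  <policy api="sms.send" wrapper="always" action="deny"/>
</mam-policies>
"""


class PolicyWrapper:
    """Stand-in for the vendor wrapper base class. applies() returns True or
    False for the condition, or None when it cannot be evaluated."""

    def __init__(self, element):
        self.element = element
        self.action = element.get("action", "deny")

    def applies(self, ctx):
        raise NotImplementedError

    def decide(self, ctx):
        holds = self.applies(ctx)
        if holds is None:
            return "deny"                    # fail closed on missing context
        if holds:
            return self.action
        return "allow" if self.action == "deny" else "deny"


def _distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class GeofenceWrapper(PolicyWrapper):
    """Condition holds when the device is inside any configured zone."""

    def applies(self, ctx):
        loc = ctx.get("location")
        if loc is None:
            return None
        for z in self.element.findall("zone"):
            d = _distance_m(loc[0], loc[1], float(z.get("lat")), float(z.get("lon")))
            if d <= float(z.get("radius-m")):
                return True
        return False


class BusinessHoursWrapper(PolicyWrapper):
    """Condition holds inside the configured same-day window (no overnight windows)."""

    def applies(self, ctx):
        now = ctx.get("now")
        if now is None:
            return None
        h = self.element.find("hours")
        return time.fromisoformat(h.get("start")) <= now.time() <= time.fromisoformat(h.get("end"))


class AlwaysWrapper(PolicyWrapper):
    def applies(self, ctx):
        return True


WRAPPERS = {"geofence": GeofenceWrapper, "business-hours": BusinessHoursWrapper,
            "always": AlwaysWrapper}


class PolicyEngine:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.default = root.get("default", "deny")
        self.policies = {}
        for p in root.findall("policy"):
            cls = WRAPPERS.get(p.get("wrapper"))
            if cls is None:                  # refuse to load rather than skip a policy
                raise ValueError(f"unknown wrapper {p.get('wrapper')!r} for {p.get('api')}")
            self.policies[p.get("api")] = cls(p)

    def check(self, api, ctx):
        wrapper = self.policies.get(api)
        return self.default if wrapper is None else wrapper.decide(ctx)


def make_context(lat=None, lon=None, hour=None):
    """Device context; a None field models information the device did not supply."""
    ctx = {}
    if lat is not None and lon is not None:
        ctx["location"] = (lat, lon)
    if hour is not None:
        ctx["now"] = datetime(2012, 7, 10, hour, 0)
    return ctx


def guarded_call(engine, api, ctx, native_call):
    """What the generated wrapper does in place of the native API."""
    if engine.check(api, ctx) != "allow":
        raise PermissionError(f"{api} blocked by MAM policy")
    return native_call()
```

Note the three fail-closed decisions: an API with no policy entry falls to the file's default, a policy naming an unknown wrapper prevents the file from loading at all, and a condition the device cannot evaluate (no location fix, no clock) is treated as deny regardless of the configured action.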

Fig 2: Example MAM management console screen

Enterprise App Store

As mentioned previously, for IT teams to enable Bring Your Own Device strategies, a collaborative approach with users is called for. With an Enterprise App Store, employees are able to browse, discover, access, download and install approved apps quickly and conveniently, just as they can in Apple's App Store™ or Google's Android Market™. To enable this, the well-designed MAM solution includes a customizable enterprise app store that is tightly integrated with the MAM console to ensure application distribution, security and policy administration. From a design standpoint, the ideal solution delivers this as an end-to-end, integrated approach to ensure any administration changes are immediately enabled and the employee experiences the appropriate storefront content and policies without errors or delays.

Fig 3: Apps are submitted to the Enterprise App Store through the Management Console

Application and Data Security

Mobile Application Management solutions handle application and data security primarily through the use of a secure app container, which is delivered to the mobile device as its own “meta” application. The primary benefit of the secure container is that all of the applications and data within it are protected on the device under a single set of controls. Initial provisioning of the container itself can be controlled through the use of trusted “whitelists,” profiles and passwords.

All configurations, application definitions and data are encrypted, so that even if the device is hijacked or jailbroken, or the container is copied, the contents are protected. All data transmissions over the network are encrypted. In addition, the container can be locked to a specific device, meaning that it will not start if copied to another device.

If needed, the container can also be “blacklisted,” i.e., all applications and data will be automatically removed the next time the container attempts to connect to the host. The container may be configured to automatically shut down if idle for a period of time or if the device goes into sleep mode. HTML can be executed inside the container without the risks associated with a general-purpose browser. All provisioning and access requests are audited.

Push Notifications
Push Notifications is a generic service that sends a notification to registered devices, across multiple platforms, when an event occurs.

Secure App Container

Following are some of the key features of a secure app container:

Decommissioning and Blacklisting
At any stage, an entire container or a specific user may be blacklisted. This means that the next time the container is started and has network access, all the relevant applications and data will be automatically removed from the device, i.e., reset back to its initial provisioning state. This functionality is essential if a device is lost or stolen.

Device Lock
Administrators may “lock” a container to a specific device, i.e., if it is copied to another device without authorization, it will not start. This prevents unauthorized backup or replication of the container data.

Security
The primary benefit of the secure container is that all of its applications and data on the device are protected. The following is a summary of the security features:

- Initial provisioning of the container itself can be controlled through the use of trusted “whitelists,” profiles and passwords.
- All configuration, application definitions and data are encrypted. Even if the device is hijacked or jailbroken, or the container is copied, the contents are protected.
- All data transmissions over the network are encrypted.
- The container can be locked to a specific device, meaning that it will not start if copied to another device.
- The container may be “blacklisted,” i.e., all applications and data will be automatically blocked from being accessed.

A range of identity management options can be used to authenticate user access to the container through standard directory services, third-party security applications, custom functionality, etc. Users can only access the applications and data that they are authorized to. Role-based provisioning is strictly controlled through the user profiling facility on the central Kony admin console. The container may be configured to automatically shut down if idle for a period of time or if the device goes into sleep mode. HTML can be executed inside the container without the risks associated with a general-purpose browser. All provisioning and access requests are audited.

The secure container feature provides a flexible solution for mobility by allowing for identity management/role- based provisioning and modular application implementation.
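Two of the container properties described in this section, the device lock and blacklisting on the next check-in, as an added example that is not part of the original white paper or of Kony's container. The key derivation, the manifest tag and the check-in message format are assumptions: the container key is derived from the device identity together with the user's passcode, so a copy of the container on another device derives a different key and fails the start-up check; the host's check-in reply is authenticated with a shared key (SERVER_KEY, constructed here), and a reply that does not verify is refused rather than acted on, so a spoofed reply can neither force a wipe nor suppress one. The application payload itself would be encrypted under the same device-bound key with an authenticated cipher from the platform's crypto library, which is outside the standard library and left out here.

```python
"""Added example (not Kony's code): device-bound container key, start-up
check, and authenticated blacklist check-in. Formats and keys are assumed."""
import hashlib
import hmac
import json
import os

# Constructed shared key for authenticating the host's check-in replies.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def derive_container_key(device_id, passcode, salt):
    """Bind the key to the device identity as well as the user's passcode, so
    the same container file on another device derives a different key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                               device_id.encode() + salt, 100_000)


def sign_reply(server_key, payload):
    """Host side: (body, tag) for a check-in reply."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hmac.new(server_key, body, hashlib.sha256).digest()


class SecureContainer:
    def __init__(self, device_id, passcode, salt=None):
        self.salt = salt if salt is not None else os.urandom(16)
        self._key = derive_container_key(device_id, passcode, self.salt)
        self.apps = {}            # app name -> provisioned data (stand-in)
        self.manifest_tag = None

    def install(self, name, data):
        self.apps[name] = data

    def _manifest(self):
        return json.dumps(sorted(self.apps), separators=(",", ":")).encode()

    def seal(self):
        """Tag the app inventory under the device-bound key."""
        self.manifest_tag = hmac.new(self._key, self._manifest(), hashlib.sha256).digest()

    def start(self, device_id, passcode):
        """Device lock: start only if this device and passcode reproduce the
        key that tagged the manifest. A copy on another device fails here."""
        key = derive_container_key(device_id, passcode, self.salt)
        expected = hmac.new(key, self._manifest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.manifest_tag or b""):
            return False
        self._key = key
        return True

    def wipe(self):
        """Decommission: remove all apps and data, back to the provisioning state."""
        self.apps.clear()
        self.manifest_tag = None
        self._key = None

    def check_in(self, body, tag, server_key):
        """Process the host's reply at start-up. A reply that does not verify is
        refused: the container is neither wiped nor opened on its say-so."""
        expected = hmac.new(server_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "refused"
        if json.loads(body).get("status") == "blacklisted":
            self.wipe()
            return "wiped"
        return "ok"
```

Two caveats a practitioner should keep in mind. The device lock is only as strong as the device identifier it keys on: on a jailbroken device that identifier can be read and presented by an attacker, so the lock raises the cost of a copied container rather than making the copy unusable, and data is in the clear in the process's memory while the container is open. The check-in as modelled also accepts an old "active" reply replayed later; a deployed protocol would carry a nonce or timestamp in the signed body so that a captured reply cannot be used to mask a later blacklisting.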

Analytics & Reporting

To enable complete and effective BYOD strategies, the well-designed MAM solution should deliver integrated analytics and reporting capabilities. Administrators should be able to report on, analyze and audit mobile application activity using built-in modules and industry-standard analytics tools such as Adobe Omniture, IBM Coremetrics, Google Analytics, and Webtrends Analytics.

Below are some example reports that can be run via the console:

- Apps: total apps per platform
- Downloads: total downloads per platform
- Mandatory apps not installed, per user
- Information on users, per device and per OS: number of apps downloaded
- Information on apps: number of users per device and per OS

Fig 4: Example MAM analytics screen

Summary

As end users accelerate the trend toward consumerization, IT leaders will need to implement management solutions that address the variety of devices, apps, and operating systems that make up today’s increasingly diverse corporate computing environment. Mobile Application Management systems offer an approach that takes into account both the need to manage and control corporate data and the need to support end user autonomy and control over their own personal computing assets. Through innovations such as secure on-device containers, policy injection and management, and targeted device management, MAM solutions can give IT the finely tuned architecture it needs to meet the BYOD challenge.

About Kony

Kony and the KonyOne Platform™ enable Fortune 500 companies to offer consumers and employees feature-rich mobile applications in less time and at lower costs than any other solution. Leveraging a Write Once, Run Everywhere single application definition, applications are designed and developed just once, in a device independent manner, and deployed across multiple channels, including native applications, device-optimized HTML5 and HTML4 mobile web, SMS, web gadgets, kiosks, and tablets.

Kony’s unique platform is proven to future-proof a company’s mobile investment by enabling applications to be changed once for all channels, ensuring faster adoption of new operating systems and standards as they are introduced, while eliminating maintenance, upgrade and future development costs.

Learn more at www.kony.com

KONY SOLUTIONS, INC 7380 West Sand Lake Road #390 Orlando, Florida 32819 +1.321.293.KONY (5669) Toll Free: 1.888.323.9630

© 2012 Kony Solutions, Inc. All rights reserved. Kony and the Kony Mobile Application Platform are trademarks of Kony Solutions. Apple and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries. BlackBerry is a registered trademark of Research In Motion. Android is a trademark of Google Inc. Other product names mentioned are the property of their respective holders.