February 25, 2013

Enterasys OneFabric Connect and Mobile Device Management

Mobile Device Management (or MDM) is one of the hot new solutions that network administrators want to add to their networks – and it’s not hard to see why. With an MDM an administrator can extend the visibility of network-connected devices out into the individual mobile devices that are constantly connecting to the network, whether they are corporate devices or personal ones supported under Bring-Your-Own-Device (BYOD). The advantage is that an MDM can provide a wealth of information about the device beyond what can be detected via network access control features, including more granular device type information, asset information like IMEI, IMSI, phone number and more – right down to the individual apps currently installed.

But there are also problems which all MDM products face: they don’t provide that data when their agent is not installed – which is true for a lot of devices on the network – and they cannot enforce policies for those devices. Furthermore, they don’t provide network access control based on the compliance state, ownership or other attributes. In fact, most MDM solutions only provide two options to network administrators when they want to control a mobile device: refuse network access or remotely wipe the device entirely. According to this infographic, almost 60% of employees worldwide are participating in BYOD. However, it also indicates that employees become much less enthusiastic about using their personal devices on a corporate network that can wipe them without warning – only 31% would keep doing it. The possibility of wiping a device by accident (or because the user made a minor mistake) is pretty much guaranteed to give administrators nightmares about furious support calls. Likewise, blocking access for reasons incomprehensible to users defeats the whole point of providing network connectivity, so it’s fair to say that MDMs are being approached with caution, especially for true BYOD scenarios.

However, when you supplement an MDM with an access control solution (like Enterasys’s Mobile IAM, part of our OneFabric Connect solution) you get a much more flexible and granular level of control. By integrating the wealth of information from the MDM with a sophisticated policy-based management system, administrators can very effectively manage how any kind of mobile device can be used within the network – without the sledgehammer-like consequences of a full device wipe! The result is a much friendlier management and control system for Enterprise Mobility.

While all MDM solutions are slightly different, they all support a number of specific variables or functions that report the status of the mobile device. When these are seamlessly integrated into OneFabric Connect, administrators have a wide variety of policy-based solutions that can be automatically applied to maintain network security and control. Here are some use cases:
Zero Effort Onboarding for a high quality user experience

Combine your guest access and BYOD registration portal as well as the MDM enrollment into a single workflow, so users and guests will experience an easy and straightforward onboarding for any scenario.

Context-based policy enforcement based on a specific installed application or the compliance state of the device

Does the device have a specific unwanted app installed? Or an app that gives untrusted third parties access to the device? Instead of just refusing access, OneFabric Connect can automatically inform the user (via text, remediation portal or email) of the problem and/or provide access to a less secure Wi-Fi network (if available). The same can be done if the MDM solution determines that the device is out of compliance based on the MDM configured policies.

Find devices effectively to reduce time to troubleshoot: enrich the information in the Mobile IAM real-time device and user tracking database for better helpdesk support

Additional information like phone number, device model number, OS version details, mobile operator/provider, IMSI and IMEI is provided within the context of the network management. So devices and users can be located, and services can be provided, more rapidly, without first having to find out network attributes like MAC address, IP address and others.

Context-based policy enforcement based on the configuration of the device: configuration items like password required, SD card encryption enabled, backups encrypted, device rooted or jailbroken, sync to cloud enabled, max idle time before password must be re-entered

OneFabric Connect allows network administrators to enforce very granular and effective security policies. Is a password even enabled? How much idle time before that password has to be re-entered? Are cloud backups enabled automatically? Are they encrypted? Is SD card encryption enabled? Based on any of these criteria you can set a policy that refuses or restricts access or even forces the device to activate or deactivate the functions as required. Also, you can keep your users happy by letting them know why their device is behaving the way it is (something guaranteed to reduce user frustration and help desk calls). When someone can’t connect to the network with their iPad and can’t tell why, it’s time to call IT and complain. However, when they can’t connect and they instantly get a notification telling them that they have to disable cloud backups before they’re granted access, they understand the problem and can actually resolve it themselves without having to trouble the IT staff. The result is a network that’s as secure as IT wants to make it and users that automatically understand what they need to do in order to access that network.

Context-based policy enforcement based on the status of the device: Device rooted or jailbroken, stolen, wiped, decommissioned

Is the device rooted, ‘jailbroken’ or otherwise compromised? Wiped, stolen or decommissioned? Based on any of these criteria you can set a policy that refuses or restricts access or even forces the device to activate or deactivate the functions as required. Also, you can keep your users happy by letting them know why their device is behaving the way it is (something guaranteed to reduce user frustration and help desk calls). And again, when someone can’t connect to the network with their iPad and can’t tell why, it’s time to call IT and complain. Or just wipe it yourself – initiated by Mobile IAM, done through the MDM solution.

Context-based policy enforcement based on the ownership and enrollment status of the device: employee- or business-owned mobile device, MDM agent installed and configured, or whether any other MDM agents are installed

Want your users to access your network and no one else’s? Differentiate employee owned and business owned devices to grant access? This can be done as well.
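As an added illustration of the policy logic the use cases above describe (this is example code written for this page, not Enterasys’s or OneFabric Connect’s own implementation; the attribute names, access tiers and thresholds are assumptions), here is a small rule evaluator that maps MDM-reported device attributes to a network role plus the remediation message shown to the user instead of a bare refusal:

```python
from dataclasses import dataclass, field
from enum import Enum

class Access(Enum):
    FULL = "corporate"   # business-owned, compliant device
    BYOD = "byod"        # employee-owned, compliant device
    GUEST = "guest"      # the "less secure Wi-Fi" fallback, with remediation hints
    DENY = "deny"

@dataclass
class DeviceState:  # attributes an MDM typically reports; field names are assumed
    mdm_enrolled: bool = False
    corporate_owned: bool = False
    compliant: bool = True
    rooted: bool = False
    stolen: bool = False
    password_enabled: bool = True
    max_idle_minutes: int = 5
    cloud_backup: bool = False
    backup_encrypted: bool = True
    unwanted_apps: tuple = ()

@dataclass
class Decision:
    access: Access
    reasons: list = field(default_factory=list)  # user-facing remediation text

def evaluate(dev: DeviceState, max_idle_allowed: int = 15) -> Decision:
    # Hard refusals first: stolen or compromised devices never get on.
    if dev.stolen or dev.rooted:
        return Decision(Access.DENY, ["Device reported stolen or rooted/jailbroken; contact IT."])
    # Unmanaged devices yield no MDM data, so they only get the guest network.
    if not dev.mdm_enrolled:
        return Decision(Access.GUEST, ["Enroll in MDM to gain corporate access."])
    # Configuration checks: each failure becomes a concrete remediation step.
    reasons = []
    if not dev.password_enabled:
        reasons.append("Enable a device password.")
    if dev.max_idle_minutes > max_idle_allowed:
        reasons.append(f"Set auto-lock to {max_idle_allowed} minutes or less.")
    if dev.cloud_backup and not dev.backup_encrypted:
        reasons.append("Disable cloud backups or enable backup encryption.")
    if dev.unwanted_apps:
        reasons.append("Remove unapproved apps: " + ", ".join(dev.unwanted_apps))
    if not dev.compliant:
        reasons.append("Device is out of compliance with MDM policy.")
    if reasons:
        return Decision(Access.GUEST, reasons)
    # Compliant device: ownership decides between the corporate and BYOD roles.
    return Decision(Access.FULL if dev.corporate_owned else Access.BYOD)
```

In a real deployment the MDM attributes would arrive via the MDM’s API and the resulting role would be pushed to the NAC as the device’s policy; the reasons list is what would be sent by text, email or the remediation portal.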

This list is really only the tip of the iceberg, as some MDMs support a lot of variables – most of which can trigger policies. Furthermore, the market has evolved into data and application management, towards full enterprise mobility management including content management, application deployment and containerization of applications and data. The combinations with network access are limited only by your imagination and your business requirements. However, an MDM alone can only refuse access or wipe a mobile device. It takes policies to create a more flexible, granular and user-friendly mobile ecosystem, and that takes OneFabric Connect and Mobile IAM.

About The Contributor:
Markus Nispel, Vice President Solutions Architecture and Innovation

Markus Nispel is the Vice President Solutions Architecture and Innovation at Extreme Networks. Working closely together with key customers, his focus is the strategic solution development across all technologies provided by Extreme. In his previous role he was responsible, as the Chief Technology Strategist and VP Solutions Architecture, for the Enterasys Networks solutions portfolio and strategy, namely NAC (Network Access Control), SDN (Software Defined Networks), DCM (Data Center Management), MDM (Mobile Device Management) integration, OneFabric, OneFabric Connect and OneFabric Data Center, as well as the network management strategy. This position is tied to his previous role in Enterasys as Director Technology Marketing and as a member of the Office of the CTO. In addition to this role he advises key accounts on a worldwide basis in strategic network decisions. Before his work for Enterasys, Markus Nispel was active as a Systems Engineer at Cabletron Systems. Markus Nispel studied at the University of Applied Sciences in Dieburg and graduated in 1996 as Dipl.-Engineer for communications technology. He gained his first professional experience at E-Plus Mobile Communications within the network optimization group of their DCS cellular mobile network.
