Mobile Device Management

The Mobile Device Management (MDM) service is a cloud-based management system for mobile devices that uses Exchange ActiveSync to provide a secure, robust, and flexible platform for managing your mobile device workforce. MDM enables Customers to centrally manage (i.e., distribute, install, and maintain) and secure mobile device data, applications, configurations, and policies, including applications that allow Customers to track device locations. MDM is provided on a fully managed and hosted, shared-use multi-tenant platform. The system is device and carrier agnostic: although MDM is provided by Verizon, the service supports multiple carriers and device types.

  • This offering is classified as an Emerging Service.

Highlights

  • Hosted environment that frees the customer from additional server costs and support.
  • Enforce security compliance – MDM pushes customer-defined security policies to the devices to enforce password requirements and other restrictions, such as disabling the camera, iCloud, Siri, etc.
  • System set up in line with the customer's existing security policies.
  • Advanced application management and distribution capabilities.
  • Dedicated Verizon help desk team supporting a help-desk-to-help-desk model.
  • Selected self-service functionality for the customer help desk and the end user.
  • Standardized email client across all mobile platforms by deploying the Nitrodesk Touchdown client to each device.
  • Ability to wipe the entire device or only the corporate data, either resetting the device to factory settings or deleting only the data pushed out by MDM.

TECHNICAL ARCHITECTURE

[MDM Diagram: Technical architecture of MDM using Microsoft Exchange ActiveSync.]

Training
Computer Based Training for Administrators

Verizon's Service Delivery team will provide Customer Admin training via WebEx during the implementation phase. Detailed training includes how to set policies, enroll devices, administer applications, run reports, and set up the Nitrodesk Touchdown client.

Reporting

  • Roaming subscribers view – Lists subscribers whose last known state was roaming.
  • Exceed threshold summary views – List subscribers who have exceeded user-defined thresholds for at least one kind of activity within an accounting period.
  • Activity summary views – Show aggregate values for data, call, and message activities for each subscriber within an accounting period.
  • Activity thresholds views – Let you compare aggregate values for data, call, and message activities to user-defined thresholds.
  • Location view – Shows last determined latitude and longitude of devices enrolled in device activity.
  • Network info view – Shows worldwide cellular networks.
  • Activity Details view for each subscriber – Shows call, data, and message activities for individual subscribers.

Touchdown

Nitrodesk Touchdown for Android and iOS provides device users with a robust, easy-to-use user interface that has the PIM features device users want and need. Nitrodesk Touchdown can be pushed to and configured on each Android and/or iOS device from the Afaria Admin portal.

Features

This is a general feature list for both Android and iOS devices. Detailed information can be found in the Touchdown Features (PDF) document.

ANDROID
  • Widgets
  • Client Certificates
  • PIN Enforcement
  • Remote Data Wipe
  • Email-initiated Data Wipe
  • SMS confirm on Wipe
  • Manual and Scheduled Sync
  • Data Encryption at rest
  • Encrypt Attachments on SD card
  • S/MIME Signing and Encryption
  • Tablet optimized version
  • Mobile Device Management support

IOS
  • Force Password
  • Device Password Complexity Options
  • Allow Simple Password Options
  • Minimum Password Length
  • Number of Failed Attempts Allowed
  • Device Encryption
  • Enforce Password History
  • Max Attachment Size Download Limit
  • Remote Device Wipe
  • Password Timeout
  • Password Expiration
  • Max Email Size
  • Allow HTML Email
  • Allow Attachments
  • Max Attachment Size

Data at Rest

TouchDown is wrapped with Mocana Mobile App Protection (MAP), which provides data-at-rest encryption.

Mocana received a FIPS 140-2 Level 1 certificate for the core encryption engine inside of MAP. This engine supports NSA’s “Suite B” algorithms. The “Encrypted Data-at-Rest” policy wrapped into apps by MAP uses FIPS 140-2 Level 1 certified cryptography.

Every instance of an app wrapped with MAP’s data-at-rest encryption policy has a unique “master key.” This master key unlocks a high-entropy encryption key, allowing for the app’s data-at-rest to be accessed by the app itself, never by any other app – or piece of malware. MAP’s design diminishes the feasibility of brute-force attacks by both expanding the search space and increasing the time-cost of testing each key.

When a MAP-wrapped app writes data to the device – whether to the onboard file system (“disk”) or to external media like removable SD cards – the data is written in an encrypted form that only that app can decrypt. The data can be created within the app, or it could be data downloaded to the app (i.e., email attachments); in either case, if the data gets written locally, it is encrypted.

Security

TouchDown allows the MDM system to specify a variety of controls that dictate the level of security offered on the client devices. These controls include the ability to set the following:

SECURITY
  • Application-level PIN or a device-level PIN
  • Perform remote wipe of the Touchdown data
  • Disable copying content from emails
  • Disable showing information in Notifications
  • Disable showing information in Widgets
  • Disable or control export of contact information to the device phone book
  • Disable the user from changing sensitive settings or performing ad-hoc configurations

Afaria

Afaria is an enterprise tool for securing and managing corporate-owned and personally owned user devices with enterprise policies. Devices include phone and computing devices, such as smartphones and tablets. Through the End User Self Service portal, end users can enroll their devices within minutes.

Features

This is a general feature list for both Android and iOS devices. More detailed information can be found in the Afaria Features (PDF) document.

PROVISION AND ENROLL DEVICES IN MANAGEMENT
  • Define device settings
  • Secure devices and data
  • Collect inventory
  • Distribute software


As part of our service we offer the following SLAs:

  • Platform Availability – 99.5%
  • All maintenance upgrades occur during standard maintenance windows (weekends and/or 12:00 am – 6:00 am EST).
  • Pro-active Notifications will be sent out in an Emergency Maintenance window.
  • Ability to access the management portal from anywhere in the world – Both the Self-Service Portal and the Admin Portal are secure 24/7 web portals that can be accessed from anywhere with an internet connection and a browser.
  • Publish/assign applications – Apps can be delivered to end users from the App Store, from Google Play, or as an enterprise app outside of the marketplaces.
  • Ability to disable local email backup on the device – Either via a Touchdown setting or on the iOS native client. Device data is encrypted with FIPS 140-2 validated cryptography as part of the NitroDesk Touchdown client.
  • Configure email settings from portal – The email configurations for all devices are accessible and can be modified from the Admin Portal.
  • Apply multiple policies – Different policies can be set up for different groups of users.

Does this service require a specific carrier or device?

The system is carrier and device agnostic. Refer to compatible device list.

Will I be able to incorporate a BYOD (bring your own device) policy, and a separate corporate policy?

Yes

Will this solution detect jailbroken or rooted devices?

Yes, if you choose to enable that policy setting.

Will I have the ability to publish a customized Apple App Store and/or Google Play application list?

Yes. You can open the entire application store from both systems, or publish applications that you desire your workforce to have.

Does this solution provide FIPS 140-2 encryption?

Yes.

What mail client should I use for this service?

NitroDesk Touchdown for Government will be included as part of the service. This standardizes the mail client across device platforms.

Will I have to install applications on our devices to utilize this service?

Yes, there are two: the SAP Afaria encryption client and the NitroDesk client.

Will CDT manage my devices?

No. Each customer will receive their own portal, which will allow them to manage, configure, deploy, and maintain their mobile device population.

Will training be provided?

Yes, computer based training will be provided by the vendor for administration of the system.

What if I am having trouble accessing the portal?

You have a direct line to Verizon support 24 hours a day.

Will my department's IT still be able to wipe my device if I lose it?

Yes. Your department’s IT will be able to wipe just the corporate email or the entire device depending on the event.

Can I delegate certain roles to help desk staff to manage adding and removing devices?

Yes, there is a help desk role within the portal which will allow those individuals to manage devices while restricting policy configurations.

Are there any policies that I am required to implement?

Yes, if you are a state entity (Department or Agency), all devices must comply with the standards put forth by the State Information Security Officer.

Can I still use OWA to wipe my device?

No. Once a device is provisioned on the MDM system, the wipe command must originate there.

Is MDM mandatory for existing CA.mail or CES customers?

No. This is an optional service to augment device security related to email.

Can I prevent my users from using the native Active Sync solution once I have provisioned them on the MDM platform?

Yes.

Can I schedule reports to be emailed to me?

At this time, the reporting feature is limited to on demand reporting.

Does or will Afaria tie into WebSense?

Neither Afaria MDM nor any other MDM platform integrates with WebSense. WebSense is a back-end application that monitors web connectivity, looking for specific parameters that allow a user access to specific websites. If the device needs access, a URL may be pushed down to the device, but it only applies if the user selects that URL and does not opt for a different browser.

During the enrollment of a device, can the time-out for completing that enrollment be changed? When does the timer actually start: when the user receives the initial email?

The length of time that the enrollment code is active can be changed. It starts when assigned to the end user.

Will other consumers of the service be able to see my provisioned devices?

No. Each consumer sees only the devices they have provisioned in their own portal.

Subscriptions to this service are available and can be referenced in the CDT Rate Schedule.

Service Code | Service Description                      | Unit of Measurement | Rate  | Group            | Comment(s)
E125         | Mobile Device Management                 | Per Device/Month    | $5.25 | Statewide E-Mail |
E126         | Mobile Device Management Activation Fee  | One-Time/Per Device | $1.05 | Statewide E-Mail |
To request to Add or Delete Mobile Device Management service: Order Service Now
Please Note: A completed Mobile Device Management Authorization Form (PDF) is required prior to the start of work. To aid in the preparation of providing this technology, complete the Authorization Form and attach it to the Service Request.
Once your request is received, CDT staff will work with Verizon to establish a new Customer portal. The Customer will be contacted by Verizon with the portal information.
As part of the implementation process, Verizon will work with each agency to set up its environment. This includes:
  • Assign a Project Manager and Implementation Technical Lead
  • Review Project Plan
  • Confirm Customer Checklist and Requirements
  • Establish the customer's sFTP account and point of contact
  • Document questions and follow ups
  • Schedule Admin Training
  • Schedule weekly touchpoint calls
  • Verizon Project Manager and Customer point of contact agree on date devices will be provisioned via the End User Self Service Portal (EUSSP).