While smartphones are streaming fast into the enterprise and organizations are rapidly adopting ActiveSync to secure the environment, ActiveSync alone has traditionally not delivered the access, control and visibility features demanded by security-conscious enterprises. In addition, it has been difficult to restrict devices from connecting to ActiveSync based on posture (e.g., OS version or security posture) beyond the standard policy enforcement criteria offered by the ActiveSync platform. Even basic policies, like enforcing password policies on mobile devices, have been problematic in some hosted e-mail environments.
MobileIron’s mobile device management tool, MobileIron Sentry, provides the infrastructure needed for enterprises to meet these challenges and to enable ActiveSync and devices like iPhones with confidence. It gives IT the visibility and control needed to protect the enterprise perimeter, and it offers a smart interface designed to fully utilize the iPad’s large screen and multi-touch features.
According to the white paper Smart about Smartphones Volume IV, produced by MobileIron, MobileIron Sentry provides the tools needed to gain visibility over connected devices, prohibit unauthorized devices from gaining access to ActiveSync, and block devices that either do not meet requirements or have fallen out of compliance from connecting to corporate e-mail. Virtually any ActiveSync environment is supported, either via a network-based approach or an integrated mailbox-based approach, ensuring that the right model is available for any organization.
As described in the white paper, MobileIron Sentry manages mobile devices using two distinct architectural models: MobileIron Sentry Standalone and MobileIron Sentry Integrated. There are no feature differences between the two models. Both ensure that only authorized devices are able to connect to ActiveSync and that they meet organizational policy assessments. Both also provide visibility into all devices attempting to connect to ActiveSync, regardless of whether those devices are under MobileIron management, and both perform DM commands, such as remote wipe.
The model chosen for deployment by a given enterprise depends on the enterprise’s security goals, network topology, and back-end mail infrastructure, the white paper states. Note that the Integrated Sentry must be used if client certificates alone will authenticate users to the Exchange infrastructure. Two-factor authentication using certificates plus username and password, when deployed in conjunction with a front-end proxy or load balancer that can handle certificate verification, is supported by either Sentry model, the white paper explains.
In essence, MobileIron Sentry Standalone acts as a proxy between clients and the mail infrastructure, sitting in-line between an ActiveSync client and the organization’s ActiveSync mail server(s). According to the paper, this model supports a variety of back-end mail infrastructures. For instance, customers have successfully deployed MobileIron Sentry Standalone connected to Microsoft Exchange, Lotus Notes when used with Notes Traveler, and hosted solutions such as BPOS-S, BPOS-D or Google Gmail.
MobileIron Sentry Integrated acts as a policy agent within Exchange 2007 and Exchange 2010 mail clusters, the paper concludes. Support is also offered for Microsoft’s BPOS-D hosted mail system. This model is perfect for organizations that want to enforce policies on the mail cluster itself, rather than through an appliance that sits within the communication flow for ActiveSync. With MobileIron Sentry Integrated, organizations can also leverage their existing high availability (HA) environment, as the Sentry is not directly in the mail flow.
Ashok Bindra is a veteran writer and editor with more than 25 years of editorial experience covering RF/wireless technologies, semiconductors and power electronics.
Edited by Jamie Epstein