The MDM has overshadowed the real dilemma - what solution will provide the same type of service RIM has provided over several years?
Before we can discuss mobile device management we have to provide the email delivery in a timely manner that users have come to expect.
We have looked at the sandbox approach (GoodLink) and the ActiveSync native client solutions (McAfee).
Does anyone know of any other vendors that deliver email from the messaging system to the smartphones besides these two?
Respectfully, I disagree. MDM is a vital part to the overall approach, in all but one situation.
(situation - you're only providing email)
Would you deploy Windows or BlackBerry devices without a management strategy?
MDM is what we asked for Apple to provide so we could manage, supervise, inventory devices.
The solution _IS_ MDM. The implementation is up to the rich 3rd party ecosystem.
Email is the easiest item to deliver. Exchange ActiveSync (from Exchange Server, Lotus Notes, Google Apps) using the native mail.app.
It doesn't involve additional licensing.
It works extremely well.
It's timely, thanks to MSFT DirectPush.
It's not impacted by NOC downtime (like RIM).
Good makes sense when it comes to FIPS 140-2 (government requirement) & for organizations that have very specific needs.
It's dependent upon your risk.
I've seen companies try to deliver iPhones in a staggered, drawn-out model.
4. App delivery
It's a terrible approach. The right MDM will provide all 4 items in 1 step.
Other vendors... LRW Pinecone
Thanks for the response. One of our current vendors is partnering with LRW so we will be looking at them.
I didn’t mean to imply that MDM isn’t a vital part of the approach to providing a mobility solution. And I concur that it wouldn’t be wise to stagger a delivery of a mobile strategy.
I think we are in agreement since I assume we are looking at the operations side of this issue. But from a customer perspective, they don’t care about Mobile Device Management. And that isn’t the service we provide.
The service we provide meets the needs of our customers that require synchronization of e-mail, calendar entries, address books, tasks and memos to their handheld device in a reliable and timely manner. We know that in the past this meant BlackBerry but has evolved to include non-BlackBerry devices. And that MUST be obtained first otherwise the best MDM solution for managing, supervising, and inventorying the devices won’t mean much.
I can’t agree that email is the easiest and is “cake”. But more likely it depends on the environment.
Always-on is crucial for us. In the early days of RIM, users would start calling if they had a message that took more than 30 sec to get to their devices. Our users will not accept any latency, and they do not want to have to keep authenticating (WiFi/VPN) to gain access. AnyConnect does a decent job but still falls short. We have already run into latency issues with our first solution, then moved to a second solution (2000 users) only to have the authentication issues.
There are also just as important legal and security issues to consider.
And just because there is no NOC doesn’t mean there will be no impact or downtime. We found that out recently when the current vendor’s mgmt. hub failed.
If you have any suggestions/options, I would like to hear about them.
While looking at MDM vendors (who seemed to be solely focused on securing the device) I noticed BoxTone's EMM product "Continuously Monitors & Manages Message Flows in Real-Time" for delivery assurance and troubleshooting - http://boxtone.com/solutions/the-difference.aspx
We have BoxTone currently but have some things to work out since the current delivery system uses MDM and you can have two MDM at the same time.
As per my subject, you're either Big Government or Big Money. (don't answer) I get it.
Email services being 'cake' is relative to other endeavors an IT shop is undertaking. Like PKI. And whether you're the one running the project or the VP that's telling the project manager to do it.
Which partially explains why I've seen some peer organizations shift their mail systems to hosted solutions.
That's the 'cake' part.
A 30 second SLA seems difficult to achieve.
Strictly speaking, Exchange ActiveSync uses DirectPush. The device maintains an open connection to the server, so messages are received more or less instantly.
Many factors, as you are aware: mail server load/volume & bandwidth, cellular carrier network availability, et al.
Why does the customer need to authenticate to WiFi / VPN to gain access to email?
Are you not putting your Exchange behind a reverse proxy?
Speaking of PKI from before, you may want to investigate machine identity (certificate authentication) for WiFi (EAP-TLS) & VPN.
This, certificates, is 1 of the places MDM is instrumental in automatically generating keys & certificates for authentication.
NOC. Downtime doesn't go away, but you reduce the complexity by removing it from the equation.
To your original question...
I have not come across a more balanced approach (cost, complexity, security & user experience) than ActiveSync, especially on Exchange 2010 SP1 or BPOS.
I see email getting to EAS devices faster than MAPI clients.
The typical rollouts I've been involved in:
Device > Internet > DMZ Firewall > Reverse Proxy > Data Center Firewall > CAS Server > Mailbox Server
There are 2 other means I've seen, both of which I recommend strongly against.
Suicidal - putting CAS server in DMZ
Sadistic - putting CAS server behind VPN & requiring RSA / Cryptocard access
Where I do see EAS work poorly is in the instance where infrastructure isn't sized accordingly.
2 ideas to ponder.
1. You can use AD credentials and/or certificates for EAS authentication. I prefer certificate only over AD credentials.
And the certificate purpose is only for EAS. Not the same one as you would leverage for WiFi / VPN.
If you run your own CA, this is cheaper.
2. Take a look at MobileIron's VSP/Sentry strategy.
Same as above, but you leverage MobileIron for the Reverse Proxy role.
Device > Internet > DMZ Firewall > MobileIron box > Data Center Firewall > CAS Server > Mailbox Server
Since an EAS connection presents user, deviceMake, deviceModel, deviceSerial, deviceOSVersion, MobileIron intercepts that and only allows connections from devices it manages.
If you do go down the path of certificates for EAS & MobileIron enrollment is THE ONLY way to acquire a machine identity, you can infer that only managed devices can check email.
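The gateway check described in this post (a reverse proxy in front of the CAS that reads the identity an EAS request presents and admits only devices the MDM knows), written up as an added Python illustration. This is not MobileIron's, Exchange's, or the poster's code. It assumes the HTTP request line and headers have already been read off the socket; the inventory, user names, DeviceIds and User-Agent strings are constructed sample data, and the per-user and per-type binding checks go beyond the post's bare "only devices it manages" rule.

```python
"""Gate Exchange ActiveSync (EAS) requests on an MDM device inventory.

Illustrative gateway logic, not vendor code. EAS clients put the user and
device identity in the query string of every command (Cmd, User, DeviceId,
DeviceType) and the client/OS build in User-Agent, which is what lets a
reverse proxy refuse unmanaged devices before they reach the CAS.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

EAS_PATH = "/Microsoft-Server-ActiveSync"

# Constructed inventory of MDM-enrolled devices keyed by EAS DeviceId.
# Hypothetical values; a real gateway would read these from the MDM's database.
MANAGED_DEVICES = {
    "ApplDN6GL12ABCDE": {"user": "jsmith", "type": "iPhone"},
    "androidc259148960": {"user": "mlee", "type": "Android"},
}


@dataclass
class EasRequest:
    user: str
    device_id: str
    device_type: str
    command: str
    user_agent: str


def parse_eas_request(request_line: str, headers: dict) -> EasRequest:
    """Pull the identity an EAS client presents out of its HTTP request line.

    Clients send e.g.
      POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=corp%5Cjsmith
           &DeviceId=ApplDN6GL12ABCDE&DeviceType=iPhone HTTP/1.1
    with the client/OS build in User-Agent (e.g. Apple-iPhone3C1/901.334).
    """
    method, target, _version = request_line.split(" ", 2)
    if method != "POST":
        raise ValueError(f"EAS commands are POSTed; got {method!r}")
    parts = urlsplit(target)
    if parts.path != EAS_PATH:
        raise ValueError(f"not the EAS endpoint: {parts.path}")
    params = parse_qs(parts.query)

    def required(name: str) -> str:
        values = params.get(name)
        if not values:
            raise ValueError(f"EAS request is missing {name}")
        return values[0]

    # Normalise DOMAIN\user and user@domain forms to the bare account name.
    raw_user = required("User")
    user = raw_user.split("\\")[-1].split("@")[0].lower()
    return EasRequest(
        user=user,
        device_id=required("DeviceId"),
        device_type=required("DeviceType"),
        command=required("Cmd"),
        user_agent=headers.get("User-Agent", ""),
    )


def gateway_decision(req: EasRequest, inventory=MANAGED_DEVICES) -> tuple:
    """Admit the request only if the DeviceId is enrolled and bound to this user and type.

    The user binding stops a known DeviceId being replayed against another
    mailbox; the type check catches the same DeviceId presented from a
    different platform. Both go beyond the bare "is it managed" rule.
    """
    entry = inventory.get(req.device_id)
    if entry is None:
        return False, "device not enrolled in MDM"
    if entry["user"] != req.user:
        return False, "device enrolled to a different user"
    if entry["type"].lower() != req.device_type.lower():
        return False, "device type does not match enrolment"
    return True, "managed device"


# Constructed sample traffic: one managed device, one unknown device,
# and a managed DeviceId presented with a different user.
SAMPLE_REQUESTS = [
    ("POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=corp%5Cjsmith"
     "&DeviceId=ApplDN6GL12ABCDE&DeviceType=iPhone HTTP/1.1",
     {"User-Agent": "Apple-iPhone3C1/901.334"}),
    ("POST /Microsoft-Server-ActiveSync?Cmd=Ping&User=bob%40corp.example"
     "&DeviceId=androidc777000111&DeviceType=Android HTTP/1.1",
     {"User-Agent": "Android/4.0-EAS-1.3"}),
    ("POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=jsmith"
     "&DeviceId=androidc259148960&DeviceType=Android HTTP/1.1",
     {"User-Agent": "Android/4.0-EAS-1.3"}),
]


def run_samples(samples=SAMPLE_REQUESTS) -> list:
    """Return (device_id, allowed, reason) for each sample request."""
    results = []
    for line, headers in samples:
        req = parse_eas_request(line, headers)
        allowed, reason = gateway_decision(req)
        results.append((req.device_id, allowed, reason))
    return results


if __name__ == "__main__":
    for device_id, allowed, reason in run_samples():
        print(f"{device_id:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Two caveats a practitioner would add: newer EAS clients can send the query string base64-encoded rather than as plain name/value pairs, so a real gateway must decode that form before parsing; and this inventory gate sits in addition to, not instead of, the certificate or AD authentication the post describes, since a DeviceId is an identifier the client chooses, not a proof of identity.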
You should take a look at what BoxTone has to offer and see if it meets your requirements.
BoxTone can provide visibility into the wireless environment. It is one of their key differentiators vs. traditional MDM vendors. MDM vendors are focused on securing the devices and don't answer the fundamental problem: "Why did the device go down?" Is it the ActiveSync device, carrier, cloud or BB/Good NOC issue?