Full Course Clf100 r62 Solution Overview

Solution Overview

Here is a list of the lessons included in this Cloud Fundamentals R63 course:
- Solution Overview
- Industry Certifications

Business data is increasingly accessed on mobile devices and other endpoints that
are outside the corporate network. Security for this modern era is different from
traditional enterprise security and has a mobile focus.

To keep up with today's security needs, enterprises need to consider how best to
provision endpoints such as mobile phones and laptops, how to grant access based on
a full set of relevant signals rather than a user's credentials alone, how to protect
data at rest and in motion, and how to take action when enforcement is required.

A MOBILE-CENTRIC ZERO TRUST APPROACH
Where are you on your journey to zero trust?
- Enabling new types of devices and users? (MAM only, task workers, Mac OS)
- Adding cloud services?
- Want to enforce the broadest set of security policies?
- Protect data on the device from threats?

MobileIron's solution to this modern problem meets all four of these challenges.

For example, when it comes to provisioning, MobileIron's UEM platform creates a
secure workspace on any device with apps, configurations, and policies for the user
based on their role. This gives users easy and secure access to the resources they
need for productivity.

When it comes to the important task of granting access to data, MobileIron Access
incorporates the signals needed to decide whether access should be granted. It
verifies the user, the posture of the device, app authorization, network type, the
presence of threats, and a variety of other signals. This adaptive access control
check is the basis of the zero trust model: access is granted only when the
verification completes successfully.

Further, MobileIron combines capabilities of the UEM platform and MobileIron
Threat Defense to protect data. Together they protect data on the device and on the
network with state-of-the-art encryption and threat monitoring that detects device-,
network-, and app-level attacks.

Lastly, once you have visibility into the signals in your environment, it is
essential that you act on them. With MobileIron's UEM platform, MobileIron Access
and MobileIron Threat Defense you can monitor any change in those signals and
trigger adaptive policies to remediate threats, quarantine devices and maintain
compliance.

Solution Architecture

Next let’s take a look at the mobile-centric zero trust architecture for the hybrid
enterprise.

As an overview, the main components of MobileIron's layered security model
include:
- our unified endpoint management (UEM) system, for provisioning and managing
endpoints
- our in-line intelligent gateway, Sentry, for securing access to on-premises
resources
- MobileIron Access, for cloud security and passwordless access
- MobileIron Threat Defense (MTD), for threat detection and remediation
Together, these components help organizations realize the mobile-centric zero
trust framework.

Now let’s take a look at how these components flow within the architecture.

MobileIron security architecture for the mobile enterprise

MobileIron implements a layered security approach across the modern mobile-centric
platform. A layered security model uses multiple types of security measures, each
protecting against a different attack vector.

UEM is the foundation and enables the ability to secure, control and provide
policy enforcement for desktop computers, laptops, smartphones and tablets in a
connected, cohesive manner from a single console. With UEM, we provision a trusted
workspace to the endpoint. This workspace includes secure email, apps,
configurations, and connectivity like Wi-Fi and VPN, that your employees require to
be productive. We then separate personal from business data on employee devices
so that business data does not leak into personal apps and personal data is not
inadvertently accessed by IT.

Sentry encrypts data between the data center back end and the device and protects
the back end from threats. It provides identity and access services to on-premises
users, including single sign-on and seamless authentication.

Using MobileIron Access ensures secure, conditional access control for cloud
services such as Microsoft Office 365, Salesforce, G Suite, Box, and others. We
provide seamless authentication for the end user, with single sign-on and
passwordless authentication, which makes for a great user experience. We block
untrusted endpoints and apps from accessing cloud services so that your corporate
data is not compromised.

The last MobileIron component in this layered security model is MobileIron
Threat Defense. Once the back end is protected, you need to protect against
external threats on the device side. This is accomplished with MobileIron Threat
Defense. MTD protects company data by detecting and remediating known and
zero-day threats on the mobile device, whether the device is online or not.
Additionally, your users do not need to take any action when threats are
detected: remediation is automated and invisible to the user, so they can continue
being productive.

As a whole, these solutions create a modern layered security model for a
mobile-centric world.

Products

Next let’s get familiar with additional MobileIron products.

MobileIron Unified Endpoint Management

Policy configuration & enforcement | Application management & distribution | Access control | Threat detection

Beginning with our management console, MobileIron Unified Endpoint Management
(UEM) is the security foundation for modern work. UEM enables your employees to
enjoy seamless access to business apps and data through secure modern mobile
devices, desktops and cloud services, while still maintaining complete control over
their privacy.

For IT, the MobileIron UEM platform provides the fundamental visibility and IT
controls needed to secure, manage, and monitor any corporate or employee-owned
mobile device or desktop that accesses business-critical data. It allows organizations
to secure a vast range of employee devices used within the organization while
managing the entire lifecycle of the device, including:
- policy configuration and enforcement
- enterprise app distribution and management
- access control and multifactor authentication with MobileIron Access
- threat detection and remediation with MobileIron Threat Defense

MobileIron's UEM is a proven, secure, scalable, and enterprise-ready architecture
that puts the user experience first while also maintaining the highest quality security
standards.

Advanced security for the mobile enterprise

Zero sign-on | Multi-factor authentication | Secure your cloud

Next let’s discuss MobileIron Access.

Protecting your mobile and cloud resources from unauthorized or malicious access is
one of the biggest challenges organizations face today — and password-only security
is no longer up to the task. MobileIron Access introduces zero sign-on technology
that evaluates a comprehensive set of attributes before granting access to enterprise
resources, without ever requiring a password.

MobileIron Access can use your secure mobile device as your identity. With your
mobile device as your identity, accessing any business app, device, or resource
requires no more than a glance or the tap of your finger. By making mobile devices
your identity, we create a world free from the constant pains of password recovery
and the threat of data breaches due to easily compromised credentials. This is zero
sign-on!

MobileIron Authenticator is a straightforward multi-factor authentication app that
replaces cumbersome and expensive hard tokens with a secure mobile solution that's
easy to use and cost-efficient. This provides an adaptive security and conditional
access engine for any cloud service or in-house apps.

With regards to securing your cloud resources, MobileIron Access provides
standards-based security for the mobile-to-cloud world so that business information
is only available to verified users on authorized endpoints, apps, and cloud services.
Access helps you make smart access control decisions that go beyond a user's
identity and include validating the device, app, service, user location, and network
before granting access.

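The adaptive access decision described in the Solution Overview (verify the user, device posture, app authorization, network type and threat signals, then remediate or quarantine when those signals change) and restated in this section, as an added Python example. This is illustrative code written for this page, not MobileIron's implementation: the signal names, the per-service allowlist of apps, the trusted-network set, the enforcement actions and the ordering of checks are assumptions chosen to show the technique, and the sample requests are constructed.

```python
"""Zero trust access decision over endpoint, app, network and threat signals.

Added illustration for this course page; not MobileIron code. Every signal
name, allowlist entry and action below is an assumption made for the example.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"              # refuse this request; the device is otherwise untouched
    QUARANTINE = "quarantine"  # refuse and flag the device for remediation by UEM


@dataclass(frozen=True)
class AccessRequest:
    """Signals available when a managed app asks for a cloud service (assumed set)."""
    user: str
    mfa_passed: bool        # user verified with a second factor in this session
    device_managed: bool    # enrolled in UEM, so a trusted workspace exists
    device_compliant: bool  # passcode, encryption and OS-version policies met
    jailbroken: bool        # rooted or jailbroken, as reported by the client
    app_id: str             # bundle identifier of the requesting app
    network: str            # "corporate", "cellular" or "public_wifi"
    service: str            # cloud service being requested, e.g. "o365"
    threats: tuple = ()     # active detections reported by the threat client


# Assumed allowlist: which managed apps IT sanctioned for which service.
AUTHORIZED_APPS = {
    "o365": {"com.microsoft.outlook", "com.example.emailplus"},
    "salesforce": {"com.salesforce.chatter"},
}
TRUSTED_NETWORKS = {"corporate"}

# Assumed enforcement actions the UEM would push for each decision.
ENFORCEMENT = {
    Decision.ALLOW: ("issue_token",),
    Decision.DENY: ("log_denial", "notify_user"),
    Decision.QUARANTINE: ("block_cloud_access", "remove_enterprise_configs", "notify_user"),
}


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return the decision and the reasons behind it, most severe check first."""
    # 1. An unmanaged endpoint reports no posture at all, so nothing below can be
    #    trusted and there is nothing IT could remediate: plain denial.
    if not req.device_managed:
        return Decision.DENY, ["endpoint not enrolled in UEM"]

    # 2. A jailbroken OS or an active threat makes the device itself untrusted.
    #    Quarantine rather than deny so remediation is triggered, and record
    #    every finding for the audit trail.
    reasons = []
    if req.jailbroken:
        reasons.append("device is jailbroken")
    reasons.extend(f"active threat: {t}" for t in req.threats)
    if reasons:
        return Decision.QUARANTINE, reasons

    # 3. App authorization: only apps sanctioned for this service may reach it.
    if req.app_id not in AUTHORIZED_APPS.get(req.service, set()):
        return Decision.DENY, [f"app {req.app_id} not authorized for {req.service}"]

    # 4. Compliance drift (expired passcode, old OS) is fixable, so quarantine
    #    and let UEM push the corrective configuration.
    if not req.device_compliant:
        return Decision.QUARANTINE, ["device out of compliance"]

    # 5. User verification is conditional on the network: off the corporate
    #    network a second factor is required before access is granted.
    if req.network not in TRUSTED_NETWORKS and not req.mfa_passed:
        return Decision.DENY, [f"step-up MFA required on {req.network}"]

    return Decision.ALLOW, ["all signals satisfied"]


def enforce(req: AccessRequest) -> tuple[Decision, tuple]:
    """Decide and map the decision to the actions the UEM would carry out."""
    decision, _reasons = evaluate(req)
    return decision, ENFORCEMENT[decision]


def closed_loop(req: AccessRequest, new_threats: tuple) -> list[Decision]:
    """Re-evaluate as threat signals change: grant, detect, quarantine, clear."""
    history = [evaluate(req)[0]]
    history.append(evaluate(replace(req, threats=new_threats))[0])
    history.append(evaluate(replace(req, threats=()))[0])
    return history


if __name__ == "__main__":
    # Constructed sample: a managed, compliant device on public Wi-Fi with MFA done.
    baseline = AccessRequest(
        user="alice", mfa_passed=True, device_managed=True, device_compliant=True,
        jailbroken=False, app_id="com.microsoft.outlook", network="public_wifi",
        service="o365",
    )
    print(evaluate(baseline))
    print(enforce(replace(baseline, jailbroken=True)))
    print(closed_loop(baseline, ("malicious_app",)))
```

The order of the checks is the design point: conditions that can be remediated by the UEM (threats, compliance drift) produce a quarantine that triggers action on the device, while conditions that cannot (an unenrolled endpoint, an unsanctioned app) are simply denied. `closed_loop` shows the same request re-evaluated as a threat appears and then clears, which is the monitoring-and-remediation cycle the overview describes.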
Client: mobile threat detection and remediation on-device, one integrated client, advanced app analytics engine.
Server: UEM and MTD management console.

Now let’s cover MobileIron Threat Defense.

Securing business data in a perimeter-less, zero trust world requires more than
traditional firewall-based protection. Since every endpoint, app, network, and user is
potentially compromised, you have to continually verify the security and compliance
of everything that tries to access your enterprise resources. MobileIron Threat
Defense (MTD) supports mobile-centric zero trust security. It uses machine-learning
algorithms optimized to run continuously on the device and can detect threats even
when the device is offline.

MTD achieves 100% user adoption with one app, making it easy to deploy and
manage, because MTD is built into the MobileIron client. Users are not required to
take any action to activate MTD and they cannot remove it. This integrated client
supports local actions and notifications.

MTD has an advanced app analytics engine that gives you immediate and ongoing
visibility into malicious threats across all mobile devices, with detailed analyses of
risky apps. This analytics engine helps you identify privacy and security risks.

For the admin, MTD makes it easy to manage corporate and employee-owned
devices because MTD's cloud-based management console integrates with
MobileIron's unified endpoint management server.

In-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems

Security | Scalability | User Experience

Securing data in motion is essential. MobileIron Sentry is an in-line gateway that
manages, encrypts, and secures traffic between the mobile endpoint and back-end
enterprise systems. Data and traffic between the mobile device and corporate
resources can be configured to flow through Sentry, providing real-time secure
tunneling and access control. Sentry enforces the security policies set by IT, enabling
it to allow or deny access to corporate information and resources in real time.

Sentry Security:
Sentry prevents unauthorized interception and malicious manipulation of data
through its support for certificate-based authentication. Sentry can encrypt email
attachments to protect them from unauthorized apps or cloud services. Sentry
ensures the integrity of mobile app traffic by restricting access to the right corporate
destinations and applications.

Sentry Scalability:
Sentry can scale to meet the high-volume performance and redundancy requirements
of global organizations. Organizations can set up multiple Sentry gateways in a
cluster to accommodate standard and peak data volume scenarios.

Sentry User Experience:
Sentry supports certificate-based SSO authentication, which can eliminate the need
for users to enter their username and password when accessing email, intranet sites,
and corporate data behind the firewall. Sentry provides on-demand, app-specific
VPNs, greatly improving the user experience by eliminating the need to manually
enable device-wide VPNs.

End users want to be equipped with the apps they need and want to be able to get
work done wherever they are. Admins want to enable users to have what they need
to succeed. As a result, MobileIron has focused on enhancing the process involved
with configuring and deploying apps with the App Catalog.

MobileIron's App Catalog is a customizable enterprise app storefront. IT
administrators can directly publish private or in-house apps to their end users
without putting them in a commercial storefront like the App Store or Google Play
Store. This accelerates the app discovery process for the end user. From within
the App Catalog the administrator can also recommend external applications so that
the end user knows exactly which ones are supported by IT.

The MobileIron App Catalog can also be combined with the Apple Volume Purchase
Program to facilitate secure distribution of mobile apps on iOS devices. Further,
MobileIron can harness the capabilities found in iOS managed apps and Android
Enterprise. This allows easy configuration, within MobileIron's UEM platform, of
app-level settings and security policies for both of these advanced app security
functions. All of these choices help IT cultivate the right level of security for their
users and their organization.

Additionally, in the realm of app management, MobileIron's App Analytics is an
actionable dashboard that provides valuable insight into app deployments. It
improves visibility into both public and in-house app deployments, enables admins
to quickly identify app distribution issues, and lets them take the actions necessary
to ensure the best user experience.

When you need to secure enterprise data at rest, MobileIron's app containerization
technology is essential. MobileIron AppConnect containerizes apps to protect
app data at rest without touching personal data. Each app becomes a secure
container whose data is encrypted, protected from unauthorized access, and
removable. Each app container is also connected to other secure app containers
through MobileIron UEM, so policies such as app single sign-on can be easily shared
and updated across devices.

MobileIron offers two ways to secure your in-house app with AppConnect:
- You can include our SDK in your in-house app when you develop it.
- Or MobileIron can wrap your in-house app.

Both methods put a security ring around your application that allows the app to
be managed by MobileIron's UEM platform.

Now let's cover four UEM apps that keep the user productive and secure.

Email+ is a cross-platform, secure PIM application for iOS and Android. Security
controls include government-grade encryption, certificate-based authentication,
S/MIME, application-level encryption, and passcode enforcement.

Docs@Work allows users to access, create, edit, markup, and share content
securely from repositories such as SharePoint, Box, Google Drive, and more. This is
important so users can maximize productivity on the go.

Web@Work enables secure web browsing by protecting both data in motion and
data at rest on the endpoint. Custom bookmarks and secure tunneling ensure that
users have quick and safe access to business information. With Web@Work users
can access internal web resources quickly and easily.

Help@Work is an app that lets IT remotely view and control a user's screen, with
the user's permission, to help solve issues in an efficient manner.

These secure productivity apps keep the user productive without sacrificing security.

Per-app VPN capabilities: authorize select apps to seamlessly access resources behind the corporate firewall

Multi-OS app VPN | Seamless user experience | Support all apps | Securely use browsers | Split-tunnel capabilities | Secure, simple access

Maintaining user privacy is critical to the success of any mobile enterprise. User
privacy isn’t just limited to personal apps and content on the device; it extends to the
network as well. That means IT must be able to secure traffic from enterprise apps
without capturing personal traffic. Protecting employee privacy requires IT to move
beyond device-wide VPNs to more secure, intelligent, and granular app VPNs.

Tunnel allows organizations to authorize any business app, including in-house and
third-party apps, to access resources on the corporate intranet using a secure
network connection.
- Further, per-app VPNs can be established over any network, including public Wi-Fi
networks or cellular networks, to ensure business data is always secure.
- Tunnel also leverages MobileIron's closed-loop compliance engine to ensure that
jailbroken and otherwise non-compliant devices are not allowed to access
sensitive business data.
- Finally, Tunnel significantly improves the user experience by establishing on-demand
or always-on app VPN connections without requiring the user to take any additional
steps.

Secure the entire PC lifecycle: unifies mobile and desktop operations for Windows 10

MobileIron Bridge allows IT to simplify and modernize Windows operations on UEM
without giving up critical functionality.

IT can apply policies and scripts already in place without requiring a system image,
domain join, or multiple channels of communication to the device. Further,
MobileIron Bridge allows IT to deploy legacy apps and set granular policies on
Windows 10 PCs through MobileIron's UEM platform.

Extensibility

MobileIron’s UEM platform is enhanced by having integration points with a vibrant
ecosystem of partners. These integrations include both client and server side
integrations and encompass major functionality like network access control, identity
providers, VPNs, communication apps and a myriad of cloud services.

This concludes our overview of MobileIron’s solution.

Industry Certifications

In this lesson, we cover the certifications MobileIron has achieved in order to
provide the industry's leading Unified Endpoint Management products.

MobileIron products and services have been validated against the following set of
security standards and certifications. For certain certifications or qualifications,
MobileIron leverages independent third-party evaluators to ensure all security
requirements are met.

As part of our commitment to trust and security, MobileIron has successfully
completed a SOC 2 Type 2 assessment. As part of the SOC 2 assessment, the
operational and security processes of MobileIron Cloud were reviewed by an
independent certified public accounting firm.

The MobileIron Cloud platform received a FedRAMP Authority to Operate from the
United States Postal Service. A FedRAMP Agency Authority to Operate recognizes
that MobileIron Cloud has passed the federal risk management process that defines
standard security requirements for all cloud providers.

FIPS 140-2 is a National Institute of Standards and Technology standard for
cryptographic modules and their use. This standard is recognized by many
governments and public-sector organizations, including the US federal government.

MobileIron became the first company in the world to receive Common Criteria
certification against Version 2.0 of the Mobile Device Management Protection Profile
from the National Information Assurance Partnership. The National Information
Assurance Partnership is a United States government initiative, operated by the
National Security Agency, that oversees the national program to evaluate technology
products for conformance to Common Criteria.

The EU-US Privacy Framework was developed by the US Department of
Commerce and the European Commission to provide a legal transfer mechanism for
the transfer of personal data from the European Union to the United States. The
framework also provides EU citizens greater transparency with respect to the
personal data collected by US organizations as well as an enhanced mechanism for
resolving privacy disputes.

The MobileIron Core platform has received Security Technical Implementation
Guide approval from the Defense Information Systems Agency. This approval allows
U.S. Department of Defense agencies to deploy MobileIron on both Android and iOS
devices within certain Department of Defense networks.

CSA STAR is the industry's most powerful program for security assurance in the
cloud. STAR encompasses key principles of transparency, rigorous auditing, and
harmonization of standards. STAR certification provides multiple benefits, including
indications of best practices and validation of the security posture of cloud offerings.

The National Security Agency's Commercial Solutions for Classified Program has
been established to enable commercial products to be used in layered solutions
protecting classified National Security Systems data. This provides the ability to
securely communicate based on commercial standards in a solution that can be
fielded in months, not years.

As you can see, MobileIron's security certifications are extensive, all with the goal of
building a secure UEM offering.