Peer to Peer Magazine

June 2012

The quarterly publication of the International Legal Technology Association

Issue link: http://read.uberflip.com/i/67910

Case Studies

Mixed Device Mania

by Aaron Peterson of Loeb & Loeb LLP

I have to admit, I've never carried a BlackBerry. While most people at the firm had one, I always had to have something "different." My gumption to go against the grain started with Good, Treo, Windows Mobile and Symbian, and I was one of the first in my firm to have the iPhone when it was released. Although having the latest and greatest devices was fun, the ability to utilize my firm's email application was obviously critical. I was fortunate enough to be in IT with the motivation (and permission) to set up a proof of concept for ActiveSync. It's been quite an adventure since then.

No Substitute for Enterprise Server

In our environment, ActiveSync only enabled email connectivity and some basic security enforcement tools and policies. We couldn't "manage" mobile devices with the level of security and granularity we had with RIM's BlackBerry Enterprise Server. With the onslaught of users switching to iPhones and iPads, we knew current provisioning processes were unsustainable. Fortunately, Apple and about a dozen other mobile device management (MDM) vendors were anticipating the iOS enterprise tidal wave.

Implementing MDM

While we looked at several MDM systems on the market, we eventually decided on MobileIron, primarily due to its maturity, support and ability to run as a VM appliance within our DMZ. We found that most MDM systems have feature parity when it comes to iOS security/policies due to the controls and restrictions Apple defines and imposes on its platform and developers.

Setting up the MDM was no small task, and while vendors and Apple have made it much easier, there are still a few hoops to jump through. Once we chose our MDM platform, the next requirement was registering with Apple's Developer Enterprise Program to obtain our unique MDM certificate. This allows Apple to trust our MDM system (i.e., some control verifications are still done through Apple headquarters).
Once the MobileIron client was installed and we had the devices registered, we ventured to make them useful.

• Exchange Email: In our case, the MobileIron MDM works as a complement to their Sentry product, which is essentially an ActiveSync security proxy, allowing us to further lock down, manage and secure the ActiveSync public interface. Once in place, pushing down Exchange email profiles was a breeze.

• Wi-Fi: We then set up Wi-Fi SSIDs for our Wi-Fi-enabled mobile devices in each office. This allowed each device within range to seamlessly connect and authenticate to our Wi-Fi infrastructure.

• VPN: We currently use Juniper SSL gateways to allow VPN connectivity to iOS devices. The VPN connection is made "on-demand" from the iOS device based on domain-matching rules and certificate-based authentication. This allows iOS apps to seamlessly and transparently connect to internal resources, such as SharePoint and Citrix/VDI, from anywhere. To avoid having users continually prompted for authentication, both our VPN and Wi-Fi policies leverage client certificate-based authentication using Simple Certificate Enrollment Protocol (SCEP) to generate unique certificates for each device. Our initial adventures in configuring our internal Certificate Authority and Microsoft IAS proved fruitless due to limitations in IAS/2003 at the time. We were, however, able to configure and trust the CA and SCEP server built into the MobileIron MDM.

• Citrix/Desktops: Our VDI environment is based on XenDesktop 5.5, where we present full-production Windows 7 desktops. This allows our users to have full desktop functionality from their iPads, should they choose to do so.
