From Blackberry to BYOD - citrix.com

From BlackBerry to BYOD White Paper

citrix.com

From BlackBerry to BYOD

Learn how Citrix XenMobile can empower your organization to move from traditional corporate-issued BlackBerry devices to any user-owned mobile device without sacrificing security and control.

There was a time when enterprise mobile computing meant IT-issued laptops for creating content and BlackBerry devices for sending and receiving email. Thanks to the popularity of Apple iOS and Google Android platforms, the consumerization of IT and enterprise bring-your-own-device (BYOD) programs, the entire mobility landscape has shifted. Today’s mobile workers are more likely to be using the same iPad, iPhone and Android-based devices at work that they use at home. IT departments have tried to accommodate these users to reap the proven productivity, job satisfaction and customer service benefits of BYOD.

How do organizations shift from a BlackBerry-for-all approach to true mobile device diversity while maintaining the control, management, security and compliance they were used to before BYOD? What can they use to provide secure connectivity to enterprise networks, email, contacts, calendars and applications? What is the best way to protect proprietary information on the device and the enterprise network from hackers and mobile, web and personal application-based malware? Finally, how can mobile device users be prevented from sending sensitive information in a personal email or posting it to a social network site?

The good news is that there are mobile device management (MDM) tools and other solutions available for just these purposes. BlackBerry Limited (formerly Research in Motion) recently introduced a solution for managing and securing iOS and Android devices in addition to its BlackBerry devices. However, only Citrix provides a comprehensive enterprise mobility management (EMM) solution that offers mobile iOS and Android device users secure access to Windows applications and online file sharing, in addition to providing IT with robust mobile device management and mobile application management (MAM).

BlackBerry vs. Android and iOS

In evaluating the challenges of migrating from BlackBerry to iOS and Android devices, it’s important to understand the management and security options offered by each mobile device platform. BlackBerry has always been enterprise focused and, unlike iOS and Android, always packaged with its own enterprise mobility platform, the BlackBerry Enterprise Server (BES).

Both Android and iOS started as consumer-focused mobile platforms, but over the past few years Google and Apple have increased their built-in management and security features and made them available to third-party enterprise mobility management solutions for centralized management from a single console.

Data protection on the device

With mobile users connecting to the enterprise network for email and enterprise applications, taking and sharing enterprise files and data on the road and mixing personal and enterprise applications and data on the same device, enterprise mobile data protection has become vitally important.

BlackBerry has always been the gold standard for enterprise security and data protection, and remains one of the only platforms with Federal Information Processing Standard (FIPS) 140-2 certification, which means it’s approved for government use. However, while BlackBerry security and management were once head and shoulders above those of the competition, this is no longer the case. Android and iOS security and management features have been upgraded over the years to the point where they are usually acceptable for all but the most security-conscious enterprise environments.

BlackBerry protects content stored on the device with FIPS 140-2 certified device data encryption using the highly secure AES 256 standard, allowing enterprises to encrypt all data on the device if necessary. BES 10, the current version, also offers a feature called BlackBerry Balance, which allows the device to isolate personal and work applications, files and network connections from each other, helping to prevent the spread of personal malware and leakage of sensitive information. The workspace is always encrypted and the personal space can be encrypted as well.

With BlackBerry Balance, any data sent to the BlackBerry workspace is inaccessible to personal applications. Users cannot cut and paste work information into personal applications or email messages. Highly granular policies for further data loss protection can be set up as well, either alerting users when they are about to send confidential enterprise information to personal contacts or social media or preventing them outright from doing so.

In the event the BlackBerry device is stolen or an employee leaves the organization, IT can wipe all information and applications from the device remotely, or just wipe work-related information to prevent sensitive information from getting into the wrong hands.

Apple has been adding similar enterprise security features with every iOS upgrade. The most recent version, iOS 7, uses AES 256 device encryption for all data and applications by default. It also includes a new feature called Managed Open In that allows IT to define managed apps and unmanaged apps and create a containerized work space that restricts managed apps from sending data to unmanaged apps and vice versa. However, IT cannot restrict interactions among managed apps.

iOS 7 native applications, including its email client, are not tagged as managed apps, so enterprises can prevent users from sending data from managed applications through email. Another feature, Managed Accounts, lets IT configure a Microsoft Exchange account so that files can be opened only in designated managed applications. If a managed application supports sharing in social media, such sharing cannot be restricted, however.

If an iPhone is lost or stolen, the iOS Find My iPhone capability allows users to locate the device with GPS and/or wipe it and display a message. The same capability can be managed centrally through iOS 7 MDM interfaces. However, selective wipe is not a native feature of the iOS platform itself.

Since Android is open source and has so many versions and devices, it’s difficult to spell out its security features as easily as with iOS 7 or BlackBerry. The current default device encryption is 128-bit AES, vs. 256-bit for the other two platforms. Available third-party applications can separate work and personal applications and data much the way iOS and BlackBerry can, and MDM agents can be harnessed by IT for full or selective remote wipe. A number of Android platforms, such as Samsung SAFE and Knox for the popular Galaxy devices, add a host of powerful security and management features, including AES 256-bit encryption. The Knox platform is one of the few, aside from BlackBerry, that boasts FIPS 140-2 certification.

Data protection over the wire

As with its device encryption, the BlackBerry platform protects enterprise data sent over the airwaves with AES 256 encryption. The BlackBerry platform is also famous for its network operations center (NOC) architecture, which adds a layer of security that tunnels email to the NOC and then to the BES server using encryption and compression. BES servers only accept email from the NOC, so it’s not necessary for enterprises to open ports for inbound Internet communication. This architecture is inherently more secure than those of other platforms.

However, some customers may be concerned about possible NOC outages and some critics argue that the NOC architecture is not necessary now that wireless IP connections are so much faster and more reliable than they once were.

With iOS 7, Apple has introduced per-app VPNs that allow IT to assign VPNs to individual applications, rather than across the system, so the enterprise is not exposed to all the applications and personal data on the device every time it connects.

Android has built-in support for PPTP and L2TP VPNs and the option to enable always-on VPN mode. Several third-party platforms, such as Samsung Knox, can achieve FIPS 140-2 certified 256-bit AES encryption over wireless connections. Per-app VPN is not available natively in Android yet.

Protecting applications

Aside from the aforementioned workspace, BES 10 offers a built-in enterprise app store, BlackBerry World for Work, which can be used by IT to push and install mandatory enterprise applications remotely and list recommended and approved apps for download as well. BES also provides the ability to set policies for whitelisting mobile applications.

The iOS Developer Enterprise program enables companies to publish enterprise app stores of approved applications for internal use. Enterprises can also control which applications become managed apps with the containerization features outlined earlier.

Android includes none of these features natively but provides APIs for integrating with MDM and EMM solutions offering equivalent features, depending on the device. For example, Samsung SAFE offers multiple MDM features for its Android Galaxy line, including application whitelisting and blacklisting, which are available to enterprise MDM applications via APIs.

The BlackBerry email client application is famous for its tight security, encrypting email at rest and over the wireless connection and securing it via the BlackBerry NOC architecture. Both Android and iOS provide native and third-party email clients that use Exchange ActiveSync for accessing enterprise email, calendars and contacts. Android email is not always encrypted at rest but can be protected by using platforms such as SAFE or a secure third-party email client such as Citrix WorxMail, and can be encrypted over the wireless connection using a VPN. iOS 7 encrypts email natively and can encrypt it over the wire via a per-app VPN.

Browser-based Outlook Web Access (OWA) is another email option that accesses Exchange services via mobile device web browsers. Microsoft offers a native OWA client app for Apple iOS that takes greater advantage of iPhone and iPad hardware features than using OWA in a browser. Sandboxing can be implemented via the iOS 7 Managed Open In feature and via third-party applications on Android-based devices.

MDM, EMM and virtualization alternatives

While the native features of iOS and Android have improved greatly, the management and deployment package offered by BlackBerry Limited makes its devices more enterprise friendly compared to devices running the other platforms, which have no such packages. However, enterprises looking to migrate to iOS and/or Android can achieve comparable management capabilities using a third-party EMM platform such as Citrix XenMobile. Instead of wrestling independently with each mobile platform and its particular features, enterprises can apply a common management infrastructure and set of policies across all three. EMM solutions also provide automated device management features that allow users to self-enroll their devices and enable IT teams to track, provision and support the devices throughout their lifecycle.

With BES 10, BlackBerry is a relative newcomer to the universal EMM marketplace. It provides a number of management features to support iOS and Android devices in addition to BlackBerry 10 devices. BlackBerry Fusion, a previous product, included some of these features.

However, BES 10 will not work with previous BlackBerry device versions, which means enterprises deploying them will need to run two different versions of BES. Nor does BlackBerry Limited make management APIs available to third-party EMM platforms, so these solutions can only provide basic device management for BlackBerry devices, not the centralized mobile application management and other features they provide for other device platforms.

BES 10 offers a number of powerful management features for iOS and Android, including centralized device provisioning, monitoring and management across the lifecycle. It also offers a host of policies that can be configured for Android and iOS devices centrally. Perhaps the most significant feature of BES 10, however, is the new Secure Workspace, an application wrapping, containerization and connectivity function similar to BlackBerry Balance, which separates work and personal domains, applications and data. It also provides enterprise-level iOS and Android applications for access to enterprise email, calendars, and contacts; a secure Work Browser; and Documents to Go for secure viewing of email attachments. All data in the Secure Workspace, both at rest and in transit, is protected with AES 256 encryption, and data in transit moves through the same NOC as BlackBerry data.

Users can self-enroll devices after IT configures appropriate policies, and IT can push out mandatory applications and updates and wipe work applications and data remotely from Android and iOS devices in the event they are lost or stolen.

BES 10 has many attractive capabilities for BYOD organizations, but companies making the transition should also consider EMM alternatives that have additional features to address more use cases.

The Citrix solution

Enterprises seeking a comprehensive, seasoned MDM and EMM platform, together with mobile access to Windows applications and a virtualization option, should take a close look at XenMobile. Citrix offers a raft of powerful features, such as secure mobile access to Windows applications, online secure file sharing and per-app VPNs, which BES 10 does not provide.

XenMobile MDM Edition is a comprehensive MDM platform that discovers and manages all mobile devices on the network, including iOS, Android and BlackBerry devices. Administrators can configure its mobile management servers via a web-based administrative console and import user group accounts from Microsoft Active Directory. Once policies are configured, mobile staff can self-enroll devices, which are then configured automatically with granular IT policies and designated applications. XenMobile MDM Edition also offers an enterprise app store that provides access to additional suggested and approved applications. In contrast to most competing MDM solutions, including BES 10, the app store serves as a central point of access to approved SaaS and Windows applications as well.

The Citrix solution is one of the few that lets iOS and Android devices access enterprise Windows applications virtually using the market-leading Citrix XenApp and Citrix XenDesktop software. XenApp and XenDesktop provide unmatched performance over wireless networks, even over low-bandwidth or inconsistent connections. There’s even the option of offline access to Windows applications via a secure, encrypted virtual machine on the device subject to powerful policy enforcement.

Also, XenApp and XenDesktop are excellent solutions for the most security-conscious organizations looking to provide access without storing anything at all on the mobile device. Citrix Receiver provides tools to create a more mobile-friendly Windows experience adjusted for tablet and smartphone displays, with features such as touch, pinch and zoom. For organizations that don’t want to spend a lot of resources porting or rewriting Windows applications to each device platform, Citrix provides a powerful, cost-effective alternative not offered in the BlackBerry ecosystem.

With XenMobile MDM, IT can configure devices with role-based authentication and access and implement policies that prevent enterprise mobile applications from sharing sensitive data or interacting with personal applications on the device. Citrix ShareFile is a powerful alternative to consumer file-sharing services such as Dropbox. ShareFile encrypts all data and retains it within the enterprise, subject to stringent IT policies. It adds to the advantages of XenMobile over BlackBerry BES 10.

The XenMobile Worx environment provides Android and iOS devices with secure mobile applications for email, calendars and web browsing, protecting the enterprise from the hazards of native and third-party clients. The user experience is very similar to that of native clients and browsers. However, the WorxWeb mobile browser opens all links, including enterprise web and third-party SaaS applications, in a secure, sandboxed environment that protects the organization from hackers and malware.

The sandboxed WorxMail mobile client provides a rich user experience with extensive enterprise visibility and policy enforcement, and its email and contacts are inaccessible to personal applications. Both email and attachments can be encrypted and IT can enforce policies to prevent attachments from being opened, edited or saved in unapproved applications. Email users can also be prevented from forwarding sensitive information or cutting and pasting confidential company information into other documents. IT can enforce secure remote email connectivity via a micro VPN and can disallow attachments in outgoing emails, forcing users to provide ShareFile links for downloading instead.

In addition to Worx email and browsing applications, Citrix provides an SDK that IT can use to add mobile policy enforcement to enterprise and third-party line-of-business applications with as little as one line of code. The Worx App Gallery is an online marketplace of hundreds of third-party Worx-enabled mobile applications providing scores of useful mobile functions. Both the Worx environment and per-app VPNs, as well as support for Samsung SAFE and Knox, are attractive advantages of Citrix XenMobile compared to BlackBerry BES 10.

If a mobile device is lost or stolen, XenMobile MDM allows IT to remotely lock the device and/or wipe sensitive applications and data.

Finally, Citrix NetScaler, an application delivery appliance, gives mobile users secure, remote access to corporate web-based and virtual applications using highly granular, IT-configured access control. In addition to robust authentication and an application-level firewall, NetScaler acts as an application load balancer to provide reliable, high performance for enterprise and web applications during peak use periods. All web application components, including OWA, are deployed behind the enterprise firewall, rather than in the less-secure DMZ. Only Citrix provides an application delivery appliance as part of its EMM offering.

About Citrix

Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, easily and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.

Copyright © 2013 Citrix Systems, Inc. All rights reserved. Citrix, XenMobile, XenApp, XenDesktop, NetScaler, Citrix Receiver, ShareFile, Worx, WorxMail and WorxWeb are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.

Corporate Headquarters: Fort Lauderdale, FL, USA

Silicon Valley Headquarters: Santa Clara, CA, USA

EMEA Headquarters: Schaffhausen, Switzerland

India Development Center: Bangalore, India

Online Division Headquarters: Santa Barbara, CA, USA

Pacific Headquarters: Hong Kong, China

Latin America Headquarters: Coral Gables, FL, USA

UK Development Center: Chalfont, United Kingdom

Conclusion

Organizations looking to migrate from a BlackBerry to a BYOD environment have more options than ever before. Both Apple and Android now provide a host of enterprise-friendly management and security features, and several third-party EMM platforms offer consistent, automated, centralized management of these devices. The Citrix XenMobile platform provides the most seasoned, comprehensive EMM solutions for making migration to BYOD speedy and successful.