11

Darryl MilesClient Technical Professional

@vtdarryl

Overview of IBM Endpoint ManagerWebinars – July to October 2013

22

Presentation Overview

• Overview of IBM Endpoint Manager

– Patch Management

– Software Usage Analysis

– Mobile Device Management

• IBM’s Internal Experience deploying IEM

• Case Studies

• Summary

3

Today’s leading organizations are dealing with powerful new technology forces

BYOD:BYOD users expected to double by 2014 to 350 million

Security:

13 billion security events monitored per day

13 billion

Data:

1.2 trillion gigabytes in the digital universe.

1.2 zettabytes

Mobility:

Nearly ½ of devices accessing applications will be mobile

1/2

350 million

4

IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent

Endpoints

• Common management agent

• Unified management console

• Common infrastructure

• Single server

IBM Endpoint Manager

Patch Management

Lifecycle Management

Software Use Analysis

Power Management

Mobile Devices

Security and Compliance

Core Protection

Desktop / laptop / server endpoint Mobile Purpose specific

Systems Management Security Management

Server Automation

5

Desktop / laptop / server endpoint Mobile Purpose specific

IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent

Endpoints

• Common management agent

• Unified management console

• Common infrastructure

• Single server

IBM Endpoint Manager

Patch Management

Lifecycle Management

Software Use Analysis

Power Management

Mobile Devices

Security and Compliance

Core Protection

Systems Management Security Management

Server Automation

Why IBM Endpoint Manager ?

Concord Hospital achieves 98% first-pass success in hours on their Microsoft

and 3rd party patches

Stena Lines achieved a 12:1 labor savings ratio by reducing administrative

overhead time for patch processes

Hutchinson Builders can now easily track the software installed and running

computers across the company’s 16 offices and up to 160 construction sites

Bendigo Bank expects to save $175,000 off its power bill within 12 months and avoid 2190 tonnes

of carbon emissions

IBM has deployed Endpoint Manager to over 700,000 endpoints on three servers. Expects to

save over $10M in Year 1

Over 13,000 mobile devices enrolled in 72 hours!

6

Single Server & Console• Highly secure, highly scalable• Aggregates data, analyzes & reports• Pushes out pre-defined/custom policies

Cloud-based Content Delivery• Highly extensible• Automatic, on-demand

functionality

Single Intelligent Agent• Performs multiple functions• Continuous self-assessment & policy

enforcement• Minimal system impact (< 2% CPU)

Lightweight, Robust Infrastructure• Use existing systems as Relays• Built-in redundancy • Support/secure roaming endpoints

How it Works

7

Patch Management

• IBM Cloud content delivery service (operating systems and 3rd party applications)

• Patch capabilities for multiple platforms: Windows, Mac OS X, Linux and UNIX

• Intelligent agent

• Reduction in patch and update times from weeks and days to hours and minutes

• Increase first-pass success rates from 60-75% to 95-99+%

• Real-time reporting• Automated self-assessment, no

centralised or remote scanning required

Benefits:Services:

"We compressed our patch process from 6 weeks to 4 hours" "We consolidated eight tools/infrastructures to one" "We reduced our endpoint support issues by 78%" "We freed up tens of admins to work on higher value projects"

8

Overview of Patch Management

Patch Management Video (6:33) Local Video File (6:33)

Start with the Patch Management domain

The patches dashboard provides a real-time view on Windows patches

requirement across your environment

See any New Content here

Application vendor patches

• Adobe Acrobat• Adobe Reader• Apple iTunes• Apple QuickTime• Adobe Flash Player• Adobe Shockwave Player• Mozilla Firefox• RealPlayer• Skype• Oracle Java Runtime Environment• WinAmp• WinZip

…and operating system patches

9

Patch Management for Windows now supports non-security updates, specifically critical updates and service packs for

the Microsoft Windows product family

10

• For Windows Servers and PCs• Unix/Linux Servers• Software Asset Discovery• Software Use Metering• Software Use Reporting

• Near real time software inventory• Near real time software usage

reporting• Search, browse, and edit the

Endpoint Manager software identification catalogue, which contains over 105,000 signatures out of the box

• Periodic catalogue updates are released regularly

• Easily customize the software identification catalogue to include tracking of home-grown and proprietary applications

Benefits:Services:

Software Usage Analysis

Software publishers

5000+

Application signatures out of the box

105,000+

1111

Software Usage Analysis (13:58) Local Video File (13:58)

Software Usage Analysis

12

• Providing enterprise-wide visibility (eg. device details, apps installed, device location)

• Ensuring data security and compliance

• Device configuration• Support devices on the

Apple iOS, Google Android, Microsoft Windows Phone, Blackberry, Nokia Symbian

• Address business and technology issues of security, complexity and bring your own device (BYOD) in mobile environments

• Manage enterprise and personal data separately with capabilities such as selective wipe

• Leverage a single infrastructure to manage all enterprise devices—smartphones, tablets, desktops, laptops and servers

Benefits:Services:

Apple iOSGoogle Android

“IBM's MDM capability is very complementary to that of PCs, and it is one of the few vendors in this Magic Quadrant that can support PCs and mobile devices” Gartner, MQ for Mobile Device Management Software, 2012

Mobile Device Management

Windows PhoneBlackberry

Nokia Symbian Windows Mobile

13

Security & Management Challenges Potential unauthorized

access (lost, stolen) Disabled encryption Insecure devices

connecting to network Corporate data leakage

13

• Mail / Calendar / Contacts• Access (VPN / WiFi)• Apps (app store)• Enterprise Apps

iCloud

iCloud Sync

iTunes Sync

Encryption not enforced

End User

VPN / WiFi Corporate Network Access

Managing Mobile Devices – The Problem

14

iCloud

iCloud Sync

iTunes Sync

End User

VPN / WiFi Corporate Network Access

• Personal Mail / Calendar• Personal Apps

Corporate Profile• Enterprise Mail / Calendar• Enterprise Access (VPN/WiFi)• Enterprise Apps (App store or

Custom)

Secured by BigFix policy

Encryption Enabled

Endpoint Manager for Mobile Devices Enable password policies Enable device encryption Force encrypted backup Disable iCloud sync Access to corporate email,

apps, VPN, WiFi contingent on policy compliance!

Selectively wipe corporate data if employee leaves company

Fully wipe if lost or stolen

Managing Mobile Devices – The Solution

15

What’s New in Endpoint Manager for Mobile Devices

Integration with Enterproid’s Divide container technologies for iOS and Android

Web-based administration console for performing basic device management tasks with role-based access control

Integration with BlackBerry Enterprise Server for integrated support of BlackBerry v4 – v7 devices

Enhanced security with support for FIPS 140-2 encryption and bi-directional encryption of communications with Android agent

Additional Samsung SAFE APIs for expanded management and security of SAFE devices

SmartCloud Notes & Notes Traveler 9.0 support, including cloud and high-availability versions

IBM Endpoint Manager’s cloud-based content delivery system enables customers to benefit from frequent feature enhancements without the difficulty of performing upgrades

16

Implement BYOD With Confidence

• App container. Deploy, manage, configure, and remove Enterproid Divide containers to separate personal and work environments on iOS and Android devices

• PIM container. Separate personal and corporate email and prevent sensitive data from being copied into other apps with NitroDesk TouchDown integration

• Dual-persona OS. Manage BlackBerry 10 devices, which provide a native user experience to personal and work personas

• Extend BYOD to laptops. IBM Endpoint Manager’s unified device management approach brings together containers, smartphones, tablets, laptops, desktops, and servers under one infrastructure

How do I deal with the business mandate that employees be allowed to "Bring Your Own Device"?

Manage and secure only the apps and data inside the enterprise container, leaving users free to control the personal side of their device with

Enterproid Divide.

17

Secure Sensitive Data, Regardless of the Device

• Unified compliance reporting across all devices, including CIS Benchmarks

• Configure security settings such as password policy, encryption, WiFi, iCloud sync

• Full wipe, remote lock, map device location, and clear passcode options if device is lost or stolen

• Blacklist apps and automate alerts, policy response

• Detect jailbroken / rooted devices to notify users, disable access

• Integrate with mobile VPN and access management tools to ensure only compliant devices are authorized

How do I ensure the security of mobile devices as they access more and more sensitive systems?

Multiple user communication and alert methods, including Google Cloud Messaging (GCM),

enables users to be part of the security solution.

18

Minimize Administration Costs

• Multiple authenticated device enrollment options, including LDAP/AD integration

• Employee self-service portal to enable employees to protect personal and enterprise data

• Enterprise app store directs employees to approved apps, includes support for Apple’s Volume Purchase Program (Apple VPP)

• Integration with IBM Worklight for 1-click transfer of internally-developed mobile apps from dev to production

• A ‘single device view’ enables IT personnel to easily view device details and take required action

How do I cost-effectively manage the sheer volume of these tiny devices with average replacement rates of 12-18 months?

A flexible enrollment process enables organizations to include a EULA and to collect critical device and

employee data via customizable questions

19

Apple iOSGoogle Android

IEM approach for Mobile Device Management

Nokia Symbian Windows Phone

BlackberryNokia Symbian

Windows Mobile

• Advanced management on iOS through Apple’s MDM APIs

• Agent based management / server communication• iOS• Android• Windows Phone

• Email-based management through Exchange (ActiveSync) and Lotus Traveler (IBMSync)

• iOS• Android• Windows Phone• Windows Mobile• Symbian

• Symbian• BlackBerry OS 10• BlackBerry Playbook

20

MDM Functionality Overview

Category

Platform Support

Management Actions

Application Management

Policy and Security Management

Location Services

Enterprise Access Management

Endpoint Manager Capabilities

Selective/full wipe, deny email access, remote lock, user notification, clear passcode

Application inventory, enterprise app store, iOS WebClips, whitelisting/blacklisting

Configuration of Email, VPN, Wi-Fi, Authenticated Enrollment, Self Service Portal

Track devices and locate on map

Expense Management Enable/disable voice and data roaming

Cloud Email Device Management Office 365 support

Apple iOS, Google Android, Windows Phone, Blackberry, Symbian, Windows Mobile

Password policies, Samsung SAFE, device encryption, jailbreak/root detection

Containerisation Nitrodesk Touchdown (Android), Enterproid Divide, Red Bend

21

Fast and cost-effective development, integration and management of rich, cross-platform mobile applications

Client Challenge

Key Capabilities

Using standards-based technologies and tools and delivering an enterprise-grade services layer that meets the needs of mobile employees and customers

Mobile optimised middleware

• Open approach to 3rd-party integration

• Mix native and HTML

• Strong authentication framework

• Encrypted offline availability

• Enterprise back-end connectivity

• Unified push notifications

• Data collection for analytics

• Direct updates and remote disablement

• Packaged runtime skins

Delivering for multiple mobile platformsIBM Worklight

Encrypted cache on-device

• A mechanism for storing sensitive data on the client side

• Encrypted - like a security deposit box

22

Publish applications to your mobile devices directly from Worklight

Endpoint Manager customers can directly import and distribute Worklight-built apps via Enterprise App Store, thereby improving workflow between Development and Operations

Distribute App to Employees

Import into Endpoint Manager App Store

2

3

Build app in Worklight 1

23

An Evaluators Guide is available for MDM

24

IBM’s experience using IBM Endpoint Manager

Before After

Patch availability typically 3-14+ days Patch availability within 24 hours

92% compliance within 5 days (ACPM only) 98% within 48 hours

EZUpdate sometimes misses application of patches on required machines

Detected about 35% of participants missing at least one previous patch

Compliance model, completely reliant on user

90% of Windows requirements can be automatically remediated

Exceptions at machine level Exceptions at setting level

IBM gained real-time visibility into endpoints, and automatically remediates issues across over 500,000 endpoints and supports multiple policies based on employee role and data access

Reference - http://ibm.co/Ikm5xR

25

Summary

• IBM Endpoint Manager enables unified management of all enterprise devices – desktops, laptops, servers, smartphones, and tablets

• Real-time/proactive endpoint management: Patch management, anti-virus/malware, power management and device location information

• Continuous compliance reduces costs and risk• Power management • Management of assets

26

ibm.com

Contacts:TEM@dk.ibm.com or @vtdarryl