An exciting new role at VMware

It’s been a privilege to work with wonderful people and the various organisations of IBM.

Initially I worked for many years in IBM Services (ITS projects team on VMware, Microsoft and Citrix solutions), then Systems (Systems Management) and more recently in Security Software.

My last six years working in IBM Security allowed me to work with a number of amazing people from around the world.  I enjoyed working with customers of all sizes, carriers and partners on endpoint management, including sharing my knowledge on this blog about IBM’s endpoint solutions.

It’s with great excitement (and indeed a touch of sadness) that I’m leaving IBM and starting a new role at VMware as a Strategic Solution Engineer in the A/NZ End User Computing team.

I have been following VMware’s Workspace One solution these past few years.  The more I delved into its capabilities, the more I was impressed with VMware’s Workspace One vision, strong unified endpoint management capability and extensive 3rd party integration.



VMware has a large community of passionate specialists and a partner community.  I look forward to sharing my experiences and the new things I learn about Workspace One (powered by Airwatch and Horizon).

As always, you can contact me via my blog via the “About” page.


How to better manage mobile (iOS and Android), Windows and macOS updates with MaaS360

I wrote this article when I worked at IBM.  I’m now working at VMware supporting partners and clients with Workspace One.  See here for further details. 


MaaS360 is well regarded for providing support for a broad range of mobile, PC and Mac operating systems.  MaaS360 currently supports iOS, Android (including ruggedized devices), Windows (from XP to Windows 10) and macOS.

Keeping these devices secure with the latest features and security patches (if applicable for the operating system) can be simplified using MaaS360 Unified Endpoint Management.

Mobile operating systems have different approaches to providing updates.  Applying patches for Windows operating systems is particularly important from a security perspective.

As outlined in the IBM article Six Major Data Breach Trends From 2017, “while advanced zero-day attacks can be a formidable threat, they are more often the stuff of fear and legend. In fact, according to the IBM X-Force vulnerability database, less than 1 percent of vulnerabilities in 2016 were considered zero-day vulnerabilities — that is, flaws exploited in the wild for which patches do not exist. Failure to patch existing critical vulnerabilities is most often the cause of havoc on a global scale, particularly when there is a huge number of vulnerable endpoints.”

The following article details how MaaS360 not only provides the visibility organizations require across their cross-platform operating systems, but also provides a range of technologies to easily update operating systems and 3rd party applications.

Operating System Inventory

The MaaS360 portal allows administrators to easily see the operating system versions in use across all operating systems as shown below.

Hardware Inventory - OS

MaaS360 includes a readiness report for Windows 10, to allow an organisation to determine if their PC fleet has the hardware resources to support this operating system based on free space, memory and processor speed.

Windows 10 Readiness

Compliance Rules

MaaS360 includes a range of automated compliance rules including minimum and maximum operating system versions.  A minimum version can be specified as shown below.

Compliance - OS Version


If the operating system version isn’t updated to the minimum, a range of compliance rules can be enabled.

Compliance - Enforcement

MaaS360 Advisor

Made possible by the MaaS360 integration with Watson, MaaS360 Advisor delivers opportunities, risks and general information.  Advisor sources insights from structured data, such as cloud-sourced content from MaaS360 customer environments, and unstructured data, such as information from the X-Force Exchange, giving administrators ample, relevant context to make their most important decisions.  This capability as shown below can highlight particular operating system issues which should be given higher priority.

Watson Advisor

Manage iOS Updates

Apple iOS is renowned for the speed and user experience of its operating system updates.  According to Apteligent, iOS 11 is now deployed on over 81% of all devices (as of March 2018).

iOS provides alerts for new updates and allows a convenient scheduled option, to allow updates to occur overnight if the device is plugged into power.

If the iOS devices are supervised, MaaS360 can push iOS updates as shown.

iOS - Push update

MaaS360 also supports the shutdown and restart of iOS supervised devices.

Some organisations need additional time to test their applications on new versions of iOS. Therefore starting with iOS 11.3 and macOS 10.13.4, administrators are able to specify a number of days to delay a software update, with a maximum delay of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.
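The deferral window described above can be audited directly in an exported configuration profile. The following is an added example, not part of the original article or of MaaS360: it assumes the Restrictions payload keys `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateDelay` from Apple's configuration profile reference (the article does not name them), and the profile and dates are constructed.

```python
import plistlib
from datetime import date, timedelta

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload
MAX_DELAY_DAYS = 90      # maximum deferral stated in the article
DEFAULT_DELAY_DAYS = 30  # Apple's documented default when no value is given

# Constructed sample profile for illustration (not exported from MaaS360).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.update-deferral</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>forceDelayedSoftwareUpdates</key><true/>
      <key>enforcedSoftwareUpdateDelay</key><integer>45</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_update_deferral(profile_bytes):
    """Return (delay_days, findings) for a configuration profile.

    delay_days is the longest enforced deferral found (worst case for patch
    exposure), or None when no Restrictions payload enforces a deferral.
    """
    profile = plistlib.loads(profile_bytes)
    delay_days = None
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        forced = payload.get("forceDelayedSoftwareUpdates", False)
        days = payload.get("enforcedSoftwareUpdateDelay")
        if not forced:
            # A delay value without the switch is a common misconfiguration.
            if days is not None:
                findings.append(
                    "enforcedSoftwareUpdateDelay is set but "
                    "forceDelayedSoftwareUpdates is off, so nothing is deferred")
            continue
        if days is None:
            days = DEFAULT_DELAY_DAYS
        if not 1 <= days <= MAX_DELAY_DAYS:
            findings.append(
                f"delay of {days} days is outside the 1-{MAX_DELAY_DAYS} day range")
        delay_days = days if delay_days is None else max(delay_days, days)
    return delay_days, findings


def visible_on(release_date, delay_days):
    """First day on which the user is offered an update released on release_date."""
    return release_date + timedelta(days=delay_days)


def is_update_hidden(release_date, delay_days, today):
    """True while the deferral still hides the update from the user."""
    return today < visible_on(release_date, delay_days)


if __name__ == "__main__":
    delay, findings = audit_update_deferral(SAMPLE_PROFILE)
    release = date(2018, 4, 1)  # constructed release date
    print("enforced delay:", delay, "days; findings:", findings)
    print("update offered to users from:", visible_on(release, delay))
```

For a security update, the gap between the release date and the `visible_on` date is the period during which supervised devices remain unpatched by policy, so it is worth reviewing alongside the minimum OS version compliance rule.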

Manage Android Updates

The mix of different Android versions according to Apteligent is quite different.  There is quite an even use of Android KitKat (12.27%), Lollipop (20.16%), Marshmallow (25%) and Nougat (34.7%).  The latest Oreo release is only 3.3% as of March 2018.  Google’s Project Treble will certainly allow Android releases to be updated much faster over time.

MaaS360 supports Android system update management with Android Enterprise (Device Owner operation) as shown below:

Android - Update management

Previously, all users received and installed firmware updates, without IT having any control over it. On top of that, the unplanned firmware updates would sometimes break the enterprise apps due to compatibility issues.

MaaS360 can now address this by managing firmware for Samsung devices.  MaaS360 integrates with Samsung Enterprise FOTA (Firmware Over-The-Air) and includes selective, forced and time controlled firmware management.  For further details, please see this article.

E-FOTA Updates

Manage Windows Updates

MaaS360 supports updates (via patches) of Windows 7 through to Windows 10.  This is provided via our native patch management service.  Patches are delivered via our worldwide content delivery network.  The necessary patches required for each workstation are shown in the portal as follows:

OS Patches - Windows

You’ll also see that MaaS360 supports the patches of a range of 3rd party applications such as Adobe Reader, Flash, Java, Firefox, Notepad and many other applications.

App Updates - Windows

Alternatively, MaaS360 can configure Windows 10 so that firmware updates are applied directly from Microsoft or an internal WSUS server as shown below:

Windows 10 - Update Management

Manage macOS Updates

MaaS360 also provides an integrated service to update Apple macOS and 3rd party applications as shown below:

macOS - OS Patches

Alternatively, MaaS360 can configure macOS to apply updates from a software update server and App Store settings as shown below:

macOS - Software Update Settings

Unified Endpoint (OS) Management

As outlined above, MaaS360 provides organizations a truly unified management platform to keep all devices updated and therefore more secure.

If you have any questions on any of the above capabilities, please feel free to post your query to our community forum, or contact me directly via my blog contact page.

Enable secure mobile Intranet access in less than 30 minutes with IBM MaaS360

I wrote this article when I worked at IBM.  I’m now working at VMware supporting partners and clients with Workspace One.  See here for further details. 


Many organisations provide mobile access to corporate email/calendar services. Enabling more advanced collaboration services can be more complex and expensive to deploy.  MaaS360 offers a new approach to deploy a range of new mobile collaboration services:

  • Secure Document access (SharePoint, Fileshares, CMIS, Box, One Drive for Business, Connections, Google Drive)
  • Web Browser Intranet access
  • Mobile Application Intranet access

These services can be accessed without the need to deploy a more powerful and typically expensive VPN solution.

Clients love MaaS360’s unified mobility management features and new mobile application and App Catalog look and feel as shown below:

container1      appcatalog2

Mobile collaboration is enabled by deploying the MaaS360 Cloud Extender/Enterprise Gateway on-premises.  This provides a micro-VPN service from your company Intranet to the MaaS360 application on each device protected by FIPS 140-2 compliant / AES-256 encryption.  Regardless of the security of the mobile device, MaaS360 protects all information inside of the encrypted MaaS360 application.

This article walks you through the steps to enable this capability in less than 30 minutes.

Step 1: Start your free 30 day MaaS360 production trial

If you haven’t already, go to and enter your details to start a MaaS360 trial.  This is a production trial so everything you configure / setup is available beyond the trial period without any activation charges.

Once you’ve started a trial, enrol a number of devices and get familiar with the MaaS360 portal.  The MaaS360 administrator portal is very easy to use, however you can also review this video which provides a great overview.

Step 2: Install the MaaS360 Cloud Extender

Next install the MaaS360 Cloud Extender (CE) on an internal Windows server.  This allows you to connect on-premises resources such as Active Directory and Certificate Authorities to the MaaS360 SaaS service.  You can follow the instructions here to install and configure the CE.

Step 3: Install and configure the Mobile Enterprise Gateway (MEG)

The following instructions detail how to enable the Enterprise Gateway as a feature within the Cloud Extender.

  1. Next contact our ops team via the 24×7 technical chat service and ask for the Enterprise Gateway service to be enabled for your trial account. Also advise them to select either the US, Europe or AP hub if you use the MEG in relay mode.
  2. Next select Setup > Services and enable Enterprise Gateway.
  3. Start the Cloud Extender Configuration Tool and select Enterprise Gateway.  Select either Active Directory or LDAP directory using the same configuration you used for User Authentication/User Visibility.
  4. The config tool will perform a number of checks for connectivity and Active Directory authentication.
  5. Next select the Standalone configuration mode, choose a name for your MEG gateway (i.e. in my case I chose MEG1-AP) and the gateway Relay mode.  You should then see the correct relay server in the drop-down box.
  6. It’s important to ensure you select WebDav Server Setup for Network File Share access. You might also like to select the checkbox to re-use the user’s credentials.  Ensure you do not select Internet Proxy Settings.  This will route all requests for your intranet to a proxy first.  Only select this feature if really needed.
  7. Next within the MaaS360 Workplace persona policy, enable the required services.
  8. Next under Browser > Enterprise Gateway, select your MEG gateway and choose the DNS wildcard for all your Intranet services.
  9. From your mobile device using the MaaS360 secure browser, you should be able to access your company Intranet.
  10. Next from the MaaS360 administrator portal, select Docs > Content Sources.  Add a Windows File share.  It’s important to get the Folder path correct including upper/lower case letters.  Ensure you can browse to the file share without any issues from the Cloud Extender server itself.
  11. From your mobile device, you should also be able to access the documents from the file share from within the MaaS360 Docs application.

That’s it!  As you can see, it’s quick and easy to provide company information securely to your mobile workforce, with the comfort that this information is protected and can leverage additional mobile services such as MaaS360 Threat Protection (integrated anti-malware for iOS and Android).

If you would like further information, please ask a question on the new MaaS360 forum or contact me directly via my blog contact page.


Ten things you might not know about IBM MaaS360

I wrote this article when I worked at IBM.  I’m now working at VMware supporting partners and clients with Workspace One.  See here for further details. 


As we start 2016, there is a renewed focus on doing more with less.  Our clients are looking more than ever to consolidate and simplify their IT management solutions.

IBM MaaS360 resonates with our clients when we detail its unique unified mobility management capabilities.  This management is available across a wide variety of mobile, PC and Mac devices.  MaaS360 was recently named the clear leader in the Forrester Wave: Enterprise Mobile Management, Q4 2015 report.

1-MaaS360 Overview

The following article outlines ten solution capabilities, which are unique to the enterprise mobility management (EMM) market.

#1 – Fastest Time to Trust (Trial and On-premises components)

The MaaS360 solution is unique, in that anyone can easily start a production trial in just a few minutes.  Simply go to and start a free 30-day trial of our solution.  As part of the 30-day trial you’ll be provided technical assistance as you need it at any time (via remote Webex or 24×7 chat service).

The trial is in our production service, so you can validate how easy our solution is to use.  When you wish to proceed as an active client, there is no additional migration effort or activation fees.  Your account status is changed in a few minutes, it’s that easy.

Likewise, the on-premises components are very easy to set up and configure.  For example, the Cloud Extender is a small Windows executable (which can be downloaded from the MaaS360 portal).  The MaaS360 Cloud Extender (CE) communicates outbound to our SaaS platform on port 443, so it is very firewall and proxy friendly.  You can typically install and set up the Cloud Extender in less than 30 minutes. The Enterprise Gateway is now an activated module as part of the CE, so it is also very easy to enable.

2-MaaS360 Architecture

#2 – Multi Tenant Hierarchy for Mobile Service Providers (MSPs)

As mentioned in a previous post, IBM MaaS360 provides inherent multi-tenancy, which provides the following services for a MMS organisation:

  • Multi-Tenant Hierarchy
  • Easily supports multi-channel model
  • Easily onboard new customers/partners
  • Single login to manage customers
  • Branding
  • Dashboards and Reports

This is depicted in the following diagram:

MaaS360 multitenant architecture

The key benefit for MSPs (and large organisations) is the speed and simplicity in managing large numbers of devices with complete separation (client or division).  The ability for an MSP to provide their clients a unique trial URL is very compelling.  This allows an MSP’s client to start a production trial in less than 3 minutes.

#3 – Flexible Branding Options

Various elements of MaaS360 can be easily branded via the MSP portal.  This includes the trial registration page, service name, portal logo etc.  Elements of MaaS360 can also be branded for each client of the MSP too (such as inside the Secure Productivity Suite, the logo can be changed).

3 - Flexible Branding

#4 – Secure Container for iOS, Android and Windows Phone

MaaS360 Secure Productivity Suite (secure container) keeps your staff work services in one secure easy-to-use app. They can manage all their emails, contacts, calendars, enterprise applications and the web (+intranet) from an isolated workspace on their mobile devices.

4 - SPS 3 in one

This is great for BYOD and is available for iOS, Android and even Windows Phone!  The application is fully encrypted (includes FIPS 140-2 compliant, AES-256 encryption for iOS, Android and Windows Phone) so it doesn’t rely on any device encryption or policies.

#5 – Integrated Mobile Threat Management

MaaS360 is the only leading EMM with integrated mobile anti-malware capability.  This includes anti-malware services for iOS and Android.

Threat Management detects, analyses and remediates mobile risks delivering a new layer of security (without the need of another application or system).  Threat Protection leverages IBM Security Trusteer® using over the air updates to protect against:

  • Mobile malware (iOS and Android)
  • Suspicious system configurations
  • Compromised devices
  • Seek out hiders & active hiding techniques that try to mask detection of jailbroken & rooted devices

Here is a link to a great video overview.

#6 – Leading technology integrations

MaaS360 provides a range of integration capabilities with IBM and 3rd party solutions.  For example:

  • Directory Services – Microsoft Active Directory, Open LDAP, Novell eDirectory, SAML
  • Email Systems – Exchange, Office 365, Google Apps, Lotus, Blackberry BES
  • Certificate PKI – Microsoft, Symantec and Entrust
  • Network Access – Cisco, ForeScout, Aruba, Bluecat, Juniper, F5, BlueCoat, Airpatrol, Dell SonicWALL
  • IT Service Management – ServiceNow, Continuum, LabTech, Spiceworks
  • Content Repositories – Sharepoint, Office 365, Box, DAV, Connections
  • Mobile App Platforms – Worklight, Xamarin
  • Containers – Android for Work, Samsung Knox
  • APIs – REST
  • Security Information Event Management (SIEM) – QRadar
  • Single Sign-On – IBM Security Access Manager
  • App Reputation – Trusteer (Integrated), Veracode, Appthority, Checkpoint

No matter what your IT environment, we’re sure to have you covered!

#7 – Manage PCs (Windows 7 – 10) and Mac OS X

MaaS360 has a number of unique PC and Mac Management capabilities, even for older operating systems as far back as Windows XP!

7 - PC and Mac

The following is a summary of MaaS360’s PC and Mac services:

Gain Instant Insight

  • Hardware inventory
  • Software inventory
  • Security & compliance
  • Custom attributes
  • Operating system details, patch levels
  • Location history

Take Immediate Action

  • Enroll over-the-air
  • Locate, lock, restart or shutdown device
  • Deploy OS patches for latest security updates
  • Distribute software and documents
  • Send message
  • Wipe the hard drive
  • Update Antivirus definitions
  • Patch Management (Windows)

I highlighted some of those unique capabilities above in bold.  With MaaS360 you can distribute software to Windows PC and Apple Mac OS X.

#8 – MaaS360 can work alongside an existing MDM

For those clients who have an existing MDM and cannot yet change, MaaS360 can also work alongside those MDM solutions.  For example, iOS only allows one MDM solution to be managing a device at a time.  MaaS360 can still be deployed to provide a secure productivity suite or enterprise application distribution capabilities.

8 - Alongside another MDM

This capability has proven effective for clients who have struggled with an existing legacy MDM solution, particularly those solutions which struggle to scale with larger numbers of enterprise applications.

#9 – SaaS scalability and automatic updates & monitoring

The MaaS360 multi-tenant SaaS service provides a number of key benefits.  Clients are always on the latest version of the product and new mobile features from iOS, Android and Windows Phone.  This delivers much faster time-to-value than any on-premises solution, with set-up measured in minutes.  See here for further information.

In addition, the on-premises components include integrated health check and monitoring services.  This is particularly valuable for clients and mobile service providers (as no customer monitoring is required).

9 - SaaS monitoring

#10 – Readily Delivered MaaS360 Packages (Per device/Per User)

With MaaS360, clients pay only for what they need, when they need it: start managing a small group of users now, and scale upwards as needed.  Clients can choose the license bundles they need, plus IBM can provide fixed MaaS360 licensing in Australian or New Zealand dollars.  Both per-device and per-user (unlimited number of devices) licensing are available.

10 - MaaS360 bundles

When we’ve outlined some of the above features with organisations, they recognise how MaaS360 can provide a powerful platform for their clients.   Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to

If you would like further information, you can contact me via my blog contact page.


Don’t Drown in a Sea of Cyberthreats

Security teams can be overwhelmed by a sea of vulnerabilities–without the contextual data to help them focus their efforts on the weaknesses that are most likely to be exploited. Cyberthreats need to be stopped before they cause significant financial and reputational damages to an organization. You need a security system that can detect an attack, prioritise risks and respond within minutes to shut down an attack or vulnerability that could compromise your endpoints and data.


The integration of IBM BigFix with IBM QRadar provides accelerated risk prioritisation and incident response to mitigate potential attacks, giving you an integrated threat protection system to keep your corporate and customer data secure.

My colleague Roshan Royan and I provided an overview of both solutions and how they are seamlessly integrated on the following Webinar (recording).

Thanks to everyone who attended the Webinar!


Setting up IBM BigFix Compliance for PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a well-known IT security standard for organisations that handle credit card data.  The PCI standard is actually mandated by the Payment Card Industry Security Standards Council, and the potential fines for non-compliance and ramifications for a business if they are hacked can be significant.

For example in 2013 Target was hacked and the credit card details of over 40 million customers were stolen.  A report for the US Congress in February 2015 provided some sobering statistics:

“Target has reported data breach costs of $248 million. Independent sources have made back-of-the-envelope estimates ranging from $240 million to $2.2 billion in fraudulent charges alone. This does not include additional potential costs to consumers concerned about their personal information or credit histories; potential fines or penalties to Target, financial institutions, or others; or any costs to Target related to a loss of consumer confidence. The breach was among the largest in U.S. history.”


How can BigFix Compliance assist?

The PCI DSS standard consists of 12 requirements as outlined here.  The BigFix Compliance PCI DSS Add-on provides reporting and compliance services for servers and workstations.  IBM also provides solutions such as Netcool and QRadar to assist with other network and security components for PCI DSS, so clients have a set of tools to provide a holistic PCI DSS solution.

The continuous monitoring and compliance features of BigFix are well known.  In 2012, Orb-Data wrote an excellent article outlining how IBM BigFix (Endpoint Manager) can assist clients in a number of areas of the PCI DSS standard.  Previously, clients would develop their own Fixlets for PCI DSS, potentially leveraging content shared by the BigFix community or professional services.

In June 2015, IBM released the first set of PCI DSS content, which will be expanded with additional content and features over the next 12 months. An overview video is available here.

Setting up BigFix Compliance

To install BigFix compliance, follow the steps below:

  1. From the IEM console, select BigFix Management > License Overview and find the Security and Compliance section.  Next to SCM Reporting select Enable.
  2. Click on SCM Reporting.  Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes.
  3. Select Security Configuration – Configuration Management – IBM BigFix Compliance Install/Upgrade.
  4. Select the IBM BigFix Compliance 1.7 First-Time Install Fixlet.
  5. Select Take Action and select the server where BigFix Compliance will operate.  The latest installer will be automatically downloaded and sent to the server.
  6. From the nominated BigFix Compliance server, run the ibm_bfc_1.8.exe self-extracting archive located in the “C:\Program Files (x86)\BigFix Enterprise\BES Installers\TEMA” directory.
  7. After extracting, open the resulting directory and as an Administrator run the bfc_setup.exe file, which will open the IBM BigFix Compliance install wizard.
  8. Follow the steps in the IBM BigFix Compliance install wizard, including the browser-based configuration steps following the completion of the wizard.
  9. Once BigFix Compliance is installed, it automatically launched a web browser and I configured the server.
  10. BigFix Compliance is now installed.  BigFix Compliance consists of a wide variety of security content such as CIS, DISA STIG, FDCC and USGCB.  In the next section we’ll then add PCI DSS too.

Enabling the PCI DSS Add-On

You must be licensed for this feature or ask your local IBMer to have it enabled as a trial.  To enable the PCI DSS Add-On, follow the steps below:

  1. From the IEM console, select BigFix Management > License Overview and find the PCI DSS Security and Compliance section.  Next to the various checklists such as PCI DSS Checklist for Windows 7 and PCI DSS Checklist for SQL 2012 select Enable.
  2. Click on each of the PCI Sites you enabled in the previous step.  Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes.
  3. For each checklist you can enable the required Analysis for specific items where you would like data collected from those endpoints, i.e. Analysis – Password requirements. Maximum age should be 90 days.  If you enable this Analysis it will collect the Maximum password age setting from all computers.  The information from these Analyses can be accessed by selecting Configured View and selecting Measured Values.
  4. The PCI DSS checklists will automatically download and be tested against the computers in your environment.
  5. When you log in to the BigFix Compliance portal, it will start reflecting compliance information.  I’ve included a number of screen captures from my lab environment.

That’s it!  BigFix Compliance for PCI DSS is now up and running and you can easily report on your compliance.  If you have any problems, please post your query to the new BigFix forum.  If you’re interested in more details, please contact me.


Is your organisation ready for iOS 9?

With the release of iOS 9 just around the corner, is your organisation ready?  Your staff will be eager to upgrade to the latest capabilities once the final release is made available.  No longer can you ask your staff not to upgrade their iOS device, they will be doing it!


Since June, IBM has offered an Upgrade Service for iOS 9 to ensure your enterprise applications are ready.

IBM is also ensuring our solutions will be ready for iOS 9, particularly MobileFirst Protect (MaaS360), our enterprise mobility management (EMM) service.  MaaS360 clients have been testing our solution (in the production SaaS solution) for several weeks.  You can see some of the new Restriction settings in the screen capture below:


You can be confident that the moment iOS 9 is available, MaaS360 will instantly support these new management capabilities.  This is without any effort or upgrade charges for your organisation.

You can register for a free 30 day trial of MaaS360 at and take it for a test drive within minutes.

Please contact me if you need any information on MaaS360.