Enabling carriers and MSPs in the cloud mobile era with IBM MaaS360’s multi-tenant capabilities

Tens of thousands of clients use MaaS360 everyday to provide unified management (for mobile, PC and Mac).  These clients benefit from the simplicity, scalability and security of the SaaS platform.  This was recognised in the recent Forrester Wave: Enterprise Mobile Management, Q4 2015, which highlighted “MaaS360 product allows customers to easily add modules with appropriate functionality as they need them. the vendor provides customers with a wide variety of mobility and security tools via integration of the EMM product with other IBM MobileFirst products such as ISAM for identity and access management, the MobileFirst platform for application development, and QRadar for security intelligence“.

Many clients also turn to external IT services providers (particularly Mobile Service Providers) to operate their mobile infrastructure and BYOD initiatives.  With Mobile Managed Services (or MMS) are expected to grow at around 27% per year through 2016, it’s a strategic managed service provider capability.  Therefore, MaaS360 can provide the perfect platform for any MSP organisation of any size.

MaaS360 – Built with multi-tenancy services

Analysts and clients recognise MaaS360 provides a mature shared-processing multi tenant architecture, which is the best-in-class cloud among ranked EMM vendors.  MaaS360 initially provided management of Windows PCs and Mac OS X (which is why it can managed older operating systems as old as Windows XP SP3!)   The platform has evolved to support a large variety of mobile operating systems including a secure productivity suite (or container) for iOS, Android and Windows Phone.

MaaS360 provides inherant multi-tenancy services, which provides the following services for a MMS organisation:

  • Multi-Tenant Hierarchy
  • Easily supports multi-channel model
  • Easily onboard new customers/partners
  • Single login to manage customers
  • Branding
  • Dashboards and Reports

This is depicted in the following diagram:

MaaS360 multitenant architecture

These services are provided on a highly secure platform, which is all managed by IBM.  For example, IBM MaaS360 is the only Unified Endpoint Management (Mobile and PC including Windows XP, 7, 8, 10 & OSX) SaaS platform have successfully completed a SOC 2 Type II audit since 2007.  In addition, MaaS360 also has FedRAMP mobile authorisation. With IBM MaaS360, your clients data is safe.

maas360 certs

 

Benefits of using MaaS360 for an MSP

The MaaS360 MSP portal can allow an authorised administrator to create and manage separate customer accounts.  Each customer account is completely separate from the other.  This allows an MMS complete visibility and control of each customer they are managing.

MaaS360 MSP portal
Account Management
Via the MaaS360 portal each mobile managed services provider can generate their own trial registration URL.  This allows MMS to allow clients to start production trials within a few minutes in their own MSP portal.  This URL can include associated branding and customisation.  A good example is the trial registration link for O2 in the UK.

Branding
Various elements of MaaS360 can be easily branded via the MSP portal.  This includes the trial registration page, service name, portal logo etc.  Elements of MaaS360 can also be branded for each client of the MSP too (such as inside the Secure Productivity Suite, the logo can be changed).

 

Reporting
MaaS360 provides a range of client and MSP reports.  For example an MSP can easily see what clients are in a trial phase and which are production:

MaaS360 MSP Account Overview

The good news for an MSP, is that there is no charge to change a trial account to a customer (live) account. It’s simply a change of status from within the portal.  Each client will have been testing using a production service.

Integrate to on-premises systems with certainty
The MaaS360 on-prem components such as the Cloud Extender and Enterprise Gateway can be installed and activated within a few minutes.  The CE/MEG are integrated into a single installer, and communicate to the MaaS360 cloud via port 443 (and via customer proxy systems).  The CE/MEG provide health check alerts, which provide alerts to an administrator if the CE or associated systems such as Active Directory or Exchange is unavailable.

MaaS360 CE Health Check

For an MSP organisation, all of these features result in less installation and ongoing effort to manage and maintain.

 

Unified Management
MSP organisations are also branching into other platforms such as PC and Mac management (which have traditionally been serviced by on-prem solutions).  MaaS360 can provide a range of more advanced services that other MDM solutions don’t provide.  For example:

  • Lock
  • Shutdown
  • Restart
  • Remote Wipe
  • Distribute Software (PC and Mac)
  • Distribute software for Windows PC and Mac OS X
  • Patch compliance for Windows

I’ve provided a link to the full list of services for PC and Mac.

Integrated Threat Protection
MaaS360 is the only leading EMM with integrated mobile anti-malware capability.  This includes anti-malware services for iOS and Android.  Here is a link to a great video overview.

 

Power your MSP business with MaaS360

MSP organisations are looking unified endpoint management solutions with zero infrastructure requirements.   When we’ve outlined some of the above features with organisations, they recognise how MaaS360 can provide a powerful platform for their clients.   Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to www.maas360.com/trial.

If you would like further information, you can contact me via my blog contact page.

Darryl

Leave a comment

Don’t Drown in a Sea of Cyberthreats

Security teams can be overwhelmed by a sea of vulnerabilities–without the contextual data to help them focus their efforts on the weaknesses that are most likely to be exploited. Cyberthreats need to be stopped before they cause significant financial and reputational damages to an organization. You need a security system that can detect an attack, prioritise risks and respond within minutes to shut down an attack or vulnerability that could compromise your endpoints and data.

Businessman in crisis

The integration of IBM BigFix with IBM Qradar provide accelerated risk prioritisation and incident response to mitigate potential attacks giving you an integrated threat protection system to keep your corporate and customer data secure.

My colleague Roshan Royan and I provided an overview of both solutions and how they are seamlessly integrated on the following Webinar (recording).

Thanks to everyone who attended the Webinar!

Darryl

Leave a comment

Setting up IBM BigFix Compliance for PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a well know IT security standard for organisations that handle credit card data.  The PCI standard is actually mandated by the Payment Card Industry Security Standards Council, and the potential fines for non compliance and ramifications for a business if they hacked can be significant.

For example in 2013 Target was hacked and the credit card details of over 40 million customers were stolen.  A report for the US Congress in February 2015 provided some sobering statistics:

“Target has reported data breach costs of $248 million. Independent sources have made back-of-the-envelope estimates ranging from $240 million to $2.2 billion in fraudulent charges alone. This does not include additional potential costs to consumers concerned about their personal information or credit histories; potential fines or penalties to Target, financial institutions, or others; or any costs to Target related to a loss of consumer confidence. The breach was among the largest in U.S. history.”

pci dss logo

How can BigFix Compliance assist ?

The PCI DSS standard consists of 12 requirements as outlined here.  The BigFix Compliance PCI DSS Add-on provides reporting and compliance services for server and workstations.   IBM also provides solutions such as Netcool and Qradar to assist with other network and security components for PCI DSS.  So clients have a set of tools to provide a holistic PCI DSS solution.

The continuous monitoring and compliance features of BigFix are well known.  In 2012, Orb-Data wrote an excellent article outlining how IBM BigFix (Endpoint Manager) can assist clients in a number of areas of the PCI DSS standard.  Previously, clients would develop their own Fixlets for PCI DSS, potentiallly leveraging content shared by the BigFix community or professional services.

In June 2015, IBM released the first set of PCI DSS content, which will be expanded with additional content and features over the next 12 months. An overview video is available here.

Setting up BigFix Compliance

To install BigFix compliance, follow the steps below:

  1. From the IEM console, select BigFix ManagementLicense Overview and find the Security and Compliance section.   Next to SCM Reporting select Enable
  2. Click on SCM Reportingunder the  Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. Select Security Configuration – Configuration Management – IBM BigFix Compliance Install/Upgrade
  4. Select the IBM BigFix Compliance 1.7 First-Time Install Fixlet
  5. Select Take Action and select the server where BigFix Compliance will operate.  The latest installer will be automatically downloaded and sent to the server.
  6. From the nominated BigFix Compliance server, run the ibm_bfc_1.7.exe self-extracting archive located in the “C:\Program Files (x86)\BigFix Enterprise\BES Installers\TEMA” directory
  7. After extracting, open the resulting directory and as an Administrator run the tema-windows-x86_64.bat file, which will open the IBM BigFix Compliance install wizard
  8. Follow the steps in the IBM BigFix Compliance install wizard, including the browser-based configuration steps following the completion of the wizard.  Some of the screens from my installation are shown below:SCA - 1 SCA - 2 SCA - 3 SCA - 4
  9. Once BigFix Compliance is installed, it automatically launched a web browser and I configured the server.  Settings from my install are also shown below:SCA Config - 1 SCA Config - 2 SCA Config - 3 SCA Config - 4
  10. BigFix Compliance is now installed.  BigFix Compliance consists of a wide variety of security such as CISDISA STIGFDCC and USGCB.  In the next section we’ll then add PCI DSS too.

Enabling the PCI DSS Add-On

You must be licensed for this feature or ask your local IBMer to have it enabled as a trial.  To enable the PCI DSS Add-On, follow the steps below:

  1. From the IEM console, select BigFix ManagementLicense Overview and find the PCI DSS Security and Compliance section.   Next to the various checklists such as PCI DSS Checklist for Windows 7 and PCI DSS Checklist for SQL 2012 select Enable
  2. Click on each of the PCI Sites you enabled in the previous stepunder the  Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. For each checklist you can enable the require Analysis for specific items where you would like data collected from those endpoints.  ie. Analysis – Password requirements. Maximum age should be 90 days.  If you enable this Analysis it will collect the Maximum password age setting from all computers.The information from these Analysis can be accessed by selecting Configured View and selecting Measured Values.  As shown below:measured values - 1
    measured values - 2
  4. The PCI DSS checklists will automatically download and be tested against the computers in your environment.
  5. When you login to the BigFix Compliance portal, it will start reflecting compliance information.  I’ve included a number of screen captures from my lab environment.

That’s it!   BigFix Compliance for PCI DSS is now up and running and you can easily report on your compliance.   If you have any problems,  please post your query to the new Bigfix forum.   If you’re interest in more details, please contact me.

Darryl

Leave a comment

Is your organisation ready for iOS 9?

With the release of iOS9 just around the corner, is your organisation ready?  Your staff will be eager to upgrade to the latest capabilities once the final release is made available.  No longer can you ask your staff not to upgrade their iOS device, they will be doing it !

ios9

Since June, IBM has offered an Upgrade Service for iOS 9 to ensure your enterprise applications are ready.

IBM is also ensuring our solutions will be ready for iOS9, particularly MobileFirst Protect (MaaS360) our enterprise mobility management (EMM) service.  MaaS360 clients have been testing our solution (in the production SaaS solution) for several weeks.  You can see some of the new Restriction settings in the screen capture below:

ios9_maas360

You can be confident that the moment iOS 9 is available, MaaS360 will instantly support these new management capabilities.  This is without any effort or upgrade charges for your organisation.

You can register for a free 30 day trial of MaaS360 at www.maas360.com and take it for a test drive within minutes.

Please contact me if you need any information on MaaS360.

Darryl

Leave a comment

Both named Gartner Leaders: IBM MobileFirst Protect (MaaS360) and IBM BigFix (Endpoint Manager)

IBM MobileFirst Protect (MaaS360) has earned IBM a leadership position in the Magic Quadrant for the 4th year in a row.

IBM was selected a Magic Quadrant leader for Enterprise Mobility Management (EMM) based on completeness of vision and ability to execute.

Gartner highlighted the MobileFirst Protect’s mature shared-processing multi tenant architecture.  In addition, reference customers who consistently praise MobileFirst Protect’s ease of deployment.

ibmMobileFirstProtect_circleBlue

Likewise, it was the 4th year in a row for IBM BigFix (Endpoint Manager) to be named a leader in the Gartner Client Management Tools Magic Quadrant.

Gartner highlighted how BigFix excels in patch management, multiplatform support and overall scalability. In additional organisations also frequently use it to manage servers, particularly midsize organisations that prefer a single tool to manage PCs and servers.

Get your complimentary copy of Gartner’s latest report for enterprise mobility by registering your details here.

Please contact me if you need any information on either IBM solution.

Darryl

Leave a comment

Setting up BigFix Inventory 9.2

IBM BigFix (Endpoint Manager) has released a new Software Usage Analysis (SUA) module. This release includes a number of new capabilities, specifically SQL support.  BigFix Inventory (or SUA) also provides IBM sub-capacity measurement capability. IBM has provided a number of installation and administration guides here.   In the following article, I’ll step you through the key elements to setup SUA 9.2: Prerequisites

  • I’d created a new Windows 2008 R2 server to run SUA 9.2.  My virtual machine had at least 8GB of memory and 2 vCPU
  • On the SUA server I had installed Microsoft SQL 2012 and updates
  • I had installed an IEM Agent and it was reporting back to the IEM server successfully.

Install and Configure the SUA 9.2 Server

  1. From the IEM console, select BigFix ManagementLicense Overview and find the Software Usage Analysis section.   Next to IBM Endpoint Manager for Software use Analysis v9, select Enable
  2. Click on IBM Endpoint Manager for Software use Analysis v9, under the  Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. Select System Lifecycle – Software Use Analysis – Server Setup and Software Use Analytics.
  4. From the SUA install screen you’ll want to choose a server which will run SUA.  For small environments, SUA could run on the same server as IEM.  However as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 9.2.   Select that server and click Deploy Installer.SUA9 install
  5. SUA 9.2 will then show you the following screen as it downloads the SUA 9.2 software and then mirrors it to that server.   In my lab environment this took about 10 minutes.  You can check the progress of the download by looking at the running Actions too:Deployment Status Pending download completed successfully sua installer next steps
  6. On the SUA 9.2 server (my server was called SFTSGSUA9 – as it’s on Softlayer) I ran the installer setup-server-windows-x86_64.bat (as an Administrator).
  7. During the SUA 9.2 installation, select the default including accepting the license agreement. Change the default installation path if required:sua 9 path
  8. I select the default https port 9081 in my environment (you could choose another port if required)
  9. I selected System Account and finally reviewed the settings before clicking Installfinal SUA installer review
  10. When SUA was completed I was shown the following screen: sua 9 installer complete
  11. Click on Done and a web browser is then launched to complete the SUA 9.2 configuration.  You might need to click the certificate warning in your web browser. I entered the following information below to configure SUA.sua config 1 sua config 2 sua config 3sua config 4
  12. After the import was completed (which did take a few hours in my lab), the SUA 9.2 application was then launched:SUA login
  13. Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server:SUA Finish launch url
  14. Now SUA 9.2 is up and running,  we’ll now setup the endpoints for SUA scanning.

Setup your Endpoints for SUA scanning

  1. From the IEM console,  select System Lifecycle.  Then select Software Use Analysis, select Setup – Activate Analysis.  You should see seven Analysis as shown in the example below.  Activate each of these.activate analysis
  2. Next select Setup – Deploy Scanner to Endpoints and select Install Scanner,  select Take Action.   Select Target and select Dynamic target by property and select All Computers, if you want the scanner applied to every computer with an IEM Agent installed.  Otherwise you might create a manual group (called SUA 9 clients) and select it instead.  Click OK to run the Action.  The scanner will then be deployed to the endpoint.
  3. Select Setup – Schedule Scans on Endpoints.  Select Initiate Software Scan.  Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  By default the scanning process will run every 7 days as shown below.  You can change this value if you like.  Select OK when complete.software scan - default
  4. Finally, select Setup – Schedule Uploads on Endpoints.  Select the Upload Software Scan Results fixlet.  Click OK to run the Action.   Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  You’ll see below the Fixlet will run anytime new scan results are available and retry this 3 times if there is an error.  Select OK when complete.upload scan results

Note:  As mentioned above, it’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing. Software Catalog Update You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console.  You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs.  The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.

  1. From the IEM console,  select Systems Lifecycle – Software Use Analysis – Software Catalog Update – Software Catalog Update.  Select Take Action and select your SUA 9.2 server.  The action will download the latest catalog and install this on your SUA 9.2 server.sua 9 catalog update
  2. Login to the SUA 9.2 server console.
  3. Go to Management – Catalog Update
  4. Click Browse and locate the downloaded catalog file  (I expanded the ZIP file first)
  5. Click Upload.   Then select Import Now within the SUA console and browse to the file (D:\Program Files\ibm\SUA\sua_catalog)   and select the ZIP file.
  6. Click Upload 

    Note:  There is a Fixlet 1002 – Upgrade to the newest Software Usage Analysis 9.x catalog that can be run.  This will automatically download the latest catalog to the SUA 9.2 server.  The above task of applying this catalog via the SUA console is still required (thank’s David Kosenko for this information).

That’s it!   SUA is now up and running and you can easily see what software is installed and being utilised in your company.   If you have any problems,  please post your query to the new Bigfix forum. Are you benefiting from IBM Endpoint Manager SUA?    If so we’d love to hear from you. Darryl

3 Comments

Is Unified Endpoint Management (UEM) the new Enterprise Mobility Management (EMM)?

The IT industry loves buzzwords and acronyms.  We we have RAM, SOA, EMM, VM, AJAX, HTTP…  luckily we have Glossary‘s available to help us decode what we’re talking about!

I suggest there is another acronym that is growing in popularity, UEM or Unified Endpoint Management.

In the past, organisations ran “traditional” server management tools, which extended to managing Windows PCs.  These are the traditional on-premises solutions such as IBM Endpoint Manager (IEM/BigFix), Microsoft Systems Center Configuration Manager (SCCM) etc.  Some solutions such as IEM did a great job to manage a variety of new devices, even when the devices were disconnected from the office network.

As smartphones arrived, IT needed a way to provide visibility and ensure devices were secured if they were lost or stolen. So independently, new mobile device management (MDM) solutions emerged.

Some MDM solutions have since evolved to provide advanced device and data security management.  These advanced solutions such as MaaS360, include secure container solutions which separate business from persons personal data.  MaaS360 provides a secure container across a range of mobile form factors such as iOS, Android and Windows Phone.  These solutions are what Gartner, and the industry have termed Enterprise Mobility Management or EMM solutions.

maas360-udm

However very few EMM’s are also providing a true Unified Endpoint Management or UEM solution.  Integrated solutions which can manage new and old PCs, Macs and mobile devices.   Many claim “we manage PCs and Macs”, but when you scratch below the surface, you soon realise it’s only the latest operating systems and via an initial set of management API’s in Windows 8 or Mac OS X.

MaaS360 has been managing PCs and Macs for over 10 years.  So it provides a set of more advanced PC and Mac management services.  Even those running Windows XP SP3!

So you can implement a SaaS solution in minutes, that can manage a wide variety of form factors from old Windows XP PCs to Microsoft SurfacePro 3,  iOS, Android, Mac OS X, Windows Phone and Blackberry.

I conducted a Webinar on Thursday 27th 2014.  You can register here and see a replay of the recording plus slides.

Darryl

Leave a comment

Unified Reporting with IBM Endpoint Manager and MaaS360

IBM has released a new extender for IBM Endpoint Manager (IEM) to MaaS360.  The extender (or connector) allows MaaS360 mobile device information to be accessible within IEM alongside PC, Mac and Server endpoints.  Hence the Unified Reporting capability.

The setup is relatively straightforward and the development team have created some excellent documentation here.   With some information provided by Fiberlink which is specific to your MaaS360 account, you’re ready to get started.

You start by activating the MaaS360 site and deploying the Management Extender for MaaS360.   I decided to use a dedicated virtual machine which was already an IEM relay in my test environment.

The only issue I came across was the information I received wasn’t correct for my MaaS360 account.   I was provided a Platform ID of 3, and the extender didn’t function after I configured it.  After re-confirming this with ops@fiberlink.com, they provided a Platform ID of 5 for my account.   The extender was then configured correctly, and a list of mobile devices from my MaaS360 account was displayed!

I’ve included a bunch of screen captures from the setting up the extender, to the list of devices, and drilling down to an iOS device and obtaining inventory information and sending commands to a device.

This capability allows clients to view a mixture of endpoint types from a single console.   I expect more integration will be progressively released over time.

Darryl

 

3 Comments

IBM Fiberlink MaaS360 a Leader in the 2014 Gartner Magic Quadrant for Enterprise Mobility Management

MaaS360 has earned IBM Fiberlink a leadership position in the Magic Quadrant for the 3rd year in a row.

IBM was selected a Magic Quadrant leader for Enterprise Mobility Management (EMM) based on completeness of vision and ability to execute.

Gartner highlighted the MaaS360 mature shared-processing multi tenant architecture.  In addition, reference customers who consistently praise MaaS360’s ease of use for both end-user and administrator.

maas360globalheader

MaaS360 is one of the few MDM products, where you can literally use their MDM product in minutes.  A customer can register their details at www.maas360.com for a 30 day trial, and take it for a test drive within minutes

Get your complimentary copy of Gartner’s latest report for in-depth analysis of where enterprise mobility by registering your details here.

Please contact me if you need any information on MaaS360.

Darryl

Leave a comment

IBM Endpoint Manager Windows 7 Migration Cookbook

IBM Endpoint Manager (IEM) can not only provide software distribution but also Operating System Deployment (or OSD).  OSD includes the ability to upgrade operating systems (such as Windows XP to Windows 7) but also perform bare metal installations.  I’ve recorded two edited video’s of OSD in action for an upgrade and bare-metal installation.

windows-7

OSD is a feature of IEM’s Lifecycle Management service and a lot of detailed documentation is available here.   My colleagues David Kosenko and John Golembiewski have now produced an excellent step-by-step guide of the setup and use of OSD.

Topics include:

  • Setup of OSD
  • Deploying the Windows 7 Image to a Windows XP system
  • Bare Metal Imaging
  • Quick Reference Guides

This guide can be downloaded from IBM developerWorks from here.   If you have any questions on OSD, you can post them to the IEM forum.

Darryl

 

2 Comments

Follow

Get every new post delivered to your Inbox.

Join 491 other followers