Enable secure mobile Intranet access in less than 30 minutes with IBM MaaS360

Many organisations provide mobile access to corporate email/calendar services. Enabling more advanced collaboration services can be more complex and expensive to deploy.  MaaS360 offers a new approach to deploy a range of new mobile collaboration services:

  • Secure Document access (SharePoint, Fileshares, CMIS, Box, One Drive for Business, Connections, Google Drive)
  • Web Browser Intranet access
  • Mobile Application Intranet access

These services can be accessed without the need to deploy a more powerful and typically expensive VPN solution.

Clients love MaaS360’s unified mobility management features and new mobile application and App Catalog look and feel as shown below:

[Screenshots: MaaS360 container and App Catalog]

Mobile collaboration is enabled by deploying the MaaS360 Cloud Extender/Enterprise Gateway on-premises.  This provides a micro-VPN service from your company Intranet to the MaaS360 application on each device protected by FIPS 140-2 compliant / AES-256 encryption.  Regardless of the security of the mobile device, MaaS360 protects all information inside of the encrypted MaaS360 application.

This article walks you through the steps to enable this capability in less than 30 minutes.

Step 1: Start your free 30 day MaaS360 production trial

If you haven’t already, go to MaaS360.com/trial and enter your details to start a MaaS360 trial.  This is a production trial so everything you configure / setup is available beyond the trial period without any activation charges.

Once you’ve started a trial, enrol a number of devices and get familiar with the MaaS360 portal.  The MaaS360 administrator portal is very easy to use, however you can also review this video which provides a great overview.

Step 2: Install the MaaS360 Cloud Extender

Next install the MaaS360 Cloud Extender (CE) on an internal Windows server.  This allows you to connect on-premises resources such as Active Directory and Certificate Authorities to the MaaS360 SaaS service.  You can follow the instructions here to install and configure the CE.

Step 3: Install and configure the Mobile Enterprise Gateway (MEG)

The following instructions detail how to enable the Enterprise Gateway as a feature within the Cloud Extender.

  1. Contact our ops team via the 24×7 technical chat service and ask for the Enterprise Gateway service to be enabled for your trial account. Also advise them to select either the US, Europe or AP hub if you use the MEG in relay mode.
  2. Next select Setup > Services and enable Enterprise Gateway.
  3. Start the Cloud Extender Configuration Tool and select Enterprise Gateway.  Select either Active Directory or LDAP directory using the same configuration you used for User Authentication/User Visibility.
  4. The config tool will perform a number of checks for connectivity and Active Directory authentication.
  5. Next select the Standalone configuration mode, choose a name for your MEG gateway (in my case I chose MEG1-AP) and the gateway Relay mode.  You should then see the correct relay server in the drop-down box.
  6. It’s important to ensure you select WebDav Server Setup for Network File Share access. You might also like to select the checkbox to re-use the user’s credentials.

    Ensure you do not select Internet Proxy Settings.  This will route all requests for your intranet to a proxy first.  Only select this feature if really needed.

  7. Next within the MaaS360 Workplace persona policy, enable the following services: [screenshot: MEG 8]
  8. Next under Browser > Enterprise Gateway, select your MEG gateway and choose the DNS wildcard for all your Intranet services.
  9. From your mobile device using the MaaS360 secure browser, you should be able to access your company Intranet.
  10. Next from the MaaS360 administrator portal, select Docs > Content Sources.  Add a Windows File share using the example below.  It’s important to get the Folder path correct including upper/lower case letters.  Ensure you can browse to the file share without any issues from the Cloud Extender server itself. [screenshot: MEG 10]
  11. From your mobile device, you should also be able to access the documents from the file share from within the MaaS360 Docs application.

That’s it!  As you can see, it’s quick and easy to provide company information securely to your mobile workforce, with the comfort that this information is protected and with the ability to leverage additional mobile services such as MaaS360 Threat Protection (integrated anti-malware for iOS and Android).

If you would like further information, please ask a question on the new MaaS360 forum or contact me directly via my blog contact page.



Ten things you might not know about IBM MaaS360

As we start 2016, there is a renewed focus on doing more with less.  Our clients are looking more than ever to consolidate and simplify their IT management solutions.

IBM MaaS360 resonates with our clients when we detail its unique unified mobility management capabilities.  This management is available across a wide variety of mobile, PC and Mac devices.  MaaS360 was recently named the clear leader in the Forrester Wave: Enterprise Mobile Management, Q4 2015 report.


The following article outlines ten solution capabilities, which are unique to the enterprise mobility management (EMM) market.

#1 – Fastest Time to Trust (Trial and On-premises components)

The MaaS360 solution is unique, in that anyone can easily start a production trial in just a few minutes.  Simply go to www.maas360.com/trial and start a free 30-day trial of our solution.  As part of the 30 day trial you’ll be provided technical assistance as you need it at anytime (via remote Webex or 24×7 chat service).

The trial is in our production service, so you can validate how easy our solution is to use.  When you wish to proceed as an active client, there is no additional migration effort or activation fees.  Your account status is changed in a few minutes; it’s that easy.

Likewise, the on-premises components are very easy to set up and configure.  For example, the Cloud Extender is a small Windows executable (which can be downloaded from the MaaS360 portal).   The MaaS360 Cloud Extender (CE) communicates outbound to our SaaS platform on port 443, so it is very firewall and proxy friendly.  You can typically install and set up the Cloud Extender in less than 30 minutes. The Enterprise Gateway is now an activated module as part of the CE, so it is also very easy to enable.


#2 – Multi Tenant Hierarchy for Mobile Service Providers (MSPs)

As mentioned in a previous post, IBM MaaS360 provides inherent multi-tenancy services, which provide the following services for an MMS organisation:

  • Multi-Tenant Hierarchy
  • Easily supports multi-channel model
  • Easily onboard new customers/partners
  • Single login to manage customers
  • Branding
  • Dashboards and Reports

This is depicted in the following diagram:

[Diagram: MaaS360 multitenant architecture]

The key benefit for MSPs (and large organisations) is the speed and simplicity in managing large numbers of devices with complete separation (client or division).  The ability for an MSP to provide their clients a unique trial URL is very compelling.  This allows an MSP’s client to start a production trial in less than 3 minutes.

#3 – Flexible Branding Options

Various elements of MaaS360 can be easily branded via the MSP portal.  This includes the trial registration page, service name, portal logo etc.  Elements of MaaS360 can also be branded for each client of the MSP too (such as inside the Secure Productivity Suite, the logo can be changed).


#4 – Secure Container for iOS, Android and Windows Phone

MaaS360 Secure Productivity Suite (secure container) keeps your staff work services in one secure easy-to-use app. They can manage all their emails, contacts, calendars, enterprise applications and the web (+intranet) from an isolated workspace on their mobile devices.


This is great for BYOD and is available for iOS, Android and even Windows Phone!   The application is fully encrypted (includes FIPS 140-2 compliant, AES-256 encryption for iOS, Android and Windows Phone) so it doesn’t rely on any device encryption or policies.

#5 – Integrated Mobile Threat Management

MaaS360 is the only leading EMM with integrated mobile anti-malware capability.  This includes anti-malware services for iOS and Android.

Threat Management detects, analyses and remediates mobile risks delivering a new layer of security (without the need of another application or system).  Threat Protection leverages IBM Security Trusteer® using over the air updates to protect against:

  • Mobile malware (iOS and Android)
  • Suspicious system configurations
  • Compromised devices
  • Hiders and active hiding techniques that try to mask detection of jailbroken & rooted devices

Here is a link to a great video overview.

#6 – Leading technology integrations

MaaS360 provides a range of integration capabilities with IBM and 3rd party solutions.  For example:

  • Directory Services – Microsoft Active Directory, Open LDAP, Novell eDirectory, SAML
  • Email Systems – Exchange, Office 365, Google Apps, Lotus, Blackberry BES
  • Certificate PKI – Microsoft, Symantec and Entrust
  • Network Access – Cisco, ForeScout, Aruba, Bluecat, Juniper, F5, BlueCoat, Airpatrol, Dell SonicWALL
  • IT Service Management – ServiceNow, Continuum, LabTech, Spiceworks
  • Content Repositories – Sharepoint, Office 365, Box, DAV, Connections
  • Mobile App Platforms – Worklight, Xamarin
  • Containers – Android for Work, Samsung Knox
  • APIs – REST
  • Security Information Event Management (SIEM) – QRadar
  • Single Sign-On – IBM Security Access Manager
  • App Reputation – Trusteer (Integrated), Veracode, Appthority, Checkpoint

No matter what your IT environment, we’re sure to have you covered!

#7 – Manage PCs (Windows 7 – 10) and Mac OS X

MaaS360 has a number of unique PC and Mac Management capabilities, even for older operating systems as far back as Windows XP!


The following is a summary of MaaS360’s PC and Mac services:

Gain Instant Insight

  • Hardware inventory
  • Software inventory
  • Security & compliance
  • Custom attributes
  • Operating system details, patch levels
  • Location history

Take Immediate Action

  • Enroll over-the-air
  • Locate, lock, restart or shutdown device
  • Deploy OS patches for latest security updates
  • Distribute software and documents
  • Send message
  • Wipe the hard drive
  • Update Antivirus definitions
  • Patch Management (Windows)

I highlighted some of those unique capabilities above in bold.  With MaaS360 you can distribute software to Windows PC and Apple Mac OS X.

#8 – MaaS360 can work alongside an existing MDM

For those clients who have an existing MDM and cannot yet change, MaaS360 can also work alongside those MDM solutions.  For example, iOS only allows one MDM solution to be managing a device at a time.  MaaS360 can still be deployed to provide a secure productivity suite or enterprise application distribution capabilities.


This capability has proven effective for clients who have struggled with an existing legacy MDM solution. Particularly those solutions which struggle to scale with larger numbers of enterprise applications.

#9 – SaaS scalability and automatic updates & monitoring

The MaaS360 multi-tenant SaaS service provides a number of key benefits.  Clients are always on the latest version of the product and have the new mobile features from iOS, Android and Windows Phone.    This delivers much faster time-to-value than any on-premises solution, with set-up measured in minutes.  See here for further information.

In addition, the on-premises components include integrated health check and monitoring services.  This is particularly valuable for clients and mobile service providers (as no customer monitoring is required).


#10 – Readily Delivered MaaS360 Packages (Per device/Per User)

With MaaS360, clients pay only for what they need, when they need it: start managing a small group of users now, and scale upwards as needed.  Clients can choose the license bundles they need, plus IBM can provide fixed MaaS360 licensing in Australian or New Zealand dollars.  Both per-device and per-user (unlimited number of devices) licensing are available.


When we’ve outlined some of the above features with organisations, they recognise how MaaS360 can provide a powerful platform for their clients.   Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to www.maas360.com/trial.

If you would like further information, you can contact me via my blog contact page.


Enabling carriers and MSPs in the cloud mobile era with IBM MaaS360’s multi-tenant capabilities

Tens of thousands of clients use MaaS360 every day to provide unified management (for mobile, PC and Mac).  These clients benefit from the simplicity, scalability and security of the SaaS platform.  This was recognised in the recent Forrester Wave: Enterprise Mobile Management, Q4 2015, which highlighted “MaaS360 product allows customers to easily add modules with appropriate functionality as they need them. The vendor provides customers with a wide variety of mobility and security tools via integration of the EMM product with other IBM MobileFirst products such as ISAM for identity and access management, the MobileFirst platform for application development, and QRadar for security intelligence”.

Many clients also turn to external IT services providers (particularly Mobile Service Providers) to operate their mobile infrastructure and BYOD initiatives.  With Mobile Managed Services (or MMS) expected to grow at around 27% per year through 2016, it’s a strategic managed service provider capability.  Therefore, MaaS360 can provide the perfect platform for any MSP organisation of any size.

MaaS360 – Built with multi-tenancy services

Analysts and clients recognise that MaaS360 provides a mature shared-processing multi tenant architecture, which is the best-in-class cloud among ranked EMM vendors.  MaaS360 initially provided management of Windows PCs and Mac OS X (which is why it can manage operating systems as old as Windows XP SP3!)   The platform has evolved to support a large variety of mobile operating systems including a secure productivity suite (or container) for iOS, Android and Windows Phone.

MaaS360 provides inherent multi-tenancy services, which provide the following services for an MMS organisation:

  • Multi-Tenant Hierarchy
  • Easily supports multi-channel model
  • Easily onboard new customers/partners
  • Single login to manage customers
  • Branding
  • Dashboards and Reports

This is depicted in the following diagram:

[Diagram: MaaS360 multitenant architecture]

These services are provided on a highly secure platform, which is all managed by IBM.  For example, IBM MaaS360 is the only Unified Endpoint Management (Mobile and PC including Windows XP, 7, 8, 10 & OSX) SaaS platform to have successfully completed a SOC 2 Type II audit since 2007.  In addition, MaaS360 also has FedRAMP mobile authorisation. With IBM MaaS360, your clients’ data is safe.



Benefits of using MaaS360 for an MSP

The MaaS360 MSP portal can allow an authorised administrator to create and manage separate customer accounts.  Each customer account is completely separate from the other.  This allows an MMS complete visibility and control of each customer they are managing.

Account Management
Via the MaaS360 portal each mobile managed services provider can generate their own trial registration URL.  This allows an MMS to let clients start production trials within a few minutes in their own MSP portal.  This URL can include associated branding and customisation.  A good example is the trial registration link for O2 in the UK.

Various elements of MaaS360 can be easily branded via the MSP portal.  This includes the trial registration page, service name, portal logo etc.  Elements of MaaS360 can also be branded for each client of the MSP too (such as inside the Secure Productivity Suite, the logo can be changed).


MaaS360 provides a range of client and MSP reports.  For example an MSP can easily see what clients are in a trial phase and which are production:

[Screenshot: MaaS360 MSP Account Overview]

The good news for an MSP is that there is no charge to change a trial account to a customer (live) account. It’s simply a change of status from within the portal.  Each client will have been testing using a production service.

Integrate to on-premises systems with certainty
The MaaS360 on-prem components such as the Cloud Extender and Enterprise Gateway can be installed and activated within a few minutes.  The CE/MEG are integrated into a single installer, and communicate to the MaaS360 cloud via port 443 (and via customer proxy systems).  The CE/MEG provide health check alerts, which notify an administrator if the CE or associated systems such as Active Directory or Exchange are unavailable.


For an MSP organisation, all of these features result in less installation and ongoing effort to manage and maintain.


Unified Management
MSP organisations are also branching into other platforms such as PC and Mac management (which have traditionally been serviced by on-prem solutions).  MaaS360 can provide a range of more advanced services that other MDM solutions don’t provide.  For example:

  • Lock
  • Shutdown
  • Restart
  • Remote Wipe
  • Distribute software (Windows PC and Mac OS X)
  • Patch compliance for Windows

I’ve provided a link to the full list of services for PC and Mac.

Integrated Threat Protection
MaaS360 is the only leading EMM with integrated mobile anti-malware capability.  This includes anti-malware services for iOS and Android.  Here is a link to a great video overview.


Power your MSP business with MaaS360

MSP organisations are looking for unified endpoint management solutions with zero infrastructure requirements.   When we’ve outlined some of the above features with organisations, they recognise how MaaS360 can provide a powerful platform for their clients.   Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to www.maas360.com/trial.

If you would like further information, you can contact me via my blog contact page.


Don’t Drown in a Sea of Cyberthreats

Security teams can be overwhelmed by a sea of vulnerabilities–without the contextual data to help them focus their efforts on the weaknesses that are most likely to be exploited. Cyberthreats need to be stopped before they cause significant financial and reputational damages to an organization. You need a security system that can detect an attack, prioritise risks and respond within minutes to shut down an attack or vulnerability that could compromise your endpoints and data.


The integration of IBM BigFix with IBM QRadar provides accelerated risk prioritisation and incident response to mitigate potential attacks, giving you an integrated threat protection system to keep your corporate and customer data secure.

My colleague Roshan Royan and I provided an overview of both solutions and how they are seamlessly integrated on the following Webinar (recording).

Thanks to everyone who attended the Webinar!


Setting up IBM BigFix Compliance for PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a well-known IT security standard for organisations that handle credit card data.  The PCI standard is actually mandated by the Payment Card Industry Security Standards Council, and the potential fines for non-compliance and the ramifications for a business if it is hacked can be significant.

For example in 2013 Target was hacked and the credit card details of over 40 million customers were stolen.  A report for the US Congress in February 2015 provided some sobering statistics:

“Target has reported data breach costs of $248 million. Independent sources have made back-of-the-envelope estimates ranging from $240 million to $2.2 billion in fraudulent charges alone. This does not include additional potential costs to consumers concerned about their personal information or credit histories; potential fines or penalties to Target, financial institutions, or others; or any costs to Target related to a loss of consumer confidence. The breach was among the largest in U.S. history.”


How can BigFix Compliance assist?

The PCI DSS standard consists of 12 requirements as outlined here.  The BigFix Compliance PCI DSS Add-on provides reporting and compliance services for servers and workstations.   IBM also provides solutions such as Netcool and QRadar to assist with other network and security components for PCI DSS.  So clients have a set of tools to provide a holistic PCI DSS solution.

The continuous monitoring and compliance features of BigFix are well known.  In 2012, Orb-Data wrote an excellent article outlining how IBM BigFix (Endpoint Manager) can assist clients in a number of areas of the PCI DSS standard.  Previously, clients would develop their own Fixlets for PCI DSS, potentially leveraging content shared by the BigFix community or professional services.

In June 2015, IBM released the first set of PCI DSS content, which will be expanded with additional content and features over the next 12 months. An overview video is available here.

Setting up BigFix Compliance

To install BigFix compliance, follow the steps below:

  1. From the IEM console, select BigFix Management > License Overview and find the Security and Compliance section.   Next to SCM Reporting select Enable.
  2. Click on SCM Reporting.  Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes.
  3. Select Security Configuration – Configuration Management – IBM BigFix Compliance Install/Upgrade
  4. Select the IBM BigFix Compliance 1.7 First-Time Install Fixlet
  5. Select Take Action and select the server where BigFix Compliance will operate.  The latest installer will be automatically downloaded and sent to the server.
  6. From the nominated BigFix Compliance server, run the ibm_bfc_1.8.exe self-extracting archive located in the “C:\Program Files (x86)\BigFix Enterprise\BES Installers\TEMA” directory
  7. After extracting, open the resulting directory and as an Administrator run the bfc_setup.exe file, which will open the IBM BigFix Compliance install wizard
  8. Follow the steps in the IBM BigFix Compliance install wizard, including the browser-based configuration steps following the completion of the wizard.  Some of the screens from my installation are shown below: [screenshots: SCA 1 to SCA 4]
  9. Once BigFix Compliance is installed, it automatically launched a web browser and I configured the server.  Settings from my install are also shown below: [screenshots: SCA Config 1 to SCA Config 4]
  10. BigFix Compliance is now installed.  BigFix Compliance consists of a wide variety of security content such as CIS, DISA STIG, FDCC and USGCB.  In the next section we’ll add PCI DSS too.

Enabling the PCI DSS Add-On

You must be licensed for this feature or ask your local IBMer to have it enabled as a trial.  To enable the PCI DSS Add-On, follow the steps below:

  1. From the IEM console, select BigFix Management > License Overview and find the PCI DSS Security and Compliance section.   Next to the various checklists such as PCI DSS Checklist for Windows 7 and PCI DSS Checklist for SQL 2012 select Enable.
  2. Click on each of the PCI Sites you enabled in the previous step.  Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes.
  3. For each checklist you can enable the required Analysis for specific items where you would like data collected from those endpoints, e.g. Analysis – Password requirements. Maximum age should be 90 days.  If you enable this Analysis it will collect the Maximum password age setting from all computers.  The information from these Analyses can be accessed by selecting Configured View and selecting Measured Values, as shown below: [screenshots: measured values 1 and 2]
  4. The PCI DSS checklists will automatically download and be tested against the computers in your environment.
  5. When you login to the BigFix Compliance portal, it will start reflecting compliance information.  I’ve included a number of screen captures from my lab environment.
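
The 90-day maximum password age value collected by the Analysis in step 3 can be spot-checked on a Windows endpoint independently of the console. The following is an added example, not BigFix content or code from the original post: it parses English-language output of the Windows `net accounts` command and treats an unlimited age or a failed collection as a finding. The host names and captured outputs are constructed for illustration.

```python
import re

# Threshold quoted in the post's PCI DSS Analysis: maximum age should be 90 days.
MAX_AGE_LIMIT_DAYS = 90

# English-language label printed by the Windows `net accounts` command.
_MAX_AGE_RE = re.compile(
    r"^Maximum password age \(days\):[ \t]*(\S+)", re.MULTILINE
)

# Constructed sample captures keyed by hypothetical host names (not real data).
SAMPLE_CAPTURES = {
    "WS-001": (
        "Minimum password age (days):                          1\r\n"
        "Maximum password age (days):                          42\r\n"
        "Minimum password length:                              8\r\n"
    ),
    "WS-017": (
        "Minimum password age (days):                          0\r\n"
        "Maximum password age (days):                          180\r\n"
    ),
    "SRV-DB01": (
        "Minimum password age (days):                          0\r\n"
        "Maximum password age (days):                          Unlimited\r\n"
    ),
    # Collection failed on this host, so the field is absent.
    "KIOSK-03": "System error 5 has occurred.\r\n\r\nAccess is denied.\r\n",
}


def parse_max_password_age(net_accounts_output):
    """Return the maximum password age in days, or None when passwords never expire.

    Raises ValueError if the field is absent or not a number, so a failed
    collection is never mistaken for a compliant host.
    """
    match = _MAX_AGE_RE.search(net_accounts_output)
    if match is None:
        raise ValueError("maximum password age not present in output")
    value = match.group(1)
    if value.lower() == "unlimited":
        return None
    days = int(value)  # int() raises ValueError on unexpected text
    # A policy value of 0 also means passwords never expire.
    return days if days > 0 else None


def evaluate_host(host, net_accounts_output, limit=MAX_AGE_LIMIT_DAYS):
    """Classify one host as PASS, FAIL or ERROR against the limit."""
    try:
        age = parse_max_password_age(net_accounts_output)
    except ValueError as exc:
        return {"host": host, "status": "ERROR", "measured": None,
                "detail": str(exc)}
    if age is None:
        return {"host": host, "status": "FAIL", "measured": "Unlimited",
                "detail": "passwords never expire"}
    if age > limit:
        return {"host": host, "status": "FAIL", "measured": age,
                "detail": f"exceeds {limit} days"}
    return {"host": host, "status": "PASS", "measured": age,
            "detail": f"within {limit} days"}


def audit(captures, limit=MAX_AGE_LIMIT_DAYS):
    """Evaluate every capture and return findings sorted by host name."""
    return [evaluate_host(h, captures[h], limit) for h in sorted(captures)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURES):
        print("{host:10} {status:5} measured={measured} ({detail})".format(**finding))
```

Hosts reported as ERROR need the collection repeated before they are counted either way in a compliance report.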

That’s it!   BigFix Compliance for PCI DSS is now up and running and you can easily report on your compliance.   If you have any problems,  please post your query to the new Bigfix forum.   If you’re interested in more details, please contact me.


Is your organisation ready for iOS 9?

With the release of iOS 9 just around the corner, is your organisation ready?  Your staff will be eager to upgrade to the latest capabilities once the final release is made available.  No longer can you ask your staff not to upgrade their iOS device; they will be doing it!


Since June, IBM has offered an Upgrade Service for iOS 9 to ensure your enterprise applications are ready.

IBM is also ensuring our solutions will be ready for iOS9, particularly MobileFirst Protect (MaaS360) our enterprise mobility management (EMM) service.  MaaS360 clients have been testing our solution (in the production SaaS solution) for several weeks.  You can see some of the new Restriction settings in the screen capture below:


You can be confident that the moment iOS 9 is available, MaaS360 will instantly support these new management capabilities.  This is without any effort or upgrade charges for your organisation.

You can register for a free 30 day trial of MaaS360 at www.maas360.com and take it for a test drive within minutes.

Please contact me if you need any information on MaaS360.


Both named Gartner Leaders: IBM MobileFirst Protect (MaaS360) and IBM BigFix (Endpoint Manager)

IBM MobileFirst Protect (MaaS360) has earned IBM a leadership position in the Magic Quadrant for the 4th year in a row.

IBM was selected a Magic Quadrant leader for Enterprise Mobility Management (EMM) based on completeness of vision and ability to execute.

Gartner highlighted MobileFirst Protect’s mature shared-processing multi tenant architecture and, in addition, reference customers who consistently praise MobileFirst Protect’s ease of deployment.


Likewise, it was the 4th year in a row for IBM BigFix (Endpoint Manager) to be named a leader in the Gartner Client Management Tools Magic Quadrant.

Gartner highlighted how BigFix excels in patch management, multiplatform support and overall scalability. In addition, organisations also frequently use it to manage servers, particularly midsize organisations that prefer a single tool to manage PCs and servers.

Get your complimentary copy of Gartner’s latest report for enterprise mobility by registering your details here.

Please contact me if you need any information on either IBM solution.