Enable secure mobile Intranet access in less than 30 minutes with IBM MaaS360

Many organisations provide mobile access to corporate email/calendar services. Enabling more advanced collaboration services can be more complex and expensive to deploy.  MaaS360 offers a new approach to deploy a range of new mobile collaboration services:

  • Secure Document access (SharePoint, Fileshares, CMIS, Box, One Drive for Business, Connections, Google Drive)
  • Web Browser Intranet access
  • Mobile Application Intranet access

These services can be accessed without the need to deploy a more powerful and typically expensive VPN solution.

Clients love MaaS360’s unified mobility management features and new mobile application and App Catalog look and feel as shown below:


Mobile collaboration is enabled by deploying the MaaS360 Cloud Extender/Enterprise Gateway on-premises.  This provides a micro-VPN service from your company Intranet to the MaaS360 application on each device protected by FIPS 140-2 compliant / AES-256 encryption.  Regardless of the security of the mobile device, MaaS360 protects all information inside of the encrypted MaaS360 application.

This article walks you through the steps to enable this capability in less than 30 minutes.

Step 1: Start your free 30 day MaaS360 production trial

If you haven’t already, go to MaaS360.com/trial and enter your details to start a MaaS360 trial.  This is a production trial so everything you configure / setup is available beyond the trial period without any activation charges.

Once you’ve started a trial, enrol a number of devices and get familiar with the MaaS360 portal.  The MaaS360 administrator portal is very easy to use, however you can also review this video which provides a great overview.

Step 2: Install the MaaS360 Cloud Extender

Next, install the MaaS360 Cloud Extender (CE) on an internal Windows server.  This allows you to connect on-premises resources such as Active Directory and Certificate Authorities to the MaaS360 SaaS service.  You can follow the instructions here to install and configure the CE.

Step 3: Install and configure the Mobile Enterprise Gateway (MEG)

The following instructions detail how to enable the Enterprise Gateway as a feature within the Cloud Extender.

  1. Contact our ops team via the 24×7 technical chat service and ask for the Enterprise Gateway service to be enabled for your trial account. Also advise them to select either the US, Europe or AP hub if you use the MEG in relay mode.
  2. Next select Setup – Services and enable Enterprise Gateway.
  3. Start the Cloud Extender Configuration Tool and select Enterprise Gateway.  Select either Active Directory or LDAP directory using the same configuration you used for User Authentication/User Visibility.
  4. The config tool will perform a number of checks for connectivity and Active Directory authentication.
  5. Next select the Standalone configuration mode, choose a name for your MEG gateway (in my case I chose MEG1-AP) and the gateway Relay mode.  You should then see the correct relay server in the drop-down box.
  6. It’s important to ensure you select WebDav Server Setup for Network File Share access. You might also like to select the checkbox to re-use the user’s credentials.

    Ensure you do not select Internet Proxy Settings.  This will route all requests for your intranet to a proxy first.  Only select this feature if really needed.

  7. Next within the MaaS360 Workplace persona policy, enable the following services:
  8. Next under Browser – Enterprise Gateway, select your MEG gateway and choose the DNS wildcard for all your Intranet services.
  9. From your mobile device using the MaaS360 secure browser, you should be able to access your company Intranet as shown.
  10. Next from the MaaS360 administrator portal, select Docs – Content Sources.  Add a Windows File share using the example below.  It’s important to get the Folder path correct, including upper/lower case letters.  Ensure you can browse to the file share without any issues from the Cloud Extender server itself.
  11. From your mobile device, you should also be able to access the documents on the file share from within the MaaS360 Docs application as shown.

That’s it!  As you can see, it’s quick and easy to provide company information securely to your mobile workforce, with the comfort that this information is protected, while leveraging additional mobile services such as MaaS360 Threat Protection (integrated anti-malware for iOS and Android).

If you would like further information, please ask a question on the new MaaS360 forum or contact me directly via my blog contact page.



Ten things you might not know about IBM MaaS360

As we start 2016, there is a renewed focus on doing more with less.  Our clients are looking more than ever to consolidate and simplify their IT management solutions.

IBM MaaS360 resonates with our clients when we detail its unique unified mobility management capabilities.  This management is available across a wide variety of mobile, PC and Mac devices.  MaaS360 was recently named the clear leader in the Forrester Wave: Enterprise Mobile Management, Q4 2015 report.


The following article outlines ten solution capabilities, which are unique to the enterprise mobility management (EMM) market.

#1 – Fastest Time to Trust (Trial and On-premises components)

The MaaS360 solution is unique, in that anyone can easily start a production trial in just a few minutes.  Simply go to www.maas360.com/trial and start a free 30-day trial of our solution.  As part of the 30-day trial you’ll be provided technical assistance as you need it at any time (via remote Webex or 24×7 chat service).

The trial is in our production service, so you can validate how easy our solution is to use.  When you wish to proceed as an active client, there is no additional migration effort or activation fees.  Your account status is changed in a few minutes; it’s that easy.

Likewise, the on-premises components are very easy to set up and configure.  For example, the Cloud Extender is a small Windows executable (which can be downloaded from the MaaS360 portal).  The MaaS360 Cloud Extender (CE) communicates outbound to our SaaS platform on port 443, so it is very firewall and proxy friendly.  You can typically install and set up the Cloud Extender in less than 30 minutes. The Enterprise Gateway is now an activated module as part of the CE, so it is very easy to enable too.


#2 – Multi Tenant Hierarchy for Mobile Service Providers (MSPs)

As mentioned in a previous post, IBM MaaS360 provides inherent multi-tenancy services, which provide the following for an MMS organisation:

  • Multi-Tenant Hierarchy
  • Easily supports multi-channel model
  • Easily onboard new customers/partners
  • Single login to manage customers
  • Branding
  • Dashboards and Reports

This is depicted in the following diagram:

MaaS360 multitenant architecture

The key benefit for MSPs (and large organisations) is the speed and simplicity in managing large numbers of devices with complete separation (by client or division).  The ability for an MSP to provide their clients a unique trial URL is very compelling.  This allows an MSP’s client to start a production trial in less than 3 minutes.

#3 – Flexible Branding Options

Various elements of MaaS360 can be easily branded via the MSP portal.  This includes the trial registration page, service name, portal logo etc.  Elements of MaaS360 can also be branded for each client of the MSP too (such as inside the Secure Productivity Suite, the logo can be changed).


#4 – Secure Container for iOS, Android and Windows Phone

MaaS360 Secure Productivity Suite (secure container) keeps your staff work services in one secure easy-to-use app. They can manage all their emails, contacts, calendars, enterprise applications and the web (+intranet) from an isolated workspace on their mobile devices.


This is great for BYOD and is available for iOS, Android and even Windows Phone!  The application is fully encrypted (includes FIPS 140-2 compliant, AES-256 encryption for iOS, Android and Windows Phone), so it doesn’t rely on any device encryption or policies.

#5 – Integrated Mobile Threat Management

MaaS360 is the only leading EMM with integrated mobile anti-malware capability.  This includes anti-malware services for iOS and Android.

Threat Management detects, analyses and remediates mobile risks delivering a new layer of security (without the need of another application or system).  Threat Protection leverages IBM Security Trusteer® using over the air updates to protect against:

  • Mobile malware (iOS and Android)
  • Suspicious system configurations
  • Compromised devices
  • Seek out hiders & active hiding techniques that try to mask detection of jailbroken & rooted devices

Here is a link to a great video overview.

#6 – Leading technology integrations

MaaS360 provides a range of integration capabilities with IBM and 3rd party solutions.  For example:

  • Directory Services – Microsoft Active Directory, Open LDAP, Novell eDirectory, SAML
  • Email Systems – Exchange, Office 365, Google Apps, Lotus, Blackberry BES
  • Certificate PKI – Microsoft, Symantec and Entrust
  • Network Access – Cisco, ForeScout, Aruba, Bluecat, Juniper, F5, BlueCoat, Airpatrol, Dell SonicWALL
  • IT Service Management – ServiceNow, Continuum, LabTech, Spiceworks
  • Content Repositories – Sharepoint, Office 365, Box, DAV, Connections
  • Mobile App Platforms – Worklight, Xamarin
  • Containers – Android for Work, Samsung Knox
  • APIs – REST
  • Security Information Event Management (SIEM) – QRadar
  • Single Sign-On – IBM Security Access Manager
  • App Reputation – Trusteer (Integrated), Veracode, Appthority, Checkpoint

No matter what your IT environment, we’re sure to have you covered!

#7 – Manage PCs (Windows 7 – 10) and Mac OS X

MaaS360 has a number of unique PC and Mac Management capabilities, even for older operating systems as far back as Windows XP!


The following is a summary of MaaS360’s PC and Mac services:

Gain Instant Insight

  • Hardware inventory
  • Software inventory
  • Security & compliance
  • Custom attributes
  • Operating system details, patch levels
  • Location history

Take Immediate Action

  • Enroll over-the-air
  • Locate, lock, restart or shutdown device
  • Deploy OS patches for latest security updates
  • Distribute software and documents
  • Send message
  • Wipe the hard drive
  • Update Antivirus definitions
  • Patch Management (Windows)

I highlighted some of those unique capabilities above in bold.  With MaaS360 you can distribute software to Windows PC and Apple Mac OS X.

#8 – MaaS360 can work alongside an existing MDM

For those clients who have an existing MDM and cannot yet change, MaaS360 can also work alongside those MDM solutions.  For example, iOS only allows one MDM solution to be managing a device at a time.  MaaS360 can still be deployed to provide a secure productivity suite or enterprise application distribution capabilities.


This capability has proven effective for clients who have struggled with an existing legacy MDM solution. Particularly those solutions which struggle to scale with larger numbers of enterprise applications.

#9 – SaaS scalability and automatic updates & monitoring

The MaaS360 multi-tenant SaaS service provides a number of key benefits.  Clients are always on the latest version of the product and have the new mobile features from iOS, Android and Windows Phone.  This delivers much faster time-to-value than any on-premises solution, with set-up measured in minutes.  See here for further information.

In addition, the on-premises components include integrated health check and monitoring services.  This is particularly valuable for clients and mobile service providers (as no customer monitoring is required).


#10 – Readily Delivered MaaS360 Packages (Per device/Per User)

With MaaS360, clients pay only for what they need, when they need it: start managing a small group of users now, and scale upwards as needed.  Clients can choose the license bundles they need, plus IBM can provide fixed MaaS360 licensing in Australian or New Zealand dollars.  Both per-device and per-user (unlimited number of devices) licensing are available.


When we’ve outlined some of the above features with organisations, they recognise how MaaS360 can provide a powerful platform for their clients.   Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to www.maas360.com/trial.

If you would like further information, you can contact me via my blog contact page.


Setting up IBM BigFix Compliance for PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a well-known IT security standard for organisations that handle credit card data.  The PCI standard is mandated by the Payment Card Industry Security Standards Council, and the potential fines for non-compliance and the ramifications for a business if it is hacked can be significant.

For example in 2013 Target was hacked and the credit card details of over 40 million customers were stolen.  A report for the US Congress in February 2015 provided some sobering statistics:

“Target has reported data breach costs of $248 million. Independent sources have made back-of-the-envelope estimates ranging from $240 million to $2.2 billion in fraudulent charges alone. This does not include additional potential costs to consumers concerned about their personal information or credit histories; potential fines or penalties to Target, financial institutions, or others; or any costs to Target related to a loss of consumer confidence. The breach was among the largest in U.S. history.”


How can BigFix Compliance assist?

The PCI DSS standard consists of 12 requirements as outlined here.  The BigFix Compliance PCI DSS Add-on provides reporting and compliance services for servers and workstations.  IBM also provides solutions such as Netcool and QRadar to assist with other network and security components for PCI DSS, so clients have a set of tools to provide a holistic PCI DSS solution.

The continuous monitoring and compliance features of BigFix are well known.  In 2012, Orb-Data wrote an excellent article outlining how IBM BigFix (Endpoint Manager) can assist clients in a number of areas of the PCI DSS standard.  Previously, clients would develop their own Fixlets for PCI DSS, potentially leveraging content shared by the BigFix community or professional services.

In June 2015, IBM released the first set of PCI DSS content, which will be expanded with additional content and features over the next 12 months. An overview video is available here.

Setting up BigFix Compliance

To install BigFix compliance, follow the steps below:

  1. From the IEM console, select BigFix Management – License Overview and find the Security and Compliance section.  Next to SCM Reporting select Enable.
  2. Click on SCM Reporting and, under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes.
  3. Select Security Configuration – Configuration Management – IBM BigFix Compliance Install/Upgrade.
  4. Select the IBM BigFix Compliance 1.7 First-Time Install Fixlet.
  5. Select Take Action and select the server where BigFix Compliance will operate.  The latest installer will be automatically downloaded and sent to the server.
  6. From the nominated BigFix Compliance server, run the ibm_bfc_1.8.exe self-extracting archive located in the “C:\Program Files (x86)\BigFix Enterprise\BES Installers\TEMA” directory.
  7. After extracting, open the resulting directory and, as an Administrator, run the bfc_setup.exe file, which will open the IBM BigFix Compliance install wizard.
  8. Follow the steps in the IBM BigFix Compliance install wizard, including the browser-based configuration steps following the completion of the wizard.
  9. Once BigFix Compliance was installed, it automatically launched a web browser and I configured the server.
  10. BigFix Compliance is now installed.  BigFix Compliance consists of a wide variety of security checklists such as CIS, DISA STIG, FDCC and USGCB.  In the next section we’ll add PCI DSS too.

Enabling the PCI DSS Add-On

You must be licensed for this feature or ask your local IBMer to have it enabled as a trial.  To enable the PCI DSS Add-On, follow the steps below:

  1. From the IEM console, select BigFix Management – License Overview and find the PCI DSS Security and Compliance section.  Next to the various checklists such as PCI DSS Checklist for Windows 7 and PCI DSS Checklist for SQL 2012, select Enable.
  2. Click on each of the PCI Sites you enabled in the previous step and, under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes.
  3. For each checklist you can enable the required Analysis for specific items where you would like data collected from those endpoints, for example Analysis – Password requirements. Maximum age should be 90 days.  If you enable this Analysis it will collect the Maximum password age setting from all computers.  The information from these Analyses can be accessed by selecting Configured View and selecting Measured Values.
  4. The PCI DSS checklists will automatically download and be tested against the computers in your environment.
  5. When you login to the BigFix Compliance portal, it will start reflecting compliance information.  I’ve included a number of screen captures from my lab environment.
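
As an added example (not part of the original post and not BigFix content), the Python below spot-checks the same setting that the Password requirements Analysis collects, using the text that `secedit /export /cfg <file> /areas SECURITYPOLICY` writes on a Windows endpoint. The host names and export contents are constructed samples, and treating `-1` or `0` as "never expires" is an assumption stated in the code.

```python
import configparser

PCI_MAX_AGE_DAYS = 90  # limit named by the password Analysis described above


def decode_export(raw: bytes) -> str:
    """secedit normally writes UTF-16 with a BOM; accept UTF-8 as well."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return text.replace("\r\n", "\n")


def maximum_password_age(export_text: str):
    """Return MaximumPasswordAge from [System Access], or None if absent."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        allow_no_value=True)
    parser.optionxform = str  # keep key names exactly as exported
    parser.read_string(export_text)
    value = parser.get("System Access", "MaximumPasswordAge", fallback=None)
    return None if value is None else int(value.strip())


def evaluate(host: str, raw: bytes) -> dict:
    """Classify one endpoint export against the 90-day maximum age."""
    try:
        age = maximum_password_age(decode_export(raw))
    except (configparser.Error, ValueError, UnicodeError) as exc:
        return {"host": host, "status": "ERROR", "detail": str(exc)}
    if age is None:
        return {"host": host, "status": "UNKNOWN",
                "detail": "MaximumPasswordAge not present in export"}
    if age <= 0:
        # Assumption: -1 (security template form) and 0 (policy editor
        # form) both mean the password never expires. A plain "<= 90"
        # comparison would wrongly pass these hosts.
        return {"host": host, "status": "FAIL",
                "detail": "passwords never expire"}
    if age > PCI_MAX_AGE_DAYS:
        return {"host": host, "status": "FAIL",
                "detail": f"{age} days exceeds {PCI_MAX_AGE_DAYS}"}
    return {"host": host, "status": "PASS", "detail": f"{age} days"}


def audit(exports: dict) -> list:
    """Evaluate a mapping of host name -> raw export bytes."""
    return [evaluate(host, raw) for host, raw in exports.items()]


def constructed_export(age_line: str) -> str:
    """Build a constructed, minimal security-policy export for the demo."""
    return (
        "[Unicode]\r\nUnicode=yes\r\n"
        "[System Access]\r\nMinimumPasswordAge = 1\r\n"
        f"{age_line}"
        "MinimumPasswordLength = 8\r\n"
        '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
    )


# Constructed sample data: four lab hosts, one of them exported as UTF-8
# and missing the setting altogether.
SAMPLE_EXPORTS = {
    "LAB-WS-01": constructed_export(
        "MaximumPasswordAge = 42\r\n").encode("utf-16"),
    "LAB-WS-02": constructed_export(
        "MaximumPasswordAge = 180\r\n").encode("utf-16"),
    "LAB-SRV-01": constructed_export(
        "MaximumPasswordAge = -1\r\n").encode("utf-16"),
    "LAB-SRV-02": constructed_export("").encode("utf-8"),
}

if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORTS):
        print(f'{row["host"]:<12}{row["status"]:<9}{row["detail"]}')
```
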

That’s it!  BigFix Compliance for PCI DSS is now up and running and you can easily report on your compliance.  If you have any problems, please post your query to the new Bigfix forum.  If you’re interested in more details, please contact me.


Is your organisation ready for iOS 9?

With the release of iOS 9 just around the corner, is your organisation ready?  Your staff will be eager to upgrade to the latest capabilities once the final release is made available.  You can no longer ask your staff not to upgrade their iOS devices; they will be doing it!


Since June, IBM has offered an Upgrade Service for iOS 9 to ensure your enterprise applications are ready.

IBM is also ensuring our solutions will be ready for iOS9, particularly MobileFirst Protect (MaaS360) our enterprise mobility management (EMM) service.  MaaS360 clients have been testing our solution (in the production SaaS solution) for several weeks.  You can see some of the new Restriction settings in the screen capture below:


You can be confident that the moment iOS 9 is available, MaaS360 will instantly support these new management capabilities.  This is without any effort or upgrade charges for your organisation.

You can register for a free 30 day trial of MaaS360 at www.maas360.com and take it for a test drive within minutes.

Please contact me if you need any information on MaaS360.


Both named Gartner Leaders: IBM MobileFirst Protect (MaaS360) and IBM BigFix (Endpoint Manager)

IBM MobileFirst Protect (MaaS360) has earned IBM a leadership position in the Magic Quadrant for the 4th year in a row.

IBM was selected a Magic Quadrant leader for Enterprise Mobility Management (EMM) based on completeness of vision and ability to execute.

Gartner highlighted MobileFirst Protect’s mature shared-processing multi-tenant architecture, as well as reference customers who consistently praise MobileFirst Protect’s ease of deployment.


Likewise, it was the 4th year in a row for IBM BigFix (Endpoint Manager) to be named a leader in the Gartner Client Management Tools Magic Quadrant.

Gartner highlighted how BigFix excels in patch management, multiplatform support and overall scalability. In addition, organisations frequently use it to manage servers, particularly midsize organisations that prefer a single tool to manage PCs and servers.

Get your complimentary copy of Gartner’s latest report for enterprise mobility by registering your details here.

Please contact me if you need any information on either IBM solution.


Setting up BigFix Inventory 9.2

IBM BigFix (Endpoint Manager) has released a new Software Usage Analysis (SUA) module. This release includes a number of new capabilities, specifically SQL support.  BigFix Inventory (or SUA) also provides IBM sub-capacity measurement capability. IBM has provided a number of installation and administration guides here.  In the following article, I’ll step you through the key elements to set up SUA 9.2.

Prerequisites

  • I’d created a new Windows 2008 R2 server to run SUA 9.2.  My virtual machine had at least 8GB of memory and 2 vCPU
  • On the SUA server I had installed Microsoft SQL 2012 and updates
  • I had installed an IEM Agent and it was reporting back to the IEM server successfully.

Install and Configure the SUA 9.2 Server

  1. From the IEM console, select BigFix Management – License Overview and find the Software Usage Analysis section.  Next to IBM Endpoint Manager for Software use Analysis v9, select Enable.
  2. Click on IBM Endpoint Manager for Software use Analysis v9 and, under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes.
  3. Select System Lifecycle – Software Use Analysis – Server Setup and Software Use Analytics.
  4. From the SUA install screen you’ll want to choose a server which will run SUA.  For small environments, SUA could run on the same server as IEM.  However, as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 9.2.  Select that server and click Deploy Installer.
  5. SUA 9.2 will then show you a status screen as it downloads the SUA 9.2 software and then mirrors it to that server.  In my lab environment this took about 10 minutes.  You can check the progress of the download by looking at the running Actions too.
  6. On the SUA 9.2 server (my server was called SFTSGSUA9 – as it’s on Softlayer) I ran the installer setup-server-windows-x86_64.bat (as an Administrator).
  7. During the SUA 9.2 installation, select the defaults, including accepting the license agreement. Change the default installation path if required.
  8. I selected the default HTTPS port 9081 in my environment (you could choose another port if required).
  9. I selected System Account and finally reviewed the settings before clicking Install.
  10. When the SUA installation completed, I was shown a confirmation screen.
  11. Click on Done and a web browser is then launched to complete the SUA 9.2 configuration.  You might need to click through the certificate warning in your web browser.  I then entered my settings to configure SUA.
  12. After the import was completed (which did take a few hours in my lab), the SUA 9.2 application was then launched.
  13. Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server.
  14. Now that SUA 9.2 is up and running, we’ll set up the endpoints for SUA scanning.

Setup your Endpoints for SUA scanning

  1. From the IEM console, select System Lifecycle.  Then select Software Use Analysis, select Setup – Activate Analysis.  You should see seven Analyses.  Activate each of these.
  2. Next select Setup – Deploy Scanner to Endpoints and select Install Scanner, then select Take Action.  Select Target and select Dynamic target by property and select All Computers, if you want the scanner applied to every computer with an IEM Agent installed.  Otherwise you might create a manual group (called SUA 9 clients) and select it instead.  Click OK to run the Action.  The scanner will then be deployed to the endpoint.
  3. Select Setup – Schedule Scans on Endpoints.  Select Initiate Software Scan.  Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  By default the scanning process will run every 7 days.  You can change this value if you like.  Select OK when complete.
  4. Finally, select Setup – Schedule Uploads on Endpoints.  Select the Upload Software Scan Results fixlet.  Click OK to run the Action.  Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  You’ll see that the Fixlet will run any time new scan results are available and retry 3 times if there is an error.  Select OK when complete.

Note:  As mentioned above, it’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be set up for SUA processing.

Software Catalog Update

You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console.  You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs.  The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.

  1. From the IEM console, select Systems Lifecycle – Software Use Analysis – Software Catalog Update – Software Catalog Update.  Select Take Action and select your SUA 9.2 server.  The action will download the latest catalog and install this on your SUA 9.2 server.
  2. Login to the SUA 9.2 server console.
  3. Go to Management – Catalog Update
  4. Click Browse and locate the downloaded catalog file  (I expanded the ZIP file first)
  5. Click Upload.   Then select Import Now within the SUA console and browse to the file (D:\Program Files\ibm\SUA\sua_catalog)   and select the ZIP file.
  6. Click Upload 

    Note:  There is a Fixlet 1002 – Upgrade to the newest Software Usage Analysis 9.x catalog that can be run.  This will automatically download the latest catalog to the SUA 9.2 server.  The above task of applying this catalog via the SUA console is still required (thanks David Kosenko for this information).

That’s it!  SUA is now up and running and you can easily see what software is installed and being utilised in your company.  If you have any problems, please post your query to the new Bigfix forum.

Are you benefiting from IBM Endpoint Manager SUA?  If so we’d love to hear from you.

Darryl

Is Unified Endpoint Management (UEM) the new Enterprise Mobility Management (EMM)?

The IT industry loves buzzwords and acronyms.  We have RAM, SOA, EMM, VM, AJAX, HTTP…  Luckily we have glossaries available to help us decode what we’re talking about!

I suggest there is another acronym that is growing in popularity, UEM or Unified Endpoint Management.

In the past, organisations ran “traditional” server management tools, which extended to managing Windows PCs.  These are the traditional on-premises solutions such as IBM Endpoint Manager (IEM/BigFix), Microsoft Systems Center Configuration Manager (SCCM) etc.  Some solutions such as IEM did a great job to manage a variety of new devices, even when the devices were disconnected from the office network.

As smartphones arrived, IT needed a way to provide visibility and ensure devices were secured if they were lost or stolen. So independently, new mobile device management (MDM) solutions emerged.

Some MDM solutions have since evolved to provide advanced device and data security management.  These advanced solutions, such as MaaS360, include secure container solutions which separate business data from a person’s personal data.  MaaS360 provides a secure container across a range of mobile form factors such as iOS, Android and Windows Phone.  These solutions are what Gartner and the industry have termed Enterprise Mobility Management or EMM solutions.


However, very few EMMs also provide a true Unified Endpoint Management (UEM) solution: an integrated solution which can manage new and old PCs, Macs and mobile devices.  Many claim “we manage PCs and Macs”, but when you scratch below the surface, you soon realise it’s only the latest operating systems, via an initial set of management APIs in Windows 8 or Mac OS X.

MaaS360 has been managing PCs and Macs for over 10 years.  So it provides a set of more advanced PC and Mac management services.  Even those running Windows XP SP3!

So you can implement a SaaS solution in minutes, that can manage a wide variety of form factors from old Windows XP PCs to Microsoft SurfacePro 3,  iOS, Android, Mac OS X, Windows Phone and Blackberry.

I conducted a Webinar on Thursday 27th 2014.  You can register here and see a replay of the recording plus slides.