IBM Fiberlink MaaS360 a Leader in the 2014 Gartner Magic Quadrant for Enterprise Mobility Management
MaaS360 has earned IBM Fiberlink a leadership position in the Magic Quadrant for the 3rd year in a row.
IBM was selected a Magic Quadrant leader for Enterprise Mobility Management (EMM) based on completeness of vision and ability to execute.
Gartner highlighted the MaaS360 mature shared-processing multi tenant architecture. In addition, reference customers who consistently praise MaaS360’s ease of use for both end-user and administrator.
MaaS360 is one of the few MDM products, where you can literally use their MDM product in minutes. A customer can register their details at www.maas360.com for a 30 day trial, and take it for a test drive within minutes
Get your complimentary copy of Gartner’s latest report for in-depth analysis of where enterprise mobility by registering your details here.
Please contact me if you need any information on MaaS360.
IBM BigFix can not only provide software distribution but also Operating System Deployment (or OSD). OSD includes the ability to upgrade operating systems (such as Windows XP to Windows 10) but also perform bare metal installations. I’ve recorded two edited video’s of OSD in action for an upgrade and bare-metal installation.
OSD is a feature of IEM’s Lifecycle Management service and a lot of detailed documentation is available here. My colleagues have now produced an excellent step-by-step guide of the setup and use of OSD.
- Setup of OSD
- Deploying the Windows 7 Image to a Windows XP system
- Bare Metal Imaging
- Quick Reference Guides
MaaS360’s Secure Productivity Suite (SPS) or secure container is available on iOS, Android and now Windows Phone. Clients have been particularly interested in MaaS360’s secure container for Windows Phone. The different mobile experience and something different is quite a discussion point in live demonstrations.
Organisations realise that Windows Phone will be a viable third force in mobile devices. Windows Phone 8 is just beginning to see broader adoption in the U.S. and in Europe, and I’d agree in Australia and Asia Pacific too.
I’m still looking for a OS X / iPhone Reflector equivalent for Windows Phone (if possible) for live demonstrations. So for the clients who have asked, I wanted to share a number of screen captures of Windows Phone 8 running the MaaS360 SPS (‘secure container’).
You’ll notice the MaaS360 SPS not only features email and calendar, but also the ability the securely share documents and your internal web resources via the secure browser.
I look forward to doing more testing with the Windows Phone 8 and MaaS360, and demonstrating this capability to our clients.
Samsung Australia were kind enough to loan me Galaxy Note 3 to test it’s capabilities with MaaS360. It’s a fantastic smartphone and the screen resolution was amazing.
MaaS360 provides a range of Android device management. Samsung have extended this capability for their devices via Samsung SAFE (Samsung for Enterprise). MaaS360 also has the capabilities to provide remote control of these devices, just like a traditional PC or Mac.
Enrolling a device to MaaS360 is very simple. The administrator can configure all users to enrol in a pre-defined URL, which they can then be authenticated to a companies Active Directory server. The following are a set of screen captures when I enrolled my device.
The Samsung phone would then register to MaaS360 and I could then manage the device. I was then able to distribute the MaaS360 Remote Control application.
The user would install the application as shown in these screen captures:
The MaaS360 administrator can then select to remote control the device as shown:
The user is then prompted on their phone to accept remote control.
After a few seconds, the administrator can view and take control of the device as shown in this video.
MaaS360 is a multi-tenant SaaS based Enterprise Mobility Management (EMM) solution. It not only manages mobile devices (iOS, Android, Windows etc) but also your traditional Windows and Apple Macs (OS X) too. To provide visibility of a companies internal resources such as Active Directory, Exchange, Domino or Blackberry in a secure manner to MaaS360, Fiberlink created the “Cloud Extender” (CE). The Cloud Extender is a small Windows application that you can install on an internal Windows server (physical or virtual machine) as shown in the following diagram:
This article details how I setup the Cloud Extender in our lab running on Softlayer, which consists of Active Directory (x2) and Exchange 2010 server (I tested with the Exchange 2007 Exchange Management Tool and PowerShell options below).
Setting up the Cloud Extender on your internal server
- The setup guide and Cloud Extender Configuration Tool executable is available from the Setup MaaS360 console as shown
- On your nominated intranet server, run the MaaS360_Cloud_Extender.exe and follow the defaults until it is installed.
- Run the Cloud Extender Configuration Tool and select if it’s communicating to the Internet directly or via a proxy. The CE needs communication to *.fiberlink.com and *.maas360.com on ports 80 and 443:
- Select the Services to be configured. You can select various Exchange versions, Lotus Traveller, Blackberry BES, User Authentication (Active Directory or LDAP), User Visibility (Active Directory or LDAP) and Certificate Integration:
- The Cloud Extender Configuration Tool runs a series of prerequisite checks:
- I next configured the Service account to communicate to Active Directory and Exchange. I then tested Authentication:
- I didn’t apply any device managmeent restrictions as shown below:
- The Cloud Extender then completes it’s configuration and it automatically downloads any required components from MaaS360:
- The Cloud Extender has an Automatic Software Update feature which is nice. Finally click Finish.
Cloud Extender from the MaaS360 console
Now login to the MaaS360.com console and select Setup and Cloud Extender. You can see the range of services configured and last communication times.
You can then run a series of tests to ensure the Extender running correctly.
So that’s it! Incredibly easy and I took less than 30 minutes to walk myself through the installation and configuration. If you have any questions, the MaaS360 MDM forum looks a great place look first. Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to www.maas360.com/IBM.
Today IBM announced the aquisition closure of Fiberlink Communications. Fiberlink have developed an amazingly simple to use Enterprise Mobility Management (EMM) service. MaaS360 is one of the few MDM products, where you can literally use their MDM product in minutes. A customer can register their details at www.maas360.com for a 30 day trial, and take it for a test drive within minutes. No waiting for sales contacts to contact you first, no migration to other services if you like to use the product after the trial.
I’ve found MaaS360 extremely easy to use. Which is feedback I’ve also heard from clients evaluating other MDM solutions. The MDM in minutes video provides a great overview:
The team at Fiberlink also provide PC and Mac management, which is based on IBM Endpoint Manager (BigFix) technology. So I look forward sharing with you how IBM Endpoint Manager technology will integrate with MaaS360 in the future. I’ll also post my experiences and insights into MaaS360 on this blog too.
IBM BigFix is popular with Managed Service Providers (MSPs) for it’s ability to manage hundreds of thousands of endpoints via a single multi-tennant architecture. BigFix provides MSP’s the flexibility for either centralised or delegated administration models.
Bigfix is typically installed in a centralised architecture as show below. A single Bigfix server is installed at the MSP to manage several clients from one platform. The BigFix server may be installed with Distributed Server Architecture (DSA) for larger environments. Some MSP’s prefer to leverage virtualisation technologies for disaster recovery such as VMware Site Recovery Manager (SRM).
BigFix can manage thousands of separate customer networks (each with thousands of endpoints), without requiring a VPN connection to each client. This is achieved via BigFix relays. A relay is essentially any endpoint but performing some additional responsibilities. BigFix can also manage roaming endpoints which may have left those clients and are working at other remote locations (home, hotels etc).
Top Level Relays (MSP Relays)
To manage these endpoints, the MSP will need to separate the BigFix server from the public internet via one or more relays. These relays can be designated relay1, relay2, relay3 etc. as extra capacity is required. The suggested guideline is approximately one of these MSP’s will support 1000 child relays, which you can think of is approximately 1000 MSP managed customers.
Including another relay for redundancy is good practice. So for most MSP’s with two top level relays, this could support around 2000 child relays (or managed customers). For the purposes of this.. example, I have called this top level relay relay1.msp.com.
At each customer office that will be managed by the MSP, it’s recommended to install a relay. If you don’t, each endpoint will communicate back directly to the top level relays. So there is additional bandwidth requirements. Each endpoint will most likely need to have command polling enabled. So each endpoint ‘phones home’ on a regular basis.
If you deploy a relay, this can be an existing server already in the DMZ (running a range of Windows, Linux or Unix operating systems). The BigFix agent is installed which communicates back to the top level relay called relay1.msp.com. The server relay1.internal.org is promoted as a relay using Fixlet ID 1642 Install IBM Endpoint Manager Relay (Version 9.0.787.0). Check of course for later versions.
Network and DNS Requirements
Ensure you have TCP ports 52311 open at both the MSP and client firewalls. You can check this by performing the following telnet commands:
telnet relay1.msp.com 52311 telnet relaycust1.msp.com 52311
You can also also use a web browser and browsing to the relay’s address and append :52311/relaydiagnostics as shown below:
The MSP should designate the DNS name of the top level relays for client registration purposes (see below). The MSP doesn’t need to define DNS entries for the client relays (such as the name relaycust1.msp.com), although you might simple do this to assist with future network diagnosis.
Endpoints at each of the remote offices need to register back to the MSP’s BigFix server. This is not possible via direct communication. It’s achieved by configuring the remote client to register via a nearby relay. In our example above, this is to relay1.internal.org as detailed in this article. The client then registers all the way back to the MSP’s BigFix server via the relay servers.
Most MSP’s allocate each client a unique Client Identification (CID) as outlined in this wiki article. They do this so all the endpoints can be easily classified and grouped together. Select Computers, Tools – Manage Properties and create the following cid property:
The cid value can be defined at endpoint registration time via a clientsettings.cfg setting. This number can be allocated from the BigFix console, by selecting the server, clicking the right mouse button, then selecting Edit Computer Settings… Then select Add, and enter a setting name of cid and the appropriate number you’ve designated. ie. 0001. Once you’ve clicked ok, it can take a few minutes for this new value to be applied to the endpoint and the results sent back to the BigFix console.
You can define separate administrator accounts to only manage those clients endpoints. To do this, create a local account or LDAP role. Then as shown below, only assign computers that match the appropriate cid value. When the user logs back into the BigFix console, they will only be able to administer computers with the cid of 0001.
As outlined in this article, circumstances may arise whereby the MSP is required to manage and/or deploy custom content for a specific customer. To avoid all customers BigFix Clients downloading and evaluating this custom content, the MSP must create “Custom Sites” and subscribe only the specific customers BigFix Clients to that site. Create custom sites for each client and assign computers to them using the following example:
Also note that by default, the BigFix Operator accounts you create for each customer cid will have no access to the IBM External sites, such as Patches for Windows, Asset Discovery, Inventory & License, etc, so you will need to give “Reader” access for any of these sites that are required by these customer specific BigFix Console Operator accounts.
Running Actions to remote endpoints
With the above BigFix architecture in place, the administrator can deploy a patch to a remote endpoint and see it’s progress in realtime. Here is a short five minute video showing a small Microsoft hotfix being applied to a remote server. Remember that this server is isolated at the remote clients network, and has no direct communication to the Internet or central MSP BigFix server. All communication is performed via the BigFix relays.
You can see how BigFix provides a flexible multi-tenant service for Managed Service Providers (MSPs) without complex networking or server requirements.
It was recently reported that a Microsoft Windows and Office vulnerability was already being targeted by criminals. If you search on Google for keywords such a Windows and zero day exploit, it’s interesting to summarise the respective web pages mentions:
- Windows – Approximately 7 Million web pages
- Mac – Approximately 500K web pages
- Linux – Approximately 500K web pages
IBM’s X-Force team publish all new threats via their X-Force Alerts and you’ll see the usual suspects. As outlined in this CRN Article, IBM’s X-Force Team advised that attackers “use a path of least resistance to gain a maximum return on exploits”.
It’s one thing to be notified of these threats, but how do you confidently address them easily within your organisation? This is a particular challenge with thousands of PCs and Macs and a mobile workforce. Some of whom may be travelling for days and not regularly connecting to a corporate network.
The good news is, there are tools that can help. Within hours of vulnerability being identified, IBM’s BigFix team will package and re-test a published hotfix (or suggested alternative). For example for the Windows and Office vulnerability outlined above, this in in the form of a temporary hot fix. This is then published by IBM in the form of a Fixlet, making this critical fix immediately available for all IBM Endpoint Manager servers and their clients. Each IEM agent then reports to it’s vulnerability status back to the customers BigFix console, so you have a realtime view of the number of endpoints effected.
The BigFix administrator can “Action this Fixlet” (ie. go ahead and fix those PCs and Servers thanks!), which will dynamically download the hotfix and apply it to tens or hundreds of thousands of endpoints. The administrator can once again view in realtime the remediation status. So at anytime, the BigFix administrator report this information to their organisation or security auditors.
In addition to the range of operating system vulnerabilities/patches addressed by BigFix, the following is a list of applications managed by the IBM Content Delivery Team include the following (thanks to Peter Tuton for putting together this list):
- Flash Player (including browser plug-ins)
- Shockwave Player
- Remote Desktop
- Internet Explorer
- SQL Server
- Mozilla Firefox
- Nullsoft WinAmp
- Oracle Java Runtime Environment
How is your organisation addressing the Zero Day threat?
IBM BigFix provides clients with the ability to manage hundreds of thousands of endpoints from a single console. These can be a range of operating system types such as Windows, Linux, Apple Mac OSX and Unix. Oh, don’t forget mobile devices too!
You can install your BigFix environment with an relay running in your DMZ, you can also manage your mobile workforce and public cloud resources too. A BigFix relay is simply any existing IEM agent thats been given a few more additional tasks. They provide bandwidth and server scaling benefits and a proxy between externally managed devices and your internal network.
Your public instances will typically be Windows or Linux operating systems running on your public cloud of choice such as Amazon Web Services (AWS), IBM Softlayer or Microsoft Azure.
Configuring the IEM Client for Public Internet Instances
Each operating system you wish to manage needs to have the BigFix agent installed. IBM offers a range of agents for Windows, Mac OSX, IBM AIX, HP-UX and Solaris. The BigFix agent when it’s started, will attempt to register itself back to your BigFix server. This will be via details stored within the actionsite.afxm (renamed from the masthead.afxm file). This file is unique to your IEM server and is stored on your IEM server in the Program Files (x86)\BigFix Enterprise\BES Installers\Client directory.
Of course, if you have a public cloud instance the BigFx client won’t be able to reach your privately hosted BigFix server. You need to provide the client a few additional details so it can ‘phone home’. This will be your relay in the DMZ and it’s DNS name or IP address. These details are stored in the clientsettings.cfg file. The following article provides details on how to configure this, but all it requires is just one or two lines as shown in this example:
Of course, use your DNS server names. The clientsettings.cfg file is used when the BigFix client is installed.
Deploying your IEM Clients
You may wish to deploy your BigFix clients using the client deployment tool, Active Directory or login script as I detailed here. However for a public cloud environment, some platforms provide image deployment capabilities. Much like VMware’s powerful image template feature, with your cloud provider you will create a ‘gold image’ with your desired operating system, fixes, software and IEM agent installed. You need to follow the instructions in this article so the IEM agent ready to work correctly as new instances are deployed from this image.
Amazon Web Services (AWS)
With AWS, you can create your gold image by creating an instance, shutting it down and selecting Actions – Create Image. You then have an AMI from which you can deploy new Instances as shown below. AWS provide the EC2Config service to also provide Sysprep and other image configuration features.
With Softlayer, you can use the same approach with their Flex Image. Softlayer also provide the ability to execute a script which will be executed on a newly provisioned SoftLayer device, which is another approach to configure client settings if required.
When your instances start for the first time, they will automatically register to the BigFix server and be visible in the console. You’ll then be able to provide the following services from your console. This is possible for your private AND public instances !
- Patch Management – Operating System Patches, plus a number of 3rd party applications such as Java, Adobe etc.
- Core Protection – Anti-virus/Anti-malware
- Security and Compliance – security checklists such as CIS, DISA STIG, FDCC and USGCB.
- Software Usage
- Remote Control
If you have BigFix baselines enabled, you can then be assured that those endpoints are automatically patched to a minimum level and an appropriate security posture is applied. IBM BigFix provides per server licensing, so you pay as those instances need to be managed. It would be great to hear from you if you’re managing Windows or Linux instances on AWS or Softlayer.
Buried inside many devices we don’t consider as PCs lurks Windows XP. These are devices like cash registers, vending machines, parking meters and automatic teller machines (ATMs).
Whilst Linux is one alternative, Windows XP has provided the right mix of a reliability, multitasking and wide device support many organisations have needed. This trusty operating system was released back in 2001 and it’s support is finally ending on April 8, 2014. That’s less than 162 days from now!
For your home PC, popping in a Windows 7 DVD and doing an upgrade isn’t a big deal. However for organisations running ‘purpose specific’ devices on XP, this will involve an incredible amount of time and effort.
A recent article by Kevin Casey from Information Week advised that presently “around 75% of ATMs in the U.S. are based on XP”. I recently met with a retailer who advised their cash registers were tuned only for Windows XP. They simply won’t have the CPU and memory resources to run Windows 7. When you consider they have thousands of cash registers that might need to be replaced, it’s a significant outlay. So many organisations are understandably looking for solutions to manage XP for longer if they can.
The good news is that IBM Endpoint Manager (IEM) continues to support the Windows XP operating system. This includes our Core Protection module which provides anti-virus/anti-malware. This capability is critical for ATM’s and cash registers, as hackers being to target these devices. For example, the reported example of malware detected on ATM’s in Mexico running Windows XP.
If you are in the position to upgrade these devices, IBM Endpoint Manager has an operating system deployment capability. This means you can remotely upgrade these endpoints to Windows 7 or Windows 8 (whether that be in-place or bare metal).
IBM Endpoint Manager can protect hundreds of thousands of endpoints, even those connected on very low bandwidth and high latency networks. This capability ensures a bank running IEM can update their ATM’s reliably from a single console. For another financial client SunTrust, this meant their patch cycle times reduced from 2-3 weeks to 2-3 days.
How are you preparing to migrate from Windows XP? How will you support it if you don’t?