Apologies firstly if this has already been asked before.
With more and more businesses implementing BYOD such as iPads etc, I wanted to ask what is the best method that have worked in real life situations for you guys?
In our situation which is not a very complex on, we have a sa4500 cluster and the business is giving ipads out like candy.
What are your views on creating a BYOD realm and then implementing controls on the realm? What have you done to:
1. Provide secure access
2. Not affect end user ease of connecting to the network?
I know with Junos Pule 7.2r2 you can implement some basic HC checks such denying access to rooted or jailbroken devies?
Thanks in advance guys!
Juniper | Guy
Outside the SA host check you may also consider what resources are allowed on any portable device that you cannot be sure is encrypted. Loss of unencrypted data of certain types can be expensive or reportable affairs.
If the iPads are company purchased and owned you may consider getting an MDM solution. There are a number of third parties that offer on-site or cloud options to control and manage the devices. Leading features are requiring the addtion of a lock code that on iPads will also encrypt the data. And providing a simple interface to remote wipe a lost/stolen device. And a simple interface to locate lost/stolen devices. Many solutions also support Android and windows mobile phones.
For iPads also consider the email connection and information that is downloaded to the device. If you have exchange 2007 you can control the activeSync connector by account so only those authorized can remote sync. You can also use policies in exchange to require the passcode and have some remote wipe control on the device.
I would start with your corporate legal representative or risk management area. They can give a run down of what the business and regulator issues are around data loss. These typically drive both the need for these types of efforts and also how big the risk is for your company. This really varies a lot by industry. In healthcare the data loss fines are very high and the reporting requirements make losses very public.
We kept it simple because it's really just Outlook-type traffic for us. We used the Apple iPhone Configuration Utiity to set some minor restrictions like no iCloud, require a passcode and encrypted backups. We then set up a virtual port on the SA and require a client certificate to connect to the SA. The client certificate is distributed with the Apple .mobileconfig file. We then direct all ActiveSynctraffic through the virtual port to a Websense "Mobile Agent". It's not really an agent because it's a virtual server in our data center and it runs as an ActiveSync proxy. We apply our normal DLP policies to the ActiveSync traffic via the Websense Mobile Agent. If something gets blocked by DLP, the iPad user gets an email telling them to use their laptop or desktop to read the email.