MDM Solution: Air-Watch and mobilEcho implementation

Over the past few months I have been working on a system to unify the management of our mobile devices and allow a BYOD policy at the same time. Currently we do not allow Androids in our business because of the security risk associated with them. But there is a lot of drive from our employees to go to them, as well as some good business reasons to do so. These reasons include the wide selection of carriers and the relatively low cost of both the phones and the tablets. This makes the Android a very attractive platform. The security and fragmentation of the platform, however, have made it kind of hard to make a jump to the Android OS company-wide.

And being a small IT department of two people managing 300+ users, I didn’t want to manage another device or server to accomplish these goals.

So with that in mind, I began looking for a MDM solution that would meet the following criteria:

The solution should

1) Manage multiple platforms including iOS, Android, Windows Mobile, and even Blackberry.

2) Be easy to use. I don’t want to go through six weeks of training just to figure out how to use it.

3) Allow apps to be rolled out en masse.

4) Allow enforcement of security policies.

5) Allow selective wipe of company data from personal phones.

6) Roll out company settings for mail, VPN, WiFi, etc.

I chose four different solutions to evaluate. (Well, technically five, but since the Apple Configurator won’t manage Androids, Blackberries and Windows phones, it was DOA.)

The first was MobileIron. I was enthralled by MobileIron, but that soon waned when I discovered that MobileIron was an “on-premises” box that would need to be configured and maintained. But I was still tempted. MobileIron definitely has the security nailed down. I liked how it could handle rogue apps and the management seemed very smooth and tuned.

Next I looked at Meraki. Meraki was just bought by Cisco and honestly that’s the reason I took a look at them. And oddly, it was also the thing that drove me away from them. Right now, the price is free. Yup, free. However, while they state they have no intentions of changing that, I have seen things like this change dramatically shortly after the little fish is eaten by the big fish. This would force me to reevaluate the MDM solution and possibly re-implement another MDM solution at some point in the future. Worse yet, they could discontinue it altogether and leave me in the lurch. It is a fine solution, and spreads far beyond just mobile devices to include PCs and Macs, but I need to minimize disruptions to the employees and this uncertainty didn’t leave me with a warm fuzzy feeling.

The next two on my list were Air-watch and MaaS360, both at the recommendation of my CDW rep. After asking some folks I know at other companies and at the recommendation of some folks over at the IT Admin Forum at LinkedIn, I decided to try Air-watch first.

After they went through a short tutorial and got the initial test server configured, there were some minor issues but nothing huge. It did seem, at the beginning, that the profiles that Air-watch pushed out were hit or miss in regards to their implementation and their effectiveness. But after a while the basics were covered and everything was working fine. I was ready to broaden the test and implement an EIS (Enterprise Integration Server) internally and start rolling it out to some test users. Now I know, dear reader, that this flies in the face of my requirement of not having another server to manage, but please understand that this is merely a piece of software that runs on an existing server and has an agent that syncs Active Directory information with the off-site Air-watch server. It also allows the Air-watch Secure Content Locker to map internal WebDAV shares, network shares, and SharePoint shares. This was going to be, for my company, the true selling point and power of Air-Watch.

Or so I thought. Initially everything worked fine. But then I started adding more shares and the problems began. Without getting into too gory of details, the shares that I had way exceeded the normal capacity of Air-watch. And truthfully, even I was surprised by the quantity of documents we had and were trying to share. It turns out that in our main folder structure there were over 2,500,000 documents. It seems that currently (and I am speculating here because it is where AW stopped indexing the documents) AW is limited to about 184,000 files. Which is probably fine for 99% of the users, but we needed to either a) find something that would get all of them, b) change the way the data is retained and structured or c) limit what we put in the SCL.

Before I continue, however, I want to take a moment to mention the customer support at Air-watch. From the sales rep to the tech support, they are one of the most dedicated groups of folks I have ever seen in the industry. I could be cynical and say it was just because I was testing the software that they were so dedicated, but honestly the numbers just don’t support such cynicism. We simply don’t have a large enough user base for that to be true. So I feel they were doing it out of the commitment to the product and the customer. A number of times I had called it quits on AW because I didn’t think it was going to be a good fit, but they worked with me and held my hand until I realized that it was a good fit and had a place in my organization. And more than that, they were going to help me make this MDM solution a success come hell or high water. You don’t find that often enough in IT companies.

Because of their dedication to product and customer, I never even made it to testing MaaS360.

So with the MDM solution secure, except for the ability to get network documents on the mobile devices, I decided to see if there was a piece of software dedicated to just that: putting data in network shares on mobile devices.

So after some investigation, I found mobilEcho by GroupLogic. Like AW, it also places a few small files on the server (which I placed on the same server with the AW EIS software) and runs two services: one to index the files in the locations you want to share on the mobile device and the other to manage some extended permissions, handle wiping data, sending out enrolment notices, etc. All the management for the software, other than the indexing portion, is done through a simple but effective web interface.

Out of all the installations I have done and software I have implemented, I would have to say that this is one of the simplest and easiest-to-configure software packages I have ever seen. I had it up and running in about ten minutes. And the speed is incredible. Navigating the network shares on the mobile device is literally faster than doing it on the computer. I don’t make this statement lightly: this software is amazing. The reactions from my test users were as follows:


“Buy it.”

“Holy S*%$”

“How can I get this on my PC?”

The only caveat to it, and this is really a matter of choice, is that we are not going to open it up on the firewall. So my end users will need to access it via VPN. That means there is an additional step or two they will need to do to get access to their data which they would not have needed to do using the AW SCL. But in the end, that’s okay because the tradeoff in speed is well worth those couple of extra steps.

I am now working on getting a firm count on mobile devices and users and working out pricing. I think these two products are going to benefit my company enormously and increase our competitive edge in our market.

God has an interesting sense of humor sometimes…

I recently encountered a neighbor at a local supermarket. She asked me if I had called the police on the neighbors next door. I stated I hadn’t and asked her why she was asking. She stated that she had noticed a lot of odd activity next door with a lot of people coming and going at all hours of the day and night. She spoke to the police about this activity. She then informed me that (without going into too much detail) they were apparently recovering addicts.

Being a father of small children, I got very concerned.  I immediately went into hyper-protective mode.  I was going to get a CCTV system and put it up and monitor the house.  I was going to take some serious steps here.  I was going to call the landlord and ask her what she thought she was doing…renting to THOSE kind of people.  How dare she put my family at risk!

The whole while, a little voice kept chiding me not to judge even as I was ranting about the situation in front of my children. I struggled with it because I was torn between wanting to protect my family and wanting to follow the words of Christ and withhold judgement. Thankfully, between the little voice and the price tag of the CCTV systems I looked at, I decided to hold off until I learned a little more. After all, all I had against them was the word of a neighbor. And honestly, in every respect they had thus far been good neighbors. They were quiet, they put up holiday decorations. They even shoveled my sidewalk one day.

The very next day guess who shows up in our church…the same neighbors.

My wife and I couldn’t believe it. What a poor example I was in front of our kids…trash talking the neighbors and the landlord.  All the while we had folks right next door looking for a church.  And instead of meeting them, getting to know them,  and asking them if they were interested in coming to church, we assumed the worst and hid ourselves away.

I cannot believe that this was a chance occurrence.

God has an interesting sense of humor…

Well played, God, well played….lesson learned.