This content is part of the Essential Guide: Consumerize This: Supporting consumer devices and cloud

Different security policy strokes for different mobile folks

One way to support mobile devices and personal computers in the enterprise is to create different security policies for different devices.

There are plenty of security concerns that come into play when you support bring your own device (BYOD) -- whether that device is an iPad, Android phone or even a personally owned PC.

Applying corporate policies through the application delivery mechanism is one way to ease security management, said Michael Thompson, an IT contractor for a large financial institution and technology consultant for Aurora Blue Technologies. Many of the developers and contractors at the financial institution use personal computers to do their work, so IT applies different Citrix NetScaler policies to different devices depending on what the worker needs to access.

In this Q&A, Thompson talks about how a bring your own device program can include personal laptops for workers who need them -- plus, the tools that help manage the devices and allow for file sharing.

What support do you offer for people accessing personal mobile devices or laptops?


Michael Thompson: The only thing that we support is whatever we provide to you. We don't say, 'No, we're not going to help you,' though. If it's something we believe we can fix, we'll try to fix it. For the most part, what we work on the most is Citrix Receiver and XenApp -- that's the stuff we [officially] support.

With Citrix Receiver, it doesn't matter what [the endpoint] is, whether it's Android, iPhone, iPad, computer, laptop. On phones and iPads, people are mostly accessing XenApp [applications]. That's because the experience is usable, but it's not preferable. As far as laptops and computers, that's all XenDesktop desktops. Where we're seeing [bring your own PC or Mac] the most is offshore developers and contractors.

What are the restrictions or policies you have for those PCs or mobile devices?

Thompson: The only thing that changes [depending on the device] is the corporate policy that they get. Policy is done through Citrix NetScaler. According to what 'bucket' you're in, that allows you access to specific things.

For corporate-owned devices, there's a cert that it looks for. There's a Citrix policy that says if you have this certificate on your corporate-owned PC, then you have access to all the VLANs, network resources, etc. Then, if it's an offshore developer [using a personal computer], they're done under a whole different piece. All of their desktops are completely locked down; they can only access the stuff that they're working on. They can't get to any network resources except the ones we provide to them. Contractors are enabled on a case-by-case basis. There are internal VLANs, and then other free-roaming VLANs, and those are pretty locked down.

Whatever application you access within XenApp is going to be the same experience no matter what device you're on, because that's also locked down by policy. Internet Explorer is a good example, because that can be a big hole if you're not careful with it. Typing in the address bar, you can launch anything you want through Internet Explorer. … So we lock down everything except the actual Internet Explorer .exe executable; when you launch Internet Explorer, you can't launch anything else.
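The device-bucket model Thompson describes (a corporate certificate unlocks internal VLANs, personal and offshore devices get only the resources explicitly provided to them) can be sketched as a small policy evaluator. This is an added example, not the institution's NetScaler configuration; the issuer string, bucket names and resource names are constructed placeholders. It also shows the check a practitioner would want beyond mere certificate presence: issuer, expiry and revocation are verified before a device lands in the privileged bucket.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

# Constructed placeholder for the corporate device CA the policy trusts.
CORP_CA_ISSUER = "CN=Corp Device CA"


@dataclass
class ClientCert:
    issuer: str
    not_after: date
    revoked: bool = False


@dataclass
class Device:
    owner: str                         # "corporate", "contractor" or "offshore"
    cert: Optional[ClientCert] = None  # absent on personal devices
    # Resources granted case by case to a locked-down device (constructed names).
    project_resources: Set[str] = field(default_factory=set)


def bucket(dev: Device, today: date) -> str:
    """Assign a policy bucket. Only a valid, unexpired, unrevoked corporate
    certificate places the device in the full-access bucket; anything else,
    including a merely *present* but invalid cert, is locked down."""
    c = dev.cert
    if (c is not None and c.issuer == CORP_CA_ISSUER
            and not c.revoked and c.not_after >= today):
        return "corporate"
    return "locked-down"


def allowed(dev: Device, resource: str, today: date) -> bool:
    """Deny by default: corporate devices reach everything, locked-down
    devices reach only the resources explicitly provided to them."""
    if bucket(dev, today) == "corporate":
        return True
    return resource in dev.project_resources


if __name__ == "__main__":
    today = date(2014, 6, 1)  # constructed evaluation date
    corp = Device("corporate", ClientCert(CORP_CA_ISSUER, date(2015, 1, 1)))
    offshore = Device("offshore", project_resources={"xenapp-dev-tools"})
    print(bucket(corp, today), allowed(corp, "vlan-internal", today))
    print(bucket(offshore, today), allowed(offshore, "vlan-internal", today))
```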

What management tools and methods do you use for mobile devices?

Thompson: As far as MDM, MobileIron is what we're using. XenMobile is something that on the virtualization team we've looked at, not just for the device management, but also for the statistics we can get out of it. We can get more information out of XenMobile than we can out of MobileIron.

Clients and end users are happy as long as they can get to their stuff, no matter where they're at. The big thing has always been any device, anytime, anywhere. So as long as they can get to what they need to get to, they don't care how we deliver it. NetScalers have been a huge help because we can push policies across the board and make them more even. That's been the easiest way for us to handle [mobility].

But the hard point [with BYOPC] is that, in a financial institution you've got people out there who are making a million dollars a month for the company, so it's hard to say, 'Sorry, I can't fix your computer.' That's where the gray area is. It's a new way of doing business; it's a new way of how you deal with your end users. The other piece is: Do you give the people who are willing to buy their own device a voucher? How do you handle that financial aspect?

Do you support any consumer cloud-based services for employees?

Thompson: We use Podio, ShareFile, Dropbox for us internally and also for demos for clients. We do everything from timesheet management, hourly work, contracts [in the cloud]. All of our customer information is in Podio. Then there's a ShareFile app for everything. I use Dropbox for personal stuff too, as a backup solution currently. … We also use Amazon Web Services; currently we're doing a build out to be a Citrix Service Provider.

Some companies are still leery about the whole cloud piece because of the control factor. It's a cultural change for a lot of people, and they're used to having that in-house. But things in the [cloud] have become more secure. … And with AWS, for one, they're doing that resource metering for you; you don't have to track it yourself. It makes things easier because it's easier to manage. When you need to build up, you build up; when you need to tear down, you tear down.
