
How to deploy IBM MaaS360 for EMM

MaaS360, IBM's cloud-based EMM service, provides MAM, secure document sharing and a simple cross-platform management interface.

Since the early days of mobile device management, MaaS360 by Fiberlink, an IBM company, has evolved into a full-featured enterprise mobility management suite.

IBM MaaS360 is designed to deliver mobility management as a service so it requires no hardware installation, setup or maintenance. Subscribers log into Fiberlink's website, activate the enterprise mobility management (EMM) services they desire and they're ready to roll. With cloud-based EMM, it's easy to start with a small pilot and pay-as-you-grow. IBM MaaS360 is also available as MaaS360 On-Premises, which lets IT admins deploy the product on a virtual appliance inside their own data centers.

MaaS360 is basic enough for small businesses, but flexible enough to support diverse enterprise use cases. A large enterprise, for example, can use IBM MaaS360 Secure Mail on all employee-owned devices and still use mobile application management (MAM) for employees with more extensive mobility needs.

How to deploy IBM MaaS360

Once a company creates a MaaS360 account, IT administers all EMM services through MaaS360's intuitive dashboard, which supports a range of options without creating a cluttered interface. Admins can add users and groups manually or import them from an enterprise user directory such as Active Directory, Lightweight Directory Access Protocol or Oracle. IBM MaaS360 invites users via email or SMS message to enroll their devices once admins specify a username, email address and phone number. It also applies a default mobile OS platform, policy and compliance rule set unless admins specify otherwise.

The user follows the QR code or URL to complete enrollment on her devices, follows the prompts to log in, accepts MaaS360's terms of use and the company's usage policy and completes the appropriate policy installation for each mobile OS. For example, on iOS devices, users must agree to Apple's iOS mobile device management (MDM) profile installation.

Depending on the mobile OS, basic MDM services may not require IBM MaaS360 apps, but some services require the MaaS360 agent, Browser or Secure Editor -- prerequisites admins can automate with MaaS360 MAM.

How to operate IBM MaaS360

MaaS360 is largely invisible on smartphones and tablets. Users are not involved in EMM operations such as security policy and compliance enforcement unless absolutely necessary.

For example, a MaaS360 admin can configure policies consisting of iOS profile settings such as passcode length, complexity and age. Additional settings include application rules, VPN, cellular, calendar subscriptions, certificates, web domains and more. Although each mobile OS supports different settings based on the version and device capabilities, the IBM MaaS360 dashboard still presents admins with similar settings in a consistent manner no matter the platform.
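As an added illustration (not from the original article and not MaaS360 code), the sketch below audits the passcode payload of an iOS configuration profile, the format an MDM server pushes for passcode length, complexity and age. The payload keys are Apple's documented passcode-policy keys; the baseline thresholds, the profile identifier and the sample profile are assumptions constructed for the example.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Assumed organisational baseline (illustrative thresholds, not MaaS360 defaults).
BASELINE = {"minLength": 8, "maxPINAgeInDays": 90}

# Constructed sample profile, shaped like one an MDM server would push to iOS.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.corp.baseline</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>requireAlphanumeric</key><false/>
  </dict></array>
</dict></plist>"""


def audit_passcode_policy(profile_bytes):
    """Return a list of findings for the profile's passcode payload(s)."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode payload: this profile does not enforce a passcode"]
    findings = []
    for p in payloads:
        # Absent keys fall back to the permissive value, so omissions are flagged.
        if not p.get("forcePIN", False):
            findings.append("forcePIN is off: a passcode is not required")
        if p.get("allowSimple", True):
            findings.append("allowSimple is on: repeating or sequential passcodes pass")
        length = p.get("minLength", 0)
        if length < BASELINE["minLength"]:
            findings.append(f"minLength {length} is below {BASELINE['minLength']}")
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric is off: digits-only passcodes pass")
        age = p.get("maxPINAgeInDays")
        if age is None or age > BASELINE["maxPINAgeInDays"]:
            findings.append("maxPINAgeInDays is unset or above the baseline")
    return findings


if __name__ == "__main__":
    for finding in audit_passcode_policy(SAMPLE_PROFILE):
        print("FINDING:", finding)
```
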

Admins can create compliance rule sets to determine what happens when a device deviates from policy. For example, admins may choose to notify the user, quarantine the device by temporarily removing Wi-Fi, VPN, or email access, or perform a full or selective device wipe. The latter removes MDM control and all settings, content and apps MaaS360 installed but leaves personal apps and data intact.

Depending on the capabilities of a device and an organization's privacy policy, admins can use IBM MaaS360 to locate or send a message to a lost device, wipe or lock a device or reset its passcode. They can also use Apple AirPlay to troubleshoot a problem.

How to use IBM MaaS360 for MAM

MaaS360 provides a relatively comprehensive set of MAM tools, but it's up to each subscriber to decide if and how to apply them.

IBM MaaS360 admins can add iTunes and Google Play apps, iOS and Android Enterprise Apps, Android for Work private channel apps and Web apps on iOS, Android and Windows Phones. They can apply different policies to specific apps, including configuring enterprise app settings. Admins can also push apps individually or in bundles to users, groups or individual devices. As a result, it's easy to auto-install and update business apps without user involvement.

Admins can also let users choose if and when to install apps, and notify them if they have bad apps on their devices by creating whitelist and blacklist application compliance policies that, for example, prevent devices from installing known-malicious apps. To do so, admins can pair MaaS360 with an app risk management service, which warns them which devices are running apps with a bad reputation and provides tools to quarantine devices that pose a risk to business data or apps.

IBM MaaS360's top features include:

  • MDM for cradle-to-grave lifecycle management of iOS, Android, Windows Phone and BlackBerry mobile devices;
  • Mobile application management for policy-driven over-the-air software installation, maintenance, containerization and control;
  • Secure Document Sharing for IT-managed enterprise file access, sharing and synchronization across mobile devices;
  • Secure Mail and Secure Browser for authenticated, encrypted business productivity applications, governed by IT-managed policies;
  • Secure Productivity Suite, combining Secure Mail, Secure Browser and MAM for containerized protection and segregation of business data;
  • Mobile Threat Management for mobile malware detection and remediation; and
  • App Risk Management for mobile app vulnerability analysis and policy enforcement.

How to use IBM MaaS360 for Secure Document Sharing

To protect corporate assets, admins can specify MaaS360 compliance rules to detect devices that are not up to snuff, including devices running outdated mobile OS versions, devices lacking file or block-level encryption capabilities and jailbroken/rooted devices. If a device violates any rule, quarantine actions trigger automatically.

With Secure Document Sharing, IBM MaaS360 admins pair documents and folders with policies to deter data leaks. For example, restrictions can block export, cut/copy/paste, preview and/or deletion for individual documents or entire folders.

Admins can deploy these documents in authenticated, encrypted containers to users, groups or devices. Admins can permit mobile access to enterprise SharePoint sites with similar restrictions to stop data leaks. If a device is lost or compromised, the locked container prevents unwanted access to downloaded files, and admins can remove the document container and further enterprise file access with a selective wipe.

Bottom line

IBM MaaS360 continues to grow with new capabilities such as geofencing, which applies policies when a device is near a specified location or connected to a named WLAN. The company also added integrated mobile app reputation analysis and Secure Email and Browser apps. Monitoring and reporting tools let admins eyeball application reputations, quickly spot compromised or noncompliant devices, and create custom views that reflect both common queries and concerns specific to each workforce.

MaaS360's cloud approach makes it easy to deploy and scale. IBM's acquisition of Fiberlink undoubtedly means tighter integration between MaaS360 and offerings such as MobileFirst, giving enterprises a suite of tools to facilitate enterprise mobility.
