Disclaimer: This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated.
I have just recently joined BlackBerry as a Senior Sales Engineer covering the MEA region. For a couple of weeks now I have been exploring some of BlackBerry offerings specifically around Unified Endpoint Management (UEM) and here is what I found to be truly unique and different from other vendors in the market.
Truly Secure Apps, Only !
BlackBerry is the only vendor in the market, at least to my knowledge, that provides the ability to secure applications by means of containerization and remote access that being proprietary, ISV, and/or in-built SDK wrapped without the need to install any UEM client and/or Enroll the endpoint/device to an UEM infrastructure.
Essentially users can just install BlackBerry Access for example (A custom-built security driven chromium browser) and access internal web resources (without the need to publish these resources online) securely without having to install any special agent or go through lengthy MDM/MAM enrollment procedures. Same goes for ISV and custom in-built applications by customers that can be wrapped with BlackBerry SDK.
Users receive an auto-generated email ( linked to AD attribute ) with an access code that is generated by the administrator and that access code is used to authorize the application which is then completely containerized and securely remotely accessible with administrators having full control over that specific application and its data in case wipe or lock is required at any time.
Administrators that being infrastructure, networking, and security on the other hand have an easier time providing secure access to internal resources with full AD integration and without having the end user risk their domain password on endpoints (given how long and complex they have become !) on top of not having to publish internal web resources online with the ability to control business related apps settings and data at anytime.
Easy User Enrollment .
Users do not need to remember their UEM URLs to enroll or use BlackBerry UEM as they can simply enter their email address (No need for any custom DNS records) or more easily use the UEM agent built-in QR scanner which automatically pulls all needed configuration without any manual input (The user receives an automated email with the enrollment QR code). This applies to all kinds of enrollment including the use of BlackBerry applications-only deployment.
Intrinsically & Inherently Secure ?
One huge misconception I often face at customer engagements is the presumption that UEM which as of now covers MDM, MAM, and MCM is all the security an endpoint requires or that an MDM/MAM/MCM solution covers the whole security portfolio needed for a secure remote digital workspace .
MDM is all about policy management for different types of endpoints such as mobile devices with different operating systems, very similar to Group Policy for Windows machines. MAM is about securing application data by means of containerization. MCM is all about content secure storage and collaboration. So yes a UEM solution is a core security requirement and covers a big attack surface for digital workspace users nevertheless it does not protect users from viruses, malware, ransomware, phishing attacks, rootkits, and so on …
Think about the normal IT infrastructure for thick Windows endpoints for example, AD is used for authentication, GP is used for policy enforcement, AV agent is used for antivirus protection, APT agent is used for advanced persistent threats, malware, ransomware, rootkits, and maybe phishing attacks, SCOM is used for operations, SCCM is used for OS/application deployment/configuration, and so on … On the infrastructure part you have Firewalls, Intrusion Prevention Systems, Application Firewalls, Mail protection appliances, Application Delivery Controllers, Advanced Persistent Threat appliances, AV server, SIEM, SOC, Secure File Services with encryption, and so on … Bare in mind that many of these services are either being consolidated or depreciated by vendors as we move to a new architecture such as Modern Management, Identity Federation, and “Zero” Trust.
The digital workspace is different in that endpoints and users are not bound physically to the infrastructure, well they could be when working from office but from an architecture perspective for securing a digital workspace especially under “Zero Trust” which I like to call “Minimal Trust”, we always assume users are external and a constant security “threat” thus as much security products that a company invests in for local users, it does not necessarily apply to remote users. The Digital Workspace requires some of these infrastructure bound security services to be part of an UEM solution to offer true holistic endpoint security called Mobile Threat Defense (MTD).
An interesting thought here, before I reach my point, is that research has shown that humans intrinsically feel secure using mobile devices despite the fact that we have no security products installed on them, seems because of sociological and psychological reasons apparently. Do you have an AV installed on your mobile device ? Do you have an anti-ransomware agent installed on your endpoint ? Do you know if your SMS provider has an phishing protection appliance in place filtering SMS messages ? Did you ever consider reviewing the permissions every installed application on your mobile requests ? Did you ever debug an mobile application log for illegal or unauthorized access ? Did you ever question or suspect an application that is already verified by Google Play or Apple App Store ? Have you heard of mobile grayware or side-loaded applications ?
Mobile in my very humble opinion represents a very big or the biggest security attack vector especially for social engineering attacks because first they target human beings ! second they have become an indispensable part of our day-to-day lives including our work and third because of the very dangerous presumption that mobile devices OS’s are inherently secure. Although Mobile manufacturers and providers do their best to secure their platforms, they are still vulnerable to many attacks, take my word for it, mobile devices and endpoints are not inherently nor intrinsically secure.
BlackBerry recently acquired Cylance, a company that uses state of the art Machine Learning algorithms and Data Science to secure and protect all kinds of endpoints from attacks such as viruses, malware, rootkits, memory exploitation, application manipulation, phishing, and others without requiring any signatures or utilizing heavy endpoint resources. Cylance Protect combined with BlackBerry UEM is our solution for intrinsically secure user experience with protection from advanced persistent threats on both the device and applications level. Note that this protection will also work completely offline even protecting from zero-day exploits.
Cylance Protect will now be built into all BlackBerry Dynamics applications and its UEM client out of the box with all the machine learning driven security goodies targeting different types of endpoints especially mobile devices threats such as side-loaded application detection, malware scanning, app store malware scanning, phishing and malicious URL detection/prevention, offline protection, and IOS app integrity all from a unified UEM console integrated within the applications SDK so no need to deploy or manage any additional agents. This makes Blackberry a UEM provider with intrinsic built-in MTD capabilities, something that I have never seen in other UEM vendors up till now (Lets see what VMware does with Carbon Black/Workspace One and what Microsoft does with its Azure driven Endpoint Manager and Windows Defender ATP).
Windows 10 & macOS Live On … !
Modern Management in Windows 10 is not just a term but an actual attempt by Microsoft to get rid of Group Policy and SCCM by any means necessary, consolidate Intune with SCCM, and onboard users to Azure hosted Endpoint Manager that can handle all types of devices even non Microsoft ones such as IOS and Android while maintaining the same level of control users had with the combination of GP/SCCM/Intune. One reason is that the proliferation of devices that being Microsoft or otherwise has become a reality from an endpoint perspective so customers started moving to better UEM solutions that can handle all these different Operating Systems with the same level of security and policy management. Secondly and more importantly is User/Device context in the digital workspace has become core to the real balance between security and productivity proving much needed context driven security agility & adaptability which is the ultimate goal of any digital workforce initiative (BlackBerry is handling that with Spark Intelligent Security).
The Legacy way of doing policy and identity management is now dead simply because it was not built with Minimal Trust and Contextual Access in mind. Microsoft has recently made the move to consolidate SCCM and Intune in an effort to drive modern management from a consolidated console but more so to force customers to move to Azure but that is a different discussion. Anyhow, the story here is that thick endpoints that utilize Windows 10 and MacOS are still a major part of the digital workspace and will continue to be so in the coming years so any plan should take this point into consideration.
BlackBerry Access secure browser and BlackBerry Work secure email client both have a complete working production version for Windows 10 and MacOS which provide the same security features such as containerization/encryption/lock/wipe/settings on top of more importantly access to internal resources without the need to publish these resources publicly online. Top that with the fact that this also works without the need for any kind of MDM enrollment and is completely managed from the same unified UEM console. BlackBerry Work integrated with Access for Desktop devices is not outlook feature/look&feel wise I should add but is still a fully working email client that gets the job done with the additional BlackBerry NOC provided at-rest and in-transit encryption and in the near future Cylance provided ML driven protection.
BlackBerry Access on Windows 10 and MacOS can also connect to back-end VDI environments that support HTML5 thus completely removing the need for any VPN even if full desktop functionality is required from within the browser. BlackBerry partnered with Awingu for the same and has certified their solution to be fully supported on BlackBerry Access.
Other vendors still rely on per-app VPN, continuous VPN, SDN, ADC and other means to secure applications from desktops but BlackBerry took the time and effort to build its secure SDK to Windows 10 and MacOS using a proprietary chromium browser with an email client integrated into it thus enabling customers to fully utilize its built-in UEM security features for all types of endpoints without having to invest in Application Delivery Controllers.
NAT, PAT, FW Rules, IP’s, AD Creds, LB ??? … Nah !
If you have every worked with any UEM solution from the most prominent vendors out there, you would know how many Firewall rules, Public IP addresses, NAT/PAT, and Application Delivery Controllers required to get the whole solution portfolio production running. That is not necessarily a negative thing, I believe that every product has its own architecture and subsequently requirements that provide a certain add-value so don’t get me wrong on this one.
Blackberry UEM requires no public IP addresses (except for certain customer specific scenarios) and subsequently does not require any NAT/PAT or inbound ports. It also uses one outbound port that needs to be opened to the outside world and that’s about it. It also supports connections through proxy servers that support HTTP connect (any decent proxy server does) so that it maintains established connections. Blackberry UEM also supports simple Load Balancers or even DNS round-robin for that matter because of the BlackBerry NOC orchestrating connections and even Multi-Site deployments do not require an application delivery controller (except for certain customer specific scenarios). You can run a highly available multi-site BlackBerry UEM infrastructure without requiring expensive application delivery controllers for GSLB or additional components (except for certain customer specific scenarios).
If UEM self-service is to be enabled for external users and/or direct connect is required which basically skips the BlackBerry operated NOC then only a single public IP is required with 2 ports NAT and related Firewall rules. More so, no public DNS record is required (except for certain customer specific scenarios) and UEM enrollment can be done with simply an email address and a provided secure enrolment code so no need for any AD credentials while enrolling to apps only, MAM only, MDM only, or full UEM.
Cloud Infrastructure & NOC
The ability to operate without any public IP addresses or NAT, with minimal ports, and using low infrastructure resources is not magic. BlackBerry has cloud hosted infrastructure in most regions worldwide and operates a NOC for secure applications as well. Customers have the option to bypass the NOC for any specific requirements such as government regulations but then again the NOC does not store any personally Identifiable Information (PII) nor does it store any AD credentials.
The added value of utilizing BlackBerry NOC for UEM application delivery is that it adds an additional layer of protocol encryption that prevents man-in-the-middle attacks which can come in handy for protecting remote workers in high security risk countries. This ensures that data at rest, data in-transit, and data exchanged between applications is encrypted and secured all the time.
Microsoft Azure & Office 365 Integration …
Like it or not, Office 365 is becoming De facto standard for organizations worldwide and Microsoft has made sure that securing Off365 applications for endpoints is bound to Intune. BlackBerry has worked with Microsoft to ensure that customers that want to use office 365 applications with BlackBerry secure proprietary applications can do using BlackBerry Enterprise Bridge. Customers still need an Intune license because of Microsoft licensing requirements but configuration and management can be done from BlackBerry UEM console.
“BlackBerry Enterprise BRIDGE is a BlackBerry Dynamics-enabled and Microsoft® Intune protected app. It provides a secure bridge between BlackBerry Dynamics apps such as BlackBerry Work and Intune managed mobile apps such as Microsoft Office. This secure bridge ensures that data encryption and document fidelity are preserved in the document-sharing process, and that common1 data leakage policies are applied.”
Single Unified Management Console
The management of all four components of a secure UEM solutions that being MDM/MAM/MCM/MTD is done from a single unified console with BlackBerry UEM. More so, all other Blackberry portfolio products related to UEM are even integrated within this unified console such as BBM Enterprise, SSO, Identity Management, and 2FA Multi-Factor Authentication.
On-Premises/Cloud Feature Parity
Another interesting BlackBerry UEM differentiator is feature parity between on-premises and cloud deployments so customers enjoy full support and new features wherever they decide to host their UEM infrastructure without any compromise and the same goes for licensing in terms of perpetual or subscription.
Ease of Installation & Management
The ease of deployment and management of BlackBerry UEM is also an important factor, as administrators do not need to juggle between different interfaces or manage/support different components. Two Windows server machines are more than enough to support thousands of users in a highly available production environment.
I have had my hands dirty with many mobility implementations over the last couple of years from different vendors out there and I have honestly found BlackBerry the easiest to install and manage, Of course, there are other features you get from different vendors that have additional components but that will always depend on the customer requirements and desired outcome of any proposed solution.
This was by no means a marketing or sales oriented blog nor was it a comparison between BlackBerry UEM and other vendors but rather what I found different in this platform based on my experience with many other platforms. Having joined BlackBerry only adds to my convictions which I have listed many times in earlier blogs, no product is ultimately superior to its competitors, every product has its own architecture, features, requirements, value proposition and so on … What really matters is how a solution features meets customer requirements and achieves a desirable outcome.