Home > Blogs > VMware Consulting Blog > Tag Archives: Mobile Workforce

Tag Archives: Mobile Workforce

How to Set Up a BYOD/Mobility Policy

By TJ Vatsa, Principal Architect, VMware Americas Professional Services Organization

TJ Vatsa

Smart phones have surpassed one billion worldwide for the first time in 2012 and that number will likely double by 2015, says Bloomberg. Smart phone sales are even surpassing desktop and laptop sales, according to IDC’s Worldwide Smart Connected Device Forecast Data.

Rolling out a bring-your-own-device (BYOD) policy and infrastructure to handle the influx of personal devices can be a harrowing journey if it’s not well planned. With users today demanding anytime access to business productivity apps, devices, and data on personal devices, not having a policy in place can be even more detrimental.

The first step to implementing a BYOD policy is to think about the devices themselves, how you’ll manage them, and the applications that are being used. VMware’s Horizon EUC (End User Computing) suite can act as the broker and management platform between devices and applications to ensure that the corporate network stays secure. (And users stay happy.)

The recent acquisition of AirWatch makes VMware the undisputed leader in the space of BYOD and mobility, providing the most mature EUC solution portfolio on the market today. This solution portfolio includes some of the key capabilities, such as:

  1. MDM: Mobile Device Management
  2. MAM: Mobile Application Management
  3. MCM: Mobile Content Management
  4. MEML Mobile Email Management
  5. SCL: Secure Content Locker
  6. And a plethora of additional features and functionalities

Now, having touched on the “why” above, let’s take a look at the “what” and “how” of the BYOD/mobility policy.

What: Devices, Applications, Management, Customizations

Below, I’ll lay out general steps to think about in your BYOD policy and tips to putting it in place. That said, every policy requires its own customizations: there’s no-one-size-fits-all approach. Healthcare has different requirements than a financial institution would, for example.

First Step: Devices and Access
With many solutions in the market, customers and integrators can overlook design. So the burning question an architect needs to ask is: “What kind of access for what types of devices?” For the purposes of this blog, we’ll look at the three most typical categories: LAN, VPN, and public network access (see chart below). You can use the sample matrix below to better assess the access you’d like to grant.

For instance, you’ll put devices on the X axis and network access on Y axis. Your LAN will need to be the most secure; therefore, only company-issued devices will have access. But BYOD devices can still gain network access through VPN or a public network, just no access to the LAN itself. These access and device controls need to be driven by your corporate security policies.

How: Design Dos and Don'ts (Devices & Access)

 

Second Step: Features and Capabilities
Once you’ve figured out access levels, next create a matrix to assess the desktop features and capabilities you’d like to grant. Public network settings will be the most stringent, but VPN and LAN will provide the security you need to enable most desktop features. You’ll want feature category on the X axis against network access on the Y axis, like so:

How: Design Dos & Don'ts (Features & Capabilities)

With your LAN, multimedia redirection is another consideration. If a user is accessing a desktop on the corporate network, audio and video capabilities might require provisioning on the end device. In certain cases, WAN bandwidth may cause an issue accessing corporate recordings. The same issue may happen with printing as well. Ensure that you comply with corporate IT policies while evaluating and enabling such features.

Third Step: Applications
Last, consider your applications entitlement. It’s easy to restrict applications through the catalog of applications provided in the Virtual Workspace Catalog, and the entitlements can be adjusted by department–so your finance department will get access to a different catalog of applications than HR would. Or you can restrict application entitlements based on security rules. For instance, Active Directory GPOs (Group Policy Objects) can be effectively used to enforce business/department specific security policies.
image4-Entitlements-Vatsa-4.18.14

As you can see, creating a BYOD policy doesn’t need to be daunting. If you think through the various steps, you’ll have a secure network access, happy end-users, and a policy that ensures a successful and a mature adoption of your enterprise BYOD/mobility strategy.

I hope you will find this information handy and useful during your BYOD/mobility architecture design and deployment strategy.


TJ Vatsa has worked at VMware for over four years, with over 19 years of expertise in the IT industry, mainly focusing on the enterprise architecture. He has extensive experience in professional services consulting, cloud computing, VDI/End-User Computing infrastructure, SOA architecture planning, implementation, functional/solution architecture, and technical project management related to enterprise application development, content management, and data warehousing technologies. Catch up with TJ on Twitter, Facebook, or LinkedIn.

Horizon Mirage 4.4: Game Changer for Mobile Workforce Backup and Recovery

John KramerBy John Kramer, Consultant at VMware

I am excited to share what I think is a game changing feature of the new release of Horizon Mirage: its ability to do remote backup and recovery in the cloud. This provides a huge boost in both ease of use and security of end user data on your corporate endpoints.

Previously, using Mirage off network required some form of VPN access to connect to the Mirage servers in the data center, but new enhancements mean that’s no longer the case. With Horizon Mirage 4.4, VMware introduces the Mirage Edge Gateway. Thanks to collaboration between the Mirage development team, the VMware Light House program, and VMware Professional Services, our behind-the-scenes efforts have brought this new feature to all Mirage customers with this release.

This new feature is something I have been asking product management to consider for a while now, as more and more people no longer use VPN to access corporate resources. It’s a pain to constantly log into VPN—a complaint I’ve heard often in my years supporting sales reps who say that the VPN just gets in the way of getting their jobs done.

How Does It Work?
The Mirage Edge Gateway sits in the DMZ of the enterprise network and allows a Mirage client to securely sync with the Mirage servers in the data center whenever a laptop has an active Internet connection.

Deployment is simple. The diagram below gives you an overview of how to put all the pieces together. Most companies have an external firewall and the Mirage Edge Gateway simply sits in the DMZ and proxies Mirage traffic back to the Mirage Cluster that sits on the corporate network.

Mirage Edge Implementation Architecture

There is one main difference between an on-network and off-network Mirage client connection: when off network, all Mirage traffic is directed to the Mirage Edge Gateway during which time the Mirage client will prompt the end user for credentials.

This added layer of security is based on Active Directory or LDAP credentials and a security token is granted for a specific amount of time that a network administrator determines. This means the end user could be prompted for a password once a week, twice a month, or whatever a security team deems appropriate.

Using a security token means end user credentials are not stored or cached and end users aren’t constantly bombarded with prompts for credentials to accomplish a Mirage sync. (I do recommend a longer timeout value versus a shorter timeout because you want to make sure the endpoints are backed up at the end of the day.)

Mirage on Site with Customers

A few customers recently told me that they have remote workers who rarely or never come into the office. In one particular customer’s case, a third of its workforce is completely mobile—meaning 4000 mobile end points. Before Mirage, those mobile workers said they would rather come into the office than log into the VPN.

This is why the Mirage Edge Gateway is such a genius solution. Not only does the Mirage solution allow remote users to protect the data on their endpoints, but also they don’t need to be at the office or on the VPN for backups to take place.

With the addition of the Mirage Edge gateway, Mirage can completely replace cloud-based backup solutions like CrashPlan, Mozy, and Carbonite, with the benefit of allowing IT to securely control the solution in the corporate data center

Commercial cloud-based backup solutions don’t typically offer the image management and layer management features that are included out of the box with Mirage. Furthermore, while Mirage secures mobile workforce data in your corporate data center, it allows both IT and end users flexibility when they need to recover data. For example end users can recover deleted files or previous versions of files directly from Windows Explorer by right clicking a file or folder.

Mirage Edge in Windows Explorer

 

Mirage also makes a great solution for migrating user data when it comes time for a lease refresh of old endpoints to new hardware. If you’re still running Windows XP, Mirage can help reduce the effort around a Windows 7 migration.

With its remote backup and recovery in the cloud, Mirage means ease of use for remote users and a more secure solution for IT. The only problem now is that those remote users may never head into the office.


John Kramer is a Consultant for VMware focusing on End-User-Computing (EUC) solutions. He works in the field providing real-world design guidance and hands-on implementation skills for VMware Horizon Mirage, Horizon View, and Horizon Workspace solutions for Fortune 500 businesses, government entities, and academics across the United States and Canada. Read more from John at his blog: www.eucpractice.com

Slowing Down for Strategy Speeds Up the Move to Mobile

By Gary Osborne, Senior Solutions Product Manager – End User Computing

Today’s workers are more reliant on—and demanding of—mobility than ever before. They need personalized desktops that follow them from work to home. They need to connect from multiple devices through rich application interfaces. The challenge for IT organizations is that bring-your-own-device (BYOD) initiatives are often wrapped in, and encumbered by, tactical issues—perpetually pushing strategic discussion to the back burner.

Working hard, but standing still

By focusing on a tactical approach, many IT organizations find themselves on the BYOD treadmill—they get a lot of exercise but never really get anywhere!  Developing an overarching strategy before setting out on the journey provides much needed guidance and positioning along the way. This isn’t a step-by-step plan, but rather a clear vision of the business challenges being addressed and the value being delivered back to the organization. This vision, including direction, a clear definition of phased success, and defined checkpoints along the way, should be articulated and understood throughout the organization.

Getting your organization to buy into the importance of an overarching strategy can be a tough sell, especially if near-term goals are looming. But it will pay off many times over. According to a recent study by IBM, “Those IT organizations that treat mobile as both a high priority and a strategic issue are much more likely to experience the benefits that mobile can bring to an organization. The July report, Putting Mobile First: Best Practices of Mobile Technology Leaders, reveals a strong correlation between mobile success and establishing a strategic mobile vision, along with external help to implement it.

Take the time – but not too much

Those IT organizations that achieve measurable success with their VDI and BYOD initiatives found the right balance between too little time developing a sound strategy and the all-too-common “analysis paralysis” of taking too much time. we  We have worked with customers that have found that balance in part by keeping a clear focus on the business value that BYOD solutions can provide and an eye toward what they need to achieve and deliver to the business to declare success.

Jumping straight to the tactical activities and placing orders for “guestimated” infrastructure without knowing the strategy that will support it are two of the most common pitfalls I see lead to failed or stalled BYOD initiatives. By focusing on the value mobility can deliver to the business rather than get bogged down in the technical details, a strategic exercise can be completed swiftly and deliberately, meeting the speed of change in today’s mobility.


Gary Osborne is an IT industry veteran and is part of the VMWare Global Professional Services engineering team responsible for the End User Computing Services Portfolio.  Prior to his current role, he provided field leadership for the VMware End User Computing Professional Services practice for the Americas.

Staying Ahead in the Boom of the Mobile Workforce

Today’s IT department is inundated by new devices, new applications and new ways to work. It used to be that IT defined, provided and supported the device or endpoint; they defined the refresh or upgrade cycle; they assessed, procured and installed all the applications. Users had very little influence or input into what they used at work. Today, that’s all changed.

In this 2-part video blog, Ted Ohr, Sr. Director of Professional Services and Mason Uyeda, Sr. Director of Technical Marketing and Enablement discuss the incredible explosion around end-user computing and the mobile workforce, the challenges that IT faces and what VMware is doing about it.

In this new landscape, we have users with choice, multiple devices and multiple ways for IT to approach the challenges of control vs. agility vs. cost. In Part 2, Ted and Mason highlight VMware’s IT solutions space for the customer, providing users access to the data and applications they need to get the job done

With over 18 years of technology experience, Ted Ohr is the Senior Director of Americas Service Delivery, which includes Software Defined Data Center, Mobility, Project Management and Technical Account Management. In addition to driving services revenue growth in Latin America, he is also responsible for leading all aspects of service delivery, thought leadership and best practices for VMware’s Professional Services business for both North and Latin America, helping to ensure customer success and satisfaction.
Mason Uyeda joined VMware in November 2007 and leads technical and solution marketing for VMware’s end-user computing business, bringing more than 18 years of experience in strategy, product marketing, and product management. He is responsible for the development and marketing of solutions that feature such end-user computing technologies as desktop virtualization and workspace aggregation.