Remote Users and the Need for Mobile Containerization


Perhaps unsurprisingly, over the last few months there’s been a definite upsurge in the number of conversations I’m having with customers and partners around end users wanting to use their personal devices for both home and work purposes, in a secure fashion and without risk of data loss.

The need for this is likely to rise further as individuals tire of being locked in back-to-back video conference meetings and decide to mix up their day a bit by answering emails on their phone during their daily walk, whilst still having access to corporate apps and data. Obviously, the challenge for IT admins and MSPs when providing corporate access on personal devices is also providing security and integrity of company data. This is where Sophos Mobile can come into play: it has some great containerisation capabilities which are worth a reminder!

The first form of containerisation we brought out in Sophos Mobile, and perhaps the most well-known, is our container apps “Sophos Secure Workspace” and “Sophos Secure Email”. These two container apps allow an organisation to manage only the data for those apps and not the rest of the phone. An overview of the features of these two apps can be found here.

A key benefit of these container apps is that they provide a simple and non-intrusive way of giving end users access to corporate data. The apps and their sensitive data can swiftly be removed via Sophos Central by an admin, or by an end user whose phone has been stolen, for example. The other great feature these container apps provide is “geo-fencing” and “Wi-Fi-fencing”. This means the admin can define the geographical location the phone must be in to access the corporate data in these apps, or which access points can be used when accessing corporate data.

One of the main BYOD requirements I often see, however, is for corporate email to be accessible only via a corporate app. This can also be achieved with the Secure Email app in conjunction with the Sophos EAS proxy and some alterations in the O365 Exchange admin centre, which I will explore further below.

The Sophos container apps do have their limitations, and for those of you who are new to Sophos Mobile, you may find yourselves wondering whether it’s possible to create a container area on the device and push corporate apps into it rather than relying solely on the Sophos container apps. The answer is yes, and this is where “Android Enterprise Work Profiles” come into play.

The two main methods of Android Enterprise enrolment are full device management and work profile management. The former is the most well-known, as it’s the main and current way we provide corporate management of devices. It provides full control, but requires a factory reset to enrol the device in this way.

AE Work Profile is sometimes overlooked because Sophos Container Only mode (Container Apps) is mistaken for the only way of providing containerisation and BYOD capabilities. AE Work Profile sits nicely in the middle: it provides a lot of the functionality you would want in a BYOD deployment and does not require you to factory reset your end user’s personal device. Thank goodness!

The Android Enterprise Work Profile allows you to create a separate space on an Android device running Android 5.0 and above. This gives you the advantages of the Sophos Container apps whilst also letting you control the portion of the end user’s phone required for work purposes. The work profile is natively kept separate from the rest of the device. This means work data is not shared across to the personal part of the phone, and corporate apps can be silently installed or simply made available via the Play Store within the work profile.

Play Store apps can be pre-populated with company settings before being delivered to the device, and there are further controls for blocking screenshots and clipboard sharing. There are also two device settings you have some control over: you can require that the device has an access PIN, and you can deploy Wi-Fi settings from Sophos Mobile.

As with Sophos Container Only mode, you can also completely remote wipe this “work partition” and leave the rest of the device untouched. The end user experience can vary slightly depending on firmware version, but the underlying technology is the same. It is provided via the Android Enterprise API, which has incorporated some of the KNOX capabilities into the base Android OS.


End-user setup for any of the BYOD modes is the same and very simple. It is a case of getting the user to download the “Sophos Mobile Control” app and scan a QR code. This can be done via an email sent to the end user and/or by getting them to log in to the Sophos Central Self-Service Portal to enrol.

Lastly, the Sophos EAS proxy provides you with a way of telling your email server which mobile devices may receive corporate email. There is also an option to enforce that only the Sophos Secure Email app can receive corporate email. The EAS proxy works with a traditional on-premises mail server as a man in the middle, but we have also published a PowerShell script. With some configuration in the O365 Exchange admin centre, this enables you to allow email only to devices that Sophos Mobile has dynamically approved.

You will need an available server to act as the proxy; this can be hosted wherever you like.

Setup documentation can be found here.

If you want to get it to work with O365 there are some additional steps listed here.
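As an added illustration of the Exchange Online mechanism that a dynamic device-approval workflow drives (this is not the Sophos script itself; the admin UPN, mailbox, device ID and device-type query string are placeholders), the quarantine-by-default plus per-mailbox allow list looks like this in PowerShell:

```powershell
# Added example: Exchange Online ActiveSync device-access model.
# Not Sophos's published script; all identities below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder admin

# 1. Tenant default: devices that are not explicitly allowed are quarantined,
#    so a newly enrolled phone gets no mail until the MDM approves it.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mdm-admin@contoso.example"                # placeholder

# 2. Optional: only the corporate mail client may sync. The query string is
#    a placeholder; use the DeviceType your approved app actually reports
#    (see the review step below to find it).
New-ActiveSyncDeviceAccessRule -Name "Allow corporate mail client" `
    -Characteristic DeviceType -QueryString "CORPORATE-CLIENT-DEVICETYPE" `
    -AccessLevel Allow

# 3. Per-mailbox approval: the device ID would come from the MDM's list of
#    compliant, enrolled devices rather than being typed by hand.
$mailbox  = "alice@contoso.example"          # placeholder mailbox
$deviceId = "DEVICEID-PLACEHOLDER-0001"      # constructed placeholder
Set-CASMailbox -Identity $mailbox -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# 4. Revocation on unenrolment, wipe or loss: remove the ID and the device
#    falls back to the tenant default (quarantine).
Set-CASMailbox -Identity $mailbox -ActiveSyncAllowedDeviceIDs @{Remove = $deviceId}

# 5. Review: which devices are currently held in quarantine, and why.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceAccessStateReason
```

Step 5 is also the quickest way to confirm that a device a user reports as "not getting mail" is simply awaiting approval rather than blocked by a rule.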

In summary, Sophos Mobile can really enable your customers to be more flexible in the way they work. It can help you fulfil the BYOD and security requirements you’re getting from customers, and it can be managed alongside all their other Sophos security products.