iPhone vs BlackBerry-Lee Neely


  • 8/4/2019 iPhone vs BlackBerry-Lee Neely


    Lawrence Livermore National Laboratory

    Lee Neely, CISSP, MSP ISSO

    LLNL-PRES-412835

    Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551

    This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344

    iPhone vs. BlackBerry: young upstart meets old standard

    June 2, 2009


    Why are we here?

    - LLNL Users are asking for the iPhone
    - LLNL BlackBerry implementation - not production
    - Claims were made the iPhone can be implemented for free
    - Rumors of using personally owned iPhones doing LLNL work


    Examine the devices

    Basic assumptions:
    - Corporate email/VPN pre-exists
    - ActiveSync/Exchange on internal network
    - Blackberry Enterprise Server (BES) can reach Internet
    - Not looking at illegal device configurations

    What to look at:
    - Device focus
    - Device startup
    - Device configuration status
    - Device security settings


    Device Focus

    BlackBerry
    - Corporate device
    - Many security features
    - Business applications - new app store released
    - Optimized for centralized management
    - Runs device specific software
    - CDMA/GSM/Wi-Fi
    - Verizon/AT&T/Sprint/etc.

    iPhone
    - Consumer device
    - Nominal security
    - Lots of new and cool apps
    - Optimized for individual management
    - Runs a version of MacOS X
    - GSM/Wi-Fi
    - AT&T service only


    Device Startup - minimal impact

    BlackBerry
    - Use Blackberry Internet Service (BIS) to get mail to device - user configures
    - If using Wi-Fi, use VPN to reach corporate apps
    - Time
      - Per device - ten minutes
      - Pre-setup - nominal

    iPhone
    - Configure built-in VPN to access corporate network (Configuration can be sent to device)
    - Device accesses existing services - user configures
      - ActiveSync if Exchange
      - POP/IMAP services if using
      - Web Applications
    - Time
      - Per device - ten minutes
      - Pre-setup - configuration setting file (optional)


    Device Startup - full corporate integration

    BlackBerry
    - Install and configure BES
    - Enterprise Activate device
    - Email/Calendar/etc. configured
    - Applications pushed/white listed
    - Corporate application access depends on MDS
    - Time
      - Per device - enterprise activation time (5-20 minutes)
      - Pre-setup - BES

    iPhone
    - Create configuration w/iPhone Configuration Utility (ICU) and deploy to secure web server in DMZ
    - Edit iPhone policies in Exchange (optional)
    - Install and configure ActiveSync in DMZ
    - User finalizes configuration (Username/Passwords)
    - Time
      - Per device - two minutes
      - Pre-setup - configuration, ActiveSync, etc.


    Simplified Infrastructure: Exchange access


    Simplified Infrastructure: Application access


    Where does that leave you?

    BlackBerry
    - Managed when connected to BES - which is full time
    - Continuous user content push
    - Immediate access to corporate applications
    - Security policies permanent

    iPhone
    - Managed when it can reach ActiveSync (VPN, DMZ, or hole in firewall.)
    - User content updates only when it can reach ActiveSync - DMZ solves
    - Access to corporate applications when VPN connected.
    - Settings can be removed - deletion removes data


    Security Features

    | Function | BlackBerry | iPhone |
    | --- | --- | --- |
    | Secure Contents | Content Encryption (memory card separate) | Need application e.g.: Sybase iAnywhere Mobile Office Suite |
    | Security Configuration store | BES | Exchange Policies/iPhone Configuration Utility (ICU) |
    | Communication Model | Device connects to RIM then to BES, BES is corporate gateway. | Device connects to ActiveSync over VPN and/or Internet. VPN for corporate apps |
    | Live Policy Updates | BES provides continuous connection - tight coupling | When ActiveSync is reachable, over VPN or Internet - loosely coupled |
    | Wipe | Yes, Remote or manual - BES initiates - has DOD spec wipe. Memory card separate | Yes, remote - must be connected to ActiveSync, manual has erase option. |
    | Inactivity Lock | BES configures | Policy can be pushed from ActiveSync |
    | Remote Lock | Yes, BES initiates | N/A |
    | Sync email/calendar/notes | Via BES | Via ActiveSync |
    | Encrypted communications | Certificate Exchange PKI protects end-to-end | ActiveSync server connected via SSL. IPSec VPN to corporate network. |
    | Web Browser functionality | MDS provides gateway, some applications work, BES admin must configure | Business Applications work, need VPN or gateway, device configured |
    | Access to internal Net | BES/MDS | Need VPN or gateway - device configured |


    Security Features cont.

    | Function | BlackBerry | iPhone |
    | --- | --- | --- |
    | Configuration | BES pushes to device | Policy can be pushed from ActiveSync |
    | S/MIME | Works - with right SW, and exportable cert. | Need application e.g.: Sybase iAnywhere Mobile Office Suite |
    | Wireless | WEP, WPA personal & enterprise, WPA2 personal & enterprise | WEP, WPA personal & enterprise, WPA2 personal & enterprise, 802.1X EAP, PEAP & LEAP |
    | VPN | IPSec VPN (some models) works with Wi-Fi, not required with BES/MDS | Cisco IPSec, L2TP/IPSec, PPTP |
    | L/Q Building | Remove Battery | Only option is airplane mode |
    | Startup | BES/MDS (Centralized) | VPN (Decentralized) or ICU configuration |
    | Device Management and Software Updates | BES or Desktop Manager | iTunes SW update |
    | Target Audience | Business user | Consumer |
    | Applications | Many business focus. Can control tightly. | Many consumer focused. Issue of personally licensed software and introduction of Malware |
    | Application restrictions | Lock w/BES, white list | No limit |


    Conclusion

    BlackBerry
    - Moderate setup
    - Moderate entry fee
    - Strongly managed
    - Always on synchronization
    - Structured device software updates
    - BES or Desktop Software can restore configuration
    - Limited application compatibility - you may need a laptop for full functionality
    - Content protection or S/MIME support - native

    iPhone
    - Quick Startup
    - Low entry fee
    - Loosely managed
    - Syncs when ActiveSync reachable
    - Immediate device software updates
    - iTunes can restore configuration (from desktop)
    - High degree of application compatibility - are able to run most business apps/webmail.
    - Content protection or S/MIME support - additional application.


    Questions?

    My contact information:

    Email: [email protected]

    Phone: (925) 422-0140
