Digital Workspace

EMM Solutions Keep Mobile Devices Secure at USDA, DHS and SBA

Enterprise mobility management tools help agencies create a comfortable user experience while simultaneously protecting information.

Dan Tynan

Google+ Twitter

Dan Tynan is a freelance writer based in San Francisco. He has won numerous journalism awards and his work has appeared in more than 70 publications, several of them not yet dead.

At the Department of Homeland Security, workers rely on Personal Identity Verification cards to authenticate their identity on desktops and notebooks, but the cards don’t work on smartphones. DHS relies on enterprise mobility management to handle credentials for more than 100,000 mobile devices.

The sprawling department, made up of nine component agencies, uses a variety of EMM solutions, says Tom McCarty, director of DHS’ Enterprise IT Services division.

The Federal Emergency Management Agency and the Coast Guard have standardized on MobileIron, while the Transportation Security Administration and Immigration and Customs Enforcement use BlackBerry’s Enterprise Mobility Suite. The other agencies rely on AirWatch or Apple’s device enrollment program.

When it comes to devices, DHS employees can choose between iOS and Android, and that can pose management issues.

“Particularly with credentialing, because the way Apple manages keys and the way Samsung does it for Android are different,” McCarty says. “I’m hopeful we’ll get more consistency across the agency, so we can standardize some of those things.”

Agencies turn to EMM solutions to guarantee that only authorized personnel can use their devices to access department resources while ensuring that the device remains a convenient way to work outside the office.

Having a unified way to manage endpoints is a top priority for agencies, says Adam Holtby, senior analyst of workspace services at Ovum.

“Mobility should be at the core of any digital transformation effort,” he says. “Adopting a single solution to manage a broad range of devices and apps can improve security and productivity, ease endpoint and application administration and deliver new insights into how the modern employee works.”

Managing mobile app security while still providing a positive user experience remains a great challenge, McCarty says. Apps used to process government data, such as Microsoft Outlook for email, undergo an internal vetting process known as Carwash before they’re added to a whitelist in the department’s mobile apps catalog.

DHS Balances BYOD and EMM Other Models

A DHS pilot program integrates Lookout Mobile Security with AirWatch to identify and blacklist potentially malicious third-party apps.

“It’s a delicate balance,” McCarty says. “You want to make sure you don’t lock down the device so much that it’s not a good user experience.

“With different applications,” he adds, “there are always different kinds of threats. That’s why mobile threat protection will be really helpful.”

One question agencies face is whether to allow employees to use their personal mobile devices for work, or let them use work phones for personal business.

61%

Percentage of agencies reporting a security incident involving mobile devices

Source: Lookout, “Policies and misconceptions: How government agencies are handling security in the age of breaches,” December 2017

Although some DHS agencies are experimenting with BYOD, McCarty says most rely on the corporate-owned, personally enabled model, where workers carry devices provided by their employer that they can use for personal needs in a highly managed way.

“The area we need to be most careful about is making sure there’s no data going from our corporate apps to apps that aren’t necessarily bad, but could potentially allow information to leak,” McCarty says.

Because DHS is migrating to Office 365, it’s taking a close look at Microsoft Intune as a potential enterprise mobility and security (EMS) solution.

The big benefit is that they now have an experience that’s more like they’re used to in their everyday lives, and they gain access to things they could never get to before on their mobile devices.”

Tom McCarty Enterprise IT Services Director, DHS

“When we started this effort, Intune wasn’t very mature, but it’s made big strides lately,” he says. “We’re definitely taking a closer look at Intune, not only for its tighter integration with Office 365, but also for security benefits, such as conditional access controls for mobile apps.”

Adopting mobile device management at the same time that DHS is migrating to the cloud means asking agency employees to adapt to a lot of change over a short period of time.

“We’re throwing a lot at our users these days,” McCarty admits. “But the big benefit is that they now have an experience that’s more like they’re used to in their everyday lives, and they gain access to things they could never get to before on their mobile devices.”

SBA Provides Mobile Security for a Dispersed Workforce

With more than 2,000 permanent employees spread across 128 locations, the Small Business Administration has a workforce that’s not only diverse but also dispersed. That’s why the SBA relies on 2,200 agency-issued smartphones and some 400 portable Wi-Fi hotspots to keep everyone connected.

Last year, the SBA moved from using only iPhones running on the AT&T network to a mix of iOS and Samsung Galaxy devices across the three major U.S. carriers, says Russ Miller, director of IT services. That allowed the agency to maximize coverage in remote areas not served by AT&T, as well as to run internal apps that were not iOS-compatible.

The SBA also migrated from IBM MaaS360 mobile device management software to Microsoft Intune, and added Zimperium mobile device security to protect against malicious apps.

“We had a small library of apps our employees could access, but Zimperium let us enlarge that a bit more because it blocks the viruses and malware that can come with rogue apps,” he adds. “If you allow people to download any application they want, you open yourself up to a host of vulnerabilities and risks.”

Using Intune allows SBA employees to securely access their Microsoft OneDrive accounts, which lets them read and edit files stored in the cloud from their phones.

“That can be risky,” he adds. “But if you have the right security software on the phone, you can always remotely lock or wipe the device. If it gets lost or stolen, it’s a brick — it can’t be used.”

USDA Evolves Its Approach to EMM

Miller says EMM software has evolved a great deal since the first solutions appeared.

“Seven or eight years ago, most of the device management tools didn’t let you lock the device or secure the data you had on it,” he says.

“Today, if someone leaves the agency and has password-protected their device, we have to throw the phone away — even Verizon or AT&T wouldn’t be able to clear the device so we could reuse it.”

Like DHS and SBA, the Agriculture Department has a mixed mobile environment, with more than 90 percent of its 32,000 government-issued mobile devices using iOS. And like those agencies, the USDA’s biggest security concerns center on application-based threats, says Frank Chad Hoeppel, acting associate CIO for the USDA’s Client Experience Center.

USDA technicians
USDA Animal and Plant Health Inspection Service Plant Protection and Quarantine technicians Bethany Benedict and Brendon Miller inspect an adhesive band used to sample insects in the area. The number of insects of interest that are stuck to the band are identified counted and the data is entered into a smart tablet. Photo credit: Lance Cheung/USDA

The USDA has used MobileIron since 2013 to manage the devices, alongside Symantec-owned Appthority to screen apps for potential malware or vulnerabilities.

The department is currently implementing blacklisting and whitelisting capabilities to create a roster of third-party apps approved for business use, as well as finalizing its BYOD policies, Hoeppel says.

“Five years ago, our mobile program provided email access to mobile devices,” Hoeppel says. “Today, using mature EMMs, we securely manage devices and provide a flexible suite of productivity applications to our employees, allowing them to work anytime, anywhere.”

3 Ways to Make Enterprise Mobile Management Work

Managing disparate mobile devices is a challenge for every organization. These three EMM best practices make it a little easier:

Establish ground rules: Make sure users know the rules of appropriate mobile behavior, says Tom McCarty, director of DHS’ Enterprise IT Services division. "You need to be very clear about restrictions. We're trying to make it as user friendly as possible, but they need to treat their phones as they would any government computer."
Find an experienced partner: Connect with a service provider who can tell you what each EMM solution can and can't do — the capabilities, the risks and any trade-offs you might need to make, says Russ Miller, director of IT services for the Small Business Administration.
Stay up to speed: Mobile device management is rapidly evolving, so agencies need to stay on top of the latest developments, says Frank Chad Hoeppel, acting associate CIO at USDA. "It's important for agencies to review their existing solution every two or three years to ensure it still meets both security and customer needs."

Adam Theo/Department of Homeland Security