Establishing a security model is essential to a successful mobile device deployment for organizations of any size. Although it is not uncommon to allow a user, computer, or device access by default and rely on some form of protected or quarantined network control, this is not always good practice. Every organization that manages IT security may have a slightly different or tailored approach to security for mobile devices.
The same logic applies to mobile device security. The vast number of mobile devices and device types, the quantity of mobile devices per user, and the array of operating system platforms and applications available make the very idea of using a permissive model a weak choice. In most organizations the restrictive model will be the most logical choice. However, it takes some planning to roll out the Secure Mobile Gateway security model successfully.
The configuration scenarios that Citrix supports for integrating Secure Mobile Gateway with XenMobile Device Manager are as follows:
The permissive security model operates on the premise that everything is allowed or granted access by default. Something is blocked, and a restriction applied, only when a rule or filter matches it. The permissive security model suits organizations that have a relatively loose security concern about mobile devices and that apply restrictive controls only to deny access where a policy rule fails.
The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything passing through the security checkpoint is filtered and inspected, and is denied access unless the rules that allow access are passed. The restrictive security model suits organizations that have relatively tight security criteria for mobile devices. This model grants access to network services, for use and functionality, only when all rules that allow access have passed.
The following procedure describes how to set up Secure Mobile Gateway successfully in restrictive mode (block mode). This configuration for Secure Mobile Gateway and XenMobile Device Manager assumes that both are installed and operational and that mobile devices are enrolled with Device Manager and connecting to ActiveSync services properly. Through an understanding of the principles of Secure Mobile Gateway rules, filters within Device Manager, static and dynamic updates for rules, and the enforcement of a Secure Mobile Gateway restrictive block mode policy, you can implement a secure device management solution with Device Manager and Secure Mobile Gateway.
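To make the difference between the two models concrete, here is an added example (not Citrix code and not the Secure Mobile Gateway's actual rule engine) that evaluates a constructed device record in each mode against a hypothetical static allow/block list and a dynamic compliance rule fed by the management server. The device IDs and rule names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Hypothetical model of the two gateway modes described in the text.
PERMISSIVE = "permissive"    # allow by default; block only on an explicit deny
RESTRICTIVE = "restrictive"  # block by default; allow only when a rule positively allows

@dataclass
class Device:
    device_id: str
    enrolled: bool = False     # known to the device management server
    compliant: bool = False    # passes the server's compliance filters

# A rule returns True (allow), False (block) or None (no verdict for this device).
Rule = Callable[[Device], Optional[bool]]

# Constructed "static" lists, the kind an administrator maintains by hand.
STATIC_BLOCK = {"lost-phone-0042"}
STATIC_ALLOW = {"exec-tablet-0001"}

def static_rule(d: Device) -> Optional[bool]:
    if d.device_id in STATIC_BLOCK:
        return False
    if d.device_id in STATIC_ALLOW:
        return True
    return None

def dynamic_rule(d: Device) -> Optional[bool]:
    # "Dynamic" verdict: comes from the management server's view of the device.
    if not d.enrolled:
        return None            # unmanaged device: the server has no record of it
    return d.compliant

RULES: List[Rule] = [static_rule, dynamic_rule]

def decide(device: Device, mode: str, rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'block' for one ActiveSync connection attempt."""
    verdicts = [rule(device) for rule in rules]
    if mode == PERMISSIVE:
        # Only an explicit deny blocks; a device nobody has an opinion on gets through.
        return "block" if False in verdicts else "allow"
    if mode == RESTRICTIVE:
        # No deny may be present AND at least one rule must positively allow;
        # an unknown, unenrolled device collects no verdict and is therefore blocked.
        return "allow" if False not in verdicts and True in verdicts else "block"
    raise ValueError(f"unknown mode {mode!r}")
```

Running the same unenrolled device through both modes is the quickest way to see why the text calls the permissive model a weak choice: it is admitted in permissive mode and blocked in restrictive mode.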
Understanding how to set the granularity of a security policy and apply it correctly from Device Manager and Secure Mobile Gateway is important for global device management across a large set of users or an entire organization. The following example of a best-practice restrictive (block) policy for Secure Mobile Gateway produces the following results: