In this blog, let’s discuss some of the best practices you can implement to improve security, productivity, and user experience for your work from home (WFH) staff with IBM Security MaaS360 and partner products. There are a lot of topics to cover!
Your WFH staff might include employees, contractors or partners that are full-time, part-time, or temporary. Your organization might need to support any of these depending on your current business environment or the personal circumstances of your staff. For example, a new parent who works from home for a year; an office or an employee that gets relocated; or an emergency situation which requires temporary office closure.
In addition to the technical and logistical aspects of getting your WFH staff provisioned with the appropriate devices and software, you also need to decide which security and support policies to implement, with a spotlight on bring your own device (BYOD). For example, consider:
- Developing an acceptable use policy that must be confirmed when using personally owned and corporate owned devices that will be used to access company resources
- Creating an eligibility and constraints list for personal device use
- Providing a go-to resource guide for your WFH staff
Implementing an acceptable use policy
Setting up an acceptable use policy is one of the first steps you can take to prepare for your WFH and mobile workforce. MaaS360 can help you enforce an acceptable use policy when devices enroll in MaaS360. You write up the policy, and then you have two options for enforcing it through MaaS360:
- Add your Corporate Usage Policy under Setup > Settings > Device Enrollment Settings > Advanced in the MaaS360 portal to prevent anyone who does not accept it from enrolling in MaaS360. As a result, these users will not be able to access apps, docs, mail, and other corporate resources. You can view and manage all the failed enrollments in the MaaS360 portal and follow up with these users as needed.
- Add a policy-driven End User License Agreement (EULA) which must be accepted at enrollment. The policy can be set up with a grace period, and can also be applied to users who are already enrolled. Administrators can set up automatic actions when the grace period expires, for example selective wipe, wipe, remove control, and sign out. MaaS360 also provides reporting around the policy-driven EULA which gives you insight into the status of acceptance.
Provisioning WFH devices
When users work from home, they typically can’t get to the office easily, or perhaps there is no office nearby. So they are going to be using their personal devices (e.g., tablet, smartphone, laptop), using a company-issued device that gets shipped to their home, or a combination of the two. For example, as a WFH employee, I typically work with a personal smartphone and tablet, and a corporate-owned laptop. In any case, the user might be responsible for getting the device set up, which is critical both for their productivity and for keeping your corporate resources secured.
MaaS360 supports provisioning both corporate and employee owned devices for work use. Let’s look at three common provisioning use cases and how IBM MaaS360 supports them.
- A new or factory-reset corporate-owned device can be shipped from the device reseller directly to the user’s home. In this case, a MaaS360 administrator might be responsible for setting up a third-party portal such as Apple Business Manager, Android Enterprise, or the Knox Mobile Enrollment portal, depending on device type. The device reseller must load the device information into the respective partner portal (except in the case of Windows OOBE). The MaaS360 administrator configures the integration between MaaS360 and the third-party portal. The user receives the device, starts it up, enters credentials, and the device is automatically provisioned with IBM MaaS360, policies, apps, docs, and access to corporate resources.
- Apple Business Manager
- Android Enterprise token
- Knox Mobile Enrollment
- Windows Out of the Box Enrollment (OOBE) with Azure AD
- A new or repurposed corporate-owned device that is shipped to a user’s home can be set up in bulk by an IT administrator, either by entering user credentials for each device or by provisioning without authenticating and assigning a user later. In this case, the administrator goes through the MaaS360 enrollment steps on the device, ensures the device meets requirements, and then ships the device to the user, who enters their credentials to gain access to the device.
- Apple Business Manager or Apple Configurator
- Android Enterprise with IBM MaaS360 using Zero touch, QR Code or NFC Bump
- Knox Mobile Enrollment with IBM MaaS360
- Windows 10 OOBE with Azure AD
- Windows 10 Bulk Provisioning Tool
- Users can also enroll their personal devices. There might be technical prerequisites that must be met for each device and enrollment type. Your organization should publish a list of eligibility requirements and constraints for personal device use to your remote and mobile workforce. Otherwise, you can expect an increased number of support calls when users try to enroll devices that are not supported by your program.
- User enters a self-service URL in the browser on the device to enroll in MaaS360
- Administrator generates an individual enrollment request to a user via SMS or Email
- Administrator bulk generates enrollments requests to multiple users via SMS or Email
Keeping your remote workforce happy
A critical aspect of your infrastructure should be remote support of devices. Having an effective remote access and control solution saves time and improves productivity both for your support team and for users. With a remote workforce potentially using a wide variety of device types and OSes, and no in-person contact possible, this can pose a real challenge for support teams.
MaaS360 partners with TeamViewer to provide remote access and control capabilities for devices as an extension of the MaaS360 platform. TeamViewer is multilanguage and cross-platform, supporting iOS, macOS, Android, and Windows (7, 8, 10) on all types of hardware. It is a cloud-based solution that pairs with MaaS360 and provides end-to-end encryption for the session between support and the end user. The support person simply sends an invitation to the user’s device and the user accepts. Support can interact with the user over chat, voice, or video call. The setup within MaaS360 is straightforward and includes the following:
- Enabling the TeamViewer service in the MaaS360 portal
- Distributing the TeamViewer App to devices via the MaaS360 App Catalog
- Initiating Remote Support to the device from MaaS360’s Device Inventory view
Easy access to corporate resources while enforcing compliance
When a device enrolls with MaaS360, it is immediately visible within the MaaS360 portal for your administrators to monitor and for the MaaS360 compliance engine to evaluate. Whether your workforce is at home, in the office, or on the go, your administrators can view and manage all your device types in one portal. As part of the enrollment of your devices, your administrators can also provide important configurations and policy settings that dictate what resources a device can access, restrictions you want to impose on devices, and compliance rules to enforce.
When you are supporting a remote workforce, the less configuration users have to do on a device the better. For example, it’s good practice to configure VPN profiles, Email, Wi-Fi and Certificates in MaaS360 Security Policies. When the device enrolls, the user automatically has access to their corporate VPN, Email, and certificates, as applicable.
In addition, you want to be able to take action on devices that violate the corporate policies you configured in MaaS360. With MaaS360 Compliance Rules, you set up rules with corresponding actions, which can automatically block access to corporate resources, wipe a device, selectively wipe a device, or send a warning to the user. For example, you might require a minimum OS level for security purposes, send an initial warning, and then follow up by wiping a corporate device or selectively wiping a personally owned device. The compliance engine initiates these actions automatically without an administrator, and if the user remediates the out-of-compliance event, the compliance engine revokes the action. Keep in mind that only some actions are reversible: a blocked resource can be unblocked, but a wipe cannot be undone, so make the wipe the final step after a warning and a reasonable grace period.
Administrators also have the ability to initiate actions manually from the MaaS360 portal on a device or group of devices. For example, if a remote user must turn in their device, the administrator can initiate a remote wipe from the MaaS360 portal.
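To make the escalation concrete, here is a small model of such a compliance rule in Python. It is an added example written for this post, not MaaS360 code or any MaaS360 API; the rule steps, the grace periods, the action names and the revoke behaviour are assumptions chosen to mirror the text (warn first, block access after a few days, then wipe a corporate device or selectively wipe a personal one, and undo the reversible actions when the user remediates). The same timer-driven escalation is what a policy-driven EULA grace period does, so the model covers that section too.

```python
"""Illustrative compliance-rule engine (constructed example; not MaaS360 code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Actions the engine can undo once the device is back in compliance.
# A wipe or selective wipe is irreversible, so it is deliberately not listed.
REVERSIBLE = {"warn", "block"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '14.4.1' into (14, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Rule:
    min_os_version: str
    # Escalation steps as (delay after the first violation, action).
    # The generic 'wipe' step is resolved per device ownership at evaluation time.
    steps: List[Tuple[timedelta, str]] = field(default_factory=lambda: [
        (timedelta(0), "warn"),
        (timedelta(days=3), "block"),
        (timedelta(days=7), "wipe"),
    ])


@dataclass
class Device:
    device_id: str
    os_version: str
    corporate_owned: bool
    first_violation: Optional[datetime] = None
    applied: List[str] = field(default_factory=list)


def evaluate(device: Device, rule: Rule, now: datetime) -> List[str]:
    """Run one evaluation pass and return the actions taken during this pass."""
    if parse_version(device.os_version) >= parse_version(rule.min_os_version):
        if device.first_violation is None:
            return []                      # compliant, nothing outstanding
        # Remediated: revoke what can be revoked and reset the violation clock.
        revoked = [f"revoke:{a}" for a in device.applied if a in REVERSIBLE]
        device.first_violation = None
        device.applied = []
        return revoked

    if device.first_violation is None:
        device.first_violation = now       # start the grace-period clock
    if any(a.endswith("wipe") for a in device.applied):
        return []                          # already wiped; nothing further to do

    taken = []
    for delay, action in rule.steps:
        if action == "wipe":
            action = "wipe" if device.corporate_owned else "selective_wipe"
        if now - device.first_violation >= delay and action not in device.applied:
            device.applied.append(action)
            taken.append(action)
    return taken


if __name__ == "__main__":
    # Constructed sample fleet: two out-of-date devices, one corporate, one BYOD.
    rule = Rule(min_os_version="14.4")
    t0 = datetime(2020, 4, 1)
    fleet = [Device("corp-1", "13.7", True), Device("byod-1", "13.7", False)]
    for day in (0, 4, 8):
        for d in fleet:
            print(day, d.device_id, evaluate(d, rule, t0 + timedelta(days=day)))
```

Run the file and the corporate device moves through warn, block and wipe, while the personal device ends with a selective wipe. Note that a device that misses a pass (for example, one that was offline) catches up on every overdue step in a single evaluation, which is why the BYOD device can receive both a block and a selective wipe on the same day; if you would rather never skip straight to a wipe, require each step to have been applied on an earlier pass before the next one fires.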
I hope that helps you get started with, or go further into, your WFH and BYOD program. We have more MaaS360 best practices and tips to help you, so in Part Two of this blog I will cover unified application catalog capabilities, single sign-on (SSO) and user access, and mobile threat defense.
If you have any questions, reply to the blog or reach out to your MaaS360 Client Success Manager (CSM). Not sure who your CSM is? Contact firstname.lastname@example.org.
If you are not a current MaaS360 customer you can request access to an extended no-cost trial here.
We also posted a blog on SecurityIntelligence where you can learn more about IBM Security efforts to help our customers transition to the rapid increase in working from home and BYOD.