Oct 28, 2019

Kandji announces $3.375M seed for sophisticated Apple MDM solution

Kandji, a new Apple MDM solution that promises to go far beyond Apple’s base MDM protocol and other solutions on the market, emerged from stealth today with a $3.375 million seed investment. The product is also publicly available for the first time starting today.

The round, which closed in March, was led by First Round Capital with help from Webb Investment Network, Lee Fixel, John Glynn and other unnamed investors.

Company co-founder and CEO Adam Pettit says the company's founders have deep knowledge of Apple. They all worked at Apple before leaving to run an Apple IT consultancy for more than 10 years.

He said that while they were at the consultancy, they developed a proprietary stack of tools to help with highly sophisticated Apple device deployments at large organizations, and it occurred to them that there was an unserved market opportunity to turn that knowledge into a new product.

Two years ago they sold the consultancy, took that knowledge and built Kandji from the ground up. Pettit says the new product gives customers access to a set of management tools that their old firm would have charged six figures to implement.

One of the key differentiators between Kandji and other MDM solutions, or even Apple’s base MDM functionality, is a set of one-click compliance tools. “We’re the only product that has almost 200 of these one-click policy frameworks we call parameters. So an organization can go in and browse by compliance framework, or we have pre-built templates for companies that don’t necessarily have a specific compliance mandate in mind,” he said.

The parameters have all of the tools built-in to automatically deploy a set of policies related to a given compliance framework without having to go through and manually set all of those different switches yourself. On the flip side, if you want to get granular and create your own parameters, you can do that too.

He says one of the reasons he and his partners were willing to give up the big-dollar consultancy was that they saw a huge opportunity among firms that couldn't afford that kind of service but still had relatively large Apple device deployments. "I mean there's a big need outside of just the specific kind of sophisticated compliance work we would do [at our previous firm]. We saw this big need in general for an Apple MDM solution like ours," he said.

After selling their previous firm, the founders bootstrapped for a year while they developed the initial version of Kandji before seeking funding. Today, the company has 16 employees and a set of initial customers that have been testing the product.

Jun 10, 2019

Apple is making corporate ‘BYOD’ programs less invasive to user privacy

When people bring their own devices to work or school, they don't want IT administrators to manage the entire device. But until now, Apple offered only two ways to enroll an iOS device in MDM: device enrollment, which gives admins device-wide management capabilities, or automated device enrollment, which combines those same device-wide capabilities with an automated setup process. At Apple's Worldwide Developer Conference last week, the company announced plans to introduce a third method: user enrollment.

This new MDM (mobile device management) enrollment option is meant to better balance the needs of IT to protect sensitive corporate data and manage the software and settings available to users, while at the same time allowing users’ private personal data to remain separate from IT oversight.

According to Apple, when both users’ and IT’s needs are in balance, users are more likely to accept a corporate “bring your own device” (BYOD) program — something that can ultimately save the business money that doesn’t have to be invested in hardware purchases.

The new user enrollments option for MDM has three components: a managed Apple ID that sits alongside the personal ID; cryptographic separation of personal and work data; and a limited set of device-wide management capabilities for IT.

The managed Apple ID will be the user’s work identity on the device, and is created by the admin in either Apple School Manager or Apple Business Manager — depending on whether this is for a school or a business. The user signs into the managed Apple ID during the enrollment process.

From that point forward until the enrollment ends, the company’s managed apps and accounts will use the managed Apple ID’s iCloud account.

Meanwhile, the user’s personal apps and accounts will use the personal Apple ID’s iCloud account, if one is signed into the device.

Third-party apps run in either managed or unmanaged mode, not both: users can't switch an app between modes or run it in both modes at the same time. However, some of the built-in apps like Notes are account-based, meaning the app uses the appropriate Apple ID, either the managed one or the personal one, depending on which account the user is operating on at the time.

To separate work data from personal, iOS will create a managed APFS volume at the time of the enrollment. The volume uses separate cryptographic keys which are destroyed along with the volume itself when the enrollment period ends. (iOS had always removed the managed data when the enrollment ends, but this is a cryptographic backstop just in case anything were to go wrong during unenrollment, the company explained.)

The managed volume will host the local data stored by any managed third-party apps along with the managed data from the Notes app. It also will house a managed keychain that stores secure items like passwords and certificates; the authentication credentials for managed accounts; and mail attachments and full email bodies.

The system volume does host a central database for mail, including some metadata and five-line message previews, but this is removed as well when the enrollment ends.

Users' personal apps and their data can't be managed by the IT admin, so they're never at risk of having their data read or erased through MDM.

And unlike device enrollments, user enrollments don't provide a UDID or any other persistent device identifier to the admin. Instead, iOS creates a new identifier called the "enrollment ID." This identifier is used for all communication with the MDM server and is destroyed when the enrollment ends.

Apple also noted that one of the big reasons users fear corporate BYOD programs is because they think the IT admin will erase their entire device when the enrollment ends — including their personal apps and data.

To address these concerns, MDM queries under user enrollment return only managed results.

In practice, that means IT can’t even find out what personal apps are installed on the device — something that can feel like an invasion of privacy to end users. (This feature will be offered for device enrollments, too.) And because IT doesn’t know which personal apps are installed, it also can’t restrict certain apps’ use.

User enrollments will also not support the "erase device" command, and they don't need to: ending the enrollment already removes the managed volume and its data, including email, so IT knows the sensitive data is gone without a full device wipe.

Similarly, the Exchange Server can’t send its remote wipe command — just the account-only remote wipe to remove the managed data.

Another new feature related to user enrollments is how traffic for managed accounts is guided through the corporate VPN. Using the per-app VPN feature, traffic from the Mail, Contacts and Calendars built-in apps will only go through the VPN if the domains match that of the business. For example, mail.acme.com can pass through the VPN, but not mail.aol.com. In other words, the user’s personal mail remains private.
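The routing decision described above, as an added illustration (this is not Apple's code or the article's; it models the domain-matching behaviour in plain Python). The corporate domain list and the sample accounts are constructed for the example. The one assumption that matters is that a listed domain also covers its subdomains, which is why the check insists on a label boundary rather than a bare suffix match: a bare `endswith("acme.com")` would also send a look-alike account such as `mail.notacme.com` through the corporate VPN.

```python
"""Model of per-app VPN domain matching for managed Mail/Contacts/Calendar
accounts under iOS 13 User Enrollment, as described in the text.

Illustrative code only: the real decision is made inside iOS from the domain
lists the MDM server supplies in the per-app VPN payload. Domains and sample
accounts below are constructed for the example."""

# Constructed example: the domains the business registers for its VPN.
# Assumption: a listed domain also covers its subdomains.
CORPORATE_DOMAINS = ("acme.com",)


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    Plain suffix matching is wrong: "mail.notacme.com".endswith("acme.com")
    is True, so we require either an exact match or a "." label boundary.
    Case and a trailing root dot are normalised first."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def route_via_vpn(server_host: str, corporate_domains=CORPORATE_DOMAINS) -> bool:
    """Decide whether traffic to server_host goes through the corporate VPN."""
    return any(host_matches(server_host, d) for d in corporate_domains)


def route_account_traffic(accounts):
    """accounts: iterable of (label, server_host).
    Returns {label: "vpn" | "direct"}."""
    return {
        label: ("vpn" if route_via_vpn(host) else "direct")
        for label, host in accounts
    }


# Constructed sample accounts: the article's two examples plus edge cases.
SAMPLE_ACCOUNTS = [
    ("work mail", "mail.acme.com"),        # corporate, goes through VPN
    ("personal mail", "mail.aol.com"),     # personal, stays off the VPN
    ("lookalike", "mail.notacme.com"),     # must NOT match on bare suffix
    ("work calendar", "Calendar.ACME.com."),  # case/root-dot normalised
]

if __name__ == "__main__":
    for label, route in route_account_traffic(SAMPLE_ACCOUNTS).items():
        print(f"{label}: {route}")
```

The label-boundary check is the part worth copying into any policy engine that routes or trusts traffic by hostname; the rest is bookkeeping.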

This addresses what has been an ongoing concern about how some MDM solutions operate — routing traffic through a corporate proxy meant the business could see the employees’ personal emails, social networking accounts and other private information.

User enrollments also only enforce a six-digit non-simple passcode, because the MDM server can't help users by clearing the passcode if they forget it.

Some today advise users to not accept BYOD MDM policies because of the impact to personal privacy. While a business has every right to manage and wipe its own apps and data, IT has overstepped with some of its remote management capabilities — including its ability to erase entire devices, access personal data, track a phone’s location, restrict personal use of apps and more.

Apple's MDM protocol has never included GPS or location tracking, however, and the new option doesn't add it.

Apple’s new policy is a step toward a better balance of concerns, but will require that users understand the nuances of these more technical details — which they may not.

That user education will fall to the businesses that insist on these MDM policies in the first place: they will need to write their own documentation and explainers, and establish privacy policies with their employees that detail what data IT can and cannot access, as well as what control it has over enrolled devices.

Jan 07, 2015

Sources: Good Technology Axes More Than 100 Jobs

According to multiple sources, Good Technology, a company that sells mobile device management services, has laid off more than 100, and perhaps as many as 140, of its staff. According to LinkedIn, the company has more than 1,000 employees, making this a significant reduction in its workforce if the rumor is correct. Good Technology filed for a $100 million IPO in May of last year. Its…
