IBM MaaS360 UMM

Unified Mobility Management

MaaS360 UMM Solution Overview

10th of March 2016. Version 1.1

Table of Contents

1 Overview
2 Solution Overview
  2.1 MaaS360 Advanced Mobile Management
    2.1.1 MaaS360 Mobile Device Management
    2.1.2 MaaS360 Mobile Application Management
    2.1.3 MaaS360 Mobile Expense Management
    2.1.4 MaaS360 Laptop Management
  2.2 MaaS360 Secure Productivity Suite
    2.2.1 MaaS360 Secure Mail
    2.2.2 MaaS360 Secure Browser
    2.2.3 MaaS360 Mobile Application Security
  2.3 MaaS360 Secure Document Sharing
    2.3.1 MaaS360 Mobile Content Management
    2.3.2 MaaS360 Secure Editor
    2.3.3 MaaS360 Document Sync
  2.4 MaaS360 Mobile Enterprise Gateway
    2.4.1 MaaS360 Mobile Enterprise Gateway for Browser
    2.4.2 MaaS360 Mobile Enterprise Gateway for Docs
    2.4.3 MaaS360 Mobile Enterprise Gateway for Apps
3 Solution Details
  3.1 MaaS360 Advanced Mobile Management
    3.1.1 MaaS360 Mobile Device Management
    3.1.2 Mobile Application Management
    3.1.3 Mobile Expense Management
    3.1.4 Laptop Management
  3.2 MaaS360 Secure Productivity Suite
    3.2.1 MaaS360 Secure Mail
    3.2.2 MaaS360 Secure Browser
    3.2.3 MaaS360 Mobile Application Security
  3.3 MaaS360 Secure Document Sharing
    3.3.1 MaaS360 Mobile Content Management
    3.3.2 MaaS360 Secure Editor
    3.3.3 MaaS360 Document Sync
  3.4 MaaS360 Mobile Enterprise Gateway
    3.4.1 MaaS360 Mobile Enterprise Gateway for Browser
    3.4.2 MaaS360 Mobile Enterprise Gateway for Docs
    3.4.3 MaaS360 Mobile Enterprise Gateway for Apps
4 MaaS360 SaaS
  4.1 MaaS360 Cloud Security Details
    4.1.1 Data Center Redundancy
    4.1.2 Physical Security
    4.1.3 Network Security
    4.1.4 Customer Data
    4.1.5 System and User Account Administration and Management
    4.1.6 Disaster Recovery/Business Continuity
    4.1.7 Audits/Compliance

1 Overview

This document outlines the MaaS360 solution for the Company name. It provides a set of solution capabilities at an Overview and Solution Detail level.

Revision History

Version | Issue Date | Description of Version/Changes | Author
1.0 | 22nd of February 2016 | Draft | Darryl Miles
1.1 | 10th of March 2016 | Draft | Tim Youm

2 Solution Overview

MaaS360 is a unified mobility management platform that enables IT to deliver end-to-end security and management for devices, applications, documents, emails and Web access. Businesses use MaaS360 to provide their employees with secure access to corporate resources and information from corporate- or personally-owned mobile devices, without compromising the user experience, data security or privacy. MaaS360 delivers maximum flexibility for bring your own device (BYOD) with a dual persona approach, multi-platform support, self-service enrollment, customized over-the-air configuration, automated policy enforcement, and secure distribution of apps and documents. MaaS360 provides a range of product modules and bundles to enable customers to effectively meet their mobility requirements.

Key benefits for Company name:

• MaaS360 is the easiest UMM product to deploy and scale with the best user experience. Set-up is fast and does not require a complicated installation process, on-site hardware, professional services, or ongoing change control activities.

• MaaS360 Secure Productivity Suite provides the most flexible mobile container options for complete separation of corporate and personal information to secure your data and maintain employee privacy. You can deploy this as a standalone solution to manage just the MaaS360 WorkSpace container or integrated with MDM.

• MaaS360 offers the most seamless enterprise integration. You can securely integrate with your Lotus Notes, Exchange, AD/LDAP, Certificate Authorities, and other systems in an easy, plug-n-play fashion. Unlike other solutions, MaaS360 is non-intrusive and does not sit in the critical path of your emails.

• MaaS360 is the most secure UMM platform with Federal Information Security Management Act (FISMA) certification since 2011 and SOC 2 Type II certification since 2007. In addition, MaaS360 WorkPlace container is FIPS 140-2 compliant with AES-256 bit encryption to prevent enterprise data leaks from emails, apps, documents and web access.

• IBM delivers the best customer experience with streamlined provisioning, automated workflows, and an intuitive user interface, all backed by the most responsive, industry-acclaimed support staff in the business. You always get 24x7x365 live support via phone, email, chat, or our MaaSter Center forums. According to Gartner, “IBM's performance with clients is rated highly, as proven by excellent reference client feedback. Clients greatly appreciate its presales and postsales support, smooth and uneventful implementations, and technical assistance during installations.”

MaaS360 is the only solution in the market with the credentials to give customers confidence in the areas that matter most:

• Simple and fast deployments with an exceptional customer experience for IT and employees
• Powerful management and security capabilities to address the full mobility lifecycle
• Flexible mobile application container options to separate work and personal data
• Seamless integration with existing enterprise systems such as email, directories, and certificate authorities
• The most trusted and proven approach to delivering enterprise mobility management

Proof Points:

• Named a Gartner Magic Quadrant leader in Mobile Device Management for the past 4 years
• MaaS360 ranked “Excellent” in Gartner Critical Capabilities for MDM products
• Over 20 years of experience in enterprise mobility management
• First multi-tenant cloud service to manage and secure smartphones, tablets, and laptops
• Only UMM vendor to achieve FISMA certification directly from the US Government
• Only UMM vendor with SOC 2 Type II certification for over 5 years
• FISMA certified
• Only UMM vendor on the Cloud Security Alliance’s Security, Trust and Assurance Registry (CSA STAR)

MaaS360 delivers a complete enterprise mobility management solution with one platform that integrates comprehensive security for all your mobile assets. At the same time, it enables the flexibility and modularity needed to match the challenges and use cases for your organization with standalone products.

MaaS360 provides a wide range of mobile management and security options across different categories of users, devices, content, and apps, all within the context of their business. This offers the flexibility to implement tiered or layered mobile security to address varied end user needs and IT security requirements.

With MaaS360, organizations can phase in BYOD and “right size” their mobile security investments for different classes of users, departments, geographies, devices and applications, and apply the technology approach that best meets the need of those use cases, all from a unified platform.

The graphic below shows the solution bundles that are available in MaaS360:

2.1 MaaS360 Advanced Mobile Management

MaaS360 enables organizations to manage and secure enterprise-owned and personal BYO smartphones, tablets and laptops. It simplifies deploying private and public apps by delivering an easy-to-use enterprise app catalog with full security and operational lifecycle management. This solution bundle includes MaaS360 Mobile Device Management, MaaS360 Mobile Application Management and MaaS360 Mobile Expense Management. MaaS360 Laptop Management is separate from this bundle.

2.1.1 MaaS360 Mobile Device Management

MaaS360 Mobile Device Management streamlines the provisioning of corporate-owned and employee-owned BYO devices over-the-air with features for enrollment, configuration, security policy management, and device actions such as locate, lock and wipe.

• Manage smartphones and tablets featuring iOS, Android, Windows Phone and BlackBerry
• Gain complete visibility of devices, security and network
• Enforce compliance with real-time and automated actions

2.1.2 MaaS360 Mobile Application Management

MaaS360 Mobile Application Management simplifies the distribution, updating and management of private, public and purchased apps by delivering an easy-to-use enterprise app catalog with full security and operational lifecycle management across mobile device platforms.

• Deploy custom enterprise app catalogs for users to easily view available apps, install apps, and be alerted of app updates
• Blacklist, whitelist and require apps
• Administer app volume purchase programs

2.1.3 MaaS360 Mobile Expense Management

MaaS360 Mobile Expense Management enables organization-wide expense policies and proactively monitors and tracks mobile data and application usage to optimize mobile spend and shift the accountability more to departments and individual employees.

• Monitor mobile data usage with alert thresholds and real-time alerts
• Set group and individual policies to restrict or limit data and voice roaming
• Review integrated reporting and analytics

2.1.4 MaaS360 Laptop Management

In addition to smartphones and tablets, MaaS360 manages Windows-based laptops, desktops and ultrabooks, and Apple MacBooks, iMacs and Mac Pros, delivering actionable information across all of your laptops and distributed PCs. By collecting and correlating endpoint data from these devices, you get unprecedented visibility into hardware and installed software, missing patches, outdated anti-virus signature files, and so much more. With MaaS360, IT can support and manage enterprise mobile computing devices, even when they are not connected to the corporate network.

• Gain instant insight into hardware and software inventory, security and compliance details and operating system versions
• Block non-compliant devices from accessing the corporate network
• Ensure patches and anti-virus signature files are always up-to-date
• Push software to devices, regardless of their location
• Specify applications to be blacklisted on your users’ devices
• Take immediate actions with location tracking, locking and remote wipe
• Integrate seamlessly with your existing remote control applications
• Demonstrate compliance for audits or if a laptop is lost or stolen

2.2 MaaS360 Secure Productivity Suite

MaaS360 delivers a comprehensive set of cross-platform solutions to isolate and contain work emails, Web access and app data to prevent data leaks. It is the only complete solution that enables employees to securely access corporate data while preserving the mobile experience on their devices. This solution bundle includes MaaS360 Secure Mail, MaaS360 Secure Browser and MaaS360 Application Security.

2.2.1 MaaS360 Secure Mail

MaaS360 Secure Mail is an intuitive personal information management (PIM) app to contain emails, calendar and contacts on iOS, Android and Windows Phone devices.

• Contains email text and attachments to prevent data leakage
• FIPS 140-2 compliant, AES-256 bit encryption for data at rest
• Enforce authentication, cut and paste restrictions, and view-only mode
• Restrict forwarding, moving and screen captures
• Conduct on-line and off-line compliance checks prior to accessing email

2.2.2 MaaS360 Secure Browser

MaaS360 Secure Browser is a feature-rich web browser for secure access to intranet sites and web apps, and automated compliance of content policies for iOS, Android and Windows Phone devices.

• Enable access to corporate intranet sites and network without device VPN
• Define URL web filters and security policies based on categories
• Block known malicious websites to prevent mobile malware
• Enforce whitelist exceptions
• Restrict cookies, downloads, copy/paste, and print features to prevent data leaks
• Disable native and 3rd party web browsers

2.2.3 MaaS360 Mobile Application Security

MaaS360 Mobile Application Security provides a mobile application container with full operational and security management to protect against data leaks for iOS and Android devices.

• Use a simple App Wrapper when deploying enterprise apps with MaaS360 Mobile Application Management (MAM) or a robust Software Development Kit (SDK) to integrate security right into app code
• Enable user authentication
• Restrict copy and paste, as well as local and cloud data backups
• Enforce device compliance checks and file protection
• Alert administrators of violations in real-time and prevent access to work apps from compromised devices
• Requires the purchase of MaaS360 Mobile Application Management

2.3 MaaS360 Secure Document Sharing

MaaS360 provides a secure, encrypted container and productivity suite to distribute, view, create, edit and share documents on mobile devices, giving organizations the control they need and employees the access they demand. This solution bundle includes MaaS360 Mobile Content Management, MaaS360 Secure Editor and MaaS360 Document Sync.

2.3.1 MaaS360 Mobile Content Management

MaaS360 Mobile Content Management delivers a mobile document container for secure content collaboration with a robust set of lifecycle management capabilities to distribute, update, manage and secure documents on iOS and Android devices.

• Enforce authentication, copy/paste and view-only restrictions
• Access MaaS360 distributed content and file repositories such as SharePoint, Box & Google Drive
• Alert users on new or updated content
• Enable versioning and time-based expirations
• Use MaaS360 Content Cloud for hosting and distribution

2.3.2 MaaS360 Secure Editor

MaaS360 Secure Editor is an office productivity app to create, edit and save documents on iOS and Android devices and is designed to prevent corporate data leaks.

• Work on documents anywhere in an encrypted container with data leak controls
• Collaborate on Word, Excel, PowerPoint and text files
• Change fonts, font size and color
• Insert images, camera photos, links, shapes, tables and more
• Perform searches within documents
• Share seamlessly with Secure Mail and to corporate file folders

2.3.3 MaaS360 Document Sync

MaaS360 Secure Document Sync enables users to easily and securely synchronize content across managed iOS mobile devices.

• Restrict copy/paste of data across managed devices
• Block content from being opened or shared in other apps
• Store content securely, both in the cloud and on devices
• Requires the purchase of MaaS360 Mobile Content Management

2.4 MaaS360 Mobile Enterprise Gateway

MaaS360 offers simple, secure access to behind-the-firewall business resources, such as SharePoint, Windows File Share, intranet sites and databases. This solution bundle includes MaaS360 Mobile Enterprise Gateway for Browser, MaaS360 Mobile Enterprise Gateway for Docs and MaaS360 Mobile Enterprise Gateway for Apps.

2.4.1 MaaS360 Mobile Enterprise Gateway for Browser

MaaS360 Mobile Enterprise Gateway for Browser delivers access to enterprise intranet and internal web sites without requiring a full device level VPN connection on iOS and Android devices.

• Enable MaaS360 Secure Browser to access enterprise intranet sites, web apps and network resources
• Access data and information seamlessly and securely without needing a VPN session on mobile device
• Requires purchase of MaaS360 Secure Browser

2.4.2 MaaS360 Mobile Enterprise Gateway for Docs

MaaS360 Mobile Enterprise Gateway for Docs allows mobile devices outside of the enterprise network secure and seamless access to internal file stores without requiring a full device level VPN connection on iOS and Android devices.

• Enhance MaaS360 Mobile Content Management with secure access to internal files and folders from private SharePoint, Windows File Share and other network folders
• Retrieve enterprise documents without needing a VPN session on mobile device
• Requires purchase of MaaS360 Mobile Content Management

2.4.3 MaaS360 Mobile Enterprise Gateway for Apps

MaaS360 Mobile Enterprise Gateway for Apps enhances enterprise apps with secure and seamless access to internal data and resources without requiring a full device level VPN connection on iOS and Android devices.

• Add in-app VPN to MaaS360 Mobile Application Security to integrate behind-the-firewall data in enterprise apps
• Incorporate enterprise data without a device VPN session
• Requires purchase of MaaS360 Mobile Application Management and MaaS360 Mobile Application Security

MaaS360 Platform Overview

3 Solution Details

MaaS360 is uniquely capable of meeting your mobility objectives by enabling your users to connect to corporate resources with company- or individually-owned smartphones, tablets and laptops without compromising the security of your data and network.

Below are some of the MaaS360 capabilities worth highlighting.

3.1 MaaS360 Advanced Mobile Management

The mobility explosion and complex device landscape are pressing realities today, and will only continue to grow. While laptops remain a leading device type, the modern business environment is multi-platform, consisting of desktops, smartphones and tablets, all with different operating systems and app ecosystems.

With the current trends in Bring Your Own Device (BYOD) and employees using their own apps for work, IT must manage everything from policy to deployment, operations, content, compliance, security and monitoring.

MaaS360 Advanced Mobile Management simplifies management, security, and maintenance across all enterprise devices and all mobile platforms from a single console that provides instant visibility and control into who is connecting to your corporate data and with which devices and apps.

MaaS360 supports all of today’s enterprise-owned and personal BYO smartphones, tablets and laptops including iPhones, iPads, iPods, Androids, Kindle Fire devices, Windows Phones and BlackBerry smartphones as well as Windows laptops and MacBooks. Each enterprise is unique; therefore, you need a flexible, yet simple, platform to manage your fluid environment.

It simplifies deploying private and public apps by delivering an easy-to-use enterprise app catalog with full security and operational lifecycle management. MaaS360 Mobility Intelligence dashboards and reports give you complete visibility across multiple facets including users, devices, apps and expenses.

This solution bundle includes MaaS360 Mobile Device Management, MaaS360 Mobile Application Management and MaaS360 Mobile Expense Management. MaaS360 Laptop Management is separate from this bundle.

Key benefits:

• Embrace Bring Your Own Device (BYOD)
• Migrate from BlackBerry to multiple mobile OS platforms
• Support smartphones, tablets and laptops from a single platform with a single pane of glass
• Reduce the cost of supporting mobile assets
• Increase employee productivity and satisfaction
• Protect sensitive corporate data and reduce security risks
• Enforce compliance with regulations
• Safeguard end user privacy
• Transform your business with Mobile

3.1.1 MaaS360 Mobile Device Management

Every organization needs to see and control the mobile devices entering their enterprise, whether they are provided by the company or part of a BYOD program. MaaS360 Mobile Device Management (MDM) is the fastest, most comprehensive way to make that happen.

MaaS360 simplifies MDM with rapid deployment and comprehensive visibility and control, supporting a wide landscape of devices including smartphones, tablets, laptops and desktops.

3.1.1.1 Device Support

MaaS360 supports all major smartphone and tablet platforms including iOS 4.0+, Android 2.2+ (including Samsung SAFE, Amazon Kindle, LG GATE devices), Windows Phone 7.5 and 8+, and BlackBerry 5.0. For laptops and desktops, MaaS360 also supports Windows XP SP3 and higher, Windows Vista, Windows 7, Windows 8+, Mac OS X 10.5 (Leopard), 10.6 (Snow Leopard), 10.8 (Mountain Lion), and 10.9 (Mavericks).

3.1.1.2 MaaS360 Cloud Extender

MaaS360 Cloud Extender delivers a unique approach to securely and seamlessly plug-n-play with your enterprise systems, including Exchange ActiveSync (EAS 2007, 2010, 2013 and Office365), Active Directory and LDAP, IBM Notes Traveler, BlackBerry Enterprise Server, and Certificate Authorities. This is an optional feature that allows you to control access to email, leverage AD groups for policies, authenticate against corporate credentials, manage certificates for advanced user authentication, provide secure access to corporate systems (e.g., a certificate for Wi-Fi network authentication), and take actions through those systems (e.g., block email on a compromised device). It was designed to be easy and straightforward, without the need for on-premise servers or network reconfigurations. It’s a small, lightweight software module that you install in your environment. MaaS360 Cloud Extender ties into your backend systems in a completely non-intrusive way and is not an inline proxy in your critical messaging flows, so it is not in the direct path of email. Through APIs, it can also integrate with other IT systems, such as identity management and network access controls.

MaaS360 Certificate Services Integration provides customers with the ability to leverage their existing Certificate Authority (CA) and automatically provision user certificates to enrolled iOS Devices. Administrators can create email, Wi-Fi, and VPN policies and profiles that can use user-based certificates for authentication. The Cloud Extender interacts with the Certificate Authority, and pushes the issued certificates down to enrolled iOS devices. It performs the following functions:

• Processes user certificate requests from MaaS360 when the users enroll their iOS devices against a policy that requires user certificates
• Authenticates against the Certificate Authority (CA)/Registration Authority (RA) before requesting certificates
• Requests user certificates on behalf of enrolled iOS devices
• Encrypts the issued user certificates and uploads them to MaaS360
• MaaS360 then pushes these certificates to these devices

MaaS360 Mobile Device Management provides a lightweight BlackBerry agent that interfaces with your existing BlackBerry Enterprise Server 5 (BES 5). The lightweight agent utilizes native BES APIs and Toolkits to auto-discover connected devices and policies. MaaS360 then provides detailed hardware and software inventory details, assignment of policies, and the ability to push actions to your connected devices. MaaS360 offers key capabilities such as a set of flexible entitlements providing comprehensive visibility and control for BlackBerry devices.

3.1.1.3 Device Discovery

MaaS360 discovers when new devices try to connect to your corporate resources. You can then send enrollment requests to the users so they can enroll the devices. This prevents unauthorized devices from gaining access to your system without approval, but the process is quick and easy for your users.

3.1.1.4 Jailbreak and Root Detection

MaaS360 runs a series of proprietary checks to see if the device has been compromised. If any of these return positive, we report the device as jailbroken (for iOS) or rooted (for Android). Compliance actions can be enforced based on this status including user and/or admin alerts or more restrictive actions like blocking email, VPN, Wi-Fi profiles and removing applications and content.

• Attempt a function that should fail when the device is jailbroken/rooted
• Check for services that should not be there, but are
• Check for the presence of certain files on the system that are only present when jailbroken/rooted

3.1.1.5 MaaS360 Portal

MaaS360 makes it simple to secure and manage your mobile environment with an intuitive portal, streamlined workflows and a powerful analytics engine. The home page dashboard delivers an elegant experience to navigate your mobile environment, and one-click actions make managing mobile assets fast and easy.

3.1.1.6 Top Navigation Bar

The top navigation bar of the portal home page provides workflow-based navigation to help you simply access information and take action on devices, users, security, apps, docs, expenses, reports, and setup. You have access to a search bar for global search functionality and a Get Help link for support materials. Use My Groups to view groups from corporate directory integration.

3.1.1.7 Global Search Bar

The global search bar tracks down the devices, users, apps and docs in your account. You can just start typing in the field and it delivers fast search results with auto-complete. You can take action right in the search results for one-click access, including view, locate, distribute app, and distribute document.

3.1.1.8 My Alert Center

MaaS360 allows you to proactively manage potential problems. You can quickly glance at the My Alert Center on the home page to see color-coded alerts to focus attention on the most urgent issues. It is a customizable and interactive dashboard of your mobile environment, and you can easily customize alerts that are most important to each administrator since they are contextual, based on role and administrative rights.

You can examine and drill down to the details of each alert and see why devices were out of compliance, as well as additional security-related information. For example, you can see how many devices don’t have passcode protection enabled or how many devices have data sharing apps installed. There are hundreds of alerts you can configure, where “Red” represents a security alert that needs attention, “Green” represents a security alert with no incidents, and “Blue” represents an information-only alert.

3.1.1.9 At-A-Glance Overview

In the upper right of the home page, you get an at-a-glance overview of devices, users, apps and docs for a quick snapshot of your mobile environment. You can take action instantly with these icons for a one-click, efficient experience.

3.1.1.10 My Activity Feed

My Activity Feed provides a real-time timeline of every activity in your mobile environment in a Twitter-like fashion. You will see any recent additions, compliance events and updates, and can drill down into each of the activities to review status and take action. Compliance events will be highlighted in red for emphasis.

3.1.1.11 Device View

MaaS360 presents all of the data collected about a device in a single location called the Device View. Ideal for troubleshooting and help desk workflows, administrators can browse through Hardware Details, Apps Installed, Network Information, Security and Compliance Statistics and much more about a single device. Administrators can also create and populate custom attributes, such as whether the device is corporate or employee owned, to better align IT with business.

3.1.1.12 Device Actions

You can take actions on mobile devices with just a few mouse clicks. Depending on the type of device, the actions can include Locate Device, Send Message, Buzz Device, Lock Device, Reset Device Passcode, Selective Wipe (Restrict Device) and Wipe Device.

3.1.1.13 Device Security Policies

MaaS360 uses policies to keep your devices safe. They can be set up to enforce passcode settings, automatically lock the device if it has been idle for a specified time, to erase all data on the device if an incorrect passcode has been entered for a specified number of times, and more. Policies are automatically sent to the appropriate devices whenever the policies are updated. Users don’t need to be connected to the corporate VPN to get the updates; the policies are received over the Internet and automatically applied.

3.1.1.14 Persona Policies

MaaS360 supports persona policies that apply to a user rather than a device. All the devices an individual uses for work can be managed the same way, from passcode requirements to URL web filters. Policies seamlessly transition from device to device without any intervention to streamline the way you protect your organization's data.

3.1.1.15 Location-Based Policies and Geo-Fencing

MaaS360 provides the ability to locate devices using latitude and longitude coordinate mappings on Bing Maps with history/breadcrumb tracking. Used in conjunction with geo-fencing, you can dynamically assign location-based policies and geo-fencing rules, and take automated actions based on the physical location of the device.

Location-based policies can be specified with physical location (e.g. street address) or with network connection (e.g. Wi-Fi SSID). Specific policies can be automatically enforced when a device checks in or checks out of a location, or when it enters or leaves a geo-fenced area around a specified location.

3.1.1.16 Time-Based Policies

MaaS360 can assign time-based settings to group persona policies based on time of day and days of the week. Time-based policies are especially critical for organizations that have hourly employees, contractors and consultants to help avoid compensation complications when they access work information during off-hours on corporate-owned, personally-owned and shared devices.

3.1.1.17 Automated Compliance Engine

With MaaS360’s Compliance Engine, you can ensure that all mobile devices in your enterprise are in compliance with your organization’s mobile policies. If at any time a mobile user or device violates policy, MaaS360 detects the violation and takes automated action. The MaaS360 Compliance Engine enables you to create rules for mobile devices that can adapt to business needs. It looks for policy violations and dynamically takes prescribed actions if it sees non-compliant events.

3.1.1.18 BYOD Support

For Bring Your Own Device (BYOD) programs, MaaS360 gives you the confidence to support personal devices accessing your corporate network, email, applications, and documents. MaaS360 provides a robust set of BYOD management capabilities including a simplified over-the-air (OTA) device enrollment process, customizable acceptable use agreements, automated device approval, configuration and policy management based on device ownership, BYOD privacy settings, a self-service employee support portal, and selective wipe of corporate data.

3.1.1.19 Mobility Intelligence™ Reports and Dashboards

MaaS360 Mobility Intelligence provides executive and operational dashboards for your mobile organization. With a powerful analytics, reporting and action engine, MaaS360 delivers a whole new level of centralized, 360-degree visibility and focus for potential issues, asset tracking and simplified management. These reports and dashboards deliver real-time, interactive and graphical summaries of your mobile IT environment and security overviews. You can drill down to detailed reports and lists to take specific action, view detailed hardware and software inventory reports, examine configuration and vulnerability details, and filter by device ownership (corporate or employee), mobile OS platform (iOS, Android, Windows Phone, BlackBerry) and time frame (preset, custom). Email subscriptions are available for your favorite reports, so they are delivered to you in your preferred timeframes.

3.1.2 Mobile Application Management

MaaS360 provides an intuitive enterprise application catalog for iOS, Android, and Windows Phone devices that displays the apps available to users and allows them to install the apps quickly and easily. Public apps and in-house developed apps can be quickly added to the master enterprise catalog and distributed over-the-air to all users, groups of users or individual devices. You can specify if an app is required, allowed (whitelisted) or restricted (blacklisted), and MaaS360 can automatically take action if a device is out of compliance. It also delivers detailed reporting about app compliance events and any remediation actions.

MaaS360 Content Cloud gives you the option and capability of hosting and distributing your private enterprise apps in the Cloud on a globally optimized content distribution network. The MaaS360 Content Cloud reduces network load and increases performance for users.

MaaS360 supports the latest volume purchase programs (VPP) to manage bulk app licenses for employees. Organizations can now purchase bulk app licenses and automatically manage them in MaaS360. Administrators can distribute and install pre-paid apps without users needing to visit app stores. They can track provisioning, manage licenses, reclaim licenses for users who have left the organization or no longer need the app, and monitor compliance.

3.1.3 Mobile Expense Management

Mobile devices and applications use data more than ever before, many times without end user knowledge. MaaS360 allows IT administrators to set and configure different usage thresholds and policies that include both in-network and roaming usage. End users can be notified of approaching data usage thresholds, roaming status changes and more through an on-device client interface. MaaS360 provides organizations with reports at both the company and device level. Seeing current wireless plans and usage helps IT make effective decisions on data plan changes and allocations. MaaS360 also provides usage trending reports to show macro-level spikes and trends.

3.1.4 Laptop Management

Whether you’re optimizing your existing laptop management strategy or considering total enterprise mobility management to include smartphones and tablets, the challenges are the same: dealing with constantly changing users, devices and applications; preventing security risks and illegal information access; aligning user expectations; and asset management. Our long-running expertise in addressing these challenges for laptops and desktops has resulted in best practices that simplify IT management and eliminate risk for all enterprise assets. For nearly a decade, we have been helping IT to seamlessly provision, integrate, manage, secure, monitor and support mobile assets — in a single solution, from a single portal.

3.1.4.1 MaaS360 Device Management for Windows

MaaS360 Device Management for Windows delivers the Windows PC management functionality your IT staff needs to support the entire lifecycle. Managing Windows devices is now as easy as managing mobile devices from the same MaaS360 portal as for MDM. MaaS360 supports Windows XP SP3, Windows Vista, Windows 7, Windows 8+ and Windows 8+ Pro (including 32-bit and 64-bit where applicable) and Windows 10.

3.1.4.1.1 Gain visibility

MaaS360 shines a light onto hardware and software on Windows laptops, desktops, ultrabooks and tablets. A software agent runs continuously on managed devices for reporting and analysis.

• Hardware inventory
• Software inventory (including application types like Win32 or Windows Store applications)
• Status information about security applications:
  − Anti-virus
  − Personal firewall
  − Anti-spyware
  − Data encryption
  − Backup and recovery
• Operating system (OS) details
• Location history
• OS patch levels and information, including file size, severity level and how many of your users are missing each one

3.1.4.1.2 Take control

MaaS360 extends visibility to help IT manage Windows devices across the organization. Through a centralized console, IT managers can perform a number of actions with unified workflows:

• Enroll a device over the air (OTA)
• Locate the device
• Shutdown or restart the device
• Require a passcode to unlock the device
• Choose a service and stop, start or restart that service
• Wipe a hard drive if the device is lost or stolen
• Distribute packages containing documents or applications to increase employee productivity while keeping your data secure
• Configure patch settings to ensure devices have the latest security patches and updates
• Send a message to alert the user

3.1.4.1.3 Real-time security alerts and reports

MaaS360 highlights device status and key statistics in My Alert Center on the home page and in the Mobility Intelligence dashboards. At a glance, you can see where your Windows IT environment needs your attention in summary or detailed views.

• My Alert Center can be easily customized to monitor how many devices do not have encryption, are missing critical OS patches, are missing anti-virus software and much more
• Mobility Intelligence reports deliver interactive, graphical overviews of your device environment in real-time
  − PC overview
  − Hardware inventory
  − Network
  − Operating system
  − Software inventory

3.1.4.2 MaaS360 for OS X Devices

Delivered as a self-service solution for OS X device management, MaaS360 provides over-the-air enrollment, policy configuration, and visibility, control and reporting of your entire mobile IT environment — in a single solution, from a single portal for all your mobile devices. MaaS360 for OS X devices enables your IT staff to support the entire device lifecycle from the same portal as for MDM. You can gain up-to-the-minute information about devices, with no need for connectivity to the corporate network. MaaS360 supports OS X 10.5 through 10.11.

3.1.4.2.1 Gain insight

MaaS360 enables IT to gain significant insights about OS X devices critical to enabling a secure mobile environment. All this information is collected over-the-air (OTA) as soon as a device is enrolled.

• Hardware: model name, Apple serial number, memory, and processor information
• Security: anti-virus, encryption, personal firewall, passcode and missing OS patches status details
• Software: operating system information and a list of installed software
• Network: MAC address, Gateway and DNS servers details
• Location: last known location and location history
• BYOD Privacy Settings: restrict location and installed software information

3.1.4.2.2 Set and distribute policies

MaaS360 allows IT to securely configure and distribute policies over the air (OTA) to OS X devices. These policies help IT ensure minimization of security breaches while at the same time ensuring standardization across the mobile environments. Leveraging device groups further expedites secure provisioning of multiple devices at once thereby making employees productive from the word Go!

• Device Restrictions: user and group management; disable changing preferences for mail, sharing, bluetooth settings; restrict internal and external media usage; and enforce authentication for external media

• Security: enforce device passcodes, manage login window, ensure encrypted backups, enforce Gatekeeper for apps and certificate credentials for adding certificates

• Mail: configure email accounts remotely (IMAP, POP), configure Exchange ActiveSync settings, and restrict users from moving emails between accounts, eliminating the risk of corporate data leakage

• Secure Connectivity: push Wi-Fi profiles OTA, manage and push proxy settings and SSID auto-join and push VPN settings OTA for L2TP, PPTP, Cisco (IPSec, AnyConnect), Juniper, F5

• Miscellaneous: software update, server configuration, Energy Saver settings, and printer configuration

3.1.4.2.3 Perform remote actions

MaaS360 allows IT to take actions on OS X devices remotely, reducing the possibility of enterprise data leakage.

• Lock devices: locks at a BIOS level and can only be unlocked using a one-time passcode
• Remote wipe: wipe all data on device OTA
• Change device policies: can be changed remotely
• Remove OS X control: stop managing retired devices or those used by employees leaving your organization

3.2 MaaS360 Secure Productivity Suite

MaaS360 delivers a comprehensive set of cross-platform solutions to isolate and contain work emails, Web access and app data to prevent data leaks. MaaS360 Secure Productivity Suite provides a Dual Persona approach to separate personal and enterprise data in this BYOD era. It offers a Trusted WorkPlace container secured by FIPS 140-2 compliant, AES-256 encryption for a complete mobile security and productivity solution with strong data leak prevention (DLP) and consistent and seamless workflows on iOS, Android and Windows Phone devices.

This suite solves the challenge of how to best balance the needs of IT to maintain control and security, while providing end users a seamless and productive mobile experience. Available as a standalone solution without enrolling devices in MDM, it is ideal for BYOD programs or working with contractors, consultants and vendors to securely share and collaborate without needing to manage and control these devices. For businesses that need stringent security policy and compliance controls, such as those in the highly regulated healthcare and financial services industries, containerization can be especially helpful in making the BYOD experience more palatable for users.

With policies to control the movement of data, you can restrict sharing by users, forwarding of attachments, and copying and pasting. Devices that are lost, stolen or compromised can be selectively wiped to remove the secure container and everything in it.

This solution bundle includes MaaS360 Secure Mail, MaaS360 Secure Browser and MaaS360 Application Security.

Key Benefits:

• Safely and securely support Bring Your Own Device (BYOD)
• Separate personal and corporate data
• Reduce risk of sensitive data leakage
• Leverage single sign-on for authentication, and on-line and off-line compliance checks
• Wipe suite container, app containers, enterprise profiles or whole device
• Experience consistent and seamless workflows for iOS, Android and Windows Phone devices

3.2.1 MaaS360 Secure Mail

MaaS360 Secure Mail is an intuitive personal information management (PIM) app to contain emails, calendar and contacts on iOS, Android and Windows Phone devices to enable employees to securely collaborate with colleagues while preserving the mobile experience on their personal devices.

As a foundational component of the MaaS360 Secure Productivity Suite, it addresses key concerns of data loss risks. Through authentication and authorization, only approved, valid users can access sensitive emails and data inside a FIPS 140-2 compliant, AES-256 encrypted secure container. With policies to control the flow of data, you can restrict sharing by users, forwarding of attachments and copying and pasting. Devices that are lost, stolen or compromised can be selectively wiped to remove the secure email container, all attachments and profiles.

Other solutions secure email by intercepting the email stream, removing attachments and loading them in a separate application. This ultimately leads to disjointed user experiences between the native email client and standalone applications that may just provide document viewing.

MaaS360 Secure Mail works seamlessly within the MaaS360 Secure Productivity Suite to manage all emails, contacts, calendars, and attachments from one dedicated workspace on their mobile devices, no matter what devices they’re using or who owns them. You can put controls in place to manage this secure container that doesn’t affect the rest of the device so you can separate work from play.

• Secure emails (both text and attachments), calendars and contacts in a container to prevent data leakage on iOS, Android and Windows Phone devices

• Enable authentication and block unauthorized email access
• Conduct on-line and off-line compliance checks prior to accessing email
• Leverage FIPS 140-2 compliant, AES-256 encryption for data at rest
• View attachments directly in the app
• Control where files can be copied or moved
• Restrict forwarding, move to other apps, copy, paste, and screen capture
• Selectively wipe attachments, even outside of email
• Work in MaaS360 Secure Document Sharing to store, view, edit and share content
• Support cloud email, such as Office 365 and Gmail, because MaaS360 does not require an inline presence

3.2.2 MaaS360 Secure Browser

MaaS360 Secure Browser protects data and increases productivity by enabling secure access to corporate intranet sites and web apps without needing a device VPN, and by controlling access to public websites on iOS, Android and Windows Phone devices.

You can easily and securely mobilize your corporate intranet sites and networks, such as private SharePoint, JIRA, internal wikis and legacy ERP systems, with no device VPN required, to help make your employees more productive and efficient.

With customized blocking, real-time notification, exception and reporting options, it reduces the vulnerability your devices have to risky websites that may contain malware, violate HR policies or simply waste your users' precious time. MaaS360 empowers IT to allow or block websites and URLs based on a number of content categories, such as social networking, explicit or download sites.

In addition, specific websites can be allowed or blocked and granular data leak prevention controls, such as cut and paste, can be enabled. Native and 3rd party web browsers can be disabled either through app policy or blacklisting. Administrators can be alerted via email in real-time when violations occur and receive a comprehensive report and history of web browsing.

• Enable access to corporate intranet sites, network and internal web apps without device VPN (requires MaaS360 Mobile Enterprise Gateway for Browser)

• Provide an intuitive user interface that includes tabbed browsing, bookmarks, search, share and history—all the features your users expect

• Protect in real-time via interception of all browser traffic
• Define URL web filters and security policies based on 60+ content categories
• Block known malicious websites to prevent mobile malware
• Enforce whitelist website exceptions
• Restrict cookies, downloads, copy/paste, and print features to prevent data leaks
• Customizable blocking, real-time notification, exception and reporting options
• Seamless integration with MaaS360 MDM for easy enrollment and restriction configuration
• Disable native and 3rd party web browsers

It restricts or allows users to access websites based on categories you specify, including:

• Advertisements & pop-ups
• Anonymizers
• Botnets
• Chat
• Criminal Activity
• Dating & Personals
• Download Sites
• Entertainment
• Explicit
• Forums & Newsgroups
• Gambling
• Games
• Hacking
• Image Sharing
• Instant Messaging
• Malware
• News
• Peer-to-Peer
• Phishing & Fraud
• Shopping
• Social Networking
• Sports
• Streaming Media & Downloads
• And more

3.2.3 MaaS360 Mobile Application Security

Organizations are leveraging the power of mobile applications to transform their businesses now more than ever. They are developing their own applications and relying on third-party applications for enterprise use.

However, these enterprise applications are especially vulnerable to sensitive data leaks since they tap directly into corporate information systems and files. Before your organization deploys in-house developed and third party applications, they must be contained and secured.

MaaS360 Mobile Application Security enables a mobile application container with full operational and security management to protect against data leaks for iOS and Android devices.

You can enforce authentication, set up single sign-on across applications and configure data leak prevention (DLP) controls. Improve efficiency and safely support BYOD with app-level tunneling for secure access to corporate data, real-time compliance checks and automated enforcement actions.

Integrated with MaaS360 Mobile Application Management, you can use our simple App Wrapper to contain your enterprise apps. Take advantage of streamlined, one-window workflows right when you upload and deploy your apps in the MaaS360 platform. Just click on checkboxes to integrate security controls without modifying a single line of code.

Your organization or a third-party application developer can also leverage our Software Development Kit (SDK) to enable enterprise-grade security right in the application code. It is surprisingly easy to integrate, quickly adding containerization features to both private and public applications.

• Use a simple App Wrapper when deploying enterprise apps with MaaS360 Mobile Application Management (MAM) or a robust Software Development Kit (SDK) to integrate security right into app code

• Require user authentication against corporate directories before accessing apps
• Authorize access based on user role or department
• Enable single sign-on and set a timeout for single sign-on across your apps
• Block copy and paste, as well as local and cloud data backups for data leak prevention
• Restrict open-in controls to a set of whitelisted apps
• Enforce device compliance checks and file protection
• Alert administrators of violations and take automated actions in real-time
• Deliver and update policies remotely to the application container based on user and device security posture
• Configure app-level tunneling for secure access to corporate data without needing a device VPN (requires MaaS360 Mobile Enterprise Gateway for Apps)

3.3 MaaS360 Secure Document Sharing

Organizations of all sizes need a simple, scalable way to distribute, manage and secure documents on smartphones and tablets. Users need the productivity tools to view, edit and synchronize their content across iOS and Android devices.

MaaS360 offers a secure, encrypted container and productivity suite to distribute, view, create, edit and share documents on mobile devices, giving organizations the control they need and employees the access they demand. Users can now collaborate on content while reducing risks of data leakage on smartphones and tablets.

Each document can have its own security policy and be distributed to all users, groups, or individual devices, creating a highly personalized and compliant experience for each employee. And with workgroup-oriented roles, it’s easy for Marketing, Sales, Operations and Finance departments to use MaaS360’s secure mobile document sharing capabilities with optimized workflows and reporting.

Your organization can have simple, secure access to public, cloud file stores as well as private, behind-the-firewall business resources, such as SharePoint, Windows File Share, Box and Google Drive.

Users can securely view, create, edit and save Word, Excel, PowerPoint or text files on mobile devices. These files can then be automatically synchronized across managed devices, delivering an unprecedented level of productivity and efficiency. And all of this comes without compromising data security.

MaaS360 Secure Document Sharing is available as a standalone solution without enrolling devices in MDM. Ideal for BYOD programs or working with contractors, consultants and vendors, you can securely share and collaborate without needing to manage and control these devices.

MaaS360 Content Cloud gives you the option and capability of hosting and distributing your documents in the Cloud on a globally optimized content distribution network. The MaaS360 Content Cloud reduces network load and increases performance for users.

This solution bundle includes MaaS360 Mobile Content Management, MaaS360 Secure Editor and MaaS360 Document Sync.

Key Benefits:

• Protect corporate documents from data leaks with full containerization
• Increase employee productivity and satisfaction
• Safely and securely support Bring Your Own Device (BYOD)
• Separate personal and corporate data
• Centrally manage document distribution or leverage existing enterprise file stores
• Enable users to securely view, create, edit and save documents
• Perform a selective wipe of secure container and managed documents
• Experience consistent and seamless workflows for iOS and Android devices

3.3.1 MaaS360 Mobile Content Management

MaaS360 simplifies the secure distribution of documents to mobile devices by providing a simple-to-use mobile document container for secure content collaboration with a robust set of lifecycle management capabilities to distribute, update, manage and secure documents on iOS and Android devices. With a few mouse clicks, IT can upload, distribute and review distribution statistics for any corporate document right from MaaS360. The potential of corporate resources can be unlocked by integrating public SharePoint, Box and Google Drive to allow secure access to these document repositories anytime and from anywhere.

IT can restrict sharing of documents by sandboxing and containing them inside the MaaS360 mobile app, and configure data leak prevention policies to block copy/paste and open-in controls. For MaaS360 distributed content, administrators can specify an expiration date when the documents will be automatically removed from devices. Users are alerted when new or updated content appears in their document catalog without having to manually and continually check for updates. The enterprise document catalog allows users to browse and view documents in the most common content formats from Microsoft, Google and Apple, as well as PDF, web, video, image and audio files.

Native device encryption can be configured to ensure corporate data remains secure. Automated enforcement rules can be set for out-of-compliance devices including Alert Administrator, Alert User and Administrator, Block, Restrict Device and Wipe. You can view detailed reports of documents, users and devices of compliance events and remediation actions.

• Use a mobile document container for secure content collaboration on iOS and Android devices
• Access MaaS360 distributed content and file repositories such as SharePoint, Box & Google Drive
• Enforce authentication and view-only restrictions
• Configure native device encryption to secure sensitive data
• Specify automatic download and download only on Wi-Fi
• Work with all common file types including Word, Excel, PowerPoint, text and PDF formats as well as web, video and audio files
• Enable versioning and time-based expirations
• Restrict sharing, printing, copying and pasting outside of container
• Alert users on new or updated content
• Hide document preview and prevent deletion after download
• Apply device compliance checks and automated compliance enforcement actions
• Receive real-time alerts of compliance violations
• View in-depth reporting on documents, users and devices to monitor status and usage
• Host documents on MaaS360 Content Cloud for centralized distribution

3.3.2 MaaS360 Secure Editor

Take mobile collaboration and productivity with your employees to a whole new level with MaaS360 Secure Editor. MaaS360 Secure Editor is an office productivity app to create, edit and save documents on iOS and Android devices. It is designed with all of the features your users expect when editing files and documents.

MaaS360 Secure Editor works seamlessly with the MaaS360 document container to control the sharing of documents and prevent data leaks. Newly created and edited documents can be shared securely with MaaS360 Secure Mail and integrated corporate file shares.

• Create, edit & save content in a secure, encrypted container
• Collaborate on Word, Excel, PowerPoint and text files
• Change fonts, font size & color
• Insert images, camera photos, links, shapes, tables & more
• Perform searches within documents
• Share seamlessly with MaaS360 Secure Mail and to corporate file folders

3.3.3 MaaS360 Document Sync

MaaS360 Secure Document Sync enables users to easily and securely synchronize content across managed iOS mobile devices, delivering an unprecedented level of productivity and efficiency. And all of this comes without compromising data security, because documents are contained and stored securely, both in the cloud and on the device, and accessed only via the MaaS360 document container.

Admins can ensure that security policies, such as restricting copy/paste, and blocking content from being opened or shared in other apps, are in place for user content across devices to prevent data leaks.

• Synchronize user content across managed devices
• Restrict copy/paste outside of the container
• Block documents from being opened in unmanaged apps
• Store content securely, both in the cloud and on devices
• Requires the purchase of MaaS360 Mobile Content Management

3.4 MaaS360 Mobile Enterprise Gateway

MaaS360 offers simple, secure access to behind-the-firewall business resources, such as SharePoint, Windows File Share, intranet sites and databases, all without requiring changes to your network, firewall security configuration or device VPN.

MaaS360 Mobile Enterprise Gateway enables collaboration on the go while securing your content with authorization, encryption and containerization policies. It's simple to set up, configure and maintain without additional hardware in your IT environment.

Users can access, view and share corporate content from SharePoint, Windows File Share and more through the MaaS360 Secure Document Sharing or MaaS360 Secure Browser on their mobile devices. The data is secured in an encrypted container with data leak prevention controls.

This solution bundle includes MaaS360 Mobile Enterprise Gateway for Browser, MaaS360 Mobile Enterprise Gateway for Docs and MaaS360 Mobile Enterprise Gateway for Apps.

Key benefits:

• Collaborate on documents anytime, from anywhere, whether on corporate or personally-owned iOS and Android devices

• Enable secure mobile access to corporate data without device VPN
• Provide access without requiring changes to your network or firewall security configuration
• Mobilize SharePoint, Windows File Share and all of your Intranet sites
• Securely unlock the potential of intranet sites and internal apps such as JIRA, internal wikis, knowledge bases, legacy ERP systems and more using the MaaS360 Secure Browser
• Protect sensitive corporate data with robust security policies, including authorization, encryption and DLP controls

3.4.1 MaaS360 Mobile Enterprise Gateway for Browser

MaaS360 Mobile Enterprise Gateway for Browser delivers access to enterprise intranet, internal web sites and legacy web apps without requiring a full device level VPN connection on iOS and Android devices.


• Enable MaaS360 Secure Browser to access enterprise intranet sites, web apps and network resources
• Access data and information seamlessly and securely without needing a VPN session on mobile device
• Protect data with robust security policies and DLP controls
• Requires purchase of MaaS360 Secure Browser

3.4.2 MaaS360 Mobile Enterprise Gateway for Docs

MaaS360 Mobile Enterprise Gateway for Docs allows mobile devices outside of the enterprise network secure and seamless access to internal file stores without requiring a full device level VPN connection on iOS and Android devices.

• Enhance MaaS360 Mobile Content Management with secure access to internal files and folders from private SharePoint, Windows File Share and other network folders
• Retrieve enterprise documents without needing a VPN session on mobile device
• Protect data with robust security policies and DLP controls
• Requires purchase of MaaS360 Mobile Content Management

3.4.3 MaaS360 Mobile Enterprise Gateway for Apps

MaaS360 Mobile Enterprise Gateway for Apps enhances enterprise apps with seamless access to internal data and resources through a secure in-app VPN tunnel without requiring a full device level VPN connection on iOS and Android devices.

• Enable and distribute private apps with secured enterprise data
• Add in-app VPN to MaaS360 Mobile Application Security to integrate behind-the-firewall data in enterprise apps
• Incorporate enterprise data without a device VPN session
• Requires purchase of MaaS360 Mobile Application Management and MaaS360 Mobile Application Security


4 MaaS360 UMM SaaS

Built on a mature architecture that is multi-tenant, fully redundant, secure, and on-demand, MaaS360 Cloud delivers instant access to a comprehensive cloud-based mobile management and security platform.

Millions of devices are managed and secured on MaaS360 Cloud with the performance, reliability and scalability that enterprise customers expect. Continuous feature updates are available instantly with no ongoing maintenance and you can effortlessly scale deployments as there are no infrastructure limitations.

Cloud Security

• First and only AICPA SOC-2 Type II compliance since 2007
• First and only Mobile Device Management vendor to receive FISMA Authority to Operate
• First certified CyberScope data feed vendor for the Federal Government
• FIPS140-2 Compliant (Federal Information Processing Standard Publication 140-2)
• Licensee of the TRUSTe Privacy Program
• Compliance with the EU Safe Harbor framework
• Only UMM vendor on the Cloud Security Alliance’s Security, Trust and Assurance Registry (CSA STAR)
• FEDRAMP certified
• Co-chair of the CSA Mobile Working Group drafting standards

Everything You Should Expect from a Cloud Solution

• Fully redundant architecture, geographically load balanced
• Logical, physical, and network level security
• Disaster recovery and automatic backups
• Rigorous audits and certifications to meet highest standards

Mobility Management Made Easy

• Enroll devices in 3 minutes with our free 30-day trial (not 2 days like most “cloud” vendors)
• Trial is your live environment. No need to re-enroll devices
• Seamless integration with your existing infrastructure
• Effortless scalability that grows with your needs
• Continuous updates available instantly
• Launch day support for new devices and mobile OSs


4.1 MaaS360 Cloud Security Details

4.1.1 Data Center Redundancy

Redundancy and high availability are critical components of any managed service offering. IBM utilizes multiple Data Centers spreading out critical systems throughout each of these locations. Data replication takes place between the locations, and each location has ample bandwidth to ensure that they can handle increased traffic volume if any one of the Data Centers goes offline.

4.1.2 Physical Security

IBM has Data Centers both in-house and at co-location facilities. We rely on the co-locations’ physical access controls, which include manned security, biometric access controls and video surveillance. IBM reviews the co-location facilities’ SAS-70/SOC-2 reports annually to ensure they maintain the same high-level standards we expect. IBM utilizes their environmental components like power, gas-based fire suppression and HVAC. The network connectivity, hardware, and software are controlled and managed by IBM.

IBM’s in-house Data Center utilizes several physical security techniques, including restricting access to sensitive areas of the building (such as the Data Center) by Key Fob access. All ingress points to the building are also monitored by cameras so all activity is recorded. Authorization is given only to people with a direct requirement to access sensitive areas, and only after a security team review. Visitors are not allowed into sensitive areas without being accompanied by an authorized IBM employee. All access gets logged automatically via the security access system. Access and video logs are reviewed regularly as part of IBM’s overall compliance standards.

IBM protects its infrastructure by using a fire suppression system that protects the entire Data Center and power room. In case of a utility power failure, power to the Data Center can be maintained for long durations by use of an onsite power generator. The entire Data Center is also supported by UPS systems for power conditioning, and a maintained level of power during any transition from utility power to generator.

Audible as well as silent alarms are triggered in case of fire or unauthorized access to sensitive areas of the building. In the case of a utility power failure, alarms are triggered and monitors immediately activated to check the load and stress on the backup power systems.

IBM has assigned asset tags to all hardware. A database of that information is kept for all equipment. Network monitoring is also in place, which assists in the maintenance of the inventory. The database is reviewed periodically by a physical walk-through to ensure all equipment is accounted for. Cameras are also in place at all egress points from the Data Center. All mobile equipment is equipped with lockdown hardware.

4.1.3 Network Security

IBM implements various types of monitoring and alerting on all systems, which notify the Operations staff of unusual activity. Systems are also in place to alert the Operations staff of utilization thresholds. Automated systems for alerting are supported by a periodic review of system logs.

To protect against malicious or accidental intrusion, IBM uses both network and host-based intrusion detection probes throughout the network. IBM implements a multi-layer security approach with routers and firewalls protecting the perimeter of the IBM networks. Firewalls and router access lists are also in place to segment the network into different departments. Content scanning of various types of traffic is performed and filtered in accordance with IBM’s internal network usage/security policy. Anti-virus software is also deployed to servers and workstations. The anti-virus definitions are maintained, controlled and updated using a central anti-virus server within IBM.


4.1.4 Customer Data

IBM goes to great lengths to protect its customers’ information. The MaaS360 platform only collects information necessary to generate reports specific to the functionality of the endpoint. IBM limits its collection of information to only pieces needed to adequately support our customers.

All information is transmitted over SSL3.0/TLS1.0 with certificates from DigiCert using FIPS140-2 compliant encryption modules. This includes administrative access to the portal through a web browser and communication between devices and the portal backend. In addition, information that is backed up to tape is encrypted at the hardware level, also adhering to FIPS140-2 requirements.

IBM has implemented its cloud service networks separately from the IBM corporate network to ensure the highest level of confidence in the integrity of the customer information. Both physical and digital access to the customer network is highly controlled and under constant scrutiny by IBM security to ensure constant and consistent compliance that exceeds industry standards. Information gathered and stored from the customers’ mobile devices is kept in databases with security controls in place to prevent unauthorized people from viewing the information.

All servers in the IBM cloud services networks are managed by IBM Operations staff. We do not have any devices in our production network managed by a third party. All of the IBM networks are fully switched to help with traffic flow and minimize the risk of network snooping. The customer networks are also segmented internally so administrative traffic, backup traffic, customer traffic, etc. are all on different network segments.

4.1.5 System and User Account Administration and Management

IBM employees go through background checks at varying levels depending on their role in the company. IBM has an administrative review team that assigns, revokes, and controls all aspects of user and administrative accounts on the network. There are controls in place that ensure the users’ passwords meet specific requirements including strength and expiration periods. Controls are also in place to handle sequential bad password attempts. A quarterly review is performed by management to ensure that all employees have the appropriate level of access to systems and resources.

4.1.6 Disaster Recovery/Business Continuity

IBM has designed its networks in a distributed and redundant manner down to the server level. Along with multiple redundant Data Centers capable of handling the volume of traffic from any other Data Center, IBM has implemented a detailed disaster recovery plan, which includes information about specific server requirements as well as documentation on how to recover or rebuild systems if needed.

IBM performs tests of its disaster recovery plan to ensure proper procedures are maintained and personnel understand steps that will need to be taken in the event of a disaster.

Along with the technical means of being able to sustain functionality and recover from disasters, IBM has taken into account business functionality beyond the Data Center by ensuring our personnel can work remotely in the event they cannot get to the office. As part of this overall business continuity plan IBM has written a pandemic readiness plan including educational awareness of possible pandemic threats as well as technical awareness of what to do in the event of a local, regional or global pandemic outbreak.

IBM also has a disaster readiness and business continuity team which meets regularly to review the latest threats and risks to IBM’s networks. This team walks through possible disaster scenarios and specifies how IBM will react, from system and data recovery to customer notification.

4.1.7 Audits/Compliance

IBM recognizes that as a trusted provider of security and secure mobility services it must meet high standards of operational security.

SOC-2 TYPE II


In 2011 the AICPA changed their auditing standards, retiring the SAS-70 standard. In its place, IBM has adopted the SOC 2 Type II audit as the standard going forward. IBM had Ernst & Young perform our first SOC 2 assessment in 2011 with positive results. The SOC 2 audit covers security, availability, processing integrity, confidentiality, and privacy.

SAS-70 TYPE II

IBM has had favorable SAS-70 Type II audits performed against its operational processes and controls annually since 2007. IBM set forth with a set of control objectives around software development, change management, physical and logical security controls and overall computer operations. The auditor’s report indicates, "...in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved..." indicating that our procedures satisfy the expectation of the auditors. The report goes on to read, "In our opinion, the controls that were tested, as described in Section II, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section II were achieved during the period...", indicating that the effective operational processes follow through on our documented procedures to a satisfactory level for the auditors.

FISMA Authority To Operate (ATO)

MaaS360 by IBM went through the C&A process in 2011 to become FISMA certified. MaaS360 was chosen by GSA (General Services Administration) as one of three cloud service providers to go through the certification process. The process included an audit showing adherence to the NIST SP800-53R3 guidelines. IBM went a step further and asked the auditors to also include the proposed FedRAMP requirements, which are special additions to the NIST guideline specifically for cloud service providers.

In addition to the overall audit, IBM has to give quarterly updates to GSA showing Continuous Monitoring of our systems as well as audits and penetration tests.

CyberScope

In addition to having an Authority to Operate for the Federal government, IBM has also gone through the process of being a certified CyberScope data feed vendor for the Federal government. MaaS360 by IBM is able to export XML feeds that comply with the SCAP requirements of the Federal government, allowing Federal agencies to comply with the government mandate of continuous monitoring using the federal CyberScope tools.

TRUSTE EU Safe Harbor

IBM is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent organization whose mission is to build users’ trust and confidence in the Internet by promoting the use of fair information practices.

Security Policies Modeled on ISO 27001 and NIST Standards

IBM’s security policies are based on the ISO 27001 standard. The ISO standards are recognized throughout the world as comprehensive and thorough sets of controls comprising best practices. IBM developed these policies in conjunction with an outside vendor to ensure the most comprehensive coverage of our business practices.

In addition to ISO 27001, IBM reviews the NIST (National Institute of Standards and Technology) Federal Information Processing Standards (FIPS) and Special Publication (SP) 800 series. IBM enhances its security policies by implementing components of the NIST SP800-53 guideline that are relevant to its business. IBM has also adopted the recently published standard from NIST regarding Risk Management Framework, NIST SP800-37.

Vulnerability Assessments and Penetration Audits

IBM employs an independent third party to perform quarterly vulnerability assessments against the company’s networks. The firm assesses the security of all production locations, the corporate network, as well as the development and QA networks. The results of the quarterly assessments are reviewed and remediated as quickly as possible. IBM selects a different vendor each year. Past vendors include SunGard Professional Services, BT-INS, ETSec, SMART and Associates, Stach & Liu, among others.

Along with vulnerability assessments, IBM employs an independent third party to perform more intensive penetration tests against our networks and our service offering. These audits range from black box style, where the auditor has no prior knowledge of our infrastructure or defense mechanisms, to much more focused white box tests, where the auditor is given information pertaining to the target and potentially privileged access to the system in an effort to break through boundaries similar to those that a customer may have.

Software Code Audits

IBM works with experts to perform security audits of its software code. IBM has had line-by-line code-level audits performed by the IBM Internet Security Systems X-Force research team. This audit included line-by-line source code reviews and penetration assessments against IBM’s platform and client software.

IBM also has penetration tests against various components of our applications performed by third party auditors for major and select minor releases. Results from these penetration tests are taken back for review and remediation by our development team.