According to 2022 research by Gartner on Unified Endpoint Management Tools:
By 2027, unified endpoint management (UEM) and digital employee experience (DEX) tools will converge to drive autonomous endpoint management, reducing human effort by at least 40%.
By 2025, more than 90% of clients will use cloud-based UEM tools to manage the majority of their estate, up from 50% in early 2022.
Increased acceptance of remote or hybrid work models replace traditional in-office work and forces clients to look for tools that can help them with solving challenges like patching and managing corporate-owned endpoints, especially for remote employees. This highlights the increased importance of UEM and related tools in enabling remote and hybrid work where integration with endpoint analytics and endpoint security services help building proactive and resilient defences for endpoints.
Among the UEM leaders are Microsoft with their Intune and Endpoint Manager products, VMware with the Workspace ONE platform and Ivanti with Neurons for Unified Endpoint Management. But clients also consider alternatives like #IBM Security #MaaS360 in order to address specific business needs and IT ecosystems.
Oftentimes proper implementation of UEM products is further complicated by requirements to migrate resources like identities, mailboxes etc., between cloud providers or from on-premises to the cloud. And this was the case with a recent project we had where we were tasked with upgrading and reconfiguring existing IBM MaaS environment to ensure smooth mailbox migration from an on-premises Exchange organisation to Microsoft Office 365 Exchange Online services while ensuring an uninterrupted mobile device management.
Key MaaS360 Components
MaaS360 Email Access Gateway (EAG) is a reverse proxy solution that is typically deployed in DMZ. EAG exposes an external interface to the internet for all mobile devices to connect to. This interface serves as a hostname for ActiveSync connections from email clients. EAG handles all ActiveSync traffic from mobile devices on the internet before the traffic is forwarded to corporate email servers.
MaaS360 Cloud Extender is a lightweight agent that enhances device management capabilities by integrating with on-premises systems within the environment, such as email, corporate directories, certificate authorities, application, and content servers. It requires minimum resources and easily traverses proxy environments to provide secure messaging and data transfer between the MaaS360 platform and on-premises systems.
MaaS360 Cloud platform is a SaaS enterprise mobility management (EMM) platform that provides visibility and control of smartphones and tablets in the enterprise.
MaaS360 Mobile Enterprise Gateway (MEG) module provides simple, seamless, and secure access to behind-the-firewall information resources for device users beyond implementing a new VPN-like technology.
MaaS360 Secure Mobile client protects the content of corporate email messages, calendar, and contacts.
Project Objectives
The goals of the project were defined based on the below needs and challenges, and also by considering the current and future IT landscape of the client.
Business needs:
Cost optimisation.
More adaptable business applications.
Increased productivity.
Increased security.
Customer challenges:
Lack of specific technical expertise to support MaaS360 changes.
Prerequisite for ongoing mailbox migration to the cloud and O365.
Implementation Approach
Key step in any project is planning. We use a simplified approach utilising a few key phases to deliver at expected quality and with minimum interruption to end users.
Discover & Design
Discovery of MaaS360 environment.
Discovery of on-premises Exchange, Microsoft 365 environments and related integration points with MaaS360.
Gathering configuration details of MaaS360 components:
Cloud Extenders.
Email Access Gateway appliance deployed as a proxy for ActiveSync.
MaaS360 Portal details and policies.
Produce an assessment document highlighting key upgrade points and requirements.
Identify all dependencies e.g., applications, services, processes etc.
Run Cloud Extender Scaling tool to estimate and validate current environment sizing and future requirements.
Build a high-level plan for MaaS360 upgrade and integration with Exchange Online.
Align prerequisites and implementation activities with customer SPOCs.
An overview of the environment before any activity took place:
Build & Integrate
Upgrade existing Cloud Extenders used for integration with Exchange along with all modules to the latest stable version.
Upgrade Email Access Gateway (EAG) to the latest stable version.
Install and configure new Cloud Extender used integration with O365.
Test and validate each step with test users and mailboxes.
Update MaaS360 configuration for Exchange Online:
Configure a new Persona Policy for Exchange Online with Modern Authentication enabled.
Create an Azure AD application used for modern authentication with permissions to access user mailboxes via Exchange ActiveSync.
Configure an auto quarantine policy on Cloud Extender for Exchange Online.
Test and validate with migrated user mailbox from Exchange on-premises to Exchange Online.
Here is how the transition to Office 365 with MaaS365 looked like:
Clean-up & Handover
Validation of all requirements and user scenarios.
Removal of unneeded components and modules.
Knowledge transfer on “How to use new services” aligned with ongoing mailbox migration.
Hypercare support post upgrade and migration.
The end result is a simplified architecture consisting of mostly cloud components:
Technical Aspects Requiring Special Attention
During Email Access Gateway (EAG) upgrade some key settings are reset to default values. Without a plan and preparation this behaviour results in users getting blocked. So having a backup of the configuration is a must prior to any update/upgrade activities. Disabling Security Verify access policies “max-login-failures" and “disable-time-interval” are some of the considerations you need to make.
When updating MaaS360 configuration for Exchange Online to use modern authentication, make sure that Secure mail clients connect directly to Office 365 instead of going through the EAG.
Did you know? MEG and VPN are the only modules which cannot be upgraded automatically. This is because of active browser sessions against Mobile Enterprise Gateway (MEG) and MaaS360 VPN that might cause service interruption. MEG is upgraded as a part of the Cloud extender upgrade process.
Do not forget! When you perform mailbox migration from Exchange on-premises to Exchange Online in a MaaS360 environment, you have to configure new policies for migrated users.
Conclusion on MaaS360
We have managed to address customer's challenges amid the ongoing mailbox migration to the cloud which helped them retain the level of security on their mobile device fleet. MaaS360 upgrade was completed during the preparation for mailbox migration along with respective optimisation, fine tuning, and testing. It allowed the customer to kick off production migrations to the cloud without impacting schedule.
Contact us if you are considering a mobile device management solution based on Microsoft Intune, IBM MaaS360 or other.
Commentaires