This discussion has been locked.

SMC Container based installation, no supervised - Company WLAN

Hello *,

We plan to roll out the SMC MDM solution on approximately 20 mobile devices.

First of all, we decided to standardize the company mobile devices on the iOS platform for a homogeneous infrastructure.

As far as I know I have two possibilities to manage the MDM. First "container based" (additional applications with a secure "sandbox" area) and second "supervised" (a completely managed device).

The colleagues prefer to use only one device - on the "private" side a lot of non-business and insecure apps, on the business side the Sophos standardized secure apps / business data and email sync in the sandbox.

My question: Is it possible to activate and deactivate the company WLAN connection when the user starts / ends the Sophos applications? (Reason: I don't want an active company WLAN connection on the private side.)

BR

Patrick



  • Hello Patrick,

    I don't think that this is possible.

    You can set an option that only allows the Container apps to be used when connected to specific WiFi networks.

    For your case, Sophos Mobile would have to check the device status every second to recognize if there's a private app running.

    What if someone starts e.g. Sophos Container, then WhatsApp (private) and then the Container app again within a few seconds? WiFi would turn on, turn off and on again?

    You can create a policy that checks device status based on the installed apps, but not for the currently opened apps.

    I hope you understood what I tried to tell you - I'm not writing in English very often.

    If you have further questions, ask them.

     

    Regards

  • Hi Matthias,

    thanks for your quick reply...

    I fear that...

    Up to now I have asked myself why a container-based installation is generally possible?

    Is anybody here who has implemented a similar MDM solution?

    If yes, how have you managed the data connection of the MDM devices? With a separate MDM WLAN? Guest WLAN?

    Regarding this topic, how does the "SMC data workflow" between the company devices work (data flow)?

    Or is the idea of an implementation of a container-based MDM completely bulls**t??

    BR

    Patrick ;)

  • Hello Patrick,

     

    Even though I did not understand completely what you would like to do, I'll try to explain my way of MDM usage.

     

    We do have a separate WiFi for our smartphones and tablet PCs. The WiFi settings are pushed onto the devices via MDM.

    We do not allow private usage of our smartphones, so I don't have to think about insecure apps or private data on the devices. Allowed apps are published as APK files or through the managed Play Store.

    The use of a container-based solution is best for devices that are allowed to be used for private belongings. You can deny the export of data from the container to the device by policy.

    If you could explain what you mean by "SMC data Workflow", I can try to give you an answer.

  • If you have a supervised MDM device, it is not "really" necessary to set up a separate network scope, because you already have a secure and fully managed network member...

    Sure, you have the possibility to manage the data flow between the network scopes, set up a dedicated DHCP server, a better overview of your devices and so on... Very good points, and it sounds good to me as well.

    The primary problem that I have is that the users already have the smartphones and tablets in use (with tons of applications and configurations), and in addition to this "private" side I have to roll out the MDM system....

    With the "SMC data workflow" I mean the data transfer between standardized applications (like Secure EMail, Secure Workspace), not additional *.apks...

    My proposal / fear - if I set up a dedicated network for the MDM devices with SMC MDM container-based installations, I have to unblock different ports (TCP / UDP) to the internal MDM server and / or Exchange server so that the SMC apps work.

    What's your opinion? Is it completely impossible that the applications on the "private" side of the smartphone !!!within the same network scope!!! don't compromise the internal network?!

    From my point of view (but I am a newbie) - I think not... ;)

     

  • Now I understand your problem.

    I would NEVER let a device with private and unmanaged apps be a member of my network. For those cases (and guests) we have a separate WiFi network.

    You can control the data workflow between the container apps like e.g. that mail attachments can only be opened in Secure Workspace and not in external viewers.

    Are the devices the private ones of the employees or were they bought by your company? If bought by your company you could set up a policy that includes a list of apps which are generally forbidden to use on those smartphones...maybe?

    How do you manage the devices and the mail accounts on them at the moment?