AirWatch Secure Email Gateway versus MobileIron Sentry

davymcaleer

Joined: Nov 5, 2012

Wondering if anyone has an overall view or opinion on the use of email security technology in the case of a hosted environment and in a local installation?
AirWatch seem to have a method of controlling access to corporate email, presumably setting email access on or off at the Exchange server by sending PowerShell commands, while MobileIron have gone for a full proxy sitting in front of the email server. AirWatch are more hosted-based than MobileIron - but with these approaches I can see areas of contention with IT admins in the Enterprise - either having a full proxy sitting in front of their valuable mail server or having an externally hosted platform sending non-read-only commands to their Exchange/Domino servers.

For those of you deploying hosted or onsite systems and the differing ways of adding security to your environments - do you mind these approaches or is this not an issue in your view?

Cheers for your thoughts
Davy

rsun

Joined: Apr 4, 2012

We currently use MobileIron

We currently use MobileIron Sentry to front-end our server and the one negative thing I found is that we seem to take some performance hit when compared to the device directly hitting our mail server through the ActiveSync protocol. What's interesting is that this seemed to be an iOS-only issue, while for Android devices it was still very quick.

However, I still prefer this over directly connecting so I can put all the security in one place to look at it.

I don't have much experience with AirWatch and this going direct, did you learn of anything new?

Brendan Main

Joined: Jan 24, 2011

MobileIron Sentry

davymcaleer wrote:

Wondering if anyone has an overall view or opinion on the use of email security technology in the case of a hosted environment and in a local installation?
AirWatch seem to have a method of controlling access to corporate email, presumably setting email access on or off at the Exchange server by sending PowerShell commands, while MobileIron have gone for a full proxy sitting in front of the email server. AirWatch are more hosted-based than MobileIron - but with these approaches I can see areas of contention with IT admins in the Enterprise - either having a full proxy sitting in front of their valuable mail server or having an externally hosted platform sending non-read-only commands to their Exchange/Domino servers.

For those of you deploying hosted or onsite systems and the differing ways of adding security to your environments - do you mind these approaches or is this not an issue in your view?

Cheers for your thoughts
Davy

Hey Davy,

MobileIron is the only MDM vendor that has actually put some hard work into ActiveSync security.

The reason is, they have 2 versions of MobileIron Sentry:

- Standalone Sentry
Reverse ActiveSync proxy server that now has the ability to pass through client certificates and also do Kerberos constrained delegation, as well as other normal things like auto-blocking un-registered devices or any device that breaks any policies you have set up.

Standalone Sentry is mainly used for Exchange 2003 and Lotus Notes, because Exchange 2007 through to hosted BPOS-D (which MobileIron were also the first to be able to integrate with) uses MobileIron Integrated Sentry.

- Integrated Sentry
Small 5MB application that can run on any Windows server as a service in your environment, and will connect to Exchange 2007 --> hosted BPOS-D (Office 365 support out very soon) via Windows PowerShell to query Exchange and request all information about the devices connecting to Exchange via ActiveSync.

This way you don't have another server in the traffic flow of ActiveSync but you can apply the same level of extra security over ActiveSync.

You can also then get a holistic view of all devices that are and have ever connected to your Exchange environment and if you wanted you could turn on auto-block un-registered devices and this would automatically block all devices that aren't registered in the MobileIron VSP server.

Also MobileIron Sentry blocks on the device hardware information, so if you have a few devices and only one of them breaks policy and the compliance action is to block ActiveSync, then only that specific device that broke policy will be blocked.

MobileIron also have a free iPad application called MobileIron Sentry which connects to the MobileIron VSP server and will graphically show you all ActiveSync devices that are registered, unregistered, blocked or allowed to connect via ActiveSync.
From this application, an administrator can allow or block from connecting via ActiveSync, wipe or register a device that is registered or un-registered.

MobileIron also have a lot better MAM than any other MDM vendor as well, which you will see from MobileIron coming soon and which will also utilize their Sentry Standalone server, but for NDA reasons I can't reveal it on this forum.

Hope this helps, but as always MobileIron has been the number 1 MDM for the past 2.5 years and won't be changing anytime soon as they were just awarded number 1 position in the latest Gartner MDM report for 2012.

rigocalin

Joined: Sep 9, 2015

Don't even think to use MobileIron...

Hi,

We have MobileIron implemented for about 20K devices with about 20 Appliances around the world and let me tell you this:

The High Availability for the Cores is a bad joke.
- In case of automatic failover you lose data!!
- For a failover in case of maintenance you either have downtime or lose data again!! Either way you still have admin console downtime...

For the Sentries (gateways for email and app micro-VPN) there is no High Availability built in..period.

The DBs are hosted on a closed/black box...
There is nothing you can do when you proceed to do a minimal upgrade and it fails..happened at least 5 times now.

If you define some "admin spaces" to delegate devices to some admins based on whatever, once it is created you can only delete it...no option to edit this... Oh and do not dare to name it identically...or you may crash the thing.

The previous upgrade caused Android devices to have all apps unassigned because a programmer did not include any login for the core to handle cases where you may have multiple versions of the same app in the app distribution library..
And it only took them about a week to find the problem...
The support is so bad...you are advised/encouraged to buy support from vendors....extra time for solving a problem.

And the list goes on..

For AirWatch (we tested it for a while also but management decided to go for MI instead because....) the short experience we had with it seems way better and more flexible in almost all aspects.

rigocalin

Joined: Sep 9, 2015

AirWatch uses SEG (Secure Email Gateway)

davymcaleer wrote:

Wondering if anyone has an overall view or opinion on the use of email security technology in the case of a hosted environment and in a local installation?
AirWatch seem to have a method of controlling access to corporate email, presumably setting email access on or off at the Exchange server by sending PowerShell commands, while MobileIron have gone for a full proxy sitting in front of the email server. AirWatch are more hosted-based than MobileIron - but with these approaches I can see areas of contention with IT admins in the Enterprise - either having a full proxy sitting in front of their valuable mail server or having an externally hosted platform sending non-read-only commands to their Exchange/Domino servers.

For those of you deploying hosted or onsite systems and the differing ways of adding security to your environments - do you mind these approaches or is this not an issue in your view?

Cheers for your thoughts
Davy

I have posted on MI but remembered something from testing AirWatch also.

They have a Secure Email Gateway solution that was sitting in line between clients and Exchange servers.
It was easily scalable to match your needs.
The SEG was cross-checking the device EAS ID to the managed devices and based on the compliance checks was taking actions (allow/deny).

MobileIron's solution works in the same way. It acts as an authenticating reverse proxy and has a URL rewrite to replace the SEG/Sentry URL with the EAS server URL and vice versa.

Not that complicated.
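
The device-ID cross-check and URL rewrite described in this post, sketched as an added example that is not part of the original thread and is not AirWatch or MobileIron code. The inventory, host names and the extra device-to-user binding are assumptions; only the plain-text ActiveSync query form is parsed, and anything else is denied.

```python
from urllib.parse import urlsplit, parse_qsl

EAS_PATH = "/microsoft-server-activesync"
BACKEND_HOST = "exchange.internal.example"   # hypothetical EAS server behind the gateway

# Constructed MDM inventory keyed by EAS device ID (upper-cased).
MANAGED_DEVICES = {
    "APPL0123456789AB": {"user": "alice", "compliant": True},
    "ANDROID9F8E7D6C": {"user": "bob", "compliant": False},
}


def decide(request_url, inventory=MANAGED_DEVICES):
    """Return (action, reason, upstream_url) for one ActiveSync request URL."""
    parts = urlsplit(request_url)
    if parts.path.rstrip("/").lower() != EAS_PATH:
        return ("deny", "not an ActiveSync request", None)

    # Collect parameters case-insensitively and reject repeated keys, so the
    # gateway and the mail server cannot disagree about which value counts.
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        key = key.lower()
        if key in params:
            return ("deny", "repeated parameter: " + key, None)
        params[key] = value

    # DeviceId and User are supplied by the client: this is an inventory
    # match on top of normal authentication, not a replacement for it.
    device_id = params.get("deviceid", "").upper()
    user = params.get("user", "").lower()
    if not device_id or not user:
        return ("deny", "missing DeviceId or User", None)   # fail closed

    device = inventory.get(device_id)
    if device is None:
        return ("deny", "device not registered", None)
    if device["user"] != user:
        return ("deny", "device registered to another user", None)
    if not device["compliant"]:
        return ("deny", "device out of compliance", None)

    # Allowed: swap the gateway host for the EAS server, keep path and query.
    upstream = parts._replace(netloc=BACKEND_HOST).geturl()
    return ("allow", "registered and compliant", upstream)
```
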
