Pulse Secure PulseWorkspace
Strengths: Solid endpoint security deployment for mobile devices. Preserves the user experience and does not interfere with typical device use while still protecting data.
Weaknesses: We would like to see a bit more MDM implemented.
Verdict: If your organisation allows mobile devices – especially BYOD – take a close look at this one. It can prevent a lot of pain.
PulseWorkspace is just for mobile device endpoints. It functions on iOS or Android and, as we are seeing more frequently, it depends on containerisation. This is a cloud offering and is policy controlled. The management console is web-based and user instances are role-based. Apps to be protected are selected by the administrator. These then are placed into the containerised workspace and are not modified, ensuring that the user experience is uniform whether or not the application is containerised. Once policies are provisioned on a device, host checking is performed at the Pulse Connect Secure gateway to ensure that devices are compliant with enterprise security standards before they are given access to the enterprise datacentre and cloud resources. Host checking rules include jailbroken/rooted conditions and OS version.
The Android version - Android for Work - encrypts data at rest and in motion. Both applications and their data may be containerised. VPN uses certificate authentication and there are DLP options that allow work sharing while preventing unauthorised data exfiltration. Enterprise access to Google Play, along with the choice of separation of personal applications from corporate apps, makes this an excellent choice for organisations considering BYOD. Email may be configured as part of the Android deployment and there is a VPN for protected applications on a per-app basis. Validating against organisational policies ensures that the device is in compliance and has not been rooted.
While the iOS version of this service is a bit different in look and feel from the Android version, the functionality is pretty much the same - with most of the differences being the result of differences between iOS and Android. Like Android, the iOS version offers encryption for both data at rest and in transit. The VPN technology is the same and the implementation - certificate authentication - tracks as well.
DLP is a bit more diverse in the iOS version, however. Safari domains are protected from unauthorised data leakage, as are email and web domains. Unlike Android, personal applications may also be managed and, of course, sharing of data is managed as well. In the iOS version, all applications - whether personal or business - are containerised. They are always kept separate and you cannot be in a personal application at the same time you are in a business app. Although there is some mobile device management capability, full MDM is not implemented. Rather, only the necessary aspects for protecting the mobile endpoint are in place.
The user experience is consistent with non-Pulse protected devices. The PulseWorkspace appears as an icon on the desktop. When tapping the icon the user is presented with the Pulse login screen, which in turn presents the Pulse desktop. Within the Pulse desktop are the managed applications that the user needs. These can be dragged and dropped on the device desktop to maintain the familiar user experience.
Personal file sharing is equally simple and secure. First, the user opens the personal downloads app and selects the document to open. Finally, the application needed to open the particular document is selected and only personal applications are available.
Business file sharing is done the same way except that the Workspace version of the download app is used. In this case, only the enterprise version of the document reader is available. For this function everything goes through the Pulse VPN.
Deployment is straightforward. The administrator defines users at the admin console. Then users can self-register. When the user opens the PulseWorkspace application for the first time, provisioning occurs automatically. Android and iOS function slightly differently but the outcome is the same. The user then sends an email to the administrator over the corporate email system. This results in a registration email with a first-time password.
This service is priced at about the middle of the range for similar applications, and basic support is included by phone 24/7. The website is solid and the documentation is good as well. Overall, a very good example of endpoint security for mobile devices.