MaaS360: Enterprise integration

overview

MaaS360: Enterprise integration

overview

Enterprise integration overview © Copyright IBM Corporation 2019

In this lesson, you learn how MaaS360 can integrate with behind-the-firewall resources by using
the MaaS360 Cloud Extender, and also how to use direct cloud-to-cloud integrations.

© Copyright IBM Corp. 2019 1

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty

IBM MaaS360 seamless integration

Exchange ActiveSync

Active Directory/LDAP

Cloud Extender™ IBM Traveler

Office 365

Integrate with existing Certificates

Enterprise systems
File Systems

Mobile Enterprise Web Apps

Gateway™
Network/Intranet

SharePoint

Mobilize apps & content IBM Connections

on corporate networks
CMIS

Gmail
Direct Cloud-to-Cloud
Google Drive
integration
Box

Web Services

Enterprise integration overview © Copyright IBM Corporation 2019

IBM MaaS360 seamless integration

IBM MaaS360 can provide seamless integration with all of your corporate resources, whether they
are cloud-based or on-premises.

MaaS360 provides direct cloud-to-cloud integration with many platforms like Office365, Box,
Google Drive, SharePoint, IBM Connections, Gmail, and CMIS-compliant content sources and web
services. Cloud-to-cloud integration does not require you to install any additional MaaS360
software components.

You can integrate MaaS360 with on-premises corporate resources with IBM MaaS360 Cloud
Extender. The Cloud Extender is a small Windows application that you install behind the firewall
with network access to the appropriate internal systems. For example, you can configure the Cloud
Extender to integrate MaaS360 with mail systems like Exchange ActiveSync, IBM Traveler, and
BlackBerry Enterprise Server. You can also integrate with certificate authorities and corporate
directory services such as LDAP and Active Directory.

The MaaS360 Mobile Enterprise Gateway is a Cloud Extender module that provides secure access
to behind-the-firewall corporate resources without a device VPN. Examples of corporate resources
that are supported by the Mobile Enterprise Gateway integration include SharePoint and Windows
file shares, IBM Connections, intranet sites, web apps, and databases.

© Copyright IBM Corp. 2019 2

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty

Cloud Extender overview

• Modular architecture
ƒ Agent core: On Cloud Extender installation
ƒ Modules: Downloaded and activated after core installation
• High-level requirements
ƒ Outbound 80 and 443
ƒ Windows Server that is attached to a domain
ƒ Service account with local administrative rights on the machine
ƒ Module-specific requirements
• Proxy support
ƒ Automatic or manual proxy
ƒ PAC file support with automatic failover
ƒ Authenticated proxy support

Enterprise integration overview © Copyright IBM Corporation 2019

Cloud Extender overview

The Cloud Extender has a modular architecture that centers around a core set of functions that you
initially install. Then, based on the integration you require, more modules are downloaded and
activated from your MaaS360 portal. For example, if integration with LDAP and Lotus Traveler is
being implemented, then only those additional modules will be downloaded and activated after the
core installation.

The Cloud Extender requires outbound communication to the MaaS360 instance by using ports 80
and 443. The Windows Server must be attached to a Domain if you are integrating with Microsoft
Active Directory or Exchange. The Cloud Extender runs as a Windows Service account and must
have local admin rights on the Windows machine or virtual machine.

Each module has specific scaling and high availability requirements. It is important to review each
of the module’s requirements that you plan to install before implementing your production
architecture. In some cases, modules must be installed singularly on one Cloud Extender machine,
while other modules can be installed together. Certain modules must be sized based on number of
devices, mailboxes, or concurrent users. Global and regional deployment requirements can impact
placement of modules on Cloud Extender machines.

The Cloud Extender can also support proxies to the MaaS360 instance. Automatic, manual, PAC
file, and authenticated proxy options are all supported.

© Copyright IBM Corp. 2019 3

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty

MaaS360 Mobile Enterprise Gateway overview

• Mobile Enterprise Gateway
ƒ Cloud Extender Module
ƒ Works with MaaS360 Secure Browser and MaaS360 SDK-enabled apps
ƒ Gives users secure access to corporate intranet resources
ƒ MaaS360 policies and compliance rules define access to resources
ƒ Enterprise Gateway Service must be enabled in MaaS360 portal
• Mobile Enterprise Gateway module requirements
ƒ Uses Relay or Direct access mode deployments
ƒ Relay requires an outbound 443 connection to MaaS360 Relay service in the IBM cloud
í Relay Access Mode handles load balancing
ƒ Direct requires an inbound 443 connection from the device to Mobile Enterprise Gateway
í Direct Access Mode requires load balancer if using multiple gateways for high availability

Enterprise integration overview © Copyright IBM Corporation 2019

MaaS360 Mobile Enterprise Gateway overview

The MaaS360 Mobile Enterprise Gateway is a Cloud Extender module. The Mobile Enterprise
Gateway works with the MaaS360 Secure Browser and MaaS360 SDK-enabled apps which include
the MaaS360 App itself.

The Mobile Enterprise Gateway delivers functionality to the end user. This is different from the other
Cloud Extender modules, which focus on authentication and mobile device administration
capabilities. The Mobile Enterprise Gateway module provides secure access to corporate intranet
resources with direct end user productivity and usability improvements. Administrators control
access to resources with MaaS360 policies and compliance rules.

To download the Mobile Enterprise Gateway module, the service must be enabled in the MaaS360
portal.

The Mobile Enterprise Gateway can be deployed to use Relay or Direct Access mode. Relay
Access Mode requires an outbound connection from the Mobile Enterprise Gateway that’s located
behind the corporate firewall to the MaaS360 relay service that is located in the IBM Cloud.

The devices communicate with the relay service, which in turn communicates with the Mobile
Enterprise Gateway, and the gateway sends device requests to the corporate resources. The relay
service also balances the load of requests if there are multiple gateways deployed. Therefore, for a
Mobile Enterprise Gateway that is deployed in Relay Access Mode, you need only to open an
outbound 443 connection and no load balancer is required.

For Direct Access Mode implementations, the devices send their requests directly to the Mobile
Enterprise Gateway that’s located in the corporate data center. If multiple Mobile Enterprise
Gateways are deployed for high availability and scaling, a load balancer must be implemented to

© Copyright IBM Corp. 2019 4

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty
handle the distribution of device requests. For direct access, you must open a 443 inbound
connection to the load balancer or directly to the Mobile Enterprise Gateway.

© Copyright IBM Corp. 2019 5

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty

Modular architecture
Real time Enterprise
Intranet Websites
Mobile Gateway
Enterprise
Gateway™ SharePoint
Direct 443 https
Windows File Shares

Relay 443 https User

Visibility Corporate Resources

Exchange
443
Integration
Discovery

XMPP over SSL

Traveler
Cloud Integration
Extender™
BES
Integration

Corporate
Internet Network User Certificate Email
Authentication Integration Notification

Real time

Enterprise integration overview © Copyright IBM Corporation 2019

Modular architecture

With MaaS360 Cloud Extender you select which modules to install. If a new feature is enabled in
the portal, the related module and associated configuration elements are automatically sent to the
Cloud Extender if that service is available for your account. But you also have the option to turn off
automatic updates when you install the Cloud Extender.

Several Cloud Extender modules can perform discovery and real-time functions. The discovery
modules gather information from directory and email services in your behind-the-firewall
environment and upload it to the MaaS360 portal. Real-time modules service mobile device
management, application and content management, user authentication, certificate delivery, email
notifications, and corporate resource access.

User Visibility is a read-only module that discovers users and groups from Active Directory or LDAP
directory services and uploads them to the MaaS360 portal. The corporate groups are used for the
assignment and distribution of policies, apps, and docs.

The Microsoft Exchange module discovers all connected ActiveSync devices in the Microsoft
Exchange environment and uploads them to the MaaS360 portal. It supports actions to approve
devices, block devices, wipe devices, and remove devices from Exchange. There are also
auto-quarantine capabilities that prevent new devices from connecting to ActiveSync if they have
not enrolled in MaaS360.

The IBM Traveler module discovers devices that are connected to the IBM Traveler server and
uploads them to the portal. Actions such as approve, block, remove, and remote wipe can be
initiated on the devices from the portal through the Cloud Extender module. IBM Traveler also has

© Copyright IBM Corp. 2019 6

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty
auto-quarantine capabilities that prevent new devices that have not enrolled in MaaS360 from
connecting to email.

The BlackBerry Enterprise Server module discovers devices that are connected to the BlackBerry
Enterprise Server and uploads them to the MaaS360 portal, where device actions can be initiated
on BlackBerry devices.

The User Authentication module authenticates users that are enrolling in MaaS360, or
administrators and users that are logging in to the portal. The module is configured to use Active
Directory or LDAP directory services. Currently, Microsoft Active Directory, IBM Domino LDAP,
Oracle LDAP, Novell eDirectory, and OpenLDAP are supported.

The Certificate Integration module is used to distribute identity certificates to devices that enroll in
MaaS360. These identity certificates are used for authentication against email, wifi and VPN,
reverse proxy or a particular app. The Cloud Extender Certificate Integration module can issue
identity certificates from a local or hosted certificate authority. For current supported certificate
authorities, see the Cloud Extender Admin Guide in the IBM Knowledge Center.

The Email Notification module is specific to the MaaS360 Secure Mail app. If you have the Secure
Mail app for iOS, you must enable and configure the Email Notifications module to receive new mail
notifications on the iOS lock screen. The iOS framework does not allow an app to send notifications
to its lock screen. Therefore, the Email Notifications module is used to issue notifications outside of
that system. The module is used to subscribe to an Exchange server or IBM Traveler server to
determine whether there are new emails for a particular mailbox.

For all the modules except the Mobile Enterprise Gateway, the Cloud Extender makes an outbound
connection to the MaaS360 instance over port 443 using SSL AES256 encryption and uses an
XMPP style protocol to maintain the connection with the MaaS360 instance. After the connection is
made, it is used to facilitate two-way communication between the MaaS360 instance and the Cloud
Extender. The corporate firewall must be open for this outbound 443 connection.

If you require more granular firewall rules, a list of the IP addresses that the Cloud Extender
connects to, can be found in the Cloud Extender Admin Guide in the IBM Knowledge Center:
https://ibm.biz/Bd4kLg

The Cloud Extender is proxy-aware and can automatically configure proxy settings. After the
connection is made, the proxy facilitates two-way communication between the MaaS360 instance
and the Cloud Extender.

The Cloud Extender modular architecture provides mechanisms for module versioning and release.
Module updates can be released independently.

Several of the modules support high availability and scaling. High availability and scaling is detailed
in the Cloud Extender Admin Guide.

© Copyright IBM Corp. 2019 7

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty

Basic Cloud Extender installation requirements

• For installation, the software is downloaded from MaaS360 portal (Setup > Services)
• Installed on premises
ƒ Microsoft Windows Server physical or virtual machine
ƒ Windows Server 2016, 2012 R2, 2012, or 2008 R2
ƒ 2 GB RAM (4 GB for Mobile Enterprise Gateway)
ƒ 4 GB free space
• Runs as a service account
Local administrator rights on the server
• Uses .NET Framework 3.5
• Has access to MaaS360 URLs
• Cloud Extender Scaling Tool – download from MaaS360 portal

Enterprise integration overview © Copyright IBM Corporation 2019

Basic Cloud Extender installation requirements

The Cloud Extender installation package can be downloaded from the MaaS360 Portal in the
Setup> Services >Cloud Extender and also from within each service in the portal that requires a
Cloud Extender. The license key is emailed to the MaaS360 Portal Administrator account.

The basic installation requirements are for the Cloud Extender core. You install the Cloud Extender
on-premises in your data center.

A Microsoft Windows Server physical or virtual machine is required. Windows Server 2016, 2012
R2, 2012, 2008 R2, or 2008 are supported.

Each module that you enable can have its own sizing and additional requirements. At a minimum, 2
GB of memory is required. More memory is required based on the modules that you enable and the
number of devices and users. The Mobile Enterprise Gateway requires a minimum of 4 GB RAM.

The Cloud Extender must run as a service with local administrator rights. This is a Microsoft
requirement for programs that run as a service. The .NET Framework version 3.5 must be installed
on the Windows machine.

The Cloud Extender must have access to specific MaaS360 URLs and IP addresses, which are
listed in the Cloud Extender Admin Guide. Typical bandwidth usage for network planning is also
listed in the guide.

Each module has its own sizing requirements, but in many cases, you might have several modules
that you are deploying and therefore you must consider sizing for the entire deployment. Modularity
in Cloud Extender provides easy scale up capabilities for phased rollouts and changing enterprises.

© Copyright IBM Corp. 2019 8

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
MaaS360: Enterprise integration overview

Uempty
MaaS360 also provides a downloadable Cloud Extender Scaling Tool to help you identify a
suggested number of Cloud Extenders based on your requirements.

You can find detailed planning, installation, and administration details in the Cloud Extender Admin
Guide located in the IBM Knowledge Center: https://ibm.biz/Bd4kLg

© Copyright IBM Corp. 2019 9

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.