Divide as an Alternative EAS Client for Android
ISC has tested and evaluated Enterproid's Divide for Android on both Exchange and Zimbra. Divide is a free alternative Exchange ActiveSync (EAS) client that runs as a customized, secure implementation of the stock Android Exchange ActiveSync stack. Enterproid refers to this as a "Work persona", while the remainder of the user's applications are running within the normal Android environment. Since much of the Divide client is ported directly from the Android codebase, the work persona provides a reliable email, contact, and calendaring experience for Android users, even those using devices with UI overlays. Additionally, this client is secured within an AES-256 encrypted container that prevents the data contained therein from being accessed by other applications as well as malicious users should the device be lost or stolen. More information is available on Enterproid's website. Divide is the recommended EAS client for non-Nexus Android devices. Those with Nexus devices can also use Divide if they wish to maintain a separation between personal and University data, or desire the extra security of the encrypted container.
There are several benefits to Divide as an EAS client:
- Security: Data is protected in a secure container, and the security of the Divide application is regularly assessed by Enterproid. Additionally, security and feature updates are available for all devices simultaneously, regardless of OS version. When combined with a VPN, Divide provides a level of EAS security similar to that of a BlackBerry connecting via a BES.
- Support: The work persona interface closely resembles the standard Android mail, contact, and calendar applications, ensuring a familiar experience across different devices. Additionally, the Divide client is less prone to calendaring conflicts, message errors, and other typical EAS client shortcomings.
- Segmentation: Enterprise data is separated from personal data. Security policies, remote wipes, and other management only apply to the work persona and do not impact personal data.
Android versions 3.0 and later allow for device encryption, but do not enable it by default. Additionally, the current implementation still allows for various workarounds, and the application permissions model can allow third-party applications to access the data of other applications. This is particularly true of devices with UI overlays. Google is working on the permissions model problems, but a fix is not yet available.
Divide addresses these concerns by protecting data at rest via an AES-256 container and only allowing access from verified Divide components. Additionally, optional policies allow for PIN or password authentication to the application, erasing after failed authentication attempts, and disallowing copy and paste to or from the work persona.
For integrity and verification, Enterproid regularly submits their application and service to third-party security review and penetration testing. This process is much more rigorous than the one most third-party clients go through, and offers a level of assurance that isn't attained by most custom clients provided by device manufacturers.
Due to the nature of the dual persona environment, there are a couple of inconveniences. While ISC believes the drawbacks are far outweighed by the benefits of allowing users to embrace a "Bring Your Own Device" environment, the following factors should be taken into account when evaluating Divide:
- Impact on battery life: The Divide client requires additional resources to perform encryption, sync, and maintain the Divide environment. ISC has tested and seen a 5-15% impact on battery life, with most devices having battery longevity reduced by about 7%. ISC has tested and seen that devices running Motorola's Motoblur experience a greater impact from the Divide client than devices with other UI overlays.
- Summary notifications: To maintain the security of incoming data, Divide only provides an alert that a new message has been synced or that another event requires attention. No sender, message summary, or appointment information is displayed in the notification, only an indication of the total number of alerts since the work persona's last access. Users must enter the work persona to see what events have triggered the notification.
- Additional authentication: Entering the work persona requires the user to enter a PIN or password, in accordance with whatever policies are being applied to Divide. While the interval between authentications can be determined by user or policy (whichever is more restrictive), this leads to users needing to unlock their device first (if they have a lock screen set up) before performing a second unlock on the work persona to see messages and notifications. This helps protect data within the work persona, but is perceived as a major drawback by some users.
ISC maintains configuration instructions for connecting to ISC's Exchange and Zimbra services.
Additionally, Enterproid maintains extensive documentation related to configuration, problems, and supported devices. Please see the following resources for additional information:
Divide implements the Box API to allow users to view and modify files stored in the Box cloud. While applications directly from Box utilize the University's Single Sign On with PennKey and password for authentication, those using Divide with a University Box account will need to use what Box refers to as an "External Password" to access their Box files from within Divide.
An "External Password" can be set from within the Box web interface via the 'My Account' tab under 'Account Settings'. Alternatively, the user can install the Box application directly from Box, rather than use the functionality within Divide. Please note that doing so will leave documents unprotected by the work persona's encrypted container.