Divide as an Alternative EAS Client for Android
Information Systems and Computing support for Android is limited to the stock version of Android 4.x present on "Google Experience" devices such as the Nexus 7 and Galaxy Nexus. These devices generally behave in a predictable manner when connecting to Exchange and Zimbra services. The same may not be true of devices running user interface overlays such as Sense or TouchWiz, which run their own customized email, contact, and calendar applications that can behave in unpredictable or insecure ways.
As such, ISC has tested and evaluated Enterproid's Divide for Android on both Exchange and Zimbra, and is currently reviewing Divide for iOS. Divide is a free alternative Exchange ActiveSync (EAS) client that runs as a customized, secure implementation of the stock Android Exchange ActiveSync stack. Enterproid refers to this as a "Work persona", while the remainder of the user's applications run within the normal Android environment.
Since much of the Divide client is ported directly from the Android codebase, the work persona provides a reliable email, contact, and calendaring experience for Android users, even those using devices with UI overlays. Additionally, this client is secured within an AES-256 encrypted container that prevents the data it holds from being accessed by other applications, or by malicious users should the device be lost or stolen. More information is available on Enterproid's website.
Divide is the supported and recommended EAS client for non-Nexus Android devices. Those with Nexus devices can also use Divide if they wish to maintain a separation between personal and University data, or desire the extra security of the encrypted container.
There are several benefits to Divide as an EAS client:
Android versions 3.0 and later allow for device encryption, but do not enable it by default. Additionally, the current implementation still allows for various workarounds, and the application permissions model can allow third-party applications to access the data of other applications. This is particularly true of devices with UI overlays. Google is working on the permissions model problems, but a fix is not yet available.
Divide addresses these concerns by protecting data at rest via an AES-256 container and only allowing access from verified Divide components. Additionally, optional policies allow for PIN or password authentication to the application, erasing after failed authentication attempts, and disallowing copy and paste to or from the work persona.
For integrity and verification, Enterproid regularly submits their application and service to third-party security review and penetration testing. This process is much more rigorous than that applied to most third-party clients, and offers a level of assurance that isn't attained by most custom clients provided by device manufacturers.
Due to the nature of the dual persona environment, there are a couple of inconveniences. While ISC believes the drawbacks are far outweighed by the benefits of allowing users to embrace a "Bring Your Own Device" environment, the following factors should be taken into account when considering Divide:
ISC maintains configuration instructions for connecting to ISC's Exchange and Zimbra services:
Additionally, Enterproid maintains extensive documentation related to configuration, problems, and supported devices. Please see the following resources for additional information:
Divide implements the Box API to allow users to view and modify files stored in the Box cloud. While applications directly from Box utilize the University's Single Sign On with PennKey and password for authentication, those using Divide with a University Box account will need to use what Box refers to as an "External Password" to access their Box files from within Divide.
An "External Password" can be set from within the Box web interface via the 'My Account' tab under 'Account Settings'. Alternatively, the user can install the Box application directly from Box, rather than use the functionality within Divide. Please note that doing so will leave documents unprotected by the work persona's encrypted container.
Divide is available for free from the Google Play store, or directly from Enterproid for devices that do not have access to the Google Play store.
Information Systems and Computing
University of Pennsylvania