Zimbra Collaboration Suite and Mobile Control with ABQ

    The rapid development of portable electronics, and in particular smartphones and tablets, has created a host of new challenges for corporate information security. Cybersecurity used to be built around creating a secure perimeter and then protecting it. Now that almost every employee uses their own mobile devices for work, controlling that perimeter has become very difficult. This is especially true for large enterprises in which each employee has a username and password for email and other corporate resources. Often, when purchasing a new smartphone or tablet, an employee enters their credentials on it and forgets to log out on the old device. Even if only 5% of employees in the enterprise are this careless,


    In addition, mobile devices are quite often lost or stolen, and are subsequently used to search for compromising information and to access corporate resources and data that constitute a trade secret. As a rule, the greatest harm to corporate cybersecurity comes when an attacker gains access to an employee’s email. With it, they can access the global address list and contacts, the schedule of meetings the unlucky employee is due to attend, and his correspondence. In addition, attackers who gain access to corporate mail can send phishing or malware-infected messages from a trusted email address. All this together gives attackers practically unlimited opportunities for cyber attacks,

    In order to monitor the mobile devices included in the security perimeter, there is ABQ technology, or Allow / Block / Quarantine. It allows the administrator to control the list of mobile devices that are allowed to synchronize data with the mail server, and if necessary, block compromised devices and quarantine suspicious mobile devices.

    However, as any administrator of the free version of Zimbra Collaboration Suite Open-Source Edition knows, its interaction with mobile devices is very limited. Strictly speaking, users of the free version of Zimbra can only receive and send emails over the POP3 or IMAP protocols, with no built-in ability to synchronize calendars, address books, and notes with the server. ABQ technology is not implemented in the free version of Zimbra Collaboration Suite either, which automatically puts an end to all attempts to create a closed information perimeter in the enterprise. When the administrator does not know which devices are connected to his server, information leaks may occur at the enterprise, and the likelihood of a cyber attack following the scenario described above increases sharply.

    The Zextras Mobile modular extension helps solve this issue in the Zimbra Collaboration Suite Open-Source Edition. This extension adds full support for the ActiveSync protocol to the free version of Zimbra, which opens up many opportunities for interaction between mobile devices and your mail server. Among its other functions, the Zextras Mobile extension provides full support for ABQ.

    A warning up front: an incorrectly configured ABQ can leave some users unable to synchronize data on their mobile devices with the server, so it needs to be set up with the utmost care and caution. ABQ is configured from the Zextras command line. Both the ABQ operating mode in Zimbra and the device lists are managed there.

    It is implemented as follows. When a user logs in to corporate mail on a mobile device, the device sends the server the user's authorization data together with its own identification data. ABQ checks the device identification data against the lists of allowed, quarantined, and blocked devices. If the device is not on any of the lists, ABQ handles it according to the mode in which it is operating.

    Zimbra's ABQ provides three modes of operation:

    Permissive: In this mode, after user authentication, synchronization is performed automatically at the first request from a mobile device. Individual devices can be blocked, but all others can freely synchronize data with the server.

    Interactive: In this mode, immediately after user authentication, the security system requests the device identification data and compares it with the list of allowed devices. If the device is listed as allowed, synchronization continues automatically. If the device is not in the “white list”, it is automatically quarantined so that the administrator can later decide whether to allow it to synchronize with the server or block it. In this case, the user is sent a notification. The administrator is informed regularly, once per configurable period of time, and each new notification contains only the devices that have been newly quarantined.

    Strict: In this mode, immediately after user authentication, the system checks whether the device identification data is in the list of allowed devices. If it is, synchronization continues automatically. If the device is not in the list of allowed devices, it immediately goes into the list of blocked devices, and the user receives a notification by mail.

    Also, if desired, the Zimbra administrator can completely disable ABQ on his mail server.

    Setting the ABQ operating mode is carried out using the commands:
    zxsuite config global set attribute abqMode value Permissive
    zxsuite config global set attribute abqMode value Interactive
    zxsuite config global set attribute abqMode value Strict
    zxsuite config global set attribute abqMode value Disabled

    You can find out the current ABQ mode using the zxsuite config global get attribute abqMode command.

    If you use the Interactive or Strict ABQ modes, you will often have to work with the lists of allowed and blocked devices, as well as with devices that are in quarantine. Suppose that two devices have connected to our server: one iPhone and one Android, each with its own identification data. Later it turns out that the CEO of the enterprise bought the iPhone the other day and decided to work with mail on it, while the Android belongs to an ordinary manager, who for security reasons does not have the right to use work mail on a smartphone.

    In Interactive mode, both of them will be quarantined, and the administrator will need to move the iPhone to the list of allowed devices and the Android to the list of blocked ones. To do this, he uses the commands zxsuite mobile abq allow iPhone and zxsuite mobile abq block Android. After that, the CEO will be able to work with mail fully from his device, while the manager will still have to view it exclusively from a work laptop.

    It is worth noting that in Interactive mode, even if the manager enters his username and password correctly on his Android device, he still will not get access to his account. Instead he lands in a virtual mailbox, where he receives a notification that his device has been quarantined and that he cannot use mail from it.

    In Strict mode, all new devices will be blocked. Once it becomes clear who they belong to, the administrator only has to move the CEO's iPhone to the list of allowed devices using the zxsuite mobile ABQ set iPhone Allowed command, leaving the manager's phone in the blocked list.

    The Permissive mode is poorly compatible with any security rules at the enterprise. However, if you still need to block one of the allowed mobile devices, for example if the manager suddenly quits with a scandal, you can do this using the zxsuite mobile ABQ set Android Blocked command.

    If employees are issued office gadgets for working with mail, then the next time a device changes owner it can be removed from the ABQ lists completely, so that the decision on whether to allow it to synchronize with the server can be made again. This is done using the zxsuite mobile ABQ delete Android command.
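
    The mode descriptions and the iPhone/Android scenario above can be traced with a small model. This is an added example, not Zextras code: the class, its method names, and the assumption that Disabled mode consults no list are illustrative; only the mode names, list names, and device labels come from the article.

```python
from dataclasses import dataclass, field

ALLOWED, BLOCKED, QUARANTINED = "Allowed", "Blocked", "Quarantined"

@dataclass
class AbqModel:
    """Toy model of the ABQ decision described above (not Zextras code)."""
    mode: str = "Interactive"  # Permissive | Interactive | Strict | Disabled
    status: dict = field(default_factory=dict)    # device_id -> list it is on
    notices: list = field(default_factory=list)   # (recipient, device_id)

    def sync_request(self, user, device_id):
        """Return True if an already authenticated device may synchronize."""
        if self.mode == "Disabled":        # assumption: no list is consulted
            return True
        known = self.status.get(device_id)
        if known is None:                  # on no list: the mode decides
            if self.mode == "Permissive":
                return True
            known = QUARANTINED if self.mode == "Interactive" else BLOCKED
            self.status[device_id] = known
            self.notices.append((user, device_id))
            if known == QUARANTINED:       # admin learns of it in the next digest
                self.notices.append(("admin", device_id))
        return known == ALLOWED

    def set_status(self, device_id, status):   # cf. "zxsuite mobile ABQ set"
        self.status[device_id] = status

    def delete(self, device_id):               # cf. "zxsuite mobile ABQ delete"
        self.status.pop(device_id, None)

def scenario(mode):
    """CEO's iPhone and manager's Android: first contact, then admin review."""
    abq = AbqModel(mode=mode)
    first = [abq.sync_request("ceo", "iPhone"),
             abq.sync_request("manager", "Android")]
    on_first_contact = dict(abq.status)
    abq.set_status("iPhone", ALLOWED)
    abq.set_status("Android", BLOCKED)
    after = [abq.sync_request("ceo", "iPhone"),
             abq.sync_request("manager", "Android")]
    return first, on_first_contact, after

if __name__ == "__main__":
    for mode in ("Permissive", "Interactive", "Strict", "Disabled"):
        print(mode, scenario(mode))
```

    In the model, only Permissive and Disabled let the unreviewed devices synchronize on first contact, which is why the article calls Permissive poorly compatible with enterprise security rules.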

    Thus, as you can see, the Zextras Mobile extension lets you implement in Zimbra a very flexible control system for the mobile devices in use, suitable both for enterprises with fairly strict policies on the use of corporate resources outside the office and for companies that are quite liberal in this respect.

    For all questions related to the Zextras Suite, you can contact the representative of Zextras Katerina Triandafilidi by e-mail katerina@zextras.com
