What is our primary use case?
The primary use case is to enable access to any corporate application hosted on-premises or in the cloud using a mobile device with single sign-on (SSO) capabilities.
It provides IT admins capabilities for granting access to corporate applications or data on mobile devices and should be able to securely monitor and manage the mobile devices that access sensitive business data. It includes storing essential information about mobile devices, deciding which apps can be present on the devices, and locating devices.
This product should be able to remove corporate applications and data on enrolled devices remotely, known as an enterprise wipe, in case a device is stolen, lost, or if the user leaves the organization.
Corporate data should be securely stored on mobile devices and the user should not be able to share data from corporate apps/data to personal storage.
How has it helped my organization?
Internal applications, data, and folders are published on enrolled mobile devices in a secure way without publishing any of the resources over the internet.
A separate workspace is created on the enrolled mobile, which partitions corporate data from personal data. Policies can restrict users from copying any app/data from corporate to personal storage and vice versa.
Users are able to log in to corporate applications using single sign-on.
DLP policy prevents data leakage issues, which cannot be prevented if applications are published directly without any MDM solution.
Enterprise wipe gives us the capability to remove applications and data from enrolled devices remotely in cases where one is lost, stolen, or for any other reason.
Organizations can prevent device enrollment in cases where a device is rooted/jailbroken.
What is most valuable?
Enrollment is based on the user name and the admin needs to create an enrollment policy. The enrollment email goes to users who are entitled to enrollment via Capsule. Each user needs to manually click and add the Token, which is sent via email and used for providing and restricting access.
Licenses are taken from Check Point for the number of users who need to be enrolled via Capsule.
No additional hardware or setup is required for Capsule configuration, as it can be enabled on the same security gateway. This reduces any additional hardware cost, as well as for setup and connectivity.
Configuration is straightforward and can be controlled on the same NGFW as Capsule. This is used for providing access to users.
What needs improvement?
Reporting is quite complicated once more users are enrolled and they need disparate access. It needs to be maintained separately, which adds work for the admin and can lead to errors.
Enrollment emails are sent for each device, which means that when a user needs to change devices or enroll more than one, admins need to generate and send additional tokens.
The product does not provide deep capabilities for sharing specific data to users or groups separately, nor does it provide visibility as to whether a user has access to the data or not.
For example:
- HR sharing certain learning videos or documents to a group of users. The solution does not provide reports as to whether these have been accessed by the user or not.
- It does not provide a solution in the case where a device is being shared by multiple users.
- A site where one iPad is being shared between five users is a problem. Each user has their own access to the device but this solution does not have the capabilities of providing each user with specific access to data or applications.
For how long have I used the solution?
We are not using Check Point Harmony Mobile for now.
What do I think about the stability of the solution?
This product is stable, just like any other Check Point solution.
What do I think about the scalability of the solution?
It can be scaled by adding more security gateways and enabling the license. It is done in the same manner as a Check Point firewall.
How are customer service and technical support?
The technical support is excellent.
Which solution did I use previously and why did I switch?
We used this solution and then moved to a different one.
How was the initial setup?
The initial setup is straightforward.
The process involves getting a license from Check Point and enabling a module/blade on the security gateway. After this, start on the configuration (publishing the data that needs to be made available on the endpoint for access).
What about the implementation team?
Our in-house team completed the deployment with OEM support.
What was our ROI?
Using this firewall improves productivity and availability for enrolled endpoints. Published data can be accessed anytime on a mobile device.
What's my experience with pricing, setup cost, and licensing?
Check Point provides a separate license in cases where organizations want to use this only on mobile devices, or laptops/desktops. Check Point Total includes both mobile devices and endpoints.
Setup can be done on the existing security gateway or it can be done on a dedicated security gateway where there are a large number of users.
Check Point provides five user licenses by default.
What other advice do I have?
The organization should be clear on the requirements. If it is only for publishing a few web apps, URLs, email, or for a few shared drives, then the solution works absolutely fine. However, it is not a full-fledged MDM solution like VMware AirWatch/Citrix/Blackberry and more.
These solutions all provide more MDM capabilities than Capsule.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.