MobiKEY Classic 2 Remote Access Device Review

MobiKEY Classic 2 (MC2)
Company: Route1
Price: $375 ($300/year subscription included)

IT managers have often struggled with making Macs work in the Enterprise. Apple hasn’t exactly made this easy with the elimination of their XServe line, but fortunately, at the operating system level, the tools are mostly there, or are readily available, to make a Mac a trusted member of a Windows-centric network. Of course Mac OS X supports Windows file systems, and can do basic connectivity. With open source (free) third-party software, they can even support the NTFS disk format. For years, the most important applications have been available for both platforms, and their file formats have been directly interchangeable; save the file on your Mac and open it on your Windows machine without the need for additional conversion utilities that may have been needed in the bad old days.

The only real difficulty, for which there are many solutions, is remote access. Part of the problem is defining what remote access is. For many, remote access is, in essence, the ability to grant a remote user, through a secure path, access to enterprise file systems. You have your apps on your traveling laptop, and you access working files on your office server through remote access technologies including Virtual Private Networks.

Others define remote access in a stricter way, such that you are restricted to logging into your host computer and basically controlling the screen of that machine. Apple and Microsoft, among others, offer remote access solutions that work like this. Some solutions still let you access your file system, permitting you to copy files to the computer you are using “in the field.” This can spell big trouble for many security-related reasons. Your traveling computer, even with all the best anti-virus and anti-malware software, and firewalls, may be more easily hacked than your office computer, where your IT organization maintains multiple levels of security to prevent access by unauthorized folks.

Then there’s the matter of espionage. Yes, espionage still exists in a big way, and not just with the countries you might be thinking of. In fact, much of the most aggressive information gathering operations are being performed by some of our closest allies in some of the most developed countries in Europe. If you travel with a corporate laptop, and you happen to work for a company that develops products for which foreign intelligence agencies might have some interest, the possibility exists that your laptop may be seized by customs agents in the country you are entering, and you, under threat of imprisonment, may be compelled to provide your password(s) so that these agencies can copy the contents of your hard drive for their analysis. They may tell you that they are doing so to check for contraband, such as pornography, but that’s not the real reason they have seized your computer. Their goal is to obtain your company’s intellectual property so that they can bypass the expense of time and money needed to perform similar research on their own. If you’re lucky, you might get your computer back in a few days/weeks, and hopefully not in pieces.

The answer is to not travel with this information on your laptop. Instead, you should leave that information on your secure corporate servers and networks and use some form of secure remote access technology to log into your network, preferably on to your desktop computer, and use this technology to replicate your complete office working environment. This way, you don’t need to copy anything onto your traveling machine that might be a target for others. Additionally, this technology runs amazingly quickly on your traveling computer because the only data that is being transferred is bits on a screen, and not the actual sensitive data. The best solutions are “plug and play” and leave the most minimal record of your logging into your remote server.

Enter Route1 and their MobiKEY Classic 2 (MC2) secure remote access device. Just announced on September 25, 2012, this is an enhancement of their original MobiKEY Classic.

As stated in their press release, “The MobiKEY Classic is the world’s first SMART device that is capable of running on both Mac OS X and Windows machines and devices. The MC2 is a smartcard embedded device that allows subscribers to remotely access their office computer, network, and other digital resources from anywhere at any time.”

The press release goes on to say that the MC2 “is completely clientless and driverless…protects…users who work remotely from malware, man-in-the-middle attacks, viruses, or other data breaches.”

True, multi-factor authentication provides an easy-to-use method to authorize users. The MC2 utilizes a patented communications and service delivery platform that is based on FIPS 140-2 Level 3 cryptographic modules, and simplifies the process of meeting stringent regulatory requirements for privacy and security. Accordingly, the MC2 is the “something you have”, while the password, which is verified against both the smartcard and the communications service delivery platform, is the “something you know”.

If the MC2 is lost or stolen, enterprise networks cannot be compromised as no data is stored, downloaded or saved on the device. Further, if more than three attempts are made to enter the password incorrectly, the MC2 is permanently disabled.

The press release provided an excellent “Top Ten Reasons for MobiKEY Classic 2 (MC2):

  1. Offers remote users exactly the same working experience that they have at their office
  2. No capital investment required – use your existing Mac, tablet, PC, or laptop
  3. Data stays within your network’s perimeter and firewall
  4. Integrates seamlessly into your existing IT infrastructure
  5. No network changes or reconfiguration required
  6. No additional servers needed
  7. Bandwidth efficient – 20 kbps average bandwidth usage per connected user
  8. No software installation or administrator privileges required on the remote device
  9. Hardware-based, multifactor authentication
  10. No data cache or footprint left on remote PC or device

Because I was evaluating a pre-release product, I noted some rough edges in the area of documentation. That said, installation isn’t too bad. Plug in the USB memory stick. It mounts as a DVD Image (ISO) file. Double-click the MobiKEY icon. After a few moments, a screen comes up, asking you to enter a new password. It will send you back to do it again if it doesn’t contain a combination of upper and lower-case characters, and numbers. Next comes the EULA license. The only trivial PITA (pain in the, well, you know) issue here, is that you have to scroll all the way to the bottom of the license text before the “Agree” button lights up.

Next, you enter the license key, which is printed in the little two-page manual provided in the box with the USB device. Then you need to add your own question/answer pair to verify your identity. Only then does the installer, communicating with servers at Route1, assign you a MobiNET ID.

All high-level authentication is handled on MobiNET’s servers (something they call TruOFFICE), so when you start the process of establishing a connection with your Host, it first talks to the MobiNET authentication servers to make sure you are who you say you are.

At this point, you should be ready to connect to your host, and this is where I ran into some difficulty. I had no host to connect to. It was 1AM and of course there was no one to contact. I was unable to use the supplied Help system, as it was written for Mac OS X 10.7 (Lion) and newer. Murphy’s Law dictated that my iMac would be running Snow Leopard (Mac OS X 10.6). Until I could make contact with Route1, there was nothing more I could do, so I fired off a note to my media contact and went to bed.

The next morning, I got an email that included some hints about where I went wrong. A little later in the morning, I got a call from MobiNET tech support. She and I discussed the process I had gone through and confirmed the product has not been tested on any Mac OS earlier than Lion. It also came up in conversation that the Host software only runs on Windows machines, so even if I had wanted to, I wouldn’t be able to work remotely on a Mac desktop. Gee, that was a really nice little tidbit that could have been made a little clearer, but wait, I couldn’t read the application’s Help because my two year old operating system is too old!

So much of this could have been cleared up, or better yet, made clearer by providing a PDF file with a few minor details, such as the Host (the machine you log into from your remote machine) can only be a Windows machine (at least for the moment), and that at least officially, you need Mac OS X 10.7 (Lion) at a minimum. I was to discover in my subsequent testing that the Remote client worked just fine on Snow Leopard (Mac OS X 10.6).

The website and sales literature left a lot to be desired regarding this information. Now, maybe more of this will be forthcoming when the product is formally announced, but that announcement will not be made until after I post this article, so as most folks who have chosen a career as a technical writer can tell you, you have to guess about a lot of stuff and then suffer the indignity of the reviewer (if you can actually get a subject matter expert to review your work) looking down his nose at you for being so terribly wrong about a product’s functionality. But I digress.

Author’s note: I did go back and check the website after the product announcement, and there was a lot more information about the product, but it still did not make note of the fact that the Host had to be a Windows machine, and that on the Mac side, in order to be able to access the Help system, you had to be running Mac OS X 10.7 (Lion) or newer.

Armed with additional information on how the MobiNET product worked, I made the 42 mile commute home, fed the cats, fed me, and then retired to my computer room, MacBook and iMac in hand, for the big test.

First, I booted into Windows 7 Professional using Bootcamp on my iMac, and once all the latest updates uploaded and installed themselves (I just love Windows…), I was able to plug in and mount the MobiNET USB memory stick, where I discovered the Host folder, which contained the Host installer app.

I launched the Host Installer, and after going through a few screens, I discovered I needed to remove the USB memory stick and move it to my MacBook. I returned to the installer where I had left off the previous evening, and discovered I had to go back (again!) to the Windows machine (without the memory stick this time) and launch the MobiNET Agent, the application that manages the remote-to-host communications process. After reviewing the Help file on my Windows machine, I learned I had to generate an Activation Code, which I then had to enter into the MobiNET installer on the MacBook. Useful hint: if you are trying to enter data on one machine, but need to view the data on another (in this case, to view and transcribe the Activation Code), copy the Activation Code to your clipboard (select and copy it), and then paste it into a word processor, where you can increase the font size to a point you don’t have to blind yourself when trying to view and transcribe the code. Anyhow, once the Activation Code was entered on the MacBook, I was able to establish a connection with my iMac (running in a Windows environment).

It was here that I discovered another minor but controllable problem. If the screen resolution on the Host machine is higher than that of your remote client, nothing’s going to look right (in fact, it’ll look downright weird), and you’ll probably not be able to control anything. The trick is to disconnect from the Host, go over to the Host machine, and change the screen resolution to something either exactly the same or real close to that of your remote machine. Now, my iMac is a 27-incher, with a screen resolution of something like 2540 x 1440 pixels, while my poor MacBook had a native resolution of only 1280 x 800 pixels. I think the closest resolution setting on the Windows machine was 1280 x 768, which is what I used. When I reconnected, there was my Windows screen in all its…er…glory. I was able to run my Host applications with no difficulties whatsoever. I could launch a web browser and surf the web, all the while controlling the action from a remote machine that, in this case, was right next to the host, but it could easily have been thousands of miles away, with similar performance. This is a good thing, and is where the MobiKEY Classic 2 product shines.

As a reminder, one of the big strengths of the MobiKEY Classic 2 device is that while I can run applications and manipulate things on my Host computer, I cannot copy anything from my Host machine to my remote machine (or vice-versa). This is by design, to protect your company’s intellectual property, and protect against viruses and other nasty things. You are moving highly secure data at somewhere around 20 kilobits per second—not transferring big files. In fact, you are simply redrawing the parts of the Host machine’s screen that you are actually altering at that moment. If nothing is happening with the rest of the screen, no data is being exchanged about that part of the screen. There are options to print from your remote machine, but only PDF files which are converted to raster (bitmap) format before transferring to your remote machine, so that no intelligence can be electronically extracted from the PDF file.

Okay, let’s summarize. Remote access protocols are among the most secure connectivity solutions in computerdom. The solution from Route1 is one of the best, and is an ideal way for folks who travel a lot, especially to foreign countries, to protect their company’s intellectual property, as you never need to store this information on your computer, but at the same time, you have easy and convenient access to your information, either on your office PC and your corporate networks. You are not married to a particular remote machine or host machine. You can install the Host software on up to five machines, and can then plug the USB memory stick into pretty much any Mac or PC to connect to the host. Because of the way this system communicates, it’s virtually impossible to pass a virus to your Host machines. It uses two-factor access (your password, and additional encrypted information on the memory stick), which makes it much harder for bad guys to gain access. Once connected, other than an occasional sluggishness due mostly to Internet provider performance, it’s just like working on your office machine. It’s also relatively inexpensive—especially if you are a distance worker, or you travel a great deal. The cost is $75.00 for the MobiKEY USB stick, and the service (access to Route1’s authentication servers) is $300 per year, with discounts for purchasing a two- or three-year subscription. There are also substantial discounts available for enterprise installations.

The process for installing and configuring the product need a lot of help. I couldn’t find any information that identified which versions of the Mac OS were compatible with the MobiNET product. Because of this disconnect, I didn’t know until I attempted to read the Help file that my operating system was not compatible—or at least wasn’t compatible with the Help system. Had I been able to read the Help file, there probably would have been a whole lot less confusion—likewise the fact that nowhere in the product literature did it state that the Host computer had to be a Windows machine. The literature did say that it was compatible with Macs and Windows PCs, but that was only partially true. The MobiKEY Classic 2 device does permit Macs and Windows to connect to a host, but that host has to be a Windows machine—a deal breaker for those who work in an all-Mac environment back at the home office.

Without some assistance from the excellent Route1 Tech Support folks, I had no idea how to complete the installation and configure it. After a couple of false starts, I figured out what I had to do to get these pieces talking to each other, and once I made that breakthrough, it went very quickly. Of course, I was also an IT guy in a former life, and knew what to look for. I never had to make a second phone call to Tech Support (which includes a Live Chat function on the Route1 website), and I was able to soak in the rather sketchy documentation to get a good idea of how the whole thing worked.

It would have been nice to know that you really need to match screen resolutions of the remote and Host computers. You should also know that you shouldn’t count on much leisure use of your remote connection. Video is extremely choppy, verging on unwatchable, and there is no audio from the Host machine. In all fairness, the folks at Route1 can respond that this is a secure solution for business and government users, and leisure time uses of a remote connection were not a consideration.

So, in the end, MobiKEY Classic 2 did work as advertised. In fact, it worked very well. The login/logout procedure was simplicity itself. The lack of documentation and the lack of information on compatible operating systems made the installation harder than it had to be.

Author’s note (10/1/2012): I was contacted by the media representative for Route1 yesterday. He advised that the small four-page guide that ships with the product is being updated to include compatible operating system information for client and host, and sent me a copy of it. This clears up a real big issue (at least for me) with what the customer needs to know right off the bat when they first open the box. The website has also been updated with user notes that if the live chat is off-line, customers should contact the call-in help desk, which operates 24/7.

This product certainly is not intended for the average consumer, so the need for consumer-style documentation was probably not a major concern for the developer, and more’s the pity. The MobiKEY Classic 2 is a superior solution for highly mobile consultants and other global travelers who can’t or at least shouldn’t keep sensitive information on their traveling laptop. With improved documentation, these single-user environments could be easily set up without need for an expensive IT staff. At the same time, if you are part of a larger organization, the product scales quite nicely and can be configured for a more “managed” environment by your IT staff. For the lone user, or someone who handles the tech side of things for a small organization, if you have had any experience with IT work, you can probably figure out most or all of a simple Host-Remote installation.

Based upon using an embargoed pre-announcement release, for which documentation was limited, and final website postings were not yet available, I’m giving Route1 the benefit of the doubt and will not be as harsh with my rating as I often am.

MyMac.com rating of 7 out of 10.