Friday Notebook, December 7: Pixm endpoint-based anti-phishing; iOS BYOD challenges

Also: Edge will adopt Chromium; ShareFile’s password gaffe; Liquidware; more on WVD; Tangoe and MOBI; Jon Towles on identity; Safari and hardware security keys; and more!

This is our weekly log of desktop virtualization, enterprise mobility, and end user computing news.

Our blog posts

Jack: Liquidware releases ProfileUnity and FlexApp 6.8, and talks Windows Virtual Desktop. Liquidware announced the release of ProfileUnity 6.8 and FlexApp 6.8 this week. Jason Smith sat down with me ahead of the announcement and spoke about Windows Virtual Desktop.

Jack: Brian and Jack talk 2019 predictions - Podcast #137. Brian was in town, so we sat down and talked about VMware, as well as our 2019 predictions for the EUC industry.

Jack: What will Microsoft do next with Windows Virtual Desktop? Look at their cloud priorities. As we wait for WVD to hit preview, we still have a few questions about where Microsoft will go next, especially after their acquisition of FSLogix.

Jon Towles: Why identity management matters to mobility engineers. Times are changing for mobility engineers and they need to develop more skill sets to stay up to date, with the focus now turning toward identity management.

Jack: Tangoe acquires MOBI, combining telecom expense management and managed mobility services. More acquisition news, with Tangoe purchasing MOBI on Tuesday. Both are companies we don’t normally cover, but both are involved in EMM.

Industry news

I've spent a lot of time writing about how difficult iOS BYOD is, how it still hasn't been fixed, and how BYOD just isn't feasible in many situations. Now, it's poised to get worse: A future version of iOS 12 will add another manual step for enrolling a BYOD device into MDM. I'm shaking my head in annoyance, but this will cause serious headaches at plenty of customers. For now, all we can do is give more feedback and continue to be resigned to the (increasing) challenges of iOS BYOD.

Microsoft Edge will move to the Chromium rendering engine. My enterprise take? Anything that improves Edge makes it easier to deal with scenarios where you’re forced or encouraged to use the built-in browser, for example in S Mode or with the rumored Windows 10 Lite (which also came up this week). And of course S Mode and Lite are steps in the model-influenced modern direction.

Citrix ShareFile got some of the wrong type of attention with forced password resets over the weekend—just see the comments on Citrix’s blog post. While the resets were pre-emptive and there was no hack, it still comes off as a bit of a gaffe. On a larger level, it does bring up the question of who’s responsible for users that have poor password habits, and what we should do about it, a topic that Troy Hunt recently addressed.

Meanwhile in identity news, did you know that Windows 10 now supports security questions? I just found out via Ars Technica, who were reporting on research presented at Black Hat. One more thing to lock down.

Safari is starting to test support for USB-based CTAP2 devices, i.e., hardware keys like Kyle tested earlier this year. Great!

More reads

Is VDI Dead? By Brian Madden, the person.

Microsoft and Mastercard announced some sort of effort to “advance digital identity innovations,” but there’s no technical substance and the press release uses the word “cloud” a lot, so for now it just reminds me of this XKCD comic.

This week I wrote about CloudJumper in relation to Windows Virtual Desktop, but that’s not their only focus (read here for more background). Among support for other platforms, they just announced support for VMware Cloud on AWS.

John Gruber is frustrated with some iOS UX basics that still haven’t become completely standard after 11 years. My feelings exactly. At Daring Fireball.

Google is launching the Android Security and Privacy Research program (ASPIRE) to research developments two to five years down the road.

What’s new in Workspace One UEM 1811. This includes the Windows 10 reset options that Kyle wrote about, and a lot more.

And what’s new in Citrix Workspace for November 2018.


This week Pixm, a new desktop-based anti-phishing vendor, came out of stealth mode, and Kyle and I had a call with co-founder Arun Buduri to find out how it works. Pixm is based in Boston and has $1.7 million in funding; Pixm is marketing personal, small business, and enterprise versions.

Here’s how it works: First, an extension in your browser watches for signs that you’re on a potential login page, such as a password field. If you are, it takes a screenshot and sends it to a local agent on the desktop. There, the agent uses computer vision to identify the site by looking for a login form and a logo. Once the site is identified, the agent checks to make sure that it matches the URL, and also checks the URL against a whitelist. (For example a site with a Wells Fargo logo should use a legitimate whitelisted Wells Fargo Login URL.) Lastly, users will see a notification of whether or not the site is safe.

The whole process should be pretty quick. The computer vision model is trained on Pixm’s servers, but the execution is using a local copy of the model, which is updated occasionally. Arun said that false positives should be very rare, since all the big sites aren’t introducing new login domains all that often, so they can keep up with the whitelist easily. Enterprise customers can also whitelist their internal domains.
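The final decision step described above, sketched as an added example (this is not Pixm's code): the computer vision result is represented by a `detectedBrand` argument, and the brand names, hosts, and function name are constructed for illustration. It shows why the URL check has to compare the parsed hostname exactly rather than search the URL for the brand's domain.

```javascript
// Constructed allowlist: brand label (as a vision model might report it)
// mapped to the only hostnames allowed to show that brand's login form.
const BRAND_ALLOWLIST = new Map([
  ["examplebank", ["login.examplebank.example", "examplebank.example"]],
  ["corp-intranet", ["sso.corp.example"]], // enterprise-added internal domain
]);

// detectedBrand: string label from the vision step, or null if none recognized.
// pageUrl: the URL of the tab the screenshot was taken from.
function classifyLoginPage(detectedBrand, pageUrl, allowlist = BRAND_ALLOWLIST) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { verdict: "unsafe", reason: "unparseable-url" };
  }
  if (detectedBrand === null) {
    return { verdict: "unknown", reason: "no-brand-recognized" };
  }
  const hosts = allowlist.get(detectedBrand);
  if (!hosts) {
    return { verdict: "unknown", reason: "brand-not-in-allowlist" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "unsafe", reason: "not-https" };
  }
  // URL.hostname is lowercased, excludes userinfo and port, and carries
  // internationalized names in punycode form, so an exact comparison is not
  // fooled by "brand.example.evil.example", "brand.example@evil.example",
  // or look-alike Unicode letters. Strip a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  if (hosts.includes(host)) {
    return { verdict: "safe", reason: "host-matches-brand" };
  }
  return { verdict: "unsafe", reason: "brand-host-mismatch" };
}
```

A page that shows a recognized brand on any host outside that brand's list is flagged, which is what lets this approach work without a blacklist of known phishing URLs.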

A couple of thoughts: Pixm seems to be playing up the computer vision component, but as Arun described it, it’s just one of several steps, and it’s not the metric that’s deciding if a page is good or bad (their website is a little bit confusing about this). Pixm would be hard to implement on mobile, which is unfortunate considering how mobile is becoming a phishing target. Overall, this shows how computer vision and similar technologies are getting normalized—this is a good thing. It seems like a good way of avoiding the pitfalls of blacklisting, while narrowing things down enough to make whitelisting feasible.

While I don’t quite agree with all their uses of the term “world’s first,” in general, Pixm is unique among the phishing solutions that I happen to be familiar with. It’s always nice to learn about a new way of tackling a problem, so I’m eager to see how they do.
