Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM
Transcript of Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM
CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf#airheadsconf
BYOD, MDM, and MAM
Aruba Network Services Team
November 2013
Agenda
• BYOD Challenges
• BYOD Policy
• BYO Device Onboarding
• Detecting BYO Devices
• MDM Integration
• WorkSpace for MAM
• Summary
• Q&A
BYOD – New Challenges
How do I get personal devices provisioned?
Network: NAC?
Device: MDM?
App: MAM?
How do I keep corporate data safe?
How do I protect my network?
What if a mobile device is lost?
How do I maintain user privacy?
Policy Enforcement Options for BYOD
NAC / AAA
• VLAN
• ACLs
• QoS
• Authentication

MDM
• Device Provisioning & Onboarding
• Device Policy
• Device Level Encryption
• Passcode
• Full Wipe
• App blacklist / whitelist

MAM
• Authentication
• App Passcode
• App Wipe
• App Policies
• App SSO
• App VPN
BYOD Policy
Building a BYOD Policy (Gartner)
• Device diversity
• Policy enforcement
• Security and compliance
• Containerization
• Inventory management
• Software distribution
• Administration and reporting
• IT service management
• Network service management
BYOD Workflow
Figure: a four-step workflow (steps numbered 1–4 on the slide) with the phases Device Access Controls, Join BYOD Domain, Visibility & Reporting and Onboard Device. The bullet groups shown on the slide:

• Supplicant Config
• Push Trusted Cert
• Enable Posture
• Set Auth type

• Enrollment workflow
• Authorize User to provision device
• Device credential push
• Link User to Device

• Complete view of device & network
• Command & Control
• Inventory
• Diagnostics

• Revoke Device Access
• Device Profiling
• Role Derivation
• Corp vs Employee Liable
BYO Device Onboarding
Deploying ClearPass Onboard
• Planning
  – BYOD Policy
• Configuring
  – Certificate Authority Settings
  – Network Settings
  – Provisioning Settings
  – Advanced Settings
• Lifecycle Management
  – User experience
  – Lost, expired, revoked devices
Onboarding Mobile Devices
1. Mobile device detected & redirected to portal
2. Settings & certificates configured after domain credentials entered
3. Automatically places user on proper SSID / network segment
(Figure: SSID = EnterpriseBYOD; role-based configuration of non-domain devices)
Deployment Architecture
Figure: deployment architecture. "Bring Your Own" client devices (iOS, Windows, Mac OS X, Android) connect to the network; ClearPass Onboard and ClearPass Policy Manager act as the authentication server. Labels on the slide (steps numbered 1–4):
• Users enroll with Onboard Workflow
• Devices authenticate with Unique Device Credentials
• Manage Devices
• Policy Definition
• Administer Secure BYOD
• Network Access
Provisioning Workflow
Figure: provisioning workflow. "Bring Your Own" client devices (iOS and OS X 10.6+, Windows, Mac OS X, Android) connect through an AP and an Aruba Controller to ClearPass Onboard (web login page, Onboard GUI, certificates, users) and ClearPass Policy Manager (endpoints, users).
• iOS and OS X 10.6+: Over-the-Air Provisioning
• Windows, Mac OS X, Android: QuickConnect™ Provisioning
• After the Onboard Workflow completes, the device authenticates with EAP-TLS (device certificate)
Onboarding Deployment Options
Figure: client devices (iPad, Android) with 802.1X supplicants connect through an AP and Aruba Controller (802.1X authenticator) to ClearPass Policy Manager (802.1X authentication server; endpoints, users), backed by Active Directory. Two SSIDs: a Provisioning SSID (BYOD) and a Provisioned SSID (Employee-Secure).
• Different SSID for Provisioning & Provisioned
  – Standalone SSID
  – Linked from Guest Access Portal
Onboarding Deployment Options
Figure: same topology as the previous option (802.1X supplicants, AP and Aruba Controller as 802.1X authenticator, ClearPass Policy Manager as 802.1X authentication server, Active Directory), with a single Provisioning & Provisioned SSID (Employee-Secure).
• Same SSID for Provisioning & Provisioned
  – Device Profiling
  – Lack of provisioning credential
  – MDM integration
Onboard Workflow – iOS & OS X
Sequence diagram; participants: iOS Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager.

Captive portal
1. Device associates and sends an HTTP GET; the network infrastructure redirects it (device is in the Provisioning role)
2. Device requests the mobile device provisioning page from ClearPass Onboard

Pre-provisioning
3. Device downloads and installs the root certificate from the portal
4. User logs in with the provisioning user's credentials; ClearPass Policy Manager authenticates the user with Active Directory

Provisioning
5. Apple Over-the-Air Provisioning (detailed on the next slide)

Onboard Complete
6. Device switches to EAP-TLS; EAP-TLS authentication through the network infrastructure becomes a RADIUS authentication (EAP-TLS) at Policy Manager
7. Client certificate verified → Access-Accept → EAP-Success; the device verifies the server certificate
8. Device authenticated; provisioning complete
iOS “Over-the-Air Provisioning”
Sequence diagram; participants: iOS Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager.

Apple Over-the-Air Provisioning
1. Start device enrollment (signed profile payload); device sends the request for enrollment
2. Onboard returns the SCEP enrollment profile; user accepts the enrollment profile
3. Device requests a device certificate using SCEP; the user is authenticated for device enrollment and Onboard issues the SCEP certificate for the device; device installs the device identity certificate
4. Device requests the device configuration profile (signed); Onboard generates the TLS certificate and payload with the Onboard settings and returns the device configuration profile (signed + encrypted)
5. Device installs the profile and returns to Safari; the enrollment progress page refreshes
6. Device switches to EAP-TLS

Provisioning Complete
Onboard Workflow – other OSes
Sequence diagram; participants: Android Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager.

1. Device associates and sends an HTTP GET; the network infrastructure redirects it (device is in the Provisioning role)
2. Device requests the mobile device provisioning page; Onboard returns the provisioning portal page
3. Onboard detects the device type; device downloads the Onboard configuration and launches the app (QuickConnect Provisioning)
4. Device enrollment: Onboard pushes unique device credentials to the device
5. Device switches to EAP-TLS; RADIUS authentication (EAP-TLS) at Policy Manager verifies the unique device credentials → Access-Accept → EAP-Success; the device verifies the server certificate
6. Device authenticated; provisioning complete

Onboard Complete
Detecting BYO Devices
Power of context aware policies
• No longer a binary decision
• Leverage context sources to determine enforcement
  – Active Directory Group Membership
  – Machine authentication for domain joined devices
  – Device Type / Posture of the device
  – Managed by MDM / context from MDM
  – Lack of provisioned credential
• Differentiate Corporate Managed / Provisioned devices
  – Enforce Machine Authentication differently
  – Enforce MDM managed differently
  – Enforce Onboard provisioning differently
  – Redirect unmanaged / un-provisioned device to provisioning workflow (for example – only using PEAP AD credentials)
Sources of Profile Data
• Native
  – MAC OUI
  – HTTP User Agent (Captive Portal Services)
  – Onboard (explicit knowledge from client OS interactions)
  – OnGuard (explicit knowledge from client OS interactions)
• Network Sourced
  – DHCP Option fingerprinting (DHCP relay)
  – Subnet scan with SNMP profiling (CDP, LLDP, sysDescr)
  – AOS Controller 6.3 export (DHCP, HTTP, mDNS)
• Server Integration
  – MDM Server
  – Asset Register
• Fingerprints updated automatically over the net
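To make the "Sources of Profile Data" slide concrete, here is an added example (not ClearPass code and not a real fingerprint database) of a minimal endpoint profiler that combines three of the passive sources listed: MAC OUI, the DHCP option 55 parameter request list, and the HTTP User-Agent seen at the captive portal. The OUI table, DHCP fingerprints and User-Agent hints are constructed illustrations; the point is how the sources are combined and how disagreement between client-controlled sources lowers confidence.

```python
"""Endpoint profiler: added example, not ClearPass code.
All fingerprint tables below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed OUI table (first three octets of the MAC). A real profiler pulls
# this from the IEEE registry / a fingerprint feed that is updated over the net.
OUI_TABLE = {
    "00:11:22": "Acme Mobile",     # constructed vendor
    "AA:BB:CC": "Example PC Co",   # constructed vendor
}

# Constructed DHCP option-55 (parameter request list) fingerprints. The exact
# option order is what distinguishes OS families; a real database is far larger.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): ("Acme Phone OS", "smartphone"),
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252): ("Example Desktop OS", "computer"),
}

# Constructed substring hints for the captive-portal User-Agent header.
UA_HINTS = [
    ("AcmePhone", "Acme Phone OS", "smartphone"),
    ("ExampleDesktop", "Example Desktop OS", "computer"),
]


@dataclass
class Evidence:
    mac: str
    dhcp_option55: Optional[Tuple[int, ...]] = None  # from DHCP relay / option fingerprinting
    user_agent: Optional[str] = None                 # from captive portal services


@dataclass
class Profile:
    vendor: Optional[str]
    os: Optional[str]
    category: Optional[str]
    confidence: str                  # "high", "medium" or "low"
    conflicts: List[str] = field(default_factory=list)


def profile_endpoint(ev: Evidence) -> Profile:
    """Combine OUI, DHCP fingerprint and User-Agent into one profile.
    Each source contributes at most one vote; agreeing votes raise confidence,
    disagreeing votes are recorded and force confidence to 'low'."""
    vendor = OUI_TABLE.get(ev.mac.upper()[:8])
    votes = []  # (source, os, category)
    if ev.dhcp_option55 in DHCP_FINGERPRINTS:
        os_name, cat = DHCP_FINGERPRINTS[ev.dhcp_option55]
        votes.append(("dhcp", os_name, cat))
    if ev.user_agent:
        for needle, os_name, cat in UA_HINTS:
            if needle in ev.user_agent:
                votes.append(("http", os_name, cat))
                break

    conflicts = []
    os_names = {v[1] for v in votes}
    if len(os_names) > 1:
        conflicts.append("DHCP fingerprint and User-Agent disagree: " + " vs ".join(sorted(os_names)))

    if not votes:
        return Profile(vendor, None, None, "low", conflicts)
    if conflicts:
        # Both sources are client-controlled; keep the DHCP view but never trust it alone.
        dhcp = next(v for v in votes if v[0] == "dhcp")
        return Profile(vendor, dhcp[1], dhcp[2], "low", conflicts)
    confidence = "high" if len(votes) >= 2 else "medium"
    return Profile(vendor, votes[0][1], votes[0][2], confidence, conflicts)


if __name__ == "__main__":
    # Constructed sample evidence for three endpoints.
    samples = [
        Evidence("00:11:22:33:44:55", (1, 3, 6, 15, 119, 252), "Mozilla/5.0 (AcmePhone)"),
        Evidence("aa:bb:cc:00:00:01", (1, 3, 6, 15, 119, 252), "ExampleDesktop Browser/1.0"),
        Evidence("00:11:22:00:00:02"),
    ]
    for s in samples:
        print(s.mac, profile_endpoint(s))
```

Profile output is an input to policy, not a policy decision by itself: the second sample (a MAC whose DHCP fingerprint says phone while the browser claims a desktop) is exactly the kind of endpoint that should stay in a limited role until an explicit source such as Onboard or an MDM record confirms what it is.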
Sample Profile Dashboard
MDM Integration
Managing Mobility
Figure: two complementary domains.

MDM – Device Management (data at rest)
• Firmware & patch management
• Remote wipe & control
• Device-level visibility
• Configure network settings
• Push & provision apps

NAC – Network Infrastructure (data in motion)
• Identify the user
• Protect the network
• Provision & revoke device credentials
• Restrict usage & bandwidth
MDM Partners or Native ClearPass
• MDM Partners: multi-platform support
• ClearPass with WorkSpace: iOS-only support for corporate and BYOD devices
Mutually Leverage Context
Exchange endpoint context & trigger policies.

Device Policies
• Device restrictions
• Remote Lock & Wipe
• Install Application
• Black list Apps

Network Policies
• Firewall Policies
• Redirect to enroll
• Quarantine devices
• Bandwidth Prioritization
MDM Attributes of Interest
Network Policy Decision Points (sample device record from the slide)

Inventory
• Manufacturer: Apple
• Model: iPad2
• OS Version: iOS 6.1
• UDID: 1730235f564094186
• Serial Number: 79049XXXA4S
• IMEI: 012416009780168
• Phone Number: 408-534-2819
• Carrier: Verizon
• MDM Id: 130d0f992t34
• Owner: jhoward
• Display Name: John Howard
• Ownership: Employee Liable

Posture
• MDM Enabled: Yes
• Compromised: Not Jailbroken
• Encryption Enabled: Yes
• Blacklisted Apps: No
• Required Apps: Yes
• Last Check in: 01/30/2012 9:03am
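The "Detecting BYO Devices" slide lists the context sources (AD group, machine authentication, auth method and the presence or absence of a provisioned credential, device type) and the slide above lists the MDM posture attributes; the example below, added here and not ClearPass code, shows one way those signals combine into a role. The group name, role names, the 24-hour check-in threshold and the sample contexts are all constructed for the example; the ordering (negative MDM posture first, then the strongest identity signal, then the provisioned-credential check, with PEAP-only users sent to provisioning) is the design choice the slide's bullets describe.

```python
"""Context-aware role derivation: added example, not ClearPass code.
Group and role names and the staleness threshold are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

BYOD_GROUP = "BYOD-Allowed"            # constructed AD group that may onboard devices
MAX_CHECKIN_AGE = timedelta(hours=24)  # constructed: MDM posture older than this is stale


@dataclass
class AuthContext:
    username: str
    ad_groups: frozenset                 # Active Directory group membership
    auth_method: str                     # "EAP-TLS" (Onboard device cert) or "PEAP" (AD password only)
    machine_authenticated: bool          # domain-joined device completed machine authentication
    device_category: Optional[str] = None  # from profiling, e.g. "smartphone"


@dataclass
class MdmPosture:
    mdm_enabled: bool
    compromised: bool                    # jailbroken / rooted
    encryption_enabled: bool
    blacklisted_apps: bool
    required_apps: bool
    ownership: str                       # "Employee Liable" or "Corporate Liable"
    last_check_in: datetime


def derive_role(ctx: AuthContext, posture: Optional[MdmPosture], now: datetime) -> Tuple[str, str]:
    """Return (role, reason). The decision is not binary: each branch maps a
    combination of context sources to a different enforcement role."""
    # 1. Negative MDM context overrides everything else.
    if posture is not None:
        if posture.compromised:
            return "quarantine", "MDM reports device compromised (jailbroken/rooted)"
        if now - posture.last_check_in > MAX_CHECKIN_AGE:
            return "quarantine", "MDM posture is stale; last check-in too old"

    # 2. Domain-joined corporate asset: machine authentication is the strongest signal.
    if ctx.machine_authenticated:
        return "corporate-full", "domain-joined device passed machine authentication"

    # 3. Onboard-provisioned device (unique device certificate), enforced by MDM state.
    if ctx.auth_method == "EAP-TLS":
        if posture is None or not posture.mdm_enabled:
            return "byod-basic", "Onboard-provisioned credential without MDM context"
        if not posture.encryption_enabled or posture.blacklisted_apps or not posture.required_apps:
            return "byod-restricted", "MDM-managed but out of compliance"
        role = "byod-employee" if posture.ownership == "Employee Liable" else "corporate-mobile"
        return role, "Onboard credential and compliant MDM posture"

    # 4. AD credentials only (PEAP) and no provisioned credential: send to the
    #    provisioning workflow if the user is allowed to onboard, otherwise deny.
    if ctx.auth_method == "PEAP" and BYOD_GROUP in ctx.ad_groups:
        return "provisioning", "AD credentials only; redirect to onboarding workflow"
    return "deny", "no recognised context for access"


if __name__ == "__main__":
    now = datetime(2013, 11, 1, 12, 0)   # constructed reference time
    compliant = MdmPosture(True, False, True, False, True, "Employee Liable", now - timedelta(hours=1))
    alice = AuthContext("alice", frozenset({BYOD_GROUP}), "EAP-TLS", False, "smartphone")
    bob = AuthContext("bob", frozenset({BYOD_GROUP}), "PEAP", False, "smartphone")
    print(derive_role(alice, compliant, now))   # byod-employee
    print(derive_role(bob, None, now))          # provisioning
```

The same inputs with `compromised=True` land in quarantine regardless of how strong the authentication was, which is the "enforce MDM managed differently" point: MDM context is a veto on access, not merely a tag.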
ClearPass MDM Integration
Using MDM device information for Policy
Figure: MaaS360 ↔ ClearPass.
• Device type & posture polled from the MDM for policy decisions & reporting
• Endpoint data replicated to the ClearPass cluster
• CoA triggers network enforcement
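The three arrows on the slide (poll posture, replicate endpoint data, CoA to enforce) are a loop a policy server runs continuously. The example below, added here and not Aruba, ClearPass or MaaS360 code, simulates one iteration: a fresh poll of endpoint records is diffed against the previously replicated copy, and each posture change that affects access is encoded as a RADIUS Disconnect-Request or CoA-Request as RFC 5176 specifies (packet codes 40 and 43, Request Authenticator computed over the packet with the shared secret). The endpoint records, UDIDs, MAC addresses and shared secret are constructed sample values; `Filter-Id` carrying a role name is one common way a NAS is told which restricted role to apply, and is an assumption here.

```python
"""MDM poll -> posture diff -> RFC 5176 CoA/Disconnect: added example,
not ClearPass or MaaS360 code. Sample data below is constructed."""
import hashlib
import struct
from typing import Dict, List, Tuple

DISCONNECT_REQUEST = 40   # RFC 5176 packet codes
COA_REQUEST = 43
ATTR_FILTER_ID = 11       # standard RADIUS attribute numbers (RFC 2865)
ATTR_CALLING_STATION_ID = 31


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length including the 2-byte header, value."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Encode a CoA/Disconnect request. Per RFC 5176 section 3 the Request
    Authenticator is MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: check the length field and recompute the
    authenticator with its own copy of the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == received


def posture_changes(previous: Dict[str, dict], current: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Diff the replicated endpoint table against a fresh MDM poll and list the
    devices (by MDM UDID) whose posture newly requires enforcement."""
    actions = []
    for udid, rec in current.items():
        old = previous.get(udid, {})
        if rec["compromised"] and not old.get("compromised", False):
            actions.append((udid, "disconnect"))      # jailbroken/rooted: drop the session
        elif rec["blacklisted_apps"] and not old.get("blacklisted_apps", False):
            actions.append((udid, "quarantine"))      # move to a restricted role
    return actions


def enforcement_packets(previous: Dict[str, dict], current: Dict[str, dict],
                        secret: bytes, first_id: int = 1) -> List[bytes]:
    """Turn each posture change into the RFC 5176 request the NAS should receive."""
    packets, identifier = [], first_id
    for udid, action in posture_changes(previous, current):
        station = current[udid]["mac"].encode()
        if action == "disconnect":
            attrs = [(ATTR_CALLING_STATION_ID, station)]
            packets.append(build_packet(DISCONNECT_REQUEST, identifier, attrs, secret))
        else:
            attrs = [(ATTR_CALLING_STATION_ID, station), (ATTR_FILTER_ID, b"quarantine")]
            packets.append(build_packet(COA_REQUEST, identifier, attrs, secret))
        identifier = (identifier + 1) & 0xFF  # RADIUS identifier is one octet
    return packets


# Constructed sample data: the previously replicated table and a new poll.
PREVIOUS = {
    "udid-0001": {"mac": "00:11:22:33:44:55", "compromised": False, "blacklisted_apps": False},
    "udid-0002": {"mac": "00:11:22:33:44:66", "compromised": False, "blacklisted_apps": False},
}
CURRENT = {
    "udid-0001": {"mac": "00:11:22:33:44:55", "compromised": True, "blacklisted_apps": False},
    "udid-0002": {"mac": "00:11:22:33:44:66", "compromised": False, "blacklisted_apps": True},
    "udid-0003": {"mac": "00:11:22:33:44:77", "compromised": False, "blacklisted_apps": False},
}
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    for udid, action in posture_changes(PREVIOUS, CURRENT):
        print(udid, action)
    for pkt in enforcement_packets(PREVIOUS, CURRENT, SECRET):
        print("code", pkt[0], "len", len(pkt), "auth ok", verify_request_authenticator(pkt, SECRET))
```

Two practical notes follow from the code: the diff is what keeps the loop from re-sending the same Disconnect on every poll, and the shared-secret check in `verify_request_authenticator` is the only thing standing between a NAS and an unauthenticated CoA, so the secret and the source-address restriction on the NAS side matter as much as the policy logic.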
Use Context for Policy derivation
Provisioning Workflow – Integrated User Onboarding
1. Detect un-enrolled device connected to the network
2. Redirect to MDM self-service portal, or prompt user to download MDM agent
3. Enforce policy based on MDM context
(Screenshot: "Install MDM agent on my device")
ClearPass MDM
User Self Service
WorkSpace for MAM
Application Control – Separates Corporate & Personal Data
Figure: Corporate Apps (under MDM, corporate controlled) alongside Personal Apps (private to employee).
One App for Employee Self-Service
• Employee self-service mobility
• Personalized portal with Single Sign-On
• WorkSpace App provisioned to device
Figure: the @mycompany portal separates Personal from Corporate, with tabs My Access (Account & Guests), My Devices (BYOD Devices) and My Apps (Work Apps).
Mobile Context – Application & Data Control
• Time-fencing – Point of Sale app: must be used during store hours
• Geo-fencing – EMR apps: must be used at hospital or member facilities
• Motion sensing – Email app: cannot be used while driving/moving
• Device control – Device status: cut & paste restrictions, jailbreak / root detection, cloud backup
• Content control – Browser app: cannot access torrent sites
Managing App Policy over the air – ClearPass with WorkSpace
Figure: two flows.

WorkSpace Enrollment
1. Trigger WorkSpace App install (from the Apple AppStore)
2. OTA Enrollment
3. Authenticate User & Provision App
4. Install Policy Managed Apps (from the WorkSpace "For Aruba Apps" Enterprise AppStore)

App Policy Management
1. Device connects to WorkSpace
2. WorkSpace or App Launch
3. Policy Change on WorkSpace
4. Execute Policy / Update App
Role Based Application Provisioning
Figure: the app catalog is grouped into Public, Internal and Dev, and each user receives a different subset by role.
• User: Alice; Dept: Administration; Device: Android Tablet
• User: Frank; Dept: Radiology; Device: iPad 2
Apps shown: PhysicianReferral, StaffingSchedule, HospitalAdmin, PatientFlow, PatientFolder, MedicalImaging, ResourcePlanning, UnifiedComms.
Security Across the Network
Specific apps get their own VPN
Apps that don’t require network security go directly to the Internet
Aruba Mobility Controller
No Separate VPN Client Required
Summary
Integrated IT-Managed & BYOD Services
Figure: three control areas, Device/User Control, App Control and Network Control, with the following services:
• MDM Services
• BYOD Onboarding
• Enterprise App Store
• Application Wrapping
• Device Registration
• Device Profiling & Visibility
• AAA – RADIUS, TACACS+
• Policy Engine & Management
• Health Checks
• Visitor Management
• App VPN
• Single Sign On
ClearPass with WorkSpace – First System to Combine All BYOD Tools
Figure: context (When, What, Who, Where, How) across Network Control, Device Control and Application Control.
1. Unified access management
2. Built-in Onboarding & MDM
3. Built-in mobile app management
4. Complete BYOD visibility and control
Q&A
Thank You