Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM

#airheadsconf BYOD, MDM, and MAM Aruba Network Services Team November 2013


Transcript of Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM

Page 1: Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved. #airheadsconf

BYOD, MDM, and MAM

Aruba Network Services Team

November 2013

Page 2

Agenda

• BYOD Challenges
• BYOD Policy
• BYO Device Onboarding
• Detecting BYO Devices
• MDM Integration
• WorkSpace for MAM
• Summary
• Q&A

Page 3

BYOD – New Challenges

How do I get personal devices provisioned?

NETWORK: NAC?

DEVICE: MDM?

APP: MAM?

How do I keep corporate data safe?

How do I protect my network?

What if a mobile device is lost?

How do I maintain user privacy?

Page 4

Policy Enforcement Options for BYOD

NAC / AAA
• VLAN
• ACLs
• QoS
• Authentication

MDM
• Device Provisioning & Onboarding
• Device Policy
• Device Level Encryption
• Passcode
• Full Wipe
• App blacklist / whitelist

MAM
• Authentication
• App Passcode
• App Wipe
• App Policies
• App SSO
• App VPN

Page 5

BYOD Policy

Page 6

Building a BYOD Policy (Gartner)

• Device diversity
• Policy enforcement
• Security and compliance
• Containerization
• Inventory management
• Software distribution
• Administration and reporting
• IT service management
• Network service management

Page 7

BYOD Workflow

1. Join BYOD Domain
• Supplicant Config
• Push Trusted Cert
• Enable Posture
• Set Auth type

2. Onboard Device
• Enrollment workflow
• Authorize User to provision device
• Device credential push
• Link User to Device

3. Device Access Controls
• Revoke Device Access
• Device Profiling
• Role Derivation
• Corp vs Employee Liable

4. Visibility & Reporting
• Complete view of device & network
• Command & Control
• Inventory
• Diagnostics

Page 8

BYO Device Onboarding

Page 9

Deploying ClearPass Onboard

• Planning
– BYOD Policy
• Configuring
– Certificate Authority Settings
– Network Settings
– Provisioning Settings
– Advanced Settings
• Lifecycle Management
– User experience
– Lost, expired, revoked devices

Page 10

Onboarding Mobile Devices

1. Mobile device detected & redirected to portal

2. Settings & certificates configured after domain credentials entered

3. Automatically places user on proper SSID/ network segment

SSID = EnterpriseBYOD

Role-based configuration of non-domain devices

Page 11

Deployment Architecture

“Bring Your Own” client devices (iOS, Windows, Mac OS X, Android) authenticate with unique device credentials.

1. Users enroll with the Onboard Workflow (ClearPass Onboard)
2. Manage Devices
3. Policy Definition (ClearPass Policy Manager as the Authentication Server)
4. Network Access

Client Devices | Network | Authentication Server: administer secure BYOD

Page 12

Provisioning Workflow

• Client devices: iOS and OS X 10.6+ use Apple Over-the-Air Provisioning; Windows, Mac OS X and Android use QuickConnect™ Provisioning
• Network: AP and Aruba Controller redirect the device to the Web Login Page; once provisioned, the device authenticates with EAP-TLS (Device Certificate)
• Server: ClearPass Onboard (Onboard GUI; Onboard Workflow covering Certificates, Users and Endpoints) and ClearPass Policy Manager

Page 13

Onboarding Deployment Options

Components: 802.1X supplicants (iPad, Android) as client devices; AP and Aruba Controller as the 802.1X Authenticator; ClearPass Policy Manager as the 802.1X Authentication Server, backed by Active Directory.

• Different SSID for Provisioning & Provisioned
– Provisioning SSID: BYOD
– Provisioned SSID: Employee-Secure
– Standalone SSID
– Linked from Guest Access Portal

Page 14

Onboarding Deployment Options

Same components: 802.1X supplicants (iPad, Android); AP and Aruba Controller as the 802.1X Authenticator; ClearPass Policy Manager as the 802.1X Authentication Server, backed by Active Directory.

• Same SSID for Provisioning & Provisioned: Employee-Secure
Because provisioned and un-provisioned devices share one SSID, policy must tell them apart from other context:
– Device Profiling
– Lack of provisioning credential
– MDM integration

Page 15

Onboard Workflow – iOS & OS X

Participants: iOS Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager

Captive portal
1. Device associates and sends HTTP GET; network redirects it (Provisioning role)
2. Device requests the mobile device provisioning page

Pre-provisioning
3. Download and install root certificate from portal
4. Login with provisioning user’s credentials; Policy Manager authenticates the user with Active Directory

Provisioning
5. Apple Over-the-Air Provisioning (detailed on the next slide)
6. Device switches to EAP-TLS; network performs EAP-TLS auth, RADIUS Auth (EAP-TLS) to Policy Manager
7. Client certificate verified: Access-Accept; device verifies the server certificate; EAP-Success; device authenticated

Onboard Complete
8. Provisioning complete

Page 16

iOS “Over-the-Air Provisioning”

Participants: iOS Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager

1. Start device enrollment (signed profile payload); user accepts enrollment profile
2. Request for enrollment; Onboard returns the SCEP enrollment profile (user authenticated for device enrollment)
3. Request device certificate using SCEP; Onboard issues the SCEP certificate for the device; device installs the identity certificate
4. Request device configuration profile (signed); Onboard generates the TLS certificate and payload with Onboard settings and returns the device configuration profile (signed + encrypted)
5. Install profile and return to Safari; refresh enrollment progress page
6. Switch to EAP-TLS: Provisioning Complete

The device identity certificate is issued (step 3) before the configuration profile is delivered (step 4), so the profile carrying the EAP-TLS settings can be encrypted to that device and verified as signed by Onboard rather than installed in the clear.

Page 17

Onboard Workflow – other OS’s

Participants: Android Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager

Captive portal
1. Device associates and sends HTTP GET; network redirects it (Provisioning role)
2. Device requests the mobile device provisioning page; Onboard detects the device type and returns the provisioning portal page

QuickConnect Provisioning
3. Download Onboard configuration; launch app
4. Device enrollment: Onboard pushes unique device credentials

Onboard Complete
5. Device switches to EAP-TLS; RADIUS Auth (EAP-TLS) to Policy Manager, which verifies the unique device credentials: Access-Accept; device verifies the server certificate; EAP-Success; device authenticated
6. Provisioning complete

Page 18

Detecting BYO Devices

Page 19

Power of context aware policies

• No longer a binary decision
• Leverage context sources to determine enforcement
– Active Directory Group Membership
– Machine authentication for domain joined devices
– Device Type / Posture of the device
– Managed by MDM / context from MDM
– Lack of provisioned credential
• Differentiate Corporate Managed / Provisioned devices
– Enforce Machine Authentication differently
– Enforce MDM managed differently
– Enforce Onboard provisioning differently
– Redirect unmanaged / un-provisioned device to provisioning workflow (for example, a device authenticating only with PEAP and AD credentials)

Page 20

Sources of Profile Data

• Native
– MAC OUI
– HTTP User Agent (Captive Portal Services)
– Onboard (explicit knowledge from client OS interactions)
– OnGuard (explicit knowledge from client OS interactions)
• Network Sourced
– DHCP Option fingerprinting (DHCP relay)
– Subnet scan with SNMP profiling (CDP, LLDP, sysDescr)
– AOS Controller 6.3 export (DHCP, HTTP, mDNS)
• Server Integration
– MDM Server
– Asset Register
• Fingerprints updated automatically over the net
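The passive sources listed on this slide (MAC OUI, DHCP option fingerprinting, HTTP User Agent) and the explicit agent sources (Onboard, OnGuard) can be combined into a single endpoint profile. The Python below is an added example, not ClearPass code: the OUI, DHCP option 55 and User-Agent tables are constructed samples rather than a real fingerprint database, and the precedence order and conflict flags are this example's own choices.

```python
"""Passive endpoint profiling from several evidence sources (added example).

Not ClearPass code. The OUI, DHCP option 55 and User-Agent tables below are
constructed samples for illustration; a production profiler uses a large
fingerprint database that is updated regularly.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: first three octets of the MAC -> vendor (not the IEEE registry).
OUI_VENDORS = {
    "a4:5e:60": "Apple",
    "00:50:56": "VMware",
    "f8:a9:d0": "LG Electronics",
}

# Constructed sample: DHCP option 55 (parameter request list) -> operating system.
DHCP55_FINGERPRINTS = {
    "1,121,3,6,15,119,252": "iOS",
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows",
    "1,3,6,15,26,28,51,58,59,43": "Android",
}

# HTTP User-Agent patterns, checked in order: iOS agents also contain
# "like Mac OS X", so the iOS pattern must be tried before the Mac OS X one.
UA_PATTERNS = [
    (re.compile(r"\b(iPhone|iPad|iPod)\b"), "iOS"),
    (re.compile(r"\bAndroid\b"), "Android"),
    (re.compile(r"\bWindows NT\b"), "Windows"),
    (re.compile(r"\bMac OS X\b"), "Mac OS X"),
]

# Operating systems that ship only on one vendor's hardware; an OUI from another
# vendor contradicts the OS claim (spoofed MAC, virtual machine, or a bad fingerprint).
APPLE_ONLY_OS = {"iOS", "Mac OS X"}


@dataclass
class Profile:
    vendor: Optional[str] = None
    os: Optional[str] = None
    source: str = "none"                 # which evidence decided the OS
    locally_administered: bool = False   # MAC is randomised/locally set, so OUI is meaningless
    conflicts: List[str] = field(default_factory=list)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means a locally administered address, not an IEEE OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def profile_endpoint(mac: str, dhcp55: Optional[str] = None,
                     user_agent: Optional[str] = None,
                     agent_os: Optional[str] = None) -> Profile:
    """Combine evidence by reliability: agent (explicit) > DHCP > User-Agent > OUI."""
    mac = mac.lower()
    p = Profile(locally_administered=is_locally_administered(mac))
    if not p.locally_administered:
        p.vendor = OUI_VENDORS.get(mac[:8])

    ua_os = None
    if user_agent:
        for pattern, os_name in UA_PATTERNS:
            if pattern.search(user_agent):
                ua_os = os_name
                break
    dhcp_os = DHCP55_FINGERPRINTS.get(dhcp55) if dhcp55 else None

    if agent_os:                       # Onboard/OnGuard: explicit knowledge of the client OS
        p.os, p.source = agent_os, "agent"
    elif dhcp_os:
        p.os, p.source = dhcp_os, "dhcp"
    elif ua_os:
        p.os, p.source = ua_os, "user-agent"
    elif p.vendor:
        p.source = "oui"               # vendor only, weakest evidence

    # Cross-checks: disagreeing sources are a reason to trust the profile less.
    if dhcp_os and ua_os and dhcp_os != ua_os:
        p.conflicts.append("dhcp-user-agent-mismatch")
    if p.os in APPLE_ONLY_OS and p.vendor not in (None, "Apple"):
        p.conflicts.append("oui-vendor-mismatch")
    return p


if __name__ == "__main__":
    # Constructed sample inputs.
    print(profile_endpoint("A4:5E:60:01:02:03", dhcp55="1,121,3,6,15,119,252"))
    print(profile_endpoint("00:50:56:aa:bb:cc",
                           user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X)"))
```

The OUI and the User-Agent are set by the client, so a profile derived from them should only ever narrow access, never grant more than the authentication itself justifies; a conflict flag or a locally administered MAC is the cue to drop the device into a stricter role or send it to the provisioning workflow.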

Page 21

Sample Profile Dashboard

Page 22

MDM Integration

Page 23

Managing Mobility

MDM (Device Management: data at rest)
• Firmware & patch management
• Remote wipe & control
• Device-level visibility
• Configure network settings
• Push & provision apps

NAC (Network Infrastructure: data in motion)
• Identify the user
• Protect the network
• Provision & revoke device credentials
• Restrict usage & bandwidth

Page 24

MDM Partners or Native ClearPass

• MDM Partners: multi-platform support
• ClearPass with WorkSpace: iOS only support for corporate and BYOD devices

Page 25

Mutually Leverage Context

Exchange endpoint context & trigger policies

Device Policies
• Device restrictions
• Remote Lock & Wipe
• Install Application
• Black list Apps

Network Policies
• Firewall Policies
• Redirect to enroll
• Quarantine devices
• Bandwidth Prioritization

Page 26

MDM Attributes of Interest

Network Policy Decision Points

Inventory
• Manufacturer: Apple
• Model: iPad2
• OS Version: iOS 6.1
• UDID: 1730235f564094186
• Serial Number: 79049XXXA4S
• IMEI: 012416009780168
• Phone Number: 408-534-2819
• Carrier: Verizon
• MDM Id: 130d0f992t34
• Owner: jhoward
• Display Name: John Howard
• Ownership: Employee Liable

Posture
• MDM Enabled: Yes
• Compromised: Not Jailbroken
• Encryption Enabled: Yes
• Blacklisted Apps: No
• Required Apps: Yes
• Last Check in: 01/30/2012 9:03am

Page 27

ClearPass MDM Integration

Using MDM device information for Policy

1. The MDM server (MaaS360 in this example) replicates endpoint data to the ClearPass cluster
2. ClearPass polls device type & posture for policy decisions & reporting
3. CoA triggers network enforcement
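The context sources from the “Power of context aware policies” slide, the MDM posture attributes from the previous slide and the CoA trigger on this one come together in one policy decision. The Python below is an added example, not ClearPass policy: the role names, the issuer names “Corp-Domain-CA” and “Onboard-CA”, the “Contractors” group, the 24-hour check-in threshold and the rules themselves are constructed for illustration.

```python
"""Context-aware role derivation from authentication and MDM posture context
(added example, not ClearPass code). Role names, CA names, the 'Contractors'
group, the 24-hour check-in threshold and the decision rules are constructed
for illustration; a real deployment encodes its own in the policy engine.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

MAX_CHECKIN_AGE = timedelta(hours=24)   # assumption: older posture is not trusted


@dataclass
class MdmPosture:
    """Posture attributes as the MDM server reports them (see the attribute list above)."""
    mdm_enabled: bool
    compromised: bool          # jailbroken / rooted
    encryption_enabled: bool
    blacklisted_apps: bool
    required_apps: bool
    last_check_in: datetime
    ownership: str = "Employee Liable"


@dataclass
class EndpointContext:
    auth_method: str                       # "EAP-TLS" or "PEAP-MSCHAPv2"
    cert_issuer: Optional[str] = None      # "Corp-Domain-CA", "Onboard-CA" or None
    ad_groups: Set[str] = field(default_factory=set)
    mdm: Optional[MdmPosture] = None       # None when the MDM knows nothing about the device


def parse_checkin(text: str) -> datetime:
    """Parse the 'Last Check in' format shown on the slide, e.g. '01/30/2012 9:03am'."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M%p")


def posture_violations(m: MdmPosture, now: datetime) -> List[str]:
    """Every reason the device fails compliance; an empty list means compliant."""
    reasons = []
    if not m.mdm_enabled:
        reasons.append("mdm-not-enabled")
    if m.compromised:
        reasons.append("jailbroken-or-rooted")
    if not m.encryption_enabled:
        reasons.append("no-device-encryption")
    if m.blacklisted_apps:
        reasons.append("blacklisted-apps-present")
    if not m.required_apps:
        reasons.append("required-apps-missing")
    if now - m.last_check_in > MAX_CHECKIN_AGE:
        reasons.append("stale-posture")      # fail closed: an old "compliant" is unknown
    return reasons


def derive_role(ctx: EndpointContext, now: datetime):
    """Return (role, reasons). Corporate machine auth, Onboard-provisioned BYOD and
    credential-only PEAP each get a different enforcement, as the slides describe."""
    if ctx.auth_method == "EAP-TLS" and ctx.cert_issuer == "Corp-Domain-CA":
        return "Corporate-Managed", []            # machine authentication, domain device
    if ctx.auth_method == "EAP-TLS" and ctx.cert_issuer == "Onboard-CA":
        if ctx.mdm is None:
            return "BYOD-Limited", ["no-mdm-context"]
        reasons = posture_violations(ctx.mdm, now)
        if reasons:
            return "Quarantine", reasons
        if "Contractors" in ctx.ad_groups:
            return "BYOD-Contractor", []
        return "BYOD-Full", []
    if ctx.auth_method == "PEAP-MSCHAPv2" and ctx.ad_groups:
        # Valid AD user but no provisioned device credential: send to onboarding.
        return "Provisioning", ["no-provisioned-credential"]
    return "Deny", ["unrecognised-authentication"]


def reevaluate(current_role: str, ctx: EndpointContext, now: datetime):
    """Run when the MDM pushes new context; a role change means a CoA must be sent."""
    new_role, reasons = derive_role(ctx, now)
    return new_role != current_role, new_role, reasons


if __name__ == "__main__":
    # Constructed sample matching the posture values on the previous slide.
    now = datetime(2012, 1, 30, 12, 0)
    posture = MdmPosture(True, False, True, False, True, parse_checkin("01/30/2012 9:03am"))
    print(derive_role(EndpointContext("EAP-TLS", "Onboard-CA", {"Employees"}, posture), now))
```

Two points the slides imply but do not spell out: a stale “Last Check in” is treated as non-compliance rather than as the last known good state, since a device that has stopped reporting may have been wiped, jailbroken or had the agent removed; and the CoA decision is made by re-running the same derivation, so the quarantine role a device gets after an MDM alert is exactly the role it would have received had it connected in that state.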

Page 28

Use Context for Policy derivation

Page 29

Provisioning Workflow

Detect un-enrolled device connected to the network

Redirect to MDM self-service portal

or

Prompt user to download MDM agent

Enforce policy based on MDM context

Integrated User Onboarding

Install MDM agent on my device

Page 30

ClearPass MDM

Page 31

User Self Service

Page 32

WorkSpace for MAM

Page 33

Application Control
Separates Corporate & Personal Data

• Corporate Apps: under MDM, corporate controlled
• Personal Apps: private to employee

Page 34

One App for Employee Self-Service

• Employee self-service mobility
• Personalized portal with Single Sign-On
• WorkSpace App provisioned to device

The WorkSpace app (@mycompany) keeps Personal and Corporate separate and offers three views:
• My Access: Account & Guests
• My Devices: BYOD Devices
• My Apps: Work Apps

Page 35

Mobile Context

Application & Data Control

• TIME-FENCING: Point of Sale App must be used during store hours
• GEO-FENCING: EMR Apps must be used at hospital or member facilities
• MOTION SENSING: Email App cannot be used while driving/moving
• DEVICE CONTROL: Device Status: cut & paste restrictions, Jailbreak / Root detection, cloud backup
• CONTENT CONTROL: Browser App cannot access torrent sites
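The time-fencing, geo-fencing, motion-sensing and device-control rules above are all evaluated at app launch against the device's current state. The Python below is an added example, not WorkSpace code: the site coordinates, radii, store hours, speed threshold and reason strings are constructed for illustration, and the decision to fail closed when time or location is unknown is this example's own choice.

```python
"""Context-based application access control for the fences listed above
(added example, not WorkSpace code). Site coordinates, radii, hours and the
speed threshold are constructed for illustration."""
import math
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6371000.0


@dataclass
class Site:
    name: str
    lat: float
    lon: float
    radius_m: float


@dataclass
class AppPolicy:
    name: str
    hours: Optional[Tuple[time, time]] = None        # time-fencing window, local time
    sites: List[Site] = field(default_factory=list)  # geo-fencing; empty means anywhere
    block_when_moving: bool = False                  # motion sensing
    max_speed_mps: float = 2.0                       # assumption: above walking pace = moving


@dataclass
class DeviceState:
    """What the managed app knows about the device when the user opens it."""
    jailbroken: bool = False
    speed_mps: float = 0.0
    lat: Optional[float] = None
    lon: Optional[float] = None
    local_time: Optional[time] = None


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_hours(t: time, window: Tuple[time, time]) -> bool:
    """Half-open window [start, end); also handles windows that cross midnight (22:00-06:00)."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(policy: AppPolicy, state: DeviceState):
    """Return (allowed, reasons). Unknown time or location fails closed."""
    reasons = []
    if state.jailbroken:
        reasons.append("device-compromised")      # device control: cannot trust anything else
    if policy.hours:
        if state.local_time is None:
            reasons.append("time-unknown")
        elif not in_hours(state.local_time, policy.hours):
            reasons.append("outside-hours")
    if policy.sites:
        if state.lat is None or state.lon is None:
            reasons.append("location-unknown")
        elif not any(haversine_m(state.lat, state.lon, s.lat, s.lon) <= s.radius_m
                     for s in policy.sites):
            reasons.append("outside-geofence")
    if policy.block_when_moving and state.speed_mps > policy.max_speed_mps:
        reasons.append("device-in-motion")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample policies mirroring the slide's examples.
    pos = AppPolicy("Point of Sale", hours=(time(9, 0), time(21, 0)))
    emr = AppPolicy("EMR", sites=[Site("Hospital", 37.7749, -122.4194, 500.0)])
    mail = AppPolicy("Email", block_when_moving=True)
    print(evaluate(pos, DeviceState(local_time=time(22, 30))))
    print(evaluate(emr, DeviceState(lat=37.7759, lon=-122.4194)))
    print(evaluate(mail, DeviceState(speed_mps=15.0)))
```

Location, clock and speed all come from the device itself, which is why the jailbreak check is evaluated first: on a compromised device those inputs can be falsified, so the other fences only hold for devices that pass device control. Where the network can supply an independent signal (the AP or controller the device is associated to), it is a stronger basis for a geo-fence than GPS reported by the app.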

Page 36

Managing App Policy over the air

ClearPass with WorkSpace

WorkSpace Enrollment
1. Trigger WorkSpace App install from the Apple AppStore
2. OTA Enrollment: authenticate user & provision app
3. Install Policy Managed Apps from the WorkSpace ‘For Aruba Apps’ Enterprise AppStore

App Policy Management
4. Device connects to WorkSpace on WorkSpace or app launch
5. Policy change on WorkSpace: execute policy / update app

Page 37

Role Based Application Provisioning

App catalogue: Public / Internal / Dev

• User: Alice; Dept: Administration; Device: Android Tablet
• User: Frank; Dept: Radiology; Device: iPad 2

Apps provisioned according to role: Physician Referral, Staffing Schedule, Hospital Admin, Patient Flow, Patient Folder, Medical Imaging, Resource Planning, Unified Comms

Page 38

Security Across the Network

Specific apps get their own VPN

Apps that don’t require network security go directly to the Internet

Aruba Mobility Controller

No Separate VPN Client Required

Page 39

Summary

Page 40

Integrated IT-Managed & BYOD Services

Device/User Control
• MDM Services
• BYOD Onboarding
• Device Registration

App Control
• Enterprise App Store
• Application Wrapping
• App VPN
• Single Sign On

Network Control
• Device Profiling & Visibility
• AAA – RADIUS, TACACS+
• Policy Engine & Management
• Health Checks
• Visitor Management

Page 41

ClearPass with WorkSpace

First System to Combine All BYOD Tools

Context: Who, What, When, Where, How
Network Control, Device Control, Application Control

1. Unified access management
2. Built-in Onboarding & MDM
3. Built-in mobile app management
4. Complete BYOD visibility and control

Page 42

Q&A

Page 43

Thank You