Breakout - Airheads Macau 2013 - BYOD, MDM, and MAM
 

Speaker notes (MDM integration and WorkSpace policy examples):

In the first example, the MDM component has determined that a device is jailbroken; the WorkSpace app-management policy can then enforce a lock or wipe of a specific app or of all managed apps. A network policy could also be used to deny the device access if desired.

In the second example, an application such as Lync requires priority bandwidth for voice or video traffic. A WorkSpace policy can then work with the network infrastructure to prioritize traffic for this specific application and traffic type when it runs. This matters as more organizations replace PBXs with mobile unified communications applications that run on mobile devices.

Congestion caused by users' personal apps consuming valuable bandwidth may also become a problem with BYOD. iCloud backups, YouTube traffic and other bandwidth-heavy apps can be defined within the MDM component to trigger the network to restrict the bandwidth given to these apps.

The last example shows how the complete solution uses context throughout the entire scenario. As a device moves between locations, a network policy uses location to identify a usage policy, the MDM component then uses location to initiate a device-specific policy that turns off the camera, and a WorkSpace policy can then lock or unlock an app.
  • 21:44 – 24:16
  • 46:01

Presentation Transcript

  • Slide 1 – BYOD, MDM, and MAM. Aruba Network Services Team, November 2013. CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved. #airheadsconf
  • Slide 2 – Agenda
    – BYOD Challenges
    – BYOD Policy
    – BYO Device Onboarding
    – Detecting BYO Devices
    – MDM Integration
    – WorkSpace for MAM
    – Summary
    – Q&A
  • Slide 3 – BYOD – New Challenges
    – How do I get personal devices provisioned?
    – How do I keep corporate data safe?
    – How do I protect my network?
    – What if a mobile device is lost?
    – How do I maintain user privacy?
    – Candidate answers: NAC? MDM? MAM?
  • Slide 4 – Policy Enforcement Options for BYOD
    – NAC / AAA: VLAN, ACLs, QoS, Authentication
    – MDM: Device Provisioning & Onboarding, Device Policy, Device Level Encryption, Passcode, Full Wipe, App blacklist / whitelist
    – MAM: Authentication, App Passcode, App Wipe, App Policies, App SSO, App VPN
  • Slide 5 – BYOD Policy (section title)
  • Slide 6 – Building a BYOD Policy (Gartner)
    – Device diversity
    – Policy enforcement
    – Security and compliance
    – Containerization
    – Inventory management
    – Software distribution
    – Administration and reporting
    – IT service management
    – Network service management
  • Slide 7 – BYOD Workflow
    – 1. Onboard: Enrollment workflow; Authorize user to provision device; Device credential push; Link user to device
    – 2. Join BYOD Device Domain: Supplicant config push; Trusted cert; Enable posture; Set auth type
    – 3. Device Access: Revoke device access controls; Device profiling; Role derivation; Corp vs employee liable
    – 4. Visibility & Reporting: Complete view of device & network; Command & control; Inventory; Diagnostics
  • Slide 8 – BYO Device Onboarding (section title)
  • Slide 9 – Deploying ClearPass Onboard
    – Planning: BYOD Policy
    – Configuring: Certificate Authority Settings, Network Settings, Provisioning Settings, Advanced Settings
    – Lifecycle Management: User experience; Lost, expired, revoked devices
  • Slide 10 – Onboarding Mobile Devices: role-based configuration of non-domain devices
    – 1. Mobile device detected & redirected to portal
    – 2. Settings & certificates configured after domain credentials entered
    – 3. Automatically places user on proper SSID / network segment
  • Slide 11 – Deployment Architecture (diagram: ClearPass Onboard, ClearPass Policy Manager, Authentication Server, "Bring Your Own" client devices on iOS, Windows, Mac OS X and Android)
    – 1. Administer: policy definition in ClearPass Policy Manager
    – 2. Onboard Workflow: users enroll with the Onboard workflow; manage devices
    – 3. Devices authenticate with unique device credentials
    – 4. Secure BYOD network access
  • Slide 12 – Provisioning Workflow (diagram columns: Users, Endpoints, Network, Server)
    – Onboard workflow: web login page, then the Onboard GUI
    – iOS and OS X 10.6+: Apple Over-the-Air Provisioning, then EAP-TLS with a device certificate
    – Windows, Mac OS X, Android: QuickConnect™ provisioning, then EAP-TLS with a device certificate
    – ClearPass Onboard issues the certificates; ClearPass Policy Manager authenticates the endpoints through the Aruba controller and AP
  • Slide 13 – Onboarding Deployment Options: different SSID for provisioning and provisioned
    – Standalone SSID, or linked from the Guest Access portal
    – Diagram: 802.1X supplicants (iPad, Android) on the provisioning SSID "BYOD" or the provisioned SSID "Employee-Secure"; 802.1X authenticator (Aruba controller / AP); 802.1X authentication server (ClearPass Policy Manager with Active Directory)
  • Slide 14 – Onboarding Deployment Options: same SSID for provisioning and provisioned ("Employee-Secure")
    – Provisioning and provisioned devices are told apart by device profiling, lack of a provisioning credential, and MDM integration
    – Diagram: same supplicant / authenticator / authentication server roles as slide 13
  • Slide 15 – Onboard Workflow – iOS & OS X (sequence between iOS device, network infrastructure, ClearPass Onboard and ClearPass Policy Manager)
    – Pre-provisioning: associate, HTTP GET; the captive portal in the provisioning role redirects to the mobile device provisioning page; download and install the root certificate from the portal; log in with the provisioning user's credentials, authenticated against Active Directory
    – Provisioning: Apple Over-the-Air Provisioning; provisioning complete; switch to EAP-TLS
    – Authentication: RADIUS auth (EAP-TLS); server certificate verified; client certificate verified; EAP-Success / Access-Accept; device authenticated; Onboard complete
  • Slide 16 – iOS "Over-the-Air Provisioning" (sequence between iOS device, ClearPass Onboard and ClearPass Policy Manager)
    – Start device enrollment (signed profile payload); user accepts the enrollment profile; user authenticated for device enrollment
    – Request for enrollment; SCEP enrollment profile returned
    – Request device certificate using SCEP; SCEP certificate issued for the device; device identity certificate installed
    – Request device configuration profile (signed); Onboard generates the TLS certificate and payload with Onboard settings; device configuration profile returned (signed + encrypted); profile installed, return to Safari
    – Refresh enrollment progress page; switch to EAP-TLS; provisioning complete
  • Slide 17 – Onboard Workflow – other OSs (sequence for an Android device, network infrastructure, ClearPass Onboard and ClearPass Policy Manager)
    – Associate, HTTP GET; provisioning role redirect; request mobile device provisioning page; device type detected; provisioning portal page returned
    – Download Onboard configuration; launch app; QuickConnect provisioning: device enrollment, unique device credentials pushed; provisioning complete; switch to TLS
    – RADIUS auth (EAP-TLS); server certificate verified; unique device credentials verified; EAP-Success / Access-Accept; device authenticated; Onboard complete
  • Slide 18 – Detecting BYO Devices (section title)
  • Slide 19 – Power of context aware policies
    – No longer a binary decision
    – Leverage context sources to determine enforcement: Active Directory group membership; machine authentication for domain-joined devices; device type / posture of the device; managed by MDM / context from MDM; lack of provisioned credential
    – Differentiate corporate managed / provisioned devices: enforce machine authentication differently; enforce MDM-managed differently; enforce Onboard-provisioned differently; redirect unmanaged / un-provisioned devices to the provisioning workflow (for example, devices using only PEAP AD credentials)
  • Slide 20 – Sources of Profile Data
    – Native: MAC OUI; HTTP User-Agent (captive portal services); Onboard (explicit knowledge from client OS interactions); OnGuard (explicit knowledge from client OS interactions)
    – Network sourced: DHCP option fingerprinting (DHCP relay); subnet scan with SNMP profiling (CDP, LLDP, sysDescr); AOS controller 6.3 export (DHCP, HTTP, mDNS)
    – Server integration: MDM server; asset register
    – Fingerprints updated automatically over the net
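The profiling sources from slide 20 (MAC OUI, DHCP option fingerprinting, HTTP User-Agent) combined into one classifier, as an added example that is not Aruba or ClearPass code. The lookup tables, the `Endpoint` fields and the vendor/OS consistency check are constructed for illustration; ClearPass maintains its own fingerprint database.

```python
import re
from dataclasses import dataclass

# Constructed lookup tables (illustration only, not the ClearPass fingerprint DB).
OUI_TABLE = {"00:03:93": "Apple", "AC:37:43": "HTC"}
DHCP_FINGERPRINTS = {  # DHCP option 55 parameter request list, as seen by the relay
    "1,3,6,15,119,252": "Apple iOS",
    "1,3,6,15,26,28,51,58,59,43": "Android",
    "1,15,3,6,44,46,47,31,33,121,249,43": "Windows",
}
UA_PATTERNS = [(re.compile(r"\biPad\b"), "Apple iPad"),
               (re.compile(r"\biPhone\b"), "Apple iPhone"),
               (re.compile(r"\bAndroid\b"), "Android phone/tablet")]
VENDOR_OS = {"Apple": {"Apple iOS"}, "HTC": {"Android"}}  # OS families expected per OUI

@dataclass
class Endpoint:
    mac: str
    dhcp_options: str = ""   # empty until the relay forwards the device's DISCOVER
    user_agent: str = ""     # only seen when the device hits the captive portal

def profile(ep: Endpoint) -> dict:
    """Combine whatever sources are available; later sources are more specific."""
    result = {"vendor": None, "os_family": None, "device": None,
              "sources": [], "conflict": False}
    vendor = OUI_TABLE.get(ep.mac.upper()[:8])
    if vendor:
        result["vendor"] = vendor
        result["sources"].append("MAC OUI")
    os_family = DHCP_FINGERPRINTS.get(ep.dhcp_options)
    if os_family:
        result["os_family"] = os_family
        result["sources"].append("DHCP option 55")
    for pattern, device in UA_PATTERNS:
        if pattern.search(ep.user_agent):
            result["device"] = device
            result["sources"].append("HTTP User-Agent")
            break
    # A vendor OUI that disagrees with the DHCP fingerprint deserves a closer look:
    # spoofed MAC, a NAT/hotspot device, or a stale fingerprint table.
    if vendor in VENDOR_OS and os_family and os_family not in VENDOR_OS[vendor]:
        result["conflict"] = True
    result["label"] = result["device"] or os_family or vendor or "Unknown"
    return result

def needs_provisioning_redirect(result: dict) -> bool:
    """Unknown or conflicting profiles go to the provisioning role, not the employee network."""
    return result["label"] == "Unknown" or result["conflict"]
```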
  • Slide 21 – Sample Profile Dashboard (screenshot)
  • Slide 22 – MDM Integration (section title)
  • Slide 23 – Managing Mobility
    – NAC (network infrastructure, data in motion): identify the user; protect the network; provision & revoke device credentials; device-level visibility; restrict usage & bandwidth
    – MDM (device management, data at rest): configure network settings; push & provision apps; remote wipe & control; firmware & patch management
  • Slide 24 – MDM Partners or Native ClearPass
    – Two options: MDM partners, or ClearPass with WorkSpace (iOS only)
    – Support for corporate and BYOD devices; multi-platform support
  • Slide 25 – Mutually Leverage Context: exchange endpoint context & trigger policies
    – Network policies: firewall policies; redirect to enroll; quarantine devices; bandwidth prioritization
    – Device policies: device restrictions; remote lock & wipe; install application; blacklist apps
  • Slide 26 – MDM Attributes of Interest (sample record)
    – Inventory: Manufacturer: Apple; Model: iPad2; OS Version: iOS 6.1; UDID: 1730235f564094186; Serial Number: 79049XXXA4S; IMEI: 012416009780168; Phone Number: 408-534-2819; Carrier: Verizon; MDM Id: 130d0f992t34; Owner: jhoward; Display Name: John Howard; Ownership: Employee Liable
    – Posture (network policy decision points): MDM Enabled: Yes; Compromised: Not Jailbroken; Encryption Enabled: Yes; Blacklisted Apps: No; Required Apps: Yes; Last Check in: 01/30/2012 9:03am
  • Slide 27 – ClearPass MDM Integration: using MDM device information for policy (diagram: MaaS360 and ClearPass)
    – Endpoint data replicated to the ClearPass cluster
    – Device type & posture polled for policy decisions & reporting
    – CoA triggers network enforcement
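Role derivation from the context sources on slide 19 and the posture decision points on slide 26, with the CoA trigger from slide 27, as an added example that is not ClearPass code. Role names, action strings, the 24-hour check-in window and the `UC-Users` group are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CHECKIN_MAX_AGE = timedelta(hours=24)  # assumption: older MDM posture counts as stale

@dataclass
class AuthContext:
    eap_method: str              # "EAP-TLS" (Onboard device cert) or "PEAP" (AD credentials)
    machine_auth: bool = False   # domain-joined device performed machine authentication
    ad_groups: tuple = ()        # Active Directory group membership

@dataclass
class MdmPosture:  # the "network policy decision points" polled from the MDM server
    mdm_enabled: bool = False
    compromised: bool = False    # jailbroken / rooted
    encryption_enabled: bool = False
    blacklisted_apps: bool = False
    required_apps: bool = False
    last_check_in: datetime = None

@dataclass
class Decision:
    role: str
    actions: list = field(default_factory=list)  # network-side enforcement
    reasons: list = field(default_factory=list)

def posture_is_healthy(p: MdmPosture, now: datetime) -> bool:
    fresh = p.last_check_in is not None and now - p.last_check_in <= CHECKIN_MAX_AGE
    return (p.mdm_enabled and not p.compromised and p.encryption_enabled
            and not p.blacklisted_apps and p.required_apps and fresh)

def derive_role(auth: AuthContext, mdm: MdmPosture, now: datetime) -> Decision:
    """Not a binary decision: each context source narrows the enforcement."""
    if mdm and mdm.compromised:  # jailbroken: quarantine regardless of credentials
        return Decision("Quarantine", ["acl: quarantine", "mdm: remote lock"], ["device compromised"])
    if auth.eap_method == "EAP-TLS" or auth.machine_auth:
        d = Decision("Employee-Secure", ["vlan: corporate"], ["provisioned device credential"])
    elif mdm and posture_is_healthy(mdm, now):
        d = Decision("MDM-Managed", ["vlan: corporate", "acl: mdm-managed"], ["healthy MDM posture"])
    elif auth.eap_method == "PEAP":  # AD credentials only, no device credential
        return Decision("Provisioning", ["redirect: enrollment portal"], ["lack of provisioned credential"])
    else:
        return Decision("Deny", ["reject"], ["no usable context"])
    if "UC-Users" in auth.ad_groups:  # constructed group: voice/video users get priority
        d.actions.append("qos: prioritize unified-comms traffic")
    return d

def coa_for_change(previous: Decision, current: Decision):
    """Polled posture changed the role: push a RADIUS CoA so the network re-enforces."""
    return None if previous.role == current.role else f"CoA-Request: change role {previous.role} -> {current.role}"
```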
  • Slide 28 – Use Context for Policy derivation (screenshot)
  • Slide 29 – Integrated User Onboarding: provisioning workflow
    – Detect un-enrolled device connected to the network
    – Redirect to MDM self-service portal, or prompt user to download the MDM agent
    – Install MDM agent on my device
    – Enforce policy based on MDM context
  • Slide 30 – ClearPass MDM (screenshot)
  • Slide 31 – User Self Service (screenshot)
  • Slide 32 – WorkSpace for MAM (section title)
  • Slide 33 – Application Control Separates Corporate & Personal Data
  • Slide 34 – One App for Employee Self-Service
    – WorkSpace App provisioned to device
    – Employee self-service mobility
    – Personalized portal with Single Sign-On: My Apps, My Devices, My Access (@mycompany)
  • Slide 35 – Application & Data Control: mobile context
    – Must be used during store hours
    – Must be used at hospital or member facilities
    – Cannot be used while driving/moving
    – Cannot access torrent sites
    – Cut & paste restrictions, jailbreak / root detection, cloud backup
  • Slide 36 – Managing App Policy over the air
    – WorkSpace enrollment: OTA enrollment trigger; WorkSpace app install (Apple AppStore); authenticate user & provision app (ClearPass with WorkSpace)
    – App policy management: device connects to WorkSpace, app launch, or policy change on WorkSpace; execute policy / update app; install policy-managed apps ("For Aruba Apps", WorkSpace Enterprise AppStore)
  • Slide 37 – Role Based Application Provisioning
    – User: Alice, Dept: Administration, Device: Android tablet
    – User: Frank, Dept: Radiology, Device: iPad 2
    – Apps shown: Internal Dev, Physician Staffing, Referral Schedule, Public, Medical Imaging, Hospital Admin, Patient Folder, Patient Flow, Unified Comms, Resource Planning
  • Slide 38 – Security Across the Network
    – Specific apps get their own VPN (to the Aruba Mobility Controller)
    – No separate VPN client required
    – Apps that don't require network security go directly to the Internet
  • Slide 39 – Summary (section title)
  • Slide 40 – Integrated IT-Managed & BYOD Services
    – Columns: Network Control; Device Profiling & Visibility; Device/User Control; App Control
    – Services: MDM Services; Enterprise App Store; AAA – RADIUS, TACACS+; Device Registration; Application Wrapping; Policy Engine & Management; Visitor Management; Single Sign On; BYOD Onboarding; App VPN; Health Checks
  • Slide 41 – First System to Combine All BYOD Tools: ClearPass with WorkSpace (context: who, what, when, where, how)
    – 1. Network Control: unified access management
    – 2. Device Control: built-in Onboarding & MDM
    – 3. Application Control: built-in mobile app management
    – 4. Complete BYOD visibility and control
  • Slide 42 – Q&A
  • Slide 43 – Thank You