
CIS 2015 Enterprise Identity Meets Android for Work - Andy Zmolek


Binding an enterprise identity to a mobile device comes with additional considerations (starting with enterprise mobility management, or EMM), and historically the most challenging aspect of mobile identity has been how to get native SaaS apps to participate in single sign-on, but that's starting to change. We'll dive into how the new flows from the OIDF Native Applications Working Group ("NAPPS") can work with the new "work profile" concept within Google's Android for Work program to make enterprise identity (and SSO) more natural to the end user, and easier for enterprise IT and the SaaS vendor to implement along with their EMM partners.

Published in: Technology

  1. Enterprise Identity Meets Android for Work. Andy Zmolek, Enterprise Partnerships, Android
  2. This talk brings together two emerging enterprise mobile identity efforts: Android for Work and NAPPS.
  3. Android for Work is a program to drive Android adoption in the workplace: ● Secure Android for BYOD and corporate-issued devices ● Google Play for Work for app distribution ● Standardized management ● Leveraging the entire Android ecosystem
  4. Android for Work launched earlier this year with support from a broad set of initial partners. ● Management: integrated with existing management tools to create a single console across all devices ● Devices: designing new business-specific form factors and enabling AfW management ● Applications: developer friendly; write once, deploy and manage on any device through Google Play ● Networking: securely connect to your internal systems through VPN and network applications
  5. Work Profiles: an extension of Lollipop's default encryption, security enforcement and multi-user support. A dedicated work profile isolates and protects work data; badged work apps sit right alongside personal apps. Users know IT only manages work data and can't erase or view personal content.
  6. Android for Work app: for devices that can't run work profiles natively. Secure mail, calendar, contacts, documents, browsing and access to approved work apps. Can be completely managed by IT.
  7. Work Profile vs Android for Work app (diagram). Work Profile, Android Lollipop+ (where the OEM has enabled multi-user): a native app runs as a work instance under the work user and as a personal instance under the personal user. Android for Work app, Android ICS to KitKat (or Lollipop where the OEM has not enabled multi-user): work apps built with the Android for Work SDK run inside the Android for Work app, alongside native apps. Android for Work SDK: enables apps to run seamlessly in the secure container provided by the Android for Work app; supports APIs to access the container such as Contacts/Calendar providers, Storage Access Framework, intents, application configuration and management, KeyStore access, clipboard, Download and Notification Manager; provides extension APIs to support VPN and file encryption.
  8. Work Managed Device: for corporate-liable deployments which require management of the entire device. Set up from initial boot, including NFC-based provisioning. Deploy only selected apps (internal or third party) to managed devices.
  9. Built-in productivity tools: a suite of business apps for everyday tasks: email, contacts and calendar. Supports Exchange and Notes. Edit the most popular documents with the Docs, Sheets and Slides apps.
  10. Google Play for Work allows IT to securely deploy and manage business apps. Any app in the Play catalog can be deployed to the Work Profile; a subset to the Android for Work app. Simplifies the process of distributing apps and ensures IT approves every app deployed to workers.
  11. IT Admins: Work Storefront (play.google.com/work) ● Web-based tool for company admins ● Access to the entire public Google Play catalog ● Bulk app purchasing for users ● Admin acceptance of permissions for whitelisted apps
  12. Points of Integration for App Developers ● Managed Configuration: your app can expose its policy and configuration settings, to be read by Enterprise Mobility Managers and managed by IT admins. ● Data Segregation: users of your app can keep data separate between their work and personal profiles; check that your app works seamlessly in a work profile. ● Group Licensing: your app can be bulk purchased by IT admins, and licenses assigned and reassigned within the company; opt in via the Play Developer Console. [Coming Soon] ● Identity / Authentication: use Google sign-in to authenticate. Customers that have integrated with Google Auth get SSO with your app for free, or leverage standard SAML/OAuth.
  13. Android for Work platform stack (diagram; layers HW, OS, APPS, MGT). HW: verified boot, hardware-enabled key store. OS: encryption, SELinux + Android, work profile and personal. APPS: applications, identity apps, private / Play. MGT: EMMs. OEM extensions and innovation (OEMs) sit alongside the stack.
  14. KNOX variant of the stack (diagram; layers OS, APPS, MGT). Boot chain: secure boot, trusted boot, enhanced TIMA (RKP/Keystore/CCM). OS: encryption, Security Enhancements (SE) for Android, KNOX Android framework (VPN, SSO, ODE, SDP, attestation), KNOX Workspace, work profile and personal. APPS: applications, identity apps, private / Play. MGT: EMMs.
  15. Lollipop Native User Experience (Secure Mobility for Work)
  16. User Experience ● Personal and work applications shown in a single unified launcher ● Work apps badged with an orange briefcase ● A single application binary with two different data sets, one for work and one for personal ● PIM suite, browser, Docs, Sheets and Slides included
  17. Data Sharing Between Apps ● OS-based data separation ● Data sharing restricted across profiles ● Separate file store for each profile
  18. Native Task Switching: recent task switching with badging ● Work apps are badged ● Seamless switching between personal apps and work apps ● Work and personal instances of the same app run side by side with sandboxed data stores
  19. Badged Notifications ● Notifications are badged to separate work from personal ● EMM policy can redact or limit the detail displayed
  20. Android for Work App User Experience (Secure Mobility for Work)
  21. User Experience ● Same look and feel as the Android for Work native experience in Lollipop ● All applications shown in the launcher ● Work apps indicated by an orange briefcase badge ● Consistent across all Android for Work devices
  22. Android for Work App ● Application management and security framework ● Suitable for BYOD scenarios ● Screen-lock protected, controlled apps ● Management of the profile and associated apps rather than the full device ● Wipe removes the profile, data and apps, leaving the rest of the device unaffected
  23. Managed Domains & Identity (Secure Mobility for Work)
  24. Google Play for Work. Google Play for Work Store ● Android Work will provide a Managed Google Play Store to build collections of IT-approved apps. Managed Google Account ● Eliminates the use of personal accounts for Play for Work access ● Enables installation of approved apps presented in the Work Profile ● Facilitates app management, including volume purchases, with no license keys or user intervention
  25. Google Domain Identity: 1. Register Managed Domain 2. Create Admin Account 3. Verify Domain Ownership 4. Generate EMM API Token
  26. Registration of Domain (step 1). Registration process: Step 1: admin enters basic business contact information. Step 2: admin enters basic information about the business ● Business name ● Address ● Number of employees
  27. Create Admin Account (step 2): admin creates the account for the Managed Domain.
  28. Domain Verification (step 3): admin verifies domain ownership. Option 1: add a meta tag to the corporate homepage ● Google verifies by scanning the homepage. Option 2: add a TXT or CNAME record to the domain's DNS ● Google verifies by checking DNS records. Option 3: add an HTML file to the root of the company's website ● Google verifies by scanning the company website.
  29. EMM Binding Token (step 4) ● Generated for binding to the customer's EMM provider ● Enables Android for Work management via APIs ● Allows management of ONLY the specific Managed Domain's devices
  30. Account Management: the IT admin can populate the managed accounts directly into the managed domain. Option 1: delegate to the EMM via the Directory APIs. Option 2: Google Active Directory Sync. Authenticate accounts via enterprise SAML-based SSO (recommended) or password sync.
  31. Native Application SSO, aka "NAPPS" (Secure Mobility for Work)
  32. Searching for NAPPS? http://openid.net/wg/napps/ (not found at napps.org!)
  33. "Native" NAPPS ● NAPPS can always work with the system browser ● User experience can be improved: eliminate unnecessary app flips and browser pops ● Android for Work partners and the product team are working closely to define best practices ● Opportunity to leverage capabilities that already exist natively in the Android OS ● Stay tuned for more!
  34. IdP Discovery via App Restrictions ● Multiple methods exist for IdP discovery (aka "tenant discovery") with NAPPS, such as: non-managed: Smart Lock for Passwords; managed: Android app restrictions ● With managed profiles or devices, Android "app restrictions" can point to the enterprise IdP ● The app developer exposes an app configuration schema specific to their app in the manifest ● Play publishes the restrictions for EMMs, who set configurations via the Android framework
  35. Thank You! (Secure Mobility for Work)
  36. Business Customer Signup for Android for Work (flow across the EMM, the company's management front end / console, and Google Auth; the EMM provides app search & install, Google provides APIs for management and configuration):
      1. IT admin signs up for Android for Work through google.com/android/work/partners.
      2. IT admin verifies domain ownership.
      3. IT admin enrolls the Android for Work account with the EMM.
      4. Company synchronises its user directory with Google Auth; optionally synchronises credentials or integrates SAML federated login to enable SSO.
      5. EMM sets which apps users have available.
      6. User installs the EMM DPC app from Google Play.
      7. User follows the setup wizard in the EMM DPC app.
      8. User is signed in to their corp Google account.
      9. User browses for work apps to install in the Work Play Store.
  37. App Management Flow (flow across the EMM, the company's management front end / console, and Google Auth; the EMM provides APIs for management and configuration plus app catalog and delivery):
      1. IT admin discovers apps through Google Play for Work.
      2. IT admin approves the app and accepts permissions (free apps) in either Google Play for Work or the EMM console. Purchases can only be made in Google Play for Work (paid apps).
      3. IT admin push-installs the app or makes it available to users through the Play Store client app via the EMM console.
      4. Company synchronises its user directory with Google Auth; optionally synchronises credentials or integrates SAML federated login to enable SSO.
      5. User is signed in to their corp Google account.
      6. User installs approved apps from the Play Store client and accepts permissions.
      7. Admin pushes managed configuration to devices via the EMM console.
  38. Managed Configuration Flow (actors: EMM server, company, EMM client, your app): your app publishes its config options; the EMM server presents the admin config UI to the company; the admin pushes the config; the EMM client pushes the config to the profile; your app reads its config options.
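The two slides above (IdP discovery via app restrictions, and the managed configuration flow) describe the same mechanism from the app's side: the app declares a restrictions schema in its manifest, the EMM sets values through the Android framework, and the app reads them back. Below is an added example of the app side, written for this page and not taken from the talk or from any Google project. The package name, the restriction keys (idp_issuer, require_sso) and the validation policy are this example's own choices; the Android APIs it calls (RestrictionsManager, the android.content.APP_RESTRICTIONS manifest meta-data, the ACTION_APPLICATION_RESTRICTIONS_CHANGED broadcast) are the real platform ones.

```java
// Added example: reading an enterprise IdP location from Android managed configuration.
// Not from the original slides; package and key names are hypothetical.
//
// The app advertises its schema in AndroidManifest.xml:
//   <application ...>
//     <meta-data android:name="android.content.APP_RESTRICTIONS"
//                android:resource="@xml/app_restrictions" />
//   </application>
//
// res/xml/app_restrictions.xml (Play publishes this to EMMs, who present it to the admin):
//   <restrictions xmlns:android="http://schemas.android.com/apk/res/android">
//     <restriction android:key="idp_issuer" android:title="@string/idp_issuer_title"
//                  android:restrictionType="string" android:defaultValue="" />
//     <restriction android:key="require_sso" android:title="@string/require_sso_title"
//                  android:restrictionType="bool" android:defaultValue="false" />
//   </restrictions>
package com.example.idpdiscovery;   // hypothetical package name

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;
import java.net.URI;
import java.net.URISyntaxException;

public final class IdpDiscovery {
    /** Restriction keys; must match android:key in app_restrictions.xml. */
    static final String KEY_IDP_ISSUER = "idp_issuer";
    static final String KEY_REQUIRE_SSO = "require_sso";

    /** Outcome of discovery: where to send the user, and whether a non-SSO fallback is allowed. */
    public static final class IdpConfig {
        public final String issuer;      // null when no usable issuer was pushed
        public final boolean requireSso;
        IdpConfig(String issuer, boolean requireSso) { this.issuer = issuer; this.requireSso = requireSso; }
    }

    /**
     * Reads the configuration the EMM pushed into the work profile. An unmanaged install
     * gets an empty bundle, so the caller can fall back to the non-managed discovery path
     * (for example Smart Lock for Passwords, as the slides mention).
     */
    public static IdpConfig fromRestrictions(Context ctx) {
        RestrictionsManager rm = (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        return fromBundle(rm.getApplicationRestrictions());
    }

    static IdpConfig fromBundle(Bundle b) {
        if (b == null || b.isEmpty()) return new IdpConfig(null, false);
        String issuer = validateIssuer(b.getString(KEY_IDP_ISSUER, ""));
        boolean requireSso = b.getBoolean(KEY_REQUIRE_SSO, false);
        // requireSso with a null issuer means the admin mistyped the policy; the caller should
        // show an admin-facing error rather than silently allowing local passwords.
        return new IdpConfig(issuer, requireSso);
    }

    /**
     * Accept only an absolute https URL with a host and no query or fragment. The value arrived
     * through the DPC, but it is still admin-typed input: an http issuer would send the user's
     * authorization request in cleartext, and a query string could smuggle extra parameters.
     */
    static String validateIssuer(String candidate) {
        if (candidate == null || candidate.trim().isEmpty()) return null;
        try {
            URI u = new URI(candidate.trim());
            if (!"https".equalsIgnoreCase(u.getScheme())) return null;
            if (u.getHost() == null || u.getHost().isEmpty()) return null;
            if (u.getRawQuery() != null || u.getRawFragment() != null) return null;
            return u.toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Re-read the configuration whenever the EMM pushes an update to the profile. */
    public static BroadcastReceiver watch(Context ctx, final Runnable onChange) {
        BroadcastReceiver r = new BroadcastReceiver() {
            @Override public void onReceive(Context c, Intent i) { onChange.run(); }
        };
        ctx.registerReceiver(r, new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
        return r;   // caller unregisters it in onDestroy()
    }
}
```

Call fromRestrictions() at sign-in time and again from the receiver's callback, since the admin can push a new configuration after the app is installed; keeping the URL check in validateIssuer() separate from the Android calls lets the policy be unit-tested without a device.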
  39. Make any place your workplace
