MDM Year in Review and Outlook

Post on 14-Jan-2015

Kapsch BusinessCom

DI (FH) Daniel Ruby

Year in review / outlook: MDM, MAM, BYOD, DLP...

and now "mobile first" as well?

Kapsch Security – wrap up…

MDM is the solution

- mobile device landscape changed…
- Android Fragmentation
- BYOD (bring your own device)
- Apps / appstores / app deployment
- Mobile malware
- Network requirements / WiFi / QoS Bandwidth
- Data at Rest
- The Dropbox problem
- Privacy & Compliance
- Cost Control
- Secure Access to corporate resources
- Certificates
- Rollout / Lifecycle Management
- Device Lockdown

Smartphones & Tablets in the Enterprise

- mobile device landscape changed…

OS X v10.7

OS X v10.8

- Android Fragmentation -> The Android Challenge in the Enterprise...

- BYOD (bring your own device)

Access to corporate resources

Access protection Compliance Protection

Management

- ActiveSync access (mail, calendar, contacts)
- Network access (WLAN profiles, APN settings, Dataguard)
- SharePoint (documents, presentations)
- VPN (access possible from anywhere?)
- Cloud services

- Passcode policy
- Encryption
- Remote wipe
- Separation of private and corporate devices

- Apple App Store / Google Play
- App inventory & deployment
- App blacklist / whitelist
- OS updates / releases, patch level

- Device configuration
- Deployment of certificates
- Enforcement options

Microsoft Exchange Active Sync (EAS Policies)

Apple iPhone Configuration Utility

Secure Container solutions (e.g. Checkpoint mobile Blade)

Secure Access to Web Portal

Integrated Document Security

Corporate Mail Sync in a secure workspace

MAB Exchange Server

EWS

- BYOD (bring your own device): MDM/MobileIron

Smartphones & Tablets in the Enterprise: Wrap up!

Mobile Device Management with

- mobile device landscape changed…
- Android Fragmentation
- BYOD (bring your own device)
- Apps / appstores / app deployment
- Mobile malware
- Network requirements / WiFi / QoS Bandwidth
- Data at Rest
- The Dropbox problem
- Privacy & Compliance
- Cost Control
- Secure Access to corporate resources
- Certificates
- Rollout / Lifecycle Management
- Device Lockdown

DI (FH) Daniel Ruby System Engineer Security

ICT Infrastructure

Kapsch BusinessCom

Wienerbergstraße 53 | A-1120 Vienna | Austria

Phone +43 (0) 50 811 5455 | Mobile +43 664 628 5455

E-mail daniel.ruby@kapsch.net | www.kapschbusiness.com

Please Note:

The content of this presentation is the intellectual property of Kapsch AG and all rights are reserved with respect to the copying, reproduction, alteration, utilization, disclosure or transfer of such content to third parties. The foregoing is strictly prohibited without the prior written authorization of Kapsch BusinessCom AG. Product and company names may be registered brand names or protected trademarks of third parties and are only used herein for the sake of clarification and to the advantage of the respective legal owner without the intention of infringing proprietary rights.

Questions?

MDM Service Modules by Kapsch

Module: Authentication & Certificates

Module: Best Practice – Device Enablement & Rollout

Module: High Availability - Sentry

MobileIron and ISE Workflow: Initial Device Connection

Diagram labels: Trust, Cisco ISE, Active Directory, Certificate Server, DMZ

Initial Connection: The user connects to BYOD 802.1X EAP/PEAP and logs in with their corporate username and password, or connects to the open SSID for on-boarding.

NTLM, Kerberos or LDAP if EAP/PEAP-MSCHAPv2 authenticated

Redirect to ISE Device Registration Page: The user is not registered with ISE, so the user is redirected to the Cisco Captive Portal page on ISE so they can register their device for user self-service later on.

Do you know this user? Look up by MAC address: The user opens a browser and tries to access a protected resource, at which point ISE does a lookup against the MobileIron API to see if it is a known user/MAC address.

I do not

Redirect to ISE MDM Registration Page: The user is unknown, so they are redirected to the ISE MDM enrollment page.

…and follows the directions to install the MobileIron MyPhone@Work client and enroll with the VSP.

LDAP

SCEP Certificate Enrollment

• Mobile Device Security, Lockdown, and Application Policies
• SSL VPN and WiFi Settings
• iOS Restrictions
• Corporate Apps/Configuration/Identity
• Authentication Certificate(s)
• Corporate Root Certificate(s)
• Device Inventory
• Application Inventory
• Multi-User
• Kiosk Mode

Post ISE Registration/MI Enrollment (in policy)

The user connects to the same SSID using the certificate and new WiFi profile that were provisioned from MobileIron. This new profile uses EAP-TLS for authentication (certificate auth) instead of EAP/PEAP (username and password).

The wireless controller asks Cisco ISE for directions on what the user should have access to.

Do you know this user? Look up by MAC address. Yes, device posture is returned: the device IS compliant.

Cisco ISE returns access instructions to the wireless controller.

The user can access Internet and trusted resources.

| Trust

Cisco ISE

Active Directory

Certificate Server

Yes Device Posture is Returned

Device is NOT Compliant

Do you know this user? Look up by MAC Address

DMZ

User connects to same SSID using certificate and new WiFi profile that were provisioned from MobileIron.

This new profile uses EAP-TLS for authentication (certificate auth) instead of EAP/PEAP (username and

password)

User can Access Internet Resources Only

Wireless Controller asks Cisco ISE for directions on what the user

should have access to

Cisco ISE returns access instructions to wireless

controller

Post ISE Registration/MI Enrollment (out of policy)

X

Kapsch BusinessCom

|
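The access decision described in the workflow slides above, as an added Python example that is not part of the presentation and is not Cisco ISE or MobileIron code. The names `authorize`, `ISE_REGISTERED` and `MDM_POSTURE` are hypothetical stand-ins for the ISE registration store and the MDM lookup by MAC address; normalizing MAC notation and treating a missing posture as out of policy go beyond the slides and are assumptions.

```python
import re
from enum import Enum

class Access(Enum):
    REDIRECT_DEVICE_REGISTRATION = "redirect to ISE device registration page"
    REDIRECT_MDM_ENROLLMENT = "redirect to ISE MDM enrollment page"
    INTERNET_ONLY = "Internet resources only"
    INTERNET_AND_TRUSTED = "Internet and trusted resources"

def normalize_mac(mac):
    """Reduce common MAC notations (aa:bb.., AA-BB.., aabb.ccdd..) to 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def authorize(mac, ise_registered, mdm_posture):
    """Return the access level for a connecting device.

    ise_registered: MACs registered with ISE (hypothetical store)
    mdm_posture:    MAC -> True/False/None, standing in for the MDM
                    lookup by MAC address (hypothetical, not a real API)
    """
    key = normalize_mac(mac)
    if key not in {normalize_mac(m) for m in ise_registered}:
        return Access.REDIRECT_DEVICE_REGISTRATION
    posture = {normalize_mac(m): ok for m, ok in mdm_posture.items()}
    if key not in posture:            # MDM answers "I do not" know this device
        return Access.REDIRECT_MDM_ENROLLMENT
    if posture[key] is True:          # posture returned, device is compliant
        return Access.INTERNET_AND_TRUSTED
    return Access.INTERNET_ONLY       # out of policy, or no posture (assumption)

# Constructed sample data; the two sources use different MAC notations.
ISE_REGISTERED = {"AA-BB-CC-00-00-01", "aabb.cc00.0002",
                  "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"}
MDM_POSTURE = {"aa:bb:cc:00:00:02": True, "AA:BB:CC:00:00:03": False,
               "aabbcc000004": None}

if __name__ == "__main__":
    for mac in ["aa:bb:cc:00:00:09", "aa:bb:cc:00:00:01",
                "AABBCC000002", "aabb.cc00.0003", "AA-BB-CC-00-00-04"]:
        print(mac, "->", authorize(mac, ISE_REGISTERED, MDM_POSTURE).value)
```

Without the normalization step, a device that is enrolled and compliant in one system can look unknown to the other and be sent back to enrollment.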

Operations: Certificate Management with SCEP