Nowadays, most companies provide mobile devices like the iPhone, iPad or MacBook to their teams. As a logical consequence, remote work requires remote device management and, moreover, remote device deployment.

This requires a massive change in IT work: most workflows must be updated to work from anywhere and without the help desk, including:

  • initial device activation;
  • enrollment to the device manager;
  • inventory update;
  • automatic app deployment;
  • automatic accounts and services setup.

And all of this while still keeping the company's information secure.

To handle all of this, multiple tools are needed. The device manager (MDM, EMM, UEM… pick a name) is the most obvious. However, an often forgotten tool, the identity manager, is also needed.

The federated identity manager provides a single source of trust for every web service for everything related to authentication and authorization. Because each service delegates authentication to it instead of holding its own copy of the user's password, it keeps your corporate identity policy applied even on third-party cloud services.

Correctly set up, a device manager and an identity manager together allow a complete scheme of managed settings and authentication for mobile devices.

Here is the simple idea:

  1. The user gets a brand new device delivered directly at home or at the office;
  2. He/she starts the device setup assistant and provides his/her corporate credentials when asked (possibly taken from a gentle reminder previously sent by the lovely help desk);
  3. The device manager customizes the device for the end user (e-mail account, apps, security policies…);
  4. Once everything is installed, the user starts the apps one by one;
  5. Each app starts its own setup sequence using the settings provided by the device manager;
  6. The authentication request is forwarded to the identity manager;
  7. The identity manager uses all kinds of strong authentication mechanisms to identify the user linked to the device via the device manager;
  8. The user is authenticated and just needs to set his/her own preferences (like notifications).

In this whole sequence, the user has to enter a password only once, during the initial setup assistant. Everything else (provided the app is modern enough to support both federated authentication and managed settings) does not ask the user for anything.
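To make steps 5 and 6 concrete, here is what the app side looks like on iOS. This is an added example written for this post; it is not code from the page, from VMware or from any of the apps in the videos. The mechanism is real: an MDM pushes a per-app dictionary that the app reads from the reserved preferences key `com.apple.configuration.managed` (Managed App Configuration), and a federated app then hands the user to the identity manager's login page instead of collecting a password itself. The key names (`serverURL`, `loginHint`, `autoContinue`), the `idm.example.com` URL and the sample values are assumptions made for the example; a real app uses the keys published in its own AppConfig specification.

```swift
import Foundation

// Apple's reserved preferences key. An MDM delivers the per-app configuration
// dictionary under this key (Managed App Configuration, available since iOS 7).
let managedConfigurationKey = "com.apple.configuration.managed"

// Keys inside that dictionary. These names are assumptions for this example:
// the real keys are whatever the app vendor publishes in its AppConfig specification.
enum ManagedKey {
    static let serverURL = "serverURL"        // where to send the user for login
    static let loginHint = "loginHint"        // corporate identity (UPN / e-mail) set by the MDM
    static let autoContinue = "autoContinue"  // true: proceed without a tap (the "People Search" behaviour)
}

struct FirstRunPlan: Equatable {
    let serverURL: URL?
    let loginHint: String?
    let autoContinue: Bool
}

/// Derive the first-run behaviour from whatever the MDM pushed.
/// Anything missing or malformed falls back to "ask the user", i.e. the unmanaged behaviour.
func firstRunPlan(from managed: [String: Any]?) -> FirstRunPlan {
    let url = (managed?[ManagedKey.serverURL] as? String).flatMap { URL(string: $0) }
    let hint = managed?[ManagedKey.loginHint] as? String
    let auto = (managed?[ManagedKey.autoContinue] as? Bool) ?? false
    // Never auto-continue into nothing: a flag without a URL still shows the form.
    return FirstRunPlan(serverURL: url, loginHint: hint, autoContinue: auto && url != nil)
}

/// Read the live dictionary. It is stored unencrypted in the app's preferences,
/// so it must only carry endpoints and identities, never passwords or tokens.
func currentPlan() -> FirstRunPlan {
    firstRunPlan(from: UserDefaults.standard.dictionary(forKey: managedConfigurationKey))
}

/// Build the URL the app opens in ASWebAuthenticationSession so that the identity
/// manager, not the app, performs the authentication (step 6). `login_hint` is the
/// standard OpenID Connect parameter for pre-filling the identity on the login page.
func federatedLoginURL(for plan: FirstRunPlan) -> URL? {
    guard let base = plan.serverURL,
          var components = URLComponents(url: base, resolvingAgainstBaseURL: false) else {
        return nil
    }
    var items = components.queryItems ?? []
    if let hint = plan.loginHint {
        items.append(URLQueryItem(name: "login_hint", value: hint))
    }
    components.queryItems = items
    return components.url
}

/// The MDM can change the configuration after install (new server, renamed user);
/// the OS rewrites the dictionary and posts didChangeNotification, so observe it
/// instead of reading it once at launch.
func observeManagedConfiguration(_ onChange: @escaping (FirstRunPlan) -> Void) -> NSObjectProtocol {
    NotificationCenter.default.addObserver(
        forName: UserDefaults.didChangeNotification, object: nil, queue: .main
    ) { _ in onChange(currentPlan()) }
}

// Constructed sample standing in for the dictionary an MDM would push (not a real payload).
let sampleManagedConfig: [String: Any] = [
    ManagedKey.serverURL: "https://idm.example.com/login",   // hypothetical identity manager
    ManagedKey.loginHint: "alice@example.com",               // hypothetical user
    ManagedKey.autoContinue: true,
]

let plan = firstRunPlan(from: sampleManagedConfig)
if plan.autoContinue, let login = federatedLoginURL(for: plan) {
    print("zero-touch: open \(login)")   // no field shown, no password typed into the app
} else {
    print("prompt the user; prefill server=\(plan.serverURL?.absoluteString ?? "-")")
}
```

Two practical points follow from this. First, the "fill the URL but do not continue" behaviour of the Workspace app in the demo is just `autoContinue` set to false with `serverURL` present; an app that ignores the dictionary entirely (RingCentral, Slack below) behaves as if it were empty. Second, because the managed dictionary sits in plain preferences on the device, the right split is the one shown here: the device manager supplies where to log in and as whom, and the identity manager alone handles proving it.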

To better understand this workflow, here are a few videos providing a spotlight on each step. The recording was done on an iPod touch (but it works the same on any other Apple product), managed by VMware Workspace ONE (aka AirWatch). All services used during the demo are federated with VMware Identity Manager.

Those two VMware products are sold as a single package: VMware Workspace ONE.

The first video shows the initial activation of a brand new iOS device. The system automatically asks the end user for corporate credentials and a few personal preferences.

The second video presents the ideal app behaviour: settings provided by the device manager and redirection to the identity manager done automatically, allowing a zero-touch first start for the end user. This is shown here with VMware People Search, an app allowing remote access to the company's directory.

To continue with the examples, we have another VMware app: Workspace, the self-service app used with the device manager Workspace ONE UEM. This app gives access to all web services federated with Identity Manager and allows the installation of optional corporate apps. For the needs of this demo, the app is set to automatically fill the URL field but not to continue automatically. A normal deployment scenario would have this app behave the same way as People Search.

The next demo uses RingCentral Meeting. This app does not support any kind of managed settings, but still handles federated login. The user just has to enter an e-mail address to use it.

Another example of an app that can be federated but not managed is Slack. Here the app asks the user for the instance ID to go further. If we want a fully automated setup with Slack, we have to pay for the high-end Slack Grid option made for big companies…

It now seems obvious that all companies, even small ones, need such a feature. Most software vendors are doing the work needed to handle this new usage.

It's important to understand something here: all those features, of course, have a positive impact on the company's overall security and help reduce operating costs. However, the main goal is the user experience.

This means a few companies (like Slack) now need to understand that all customers, even small ones, need this feature. It's our duty, as customers and consultants, to push them to make the right choice.

Among the recent improvements in support for this scenario, Apple's macOS 10.14 and iOS 12 now support "modern auth" (OAuth-based authentication) for Exchange accounts.

The same behaviours demonstrated here for iOS are available on macOS.

For us, at Abelionni, it seems obvious that an IT setup can no longer work without both an identity manager and a device manager.

The positive effects are undeniable; the improvements are:

  • security of the information system;
  • user experience;
  • lower OPEX.