WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Similar documents
Securing Office 365 with MobileIron

Speaker Introduction Who Mate Barany, VMware Manuel Mazzolin, VMware Peter Schmitt, Deutsche Bahn Systel Why VMworld 2017 Understanding the modern sec

Phil Schwan Technical

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Use EMS to protect your mobile data and mobile app

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

BRING MAC TO THE ENTERPRISE WITH A MODERN APPROACH TO MANAGEMENT

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Go mobile. Stay in control.

3-Part Guide to Developing a BYOD Strategy

How Microsoft s Enterprise Mobility Suite Provides helps with those challenges

Redefine Windows 10 Management. Embrace True Business Mobility

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

Google Identity Services for work

2016 BITGLASS, INC. mobile. solution brief

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

REVISED 4 JANUARY 2018 VMWARE WORKSPACE ONE REFERENCE ARCHITECTURE FOR SAAS DEPLOYMENTS

Maximize your move to Microsoft in the cloud

ARCHITECTURAL OVERVIEW REVISED 6 NOVEMBER 2018

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

VMware AirWatch Workspace ONE Send Admin Guide Configuring and deploying Workspace ONE Send

Microsoft IT deploys Work Folders as an enterprise client data management solution

Hybrid Identity de paraplu in de cloud

Augmenting security and management of. Office 365 with Citrix XenMobile

Secure Access for Microsoft Office 365 & SaaS Applications

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

THREE-PART GUIDE TO DEVELOPING A BYOD STRATEGY WHITE PAPER FEBRUARY 2017

905M 67% of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves

Maximize your investment in Microsoft Office 365 with Citrix Workspace

Windows ierīces Enterprise infrastruktūrā. Aris Dzērvāns Microsoft

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On-Premises Tools

SECURE, CENTRALIZED, SIMPLE

Integrating AirWatch and VMware Identity Manager

Windows 10 Management Technologies: What s New. Michael Niehaus Senior Product Marketing Manager, Windows Microsoft

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

WORKPLACE Data Leak Prevention: Keeping your sensitive out of the public domain. Frans Oudendorp Ronny de Jong

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Use Microsoft EMS. to Protect your Mobile Data and Mobile Apps. Chris Nackers Nackers Consulting

RHM Presentation. Maas 360 Mobile device management

Adaptacyjny dostęp do aplikacji wszędzie i z każdego urządzenia

ForeScout Extended Module for VMware AirWatch MDM

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On- Premises Tools

Service Description VMware Workspace ONE

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

SAML-Based SSO Solution

SAML-Based SSO Solution

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Liferay Security Features Overview. How Liferay Approaches Security

PROVE YOURSELF: IDENTITY IN A MOBILE-CLOUD WORLD. A Contextual Guide to the Digital Workspace

XenApp, XenDesktop and XenMobile Integration

AirWatch Container. VMware Workspace ONE UEM

Managing Devices and Corporate Data on ios

MaaS360 Secure Productivity Suite

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

WHITEPAPER. How to secure your Post-perimeter world

PCI DSS Compliance. White Paper Parallels Remote Application Server

BYOD: BRING YOUR OWN DEVICE.

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

Office 365: Modern Workplace

Nukona Policy Management

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Table of Contents. VMware AirWatch: Technology Partner Integration

Vodafone Secure Device Manager Administration User Guide

Centrify for Dropbox Deployment Guide

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Authlogics for Azure and Office 365

Table of Contents HOL-1757-MBL-6

VMware AirWatch - Mobile Application Management and Developer Tools

Unified Endpoint Management: Security and productivity for the digital workspace

AirWatch for Android Devices for AirWatch InBox

Centrify Identity Services for AWS

Cloud Secure Integration with ADFS. Deployment Guide

Planning for and Managing Devices in the Enterprise: Enterprise Management Suite (EMS) & On-Premises Tools

Citrix ShareFile Share, store, sync, and secure data on any device, anywhere

App Gateway Deployment Guide

The Device Has Left the Building

Addressing Today s Endpoint Security Challenges

Introducing. Secure Access. for the Next Generation. Bram De Blander Sales Engineer

The Modern Web Access Management Platform from on-premises to the Cloud

Related Labs: Introduction to Universal Access and F5 SAML IDP (Self-paced)

PLANNING YOUR WINDOWS 10 DEPLOYMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

Welcome! Securely Sync, Store & Share with Citrix ShareFile

Citrix XenMobile and Windows 10

Thomas Lippert Principal Product Manager. Sophos Mobile. Spring 2017

BYOD Business year of decision!

Microsoft Intune App Protection Policies Integration. VMware Workspace ONE UEM 1811

White Paper Securing and protecting enterprise data on mobile devices

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

SAP Security in a Hybrid World. Kiran Kola

Conditional Access Policies

At Course Completion After completing this course, students will be able to:

The University of Toledo Intune End-User Enrollment Guide:

BlackBerry Enterprise Identity

Transcription:

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Airwatch Support for Office 365 One of the most common questions being asked by many customers recently is How does AirWatch support Office 365? Customers often ask if VMware AirWatch can control access to Microsoft Office 365 not only on their corporate systems, but most importantly on their mobile devices. Fortunately, AirWatch provides comprehensive support to help organisations leverage Office 365 on their mobile devices: AirWatch makes it easy to deploy the Office apps and email to the users that are licensed for them, and sets the users up so they sign in automatically to the apps using the same identity as their corporate account. Integration with VMware Identity Manager provides an industryfirst adaptive access control framework to ensure that all work applications, including Office 365, can only be installed and run on managed and compliant devices. Containerization that relies on the native OS Mobile Application Management (MAM) controls ensures encryption of data at rest, prevents corporate data leakage, and supports enterprise (selective) wipe of devices. The Office 365 Challenge Migrating to Office 365 for an organisation presents a host of new challenges: Given that Office 365 is accessible from the Internet, traditional access control mechanisms for email and apps, which are based on network and perimeter security models, fail to work. Unlike their desktop equivalents, mobile Office apps present new, complex data protection challenges for BYOD users - including containerization and remote wipe. What organisations need is a way to restrict O365 access to only managed and compliant devices without any dependency on the network or domain membership. Additionally, they need to ensure that any data stored on a device is encrypted and can be remotely wiped if lost or stolen. While this may seem trivial at first, it gets increasingly complex considering the many platforms and the complexity in enabling the ability for the solution to co-exist with both enterprise mobility management (EMM) and domain managed devices. Complexity is also added when integrating EMM and domain managed devices with existing on premise infrastructure. While this white paper specifically discusses how AirWatch solves these problems for O365, the same architecture secures all company applications both cloud and on-premise. Airwatch O365 Integration AirWatch enables Office 365 ease of use by providing a common identity for authentication, conditional access control to the apps, and protection for data on the device. Not only is this great news for IT and security, but AirWatch also enables easy scaling of the Office 365 apps across the organisation by making the entire provisioning process simple and automated for the end users. Self-Service Secure SSO Access to O365 Provision Office 365 Apps To begin with, a unified app catalog and EMM capabilities enables IT to securely distribute, or end users to independently download native Office 365 applications and set up email on their mobile devices. AirWatch makes the process of provisioning access to different Office 365 applications easy and automated by syncing with existing on-premises Active Directory (or LDAP) user groups. This ensures only authorised users with purchased licenses are able to access Office 365 services, and automatically revokes access to unauthorised users without requiring any IT involvement or calls to the help desk. Today, the activation and de-provisioning process are two decoupled processes of (1) revoking access from the identity management system and (2) remotely wiping data and applications from the endpoint device. AirWatch brings these two workflows together to automate and streamline the process. Simplify Authentication for Office 365 Apps Once the applications are deployed, AirWatch provides end users with an effortless authentication experience. Integration of AirWatch with VMware Identity Manager enables organizations to easily federate their existing on-premises corporate identity (e.g. LDAP or Active Directory) and automatically single signon (SSO) into Office 365 and other web, internal, and public store apps. This enables users to install the app from the app store and automatically authenticate without being prompted for a separate login. One of the common challenges with using traditional identity solutions is that they fail to work for native mobile applications. The identity module in AirWatch solves this problem by integrating the single sign-on frameworks built around EMM to automatically authenticate all native and web applications seamlessly. This enables the same SSO experience for native mobile apps that a user expects from web or SaaS apps. 2 uk.cdw.com 020 7791 6000

Certificate-Based Authentication AirWatch can also leverage digital certificates to automatically sign the user into Office 365; providing password-less authentication. Not only is the user experience superior but security is increased by using certificates to authenticate rather than Active Directory passwords. Since AirWatch installs the certificate in a single secure location, all applications on the device can leverage this identity for authentication. Certificate-based authentication increases security from two perspectives. First, since AirWatch stores the user s identity in a single location in the OS, company credentials are not stored or accessible by the applications on the device. This means IT does not have to worry about how each application might be storing a user s credentials and minimises the risk of a single application getting exploited. Secondly, since a digital certificate is used rather than a username and password, security is greatly increased. If a device is stolen, the certificate can easily be revoked and access to that specific mobile device can be fully denied without forcing the user to change their password across all company systems and services. Integration with Other Third Party Identity Access Management Tools While AirWatch provides seamless integration with VMware Identity Manager, it also integrates with existing identity solutions that organisations might already be using. This ensures that current configurations and federated authentication policies can continue to exist while still providing a better SSO and conditional access framework for mobile and managed devices. The diagram below outlines how the same configuration can coexist with an organization s existing third party identity tool (Ping, Okta, ADFS, Azure AD, etc.). Azure AD ADFS PING OKTA VMware Identity Manager Existing Identity Provider Active Directory 3 uk.cdw.com 020 7791 6000

Conditional Access to Authorised Users and Devices In general, only authorized users on authorised devices should be granted access to company applications. For Office 365 this means services such as Exchange Online, OneDrive for Business, Skype for Business, etc. should be restricted to only compliant and managed devices. AirWatch integrates with both Office 365 APIs and VMware Identity Manager to provide conditional access to all Office 365 services. Office 365 Apps In addition to email, AirWatch integration provides the same conditional access to all other Office 365 applications. When a user attempts to access Office 365 and authenticate, Office 365 redirects the authentication to VMware Identity Manager as part of the federated configuration. The authentication not only validates the user identity but also validates that the device is managed and compliant by AirWatch. If a user tries to connect to Office 365 from an unmanaged mobile device, access is denied. Exchange Online AirWatch integrates directly with Exchange Online to restrict email. This is done by first setting up a whitelist policy in Exchange to deny email access as a default behavior for all unknown devices. AirWatch then integrates with Exchange Online to automatically add managed and compliant devices to a whitelist so they are authorized to sync email. If a user activates a new device or an existing device goes out of compliance, AirWatch automatically blocks email access on the device by syncing the changes with Exchange Online. AirWatch integration works directly with Office 365 so devices can connect from any network without forcing email traffic through a VPN or onpremises gateway. VMware Identity Manager Validates User Identity + VMware Identity Manager 4 uk.cdw.com 020 7791 6000

One of the differentiating advantages with this architecture is the flexibility to require different claims rules for authentication based on the device platform and app requesting access. This enables organisations to have different policies for mobile devices than from existing domain joined company PCs. For example: Apple ios and Android native applications can require authentication using certificates Windows native applications can require domain membership and authentication Web-browser based sessions can have limited access or be required to be on the company VPN or network to access Office 365 Containerize and Protect Data In addition to having a common identity, SSO experience and conditional access to only managed devices, companies must also ensure Office 365 data is protected on the device itself. This includes ensuring: Containerization and DLP Controls By deploying Office 365 apps through AirWatch Catalog, AirWatch enforces containerisation of these applications to prevent data loss using the native platform controls. Each OS supports different containerization controls as outlined below: Apple ios: AirWatch integrates with Apple s managed app containerization technology to prevent data loss from work and personal applications. This includes preventing Exchange Online emails from being moved from the work account to personal account, and managing the open-in controls to prevent email attachments from being saved into personal applications. The same policies work across all Office 365 applications Android (Android for Work): Android for Work is a new security container for select Android devices, which enables the Office 365 applications and email to be deployed inside an app container via AirWatch. This ensures Office 365 data is encrypted, managed and can be remotely wiped and data leakage between work and personal apps is avoided. Furthermore, organisations can enforce advanced data loss prevention controls such as screen capture and copy/ paste restrictions. Windows 10 will add an additional layer of Enterprise Data Protection (EDP) for work apps to prevent sharing Office 365 data to personal apps and preventing commands like copy/paste actions between work and personal applications. AirWatch is excited to partner with Microsoft in supporting EDP capabilities for organizations participating in Microsoft TAP program and certain Windows Insiders builds. AirWatch EDP features for Windows Insiders build enable organizations to designate trusted desktop or modern apps, including Office 365 apps, with permission to open or decrypt work data. Flexible enforcement levels in AirWatch can either enable or disallow certain user groups from data moving and sharing capabilities, such as copy/paste, drag and drop, and others. Enterprise Wipe 78% participants of a mobile security survey identified lost or stolen devices containing company information as their top mobile security concern. In the same study, 45% participants reported that their employees actually lost a mobile device in the past one year with corporate date on it. 1 Enterprise Wipe capability in AirWatch enables organisations to selectively wipe all corporate data and apps, including removing Office 365 services, from a lost or stolen device. All of the enterprise data contained on the device is removed, including mobile management profiles, policies and internal applications. The enterprise wipe can be executed by the IT admins, or more reactively by the employees themselves using the AirWatch Self-Service Portal (SSP). Additional Office 365 Security Settings Office 365 has a few application settings that prevent copy and paste, require a PIN to launch the app and disable Save As to other non-work related storage locations (e.g. Dropbox) from within the Office 365 applications themselves. Much like a SalesForce1 mobile app or a SAP Concur app has settings for application behavior and features to turn On or Off, the copy and paste, PIN, and Save As settings are application specific controls Microsoft has built into their software. Today, these controls and settings are not extensible to third party management systems or tools to configure; therefore, they must be configured from the application itself and requires the use of Microsoft InTune MAM as the management tool to deliver these app settings. Windows: AirWatch supports flexible deployment options using either AirWatch Inbox (Windows 8.1) or native mail client (Windows Phone 8.1) to ensure email setup on the device is restricted to managed devices and can be remotely wiped from the device. 5 uk.cdw.com 020 7791 6000

Many other ISVs (e.g. Oracle, Cisco, Salesforce, and others) however, take standard app configuration approaches such as using ios managed app profiles. We are hopeful Microsoft will extend these Office 365 app settings to be configured differently in the future (directly through AirWatch) so organisations have a consistent framework to manage configurations and settings for all enterprise applications. Following recent product updates by Microsoft, organisations can now use Intune MAM alongside existing EMM solutions. This co-existence enables organizations to leverage above Office 365 DLP settings using Intune; and extend the capabilities further with AirWatch, which ensures support for multiple platforms, app types, and device ownership use cases (BYOD, CYOD, corporate-owned, corporate-shared). Summary Today, 60% of organizations are going beyond basic productivity (email and Office apps) and are deploying new apps or reengineering core business processes to support their mobile workforce. 2 Organizations that have made such investments in Line of Business (LOB) apps need to ensure that their EMM solution integrates with all of the enterprise app investments and supports multiple device ownership scenarios. VMware AirWatch Enterprise Mobility Management provides a holistic and extensible solution that is vendor-agnostic and uses a standard application configuration approach. 3 This ensures organisations have a unified management solution, which not only fully integrates with the Office 365 suite of applications, but also all other ISV applications and services (cloud and on-premises), app development platforms, and proprietary applications that they want to provision and secure. For further information, please contact CDW on 0207 791 6000 or email info@uk.cdw.com 1 Finneran, Michael. How Mobile Security Lags BYOD. Dark Reading. InformationWeek, 4 Dec. 2013. Web. 23 Dec. 2015. <http://www.darkreading.com/mobile-security/ how-mobile-security-lags-byod/d/d-id/1112902> 2 VMware State of Business Mobility Report. Rep. VMware, Nov. 2015. Web. <http:// www.air-watch.com/lp/vmware-state-of-business-mobility-report-2015/>. 3 App Configuration for Enterprise. <http://www.appconfigforenterprise.org/> 6 uk.cdw.com 020 7791 6000

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback