Prab Kalra, Vikas Jain
SAAM2204BU
#VMworld #SAAM2204BU
Secure and Seamless Access to All Your Applications with Workspace ONE Conditional Access and Mobile Single Sign-On
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Speaker Introduction
Who
• Prab Kalra, Director Technical Marketing, Workspace ONE
• Vikas Jain, Director Product Management, Workspace ONE
Agenda
1 Market Trends & IT Challenges
2 Why Context Matters?
3 Conditional Access Overview with Demos
4 Mobile SSO Overview with Demos
5 Case Study
6 Q & A
1. Market Trends & IT Challenges
Consumerization Is Driving Digital Transformation
• Modern Workforce
• Apps Anywhere
• Mobile Workflows
• Emerging Delivery Models
…And Creates Silos within IT
Teams: Mobile Team, Desktop Team, LOB
iOS / MAC
• iTunes
• Apple ID
• App Store
• iWork
• iCloud
ANDROID / CHROME
• Gmail Account
• Google Play
• G Suite
• Google Drive
WINDOWS
• Microsoft ID
• AD/Azure AD
• Office 365
• Windows Store
Update Service
SaaS APPS
• Salesforce 1
• Concur
• Workday
• Slack
• Dropbox
• Docusign
Mobility: A Key Aspect of the Consumerization of IT
• Consumer Experiences: Global mobile commerce is projected to almost double by 2017 (1). Chart: $315 billion (U.S.) in 2015, $549 billion (U.S.) in 2017.
• The Way We Work: 2 out of 3 employees, as of 2016 in a Gartner survey, use a personally owned device or devices for work (2). Number of respondents = 5,862. Base: Works a full-time job or part-time job.
• IT Service Delivery: By 2018, 95% of global enterprises will have both a choose-your-own-device (CYOD) and a formal bring-your-own-device (BYOD) plan in place (3).
Graphics created by VMware based on industry research:
1. Statista, “Global mobile retail commerce revenue from 2012 to 2018,” January 2017
2. Gartner, Mikako Kitagawa, “User Survey Analysis: Mobile Device Adoption at the Workplace Is Not Yet Mature,” October 2016
3. Gartner, “The Things People Buy: CIOs Need to Know the Smartphone User Preferences That Impact Mobile Policies,” January 22, 2016
Why Your Security Team is Concerned
152% INCREASE
34% REPORTED
56% INCREASE
EXPLOITS ON IoT increase in 2015
INTELLECTUAL PROPERTY theft in 2015
EMPLOYEES cited as source of compromise in 2015
“There are two kinds of big companies in America: those who have been hacked . . . and those who don't know they've been hacked.”
~ James Comey, FBI Director
Justice News: U.S. Chamber of Commerce Third Annual Cybersecurity Summit
“Ninety-seven percent of Fortune 500 companies have been hacked, and likely the other 3% have too, they just don’t know it.”
~ Peter W. Singer, Political Scientist
FORTUNE: Cybersecurity is for the C-suite, 'not just the IT crowd'
Digital Transformation: IT Challenges
• Context Driven Unified Access: “Any App, Any device, Any where” To “Right app, Right Device, at the Right Time”
• User Centricity: Need for Enterprise Secure solution, without compromising User Experience
• Proliferation of Devices: Convergence of work and personal devices
• Mobile & Productivity: Keeping your Mobile Workforce productive
• Shadow IT Security Risks: Rising Security risks with Consumerization of IT
2. Why Context Matters?
Context Driven Security and Access
CONTEXT
• How Do They Access?
• Where Do They Access From?
• Who are Your Users?
• What Resources Do They Access?
Digital Workspace
• Consumer Simple
• Enterprise Secure
Identity, Mobility And Workspace ONE
• Workspace Experience
• Identity Manager
• AirWatch
• Catalog Service
Conditional Access using Identity Context and Device Compliance
• Integrates identity and device compliance to create and enforce granular policies for secure data access
• Leverage existing Identity management investments to simplify data management
• Eliminate manual compliance management, minimizing data access risk
[Diagram: Workspace ONE conditional access flow]
• Flow labels: AUTHENTICATION MODULE, DEVICE POSTURE, USER AUTH, APP SERVICE
• DEVICE COMPLIANCE: Managed, Jail Broken, OS, 3rd Party (MSA | Malware | Trust), Location, Blacklist Apps
• IDENTITY CONTEXT: Authentication Provider, Network Scope, Authentication Strength, Session Time, Per Application
• Remote Apps | Web Apps | Native Apps
One Platform For All Use Cases
End-User Services Team
• Identity and Access Management: Unified Catalog, Single-Sign On, Authentication, Access Policy
• AirWatch Unified Endpoint Management (UEM): Management, Context
• iOS / MAC, ANDROID / CHROME, WINDOWS, SaaS APPS
• Connected Things (Rugged / IoT)
• Virtualize
Open Ecosystem
• App Config Community
• Mobile Security Alliance
• Authentication and Identity Providers
3. Conditional Access Overview
What is conditional access?
IF THIS THEN THAT (IFTTT)
Conditions
• Enrolled vs. unenrolled device
• Enrolled device becomes non-compliant
• Device OS (iOS vs. Android vs. Win10)
• Network location (corp network vs. public)
• Group membership
Action
• Allow
• Deny
• Step-up with MFA
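The condition/action model on this slide can be expressed as an ordered rule list with a default deny. The sketch below is an added example, not code from the presentation or from Workspace ONE; the rule names, the rule order, the `finance` group and the `10.0.0.0/8` corporate range are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: the corporate range and the "finance" group are assumptions.
CORP_NETWORKS = [ip_network("10.0.0.0/8")]
SUPPORTED_OS = {"iOS", "Android", "Win10"}

@dataclass(frozen=True)
class AccessRequest:
    enrolled: bool        # device is enrolled in management
    compliant: bool       # enrolled device currently passes compliance checks
    device_os: str
    source_ip: str
    groups: frozenset = frozenset()

def on_corp_network(req):
    """True when the request's source address falls in a corporate range."""
    addr = ip_address(req.source_ip)
    return any(addr in net for net in CORP_NETWORKS)

# Ordered IF-THIS-THEN-THAT rules: the first matching condition decides.
# Deny rules come first so a later allow can never override them.
RULES = [
    ("enrolled-but-noncompliant",
     lambda r: r.enrolled and not r.compliant, "deny"),
    ("unenrolled-off-network",
     lambda r: not r.enrolled and not on_corp_network(r), "deny"),
    ("unenrolled-on-network",
     lambda r: not r.enrolled, "step_up_mfa"),
    ("finance-off-network",
     lambda r: "finance" in r.groups and not on_corp_network(r), "step_up_mfa"),
    ("supported-os",
     lambda r: r.device_os in SUPPORTED_OS, "allow"),
]

def evaluate(req):
    """Return (action, rule_name); a request no rule matches is denied."""
    for name, condition, action in RULES:
        if condition(req):
            return action, name
    return "deny", "default-deny"

if __name__ == "__main__":
    # Constructed sample requests.
    for req in (
        AccessRequest(True, True, "iOS", "10.1.2.3", frozenset({"sales"})),
        AccessRequest(True, True, "Android", "203.0.113.5", frozenset({"finance"})),
        AccessRequest(True, False, "Win10", "10.1.2.3"),
    ):
        print(req, "->", evaluate(req))
```

Because evaluation stops at the first match, rule order is part of the policy: moving the `supported-os` allow above the deny rules would let a non-compliant device through.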
Workspace ONE Architecture
[Architecture diagram. Labels recoverable from the slide:]
• Any Device: Windows Device Adapter, iOS Device Adapter, Android Device Adapter, Browser Add-On, Catalog and Launcher, Secure Browser, Content, App/Data Containerization
• Contextual Policy Framework: LOCATION, APP, DEVICE, USER, DATA
• Access Management: Authentication (Mobile Push, X.509), Session Management, Protocol Engine, Proxy (F5), Per App VPN, AccessPoint
• Protocols: SAML / OIDC, WS-Fed, HTTP
• App / Device Management: Device Provisioning and Configuration, Compliance Enforcement/Remediation, Self-Service App Provisioning (Push/Pull)
• Any Application: Web Apps, SaaS Apps, Windows Apps, Citrix Apps, Mobile Apps (Cloud, On Premises)
• Active Directory Or 3rd Party Identity Providers (Ping, ADFS)
• Or 3rd Party Auth Providers: (RSA, Imprivata Radius)
• Unified Catalog / App Broker (Google Play, Apple Store, Windows Store for Business)
• Includes integration with Mobile Security / CASB Partners
Conditional Access For Office 365
[Diagram labels:]
• OWA
• Modern Auth Clients
• Browser
• Client App
• Conditional Access Policy
• Active Sync & Legacy Clients
DEMO: Conditional Access For Outlook App On Mobile Device
Conditional Access For Office 365 ActiveSync And Legacy Email Clients
• Network Range
• Device/OS Type
• Client Name
• Group Membership
• Email Protocol
DEMO: Conditional Access For Native Email Clients
Conditional Native Email Access From Enrolled Devices Only
Restrict email access to only enrolled devices, set of users, pre-defined mail clients and devices…
Conditional Intune DLP Policies Through Workspace ONE
Step-Up Authentication With Workspace ONE
Workspace ONE
Condition
• App name
• Device OS
• Network Location
• Group membership
Any 3rd party MFA
Built-in MFA
VMware Verify Mobile-Push Strong Authentication
Built into Workspace ONE for consumer simple, enterprise secure strong authentication
Key Benefits
• Simple consumer-like registration and use: No more instructions, codes or copying and pasting for high compliance strong authentication
• Reduce strong authentication costs: Reducing or eliminating traditional tokens
• Leverage the smartphone: Nearly every employee already owns as a physical, second factor of authentication
• Reduced security risk: Of replay, keylogger, and man-in-the-middle attacks by authenticating users outside of the application
DEMO: Step-Up Authentication
Biometric Authentication Using RSA Authenticator
Workspace ONE
Condition
• App name
• Device OS
• Network location
• Group membership
Eye scan with RSA Authenticator
Protect Against Mobile Threats Through Partner Integrations
• Conditional Access Policy
• Mark Device Non-Compliant
• MTD solutions
DEMO: Conditional Access Based on Mobile Threat
4. Mobile SSO Overview
What is Mobile SSO?
Password-less login experience into a native mobile app (No SDK or app wrapping required)
Pre-requisite: Requires device enrollment into Workspace ONE
Mobile Experience Without Workspace ONE
Mobile Experience With Workspace ONE
Enabled Through One Touch SSO
Workspace™ ONE™ One Touch SSO
TRUST Cloud
SaaS Apps Trust ID Key
DEMO: Mobile Single Sign-On
Recap
1. Workspace ONE provides a unified workspace for access to ANY type of app
2. You can add conditional logic to control access to these apps based on your security requirements
3. You can improve productivity and security for app access from mobile devices using the Mobile SSO feature
Attend Related Sessions
Session ID | Title | Date / Time
SAAM1321BU | VMware on VMware: Winning a Single Sign-On Solution with VMware Workspace ONE | Thu, 10:30 – 11:30 am
EDU4252U | Use Workspace ONE to Stop Disappointing Your New User | Thu, 10:30 – 11:00 am
SAAM2294BU | Simplify management and security of your mobile apps | Thu, 1:30 – 2:30 pm