DirectControl for Mobile & Supporting Mac OS X in Windows Environments
Leveraging Existing IT Staff Knowledge, Processes and Infrastructure to Support Mac OS X Systems and Their Users
Ed Frola
© 2004-2011 CENTRIFY CORPORATION. ALL RIGHTS RESERVED SLIDE 2
Agenda
• The Centrify Vision
• Challenges of BYOD and Consumerization of IT
• DirectControl for Mac OS X Overview
  • Key Features and Benefits
  • Architecture
  • Demonstration
The Centrify Vision
Control, Secure and Audit Access to Cross-Platform Systems and Applications
Centrify the Enterprise
Leverage infrastructure you already own – Active Directory – to:
• Control: what users can access
• Secure: user access and privileges
• Audit: what the users did
Consumerization of IT & BYOD Brings New Challenges
• Consumer devices merge personal and business activities
  • End users bringing their mobile devices to work increasingly want to use them for business, such as corporate email
  • Users want to carry one device for phone, email, camera, and music
• Mobile devices are finding new use cases within the Enterprise
  • Complementing laptops/desktops with tablets for existing users
  • Empowering a new class of end users to access electronic information
  • Increasing the number of endpoint devices that need to be managed
• Results in security enforcement challenges for the Enterprise
  • Mobile devices operate outside the scope of existing security infrastructure
  • Lost or stolen devices expose company confidential information
  • Compliance regulations do not allow exceptions for mobile devices
Centrify: A Differentiated Approach to Mobile Security
• First deep integration of devices (iOS/Android) with Active Directory
  • Leverage Active Directory existing infrastructure, knowledge and support procedures
  • Enforce Group Policy-based security settings (e.g. passcode policy, restrictions, security settings, etc.)
• Cloud-based service
  • Over-the-air policy integration with Active Directory; even if device off network
  • Non-intrusive architecture; no open ports or additional infrastructure in DMZ
• First and only unified platform for BYOD that supports mobile devices AND Mac OS X Systems + 300+ versions of UNIX/Linux
• First and only FREE mobile device management solution — Centrify Express for Mobile
  • No limitation on number of devices managed
  • Given fixed MDM capabilities by mobile vendors (e.g. Apple MDM API), functionally on par with what other MDM vendors offer for their paid solution
Centrify for Mobile: AD-based Administration
• Active Directory-based management of Mobile devices
• Group Policy-based management of Security Settings
[Screenshots: Active Directory; ADUC Computer Properties for David McNeely’s iPad; ADUC User Properties for David McNeely; Group Policy Management Editor for Mobile Devices]
How it Works
And Vast Majority of Capability is FREE with Express

Feature | Express | Subscription
Support | Community | Standard or Premium
Centralized administration within Active Directory Infrastructure | ✔ | ✔
Devices assigned to AD User | ✔ | ✔
Administrative Commands (remove profile, remote wipe, lock/unlock, update profiles) | ✔ | ✔
Support for iOS 4.x, 5.x and Android 2.2+ Devices | ✔ | ✔
Self service enrollment (Mobile App with Jail-break/rooted device detection; Web-based self service enrollment) | ✔ | ✔
Group Policy-based Security Policy Management and Enforcement (Passcode policies; Device restrictions; Application restrictions) | ✔ | ✔
Auto-issue PKI Certificates for use with Exchange | ✔ | ✔
Automatic MS Exchange configuration for the assigned user | ✔ | ✔
Enterprise VPN and Wi-Fi Configuration | ✔ | ✔
Cloud-based solution, no servers in DMZ, highly available w/ multi on-premise proxies | ✔ | ✔
Inventory of installed Mobile Applications | ✔ | ✔
Additional settings for iOS 5 devices | ✔ | ✔
Auto-remove device profiles on AD user or device disable/delete | ✔ | ✔
Settings for other Email, Calendar and Address Book servers | ✔ | ✔
Reporting on Mobile Devices | | ✔
Application Management (Web clips for Enterprise Web Apps; Force installation of Mobile Apps on iOS 5; Enterprise App Store) | Coming in 1.1
Prevent access to Exchange mailbox if device is not “managed” | | ✔

1.1 to be available summer 2012
Centrify for Mobile Comparison

Feature | Centrify for Mobile | Single Purpose MDM
Cloud-based platform | Yes | Yes
Remote lock/unlock | Yes | Yes
Full and selective device wipe | Yes | Yes
Self-service enrollment | Yes | Yes
Trusted over-the-air provisioning and updates | Yes | Yes
Detect/block jail-broken devices | Yes | Yes
Supports iOS and Android | Yes | Yes
Certificate authentication for Exchange | Yes | Yes
Certificate authentication for VPN and Wi-Fi | Yes | Yes
Automated PKI certificate enrollment, configuration and distribution | Yes | Yes
Active Directory-based user/device lifecycle support | Yes | No
Group Policy-based settings enforced for security, access and device policies | Yes | No
Non-intrusive installation with no additional infrastructure or firewall changes required | Yes | No
Unified platform for mobile, Mac OS X and server systems | Yes | No
Free and enterprise offerings | Yes | No
License price to manage 1000 mobile devices — no support | $0* | $40-75K
Annual subscription price to manage 1000 mobile devices — with support | $24,500 | $35-48K

* Includes community/online support at no charge
Centrify for Mobile Summary
• Easiest Product to Deploy
  • Cloud Service vs. acquiring, deploying & managing on-premise infrastructure
  • Leverages existing Active Directory infrastructure and skill sets
  • Does not require firewall configuration changes, appliances or stuff to be deployed in DMZ
• Not just a point solution for mobile devices
  • Also supports Mac and Linux devices
  • Plus backend UNIX/Linux servers as well as enterprise applications
• Compelling Go-to-Market Model with Centrify Express
  • Robust free offering provides Mobile Security and Access Management
  • Frictionless to try out and deploy
  • Opportunity to upgrade to more features as requirements dictate
Pricing and Release Schedule
• DirectControl for Mobile
  • Subscription-based pricing for support and upgrades
  • Device pricing starts at $24 per device per year with standard support
    • Premium 24x7x365 support available
    • Minimum 10 devices
  • Administrator pricing starts at $100 per admin per year
    • Minimum 5 admins
  • 8% and 15% discounts for 2 or 3 year subscription commitments
• Schedule
  • Beta 1 iOS — Now!
  • Beta 2 Android — April
  • General Availability — May
Support & Management Challenges for Mac
• IT struggles to enforce security policies consistently across the enterprise on all platforms
  • Access control policies, password management policies and security configuration policies must be consistently enforced across the enterprise
• Reality is: Macs are second-class citizens in most enterprise environments (excluding publishing/creative firms)
  • IT support staff simply don’t know how to manage Mac systems
• Typically Macs are managed individually or by the department expert
  • Self-managed systems usually have one local admin account, the end-user
The Solution: AD-based Management of OS X
• Centrify empowers the Windows-centric enterprise to manage and support OS X using existing expertise, tools and processes
  • ADUC for user account, password and group management
  • GPMC/GPOE for system and user configuration management
[Diagram: MacBooks, iMacs]
Centrify DirectControl for Mac OS X
• Unified administration with Active Directory
  • Centralize account and authentication with Active Directory
  • Administrators given local admin privileges
  • Separation of duties for large enterprises
  • Macs integrate into existing Windows services
• Enforce security policies using Active Directory Group Policy
  • System configuration via Group Policy
  • Security policy enforcement and desktop lockdown
• Smart card-based strong authentication required
  • Secure login to Active Directory with CAC, PIV and .NET smart cards
  • Certified by the Joint Interoperability Test Command (JITC); FIPS certification in
Unified Administration With Active Directory
• Common account and authentication with Active Directory
  • Manage Mac user accounts, their login and authorization rights
  • Enables offline login to OS X laptops – same experience as Windows
• Administrators granted local admin privileges
  • Group Policy configuration of Apple Remote Desktop (for VNC)
  • Active Directory group of administrators are granted local privileges
  • Pre-validation for administrators enables offline login
Separation of Duties for Large Enterprises
• Separation of admin duties by Zone
  • Separation of Active Directory and UNIX admins
  • UNIX admins don’t need rights to manage Active Directory user objects
  • Separation of UNIX departmental admins
  • Each Zone is delegated to the appropriate UNIX admin
• Access is granted by Zone
  • Access is denied unless explicitly granted
  • UNIX profiles within a Zone enable the associated Active Directory user to log in
[Diagram: Active Directory]
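The Zone rules on this slide (default deny, login only through a UNIX profile in the host’s Zone, each Zone delegated to its own UNIX admin who needs no rights over the AD user object) can be expressed as a small access-evaluation model. The code below is an added illustration and is not Centrify’s implementation; the classes, field names and sample accounts are constructed for the example.

```python
"""Illustrative model of Zone-based, default-deny access control.

Added example, not Centrify code: Zone, Directory and the sample
accounts/hosts are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    delegated_admin: str                            # AD account delegated to manage this Zone
    profiles: dict = field(default_factory=dict)    # AD user -> UNIX profile (uid, shell)
    hosts: set = field(default_factory=set)         # machines joined to this Zone


class Directory:
    """Holds the AD accounts and the Zones that grant UNIX login to them."""

    def __init__(self, ad_users):
        self.ad_users = set(ad_users)   # accounts that exist in Active Directory
        self.zones = {}

    def add_zone(self, zone):
        self.zones[zone.name] = zone

    def zone_of(self, host):
        for zone in self.zones.values():
            if host in zone.hosts:
                return zone
        return None

    def grant_profile(self, acting_admin, zone_name, user, uid):
        """Only the Zone's delegated UNIX admin may add a profile. The admin
        never touches the AD user object; it only has to exist to be mapped."""
        zone = self.zones[zone_name]
        if acting_admin != zone.delegated_admin:
            raise PermissionError(f"{acting_admin} is not delegated for zone {zone_name}")
        if user not in self.ad_users:
            raise LookupError(f"{user} is not an Active Directory account")
        zone.profiles[user] = {"uid": uid, "shell": "/bin/bash"}

    def can_login(self, user, host):
        """Default deny: the host must belong to a Zone, the user must be an AD
        account, and that user must hold a UNIX profile in that Zone."""
        zone = self.zone_of(host)
        if zone is None or user not in self.ad_users:
            return False
        return user in zone.profiles


def build_demo():
    """Constructed sample data: two Zones, two AD users, one profile granted."""
    d = Directory(ad_users={"alice", "bob"})
    d.add_zone(Zone("finance", delegated_admin="unixadm-fin", hosts={"fin-mac-01"}))
    d.add_zone(Zone("eng", delegated_admin="unixadm-eng", hosts={"eng-mac-01"}))
    d.grant_profile("unixadm-fin", "finance", "alice", uid=10001)
    return d


if __name__ == "__main__":
    d = build_demo()
    for user, host in [("alice", "fin-mac-01"), ("alice", "eng-mac-01"), ("bob", "fin-mac-01")]:
        print(f"{user}@{host}: {'allow' if d.can_login(user, host) else 'deny'}")
```

Alice can log in to the finance Mac because she holds a profile in that Zone, but not to the engineering Mac; Bob, who is a valid AD account with no profile anywhere, is denied everywhere; and the engineering admin cannot add profiles to the finance Zone. This is the property the slide describes: nothing is reachable until a delegated admin grants it in the relevant Zone.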
Macs Integrate into Existing Windows Services
• Joining Active Directory enables seamless integration for:
  • Home directory auto-mounts to Windows file shares
  • Authenticated printing to Windows print queues
  • Single sign-on to services such as Exchange, SQL, and IIS servers
• Extensive home directory support
  • On Mac OS X servers via AFP
  • On Windows servers via SMB
  • And on DFS shares when used with Group Logic’s ExtremeZ-IP Server
Enforce Security Policies Using AD Group Policy
• Automated security policy configuration for consistency
  • Group Policy is automatically enforced at system join to Active Directory
  • Group Policy routinely checks the system for policy compliance, updating as required
  • User Group Policy is enforced at user login
• System Group Policies control system configuration
  • Centrify agent configuration policy
  • Firewall & services policies control machine access
  • Screen saver policy controls access to existing user sessions
Desktop Lockdown Using AD Group Policy
• Group Policy enforcement of Managed User settings
• Controls to lock down:
  • Finder & Preferences settings
  • Desktop & Dock settings
• User Group Policies control:
  • Screen saver
  • Allowed applications
  • Login/logout scripts
  • Media access settings
Completing the Integration into the Enterprise
• Centrify integrates Mac OS X into Active Directory
• Userid/password as well as smart card is supported for user login
• Group Policy is used for desktop lockdown and configuration management
• DirectControl supports authenticated printing to Windows print queues
• Home directories can be hosted on Windows Servers
• DirectControl supports users with home directories locally, on Windows servers or NAS appliances
• Portable home directories are also supported for mobile users with GP control over sync policies
• FileVault support for mobile users whose home directory is on an NFS-mounted share
• Cross-platform backup services
• Software deployment and inventory management that integrates with SMS
• Exchange mailbox and calendar can be accessed seamlessly
• Entourage, as part of Microsoft Office 2008, is the Mac version of Outlook
• Apple Mail and Mozilla Thunderbird also include support for Exchange
• Windows applications can be run in a virtual Windows environment where there
Integrating Macs into the Enterprise
Making it easy to deploy, integrate and manage Macs in a Windows environment.
Why Customers Choose DirectControl for OS X
• IT can leverage existing directory, processes and skill sets to manage Macs
• Centralized authentication and password policies are enforced
• Smart card login to AD supports SSO and requirement for two-factor authentication
• Automated security policies enforcement with Group Policy
• Fine grained desktop lockdown security policies are centrally enforced
• Separation of administrative duties simplifies deployment in complex environments
“DirectControl offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory's Group Policy architecture, it functions more seamlessly for managing access ... particularly for systems administrators who are unfamiliar with Mac OS X.”
Customers Using DirectControl for Mac OS X
“Once upon a time Apple computers were regarded as corporate IT nuisances and delegated to marketing or art departments in enterprises. Now they're an integral part of the system, with companies like Centrify integrating Macs into Active Directory.”
How To Contact Us
WEB SITE: www.centrify.com
DirectControl for Mobile: https://www.centrify.com/mobile/free-mobile-device-security-management.asp
DirectControl for Smart Card: http://www.centrify.com/mac/smartcard/free-smart-card-for-federal-military-cac-piv.asp
REQUEST AN EVAL