This is an edited transcript of the 03.15.24 IT Hour
Overview
- Sergey Belous, Principal Product Manager for Mobility tells us about the latest updates to Android EMM and iOS/iPadOS management.
- Those include enhancements to Kiosk Mode and Better Together Enterprise on Android; the Early Access launch of VPP on User Enrollment; and work on Mobile Device Trust.
Transcript
Introduction
Sergey: So when we say Mobility, what does that mean? iOS, iPad, Android, and how we manage those devices. We’re starting to bleed a little bit more into mobile applications and how we deliver those and making sure that complete overarching experience is ideal for you.
Disclaimer - Some of these will have Generally Available (GA) items and some of them will be things that we’re launching in Early Access (EA) here in the next couple of days, and some roadmap items. I wanted to give a broad overview of mobility and how we’re progressing.
Mobility Value Chain
Stage One: Basic Endpoint Security
- Base Device Enrollment - Company Owned Device (COD)/Bring Your Own Device (BYOD)
- Base Device Configuration - Passcode, OS features
- Limited value beyond Enforce PIN and View Device. Nothing to “wipe”
Stage Two: Seamless, Productivity ‘Lite’
- ‘Serviceable’ device management, better user experience, though users manually set up apps. Apps can be wiped.
- Zero Touch Onboarding - Automated Device Enrollment, Android Zero Touch
- Device Level Apps - Public/Private apps & updates
Stage 3: Remote Productivity Enabled
- Most customers want to manage a mail account, wifi configuration and push a user certificate for authentication. Better experience and security.
- User Centric Policies - Wifi, VPN, Certificate, Email, App Config etc.
- User Centric Apps - Public and Private
Stage 4: Remote Productivity Pro
- For heavier MDM users who want differentiated solutions that save them and their users time. Leading vendors are here.
- User experience - Mobile SSO, Self-Service Catalog, Automations
What we here at JumpCloud have been doing is working to gradually get to that last stage where we can offer a complete breadth of capabilities, as well as start integrating some of what I call JumpCloud DNA with the Identity and Device Management pieces with Mobile SSO and other security capabilities.
Android Enterprise Mobility Management (EMM)
Use Cases
Use Case | Ownership | Enrollment | Privacy vs Control
BYOD | Personally Owned | Work Profile | Privacy Centric
Personally Enabled | Company Owned | Work Profile | High Privacy
Work Only | Company Owned | Fully Managed | High Control
Dedicated Device | Company Owned | Fully Managed | Control Centric
Updated Policies
- App & Device based restrictions
- Proxy Settings
- VPN - Enable VPN Client + Enable Lockdown
- Wifi Configuration - MAC Randomization
- Compliance Enforcement
What’s New
Dedicated Device Enhancements - Kiosk Mode Policy & Software Management
- Removed the limitation of applying applications to Dedicated Device only via Kiosk Mode Policy
- With the above change, when configuring Kiosk Mode Policy in Policy Management, the application list is pulled from Software Management
- This creates an association to the application instance in Software Management, allowing you to modify application configuration like Runtime Permissions or Managed Configuration values without needing to make any changes to the Kiosk Mode Policy itself.
- Ability to have the Settings application appear in the Launcher Mode when you toggle on Device Settings. (Not applicable to Single App Mode)
Roadmap
Lost Mode
- Admins can mark company owned devices as lost
- Lost Devices can display admin-customized messages to aid their return
Better Together Enterprise (BTE)
The goal of Google’s “Better Together Enterprise” initiative is to have a unified enterprise solution for Google devices.
This change will allow IT Admins to have a single deployment approach for multiple device types and endpoints. Employees will be able to work across any Google device seamlessly. Furthermore, partners can easily integrate the management of multiple Google products into their offerings.
Customer Sign-up
Currently | Goal
Segmented approach to Android, ChromeOS and Chrome Browser | Simplify sign-up via a consolidated customer model across Google products
3 types of enterprises: Customer Managed, EMM Managed, Google Domain Based | Customer Managed Enterprise: will now create a Google managed domain after email verification; created enterprises can be used for other Google services; no longer required to create a Gmail account; works for existing Google managed domains
Enrollment: create a new Google Account, specify business requirements | Enrollment: create a new account OR sign in with an existing account; behind-the-scenes verification & binding
On-Device Auth & Provisioning User Accounts
Currently | Goal
Android Enterprise has 3 different systems which hold account information: the organization’s user directory, the EMM solution provider, and Google (Play + Enterprise accounts) | Standardized Enterprise Google account: same IdP for EMM & Enterprise Google Accounts
Android Enterprise supports 2 types of accounts: Managed Google Play Accounts, created via the EMM provider, and Enterprise Google Accounts, which require using Google as the IdP or directory integration with Google | Standardized Enterprise Google account: deprecate Managed Google Play Accounts; on-device auth will be done by Google
iOS and iPadOS Device Management
Use Cases
Ownership | Enrollment Type
BYOD | User Enrollment
BYOD/Company Owned | Device Self-Enrollment
Company Owned | Automated Device Enrollment
What’s New (Early Access)
Enterprise Apps (VPP) for iOS
- Admins can now assign apps from Apple’s App Store on iOS. You’ll be able to associate a Managed Apple ID, and when redeeming the app on a user-based approach, one license is redeemed per user, so that single user may install the application on one or more of their managed devices.
- VPP apps will be supported for Company Owned and User Enrolled iOS devices
- Admins can apply a policy for Managed Open-In to protect corporate data from being shared with personal apps
- You’ll be able to do custom configurations for each of those applications.
- If you’re interested in participating in the Early Access program, please reach out to your Account Manager or email sergey.belous@jumpcloud.com
Roadmap
Delete Passcodes
- Admins can clear device passcodes of managed, company owned iOS 4.0+ devices
- Admins can clear restrictions password of managed, company owned, supervised iOS 8.0+ devices
Single App Mode
- Admins can configure iOS and iPadOS devices to present a single application as the primary interaction for users
- The user will only have access to the application and cannot access the iOS/iPadOS springboard
- This configuration is used to create a kiosk or digital signage for supervised iOS/iPadOS 6.0+ devices
Lost Mode
- Admins can mark Supervised devices as lost
- Lost Devices can display admin-customized messages to aid in their return
- Subsequent enhancements - ability to play a sound on the lost device, elevated location service
Single Sign-On Extension (SSOE)
- Admins can enable their end users with app extensions that perform single sign-on (SSO)
- Applicable to Device/User enrolled iOS/iPadOS 13+
Mobile Device Trust (Roadmap)
The objective is to be able to lock down and conditionally manage access to company resources for managed mobile devices. Currently, desktop devices use a Device Trust Certificate delivered via the JumpCloud Agent. Mobile devices will use a Device User Refresh Token (DURT) delivered via the JumpCloud Protect app, which will be saved in the device’s secure enclave so that it is phishing- and tamper-proof.
Requirements for Mobile Device Trust
- JumpCloud Go
- Managed Mobile Devices - Android EMM, Apple MDM & VPP
- JumpCloud Protect for Android/iOS
- Conditional Access Policies
Roadmap
- Conditional Access Policy for Managed iOS and Android devices
- New Device Trust settings tab with prerequisites and validation, as well as a list of existing policies with a Device Management condition
This is what the new login workflow will look like for Mobile Conditional Access with an SSO app.
Android
- You put in your credentials at that point.
- We will redirect to console.jumpcloud.com.
- You'll be able to select “Login with JumpCloud Go”.
- Behind the scenes, a trusted connection will be opened to JumpCloud Protect and it will determine if there is a DURT available
- If it is, with biometrics you will be able to retrieve that DURT and pass it along.
- The DURT will contain a number of pieces - the identifier of the device, the organization, the user.
- We will have built-in capabilities for device attestation. For Google, it'll be Google's device attestation checks. On iOS, it will be iOS's device compliance or device attestation capabilities.
- Provided you pass those conditions and they match the conditions you've set in JumpCloud, we will allow you through, and that will be your native experience with that login window.
iOS
- You'll enter your credentials
- Instead of us opening console.jumpcloud.com, the SSO extension will take over the session.
- It will be able to communicate with JumpCloud Protect and retrieve the DURT and pass that along.
- If the DURT is not available, you will do a one time DURT registration.
- So you will not have to navigate outside of the app or from the browser into JumpCloud Protect to complete those actions.
- The intention is to keep you within the app and keep you focused and introduce those authentication flows respectfully into the app while pulling from a secure application like JumpCloud Protect.
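To make the login flow above concrete, here is an added illustration. It is not JumpCloud's code and does not show how the DURT is actually encoded, stored or exchanged: it models a verifier that receives a token carrying the three identifiers the talk lists (device, organization, user), checks its signature and expiry, looks the device up in a managed-device inventory, applies an attestation verdict and a conditional access policy, and returns a single remediation hint rather than a blanket denial (the kind of self-remediation discussed later in the Q&A). The token layout, the HMAC signing key, the inventory, the policy values (including the iOS 17.4.1 minimum) and the sample identifiers are all constructed assumptions for this example; in the real design the token lives in the secure enclave and attestation comes from Google's and Apple's platform checks.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed signing key for this illustration (constructed; not a real secret).
# A production design would bind the token to a hardware-backed key in the
# device's secure enclave and verify platform attestation; HMAC stands in here.
ISSUER_KEY = b"example-issuer-key"

# Constructed sample data: a managed-device inventory with the attestation
# verdict recorded at check-in, and one conditional access policy per org.
MANAGED_DEVICES = {
    "ios-0001": {"org_id": "org-A", "platform": "ios", "os_version": "17.4.1", "attested": True},
    "ios-0002": {"org_id": "org-A", "platform": "ios", "os_version": "17.2", "attested": True},
    "and-0003": {"org_id": "org-A", "platform": "android", "os_version": "14", "attested": False},
}
POLICY = {
    "org-A": {"require_attestation": True, "min_os": {"ios": "17.4.1", "android": "13"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_durt(device_id, org_id, user_id, ttl_seconds=30 * 24 * 3600, now=None):
    """Mint a token carrying the device, organization and user identifiers
    plus issue/expiry times, signed so the verifier can detect tampering."""
    now = int(time.time()) if now is None else now
    claims = {"device_id": device_id, "org_id": org_id, "user_id": user_id,
              "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def parse_durt(token, now=None):
    """Check structure, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = _unb64(parts[0]), _unb64(parts[1])
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)  # only parsed after the signature is verified
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def _version(v):
    return tuple(int(x) for x in v.split("."))


def evaluate_access(token, user_id, now=None):
    """Decide whether the session may proceed. Returns (allowed, reason); the
    reason is one remediation hint, not the full list of checks performed."""
    try:
        claims = parse_durt(token, now)
    except ValueError as err:
        return False, f"device registration invalid ({err}); complete DURT registration"
    if claims["user_id"] != user_id:
        return False, "token was issued to a different user"
    policy = POLICY.get(claims["org_id"])
    if policy is None:
        return False, "no conditional access policy for this organization"
    device = MANAGED_DEVICES.get(claims["device_id"])
    if device is None or device["org_id"] != claims["org_id"]:
        return False, "device is not enrolled; enroll in device management"
    if policy["require_attestation"] and not device["attested"]:
        return False, "device attestation failed"
    min_os = policy["min_os"][device["platform"]]
    if _version(device["os_version"]) < _version(min_os):
        return False, f"update to {device['platform']} {min_os} or later"
    return True, "ok"


if __name__ == "__main__":
    token = issue_durt("ios-0002", "org-A", "alice")
    print(evaluate_access(token, "alice"))
```

The ordering of the checks matters: the signature is verified before the body is parsed, so a tampered token never reaches the policy logic, and the user binding is checked before the device lookup, so a token lifted from one user's device cannot be replayed for another. The hint returned on denial names only the failed condition the user can act on, without enumerating every check the verifier performs.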
Q&A
Q: Is there a policy for Patch Management for iOS?
A: This is not yet in the works, but we are working on declarative device management, which will give us more accurate device information. Once we have that set up on top of MDM, we can create policies that will be the answer to patching of iOS and iPadOS.
Q: Is there a policy to hide the non-work profile after enrollment on Android?
A: If you’re enrolling as a work profile, the intention is to have separate profiles for work and personal. If your intention is to have only a work related container then your approach should be fully managed devices. There is hesitation to have to factory reset the device for company owned device management, which is a requirement for Android EMM, but a BYOD work profile on a company owned device is not recommended.
Q: Will JumpCloud auto push MDM when someone signs into their Google Workspace Account on a device?
A: We are looking at those use cases. Essentially, if you’re not managed, we will block you and your end users will be able to enroll after the fact. But there are nuances on Android and iOS. For example, if you are on a company managed device and we block you, you have to first factory reset the device and then enroll with the enrollment token. So there's no automatic push of MDM if that's iOS related.
So we are currently looking at account driven user and device enrollment but that requires a little bit of Apple and Google federation. Once that's in effect you'll be able to more seamlessly do account driven enrollment. So that would be applicable to user and device use cases.
From there, we will explore a remediation screen. So if you do get blocked, can we detect the rationale of why you're blocked by conditional access policy and without exposing all the checks we're doing? We want to make sure we give a user a potential for self remediation.
If you’re blocked because you're not enrolled and we can be confident that it's a BYOD device, we can offer a solution for how to remediate. We will look to incorporate that instead of just giving a blanket “Hey, you don't meet the criteria”. We want to make sure we can elaborate on why, so that you can remediate. If it's an OS version: “Hey, you haven't updated. We can't force an update on a personal iOS device, but we require iOS 17.4.1”. That would be something we would explore as remediation screens, so that those end users can mitigate them and come back and access those resources.