Mobile Security

Security Update: 8 Advances in End-User Computing from VMware

Employees across enterprise organizations in today&#rsquo;s mobile-cloud world expect simple user experiences to help them be productive. IT often runs into challenges supporting these expectations while keeping their environments secure.

Our team has focused on empowering organizations with an enterprise-secure approach and consumer-simple experience through a digital workspace. Employees can securely access any app, on any device in their own digital workspace provided by VMware Workspace ONE, powered by VMware AirWatch unified endpoint management technology.

Over the course of 2017, we&#rsquo;ve introduced many security capabilities across the Workspace ONE platform, which includes advancements in VMware Horizon 7 and VMware Horizon Cloud. Let&#rsquo;s take a closer look at those security capabilities, as well as existing security integrations and security features that elevate Workspace ONE to the digital workspace platform that organizations can trust.

1. Derived Credentials

Earlier this year, we announced our derived credentials solution as part of Workspace ONE. This was huge news for organizations mandated by certain directives, such as FIPS 201, that require use of smart cards, personal identification verification (PIV) or common access cards (CAC) for access to physical, logical and network resources.

Smart cards, PIV and CAC worked great on desktops and laptops, but the experience on mobile devices was poor and costly because special hardware was needed to read the cards. To help with this issue, the National Institute of Standards and Technology (NIST) updated FIPS 201 in 2013 and the following year released SP 800-157, with guidelines on how to generate and utilize alternative tokens, which they refer to as a derived PIV credentials, also commonly referred to as derived credentials or PIV-D. This helped provide better experience, implementation and deployment on mobile devices accessing physical, logical and network resources.

We released our derived credentials app, called VMware PIV-D Manager, that enables the use of derived credentials with native apps and profiles, VMware apps and third-party AirWatch SDK-enabled apps. PIV-D Manager even integrates with other derived credentials solution providers such as Entrust and Intercede.

2. Boxer S/MIME

VMware Boxer, one of our Workspace ONE productivity apps, is an integrated mobile email, calendar and contacts app that helps increase productivity by giving end users a great user experience. Security was a big focus on our Boxer app this year.

We started by enabling S/MIME support for sending and receiving signed and/or encrypted mail. S/MIME is a standard for public key encryption and signing of MIME (Multipurpose Internet Mail Extensions) data that allows for secure email exchange. Organizations have the option of signing an email for authenticity and/or encrypting email messages for an added layer of security.

3. Boxer Classification Markings

In various regulated industries, such as public sector, healthcare and financial, sensitive emails often need to be specifically marked or classified when they are sent and received. When it comes to email, messages typically get a classification appended in the subject line, top or bottom of the body, etc. For example, an email message should be marked &#rsquo;unclassified&#rdquo; or &#rsquo;secret&#rdquo; depending on the content of the email.

Earlier this year, we announced support for classification markings in the Boxer app, which integrates with the built-in Microsoft Exchange transport rules. This capability also integrates with TITUS, Boldon James and janusNET.

4. Boxer Information Rights Management

In addition to S/MIME and classification marking support, we added full support for information rights management (IRM). IRM is a form of data loss prevention (DLP), which can specify access permissions to email messages, including the ability to restrict copy-paste, restrict email forwarding, enforce email message content expiration and more. As you can tell, we put a lot of emphasis on email security through our Boxer app!

5. AirWatch & NSX Integration

AirWatch and NSX integration was introduced over a year ago, and the amount of customer interest in it hasn&#rsquo;t slowed down since. When apps on mobile devices have access to communicate to any resource in the data center, this represents a challenge for IT as the attack surface within the data center can be large.

The AirWatch and NSX integration aims to solve this problem by limiting each mobile app to only communicate to the server that it needs to talk to, using the tunneling capability in AirWatch and the micro-segmentation capability in NSX. Combining these two technologies vastly reduces the access footprint from the mobile device and the attack surface in the data center.

Organizations, like Vallejo Sanitation and Flood Control District, can raise their security posture from the mobile device to the data center using the AirWatch and NSX integration.This type of integration can also help organizations along their journey towards General Data Protection Regulation (GDPR) compliance, as data in transit utilizes AES-256 bit encryption.

VMworld 2017 Panel Discussion:

“Data Privacy, theGDPR &the Globalization of Compliance”

Add GRC3109PU via VMworld U.S. schedule builder.

AddGRC3109PE via VMworld Europe schedule builder.

6. Horizon & NSX Integration

We know that apps on mobile devices and data center resources can be tunneled and micro-segmented for an extra layer of security. We can take that same concept and apply it towards desktop virtualization.

Integrating Horizon and NSX, customers can effectively secure east-west traffic within the data center, preventing malware from spreading across the data center if a virtual desktop is compromised because each desktop is effectively isolated from other desktops. IT can quickly and easily administer networking and security policy that dynamically follows end users&#rsquo; virtual desktops and apps across infrastructure, devices and locations. This extra level of security takes desktop virtualization to a whole new level!

VMworld 2017 Breakout Session:

“Securing Your Horizon Virtualized Apps & Desktop Investments with NSX”

Add SIE2034BU via VMworld U.S. schedule builder.

Add SIE2034BE via VMworld Europe schedule builder.

7. Just-in-Time Management Platform (JMP)

We introduced JMP earlier this year, our next-generation desktop and application delivery platform, which enables fust-in-time desktops and apps. Imagine a virtual desktop that is created when a user logs in and destroyed when that user logs out. IT can set up a pool of virtual desktops that fits this model, including pools that can access the internet and pools that cannot, effectively creating separation parameters for higher security. Virtual desktops in each pool only get created when a user logs into a specific pool.

With the JMP platform extending across Horizon 7 and Horizon Cloud, IT has the ability to inject apps and user environment settings into the desktop the moment a user logs in. Having pristine desktops created at every login and destroyed at every logoff eliminates malware that the user may have accidentally installed during the session.

8. Smart Policies

Smart Policies are available in Horizon 7 and Horizon Cloud for IT to provide end users with a truly contextual user experience. For example, policies dynamically change depending on the device used or the location services are being accessed from.

True single sign-on (SSO) enables end-to-end authentication from Workspace ONE to Horizon virtual desktops and apps, for a secure and simple user experience. Users aren&#rsquo;t prompted for multiple logins once they&#rsquo;ve authenticated into the Workspace ONE portal. Client policies such as enabling or disabling clipboard redirection, USB, printing and more can be set by IT using Smart Policies. Horizon is certified to meet FIPS 140-2 and Common Criteria requirements as a result of the secure policies powered by Smart Policies.

For organizations looking for even more advanced security capabilities across Workspace ONE, look no further than Workspace ONE integrations with our ecosystem of mobile security leaders in the VMware Mobile Security Alliance. Workspace ONE integrates with technologies from our Mobile Threat Defense partners, Cloud Access Security Brokers partners and more to further enable comprehensive cybersecurity across mobile devices, apps, networks and cloud services.

Learn more about our end-user computing (EUC) security initiatives at VMworld U.S.andVMworld Europe. If you&#rsquo;re not attending VMworld, you still have time to register!

To learn more about the security capabilities in Workspace ONE, visit vmware.com/workspaceone.

The post Security Update: 8 Advances in End-User Computing from VMware appeared first on VMware End-User Computing Blog.

Read more..

Q&A: What CISOs Can Do About Mobile Security Threats

This blog was updated on May 22,2017, with the latest information about the Device Enrollment Program from Apple. Join the conversation on Twitter using #iOSinBusiness.

What is the Device Enrollment Program from Apple?

The Device Enrollment Program provides a fast, streamlined way to deploy your corporate-owned Mac, iOS or tvOS devices. With a mobile device management (MDM) and unified endpoint management solution like VMware AirWatch, IT can:

  • Customize device settings;
  • Activate and supervise devices over the air; and
  • Enable users to setup their own devices out of the box.

[Related: 27 Questions Answered about AirWatch & the Device Enrollment Program from Apple]

What IT challenges does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. First, organizations save time and money by eliminating high-touch processes for IT. DEP takes configuration time to zero. Deployment of corporate-owned devices with DEP means zero-touch configuration for IT, eliminates staging and automates device configuration.

Second, onboarding iOS or macOS devices is streamlined for users. Based on the settings IT configured, users are prompted through Setup Assistant (skipping through any unnecessary screens). Users only need to authenticate and don&#rsquo;t need to be tech savvy to get the content, apps and email they need on their smartphones.

Finally, supervising iOS devices over the air is possible with the DEP. With supervision, administrators have more control over the device and can disable features like AirDrop, the App Store and account modification. They can also enable features like password protection. Also, the MDM profile cannot be removed, which eliminates the possibility of un-enrollment to protect data and investments in devices and provides the best user experience possible.

What role does AirWatch play in Apple&#rsquo;s Device Enrollment Program?

To utilize the Device Enrollment Program, MDM capabilities like those part of VMware AirWatch are required. AirWatch integrates with the Device Enrollment Program, enabling organizations to automatically import devices in the console based on order history. Then, administrators can easily configure settings, apply profiles, assign applications and set restrictions that will apply automatically when users unbox devices.

[Related: iOS 10.3, tvOS 10.2 & macOS 10.12.4 Are Live! VMware AirWatch Has Your Mobile Business Covered]

How can I join the Device Enrollment Program from Apple?

First, enroll with Apple and register your organization&#rsquo;s information to create an account and designate your administrators. Next, configure your device settings and Setup Assistant steps in the AirWatch console. You then can ship devices directly to your users.

For more information, check out Apple&#rsquo;s Device Enrollment Program Guide.

What are the device requirements for the Apple Device Enrollment Program?

The devices must be corporate-owned and purchased directly from Apple or through participating Apple Authorized Resellers.*

*The Device Enrollment Program may not be supported by all Apple Authorized Resellers and carriers.

Where is the Device Enrollment Program available?

The Device Enrollment Program is available in 34 countries: Australia,Austria,Belgium,Brazil,Canada,Czech Republic,Denmark,Finland,France,Germany, Greece,Hong Kong,Hungary,India,Ireland,Italy,Japan,Luxembourg,Mexico,Netherlands, NewZealand,Norway,Poland,Portugal,Singapore,South Africa,Spain,Sweden,Switzerland, Taiwan,Turkey,United Arab Emirates,United Kingdom andUnitedStates.

What’s available for education with the Device Enrollment Program from Apple?

Both Apple and AirWatch give special consideration to unique education use cases. With Apple School Manager (ASM), Apple has delivered a central place for account creation, role definitions and content purchases. To support ASM, AirWatch designed a console section for education to setup mobile deployments and streamline management of teachers, students, classes, apps and more—whether you have a 1:1 or shared device deployment. After importing data from Apple School Manager, use AirWatch to:

  • Match devices with students or classes;
  • Assign applications (to users or devices); and
  • Configure the new Classroom application, allowing teachers to guide learning on iPads.

Students quickly choose the device with their photo displayed once their teacher has started the class.

Visit apple.com/business/dep/ and apple.com/education/it/ to learn more about the Device Enrollment Program.

 

Read more..

13 Mobile Conferences for IT Leaders & Innovators

This blog was updated on May 22,2017, with the latest information about the Device Enrollment Program from Apple. Join the conversation on Twitter using #iOSinBusiness.

What is the Device Enrollment Program from Apple?

The Device Enrollment Program provides a fast, streamlined way to deploy your corporate-owned Mac, iOS or tvOS devices. With a mobile device management (MDM) and unified endpoint management solution like VMware AirWatch, IT can:

  • Customize device settings;
  • Activate and supervise devices over the air; and
  • Enable users to setup their own devices out of the box.

[Related: 27 Questions Answered about AirWatch & the Device Enrollment Program from Apple]

What IT challenges does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. First, organizations save time and money by eliminating high-touch processes for IT. DEP takes configuration time to zero. Deployment of corporate-owned devices with DEP means zero-touch configuration for IT, eliminates staging and automates device configuration.

Second, onboarding iOS or macOS devices is streamlined for users. Based on the settings IT configured, users are prompted through Setup Assistant (skipping through any unnecessary screens). Users only need to authenticate and don&#rsquo;t need to be tech savvy to get the content, apps and email they need on their smartphones.

Finally, supervising iOS devices over the air is possible with the DEP. With supervision, administrators have more control over the device and can disable features like AirDrop, the App Store and account modification. They can also enable features like password protection. Also, the MDM profile cannot be removed, which eliminates the possibility of un-enrollment to protect data and investments in devices and provides the best user experience possible.

What role does AirWatch play in Apple&#rsquo;s Device Enrollment Program?

To utilize the Device Enrollment Program, MDM capabilities like those part of VMware AirWatch are required. AirWatch integrates with the Device Enrollment Program, enabling organizations to automatically import devices in the console based on order history. Then, administrators can easily configure settings, apply profiles, assign applications and set restrictions that will apply automatically when users unbox devices.

[Related: iOS 10.3, tvOS 10.2 & macOS 10.12.4 Are Live! VMware AirWatch Has Your Mobile Business Covered]

How can I join the Device Enrollment Program from Apple?

First, enroll with Apple and register your organization&#rsquo;s information to create an account and designate your administrators. Next, configure your device settings and Setup Assistant steps in the AirWatch console. You then can ship devices directly to your users.

For more information, check out Apple&#rsquo;s Device Enrollment Program Guide.

What are the device requirements for the Apple Device Enrollment Program?

The devices must be corporate-owned and purchased directly from Apple or through participating Apple Authorized Resellers.*

*The Device Enrollment Program may not be supported by all Apple Authorized Resellers and carriers.

Where is the Device Enrollment Program available?

The Device Enrollment Program is available in 34 countries: Australia,Austria,Belgium,Brazil,Canada,Czech Republic,Denmark,Finland,France,Germany, Greece,Hong Kong,Hungary,India,Ireland,Italy,Japan,Luxembourg,Mexico,Netherlands, NewZealand,Norway,Poland,Portugal,Singapore,South Africa,Spain,Sweden,Switzerland, Taiwan,Turkey,United Arab Emirates,United Kingdom andUnitedStates.

What’s available for education with the Device Enrollment Program from Apple?

Both Apple and AirWatch give special consideration to unique education use cases. With Apple School Manager (ASM), Apple has delivered a central place for account creation, role definitions and content purchases. To support ASM, AirWatch designed a console section for education to setup mobile deployments and streamline management of teachers, students, classes, apps and more—whether you have a 1:1 or shared device deployment. After importing data from Apple School Manager, use AirWatch to:

  • Match devices with students or classes;
  • Assign applications (to users or devices); and
  • Configure the new Classroom application, allowing teachers to guide learning on iPads.

Students quickly choose the device with their photo displayed once their teacher has started the class.

Visit apple.com/business/dep/ and apple.com/education/it/ to learn more about the Device Enrollment Program.

 

Read more..

5 New EMM How-To Guides for AirWatch Admins

This blog was updated on May 22,2017, with the latest information about the Device Enrollment Program from Apple. Join the conversation on Twitter using #iOSinBusiness.

What is the Device Enrollment Program from Apple?

The Device Enrollment Program provides a fast, streamlined way to deploy your corporate-owned Mac, iOS or tvOS devices. With a mobile device management (MDM) and unified endpoint management solution like VMware AirWatch, IT can:

  • Customize device settings;
  • Activate and supervise devices over the air; and
  • Enable users to setup their own devices out of the box.

[Related: 27 Questions Answered about AirWatch & the Device Enrollment Program from Apple]

What IT challenges does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. First, organizations save time and money by eliminating high-touch processes for IT. DEP takes configuration time to zero. Deployment of corporate-owned devices with DEP means zero-touch configuration for IT, eliminates staging and automates device configuration.

Second, onboarding iOS or macOS devices is streamlined for users. Based on the settings IT configured, users are prompted through Setup Assistant (skipping through any unnecessary screens). Users only need to authenticate and don&#rsquo;t need to be tech savvy to get the content, apps and email they need on their smartphones.

Finally, supervising iOS devices over the air is possible with the DEP. With supervision, administrators have more control over the device and can disable features like AirDrop, the App Store and account modification. They can also enable features like password protection. Also, the MDM profile cannot be removed, which eliminates the possibility of un-enrollment to protect data and investments in devices and provides the best user experience possible.

What role does AirWatch play in Apple&#rsquo;s Device Enrollment Program?

To utilize the Device Enrollment Program, MDM capabilities like those part of VMware AirWatch are required. AirWatch integrates with the Device Enrollment Program, enabling organizations to automatically import devices in the console based on order history. Then, administrators can easily configure settings, apply profiles, assign applications and set restrictions that will apply automatically when users unbox devices.

[Related: iOS 10.3, tvOS 10.2 & macOS 10.12.4 Are Live! VMware AirWatch Has Your Mobile Business Covered]

How can I join the Device Enrollment Program from Apple?

First, enroll with Apple and register your organization&#rsquo;s information to create an account and designate your administrators. Next, configure your device settings and Setup Assistant steps in the AirWatch console. You then can ship devices directly to your users.

For more information, check out Apple&#rsquo;s Device Enrollment Program Guide.

What are the device requirements for the Apple Device Enrollment Program?

The devices must be corporate-owned and purchased directly from Apple or through participating Apple Authorized Resellers.*

*The Device Enrollment Program may not be supported by all Apple Authorized Resellers and carriers.

Where is the Device Enrollment Program available?

The Device Enrollment Program is available in 34 countries: Australia,Austria,Belgium,Brazil,Canada,Czech Republic,Denmark,Finland,France,Germany, Greece,Hong Kong,Hungary,India,Ireland,Italy,Japan,Luxembourg,Mexico,Netherlands, NewZealand,Norway,Poland,Portugal,Singapore,South Africa,Spain,Sweden,Switzerland, Taiwan,Turkey,United Arab Emirates,United Kingdom andUnitedStates.

What’s available for education with the Device Enrollment Program from Apple?

Both Apple and AirWatch give special consideration to unique education use cases. With Apple School Manager (ASM), Apple has delivered a central place for account creation, role definitions and content purchases. To support ASM, AirWatch designed a console section for education to setup mobile deployments and streamline management of teachers, students, classes, apps and more—whether you have a 1:1 or shared device deployment. After importing data from Apple School Manager, use AirWatch to:

  • Match devices with students or classes;
  • Assign applications (to users or devices); and
  • Configure the new Classroom application, allowing teachers to guide learning on iPads.

Students quickly choose the device with their photo displayed once their teacher has started the class.

Visit apple.com/business/dep/ and apple.com/education/it/ to learn more about the Device Enrollment Program.

 

Read more..

Have Connected Devices Become a Cybersecurity Nightmare?

This blog was updated on May 22,2017, with the latest information about the Device Enrollment Program from Apple. Join the conversation on Twitter using #iOSinBusiness.

What is the Device Enrollment Program from Apple?

The Device Enrollment Program provides a fast, streamlined way to deploy your corporate-owned Mac, iOS or tvOS devices. With a mobile device management (MDM) and unified endpoint management solution like VMware AirWatch, IT can:

  • Customize device settings;
  • Activate and supervise devices over the air; and
  • Enable users to setup their own devices out of the box.

[Related: 27 Questions Answered about AirWatch & the Device Enrollment Program from Apple]

What IT challenges does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. First, organizations save time and money by eliminating high-touch processes for IT. DEP takes configuration time to zero. Deployment of corporate-owned devices with DEP means zero-touch configuration for IT, eliminates staging and automates device configuration.

Second, onboarding iOS or macOS devices is streamlined for users. Based on the settings IT configured, users are prompted through Setup Assistant (skipping through any unnecessary screens). Users only need to authenticate and don&#rsquo;t need to be tech savvy to get the content, apps and email they need on their smartphones.

Finally, supervising iOS devices over the air is possible with the DEP. With supervision, administrators have more control over the device and can disable features like AirDrop, the App Store and account modification. They can also enable features like password protection. Also, the MDM profile cannot be removed, which eliminates the possibility of un-enrollment to protect data and investments in devices and provides the best user experience possible.

What role does AirWatch play in Apple&#rsquo;s Device Enrollment Program?

To utilize the Device Enrollment Program, MDM capabilities like those part of VMware AirWatch are required. AirWatch integrates with the Device Enrollment Program, enabling organizations to automatically import devices in the console based on order history. Then, administrators can easily configure settings, apply profiles, assign applications and set restrictions that will apply automatically when users unbox devices.

[Related: iOS 10.3, tvOS 10.2 & macOS 10.12.4 Are Live! VMware AirWatch Has Your Mobile Business Covered]

How can I join the Device Enrollment Program from Apple?

First, enroll with Apple and register your organization&#rsquo;s information to create an account and designate your administrators. Next, configure your device settings and Setup Assistant steps in the AirWatch console. You then can ship devices directly to your users.

For more information, check out Apple&#rsquo;s Device Enrollment Program Guide.

What are the device requirements for the Apple Device Enrollment Program?

The devices must be corporate-owned and purchased directly from Apple or through participating Apple Authorized Resellers.*

*The Device Enrollment Program may not be supported by all Apple Authorized Resellers and carriers.

Where is the Device Enrollment Program available?

The Device Enrollment Program is available in 34 countries: Australia,Austria,Belgium,Brazil,Canada,Czech Republic,Denmark,Finland,France,Germany, Greece,Hong Kong,Hungary,India,Ireland,Italy,Japan,Luxembourg,Mexico,Netherlands, NewZealand,Norway,Poland,Portugal,Singapore,South Africa,Spain,Sweden,Switzerland, Taiwan,Turkey,United Arab Emirates,United Kingdom andUnitedStates.

What’s available for education with the Device Enrollment Program from Apple?

Both Apple and AirWatch give special consideration to unique education use cases. With Apple School Manager (ASM), Apple has delivered a central place for account creation, role definitions and content purchases. To support ASM, AirWatch designed a console section for education to setup mobile deployments and streamline management of teachers, students, classes, apps and more—whether you have a 1:1 or shared device deployment. After importing data from Apple School Manager, use AirWatch to:

  • Match devices with students or classes;
  • Assign applications (to users or devices); and
  • Configure the new Classroom application, allowing teachers to guide learning on iPads.

Students quickly choose the device with their photo displayed once their teacher has started the class.

Visit apple.com/business/dep/ and apple.com/education/it/ to learn more about the Device Enrollment Program.

 

Read more..

Don’t Leave Holes in Your Office 365 Security Strategy

Secure every access point to Microsoft Office 365 emails and data with VMware Workspace ONE.

If your organization is like most, you&#rsquo;re either using Microsoft Office 365 or thinking about an Office 365 implementation. Since the data and email in Office 365 are vital to your business, you&#rsquo;ve probably thought through how to protect Office 365 with application access control policies. You need to ensure, however, that your policies protect all apps with access to Office 365.

Imagine that one of your end users goes to visit family for the holidays. While at her parent&#rsquo;s house, she borrows her father&#rsquo;s laptop to check work emails. Although you require multi-factor authentication (MFA) for access to Office 365, she logs into Outlook 2010 using nothing more than a username and password. Outlook downloads her mailbox, she checks her email, and after a few days, she returns home.

All her emails, however, stay on the laptop. That data is out of her control and out of IT&#rsquo;s control, creating data loss risks if the laptop is sold, lost or compromised with malware. How did your user (unwittingly) bypass your conditional access rules, and what can you do to protect your data and email?

In this blog post, we&#rsquo;ll cover how this data leak occurred, and how VMware Workspace ONE allows you to avoid similar Office 365 data losses and security holes.

Applying Access Policies to Office 365 Authentication Methods

To understand how your user bypassed your MFA requirement, you have to understand that Office 365 supports two ways to log users in: Modern authentication and legacy username/password authentication. In the example above, your user logged in with a legacy username/password client, accidentally bypassing the policies you created to protect Office 365.

To control access to Office 365 emails and data no matter what client your user chooses, you need a solution such as Workspace ONE that protects both authentication methods. Although many Office 365 client apps use newer modern authentication, older Office 365 apps, Android and iOS native mail (using ActiveSync), and third-party Office 365 apps (such as Thunderbird) use legacy username/password authentication.

Protecting both authentication types is vital for most organizations. Workspace ONE controls access to Office 365 no matter which client app a user chooses with policies based on group, network range, device type or OS and more.

Modern vs. Legacy Authentication

Here&#rsquo;s how to tell the difference Office 365 modern authentication and legacy username/password authentication:

Modern Authentication

If the end user is redirected to an IDP in a browser, it&#rsquo;s modern authentication.

Microsoft modern authentication redirects the end user in a browser from the Office 365 app to an identity provider (IdP), such as Workspace ONE, to authenticate. Modern authentication takes advantage of Microsoft&#rsquo;s Azure Active Directory Authentication Libraries (ADAL). For more details on modern authentication, see Microsoft&#rsquo;s summary here.

This is modern authentication. The user is redirected to Workspace ONE in a browser.

Legacy Authentication

If the end user enters credentials into the client&#rsquo;s UI (and there&#rsquo;s no redirection to an IDP), it&#rsquo;s legacy username/password authentication.

In username/password authentication, the Office 365 client collects a username and password in its own UI (rather than sending the user to an IDP in a browser). Because the user enters their credentials into the client rather than using standard browser single sign-on (SSO), legacy username/password authentication doesn&#rsquo;t support advanced features such as MFA or VMware mobile SSO. Microsoft sometimes calls legacy username/password authentication by a more specific name such as basic authentication or the Microsoft Online Services Sign-In Assistant.

This is legacy username/password authentication. The user enters credentials directly into the client UI—there&#rsquo;s no browser redirect to Workspace ONE or another IDP.

Many identity solutions can only protect access to Office 365 for clients using modern authentication. Workspace ONE protects access to Office 365 without requiring additional products or servers, no matter what client a user chooses.

Use Cases for Controlling Access to Office 365

Because modern authentication supports MFA, certificate authentication, VMware mobile SSO and all other standard authentication features of Workspace ONE, organizations have fine-grained control over how they allow access for Office 365 clients using modern authentication.

Controlling legacy username/password clients, on the other hand, is tricky. Because legacy username/password clients only support one authentication method (username and password), organizations can&#rsquo;t rely on the enhanced security of MFA, VMware mobile SSO or other authentication features. Instead, many organizations take the following approaches:

  • Allow legacy username/password access to Office 365 for mobile email only. In this approach, an organization could block legacy username/password access to Office 365 apps and data for all apps and add an exception for native mobile email clients that use Exchange ActiveSync. This approach works well with the mobile email management features in Workspace ONE. Many organizations choose this path because Exchange ActiveSync clients don&#rsquo;t download the user&#rsquo;s entire mailbox, reducing the risk of data loss. Your organization can also choose to limit mobile email access to the extra-secure VMware Boxer app.

 

  • Allow legacy username/password access to Office 365 only under more secure conditions. Because legacy username/password clients such as Thunderbird or older versions of Office don&#rsquo;t support MFA, some organizations want to limit these clients to only connect to Office 365 under more secure circumstances. For example, you might only allow Thunderbird on your corporate network to ensure users are not downloading their mailboxes on multiple computers. This approach can reduce the risk of data loss.
  • Allow legacy username/password access only for specific users or groups. Organizations may want to limit which users can connect to Office 365. For example, IT could block retail employees from accessing mobile email while they are offsite.
  • Block all access to Office 365 for username/password clients. Some organizations want to ensure all users access Office 365 with MFA, mobile SSO or other secure methods. Because modern authentication supports these methods but legacy username/password authentication does not, these organizations should block username/password client apps. Users will still be able to access Office 365 through Office 2016 apps (or Office 2013 apps, if they are configured correctly).

Workspace ONE & Office 365

Workspace ONE makes securing and deploying Office 365 easier, with industry-leading enterprise mobility management (EMM) to keep your devices and users safe. Learn more about how Workspace ONE protects Office 365, while providing end users with consumer-level ease of use. Visit vmware.com/products/workspace-one, or contact your VMware account representative for more details.

Because you liked this post:

  • Better Together: VMware Workspace ONE & Office 365
  • Enable Consumer Simple, Secure Access to Office 365 with New VMware Workspace ONE Enhancements
  • VMware Named a Leader in Gartner Magic Quadrant for Enterprise Mobility Management (EMM)

The post Don&#rsquo;t Leave Holes in Your Office 365 Security Strategy appeared first on VMware End-User Computing Blog.

Read more..

Derived Credentials: The Perfect Balance Between Security & Usability

This blog was updated on May 22,2017, with the latest information about the Device Enrollment Program from Apple. Join the conversation on Twitter using #iOSinBusiness.

What is the Device Enrollment Program from Apple?

The Device Enrollment Program provides a fast, streamlined way to deploy your corporate-owned Mac, iOS or tvOS devices. With a mobile device management (MDM) and unified endpoint management solution like VMware AirWatch, IT can:

  • Customize device settings;
  • Activate and supervise devices over the air; and
  • Enable users to setup their own devices out of the box.

[Related: 27 Questions Answered about AirWatch & the Device Enrollment Program from Apple]

What IT challenges does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. First, organizations save time and money by eliminating high-touch processes for IT. DEP takes configuration time to zero. Deployment of corporate-owned devices with DEP means zero-touch configuration for IT, eliminates staging and automates device configuration.

Second, onboarding iOS or macOS devices is streamlined for users. Based on the settings IT configured, users are prompted through Setup Assistant (skipping through any unnecessary screens). Users only need to authenticate and don&#rsquo;t need to be tech savvy to get the content, apps and email they need on their smartphones.

Finally, supervising iOS devices over the air is possible with the DEP. With supervision, administrators have more control over the device and can disable features like AirDrop, the App Store and account modification. They can also enable features like password protection. Also, the MDM profile cannot be removed, which eliminates the possibility of un-enrollment to protect data and investments in devices and provides the best user experience possible.

What role does AirWatch play in Apple&#rsquo;s Device Enrollment Program?

To utilize the Device Enrollment Program, MDM capabilities like those part of VMware AirWatch are required. AirWatch integrates with the Device Enrollment Program, enabling organizations to automatically import devices in the console based on order history. Then, administrators can easily configure settings, apply profiles, assign applications and set restrictions that will apply automatically when users unbox devices.

[Related: iOS 10.3, tvOS 10.2 & macOS 10.12.4 Are Live! VMware AirWatch Has Your Mobile Business Covered]

How can I join the Device Enrollment Program from Apple?

First, enroll with Apple and register your organization&#rsquo;s information to create an account and designate your administrators. Next, configure your device settings and Setup Assistant steps in the AirWatch console. You then can ship devices directly to your users.

For more information, check out Apple&#rsquo;s Device Enrollment Program Guide.

What are the device requirements for the Apple Device Enrollment Program?

The devices must be corporate-owned and purchased directly from Apple or through participating Apple Authorized Resellers.*

*The Device Enrollment Program may not be supported by all Apple Authorized Resellers and carriers.

Where is the Device Enrollment Program available?

The Device Enrollment Program is available in 34 countries: Australia,Austria,Belgium,Brazil,Canada,Czech Republic,Denmark,Finland,France,Germany, Greece,Hong Kong,Hungary,India,Ireland,Italy,Japan,Luxembourg,Mexico,Netherlands, NewZealand,Norway,Poland,Portugal,Singapore,South Africa,Spain,Sweden,Switzerland, Taiwan,Turkey,United Arab Emirates,United Kingdom andUnitedStates.

What’s available for education with the Device Enrollment Program from Apple?

Both Apple and AirWatch give special consideration to unique education use cases. With Apple School Manager (ASM), Apple has delivered a central place for account creation, role definitions and content purchases. To support ASM, AirWatch designed a console section for education to setup mobile deployments and streamline management of teachers, students, classes, apps and more—whether you have a 1:1 or shared device deployment. After importing data from Apple School Manager, use AirWatch to:

  • Match devices with students or classes;
  • Assign applications (to users or devices); and
  • Configure the new Classroom application, allowing teachers to guide learning on iPads.

Students quickly choose the device with their photo displayed once their teacher has started the class.

Visit apple.com/business/dep/ and apple.com/education/it/ to learn more about the Device Enrollment Program.

 

Read more..

The Latest Mobile News on Apple, Android & Windows 10

This blog was updated on May 22,2017, with the latest information about the Device Enrollment Program from Apple. Join the conversation on Twitter using #iOSinBusiness.

What is the Device Enrollment Program from Apple?

The Device Enrollment Program provides a fast, streamlined way to deploy your corporate-owned Mac, iOS or tvOS devices. With a mobile device management (MDM) and unified endpoint management solution like VMware AirWatch, IT can:

  • Customize device settings;
  • Activate and supervise devices over the air; and
  • Enable users to setup their own devices out of the box.

[Related: 27 Questions Answered about AirWatch & the Device Enrollment Program from Apple]

What IT challenges does the Device Enrollment Program help address?

The Device Enrollment Program solves several critical requirements for corporate-owned devices. First, organizations save time and money by eliminating high-touch processes for IT. DEP takes configuration time to zero. Deployment of corporate-owned devices with DEP means zero-touch configuration for IT, eliminates staging and automates device configuration.

Second, onboarding iOS or macOS devices is streamlined for users. Based on the settings IT configured, users are prompted through Setup Assistant (skipping through any unnecessary screens). Users only need to authenticate and don&#rsquo;t need to be tech savvy to get the content, apps and email they need on their smartphones.

Finally, supervising iOS devices over the air is possible with the DEP. With supervision, administrators have more control over the device and can disable features like AirDrop, the App Store and account modification. They can also enable features like password protection. Also, the MDM profile cannot be removed, which eliminates the possibility of un-enrollment to protect data and investments in devices and provides the best user experience possible.

What role does AirWatch play in Apple&#rsquo;s Device Enrollment Program?

To utilize the Device Enrollment Program, MDM capabilities like those part of VMware AirWatch are required. AirWatch integrates with the Device Enrollment Program, enabling organizations to automatically import devices in the console based on order history. Then, administrators can easily configure settings, apply profiles, assign applications and set restrictions that will apply automatically when users unbox devices.

[Related: iOS 10.3, tvOS 10.2 & macOS 10.12.4 Are Live! VMware AirWatch Has Your Mobile Business Covered]

How can I join the Device Enrollment Program from Apple?

First, enroll with Apple and register your organization&#rsquo;s information to create an account and designate your administrators. Next, configure your device settings and Setup Assistant steps in the AirWatch console. You then can ship devices directly to your users.

For more information, check out Apple&#rsquo;s Device Enrollment Program Guide.

What are the device requirements for the Apple Device Enrollment Program?

The devices must be corporate-owned and purchased directly from Apple or through participating Apple Authorized Resellers.*

*The Device Enrollment Program may not be supported by all Apple Authorized Resellers and carriers.

Where is the Device Enrollment Program available?

The Device Enrollment Program is available in 34 countries: Australia,Austria,Belgium,Brazil,Canada,Czech Republic,Denmark,Finland,France,Germany, Greece,Hong Kong,Hungary,India,Ireland,Italy,Japan,Luxembourg,Mexico,Netherlands, NewZealand,Norway,Poland,Portugal,Singapore,South Africa,Spain,Sweden,Switzerland, Taiwan,Turkey,United Arab Emirates,United Kingdom andUnitedStates.

What’s available for education with the Device Enrollment Program from Apple?

Both Apple and AirWatch give special consideration to unique education use cases. With Apple School Manager (ASM), Apple has delivered a central place for account creation, role definitions and content purchases. To support ASM, AirWatch designed a console section for education to setup mobile deployments and streamline management of teachers, students, classes, apps and more—whether you have a 1:1 or shared device deployment. After importing data from Apple School Manager, use AirWatch to:

  • Match devices with students or classes;
  • Assign applications (to users or devices); and
  • Configure the new Classroom application, allowing teachers to guide learning on iPads.

Students quickly choose the device with their photo displayed once their teacher has started the class.

Visit apple.com/business/dep/ and apple.com/education/it/ to learn more about the Device Enrollment Program.

 

Read more..

Securing Enterprise Mobility after Shadow IT Strikes

By Brian Duckering, Marketing and Strategy Executive, Skycure For years now, your IT and security admins debated proper methods, tools and policies to mobilize your enterprise. While these official discussions dragged on, your users unofficially started using their mobile devices (#ShadowIT) for everything from email to managing and editing highly confidential documents and communications. They&#rsquo;re […]]> By Brian Duckering, Marketing and Strategy Executive, Skycure

For years now, your IT and security admins debated proper methods, tools and policies to mobilize your enterprise. While these official discussions dragged on, your users unofficially started using their mobile devices (#ShadowIT) for everything from email to managing and editing highly confidential documents and communications.

They&#rsquo;re not doing this to spite you or your company. They&#rsquo;re doing it because it fuels their productivity. Believe it or not, users break the rules to be more productive!

Though users&#rsquo; motivations are in the right place, it still puts IT in a precarious situation. Your enterprise has already mobilized itself. So how do you make sure that all of those devices are properly managed and secured (to protect both your end users and, perhaps more importantly, all the sensitive systems and data they access)?

And, let&#rsquo;s be honest, the clock is ticking. You need an effective mobile strategy to prevent a mobile breach that could cost your company a lot of money (and bad press).

Different Problem, Different Solution

One big challenge, though, is that mobile security requires a different solution than desktop or network security. Traditional systems that handle patch and identity management, anti-virus, firewalls, encryption, etc., simply don&#rsquo;t translate into an effective mobile security strategy.

Traditional anti-virus solutions, for example, won&#rsquo;t do anything to stop (let alone mitigate) ransomware that&#rsquo;s infected a user&#rsquo;s mobile device. Traditional firewalls won&#rsquo;t do anything to stop users from connecting to insecure or malicious Wi-Fi networks. And traditional encryption won&#rsquo;t keep users&#rsquo; documents safe if they lose their mobile device and haven&#rsquo;t set up a passcode.

The bad news is you can&#rsquo;t solve these mobile security challenges with traditional systems. The good news is you can solve them by integrating enterprise mobile management (EMM) and mobile threat defense (MTD).

[Read more: New Whitepaper! How to Select, Implement & Succeed with Mobile Threat Defense]

MTD + EMM

EMM solutions, like VMware AirWatch, handle onboarding, reporting and policy management (and enforcement). MTD solutions, like Skycure, handle the real-time, proactive prevention and mitigation of security threats (and report them back to the EMM solution, too). Skycure further simplifies the management and maintenance of the solution by relying on a public app that adheres to all of Apple&#rsquo;s and Google&#rsquo;s best practices and updates automatically, with no extra steps required by IT.

The integration of these two solutions is critical because it provides the 360 degrees of protection that end users (and your company) need. Recall why users started self-mobilizing in the first place: Productivity. What is the enemy of productivity? Interruption.

Thankfully, properly integrating EMM and MTD solutions means users can be productive with their mobile devices without the interruption of malware, malicious networks or device vulnerabilities. It also means IT can be productive without the interruptions of compromised mobile devices.

With an integrated EMM and MTD solution in place, you can automatically prevent ransomware installations, block connections to malicious networks and remotely wipe mobile devices if they are lost or stolen. These are just a few examples of the automated mitigation that a strong, seamless mobile security deployment provides.

[Watch: Republic National Distributing Company (RNDC) Secures Mobile Devices with VMware AirWatch & Skycure]

Learn More

In today&#rsquo;s mobile age, it is no question that end users work on their mobile devices with or without the official support of IT. IT&#rsquo;s job now is to deploy a mobile security strategy that empowers them to perform seamless onboarding, policy enforcement and management, real-time threat prevention and mitigation and reporting. Thankfully for IT, the tools for a successful mobile security strategy are already available via EMM and MTD.

You can find more information on EMM from AirWatch and more information on MTD at the Skycure website.

Read more..

Go Que Newsroom Categories

Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 46 bytes) in /home/content/36/8658336/html/goquecom/wp-includes/wp-db.php on line 1995