MobileIron Confidential
MobileIron plus Cisco:
Mobilizing Network Security
Cynthia Ryan, MobileIron, Solutions Marketing Manager
Fran Thorpe, MobileIron, Head, Business Development, Technology Alliances
Ameet Kulkarni, Cisco, Product Manager
Paul Carco, Cisco, Technical Marketing Engineer
Your hosts
Cynthia Ryan, MobileIron, Solutions Marketing Manager
Ameet Kulkarni, Cisco, Product Manager
Paul Carco, Cisco, Technical Marketing Engineer
Fran Thorpe, MobileIron, Head, Business Development, Technology Alliances
Logistics / Housekeeping
• A recording of this webinar will be available shortly
– Transcript
– Replay
– Slides
• We welcome your questions
– We will pause for Q&A in between topics
– Please use the Q&A panel
Why are we here?
“Leaders . . . demonstrate broad integration with channel
and other technology providers. . . Organizations that want
an up-to-date, scalable and proven UEM solution that
integrates with a large security ecosystem . . . should
consider MobileIron.”
-- Gartner, 2018 UEM Magic Quadrant
EcoSystem@mobileiron.com
Agenda
• MobileIron
• Cisco Identity Services Engine
• Cisco Security Connector and AnyConnect
• Q & A
Workflow automation
Collaboration
Customer experience
Communication
Limitless computing through mobile
Limitless infrastructure through cloud
TRANSFORMATION
MobileIron: System of record for trust across the last mile
A UEM admin has critical visibility
Device-to-UEM relationship provides unique insight
• User identity
• Device state
– Ownership
– Current configuration
– App inventory
• Access policies
• Compliance / enforcement actions
Multiple roles in assessment / enforcement
• Policy Information Point (PIP)
• Policy Decision Point (PDP)
• Policy Enforcement Point (PEP)
The MobileIron Platform: Sharing data for coordinated control
Together with Cisco we bring awareness and alignment
• Asset Management: Provision the trusted workspace
• Endpoint Security: Protect business data and user privacy
• Access Control: Block untrusted endpoints and apps
• Security Operations: Detect and remediate threats
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Conventional management is painful and risky
• New individuals require personalized permissions
• Lack of visibility leaves network open to intrusions
• Overprotective policies leave employees stranded
Unlock next-generation secure network access with contextual awareness and segmentation
• Preconfigure access by business profiles
• Identify profiles automatically and intelligently
• Enforce access across entire infrastructure
[Diagram labels: Low risk, Device compliant, Finance credential; Low risk, Device compliant, Guest; Finance Employee Profile; Guest / Vendor Profile; PROFILE ACCESS: Finance, HR, Lobby]
Cisco solutions are the key to intuitive network security
• Give your internal customers the access they want
• Streamline your network management
• Maximize your security and contain breaches
Give your internal customers the access they want
• Ensure ubiquitous access
– Set permissions by business role, so users get the right access based on device, location, and more
• Automate device onboarding
– Provide easy guest and BYOD access with self-service device onboarding portals and policies
• Relieve tension between IT and users
– Support new devices, apps, or access needs quickly from a single dashboard.
Maximize your security and contain breaches
• Safeguard your network
– Keep your network secure with total visibility and control from campus to cloud
• Reduce attack surface
– Immunize your network through segmentation
• Harmonized, automated threat protection
– Centralized context sharing and policy controller for rapid threat containment
Streamline your network management
• Automate complex changes
– Take the complexity out of moves, adds, and changes, be it users, segments, or environments
• Integrate disparate solutions
– Whether five or fifty, your network and security solutions can now truly communicate
• Embed compliance standards
– Systematically enforce access policies that align with regulatory and security compliance
CSTA – Engineered Integrations Across the Breadth of Security
• EMM/UEM/MDM
• Endpoint and Custom Detection
• Forensics and IR
• NPM/APM and Visualization
• SIEM & Analytics
• IAM/SSO
• Threat Intelligence
• CASB
• UEBA
• Deception
• Orchestration
• Vulnerability Management
• Firewall and Policy Management
• Infrastructure
• Cloud Software & Infrastructure
• IoT Visibility
• Other
ISE connects trusted users and devices with trusted services
Identity Services Engine (ISE): a centralized security solution that automates context-aware access
[Diagram labels: Source; Destination; Trusted Device Groups; Trusted App/Services; Trusted Asset; Trusted Group; Partners; Cloud App A; Cloud App B; Server A; Server B; Public/Private Cloud; Policy Enforcement: Cloud, On Prem; Enforcement on every PIN on Premise]
Services for Mobile Device
• ISE internal CA for BYOD certificates
• Access based on MDM policy
• Single / Dual SSID provisioning
• Native supplicant & cert provisioning
• EMM/UEM/MDM integrations
Device Support: iDevice, Android, MAC OSx, Windows, ChromeOS
EMM: Enterprise Mobility Management | UEM: Unified Endpoint Management | MDM: Mobile Device Management
[Diagram: access matrix of Devices against Resources (PUBLIC, CORPORATE); the individual check and cross marks cannot be matched to rows and columns in the extracted text]
Mobile Device Compliance
MDM Policy Checks
• Device registration status
• Device compliance status
• Disk encryption status
• Pin lock status
• Jailbreak status
• Manufacturer
• Model
• IMEI
• Serial number
• OS version
• Phone number
Posture Compliance assessment for Mobile devices
1. Register with ISE
2. Internet Access
3. Register with MDM
4. Comply MDM Policy
5. Allow Corp access
[Diagram labels: Mobile Device, Cisco ISE, MDM, Internet, Corporate]
MDM compliance check on ISE
• Compliance based on:
– General Compliant or ! Compliant status
• OR
– Disk encryption enabled
– Pin lock enabled
– Jail broken status
• MDM attributes available for policy conditions
• “Passive Reassessment”: Bulk recheck against the MDM server using configurable timer.
– If result of periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate session.
[Callout labels: Micro level, Macro level, Survivability Attribute]
MDM Integration Flow
[Flow diagram labels, in order: Registered? (MyDevices); ISE BYOD Registration; MDM Registered?; ISE Portal: Link to MDM Onboarding; MDM Compliant?; ISE Portal for MDM non-compliance; Internet Only; Access-Accept]
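The registration, compliance and passive-reassessment logic from the three slides above, modelled as an added example (not Cisco or MobileIron code, and calling no ISE or MDM API). The function names, result strings, mode names and device records are assumptions constructed for illustration, and treating a device with no MDM record as non-compliant during the recheck is a choice made here, not something the slides state.

```python
"""Model of the ISE/MDM access decision and periodic recheck from the slides.

Hypothetical names throughout; nothing here calls a Cisco ISE or MobileIron API.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class MdmRecord:
    """Per-device attributes reported by the MDM (subset of the slide's list)."""
    registered: bool
    compliant: bool        # general Compliant / !Compliant status
    disk_encrypted: bool
    pin_lock: bool
    jailbroken: bool


def is_compliant(rec: MdmRecord, mode: str = "general") -> bool:
    """'general' trusts the MDM's overall verdict; 'attributes' checks each item."""
    if mode == "general":
        return rec.compliant
    if mode == "attributes":
        return rec.disk_encrypted and rec.pin_lock and not rec.jailbroken
    raise ValueError(f"unknown compliance mode: {mode!r}")


def authorize(mac: str, ise_registered: Set[str],
              mdm: Dict[str, MdmRecord], mode: str = "general") -> str:
    """Ask the three questions of the MDM Integration Flow in order."""
    if mac not in ise_registered:                 # Registered? (MyDevices)
        return "REDIRECT_ISE_BYOD_REGISTRATION"
    rec = mdm.get(mac)
    if rec is None or not rec.registered:         # MDM Registered?
        return "REDIRECT_MDM_ONBOARDING"
    if not is_compliant(rec, mode):               # MDM Compliant?
        return "REDIRECT_MDM_NONCOMPLIANCE"
    return "ACCESS_ACCEPT"


def passive_reassessment(sessions: Dict[str, str],
                         mdm: Dict[str, MdmRecord],
                         mode: str = "general") -> List[str]:
    """Bulk recheck of connected devices; returns session IDs that get a CoA.

    Assumption: a device whose MDM record has disappeared is handled like a
    non-compliant one, so the recheck fails closed.
    """
    to_terminate = []
    for session_id, mac in sorted(sessions.items()):
        rec = mdm.get(mac)
        if rec is None or not rec.registered or not is_compliant(rec, mode):
            to_terminate.append(session_id)
    return to_terminate


# Constructed sample data (not from the slides).
D1, D2, D3, D4, D5 = (f"02:00:00:00:00:0{i}" for i in range(1, 6))
ISE_REGISTERED = {D1, D2, D3, D4}
MDM = {
    D1: MdmRecord(True, True, True, True, False),   # healthy device
    D2: MdmRecord(True, False, True, True, False),  # MDM verdict: not compliant
    D3: MdmRecord(True, True, True, True, True),    # verdict OK, but jailbroken
    # D4 is known to ISE but has never enrolled in the MDM.
    # D5 is unknown to both.
}

if __name__ == "__main__":
    for mac in (D1, D2, D3, D4, D5):
        print(mac, authorize(mac, ISE_REGISTERED, MDM, "general"),
              authorize(mac, ISE_REGISTERED, MDM, "attributes"))
    # D1 falls out of compliance while connected; the timer-driven recheck
    # is what turns that into a session termination.
    sessions = {"sess-1": D1, "sess-2": D3}
    later = dict(MDM)
    later[D1] = MdmRecord(True, False, True, True, False)
    print("CoA for:", passive_reassessment(sessions, later, "general"))
```

Devices D2 and D3 get different answers under the two modes, which is the practical difference between keying policy on the MDM's overall status and keying it on individual attributes.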
MDM Action
• Ability for administrator and user in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping the device)
MDM Report
Agenda
Cisco Security Connector (CSC)
AnyConnect Per App VPN
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Introducing: The Cisco Security Connector (CSC) for iOS
Cisco Security Connector is for supervised devices only
Bring your own device (BYOD)
Enterprise-owned, not supervised
Enterprise-owned, DEP – not supervised
Cisco Security Connector
• Visibility: Gain insight into activity on iOS devices during incident investigations
• Control: Defend against phishing attacks and accidental browsing of bad sites
Cisco Security Connector for iOS
[Diagram labels: Apps, Network API, HTTPs / TLS, The Network]
Cisco Security Connector
One App, Two Functions
CONTROL AND VISIBILITY
• DNS-layer enforcement and encryption via net new iOS 11 functionality
• Customizable URL-based protection with intelligent proxy
• Available to Umbrella [1] customers at no extra charge if subscription’s user count already covers those using iOS
VISIBILITY AND CONTROL
• App-layer auditing and correlation via net new iOS 11 functionality
• Logs encrypted URL requests without SSL decryption
• Available to AMP for Endpoints customers at no extra charge if subscription’s device count already covers iOS devices
[1] Professional, Insights and Platform packages
Integration w/ 3rd Party MDM / EMM
Download mobileconfig from Umbrella & Clarity – Upload to MDM for Push
• Umbrella Dashboard maps policies to identities: DOWNLOAD configuration, UPLOAD into MDM
• Clarity (AMP) Dashboard maps policies to identities: DOWNLOAD configuration, UPLOAD into MDM
• MDM / EMM: Upload Clarity & Umbrella configurations
• PUSHES: Per-device configurations for the Cisco Security Connector reflecting one or both policies
• PUSHES*: Per-device iOS identities*
• Supervised devices: Automatically enrolled to Cisco cloud services
* iOS identities include device serial numbers, friendly names, and group profiles.
One app, two extensions
• Umbrella App extension: Encryption and enforcement; Internet requests; Requests attributed by iOS identity (Umbrella Dashboard)
• Clarity App extension: Auditing and correlation; App traffic flows; Flows attributed by iOS identity and app (Clarity (AMP) Dashboard)
• Zero-touch UX for end-users
• Visibility and control
• Works anywhere: On- and off-network
• Automatically provisioned via Meraki
What does it all do?
[Diagram: MDM, Clarity, Umbrella. Labels: incident response, situational awareness, app and user audit, blocking at IP-layer, accident avoidance, content control, intelligent proxy, endpoint management]
Introducing: AnyConnect Per APP VPN
iOS, Android
Cisco AnyConnect PerApp VPN & MobileIron
Full-Tunnel, Split-Tunnel or Per-App VPN
Capabilities
• Leverage per app policy by creating per-app VPN policies using the dedicated app selector
• Dynamically provision split tunneling after tunnel establishment, based on the target host DNS domain/host name.
• Traditional Split-Tunnel/Local LAN Access based on Network
Benefits
• Provide highly secure remote access from mobile endpoints
• Extend narrow remote access for partners and contractors
[Diagram labels: Per App VPN; Split Tunneling; Full Tunneling; Corporate Connection; Internal App X; External App Y; Social Media App Z; Video Streaming App B; Internal DNS / IP Address; External Resource (IP, App, Etc.); Internal Resource; ASA; Internet]
Differentiate Mobile Access
Connect Only Approved Applications Over VPN
• Provide highly secure remote access for selected applications by user, role, device, etc. (Per App VPN)
• Reduce the potential for non-approved applications to compromise enterprise data
• Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations
Selectively Tunnels Traffic Through VPN
[Diagram labels: VPN, WWW, Microsoft SharePoint, Microsoft Office 365]
Managed Per APP VPN
• Policy provisioned by third-party MDM vendor
• Allows application policy enforcement by Cisco® ASA and Cisco AnyConnect®
• Allows wildcard application package identifiers to equal com.anybird.*
Per App Managed Flow
[Flow diagram labels: Mobile Device; VPN; ASA; Enterprise Network; Request Connect; Auth Challenge; Credentials/ACIDex; Config w/Per App Policy; Apply Policy from 3rd Party MDM; DAP to Per App Policy; Enforce App meets Policy from ASA configuration; Is the traffic Valid; Valid Application Traffic]
Customers and Case Studies
• Cisco ISE and MobileIron: Hundreds of integrations globally
• Cisco AnyConnect: #1 VPN amongst MobileIron customers
• Cisco Security Connector: Case studies under development
Thank you!
MobileIron
Cisco Security Connector
Cisco Identity Services Engine
Q & A
