Monday, April 9, 2012
We are now on "Beta 2" of Centrify for Mobile, our new cloud-based service that lets enterprises centrally secure and manage smartphones and tablets, including iPads and Android devices, using existing Active Directory infrastructure, skill sets and processes. Hundreds of people have registered as beta testers, and we appreciate all the feedback and usage. In prior blog posts I talked about why we decided to branch out into mobile and showed my own iPhone being secured by Active Directory; in this post I want to provide more details on the cloud-based architecture that lets you leverage Active Directory to secure your iPads, iPhones and Android devices.
But before I drill down a bit on Centrify for Mobile's architecture, let me first describe the design goals of our mobile support and describe at a high level some of the functionality that it delivers so you can put the architecture in context.
Centrify's mobile solution helps customers gain total visibility and control over employee-owned or company-owned mobile devices. The solution helps organizations get the most out of their existing investments in Active Directory infrastructure, skills and processes while offering an extremely easy-to-deploy and highly scalable solution for mobile device security. Besides its Active Directory-centric approach and its cloud service, additional key capabilities include:
So let's now talk about how it all works. Let me first describe the architectural components. Centrify for Mobile includes the following components:
Below is an architectural diagram that shows all the components.
Deploying Centrify for Mobile is fast and simple: with your Active Directory infrastructure already in place, the only on-premises requirement is to download, install and configure the Centrify Cloud Proxy, which takes well under an hour regardless of the number of devices to be managed.
From there, you can use the Centrify Group Policy Extensions for our mobile support to set up default policies that will apply to mobile devices when they enroll with our cloud service and join the domain. The policies are fairly common across devices. Policies can configure settings for Exchange as well as Passcode policy (length, number of complex characters, failed attempts before locking, etc.) and device restrictions, such as which applications can be installed, use of camera, or enabling screen capture. In addition, Centrify for Mobile automatically sets up profiles that enforce the customer's policies for WiFi and VPN access, authentication, proxy and protocol settings. A complete list of supported policies can be found at: http://www.centrify.com/mobile.
The final step is to have the devices join the Active Directory domain so the policies kick in. Mobile devices join the domain, and have Group Policies applied to them, through a self-service process: the owner of the device enrolls it by entering their Centrify Customer ID and their Active Directory username and password, either via a web-based form or via a Centrify mobile application installed on the device. With either method, a trusted over-the-air connection is made from the device to the Centrify Cloud Service, which in turn communicates with the on-premises Cloud Proxy Server. The end result is that a computer object is created in Active Directory, and the device is associated in the directory with the user who enrolled it. Because the device is now in the directory, Group Policies can be applied to it automatically: from the Cloud Proxy Server back to the Cloud Service and then down to the device. Joining the device to Active Directory and applying the pre-defined policies takes just a minute or so to complete.
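To make the trust boundaries in that flow concrete, here is an added example that models the enrollment sequence as the post describes it: the device hands its Customer ID and directory credentials to the cloud service, the cloud service only routes the request to the tenant's on-premises proxy, and the proxy is the single component that authenticates against the directory, creates the computer object owned by the enrolling user, and returns the policy settings that are pushed back to the device. This is illustrative Python, not Centrify's code or API; the class names, the in-memory directory, the salted-hash authentication and the sample tenant `CUST-0001` with user `alice` are all constructed for the example.

```python
"""Simplified model of the self-service enrollment flow: device -> cloud
service -> on-premises proxy -> directory, with policy flowing back.
All names, structures and sample accounts are constructed for illustration
and are not Centrify's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PasscodePolicy:
    """Passcode settings of the kind the post lists for mobile Group Policy."""
    min_length: int
    min_complex_chars: int  # non-alphanumeric characters the passcode must contain

    def is_compliant(self, passcode: str) -> bool:
        complex_count = sum(1 for c in passcode if not c.isalnum())
        return len(passcode) >= self.min_length and complex_count >= self.min_complex_chars


class Directory:
    """Stand-in for Active Directory: users with salted password hashes, a
    computer container, and the default policy applied to enrolled devices."""
    def __init__(self, policy: PasscodePolicy):
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.computers: Dict[str, dict] = {}
        self.policy = policy

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authenticate(self, name: str, password: str) -> bool:
        if name not in self.users:
            return False
        salt, digest = self.users[name]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(digest, candidate)  # constant-time comparison


class CloudProxy:
    """The only on-premises component: it alone talks to the directory, so the
    cloud service never needs directory access of its own."""
    def __init__(self, directory: Directory):
        self.directory = directory

    def enroll(self, device_id: str, username: str, password: str) -> Optional[dict]:
        if not self.directory.authenticate(username, password):
            return None  # failed authentication: no computer object is created
        self.directory.computers[device_id] = {"owner": username}  # device linked to enrolling user
        return {"passcode": self.directory.policy}  # policy profile returned for the device


class CloudService:
    """Routes each enrollment to the proxy registered for the Customer ID."""
    def __init__(self):
        self.proxies: Dict[str, CloudProxy] = {}

    def register_proxy(self, customer_id: str, proxy: CloudProxy) -> None:
        self.proxies[customer_id] = proxy

    def enroll(self, customer_id: str, device_id: str, username: str, password: str) -> Optional[dict]:
        proxy = self.proxies.get(customer_id)
        if proxy is None:
            return None  # unknown tenant: nothing is forwarded on-premises
        return proxy.enroll(device_id, username, password)


def enroll_device(service: CloudService, customer_id: str, device_id: str,
                  username: str, password: str, passcode: str) -> dict:
    """Run the enrollment and report whether the device joined and whether its
    current passcode satisfies the policy that was pushed back to it."""
    profile = service.enroll(customer_id, device_id, username, password)
    if profile is None:
        return {"joined": False, "passcode_ok": None}
    return {"joined": True, "passcode_ok": profile["passcode"].is_compliant(passcode)}


def build_demo() -> Tuple[CloudService, Directory]:
    """Constructed sample tenant: one directory, one proxy, one user."""
    directory = Directory(PasscodePolicy(min_length=6, min_complex_chars=1))
    directory.add_user("alice", "correct horse")
    service = CloudService()
    service.register_proxy("CUST-0001", CloudProxy(directory))
    return service, directory


if __name__ == "__main__":
    svc, ad = build_demo()
    print(enroll_device(svc, "CUST-0001", "ipad-alice", "alice", "correct horse", "pa$$word1"))
    print(enroll_device(svc, "CUST-0001", "phone-x", "alice", "wrong", "123456"))
    print(ad.computers)
```

The point of the model is where the directory lookup happens: a wrong password or an unknown Customer ID is rejected before any computer object exists, and the only code path that touches the directory runs in the proxy, matching the post's statement that the proxy is the sole on-premises component.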
Finally, besides being able to view and manage the joined devices via Active Directory Users and Computers (ADUC), Centrify for Mobile provides a web-based Cloud Manager that also lets you manage your mobile devices. A component of the Centrify Cloud Service, it lets you view the devices that are under management (e.g. device and app inventory) and also lets you perform administrative tasks such as unlock or wipe a device (which are also actions available via ADUC).
So that's a high-level view of what Centrify for Mobile's architecture is all about. In future blog posts I will talk more about it.
Tom Kemp is CEO of Centrify. You can follow him on his Centrify blog.