Tom Kemp's Centrify Blog

Centrify Introduces First Solution that Extends Active Directory to Mobile Devices

Tuesday, February 14, 2012

I am very pleased to announce a major extension of our product line with the beta release today of Centrify for Mobile. This new cloud-based service lets enterprises centrally secure and manage smartphones and tablets, including iPads and Android devices, using their existing Active Directory infrastructure, skill sets and processes, which enables easy, rapid deployment combined with enterprise-class scalability. In this blog post I want to tell you why we decided to branch out into mobile and give an overview of Centrify for Mobile.

So Why Address Mobility?

Probably one of the first questions you may have is why did we decide to extend DirectControl to support mobile devices? Well, there were a number of reasons …

First of all, more and more information workers are following the BYOD ("Bring Your Own Device") trend and accessing critical corporate information from their mobile devices. Given the ease with which a device can be lost or stolen, and the often inconsistent security policies applied to mobile devices (if any are applied at all), IT organizations are under significant pressure to lock down and secure the mobile devices accessing their corporate networks. These challenges are compounded by the fact that users have their own device preferences: heterogeneity will exist among mobile devices just as it does today among systems in the data center. So this is clearly a big deal for customers.

Not surprisingly, like others we were aware of this trend and could see that it was a clear point of pain for customers. As a vendor that provides security and compliance solutions for cross-platform systems and applications, we asked ourselves whether it made sense for us to throw our hat in the ring. Two key questions guided our eventual decision of yes:

  • Were our customers explicitly asking us to support mobile devices, and
  • Were the existing "Mobile Device Management" (aka "MDM") vendors already doing a good job of addressing the customer's needs?

The answer to the first question was a definite yes. We were constantly being told "we love what you do for [ Macs | Linux | Apps | etc. ], can you do the same for my mobile devices?" Customers love how they can use Centrify to embrace and extend their existing Active Directory infrastructure to cover non-Microsoft systems and apps, and they thought it would be cool to have an iPad join AD just like a Windows system or a Mac running Centrify, apply a Group Policy to their iPhones, etc. In other words customers fundamentally like our paradigm for management and security — one that leverages an existing infrastructure, skill sets and processes — and they believe our approach results in both a lower Total Cost of Ownership ("TCO") and quicker Return on Investment ("ROI"). And every week they would ask us if we could extend this paradigm to these new mobile devices. We definitely do listen to our customers!

But before we threw our hat in the ring, we did not want to reinvent the wheel and deliver something that customers already had in place and were pleased with. We quickly found that the answer to the second question was a definite no: customers were not satisfied with the MDM options that existed out there. What we heard is that each of the pre-existing MDM vendors delivers its functionality by forcing customers to install additional infrastructure, learn new processes, and/or make intrusive changes to their IT environment in order to manage these devices, and customers did not like that. At the same time, customers told us that MDM vendors charge a premium for their offering and in many cases will charge more over a multi-year period than the cost of the device itself. Hence the encouragement for us to provide something better.

So in asking customers these questions, we came to the conclusion that IT organizations are definitely looking for a more cost-effective solution that lets them leverage existing infrastructure, skill sets and processes, and that our approach would be a great fit for this huge pain point. Hence the release today of Centrify for Mobile!

So just what is Centrify for Mobile?

In future blog posts I will go into more details, but in the remainder of this post let me give a thumbnail overview to give you a feel for what Centrify for Mobile is all about.

Basically, what Centrify for Mobile does is use your on-premise Active Directory infrastructure and Group Policy-based management tools to let you easily enforce and update mobile security settings, lock or remotely wipe devices, and secure access to email and corporate networks. As you can see from the screenshots below, it supports familiar Active Directory management tools such as Active Directory Users & Computers (aka "ADUC") and the Group Policy Management Editor, so administrators can see which devices are assigned to a user, view the properties of each device, and manage policies across all devices.

[Screenshot: ADUC and the Group Policy Management Editor]

The policies that Centrify for Mobile offers can configure settings for Exchange as well as passcode policy (length, number of complex characters, failed attempts before locking, etc.) and device restrictions, such as which applications can be installed, use of the camera, or screen capture. In addition, Centrify for Mobile automatically sets up profiles that enforce the customer's policies for WiFi and VPN access, authentication, proxy and protocol settings. A complete list of supported policies can be found at: www.centrify.com/mobile.

The actual backend management of mobile devices by Active Directory is facilitated by the Centrify Cloud Service, a multi-tenant cloud service that provides secure communication from your on-premise Active Directory to your organization's mobile devices. The Centrify Cloud Service delivers Group Policy from Active Directory over the air, even when devices are not connected to the organization's network. Another advantage of the Centrify Cloud Service is that, unlike other MDM solutions, there is no management system or appliance that needs to be deployed on-premise, nor are there firewall configuration changes that need to be made. This makes Centrify for Mobile even more frictionless to deploy and further lowers TCO and increases ROI. The diagram below shows the architecture.

[Diagram: Centrify for Mobile architecture]

Deployment of Centrify for Mobile is extremely fast and simple. With your Active Directory infrastructure already in place, the only on-premise requirement is to install and configure the Centrify Cloud Proxy, which takes well under an hour regardless of the number of devices to be managed. Once this is done, users can perform self-service enrollment, which installs their mobile device profiles over a secure over-the-air connection.

Mobile devices join the AD domain and receive Group Policy through a self-service process. The owner of the device enrolls it by entering their Centrify Customer ID and their AD username and password, either via a web-based form or via a Centrify mobile application installed on the device. Using either method, a trusted over-the-air connection is made from the device to the Centrify Cloud Service, which in turn communicates with the on-premise Cloud Proxy Server. The end result is that a computer object is created in AD and the device is associated in the directory with the user who enrolled it. Because the device is in the directory, Group Policies can then be applied to it automatically: the Cloud Proxy Server passes them to the Cloud Service, which delivers them to the device. These policies are implemented on the device as device profiles; typical policies include passcode policies, device restrictions (e.g. disable camera) and VPN and WiFi settings. Joining the device to Active Directory and applying the pre-defined policies takes just a minute or so to complete. The screenshots show the mobile app that facilitates enrollment and the Centrify profiles that enforce the policies on the device.

[Screenshot: Mobile App enrollment and Centrify profiles on the device]
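To make the "device profile" in the paragraph above concrete, here is an added example (not part of the original post and not Centrify's code) that builds and inspects an iOS configuration profile carrying a passcode policy and device restrictions of the kind the post lists. The payload types and keys (`com.apple.mobiledevice.passwordpolicy`, `com.apple.applicationaccess`, and the `Payload*` envelope keys) are Apple's documented configuration-profile keys; the `com.example.mdm` identifier prefix, the "Example Corp" organization name and the policy values are constructed for this example.

```python
"""Build and inspect an iOS configuration profile (.mobileconfig) carrying a
passcode policy and device restrictions.

Added illustration, not Centrify code. Payload types and keys are Apple's
documented configuration-profile keys; identifiers and values are assumed.
"""
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"  # assumed identifier prefix for this example


def _payload(payload_type, display_name, **settings):
    """Envelope keys that every payload inside a profile must carry."""
    ident = f"{ORG_PREFIX}.{payload_type}"
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        # Deterministic UUID: re-generating the profile keeps the same identity,
        # so the device treats a re-push as an update, not a second profile.
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(settings)
    return payload


def passcode_payload(min_length=8, min_complex_chars=1,
                     max_failed_attempts=10, max_inactivity_min=5):
    """Map the knobs named in the post (length, complex characters, failed
    attempts before locking) onto Apple's passcode payload. Value ranges
    follow Apple's Configuration Profile Reference."""
    if not 0 <= min_length <= 16:
        raise ValueError("minLength must be 0..16")
    if not 0 <= min_complex_chars <= 4:
        raise ValueError("minComplexChars must be 0..4")
    if not 2 <= max_failed_attempts <= 11:
        raise ValueError("maxFailedAttempts must be 2..11")
    return _payload(
        "com.apple.mobiledevice.passwordpolicy", "Passcode Policy",
        forcePIN=True,                  # a passcode is required at all
        allowSimple=False,              # no repeating or sequential digits
        requireAlphanumeric=True,       # at least one letter
        minLength=min_length,
        minComplexChars=min_complex_chars,   # non-alphanumeric characters
        # iOS escalates lock-out delays and erases the device once this
        # count is exceeded, so choose it with the wipe in mind.
        maxFailedAttempts=max_failed_attempts,
        maxInactivity=max_inactivity_min,    # minutes idle before auto-lock
    )


def restrictions_payload(allow_camera=False, allow_screenshot=False,
                         allow_app_install=True):
    """Device restrictions mentioned in the post: camera, screen capture,
    and whether the user may install applications."""
    return _payload(
        "com.apple.applicationaccess", "Device Restrictions",
        allowCamera=allow_camera,
        allowScreenShot=allow_screenshot,
        allowAppInstallation=allow_app_install,
    )


def build_profile(payloads, removal_disallowed=True):
    """Wrap payloads in the top-level profile and serialise as an XML plist.
    removal_disallowed=True stops the user deleting the profile from Settings;
    the MDM that installed it can still remove it."""
    ident = f"{ORG_PREFIX}.profile"
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
        "PayloadDisplayName": "Corporate Device Policy",
        "PayloadOrganization": "Example Corp",   # assumed
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse a .mobileconfig (bytes) back into a dict, e.g. for auditing."""
    return plistlib.loads(data)


def enforced_settings(data):
    """Flatten a profile into {PayloadType: {setting: value}} for review,
    dropping the envelope keys so only the policy itself is shown."""
    envelope = {"PayloadType", "PayloadVersion", "PayloadIdentifier",
                "PayloadUUID", "PayloadDisplayName"}
    return {p["PayloadType"]: {k: v for k, v in p.items() if k not in envelope}
            for p in load_profile(data)["PayloadContent"]}


if __name__ == "__main__":
    data = build_profile([passcode_payload(), restrictions_payload()])
    print(data.decode())
    for ptype, settings in enforced_settings(data).items():
        print(ptype, settings)
```

The `enforced_settings` helper is the piece an auditor wants: pull the profile off a device (or out of the MDM) and check that what is actually enforced matches the Group Policy that was intended, rather than trusting the console view.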

Finally, Centrify for Mobile also simplifies reporting of enrolled devices, installed applications and device update status across the entire organization, with the ability to detect and block enrollment of jailbroken devices. Because Centrify for Mobile integrates with Active Directory, the computer object tied to the assigned user's Active Directory credential is created automatically. This makes it simple for administrators to provide management with an inventory of devices by group, device type and user role. We also provide a web-based Cloud Manager as part of the Centrify Cloud Service that lets you view the devices under management (e.g. device and app inventory) and perform administrative tasks such as unlocking or wiping a device (actions that are also available via ADUC).

So that's a high-level view of what Centrify for Mobile is all about. In my next few blog posts I will drill into more detail.
