Solution Brief
HiveManager Client Management
Context-Based Access & Device Controls for a Mobile First Enterprise
Introduction

BYOD and the Consumerization of IT are changing enterprise networking. Just a few short years ago, IT was easily able to create policies and track network usage because they had control of most of the variables, including ownership of the devices, knowing who the users were and which department they belonged to, knowledge of where the user was located in the network, and users' expected working hours. In the last few years, however, mobility and cloud have changed this landscape dramatically, and the abundance of consumer devices in the enterprise has drastically altered how IT controls network and resource access.

Context-based network access isn't a new concept. When IT had control of all the variables listed above, creating policies specific to a user, device, location, and time was straightforward and generally tied to which port the user was plugged into or the SSID to which they were connected. Ensuring security or policy compliance was equally simple when the devices were owned and managed by IT and patches, applications, and connectivity credentials were tightly controlled and routinely deployed to the managed devices. Without control of all these variables, however, IT now has to find a way to regain control of the network and secure resources to adapt to the mobile first enterprise, where users expect to connect whatever device they want, wherever they are in the world, to access the resources they need to get their jobs done.

The problem isn't just with BYOD, however. More and more IT professionals are turning to consumer devices to solve specific enterprise issues, such as taking orders throughout a retail store, kiosk-based guest access, and 1:1 learning programs for students. In fact, in a recent survey of nearly 1000 respondents, Gartner found that 90% of enterprises have already deployed mobile devices, and 86% plan to deploy tablets this year [1].
This means that not only do you need a solution that can use context to create policies based on identity, device type, location, and time, but you also need to understand who owns that particular device and be able to distinguish an issued device from a BYO device even when all the other variables are exactly the same. Aerohive predicted Wi-Fi would become the primary access layer, and now, with the prevalence of mobile devices, the lines between corporate-issued and end-user-owned are blurring. The mobile first transition is forcing a borderless network where the network edge is where these devices transition from being consumer devices to business devices. Aerohive cloud-enabled networking with distributed intelligence streamlines and automates connectivity, management, and monitoring of HiveOS devices and client devices to help corral the iEverything explosion and transform your network into a platform for mobility.

Weighing the Options for BYOD and Consumerization of IT

With all the recent focus on BYOD, many IT administrators have approached the problem of consumer devices in the enterprise with a singular goal: limit access from these consumer devices to protected resources. They are backed up by statistics such as Gartner's prediction that through 2014, employee-owned devices will be compromised by malware at more than double the rate of corporate-owned devices [2]. However, as these consumer devices become more prevalent, affordable, and capable, many new use cases emerge, and classifying them all as BYOD doesn't allow the flexibility to enable these corporate-deployed functions. Administrators are looking for a carrot or stick approach to either entice users to secure their devices by allowing them network access, or prevent network access if the device doesn't meet the security requirements.

[1] http://www.cioinsight.com/c/a/mobile-and-wireless/gartner-byod-study-enterprises-just-say-Yes-827004/?kc=CIOQUICKNL07032012MOD2
[2] http://www.gartner.com/newsroom/id/2211115

As IT administrators sort through the deluge of information aimed at solving the BYOD problem with various carrots or sticks, we see four major trends for deploying consumer devices in the enterprise emerging:

- WPA2-Enterprise (802.1X) authentication: This method generally requires a username and password to join the network, and allows an administrator to easily control network permissions based on the identity of the user and the type of device. Administrators can rely on the security of per-device-negotiated encryption, which ensures secure transmissions between the devices and the access point, and they can also quickly de-auth a particular user and disconnect the user from the network without impacting access for the rest of the connected users.
  o For networks where 802.1X is difficult to configure because of certificate or authentication server challenges, Aerohive offers a unique feature called Private Pre-Shared Key, which delivers much of the same functionality as a WPA2-Enterprise implementation without requiring an external auth server or certificates. Read more in the Private Pre-Shared Key Solution Brief.
  The limitation of WPA2-Enterprise or Private Pre-Shared Key implementations is that many consumer devices make connecting to this type of network as easy as clicking a button to accept the certificate and entering a username and password. This makes it extremely challenging for an administrator to differentiate between a device issued for a specific purpose and a device that a user brought in from home.
  In fact, if the devices are the same, for example a corporate-issued iPad and a BYOD iPad, and both have the same remaining context (same user, location, and time), differentiating between the devices is a huge challenge and the devices will get the same access to network resources. Administrators need more granular context, such as device ownership, to apply policies that limit or permit access to protected resources.

- Virtualization (VDI): Another common way of controlling access to restricted content is to use virtualization technology, or VDI. VDI is a technology that essentially turns the end user device into an access terminal for content that is stored on a secured, centralized database or cloud server. VDI ensures that no restricted or secure content resides on the device, so it no longer matters whether that device is company issued or BYOD. However, virtualization can be extremely expensive and can be prone to access limitations because the content is stored remotely. Network failure often means the content is completely inaccessible. Another challenge with VDI, particularly specific to BYOD and Consumerization of IT, is that many administrators are allowing BYOD or issued consumer devices because of the superior user experience. By using VDI, the user is effectively bypassing the inherent UI on the device and using whatever operating system/UX is available on the remote device.

- Virtual Private Networks (VPN): Many IT administrators also employ VPNs to restrict access to content based on the specific device. This method ensures encrypted access to secure resources and allows an administrator to control what devices can access the content based on the type of client supported. However, VPN on mobile devices is often a challenging configuration and isn't always supported for all mobile operating systems or within all installed apps.

- Mobile Device Management (MDM): At the crux of BYOD and Consumerization of IT management and control is the use of Mobile Device Management profiles from companies such as AirWatch, JAMF Software, or MobileIron. MDM vendors allow an administrator to tightly control device security, applications, and content by installing a profile on the devices to restrict permissions. When integrated with an infrastructure vendor like Aerohive, the use of software-based MDM is simplified because Aerohive can ensure the devices coming online get the profile installed and keep it there in order to access the network. The beauty of MDM is that it continues to work even when the device is connected to a home or 3G/4G network as well as on the corporate network, and it gives the administrator granular control over device configuration, application installation, and content. Vendors like AirWatch even offer advanced functionality that allows administrators to segregate content and resource access on the device itself, helping to protect corporate assets that remain on a device that may or may not be owned by the organization.

Copyright 2013, Aerohive Networks, Inc.
  Installing profiles on BYO devices has historically been a challenge, as content ownership, especially of personal information like pictures and content, makes employees wary of MDM solutions and often unwilling to keep the profile installed on the device.

The issue with any of these four solutions to BYOD and Consumerization of IT is that they all focus on solving one aspect of the challenge, but you really need a combination of the options in order to truly differentiate access based on device ownership, identity, type of device, location, and time. This can often lead to multiple management systems, configuration woes, and troubleshooting horror stories.

How Aerohive Solves the Problem

Aerohive cloud-enabled HiveManager with client management capabilities gives administrators the power to easily provision, configure, and monitor end user devices as simply as Aerohive access points, routers, or switches today.
This functionality allows an administrator to clearly differentiate between issued devices and BYOD, giving them the additional layer of context necessary to create granular policies and controls for a mobile first enterprise. The client management capability includes:

- Client AutoProvisioning: the HiveManager cloud services platform can automatically create and install a unique client certificate as well as install a secure profile on the device.
- Unified Device Configuration, Management, and Reporting: an administrator can configure policy objects within HiveManager to define and auto-provision network access parameters such as VLAN, firewall policy, QoS, etc. based on device ownership status. In addition, if the administrator wants more granular device controls over specific clients, a secure profile can apply configuration parameters such as passcode policies, email and calendar configurations, and Wi-Fi connectivity options. Once configured, HiveManager will display the information about the clients within the standard Monitoring and Reporting sections of HiveManager.
- Customizable Self-Service Portal: users will see a completely customized enrollment portal which can display their own company logo and details about enrolling their issued and BYO devices, so they will not need to contact the IT department in order to acquire the custom device certificate and access the network.

The combination of these features provides a unified workflow and process for organizations to deal with the iEverything explosion. While many mobile device management solutions have the ability to install a certificate onto a device that downloads the enrollment profile, Aerohive has actually provided a way to generate that certificate on the fly based on the identity of the user, the device type, and the state of device ownership.
Device certificates have long been the answer to distinguishing like devices with like users and other like context from one another, but PKI can be a challenge even for the most seasoned IT professional. The most daunting issue, after the initial PKI infrastructure setup, is that users often run into a chicken-and-egg problem: they need a certificate to get their device onto the network, but they need to be on the network to get the certificate onto the device. This can lead to a multiple-SSID setup, where users have to connect to an enrollment SSID to get the profile and certificate, and then connect to the secure SSID once enrollment completes.

Once an administrator has decided to go with device certificates to solve network access challenges, BYOD and Consumerization of IT present another hurdle: these devices are specifically designed to be user-centric, with the user in charge of everything installed and running on the device, including certificates and device profiles. In fact, Apple in particular designed their interface and devices this way intentionally to provide an exceptional user experience, not to be hardened business devices. So the challenge for IT, in addition to managing the devices and ownership, then becomes how to incent the user to accept the user profile and certificate on their device and keep it there.
Aerohive has once again paved the way to Simpli-Fi by providing a way to generate and install a unique device certificate and profile using a single SSID. The user connects a device to the SSID using standard 802.1X/PEAP credentials. The administrator can configure a list of expected MAC addresses for issued devices, and any device not matching that list will be treated as BYOD. Once connected with their username and password, the user will have their device provisioning status confirmed. If the device has not been provisioned or has had the profile uninstalled, the user will be redirected to the self-service portal and assigned a unique certificate that reflects their identity, device type, and the ownership of the device. The certificate is pushed to the device, and the device is automatically reconnected to the same SSID using the unique device certificate: no user or IT intervention required!

In addition, if an administrator wants to implement device controls, such as passcode restrictions, application permissions (for example, disallowing cloud file sharing), or email, VPN, or calendar configurations on the connected devices, a secure profile can also be assigned to the device, again based on the identity of the user, device type, and ownership of the device. These secure profiles provide real-time configuration and monitoring capabilities for the provisioned devices, and allow an administrator to get even more granular control over the network and optimize for mobility.

Regardless of whether the administrator wants to implement secure device profiles, the unique device certificate adds the additional level of context (device ownership) to further refine the Aerohive user profile assigned to a particular device, which applies network permissions such as VLAN assignment, firewall, QoS, and tunneling policies. All of the client information and management will be displayed within HiveManager alongside the other network elements administrators are already managing.
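As an added illustration (not Aerohive's code), the single-SSID flow above modelled as a policy decision: a first PEAP login lands the device on an enrollment VLAN and mints a certificate carrying identity, device type and MAC-derived ownership; the EAP-TLS reconnect then selects the user profile (VLAN, firewall policy) from that certificate. The MAC list, policy table, VLAN numbers and the Client/evaluate names are constructed assumptions.

```python
# Added example, not Aerohive code: a model of the single-SSID enrollment flow
# described above. Assumed: the administrator's issued-device list is a set of
# MAC addresses; an unprovisioned client logs in with PEAP credentials; a
# provisioned client logs in with EAP-TLS and presents the device certificate.
from dataclasses import dataclass
from typing import Optional
# Constructed sample of corporate-issued device MACs (hypothetical values).
ISSUED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
# Constructed policy table: (group, ownership) -> (VLAN, firewall policy).
USER_PROFILES = {
    ("staff", "issued"): (10, "full-access"),
    ("staff", "byod"): (30, "internet-and-email"),
    ("student", "issued"): (20, "lms-and-internet"),
    ("student", "byod"): (40, "internet-only"),
}
DEFAULT_PROFILE = (40, "internet-only")  # any (group, ownership) not in the table
ENROLLMENT_VLAN = 99                     # walled garden holding only the portal

@dataclass
class Client:
    mac: str
    eap_method: str              # "PEAP" (password) or "EAP-TLS" (device cert)
    username: str = ""           # PEAP identity, used before a certificate exists
    group: str = "staff"
    device_type: str = "iPad"
    cert_subject: Optional[dict] = None  # attributes of the provisioned device cert

def ownership_from_mac(mac: str) -> str:
    """Issued if the MAC is on the administrator's list, otherwise BYOD."""
    return "issued" if mac.lower() in ISSUED_MACS else "byod"

def build_cert_subject(c: Client) -> dict:
    """Attributes baked into the unique device certificate at enrollment."""
    return {"user": c.username, "group": c.group,
            "device_type": c.device_type, "ownership": ownership_from_mac(c.mac)}

def evaluate(c: Client) -> dict:
    """One 802.1X association on the single SSID: enroll, or apply a user profile."""
    if c.eap_method == "PEAP" or c.cert_subject is None:
        # Password-only login means the device is unprovisioned (or its profile
        # was removed): park it on the enrollment VLAN and mint its certificate.
        return {"action": "enroll", "vlan": ENROLLMENT_VLAN,
                "firewall": "portal-only", "cert": build_cert_subject(c)}
    # EAP-TLS login: ownership now comes from the certificate, so the MAC list
    # is consulted only once, at enrollment time.
    subj = c.cert_subject
    vlan, fw = USER_PROFILES.get((subj["group"], subj["ownership"]), DEFAULT_PROFILE)
    return {"action": "admit", "vlan": vlan, "firewall": fw, "user": subj["user"]}
```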
Summary

People want to work anywhere, on any device, and IT needs to enable them without drowning in complexity or compromising on security, performance, reliability, or cost. Aerohive delivers a cloud-enabled and comprehensive solution to deploy, configure, monitor, and control clients in a mobile first enterprise. Client management provides a single workflow and management interface to aid companies in supporting BYOD and corporate-issued devices on their networks, and helps transform the network into a platform for mobility.
About Aerohive

Aerohive's mission is to Simpli-Fi enterprise access networks with a cloud-enabled, self-organizing, service-aware, identity-based infrastructure that includes innovative Wi-Fi, branch routing, switching, and client management solutions. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital, New Enterprise Associates, Inc. (NEA) and Institutional Venture Partners (IVP). For more information, please visit www.aerohive.com, call us at 408-510-6100, follow us on Twitter @Aerohive, subscribe to our blog, join our community or become a fan on our Facebook page.

Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: 408.510.6199

International Headquarters
Aerohive Networks Europe LTD
The Court Yard
16-18 West Street
Farnham, Surrey, UK, GU9 7DR
+ 44 (0) 1252 736590
Fax: + 44 (0) 1252 711901

info@aerohive.com
www.aerohive.com