Direct Control for Mobile & Supporting Mac OS X in Windows Environments
Leveraging Existing IT Staff Knowledge, Processes and Infrastructure to Support Mac OS X Systems and Their Users
Ed Frola, Senior Systems Engineer, Centrify Corporation
Ed.Frola@Centrify.com, (703) 631-2460
Agenda
- The Centrify Vision
- Challenges of BYOD and Consumerization of IT
- DirectControl for Mac OS X Overview
- Key Features and Benefits
- Architecture
- Demonstration
- Concluding Thoughts
2004-2011 CENTRIFY CORPORATION. ALL RIGHTS RESERVED SLIDE 2
The Centrify Vision: Control, Secure and Audit Access to Cross-Platform Systems and Applications
[Diagram: Centrify the Enterprise; on-premise endpoints, servers and software; cloud and on-demand services; apps]
Leverage infrastructure you already own (Active Directory) to:
- Control: what users can access
- Secure: user access and privileges
- Audit: what the users did
DirectControl for Mobile Overview
Consumerization of IT & BYOD Brings New Challenges
- Consumer devices merge personal and business activities
  - End users bringing their mobile devices to work increasingly want to use them for business, such as corporate email
  - Users want to carry one device for phone, email, camera, and music
- Mobile devices are finding new use cases within the Enterprise
  - Complementing laptops/desktops with tablets for existing users
  - Empowering a new class of end users to access electronic information
  - Increasing the number of endpoint devices that need to be managed
- Results in security enforcement challenges for the Enterprise
  - Mobile devices operate outside the scope of existing security infrastructure
  - Lost or stolen devices expose company confidential information
  - Compliance regulations do not allow exceptions for mobile devices
Centrify: A Differentiated Approach to Mobile Security
- First deep integration of devices (iOS/Android) with Active Directory
  - Leverages existing Active Directory infrastructure, knowledge and support procedures
  - Enforces Group Policy-based security settings (e.g. passcode policy, restrictions, security settings, etc.)
- Cloud-based service
  - Over-the-air policy integration with Active Directory, even if the device is off the network
  - Non-intrusive architecture; no open ports or additional infrastructure in the DMZ
- First and only unified platform for BYOD that supports mobile devices AND Mac OS X systems, plus 300+ versions of UNIX/Linux
- First and only FREE mobile device management solution: Centrify Express for Mobile
  - No limitation on the number of devices managed
  - Given the fixed MDM capabilities provided by mobile vendors (e.g. the Apple MDM API), functionally on par with what other MDM vendors offer in their paid solutions
Centrify for Mobile: AD-based Administration
- Active Directory-based management of mobile devices
- Group Policy-based management of security settings
[Screenshots: ADUC User Properties for David McNeely; ADUC Computer Properties for David McNeely's iPad; Group Policy Management Editor for Mobile Devices; Active Directory]
How it Works
DirectControl for Mobile Demonstration
And the Vast Majority of Capability is FREE with Express
Features: Express vs. Subscription
- Support: Community (Express); Standard or Premium (Subscription)
- Centralized administration within the Active Directory infrastructure
  - Devices assigned to an AD user
  - Administrative commands (remove profile, remote wipe, lock/unlock, update profiles)
- Support for iOS 4.x, 5.x and Android 2.2+ devices
- Self-service enrollment
  - Mobile app with jailbreak/rooted device detection
  - Web-based self-service enrollment
- Group Policy-based security policy management and enforcement
  - Passcode policies
  - Device restrictions
  - Application restrictions
- Auto-issue PKI certificates for use with Exchange
- Automatic MS Exchange configuration for the assigned user
- Enterprise VPN and Wi-Fi configuration
- Cloud-based solution, no servers in the DMZ, highly available with multiple on-premise proxies
- Inventory of installed mobile applications
- Additional settings for iOS 5 devices
- Auto-remove device profiles on AD user or device disable/delete
- Settings for other email, calendar and address book servers
- Reporting on mobile devices
- Application management
  - Web clips for enterprise web apps
  - Force installation of mobile apps on iOS 5
  - Enterprise App Store
- Prevent access to Exchange mailbox if the device is not managed
Coming in 1.1 (1.1 to be available summer 2012)
Centrify for Mobile Comparison

| Feature | Centrify for Mobile | Single Purpose MDM |
| --- | --- | --- |
| Cloud-based platform | Yes | Yes |
| Remote lock/unlock | Yes | Yes |
| Full and selective device wipe | Yes | Yes |
| Self-service enrollment | Yes | Yes |
| Trusted over-the-air provisioning and updates | Yes | Yes |
| Detect/block jailbroken devices | Yes | Yes |
| Supports iOS and Android | Yes | Yes |
| Certificate authentication for Exchange | Yes | Yes |
| Certificate authentication for VPN and Wi-Fi | Yes | Yes |
| Automated PKI certificate enrollment, configuration and distribution | Yes | Yes |
| Active Directory-based user/device lifecycle support | Yes | No |
| Group Policy-based settings enforced for security, access and device policies | Yes | No |
| Non-intrusive installation with no additional infrastructure or firewall changes required | Yes | No |
| Unified platform for mobile, Mac OS X and server systems | Yes | No |
| Free and enterprise offerings | Yes | No |
| License price to manage 1000 mobile devices, no support | $0* | $40-75K |
| Annual subscription price to manage 1000 mobile devices, with support | $24,500 | $35-48K |

* Includes community/online support at no charge
Centrify for Mobile Summary
- Easiest product to deploy
  - Cloud service vs. acquiring, deploying and managing on-premise infrastructure
  - Leverages existing Active Directory infrastructure and skill sets
  - Does not require firewall configuration changes, appliances or other equipment to be deployed in the DMZ
- Not just a point solution for mobile devices
  - Also supports Mac and Linux devices
  - Plus backend UNIX/Linux servers as well as enterprise applications
- Compelling go-to-market model with Centrify Express
  - Robust free offering provides mobile security and access management
  - Frictionless to try out and deploy
  - Opportunity to upgrade to more features as requirements dictate
Pricing and Release Schedule
DirectControl for Mobile
- Subscription-based pricing for support and upgrades
  - Device pricing starts at $24 per device per year with standard support
    - Premium 24x7x365 support available
    - Minimum 10 devices
  - Administrator pricing starts at $100 per admin per year
    - Minimum 5 admins
  - 8% and 15% discounts for 2- or 3-year subscription commitments
Schedule
- Beta 1 (iOS): Now!
- Beta 2 (Android): April
- General Availability: May
Challenges that DirectControl for Mac OS X Addresses
Support & Management Challenges for Mac
- IT struggles to enforce security policies consistently across the enterprise on all platforms
  - Access control policies, password management policies and security configuration policies must be consistently enforced across the enterprise
- The reality is: Macs are second-class citizens in most enterprise environments (excluding publishing/creative firms)
  - IT support staff simply don't know how to manage Mac systems
  - Typically Macs are managed individually or by the department expert
  - Self-managed systems usually have one local admin account: the end user
  - Departmental support is focused on usability, not security policies
The Solution: AD-based Management of OS X
Centrify empowers the Windows-centric enterprise to manage and support OS X using existing expertise, tools and processes:
- ADUC for user account, password and group management
- GPMC/GPOE for system and user configuration management
[Diagram: MacBooks and iMacs joined to Active Directory]
Centrify DirectControl for Mac OS X
Centrify DirectControl for Mac OS X
- Unified administration with Active Directory
  - Centralize account and authentication with Active Directory
  - Administrators given local admin privileges
  - Separation of duties for large enterprises
  - Macs integrate into existing Windows services
- Enforce security policies using Active Directory Group Policy
  - System configuration via Group Policy
  - Security policy enforcement and desktop lockdown
- Smart card-based strong authentication required
  - Secure login to Active Directory with CAC, PIV and .NET smart cards
  - Certified by the Joint Interoperability Test Command (JITC); FIPS certification in progress
Unified Administration With Active Directory
- Common account and authentication with Active Directory
  - Manage Mac user accounts, their login and authorization rights
  - Enables offline login to OS X laptops, the same experience as Windows
- Administrators granted local admin privileges
  - Group Policy configuration of Apple Remote Desktop (for VNC)
  - An Active Directory group of administrators is granted local privileges
  - Pre-validation for administrators enables offline login
- And no changes to Active Directory, no new servers, no change in process
Separation of Duties for Large Enterprises
- Separation of admin duties by Zone
- Separation of Active Directory and UNIX admins
  - UNIX admins don't need rights to manage Active Directory user objects
- Separation of UNIX departmental admins
  - Each Zone is delegated to the appropriate UNIX admin
- Access is granted by Zone
  - Access is denied unless explicitly granted
  - UNIX profiles within a Zone enable the associated Active Directory user to log in
[Diagram: Active Directory with its Active Directory Administrators; a Finance Zone and a Sales Zone, each delegated to its own Department Administrator; users Fred and Joan]
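The Zone model just described, as a small Python model added here for illustration (this is not Centrify's code; the class and function names, the AD admin "ad-admin", the Zone admins and the UIDs are assumptions): an AD administrator delegates each Zone to a UNIX admin, a UNIX admin can only create profiles in Zones delegated to them and only for AD users that already exist, and login is denied unless a profile exists in that specific Zone.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    admins: set[str] = field(default_factory=set)           # delegated UNIX admins
    profiles: dict[str, int] = field(default_factory=dict)  # AD user -> UNIX UID


class Directory:
    def __init__(self, ad_users: set[str], ad_admins: set[str]) -> None:
        self.ad_users = set(ad_users)
        self.ad_admins = set(ad_admins)
        self.zones: dict[str, Zone] = {}

    def delegate_zone(self, actor: str, zone: str, unix_admin: str) -> None:
        # Only an Active Directory administrator creates a Zone and delegates it.
        if actor not in self.ad_admins:
            raise PermissionError(f"{actor} is not an AD administrator")
        self.zones.setdefault(zone, Zone(zone)).admins.add(unix_admin)

    def add_profile(self, actor: str, zone: str, user: str, uid: int) -> None:
        # A UNIX admin only manages profiles in Zones delegated to them, and may
        # only reference AD users that already exist (no AD object rights needed).
        z = self.zones.get(zone)
        if z is None or actor not in z.admins:
            raise PermissionError(f"{actor} is not delegated Zone {zone!r}")
        if user not in self.ad_users:
            raise LookupError(f"{user} is not an Active Directory user")
        z.profiles[user] = uid

    def can_login(self, user: str, zone: str) -> bool:
        # Deny by default: login needs a UNIX profile in that specific Zone.
        z = self.zones.get(zone)
        return z is not None and user in z.profiles


def build_demo() -> Directory:
    """Constructed sample: Finance and Sales Zones, each with its own admin."""
    d = Directory(ad_users={"fred", "joan"}, ad_admins={"ad-admin"})
    d.delegate_zone("ad-admin", "Finance", "fin-admin")
    d.delegate_zone("ad-admin", "Sales", "sales-admin")
    d.add_profile("fin-admin", "Finance", "fred", 1001)
    d.add_profile("sales-admin", "Sales", "joan", 2001)
    return d
```

Fred can log in to Finance machines but not Sales ones, and the Sales admin cannot create a profile in the Finance Zone even for an existing AD user.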
Macs Integrate into Existing Windows Services
- Joining Active Directory enables seamless integration for:
  - Home directory auto-mounts to Windows file shares
  - Authenticated printing to Windows print queues
  - Single sign-on to services such as Exchange, SQL, and IIS servers
- Extensive home directory support
  - On Mac OS X servers via AFP
  - On Windows servers via SMB
  - And on DFS shares when used with Group Logic's ExtremeZ-IP Server
  - Or Portable Home Directory with auto-sync to a network home directory
Enforce Security Policies Using AD Group Policy
- Automated security policy configuration for consistency
  - Group Policy is automatically enforced when the system joins Active Directory
  - Group Policy routinely checks the system for policy compliance, updating as required
  - User Group Policy is enforced at user login
- System Group Policies control system configuration
  - Centrify agent configuration policy
  - Firewall & services policies control machine access
  - Screen saver policy controls access to existing user sessions
  - SSH policies for remote access security
Desktop Lockdown Using AD Group Policy
- Group Policy enforcement of Managed User settings
- Controls to lock down:
  - Finder & Preferences settings
  - Desktop & Dock settings
- User Group Policies control:
  - Screen saver
  - Allowed applications
  - Login/logout scripts
  - Media access settings
  - Mac App Store access
Demonstration
Concluding Thoughts
Completing the Integration into the Enterprise
- Centrify integrates Mac OS X into Active Directory
  - User ID/password as well as smart card login is supported
  - Group Policy is used for desktop lockdown and configuration management
  - DirectControl supports authenticated printing to Windows print queues
- Home directories can be hosted on Windows servers
  - DirectControl supports users with home directories locally, on Windows servers or on NAS appliances
  - Portable home directories are also supported for mobile users, with GP control over sync policies
  - FileVault support for mobile users whose home directory is on an NFS-mounted share
- Cross-platform backup services
- Software deployment and inventory management that integrates with SMS
- Exchange mailbox and calendar can be accessed seamlessly
  - Entourage, part of Microsoft Office 2008, is the Mac version of Outlook
  - Apple Mail and Mozilla Thunderbird also include support for Exchange
- Windows applications can be run in a virtual Windows environment where there is no equivalent Mac application, such as MS Visio or MS Project
Integrating Macs into the Enterprise
Making it easy to deploy, integrate and manage Macs in a Windows environment.
www.enterprisedesktopalliance.com
Why Customers Choose DirectControl for OS X
- IT can leverage existing directory, processes and skill sets to manage Macs
- Centralized authentication and password policies are enforced
- Smart card login to AD supports SSO and the requirement for two-factor authentication
- Automated security policy enforcement with Group Policy
- Fine-grained desktop lockdown security policies are centrally enforced
- Separation of administrative duties simplifies deployment in complex environments
"DirectControl offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory's Group Policy architecture, it functions more seamlessly for managing access... particularly for systems administrators who are unfamiliar with Mac OS X." Ryan Faas, Computerworld
Customers Using DirectControl for Mac OS X
"Once upon a time Apple computers were regarded as corporate IT nuisances and delegated to marketing or art departments in enterprises. Now they're an integral part of the system, with companies like Centrify integrating Macs into Active Directory." The VAR Guy, "Apple's Government Sales Jump 200%", September 2010
How To Contact Us
WEB SITE: www.centrify.com
- Direct Control for Mobile: https://www.centrify.com/mobile/free-mobile-device-security-management.asp
- Direct Control for Smart Card: http://www.centrify.com/mac/smartcard/free-smart-card-for-federal-military-cac-piv.asp
REQUEST AN EVAL: www.centrify.com/trial
CONTACT US: www.centrify.com/contact
PHONE: Worldwide +1 (408) 542-7500
FOLLOW US: centrify.com/rss, twitter.com/centrifynews, youtube.com/centrify, facebook.com/centrify