By Kevin Strohmeyer, senior director, product marketing, Workspace Services, VMware
In June, VMware introduced VMware Identity Manager, an Identity as a Service (IDaaS) offering that we began including in premium versions of AirWatch Enterprise Mobility Management (EMM). Today, we announced VMware Identity Manager Advanced, a new standalone package of Identity Manager focused on broad-based deployment across all employees on any of their devices, laptops or desktops across any network for SaaS, Mobile, and Windows apps.
As discussed in the initial launch, VMware Identity Manager is unique in the market because of the ability to register a device with AirWatch to create a secure chain of trust between the user, their device, the OS vendor, and the enterprise. This chain of trust is what enables what we call Adaptive Access, the ability to discriminate access to sensitive apps based on it’s managed status, and just as importantly, to customize the authentication flow based on the capabilities of the device. Let’s take a closer look at each of these:
Adaptive Access Part 1: Managed vs. Unmanaged devices
Conditional access policies that take into account network and authentication strength are commonplace in the IDaaS market. VMware Identity Manager has such capabilities and the ability to “score” authentication strength to abstract authentication types creating flexibility in policy design.
What is unique is our ability to add into policy decisions the state of the device and it’s ability to protect application data should the device be lost or stolen. We do this by leveraging AirWatch device registration whether the device is being managed by IT, or not.
While there are many myths and misunderstandings about what IT can actually see and do to an employees personal device, we recognize that not every device a user will ever want to use as part of getting their job done will be under IT management.
This is where the new VMware Identity Manager Advanced edition shines. We include just the minimal functionality of AirWatch to enable device registration that allows us to push a unique certificate to the device to establish the chain of trust. There are many applications an enterprise may want to deploy that don’t contain sensitive data. For instance an expense app, maybe some HR informational apps, or apps that don’t hold sensitive state. These apps can easily be distributed to employee-owned smartphones, tablets, and laptops with a Single Sign-On experience tied to your existing directory. Other apps, like Salesforce 1, may cache significant amounts of information making their use on unmanaged devices too risky. Those apps can be restricted to only managed devices through AirWatch
Adaptive Access Part 2: Cutting Gordian’s knot of authentication
Most Identity Management solutions have to take a lowest common denominator approach to authentication. While they can design a specific flow for a specific kind of device, they can’t deal with multiple flows for the same app. This means the administrator must design a policy that would work on any device, resorting to either a password, or an out-of-band third party token/challenge response solution for stronger authentication. By building device specific adaptors for iOS, Android and Windows 10, we can leverage device ownership and PIN unlock as a strong form of authentication. As we look into the future, our deep knowledge of iOS, Android, and now Windows 10 <Link> will allow us to take advantage of the device for more advanced forms of authentication, and include device posture into advanced policy decisions.
Building a business mobility environment for all of your employees
We see many of our customers choosing to enable their employees through an integrated mix of Identity Management and Device Management. Chances are the bulk of your employee population requires an Identity Management Solution; a one-stop shop for SaaS, Mobile and even Windows apps plumbed with the right access policies across any device. A subset of those users will then require Enterprise Mobility Management to either further secure their personally owned devices, or to manage corporate owned-devices issued to employees. Only VMware provides this comprehensive solution that permits a unified app catalog and SSO for all users with the ability to manage risk, ensure compliance, and simplify operations.