Separating Directory from Policy Management: Accelerating Office 365 Deployments with Workspace ONE
A Great Start to VMworld 2016
I’ve been at VMworld since Saturday, and I’ve already found that I don’t get many chances to talk about VMware Workspace ONE. It’s not for lack of interest, but rather the opposite. Every time I am in a group of customers and colleagues and the Workspace ONE topic comes up, some VMware employee breaks out their phone, opens their Workspace ONE catalog and can’t stop talking about:
- How they don’t need tokens.
- How they can book travel with their phone, create a meeting and find a conference room.
- How much easier it is to just get things done.
After years of planning, it is incredibly rewarding to not be the one doing the talking. I get to see, hear and experience the value of Workspace ONE as it touches my coworkers from their perspectives on a daily basis. It is exactly that excitement that we want all of our VMware customers to experience. Yes, Workspace ONE closes security holes that have been around for years and simplifies operations. But the real win is when IT is seen as adding value to the employee experience. That always makes business sense in this increasingly complex and competitive business world.
This week, we continue the Workspace ONE journey with two announcements that speak to removing the friction common in most end-user computing (EUC) environments today.
Accelerating Office 365 Adoption
The move to a cloud-based, office productivity solution is a core component of a digital workspace solution. To streamline collaboration and share ideas, nothing is better than working on shared, cloud-based, real-time dynamic documents. While a majority of enterprise customers are either already licensing or considering Office 365, really taking advantage of Office 365 beyond Exchange is still a challenge.
Access to Office apps, files and email from domain-joined devices on a corporate network is nearly DNA-level to most EUC organizations. As soon as the guardrail of the corporate network is removed, it’s unclear how to deliver and secure this most fundamental service to employees. The existing assumption is that files are manipulated and stored on domain-joined devices with known configurations. Files may be saved to network shares, but theoretically don’t leave the corporate network without detection. The perimeter changes constantly in our mobile-cloud world, making authentication and authorization a primary point of control.
Azure AD Is Not Active Directory in the cloud
With every new SaaS application comes yet another directory. It’s initially convenient for a line-of-business manager to manage user access and policy to a newly acquired application. But the model doesn’t scale as the number of SaaS apps grows and the number of separate user credentials increases—all with its own policy controls and authentication methods. Office 365 becomes one more cloud service with its own directory and an additional point of management. While many organizations are moving more infrastructure to the cloud, most organizations will remain dependent on Active Directory for the foreseeable future.
There are a number of methods to bridge or synchronize Active Directory to Azure AD. What is more important to those deploying Office 365 is more than merely where users are managed; it is how and where access policy is managed to assure employees have access when they need it and across multiple devices and public networks.
Separating Policy from Directory
The identity management architecture of Workspace ONE is not designed to be yet another directory. IT leverages existing AD resources as the source of truth. More importantly, Workspace ONE provides an abstraction layer between directory and policy, so that access policy management can be centralized for all applications across multiple clouds and on-premises. For those organizations already bridging AD and Azure AD with ADFS or PingFederate, Workspace ONE leverages those investments and still provides device posture-based conditional access controls. All this while delivering the consumer-simple Workspace ONE experience across any device.
Today’s announcement adds new automation to Workspace ONE. This innovative new technology makes it much easier for our customers to not only bridge AD and Azure AD, but also automatically provision and de-provision user accounts to Office 365. While the provisioning automation certainly makes operations simpler, it is the automated and instant de-provisioning that is most important.
When authentication itself is used as an access control, an authenticated user or device may have an access token granted for hours or days, depending on policy designed to reduce repeatedly entering credentials. By automating the de-provisioning of Office 365, even an authenticated user with a valid token will be rejected access once the user is deactivated in Active Directory.
Simplifying & Strengthening Authentication for Office 365 & Every Other App in the Enterprise
In June, VMware announced VMware Verify mobile-push, multi-factor authentication solution available with every Workspace ONE license. Since its release, we have had fantastic interest from customers who either have never previously invested in multi-factor authentication. The enterprises either fear end-user revolt or those using legacy token solutions today. Customers need a more modern, low-cost and user-friendly method of strong authentication.
When coupled with Workspace ONE, the VMware Verify service is invoked completely outside of the existing application log in. As such, there is no authentication activity taking place on the endpoint at all. Now integrated into the Workspace ONE experience, setting up a new employee to use VMware Verify takes virtually no instruction at all.
Whenever a user attempts to access an application requiring strong authentication based on some series of conditions, the user is immediately prompted to download and register the VMware Verify app if they do not already have a phone registered. This simple automation means that IT no longer has to develop and deliver training to employees. They can begin instantly improving security posture by removing the threat of compromised passwords.
To learn more about Workspace ONE and how we can simplify the deployment and management of Office 365, while protecting corporate data across any device, please check out workspaceone.com and sign up for a customized demo.
Want to read more about the EUC innovations announced today at VMworld 2016? Check out these blogs: