With VMware Workspace ONE and Hypergate, You Can Finally Get Kerberos on Android Enterprise
Guest blog by Niklaus Knecht, Business Development, Hypergate
With Android Enterprise, Google has reduced fragmentation by delivering a set of management capabilities across all Android devices. This allows administrators to use their unified endpoint management (UEM) solution like VMware Workspace ONE for much more proactive actions and allows the business to easily deploy Android devices within their environment.
Microsoft integrated Kerberos into Windows 2000, and it has since become a standard for websites and single sign-on implementations across all platforms (e.g. with Active Directory). Most people don’t even know they are using it.
Its strong cryptography and third-party ticket authorization make it much more difficult for cybercriminals to infiltrate your network or impersonate your users.
To boil it down for you, Kerberos comes down to this:
- a protocol for authentication
- uses tickets to authenticate
- avoids storing passwords locally or sending them over the internet
- involves a trusted 3rd-party
- built on symmetric-key cryptography
(A more detailed report about Kerberos can be found on the Hypergate Website.)
You have a ticket — your proof of identity encrypted with a secret key for the particular service requested — on your local machine; so long as it’s valid, you can access the requested service that is within a Kerberos realm.
Rather than re-entering your username and password every time, your ticket (cached on your system) is used to authenticate, allowing for single sign-on.
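The ticket flow described above, as an added example that is not part of the original post or of Hypergate's software: a toy Python model of a KDC, a client and a service in which the password stays on the client, the service ticket is readable only by the service, and tampered or expired tickets are rejected. The realm name, the principals and the HMAC-based "seal" construction are assumptions standing in for Kerberos' real encryption types, and the TGT/TGS step is collapsed into one request.

```python
# Constructed, simplified model of the Kerberos flow described above (added example, not
# Hypergate's code). The TGT/TGS step is collapsed into one request, and "seal" is a toy
# encrypt-then-MAC built from HMAC-SHA256 standing in for Kerberos' real encryption types.
import hashlib, hmac, json, os, time
REALM = "EXAMPLE.COM"  # assumed realm name, used as part of the key-derivation salt

def derive_key(password: str, principal: str) -> bytes:
    # Long-term key derived from the password; the password itself never goes on the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: dict) -> bytes:
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")  # tag detects tampering

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Trusted third party: holds every principal's long-term key, never sees a password."""
    def __init__(self, principals: dict):
        self.keys = principals  # principal name -> long-term key
    def issue_ticket(self, user: str, service: str, lifetime: int = 600, now: int = None) -> tuple:
        now = now or int(time.time())
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": user, "key": session_key, "exp": now + lifetime})
        for_user = seal(self.keys[user], {"key": session_key, "exp": now + lifetime})
        return ticket, for_user  # the client can read only the second part

def client_login(user: str, password: str, kdc: KDC, service: str) -> tuple:
    ticket, for_user = kdc.issue_ticket(user, service)
    session = unseal(derive_key(password, user), for_user)  # wrong password -> ValueError
    authenticator = seal(bytes.fromhex(session["key"]), {"user": user, "ts": int(time.time())})
    return ticket, authenticator  # cached ticket + fresh authenticator = single sign-on

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int = None) -> str:
    now = now or int(time.time())
    t = unseal(service_key, ticket)  # fails unless sealed by the KDC with this service's key
    if now > t["exp"]: raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["user"] != t["user"] or abs(now - auth["ts"]) > 300:
        raise ValueError("authenticator does not match ticket")
    return t["user"]
```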
Administrators have been able to use Kerberos for single sign-on on iOS for years because Apple natively provides a Kerberos client in the operating system, but to date, Android has never natively offered support for Kerberos. To fill this gap, Hypergate is installed as a local application on the device and acts as a local proxy for token requests and manages single sign-on keys for all apps. In a nutshell, it’s an Android Kerberos client that can seamlessly integrate with customers’ existing Android apps and Kerberos infrastructure.
Hypergate complements Workspace ONE’s single sign-on solution. While customers can implement Android single sign-on today with Workspace ONE, it’s dependent upon more modern federated authentication protocols such as SAML and OAuth. For existing systems that depend purely on Kerberos authentication, Hypergate can be employed with Workspace ONE to extend Android single sign-on to those systems.
Once authenticated, the identity provider immediately forwards the federated request (e.g. SAML, OAuth or OpenID) and the user is automatically and securely logged in to their cloud application. The end user therefore never interacts with Hypergate directly. Hypergate can also provide certificate-based authentication that simulates a smart-card logon, so the user does not even need to enter credentials and can consume personalized services seamlessly.
Hypergate leverages Kerberos, the battle-proven standard Active Directory single sign-on protocol. It is the same mechanism used for smart card logons, which are common in security-critical environments such as financial institutions and governments. Since it is the same standard used for workstations, even your IT security officer will be happy with the solution.
See how quickly and easily Hypergate works. Watch here.
With VMware Workspace ONE, we can simply and securely deliver and manage Hypergate on any device. Hypergate is available through the Google Play Store, and updates are released through this channel as well.
You can find Hypergate in the Workspace ONE console once your organization has been added to the Hypergate Google Play distribution list. Changes made by the Hypergate team will, depending on the purchased solution, automatically update and sync to your devices.
This addendum covers the requirements to run Hypergate.
- Android 6.0
- ARM CPU Architecture
- VPN to the KDC
- Android 7.0
- ARM CPU Architecture
- VPN to the KDC
- Android Enterprise recommended device
We would again like to take this opportunity to thank VMware for having us as a partner and hope for many technology savvy years ahead.