With VMware Workspace ONE and Hypergate, You Can Finally Get Kerberos on Android Enterprise

May 8, 2019
Kristen McManness

Author:

Kristen McManness is a product marketing manager for VMware End-User Computing, specializing in Android enterprise and Chrome Enterprise management.


Guest blog by Niklaus Knecht, Business Development, Hypergate


Google recognized VMware’s commitment to Android Enterprise by designating VMware as a validated Android Enterprise Recommended EMM partner. Android Enterprise is clearly the future and the default path for any enterprise use-case on Android devices at VMware. Android Enterprise brings many new features and is a big step forward. Hypergate makes Android Enterprise even more attractive and secure for businesses by offering native Kerberos (aka Active Directory, IWA, LDAP) single sign-on.

With Android Enterprise, Google has reduced fragmentation by delivering a set of management capabilities across all Android devices. This allows administrators to use their unified endpoint management (UEM) solution like VMware Workspace ONE for much more proactive actions and allows the business to easily deploy Android devices within their environment.

 

Microsoft integrated Kerberos in Windows 2000. As a result, it has become a standard for websites and single sign-on implementations across all platforms (e.g. with Active Directory). Most people don’t even know they are using it.

Its strong cryptography and third-party ticket authorization make it much more difficult for cybercriminals to infiltrate your network and/or impersonate your users.

 

To boil it down for you, Kerberos comes down to this:

  • a protocol for authentication
  • uses tickets to authenticate
  • avoids storing passwords locally or sending them over the internet
  • involves a trusted 3rd-party
  • built on symmetric-key cryptography

(A more detailed report about Kerberos can be found on the Hypergate website.)

 

You have a ticket — your proof of identity encrypted with a secret key for the particular service requested — on your local machine; so long as it’s valid, you can access the requested service that is within a Kerberos realm.

Rather than re-entering your user/password credentials every time, your ticket (cached on your system) is used to authenticate, allowing for single sign-on.

Administrators have been able to use Kerberos for single sign-on on iOS for years because Apple natively provides a Kerberos client in the operating system, but to date, Android has never natively offered support for Kerberos. To fill this gap, Hypergate is installed as a local application on the device and acts as a local proxy for token requests and manages single sign-on keys for all apps. In a nutshell, it’s an Android Kerberos client that can seamlessly integrate with customers’ existing Android apps and Kerberos infrastructure.

Hypergate complements Workspace ONE’s single sign-on solution. While customers can implement Android single sign-on today with Workspace ONE, it’s dependent upon more modern federated authentication protocols such as SAML and OAuth. For existing systems that depend purely on Kerberos authentication, Hypergate can be employed with Workspace ONE to extend Android single sign-on to those systems.

Once authenticated, the identity provider will immediately forward the federated request (e.g. using SAML, OAuth or OpenID) and the user will automatically be securely logged in to their cloud application. Therefore, the end user will never interact with Hypergate directly. Furthermore, Hypergate can also provide certificate-based authentication, simulating a smart-card logon. This means the user does not even need to enter any credentials and can consume their personalized services seamlessly.

Hypergate leverages Kerberos, the battle-proven standard Active Directory single sign-on protocol. It’s the same mechanism used for smart-card logons often encountered in security-critical setups, for example financial institutions, governments and so on. Since it’s the same standard used for workstations, even your IT security officer will be happy with the solution.

 

See how fast and easy Hypergate works. Watch here.

With VMware Workspace ONE, we can simply and securely deliver and manage Hypergate on any device. Hypergate is available through the Google Play Store, and updates are released through this channel as well.

You can find Hypergate through the Workspace ONE console if your organization has been added to the Hypergate Google Play Distribution List. Changes made by the Hypergate team will, depending on the purchased solution, automatically update and sync with your devices.

Requirements

This addendum covers the requirements to run Hypergate.

Minimal requirements

  • Android 6.0
  • ARM CPU Architecture
  • VPN to the KDC

Recommended requirements

  • Android 7.0
  • ARM CPU Architecture
  • VPN to the KDC
  • Android Enterprise recommended device

We would again like to take this opportunity to thank VMware for having us as a partner and hope for many technology-savvy years ahead.
