
#vmworld

DEE2774BU

Demystifying Enterprise Apps: Secure Deployment, Access, and Management

John Turner, VMware, Inc.

#DEE2774BU

VMworld 2019 Content: Not for publication or distribution


Disclaimer

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.

The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

Speaker Bio – John Turner

20+ Years Enterprise Consulting Experience

5 Years at VMware

• Current: EUC Client Solution Architect

• Previous: Senior Consultant in Federal Practice

Certifications

• Current: VCP6-DTM / VCP6-NV / MCTS (Windows, Desktop Deployment, SCCM), MCSE, Net+, Sec+

• Previous: MCT, CCNA, MCP+I, MCP-BDD, MCP-Desktop Optimization

Consulting Experience

• Career Experience: EMC Professional Services, BT Global Services, Avanade, CGI

• Over 20 projects deploying 20K+ desktop seats (VDI & traditional)

• Over 100 projects deploying 5k+ desktop seats (VDI & Traditional)

• Over 20 Enterprise-Wide (5k+) App-Rationalization engagements

• Over 10 Enterprise SCCM Design & Deploys

Wedding Sept 3, 2017


Agenda


The End-User Perspective (Lessons Learned)

Secure Access

Versatile Management

Flexible & Easy Deployment

Wrap-Up / Q&A


“You’ve got to start with the customer experience and work back toward the technology – not the other way around”

- Steve Jobs


Begin with User Experience in Mind

IT’s Chance to Innovate

Consistent Look, Feel, & Experience

• Applications maintain order across devices

• Authentication screens are consistent throughout, even if 2FA is utilized

Customized & Secured

• View is customized specifically to the user’s needs – by the end user!

• Able to be integrated with Horizon, Citrix, SaaS, SAML, etc.

• Facilitates SSO across environments (On-Prem/Cloud/Partner)

• Access controlled by “who, where, what device”

• App Icons can launch applications from various sources:

– Locally Installed desktop & mobile apps (Secure Containers)

– VDI / RDSH / Hosted Applications (Including Citrix)

– SaaS Applications

• Simple self-service onboarding

Applications Pose Multiple Challenges

Applications often have their own ecosystem

Application Types:

• SaaS

• Traditional (Installed locally on PC)

• Platform Specific

• Incompatible / Not-Supported

Identity Integration Requirements:

• On-Prem AD / LDAP

• ADFS

• IdPs (Okta/Ping/etc.)

• SaaS/SAML

Delivery Issues:

• OS Differences

• Application Updates

• On-Prem devices / Off-Prem devices

• Reporting of compliance

• Version sprawl

• Device Management

• Roll-Back

[Diagram labels: Apps, Identity, Device]


Secure Access


Identity & Device Access Challenges

Context

• Location

• Device Type

• Security Status

Identity

• Who

• Organizational Role

• Additional Roles

Governance

• Consistent

• Repeatable

• Manageable

Security

• Based on User and Role

• Across Devices

• Changes With Role

[Diagram labels: Persona, Apps, Data, Device, Services]


Workspace ONE Architecture

[Architecture diagram; labels recovered from the slide, layout not preserved]

• Any Device

• Catalog and Launcher

• Email, Secure Browser, Content

• App/Data Containerization

• Contextual Policy Framework: LOCATION, APP, DEVICE, USER, DATA

• Access Management

• Authentication: Mobile Push, X.509

• Or 3rd Party Auth Providers: (RSA, Imprivata, Radius)

• Active Directory, or 3rd Party Identity Providers (Ping, ADFS)

• Session Management

• Protocol Engine

• SAML / OIDC, WS-Fed, HTTP

• Proxy (F5), Per App VPN, Access Point

• App / Device Management

• Windows Device Adapter, iOS Device Adapter, Android Device Adapter, Browser Add-On

• Device Provisioning and Configuration

• Compliance Enforcement/Remediation

• Self-Service App Provisioning (Push/Pull)

• Unified Catalog / App Broker (Google Play, Apple Store, Windows Store for Business)

• Any Application

• Web Apps, SaaS Apps, Windows Apps, Citrix Apps, Mobile Apps

• Cloud, On Premises

• Includes integration with Mobile Security / CASB Partners


Integrate Identity and Device Compliance for Conditional Access

[Diagram; labels recovered from the slide, layout not preserved]

• AUTHENTICATION MODULE

• DEVICE POSTURE

• USER AUTH

• APP SERVICE

• Workspace ONE

• Workspace ONE UEM

• Managed, Jail Broken

• OS

• 3rd Party

• MSA | Malware | Trust

• Location

• Blacklist

• Apps

• Workspace ONE Access

• Authentication Provider

• Network Scope

• Authentication Strength

• Session Time

• Per Application

• Remote Apps | Web Apps | Native Apps

• Email, Secure Browser, Content

• Catalog and Launcher


Policy Driven Access & Security

Integrate Conditional Access Policies

Policy Framework: USER, DEVICE, APP, LOCATION

USER

• Employee

• Contractor

• Privileged

• Customer

• R&D

• Sales

• Marketing

DEVICE

• iOS

• Android

• Win10

• Unmanaged

• Managed

• BYOD

• Corp-Issued

APP

• Web

• Mobile

• Virtual

• Low Security

• High Security

• External

• Internal

LOCATION

• In Network

• Out Network

• Beacon

• 3G / 4G

• Geo


Further Enhance Security with Secure Tunnel & Content Locker


Versatile Management


Building Blocks for Versatile Management

• WIN 10 / MAC / Chromebook

• iOS / Android

• Rugged/Connected Things

• All Apps

• Experience

• Modern Management

• Insights

• Automation


Device and Application Management Lifecycle

End to End Device Lifecycle Management

• Acquisition

• Configuration and Provisioning

• Zero Touch Deployment

• Support and Repair

• Retirement and Disposition

• Forward Stocking Locations

• Inventory Management

[Lifecycle diagram, centered on Device Lifecycle Management. Labels: Asset Acquisition; Asset configuration; Deployment; Installs, Moves, Adds, Changes; Software & Application Management; Demand Management; Remote Management; Maintenance Repair; Proactive Repair; OS Imaging and Migration; Asset Retirement & Disposition]

• Lease Return

• Redeploy

• Employee Sale

• Data Destruct/Grading

• Remarket

• Recycle


Begin your Transition to Modern Management

BUILT FOR THE MODERN WORKFORCE

Areas compared: DEPLOYMENT, PATCHING, SECURITY, CONFIGURATION, APP MANAGEMENT

TRADITIONAL

• Highly manual imaging for all use cases

• On-network mgmt. of 1000s of GPOs

• Takes months to patch all endpoints

• Costly mgmt. and distribution points

• Lack compliance visibility when needed

MODERN

• Out-of-box for day one productivity

• API driven, across any network

• From the cloud in minutes

• Cloud-scale with zero CapEx

• Real-time detection and remediation


Complete Windows 10 Co-Management Technology

Flexibly co-exist with any Win10 and SCCM – no costly upgrades

Configuration Manager (TRADITIONAL)

• Imaging

• WSUS

• Group Policies

• Apps

Workspace ONE (MODERN)

• Onboarding

• Cloud Patching

• MDM

• Apps

Take cost out of traditional PCLM pain-points such as patching, etc.

Ease migration of traditional PCLM tasks to Workspace ONE

AirLift

AirLift Delivers Simplified Transition to Windows 10 Modern Management


Flexible & Easy Deployment


Evolution from a test-first approach to a publish-first approach

Granular Control over Application & Updates Publishing

Deferral Approved by Group

Manually Approved

Patch

Workspace ONE Admin

Dealing with Problem Apps

Long-Term Plans and Short-Term Solutions

[Diagram axis: Strategic to Tactical]

• Cloud Migration

• Application Retirement / Consolidation

• Re-Write applications for today’s world (Docker/Kubernetes)

• Create a ThinApp Package

• Create a purpose-specific Win 200x RDS Farm

• Down-level OS with Horizon Agent (Kiosk)

• Shim Applications


Simplify the Deployment of VDI & RDSH Applications

Policy driven personalization for VDI and RDSH Applications

[Diagram; labels recovered from the slide, layout not preserved]

• Desktop Creation & Customization

• Instant Clone

• Desktop 1, Desktop 2, Desktop 3

• Application Delivery *

• Network Policy from NSX (Optional)

• Dynamic Policy and Personalization from User Environment Manager

• Bob’s desktop, Max’s desktop, Lucy’s desktop

• Lucy (Finance), Max (Developer), Bob (HR)

• Horizon App or Desktop in Catalog

* Capabilities vary based on cloud platform


Security / Compliance / Device Management

[Diagram: repeats the diagram from the Workspace ONE Architecture slide]


How Do We Get there?


How Do We Get there?

A customized journey

[Diagram; labels recovered from the slide, layout not preserved]

Rows: Mobility, Desktop, Apps, Identity

Stages: IT DEFINED, USER CENTRIC, DIGITAL ENTERPRISE

Axis: END USER RELATIONSHIP

• Control Devices

• Standardize Platform for Efficiency

• Reduce Deployment Time

• Secure Access

• Any Device Access

• Location Independent

• Self-Service Deployment

• Streamline Access

• Connected Workforce

• Data Driven Decisions

• Competitive Advantage


Defining the Journey

Work with VMware to determine your path

[Diagram; labels recovered from the slide, layout not preserved]

Rows: Mobility, Desktop, Apps, Identity

Stages: IT DEFINED, USER CENTRIC, DIGITAL ENTERPRISE

• Traditional Identity and Authentication

• Identity Aggregation

• App Deployment

• Client Management

• Enterprise Mobility Management

• App Abstraction

• Unified Endpoint Management

• Enhanced Mobility

• App Catalog

• Digital Convergence

• Dynamic Desktops

• Digital Workspace

• CYBERSECURITY, INSIGHT, PROTECT, CONTROL

• INFRASTRUCTURE, PLATFORM, MANAGE, AUTOMATE


Application Rationalization Starting Point

Define Technical Objectives

• Devices / Locations

• Security

• Mobility

Current State Discussion

• What works?

• What doesn’t work?

• Desired Improvements

Challenges

• Integration Challenges

• Accessibility Challenges

• Regulations

Apps Identity Device


“A lot of times people don’t know what they want until you show it to them.”

- Steve Jobs

“If I had asked people what they wanted, they would have said faster horses.”

- Henry Ford (Supposedly)


Q&A


John Turner

Twitter: @BeardedVDIGUY

LinkedIn: www.linkedin.com/in/johnpturner