Enterprise Identity Meets Android for Work - Andy Zmolek, Enterprise Partnerships, Android

CIS 2015 Enterprise Identity Meets Android for Work - Andy Zmolek


This talk brings together two emerging enterprise mobile identity efforts: Android for Work and NAPPS

Android for Work is a program to drive Android adoption in the workplace

● Secure Android for BYOD and corporate-issued devices
● Google Play for Work for app distribution
● Standardized management
● Leveraging the entire Android ecosystem

Management: Integrated with existing management tools to create a single console across all devices

Devices: Designing new business-specific form factors and enabling AfW management

Applications: Developer friendly: write once, deploy and manage on any device through Google Play

Networking: Securely connect to your internal systems through VPN and network applications

Android for Work launched earlier this year with support from a broad set of initial partners

Work Profiles

Extension of Lollipop’s default encryption, security enforcement and multi-user support

A dedicated work profile isolates and protects work data - badged work apps sit right alongside personal apps

Users know IT only manages work data and can’t erase or view personal content

Android for Work app

For devices that can’t run work profiles natively

Secure mail, calendar, contacts, documents, browsing and access to approved work apps

Can be completely managed by IT

Work Profile vs Android for Work app

                    Android Lollipop+*             Android ICS-KitKat**
Work instance       Native App (Work Profile)      Work App built with the Android for Work SDK, running inside the Android for Work App
Personal instance   Native App                     Native App

* Where OEM has enabled multi-user
** Or Lollipop where OEM has not enabled multi-user

Android for Work SDK

Enables apps to run seamlessly in the secure container provided by the Android for Work App.

Supports APIs to access the container such as Contacts/Calendar Providers, Storage Access Framework, Intents, Application configuration and management, KeyStore access, Clipboard, Download and Notification Manager.

Provides Extension APIs to support VPN and File encryption.

Diagram labels: Personal user | Work user

Work Managed Device

For corporate-liable deployments which require management of the entire device

Set up from initial boot including NFC-based provisioning

Deploy only selected apps -- internal or 3rd party -- to managed devices
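The NFC-based provisioning step from initial boot, as an added Java example written for this page (it is not code from the talk, from Google or from any EMM). The DevicePolicyManager EXTRA_PROVISIONING_* constants, MIME_TYPE_PROVISIONING_NFC and the NFC classes are Android's own (API 21+); the DPC package name, download URL, checksum placeholder and Wi-Fi details are assumed values for illustration.

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.nfc.NdefMessage;
import android.nfc.NdefRecord;
import android.nfc.NfcAdapter;
import android.os.Bundle;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Properties;

/**
 * "Programmer" device app: when bumped against a factory-reset Lollipop+ device it hands
 * over an NDEF message that tells the setup wizard which DPC to download, how to verify it,
 * and which network to use. Requires android.permission.NFC in the manifest.
 */
public class NfcProvisioningActivity extends Activity {

    // Assumed values: the EMM's device policy controller and where the new device fetches it.
    static final String DPC_PACKAGE = "com.example.emm.dpc";
    static final String DPC_DOWNLOAD_URL = "https://emm.example.com/dpc.apk";
    // URL-safe base64 digest of the APK at DPC_DOWNLOAD_URL, computed out of band
    // (SHA-1 on Android 5.x; SHA-256 from 6.0). Placeholder, not a real digest.
    static final String DPC_CHECKSUM = "REPLACE_WITH_APK_DIGEST";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        NfcAdapter nfc = NfcAdapter.getDefaultAdapter(this);
        if (nfc == null) {        // no NFC hardware on this programmer device
            finish();
            return;
        }
        nfc.setNdefPushMessage(buildProvisioningMessage(), this);
    }

    /** Builds the single-record NDEF message the managed provisioning component parses. */
    static NdefMessage buildProvisioningMessage() {
        Properties props = new Properties();
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME, DPC_PACKAGE);
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION, DPC_DOWNLOAD_URL);
        // The checksum is what pins the DPC: a mismatch makes provisioning fail instead of
        // installing whatever the download location served.
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM, DPC_CHECKSUM);
        // Network used only to fetch the DPC. These values travel in the clear over NFC,
        // so use a dedicated provisioning SSID rather than a production one (assumed values).
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_SSID, "corp-provisioning");
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_SECURITY_TYPE, "WPA");
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_PASSWORD, "provisioning-only-secret");
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_LOCALE, "en_US");
        props.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_TIME_ZONE, "America/Los_Angeles");

        // The payload format is java.util.Properties text; the OS parses it back with load().
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            props.store(out, null);
        } catch (IOException e) {
            throw new IllegalStateException("in-memory store cannot fail", e);
        }
        NdefRecord record = NdefRecord.createMime(
                DevicePolicyManager.MIME_TYPE_PROVISIONING_NFC, out.toByteArray());
        return new NdefMessage(record);
    }
}
```

Two points a practitioner should take from this: the download URL is untrusted input to the new device, so the checksum extra is the only thing tying the installed device owner to the APK IT intended; and the bump itself is not confidential, which is why the Wi-Fi credentials should belong to a throwaway provisioning network.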

Built-in productivity tools

A suite of business apps for everyday tasks: email, contacts and calendar

Supports Exchange and Notes

Edit the most popular documents with Docs, Sheets and Slides apps

Google Play for Work

Allows IT to securely deploy and manage business apps

Any app in the Play catalog can be deployed to the Work Profile; a subset to the Android for Work app

Simplifies the process of distributing apps and ensures IT approves every app deployed to workers

IT Admins: Work Storefront - play.google.com/work

● Web-based tool for Company Admin

● Access to entire public Google Play catalog

● Bulk App Purchasing for users

● Admin acceptance of permissions for whitelisted apps

Points of Integration For App Developers

Managed Configuration

Your app can expose its policy and configuration settings, to be read by Enterprise Mobility Managers and managed by IT admins.

Data Segregation

Users of your app can keep data separate between their work and personal profiles. Check that your app works seamlessly in a work profile.

Group Licensing

Your app can be bulk purchased by IT admins and licenses assigned and reassigned within the company. Opt in via the Play Developer Console. (Coming soon)

Identity / Authentication

Use Google sign-in to authenticate. Customers that have integrated with Google Auth get SSO with your app for free, or leverage standard SAML/OAuth.

Android for Work platform stack (stock Android):

APPS MGT:  EMMs
APPS:      IDENTITY APPS | PRIVATE / PLAY  (WORK PROFILE | PERSONAL)
OS:        ENCRYPTION | SELINUX + ANDROID | OEM EXTENSIONS AND INNOVATION (OEMs)
HW:        VERIFIED BOOT | HARDWARE ENABLED KEY STORE

KNOX-enabled stack:

APPS MGT:  EMMs
APPS:      IDENTITY APPS | PRIVATE / PLAY | KNOX WORKSPACE  (WORK PROFILE | PERSONAL)
OS:        ENCRYPTION | SECURITY ENHANCEMENTS (SE) for ANDROID | KNOX ANDROID FRAMEWORK (VPN, SSO, ODE, SDP, Attestation)
HW:        ENHANCED TIMA (RKP/Keystore/CCM) | TRUSTED BOOT | SECURE BOOT

Lollipop Native User Experience

Secure Mobility for Work

USER EXPERIENCE

:: Personal and work applications shown in a single unified launcher

:: Work apps badged with an orange briefcase

:: A single application binary with two different data sets - one for work and one for personal

:: PIM Suite, Browser, Docs, Sheets, Slides included

● OS based data separation

● Data sharing restricted across profiles

● Separate file store for each profile

Data Sharing Between Apps

Recent task switching with badging

● Work apps are badged

● Seamless switching between personal apps to work apps

● Work and personal instances of same app run side-by-side with sandboxed data stores

Native Task Switching

● Notifications are badged to separate work from personal

● EMM policy can redact or limit detail displayed

Badged Notifications

Android for Work App User Experience


● Same look and feel as Android for Work native experience in Lollipop

● All Applications shown in launcher

● Work apps indicated by orange briefcase badge

● Consistent across all Android for Work devices

CONFIDENTIAL

USER EXPERIENCE

● Application management and security framework
● Suitable for BYOD scenarios
● Screenlock protected, controlled apps
● Management of the profile and associated apps vs full device
● Wipe removes the profile, data and apps, leaving the rest of the device unaffected


Android for Work App

Managed Domains & Identity


Google Play for Work Store
● Android Work will provide a Managed Google Play Store to build collections of IT-approved apps

Managed Google Account
● Eliminates the use of personal accounts for Play for Work access
● Enables installation of approved apps presented in Work Profile
● Facilitates app management including volume purchases, with no license keys or user intervention

Google Play for Work

Google Domain Identity Registration Process

1. Register Managed Domain
2. Create Admin Account
3. Verify Domain Ownership
4. Generate EMM API Token

1. Registration of Domain

Step 1: Admin enters basic business contact information
Step 2: Admin enters basic information about the business
● Business name
● Address
● Number of Employees

2. Create Admin Account

Admin creates the account for the Managed Domain

3. Domain Verification

Admin verifies Domain ownership
Option 1: Add meta tag to corporate homepage
● Google verifies by scanning homepage
Option 2: Add a TXT or CNAME record to domain’s DNS
● Google verifies by checking DNS records
Option 3: Add an HTML file to root of company’s website
● Google verifies by scanning the company website

4. EMM Binding Token

● Generated for binding to customers’ EMM provider
● Enables Android for Work management via APIs
● Allows management of ONLY specific Managed Domain devices

Account Management

The IT admin can populate the managed accounts directly into the managed domain:
Option 1: Delegate to EMM via Directory APIs
Option 2: Google Active Directory Sync

Authenticate accounts via enterprise SAML-based SSO (recommended) or password sync

Native Application SSO aka “NAPPS”


Searching for NAPPS? http://openid.net/wg/napps/ (not found at napps.org!)

● NAPPS can always work with system browser

● User experience can be improved: eliminate unnecessary app flips and browser pops

● Android for Work partners and product team working closely to define best practices

● Opportunity to leverage capabilities that already exist natively in Android OS

● Stay tuned for more!

“Native” NAPPS

IdP Discovery via App Restrictions

● Multiple methods exist for IdP discovery (aka “tenant discovery”) with NAPPS, such as:
  Non-managed: Smart Lock for Passwords
  Managed: Android App Restrictions
● With managed profiles or devices, Android “app restrictions” can point to the enterprise IdP
● App developer exposes an app configuration schema specific to their app in the manifest
● Play publishes the restrictions for EMMs, who set configurations via the Android framework
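The app side of this, as an added Java example written for this page that serves both the Managed Configuration integration point for developers and IdP discovery via app restrictions (it is not code from the talk, from Android for Work or from any EMM). RestrictionsManager, the android.content.APP_RESTRICTIONS manifest meta-data and the ACTION_APPLICATION_RESTRICTIONS_CHANGED broadcast are Android's own (API 21+); the restriction key idp_issuer, the string resources, the class name and the default issuer URL are assumptions made for the example.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.net.Uri;
import android.os.Bundle;

/*
 * Schema the app publishes (res/xml/app_restrictions.xml), referenced from the manifest with
 *   <meta-data android:name="android.content.APP_RESTRICTIONS"
 *              android:resource="@xml/app_restrictions"/>
 *
 *   <restrictions xmlns:android="http://schemas.android.com/apk/res/android">
 *     <restriction android:key="idp_issuer"
 *                  android:title="@string/idp_issuer_title"
 *                  android:description="@string/idp_issuer_desc"
 *                  android:restrictionType="string"/>
 *   </restrictions>
 *
 * Play publishes this schema to EMMs; the EMM's DPC pushes a value for "idp_issuer" into the
 * work profile and the app reads it here. "idp_issuer" is a key chosen for this example.
 */
public class LoginActivity extends Activity {

    static final String KEY_IDP_ISSUER = "idp_issuer";
    // Assumed consumer-facing issuer used when no enterprise IdP has been configured.
    static final String DEFAULT_IDP = "https://accounts.example.com";

    private final BroadcastReceiver restrictionsChanged = new BroadcastReceiver() {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            rebuildLoginFlow();   // EMM changed the value while we were on screen
        }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        rebuildLoginFlow();
    }

    @Override
    protected void onResume() {
        super.onResume();
        // The framework broadcasts to the app each time its restrictions are updated.
        registerReceiver(restrictionsChanged,
                new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
    }

    @Override
    protected void onPause() {
        unregisterReceiver(restrictionsChanged);
        super.onPause();
    }

    /** Tenant discovery: managed value if present and sane, otherwise the default IdP. */
    private void rebuildLoginFlow() {
        RestrictionsManager rm =
                (RestrictionsManager) getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle restrictions = rm.getApplicationRestrictions();   // empty Bundle when unmanaged
        String issuer = resolveIssuer(restrictions.getString(KEY_IDP_ISSUER));
        // From here the app hands 'issuer' to its OpenID Connect / NAPPS client (for example,
        // fetching issuer + "/.well-known/openid-configuration" before starting the
        // authorization request); the system browser flow still works if that fails.
    }

    /**
     * Only a profile/device owner can set restrictions for this profile, but the value is
     * still data: accept it only as an absolute https URL with a host, never http or a
     * bare path, so a misconfigured console cannot send credentials to a plaintext endpoint.
     */
    static String resolveIssuer(String managed) {
        if (managed == null || managed.trim().isEmpty()) {
            return DEFAULT_IDP;
        }
        String candidate = managed.trim();
        Uri uri = Uri.parse(candidate);
        if (!"https".equalsIgnoreCase(uri.getScheme())
                || uri.getHost() == null || uri.getHost().isEmpty()) {
            return DEFAULT_IDP;
        }
        return candidate;
    }
}
```

Two things are worth checking when testing this in a work profile: that the personal instance of the same app (no DPC for that profile) gets an empty Bundle and falls back to the default, and that changing the value in the EMM console is picked up without a reinstall, because the broadcast, not app start, is the trigger.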

Thank You!


Business Customer signup for Android for Work

Actors: COMPANY (Mgmt front end / console), EMM (APIs for mgmt and config; app search & install), GOOGLE AUTH

1. IT admin signs up for Android for Work through google.com/android/work/partners.
2. IT admin verifies domain ownership
3. IT admin enrolls Android for Work account with EMM
4. Company synchronises user directory with Google auth. Optionally synchronises credentials or integrates SAML federated login to enable SSO.
5. EMM sets which apps users have available.
6. User installs EMM DPC app from Google Play
7. User follows setup wizard in EMM DPC app
8. User is signed in to their corp Google account.
9. User browses for work apps to install in Work Play Store

App Management Flow

Actors: COMPANY (Mgmt front end / console), EMM (APIs for mgmt and config; app catalog and delivery), GOOGLE AUTH

1. IT admin discovers apps through Google Play for Work
2. IT admin approves app and accepts permissions (free apps) in either Google Play for Work or EMM console. Purchases can only be made in Google Play for Work (paid apps).
3. IT admin push installs app or makes it available to users through the Play Store client app via the EMM Console
4. Company synchronises user directory with Google auth. Optionally synchronises credentials or integrates SAML federated login to enable SSO.
5. User is signed in to their corp Google account.
6. User installs approved apps from Play Store client and accepts permissions.
7. Admin pushes managed configuration to devices via EMM Console

Managed Configuration Flow

Actors: YOUR APP, EMM SERVER, COMPANY (admin), EMM CLIENT

● YOUR APP: Publish config options
● EMM SERVER: Read app’s config options; Present admin config UI
● COMPANY: Push config
● EMM CLIENT: Push config to profile
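The "push config to profile" step from the EMM client's side, as an added Java example written for this page (not code from the talk or from any EMM product). DevicePolicyManager.setApplicationRestrictions, getApplicationRestrictions, isProfileOwnerApp and isDeviceOwnerApp are Android's own (API 21+); the class name, the DeviceAdminReceiver component passed in, the target package and the restriction key idp_issuer are assumptions for the example.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;

/**
 * EMM client (DPC) component that applies the configuration an admin set in the EMM console
 * to an app inside the profile or device this DPC owns.
 */
public final class ManagedConfigPusher {

    private final DevicePolicyManager dpm;
    private final ComponentName admin;      // this DPC's DeviceAdminReceiver (assumed)
    private final String selfPackage;

    public ManagedConfigPusher(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
        this.selfPackage = ctx.getPackageName();
    }

    /**
     * Pushes the console's values for targetPackage into the framework. The call is only
     * honoured for a profile owner or device owner, and the Bundle is stored as the app's
     * whole restriction set rather than merged, so always push the complete configuration.
     */
    public void push(String targetPackage, Bundle fromConsole) {
        if (!dpm.isProfileOwnerApp(selfPackage) && !dpm.isDeviceOwnerApp(selfPackage)) {
            throw new IllegalStateException("DPC is neither profile owner nor device owner");
        }
        dpm.setApplicationRestrictions(admin, targetPackage, fromConsole);
    }

    /** Reads back what the framework now holds, so the EMM can confirm the push took effect. */
    public Bundle readBack(String targetPackage) {
        return dpm.getApplicationRestrictions(admin, targetPackage);
    }

    /**
     * Console value for an app that declares a string restriction named "idp_issuer"
     * (a key chosen for this example). Validation of the URL belongs on both ends: the
     * console should refuse non-https issuers before they ever reach a device.
     */
    public static Bundle idpConfig(String issuerUrl) {
        if (issuerUrl == null || !issuerUrl.startsWith("https://")) {
            throw new IllegalArgumentException("IdP issuer must be an https URL");
        }
        Bundle b = new Bundle();
        b.putString("idp_issuer", issuerUrl);
        return b;
    }

    /** Typical sequence after the admin saves the app's settings in the console. */
    public void applyIdp(String targetPackage, String issuerUrl) {
        push(targetPackage, idpConfig(issuerUrl));
        Bundle stored = readBack(targetPackage);
        if (!issuerUrl.equals(stored.getString("idp_issuer"))) {
            throw new IllegalStateException("restriction read-back does not match push");
        }
    }
}
```

Because the framework scopes setApplicationRestrictions to the caller's own profile, a DPC that is profile owner of the work profile cannot alter the personal instance of the same app; that separation is what the "single binary, two data sets" model above relies on.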

Make any place your workplace