In the current mobile, cloud, and BYOD era, conditional access and single sign-on have become essential parts of end user computing. However, they’re both still tricky, and there are many different approaches. In light of this, Okta outlined their updated mobile strategy in a blog post today, and I met with Naveed Makhani (from product management) and Mike Paiko (from product marketing) to learn more.
Okta’s mobile strategy
Okta announced Okta Mobile Management back in 2014. It’s oriented towards typical office worker and SaaS user scenarios, and provides MDM and leverages the mobile app management features that are built into iOS and Android. About a year and a half ago, they announced plans to support the Apple Device Enrollment Program.
However, as Okta has been growing, their mobile priorities have been changing. They’re going into more enterprise-size customers, which generally already have other EMM providers like AirWatch and MobileIron. In addition, the conditional access trend has really surged in the last 12–24 months.
To that end, Okta has been prioritizing support for conditional access features that can work with any EMM provider, not just Okta Mobile Management. They use the term “device trust” for these features. Okta is shelving plans to roll out their own support for Apple DEP, but will continue to develop and support Okta Mobile Management for basic use cases.
Issues in SSO and conditional access
There are a lot of different ways to do conditional access on mobile, and making SSO work in native iOS and Android apps also has its challenges. My original draft of this article started to turn into a 3000-word white paper on these topics, but I’m going to save that for another time.
Conditional access is the idea that with today's apps and devices, access decisions should consider a broader context than they may have in the past. On mobile devices, this often means attesting the security state of the device and/or verifying that it is enrolled in MDM and compliant with policies.
For today, I’m just going to talk about apps from public stores, running on devices with mixed and personal usage (BYOD or COPE). As you can imagine, if you can modify apps, sign them all with the same developer certificate, or ensure that only approved apps are running on a device, many SSO and conditional access challenges go away.
Most native mobile app clients for enterprise SaaS offerings use a browser for the login process. The modern preferred technique for implementation is to use special mobile browser options: SFAuthenticationSession on iOS and Chrome Custom Tabs on Android. These allow browser state (i.e. session cookies) and certificates to be shared among apps and the system browser.
Certificates are great because they can be used to authenticate to an identity provider like Okta, and if you distribute them with MDM and apply the appropriate policies, they can also confirm that the device is enrolled and compliant. SSO and conditional access—done!
The problem is that many enterprise apps still just implement the older technique of using embedded webviews for their login process. Embedded webviews cannot access shared browser state or certificates, meaning users have a poorer SSO experience and have to log into all their enterprise apps individually. These apps also miss out on the ability to use certificates to do conditional access.
Okta Device Trust for iOS
On iOS, Okta device trust is addressing the conditional access and SSO problems from embedded webview logins by leveraging the Okta Mobile app and MDM.
When a user logs into an app that contains an embedded webview, the webview is redirected to their corporate Okta tenant login web page, just like with any typical app that uses federated identity. But from there, the Okta login page redirects the user to the Okta Mobile app, via a universal link.
The Okta Mobile app contains a pre-shared secret; Okta Mobile is managed with MDM and the secret is populated using a managed configuration. If the app is not present or managed, or if the device is not enrolled, the user is directed to the appropriate links to correct this.
By verifying the pre-shared secret, the Okta tenant knows that the device is managed and, if the appropriate MDM policies are in place, compliant. The user can then return to the app and continue the process.
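The flow in the three paragraphs above, modelled as an added example (this is not Okta's code or protocol, and the message formats, the managed-configuration key `deviceTrustSecret`, the enrollment URL and the HMAC challenge-response are all assumptions made for illustration). It shows both sides: the tenant issues a login challenge, the managed Okta Mobile app proves it holds the secret that MDM pushed into its managed configuration, and the tenant maps the outcome to allow, redirect-to-enrollment or deny.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


# ---- Identity provider side (constructed model of the Okta tenant) ----
@dataclass
class Tenant:
    # Secret shared with the MDM, which pushes it into the managed app's
    # configuration on enrolled devices. Constructed value for this example.
    device_trust_secret: bytes
    enrollment_url: str = "https://mdm.example.test/enroll"  # hypothetical
    challenges: dict = field(default_factory=dict)

    def start_login(self, login_id: str) -> dict:
        # The login page hands the app a one-time nonce via the universal
        # link, so the secret itself never has to travel in the redirect.
        nonce = secrets.token_hex(16)
        self.challenges[login_id] = nonce
        return {"step": "open_okta_mobile", "login_id": login_id, "nonce": nonce}

    def verify_attestation(self, login_id: str, response: Optional[dict]) -> dict:
        # Each nonce is consumed on first use, so a captured proof cannot be replayed.
        nonce = self.challenges.pop(login_id, None)
        if nonce is None:
            return {"decision": "deny", "reason": "unknown or replayed login"}
        if response is None:
            # App absent, unmanaged, or device not enrolled: send the user to fix it.
            return {"decision": "redirect", "url": self.enrollment_url}
        expected = hmac.new(
            self.device_trust_secret, (login_id + nonce).encode(), hashlib.sha256
        ).hexdigest()
        if hmac.compare_digest(expected, response.get("proof", "")):
            # Secret held only by MDM-managed copies of the app: device is managed.
            return {"decision": "allow", "device_trusted": True}
        return {"decision": "deny", "reason": "bad device trust proof"}


# ---- Device side (constructed model of Okta Mobile under MDM) ----
@dataclass
class Device:
    enrolled: bool
    # What the MDM pushes to the app as managed configuration (assumed key name).
    managed_app_config: dict = field(default_factory=dict)

    def okta_mobile_attest(self, challenge: dict) -> Optional[dict]:
        secret = self.managed_app_config.get("deviceTrustSecret") if self.enrolled else None
        if secret is None:
            return None  # nothing to prove: the app is not managed
        proof = hmac.new(
            secret.encode(), (challenge["login_id"] + challenge["nonce"]).encode(), hashlib.sha256
        ).hexdigest()
        return {"login_id": challenge["login_id"], "proof": proof}


def run_login(tenant: Tenant, device: Device, login_id: str) -> dict:
    """One embedded-webview login: challenge, app attestation, tenant decision."""
    challenge = tenant.start_login(login_id)
    response = device.okta_mobile_attest(challenge)
    return tenant.verify_attestation(login_id, response)


if __name__ == "__main__":
    tenant = Tenant(device_trust_secret=b"constructed-shared-secret")
    managed = Device(enrolled=True, managed_app_config={"deviceTrustSecret": "constructed-shared-secret"})
    personal = Device(enrolled=False)
    print(run_login(tenant, managed, "login-1"))
    print(run_login(tenant, personal, "login-2"))
```

The page only says the tenant "verifies the pre-shared secret"; binding the proof to a fresh nonce is the design choice a practitioner would want here, because a static secret sent as-is would let anyone who captured one redirect present it from an unmanaged device. The policy checks the page mentions (is the device compliant, not just enrolled) would be layered on after `device_trusted` comes back true.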
The result is conditional access for any iOS app, regardless of whether it uses the modern SFAuthenticationSession technique or just embedded webviews. Okta has also enabled a completely password-free flow for Office 365 iOS apps, and will add this for other apps in the future.
This is currently available for use with Okta Mobility Management, and should be available to work with any third-party MDM in late January or early February. There are some demos in Naveed’s Oktane 2017 session (you’ll notice the session mentions the now-shelved plans for Apple DEP). Okta should be providing some updated videos, so I’ll add a link here when they’re available.
For other devices, the Okta device trust approach varies.
On unmanaged iOS devices, the Okta Mobile app can do a few forms of device attestation. For Windows, Okta has an MSI that can be distributed by any client management tool; it registers devices and installs certificates. On macOS, they have a certificate enrollment process that works with Jamf. For per-app conditional access, Okta can be implemented with MobileIron Access, VMware Workspace One, or third-party VPNs. Android conditional access support is coming later this year, and will take yet another technical approach.
...Again, there are a lot of ways to do conditional access! (Be sure to check with them on the exact timing and technical details of these.)
For their part, Okta is working out how to implement as many conditional access options as possible. In addition to options that work with Okta Mobile Management and with any 3rd-party MDM, they’re working with vendors like MobileIron and Jamf to create integrations and reference documentation.
In general, be prepared to hear more about conditional access in 2018. It answers a good number of the questions we had about BYOD, consumerization, and the cloud in the first half of this decade, and is starting to become a defining aspect of modern end user computing.