Unified endpoint management may be getting a lot of attention this year, but there’s a lot of progress on the conditional access front, too. Today, MobileIron is adding new features to their entrant in the space, MobileIron Access.
What is conditional access?
As we know, mobile devices and cloud apps mean that enterprise data can be all over the place, and old network and PC-based access controls just don’t cover everything anymore. Now, conditional access is becoming a common concept—this is the idea that the decision of whether or not to grant access is based on much broader visibility and management controls.
In practical terms, one of the common techniques that’s spreading is to ensure that when an identity provider makes an access decision, it checks with the user’s EMM platform to make sure the device that they’re coming from is managed and compliant with applicable policies. (There are many other factors that can go into a conditional access decision, like patterns of user behavior, geolocation, and so on, but for simplicity we’ll just focus on device management.)
Many of the conditional access products that exist today consist of EMM and IDaaS products that are integrated either because they come from the same vendor or through APIs.
MobileIron Access, first announced in April 2016, integrates with identity providers purely through SAML, and I’ve been wanting to provide a closer look at the architecture.
MobileIron Access works with any app that supports SAML federation (Box, Salesforce, Office 365, etc.) and with any SAML identity provider (such as ADFS, Okta, Ping, etc.).
SAML login flows are proxied through Sentry (MobileIron’s gateway product) via Tunnel (MobileIron's per-app VPN capabilities).
Approved, known client apps are managed by MobileIron so that they have a certificate and use the Tunnel/Sentry/Access flow for login, while unapproved or unmanaged apps that try to log in directly to a service can be blocked.
To make conditional access decisions, MobileIron Access communicates with MobileIron Core or MobileIron Cloud, so decisions can be based on whether or not the device and/or app is compliant with desired EMM policies.
Today, MobileIron announced three new Access components.
- Access Risk Discovery: This takes records of users, devices, apps, and browsers from cloud services, and compares them to the records in MobileIron Core or Cloud, in order to spot unknown clients or devices. For now, MobileIron is supporting Risk Discovery for Office 365, Salesforce, and Box.
- Access for Macs and PCs: This is pretty straightforward, as it simply takes Access and combines it with MobileIron’s Windows 10 and macOS management capabilities. For Windows 7, Access can leverage Workplace Join to get visibility; or look for a MobileIron agent. Customers push the agent to domain-joined PCs using their existing systems management, and by seeing the agent, MobileIron Access can know that it’s a corporate device.
- Access Authentication Analytics: A new dashboard that surfaces login events and details, including user location.
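To make the two mechanisms above concrete, here is a small model of the device-based access decision (the gateway checks the certificate a managed app presents against the EMM's device records and compliance state) and of the Risk Discovery reconciliation (cloud-service login records compared against the EMM inventory). This is an added illustration, not MobileIron code; the inventory, certificate serials and the assumption that cloud records and the EMM share a device identifier are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceRecord:
    """One device as the EMM platform (a stand-in for Core/Cloud) knows it."""
    device_id: str
    user: str
    compliant: bool   # passes the EMM's compliance policies
    cert_serial: str  # client certificate the EMM provisioned to managed apps

# Constructed EMM inventory; every value here is invented for the example.
EMM_INVENTORY = {
    "ios-0001": DeviceRecord("ios-0001", "alice", True, "CERT-A1"),
    "ios-0002": DeviceRecord("ios-0002", "bob", False, "CERT-B2"),
}

def access_decision(user: str, cert_serial: Optional[str], inventory=EMM_INVENTORY):
    """Gate a proxied SAML login. Returns (allow, reason).

    cert_serial is the client certificate the app presented to the gateway;
    None means the login did not arrive through the managed-app path at all."""
    if cert_serial is None:
        return False, "no device certificate: unmanaged app or direct login"
    rec = next((d for d in inventory.values() if d.cert_serial == cert_serial), None)
    if rec is None:
        return False, "certificate unknown to EMM"
    if rec.user != user:
        return False, "certificate issued to a different user"
    if not rec.compliant:
        return False, f"device {rec.device_id} out of compliance"
    return True, f"device {rec.device_id} managed and compliant"

def risk_discovery(cloud_logins, inventory=EMM_INVENTORY):
    """Reconcile a cloud service's login records against the EMM inventory.

    Assumes both sides report the same device identifier; returns the
    (user, device_id) pairs the EMM has no record of, i.e. unknown clients."""
    known = {(d.user, d.device_id) for d in inventory.values()}
    seen = {(login["user"], login["device_id"]) for login in cloud_logins}
    return sorted(seen - known)
```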
With mobile devices and cloud identity spreading, conditional access will soon be a big part of end user computing for many companies. MobileIron certainly sees it this way, as Access is one of their key growth drivers, spreading faster than their Windows 10 products, according to their last earnings call. Unified endpoint management and other device trends are a big deal on their own, but ultimately they feed into an even higher plane—smarter identity and access management.