Increase Your Mobile Workforce Productivity



Ankit Garg:  All right. Hey everyone, my name is Ankit Garg. I'm part of the product management team at Okta and with me will be Derik from Bottomline Technologies. We both are super excited to have you all here at Oktane and attend this session with us. We all know mobile is a huge part of our lives. Do you guys know how big mobile is in your daily lives? Do you know how many hours you spend on your mobile devices every day? Do you know how many times you check your mobile devices every day? Any guesses in the audience? No?

Audience:  Five hours.

Ankit Garg:  Five hours, 10 hours. How many hours do you guys think you spend on your mobile device every day?

Audience:  Seven.

Ankit Garg:  Seven? All right. I'll share some of the interesting statistics around that in a few minutes, but let's jump in. We are a public company so I have to make sure I show this to you. This presentation will have some forward-looking statements. Now coming to the statistics, on an average, we spend almost 3.5 hours on our mobile device every day. If you take out almost seven hours of sleeping, then you spend almost 20% of your day engaged with your mobile device. That's a staggering number. You check your mobile device almost 150 times a day. That's another staggering statistic if you ... I can't imagine checking my phone 150 times a day, but it appears to be true. I do feel like I spend more time on my mobile device every day now.

Another study done by an organization revealed that 60% of the employees felt more productive when mobile was enabled from the organization, which meant they could do their work on the go. I go back to my early career days and think when I started my career, I could only access my email on my mobile device when I was on the corporate network, and I think how big of an impact it would have made to my productivity if I was able to access my email outside of work as well so. We live in interesting times where mobile has had a huge impact on our daily lives. Now as organizations think about enabling mobile, they're faced with this big challenge where they need to balance both security and productivity.

Now the IT admin wants to make sure that they enable their employees to be more productive, but at the same time they're concerned about their company data's security. For the end user, it's all about productivity and OMM tries to help alleviate some of these concerns. We first dive into a little bit deeper on the IT admin and end user side what their concerns are. On the IT admin side, data is the new currency we all know that, so they are most concerned with protecting company data. They don't want it to get lost with devices, which are stolen or ex-employees leaving the company. They're also concerned about employees accessing corporate services from devices, which might be malware infected.

Last but not the least, if you are choosing a mobile solution, you want to make sure that you also take care of your cost when you're rolling out the solution. You don't want a lot of help desk tickets or calls when you're rolling out a mobile solution as well as ongoing maintenance. Some of our customers earlier talked about password sync issues and all those other things. We want to eliminate that and make it really easy for you to use OMM and it's an important factor for other mobile solutions as well. From an end-user perspective, what they're mostly concerned about is access to corporate services, whether it's my email applications, whether it's my corporate Wi-Fi network, and I want to be productive when I do all those things.

I'm also concerned about my privacy. If I'm bringing my own device to work, which is a very common trend these days, I'm concerned about my company having access to my private messages, my photos or those other things on my device, which I don't want them to see. Last but not the least, I want to be able to use devices which I am comfortable with, whether it's an iOS device or it is an Android device. Now I'm going to dive into how OMM helps with some of these concerns. Both IT admins and end-users have common goals here, but they have very different concerns. Both users want the company to succeed, make sure the companies and whatnot and we'll show how OMM does that for you.

Now as you are enabling mobile for your organization, there are various aspects of enabling mobile. We'll start with how OMM helps with seamless mobile access and then we'll go all the way to offboarding end users. From a mobile access perspective, you guys must be wondering Okta already has a great assessment solution on desktop, on browsers, why is mobile such a big deal. Mobile is a very different beast it turns out. You could be using any of the native mail applications. You could be using the iOS Safari browser. You could be using a third-party application. The challenge is very different on mobile and we strive hard to make it simple on mobile. Now let me show you some of the things we do on mobile.

Right I have my mobile device here and I'm logged into my Okta application. You see the same dashboard, which we show on desktop browsers in Okta mobile as well. You have access to all your applications day one as soon as you log in to Okta mobile. If I click on Outlook, I can easily log in to my email. That works great. If I'm accessing a website on my iOS Safari browser, there are lots of ways in which end-users end up in this situation, which could be clicking a link in the email or in the SMS. We also provide an Okta extension which essentially connects to Okta mobile in order to find out which application you are trying to log into and injects credentials for that application automatically.

The user doesn't have to type in their username or password, they are just logged in. This is great. These are features which are already available with our product today. Now we are working on making it even simpler for users on mobile. I'm going to show some of the new stuff we have been working on. Let me switch over to this other device I have here. Will take a few seconds to appear, there we go. I have Outlook and Okta mobile here installed on my device and I'm trying to access Outlook email account here. I input my email when trying to set up my email account or try to add it. It recognizes that this office time and is federated to Okta, and it takes me to this page where I can sign in with Okta here.

When I hit this button, it just takes me to Okta mobile and I can Touch ID into Okta mobile to log in to Office 365. Now I come back to Outlook and you'll notice that I am logged in. This is completely passwordless for Office 365. It's currently packaged with our devices solution on iOS, but it will be available for all other apps on iOS later this year. Let me switch back to my slides. Just to do a quick recap, what I showed you was the Okta dashboard built into Okta mobile. I showed you the Okta mobile extension on iOS to log into Safari as well as passwordless for native apps on iOS and Touch ID on Okta mobile. The last two features I talked about are coming later this year.

Now let's talk about the next aspect which is really I have access to my applications, I can log in to them, but what about getting on my corporate network, what about the native mail application which I would like to be configured automatically, what about those things. I am also concerned about privacy so what about making it easy for end-users from that perspective. Now let me switch over and show you a demo on that one and show you how easy we make it for end-users. I'm logged into Okta here and when I click on my learn more link to enroll my device, it shows me this page which also gives me information on my privacy.

When I hit the privacy link over here, it tells me what content remains private and what content my company can access. You can click on this and you can see that my text messages, my photos, my company cannot have access to that, but what they do have access to is device details or any work applications I am installing through OMM. Let me go ahead and enroll my device here. I feel a lot better about privacy, so I'm going to go ahead and install my application. There you go. It will take me through a few prompts to install the OMM MDM profile on the device. Now it's connected to OMM and it's starting to push all the configuration down to the device.

If I go back to the MDM configuration, you will notice slowly that will start to show all the things which we are pushing down to the device which is to secure the device the passcode policy. It will push a mail configuration. It will also push any Wi-Fi networks which my company has configured for me. It's pushing all those commands. You will notice here the password policy appeared, there are a few restrictions that it's also pushing some applications for me. Let's cancel that, but what you notice here is it pushed a bunch of Wi-Fi networks. Now this is live Okta org, so we have different offices around the world which has different Wi-Fi networks.

Our admins push like six different Wi-Fi networks to the device. Now when I walk into any offices, I'll automatically get connected to that corporate network. What it's also pushing is my mail configuration which is the Exchange account. Let's go back and look at how that looks like. You will notice that there is a Microsoft Office 365 account which appears and it's already starting to sync email. Now this is leveraging some of the newer features which other speakers talked about, like the certificate based auth, and this is my live Okta org so these are live emails in our system which I'm heading right now. Isn't that great it all configured zero touch email Wi-Fi for me and all those things?

Just a quick recap, we care a lot about end-user privacy and we provide all that information to end-users, zero touch configuration for email Wi-Fi. I didn't show VPN, but we support VPN as well. It's great I'm all set up. I have access to a bunch of services. I can get on the corporate network easily. Now what about apps though? Now we all know we are living in an era where cloud apps are very popular, organizations are using more than 50 cloud apps these days as well. It's not a thing which is not uncommon these days. I want to be able for my end users to easily discover what corporate applications, they can use as well as secure them at the same time.

For that, we host an app store within Okta mobile and I'll show you a quick demo of that, what that looks like as well. Let me switch over to my mobile device over here. Login here, I go back to my Okta mobile application and you will notice the app store here which our admins have provided for Okta employees. You'll notice all the applications which are available to me, some applications which already exist on my device but not necessarily are secured yet, so end users can discover all those applications secure them as well. Let's say I want to install one of the applications, I hit Concur which is an expense solution. I'm at Oktane, I'll have to go back and file my expense report.

I hit install and it's starting to install Concur on my device. Let's say I also want to secure Box for iPhone and iPad. If I go back here, you'll notice it's already starting to install Concur for me and it's pushing back to my device. It's installing as well as securing Concur for me. From this point onwards, anything which I do in Concur is that is corporate data which is protected by OMM. Switching back over here, what I showed you is the mobile app store which is built into Okta mobile. We also support distribution of private apps. Let's say you build any apps which you only want your employees to have access to but not necessarily distributed in the app store which is available for all users. 

We support that as well. You can push your private apps to end users as well as update them when you need to. Now my end users are all enabled, they have access to apps, they can discover them and whatnot, but what about ongoing updates and management? OMM really helps with that as well. They make sure any new policies, any new apps which you want to distribute your end-users happens in a nice and transparent way as well. I have a few slides on that, not a demo, but we do all these things today. You can apply new policies. We do password syncs. We've recently built certificate based auth for Office 365. We managed the entire certificate lifecycle through OMM.

We will issue client certificates for authentication to Office 365 for mail as well as replace them when they're about to expire and all those things. We do all these things from an ongoing updates and management perspective. Last but not the least, when employees leave the company, you want to be able to easily offboard them. Now all of this is nicely integrated into Okta's lifecycle management for end-users as well, so let's see what that looks like. I go to an end user which is Jo user. He's leaving the company and what do I need to do in order to offboard and remove any corporate data on the devices easily? It's very simple. You go to the user.

You go to more actions and if you deactivate the user, what will happen on the device is it will take away any applications which are secured by OMM which will also remove any corporate data associated with those applications from the device. It's as easy as that. Some of the other speakers also talked about we show all the devices and you also have control over these devices, such as you can wipe them, you can remote lock them and whatnot. There are a bunch of rich features around managing devices and taking actions on them as well. What we are striving for with OMM is really a win-win for both IT admins and end-users. We want to make sure IT admins are heroes of their organization where they can enable mobile productivity, as well as secure their company data.

On the end user side, we want to make sure that they're super productive so they can add value to their companies, and also secure them at the same time. For those of you who are Okta customers but new to OMM, I would highly encourage that you reach out to your CSMs or account owners to learn more about OMM. We have a bunch of mobile team here at Oktane as well. If you'd like to chat with them to learn more about OMM, we will be around here and happy to field any questions for that as well. Now with that, I would like to invite Derik from Bottomline Technologies to the stage to share his experiences with rolling out OMM at Bottomline.

Derik Bibb:  All right.

Ankit Garg:  Cool.

Derik Bibb:  I got it.

Ankit Garg:  Here you go.

Derik Bibb:  All right, thank you everyone for coming. My name is Derik Bibb. I work for Bottomline Technologies. We're headquartered in Portsmouth, New Hampshire. We have offices all over the world, but most of them are here in the US. My disclaimer is much shorter than yours. All opinions I'm going to talk about are my own. Just real quick a little bit about Bottomline, been in business I think since the 198s, and we have multiple lines of business that all roll up into the overarching idea that we are a place where businesses can. They come to pay and to get paid, so business-to-business financial transactions primarily and the other lines of business really support that whole idea of the business to business model.

We're about 2000 users, many are technically savvy. We are our own SaaS provider, so a lot of developers. We're very geographically diverse and about half of our users are either completely remote or they're not in an office that has on-house or in-house IT support. We have about 1400 devices currently in OMM, almost all of them are iOS, a scant 10% are Android and about a half and half mix of corporate and BYOD. When we came on the journey of deciding to roll out an MDM solution, it was really due to these four bullets and primarily the first one, we are highly audited and regulated. If you look at the lines of business from the previous slide, we do a lot of things with banking, financial institutions, healthcare.

We fall under HIPAA, SOC, HITRUST, PCI, SOC II, FFIC. A non-stop series of audits, and we needed a solution that would help us tell a good story to those auditors when they came on site. The other key for us was our service desk was spending a lot of time helping new users enroll devices into Exchange ActiveSync, which was a primary use case for mobile devices before we went with OMM. Why did we choose Okta out of all the other choices out there? Primarily it was a users-first mentality that we try to do again across all decisions in IT. We want to focus on users, not on devices and Okta already has our entire user directory loaded up into it.

It's really a no-brainer to not go seek out all of us putting a whole new directory of users and another application, another place to manage users, another place to terminate users, so that was users first, and then privacy. Really wanted to be privacy sensitive to our users, especially the ones that are in the BYOD crowd. We didn't want to spy on our users. We don't want to know where they are. We don't want to see their personal photos and just my personal opinion but retaining top talent of your employees is always easier when you treat them like real people, not like criminals, like some of the other mobile manager solutions might try to do.

We definitely didn't have the need to do any geofencing or stopping cameras from working when in a certain area. I mean we are highly audited but that was way overkill, and it probably is for most industries out there. Finally, we really want to focus on automation in everything that we do at Bottomline. We have a small IT staff for a large user install base and the more we can automate, the more efficient everything can be. Really a key for us was when the HR system feeds into Active Directory, disables a separating user that automatically feeds up into Okta and removes all corporate data from the devices without anyone in IT or the service desk touching anything.

That's currently what's in place now and it's working fantastically. In the old world, we did have a pretty bad situation where due to some of the other audit requirements, part of the separating process for an employee leaving the company is that a member of the service desk would go into the Exchange console and remote wipe any devices they had connected to Exchange, which in Exchange it's just a complete flat factory reset. No granularity or anything and there was a miscommunication. We had two users with very similar last names and identical first names, and this poor guy was on an airplane to go visit a customer and when he landed and put his iPhone and took it out of airplane mode, it rebooted on him as a factory reset to that device.

We don't have to worry about that anymore. Like any project, our deployment didn't go perfectly smoothly. We had our share of deployment challenges. First one was really enabling user self service. Initially we struggled with some of our users to get them to do their own enrollment. With over a thousand users in an area without any dedicated IT staff, we really had to use self service. There was no way of hand-holding those users through on a one-on-one basis. We also found a surprising number of users that never bothered to open the Apple App Store. I don't know if anyone's discovered that in their org. They use the apps that come with the phone and that was it. We had to adjust to accommodate that. 

Secondly, we had a real problem with the intrusive warning, especially in BYOD crowd. All of our efforts in choosing a solution that was privacy sensitive was really negated by the default messages that pop up on iOS and Android. If you can't read that in the back, the big scary part is the administrator may collect personal data, which we weren't doing. In fact, we couldn't do it but they don't know that. That's what it says. That was a big challenge for us. Then the third and the biggest challenge that we encountered during our enrollment phase is that we were coming from all our devices had ActiveSync on it already, so we had to get users to uninstall ActiveSync and then enroll in OMM.

A lot of times they saw it as little value, they didn't want to do it, but we had to enforce it in order to meet all the compliance that we needed to do. A final challenge that we didn't see coming when we started our project is the jailbroken rooted device problem. We never really had visibility into it, so we didn't even really consider that it might be a problem. As soon as we started getting hundreds and then thousands of devices rolling into Okta and running some reports, right at the top of the screen on the management side is the number of jailbroken rooted devices. We needed to address that which again we didn't even really know what's coming when we started our project.

All right, now for the good part, it wouldn't be a very good presentation if all I did was complain about what was difficult, so hopefully we have some solutions to all of these different challenges. In terms of user self service, the real key for us was creating really good documentation. I don't know how many out in the audience use Confluence as a documentation tool, but we learned that you can embed GIFs, or JIFs if you prefer, right into a document page, and it made it really easy. You'd have to scroll down through hundreds of screenshots. You can actually follow the mouse click move and users had really appreciated the streamlined documentation for that.

The other key for us was the critical mass effect. As soon as we got a few users into it, they could help their neighbors, they could help their co-workers, and it's just a snowball that kept rolling. With that for us, IT really only had to deal with a few edge cases that really struggled. By and large, that really became a non-issue for us with the good documentation and with the network effect of users helping users. With new users onboarding now, they get shown the documentation page as part of their initial IT onboarding, and by and large, they just follow it and it's not really an issue at all. On the intrusive warnings, Okta covered this a little bit, but it was EA when we were testing it. 

I believe it's now generally available and enabled for all orgs. If you haven't enrolled your device lately, go check it out. This is screenshots from my org and it really, really helps to alleviate concerns from BYOD users that we're not out there to be looking at their data, looking at their photos or doing things that it's not even possible to do but they think we do it anyway. On the enforced enrollment, unfortunately this is the spot where we're still struggling a little bit to get the 100% enforcement. There's a few ways you can go about doing this, but we still use exchange on-prem. A few of the best options aren't available to us, but what we found is that the best way to enforce the enrollment was to make the benefits outweigh the negatives.

It's easier to enroll in Okta OMM than it is to install webmail manually. It provides value in mobile WebEx for us, it's very popular. The other really popular one is our travel and expense app. It's so much easier to use your mobile device to snap a photo of a receipt before you even leave the restaurant than it is to throw everything in a folder and then bring it home and then spend your first day back from a conference scanning your receipts and everything. By creating value, we got our enrollment numbers up to where we needed them to be. A couple of things that we can't take advantage of yet is the certificate based authentication that's only available for Office 365 users, and then we're excited to look more into DEP for all of our Apple devices.

Recently Apple has announced that you can enroll devices in DEP that were not purchased through a corporate purchasing plan, so all those devices that we purchased from AT&T or Verizon, we can now take all those into our DEP program as well once that comes down though down the line. Then our jailbroken rooted device issue, we've brought this up. I've talked to Ankit about it, and I believe they have a solution coming for this in the second half of this year, which is down to the next four months. Hurry up, but we're looking forward to being able to automatically deactivate and remove corporate data from some devices that are discovered to be jailbroken or rooted, or prevent them from even enrolling in OMM in the first place.

To summarize, couple things that you can do in your org if you haven't enrolled in OMM yet to prepare for success, create enough value so that users want to install Okta mobile. I touched on our travel and expense. Mobile WebEx is extremely popular for taking meetings on the go. The more apps you can get into an Okta or your mobile app stores before you go live with your end user base, the better. Good documentation and good instructions empower user self service. Ankit walked through how easy it is to do. As an IT administrator, it should be that just easy for users that aren't as familiar walking through that process.

Lastly, get involved. The Okta dev team is here if you have any great ideas. I think I might have been the one to introduce the jailbroken rooted device requests, bring them to the dev team, they're all here, and demand more from your application vendors too. This is a big one for me. If we're looking at a new SaaS solution and they don't support SSO, the best time to make them support SSO is before you sign the contract with them. You never have more negotiating power than you do right before you sign that contract. If they don't support SSO, make them do that and if they don't support mobile SSO, have them put that on their roadmap at the very least before you'll sign the contract.

The more of us that band together and put the pressure on all those app developers, the better off everyone will be. We're looking at a few things in the future that we're excited about. We want to investigate device trust, which I believe is on the future roadmap. I think Naveed's session tomorrow is going to cover some of this stuff. I'm excited to see how we can utilize that to better meet our audit and regulatory requirements. I touched on the jailbroken rooted devices, which is coming by the end of this year, and we're always constantly pushing for better user experiences. Single sign-on for mobile apps is sometimes a little wishy-washy.

Some apps bring you out into mobile safari to have you log in. Some apps do it very seamlessly. Some apps store a token that's good for the length of your device, but then when you get a new device, you have to re-enroll. We're just constantly pushing the envelope on our apps and pushing our SaaS app developers to do a better job. With that, if Ankit wants to come back up.

Ankit Garg:  With that, I would just want to say that there are a few sessions which I would highly recommend you go to. The first one here has already happened. Some of you might have attended it by [Snegha 00:31:37]. If not, it's about securing Office 365 and G Suite on mobile devices, and there'll be a recording available after Oktane finishes. The second and third one are happening tomorrow. We have a panel with a bunch of OMM customers, like Concur, ThoughtWorks, so it'll be good for you to go listen to their experiences as well. The last one is the OMM roadmap presentation by Naveed, which is happening tomorrow. I highly recommend you go to that session as well to learn more about problems we have been working on and some of the exciting things which will come out in the future.

With that, we will open it up for questions.

Audience:  Okta mobile issue ...

Ankit Garg:  Sorry, I didn't ... 

Audience:  Sorry.

Audience:  Okay. Okay, thank you. I don't know if you have on the roadmap, but the Okta mobile app doesn't support the Okta profile update. The users from the Okta mobile app, they cannot change their profile settings in Okta itself.

Ankit Garg:  You mean Okta profile?

Audience:  Yes.

Ankit Garg:  Yeah, we don't support that currently, but they had point well-taken. I think we'll look at adding that in the future. Yeah.

Audience:  You showed something in the beginning part of the session where with Okta mobile, Okta mobile app, not OMM. It seems like it cached a username and password where they didn't have to login.

Ankit Garg:  Yeah. I think you're referring to the passwordless auth. What that allows you to do is if I'm trying to log into any application on iOS, it'll redirect me to Okta mobile. It will derive credentials from our mobile and let me log into the cloud service I'm trying to access through the native app. That's a solution, which we are working on right now, which will be available later in the year, but it will work for all native mobile apps on iOS.

Audience:  Okay, OMM it's not required to use that?

Ankit Garg:  OMM is not required for that. That's right.

Audience:  What's it called again?

Ankit Garg:  Sorry?

Audience:  What's the name of the admin?

Ankit Garg:  Passwordless auth on iOS. Any other questions?

Audience:  Okay. For the Bottomline Technologies, what did you use for the users when they first registered when they downloaded the app? What credentials do they need to provide in order to authenticate onto your network?

Derik Bibb:  When they first download the app?

Audience:  Mm-hmm (affirmative).

Derik Bibb:  They use their standard Active Directory network credentials.

Audience:  Password only?

Derik Bibb:  Username and password.

Audience:  Okay.

Derik Bibb:  Then once they do that, they can choose the Okta pin and then from that point forward until they change their password, they can continue just to use the pin.

Audience:  Is there anything on the roadmap or do you currently for either one of you guys looking at other apps that are loaded from the iOS or Google Play Stores, are they sideloaded and do you have any visibility to the risk of some of those apps on a personal device, like where the data is, where it might be going? They install some version of Candy Crush that it's sending data that you don't want going somewhere. Is there anything like that?

Ankit Garg:  Yeah, that's something we don't do today, but it ties into our whole story around how we look at device trust and what factors do we consider as an input to that signal, right? Currently we only consider whether the device is managed or not, but in future, you can imagine that we'll cover other use cases like what apps are installed on the device. That is information which we can get through the Apple MDM solution from the OS, but we currently don't address these use cases in the product. You'll hear more in the device trust session from Naveed on where we are taking some of this functionality, but we currently don't do that.

Audience:  Did you have any challenges if MFA was enabled on the user's Okta account relative to the mobile deployment and apps and things like that, you need things like that ensure? 

Derik Bibb:  At the time we are rolling out OMM, we're not using MFA yet. We currently are and we're actually not really encountering any additional issues, so no.

Audience:  When is the plan to integrate with Apple's DEP program and their VPP program, which is the volume per purchase program?

Ankit Garg:  Yeah, we highly, highly encourage you go to the roadmaps I think to learn more about things coming in the future, but that is on the roadmap for us. Yeah.

Audience:  Any others?

Ankit Garg:  Any other questions? Cool. If not, I'm still going to hang around here for another 10 or 15 minutes. If you guys want to come chat more about OMM, have any questions or problems or challenges you want to discuss, happy to do that.

Derik Bibb:  Yup, I'll be here too. Thank you.

Ankit Garg:  Cool, thanks everyone.

Derik Bibb:  Thank you.

Many organizations struggle to balance mobile device security with the seamless mobile access to corporate apps and data that employees want. Join Okta's Ankit Garg and Derik Bibb from Bottomline Technologies, an innovator in business payment automation technology for 30 years, to learn how Okta's unique identity driven mobile management solution allows IT to give users a privacy sensitive enrollment, custom app store, and one touch access while giving IT the mobile device security and control they want.