Okta Mobility Management Roadmap & Demo



Naveed Makhani:  Hi everyone, I am Naveed Makhani. I lead Product Management for Mobility here at Okta. Thank you for coming. Hopefully, with some lunch and some rest now, you've kind of worn off the craziness of last night. I talked to a bunch of people and it's amazing how the voice changes between, like, 24 hours ago and now, from all the yelling last night, but luckily mine didn't take that much of a hit. Thank you for coming. What I wanted to do today is give you a sense of our perspective on the various challenges and opportunities around enterprise mobility and where we're making our investments going forward, so give you insight into our roadmap. That could help inform your own roadmaps for enabling enterprise mobility within your organizations.

A couple of kind of housekeeping things: please keep in mind that I will be sharing some timelines, but they are forward-looking statements that are subject to change. The session is also being recorded, so please be aware of that.

Let's get into it. I started off last year's session with something similar, just some fun stats to show how big a part of our lives mobile is. We're really attached to our mobile devices. Just a quick poll of the audience: when you were waking up this morning, within 15 minutes of waking up, who did not check their mobile device? One gentleman in the back. Well, according to a Google study, on average 68% of us check our phones within 15 minutes of waking up, and you just killed that average. You are over-indexed here, very proud of yourselves. 87% of Millennials always have their phone, day and night. I definitely associate with this. I feel anxious when my phone is more than a couple of feet away from me.

This is a statistic that we shared last year; it still amazes me every time: the number of times we check our phone per day. It's 150 times per day that we're checking our phones. When we check our phones, we usually spend about 70 seconds per interaction, so a minute and 10 seconds, 150 times per day. The respondents in this survey from this Google study said that when they are out and about with mobile devices, 90% of the time they are doing something productive. They are working towards some personal or professional goals. It could be making a dinner reservation, could be booking an Airbnb, or it could be doing something productive for their professional lives as well.

This is giving rise to this idea of a mobile micro-moment. We have our devices with us all the time, and so when we catch ourselves in these situations, where we're waiting in line for a cup of coffee or for lunch, we check our phones. You might go straight to Facebook or Twitter, but what can we do from an enterprise perspective to make it just as seamless, just as frictionless, to go and log into Workday and approve that paid time off request or file that expense report? There's a wave of productivity that you could unleash if we make that a seamless, frictionless experience. That's one of the key things underlying our investments in mobility: designing those frictionless experiences.

Let's look at the apps that we're accessing from these mobile devices that we have with us all the time. This is data from our Businesses @ Work Report. This is data from your users, our customers, aggregated and anonymized. These are the services that they are using on their mobile devices. What jumps out at me here are the types of data that are stored in these. You look at O365 and G Suite. These are email services. This is arguably where your most confidential information is, either in the form of attachments or the actual message body itself. Salesforce, this is where all your customer data is. You might have your sales forecast, how you're doing against your quarterly plans. Workday, your compensation data. So, a lot of critical, sensitive data is accessed on mobile devices, and there is nothing preventing the users from accessing it from an unmanaged device. There's no corporate perimeter control anymore that they have to go through before they get access to that data.

They're going directly ... I could walk into the shadiest cyber café in Thailand, put in my primary factor credentials, username and password, Okta Verify Push proves that I am who I say I am, and I could download an earnings report a week before the announcement and make an edit. I'm not being malicious, but I also don't realize that the device I'm using is compromised; it may have malware, screen scrapers, key loggers, things like that.

It's a different world, this cloud and mobile world, and we need a different, more modern access management paradigm. The devices are connecting directly to the cloud services, and we are fortunate in this new architecture, we being Okta, that a kind of federation standard has emerged around SAML and OpenID Connect, where if you federate your service to Okta, you can rely on the user coming to Okta. They go to the cloud service, then that cloud service delegates to Okta for authentication, and we'll challenge for the user identity, but then at that point we can pause and say, "What else should we look at, what other factors of context should we incorporate into this access decision?" It could be location, it could be time of day, day of week, it could be a variety of factors, but we can also look at the device. We can look at what Okta knows about the device, but also what third parties that you may be leveraging know about that device.

Let's look at the mobility management solution you use, let's look at the desktop management solution you are using, mobile security. Maybe there are apps on that device that pose a risk of data leakage, and so we can incorporate all those factors of context and make the access decision.

This is kind of the modern access management model that we're building our policies around, so that at that point, where the cloud service delegates to us, we can pause and then direct the user into the workflow you want them to proceed through, based on the results of those contextual attributes.

That's kind of the landscape, so to speak, around which we're making our investments. They are really categorized in these three main areas: securing corporate data in this border-less world; designing frictionless experiences, so that we can take advantage of those mobile micro-moments; and building an identity-driven, lightweight management model, so it's easy on the administration aspects of it, so you have low complexity, low cost of ownership, and it's integrated with identity, so it's user-driven.

I'm going to take you through each of these, share kind of the highlights of what we delivered over the last year, but focus more on where we are going, going forward.

For securing corporate data in the border-less world, what's important is, when that device talks to the cloud service and then comes to us, assessing what state the device is in. There are three kind of overarching categories that we look at. One is, is the device known? Is that device known to be associated with Naveed, has Naveed used this device before? That gives us a level of kind of risk. We understand, "Okay, this is an unknown device. Naveed's never used it. Let's trigger a notification to him, make sure he knows that this device just tried to authenticate," or if it's a known device, that gives a little bit of assurance. It doesn't tell us whether it's secure or not.

If I use a device, you know it's my device, but you don't know if it has a passcode, if it's encrypted, if it's jailbroken and rooted. That's another level. That's another category: is it a secure device? Then, lastly, is it managed? I might have a known device that has a passcode today, but there's nothing stopping me from removing that passcode tomorrow. Now, the enterprise data that I have on it is vulnerable if that device is lost or stolen. Managed means, is there a management authority of some sort that has control over that enterprise data and the security controls? The device can be in any one or more of these states. It can be known, secured and managed, or it might only be known. We want to help you to make that assessment and work that into your policy based on the different services they are accessing.

It kind of sounds pretty simple: the device connects to the cloud service, the cloud service delegates to Okta. We just want to put it in one of three categories; it should be super simple. It's actually way more complicated than you expect. There are so many different access channels, there are so many different ways of accessing these cloud services. There's the platform dimension. There's the client type. Is it a web app, a native app? There's really no one-size-fits-all technical solution here. What we're doing is we're looking to match the access channel and the technical approach. We are building multiple technical solutions here that optimize for broad application coverage, because if you select one approach, you might not actually support very many applications, because that's the lowest common denominator approach.

Where possible, we're optimizing for that access channel to give you broad application coverage and best-of-breed interoperability. What I mean by that is you might have investments already in third-party mobility management solutions, third-party desktop management solutions, SCCM, JAMF, MobileIron, whatever it may be. We want to help you to leverage those existing investments and pair them with our access management capabilities to complete that use case. We want to deliver it with a great user experience and, of course, low complexity. This is what we're striving for when we build out our device trust solutions.

The access channels I talked about: there's the native app, so by native app here I mean thick clients, so your Outlook, your PowerPoint. Web app would be the browser-based channel that people can come in from. Then, there's the special breed, the ActiveSync mail clients. These are traditionally your built-in mail applications, so on iOS it's the Mail app. The third one there you see is the Samsung Mail client. A lot of the operating systems have these built-in clients that users can use to access email over the ActiveSync protocol. That's a big security threat vector as well. Then, lastly, there is the operating system. They are coming in on these channels, but on what operating system? Because that combination of, let's say, an Outlook thick client on Android might behave very differently than an Outlook thick client on Mac, and so we might have a different approach for that.

That's a bit of setup here. I want to go through the access via O365 ActiveSync mail clients first. We've got the platforms, we know the client type, and then the last dimension here is, is it managed by a third party or is it managed by Okta Mobility Management? The way I think about this is there are two pieces. You want to assess device trust and then you want to establish device trust. Okta, regardless of whether it's third-party managed or OMM managed, we are always going to be the ones who are assessing whether the device is trusted or not. You can use a different tool to establish trust. I'll give you an example with Windows. You might use SCCM or AD GPO to establish trust, and then Okta would assess it and verify that that's a trusted device. On mobility, you might use Okta Mobility Management to establish that trust and then Okta Identity to assess it.

That's what I mean here by third-party managed or OMM managed. I know it's kind of confusing here, but hopefully you can bear with me through this framework. What have we done? On the third-party managed side, we've delivered support here, so you can secure the access channel for O365 ActiveSync across all platforms. If that's a security concern for you, we support that use case today, and if you currently use a third-party mobility management solution and you have on-prem gateways that are used purely for securing ActiveSync, you could choose to decommission those and use this approach, where you still use the third-party mobility management solution, but you don't need their on-prem gateways to enforce whether the device is managed or not. You could tie that into Okta, so that could help to reduce complexity and get you some more business value out of existing investments.

On the OMM side, we delivered support for iOS, and for Android we are targeting the next six months, and then Windows and Mac in the future. I'll move to the native and web app channel now. Again, third-party managed and OMM managed. We released support for Windows, and what we are doing here is we are determining whether the device is [inaudible 00:12:23] and then using that as a signal to establish, to say that it's a trusted device. Then, when the user authenticates to a web application or through a native application and it's federated to Okta, we will then check for that trust signal, and if it's trusted, we'll let the user in. If it's not, we'll redirect them to an out-of-the-box page that explains that they are not getting access because their device doesn't meet the security requirements. Then, optionally, you could configure a redirect URL that you'd like to take the user to, to give them even more information. You have flexibility there as to the end-user workflow you want to create for them. The user impact: it's completely transparent to the end user. To them, coming from a trusted device, they don't know that anything else is happening behind the scenes.

If you remember, last year we introduced some of this capability. There was a certificate picker in the UI. We did a lot of user research. We found that users just have a real hard time with that when you have multiple certificates on the device, and so we iterated on the solution till we got it to a point where they don't see anything. It looks like just a standard Okta authentication to them, but behind the scenes we are accessing that trust state.

In the next six months, we are looking to move beyond Windows and deliver that across the board. Whether you're managing it with JAMF, MobileIron, AirWatch, SCCM, doesn't matter. We want to work with those vendors so that we can determine whether the device is trusted or not. On the OMM managed side, we delivered support for iOS. I'll demo for iOS both the third-party scenario as well as the Okta Mobility Management scenario, and then, within the next six months, we're looking at Android, and in the future we're looking at Mac and Windows, Mac coming sooner. Let me show you what this looks like.

Hopefully I've got everything configured here, so I'm going to show it to you on Salesforce. I've got the custom domain, it's redirecting me to Okta, which is so far the standard experience. What I've done on the admin side of this is I've protected Salesforce with Device Trust for iOS. What will happen is, as soon as I log in … I did not put in the right information. This is a new screen. Normally, it checks your credentials and lets you right into Salesforce, but because I'm protecting Salesforce, I need to verify that my device is secure before I get access to it. It's letting the user know we're going to use Okta Mobile to check whether you're secure or not. I tap on that link, Touch ID into Okta Mobile. Okta Mobile realizes that this device isn't secure, it's not enrolled in Okta Mobility Management, so it helps the user through this process. I can get started, secure the device. This is going through the standard Okta Mobility Management enrollment flow that triggers the native kind of OS management solution here.

Now, I'm done. It's going to bring me back to Okta Mobile. Then Okta Mobile is going to realize, "Okay, now you're secure, go back to the app you came from," in this case Salesforce. It's going to sign me right in. Within about a minute, I went from an untrusted device to a completely guided experience that got the user trusted. Oh, and "not authorized," but you're logged in. You're just not authorized. You go through that full flow in about a minute, and you're signed into Salesforce.

Let me show you a similar flow, but with a third-party management solution. This time, I'm doing it with Gmail. I'm going to pause it in the middle here, so the normal Gmail flow takes you to Okta, and I just want to pause here, so there's … Boy, that hides it, but there's a little arrow icon that launches the extension view down here, so I'm going to tap that, because if you notice, in Gmail, to do the authentication, it uses what's called Safari View Controller. It's essentially Safari, but embedded within the application. That means the user can take advantage of our Safari extension for single sign-on. They can tap on that, and what that will do is it will launch Okta Mobile via this extension. It will determine that this matches a site that it has stored and it logs them straight in, so there's no password they have to enter, they just use Okta Mobile to sign in to Gmail.

Then, it gives them the "Check my device is secure" process. That will go and bring up Okta Mobile, check that their device is secure. They click "secure my device" because it's not, and what happened is it just took them right into the AirWatch enrollment flow. This could be the AirWatch enrollment flow, the MobileIron enrollment flow, the Intune enrollment flow, whatever you use. You can customize that. You can tell us where to take the user when we determine that they need to secure their device. Again, a key thing we're looking at here is best-of-breed interoperability, designing a nice self-guided experience. We can work with what you have. You can use Okta Mobile for a fully integrated experience.

What else are we doing here? Reporting. So you do all this work, you start getting devices trusted. You have trusted authentications, you want to brag about it. You want to see how you're doing. At the beginning, it's going to look all red. You're going to have either unknown or untrusted devices accessing these services, but over time you'll start to see that go down. You'll roll it out maybe in a phased approach. You're not evaluating everybody's device trust state, but for the users that you're enforcing device trust for, you should see them in the green. If you look in the top right, you see O365 80%, so for those users that you've enforced device trust for, only the trusted logins are allowed; the other, untrusted ones are denied. Then, the unknown 20%, those are the users you haven't rolled it out to yet, so we're not assessing whether that device is secure. These kinds of reports are what we want to make available to you.

Then, so far I've been talking a lot about the managed state, but we also want to allow you to assess whether a device is secure without requiring management. There are a variety of use cases; a common one is a contractor scenario, where you might not be in a position to require enrollment into your mobility management solution, or maybe they come from an organization that already has them enrolled in their MDM solution, so you can't have two MDM solutions. In this case, what you might care about is that the device is secure according to your standards. When we jump from the app to Okta Mobile, instead of saying, "Now you have to go through an enrollment flow," what if we just check that the device has a passcode, it's encrypted, it's not jailbroken and maybe it's not on a bad OS version? You do those basic checks and say, "That's good enough for me, you can access the service," and if those things aren't in place, then you ask the user to put those controls in place and then come back and try the application.

We're looking at multiple approaches here, not just ones that require management. Moving on to frictionless experiences, what we delivered over the last year: the key theme here over the last year was around building trust with the end user. You may have seen it in some of the other mobility track sessions, but we [inaudible 00:20:30] a privacy-sensitive enrollment flow, where we educate the user on what we can or cannot see as part of the management relationship. Naturally, users are very sensitive to this. They're often using personal devices with text messages and photos, and they think the worst. They don't realize that we can't access their voicemails and things like that, and it leads to help desk calls as users try to educate themselves.

What we're doing here is making that transparent to them. They can go through the process before they even enroll. It educates them on that and then helps to build that trust. Similarly, disabling the wipe permission, so this is the nightmare scenario, where IT says, "Don't worry, we'll never wipe your device," but accidents happen and users are paranoid. Actually, Derek, I don't know if he's here, but yesterday Derek from Bottomline Technologies, an Okta customer, spoke about their OMM experiences. Before OMM, they were using [inaudible 00:21:25] ActiveSync, which just allows you to do a full device wipe, and an innocent mix-up, two names that look very similar on the Exchange console, and they wiped the wrong device, fully wiped the device. That's the scenario you worry about and that users worry about, so this is a solution to that, where you can choose not to even have the wipe permission. You can tell your users that even if I wanted to, even if you called me and told me that your device is lost, I still can't wipe the whole thing, I can only wipe the enterprise data. You can choose to use this. You could do it on a group basis, but it's open to you to help build that relationship.

Lastly, the work profile passcode, so this is something that Google introduced on Android that we support now, but this is the ability to put a stronger passcode on only the work applications. You can choose what you want to do on the device passcode, so do you even require a device passcode? Maybe it's a four-digit one, but the work one is eight digits, but the idea here is not to put a big overhead and tax on the end user when they're trying to get to their personal applications and personal services; instead, only when they're accessing work data is when you ask them for the enterprise-level security requirements.

Let me show you what that looks like. Notice I just put in a four-digit PIN here. Then, I'm in the device. Now, when I click on Workday, notice it tells the user, "Enter your work PIN to continue," so it's differentiating between the device PIN and the work PIN. Here, I put in five digits, so kind of a simple scenario; you might have eight digits or whatever, but the idea here is you have that flexibility. It's another thing that you could provide your end users to try and make their lives a little bit easier.

Where we're going in the future: biometric-based login to Okta Mobile, so in the next six months we're looking to introduce that. Eric Berg, in his super session yesterday, highlighted that that was one of the most requested features in the community, Touch ID to Okta Mobile, so we're bringing that out to both iOS and Android. Then, we're going to build on that to support password-less authentication. I'll show you a demo of this, but the idea is that you sign into an iOS application, we give you a button to bring you to Okta Mobile. Okta Mobile verifies that you are who you say you are based on Touch ID, and then Okta says, "This is Naveed, whatever app he came from, just trust that this is Naveed and let him in without even asking for a password."

I'm going to demonstrate that to you now, but it's a pretty nice way to get rid of passwords on mobile here. Wouldn't it be nice [inaudible 00:24:51]. This is a little bit different than the screen you saw before. The other screen said, "Check my device is secure." This one's saying, "I'm going to help you check your device is secure and sign into this application." I haven't put any password in; I hit "Sign in with Okta," it verified my device is secure, go back to the application, and it's going to sign me in. That is a super frictionless experience. I didn't type in one character of a password and I got an integrated device security check as part of the process. This is supported as of next week on all O365 applications, and in the future, so later this year, across all iOS applications. You guys can clap. That's okay. The keynotes get all the fun.

Where we're going beyond that: the post-enrollment flow. What I mean by this is you've helped the user, you built that trust, so that they decide to enroll in your solution, and you might even force them to enroll by saying that they have to secure the device. After the enrollment flow, you want to help them to understand what they just got out of it. You took away the password, that helps, but I just put this security profile in place, what is it doing for me, what's this management doing for me? The idea here is to help educate them, like: we just automatically configured your email for you, we just set up five Wi-Fi networks, so that you can walk into any office in our company in any location and automatically connect to corporate Wi-Fi. We provisioned four applications, so you don't have to go to the App Store and do that, and we pre-configured them, so you don't have to worry about the Salesforce custom domain anymore. It's helping to educate the end user as to what they're getting in return for this management control that they're providing to the IT organization.

Mobile notifications, so this is something you're familiar with in the end-user application: when you log in through a browser to Okta, the standard portal, there we have the ability to notify the user that they got new apps assigned to them, or whatever messages you want to make available to them. Let's bring that to the mobile channel, so using Okta Mobile, using Okta Verify, use that footprint on the device to provide them with those notifications.

Lastly, in this area, a devices view, where we could empower the users to take action to bring their device to whatever security level you deem [inaudible 00:27:34] to access the services that they need to access. In this case, there are three different devices. It lets them know that one of them, the Nexus 7, is managed, the other two aren't. They have the option of securing that device, and the ones that are secured have additional options beyond the first two. The idea here is self-service, educating and empowering the users, and using that as a way to get them to close some of the security gaps that may exist.

The last category here, identity-driven lightweight management, so what we delivered over the last year: an additional Wi-Fi profile configuration, delivered Mac management capabilities, and we have had for a while now the ability to make available private apps. Private apps are those that you don't publicly host in the app stores, Google Play or the Apple App Store. These are apps that you privately distribute through Okta Mobility Management, and we just enhanced the versioning process, so that you can offer upgrades to those custom applications more easily through Okta Mobile.

Where we're headed in the future, a bit of history here: we started out focused on BYO use cases and corporate-owned use cases that resembled BYO. We have lots of customers that use it in a mixed environment, but generally when they hand over that device, they're enforcing similar policies whether it's company-owned or BYO, but there are some use cases where you do want to treat those company-issued devices differently. A lot of you may have heard of the Apple Device Enrollment Program, and so we're going to take a phased approach here over the course of the year, based on what we've heard from you, and if you feel differently, please let us know. What we've heard is most important here is that you want to require enrollment, so when you hand a device over to a user, as part of the out-of-the-box kind of factory setup wizard, bring them into the enrollment flow, so you know it's a managed device. Then, don't let them take management off of it. Those are two capabilities offered by DEP.

Then, the third one we often hear is bypassing Activation Lock. I don't know if you're familiar with that, but the way it works is you give a device to a user, even if it's company-issued, and as soon as they turn on Find My iPhone, it will turn on this Activation Lock. What that means is when they give the device back to you and they leave the company, if you don't have their PIN, you can't use that device, even if you factory reset it. You have to go through a cumbersome process to prove to Apple that you own that device, and then they'll let you bypass it. Activation Lock is something that you can enforce a bypass of through DEP. These are things that make it easier to manage these company-owned devices and preserve management control. That's the first phase that we'll focus on for Apple DEP and the equivalent for Android, and then move on to the Volume Purchase Program in the future.

If you do have different use cases for DEP and for Android work-managed devices, we'd love to hear it, and [inaudible 00:30:31] and I will be around after the session. We're also looking to enable extensibility beyond what we support today, so currently you can export to CSV all the device details that we have for Okta Mobility Management enrolled devices. That provides some extensibility, but it'd be nicer if we had a devices API on top of that, so you could programmatically integrate with a variety of tools and systems that you have in place. We'll work on that as well.

Then, lastly, configuring enterprise services, to continue to push on this. We already support two of the three most common Wi-Fi profiles. Some of you have client certificate-based authentication to Wi-Fi, or referred to as [inaudible 00:31:12]; we're going to support that and then bring per-app VPN in the future as well.

Those are the three categories: kind of securing corporate data in the border-less world; frictionless experiences, password-less authentication all fits in there; and identity-driven lightweight management. So that's where we're focused going forward, and hopefully that helped to give you a sense of what we're tackling and when. In case you missed it, these will be available via recording next week. A few sessions I'd recommend: Demystifying Device Trust, so that's securing corporate data in a borderless world, there's a deep-dive session on that; and then specifically on email, another session, Securing O365 and G Suite on Mobile, can give you more practical guidance for how you could configure the environment; and then, lastly, Increasing Your Mobile Workforce Productivity. Derek, who I mentioned, did a great job in that session, talking about how he's using Okta Mobility Management, and [inaudible 00:32:11] takes you through some demos of other scenarios and capabilities that we support today.

That's all I had for this session, and I'll just open it up for questions, and I'll also be available after the session as well. Thank you. Yes.

Audience:  Is there mic around?

Audience:  Yes there is.

Audience:  First up, thanks. Question: is the language in these dialogues to the end users customizable, or will it be?

Naveed Makhani:  There's a set of flows or screens that are from Apple or from Android that don't support any customization, and there are some from Okta that, based on feedback, we could change, but right now they're kind of out of the box, not configurable.

Audience:  Okay, so the Okta ones, right now we have to work with you, but we can't do it through the management UI?

Naveed Makhani:  That's right.

Audience:  Thank you.

Audience:  The password-less option that you showed, what were you using to authenticate to the app? Was it through certificates in the background?

Naveed Makhani:  No. We've got some of our engineering team here. Afterwards, if you want to just come over, we can give you the details, but the iOS solution is not using certificates. All right, thanks everyone.

Get an early look into the exciting capabilities our mobility team is working on to solve your gnarliest challenges created by a workforce that can work from anywhere, on any device, at any time.