Panel: Mobility Management Challenges and How to Overcome Them



Mike Paiko:  Hey good morning everyone. I hope Oktane has been a good event for you so far. I know myself, this is my second year at Oktane and I think it's even better than last year. If you haven't seen all the sessions, make sure you go back and watch all the replays for the ones that you missed. I think it's been a good experience for all involved. If you of have feedback, please be sure to fill out all the surveys and send it to the company.

Why I'm really excited today is to have a panel of Okta Mobility customers. Many times we can go through a lot of these presentations and have a whole discussion about hey you can do this. Here's these great features, but at the end of the day, hearing from actual customers and how they do it and the challenges they come across is extremely more valuable and allows you to relate to those experiences. 

So with that, I'm very excited to introduce our panel today. We have Kelsey Van Hester from Thoughtworks. We have CJ Weimer from kCura, and Owen Fuller from the Weitz Company. So we'll begin by having each of them give a brief introduction and their roles in their company and we'll kick it off from there.

Kelsey:  Okay. Hi. Good morning everybody. I'm Kelsey. I'm Product Owner of Global Identity for Thoughtworks. And I like to say that I look after the most remote team on the planet. There's five of us spread across America, Australia, and India and we look after identity for about 5000 Thoughtworkers. 

CJ:  I'm the Information Systems Security Engineer commonly referred to as the Security Guy in IT. kCura is a software company headquartered in Chicago. Around 750 employees and so I do just about anything and everything security related.

Owen:  I'm Owen Fuller. I'm A System Administrator for the Weitz Company, which is a construction company based in Des Moines Iowa. It was founded in 1855, making it the oldest general contractor West of the Mississippi. So we've got about 17 IT Staff that support 12 offices from Florida over to Phoenix and from Twin Cities down to Houston and dozens if not into the hundreds of job sites across various locations all across the country. I'm a multi-hat wearing type of administrator. I do Network Security, if we can say we have security really, as well as Identity Management as well.

Mike Paiko:  Great. So to begin our panel discussion what I'm going to ask each of them to give is a brief description of how mobile was addressed within their organization. What were the key drivers that really convinced them they needed to have some type of Mobile Management Solution? What were some of the decision criteria and really what led them to choose Okta and Okta Mobility Management. 

So let's start with Kelsey.

Kelsey:  Okay. So thoughtworks is an interesting organization. We hire very smart people, consultants. We like to be very light touch. We take a trust approach. People are issued with a Thoughtworks provided laptop and the expectation is that they will do certain things, that they will encrypt their device and so on and so forth. We've needed a way to verify that trust on occasion and one of the key things around us for Okta was that it was a very lightweight solution. Thoughtworkers are probably not likely to be very accepting of something that has for example, puts agents on their devices, or those kinds of things, so Okta's solution avoided the need to do that.It was really is about verifying trust, and also for us about being able to get some good data and make decisions based on that data. 

CJ:  For me, I'm going to tie it into the security because that's what I like talking about. The foundation to any vulnerability management program is asset management. You need to know what devices and what type of devices you have in order to defend against certain threats. So we needed some sort of way of tracking all the phones, what IOS version and things like that they're running. Who has what, where. And we already had Okta implemented, so it just made sense to bring in the Mobility Management and it's super easy to use and set up. So that was very helpful to get our asset management program a little further.

Owen:  For us, it wasn't really a desire for the Mobility Management Project originally that drove us to getting OMM. Originally for us there was a mandate from our parent company after an acquisition a few years ago that all of the subsidiaries were going to be on a single email platform. That was going to be Office 365. About this time we were looking for an Identity Management product because our users had complained that they had too many passwords. Out of all the issues in the entire company, that mad the top five. Not just IT issues, but issues across the entire company, so we started looking at Okta and what we found out was they had Okta Mobility Management and by using OMM, we could make our Office 365 rollout to our mobile devices a little bit easier. We have about 950 iOS devices among about 600 users, so we're also a very handholding type of culture. It has to be super simple or we don't want to put it in front of the users. So really for us, it was a very way to bundle that together. 

We had previously used Airwatch. It wasn't totally set up correctly and the System Administrator had run that for us left the company, so we got to a point over the last few years prior to this where all of our devices were just kind of in the wild. We would get them. Service Desk would touch them, set them up, but after that, we had no control. We saw this as a really good way to help meet those needs on the Office rollout as well as just coupling it with the IDM and as a cell product, we were already looking at and just roll those together, get a little bit more control over the devices and give the users an easy way to get that new email profile on their devices on migration weekend.

Mike Paiko:  That's great. I think the best thing about his story is that they did an employee survey and actually did something about it, so I give them a lot of credit for that. Making the decision to go with and use a Mobile Management Solution is really just a first step. I'm all of you have the experience that unless you actually get the value and the usage of the software, you're not going to get the benefits of all the security unless end users are actually enrolled to end use it.

I'd like CJ to start off and talk about what are some of the things that you did at your organization to really educate end users, communicate what was happening and what was the approach rolling it out? Did you do some test groups or was it Big Bang for everybody?

CJ:  With us, IT is always the testbed because if stuff breaks, we're going to be the ones to fix it, so we might as well experience that first and get all the kinks out of the way. We first rolled it out to just the IT Engineering group. It Ops, just to see how it went. To get a feel for it. And then, yeah, sort of just slowly push it out to more and more groups and then made sure to even change our procedures that if a new hire came on and they needed a company phone, that that already had the app installed and things like that. So that going forward, when we're handing out more devices it already had it set up.

I don't think there were many challenges. We had Okta first, so I think we learned from implementing Okta at first and the pushback we had received from that or any comments and things like that to make it easier and to make sure we did a better job communicating and really explaining what it actually does and the purpose of it and the things like that. The benefits.

Mike Paiko:  Owen.

Owen:  For us I already talked about really the driver for us on the OMM side was for the Office 365 rollout. What I didn't mention was that was actually our first exposure to Okta for our end users so they had not even seen Okta on the desktop. Their very first experience was logging into that Okta Mobile app on the Go Live weekend, so in preparation for that we did a little internal testing and essentially all we did was just put together a PDF with a bunch of screen shots, very simple instructions of "Hey, here's where you're going to click and this is how you're going to get your new email profile on there." So we just put that up in Box. Sent that out about a week before the migration and then migration weekend we just sent that link out again in a text message blast to all of our users and for the most part, we had no issue. 

You know you always have a few users that just aren't comfortable going through the directions and things like that, but out of those 600 or so users, I think we had maybe less than 10 calls the next morning. It was a very straightforward, seamless process with just some simple PDF instructions that we gave users and so it was definitely a big, everybody all at once type push, outside of just the little bit of testing we did internally with the department.

Mike Paiko:  Okay.

Kelsey:  So we've taken an incremental or a staged approach to rolling out OMM. Like CJ, IT went first, so Tech Ops, which is about 200 people in total and the installation and the setup process is really simple. It's really quick. It didn't require a great deal of explanation or documentation. It was really just an email to the group explaining what we were doing and why we were doing it and asking people to enroll their devices with that Okta Dashboard. And then we've spent some considerable time gathering some feedback, which I will talk about a bit later and we're now about ready to roll it out to another group of early adopters who are not Tech Ops folk, but who were people we hope in the organization will be ambassadors for us and then will then talk to other Thoughtworkers about their experience and about what's happening.

We've also and again, probably talk about this a bit more later, we've also built a transparency app that's available to any user whose device is enrolled, so that they can see exactly what we can see about their device, so transparency and feedback's really important to us.

Mike Paiko:  Now that's great. They've done a great job describing the decision why. How they're getting their end users to enroll and so far I think they've made sound actually a little bit too easy and I think Kelsey foreshadowed my next question and that as you got it rolled out and you've started using it, has there really been any, I guess unanticipated challenges or things came up that you didn't expect? Or things that you could make our colleagues in the audience be aware of that might help them avoid problems in the future?

Owen:  Want me to start?

Mike Paiko:  Yeah start with you.

Owen:  I think for us some of that just revolved around maybe letting the users know that this was going to do more for them than just put that email profile on there. Just let them know, "Hey. You're also going to be able to go in there and access your other apps." Part of that was probably just because again, we started with that OMM deployment before we started with the SSO on the desktop. So maybe if we had a little more time, we weren't constrained by that it would have been nice to maybe give users that SSO experience first and then say, "Oh. By the way, now what you do on your desktop, you can do in the device." I think we still have some users that don't realize you can get to applications in there, so that'd maybe be one thing if we weren't constrained by all those other problems.

I think too you have to realize that while OMM can do a lot of powerful things, it can get some of your basic apps on there if they're supported within Okta. There may be things that you can't do and just having an understanding that it's not necessarily MobileIron, or an AirWatch, but if what you're needing is that basic functionality, then it provides a lot of that very basic device information about what OS is on the device and how much space and your ID numbers for your cellular carriers. Things like that. And just giving your support team an expectation of, "Hey this is what you can do with the product. This is what you can't do with the product." Maybe a little bit more of that up front.

CJ:  I think with any change, communication is key. Really just explaining here's what the app does. We can't see any of your text messages to pictures or anything like that. It's just to use for these specific things and then talk about the benefits of then being able to then hit all of your Chiclets from your phone wherever you are. That's awesome. I use that feature all the time when you're walking around the office helping other people and you need to look something up really fast. 

Another thing was, a colleague and I do the IT Orientation Onboarding when new hires come on and explain, "Okay. You're going to be using Okta to access everything." And I think the most common question we get at the end of it is what's the wi-fi password? And it's like, "Okay, so you weren't listening to anything I was just talking about." So we go a little of the bribe route and say, "Well we could tell you the wi-fi password or you could install this application and the password will automatically get pushed to your phone and that way, even when we rotate the wi-fi password, you still get it pushed automatically and you won't ever have to track us down and bug us about the wi-fi password again. 

Kelsey:  Okay. So for us, when someone joins Thoughtworks, they get handed a laptop, a MacBook, and they have administrative access, full access to that laptop and we don't generally apply any kind of policy or constraints to the way that they use that. That's what the culture is about. Trust but verify. When we first rolled out OMM to the initial group, we had set up some policy on laptop password and locking and various things like that. And plus the ability to remotely wipe a device was part of the package. And boy did we get some feedback about that.

Very quickly it became very obvious that that kind of approach was really not going to work for us. It was not going to be acceptable under any circumstances at all and these were Tech Ops people. These were people that we had asked to support us and trial this and they were unhappy, so you can only begin to imagine how unhappy the wider population was going to be. 

We learned from that pretty quickly and pulled back on that and then as soon as the ability to opt out of remote wipe became available, via Okta again, we've gone ahead and done that. So those were the key challenges. I think for us is recognizing and acknowledging that the culture that we have is the culture that we have and that it's valuable and very powerful and whatever we need to do needs to be done in a way that's going to be appropriate and going to work.

And also reinforcement. Gathering feedback and acting upon that feedback is something that's really important and we should continue to do that.

Mike Paiko:  Some of you may have picked this up or not, but Kelsey's organization they actually used Okta Mobility Management first to manage their Mac laptops and not their iOS and Android devices. So she provides a little bit different perspective than some of our other customers and so I just wanted to highlight that point and because we've gotten feedback like this from our customers, you may have seen during some of the earlier presentations, we had what we call a privacy sensitive enrollment flow, which is now the end user can see exactly some of the things they detailed about what IT can and cannot do. Kelsey just referred to the ability to disable device wipe. So we now have the ability where you can basically take away the ability to do device wipe and only do managed app wipe, selective wipe. So this way, there's never an accidental wiping of data. I forget. One of you had a good story I think about wiping the wrong person's device. Was that one of you guys?

Owen:  I don't remember if I told you about it. I think we had that happen once. It was a case where I think there was a similar name, or like a junior versus a senior. There's no undo button on that. 

Mike Paiko:  In the case of us working with Thoughtworks, we've now enabled the option to say no one can ever do a full device wipe, even if they wanted to. So these are just some of the types of things that we've been collecting feedback and it's great to hear that this has been so successful for them.

We talked about now some of the challenges and the key things to think about and look forward. Now if you could take a step back and we talked about so many different things here around Okta Mobility at the show. We've talked about Device Trust. Better ways of managing Office 365 and Gsuite. There's going to be some great stuff in the RoadMap session after hours and I suggest to you attend.

As you think about mobility management going forward, what are some of things or key areas that you feel you need or you're going to focus on going forward?

Let's start with Kelsey.

Kelsey:  For us and I probably should have mentioned it earlier, we're a consulting company. Professional services consulting company. Our people are not in an office, behind a firewall, or on a network. They could be working and are working from anywhere on the planet and they're remote pretty much all of the time. I think one of the most exciting things for us is being able to move our perimeter to the trusted device, so the device becomes the perimeter for us and in the future the ability to work out whether you're accessing sensitive data because you happen to be in office or whether you are actually in some dodgy internet café in Thailand or on a beach in South America. Being able to go okay if you're in the office then your access should be seamless. You're not going to get prompted for multiple factors and we know you can get access to whatever you need. If you are somewhere else, then you perhaps should not have access to some of the more sensitive and critical data, depending on who you are. So Device Trust is the important thing for us. And basically recognizing the perimeter as it was doesn't exist anymore.

Mike Paiko:  That's great. How about you CJ?

CJ:  Yeah. Device Trust definitely. I think even on Monday I want to start rolling that out.

Mike Paiko:  It goes EA on Tuesday by the way. It's a holiday. You can have Monday off.

CJ:  Oh Okay. We're a huge Office 365 shop so that whole easy enrollment process and things like that with the device trust. I seen the demos yesterday where it's just a couple clicks, agree, install, whatever and not having to worry about a password and from then on, Okta just trusts that device. You're automatically logged into stuff. I think that's super cool. And that will also be I think really helpful in convincing people to install it and use it and things like that, to show them how simple and easy it is. No longer having to deal with when people reset their password, then they forget to change it on their phone and they get ... They won't get locked out of their phone, but they come to IT. Why aren't I getting emails on my phone? Did you change your password? Yup. That's why. So I think that will be really cool just a better user experience overall.

Mike Paiko:  CJ. Mentioning that, so would you consider blocking access to email if they don't enroll in Okta Mobility?

CJ:  Probably yeah.

Mike Paiko:  Do you think that would drive adoption or drive ain't angst?

CJ:  Something tells me there will be some pushback but I think we could probably convince them. 

Mike Paiko:  The betterment for the whole. And I think the key thing that he touched on is the benefit to the end user and always the focus of Okta. Yes, he's probably going to enforce them to enroll, but if he's giving them now a passwordless auth and no longer causing account lockouts and help desk calls, there's probably maybe a good compelling discussion with your end users to get them to buy in.

How bout you Owen?

Owen:  I think the certificate based authentication is going to be a big one for us. Internally I'm rally happy about that because I think it will be the thing that finally drives us to look at federating our Office 365 login, so we were well down dirt sync route as we were trying to scramble to get that out when we did our initial deployment and didn't want to try and change anything going down that route, but this would be a good reason to maybe do that and that will allow us to also then the device trust. Once we do the Device Trust, I think we'll also want to do at the same time the ... Did I get those backwards, I think I said Cert Auth. Both of those. Both the Cert Auth and the Device Trust. We also have a lot of help desk tickets. My service desk manager, when I mention that the Certificate based Authentication was coming, he was just like, "Oh man. That will save us so many tickets. Users just don't seem to get when they change their password on their computer, that's also going to have to be updated on their mobile device." 

You don't want to necessarily burden them, or you don't want to delay them either, even if it takes a 15 minute call or something to get int he help desk and have them do a reset. Things like that. That's just time where they could be out there doing their jobs and it makes them happier and it makes them have kind of It be something in the background that helps them out rather than something that's on their complaint list. 

I think those two things would be really good and I'm definitely looking way down the road there for Apple DEP which maybe coming someday I hear rumors of.

Mike Paiko:  If you go to the Right Roadmap Session, Device don't use cases around Apple DEP and own devices for Android will be discussed in the roadmap session, so nice foreshadowing there. Now, for our Game of Thrones fans, you know no spoilers please. We don't want to ruin Navid's thunder.

Before I open up to the audience so you can ask them our questions if each of you could just spend a few moments if you put yourself as a member of our audience whose either thinking about mobility or about to embark on it, what are just some things that you would recommend for them and let's start with CJ.

CJ:  I'd say use it for sure. It's so easy to mange as far as the administration side. There's only a couple menus and stuff like that. I rejoined the company back in December and Okta was really new to me so I'm still getting my feet wet with all that, but it's so easy as far as the UI and setup. It's very intuitive. I was able to just click around and oh that's how that works. That was easy. And the benefits of the app. Having it with you. Even if they're internal servers that you're trying to access with a Chiclet, I'm sure whatever VPN you're using there's an app for that too, so you can start the VPN app on your phone and then hop over to Okta, open the Chiclet and login that way. 

It's a huge help for our desktop support guys when they're running around the office and at people's computers and they need to look something up, they're a huge advocates for the mobile app, because then that way, they can always access that kind of information they need wherever they are. It's been a huge benefit so far I think.

Owen:  I echo what CJ was saying. Use it. It's so stupidly simple, but it does a lot for you. It brings you a lot of functionality for your admin teams and it really helps the users out in the end. Talk to your sales team. Get a trial going and really you could probably learn most of what you need to know about it in an hour or two, in an afternoon, so just get out there and give it a try. I really don't think you'll be disappointed in the product. It's a very good companion to go along with the other Okta products that you're probably already using today.

Kelsey:  I can't say anything to disagree with what's already been said and certainly from the perspective of the laptops that we've got enrolled the process is incredibly quick, simple, straightforward. Administratively, really easy to manage and for me, the biggest benefit is that I can actually see what assets we have. I've got some visibility whereas previously I had very little visibility over devices and over the state of those devices. And I now have that reassurance that I didn't have before so that's kind of the key driver for us.

And it's very lightweight for our users. I think what we have now is something that's going to be very acceptable to them and we're looking forward to rolling it out to increasingly wider groups. [inaudible 00:27:23] I totally encourage you to go ahead and try.

Mike Paiko:  Great. So with that, let's open it up for questions from the audience. This is your chance to get the real scoop.

We have a mic coming over.

Audience:  You mentioned that Device Trust and that they'll come cached with this authorization. Would that be in OMM?

CJ:  They're separate products from what I understand.

Mike Paiko:  Correct. 

CJ:  You don't need OMM for Device Trust.

Mike Paiko:  You do not need OMM for Device Trust but you do need something else to establish the trusted device so that the adaptive MFA product can query it to know that it's a trusted device.

CJ:  So a Third-

Mike Paiko:  A third party MDM, so I think we've discussed over the course of two days, we're supporting MobileIron and AirWatch to begin with, so if you have those products and you're using our adaptive MFA product, you can actually say, "Hey, is this device trusted by AirWatch? If yes, then that meets that condition of that contextual policy."

Audience:  Will that scenario help with password changes such as you guys alluded to, if they're using a native mail app, they're not using Office 365 mail app?

Mike Paiko:  That will not help you with that scenario. So that's actually being managed by Okta Mobility Management and that's synchronizing all the credentials from the Okta directory with the Apple mail app on the device.

Audience:  But it would help if they're using Office 365 passwordless authorization, correct?

Mike Paiko:  Yes. If you're using something else to put the Cert there. Correct. And exchange active sync.

Audience:  All right. Thanks.

Audience:  How are you guys dealing with the end users who don't necessarily want to talk to IT and they go out and they go ahead and install the Okta Mobility Management on their iPhone, and then they install it on their iPad, and then they sell their iPhone and they get a new iPhone. How do you guys work with knowing that device is actually owned by this person and they haven't handed it off to somebody else and now you've got corporate data out there ... Things like that?

Owen:  We don't have a BYOD policy so that makes it a little bit easier. Technically we don't restrict a user from bringing their own iPhone in. We do limit it to iOS devices unless you're an IT. There might be a special group out there that lets you put Android devices on, so yeah. Technically we could have somebody bring in their own iOS device, but I think most users just want to avoid that situation where their company's going to have that iron fist of being able to wipe device. You see there's some pushback when it's a company device, but can you imagine somebody that's just bringing their own device in. Most people don't want to do that. The vast majority of our users have company issued devices and we just tell them this is the way it's going to be.

And again, as they saw that as a way to get their email on their new phone, well, they all want their email, so they can keep working so we haven't gotten a lot of pushback in that regards. I guess technically there could be some situations out there where that would happen. I don't know if we've ever really specifically addressed that scenario, but you certainly can, if you know about it, wipe it very quickly or as soon as that user, if it's a case of an offboarding thing, or for whatever reason they just didn't ring the phone back and something else has happened with legal on that side, as soon as that user is turned off in AD, that propagates into Okta and then it deprovisions that device as well.

There are probably some holes there that could be filled somehow, but in general, it's a lot better for us than having no device management at all. It's a much, much better picture now than it was.

CJ:  Yeah. Going along with that, the deprovisioning thing I think is awesome. When they're offboarded, it just kicks off that chain and immediately wipes all the data. But back to your point. I guess technically it would be sort of hard to track that if they're voluntarily enrolling it. I would hope though that when they enroll, at least for us then that requires the PIN so that they wouldn't say, "Here. Let me unlock my phone for you" and then hand it over. So it's kind of relying on the users a little bit, but I guess there's not a huge good way to do that I think.

Owen:  And this isn't directly related to your question but we're jut talking about Device Wipe and some of those features. When a device or a user is leaving your company, there's some other good benefits within there too that we've been able to use for devices that are still within our company. Being able to unlock a phone, clear the passcode so the user can get in, or the other thing you can do is you can do a remote lock too, where you can say, "Hey. This device has been lost. If found, call" and you can put your service desk number on there. Whatever phone number you want. And then if anybody finds that, they can actually tap that and make that call to that number that you put in without unlocking the phone. Without having full access to it. Those are some of those things. Again, I know it wasn't exactly related to that question, but talking about some of the functionality, some of the things you can do with it, it's really beneficial to those devices you are trying to use and keep within your organization as well, when a user just forgets their PIN or does something crazy like that. 

Kelsey:  Because the scope for us is limited to the corporate provided laptops, not really such an issue for us. People bring their own phones and iPads. We don't issue corporate devices, so I don't know whether we would even have the conversation about whether somebody might want to enroll their personal device. I can't imagine that they would.

Mike Paiko:  Any other questions?

Great. Well, thank you very much. Thank you for my panelists. I really appreciated your time and sharing your stories with us. If anyone does have questions, we'll be lingering for a few minutes after the presentation.

Thank you.

Mobility management can be a complex undertaking. In this Q&A session, you’ll learn best practices from a panel of your peers including CJ Wiemer, Information Systems Security Engineer at kCura; Kelsey van Haaster, Product Owner, Identity at ThoughtWorks; and Owen Fuller, Systems Administrator at Weitz on how to make mobile management stress-free for IT while getting end-users to even like it. Come prepared to participate in this interactive session.