Securing Office 365 & G Suite on Mobile Devices



Snegha R.:  Good afternoon everyone! My name is Snegha. I'm the mobility specialist for the sales engineering team here at Okta. As you can see, the topic of the day is Office 365 and G Suite. I want to start out with why email, why mobile, and why we're here today. We did a few studies recently. What we noticed is that we found from a recent Gartner CIO survey that more than 50% of a CIO's investments are related to mobile enabling their workforce. Clearly, this is important. The second thing is on a Forbes' survey, we found that mobile enabling a workforce led to a 23% increase in not just productivity, but satisfaction of employees. This tells us that productivity is important. Email is important. Mobile is important, but this challenge we all know it's important, but we haven't really always known the answer to the solution.

What are the challenges that IT sees in this world? One of the key things we've noticed these days is almost every few months, we have either a new operating system, or we have a new device type. Diverse landscape means having diverse solutions. We want you to have that solution no matter what use case you have. Another thing you will notice is that IT and end users, at the end of the day, everybody wants the same thing. Nobody really wants a breach to happen. What you'll notice is that everything is about a balance in access and security, but this is easier said than done. What I want to do today is help you have a toolkit with your Office 365 and G Suite instances on how do I solve this question of ease of access and security on your mobile devices.

One other thing I did want to mention is it's not just that this is about email. We looked at all the different Cloud applications that we access today, and you'll notice that Office 365 and G Suite are not just the email solutions of choice, but are also the top Cloud applications that users access today. Just to go through a quick agenda for what you will see and learn today, we're going to start out with Office 365, different features and solutions from both Microsoft and Okta that can help you with your challenges on mobile devices. That will be followed by a demo for Office 365, continued by G Suite. How can we help you with Google and Okta for G Suite?

Once we complete that, I will talk about how our customer is going to walk through what he does with Office 365 and mobile devices. We will follow that up with a little bit of time for questions today. Let's get started. One thing we look at every day is mobile devices, but what I wanted to do with this slide was to let you know we're all in this lifecycle management of what's happening with my mobile devices. Now, this doesn't mean you're using Okta to do this today. This doesn't mean you're using another solution. This is how things look today. You need to onboard devices. You need to get them to the point where these devices are actually being used by your users effectively. 

Email and security are part of the story. We're going to focus on that piece today, but at the same time, a lot of our different sessions today are going to help you paint this entire story. Let's talk about Office 365. If we take a step back, how exactly do you get email on mobile devices for Office 365? One of the most common ways is on a native mail app, and that uses Exchange ActiveSync. That's one of the key examples. The second one uses modern authentication. That is the Outlook client and Office applications. What you'll notice is that even to get email, there's all these different ways of getting email. That means we need to have all these different ways of solving the challenges that come with each of these protocols, as well as making sure your users are happy and get email the way they want to.

Let's look at how your sign-on policies look. Now, some of these things may look new to you, but if you have Office 365 federated with us today, you must know you have all these different sign-on policies that are extremely granular. Now, we've developed these to be so unique that you can decide what unique solution you would like to provide based on not just the things that you're used to so far, but also, what device type. Maybe you'd like to provide a different experience on an Android device. Maybe you'd like to provide a different experience on an iOS device. What we've done is included these conditions into our granular access policies. 

As I talk through the different features for Office 365, you will notice how this functionality will not just help you with mobile, but all the different things that you may already be doing with Office 365, and you may continue to do so. Exchange ActiveSync is typically on the native mail app. Let's take that as an example. How does this work today? If you took your phone, and you open the native mail app, you configured an Office 365 account. You typed in your username and password. It talks to Office 365. Office 365 says, "Hey, Okta is your IDP, so I'm going to let Okta authenticate you." Okta says, "Okay, let me check the user's credentials. Is this the right user?"

Once Okta knows this is the right user, we let you access your email, but this brings about the question, "Great, this is the right user. This is the right application, but what about the device? Do I know this device? Is this a managed device? What if it's just a random device at a coffee shop? Am I okay with that?" Let's look at what we can do with that. The first picture you see here is the ideal solution. Your mobile device, if it has a certificate to present to Office 365, Microsoft offers cert-based authentication to Office 365. Now, this gives you multiple things. The first thing is completely password-less authentication to Office 365, so much less friction. 

Nobody is going to call you and ask you, "I'm not getting email on my mail app, or I forgot my password." This takes care of all those password reset calls that you get as well, because the certificate takes care of that story. Now, the second piece this gives you is why does this make sure that this is only the devices I like? Because, how does the user get the certificate? With the granular access policies that you saw in just the previous screen, you have the ability to say whether you'd like to accept or deny Exchange ActiveSync as a protocol at all. You can also be granular enough to say, "On iOS, I trust the iOS mail app. I'd like to provide access. On Android, I don't." 

Once you do that, what that means is the only way to get access on the iOS mail app is to have the certificate on that device. Now, how does the user get the certificate? Through your management tools. Now, Okta Mobility Management, our MDM solution, does support this capability. We use our Okta CA to provide an Okta certificate to complete this process. If you do use a third party MDM, I'm sure you can check them to see if they support the deployment of certificates for this same purpose. Using our granular access policies, you are still able to make sure that no other Exchange ActiveSync traffic is allowed. A lot of you might have attended our previous session, which was about device trust, so I just wanted to touch a little bit on our device trust story. 

Then I'll show you what Outlook and that story look like with these features. Device trust is the ability to say that not only is this the right user and the right application, but this is the right device as well. Okta is working a lot on giving you the solution across the board, and Office 365 is one of those applications that supports this as well. We are going to show you how that looks. If you look at this picture, what it shows you is a user says I need access. They reach their Cloud application. It gets redirected to Okta, but Okta says, "Hey, I'd like to check if this is the right device or not." Once we know it's the right device, we will provide you access to your application.

Now, if it's not the right device, we are going to help you get the device the right security posture to enable your users. Why do we care? Why is this related to Outlook? Why is this related to Office 365? We talked about the second popular protocol, which is modern authentication on the Outlook client. We have a feature for iOS. iOS device trust for all modern applications is currently in EA for your preview environments. What this feature gives you is the ability to use the Okta mobile app on your iOS devices to be able to say, "Hey Okta mobile, is this device secure? Is there a valid sign-on session here? Should I grant the user access to the application they have asked for?"

Outlook is one of those applications. The two key features you will see with the Outlook application through this flow are first password-less authentication to Outlook. We're able to support an additional field for Outlook where you can use your active session in Okta mobile to have password-less auth into the application, as well as make sure only secure devices have access to Office 365. Now that we've talked about all of these things, let me show you a quick demo on this. Great! Let's take an example of a new end user. I come into work. You've given me my email address, and I downloaded Outlook. What do I do next?

I went into Outlook, and I'm a user who doesn't know what Okta is, what mobility management is, but I know I need my email to get my job done. I type in my email address. Some of you who may have seen this before must know that you are able to ... Excuse me. Let me just reconfigure that. I clearly practiced too much. All right, great. I'm going to restart that process. I'm a new user. I don't know my email already. I'm actually going to skip to my video here. I apologize for that. I think too much practice clearly ... This iPhone says it's not a new phone anymore. We're going to walk through this same flow together. The user opens Outlook. They type in their email address. Yes, I'm a Harry Potter nerd, so it is a Harry Potter account.

[email protected] is the email address. Office 365 recognizes this is Okta, and that's the new screen. What you just noticed even before I finished talking was that it redirected you to download Okta mobile. The reason for that was because we have a device trust policy that says they shouldn't have access unless they're enrolled in Okta Mobility Management. You downloaded Okta mobile. What next? I did want to mention here if you do have Okta mobile already on your device, this flow does know to enable you from the step you're already at. It can pre-populate the information for you, or it can just take you through the steps of enrollment in case you are already enrolled.

You set up the per-app PIN here for the Okta mobile app as some of you may be familiar with. You click on get started, and what you can see here is our privacy sensitive flow for enrollment of an iOS device. Once you go through the key steps to get enrolled in Okta Mobility Management, we will go back to Outlook. This time, we will have access to email. As you all noticed, all of that was completed in under two minutes. Once we open Okta mobile, you're able to see all the different applications that were provided to you by your Okta Mobility Management, as well as you can deploy any other application you need. Now, I restart the process now that I'm in the right security posture. 

You'll notice that I don't enter any passwords here. I was able to get into Outlook for my email, and I'm able to complete the process. The next question comes, "How do I set this up? Is this easy? Is this hard? How do I do this?" Let's take a look at that. This is a portal that all of us are very familiar with. That's your policies for Office 365. Now, if you do use Okta Mobility Management, this is the tab that you see, and this is where you would configure certificate-based authentication for your mobile devices. Now, that also means if you use a third party system, this is where you would use these features with your third party MDM, and the sign-on policies will help you regardless of if you use Okta Mobility Management or your third party MDM.

What you'll notice here is that you have the ability to separate out what you would like to offer on iOS, what you would like to offer on Android, as well as how to step up policies to complete a unique solution for your mobile workforce. To summarize Office 365 before we move on, we have certificate-based authentication to Office 365 available on iOS devices. This feature, if you use Okta Mobility Management, is in EA currently. The other option you have, and a lot of people ask the question of, "What about Android? How do I provide this unique solution?" The granular access policies will let you decide maybe you want to standardize on Outlook. You do have the ability to do that by blocking Exchange ActiveSync access.

You can also use device trust like I showed you in that flow to restrict access on Outlook to only Okta Mobility Management managed devices. You also have the option of doing this with a third party MDM, and you can attend our roadmap session tomorrow at 1:30, which will cover that a little more in detail. The other thing you want to remember is that the unique rules you can create with Android and iOS would really provide you an answer to all your mobile questions for Office 365. Now that we're done with Office 365, let's move on to G Suite. In G Suite, the one thing I wanted to cover before we even jump into the solution was what are these different words I see in Google? How do they translate to the terms that I typically see with the other things even we talked about right now?

In Google, you do see the options to completely customize these different protocols. Google Sync refers to using Exchange ActiveSync to communicate with your G Suite solution. iOS Sync and Android Sync refer to using modern authentication on the Gmail app. IMAP and POP are traditional email protocols that are available to communicate with G Suite. Now, in partnership with Google and Okta, we're able to provide you a full solution today to how you can protect your mobile devices as they access your email solution. The first thing is Google lets you customize and design which of these protocols you would like to even provide access to. You do have the capability to say IMAP and POP is allowed or not allowed. The same thing with iOS Sync, Android Sync, Google Sync.

Let's first talk about iOS Sync and Android Sync. Again, that refers to the Gmail app on both of these device types, and it's the modern authentication type. To start out with, let's look at iOS apps. You have this also with the same functionality that we saw with Outlook. This is going to be EA in all your general environments next week. What does this look like? The user opens the Gmail application, types in their email address. Just like you saw before, we do know it's federated. You will be redirected to the Okta login screen. Once we recognize who the user is, you have a policy set up to say, "No, they only get access if it's an enrolled device." It's enrolled in Okta Mobility Management.

We will take them through the flow of enrollment if they're not enrolled. If they are enrolled, they will be provided access to the Gmail app on their iOS device. Now again, this will be supported for both OMM and third party MDMs. The OMM solution will be out next week. Let's take a step back as to what we do with Google. Like I mentioned before, in partnership with Google is why we're able to give you some of these solutions. Android for Work is Google's ability to let you use your mobile devices for both work and personal use. You have the ability to separate these containers on your device. As you can see on this page, you can see your work applications separately with a little briefcase on them, which lets you know that these are your work applications. 

The data in those work applications stays completely separate from your personal applications. Now, why does this matter with security and access? Not only can we help you with integration with Android for Work to push those critical applications out to your devices including Gmail, but also give you the same story about securing access. This is a screen that some of you may have seen on the Google portal. If you go to security settings, and you have connected to your MDM provider, and in this case, that's Okta Mobility Management, we definitely support Android for Work, and you can start using that with us. 

Once you have that configured, you will see a little checkbox to say, "Would you like to enforce EMM policies on these devices?" This configures this protocol for Google Sync. It gives you the story to secure devices through the Gmail app when they are communicating to G Suite. Let's take a look at my Android device now. This is an Android device that again, I'm a new user, and I'm going to try to get email on the personal side of my device. I open the Gmail app. Let me first type in my email address. I set up a Google account. Clearly, it's just still trying to talk to Google. I type in my email address to get access to my G Suite account. 

What you'll notice like I showed you, it does redirect to Okta because we have G Suite federated with Okta. Now, it's redirecting me, and let's see what happens. What you'll notice here, and this is a critical piece, that because we have those policies enforced, it says this account requires mobile device management through Okta mobile to give you access. Let's do that. Let's follow the instructions. I have Okta mobile downloaded, and I'm going to go through a flow that you may have seen before when you used Okta mobile. I do have Android for Work configured in this environment. I set up my Okta mobile pin just like you saw before. Let me click on secure my device. What we're going to go through here is the Android for Work configuration. 

It takes us a few steps to complete the enrollment process. Since I'm using my G Suite account, it will ask me to log in to complete the AFW flow. Once I sign in, it's going to complete the enrollment process, and I will officially have an enrolled Android device. We do have to give it a few minutes to load all the applications I have installed for this device. What you'll notice is that immediately, a folder has been created for all my Android for Work applications. If we give it a little bit of time, it will silently install any application that I have deployed to this device. Let's give it a minute. While we look at that, we see that this is a really quick process, but also a customized process for you to use. 

Okta Mobility Management is able to support these flows for you today to help you ensure not just a perfect lightweight solution with your existing identity, but also the ability to secure these devices without any hassle to the admin or the end user. As you'll notice, it's going to download the application, and we will get email. There we go. This is my corporate Gmail app. This corporate Gmail app is the only one that has access to my account. If I go to my Gmail app that's on the personal side, I will not be able to access email. We just took a look at what we can do with G Suite on iOS devices and Android devices. Like I mentioned, in Google just like we showed you before with Office 365, Google will let you decide if you would like to allow access to Exchange ActiveSync, or maybe not. That's a decision you can make.

Let's just summarize what we talked about a little bit. We talked about the different protocols that Google offers to communicate with G Suite. As an admin, you can customize the experience by plugging in which one you want to allow or not. With Okta Mobility Management and Android for Work and device trust, you have the ability to secure the Gmail app to only Okta Mobility Management enrolled devices or your MDM enrolled devices. We also can help you configure the Gmail app like you saw with managed app config from our MDM tools. 

To conclude the different things that we talked about, I hope we were able to see some of the different features that you can do with Okta, Okta Mobility Management as well as your existing investments. I did want to mention that we really are focusing on trying to give you the best experience of access and security on your mobile devices along with the existing functionality that you already have with G Suite and Office 365. We will follow up with resources online as well as documentation to all our new features. We do have other sessions coming up for mobility specifically around how do we make this experience easy as well as roadmap sessions tomorrow. 

With that, I am going to introduce our customer, Owen Fuller, from the Weitz Company to talk to us about what he did with Office 365 on mobile.

Owen Fuller:  Thanks Snegha. Just before I start, quick show of hands, how many people are already G Suite or Office 365 customers, but are not using OMM? Anybody? Okay, so quite a few people feeling this out, seeing if this might be for you. What I want to talk about is a little bit about what our company went through as far as adopting office mobility ... or, sorry, Okta Mobility Management along with Office 365. I belong to a company called the Weitz Company. It's a construction company. In the last couple of years, we developed this corporate slogan of building a better way. This is how we've used OMM to build a better way there at the Weitz Company. 

A little bit about my background, I've had a little bit of a diverse experience. I worked all over the place for military, for nonprofit, for commercial companies. I've been in cushy Midwestern offices. I've been in the Middle East. I've set up satellite links in African jungles, so I kind of draw on all this stuff to look for creative solutions. Right now, since about June of 2014, I've been a System Administrator for the Weitz Company. Weitz was founded in 1855 in Des Moines, Iowa. It makes it the oldest general contractor west of the Mississippi. We do a lot of different types of construction, everything from commercial buildings, student housing or senior living communities, big industrial projects like fertilizer plants or natural gas plants, things like that, agriculture.

A very broad range of things that we do, so that means that we have a lot of spread out jobs, a lot of mobile workers. Right now, we've got about 12 offices in states from Florida all the way over to Arizona, and from Minneapolis down to Houston. We have job sites from Miami to Seattle, so we really definitely have that mobile workforce, about 950 iOS devices, and about 500 users there. Some of us have an iPad and an iPhone. We support all that with 17 IT staff out of our central office in Des Moines. What drove us to Office 365? Well, early 2016, a parent company that acquired us a few years back said, "Hey, everybody is going to be on one email platform. It's going to be Office 365." Okay, well, Weitz had been a long-time Novell customer, so that meant we had GroupWise for email, and we had eDirectory instead of Active Directory. 

Lots of us had had a little bit of experience with Microsoft in previous jobs, but Office 365 was a pretty significant jump. It wasn't so easy as just standing up an instance in the Cloud, and maybe go on from one Exchange on-prem. I mean, it was a totally different directory, totally different mail client, totally different server administration, a very big change. More things to learn. More things to build. More things to test. As far as our mobility solution went, we did have a full-fledged MDM at one time. It wasn't set up necessarily completely correctly, so it would work for us, but kind of not. Then of course, to complicate that, the one guy that really knew how to run it left the company.

I'm sure no one else has ever been in that kind of situation before, but basically, that leaves you with an expensive paperweight of a server. Even if it's a virtual server, you get the point I'm trying to make. Not really accomplishing what we wanted it to, so what that meant was we have all of our iOS devices pretty much just out there in the wild. IT would set them up for the user, or talk them through setting it up over the phone, no control over anything, whatsoever. What we were thinking about as we approached this go-live day for Office 365 was, "How are we going to switch people over from using their existing connection to the GroupWise servers to now connecting to Office 365?" 

On the desktop, that's a little bit easier. You can push out Outlook with your endpoint management system. It's a whole different client. You just tell people, "Don't worry about opening that until go-live weekend, and just let it sit there." With the mobile side, we didn't really want to confuse people by having different mail profiles on there at once, so this was going to have to be, "Okay, Friday night, we're going to stop using this mail system, and then Saturday night, when we get notified by migration, you guys are going to have to set up this new connection to Office 365." We have a very handholding type of a culture in our organization, meaning, we really want to spell out all the steps for people. 

I had another administrator for another construction company say to me one time, "You know, they're a bunch of hammer swingers." That was meant in no derogatory way at all, but they're good at what they do. They build buildings. They're not necessarily all good at IT, so we go way out of our way to try and make things as simple as possible. Really, when you consider all those different things, we realized that getting people changed over on their mobile devices was going to be the big difficult point in our migration for the whole email system. Now, about this time, about 2015, we took a survey of all of our employees in the economy. One of the top five complaints was too many passwords. Not the top five IT complaints, top five complaints about everything in the company. 

We said, "All right, we need to start looking for an IDM and an SSO solution." We looked at two or three of the industry leaders, and we really started settling on Okta. This was happening about the same time that we were getting ready to do this Office 365 migration. We were saying, "Hey, we need something on the SSO side that reduces the number of passwords that users have to enter. We want it to be easy for them to learn. We want it to be something that doesn't break the bank." It was also something that had a very wide range of support, and of course, being a limited IT department, we wanted something, a solution that had a good customer service focus and a good support team behind it.

That's what really drove us to Okta. It was very easy for IT to set up, and it was very quick to train service desk on how to use those IDM and SSO pieces. What we also found was, "Hey, they've got this product called OMM, and we might be able to use this to fix our little problem that we have with trying to get these new email profiles distributed out to all our users across all these different remote locations in the country." So really, it was two birds with one stone. What did we end up doing with OMM first? Well, like I said, we have that big go-live, we printed up a nice little PDF document, emailed it out to everybody, and said, "Hey, our go-live weekend, here is what you're going to do. Go in and delete this profile, and you're going to go and download the Okta Mobile Client, and sign in with the username and password that you're used to using already." 

Long story short, we had very few issues with people not being able to connect to email. It accomplished a couple of things for us. Number one, it made that transition smooth, but then it also gave us a little bit more control over those devices again. Since we weren't using an MDM anymore, it gave us a way to say, "Hey, now we can erase those devices. If we need it, we can do a wipe on them. We can see what's out there and how many devices are connecting." We basically just trained our users to say, "Hey, when you're connecting to your new email profile, go right in there to the Okta mobile app to sign in, and accept the few prompts, as simple as that." 

I should mention that we did this without being federated for our log on, so we were already down the road of setting up DirSync or whatever they're calling it these days, and just a username and password on Office 365. We weren't actually federating our login, and it still works to push out your mail profile. That was the great thing about this. It gave us our foot in the door with Okta. In fact, our users saw Okta mobile in that client, and we deployed the OMM before they even had Okta on their desktop in their web browser, but we actually rolled that out about two months after users started using Okta mobile.

Really for us, Okta mobile was the first product from Okta that any of our users ever saw. That was a really good thing for us, because that really helped us sell it internally as well. We can say, "Hey, we need a single sign-in. I think this also really addresses this other issue." It's definitely a great piece if you don't need everything that something like an AirWatch or MobileIron provides, you need some basic MDM functionality to be able to secure some of your apps. Have a little bit of information. My service desk guys love it, because they can go in there. They can see the devices that are enrolled, see what version of iOS that someone has, see the MEID, just those different pieces of information they're always trying to get from users that are not always easy to get.

It provides a lot of that basic functionality for a much lower price, and a much easier learning curve than something like a full-fledged MDM solution might be. For us, it's really been great. It's really reduced the number of support issues that our service desk guys have had to deal with. Going forward, we're looking here at implementing some of the things that Snegha was talking about as far as the certificate trust. My service desk manager says that they have so many tickets. When people reset their password on their computer, they just don't seem to put two and two together, that, "Hey, this password is the same password that's on your mobile device." For some reason, it just doesn't click. We're really looking forward to the certificate-based auth, and also just taking things up a little bit on the security side of things, and doing the device trust as well.

Really, it's been something that early on, like I said, our very first experience with Okta, it's been a great product to start with, and we see a lot of potential for where it's going. I really think it's going to help us continue to make our workforce more efficient, take the load off of our IT staff. Then also provide a little bit more security. All I can say is for us, OMM plus Office 365 has definitely been a win. If you guys aren't trying it already, it is so simple to learn. Really, from an admin standpoint, it is very easy to set up. You can probably do it in an hour or two, and be very familiar with it, so why not give it a try? 

Snegha R.:  Awesome! With that, we'd like to open the floor for questions. Anything you have? We do have a mic. 

Audience:  We've done some mobility work without Okta just trying to put Google work email on users' mobile devices, and it didn't go well, because Google requires you to encrypt your devices. We have new devices.

Speaker 3:  Yeah, so people just gave up. I'm just wondering. Is there a way to avoid that whole encryption business, and just use OMM? Yes, that's my question.

Snegha R.:  Yes. Okta Mobility Management is supported not just for Android for Work devices, but it also supports vanilla Android devices or your Nexus devices as well as Samsung SAFE. If you do not want to use Android for Work, as long as they are Samsung SAFE or they are native Android, you can still use Okta Mobility Management. The piece you won't be able to use is the functionality that I demoed on my device for restricting access on Gmail. That solution is offered for Android for Work, but you can use all the other Okta Mobility Management features with us. 

Audience:  Android for Work is the piece that requires encryption. I don't have that.

Snegha R.:  Yes. 

Audience:  If I don't have that, then I can still use some of these other features?

Snegha R.:  Yes.

Audience:  Did you say email is not included in that?

Snegha R.:  The restricting access on Gmail, so the flow where you saw it prompted me to enroll in Okta Mobility Management, because I was not enrolled, that piece is restricted to Android for Work devices, but everything else that we offer-

Audience:  Okay. They've still got their email and G drive and all of that?

Snegha R.:  Mm-hmm (affirmative).

Audience:  Great! 

Snegha R.: Any other questions? Awesome! Well, thank you so much for your time today. Please reach out if you have any questions. We'd love to answer them.

Office 365 and G Suite enable your employees to be productive anywhere, on any device. IT can no longer rely solely on traditional tools to secure access and the data contained in these apps. Join Okta's Snegha Ramnarayanan and Owen Fuller from Weitz, one of the oldest general contractors in the United States, to learn how Okta can help simplify Office 365 / G Suite migrations and deployment to mobile devices while enhancing security by controlling access to only trusted devices.