Oktane19: VMware + Okta: Securely Embrace Your Digital Workspace

Transcript

Steve D'Sa: My name is Steve. This is Camilo. We're gonna give you a little bit of an overview of VMware Workspace ONE, and Okta. But being on the floor ... So, we've been on the floor. We've been in the expo. I think we've talked to a lot of you. You've come out. We've had some great discussions. But what we're hearing is, "What the heck does VMware have to do with Okta? Are we talking about NSX? Are we talking about vCenter?" It's one of these common things we're getting down on the floor. But what we're here to talk about is EUC, end user computing. Our unified end-point management. And Okta. And how to embrace the digital workspace. But also achieve the zero trust.

Steve D'Sa: When we start talking about zero trust. And we start talking with the digital workspace. Ultimately, what Workspace ONE is, is Workspace ONE is that digital workspace that is designed ... It's designed really to be consumer simple. Consumer simple, but enterprise secure. What we're going to talk about today is essentially two separate flows. When we start talking about how does Okta fit in with Workspace ONE? How can we take the power of the identity capabilities that Okta has, and bring in the unified end-point management capabilities that Workspace ONE has?

Steve D'Sa: Now, if I can just get a quick take of the room, who here has heard of what Workspace ONE is? Wow. Very nice. Very nice. And who here is familiar with AirWatch? Excellent. Excellent. So AirWatch, as you know, has been ... Is the traditional fundamental device management capabilities that has evolved to what Workspace ONE is. So when we start talking about Workspace ONE, we're gonna talk a lot about what some of those capabilities were within AirWatch.

Steve D'Sa: So, when we start, and go into the digital workspace, and really what is the digital workspace? 'Cause you know what? Everybody has a digital workspace. All right. Okta has one. We have one. And what makes this different? In essence. Well, when we launch Workspace ONE, now Workspace ONE as I launch it in the browser. I launch the Workspace ONE app on my iOS device, my Android device, my Windows 10, my Mac. What makes this different? And really, what we are delivering in Workspace ONE is all your mission critical applications.

Steve D'Sa: And we're talking more than just our SaaS applications. Yes. We want to connect to Workday, and Box, and Salesforce, and Office 365. All those SaaS applications are very important. And we want to bring them into the digital workspace. But you know what else we want in our digital workspace? Is my native apps. If I'm coming in from an iOS device, and we know we're managing iOS devices. I want to see my iOS apps there. If I'm coming in from a Windows 10 device, or a Mac device, I want to see the appropriate apps that are available to me, with the right configuration. Ready to deploy.

Steve D'Sa: When I also get into my digital workspace, I want to see my VDI apps, my virtual apps. We're VMware. I want to see my Horizon applications in here, too. So when I log into Workspace ONE, if I'm coming in on a Mac device, I log in. I launch my Workspace ONE app, I have access to all my Horizon apps. Whether that launches inside the HTML 5 component of the Workspace ONE browser session. Or it launches the Horizon Client. But ultimately, I have access to my native apps. I have access to my SaaS apps. And all my VDI apps.

Steve D'Sa: And now, one of the things that's, in essence, it is relatively brand new. Is we are now syncing in your Okta apps. So as you configure apps within Okta, your SaaS apps in Okta will automatically now appear in Workspace ONE. So now when I log into Workspace ONE, I see any SaaS apps, my native apps, my VDI apps, and all my Okta apps. Are all available to here. And the best part about having the Okta apps in here, is that all your configuration for Okta is done in the Okta app ... in the Okta admin console. And then, everything will appear in your real time automatically into Workspace ONE. As soon as I log in, it is there. And that's what it's really designed for, a one stop shop where I can go in and access all my capabilities of the digital workspace.

Steve D'Sa: So, in essence, Workspace ONE, we manage the iOS devices. We manage Android devices. Windows 10. Mac devices. Chrome OS. And the non-traditional end-points. So just rugged devices, etc. So now, you might have also heard the term, VMware Identity Manager. You've heard that term come out a couple of times. And we always get asked, "What is VMware Identity Manager? How does VMware Identity Manager fit into this ecosystem?" Well, essentially, what is EUC? End user computing. EUC is all of these items that we see here, in addition to the Horizon apps.

Steve D'Sa: So, where does VMware Identity Manager, VIDM, fit in? VIDM is, in essence, what we call the identity broker. It brokers the identity experience from all of these end-points to Okta. That's where it fits in. It's there to be that broker, so that we can provide a seamless user experience. And Camilo's gonna get into what that seamless user experience is. And what is mobile SSO? All right. And what is device compliance? And we'll get into that as we start to talk about zero trust. And how all of this comes down together. And essentially, that's what we're bringing together from all of these components, within EUC. And as we extend that to Okta.

Camilo Lotero: Thank you. So, Steve touched upon two main points. User experience is one of the things that we want to maintain as high or low as possible. But one of the main drivers that we usually see when customers approach us to integrate Okta with Workspace One solution is, we want to elevate the security of some of the applications that have federated with Okta at the moment, without really taking an impact on the current use and experience that we have, and we love, with Okta.

Camilo Lotero: So we need to take a look at ways in which we can mitigate some of the challenges that end-users have when it comes to authenticating from a mobile device. Having to enter the password multiple times into each one of the different applications. And in some cases, having to do a second factor for each one of those different applications. So it becomes a really time consuming, arduous process the users need to go through. And what it does is, it really lowers the user adoption of those applications that you're trying to publish to each one of those end users.

Camilo Lotero: Now, we believe that when it comes to successfully authenticating a user to the device, or to a specific target application, it really comes down to taking a look at the factors that come both from the user, and the device that's actually accessing that application itself. So, Okta has a really good way to understand which user is accessing those applications. Okta owns the user identity. They're able to identify through credential challenge who the user is that's actually authenticated into those applications. And they can add some more conditions when it comes to where the user is coming from. If it goes to the IP network range. And what type of device they're actually using.

Camilo Lotero: Now, with VMware, given that we've been working with the MDM, UEM market for a couple of years. We believe we're able to bring a second layer to that authentication security, with regards to the device context that's brought in to the authentication decision. So, when it comes down to analyzing what the device status actually is at the moment of authenticating, with regards to the current patch level of the device. Is there any malware that's present on the device? Do you have a passcode? Or is the device encrypted? And analyzing those decisions before we give an access to actually download any data to that specific client device.

Camilo Lotero: And what that results, is to actually create a complete tries type of profile, when it comes to building the case for actually giving access to that specific user, with that device, to the target data that they're authenticating. Now, the way we have usually worked with clients, this is not a factor that fits across every single application. We understand that there are applications that require a higher risk level than others. There are some others that you can maintain the authentication through a single user name and password. What others you want to maintain a higher level of assurance. And for several devices, be managed. And only under strict conditions be given access to those resources.

Camilo Lotero: And this integration between Okta and VMware identity does allow you to that level of flexibility. Where the policies that are created within one solution or the other allow you to really be specific as to what application requires what level of assurance. Now, this also has a big significance in user experience. Once we're able to identify what user is trying to access which application, and what's the status of the device, then we can formulate a set of authentication policies that really fit that specific environment.

Camilo Lotero: At an ideal scenario, you would have a device that's actually managed by the Workspace One UEM solution. In that case, we're able to fit the device with the right server credentials. That we are able to simultaneously authenticate across any native application that's installed on the device. So what it really results, is we're able to elevate the security of the device by checking its compliance status. But also, we elevated the user experience by eliminating the use of any user name and password that's manually typed in. Or in a lot of cases, mitigating the need for a second factor.

Camilo Lotero: And now, in cases where our check for compliance status were to fail, then we can build upon the policies that already exist within Okta, through its Okta device trust. So we would fit back the information that comes from the Workspace One platform, in terms of the status of the device. And then if it fails our status checks, then Okta can say, "Well, it is trying to access a high level security application. And it is not necessarily a trust device. So let us fall back to simply using a user name and password, plus a second factor authentication that is available within the Okta admin experience."

Camilo Lotero: Now, if we took a look at how this works, at a really high level, the way we integrated with Okta is using a very standard SAML approach. We introduce ourselves as a trusted federation provider within Okta. So the main idea here is that we want to introduce our added value with regards to security, without disrupting any configuration that's already been made between your target application and Okta. So any federation trust has been established, which any of the SaaS applications will be maintained within Okta. And we're essentially introducing ourselves as a third party identity provider within there.

Camilo Lotero: Now, one of the things that Okta announced over the past year is the idea of IDP routing rules. So, after we've introduced our identity layer into Okta, now we can make decisions within Okta, that says only on these specific cases will we be actually redirecting the authentication to the Workspace ONE platform. In a lot of cases, what we see here is just we'll maintain the login experience that users are used to from their desktop, to maintain that custom login screen that's provided through Okta. And when it comes to mobile devices, where we want to enforce a specific Workspace ONE policies, then we'll go ahead and actually redirect our authentication to Workspace ONE.

Camilo Lotero: So, once the redirection happens, again, this is all based on just IDP chaining from one identity provider to the other. Then we'll fully delegate the authentication process for that specific device to the Workspace ONE platform. Now through Workspace ONE UEM, if the device is managed, again, we'll be able to check those specific policies that allow you to define what a compliant device should look like. Again, different companies have different definitions as to how strict they want a device to be before they give access to those specific resources. So that's all configured through the UEM platform.

Camilo Lotero: Once we've made that decision, and we've analyzed the device status health, then we can relay that information back to Okta. Again, part of the SAML response that we send back to them will contain the current status of the device that can fit directly into the policy engine that already syncs within Okta. Whether to allow access, deny access, or simply elevate the authentication to MFA type solution.

Camilo Lotero: From the Okta administrator perspective, there's really two main things that we're looking at here. So we've already mentioned the Okta routing rules. And that's what is gonna allow us to make decision as to when the actual authentication is being delegated over to Workspace ONE. So we can take a look at certain parameters, when it comes to network ranges, the target application, and even user groups. So if this is a feature that you want to roll out in phases, where if it got to the users in your environment, or you only want to roll it out to specific applications that do require this elevated level of security, that's something that can easily be accomplished with the Okta routing rules.

Camilo Lotero: And second factor is the device trust. So, Okta allows us to pretty take over the definition of what the device trust means. So we are the ones that provide what the device trust status of the specific device, that's making the authentication request, actually is. So based on that information, that can be then fed in directly into the Okta policies, using that same device status definition.

Camilo Lotero: So next up, we can take a quick look at what the end-user experience will look like with each one of those different scenarios.

Steve D'Sa: So, one of the things ... Oops. Let me just go back. There we go. So one of the things with the routing rules that Okta has brought in, and kudos to Okta for doing this. They've made it really ... I've got to stop pressing that. Go back. There we go. One of the things that Okta's done, is they made it really easy to do this integration. From the routing rules ... Let me go back. One more slide. There we go. From the routing rules, you can really easily define how and when your apps are gonna be taking advantage of leveraging mobile single sign on. And the whole Workspace One device trust capabilities.

Steve D'Sa: By leveraging these routing rules, and defining the users, where are they coming from? Are we gonna apply this in specific IP ranges? Are we going to do these for all platforms? Or are we just gonna do this for iOS and Android? Are we gonna leverage the whole out of the box experience on Windows 10? So, you have simple check boxes that you can do in this Okta console, to easily determine which scenarios are going to be directed to Workspace ONE. You could also apply it to specific users, as well. And bring out just a subset of the users. So they've done a real good job at configuring this, and being familiar in the identity space, and having something this easy to do, they've done a really good job at laying this out.

Steve D'Sa: So, what I'm going to show you over the next two slides, really I'm gonna show you the user experience of what does it mean when we are going to enable this zero trust? And how is this going to look? The first scenario that I'm gonna look at, in essence, is a user on an iPad has downloaded the Outlook mobile app from the store. You download the app. I enter my information. Because my information is federated already Office 365 to Okta, this automatically went to Workspace ONE. And then, got redirected to Okta.

Steve D'Sa: Now, what happened in this scenario is, we sent to Okta, in essence, a failure. So what you saw on that screen ... Can you? Let's go back. I just want to ... Okay. So what you saw on that screen, it went by really quick, and I apologize that, Okta stopped ... This thing likes to keep going. Can we pause? Yeah. Okay provided you with a splash screen that said, "This is not a managed device." You are trying to access an application that requires management. So I downloaded the Okta ... sorry, the Outlook app from the store. I went through, I configured my email address. But then, it stopped me. Because VMware sent back a denial.

Steve D'Sa: I got prompted for Okta credentials. And then I couldn't do it. Now let's look at that one more time, as we go through. So I download the Okta app. I enter my email address. It gets redirected to ... There's Workspace One. And then, it does that device compliance check. Sends that response back. Okta now, I can enter my user name and password. And then, I'll see the splash screen that says that this app requires management. You'll see that ability to continue on an enrollment flow. Where I can now register into Workspace One.

Steve D'Sa: So, now what I'll show you is the scenario where we are already under management. And this scenario is really straightforward. When we look at this, and this is the first time doing this. Where you're going in, I download the Outlook app. It goes to Workspace One. Workspace One is doing something called mobile SSO. And device compliance. It validated the user. And I seamlessly, now, authenticated into Okta, and into the Outlook app without any user interaction. Based on the fact that we know the identity context ... Pause that. I don't know why it does that.

Steve D'Sa: Based on the fact that the device was trusted. We did the device trust. We knew, based on the compliance policies, that everything was good. We passed that off to Okta. Okta did, Okta does the identity context. They know everything about the identity. They do the risk analysis of that identity. And between the two products, we were able to establish a secure enough session that we allowed the user straight in. And that, in essence, is how the two come together on that.

Steve D'Sa: Okay. Now let's move forward. There we go. Want to touch ...

Camilo Lotero: So, one of the stories that we think Workspace One and Okta fit really well together is with regards to minimizing the days that a user is able to access the application, whenever they join a company. So VMware and Workspace One, working with all the different platforms, and in several ways to make sure that from day one, a user is able to make full use of whatever laptop, or mobile device, as an IT Administrator, you assign to the specific user. And I think with that ties in really nicely with how Okta does end-user life cycle management.

Camilo Lotero: So, from day one, a device or any user joins a company, Okta takes care of pulling in that end-user identity from your HR platform. And pulls it into all your company directories. And feeds that user into the Workspace One platform, as well. And we can make use of that identity to assign all the specific profiles that should be assigned to those devices that are being assigned to that end user. And based on what users the user is a member of, NAD. And automatically push in every application profile, and access to resources, that that end-user should have in each one of those specific devices.

Camilo Lotero: Now, on a day to day basis, the end-user can continue to make use of the Workspace One platform to access every single application that they're entitled to through that unified application catalog. Fitting both the Okta applications, virtualized applications, and native mobile apps. And on a day to day basis, one of the main problems that, as an IT Administrator, you would usually come across, is having to reset your password. So again, Okta owns the identity. They own the plug-ins to be able to assist you with resetting the password whenever the issue comes up.

Camilo Lotero: And when it comes to a user leaving your company, the same effect would come in from two different places. Okta owns the identity. They know when a user needs to leave the company. And they can communicate that to Workspace One. And we can take care of eliminating all of the corporate specific information for each one of those devices that has been assigned to those specific users.

Camilo Lotero: Now, from a Workspace ONE perspective, we handle the provision across every platform. And we maintain a unified experience across each one of those platforms. No matter if you're being assigned iOS, Android, macOS, or Windows 10 device, the experience should be the same. And the amount of effort for the end-user to get access to those applications, should be the same, no matter what type of platform you're accessing.

Camilo Lotero: So, upon the first boot up that we usually receive from the device, you'll be guided to enroll into the Workspace ONE solution. And you can do that using your Okta credentials. And once you're authenticated, again, you'll be provisioned with all of the applications that you're entitled. Both from the VMware standpoint, as well as all the SaaS applications that are federated with Okta.

Steve D'Sa: In the bottom right, you'll see the Windows 10 experience. Now if we think about the onboarding, and if we talk a little bit about Dell factory provision, about picking up a Dell laptop directly from the factory with Workspace ONE preloaded. I un-box my laptop. I go through the flow of booting up Windows 10. I enter my corporate email. I get redirected to Okta. Okta will pass it to us. We'll know that, "Hey. This is a Windows 10 enrollment flow. So let's not do device compliance. Let's not do a mobile SSO check. Let's prompt for user name and password, and Okta Verify. So that we can properly authenticate the user."

Steve D'Sa: Once we do that, then I get all my policies permission down. My printers, my GPOs, any necessary software requirements. All of these things get pushed down as part of the Windows 10 modern management flow. And that is just something that adds to the onboarding experience of taking what we're doing with Windows 10. And then, the same thing applies, in essence, when we're talking iOS or Android. And bringing down a real good user experience. And adding that compliance aspect, to really achieve that zero trust on there.

Steve D'Sa: Okay. Now, is Ben here? There we go. There's Ben.

Camilo Lotero: So I think it's very important for us to ... We've done the integration. We've done the development work. And I think it's really important to give the perspective of a current customer. Both in the Okta and Workspace One side. To give their side of the story, as to how they see this evolving within their organization. So Ben, thank you for joining us. We appreciate you being here.

Ben Goodwin: Thank you.

Camilo Lotero: So if you want to please introduce yourself. Give us an idea of what your role is in Phillips ...

Ben Goodwin: Sure. I'm with Phillips 66. We're an energy company, headquartered out of Houston, Texas. I happen to live in Oklahoma. And we have about 14,000 employees. We have probably a moderately sophisticated, by comparison to a lot of other large companies, probably a moderately average, middle of the road, sophisticated security landscape. But we do have to secure a lot of assets. So in addition to just the normal things that you would normally be considered.

Ben Goodwin: We have been an Okta customer since about 2015, or so. We've also been a VMware AirWatch ... Or Workspace ONE, formerly known as AirWatch, customer since 2014, 2015, as well. And I might add that we've had really good, strong relationships with both of these companies, in different respects. In both cases, both partners have provided some solutions that others were not able to provide. And so, it's been a good run with both AirWatch and ... I mean, sorry. With VMware and with Okta.

Ben: And hello everybody. My name is also Ben. Two for the price of one, here. I'm on the strategic alliances team at Okta. And I'm very excited to be up here, and talk to Ben a little bit, about what his experiences have been with both the Workspace ONE team, and also with Okta. And to that end, one of the things that we heard Todd talk about today was the idea that everybody is a technology company. I know that for most people, when they hear of Phillips 66, that's not the first thing that comes to mind. Can you talk a little bit about what that transition has been like, how best products like Okta and Workspace ONE have enabled you guys to think a little bit differently about your type of business.

Ben Goodwin: Yeah, sure. When you think of an energy company, technology doesn't just jump out at you as the first thing that ... It's much more brick and mortar-ish. Staid, tried and true, cheap and cheerful. Those are more the monikers that you might think of when you think about an energy company. And it's well deserved. What we have been going through, over the last couple of years, however, is a transformation. And that transformation is being driven by some very strong leadership in the company, that says we really need to be very much more cloud based, for the advantages of nimbleness.

Ben Goodwin: Many of the advantages that have been talked about throughout the conversations that you're having in the halls, and such. And what that does is, it forces us to think very differently. It forces us to think about not so much doing things the way that we've always done them. We've also been very much a not [advitted 00:27:59] here kind of company. We believe that we've done it best. And as I was sharing with some folks earlier today, what we've found is, that's not really the case.

Ben Goodwin: There's ... Our core business is not securing our network. Our core business is not providing all of the components of a mobile technology that we need to, for our solutions. Our core business is providing energy. That's what we do best. And so, we rely on our partners, such as these companies, to do this far better than we do. And so, what our transformation is, is about shifting our trust from ourselves over to those who do this as their core business.

Ben: And to that end, I think that there are a lot of organizations that we work with, that are all very new. The idea of being cloud native is quite natural to them. But we also have a large number of organizations and customers that have not necessarily jumped immediately from their old environment to a cloud environment. And they have to go through the process of slowly shifting through, in addition to the types and styles of devices that individuals, front line workers, are leveraging continues to change. And the way in which you treat front line workers continues to change. Can you talk about how that transition ... So, A) from a data perspective, B) from an end-user perspective, C) from a security compliance perspective, has been, now that you've gone through it?

Ben Goodwin: So, I think you touched on a couple of things. One of which is, within our company, this is not a technology issue primarily. Yeah. We have to employ technology. But we've got to get people on board with moving from the way things were in the past, to the way things are ... Can be, going forward. And creating that vision, starting with even our IT leadership, is job one. It's very challenging. And as our partners understand, it can be a very long and laborious process. Even for those who understand the intricacies of how things get put together. Trying to create that understanding, and the pull from within the leadership, that this is a necessary move, can be a long process.

Ben Goodwin: And so, the social aspects, or the interpersonal aspects, of this, are as challenging as the technical pieces. Once you get the first part done, the second part follows fairly in smooth order after that.

Ben: Yeah, and to that end, one thing that we often hear about at these types of conferences, specifically at Okta's, is the idea of best of breed versus platform. And how best of breed technologies, when leveraged together, create a style of platform. Can you talk about how you and your organization chose, or thought of, the idea of going best of breed? Versus say, a much larger organization that will provide a suite, but may not be able to provide exactly what you're looking for across the board?

Ben Goodwin: Yeah. So interoperability is the key. And openness in the architectures, is the key to do that. We've done it both ways. At Phillips 66, we've got certain parts of our ecosystem that are very much sole sourced, even though they are not necessarily best of breed. We also have several areas that are ... Such as this one. Which truly allow us to do best of breed. Because there is an openness to the architectures that provide for that.

Ben Goodwin: I shared with the partners, in the partner summit yesterday, that one of the things that has struck me ... I haven't been in this role that long. But one of the things that has struck me about the partners that I was sitting on the panel with, which were these guys, that when I first came in this role, I was somewhat jaded about the fact that when you've got two or three partners in the room together, they really are gonna be in turf battles. And trying to carve out their niche. And once you walk out of the room, one of them will pull you aside, into the coffee bar. And explain why the other guy's stuff is not gonna work the way that they just told you in the conference room, a few minutes ago.

Ben Goodwin: So, we've experienced that. But in this space, and particularly with these partners, have not experienced that at all. And matter of fact, they're saying, "You know what? These are the things that we do well. This is the things that these other partners do well." They'll bring people to the table, have brought people to the table, to say, "There's a niche in here that we believe that you need to use this partner for. And here's what they do well." So, it's been a very refreshing couple of months for me, from that perspective.

Ben: Yeah. That's great to hear. So good to know that we are playing well. The other partner that was up there is a more traditional style partner. One that you work with quite closely. Can you talk a little bit about how you can leverage a SI/GSI channel partner? And the benefits of having them involved in the way in which you've worked well with us?

Ben Goodwin: Yeah. Absolutely. So, in this case, our integration partner is really the expert. So they're the ones that we can fall back on, to rely on. And we use different third parties to do this. But if I were ... As much as I trust Okta, that doesn't mean I'm gonna put all of my cards in that basket, or eggs in that basket. I want somebody, third party, to come and validate ... The old Ronald Reagan, "Trust. But verify." Right? I want somebody to come and validate that this way that we're walking down, really does make sense for us.

Ben Goodwin: Identity, security, is not our core business. I'll go back to that. It's not why we exist as a company. It's a necessary piece, and in my world right now, it's a very important piece. 'Cause my job depends on it. But it's not the core business that my company runs on. It's not what creates our revenue. So, what is important, though, is that I bring people in who are experts in this. And so, both from an expertise standpoint, and as we get into implementing projects and such, from a capacity standpoint, I bring in partners who really understand the space far better than I. So it's a matter of expertise, primarily.

Ben: Perfect. So, you've now heard me talk a little much here. Does anybody out there have any questions? Things that you want to ask Ben? Things that you want to ask the VMware team about what you guys saw today?

Camilo Lotero: So, at the moment, the intervention that we have, it's exactly what you proposed at the beginning. The integration, and the level to which we provide access, or control of the access, is to these specific applications that are being issued to the end-user. We provide a decision of the OS, once it's been enrolled into the solution. But actually, you can totally access into the OS itself, through Workspace One. It's not something that's built into the platform, at the moment.

Steve D'Sa: But when it comes down to the elements that you're talking about, essentially what we do in that case is, we rely on the capabilities of the OS. Because really the OS, and whether that is Windows, or whether it is iOS or Android, we're relying on those capabilities of whether or not we're talking about biometrics. Face ID, or Windows Hello. And in these scenarios, relying on the capabilities of the OS from that aspect of getting through that first authentication.

Steve D'Sa: Once we get through in the OS, and we're leveraging the tools that the OS has provided us, then we can take that now, and apply that to the application. And start to apply things like certificate-based auth. Or mobile single sign-on, etc.

Speaker 5: Are you guys that have the position now, that if you have an MDM registered device, and it successfully is registered, and being managed by your EMM platform, that it's good enough. It's trusted now? Or do you have customers that also have, under MDM control, and then, plus they also have local device trust certificates to validate the trust of the machine, as well?

Steve D'Sa: So we see it as two parts. When it comes down to, okay, we've managed the device. And we've always looked at it in two parts. There's the trusting the device. And can we ensure that the device is trusted? Absolutely. Do we have a certificate on there? Which is great. Do we have the right security policies? The right posture? Everything is great. But that alone is not enough. That alone is only part of it. Then we look at the identity context. We look at the user behavior. We look at things about how a user accesses it. Whether it's the right behavior, the right time of the day. They're looking at the various context attributes of the identity. Things that Okta does very well.

Steve D'Sa: And that's where we went off to say, "You know what? There are two elements of this." And when Camilo was showing that slide about the device trust, and then the identity context, the identity context is something that Okta does very well. They do really good at that. The device, we do really well. And that's why the two together can work. But I don't believe only one of them can do the job. It requires both of them.

Speaker 6: Have you integrated the Okta plug-ins yet? So that ... Into your secure browsers, so that you can use Okta's apps through the MDM solution yet?

Steve D'Sa: Sorry. Was this for the secure web authentication?

Speaker 6: Yeah. Secure web.

Steve D'Sa: The secure web authentication, as it stands right now, still relies on the Okta piece. And our first iteration of this, we're pulling in the SAML apps. And the SWA apps is not there yet.

Ben: Any other questions? Thoughts?

Speaker 7: You showed DELL as one example of pre configured with Workspace One. Are there other vendors that also offer that?

Steve D'Sa: Right now ... Well, obviously VMware, VMware is part of the DELL family. As it stands right now, DELL is the only manufacturer that has the out of the box provisioning of Workspace One, direct from the factory. But I know, I don't know if you can comment on this. I know there are talks with other manufacturers. But right now, it's only DELL.

Camilo Lotero: Yeah. Nothing has been defined yet. But yeah ...

Speaker 8: Could it later leverage Autopilot, possibly?

Steve D'Sa: Well, Autopilot, in itself, will follow the flow. But having the Windows 10 shipped, and having Autopilot go on ... The difference with Autopilot is, once you go through Autopilot, then you would get automatically managed. And then, once you get managed, then we can deploy and push down the Workspace One app. But the difference between the DELL provisioning is that the Workspace One app is already available.

Speaker 9: So, is this compatible with Apple DEP?

Steve D'Sa: You want to take that one?

Camilo Lotero: Yeah. So the flow right now, Apple DEP doesn't support SAML natively through the enrollment flow. There is a workaround that we have through the Workspace One platform. Where you essentially enroll the device through DEP, with a local Workspace One user as a staging user. And then, we'd be able to present you with an Okta login page. Once you actually authenticate with your Okta credentials, then we can just move you around in our MDM solution, to assign you to the right profiles that are assigned to that specific device. So it is not natively supported directly. But there is a workaround in the platform that allows you to do it.

Ben: Wonderful. We have time for one last question. Or if you want, we can give you all back a couple minutes as you go through, and transition to your next sessions. The latter? Is that the plan? If so, we can ... thank you to the team.

Camilo Lotero: Thank you.

Steve D'Sa: Appreciate your time. Thank you so much.

What happens when you combine the leader in Access Management and the leader in Unified Endpoint Management? The best user experience and the slickest management experience. Exactly one year after announcing our partnership, this session will catch you up on all the joint development that’s been taking place behind the scenes. We will show you the latest management integrations that make it easier than ever to have a single point of administration across the platforms, and a user experience that sinks seamlessly into the background so users get the consumer-like experience they demand.