ZENworks Mobile Management 3.1 is expected to be released in the next week, so I thought I’d take a few minutes and introduce you to the new value we are providing in this exciting new release of the product. This includes:
Enhanced security via FIPS 140-2 validated crypto modules
Easing the provisioning of certificates for Wi-Fi and Exchange authentication in an Active Directory environment
Ability to use ZENworks Mobile Management as an external MDM server for Cisco ISE
Support for shared devices with the ability for users to check-out/check-in these devices
Support for custom Acceptable Use Policies that must be accepted before accessing corporate data
APNS certificate configuration as part of the new organization setup
Ability to assign most corporate resources to local groups
iOS policy enhancements allowing you to control Activation locking and disable the app store while still allowing the distribution of managed applications
Let’s take a look at a few of these in more detail.
ZENworks Mobile Management 3.1 uses a FIPS 140-2 validated cryptographic library to encrypt data on both the server and the managed devices. This includes such important information as the passwords for local users and private information such as text message logs, phone logs, and location. When combined with configuring the IIS server that hosts ZMM in FIPS 140-2 mode, this allows Federal Government customers who require FIPS 140-2 validated solutions to be assured that their sensitive data is secure. For a more in-depth discussion of FIPS 140-2, refer to the Securing the System guide that is part of the online documentation.
ZENworks Mobile Management 3.1 allows ZENworks to act as an enrollment agent on behalf of your devices to a Microsoft Active Directory Certificate Services environment, so that certificates can be provisioned to devices automatically when required for Wi-Fi and Exchange authentication. The screenshot below shows the certificate management view in the dashboard.
From here you can see the certificates that were issued, the resource they are associated with, and the user that is using the certificate. You can also revoke or renew the certificate as needed. I will be writing an in-depth tutorial on Certificate Management in the next few days.
Support for Cisco ISE
The user guide for Cisco ISE states that “Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. The unique architecture of Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. The administrator can then use that information to make proactive governance decisions by tying identity to various network elements including access switches, wireless LAN controllers (WLCs), virtual private network (VPN) gateways, and data center switches. Cisco ISE is a key component of the Cisco Security Group Access Solution.”
ZENworks Mobile Management has been updated to provide the required web services so that the Cisco ISE appliance can leverage it as an external MDM provider. When ZENworks Mobile Management is configured as the MDM provider, Cisco ISE can retrieve information about the mobile devices, quarantine devices that are not enrolled with the MDM solution and redirect them to the enrollment page, and trigger locks and wipes from the ISE console. The screenshot below shows the ISE console with the ZMM server configured as an MDM server.
The only configuration that must be done in the ZENworks dashboard to support ISE is to create an organizational administrator, flag that user as an ISE admin, and then set the correct version of the ISE protocol in the organization properties. Once that is complete, you can simply point your ISE server to the MDM server using the organizational administrator you created, and the system should be ready. For more information about configuring ISE to use ZENworks Mobile Management, refer to the ISE documentation.
Shared Device Support
We’ve heard from a lot of you that you have shared devices. For instance, you might have a set of iPads in a classroom that you want to manage or a set of devices on a hospital floor. ZENworks Mobile Management 3.1 introduces the notion of a “Shared User”. Essentially, when you create a Shared User you are creating a user that you will use to enroll these devices. As part of this configuration, you define the default policy for those devices and the types of Corporate Resources that can be applied based on the user that has checked out the device, as shown below:
For each of the resource types you select on this dialog, the checked-out user will receive their assigned resources; however, if you uncheck that option, the resources will be read only from the shared user’s assignments. This allows you to do things like always use the Shared User’s Wi-Fi settings, while providing the user with custom web clips or email. This could also prevent a user’s ActiveSync email from being provisioned on the shared device if desired.
Once you’ve created the user, you enroll the device as the shared user, just like any other user. This will cause the device to show up in your grid as being managed and associated with the shared user. However, unlike regular devices, users can open up the ZENworks app and re-enroll or “check-out” the shared device, as shown below:
Once the user clicks sign in, the device is considered checked out to them, and their policies will apply instead of the shared user’s. Any allowed resources for that device will also be deployed to the device. The user can then use it until requested to turn it back in. When they do so, they can simply click the check-in button on the enrollment page, and the device will be logged out as them and back in as the shared user. The policies of the shared user will now apply until the next user checks out the device.
ZENworks Mobile Management provides significant new value to our ZENworks customers. These features help to improve the security of your overall environment, simplify management, and deliver new policy capabilities. I encourage you to take a look at the product if you haven’t already, and if you are already running it I hope you upgrade to 3.1 as quickly as your internal processes allow. Look for additional video demos around these features on the Resource Library tab of the product marketing page shortly.