Mobile Endpoint Integration Solution


Cisco ISE:
- Authorize Wi-Fi access
- Restrict access rights on the client VLAN
- Redirect the browser to the device registration URL
- Hand off to MobileIron device registration
MobileIron:
- Device registration
- MDM configures the device security policy: screen-lock password, data encryption policy, disable camera, disable iCloud
- Configure enterprise email with an encrypted-attachment policy
- Distribute enterprise apps (prompt to install at initialization), including the Cisco AnyConnect configuration
- Configure secure access to the enterprise SharePoint
- Install shortcut icons for access to the IT and finance portals
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Scenario: an unregistered iPad joins the enterprise network (ISE and MDM control actions)
User: Unknown; Group: Unknown; Certificates: None; Device Registered: No; Manufacturer: Unknown; Model: Unknown; OS Version: Unknown; Apps: Unknown; Encryption: Unknown; Password: Unknown; Compromised: Unknown; Profiles: Unknown; Ownership: Unknown; Location: HQ
- AirWatch Version 6.2
- MobileIron Version 5.5
- SAP Afaria 7.0 SP3
- Citrix (Zenprise) Version 7.1
- Good Technology Version 2.3
- Fiberlink MaaS360
Onboarding decision flow:
1. Registered device? No: MyDevices (ISE BYOD Registration). Yes: continue.
2. MDM registered? No: ISE portal link to MDM onboarding. Yes: the device is managed by MobileIron.
Deep device state identification
Scenario: an unregistered iPad joins the enterprise network
Tracked attributes: User, Group, Certificates, Device Registered, Manufacturer, Model, OS Version, Apps, Encryption, Password, Compromised, Profiles, Ownership, Location
• Device registration
• Periodic compliance checks
• Remediation of non-compliant devices
• Remote device actions through ISE
• Self-service management of end-user devices
Network-layer control
Converged control
Device management
• ISE integrates with the six MDM vendors below through open API interfaces
• The vendors that have passed Cisco's testing are listed below; more MDM vendors will join with ISE 1.3:
Registration successful:
The device's network policy has been deployed and it is granted enterprise intranet access
Endpoint posture: real-time check of whether the device is compliant
Scenario: the user installs a non-compliant app
User: Chris Williams; Group: Finance; Certificates: Present; Device Registered: Yes; Manufacturer: Apple; Model: iPad; OS Version: 6.1; Apps: Violation - Dropbox; Encryption: Enabled; Password: Enabled; Compromised: No; Profiles: Present; Ownership: Corporate; Location: HQ
Check whether the FQDN in the certificate is a domain name or an IP address.
• Import the MDM server certificate into ISE.
• The clock difference between ISE and the MDM server must not exceed 5 minutes; configure an NTP server on both.
• When adding the MDM server in ISE you may use either an IP address or a domain name, but if the certificate's FQDN is a domain name you must use that same name consistently.
• Assign API permissions to the integration account.
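Two of these prerequisites (the server identity configured in ISE must be covered by the MDM certificate, and the clocks must agree within 5 minutes) are easy to verify before the integration is turned on. The following is an added example, not code from the slide deck, from Cisco or from MobileIron; it uses only the Python standard library, takes the certificate in the dictionary layout that `ssl.SSLSocket.getpeercert()` returns, and the sample certificate, hostnames and addresses are constructed for illustration. It shows in particular why an IP address configured in ISE fails against a certificate that only names a domain.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# The deck's limit: ISE and MDM clocks may differ by at most 5 minutes
MAX_SKEW = timedelta(minutes=5)

# Constructed sample certificate in the layout ssl.SSLSocket.getpeercert() returns.
# It names the MDM server by domain only: there is no "IP Address" SAN entry.
SAMPLE_MDM_CERT = {
    "subject": ((("commonName", "mdm.example.com"),),),
    "subjectAltName": (("DNS", "mdm.example.com"), ("DNS", "*.corp.example.com")),
}


def _san_entries(cert, kind):
    """All subjectAltName values of one kind ("DNS" or "IP Address")."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _subject_cn(cert):
    """The subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, host):
    """Match host against a certificate DNS name; a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def identity_matches(cert, configured):
    """True if the server address configured in ISE is covered by the MDM certificate."""
    try:
        ip = ipaddress.ip_address(configured)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address only matches an "IP Address" SAN entry; a DNS SAN or CN never covers it
        return any(ipaddress.ip_address(v) == ip for v in _san_entries(cert, "IP Address"))
    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        return any(_dns_match(p, configured) for p in dns_names)
    # Fall back to the subject CN only when the certificate carries no DNS SAN at all
    cn = _subject_cn(cert)
    return cn is not None and _dns_match(cn, configured)


def clock_skew_ok(ise_time, mdm_time):
    """True if the two clocks are within the 5-minute limit."""
    return abs(ise_time - mdm_time) <= MAX_SKEW


def check_mdm_prerequisites(cert, configured, ise_time, mdm_time):
    """Return a list of findings; an empty list means both prerequisites are met."""
    findings = []
    if not identity_matches(cert, configured):
        findings.append(f"MDM server '{configured}' is not covered by the certificate SAN/CN")
    if not clock_skew_ok(ise_time, mdm_time):
        findings.append(f"clock skew {abs(ise_time - mdm_time)} exceeds {MAX_SKEW}")
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Domain name configured, clocks in sync: no findings
    print(check_mdm_prerequisites(SAMPLE_MDM_CERT, "mdm.example.com", now, now))
    # IP address configured against a domain-only certificate, 7 minutes of skew: two findings
    print(check_mdm_prerequisites(SAMPLE_MDM_CERT, "192.0.2.10", now, now + timedelta(minutes=7)))
```

The wildcard rule is deliberately strict (one label only), which is the behaviour a TLS client applies; if the check reports a mismatch, either re-add the MDM server in ISE under the name the certificate carries or reissue the certificate with the address you intend to use.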
Cisco ISE:
- Tag packets to enable encrypted transport
- Tag VoIP for priority transmission
- Authorize access to internal encrypted files
MobileIron:
- Allow camera use
- Enforce a strong-password policy
- Prompt to install new enterprise apps: "Directors Desk HD", MobileEcho
Policy changes driven by the AD domain controller:
All policy changes follow changes in the enterprise Active Directory
• ISE can set the 15 attribute values below; the MDM compliance attributes allow even more combinations
• Compliance-check category:
✓ This capability validates the results reported back by the MDM server
SharePoint access, enterprise email and enterprise apps are redeployed automatically
Scenario: the user is promoted to management
User: Michelle Jones; Group: Directorate; Certificates: Present; Device Registered: Yes; Manufacturer: Apple; Model: iPad; OS Version: 6.1; Apps: None; Encryption: Enabled; Password: Enabled; Compromised: No; Profiles: Present; Ownership: Corporate; Location: HQ
Device state + control actions
Tracked attributes: User, Group, Certificates, Device Registered, Manufacturer, Model, OS Version, Apps, Encryption, Password, Compromised, Profiles, Ownership, Location
Mobile Endpoint Integration Solution
李嵩 (Songl@cisco.com), BN Security Team
Access-Accept
PC/Web era
Mobile-first era
Post-PC era
SOURCES: Asymco.com, Public Filings, Morgan Stanley Research, Gartner, IDC
Inventory Management
Device Management (Backup, Remote Wipe, etc.)
Secure Network Access (Wireless, Wired, VPN)
Registration
Cert + Supplicant Provisioning
Wireless network
VPN access
Cisco AnyConnect
MDM
Mobile + PC
Enterprise App Mgmt (Distribution, Config)
Acceptable Use Policy (AUP)
User <-> Device Ownership
Cisco ISE
Device registration; enable VLAN; enable ACL; enable group ACL; enable ToS (used for QoS); URL redirect; tag packets
Cisco ISE
Network-layer management actions
MobileIron
Device registration; remove enterprise email; prompt to install enterprise apps at initialization; remove managed enterprise apps; remove enterprise app access rights; remove enterprise data; selective wipe of enterprise data; full device wipe; apply enterprise network and security configuration; remove enterprise network and security configuration
Cisco ISE:
- Deny access to the enterprise file server
- Redirect the browser to the internal AUP (acceptable use policy) page
- Place the device in a quarantine VLAN that provides only the network access needed for self-remediation
After the offending app is removed:
Restore all network rights
MobileIron:
- Notify the user by SMS or email: "You have violated the enterprise app policy"
- Remove SharePoint enterprise data; remove enterprise email access; remove enterprise apps
Mobility Services Engine
(MSE)
Catalyst Switches
Cisco Prime Infrastructure
Identity Services Engine
(ISE)
Cisco WLC
MDM Manager
Wired network
MDM (Mobile Device Manager)
Classification/ Profiling
Context-Aware Access Control (Role, Location, etc.)
Policy Compliance (Jailbreak detection, PIN lock, etc.)
Secure Data Containers
"How do we distribute apps, and how do we roll out BYOD?"
"How do we keep control over multiple mobile OSes?"
"How do we ensure information security compliance?"
"How do we distribute documents and keep them secure?"
"I constantly have to meet users' new demands while also ensuring security compliance"