Mobilize Employees with the Cisco Mobile Workspace Solution

Mike Jessup, Engineering Tech Lead, Systems Development Unit, Cisco Systems
Marcelo Brosig, Solution Architect, Americas Strategic Alliances, Citrix Systems
John Monaghan, Consulting Systems Engr., EMEAR Enterprise Networking, Cisco Systems
June 4 2014
What is a Mobile Workspace?
Mobile devices | Mobile applications | Mobile experiences
Native | Virtual | HTML5 | SaaS | Voice | Video
A mobile workspace provides consistent, seamless and secure mobile access to applications, content and communications on any user or corporate device, anywhere.
Security and infrastructure across Office | Mobile | Tele
Complete end-to-end mobility solution; infrastructure and mobile app excellence; simplified deployment and support; linked infrastructure and mobile app policy.
Customer Challenges with BYOD and Mobility
WiFi Growth and Reliability
•  Number of devices: 40-100% Y/Y growth
•  Mobile applications driving higher bandwidth requirements: 802.11ac (and LTE)
•  Ubiquitous wired-like service expectation
BYOD is just a subset
•  CYOD – Choose Your Own Device, corporate assets
•  Ownership is less important; it's about managing/securing data
Data Loss Prevention Strategy
•  Compliance with industry/government regulations (HIPAA, PCI, S-Ox, etc.)
•  Balancing security with user experience
Application Support
•  How to provide access to legacy applications (Windows, Office, others)?
•  App and desktop virtualization shifting to mobile use cases
•  Mobile app lifecycle including portability, development costs
Complexity and Confusion of Solutions in the Market
•  Should I use an MDM? Which one?
•  How do I secure it?
•  Which security technologies?
•  How will HTML5 affect my strategy?
•  Cloud vs. on-premise?
Sources: *Accenture CIO 2013 Survey ** Gartner Research *** IDC Research **** Nemertes 2013
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
3
Cisco Mobile Workspace with Citrix Solution Differentiators
•  Simplified integrated solution – customers do not have to select/integrate many technologies
•  Modular building-block approach provides insertion for different buying centers: network, security, desktop, mobility, application
•  Seamless zero-touch BYOD onboarding (ISE and XenMobile integration)
•  Mobile data protection for security/compliance for Healthcare, Finance, Retail, etc.
•  Flexible support for all application delivery models (native, virtual, HTML5, SaaS, collaboration)
•  Improved mobile user experience (Cisco WLAN prioritizes Citrix protocol/traffic)
•  Validated designs mitigate deployment risk with proven reference architectures
The Mobile Workspace Solution Components
Architecture and Components (BYOD Solution Components, Desktop Virtualization Solution Components and Mobile Workspace Solution Components, for any device)
•  Applications and Content – Mobile Productivity, Mobile Data Security, Mobile Collaboration: Worx Mobile Apps, ShareFile, Receiver; Unified Comms, Jabber, WebEx
•  Application Delivery – App/Desktop Virtualization, Unified App Store: XenApp, XenDesktop; XenMobile, StoreFront
•  Mobile Policy – Network Policy Control: ISE, AnyConnect; Mobile Device Management: XenMobile
•  Mobile Networking – Unified Access, Secure Access
•  Core Infrastructure + Security – Cloud Infrastructure: Unified Data Center, Security Services
Cisco Mobile Workspace Solution With Citrix: Benefits
Best for Business and IT (Simple, Secure, Smart)
•  Single architecture accelerates, enabling mobile workstyles, apps
•  Integrated modular, validated solution for faster risk-free deployments
•  Protecting access, data, and applications for maximum risk mitigation
•  Centralized, multilayer policy management and enforcement: users, access, devices, data, apps
•  Flexible architecture to support broad set of use cases and workstyles
•  Built on scalable, intelligent Cisco Unified Access, and HDX for great mobile user experience
Best for End Users
•  Easy, seamless mobile device on-boarding and app experience
•  Worry-free secure access for any app on any device, anywhere
•  Choice and flexibility to roam between devices, networks, locations
Complete Best-in-Class B2E Mobile Solutions and Services
Mobile Workspace Solution Demo
John Monaghan, Consulting Systems Engr., EMEAR Enterprise Networking
Core Infrastructure and Security
Cisco Mobile Workspace with Citrix
Starts with Unified Access / BYOD Foundation
•  Secure network access anywhere, anytime…
•  AAA services provided by Cisco Identity Services Engine
•  Authentication with PKI, AD, and OTP (RSA)
•  Role-based assignment with access restrictions
•  Access Control Lists
•  TrustSec – Security Group Tags
•  ISE MDM integration for mobile device policy
Cisco High Density Experience Technology
Enabling the Mobile Workspace
Performance, mitigation, scalability and roaming optimized for high client density WiFi networks
CleanAir 80 MHz
•  RF interference detection & mitigation optimized for 802.11ac's wider channel bandwidths
RF Turbo Performance
•  Optimal performance for high throughput, high density environments
•  Support highly dense clients without performance degradation
•  Scale seamlessly to 60+ 802.11ac clients using interactive video & multimedia traffic
ClientLink 3.0
•  Increase performance & range by up to 60%
•  Cisco patented implicit beamforming technology for 802.11ac clients, complementing explicit BF; also extends capabilities to 802.11a/g/n clients
Smart Roam
•  Intelligently assist client roaming
•  Right-size the WiFi cell to better assist client handoff in a dense network
RF Noise Reduction
•  Enables higher density AP deployments to support client density and increased bandwidth
•  Increase spectrum usage efficiency to improve co-channel performance
Mobile Traffic and the need for QoS
Intelligently Managing Mobile Traffic
•  Assuring voice quality from wireless applications meets enterprise VoIP requirements
•  Ensuring video applications are delivered to/from wireless devices with a high Quality of Experience
•  Provisioning preferred services for business-critical applications running on wireless devices
•  De-prioritizing "background" business application traffic
•  Identifying and de-prioritizing (or dropping) non-business applications
Cisco Application Visibility and Control for WLCs
•  Provides Deep-Packet Inspection (DPI) capabilities
•  Identifies applications via Layer 7 stateful signatures
•  Leverages the IOS Network-Based Application Recognition (NBAR2) engine
    •  Over 1000 applications
    •  Available on Cisco Wireless Controllers, Routers, and Switches
•  Introduced for WLANs in AireOS 7.4
•  AireOS 7.6 added "Protocol Pack" support
    •  Application signatures can be added to the engine without requiring a system-software update
BYOD - Cisco Validated Designs
Releases: v2.5, v2.6, v2.7 (Aug 2013, Mar 2014, June 2014)
•  Security and Policy
    •  3rd-party MDM integration
    •  ISE logical profiles
    •  Personal/corporate devices
    •  TrustSec/SGA enforcement
•  UA/Mobility Infrastructure
    •  Converged Access
•  User Experience
    •  App Visibility & Control (AVC)
    •  Bonjour Application Gateway
•  Security and Policy
    •  TrustSec for Converged Access
    •  IOS XE 3.3.2SE
•  Mobile and Remote Access (for Jabber)
•  Location Awareness
    •  Cisco Mobility Services Engine
•  FQDN
•  Converged Access
    •  Wireless QoS, AVC
•  Updated Hardware/SW
    •  802.11ac via 3600 AP
    •  CUWN release 7.6
    •  ISE 1.2 Patch 6
•  Scalability Testing
http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/own_device.html#~overview
Mobile Policy
Cisco Identity Services Engine (ISE)
•  All-in-One Enterprise Policy Control
•  Security policy attributes: Who, What, Where, When, How
•  Identity context drives business-relevant policies
•  Across wired, wireless and VPN: VM client, IP device, guest, employee, remote user
BYOD Use Cases
Basic/Guest
•  Focus on basic services, guest access
•  Broader device types
•  Internet only
Limited
•  Environments with tight controls
•  Only corporate devices
•  IT whitelist
Enhanced
•  Differentiated services, on-boarding securely
•  Personal devices
•  Deny some devices
Advanced
•  Posture from Mobile Device Management
•  Any device, any ownership
•  MDM compliance
ISE and MDM Integration
Better together…
•  ISE has limited awareness of device posture; e.g. ISE can't detect whether PIN-lock is enabled, whether the device has been jailbroken/rooted, etc.
•  While Mobile Device Managers (MDM) provide posture information, their capacity to enforce network policies is limited
•  With the REST API integration, ISE 1.2 is able to:
    •  Receive device compliance information from the MDM in order to make network access policy decisions
    •  Push administrative device actions (such as remote wiping) via the MDM
ISE and MDM Integration
Critical Foundation for Mobile Workspace (ISE 1.2)
Enrollment: ISE-orchestrated to simplify user experience
•  Non-registered clients redirected to MDM registration page
•  Non-compliant clients will be given restricted access
Daily Access: network + device
•  Update data from endpoint which can be tied into access policy
De-enrollment: ability to initiate device action from ISE
•  Device stolen -> need to wipe data on client
MDM Policy Compliance
Dictionary Attributes
•  Is the device compliant with MDM policy?
•  Has the device registered with MDM?
•  Has the device been jail-broken/rooted?
•  Is PIN-lock enabled?
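As an added example (not code from the Cisco or Citrix deck), the ISE/MDM decision flow of the previous two slides and these four dictionary attributes, modelled in plain Python: an unregistered endpoint is redirected to MDM enrollment, a registered endpoint that fails any posture check gets restricted access, posture is re-read on every access request, and a wipe is pushed through the MDM. The MAC addresses, the inventory and the access-level names are constructed for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Access(Enum):
    """Network access outcome ISE hands back in an authorization result (names constructed)."""
    REDIRECT_TO_MDM = "redirect-to-mdm-registration"  # not enrolled: send to MDM portal
    RESTRICTED = "restricted"                          # enrolled but fails posture
    FULL = "full"                                      # enrolled and compliant


@dataclass(frozen=True)
class MdmPosture:
    """The four MDM dictionary attributes the slide lists."""
    registered: bool
    compliant: bool
    jailbroken_or_rooted: bool
    pin_lock_enabled: bool


# Constructed MDM inventory keyed by endpoint MAC (all values made up).
MDM_INVENTORY = {
    "00:11:22:33:44:01": MdmPosture(True, True, False, True),    # healthy device
    "00:11:22:33:44:02": MdmPosture(True, False, False, False),  # no PIN lock, non-compliant
    "00:11:22:33:44:03": MdmPosture(True, True, True, True),     # MDM says compliant, but rooted
}

# Posture reported for a MAC the MDM has never seen.
UNKNOWN = MdmPosture(registered=False, compliant=False,
                     jailbroken_or_rooted=False, pin_lock_enabled=False)


def lookup_posture(mac):
    """Stand-in for the REST query ISE sends to the MDM on every access request."""
    return MDM_INVENTORY.get(mac, UNKNOWN)


def authorize(mac):
    """Return (access level, list of reasons) for one endpoint."""
    posture = lookup_posture(mac)  # fresh lookup each time: the "daily access" re-evaluation
    if not posture.registered:
        return Access.REDIRECT_TO_MDM, ["not registered with MDM"]
    reasons = []
    if posture.jailbroken_or_rooted:
        reasons.append("device jailbroken/rooted")
    if not posture.pin_lock_enabled:
        reasons.append("PIN lock disabled")
    if not posture.compliant:
        reasons.append("MDM reports policy non-compliance")
    if reasons:
        return Access.RESTRICTED, reasons
    return Access.FULL, []


def update_posture(mac, **changes):
    """Simulate the MDM learning new facts about an enrolled device."""
    MDM_INVENTORY[mac] = replace(lookup_posture(mac), **changes)


def request_wipe(mac):
    """De-enrollment path: ISE asks the MDM to wipe a lost or stolen device.
    The MDM can only act on devices it manages, so unknown MACs are refused."""
    accepted = lookup_posture(mac).registered
    return {"mac": mac, "action": "wipe", "accepted": accepted}


if __name__ == "__main__":
    for mac in list(MDM_INVENTORY) + ["00:11:22:33:44:99"]:
        print(mac, authorize(mac))
```

Note that the rooted device is restricted even though the MDM flags it compliant: ISE evaluates each dictionary attribute, not only the overall compliance flag.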
Application Delivery
It's All About the Apps
Key capabilities are currently extended to smartphones more than tablets.
[Chart (2014): percentage of companies extending Email/Calendar, Collaboration Apps, Productivity Apps, Custom Business Apps, UC/IP Telephony/VoIP and Virtualized Desktops to smartphones vs. tablets]
Key capabilities will be extended to tablets more than smartphones in the future, and device form will influence the types of apps and resources extended.
[Chart (future): the same six categories, smartphones vs. tablets]
Source: Cisco Strategic Marketing Organization/2014 Mobility Landscape Survey – 1000 large and mid-sized companies
Unified App Store
XenMobile AppController and WorxStore deliver secure access to mobile and native Windows apps on mobile devices
Unified Application Store offering
•  Integrated with XenDesktop StoreFront
•  Native & enterprise mobile apps
•  Web and SaaS apps
•  Seamless delivery of Windows apps
WorxHome client for secure access to corporate applications
•  Apps launched from within WorxHome require user authentication
•  Optional application containerization
•  Apps and data easily wiped in the event the device is lost or stolen
Desktop Virtualization
Mobile worker must be able to access corporate apps from any device…
XenDesktop provides access to Windows apps on mobile devices
•  Native, in-house mobile application development may be delayed or impractical, hence access to Windows apps must be made available.
XenDesktop and Receiver improve the mobile user experience
•  Incorporates integrated optimizations for mobile devices
    •  Use of mobile device controls
    •  Automatic keyboard display in editable fields
    •  Touch-optimized desktop
•  SDK available for developing Windows apps with capabilities and behaviors typical of a mobile device
    •  Button usage definition
    •  Screen orientation
    •  On-screen keyboard activation
    •  Access to the device's telephone, SMS, and camera
    •  Local interface controls instead of Windows
Before…
After…
Mobilizing Windows Apps
High Definition Experience (HDX) Mobile
Translates keyboard / mouse tasks to a touch environment (edit box, combo box, keyboard pop-up, picker pop-up)
Mobile SDK for Windows Apps
HDX Mobile: autosenses and refactors hosted apps, optimized for screen resolution and orientation
Mobile SDK for Windows Apps
HDX Mobile: Local device features translated for virtual apps
Citrix Mobility Pack permits:
•  GPS data access
•  Camera access
Mobile Productivity
Cisco Mobile Workspace Solution for Mobile Workers
Mobile workers:
•  Have secure remote access to the corporate network
•  Have access to corporate Unified Communications and are reachable via corporate number or messaging anywhere
•  Have the ability to attend meetings via web with rich, collaborative capabilities
•  Have access to corporate apps regardless of the device they are using
•  Have access to work files anywhere without having to download everything to the device
Remote Access and Cisco AnyConnect
Mobile worker must have secure, consistent access anywhere…
Cisco AnyConnect Secure Mobility Client
•  IPsec/SSL full-tunnel VPN client
•  Always-on connectivity & superior user experience
•  Posture for desktops and mobile
•  Broad desktop and mobile OS platform support
•  Pushed transparently by XenMobile Device Manager along with connection profile to mobile devices
Clientless SSL VPN Portal on the ASA
•  Granular access control
•  Users presented with defined resources
•  Secure vault
•  Virtual desktop access for Citrix Receiver as ICA Proxy
•  Broad browser and application support
Unified Communications and Collaboration
Mobile workers must be able to work anywhere… with anyone… on any device...
•  Upon MDM registration, XenMobile Device Manager and AppController redirect clients to download the Cisco Jabber client and WebEx
•  Jabber communications to Cisco UC, IM, and video services enabled while on or off campus
•  AnyConnect not required while remote through use of Cisco Expressway
•  Seamless interoperability with AnyConnect when deploying Expressway at the edge
•  AVC on the WLC classifies voice and video traffic
•  QoS on Cisco wireless controllers enables a great overall user experience
Desktop Virtualization
Mobile workers must be able to securely access Windows apps and associated data from any device…
XenDesktop delivers secure access to corporate applications
•  Provides a consistent and secure virtual workspace for contractors and employees with personal devices
•  Allows for role-specific access to applications based on user credentials
•  Data securely stored in the data center
•  Desktop and user preferences customizable by Citrix policies as well as Microsoft GPO
Secure File Sharing and Storage
Mobile workers must be able to access and share files securely anywhere…
•  Access, share and sync files from any device
•  Apps for mobile devices
•  Sync for Windows and Mac for laptops and MacBooks
•  Mobile-optimized ShareFile web site (SaaS)
•  Data stored in cloud or locally in "StorageZone"
•  Local data stored in NAS, CIFS shares, & SharePoint
•  AD integration incorporating SAML authentication
•  Built-in mobile editor for rich content editing on-the-go
•  PDF annotation
[Diagram: ShareFile control plane and data plane]
Mobile Workspace Solution with Citrix 1.0 – CVD Overview
Cisco ISE integrated with Citrix XenMobile Device Manager and AppController – Device & App Management
Cisco Identity Services Engine 1.2
•  Policy management for device on-boarding and network access for wired or wireless devices while on the network
•  RADIUS AuthC/AuthZ for remote-access VPN
•  EM-BYOD v2.6 policies used as foundation
•  Policy enforced through ACLs and TrustSec (SGT)
•  Integrated with XenMobile Device Manager for visibility into mobile device policy compliance; quarantined if non-compliant
Cisco ASA Edge Firewall & VPN Edition
•  Providing remote access to the network
•  AnyConnect client used for access to corporate applications and Citrix infrastructure
•  Clientless (WebVPN) access for the case where ONLY access to XenDesktop is required
Cisco UCS Servers
•  Providing Microsoft AD, DNS/DHCP, and CA services
•  Supporting all Citrix infrastructure and built on VMware ESXi 5.1
•  Scaling guidance provided in Desktop Virtualization Solutions with Citrix CVD: http://www.cisco.com/c/en/us/solutions/enterprise/datacenter-designs-virtualization/landing_vdi_citrix.html
ASA VPN Remote Access
[Diagram: Remote Users -> ASA-Out (I-Edge) -> ASA-In & SSLVPN -> 6500 Core -> Nexus 7000 Data Center -> Cisco UCS hosting AD, Mail, ISE, CA, StoreFront 2.1, XenDesktop 7.0, XenMobile 2.10 (XM-MDM) and App Controller]
AnyConnect Client (SSL or IPsec)
•  AC client required on device
•  Access to AppC mobile apps via Worx, and to XenDesktop HSD via Receiver, after AC is launched
Clientless WebVPN
•  AC client not required
•  Only access to XenDesktop HSD
•  Receiver clientless WebVPN access to XenDesktop HSD
Cisco ISE integrated with Citrix XenMobile Device Manager and AppController – Mobile Device & App Mgmt
Citrix XenMobile Device Manager 8.7
•  Role-based restrictions of mobile device features, i.e. password/PIN lock, camera, applications, clipboard, etc.
•  Supports selective wipe of corporate applications launched from within WorxHome
•  Role-based deployment packages with policies and apps such as Cisco AnyConnect client, AC profile, Jabber and WebEx
•  Provides SAML federation services required for ShareFile AD integration
•  MDM serves as SCEP proxy for certificates required for MDM and AnyConnect client
•  Integrated with XenDesktop StoreFront
•  Users can register with MDM either on or off network
•  Integrated with XenMobile App Controller
Citrix XenMobile App Controller
•  Provides Unified App Store with Citrix Receiver and ShareFile as well as other mobile applications
•  Receiver configuration profile pushed transparently to mobile device based on user's AD credentials
•  Provides support for the WorxHome client from which apps can be securely launched using AD credentials
Citrix XenDesktop 7
Application and Desktop Virtualization
•  XenDesktop – Server OS machine catalogs providing Hosted Shared Desktops based on Server 2008 R2
•  Implement StoreFront to provide access to XenDesktop HSD and Windows applications
•  Hosted Shared Desktops enumerated by Machine Creation Services
•  Fills requirement for shared desktop addressing tablet and laptop users without intensive graphic or computing requirements
•  Machine Catalogs and Delivery Groups dedicated for each user "role"
•  Desktops customized for specific user roles based on Active Directory credentials
•  ShareFile Sync for Windows available on shared desktops
Citrix ShareFile
Mobile Information Management
•  Providing enterprise-grade file sharing
•  Split control and data plane
    •  Control plane resident in Citrix cloud: user authentication, resource list (i.e. files, folders)
•  Files can be stored in cloud storage or in a local "StorageZone" for regulatory compliance of sensitive files; NAS, CIFS, SharePoint support
•  Ubiquitous access regardless of device as a mobile app, Outlook plug-in, and Sync app for Windows and MacOS
•  AD-SSO via SAML services deployed on XenMobile App Controller
•  Sync for Windows deployed on XenDesktop HSD
The Mobile Workspace Solution Components
In Summary…
CMWS 1.0 CVD - http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMWSwC.html
BYOD 2.6 CVD - http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/own_device.html
Desktop Virtualization CVD - http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-virtualization/landing_vdi_citrix.html
Q&A
Thank you.