Mobilize Employees with the Cisco Mobile Workspace Solution
Mike Jessup, Engineering Tech Lead, Systems Development Unit, Cisco Systems
Marcelo Brosig, Solution Architect, Americas Strategic Alliances, Citrix Systems
John Monaghan, Consulting Systems Engr., EMEAR Enterprise Networking, Cisco Systems
June 4 2014

What is a Mobile Workspace?
MOBILE DEVICES | MOBILE APPLICATIONS | MOBILE EXPERIENCES
Native | Virtual | HTML5 | SaaS | Voice | Video
A mobile workspace provides consistent, seamless and secure mobile access to applications, content and communications on any user or corporate device, anywhere.
Security Infrastructure: OFFICE | MOBILE | TELE
COMPLETE END-TO-END MOBILITY SOLUTION
INFRASTRUCTURE AND MOBILE APP EXCELLENCE
SIMPLIFIED DEPLOYMENT AND SUPPORT
LINKED INFRASTRUCTURE AND MOBILE APP POLICY

Customer Challenges with BYOD and Mobility
WiFi Growth and Reliability
• Number of devices: 40-100% Y/Y growth
• Mobile applications driving higher bandwidth requirements (802.11ac and LTE)
• Ubiquitous wired-like service expectation
BYOD is just a subset
• CYOD – Choose Your Own Device, corporate assets
• Ownership is less important; it's about managing/securing data
Data Loss Prevention Strategy
• Compliance with industry/government regulations (HIPAA, PCI, S-Ox, etc.)
• Balancing security with user experience
Application Support
• How to provide access to legacy applications (Windows, Office, others)?
• App and desktop virtualization shifting to mobile use cases
• Mobile app lifecycle, including portability and development costs
Complexity and Confusion of Solutions in the Market
• Should I use an MDM? Which one?
• How do I secure it?
• Which security technologies?
• How will HTML5 affect my strategy?
• Cloud vs. on-premise?
Sources: * Accenture CIO 2013 Survey; ** Gartner Research; *** IDC Research; **** Nemertes 2013
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Mobile Workspace with Citrix: Solution Differentiators
• Simplified integrated solution – customers do not have to select/integrate many technologies
• Modular building-block approach provides insertion for different buying centers: network, security, desktop, mobility, application
• Seamless zero-touch BYOD onboarding (ISE and XenMobile integration)
• Mobile data protection for security/compliance in healthcare, finance, retail, etc.
• Flexible support for all application delivery models (native, virtual, HTML5, SaaS, collaboration)
• Improved mobile user experience (Cisco WLAN prioritizes Citrix protocol/traffic)
• Validated designs mitigate deployment risk with proven reference architectures

The Mobile Workspace Solution Components
Architecture and Components (BYOD Solution Components, Desktop Virtualization Solution Components, Mobile Workspace Solution Components)
Any Device
Applications and Content
• Mobile Productivity, Mobile Data Security: Worx Mobile Apps, ShareFile, Receiver
• Mobile Collaboration: Unified Comms, Jabber, WebEx
Application Delivery
• App/Desktop Virtualization: XenApp, XenDesktop
• Unified App Store: XenMobile, StoreFront
Mobile Policy
• Network Policy Control: ISE, AnyConnect
Mobile Networking
• Unified Access, Secure Access
• Mobile Device Management: XenMobile
Core Infrastructure + Security
• Cloud Infrastructure: Unified Data Center, Security Services

Cisco Mobile Workspace Solution with Citrix: Benefits
Best for BUSINESS and IT
SIMPLE
• Single architecture accelerates enabling mobile workstyles and apps
• Integrated, modular, validated solution for faster, risk-free deployments
SECURE
• Protecting access, data, and applications for maximum risk mitigation
• Centralized, multilayer policy management and enforcement: users, access, devices, data, apps
SMART
• Flexible architecture to support a broad set of use cases and workstyles
• Built on scalable, intelligent Cisco Unified Access and HDX for a great mobile user experience
Best for END USERS
• Easy, seamless mobile device on-boarding and app experience
• Worry-free secure access for any app on any device, anywhere
• Choice and flexibility to roam between devices, networks, locations
Complete Best-in-Class B2E Mobile Solutions and Services

Mobile Workspace Solution Demo
John Monaghan, Consulting Systems Engr., EMEAR Enterprise Networking

Core Infrastructure and Security

Cisco Mobile Workspace with Citrix Starts with Unified Access / BYOD Foundation
• Secure network access anywhere, anytime…
• AAA services provided by Cisco Identity Services Engine
• Authentication with PKI, AD, and OTP (RSA)
• Role-based assignment with access restrictions
  • Access Control Lists
  • TrustSec – Security Group Tags
• ISE MDM integration for mobile device policy
Cisco High Density Experience Technology Enabling the Mobile Workspace
Performance, Mitigation, Scalability and Roaming Optimized for High Client Density WiFi Networks
• 80 MHz RF: optimal performance for high-throughput, high-density environments
• CleanAir: RF interference detection and mitigation optimized for 802.11ac's wider channel bandwidths
• Turbo Performance: support highly dense clients without performance degradation; scale seamlessly to 60+ 802.11ac clients using interactive video and multimedia traffic
• ClientLink 3.0: increase performance and range by up to 60%; Cisco patented implicit beamforming technology for 802.11ac clients, complementing explicit BF; also extends capabilities to 802.11a/g/n clients
• Smart Roam: intelligently assist client roaming; right-size the WiFi cell to better assist client handoff in a dense network
• RF Noise Reduction: enables higher-density AP deployments to support client density and increased bandwidth; increases spectrum usage efficiency to improve co-channel performance

Mobile Traffic and the Need for QoS
Intelligently Managing Mobile Traffic
• Assuring voice quality from wireless applications meets enterprise VoIP requirements
• Ensuring video applications are delivered to/from wireless devices with a high Quality of Experience
• Provisioning preferred services for business-critical applications running on wireless devices
• De-prioritizing "background" business application traffic
• Identifying and de-prioritizing (or dropping) non-business applications
Cisco Application Visibility and Control for WLCs
• Provides Deep-Packet Inspection (DPI) capabilities
  • Identifies applications via Layer 7 stateful signatures
  • Leverages the IOS Network-Based Application Recognition (NBAR2) engine
• Over 1000 applications
• Available on Cisco Wireless Controllers, Routers, and Switches
• Introduced for WLANs in AireOS 7.4
• AireOS 7.6 added "Protocol Pack" support
  • Application signatures can be added to the engine without requiring a system-software update

BYOD – Cisco Validated Designs
v2.5 (Aug 2013)
• Security and Policy
  • 3rd-party MDM integration
  • ISE logical profiles
  • Personal/corporate devices
  • TrustSec/SGA enforcement
• UA/Mobility Infrastructure
  • Converged Access
• User Experience
  • App Visibility & Control (AVC)
  • Bonjour Application Gateway
v2.6 (Mar 2014) and v2.7 (June 2014)
• Security and Policy
  • TrustSec for Converged Access
  • IOS XE 3.3.2SE
• Mobile and Remote Access
• Location Awareness
  • Cisco Mobility Services Engine
• FQDN
• Converged Access
  • Wireless QoS, AVC
• Updated Hardware/SW
  • 802.11ac via 3600 AP
  • CUWN release 7.6
  • ISE 1.2 Patch 6 for Jabber
• Scalability Testing
http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/own_device.html#~overview

Mobile Policy

Cisco Identity Services Engine (ISE)
• All-in-One Enterprise Policy Control
• Security policy attributes: Who, What, Where, When, How
• Identity context
• Business-relevant policies
• Wired, Wireless, VPN
• VM client, IP device, guest, employee, remote user
BYOD Use Cases
• BASIC/GUEST: focus on basic services, guest access; broader device types; Internet only
• LIMITED: environments with tight controls; only corporate devices; IT whitelist
• ENHANCED: differentiated services, on-boarding; personal devices; deny some devices
• ADVANCED: securely posture from Mobile Device Management; any device, any ownership; MDM compliance

ISE and MDM Integration
Better together…
• ISE has limited awareness of device posture, e.g. ISE can't detect whether PIN-lock is enabled, whether the device has been jailbroken/rooted, etc.
• While Mobile Device Managers (MDM) provide posture information, their capacity to enforce network policies is limited
• With the REST API integration, ISE 1.2 is able to:
  • Receive device compliance information from the MDM in order to make network access policy decisions
  • Push administrative device actions (such as remote wiping) via the MDM

ISE and MDM Integration
Critical Foundation for Mobile Workspace
• Enrollment: ISE-orchestrated to simplify user experience
  • Non-registered clients redirected to the MDM registration page
  • Non-compliant clients will be given restricted access
• Daily Access (ISE 1.2): network + device
  • Updated data from the endpoint can be tied into access policy
• De-enrollment: ability to initiate device action from ISE
  • Device stolen -> need to wipe data on client

MDM Policy Compliance Dictionary Attributes
• Is the device compliant with MDM policy?
• Has the device registered with MDM?
• Has the device been jailbroken/rooted?
• Is PIN-lock enabled?

Application Delivery
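The ISE/MDM decision flow described under Mobile Policy above (redirect unregistered devices to MDM registration, restrict non-compliant ones, full access otherwise, driven by the four dictionary attributes), modeled as an added example. This is not Cisco or Citrix code: the JSON field names returned by the MDM, the fail-closed handling of an unusable MDM answer, and the function names are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Access(Enum):
    FULL = "full"                  # registered and compliant: normal role-based access
    RESTRICTED = "restricted"      # registered but non-compliant: quarantine via ACL/SGT
    MDM_REDIRECT = "mdm-redirect"  # not registered: redirect to the MDM registration page

@dataclass(frozen=True)
class MdmPosture:
    """The four MDM dictionary attributes the deck lists (field names are assumed)."""
    registered: bool
    compliant: bool
    jailbroken: bool
    pin_lock: bool

def parse_mdm_response(body: str) -> Optional[MdmPosture]:
    """Map a constructed MDM REST answer onto the dictionary attributes.
    Returns None when the answer is unusable so the caller can fail closed."""
    try:
        data = json.loads(body)
        return MdmPosture(registered=bool(data["registered"]),
                          compliant=bool(data["compliant"]),
                          jailbroken=bool(data["jailbroken"]),
                          pin_lock=bool(data["pin_lock"]))
    except (ValueError, KeyError, TypeError):
        return None

def decide_access(posture: Optional[MdmPosture], require_pin: bool = True) -> Tuple[Access, str]:
    """Return (Access, reason) following the enrollment / daily-access flow on the slides."""
    if posture is None:
        # Assumption: an unreachable or malformed MDM answer is treated as
        # non-compliant (restricted), never as unknown-but-allowed.
        return Access.RESTRICTED, "no usable MDM posture"
    if not posture.registered:
        return Access.MDM_REDIRECT, "device not registered with MDM"
    if posture.jailbroken:
        return Access.RESTRICTED, "device is jailbroken/rooted"
    if require_pin and not posture.pin_lock:
        return Access.RESTRICTED, "PIN-lock not enabled"
    if not posture.compliant:
        return Access.RESTRICTED, "device non-compliant with MDM policy"
    return Access.FULL, "registered and compliant"

# Constructed sample MDM answers, one per branch of the decision flow.
SAMPLE_RESPONSES = {
    "new-phone": '{"registered": false, "compliant": false, "jailbroken": false, "pin_lock": false}',
    "rooted": '{"registered": true, "compliant": true, "jailbroken": true, "pin_lock": true}',
    "no-pin": '{"registered": true, "compliant": true, "jailbroken": false, "pin_lock": false}',
    "good": '{"registered": true, "compliant": true, "jailbroken": false, "pin_lock": true}',
    "garbage": "not json",
}

def evaluate_all(responses=SAMPLE_RESPONSES) -> dict:
    """Run the decision over every sample; returns {name: access value}."""
    return {name: decide_access(parse_mdm_response(body))[0].value
            for name, body in responses.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:10s} -> {verdict}")
```

The order of the checks matters: registration is tested first because an unregistered device cannot have meaningful compliance data, and the fail-closed branch keeps a broken MDM link from silently widening access.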
It's All About the Apps
[Chart: key capabilities are currently extended to smartphones more than tablets. 2014 figures, smartphone and tablet, for Email/Calendar, Collaboration Apps, Productivity Apps, Custom Business Apps, UC/IP Telephony/VoIP and Virtualized Desktops range from 14% to 73%.]
[Chart: key capabilities will be extended to tablets more than smartphones in the future, and device form will influence the types of apps and resources extended. Future figures for the same six categories range from 75% to 96%.]
Source: Cisco Strategic Marketing Organization / 2014 Mobility Landscape Survey – 1000 large and mid-sized companies

Unified App Store
XenMobile AppController and WorxStore deliver secure access to mobile and native Windows apps on mobile devices
Unified Application Store offering
• Integrated with XenDesktop StoreFront
• Native and enterprise mobile apps
• Web and SaaS apps
• Seamless delivery of Windows apps
WorxHome client for secure access to corporate applications
• Apps launched from within WorxHome require user authentication
• Optional application containerization
• Apps and data easily wiped in the event a device is lost or stolen

Desktop Virtualization
Mobile workers must be able to access corporate apps from any device…
XenDesktop provides access to Windows apps on mobile devices
• Native, in-house mobile application development may be delayed or impractical, hence access to Windows apps must be made available.
XenDesktop and Receiver improve the mobile user experience
• Incorporates integrated optimizations for mobile devices
  • Use of mobile device controls
  • Automatic keyboard display in editable fields
  • Touch-optimized desktop
• SDK available for developing Windows apps with capabilities and behaviors typical of a mobile device
  • Button usage definition
  • Screen orientation
  • On-screen keyboard activation
  • Access to the device's telephone, SMS, and camera
  • Local interface controls instead of Windows

Before…

After…

Mobilizing Windows Apps
High Definition Experience (HDX) Mobile translates keyboard/mouse tasks to a touch environment: edit box, combo box, keyboard pop-up, picker pop-up

Mobile SDK for Windows Apps
HDX Mobile: autosenses and refactors hosted apps, optimized for screen resolution and orientation

Mobile SDK for Windows Apps
HDX Mobile: local device features translated for virtual apps
Citrix Mobility Pack permits:
• GPS data access
• Camera access

Mobile Productivity

Cisco Mobile Workspace Solution for Mobile Workers
• Have secure remote access to the corporate network
• Have access to corporate Unified Communications and be reachable via corporate number or messaging anywhere
• Have the ability to attend meetings via web with rich, collaborative capabilities
• Have access to corporate apps regardless of the device they are using
• Have access to work files anywhere without having to download everything to the device

Remote Access and Cisco AnyConnect
Mobile workers must have secure, consistent access anywhere…
Cisco AnyConnect Secure Mobility Client
• IPsec/SSL full-tunnel VPN client
• Always-on connectivity and superior user experience
• Posture for desktops and mobile
• Broad desktop and mobile OS platform support
• Pushed transparently by XenMobile Device Manager along with the connection profile to mobile devices
Clientless SSL VPN Portal on the ASA
• Granular access control
• Users presented with defined resources
• Secure vault
• Virtual desktop access for Citrix Receiver as ICA Proxy
• Broad browser and application support

Unified Communications and Collaboration
Mobile workers must be able to work anywhere… with anyone… on any device…
• Upon MDM registration, XenMobile Device Manager and AppController redirect clients to download the Cisco Jabber client and WebEx
• Jabber communications to Cisco UC, IM, and video services enabled while on or off campus
• AnyConnect not required while remote, through use of Cisco Expressway
• Seamless interoperability with AnyConnect when deploying Expressway at the edge
• AVC on the WLC classifies voice and video traffic
• QoS on Cisco wireless controllers enables a great overall user experience

Desktop Virtualization
Mobile workers must be able to securely access Windows apps and associated data from any device…
XenDesktop delivers secure access to corporate applications
• Provides a consistent and secure virtual workspace for contractors and employees with personal devices
• Allows for role-specific access to applications based on user credentials
• Data securely stored in the data center
• Desktop and user preferences customizable by Citrix policies as well as Microsoft GPO

Secure File Sharing and Storage
Mobile workers must be able to access and share files securely anywhere…
• Access, share and sync files from any device
  • Apps for mobile devices
  • Sync for Windows and Mac for laptops and MacBooks
  • Mobile-optimized ShareFile web site (SaaS)
• Data stored in the cloud or locally in a "StorageZone"
  • Local data stored in NAS, CIFS shares, and SharePoint
• AD integration incorporating SAML authentication
• Built-in mobile editor for rich content editing on the go
  • PDF annotation
[Diagram: Control Plane / Data Plane]

Mobile Workspace Solution with Citrix 1.0 CVD Overview

Cisco ISE integrated with Citrix XenMobile Device Manager and AppController – Device & App Management
Cisco Identity Services Engine 1.2
• Policy management for device on-boarding and network access for wired or wireless devices while on the network
• RADIUS AuthC/AuthZ for remote-access VPN
• EM-BYOD v2.6 policies used as foundation
• Policy enforced through ACLs and TrustSec (SGT)
• Integrated with XenMobile Device Manager for visibility into mobile device policy compliance; quarantined if non-compliant
Cisco ASA Edge Firewall & VPN Edition
• Providing remote access to the network
• AnyConnect client used for access to corporate applications and Citrix infrastructure
• Clientless (WebVPN) access for the case where ONLY access to XenDesktop is required
Cisco UCS Servers
• Providing Microsoft AD, DNS/DHCP, and CA services
• Supporting all Citrix infrastructure, built on VMware ESXi 5.1
• Scaling guidance provided in the Desktop Virtualization Solutions with Citrix CVD: http://www.cisco.com/c/en/us/solutions/enterprise/datacenter-designs-virtualization/landing_vdi_citrix.html

ASA VPN Remote Access
[Diagram: two topologies. In both, Remote Users reach ASA-Out, I-Edge 6500, ASA-In & SSLVPN, Core 6500, Nexus 7000 and the Cisco UCS Data Center hosting AD, Mail, ISE, CA, StoreFront 2.1 and XenDesktop 7.0; the AnyConnect topology also includes XenMobile 2.10 (XM-MDM) and App Controller.]
AnyConnect SSL or IPsec
• AnyConnect client required on the device
• Access to AppController mobile apps via Worx and to XenDesktop HSD via Receiver after AnyConnect is launched
Clientless WebVPN
• AnyConnect client not required
• Only access to XenDesktop HSD
• Receiver clientless WebVPN access to XenDesktop HSD

Cisco ISE integrated with Citrix XenMobile Device Manager and AppController – Mobile Device & App Mgmt
Citrix XenMobile Device Manager 8.7
• Role-based restrictions of mobile device features, i.e. password/PIN lock, camera, applications, clipboard, etc.
• Role-based deployment packages with policies and apps such as Cisco AnyConnect client, AC profile, Jabber and WebEx
• MDM serves as SCEP proxy for certificates required for MDM and the AnyConnect client
• Users can register with MDM either on or off network
• Integrated with XenMobile App Controller
Citrix XenMobile App Controller (cont'd)
• Supports selective wipe of corporate applications launched from within WorxHome
• Provides SAML federation services required for ShareFile AD integration
• Integrated with XenDesktop StoreFront
Citrix XenMobile App Controller
• Provides Unified App Store with Citrix Receiver and ShareFile as well as other mobile applications
• Receiver configuration profile pushed transparently to the mobile device based on the user's AD credentials
• Provides support for the WorxHome client, from which apps can be securely launched using AD credentials

Citrix XenDesktop 7 Application and Desktop Virtualization
Citrix XenDesktop 7
• XenDesktop – Server OS machine catalogs providing Hosted Shared Desktops based on Server 2008 R2
• Implement StoreFront to provide access to XenDesktop HSD and Windows applications
• Hosted Shared Desktops enumerated by Machine Creation Services
• Fills the requirement for a shared desktop addressing tablet and laptop users without intensive graphics or computing requirements
• Machine catalogs and delivery groups dedicated to each user "role"
• Desktops customized for specific user roles based on Active Directory credentials
• ShareFile Sync for Windows available on shared desktops

Citrix ShareFile Mobile Information Management
Citrix ShareFile
• Providing enterprise-grade file sharing
• Split control and data plane
  • Control plane resident in the Citrix cloud: user authentication; resource list, i.e. files, folders
  • Files can be stored in cloud storage or in a local "StorageZone" for regulatory compliance of sensitive files; NAS, CIFS, SharePoint support
• Ubiquitous access regardless of device, as a mobile app, Outlook plug-in, and Sync app for Windows and MacOS
• AD SSO via SAML services deployed on XenMobile App Controller
• Sync for Windows deployed on XenDesktop HSD
The Mobile Workspace Solution Components
In Summary…
CMWS 1.0 CVD – http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMWSwC.html
BYOD 2.6 CVD – http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/own_device.html
Desktop Virtualization CVD – http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-virtualization/landing_vdi_citrix.html

Q&A
Thank you.