Cloud Q&A: Centrify Centralizes Mobile Control

Centrify's DirectControl for Mobile manages it all, from Windows to Apple to Android devices, via Active Directory. What's different here? The cloud was the first option.

Doug Barney talks with Centrify senior director of product management David McNeely about its cloud-first approach when developing Centrify DirectControl for Mobile. Another in a series of Q&As with companies taking their wares to the cloud.

How different or similar is Centrify DirectControl for Mobile to the on-premises tool?
First-generation mobile device management products require stand-alone infrastructure deployed within the enterprise. In order to enable enrollment, self-service and policy enforcement for mobile devices (employee and corporate owned), organizations are forced to make network and firewall configuration changes for mobile devices to communicate to the on-premise MDM infrastructure. Given that mobility demands secure access to corporate resources from mobile operator and WiFi networks, a cloud-based model for mobile device security and management leveraging existing on-premise infrastructure is becoming the preferred option by more organizations.

According to Gartner's Andrew Walls, Research Director Security, Risk & Privacy, "Organizations are struggling with how to assert both authentication and policy enforcement across a wide variety of platforms. With a new fleet of mobile devices entering the organization, the issue is increasingly topical. Enterprises should consider mobile security policy enforcement solutions that best leverage existing directory deployments for group membership, authentication and to eliminate the need to set up an intermediate or additional credential repository."

Centrify's approach uses a cloud-based service to enable trusted over-the-air enrollment, security and management of mobile devices in Active Directory even if the devices are not connected to the corporate network. A proxy ensures administrative actions on Active Directory are securely communicated to the cloud-service and on to the user's mobile device. This eliminates the need for complex new infrastructures or intrusive changes to corporate networks and firewalls. Enterprises use familiar administrator tools (ADUC, GPOE), skills and process while providing a quick startup time that is frictionless to deploy because it leverages an infrastructure that already exists in the enterprise -- Active Directory.

What did it take to make the move to the cloud?
Centrify allows an organization to leverage an existing investment and infrastructure -- Microsoft Active Directory (which organizations already use today to manage and secure Windows laptops and desktops). And with Centrify's expertise and long experience managing and securing non-Microsoft systems such as Mac and Linux, the transition to extend this lightweight approach to popular mobile devices was a natural extension to Centrify's existing business.

Centrify's approach has the added benefit of lowering Total Cost of Ownership and providing a quicker Return on Investment.

How does a customer make the transition?
Customers have a simple transition from an on-premise mobile device management offering to Centrify's Cloud Service. Centrify allows enterprise users to enroll devices in Active Directory through a self-service process. The user enrolls their device by simply entering their Customer ID and their AD username and password via a web-based form or via a Centrify mobile application that they install on their device. Using either method, a trusted over-the-air connection is made from the device to the Centrify Cloud Service, which in turn communicates to the on-premise Cloud Proxy Server.

The end result is that a computer object within AD is created, and the device is associated in the directory with the user that enrolled the device. Because the device is in the directory, group policies are then automatically applied to the device via the Cloud Proxy Server back to the Cloud Service and then to the device. This also means that the device is fully integrated into the lifecycle of the user's AD credential so that policy updates based on group affiliation apply. The device is locked and/or wiped when reported lost or stolen and completely de-provisioned from corporate access when the user leaves the organization. There is no separate 'pane of glass' or process that makes supporting mobile devices and BYOD trends difficult for an organization.

Is there interoperability?
Centrify DirectControl for Mobile provides interoperability with the organization's on-premise Active Directory infrastructure. By extending Active Directory authentication, security policy and groups to the management of mobile devices and Macs, Centrify ties together the major trends for BYOD empowering IT organizations to secure and manage endpoints, servers and applications with one interoperable framework.

What has been the customer reaction?
"We first signed up for a beta test with Centrify, and it worked well. We're using Centrify's cloud-based mobile device management through Active Directory application," said Kevin Martin, CTO of Universal Melody Services. "It allows me to get to the application from anywhere in the world. I can always login to the Centrify website and issue my commands from there."

What are the economic advantages?
The reality for managing mobile devices is that mobile OS vendors such as Apple have completely leveled the playing field by providing a consistent Mobile Device Management API for all mobile security vendors to utilize. The reality is that MDM vendors' data sheets show comparable functionality. The vendor differentiation for mobile security then really becomes how the vendor delivers its functionality from a technology perspective and how the vendor sells and packages the solution to the market.

Centrify decided to take the unique technology approach of letting a customer manage their mobile devices with a management framework that they already have -- Microsoft Active Directory. Organizations already use AD to centrally manage and apply policies to Windows systems, and with Centrify to hundreds of different types of UNIX, Linux and Mac systems. And now they can do the same with mobile devices. Alternative solutions force organizations to buy yet another management "silo" to manage mobile devices, with the corresponding costs associated with it. The Centrify approach results in significantly lower Total Cost of Ownership and quicker Return on Investment.

In addition, the heavy lifting of managing mobile devices is done by the Centrify Cloud Service. Many other MDM vendors don't offer a cloud offering, and instead force organizations to install and deploy an on-premise management system or appliance in their environment, requiring changes to their firewall settings. Centrify's AD-centric approach coupled with the Centrify Cloud Service makes Centrify DirectControl for Mobile even more frictionless to deploy and further lowers TCO and increases ROI.

It is important from a technology perspective to not simply just manage mobile devices, but also manage and secure other devices such as Macs in a unified fashion. Centrify provides a comprehensive solution that addresses not only mobile but more than 375 versions of UNIX, Linux and Mac -- something that other MDM vendors can't offer.

Based on this experience, are you doing more cloud work?
Centrify has long experience unifying secure access for endpoints, servers and applications within enterprises. With our launch of the cloud service for mobile endpoints we see a large opportunity to provide the same advantages for systems and applications anywhere these resources reside (in hybrid or public cloud environments).

What is the best compliment you've heard from customers?
From customer Kevin Martin, CTO for Universal Melody Services in Dallas: "Being the number one music source in the state, we have a mobile workforce with numerous devices connected to our Exchange server; and we have always been concerned about email security and keeping sensitive corporate information safe."

"We beta tested the Centrify mobile security solution after deep research into what was available on the market. The performance has been flawless, and its easy integration into our Active Directory environment simplifies securing and managing mobile devices using our existing people and processes. Centrify has helped me sleep at night, knowing sensitive information on our mobile devices is secure."

About the Author

Doug Barney is editor in chief of Redmond magazine and the VP, editorial director of Redmond Media Group.

