One of the smartest things a company can do to support their employees is allow them to work from their own customizable devices. Enterprise mobility and flexibility are prized in the workplace, but it also entail a lot of extra work for IT to keep corporate data secure. Fortunately, provides smart ways to manage both corporate data and apps discreetly- seamlessly separating work data from personal data while keeping users informed on how their devices are being managed.

Apple’s unified management framework for enterprise mobility

Apple’s unified management framework for iOS supports both corporate-owned and user-owned, as well as personally-owned, devices. With it, IT can:

• Configure and update settings
• Deploy applications
• Monitor compliance
• Query devices
• Remotely wipe or lock devices

The framework is already built into iOS, allowing devices to be managed with a light touch as well as full control by third-party (MDM) solutions without degrading user experience or compromising employee privacy.

Managing corporate data

With iOS, IT doesn’t have to lock down employee devices. Key technologies control the flow of corporate data between apps and prevent any of it from slipping through the cracks to the user’s personal apps or cloud services.

Managed content

Managed content covers the installation, configuration, management, and removal of App Store and custom in-house apps, accounts, books, and domains.

• Managed Apps: These apps can be from the App Store or custom in-house apps, and are installed over the air using . Managed apps often contain sensitive information and provide more control than apps downloaded by the user. The MDM server can remove managed apps and their associated data on demand, or specify whether they should be removed when the MDM profile is removed. The MDM server can also prevent corporate data from getting backed up to iTunes and iCloud.
• Managed Accounts: MDM gets your users up and running quickly by setting up mail and other accounts automatically. Account payloads can also be pre-populated with a user’s name, email address, and certificate identities for authentication and signing.
• Managed Books: With MDM, books, ePub literature, and PDF documents can be automatically pushed to user devices, so employees always have what they need. When no longer needed, the materials can be removed remotely.
• Managed Domains: Downloads through the Safari browser are considered managed documents if they originate from a managed domain. MDM ensures that downloads from those domains comply with all managed document settings and are managed by default.

Managed distribution

Managed distribution lets IT use the MDM solution or Apple Configurator 2 to manage apps and books purchased from the Apple Business Manager. Users can be prompted when apps are ready to be installed on their device, or they can be silently pushed through without prompting.

Managed app configuration

With managed app configuration, MDM uses the native iOS management framework to configure apps during or after deployment. This allows users to start using them right away without requiring custom setup and demonstrates to IT that corporate data within the apps is being handled securely.

Managed data flow

MDM solutions provide specific features that enable corporate data to be managed at such a level that none of it leaks out to the user’s personal apps and .

• Managed Open In: Open In management keeps attachments or documents originating from managed sources from opening in unmanaged destinations, and vice versa
• Managed Extensions: App extensions give third-party developers a way to provide functionality to other apps, or even to key systems built into iOS like Notification Center, which enables new business workflows between apps

Managed security

When a device is managed, an MDM server can perform a variety of administrative tasks to ensure corporate data is kept secure without compromising enterprise mobility. This includes changing configuration settings automatically without user interaction, performing an iOS update on , locking or wiping a device remotely, or clearing the password lock so users can reset forgotten passwords.

With iOS 9.3 or later, your MDM solution can place a device in Lost Mode remotely. This locks the device and allows a message with a phone number displayed on the Lock screen. Supervised devices can also be located if they are lost or stolen because MDM remotely queries their location the last time they were online.

Contact WEI about corporate data management solutions today

Apple’s unified management framework in iOS gives your enterprise the best of both worlds. IT is able to configure, manage, and secure devices, as well as control corporate data, while users enjoy enterprise mobility on the devices they love to use. Contact WEI today to learn how we can help your design a custom corporate data management solution.

The post Tips for Managing Corporate Data on Apple iOS appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

Several Trojans then took advantage of the web of shared files, spreading cryptocurrency-mining malware throughout the department. Bank Trojans were then introduced and soon an administrator password was recorded and compromised. The virus began proliferating throughout the school system, taking advantage of devices that were behind in their endpoint protection updates. As the school has a successful one-to-one program that boasts more than 13,000 laptops, the virus had a lot of potential targets. Slowly and methodically, the virus grew, consuming the processing power of servers and client devices, capturing account credentials as users interacted with the machines. By the time the full ramifications of the virus had come to light, the only available option was to bring in additional resources to clean servers and reset or re-image workstations.

The district’s enterprise infrastructure consisted of hundreds of Aruba switches along with Aruba Instant Access Points. It’s just too bad they didn’t have ClearPass to complement and secure the enterprise. Many people associate as a system to onboard and authorize BYOD and guest devices. Others know it as a (NAC) solution. While those are important components of Aruba ClearPass, that sell this multifaceted solution well short. ClearPass is a policy management platform that gives you broad visibility throughout your enterprise and offers a suite of tools to protect your networks and the infrastructure that supports it.

Identifying what is on your network

One problem for the school district was the inability to know what exactly was on its network. While the IT staff was able to discern through SCCM logs where the virus started, often times, organizations simply have no idea. Was the malware introduced through a domain joined device, guest device, or smart phone that was anonymously brought in? Anonymity is a thing of the past with ClearPass because every device is required to check in and identify itself, whether connected via wired, wireless, or VPN. Access control policies then state whether a device can be joined or not. All of this is performed in automated fashion requiring little IT involvement. With Aruba ClearPass, you always know what and who is connected to your network with near little time invested.

Creating profiles for all of your devices

Once connected, a profile is created within ClearPass for every device. In this case, the IT department would have been reminded every day about the outdated operating systems that were vulnerable to the EternalBlue exploit. They would have known about the operating systems, hostnames and MAC addresses of each and every device on the network. A built-in certificate authority issues certificates to then identify and reconnoiter all devices while connected.

Health Checks and Posture Assessments

Malware only requires a minimal window of vulnerability to infect a network and spread. This is why it is so imperative that all connected devices are up-to-date when it comes to endpoint and operating system updates. In organizations with thousands of devices, how do you know if they are all in compliance or not? With Aruba ClearPass, there is no more uncertainty involving outdated systems. Every time a device attempts to connect, it is checked for all security criteria set forth by your IT department. This includes minimum standards concerning endpoint protection, updates and firewall activation. This is done through the use of persistent or dissolving agents that support both auto and manual remediation. ClearPass then continues to perform health checks and posture assessments in order to identify weak and vulnerable devices because it only takes one exploited device to bring down your entire network.

Segmentation

Although this malware attack infiltrated domain joined devices from the start, it is your guest network that is the most vulnerable. But how do you segment your guest network without a complicated conglomeration of VLAN switch port assignments and AP access control lists? Well, with ClearPass, VLAN segmentation is done dynamically with little configuration. All devices residing in the guest category are automatically sectored into a separate VLAN that is routed straight to the internet without complicated manual configurations. Referred to as “colorless ports,” devices are assigned to VLANs according to enforced policies, not static port placement.

Wired 802.1x Authentication

Although ClearPass is correctly associated with , it provides important management and security features for wired workstations, servers, and IoT devices as well. ClearPass incorporates 802.1x authentication methods so that the only wired computers that can gain access to your network are the ones that have LDAP or similar accounts. Wired devices can then be assigned policies as well.

Protect your dynamic enterprise network of devices

ClearPass is the policy management platform you need to identify, enforce, and protect your network devices. There is nothing static about your network, so why would you continue to depend on static-based configuration tools and methods to manage it? We can never know if ClearPass could have prevented the malware attack mentioned earlier, but it would have given IT the information and reconnaissance about their devices to have at least contained it.

Next Steps: Talk to the Aruba experts at WEI to better understand how a solution like ClearPass can benefit your business. As an award-winning IT solutions provider, WEI can perform a to detect how well your current wireless solution is performing and can help identify any gaps in coverage. Click below to learn more and get started with an assessment.

The post Aruba ClearPass – Profiles, Health checks, Segmentation, and more appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

Before we dive into some frequently asked questions about ClearPass, it will be beneficial to discuss some of the misconceptions between wired and wireless networking out there. Wired is a very challenging thing to do, given that you have open ports out there. Anybody that walks into your environment can just plug in, making it important to secure the wire. is much easier, because the wireless is just one component controlling the entire wireless. With a wired connection, there are different switches, ports, and they all have to be identified compared to wireless access. With ClearPass, this identification process can be accomplished more easily. We’re able to understand or communicate with most of the major vendors out there, so that makes it easier to really authenticate any devices connecting through any type of switch out there. It isn’t even necessarily authenticating the switches, but ClearPass can also act as a TACACS server. If the user admin’s, or the IT admin’s, trying to get into a switch, we can securely provide access into those switches, either at its full access, or read-only access.

Does Aruba ClearPass integrate well with other solutions?

One of the main benefits of ClearPass is that it plays well with other technologies and systems. Nowadays many environments are not comprised of solutions from just one vendor. You may have a Cisco switch, a Palo Alto firewall, and of course you want to make sure that any product you put in your environment will be able to communicate and exchange information with all the different components. There is no such thing as vendor lock-in, you are essentially future-proofing your investment with ClearPass.

ClearPass is very flexible and it can do a lot. In fact, most customers are not currently using ClearPass to its full potential. IT teams can authenticate devices from a wireless, wired, or even from a remote VPN perspective. With VPN, you can authenticate it against most major vendors out there too, such as Juniper, Avaya, Cisco, Fortinet, etc. Talk to a trusted IT solutions provider and you will realize it is tough finding vendors ClearPass doesn’t cover from an integration perspective.

2. How can I see IoT devices on my network?

Just because you can’t see it doesn’t mean it’s not there! Many companies have no idea what’s out there when it comes to smart devices. ClearPass can identify all those wired and wireless devices, including . Companies have experienced numerous security issues with IoT devices and ClearPass can dynamically profile (with different mechanisms to profile devices) and that profile information can be used to determine what type of policy or access that device should have while connected to your network.

If the appropriate profile information is provided, it becomes quite easy to determine what is out there on the network. Different policies can then be applied to any device, including IoT devices such as a printer. For example, that process would identify the device as an actual printer and then send a VLAN or an access list to segment that particular printer from the network. This device would be segmented differently than a laptop or a phone. The key takeaway with this is that every port can be treated the same way. Aruba refers to this as “dynamic segmentation.” With dynamic segmentation, it doesn’t matter which port is being connected because different access policies can be assigned anywhere in the environment.

3. How can ClearPass provide to guests?

It’s important to understand there are different types of methods for authenticating devices. is able to do this very well. ClearPass is able to authenticate devices using 802.1X certificate-based authentication and is also able to authenticate devices using captive portal. This is a very customizable module where the captive portal page can be made with different fields. For example, if a user gets into the environment and they’re trying to get guest access, a sponsor type of access can be provided. In this instance they will need to provide the email of the person that they’re visiting in order to get access to the network enabling organizations to securely allow visitors to get guest access to the network.

Another method for this can be accomplished by having the front desk create an account for the user that will only be valid for a certain amount of time, whether the guest needs access for a day, week, or longer, depending on how long that user will be onsite.

4. How does Aruba ClearPass address challenges with BYOD?

BYOD is a clear point of emphasis for ClearPass capabilities. ClearPass allows for self-service on-boarding which allows users to onboard their own devices to the network. ClearPass can generate a unique certificate, which can be used to then revoke access into the network if the device is misbehaving.

4a. How does Aruba ClearPass the address the unique challenges of BYOD in a college campus environment?

Students are bringing more devices to their college dorm than ever before. Outside of the expected devices, like an mobile phone and laptop, students are trying to connect video game consoles, Amazon Alexas, smart TVs and devices, tablets, and more. Many of these devices are not able to perform 802.1X authentication. For many of those devices there is no way that a username and password can be entered to get those devices connected to the network. This is a concern for many IT professionals on college campuses because in a lot of institutions the standard process is that a student goes to the IT help desk to register a device. This is not an efficient process, and it certainly doesn’t scale very well.

With ClearPass, a workflow can be created to present a page to students to self-register and manage their own devices. If the student wants to provide access to another student or somebody else in their dorm they can actually do that as well. Students can manage and register their own devices, and IT/network administrators can prevent other users from being able to see those devices on the network. Users have the capability to control and provide access to whoever they want. IT administrators can also identify those devices and can assign the correct access policy into the network as well need be. This puts the power in the hands of the users.

5. How can I tell if the devices on my network are secure?

It’s great that ClearPass can provide you the visibility needed to see all of the devices on the network, but how do you really know if any of those devices have already been compromised? Which devices have vulnerabilities that could be exposed once they are on your network? ClearPass can check the health of each device. It can check, for example, if the device is running an antivirus, or whether it’s running the latest version of the antivirus, the same way an IT administrator can check whether a laptop is running the latest Windows updates. Before the device is granted access, the IT team can ensure the device meets the security requirements set by the organization. At this point ClearPass enables this feature for Windows, Macs, and Linux devices. This ensures that security strategies are being implemented correctly, and the monitoring aspect provides you that level of visibility needed to be confident your network is secure.

Conclusion

Typically, networking and security teams are the two main drivers of adoption for Aruba ClearPass, but more often than not, it’s security. At the end of the day, it’s about the visibility and security at the edge. You want to understand what’s out there. You want to make sure that devices are getting the proper access. You don’t want an IoT device to be on the same VLAN as your trusted laptops. With ClearPass you can identify, classify, and enforce.

It’s also important to note that Aruba ClearPass is pretty hot right now in all verticals, purely based on the success stories companies are experiencing after deployment. The solution is so flexible that is can meet the needs of even the most unique needs at a wide-range of companies. At WEI, we are currently implementing Aruba ClearPass in healthcare and hospitals, financial services, higher education, etc. At the end of the day, Aruba ClearPass is about securing the edge and being able to exchange information with what you already have in place, meaning you don’t have to go and invest in other solutions to get things working, which is always a big win for the IT team and the CFO.

Next Steps: Talk to the Aruba experts at WEI to better understand how a solution like ClearPass can benefit your business. Ask us about a as well to find out how well your current wireless solution is performing and to help identify gaps in coverage.

The post Secure the Edge: 5 FAQs About Aruba ClearPass appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.