About the talk
This session is a technical deep dive into the SSO capabilities of Citrix Endpoint Management. As more and more enterprises invest in mobile technology to support business-critical processes, the end user experience is paramount to success. Citrix Endpoint Management not only provides a high level of security, but also delivers a great user experience and easy access to mobile, web, virtual, and SaaS applications. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.
Thank you for coming, welcome. It's good to see so many Star Wars fans in here. Hope I'm not insulting anyone with that one. So this session is about endpoint management, and we are also touching a bit on things like: how does endpoint management support the Workspace, and how do we configure it once deployed? How do we make this a great user experience when you are a first-time user on the Workspace app, depending on which platform you're on? So, as you probably can see here, my name is mold an hour and I work as a domain specialist. So I work in the field, and my colleague a job
rocker, the systems engineer, is also working in the field. So some of the stuff in here is not only from the documentation side, but also from what we picked up during the years working with these types of technologies, so thank you for your time. So just a quick overview of what we're going to go over: we've got some almost-live demos; we were supposed to do live ones, but yeah, things change. So today we're going to do what we think is crucial to the experience that you
meet when you join a workspace solution. So basically that's what we are going to demonstrate, and of course we've chosen some of the really tricky ones, third-party applications, which has always been a challenge for both Morten and me when we run into you guys in the field. So that's where we put our money in this demo. So, to lead off: one of the things that we see a lot when going into the field, everybody is aware of this going on, this disruption in our normal business,
a lot of changes happening. We meet a lot of people saying they are on the way away from Citrix, but what they actually mean is that they're moving into SaaS apps and web apps; they're moving away from 32-bit applications that need virtualization. So what they're saying is: we're moving more and more away from virtualization. Then the funny thing is we run into customers saying, well, we want to secure the way we access these web apps, so we need a secure browser. And one of the offerings Citrix actually has is a secure browser, and we're able to virtualize
any kind of browser experience, and then we really wanted that, because that's one of the big issues within the companies. So we see people shifting the virtualization to different scenarios, and we also see a push into web apps and SaaS apps, and the thing that people forget sometimes is that web apps and SaaS apps are equally complex in the way they need to be handled, especially around SSO. And Citrix has had to learn that recently, that we need to enforce a single sign-on
architecture throughout the services that we have. So one of the demos today is Slack. Slack is a huge tool; it started out as this shadow IT solution for engineers to chat, and we had this whole world of strong disagreement about how the communication within Citrix actually works: are we using GoToMeeting, are we using Skype, are we using different communication? And probably a lot of you can say, yeah, we've been through that. Then Slack showed up, and now Slack is becoming one of the preferred ways of finding
information within Citrix, if you can find the right channel to the right person, and it's grown into being the de facto standard on how you communicate with our engineering team. And that was a good example of a technology that was brought in and had its own life, and now it's part of a single sign-on infrastructure. A lot of things are also changing in the way we perceive networking. So one of the big changes hitting us in a couple of years, that you guys have to take a stand on, a position on, is
5G. I was recently in Barcelona, and 5G is going to hit us like we haven't seen yet. It's going to be a tsunami of services, and all of a sudden they're not going to be available. That means that it's becoming more complex, which is in direct contradiction to what many perceive, which is: let's move to the cloud and we don't have to worry about networking in the same sense as we do in our internal infrastructure. Right? No, it's going to be like nothing we've seen yet, and the amount of data, you heard David talk about, we are moving into the Utah
and I completely agree with that. People are users, if you can call users people. Go on. One of the things that David pointed out is that people are comparing the service they're getting from consumer services, and of course for a lot of airlines, a lot of banks, the front end is becoming the battlefield for customers: how easy it is to use. And they're pouring a lot of money into that, good multi-factor authentication. They know that they need to secure it. So, for example, I
have used Amazon for many years, and now all of a sudden I have to give my phone number so they can send me a ping if I do something that is out of the ordinary. If I order healthy food or diet food, then they know it's a deviation from my normal shopping pattern. So what you're saying is that you're out of your normal behavior. Yes, and of course they compare that service to the service that you guys deliver within the company, and they say, well, look at the
experience I get here, and look at the experience there, and it's really, really tough competing with somebody who is pouring millions into that primary battlefront. Exactly. So we are again seeing consumerization driving the demands within the company, and demanding users are coming because, as David also said, work sucks, especially in our area. High-level IT staff is becoming increasingly hard to find, and so we were going to have to compare. Situation about
the right uses at the core of what we do, and this is really one of the crucial slides. We have three things that we build into everything we do. We built the first analytics products; you've seen Security Analytics. Now we came with Performance Analytics, and soon we will have Productivity Analytics coming up. At the core of everything we do is that the work is very focused on the experience that users have, and in order to support
that infrastructure, it's incredibly important that single sign-on has become not just something about identity, but something about what happens before the single sign-on and after it; it's a part of this ecosystem that we are actually delivering. So just to give you an example of one of the demos that Morten and I wanted to do later, that we couldn't do, but we have a video showing the onboarding part of it: we want the user to be able to take a brand new device, any device, out of a box. It gets delivered
directly to the person; take it out, hook it up, put his email address in, and everything that he needs within the company gets installed on the device. The device becomes managed, or semi-managed, and the whole identity gets pushed onto the device. That's what we're working on with these three, the productivity, the performance and the security, at the heart of everything we do, and one of the main reasons for doing so is that we want to drive adoption of technologies that could make people more productive. If we do not offer a solution that makes it easy to get there, users will find other ways
to do the job. I had a chance to talk to a customer who actually bought 4000 Raspberry Pis for thin-client computing, and there seems to be a gap between what he's able to do: he's able to onboard them and deliver the right experience on this device, but something that we're really aware of is multi-screen. There is a multi-screen function when he's running Citrix Virtual Apps. Be aware of all the name changes, right? Yeah. So he wasn't able to do that; he wasn't able to deploy the right profiles and so on, and we believe that that's somewhere that we need to be. So
we had a talk with this customer, and more news is on in like a leech. So one of the things is: why do you need this? So I think it's really becoming an issue, and if you heard David, the way that people work, you might work three days at one company and two days at another. Do you really want that inside your identity infrastructure? Another thing is that the way companies communicate with customers means that you need to have their identity also and take care of it, especially in Europe, when we have this GDPR thing, and you really need to protect that information. So
all of a sudden you might be a company with a thousand employees, and you have maybe twenty thousand customers. So where do you need to have their identity, and how do you protect it, and how do you do all this analytics stuff? So that's especially in a market where the arms and legs for IT are becoming fewer. So you need to make the automation that we talked about, and single sign-on automation with that is crucial to delivering the experience that we want to deliver. And also, especially in Citrix, we just had an experience.
Let's call it that, where we got a chance to renew our password and use a more complex password. So in order to support the IT department when you are adopting these new services and making sure that you have the right person, it would have helped to have single sign-on across our entire platform. And that's one of the benefits that I see with single sign-on: more efficiency. A lot of times, is it that easy? It's not really nice to be recognized. This one.
Was that easy? Hopefully we can change that in the future. Don't think so. We have the same now, clearly. We're from the field; we're not from product management or anything. Yeah. It is. That was not the intention, I guess. We don't try to meme. It's a journey for us as well. But we are combining so many technologies from an on-premise perspective, and we're building out our identity, and why we are doing so is because we want to make it easier. Of course, this is going to build out in the future
and look at any obstacles for new users to onboard to that solution easily. Exactly. Hire someone that can read the documentation, would that be the solution? That was just to say that sometimes we make services available that would make your life easier, but I also run into companies where they say, well, we don't have the time to implement this, so they take an easy solution which fits the lowest bar. So I've met a lot of customers, Morten, where they selected the lowest denominator
within single sign-on instead of actually getting the experience to the users that our technology offers. So really think about it. We will be able to get more technical a bit later, in a few minutes. We will show some of the things and the steps that you need to do to get this experience to the users. And to give you just an idea: in Citrix, we just throw a laptop at you when you start in the company, and then you get a token, and good luck with that, and you have a URL, and then you get a VDI desktop, and then everything should be there. So that's how we do
it. It's not a nice process, but it's getting there. So really, don't just take off and enable single sign-on; think about the single sign-on process, especially when you start to adopt, I hope, the micro apps that we have. Micro apps start to have integration to different services, so you also need to identify users in the right way to get the micro apps working properly. Within Citrix, we have multiple ways of doing single sign-on, and this is growing.
A lot of the things that we will show or talk about today are the web apps and SaaS apps. And then the MDX; we actually have an SDK, which will help a lot of people. We used it, and the documentation was a little better. And then, of course, it's also a possibility to do single sign-on. We are focused on the endpoint today and how we can support the Workspace. So that's where we put our effort, because they didn't want to give us two hours
for the session. So another trend: I love this new guy that wrote, usually, if you got new services, in 10 years everybody will be there. Now they're only giving us three years before apparently identity will move into a cloud service. So my point here being: some of the trends we're seeing, the acceleration is crazy. 5G is three or four years out in the future; it will enable so much data to come into your data center, you will have access to so many services, and you will need to have a federated,
distributed identity platform that can talk to the services. I mean, it is simply staggering what kind of data load we will see in the future. People are starting to talk about it: the LAN will disappear and the WAN will be everywhere, and your user will be on a WAN every other time, all the time. How can you compete with a 5G connection with a 1 gigabit connection? In our office we have 25 meg on a good day. But maybe this also shows some of the difficulties some
customers face when you're in a hybrid environment deciding to adopt different types of services. You might have hosted services; you have your own services in your infrastructure. How do you consolidate the way that users access those services? Issues like that in the field. Okay. Thank you very much. One person only, one. How do we make sure that your identity platform is configured correctly, has access and can provide access to the different services independently of where
those services reside? In the old days, it was like building the high-speed railroad: if you need to be a hundred meters up in 10 km, you start 10 kilometres before. I'm just saying a lot of the technologies that are going to hit us are going to hit us within the next three to four years, and the way you can secure your identity is to have an identity service, according to Gartner, in place, especially around your customer contacts and your employee complex. Morten, was that mine? Now
we will try to at least... and I was told to stand still instead of walking around, the habit that I have; I have tried to do that. Let me know if I'm moving too much. But actually, the thing about the IdP and identity: this is one of the vital areas that you need to look at in order to provide a good user experience and enable capabilities such as single sign-on. So these are things you need to have in place, and you can see up here what the solution is: to make sure that we can configure the endpoints, we can deliver certificates, configurations and applications, provide
configuration that enables VPN connections or SaaS connections and so on. So it's not only about single sign-on; it's just making sure you have the foundations on the platforms that you're used to working with, to enable these kinds of services. And then, of course, when we have all this ease of access to different kinds of services, we also need to have things like conditional access in place to make sure that we can cut off those connections if something arises that is not the normal behavior that we're getting. And we just signed an agreement with Microsoft to do conditional
access integration with EMS on iOS and Android. This is a huge thing. We have our Secure Mail application. Oh, by the way, how many in here are using Secure Mail? Oh, I love to see so many hands. That's amazing. But one thing that we're doing as well is that we're making Secure Mail an approved application on the list of applications in EMS for conditional access, which prior to this was only consisting of Microsoft applications, again showing the partnership that we provide you with. But let's have a look at how we are configuring
the endpoint. So when a device connects in, it could be a BYOD, it could be a fully managed device scenario. What we are able to do is that we connect through the Workspace, but it can be intercepted and then enrolled into the Endpoint Management solution, and Endpoint Management pushes a profile to that device, to that Workspace application, that tells it: this is the configuration you need to use. That can be all kinds of configuration, but also things like certificates and Wi-Fi configurations. This is all about making sure that the
end user's onboarding experience, first-time use, is as good as possible. They need to do, hopefully in the future, just about nothing other than opening the application, entering their credential set, and then they have access to everything. So that's the goal we're moving towards. That means that we can support this type of access on basically any device that you're working on, so I can have an iOS device, I can have a MacBook, or I can have a virtual machine, independently of which box; we will be able to deliver the Workspace application, provide the foundation to do things
like single sign-on, but it's an important step in order to provide it. If we move it further, we also want to provide the ability to leverage the bulk enrollment technologies from the different hardware vendors. But that's not all; that's not enough in order to provide that really great user experience. So giving them the type of out-of-the-box experience by them opening their device, automatically enrolling through the Apple Device Enrollment Program as an example, but we then, on top of that, enable
administrators to easily configure the Workspace experience on top of that. That enables the end user to basically open that device, get things installed and configured, and then connect to the services they want to work with. So using the bulk enrollment capabilities, connecting to the Endpoint Management solution, deploying the profiles, and then you have the access, whether that's virtual apps and desktops, files internally or on a cloud service, SaaS applications, the internal web applications, all consolidated through the Workspace experience.
So if we look at how we're doing that: one big item in this setup is the Citrix Cloud and the Citrix Cloud identity platform. That's why we easily can connect to things like your on-premise solutions or SaaS applications. We've got 100-plus different templates to configure single sign-on, not only used for a Windows machine or a virtual machine accessing that SaaS service, but it can be for iOS devices, for Android devices. So covering basically
all the different platforms that your end users are using on a daily basis, going into the third-party clouds, even if you're using a browser or using a native mobile application. But it's all about how we configure that device to start with. So we make sure that the right technology is in place, the right connections are in place, the right applications are unfolded, so that the end user can start working right off the bat. So now this is an almost-live demo; are you ready for that? It might fail,
I guess. So let me just... you need to switch when you're ready. So this is the demo where we're going to take a Windows 10 device; we're going to do the enrollment of Workspace based on an email identity, and we're going to provision it. The only thing we don't have is that we haven't enabled Autopilot and all these things where it's an out-of-box experience; that's where you add it. And Morten forgot to mention one important thing: by delivering the certificates and controlling the device, instead of just pushing the Workspace out,
now that we begin to support local applications for the Workspace, it becomes increasingly important that you can integrate those local applications with single sign-on, and you can only do that if you have this layer underneath doing the whole identity. So what we're doing here is that, now that we start to bring in more and more capabilities for the Workspace app, we also need that foundation to not only provide connectivity services and the VPN, and then
we're delivering native applications; we might also want to deploy policies that control how the data flows from those applications. So by leveraging things like Windows Information Protection policies, we can make sure that the enterprise applications deployed to your devices only can interact with other applications that are part of the enterprise suite. Let me go in and look at the Endpoint Management solution, just making sure that this is not enrolled; the device that was enrolled for this user was another device. It'll
be, after this, that you will see two devices. So just opening up the Citrix Workspace. How do I add an account? Add in your email address. So what happens now is that the Workspace knows that you need to enroll into Endpoint Management, so it will automatically kick off that process and guide the user through that process. That means that now we can deploy the configurations for the Workspace app, we can deploy policies for the platform itself, we can deploy applications, and the user can get productive
a lot faster than they would otherwise do. Quit yesterday. Thank you, real. Okay, so we'll just be enrolling the device into the Endpoint Management solution. That will provide us with the ability, in this case showing off that we can basically configure and enroll through the Workspace application, install the native applications as well as provide access to virtual apps and desktops, SaaS applications, internal web applications. So that would pretty much cover what most users want
access to, and if this is an onboarding experience, you open up your new laptop and this is all you need to do to get started, to get access to all your enterprise services. So now we're there. This is an example of what we can do from a configuration perspective. So you can see that the natively installed application also shows up in your start menu, not only installing the application and providing the access, but also configuring the device. So you'd have that access from the start menu, from the Workspace application, providing that ease of access to all the different types of
enterprise services that you need to work with. Let's go in and see the settings and see how that enrollment went. Go to the account settings, and I'm clicking, clicking, clicking... I know, that should be a bit faster. So now we've connected you to our Endpoint Management solution. Now we have that hook into that platform, so we can provide the end user with what they need for their applications, from a configuration and policy perspective; we now have that platform completely under control. So you can go in and
see what we're actually controlling. So, let's hop back to the Endpoint Management solution, see that that device is enrolled correctly, and there we have the Windows desktop/tablet. So that's the process from a user perspective. This is what they need to do. They don't need to go into the admin console and go check whether the enrollment went off; that's how we can do that on a Windows platform, and the application is installed. Close the demo, please. Perfect.
Yes, or no, so they're delivered to that device. So the question is, I'm sorry, I'm just going to repeat it for those who couldn't hear: is the installation of that application assigned to a specific user, or is it delivered from the membership of an AD group or something like that? So we do it by a delivery group in the Endpoint Management solution that is attached to an Active Directory group, but you're correct, it's personal; the apps are delivered to that specific user, the person on the device. You have a library
and you have some prepared for this user; the application that this user has been allocated, exactly. So the whole point here is to make sure that the Workspace gets all the policies, all the configurations, all the applications and all the access delivered on that device. And from an SSO perspective, what we can do when we have that Workspace device under management is that we can provide many different types of SSO capabilities. Let's go in and look at a few of those. Right, so one thing that we need in order to make this
happen: anyone that has been working with our NetScaler, Citrix ADC, Gateway Service... it has different names and resides in different places. So, for a few of you, most of the magic around getting access to something, providing single sign-on and authentication and authorization for that matter, leverages our NetScaler technologies. So where we previously had the physical appliances, hardware appliances that you can put on premise, what we're doing now is that we're delivering both the on-premise capabilities and the cloud service
capabilities, to provide you with these technologies that keep that great user experience. So if we look at the Workspace as a showpiece, there are a handful of requirements that you need to run through, but maybe the most certain, without question. Sorry. Yep. That has possibly been fixed. So this is the combination of Endpoint Management and Receiver, basically, so that enables us to use some of the capabilities from both of these solutions. We had some issues with certificate-based authentication, and one reason being that we
could not automatically deploy the certificate and assign it to an application, but with Endpoint Management in that loop we're able to configure that, so that enables us basically to do more, and that's why Endpoint Management is such an important part of making that Workspace experience really good. So this is just a setup that you can look at and see how this actually works. Let's say you have your device, you have the Workspace app installed, you have a native mobile app installed that's been deployed through the Endpoint Management solution, but we don't have any capabilities of actually
containerizing and controlling that application, because it's a public App Store application, right? But what we can do is that we can connect the Citrix identity platform to that SaaS service. So now we have these two combined, and what we can do then is that we can deploy everything through the Endpoint Management solution. We can then authenticate through the Workspace service, we'll then get a token issued that we can use, and when the user clicks on the SaaS mobile application, whether that is Workspace, Slack, Salesforce, etc., we can intercept that traffic,
redirect and initiate the SAML authentication process, and at the end of the day what we'll get is a SAML authenticated session to, for example, Salesforce. We can then deliver that authentication token to that application. And then, whoops, I'm happy that this has a back button. So what we basically have here is that we provide that authentication token, and now that application can authenticate directly, so the user won't get prompted to authenticate when accessing Salesforce, Workday, Slack, etc. We can then, with the
Endpoint Management solution, apply platform mobile application management policies on that public app store app, partially containerizing the data flow from that application as well. I'm going back to why Endpoint Management is a good thing when you deploy the Workspace solution, because we can provide more controls for that platform and how the applications interact, how policies are applied, how configurations are done. Because third-party apps, they need two things, they need three things: they need to know who you are; which platform you are on, as the Salesforce experience deviates if
you're on a mobile phone or if you're on a tablet or if you're on a Windows device, so it's nice to know which device you're on; secondly, it needs to know which site you belong to, because Salesforce has a site ID that needs to be put in there to know, okay, this is your Salesforce ID; and thirdly it needs your identity, so you know that, yeah, I don't have admin rights within Salesforce when I shouldn't have. So those are the three things that the app actually needs for this experience. So this one just shows that you might not have an IdP solution on Active Directory; you might have
Okta or Ping in the mix, so we can connect to that as well, but it is basically the exact same process that you need to run through. You're just redirecting to your identity provider, and the same process runs through: the authentication tokens are delivered to the mobile app, and it has access to the SaaS service. So if we look at what you actually need to do this, there are a few things. I think we started out by saying that there are some items that you need to have
control over, which is your identity provider: configure how it's connected to all the different services that you want access to. And of course your user identities are some of the most important pieces in enabling your organization to leverage single sign-on, right? But how is the IdP chain controlled, and how is it constructed so that you don't run into problems? That is also an important piece. So let's do an almost-live demo again, because often people say, oh, we like your Workspace Premium Plus SKU, but
we want to take out the MDM part and get a discount for taking that out. There's a reason why it's in there, because of the way that we deliver this experience. It's not because we want to push out an endpoint management system; it's because it's part of getting the experience that you see on our demo booth. So now we're going to show a little demo where we're going to take a third-party app that needs these three things. It needs to know which device it's for: am I pushing to an Android or an iOS? It needs to know that the site is a Slack application, so it needs to
know the Slack site that we belong to, and then it needs the identity. So I open up the Workspace application. So, of course, when you do that, you need to authenticate depending on the authentication timers that you have configured for your Workspace application. But you see I'm logging in; I have access to a certain set of applications. It could be SaaS applications or web applications. But when I click on the Slack application, the configuration pushed to this device says that you need to enroll in
order to do this, so we might have a BYOD device from a corporate perspective. It goes through the enrollment process; it kicks that off and it passes on the credentials, so the end user won't have to do this again, but we cannot really go around the enrollment process from Apple, which naturally has user steps included in it. So we need to run through that. It pushes the enrollment and opens up the Workspace app. So now you're enrolled, now you have
actually... I am installing the Slack application. At the same time, what we're doing from an endpoint management perspective is that we deliver things like application context, meaning seeding that application with the information needed to connect to the site that it needs to connect to. And the effect on the application: you get the first-time user experience from Slack. It prompts the user: do you want to sign in? Yeah, I want to sign in. Now we should get access to that Slack channel, or that
Slack site that has been configured by the Endpoint Management service. However, we're not able to eliminate all of the steps, because each of these applications has their own first-time user experience and the user needs to run through this, but as you can see, no authentication prompts, only direct access. Thank you very much. So it could be, but in this case we're using the Endpoint Management solution and the MDM agent. Let's say you have desktop users connected to the same Workspace; do you want single sign-on if you configured it to your
endpoint straight? Exactly. Yeah, they took it so they can't go to the full integration. But since we already have an authenticated session, we can reuse that through the identity platform, so it doesn't really matter which platform you're coming from. It is more: you're authenticated, let's use that and translate that to something that makes that single sign-on to your SaaS service. If I want mobile single sign-on like you just showed, with desktops that aren't enrolled, does that work without requiring a lot of extra
figuration that would probably require some country duration of that configuration you would be able to do with you in pain management solution depends on whether is the Nativity installed application Orissa left and three and a half minute. So So secure mail also offers single sign-on capabilities and we have two different options and I encourage you to look at that off in the documentation on how to configure that are there a few things you need to do in order to make that cop from anel. Prudential El Paso or perspective another common
way of doing single sign-on with a secure mail issues certificate-based authentication some configurations both from a implementing perspective. But also making sure that you're a certificate provider is configured correctly in the environment solution can actually issue certificates during in Roman and so on. So these are the two main ways of doing single sign-on for the secure mail application and it just that you would use experience instead of you having to authenticate yourself and every time you take off an application for the first time then lets us to that
authentication for you. We have you authenticate it within the solution already. So let's pass out on and make sure you have easy access to Yahoo. Patience. So Four Sisters files anyone using sisters files in here nice places on the different applications, which is really good to see and of course we can do single sign-on for the sisters that look at the Citrus files application as well. But the real beauty of these that it's also what you say interact as a
so-so. I open one of the application. I need something from one of the other application. It just seemed this leaflet to that authenticates automatically and provide you with access to the services that that specific application offers. Superman and you suspected I don't need to worry about offending hating every time I open a location. I'll try to access a service. anyone familiar with our MDX technology that was a bit less. I'm a bit disappointed about that.
You may need to cut it also provides a lava capabilities from an application connectivity and also from a single sign-on perspective. Oh, absolutely. So when it comes to third party app, I know that our development team reaches out to some of the nomono map application developers because as yourself a slap there was a lot of screens you got to click even though that we could actually to do so users to the right the slack channel. So of course, I know it's something that drives our development you nuts when they see all these user
interaction because every time you have user interaction something can go wrong. So the mall we can do so more than I we sometimes go out to these developers and talk about our STK. How come we actually help you make your application Mo Enterprise ready? When you do a project like this you were most likely be in the driving seat of having the communication with that company developing the apps that you want to the 3rd party apps that you want to deploy cuz I'm just saying that is something where you as a customer needs to put in some effort in order to get them to deliver and
enterprise-ready app and we have description on how to do that. So we are all the time. Anything else? I just want to add one thing. You can fill out an application to reach out to the local Sixers team have a conversation about with them on how can we use the switch axe terminology embedded in your application to provide that security and configuration and a great user experience. There is no sessions. Go City sessions. Thank you for coming.