OK, so the users want corporate apps on the move. Don't Panic

Wednesday 30th March 2016 14:45 GMT PaulAb

Over my dead bo......but wait!

2 factor authentication, Apps device dependant, Attach from anywhere..........

Yea, Yea, Yea,....... Most users I know can't remember their username when they have a long week-end...... The call from dis-gruntled users who complain when they can't connect because they're not connected to a wifi spot.........The call from the other dis-gruntled user who's trying to connect from his mates phone with no idea of the settings - but that's an IT problem.

Everything is feasable nowadays, but really, I wouldn't trust a lot of users to get on the right bus!

0 0 Reply
1. Wednesday 30th March 2016 15:45 GMT Sir Sham Cad
  
  Re: Over my dead bo......but wait!
  
  We've recently started to can our client VPN solution because it was causing more problems than you could shake a tree full of sticks at. Our users just hated it. Secure* remote access directly to our VDI environment with a 2FA token on the smartphone (sorry, not you, Microsoft) and even our difficult users are happy**.
  
  Add in an MDM solution to securely access work email over the smartphone (bye bye Blackberry) and that covers just about all the bases.
  
  *Shush, let me have this fantasy
  
  **For small values of "happy" but the gruntles are not entirely absent
  
  1 0 Reply
Wednesday 30th March 2016 17:28 GMT dajames

you mustn't let the users run the 2FA app on the same machine they're connecting from – otherwise it isn't 2FA any more.

Yes it is.

There are reasons not to use a soft token (an app) running on the machine being secured for 2FA, but it not being 2FA any more isn't one of them.

The app shouldn't be run on a device that is going to be used to access the service that the 2FA controls, because malware on that device could compromise the app and issue fraudulent authentication. If there's to be any security you need an air gap: That's the main reason not to use the secured device as an authentication token.

The app does need to be tied to hardware, somehow -- perhaps by using a smartphone as the autentication token and getting the app to query the IMEI or SIM serial number and using that in its cryptographic exchange -- otherwise the app can simply be copied to multiple devices, and THEN it isn't really 2FA any more ... but that's a different story.

2 0 Reply
This post has been deleted by its author
Wednesday 30th March 2016 18:26 GMT Adam 52

I was just thinking today how lucky we are that Citrix and the like have died out. A horrible solution with unbearable latency and confusing user interface. A classic example of an IT department making life easy for themselves at the expense of the end users.

I got there from cursing the MDM solution that now prevents my phone syncing with mail, chat and calendar meaning that I have to return to my desk 5 minutes away between meetings.

1 0 Reply
1. Thursday 31st March 2016 21:02 GMT Nate Amsden
  
  kind of funny you say that since XenApp is the main thing I use when I VPN in from my phone. Just to play around a few months ago when I was installing some new HP gear I was curious if I could actually install vSphere while sitting at a bar having some drinks with my phone.
  
  Combining ILO Advanced w/boot from ISO, my Galaxy note 3 with stylus, XenApp fundamentals (small 5 user license or something that we use for operational related apps) I was able to power up the new HP server, and install ESXi on it from my phone. It felt pretty cool at the time. Also have used XenApp over mobile to briefly look and make changes to our Netscalers via web UI. Last time I had to do that was maybe 2 or 3 years ago.
  
  Anything more serious and I need my laptop. I haven't even bothered to try to get ssh working on my phone, and OpenVPN to my personal colo? tried it once, gave up pretty quick when the app wanted the configuration in some kind of format I had never heard of before.
  
  My org uses Duo two factor for 2nd factor, can link a phone, or other device, or register a phone number and it will call you. Lots of options, very simple to use. It may be the only SaaS offering that I could not see a way to host in house (mainly to do phone calls, about 10% of the user base relies on call backs for 2nd factor, many of them international).
  
  0 0 Reply
Thursday 31st March 2016 08:07 GMT Anonymous Coward

People want to be able to do their job from wherever they happen to be

WTF!

If I am on holiday/lunch break/sick at home I might NEED to check something out at work, but that doesn't mean that I necessarily want to.

0 0 Reply
1. Thursday 31st March 2016 11:09 GMT Bill M
  
  Re: People want to be able to do their job from wherever they happen to be
  
  I agree with "People want to be able to do their job from wherever they happen to be". But I also agree that ones needs the correct work/life balance and being "on holiday/lunch break/sick" is life and not work.
  
  I work in a global organisation and many people travel extensively and they do not have a permanent desk and the traditional office connectivity of RJ45 / wifi. So remote access to things without a LAN connection is needed.
  
  For work/life balance both employer and employee must to acknowledge the need for boundaries. I, for example, have agreed that I shall never respond to emails outside of working hours - although I must admit that on occasion I do check them when I should really be mowing lawn. I am on call 24/7 for major panic escalations, but the handshake for a panic is that somebody higher up the food chain than me needs to call me after exhausting all options with people who are officially working.
  
  0 0 Reply
Thursday 31st March 2016 15:34 GMT Superfishal

This could actually provide secure access to apps, anywhere from any device...

http://www.vmware.com/products/workspace-one/

Looks promising. Just had a demo of the product Tuesday.

0 0 Reply