Google Apps lets an enterprise take over identity authority for its domain through SAML, so the SecureAuth enterprise IdP can act as the arbiter of identity and access to the Google Apps domain.
SAML is a good protocol for passing identity information securely, but it does not extend outside the browser, and it cannot enforce many of the MDM features Google Apps offers for mobile ActiveSync clients. Those features include device lock and device wipe, popular tools to have available.
When Google delegates browser authentication to SecureAuth (via SAML), SecureAuth can route requests to different SecureAuth realms based on the User-Agent header. Users who attempt web authentication from a mobile device can then be refused at that realm and directed to the desired enrollment process and supporting information.
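The User-Agent routing described above, as an added example that is not SecureAuth's own code: it classifies a browser request as mobile or desktop and picks the realm the SAML login should be sent to. The realm paths and the sample User-Agent strings are assumptions constructed for illustration; Android detection is included as a generalization beyond the iOS case in the text.

```python
import re

# Constructed sample User-Agent strings for illustration; not captured from
# any real SecureAuth or Google Apps deployment.
SAMPLE_USER_AGENTS = {
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) "
                     "AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3",
    "ipad_safari": "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) "
                   "AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3",
    "android_browser": "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Nexus S Build/IMM76D) "
                       "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "mac_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) "
                  "AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2",
    "windows_ie": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
}

# Hypothetical realm paths; a real deployment uses whatever realm names the
# IdP administrator created.
BROWSER_REALM = "/SecureAuth1/"     # normal SAML login for desktop browsers
ENROLLMENT_REALM = "/SecureAuth2/"  # mobile users are sent here to enroll instead

_MOBILE_PATTERNS = (
    re.compile(r"\b(?:iPhone|iPad|iPod)\b"),  # iOS devices, the case in the text
    re.compile(r"\bAndroid\b"),               # generalization: Android devices
)


def is_mobile_user_agent(user_agent):
    """True if the User-Agent identifies an iOS or Android device."""
    if not user_agent:
        # Missing or empty header: fall through to the normal browser realm.
        return False
    return any(p.search(user_agent) for p in _MOBILE_PATTERNS)


def select_realm(user_agent):
    """Pick the SecureAuth realm a login request should be routed to."""
    return ENROLLMENT_REALM if is_mobile_user_agent(user_agent) else BROWSER_REALM


def route_all(samples=SAMPLE_USER_AGENTS):
    """Map each sample request to its realm, for a quick table of the routing."""
    return {name: select_realm(ua) for name, ua in samples.items()}


if __name__ == "__main__":
    for name, realm in route_all().items():
        print(f"{name:16s} -> {realm}")
```

The User-Agent header is set by the client, so this routing is a usability measure that steers mobile users into enrollment; it is not an access control. The actual enforcement in the model the text describes is that the mobile account password is unknown to the user and POP/IMAP can be disabled at the domain.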
SecureAuth Augments SAML with Mobile Account Provisioning
With SecureAuth, the end user can follow a web-based process that results in the delivery of an iOS configuration profile to the device.
The iOS profile delivered by SecureAuth carries all of the settings for the email account, and it can also embed a unique, individual X.509 certificate. After the profile is installed the device is provisioned with a mail account, and all the end user has to do to access the newly enrolled account is open the Mail application in iOS; the account is already set up. A new Google password, created by SecureAuth, is pushed up to Google and embedded in the profile. The end user never learns the password and is never asked to enter it. SecureAuth can change the password every time a device is enrolled, in which case only one device is usable for an account at a time. Alternatively, SecureAuth can store the password encrypted in the directory so that it can provision the same password to multiple iOS devices. (See Image #1)
Image #1: SecureAuth IdP allows a user to utilize (1) web based enrollment for SecureAuth to push an (2) iOS profile to the user and encrypted random password to Google for seamless (3) iOS access to Google e-mail.
SecureAuth IdP manages the Google Apps mobile password for user
Although this process fully provisions the client, the Gmail account settings in iOS would also let a user try to create an IMAP mail account manually. The IMAP client uses the account password maintained by Google, which is the same password the ActiveSync client uses to connect to the account.
Since the end user does not know the password, they would be unable to configure a POP or IMAP client, or to manually configure the ActiveSync client. Additionally, in the Google Apps domain settings the administrator can disable POP and IMAP access for all users, which closes yet another gap.
Between the settings available in SecureAuth and Gmail we can create a model in which the enterprise has full identity authority over access to its domain, with MDM functionality extended to iOS devices.
In addition to provisioning the Google password for the iOS ActiveSync connection to Google Sync, SecureAuth can embed an X.509 certificate in the ActiveSync settings, which allows the client to connect to an enterprise gateway that proxies the traffic out to Google. (See Image #2) This lets the enterprise require strong, certificate-authenticated encryption on mobile devices that travel on untrustworthy networks, such as coffee shops and hotels. The settings point the ActiveSync client at the enterprise gateway, which requires X.509 client authentication and TLS before passing traffic on to Google.
Image #2: SecureAuth IdP, in addition to pushing an iOS profile to the user via (1) web enrollment, can provision a (2) user certificate which is authenticated and validated by an (3) enterprise ActiveSync proxy before the traffic is sent to Google.
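The profile described in the password-provisioning section and the certificate-embedding variant behind Image #2, as one added example that is not SecureAuth's code: it generates a random account password the user never sees and writes an iOS configuration profile (a .mobileconfig XML plist) containing an Exchange ActiveSync account payload, optionally with a PKCS#12 payload that the account references so the client presents the certificate to the enterprise gateway. The payload keys follow Apple's Configuration Profile format; the identifier prefix, organization name, the gateway hostname and the placeholder PKCS#12 bytes are assumptions, and the default host m.google.com is the Google Sync endpoint (assumed here, use the enterprise gateway when a certificate is embedded).

```python
import plistlib
import secrets
import string
import uuid

# Hypothetical reverse-DNS prefix; a real deployment uses its own.
PROFILE_ID_PREFIX = "com.example.secureauth"


def generate_account_password(length=24):
    """Random password for the Google account; the end user never sees it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_ios_profile(email, password, eas_host="m.google.com",
                      pkcs12_bytes=None, pkcs12_password=None,
                      organization="Example Corp"):
    """Return .mobileconfig bytes with an Exchange ActiveSync account payload.

    When pkcs12_bytes is given, a PKCS#12 payload is added and the account
    payload is linked to it, so the ActiveSync client authenticates to
    eas_host (the enterprise gateway) with that certificate.
    """
    eas_uuid = _new_uuid()
    eas_payload = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID_PREFIX}.eas.{eas_uuid}",
        "PayloadUUID": eas_uuid,
        "PayloadDisplayName": "Google Apps Mail",
        "PayloadDescription": "Exchange ActiveSync account provisioned by the IdP",
        "EmailAddress": email,
        "UserName": email,       # Google Sync logs in with the full address
        "Host": eas_host,
        "Password": password,    # stored in the profile; see the note below
        "SSL": True,
    }
    payloads = [eas_payload]

    if pkcs12_bytes is not None:
        cert_uuid = _new_uuid()
        payloads.append({
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{PROFILE_ID_PREFIX}.cert.{cert_uuid}",
            "PayloadUUID": cert_uuid,
            "PayloadDisplayName": "ActiveSync client certificate",
            "PayloadContent": pkcs12_bytes,   # plistlib emits bytes as <data>
            "Password": pkcs12_password or "",
        })
        # The account payload names the certificate it should present.
        eas_payload["PayloadCertificateUUID"] = cert_uuid

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID_PREFIX}.google-eas",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "Google Apps Mail (Exchange ActiveSync)",
        "PayloadOrganization": organization,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def parse_profile(profile_bytes):
    """Read a profile back into a dict, e.g. to check what was emitted."""
    return plistlib.loads(profile_bytes)


if __name__ == "__main__":
    pw = generate_account_password()
    # Constructed placeholder, not a real PKCS#12 blob.
    fake_p12 = b"constructed-placeholder-not-a-real-pkcs12"
    plain = build_ios_profile("alice@example.com", pw)
    with_cert = build_ios_profile("alice@example.com", pw,
                                  eas_host="eas-gw.example.com",
                                  pkcs12_bytes=fake_p12, pkcs12_password="p12-secret")
    print(plain.decode())
    print(len(with_cert), "bytes with certificate payload")
```

Serve the result only over TLS, from the user's authenticated enrollment session, with Content-Type application/x-apple-aspen-config, and sign the profile so iOS shows it as verified. Note that the account password is stored in the profile as plain text: anyone who obtains the .mobileconfig file can read it, so the download must be one-time and tied to the enrolling user, and the password-rotation-per-enrollment option in the text limits how long a leaked copy stays useful.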
Google Adds IP White-Listing to Secure the Google Sync Traffic
Just a few days ago Google announced support for IP whitelisting on the Google Sync service. (http://googleappsupdates.blogspot.com/2012/08/new-security-settings-for-google-apps.html)
This means an enterprise can require all Google Sync traffic to pass through an enterprise gateway, controlling access and requiring strong encryption. Together with the features above, this completes the delegation of identity authority and service control to the enterprise.
Juniper, one of our technology partners, has long supported this level of security in its ActiveSync proxy (Config guide here), and the same can easily be done on an F5 BIG-IP and many other edge devices and proxies.
So, there are a few things that SecureAuth might be able to do to fit in here. Either just the Google Apps provisioning or with X.509.
mark
Note: This is exactly what SecureAuth and Darrell Kuhn, Google Migration Director, did a webinar on a few months back.
Solution Brief: SecureAuth for Google – iOS Password/Account Provisioning
Blog: How do I provision my Apple iOS Password and Accounts for Google Apps
PPT: SecureAuth for Google – Password and X.509 Provisioning for Apple iOS devices
YouTube: SecureAuth – iOS Provisioning – Password and X.509
———————————————————————————————–
Mark Lambiase is Director of Research at SecureAuth. SecureAuth is a single-appliance solution that delivers configurable two-factor and SSO authentication for Web, VPN, SaaS and mobile solutions.