VMware Workspace ONE Community
Ibbers
Contributor

data loss prevent office 365

Hi folks, a client is implementing Office 365 and shifting email delivery to Outlook for iOS/Android.

Unfortunately this decision is set in concrete, and I've been asked to work out the best way to adapt email management via AirWatch.


Looking at the options for AirWatch management, I can really only see a few:

1. Basic MAM of Outlook - install/remove only, no real security provisions.

or

2. Intune App Protection integration with AirWatch; requirement: Azure Premium or Microsoft EMS licensing? Provides data leak protection etc. - the optimal method.


Have I missed anything? Hoping to draw on the experience of others.

lukaszwa
Contributor

A 1.5 option if the budget is too tight to pay for Azure Premium:

VIDM - ADFS integration with VIDM as the IdP. Redirect mobile traffic in ADFS to VIDM and set your auth there to only allow AirWatch-managed devices (or even add an exception for execs etc.). Non-AW-managed devices will get access denied (ADFS will pass all mobile traffic to VIDM). You can then do SSO plus a compliance check at auth time. Real-time compliance from AW can then revoke Azure tokens (but this piece requires Premium AD).
For that setup you can use SaaS VIDM (easy deployment) plus auth via AirWatch, so there is no need for a full ESC install on prem.
Lukasz
pmeuser
Contributor

Lukasz, are you aware that this will open a security issue? (aka the 'user-agent dance' and cancelling onload.js on ADFS)
lukaszwa
Contributor

Hi Peter, and thank you for the comment.
Let me try to address it, but please keep me honest here if I am not correct.
As far as I understand the user-agent scenario, the issue is there regardless of the mobile redirection. Anyone can set the user agent to whatever they want, so I am unsure how this would create the security risk. This risk is already there.
For onload.js, I didn't see this being cancelled in my tests. In fact, you can build up the logic in it to cover all agent scenarios and automate realm selection so the user cannot select the wrong one.
Last but not least, any other user-agent scenario should of course have some security measures as well if we are talking about securing email access in general. So, for example, requiring 2FA on non-mobile agents would cover the user-agent change aspect.

Hope this addresses the concern, but please let me know if I misunderstood or missed anything. At the end of the day we want any advice to be good advice and not to cause security issues.
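To make the point the two replies above are arguing about concrete, here is an added illustration that is not code from either poster or from VMware: the user-agent-based realm selection Lukasz describes for ADFS onload.js, reduced to a pure function, run against an unmanaged iPhone that presents first its real user agent and then a spoofed desktop one (Peter's "user-agent dance"). The realm identifiers, the device model and the user-agent strings are all constructed for the example; a real onload.js would call the ADFS page's HRD.selection(realm) rather than return a string.

```javascript
// Added example, not from the thread. Models onload.js realm selection by user
// agent and shows what a spoofed user agent does to the device-compliance gate.

// Assumed placeholder realm identifiers (not real ADFS/VIDM values).
const ADFS_REALM = "urn:example:adfs-local";          // auth stays on ADFS, no device check
const VIDM_REALM = "https://vidm.example.com/SAAS";   // VIDM claims-provider trust

// Mobile detection of the kind onload.js customisations typically use.
const MOBILE_UA = /\b(iPhone|iPad|iPod|Android)\b/i;

function isMobileUserAgent(ua) {
  return MOBILE_UA.test(ua || "");
}

// Route mobile traffic to VIDM (where AirWatch enrollment/compliance is
// evaluated); everything else stays on ADFS. Equivalent to the onload.js
// branch that would call HRD.selection(realm).
function selectRealm(ua) {
  return isMobileUserAgent(ua) ? VIDM_REALM : ADFS_REALM;
}

// VIDM-side access policy: only AirWatch-managed, compliant devices pass.
function vidmAllows(device) {
  return device.managed === true && device.compliant === true;
}

// Simulate one sign-in. `device` is what the endpoint really is; `presentedUa`
// is what it claims to be. `mfaOnDesktop` models Lukasz's compensating control
// (2FA required on the ADFS path); `device.hasMfa` says whether the user can
// satisfy it.
function simulateSignIn(device, presentedUa, { mfaOnDesktop = false } = {}) {
  const realm = selectRealm(presentedUa);
  if (realm === VIDM_REALM) {
    return { realm, allowed: vidmAllows(device), reason: "device compliance" };
  }
  // ADFS path: no device check in this setup. Without MFA, password alone wins.
  const allowed = mfaOnDesktop ? device.hasMfa === true : true;
  return { realm, allowed, reason: mfaOnDesktop ? "mfa" : "password only" };
}

// Constructed user-agent strings.
const IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16B92";
const DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) " +
  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36";

// Constructed device: an unmanaged iPhone whose user has no second factor.
const unmanagedPhone = { managed: false, compliant: false, hasMfa: false };

// Honest user agent: routed to VIDM, denied for not being AW-managed.
const honest = simulateSignIn(unmanagedPhone, IOS_UA);
// Spoofed desktop user agent: routed to ADFS, allowed with password alone.
const spoofed = simulateSignIn(unmanagedPhone, DESKTOP_UA);
// Same spoof, but the ADFS path enforces MFA: denied again.
const spoofedWithMfa = simulateSignIn(unmanagedPhone, DESKTOP_UA, { mfaOnDesktop: true });

console.log({ honest, spoofed, spoofedWithMfa });
```

The routing itself is not the control; the only thing standing between an unmanaged device and mailbox access is whatever the ADFS path requires once the client claims not to be mobile, which is why the compensating requirement on the non-mobile path carries the actual security weight.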
Cgarvin21
Contributor

Lukasz, do you have any links or documents on setting up the VIDM - ADFS integration with VIDM as the IdP? We currently have Office 365 federated to ADFS, primarily for our Windows 10 devices. The business does not want to change the federation in Office 365 to another IdP, but if we can redirect only iOS and Android traffic from ADFS to VIDM to then do proper conditional access ('is the device enrolled and compliant'), then that would be an acceptable solution, as it leaves the Windows 10 clients to be handled by ADFS.
pmeuser
Contributor

Lukasz, I have implemented this for 45,000+ O365 users. We want to get rid of this configuration as soon as possible. Without going into detail, trust me, this setup is a major security risk, and you will lose any flexibility to support unmanaged devices for specific applications being federated to Azure AD.