Apple devices on enterprise networks need secure access to corporate resources to keep employees connected and productive. In order to protect the communication between enterprise networks and the increasing number of mobile endpoints, organizations must ensure all devices have secure machine identities that support authentication, encryption and decryption.
However, the machine identities for these mobile devices can become prime targets for cyber criminals if they are issued outside of enterprise policy, are not tracked or are left unrevoked after use. Bad actors can compromise machine identities from unprotected mobile devices and use them to access critical enterprise systems and data. These issues can be especially problematic with employee-owned devices.
Visibility, intelligence and automation make up the same recipe for protecting widely used endpoint devices like iPads as they do for an organization’s load balancers and Next Gen Firewalls. And now two experts in the field have joined to close the loop on machine identity protection for Apple devices: Jamf and Venafi.
Jamf recently entered the league of leading developers sponsored by the Machine Identity Protection Development Fund. I had the opportunity to meet with Jamf, who are the standard for Apple in the enterprise, and learn about their plans for integrating the Venafi Platform and Jamf Pro. Here I am speaking with Josh Jagdfeld, Director of Marketing at Jamf, about their involvement in the Development Fund.
Bridget: Josh, tell us about Jamf.
Josh: Jamf helps organizations succeed with Apple. More than 35,000 organizations use our software to connect, manage and protect their Apple products, apps and corporate resources in the cloud without ever having to touch the devices. With Jamf, Apple devices can be deployed to employees brand new in the shrink-wrapped box, set up automatically and personalized at first power-on and administered continuously throughout the life of the device. Our software solutions preserve and extend the native Apple experience, allowing employees to use their Apple devices as they do in their personal lives, while retaining their privacy and fulfilling IT’s enterprise requirements around deployment, access and security.
Bridget: How critical is machine identity protection for the Apple devices you manage?
Josh: Critical, but without the right tools, extremely difficult. Automating the life cycle of machine identities across all enterprise Apple devices and certificate authorities (CAs) can be a complex challenge for device management and security teams. Device management teams are often not PKI experts and need simple, easy access to machine identities. Security teams may not be directly responsible for maintaining mobility access for the business and need to ensure that policies are enforced, including consistent use of machine identities from approved sources. Security teams may also require the ability to remove machine identities—in other words: “a kill switch.”
All this adds up to two teams with different strengths and levels of expertise striving for the same security objective.
Bridget: What is Jamf’s plan for bringing device management and security teams together?
Josh: Today EMM/MDM systems use SCEP or one-off integrations with CAs to best provide machine identities for all enterprise mobile devices. However, this fails to empower the security team with the intelligence and policy control they require. EMM/MDM teams also seek the easiest source of certificates possible and may set up their own CAs or acquire certificates from unauthorized sources outside the control of the security team. All of this leads to unnecessary friction, limits deployment potential and holds back the possibilities of enterprise mobility. As part of the Development Fund, Jamf is looking to bring these two worlds together with the power of Jamf Pro and the Venafi Platform.
Bridget: How will the integration between Jamf Pro and the Venafi Platform work?
Josh: Jamf Pro will make pull requests to the Venafi Platform for machine identity life cycle operations, including certificate issuance, renewal and revocation. This workflow ensures enterprise devices are provisioned and managed anywhere in the world and across any network. To connect within an enterprise, Jamf’s Infrastructure Manager adds the capability to call the Venafi Platform for machine identity life cycle operations. The integration also uses the Venafi REST API to connect with the Venafi Platform. Machine Identity Protection with Venafi Platform support for Jamf Pro will be included in Jamf subscriptions, so it will be very easy for our joint customers to deploy across their enterprise.
The Jamf Pro integration is targeted to be complete in Q2 2020. Visit Jamf on the Venafi Marketplace for more information. And stay tuned for future interviews with Machine Identity Protection Development Fund recipients.