11 April 2019 at 11:50 AM
Note: With the Centrify-Idaptive spin-out, the Self-Service and MDM Enrollment capabilities will continue to be supported by Idaptive. For more information about the split, see the FAQ at https://www.centrify.com/centrify-idaptive-faq/. This article is left here for historical purposes.
Background
This is one of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3. For additional articles in the series, review these links:
In this article, we'll discuss Centrify's Windows capabilities around Self-service and Windows 10 MDM Enrollment.
Cross-Functional capabilities of the Centrify Identity Platform
Self-Service Overview
The Centrify Identity Platform provides self-service capabilities that can be used from the web portal. These capabilities include:
Self-Service - How it works
Endpoint Management - Overview
Centrify was the first Identity as a Service (IDaaS) provider to include endpoint management (mobile device, container and application management) as a built-in capability alongside MFA, which has given us a unique position in the market. With Windows 10 supporting MDM operations, we have embarked on a process of incrementally adding capabilities to the Centrify Agent for Windows™.
Endpoint Management - How it works
Self-Service Capabilities in Microsoft Windows
Password reset (and account unlock) are popular identity management capabilities, and Windows has had a framework for them for years: the Graphical Identification and Authentication (GINA) DLL in earlier versions of Windows and, from Windows Vista onward, the Credential Provider model, which is the framework used to deliver the functionality described here.
Centrify introduced MFA on Windows a couple of years ago using a Credential Provider; that same Credential Provider is now extended to provide self-service password reset (2017.3) and account unlock (2018). In this version these capabilities apply to Active Directory accounts.
User Flow
Precondition: a writable Active Directory domain controller must be reachable over the corporate network or a VPN, because the new password is written to the domain.
Note: although account unlock is not officially released in 2017.3, its behavior is very similar to password reset. The biggest difference is that the agent automatically detects the locked-out state and triggers the appropriate identity assurance mechanism.
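One way to verify the precondition above before a user is sent to the credential provider, as an added example (PowerShell written for this article, not Centrify's code). It assumes the ActiveDirectory RSAT module is installed and that the machine's own domain is the one to check; which ports the Centrify credential provider actually uses is not stated on this page, so the standard Active Directory ports for authentication and password set are tested.

```powershell
# Added example, not Centrify's code: check that a writable domain controller
# is reachable on the ports an Active Directory password reset / unlock needs.
# Assumes the ActiveDirectory (RSAT) module is installed; the ports tested are
# the standard AD ones, since the page does not state which ones the product uses.
param(
    [string]$DomainName = $env:USERDNSDOMAIN   # assumption: the machine's own domain
)

function Test-WritableDcReachable {
    param([string]$DomainName)

    # Locate a writable DC. A read-only DC is not enough: the reset has to be written
    # to a DC that accepts the write. -ForceDiscover bypasses the cached locator result.
    try {
        $dc = Get-ADDomainController -DomainName $DomainName -Discover -Writable -ForceDiscover -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Domain = $DomainName; DC = $null; Reachable = $false
            Detail = "DC locator failed: $($_.Exception.Message)"
        }
    }
    $dcHost = [string]$dc.HostName   # HostName is a property collection on discovered DCs

    # 88 = Kerberos (authentication), 389 = LDAP, 464 = kpasswd (Kerberos password set/change)
    $ports  = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 464 = 'kpasswd' }
    $detail = foreach ($port in ($ports.Keys | Sort-Object)) {
        $open = (Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}/{1}={2}' -f $ports[$port], $port, $(if ($open) { 'open' } else { 'blocked' })
    }

    [pscustomobject]@{
        Domain    = $DomainName
        DC        = $dcHost
        Reachable = (@($detail -match 'blocked').Count -eq 0)
        Detail    = ($detail -join ', ')
    }
}

Test-WritableDcReachable -DomainName $DomainName | Format-List
```

Run it from the workstation (or over the VPN) where the reset will be attempted; a `Reachable` of `False` with a locator failure means the client cannot even find a writable DC, while a blocked `kpasswd/464` with the others open is the typical VPN firewall gap that makes a reset fail after the user has already passed MFA.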
Controls
Audit Trail
Audit trail detail is especially important because self-service metrics are usually captured to show how these capabilities contribute to productivity, and because a password reset or account unlock is an administrative change to an account that must be attributable to the user and to the authentication factors that authorized it.
Dashboards
Self-Service operations are tracked by the security dashboard in Centrify Identity Platform.
The dashboard lets administrators or security leads focus on one operation (for example, denied self-service attempts) and scope it to a date range; from there you can drill into the users involved, the failure reason, the geo-location (if the client reports it) and the authentication factors used.
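The portal dashboard is one side of the audit trail; the other is the domain controller, because a reset or unlock performed through the credential provider is still written to Active Directory and audited there. The following is an added example (PowerShell written for this article, not Centrify's code) that pulls the corresponding Windows Security events from every DC so the two trails can be compared. It assumes "Audit User Account Management" is enabled on the DCs, the ActiveDirectory module is installed, and the caller can read the Security log remotely; which account the Centrify reset component writes with is not stated on this page, so the subject column is reported rather than filtered.

```powershell
# Added example, not Centrify's code: cross-check self-service activity against
# the domain controllers' own Security logs.
# Assumes "Audit User Account Management" is enabled on the DCs, the ActiveDirectory
# module is installed, and the caller may read the Security log remotely.
param(
    [int]$LookbackHours = 24
)

# Windows Security event IDs (standard, not product-specific):
#   4724 = attempt to reset an account's password (set without the old password)
#   4723 = attempt to change an account's password (user supplied the old password)
#   4767 = a user account was unlocked
#   4740 = a user account was locked out
$actions = @{ 4724 = 'PasswordReset'; 4723 = 'PasswordChange'; 4767 = 'Unlock'; 4740 = 'Lockout' }

function Get-AccountSelfServiceEvents {
    param([string[]]$DomainControllers, [int]$Hours)

    $filter = @{ LogName = 'Security'; Id = [int[]]$actions.Keys; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainControllers) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Read the named EventData fields from the XML; positional Properties differ per ID.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                Action  = $actions[[int]$e.Id]
                Target  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                # Subject = the principal that performed the operation. For a tool-driven
                # reset this is whatever identity the reset component writes with (not
                # stated on the page for Centrify); a subject you do not expect is the
                # thing to investigate.
                Subject = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            }
        }
    }
}

$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$events = Get-AccountSelfServiceEvents -DomainControllers $dcs -Hours $LookbackHours

$events | Sort-Object Time | Format-Table Time, DC, Action, Target, Subject -AutoSize

# Dashboard-style rollup: operations per action and per performing subject.
$events | Group-Object Action, Subject | Sort-Object Count -Descending | Select-Object Count, Name
```

The rollup at the end is the number to put next to the dashboard's count for the same date range: a 4724 on the DC with no matching self-service record in the portal is either a reset done by some other tool or something to investigate, and a portal record with no 4724 means the write never reached the domain.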
Windows 10 MDM Enrollment
Windows 10 MDM enrollment uses the built-in "Connect to work or school" facility. From Microsoft's own documentation:
"Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
There are two parts to the Windows 10 management component:
Third-party MDM servers can manage Windows 10 by using the MDM protocol."
With the Centrify Agent for Windows™ included in Infrastructure Services 2017.3, we now support automatic Windows 10 MDM enrollment of corporate-owned systems, with optional personalization. In this release we provide:
This opens the door to future capabilities, including management through Windows configuration service providers (CSPs).
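Once enrollment is automatic, the check a practitioner wants is that the device really is enrolled, and enrolled with the management server you intended rather than some other one. The following is an added example (PowerShell written for this article, not Centrify's code). The `HKLM:\SOFTWARE\Microsoft\Enrollments` layout and the `dsregcmd` tool are standard Windows 10; the expected discovery host is a placeholder parameter, not a Centrify endpoint, and must be replaced with your tenant's enrollment address.

```powershell
# Added example, not Centrify's code: confirm on a Windows 10 device that an MDM
# enrollment exists and that it points at the management server you expect.
# The Enrollments registry layout and dsregcmd are standard Windows; the expected
# host is a placeholder (assumption: replace it with your tenant's enrollment endpoint).
param(
    [string]$ExpectedDiscoveryHost = 'enrollment.example.com'   # hypothetical value
)

function Get-MdmEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Only subkeys carrying a ProviderID are enrollments; the others
        # (Status, Ownership, ValidNodePaths, ...) are housekeeping.
        if ($p.PSObject.Properties['ProviderID']) {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                ProviderID      = $p.ProviderID
                UPN             = $p.UPN
                EnrollmentType  = $p.EnrollmentType
                EnrollmentState = $p.EnrollmentState
                DiscoveryUrl    = $p.DiscoveryServiceFullURL
            }
        }
    }
}

function Test-MdmEnrollment {
    param([string]$ExpectedHost)
    $enrollments = @(Get-MdmEnrollment)
    if ($enrollments.Count -eq 0) {
        return [pscustomobject]@{ Enrolled = $false; Expected = $false; Detail = 'no MDM enrollment found' }
    }
    foreach ($e in $enrollments) {
        $dHost = if ($e.DiscoveryUrl) { ([uri]$e.DiscoveryUrl).Host } else { $null }
        if ($dHost -eq $ExpectedHost) {
            return [pscustomobject]@{
                Enrolled = $true; Expected = $true
                Detail   = "enrolled with '$($e.ProviderID)' via $dHost as $($e.UPN)"
            }
        }
    }
    # Enrolled, but with a server you did not expect. This is the case to alert on:
    # whoever operates that MDM server can push policy and settings to the device.
    [pscustomobject]@{
        Enrolled = $true; Expected = $false
        Detail   = 'enrolled with unexpected server(s): ' + (($enrollments | ForEach-Object DiscoveryUrl) -join ', ')
    }
}

Get-MdmEnrollment | Format-Table -AutoSize
Test-MdmEnrollment -ExpectedHost $ExpectedDiscoveryHost | Format-List

# Join and MDM state as Windows itself reports it.
dsregcmd /status | Select-String 'Joined|MdmUrl'
```

Run it elevated on an enrolled device; `Expected = False` with `Enrolled = True` is the result worth wiring into an alert, since it means the device accepts policy from a server other than yours.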
Videos - Self-Service
Centrify Identity Platform - Self-Service Features Overview
Self-Service Password Reset using the Windows Credential Provider
Bulk Deployment - Corporate Owned Devices
Enrollment Personalization and Zero Sign-On
Summary
Centrify continues to extend the ability to reuse existing infrastructure in the hybrid enterprise. With these new Windows capabilities we also continue to evolve our support for endpoints and our initiatives around MFA Everywhere and the Zero Trust model, while providing strong access controls that align with or enhance existing security postures.