Note: With the Centrify-Idaptive spin-out, the Self-Service and MDM Enrollment capabilities will continue to be supported by Idaptive.  For more info about the split see the FAQ here:  https://www.centrify.com/centrify-idaptive-faq/  this article is left here for historic purposes.

Background

This is one of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  For additional articles in the series, review these links:

• Container Linux by CoreOS Support.
• Centrify Analytics Support for Infrastructure Services (preview).
• Centrify Agent for Windows™: Self-Service Password Reset and Windows 10 MDM Enrollment.
• Zero Trust Model - Conditional Access (UNIX/Linux and Windows access and privilege elevation).
• Official Announcement with all updates.

In this article, we'll discuss Centrify's Windows capabilities around Self-service and Windows 10 MDM Enrollment.

Cross-Functional capabilities of the  Centrify Identity Platform

Self-Service Overview

The Centrify Identity Platform provides self-service capabilities that can be leveraged from the web portal  These capabilities include:

• Self-Service Password Reset for Centrify Directory and Active Directory users.
• Self-Service Account Unlock for Centrify Directory and Active Directory users.

Self-Service - How it works

• Policy-based implementation:  Self-service capabilities are implemented by policy.  This means that you can enable/disable these capabilities based on the scope of the policy and this is quite handy especially if you want to offer these capabilities only to a segment of the population.
•  Multi-factor Authentication:  MFA is the mechanism to establish identity assurance when performing self-service operations (password reset and unlock).  This allows for administrators to adjust Authentication Profiles based on the type and sensitivity of these operations in the target population.  For example, for a user that does not deal with sensitive data, step-up methods (like SMS, Phone Factor, e-mail or questions) may be acceptable; however, for an admin-type, you may require of them to use a physical (true) MFA method via Mobile Authenticator, RADIUS-legacy OTP, OATH OTP or even FIDO U2F device (like Yubikey) to facilitate.
• Automatic detection of locked accounts:  A locked CD or AD account is detected automatically and the corresponding activity workflow is triggered (e.g. walking the user through the unlock authentication profile).

Endpoint Management - Overview

Centrify was the first Identity as a Service (IDaaS) provider to include both endpoint (mobile device/container/application management) as a built-in capability (along with MFA).  This has given us a unique position in the market.  With Windows 10 supporting MDM operations we are embarked in a process of incrementally adding capabilities to the Centrify Agent for Windows(tm).

Endpoint Management - How it works

• Policy-based implementation:  Endpoint policies are implemented by policy.  This means that you can enable/disable these capabilities based on the scope of the policy and this is quite handy especially if you want to offer these capabilities only to a segment of the population (e.g. users with corporate-owned devices vs. personalized or BYO).
  The policy payload can be delivered using Centrify's policy engine or Active Directory Group Policy.
• Platform Diversity and frameworks:  Depending on the platform, Centrify can provide varying degrees of depth.  For example, iOS, Android and other mobile devices have their own frameworks (e.g. APNS for iOS), however with OS X, not only we support the existing framework, but we enhance application management via Munki-based services.  In the case of Windows, expect incremental capabilities to be delivered when Configuration Service Providers are implemented.

Self-Service Capabilities in Microsoft Windows

Password reset (and account unlock) are popular identity management capabilities, and Windows has had the framework for years.   The graphical identification and authentication (GINA) in earlier versions of Windows, and now with Windows 8  and above, the Credential Provider is the framework used to deliver the functionality.

Since MFA was introduced by Centrify on Windows a couple of years ago, we used a Credential Provider that is now extended to provide self-service password reset (2017.3) and account unlock (2018).  These capabilities (in this version) apply to Active Directory accounts.

User Flow 

Precondition:  An Active Directory writable domain controller has to be reachable by means of the corporate network or VPN.

1. User presses ctrl+alt+delete to invoke the Windows credential provider.
2. User clicks the "Forgot Password" link and confirms and presses the arrow.
3. At this point, the Windows client talks to the Centrify connector that will verify if the user is allowed by policy to perform the operation.
4. Once verified, the user will be presented with the MFA or step-up methods defined for the SSPR authentication profile in the Centrify platform.
5. Provided the user types a password that is allowed by the Active Directory password policy rules, the user will successfully reset their password. 
6. An audit trail event will be logged in the application log of the Windows system and the Centrify platform event table will be updated.

Notes:  although account unlock is not officially released in 2017.3, the behavior is relatively similar, the biggest difference is that we will automatically detect the unlock state and trigger the proper identity assurance mechanism.

Controls

• Multi-factor authentication for identity assurance.
• Audit trail (application event log) to provide a mechanism for Security Operations solutions like Splunk, etc.
• CIP Events are also tracked in the platform's event table.

Audit Trail

Audit trails detail is especially important given that self-service metrics are usually captured to illustrate how these capabilities contribute to productivity. 

Dashboards

Self-Service operations are tracked by the security dashboard in Centrify Identity Platform.

The dashboard allows administrators or security leads to focus on an operation (e.g. denied self-service) and offers the scoping of the date range, once selected, you can drill into the users, failure reason, geo-location (if the client is reporting it)  and the authentication factors being used.

Windows 10 MDM Enrollment

MDM enrollment with the "connect to work or school"  facility.  Based on their own website:

" Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices. A built-in management component can communicate with the management server.

There are two parts to the Windows 10 management component:

• The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
• The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.

Third-party MDM servers can manage Windows 10 by using the MDM protocol."

With the Centrify Agent for Windows™ included with Infrastructure Services  2017.3, we now support automatic Windows 10 MDM enrollment as corporate-owned systems, with the optional capability for personalization.  In this release we provide:

• Administrative (bulk) enrollment (corporate-owned)
• Enrollment personalization (personal)
• Zero sign-on for to Centrify Apps Service from Windows (Internet Explorer or Edge) and Google Chrome browsers.

 This opens the possibility for future capabilities, including the configuration service providers.

Videos - Self-Service

Centrify Identity Platform - Self-Service Features Overview

Self-Service Password Reset using the Windows Credential Provider

Bulk Deployment - Corporate Owned Devices

Enrollment Personalization and Zero Sign-On

Summary

Centrify continues to extend the ability to reuse existing infrastructure in the hybrid enterprise. With new Windows capabilities we also continue to evolve our support for endpoints and our initiatives around MFA Everywhere, Zero-trust Model while providing strong access controls to align or enhance security postures.