
EMM and IAM Play Well Together

By Paul Rabinovich | September 26, 2018

Enterprise mobility management (EMM) — and now unified endpoint management (UEM) — platforms have always had a strong identity and access management (IAM) component. After all, policies and configurations are tied to identity, and users need to authenticate to gain access to EMM-protected resources.

However, in recent years cross-pollination between EMM and IAM dramatically increased to the point that many EMM vendors started to include in their offerings functionality traditionally associated with IAM. The areas of convergence include:

  • Single sign-on (SSO). End users increasingly view mobile devices as their access point to enterprise applications. While web SSO is now mainstream, it still requires additional server-side support, and EMM suites often provide this capability. EMM/UEM suites can also facilitate mobile SSO across browser-based and native apps, and enforce secure context and token sharing between protected apps. SSO in EMM/UEM often helps organizations drive app adoption.
  • Multifactor authentication (MFA). EMM/UEM suites can help protect enterprise resources by implementing MFA or integrating with third-party MFA services. They can also bring MFA to the device itself, providing support for MFA to on-device containers managed by them. In phone-as-a-token scenarios EMM/UEM suites can provide extra protection for the device used to complete MFA.
  • Adaptive access. Most access management tools now implement some form of adaptive (or risk-based) authentication. Information about compliance, compromise or management status of the device from which a user is accessing enterprise resources — as well as other device attributes — is key for better risk assessment. Similarly, EMM/UEM suites can benefit from additional risk signals available from external analytics services.
  • Analytics. Enterprise systems do not exist in isolation. Information about mobile-based attacks against a user is useful in evaluating his or her account’s risk and taking remedial actions even in systems not impacted by the attack. Many user and entity behavior analytics (UEBA) tools collect information from disparate systems including EMM/UEM suites to build a holistic risk picture and can provide risk scoring to other systems, EMM suites themselves among them.
  • Identity governance and administration (IGA). Integration between EMM and IGA can support device and app governance and provisioning, incorporation of device information into IGA data models, and remedial actions in EMM/UEM initiated by administrators in IGA portals or executed automatically based on IGA policies.

Mark Diodati and I recently published a document on the identity elements in EMM/UEM platforms entitled “Solution Comparison of IAM Features in Three UEM Suites.” The document compares IAM features in Microsoft Enterprise Security + Mobility (EMS), VMware Workspace ONE and MobileIron.

In the near future we expect EMM/UEM suites to simultaneously incorporate more IAM features and provide deeper integration with external IAM tools.
