A look at MobileIron’s zero sign-on and passwordless authentication plans
MobileIron’s “zero sign-on” tech uses phones to authenticate when accessing SaaS apps from unmanaged devices.
Earlier this month, I sat down with MobileIron’s product team to take a look at their current strategy and roadmap. We talked about the whole product line, but focused on their most recent announcement, their zero sign-on initiative.
Recent business changes at MobileIron
Before we get into the products, there are a few recent changes to go over. Last December, Rhonda Shantz became the chief marketing officer for MobileIron. She came over from Centrify, and brought in a few other team members as well. Then in January, Brian Foster came in to lead product management. Lastly, Ojas Rege shifted to an advisory role in April. Ojas has held various product, marketing, and strategy leadership roles over the years, but to the EMM industry, he needs no introduction—he’s been the de facto face of MobileIron for a decade.
On the business side, in case you haven’t looked at the numbers recently, MobileIron reached $193 million in revenue in 2018 (or $223 million in bookings, if you prefer that number). Their revenue growth guidance for this year is 6% to 11%, or $205 to $215 million. (Their next earnings call is on August 1.) MobileIron CEO Simon Biddoscombe, previously CFO, is now two years into the role.
On the product side, MobileIron Access (for conditional access and zero trust) and Mobile Threat Defense have been a big focus for a few years now, and, of course, keeping up with iOS and Android is always a lot of work. (As I once wrote, despite all the predictions, EMM is not a commodity.)
In May at their user conference, MobileIron announced a big effort around zero sign-on and passwordless authentication. It had been far too long since my last product briefing, and “passwordless” can have a lot of different meanings. So, I spoke to Brian Foster on the phone after the show, and recently met with Vijay Pawar, VP of product management for Access, Michael Klieman, VP of product management for UEM, and Jay Bhansali, senior director of product marketing.
MobileIron Access today
MobileIron Access was launched back in 2016. I’ve written about the basic Access architecture before, but here’s a quick overview.
At its heart, Access acts a proxy for SAML connections. It communicates with MobileIron’s UEM platform (Cloud or Core) and MobileIron Mobile Threat Defense to check devices against management and security policies, resulting in conditional access. You can use Tunnel and Sentry, MobileIron’s secure connectivity products, to get even more granular and ensure that the user is coming in from the correct managed instance of an app. This works with MDM-enrolled devices, as well as unmanaged devices using AppConnect, their app-level MAM SDK.
Access can also work with desktops, either by enrolling them in MobileIron or by using a MobileIron trust agent if they’re managed by another system. Access also supports a delegated model, so that your usual IdP (Okta, Ping, ADFS, etc.) can take care of authenticating requests from desktops, while mobile devices will be redirected to Access for authentication.
When it comes to the actual authentication mechanism, on mobile devices, most companies are likely using certificates, so day-to-day mobile auth should already be pretty easy. (This is one of the wins in mobility—ever since the early days of MDM, cert-based auth has been a big selling point.) MobileIron also has their own authenticator app to go along with the stack.
New zero sign-on features
So, mobile authentication can already be easy and password-free (at least after initial enrollment, most of the time). Now, where does this “zero sign-on” come in? I was a little confused when I first heard the phrase, but as it turns out, MobileIron is turning their attention to desktop scenarios.
At the user conference, they announced a process for using Access to log into web apps on unmanaged desktops. They described the process in a blog post, which I’ll paraphrase here:
- A user, who is set up with Access on their mobile device, goes to log into an enterprise web app on an unmanaged desktop. Access (via its proxy functionality) is the IdP for the web app.
- During the login process on the desktop, Access shows a web page, just like any SAML IdP would. Except in this case, instead of a username and password field, the webpage will display a QR code.
- The user grabs their device, and authenticates to their MobileIron client via biometrics, and then uses the app to scan the QR code in the browser.
- The user is then given access to the web app on the unmanaged device.
So there was no password involved on the desktop; instead the user has been authenticated on the mobile device, which is trusted, and the user’s presence was verified with the QR code scan. This became GA for iPhone as of July 16, and will be coming to Android as well.
Future zero sign-on plans
There’s a lot more in the works for identity.
MobileIron is planning to integrate remote browser isolation (via a partner) so that customers can wrap security and DLP around corporate web apps on unmanaged PCs. If you’ve been following me for a while, you know that I really like this concept—you can almost think of it as a form of MAM for BYO laptops.
Next, MobileIron plans to add FIDO support in Access. Without a doubt, FIDO is really having its breakout moment. Plus, MobileIron is working on ways to authenticate to managed laptops with mobile devices.
MobileIron is planning to integrate ID proofing (also via a partner). This is a way to bootstrap or recover user access by scanning government-issued IDs (like drivers licenses or passports) with a smartphone camera, and then comparing them to a selfie from the user. We haven’t written much about this idea yet, but it came up several times at Identiverse—it’s definitely an interesting idea to keep watch on.
Lastly, they told me that they’ll be investing more in analytics for Access. Again, this follows an industry trend of finding ways to make conditional access policies smarter.
UEM and threat defense plans
When it comes to endpoints, like everybody else, they’re in the middle of building up support for iOS 13 User Enrollment and all the other new Apple features coming in September. This is a busy time every year, but this year’s changes are bigger than usual.
I was excited to hear that MobileIron is working on support for Chrome OS management. A few other updates that I'll mention are that they came out with App Station, an app catalog app for frontline employees, and that they built a MobileIron Core to Cloud migration tool.
But their biggest investment area in UEM right now is Mac management. This makes sense—we’ve just seen so many organizations begin to take Macs more seriously, formalizing their support or offering device choice.
Windows management is now less of a focus. MobileIron Access on Windows is important, naturally, but when it comes to actual management, they’re not going to try to go up against SCCM or anything like that. We had been wondering what their plans were, going back to the days of MobileIron Bridge, but ultimately, this seems like the most pragmatic plan for right now.
Over on the MTD side, remember that MobileIron Mobile Threat Defense uses an integrated SDK from Zimperium. But recently, they’ve added some of their own phishing protections, and they’re planning on adding some local VPN-based URL filtering, as we’ve seen others in the space do.
There are a lot of plans here. As an UEM vendor, they’re always committed to do a lot of work to keep up with yearly major operating system updates, but clearly they see a big opportunity in conditional access. Naturally, I agree with this, as I’ve written that conditional access, identity management, and zero trust are the most important trends in end user computing right now.
Put together, all the future MobileIron zero sign-on features make for a really awesome demo, and I can see why everybody was so excited about them at the MobileIron user conference.
The big question, though, is exactly how companies will end up building up their conditional access strategies and policies in the long run. There are just a lot of different ways that you can put components together. Customers have options from multiple segments of the IT space, so it’s not yet a forgone conclusion which vendors and products will be strategic, versus which ones will be tactical. EMM is a very sticky product, though, so that helps MobileIron.
Overall, after the various transitions I mentioned earlier, it was great to sit down with the team and hear about all these interesting product plans. We’ll be watching to see how these come to fruition and what they mean for MobileIron next.