Here are the notes for another session I attended at the conference.
Unlocking Lync Mobile Deployments
Francois Doremieux (Microsoft)
Authentication in Earlier Mobile Versions
- To Lync server
  - Through Reverse Proxy
  - NTLM only
  - Re-authorize every 8 hours
- To EWS
  - For voice mail, meetings, UCS in 2013
  - NTLM only
  - Authorization is required for each query
Recent Improvements
- Improvement Principles
  - Reduce or remove AD credential exposure
  - Two options for initial authorization
    - NTLM
    - Passive Authentication
  - Dissociate subsequent re-authorizations - personal Lync certificate issued by Lync server
  - No solution for EWS yet
    - Remains NTLM for every query
    - Can remove/disable EWS-dependent capabilities
- Lync Certificate Authorization
  - Client obtains certificate on initial authorization
  - Method has been used for a while with other clients (desktop, phone)
  - Admin can revoke a user's certificate at any time
  - Certificate lifetime and auto-renewal interval manageable by Lync admin
  - Certificate is scoped only to Lync - can't be used to gain access to anything else on the network
  - Sign-out, deleting the client, or upgrading the client requires initial sign-in again
- Initial Authentication
  - NTLM
    - Used to obtain web ticket from web ticket service
- Protecting AD Credentials
  - New policy to disable password storage
    - Set-CsMobilityPolicy -AllowSaveCredentials
  - Disable EWS
    - Set-CsMobilityPolicy -AllowExchangeConnectivity
    - Voicemails will still be in email, meeting links in calendar
- Passive Authentication
  - New auth method introduced in Q1 CY2013
  - Lync server gets out of authentication
    - Server delegates authentication to a trusted Security Token Service (STS)
    - STS serves a custom authorization web page rendered in the Lync app
    - Uses form entries in a Trident page - not possible to use a certificate on the device or a smart card, but can support forms-based multifactor (password + OTP or SecurID)
    - STS passes a token to the client, which it presents to the Lync server
  - Set up server side
    - Can't be a client policy, as the client would only get it after authentication
    - Server policy - scoped per pool, affects all users and all client types
    - Enable Passive, disable Kerberos and NTLM
  - Experience - pop-up window to authenticate
  - Not quite ready for all clients
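The two server-side settings from the notes above (the mobility policy that stops password storage and EWS access, and the pool-scoped switch to passive authentication), as an added example for the Lync Server Management Shell; this is not code from the session or from Microsoft. The site name "Redmond", the policy name "NoSavedCredentials", the user "sip:alice@contoso.com" and the STS metadata URI are placeholders to replace with your own values.

```powershell
# Added example, not from the session. Run in the Lync Server Management Shell.
# Placeholders: site "Redmond", policy "NoSavedCredentials",
# user "sip:alice@contoso.com", STS metadata URI "sts.example.invalid".

# --- 1. Protecting AD credentials (mobility policy) ---
# Weak default: the mobile client may cache the user's AD password on the
# device and sends NTLM to EWS for every query.
Get-CsMobilityPolicy -Identity Global |
    Select-Object Identity, AllowSaveCredentials, AllowExchangeConnectivity

# Hardened per-user (tag) policy: forbid password storage and cut the
# NTLM-to-EWS path. Voicemail still lands in the mailbox and meeting links
# stay in the calendar, as the notes say.
New-CsMobilityPolicy -Identity "Tag:NoSavedCredentials" `
    -AllowSaveCredentials $false `
    -AllowExchangeConnectivity $false

# Assign it and confirm which mobility policy the user now resolves to.
Grant-CsMobilityPolicy -Identity "sip:alice@contoso.com" -PolicyName "NoSavedCredentials"
Get-CsUser -Identity "sip:alice@contoso.com" | Select-Object SipAddress, MobilityPolicy

# --- 2. Passive authentication (web service configuration, site scope) ---
# Must be server side: a client policy would only reach the client after it
# had already authenticated. Create the site-scoped settings first with
# New-CsWebServiceConfiguration -Identity "Site:Redmond" if they do not exist.
# Note: UseWindowsAuth None switches off Kerberos and NTLM for every client
# type on the pool, so check that all clients in use support passive auth.
Set-CsWebServiceConfiguration -Identity "Site:Redmond" `
    -UseWsFedPassiveAuth $true `
    -WsFedPassiveMetadataUri "https://sts.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml" `
    -UseWindowsAuth None

# Verify: passive auth on, Windows auth off, for the site.
Get-CsWebServiceConfiguration -Identity "Site:Redmond" |
    Select-Object Identity, UseWsFedPassiveAuth, WsFedPassiveMetadataUri, UseWindowsAuth
```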
Other questions around mobile security - MDM discussion
- Lync Mobile does not support MDM
  - No path to distribute
  - Rich, real-time behavior of the app does not lend itself to complex integration
  - Distribution through the App Store is the most efficient way to get the current release
- What we endeavour instead
  - Why should app security depend on MDM?
  - Improvement on policies, authentication, protection of data at rest
  - Open to feedback toward closing possible remaining gaps
- What does Lync Mobile do for data security
  - Data transfers
    - Authenticated, encrypted at a similar grade as encapsulating solutions
    - Pre-authentication in DMZ
  - Data at rest
    - Very little data at rest
    - Not accessible to other apps
    - No local storing of address books
Incremental capabilities through third party solutions
- Random Trivia:
- The Hoover Dam is made of enough concrete to make a two lane highway from New York to San Francisco, that’s around 4000 miles (2500 kilometres).