Here are the notes for another session I attended at the conference.
Unlocking Lync Mobile Deployments
Francois Doremieux (Microsoft)
Authentication in Earlier Mobile Versions
- To Lync server
  - Through Reverse Proxy
  - NTLM only
  - Re-authorize every 8 hours
- To EWS
  - For voice mail, meetings, UCS in 2013
  - NTLM only
  - Authorization is required for each query
Recent Improvements
- Improvement Principles
  - Reduce or remove AD credential exposure
  - Two options for initial authorization
    - NTLM
    - Passive Authentication
  - Dissociate subsequent re-authorizations: personal Lync certificate issued by Lync server
  - No solution for EWS yet
    - Remains NTLM for every query
    - Can remove/disable EWS-dependent capabilities
- Lync Certificate Authorization
  - Client obtains certificate on initial authorization
  - Method has been used for a while with other clients (desktop, phone)
  - Admin can revoke a user's certificate at any time
  - Certificate lifetime and auto-renewal interval manageable by Lync admin
  - Certificate is scoped only to Lync; it can't be used to gain access to anything else on the network
  - Sign-out, deleting the client, or upgrading the client requires initial sign-in again
- Initial Authentication
  - NTLM
    - Used to obtain web ticket from web ticket service
- Protecting AD Credentials
  - New policy to disable password storage
    - Set-CsMobilityPolicy -AllowSaveCredentials
  - Disable EWS
    - Set-CsMobilityPolicy -AllowExchangeConnectivity
    - Voicemails will still be in email, meeting links in calendar
- Passive Authentication
  - New auth method introduced in Q1 CY2013
  - Lync server gets out of authentication
    - Server delegates authentication to trusted Security Token Service
    - STS serves custom authorization web page rendered in Lync app
    - Uses form entries in Trident page: not possible to use cert on device or smart card, but can support forms-based multifactor (password + OTP or SecurID)
    - STS passes token to client, which it presents to Lync server
  - Set up server side
    - Can't be client policy, as client would only get it after authentication
    - Server policy: scope per pool, affects all users and all client types
    - Enable Passive, disable Kerberos and NTLM
  - Experience: pop-up window to authenticate
  - Not quite ready for all clients
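As an added example (not from the session or from Microsoft's documentation), here is how the two server-side changes described above, the credential-protection mobility policy and the pool-scoped passive authentication setting, look in the Lync Server 2013 Management Shell. The policy name, user SIP address, pool FQDN and STS metadata URL are assumed placeholders.

```powershell
# Added example, not from the session. Run in the Lync Server 2013 Management Shell.
# Part 1: per-user mobility policy that stops the mobile client from caching
#         AD credentials and removes the EWS dependency (EWS itself stays
#         NTLM-per-query, as the notes say).
# Part 2: pool-scoped web service configuration that enables passive
#         (WS-Federation) authentication and turns off Kerberos/NTLM.
# Assumed placeholders: policy name, user SIP address, pool FQDN, STS metadata URL.

Import-Module Lync

# ---- Part 1: protect AD credentials on mobile clients ----------------------
$policyName = "NoStoredCredentials"   # assumed policy name
if (-not (Get-CsMobilityPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsMobilityPolicy -Identity $policyName -EnableMobility $true
}
$mobilitySettings = @{
    Identity                  = $policyName
    AllowSaveCredentials      = $false   # password is not cached on the device
    AllowExchangeConnectivity = $false   # no EWS calls; voice mail stays in email
}
Set-CsMobilityPolicy @mobilitySettings

# Assign the policy to one user (assumed SIP address), then review it.
Grant-CsMobilityPolicy -Identity "sip:alice@contoso.com" -PolicyName $policyName
Get-CsMobilityPolicy -Identity $policyName |
    Select-Object Identity, EnableMobility, AllowSaveCredentials, AllowExchangeConnectivity

# ---- Part 2: passive authentication, scoped to one pool -------------------
# Per the notes this is a server-side setting that affects every user and
# every client type on the pool, so scope it to a pool rather than globally.
$poolConfig  = "Service:WebServer:pool01.contoso.com"   # assumed pool identity
$stsMetadata = "https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"

if (-not (Get-CsWebServiceConfiguration -Identity $poolConfig -ErrorAction SilentlyContinue)) {
    New-CsWebServiceConfiguration -Identity $poolConfig
}
# UseWindowsAuth None disables both Kerberos (Negotiate) and NTLM on this pool.
# UseCertificateAuth is left at its default so the Lync certificate still
# handles the subsequent re-authorizations described above.
Set-CsWebServiceConfiguration -Identity $poolConfig `
    -UseWsFedPassiveAuth $true `
    -WsFedPassiveMetadataUri $stsMetadata `
    -UseWindowsAuth None

# Verify the effective web service configuration for the pool.
Get-CsWebServiceConfiguration -Identity $poolConfig |
    Select-Object Identity, UseWsFedPassiveAuth, WsFedPassiveMetadataUri,
                  UseWindowsAuth, UseCertificateAuth
```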
Other questions around mobile security: MDM discussion
- Lync Mobile does not support MDM
  - No path to distribute
  - Rich, real-time behavior of app does not lend itself to complex integration
  - Distribution through App Store is most efficient way to get current release
- What we endeavour instead
  - Why should app security depend on MDM?
  - Improvement on policies, authentication, protection of data at rest
  - Open to feedback toward closing possible remaining gaps
- What does Lync mobile do for data security
  - Data transfers
    - Authenticated, encrypted at similar grade as encapsulating solutions
  - Data at rest
    - Very little data at rest
    - Not accessible to other apps
    - No local storing of address books
  - Data transfers
    - Pre-authentication in DMZ
Incremental capabilities through third party solutions
- Random Trivia:
- The Hoover Dam is made of enough concrete to make a two lane highway from New York to San Francisco, that’s around 4000 miles (2500 kilometres).