VMworld 2018 – Day 3
(Note: You can replay recorded sessions here)
Deep Dive Into What’s New with Workspace ONE Unified Endpoint Management
Console changed, mobile UI changed. Using Clarity UI.
Workspace ONE UEM is the new name for the console. The AirWatch name is not as prominent.
Windows 10 is a full OS and more complicated to manage than Android or iOS
Wizard to choose security baselines to lock down computers
Dell Factory Provisioning with Workspace ONE & apps already done. No charge.
Policy Builder for Custom Settings Profiles. Makes building the XML much easier
vmwarepolicybuilder.com
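To show what the Policy Builder is saving you from hand-writing, here is an added example (not Workspace ONE or Policy Builder code) that generates the SyncML body of a Custom Settings profile from a list of CSP paths and values. The two LocURIs are documented Policy CSP nodes, but treat them as illustrative and check them against the current CSP reference before deploying; the function name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed example: the Custom Settings payload for a Windows 10 device is SyncML,
# one <Replace> (or Add/Delete/Exec) command per CSP node addressed by its LocURI.
# Serialising with ElementTree instead of string concatenation guarantees the XML is
# well formed and that values are escaped, which is where hand-built profiles break.
SUPPORTED_COMMANDS = ("Replace", "Add", "Delete", "Exec")

# Illustrative (LocURI, value) pairs; verify each path against the CSP documentation.
EXAMPLE_SETTINGS = [
    ("./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled", 0),
    ("./Device/Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption", 1),
]


def build_syncml(settings, command="Replace"):
    """Return SyncML text: one <command> block with a unique CmdID per setting."""
    if command not in SUPPORTED_COMMANDS:
        raise ValueError(f"unsupported SyncML command: {command}")
    parts = []
    for cmd_id, (loc_uri, value) in enumerate(settings, start=1):
        if not loc_uri.startswith("./"):
            raise ValueError(f"LocURI must be a CSP path starting with './': {loc_uri}")
        cmd = ET.Element(command)
        ET.SubElement(cmd, "CmdID").text = str(cmd_id)
        item = ET.SubElement(cmd, "Item")
        target = ET.SubElement(item, "Target")
        ET.SubElement(target, "LocURI").text = loc_uri
        ET.SubElement(item, "Data").text = str(value)
        parts.append(ET.tostring(cmd, encoding="unicode"))
    return "\n".join(parts)


def count_commands(syncml):
    """Parse the generated text back (wrapped in a temporary root) and count commands."""
    root = ET.fromstring("<SyncBody>" + syncml + "</SyncBody>")
    return len(list(root))


if __name__ == "__main__":
    print(build_syncml(EXAMPLE_SETTINGS))
```

The parse-back step is the check worth keeping: a profile that the console accepts but the device cannot parse fails silently on the endpoint, so validate the XML before it goes into a Custom Settings payload.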
Airlift moves SCCM info to Workspace ONE UEM
Apple Platforms
iOS & macOS
Remote view for iOS. View, not control.
DEP Skip Screens. Device Enrollment Program. AirWatch can skip some Apple screens in DEP.
Moving away from Product Provisioning for macOS devices.
Incorporated the free Munki tool for package deployment.
Android
Android Enterprise is the new preferred method for MDM APIs.
New Android mode: COPE – Corporate Owned Personally Enabled
QR Code Generator to enroll Android devices into Workspace ONE
Samsung Knox container supported and integrated into the same console
Android Enterprise Multi-User Mode. Maybe a shared hospital device.
Console defaults to Android Enterprise. Opt-out available for Android Legacy management. This is needed for devices that are locked down with no access to the Play Store.
VMware Tunnel, Content Gateway, Unified Access Gateway
Content Gateway is now an integrated product in the UAG (Unified Access Gateway)
Identity Bridging with UAG. Identity Groups. SSO to an AD back-end without username and password, using the Kerberos built into Windows. A certificate is on the device: biometrics authenticate the user, and the certificate is then used to get a token.
Secure Productivity Apps
Office 365 Graph APIs for DLP. Control where apps can save and copy/paste/cut.
AirWatch Agent moving to Workspace ONE Intelligent Hub. Adds more intelligence.
Apps have new icons
New Send app is built to work with O365
Notebook works with Outlook Notes and Tasks
Web for Intranet access
Tunnel for per-app VPN
Content shared files
Verify for MFA
People for Contacts including org chart
PIV-D replaces access cards for authentication
Workspace ONE SDK
Analytics via Aptelligent. Designed for app analytics. Where are pain points in apps and user flows?
Dedicated module for privacy. Framework for privacy rules.
Tech Preview: Mobile Flows & Content. Content SDK allows Content features within custom apps.
Boxer Enhancements
Alert if sending outside the company
View calendar availability of recipients
Turn on notifications for VIPs only
Redesigned user interface. Attachments are at the top now.
Notebook
Like Evernote.
Send
Built to work with O365. Can open and share O365 files with Boxer and Content.
Mobile Flows
Extend Enterprise App Workflows
Built-in connectors and custom connectors
Workspace ONE Intelligence Vision
OS Patch Management
Trust Network Partners use the AirWatch APIs to send information
techzone.vmware.com for technical resources and tutorials
Great Power, Great Responsibility – Least Privilege Security with AppDefense
More money is spent on security, but losses are increasing
Was at RSA when a nation-state broke in and stole token seeds
Did not have enough layered controls. Too much emphasis on the external layer.
A user was phished with a zero-day attack. RSA was the only target for this attack.
No controls once the Infiltration phase was breached.
Attackers are getting better at using known “good apps” and open ports rather than inserting bad apps into the network.
Stop chasing bad and start ensuring good.
Reduce the attackable surface
What you do for endpoints (top of the pyramid) is different from what you should be doing for your servers.
System Integrity, App, Exploit and Data in Motion are the tiers AppDefense focuses on
Least privilege
Focus more on hygiene than on reducing threats
With great power comes great responsibility
Create a policy based on learning
The blocking is the easy part. The learning is the hard part.
Inventory of vCenter and containers supported. Bare metal coming.
Capture and analyze. Detect and Respond.
Can we use existing authoritative sources of information to classify inventory? Existing automation tools can be helpful for this. Run through analysis engine to match against known good software.
Don’t expect users to write manual triggers, just to approve what was learned.
You cannot trust a security agent that may have been compromised. The hypervisor cannot be compromised from the VM.
Capture the behavior of a “good” application
Machine learning for adaptive whitelisting. Helpful when known-good applications auto-update and therefore look different.
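The learn-then-enforce loop described in these notes (capture a good application's behaviour, have a human approve what was learned, then alert on anything outside the manifest) can be shown in a few dozen lines. This is an added example, not AppDefense code: the event fields, service names and hashes are constructed, and the "same signer, new hash" rule is a deliberately simple stand-in for the adaptive whitelisting the talk attributes to machine learning.

```python
from collections import defaultdict

# Constructed learning-window events (not AppDefense data); field names are assumptions.
LEARNING_EVENTS = [
    {"service": "web-tier", "process": "/usr/sbin/nginx", "signer": "ExampleCorp",
     "sha256": "aaaa1111", "proto": "tcp", "dest_port": 443},
    {"service": "web-tier", "process": "/usr/sbin/nginx", "signer": "ExampleCorp",
     "sha256": "aaaa1111", "proto": "tcp", "dest_port": 5432},
    {"service": "web-tier", "process": "/usr/bin/python3", "signer": "ExampleCorp",
     "sha256": "bbbb2222", "proto": "tcp", "dest_port": 5432},
]


def learn_manifest(events):
    """Learning phase: record which binaries run and which connections they make.

    The window must be clean; anything observed here becomes 'good', so the
    learned manifest is reviewed and approved rather than trusted blindly."""
    manifest = defaultdict(lambda: {"processes": {}, "connections": set()})
    for e in events:
        entry = manifest[e["service"]]
        proc = entry["processes"].setdefault(
            e["process"], {"signer": e["signer"], "hashes": set()})
        proc["hashes"].add(e["sha256"])
        entry["connections"].add((e["process"], e["proto"], e["dest_port"]))
    return dict(manifest)


def summarize_for_approval(manifest):
    """Human-readable lines for the approval step (approve what was learned)."""
    lines = []
    for service, entry in sorted(manifest.items()):
        for path, proc in sorted(entry["processes"].items()):
            lines.append(f"{service}: {path} signed by {proc['signer']} "
                         f"({len(proc['hashes'])} hash(es))")
        for process, proto, port in sorted(entry["connections"]):
            lines.append(f"{service}: {process} -> {proto}/{port}")
    return lines


def evaluate(manifest, event):
    """Enforcement phase: return (verdict, reason); verdicts are allow, allow-updated, alert."""
    entry = manifest.get(event["service"])
    if entry is None:
        return "alert", "service has no learned manifest"
    proc = entry["processes"].get(event["process"])
    if proc is None:
        return "alert", f"process {event['process']} not in manifest"
    conn = (event["process"], event["proto"], event["dest_port"])
    if conn not in entry["connections"]:
        return "alert", (f"unexpected connection {event['proto']}/{event['dest_port']} "
                         f"from {event['process']}")
    if event["sha256"] in proc["hashes"]:
        return "allow", "matches learned binary"
    if event["signer"] == proc["signer"]:
        # Simplified adaptive allow-listing: a new hash from the already-approved
        # signer is treated as an auto-update and learned, so routine patches do
        # not raise an alert while a differently signed replacement still does.
        proc["hashes"].add(event["sha256"])
        return "allow-updated", "new hash from the same signer learned as an update"
    return "alert", "binary changed and signer differs from the learned one"


if __name__ == "__main__":
    m = learn_manifest(LEARNING_EVENTS)
    print("\n".join(summarize_for_approval(m)))
    print(evaluate(m, {"service": "web-tier", "process": "/usr/sbin/nginx",
                       "signer": "ExampleCorp", "sha256": "aaaa1111",
                       "proto": "tcp", "dest_port": 6667}))
```

Two design points follow from the talk. The connection allow-list is keyed per process, not per service, so a known-good binary reaching a port it never used before is still flagged; and the update rule only relaxes the hash check, never the connection or process checks, which keeps "ensuring good" narrow even when the binary legitimately changes.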
Advanced extensibility use case: vRealize Automation and Ansible Tower
Extending vRealize using SovLabs modules
Delta Air Lines example. 800 applications, 55+ mission critical. New VM turnaround took from 3 days to 6 months.
Non-production goal: VM in 30 minutes. Solution: Ansible + SovLabs + VMware.
vRealize Automation 7.5
New UI – Clarity UI
Ansible is the top config management tool and vRA 7.5 adds more Ansible integration
Requests can be tied to business groups
Can rename a deployment in the UI
SovLabs owned the integration with Ansible. Requires a SovLabs license.
Two ways to consume Ansible. Dedicated Tower module plug-in. Standalone Tower plug-in.
If you are N-2 versions behind on vRA, VMware engineering will help you get up to date.
VMware Cloud on AWS with NSX: Use Cases, Design, and Implementation
AWS is just another vSphere site
Networking is AWS VPC networking
Use Cases:
1) DC expansion to the cloud
2) On demand capacity
   - Extend Layer 2 networking to VMC-AWS
3) Migration to the cloud
   - Data Center evacuation without changing the applications
4) D/R
   - Using Site Recovery Manager
Architecture & NSX-T SDDC
Key Components:
- Management pool
- Management gateway
- Compute Pool
AWS login gives access to existing AWS resources
Route tables are built between
NSX-T is in preview mode
Components are within one VM rather than separate VMs
Connected to the Tier-0 (T0) router
All traffic can go over direct connect with NSX-T
NSX-T Differences From NSX-V
GUI changes in NSX-T for ease of use
Distributed Firewall (DFW) is a paid add on to NSX-T. Service Insertion and Load Balancer are coming.
NSX-T Deep Dive
(This section was presented very quickly; you might want to watch the replay)
Moved everything into the console
More than two DNS servers
Auditor and Admin roles built in
Multiple DNS zones
Role-Based Access Control
DFW. Rules apply within the same segment or across segments, for micro-segmentation.
Edge FW
Allow traffic through the MGW FW
Security groups in edge FW
Groups based on:
- IP Address
- VM Instance
- VM Name
- Security Tag
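To make the DFW and edge-firewall notes above concrete, here is an added example (not NSX-T code) of how group membership built from the four criteria listed resolves into an ordered rule list with a default deny at the end. The VM inventory, group names, rules and addresses are all constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed inventory; names, addresses and tags are assumptions.
VMS = [
    {"name": "web-01", "ip": "10.0.1.10", "tags": {"tier:web"}},
    {"name": "web-02", "ip": "10.0.1.11", "tags": {"tier:web"}},
    {"name": "db-01", "ip": "10.0.2.10", "tags": {"tier:db"}},
    {"name": "jump-01", "ip": "10.0.100.5", "tags": set()},
]

# Each group is a list of (criterion, value) pairs; matching any pair qualifies a VM.
# The criteria are the four membership types from the notes.
GROUPS = {
    "web": [("tag", "tier:web")],        # security tag
    "db": [("name", "db-*")],            # wildcard on VM name
    "mgmt": [("ip", "10.0.100.0/24")],   # IP address / CIDR
    "jump": [("vm", "jump-01")],         # a specific VM instance
}

# Ordered rules, first match wins. The web-to-web drop is the micro-segmentation
# case: peers on the same segment are blocked unless a rule above allows them.
RULES = [
    {"name": "web-to-db", "src": "web", "dst": "db", "port": 3306, "action": "allow"},
    {"name": "web-to-web", "src": "web", "dst": "web", "port": None, "action": "drop"},
    {"name": "mgmt-ssh", "src": "mgmt", "dst": "any", "port": 22, "action": "allow"},
    {"name": "default-deny", "src": "any", "dst": "any", "port": None, "action": "drop"},
]


def vm_matches(vm, criterion, value):
    """Evaluate one membership criterion against one VM."""
    if criterion == "ip":
        return ipaddress.ip_address(vm["ip"]) in ipaddress.ip_network(value, strict=False)
    if criterion == "vm":
        return vm["name"] == value
    if criterion == "name":
        return fnmatch.fnmatchcase(vm["name"], value)
    if criterion == "tag":
        return value in vm["tags"]
    raise ValueError(f"unknown criterion: {criterion}")


def resolve_groups(vms, groups):
    """Return {group_name: set of VM names}; membership is recomputed from inventory."""
    return {g: {vm["name"] for vm in vms if any(vm_matches(vm, c, v) for c, v in crit)}
            for g, crit in groups.items()}


def find_vm(vms, ip):
    return next((vm for vm in vms if vm["ip"] == ip), None)


def groups_of(membership, vm_name):
    return {g for g, members in membership.items() if vm_name in members}


def evaluate_flow(vms, groups, rules, src_ip, dst_ip, port):
    """Return (action, rule_name) for a flow; unknown endpoints belong to no group."""
    membership = resolve_groups(vms, groups)
    src, dst = find_vm(vms, src_ip), find_vm(vms, dst_ip)
    src_groups = groups_of(membership, src["name"]) if src else set()
    dst_groups = groups_of(membership, dst["name"]) if dst else set()
    for rule in rules:
        if rule["src"] != "any" and rule["src"] not in src_groups:
            continue
        if rule["dst"] != "any" and rule["dst"] not in dst_groups:
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        return rule["action"], rule["name"]
    return "drop", "implicit-deny"  # reached only if no explicit default rule exists


if __name__ == "__main__":
    print(resolve_groups(VMS, GROUPS))
    print(evaluate_flow(VMS, GROUPS, RULES, "10.0.1.10", "10.0.1.11", 80))
```

Because membership is derived from tags and names rather than hard-coded addresses, a new VM tagged `tier:web` inherits the web rules the moment it appears, which is the property that makes tag-based groups safer to operate than IP lists that drift out of date.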
IPSEC VPN enhancements
NSX-T APIs
Can do port mirroring to Wireshark
Advanced NSX Services in VMware Cloud on AWS
Can you manage private cloud and public cloud using the same tools and skills today? Probably not. VMC-AWS fixes that
Overview of NSX-T Advanced Services
Connectivity, security, visibility
Connectivity
Direct connect
NSX VPN
DPDK supported for faster packets
Security
Micro segmentation in the public cloud with DFW and policies
Visibility
Flow and packet level visibility
Use Case 1: Application Migration
Network and security focused assessment of applications
DFW, log intelligence
Transit VPC can be used to house security appliances to control traffic. Not required but security folks might like this. Reduces bandwidth.
Perimeter VPC is another option for all application access
Use Case 2: Data Center Extension
Customer example with strict security model including controlling traffic coming back from the cloud.

App failure. Understand the latency
Site failure.
Example for hard-coded IP addresses (Extend Layer 2)
Example for full site failure
I hope you have enjoyed this post from Day 3. I value and welcome your feedback.