Multi-factor authentication and authorization for device users

Device users can use Ivanti Web@Work only if the following are true:

  • The device and user are registered with Ivanti EPMM.

    Registering a device with Ivanti EPMM authenticates the device user.

  • The device is authorized to use Web@Work.

    Using the Admin Portal, you authorize a device to use Web@Work. The labeling mechanism in Ivanti EPMM indicates which devices are authorized to use Web@Work.

    If the device is not authorized to use Web@Work, the device user cannot use it even for accessing public websites.

  • The device is in compliance with the security policy applied to the device.

    Using the Admin Portal, you can set up security policies that block access to Web@Work if the device fails to meet conditions that you specify. When access is blocked, the device becomes unauthorized to use Web@Work. All AppTunnel access is also blocked, which blocks access to enterprise websites.

    On iOS devices, be sure to require a device passcode on the security policy, since a device passcode enables iOS data encryption capabilities. Web@Work uses iOS data encryption capabilities to encrypt browser data.

  • Device users are logged in with their secure apps passcode.

    Web@Work is an AppConnect app, so you can optionally require the device user to enter a secure apps passcode to use it. The device user uses one secure apps passcode to access all AppConnect apps.

    When device users first launch Web@Work, they are prompted to create a secure apps passcode if they have not already created one to use on some other AppConnect app. On subsequent launches of Web@Work, users are prompted to enter the secure apps passcode, unless they had recently entered it to use on some other AppConnect app.

    After device users have registered the device with Ivanti EPMM and, if required, entered their secure apps passcode, they have no further Web@Work setup to do.

    A device user cannot specify Web@Work as the default browser on the device. This prohibition ensures that the device user always has easy access to a browser for non-enterprise browsing, even if the device becomes unauthorized to use Web@Work.

Secure enterprise web content access using AppTunnel

Ivanti Web@Work uses AppTunnel technology to securely access web content behind your enterprise’s firewall. This technology allows you to:

  • Set up Web@Work to access enterprise websites without requiring the device user to set up VPN.
  • Support Single Sign On using Kerberos Constrained Delegation (KCD).

    Device users register Mobile@Work with Ivanti EPMM by entering their Ivanti credentials. After that, they can use Web@Work to access an enterprise app server without entering any further credentials. This support depends on your environment being set up for KCD, plus the necessary AppTunnel configuration.

  • Limit enterprise access to Web@Work.

    Other apps, such as mobile email and calendar synchronization, are not impacted by Web@Work’s enterprise access. Therefore, unlike when you use VPN for enterprise access, you do not have to retest the behavior of these existing apps.

  • Limit the enterprise sites that a device user can access.

    You can specify accessible sites in the tunneling configuration. Specifically, as long as the device stays on the external network, internal sites that are not specified in the tunneling configuration remain inaccessible. Also, you can vary the accessible sites according to device and user attributes, such as user membership in the enterprise directory.

  • Terminate enterprise website access based on compliance policies.

    Using the security policy for a device, you can specify which non-compliance situations block AppTunnel access.

  • Perform URL filtering to audit and enforce web use policies.

    If you direct all outgoing traffic through a filtering proxy, you can direct traffic that you tunnel through the proxy, too. For example, by setting up Web@Work to tunnel all requests to www.SomeExternalWebSite.com, you can set the URL rules in your filtering proxy to block access to that site.

Benefit from split-tunneling.

You can allow device users to access some public websites without tunneling, while enforcing tunneling for other external websites as well as enterprise websites. With split-tunneling, device users can access public sites without adding load to the enterprise network infrastructure. Split-tunneling also lets users access public websites without the enterprise having visibility into that traffic, which regional privacy regulations sometimes require for personally owned devices.
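The decisions described in the list above (tunnel only listed hosts, drop AppTunnel access on non-compliance, hand tunneled traffic to the filtering proxy, let unlisted public sites go direct under split-tunneling) can be written down as one small policy evaluator. The code below is an added illustration and is not Ivanti's implementation: the TunnelConfig and DeviceState structures, the wildcard host syntax, the proxy rule format and the INTERNAL_SUFFIXES list are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class TunnelConfig:
    """Assumed shape of a tunneling configuration (example only, not Ivanti's format)."""
    tunneled_hosts: list            # host patterns sent through AppTunnel, e.g. "*.corp.example"
    split_tunneling: bool = True    # False: every request goes through the tunnel
    proxy_blocked_hosts: list = field(default_factory=list)  # URL rules of the filtering proxy


@dataclass
class DeviceState:
    registered: bool            # device and user registered with Ivanti EPMM
    authorized_label: bool      # device carries the label that authorizes Web@Work
    compliant: bool             # passes the security policy applied to the device
    passcode_entered: bool      # secure apps passcode entered (or not required)
    on_external_network: bool = True


# Hostname suffixes that only resolve inside the enterprise network (constructed for the example).
INTERNAL_SUFFIXES = (".corp.example",)


def host_matches(host: str, pattern: str) -> bool:
    """Case-insensitive host match; '*' in a pattern matches any run of characters."""
    return fnmatchcase(host.lower(), pattern.lower())


def is_internal(host: str) -> bool:
    return host.lower().endswith(INTERNAL_SUFFIXES)


def route(url: str, cfg: TunnelConfig, dev: DeviceState) -> str:
    """Decide what happens to one Web@Work request.

    Returns one of: 'denied-unauthorized', 'denied-noncompliant', 'denied-proxy',
    'tunnel', 'direct', 'unreachable'.
    """
    host = urlsplit(url).hostname or ""

    # 1. Authorization gate: an unregistered, unlabeled or locked device cannot use
    #    Web@Work at all, not even for public sites.
    if not (dev.registered and dev.authorized_label and dev.passcode_entered):
        return "denied-unauthorized"

    # 2. Routing decision: tunnel if the host is listed, or if split-tunneling is off.
    tunneled = (not cfg.split_tunneling) or any(
        host_matches(host, p) for p in cfg.tunneled_hosts
    )
    if tunneled:
        # 3. Compliance gate: a non-compliant device loses AppTunnel access.
        if not dev.compliant:
            return "denied-noncompliant"
        # 4. Tunneled traffic is subject to the filtering proxy's URL rules.
        if any(host_matches(host, p) for p in cfg.proxy_blocked_hosts):
            return "denied-proxy"
        return "tunnel"

    # 5. Not tunneled: the request leaves the device directly. Internal hosts that were
    #    not listed stay unreachable while the device is outside the enterprise network.
    if is_internal(host) and dev.on_external_network:
        return "unreachable"
    return "direct"


if __name__ == "__main__":
    cfg = TunnelConfig(
        tunneled_hosts=["*.corp.example", "www.SomeExternalWebSite.com"],
        proxy_blocked_hosts=["www.someexternalwebsite.com"],
    )
    healthy = DeviceState(registered=True, authorized_label=True, compliant=True, passcode_entered=True)
    noncompliant = DeviceState(registered=True, authorized_label=True, compliant=False, passcode_entered=True)
    for url, dev in [
        ("https://intranet.corp.example/hr", healthy),
        ("https://www.SomeExternalWebSite.com/", healthy),
        ("https://example.org/", healthy),
        ("https://intranet.corp.example/hr", noncompliant),
        ("https://example.org/", noncompliant),
    ]:
        print(f"{url:45} -> {route(url, cfg, dev)}")
```

Note that the compliance gate only fires on tunneled requests, which is the behaviour described for AppTunnel; a security policy that blocks Web@Work outright on non-compliance would instead be modelled by clearing authorized_label.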

Secure tunneled web traffic using multi-factor authentication and authorization.

To use Ivanti Web@Work:

  • A device must be registered with Ivanti EPMM and authorized to use Web@Work.
  • You can optionally require a secure apps passcode to access Web@Work, in addition to the device passcode.

Also, establishing an AppTunnel requires a unique client-side certificate, ensuring that only managed and authorized devices can access enterprise websites. You can get certificates from a third-party certificate authority (CA) or from the CA built into Ivanti EPMM.

Enable Ivanti Access for Ivanti Web@Work

Web@Work now supports Access. Access is an Ivanti Neurons for MDM service that secures access to enterprise content in business cloud services such as Office 365, G Suite, Salesforce, Box, and Dropbox. For information about Access as a service and how to set it up with Ivanti EPMM, see the Access Guide.