ForeScout CounterACT Integration with Citrix XenMobile MDM Edition Improve Mobile Security and

ForeScout CounterACT Integration with
Citrix XenMobile MDM Edition
Highlights
Improved Visibility
Gain real-time visibility of all mobile devices
that are connected to your network,
including devices that are not enrolled in
XenMobile MDM.
Enhanced Security
Block unauthorized and non-compliant
devices from your network. Re-assess the
security and compliance status of each
mobile device the moment it tries to access
your network.
Operational Efficiency
Provide a seamless enrollment process for
mobile devices to enroll in XenMobile MDM
the moment they connect to your network.
Improve Mobile Security and
Unify Compliance Management
ForeScout has integrated its automated security control platform for network access control (NAC)
and endpoint compliance with Citrix XenMobile™ MDM. With this joint solution, IT organizations
obtain better security, compliance and control for all endpoints on an enterprise network.
..................................................................................................
The Challenges
Mobile Device Management systems are
gaining rapid adoption among enterprises
that wish to better manage the plethora of
smartphones and tablets that are being used
in corporate environments. MDM systems can
help IT security managers secure the sensitive
corporate data that is frequently stored on such
devices. However, MDM systems by themselves
do not address the following challenges:
•• MDM systems can only see devices
that have already been enrolled in the
system. This leaves IT managers blind to
unmanaged devices on the network.
Easier Management
and Reporting
Unify network access control policies and
compliance reporting for all endpoints
on your network — personal computers,
servers and handheld devices.
•• MDM systems primarily work with
components and settings on the mobile
endpoint and do not have visibility into
the network. This means that they can’t
limit where the user goes within the
network.
•• MDM systems typically do not manage
all the personal devices that employees
might want to use on the corporate
network. For example, employee-owned
Windows, Mac and Linux computers are
typically outside the scope of MDM.
“Enterprises must be prepared to manage and secure a wide range of devices,
some which they don’t own. Multiplatform MDM tools are one way to achieve
this.”
Gartner, “Top 10 Mobile Technologies for
2012 and 2013”, 14 February 2012,
Nick Jones
Joint Solution Brief
an insufficient security control. You also need
to protect the data on the device itself with
controls such as Mobile Device Management
(MDM) and Mobile Application Management
(MAM) that are provided by XenMobile MDM.
Analysts such as Gartner recommend that
organizations consider using network access
control (NAC) as a foundation for any BYOD
security strategy, combined with technologies
such as MDM and MAM to secure data on BYOD
devices.1
The ForeScout-Citrix
Joint Solution
ForeScout CounterACT™ integrates with Citrix
XenMobile MDM to address these challenges
and complete the mobile security puzzle.
Through this integration, you can leverage your
existing XenMobile MDM system within the
broader context of unified security control that
ForeScout CounterACT provides.
•• MDM systems are often operated as a
separate IT management silo, with a
separate set of management screens,
policies and reports.
ForeScout CounterACT is an appliance (either
physical or virtual) that installs on premises,
typically at the core of your network. From that
location, the appliance monitors network traffic
and integrates with your existing switches and
wireless access points. ForeScout CounterACT
can detect devices the moment they try to
connect to your network and can allow, block,
limit, or redirect such devices depending on the
security policies you choose to enforce.
Similarly, NAC is commonly used to control
access to enterprise networks. This helps
prevent data loss by preventing unsecured,
unmanaged devices from having access
to corporate data. But if your goal is to get
corporate data onto the mobile device to
empower your employees, NAC by itself is
ForeScout CounterACT communicates bidirectionally with XenMobile and can query
XenMobile MDM for device attributes — “Is this
device enrolled? Is this device compliant?” This
information can be used by CounterACT as a
basis for deciding whether to allow the device
onto the network.
1
Gartner Magic Quadrant for Network Access Control, 3 December 2012, Lawrence Orans and John Pescatore.
1
ForeScout CounterACT Integration with
Citrix XenMobile MDM Edition
ForeScout ControlFabric™
The integration between ForeScout
CounterACT and Citrix XenMobile MDM
Edition is just one of many IT system
integrations that leverage the ForeScout
ControlFabric architecture. ControlFabric is
an open technology enabling ForeScout
CounterACT and other solutions to
exchange information and more efficiently
mitigate a wide variety of security issues.
Learn more at
www.forescout.com/controlfabric.
Take the ForeScout Challenge
Let us know which ForeScout solution is
right for you, and we’ll arrange a free on-site
evaluation.
About ForeScout
ForeScout delivers pervasive network
security by allowing organizations to
continuously monitor and mitigate security
exposures and cyber attacks. The company’s
CounterACT appliance dynamically
identifies and assesses all network users,
endpoints and applications to provide
complete visibility, intelligence and
policy-based mitigation of security issues.
ForeScout’s open ControlFabric technology
allows a broad range of IT security products
and management systems to share
information and automate remediation
actions. Because ForeScout’s solutions are
easy to deploy, unobtrusive, flexible and
scalable, they have been chosen by more
than 1,500 enterprises and government
agencies. Headquartered in Campbell,
California, ForeScout offers its solutions
through its network of authorized partners
worldwide.
Learn more at www.forescout.com.
Joint Solution Brief
When used in conjunction with XenMobile
MDM, ForeScout CounterACT provides:
•• Automated real-time detection of
mobile devices the moment they connect
to your network, regardless of the type of
device, and regardless of whether it has
been enrolled in XenMobile MDM.
•• Seamless enrollment and installation of
XenMobile MDM agents on unmanaged
devices by initially placing them in a
limited access network, directing them
to an installation web page, and then
allowing access once the device has
passed all required compliance checks.
•• Just-in-time compliance checks
triggered by CounterACT the moment a
device connects to the network. Through
the bi-directional integration, CounterACT
tells XenMobile MDM to immediately
re-assess the device, and CounterACT then
bases its network access decision on the
result of that assessment.
•• Policy-based blocking
of unauthorized users and
devices from the network,
as well as enforcing
any limits you want
on authorized devices.
ForeScout CounterACT
can base network access
control decisions on many
different factors obtained
from XenMobile MDM,
including the type of
device, operating system,
ownership (corporate vs.
BYOD), compliance status,
enrollment in XenMobile
MDM, and many other
factors.
•• Unified network access policy
management and compliance reporting
for all endpoint devices — PCs, Macs,
smartphones, tablets and others.
•• Guest access for personal mobile
devices can be enabled by setting up
a guest network and using ForeScout
CounterACT’s built-in guest registration
system. Once a guest has been approved,
CounterACT can dynamically enforce your
security policies, such as restricting the
user’s access to just the Internet.
•• Continuous protection from infected,
compromised, jailbroken or rooted
devices. If malware on a mobile device
tries to propagate or interrogate your
network, ForeScout CounterACT will
detect the malicious behavior, block the
threat, and quarantine the device.
Figure 1: The ArcSight ESM console displays endpoint compliance by
department or business unit, with remediation capabilities provided by
call-back into ForeScout CounterACT.
.....................................................................................................................................................
ForeScout Technologies, Inc.
900 E. Hamilton Ave.,
Suite 300
Campbell, CA 95008
U.S.A.
Contact Us
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 1-408-213-2283 (Intl.)
www.forescout.com
©2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks
of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners.
Doc: 2013.0044
2