The 2 awesomest NEW things about the remote access device you already own

By Elevate posted 12-05-2013 12:32


I have a friend who doesn't like the word "conflate," so I use it at every opportunity.  Luckily, as a Juniper engineer who works with SSL VPN technology, that's easy because so many people conflate two of our most important features - HostChecker and Mobile Device Management (MDM) Integration.



HostChecker has been an important part of the Junos Pulse Secure Access Service for many years.  We made headlines nearly a decade ago as the first SSL VPN vendor able to "posture" and "remediate" connecting computers.  Being able to check and fix devices for security policy compliance (like whether antivirus and firewall software is installed, current, and running) BEFORE they get on the corporate network was a huge deal at the time. 


Actually, it's still a huge deal - and Juniper continues to deliver industry-leading endpoint posturing technology.  Our most recent software supports OPSWAT version 3 for Windows, Mac and Mobile clients (for those who aren't "super geeks" - version 3 is the latest available and pretty cool stuff), along with many other custom endpoint checks (like checking for specific OS versions and patches, registry entries, etc). 


And since the HostChecker feature is now integrated with the Pulse client (our multi-purpose VPN client), endpoint checks are super fast and reliable - without depending on ActiveX or a specific version of Java.  HostChecker integration with Pulse is the FIRST awesomest new thing you may not know about your reliable Juniper Mag (or SA - go ahead and upgrade!).


MDM Integration, on the other hand, is often said to be like HostChecker (which is why people conflate the two).  Our newest software (8.0 which just hit the streets) includes what is arguably the most important advance in endpoint compliance in years.  That's awesomest new thing "numero dos".  The Mag is now able to query the two most popular MDM services (MobileIron and AirWatch) for information about a connecting device.


Experienced Mag administrators will immediately think of a  "directory server", which is used to obtain information about a USER from Active Directory or LDAP (or a host of other AAA servers that we support).  In the same way, MDM obtains information about a connecting DEVICE - like a mobile phone managed by an enterprise MDM.

What's such a big deal (the "awesomest" factor) is that this MDM information is available to be used throughout the Mag configuration - not just for endpoint posturing.  Our customers can now use MDM information to make "device appropriate" decisions related to resource availability, access control, etc.  Essentially, anywhere in the Mag configuration where customers now use USER information, they can use DEVICE information.


For example, let's say you have a custom mobile application in your network that you only want available to iPad users.  No problem.  Or, you want to limit your Android users to access only a specific subnet.  No problem.  Or, you want to grant your Windows Phone users access to a specific port on a specific internal server.  No problem.  Or, you want to block all Chromebooks running a specific version of software.  No problem.


So sure - MDM information can be used for endpoint posturing decisions…  But it's WAY more powerful than that.  The two should definitely not be conflated.  The Juniper sales and support organization can provide more details on these and other features.  Check with your Juniper account team for a preview.  And if you don't like a particular word, it's probably best not to tell me about it.  Buy Juniper!