Cisco Zero Trust at Scale
So you think you have a Mac choice program that’s “good enough”? Cisco did too, but by their own standards, good enough doesn’t cut it, so they did something about their legacy VPN connection workflow, by implementing Zero Trust and deploying it throughout their global infrastructure of over fifty-thousand Mac computers.
Why make the change?
In this session, Jacob Davidson, Technical Systems Engineer, Mac@Cisco discusses some of the needs that switching from legacy VPN to Zero Trust helped Cisco address while simultaneously eliminating some of the frustrations their employees faced while working remotely, such as:
- Slower network connections
- Waiting on login processes to complete
- Service disconnect when laptops close
- Backhauled traffic = increased company expenses
How does Zero Trust make security better for Cisco stakeholders?
At a glance, Davidson provides a breakdown of the Zero Trust security model and how it works to better protect devices, users and data than their previous enterprise VPN offering ever could.
To do so, Zero Trust involves just that — no implicit trust of users and/or devices. To achieve this it:
- Assumes inevitable breach
- No special privileges inside the perimeter
- Dynamic & policy-based access
- Least-privilege access
- Continual monitoring
Furthermore, Cisco applies this industry security model into three categories, called Cisco’s Zero Trust Pillars:
- Workplace: Secures the campus network
- Workforce: Secures employee access from anywhere
- Workload: Secures machine-to-machine workflows
Cisco + Jamf
During the session, Davidson performs a deep dive into how Cisco pulled off such a feat in rolling out borderless access and an improved authentication experience to all its employees and Mac computers worldwide, including its remote workforce.
He also dives into the app workflow process and how Cisco leverages its Duo mobile technology to perform certificate management and device health inspections while providing users with Multi-factor Authentication (MFA) security.
But what role does Jamf play in ensuring endpoint security?
Davidson shares the various apps and configurations that are managed on Cisco endpoints using Jamf Pro. Further illustrating the combined power and ease of use that Jamf Pro offers in device management and endpoint security, he presents a demo of the previous version 1.0 deployment workflows, while comparing it to the current version 1.1 model. Finally, he previews the version 1.2 workflow, which Cisco has created, that eliminates the need to manage certificates. Instead, v1.2 relies on Duo Device Health app for endpoints to further simplify the workflow while adding passwordless authentication within Duo.
Mac@Cisco
During this session, hosted by Rosalie Cook, Director, Device Experience and Ryan Gorman, Mac Architect, both from Cisco, they discuss how their team is “transforming workplace experience in a mature Mac choice program” at Cisco.
Rosalie kicks off the session by providing some background information on Cisco’s global infrastructure consisting of:
- 140,000 employees distributed
- across 500+ offices and
- located in 99 countries
- utilizing 56,000 Macs,
- 68,000 PCs and
- 56,000 mobile devices
- of which iOS makes up 85%
Brief history lesson
Before the modernization of their Apple fleet with the Mac@Cisco program, as it currently stands, Rosalie goes back to the beginning, circa 2008-2010, when Cisco initially offered Macs to employees, with 5,000 Macs deployed — no device management — and only community support offered to address stakeholder requests. In the following two years, Macs tripled and helpdesk support was added.
But it wasn’t until between 2013-2015 that Jamf Pro device management was introduced, coinciding with growing the Mac population by another ten-thousand devices. From 2016 to current, the Mac exploded in growth — doubling in size — and the process to reimagine the Mac experience took hold to support, engage and empower Cisco employees to do their best work.
Guiding principles
“When did it become ok to live like The Jetsons at home and The Flintstones at work?”, Fletcher Previn, Sr. Vice President & Chief Digital Officer, Workforce Experience at Cisco.
The Mac@Cisco program aims to show employees that Cisco cares about them. “And why is it important we do that?”, Rosalie posits. It is her belief that to grow a company, the following must be provided in line with the Mac@Cisco Vision:
- Differentiated customer experience
- Employee engagement
- Tools and experiences
Enable and empower employees
A critical component of the Mac@Cisco program is, you guessed it, the stakeholders. After all, if they’re not happy or feeling limited and restricted every step of the way, it will assuredly reflect in productivity.
Ryan speaks about how Mac@Cisco addresses these concerns, starting with a breakdown and demo of the Mac provisioning process from initial enrollment to being ready for use after being powered on for the first time by employees.
Leveraging technologies such as Single Sign-On (SSO) and step-by-step guidance during the entire setup process, employees are empowered each step of the way by being able to prepare their device, customizing it to suit their needs and job role without having to wait on IT or submit a helpdesk ticket to have someone do it for them.
Additionally, Ryan explains how the setup process has been streamlined to automatically provide end-users with necessary and required software packages — that are installed in the background — as well as providing helpful welcome messages that guide users post-setup, helping them to find their way around to resources they may find useful and even links to more detailed instructions should they need a more technical approach.
All Mac endpoints are managed by Jamf Pro. While new devices are automatically enrolled with Jamf thanks to the zero-touch integration made possible by Apple Business Manager, existing devices that are not going to be wiped require a slightly manual touch to enroll within Jamf Pro.
Ryan demonstrates this process as well, showing how streamlined and user-friendly the workflow is for existing users to enroll their Mac. Beginning with email invites and on-screen reminders, users are prompted to enter their credentials via SSO, working seamlessly to enroll their device in Jamf Pro through helpful guided prompts. When enrollment is successfully completed, the user is presented with Self Service along with helpful information on how it works and what they can do with it.
The takeaway? In reimagining Mac@Cisco in partnership with Jamf, stakeholders at Cisco are able to:
- Minimize disruptions to the user experience
- Bring maintenance outages from 100 hours per year to 4
- Simplify and automate upgrades and software deployments
- Relax security controls, empowering users to take an active role in managing their devices
- Reduce the administrative burden on IT, allowing them to focus on ways to better Mac@Cisco, iteratively improving the program for everyone
Subscribe to the Jamf Blog
Have market trends, Apple updates and Jamf news delivered directly to your inbox.
To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.