Jamf Blog
September 26, 2023 by Haddayr Copley-Woods

Zero-Trust Network Access (ZTNA) with Jamf and Google

In 2020, Jamf joined the BeyondCorp Alliance to further zero-trust initiatives for organizations that use Google products. The JNUC session “Jamf and Google: Leveraging BeyondCorp for Zero Trust Across the Entire Apple Ecosystem” walked attendees through how the Akatsuki IT team extended Zero Trust Network Access (ZTNA) across their Apple fleet using the Jamf and Google BeyondCorp integration.

This session featured:

  • Prashant Jain, Product Manager for BeyondCorp Alliances, Google,
  • Travis Cynor, Director, Product Management, Jamf,
  • Fumiaki Tokuyama, Director of IT, Executive Officer, Akatsuki Inc.
  • yukihiro kora, Corporate IT, Akatsuki Inc.

Prashant Jain kicked things off with a quick background on Google BeyondCorp and on this particular integration, one of several between Google and Jamf.

What is Google’s BeyondCorp Enterprise?

“BeyondCorp Enterprise is Google’s zero-trust solution,” explained Prashant. “At a very high level, this is secure enterprise browsing.”

Google bases this on three basic access principles:

  • Least-privileged access
  • Device and user context
  • Continuous authorization

It offers six capabilities through Chrome that customers can set for themselves:

  • ZTNA
  • Data loss protection
  • Threat protection from malware and phishing
  • Chrome extension security and management
  • Security reporting and insights
  • Policy management

Jamf and Google BeyondCorp

BeyondCorp Enterprise takes things a step further: “You can take these security posture assessment signals across your entire security stack,” said Jain, “and use that as a context within Chrome.”

“A very important part of that,” he added, “is our partnership with Jamf.”

Once Jamf determines that a device is compliant with the customer’s own criteria, BeyondCorp uses that signal, together with the user’s identity, to grant only the access that this specific device and this specific, authorized user need.

Jamf and Google integrations timeline

Jamf’s Travis Cynor then walked attendees through Jamf and Google’s partnership over time.

“It’s been really fun to see how our partnership has grown over the years,” said Cynor, “and the problems Jamf and Google together are solving to enable not only the admin but also to ensure that end-users have a trusted and seamless experience.”

“As you can see,” he continued, “Jamf and Google have a number of different integration points, and it’s not slowing down at all.”

  • 1H 2020: Secure LDAP in Jamf Cloud
  • 2H 2020: Chrome Enrollment Token
  • 1H 2022: Jamf Connect Password Sync and BeyondCorp for macOS
  • 1H 2023: Jamf Safe Internet for Chromebook and BeyondCorp for iOS
  • 2H 2023: Google Identity in Jamf Trust apps and Jamf Protect support in Google Chronicle

The Jamf Trusted Access journey

“Today as we’re talking about the zero-trust framework,” said Cynor, “this ties directly into the journey toward Jamf Trusted Access. At the end of the day, organizational decision-makers and Apple admins must have confidence that approved users on secured devices are accessing Google Services.”

Pillars

  • Manage Apple devices with Jamf: having solid management is critical.
  • Enrollment includes access to the Google security framework
  • BYOD devices aren’t treated any differently than institutionally-owned devices

The Jamf and Google BeyondCorp Integration workflow

  1. Device enrollment and user registration
    • on macOS, the integration uses the Google Chrome extension
    • on iOS, the device registers through the user’s Google Account
  2. Register the device with Google
  3. Jamf evaluates the device’s compliance status and reports it to Google
  4. Google allows compliant devices to access Google Workspace company resources
  5. Google blocks access from non-compliant devices; Jamf provides a user-friendly remediation experience so the user can get back into compliance

Jamf is very happy to report that we released this integration for iOS this April, so the integration now covers both macOS and iOS.

Customer Showcase: Akatsuki

Fumiaki Tokuyama and yukihiro kora discussed Akatsuki’s experience with the BeyondCorp and Jamf integration.

Akatsuki is an entertainment company, established in 2010, with a history in the games and comics business as well as in investing in and incubating start-ups.

  • Managed accounts: 2,400
  • Deployment size:
    • macOS: 1,300
    • iOS: 900
    • Windows: 400
    • Android: 700

75% of their employees use macOS; Windows is used only where strictly necessary, such as in accounting or by creators. Their mobile devices are mainly used for development.

“We have been focusing on game development and operation,” said Tokuyama. Some of the games they distribute in the US include “August Cinderella Nine” and “Tribe Nine.”

Akatsuki’s Zero-Trust Network Access needs

yukihiro kora explained to attendees how the company uses the integration, and what problems the company solved by using it.

“We have been using Google Drive, Gmail, and other Google services since our inception,” said Tokuyama. “We had already partially implemented context-aware access, but needed to expand its application as we transitioned to remote work during the coronavirus pandemic.”

Unfortunately, setting up company-owned devices as an access condition for context-aware access was tedious.

“By linking information in Jamf Pro with Google BeyondCorp,” said kora, “We could easily see that traffic was coming from a company-managed device and use that information to provide an enhanced level of security with context-aware access.”

Because the capability is included in Google’s Enterprise plan, it required no additional investment, which was an added benefit.

Tips for other organizations

“I would like to give some advice to those who are considering implementing it,” said kora.

Setting up this integration has no impact on the user.

“BeyondCorp configuration can be set up in the background without affecting normal operations,” said kora.

It’s easy to start small.

“You can target implementation by group, organization or division,” said kora. “So you can first check the operation by applying it only to yourself for testing.” After that, it can be expanded to include other teams and departments.

There’s no need to ask users to do anything special.

“There are a few steps required to implement the BeyondCorp settings,” kora continued. “However, there is almost no need for the user to take any action. The only operation required is to restart the device.”

The power of Jamf and BeyondCorp

kora then walked the audience through the compliance criteria that users and devices must meet to gain access to resources:

macOS

  • Operating System Version greater than or equal to 11
  • System integrity protection is enabled
  • FileVault 2 status is not ‘no partitions encrypted’
  • EDR version is not ‘error’
  • Firewall status is not disabled

iOS

  • iOS version greater than or equal to 15
  • ‘Jailbreak Detected’ is ‘no’
  • Passcode status from configuration profile is met

“I hope this information will be helpful in your work,” finished kora.
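The criteria above are the kind of posture check that produces the compliant / non-compliant signal in steps 3 to 5 of the integration workflow. The following is an added example, not Jamf’s or Google’s code, that evaluates constructed device inventory records against those same criteria and builds the remediation text a blocked user would need. The attribute names (`os_version`, `sip_status`, `filevault_status`, `edr_version`, `firewall_status`, `jailbreak_detected`, `passcode_status`) and the sample records are assumptions, as is the `Compliant` value used for the iOS passcode rule. Two details matter in practice: OS versions must be compared numerically (a string compare puts `9.3` above `11.0`), and an absent or empty attribute should fail closed rather than slip past a “is not ‘error’” style rule.

```python
"""Evaluate device posture against the macOS / iOS criteria listed above.

Added example, not Jamf's or Google's code. Attribute names, value strings
and sample records are assumptions for illustration.
"""
from typing import Any, Callable


def parse_version(v: Any) -> tuple[int, ...]:
    """'10.15.7' -> (10, 15, 7). Raises ValueError on junk or None."""
    return tuple(int(p) for p in str(v).strip().split("."))


def version_at_least(minimum: str) -> Callable[[Any], bool]:
    """Numeric, zero-padded comparison so '11' >= '11.0' and '9.3' < '11'."""
    min_parts = parse_version(minimum)

    def check(value: Any) -> bool:
        try:
            parts = parse_version(value)
        except ValueError:
            return False  # unparsable or missing version: fail closed
        n = max(len(parts), len(min_parts))
        return parts + (0,) * (n - len(parts)) >= min_parts + (0,) * (n - len(min_parts))

    return check


def is_not(bad: str) -> Callable[[Any], bool]:
    """'status is not X'. Absent/empty values fail closed; the literal rule
    would otherwise pass a device that never reported the attribute."""
    return lambda value: value not in (None, "") and str(value).lower() != bad.lower()


def equals(good: str) -> Callable[[Any], bool]:
    return lambda value: value is not None and str(value).lower() == good.lower()


# (inventory attribute [assumed name], human-readable rule, predicate)
RULES: dict[str, list[tuple[str, str, Callable[[Any], bool]]]] = {
    "macOS": [
        ("os_version", "Operating System Version >= 11", version_at_least("11")),
        ("sip_status", "System Integrity Protection is enabled", equals("Enabled")),
        ("filevault_status", "FileVault 2 status is not 'No partitions encrypted'",
         is_not("No partitions encrypted")),
        ("edr_version", "EDR version is not 'error'", is_not("error")),
        ("firewall_status", "Firewall status is not 'Disabled'", is_not("Disabled")),
    ],
    "iOS": [
        ("os_version", "iOS version >= 15", version_at_least("15")),
        ("jailbreak_detected", "'Jailbreak Detected' is 'No'", equals("No")),
        ("passcode_status", "Passcode status from configuration profile is met",
         equals("Compliant")),  # 'Compliant' is an assumed value
    ],
}


def evaluate(platform: str, device: dict[str, Any]) -> tuple[bool, list[str]]:
    """Return (compliant, failing rule descriptions). device.get() yields None
    for missing attributes, which every predicate treats as a failure."""
    failures = [desc for attr, desc, ok in RULES[platform] if not ok(device.get(attr))]
    return (not failures, failures)


def remediation_message(platform: str, device: dict[str, Any]) -> str:
    """Text a blocked user would see: which rules to fix before access is restored."""
    ok, failures = evaluate(platform, device)
    if ok:
        return "Device is compliant; access allowed."
    return "Access blocked until the following are fixed:\n" + "\n".join(
        f"  - {f}" for f in failures)


# Constructed sample inventory records (not real devices).
COMPLIANT_MAC = {"os_version": "13.5.2", "sip_status": "Enabled",
                 "filevault_status": "All partitions encrypted",
                 "edr_version": "3.4.1", "firewall_status": "Enabled"}
OLD_MAC = {"os_version": "10.15.7", "sip_status": "Enabled",
           "filevault_status": "All partitions encrypted",
           "edr_version": "3.4.1", "firewall_status": "Disabled"}
JAILBROKEN_IPHONE = {"os_version": "16.2", "jailbreak_detected": "Yes",
                     "passcode_status": "Compliant"}

if __name__ == "__main__":
    for platform, record in (("macOS", COMPLIANT_MAC), ("macOS", OLD_MAC),
                             ("iOS", JAILBROKEN_IPHONE), ("iOS", {})):
        print(platform, evaluate(platform, record))
        print(remediation_message(platform, record))
```

The rule table mirrors the session’s criteria one-for-one, so adding a rule is a single tuple; the empty iOS record shows that a device which has never reported inventory fails every rule rather than being treated as unknown-but-allowed.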

Selected Q&A

Q: How can I use certificates on my VMs to access CAA?

A: (Jain) It is supported. Once the user joins the managed profile, Google can see the certificate.

Q: It seems like Google wants to be the “one MDM to rule them all.” How has Google and Jamf worked together to ensure that devices can enroll into Jamf and send the security posture to Google?

A: (Jain) I would say that Google wants to democratize Zero Trust more than anything. I am part of BeyondCorp Enterprise but I’m very proud to say that we are working with partners across the board.

A: (Weiss) When setting up the integration, spend a lot of time in the Universal Settings Pane in the Google admin console and familiarize yourself with how you tell Google to enroll a device. It takes planning, for sure.

Q: How do I connect to internal tools with BeyondCorp?

A: (Jain) One of the things I want to emphasize is that your apps could be running anywhere: AWS, Azure, they would be protected the exact way anywhere.

Register for JNUC to access this session as well as others on demand.

Haddayr Copley-Woods
Jamf
Haddayr Copley-Woods is a senior copywriter at Jamf. She writes about tech, specializing in Apple and Jamf with a focus on education, accessibility and security.