airwatchhk

“per-app VPN” VS “device VPN”

While we are moving to the anywhere workspace, it is essential to give remote endpoints secure access to enterprise workloads in order to maintain, or even raise, the level of productivity.


Zero Trust Network Access (ZTNA) is the approach many enterprises have adopted.


Authentication, authorization and access are the three A’s that determine whether least privilege is granted.


To achieve ZTNA with “AAA” control, a complete solution like Workspace ONE is required. WSO comes with different components, and each of them contributes to building a secure, scalable and employee-friendly digital workspace.


WSO UEM has been a leading endpoint management solution since the AirWatch era. It has evolved from a mobile-device-centric MDM platform into a cloud-native multi-endpoint management solution, providing enterprise-grade tools to manage endpoints across a sound management life cycle.

With WSO UEM, an endpoint is provisioned so that it is authenticated, authorized and granted least-privilege access to enterprise workloads. Any endpoint detected as out of compliance is marked as quarantined, and its access is blocked at the edge of access until the endpoint is remediated.

Per-app VPN is one of those edges of access, with tight integration with UEM. VPN access is blocked whenever a device is marked as non-compliant. In addition, only an authenticated user on a managed endpoint accessing authorized workloads is allowed through.


It protects enterprise workloads based on conditional access rules. It is often deployed in the DMZ to mobilize enterprise workloads sitting behind a firewall. The legacy way to allow remote access to behind-the-firewall workloads is a whole-device VPN.


With a whole-device VPN, it is either on or off. There is no room for the administrator to apply more granular control based on authentication, authorization and access rules. This clearly breaks the ZTNA least-privilege rule: the whole enterprise network is open regardless of which target workload actually needs to be accessed.



In addition, we need continuous monitoring to provide real-time access control at the edge. The UEM compliance engine is our security guard.
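To make the difference between the two access models concrete, here is an added example (not Workspace ONE code, and not the author's) that models the decision a per-app VPN edge makes versus a whole-device VPN, using the AAA checks described above. The device, user, app identifiers, policy table and hostnames are all constructed for illustration; the re-evaluation function shows what the continuous-monitoring point means in practice: a session that was allowed is cut off as soon as the compliance engine marks the device as quarantined.

```python
from dataclasses import dataclass

# Constructed model of per-app VPN vs whole-device VPN access decisions.
# This is illustrative code only; it is not the Workspace ONE / UEM API.


@dataclass
class Device:
    device_id: str
    managed: bool      # enrolled in UEM
    compliant: bool    # compliance engine verdict (False => quarantined)


@dataclass
class Request:
    user: str
    authenticated: bool   # result of the user authentication step
    device: Device
    app_id: str           # client app asking for the tunnel
    destination: str      # internal workload hostname


# Hypothetical authorization table: which app may reach which workload.
PER_APP_POLICY = {
    "com.example.intranet": {"intranet.corp.example"},
    "com.example.crm": {"crm.corp.example"},
}


def per_app_vpn_decision(req: Request) -> tuple[bool, str]:
    """Authentication -> authorization -> access, enforced per app and destination."""
    if not req.authenticated:
        return False, "deny: user not authenticated"
    if not req.device.managed:
        return False, "deny: unmanaged endpoint"
    if not req.device.compliant:
        return False, "deny: endpoint quarantined (out of compliance)"
    allowed = PER_APP_POLICY.get(req.app_id, set())
    if req.destination not in allowed:
        return False, f"deny: {req.app_id} not authorized for {req.destination}"
    return True, f"allow: {req.app_id} -> {req.destination}"


def device_vpn_decision(req: Request) -> tuple[bool, str]:
    """Whole-device VPN: once the tunnel is up, every app reaches every workload."""
    if not req.authenticated:
        return False, "deny: user not authenticated"
    return True, "allow: entire enterprise network reachable"


def reevaluate_session(req: Request, session_open: bool) -> tuple[bool, str]:
    """Continuous monitoring: re-run the per-app decision on an existing session.

    The compliance engine may flip `device.compliant` at any time; an open
    session stays open only while the full decision still evaluates to allow.
    """
    if not session_open:
        return False, "no session"
    ok, reason = per_app_vpn_decision(req)
    return (True, "session kept open") if ok else (False, f"session torn down, {reason}")


if __name__ == "__main__":
    phone = Device("dev-001", managed=True, compliant=True)
    req = Request("alice", True, phone, "com.example.intranet", "intranet.corp.example")
    print(per_app_vpn_decision(req))
    off_policy = Request("alice", True, phone, "com.example.intranet", "crm.corp.example")
    print(per_app_vpn_decision(off_policy))   # per-app: denied
    print(device_vpn_decision(off_policy))    # whole-device: allowed anyway
    phone.compliant = False                   # compliance engine quarantines the device
    print(reevaluate_session(req, session_open=True))
```

The contrast is in `device_vpn_decision`: it only ever checks authentication, so the authorization step (which workload this app may reach) has nowhere to live, which is exactly the least-privilege gap the post describes.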


Demo video of an Android Chrome browser accessing an internal website through the tunnel.





