Juniper Access Assurance (NAC) - Client Onboarding, Always-On Posture, Built-in Profiling

Access assurance and NAC enhance client onboarding for unmanaged clients to enterprise networks. Marvis client personas focus on an onboarding tool that provisions end user devices with certificates and profiles, ensuring network visibility. Customizable onboarding portals with SSO integration improve user authentication. The end user experience includes mobile and desktop onboarding, app installation, and SSO login. New BYOD support and cloud PKI for managed devices integrate with existing MDM solutions.
Presented by Slava Dementyev, Director, Product Management. Recorded live at Mobility Field Day 13 in Santa Clara, CA on May 7, 2025.
You'll learn:
- How Mist Access Assurance enhances client onboarding for unmanaged clients to enterprise networks
- How new BYOD support and cloud PKI for managed devices integrate with existing MDM solutions
Transcript
0:00 Hi everyone, my name is Slava, and we will not talk about wireless; we will talk about Access Assurance, or cloud NAC. As we are expanding our footprint and growing exponentially, growing dramatically, we are adding more and more functionality that covers some of the use cases that come from our customers. Today we will talk about three things. The first thing we will talk about is client onboarding. This is something we actually announced at the previous MFD last year, and I just wanted to go deeper into it as we are closing on this and releasing the functionality. Client onboarding for us is really about how you move a client that is unmanaged onto an enterprise network on WPA3 or WPA2 Enterprise: how do you push a cert, how do you install a Wi-Fi profile or wired profile as easily and seamlessly as possible?
1:07 Now, before we go into a demo and a deep discussion: you've heard the Marvis client mentioned a couple of times today, and you will hear about it more and more. I wanted to give a brief overview of the different Marvis client personas. The persona we will cover right now is the NAC onboarding tool. The Marvis client can have different faces. One of its faces is the onboarding one, where it will provision the end user device with a certificate and a Wi-Fi or wired profile, connect it to the network, and then optionally, on top of that, you can enable it to send telemetry. So you can actually get client-level visibility of the network streaming to the Mist cloud, providing the admin of the Mist dashboard deeper visibility into how the client sees the network. The other use case we've seen, in warehouses specifically, is the locationing aspect that's enabled on the Marvis client just to track the handheld scanners in those areas.
2:16 Right now we are focusing on the NAC onboarding, and we will actually start with the demo. We will start the demo by looking at the admin side of things. We will look at how an admin would start and create the onboarding process for the end users. Many of you are familiar with our PSK portal concept, where an end user, say a student, can come to the portal, authenticate through SSO, grab their personal pre-shared key and connect their devices. That process has existed for a long time. Now we are expanding that concept into a NAC onboarding portal, where a similar workflow will work: an end user does the SSO login and then they'll be able to provision their device with a certificate and a Wi-Fi or wired profile.
3:13 Now we'll look at the portal config. First we'll create a portal. The portal has all the customization options that allow you to get your own branding, colors and backgrounds. The most important thing is that the portal will be attached to your single sign-on using any identity provider that you work with, whether it's Entra ID, Okta, Google, or literally anything in the world; we will work with it. Once the SSO process is complete, the important part is the onboarding parameters. This is where you define, if a user goes through this portal and they're successfully authenticated and authorized, what we do with the onboarding process, how we treat them. You're going to specify which SSID they will eventually connect to. That can be a portal for, say, your users in higher ed, or that could be a portal for a personal employee network in an enterprise. You can then say: do you want to also enable a wired connection with 802.1X and certificate authentication? Do you want to send Marvis telemetry back to the Mist cloud, so you can actually get that client-level visibility? That's the optional part that you can enable as part of the onboarding process, plus a few other things, where you could specify for how long the certificate issued will be valid for the end user, including roles, etc.
4:53 So now, this is the admin side. What's happening on the end user side? Let me go to the next slide, on the end user side. First we're going to look at the mobile device. This is Android, but the process is similar for iOS as well. What I did here was I just encoded the NAC portal URL as a QR code, so you could just scan it with a camera. It will then redirect you to the onboarding portal. That onboarding portal will redirect you to your SSO provider; in this case this is Entra ID, but again, it can be anything else. You log in. If you have MFA, MFA will be completed at this step. Once you've logged in, you will be redirected back to our onboarding portal. It will say, "Oh hey, you're running Android. If you don't have the app, click here and install." If you do, click on the link. And let me... okay, click on the link. The app will pop up. It will ask you to install the network profile. Wait, wait, wait, it will give you one more prompt. You'll hit save. At this point you're connected, you're good to go.
6:06 Now, what's important here is this part: based on your SSO login we will grab your identity, we will issue a certificate for that end user device using the identity from the SSO, so we can embed all of that information in the cert, and then the client will go through our general Access Assurance authentication process. You can set up your policies, look at extra checks like group memberships, things like that. But this is the end-user-facing onboarding process. Okay, that's the mobile device.
6:40 Now the next part is what's going to happen on a desktop, whether it's Windows or macOS. Again, very similar. We will look at the SSO login first. Once you've logged in, it will detect that you're running Windows. It will ask you to open the app if you already have it. It will then go through the enrollment process, and as you can see in the bottom right corner of the screen, the client is already trying to authenticate to that network as it's installing the Wi-Fi profile, and it's now on that destination SSID at this point. So that onboarding process is very simple for the end user to follow. And let me actually stop the video playing. Okay. Whether you're on a mobile device or on a desktop, that's your typical BYOD flow. And the primary use case obviously for that is higher ed, as students bring in all sorts of things and you want them to be enabled for WPA3, etc.
7:54 Yeah, just curious, are you seeing an uptick in 2FA requirements for the onboarding process?
8:06 So the onboarding process is something you will complete probably once. Again, let's talk about, let's say, higher ed: you'll probably do it once a year or once a semester, depending on the policy requirements of the university. Some customers would actually say, hey, issue the certificate for 5 years, I don't care, I'm going to check if the user is valid. The MFA is usually enabled by default, because all the IdPs today enforce you to have MFA enabled when you're going through this kind of web type of authentication process. But once you've done that onboarding, the way you connect to the network is you're presenting your cert, so that's completely transparent to the end user. That Wi-Fi profile gets embedded in your machine, you have a cert that identifies you, and then the NAC will actually check: are you still an active user, which groups do you belong to, which level of access do you want, etc. All right.
9:10 Okay, now this is the BYOD portion. So what we are releasing, and by the way this is going to be available this summer, early this summer, what we are releasing is the BYOD portion. That's what we've looked at right now. We will support Windows, Mac, Android and iOS at the start, and the Marvis client will be the vehicle that actually configures the end device and pushes the cert, pushes the Wi-Fi profile, etc. Now, with that we are also releasing full-blown cloud PKI, or certificate infrastructure, delivered as part of the Mist dashboard. What this means is it's not just about BYOD. You can also use it for your managed devices via our existing MDM integrations that we currently have. So that means that if you have your managed endpoints via Intune, via CH, again this is what we'll do at the start, you can actually use our cloud PKI to let your clients get their certificates from our PKI while the MDM is still managing the client. So there is no need to install the Marvis client app; the MDM will do the work for you, and we'll just use our PKI endpoints to do that.
10:28 Slava? Yep. I have a question. If you're running a Marvis client on one of those OSes, can that Marvis client also be a Marvis Mini agent?
10:42 So we've started talking about the persona of the Marvis client that sends telemetry. That's an option that you will have: you will be able to send telemetry from that Marvis client installed on the device, saying basically which APs you are hearing in the environment, when you're roaming, why you actually make the decisions, etc. So you will get that level of information optionally. Once we get to Minis, then the Marvis client is yet another presence point for us. So yes. Okay, all right.
11:36 Any questions on the PKI or onboarding? Okay, very good.
11:46 So again, as I said, this is available this summer. We're getting really close to getting this released. Very excited about it. There are lots of companies out there that don't have a PKI, or they don't want to keep managing the on-prem PKI anymore. So we want to provide a simple and seamless solution to them.
12:08 Now, item number two I want to talk about is, oh, it's a fancy name for saying this, it's an always-on posture, or continuous authorization if you will. We've been doing integrations with various MDM providers since the start. So we do integrations with Intune, Jamf, VMware Workspace ONE, etc. Now, the way these integrations have been done has allowed us to do posture assessment: you're getting the endpoint health or compliance status from that MDM, and you use that compliance status in your policy. So you say, if Intune tells us that the device is compliant, go and have unrestricted access; if you're not compliant, go into quarantine and have some more restrictions. The challenge with most of these is that MDMs are not very frequent at actually checking with the client themselves. They may check with the client every couple of hours, and within these couple of hours anything and everything may happen. So in addition to what we do today with MDMs, we're actually working on integration with EDR platforms that have agents on your devices, whose only purpose is to determine if your device is infected, if it has malware, if it has some non-compliant things installed on it. But what they provide to us is really the real-timeness of data. So this is the first time we add an option to ingest data into our Access Assurance live from these providers. It's not like we have to wait for something to happen, or call periodically, or wait for the authentication to repeat. Any time the client is, for example, detected with malware, there is a notification sent to us from one of these EDR providers. We will start with CrowdStrike and SentinelOne. They will send us a live notification, and we will be able to immediately change the policy on the client. So that's why we call it an always-on posture enforcement.
14:38 Let's look at the demo. What we'll look at is a simple scenario. We're just looking at SentinelOne as an example here. So we have a SentinelOne account linked in our dashboard. Again, it's a one-time process where you link your Mist dashboard with your EDR provider: provide a URL and an API token, easy as that. The second point is you need to create a list of policies. Again, here we're just creating three simple policies. We are looking at infected clients that need to drop into quarantine and get the quarantine role policy. Healthy clients will get full access into the employee network and get the employee role. And unknown, maybe they don't have an agent: we will still put them on a quarantine network.
15:32 Now we'll look at one client example. We'll pull some NAC live data coming from one client that's connected, and I'll show you what the problem is that we're trying to solve here. Look at the initial connection of that client. At 2:36 here you see there was an event saying this client was allowed to connect to the network at 2:36. It went through all of these authorization processes. It did the EAP-TLS authentication. We then did a lookup in SentinelOne. It was actually deemed healthy at that point; the client was okay. So we let them in, and the client got full access, no restrictions. Now let's look at what happened to this client just a couple of seconds later.
16:35 The video will move to the SentinelOne dashboard, or the video will move to the SentinelOne dashboard, but it didn't. So now what we see is actually we've detected the malware for this client 10 seconds after it joined the network. So in the normal world you would have waited for another couple of hours before you would put them into quarantine. But in this case SentinelOne says, "Oh, actually, I'm going to send a notification webhook back to NAC, and this will trigger an action on our side." So we're sending the webhook, and then once we move back to the Mist dashboard, what you'll see is there is a dynamic update event saying, "Hey, now this client is infected. Now rerun the policy." So it will actually do the change of authorization; whether it's a wireless or wired client doesn't really matter. It will always bounce the connection, rerun the policy, and at that point, with the new status, it will give the more restricted access to the client. Now, the beauty of this is you don't really have to do much in order to configure this. You just link your EDR provider into the Mist dashboard, create some policies, and boom, you have your posture assessment happening in real time. So that's the beauty of it. I'm going to pause and see your question.
18:06 Can you define, can you be specific about what triggers that? Because I know some EDR solutions will trigger alerts, and a posture state change, when it's just, you know, encryption has been temporarily disabled because an application is loading or something is running. Can you be prescriptive with that?
18:29 Great. So you can be. Again, depending on the EDR provider, they all have their own metrics, so to speak. So in the case of SentinelOne, the client is either infected or it's not infected, and the infected status is defined on SentinelOne. All these policies are happening there, so you're defining what it means to be infected; we're just getting the status, yes or no. With some others, take CrowdStrike, they would actually give you the risk factor; they will give you low, medium, high, etc. So you will be able to specify in your Access Assurance policies: okay, if it's a low risk, maybe let it stay connected with fewer restrictions; if it's high risk, drop it in some dead VLAN, I'm going to deal with this later. But the compliance logic happens in the source of truth for the client, which is your EDR. Really, the NAC is only getting that information back from the EDR saying this client is infected, let us also isolate that device on the network side. Okay.
19:31 Can I have one more follow-up question on that? Because so many of the EDR vendors have their own auto-quarantine at the software level, where they can do things on the interface or they can modify the firewall. What was the gap that you saw where we needed to be doing this back on the network?
19:44 Again, if you look at the existing EDRs, most of the time they have a very yes-or-no kind of trigger. So you either block all access on the agent itself, or you allow everything and then you start enforcing some restrictions, but there is no granularity in terms of what policy you can assign in these scenarios, in many EDRs that we've seen. Now what you really want is to actually move that client and isolate it from the rest of the, let's say, unrestricted network, so you can actually prohibit the east-west traffic. So if you move it into quarantine and only allow outbound connection to the internet, then your east-west is safe in that scenario. Does that make sense? Okay. So SentinelOne, and again CrowdStrike as well.
20:52 Let's talk about the third thing. The third item of the day is profiling, or fingerprinting, depending on how you want to name it. For the most part, really, we've been very successful doing all of our wireless profiling by leveraging the multi-PSK solution, where your key is really the identity for the IoT and then you assign a policy based on which key the client is using. But the challenge was always, and this was coming from customers saying, hey, I have a bunch of wired devices that are IoT; obviously don't even dream about doing 802.1X on them, so you're only left with MAB, so what else do you do? So this is really an attempt for us to simplify the onboarding of IoT devices. Mainly this will be a wired use case, but you can always extend this to wireless as well. So what you will see now is a new capability of doing profiling as part of your access control policy. In your auth policy rules you will be able to match on device type or device family, so it's an AP, an IoT device, a gaming console, blah blah blah; or device manufacturer; or OS; or model, if you want to be that granular, and I hope you don't. And then you can mix and match all these four buckets as much as you want. So in this scenario we will look at just five policies, just to do some basic segmentation. So we have our cameras, we have our IP phones, we have our printers. We are matching on the device type, which is, say, a camera, and maybe we only want to drop our Axis cameras into a specific one. And again, the policy config is super simple. Everything is available, again, in one place.
23:00 But what's important is the onboarding flow. So when it comes to profiling in a NAC, especially on the wired side, the challenge is: okay, so how do I profile the device before it's on the network? I need that device to send some traffic so I can look at it and tell you what it is. So what we are doing is really creating that last policy rule here that says, okay, if you don't match any of the policy rules, you will drop into that catch-all policy at the bottom. We will move you to some staging network, or any network with very restrictive access, fairly dead-end if you want, as long as the device can send some packets out. Once the device is dropped into that staging network, we'll do the fingerprinting in the cloud. Then, once we determine what the device is, we'll bounce the port, we'll reapply the policy and then move that client to the correct VLAN.
24:06 So we'll look at the example of one Axis camera that I had in that policy before, and we'll look at the flow. Initially, when the client connects, you'll see that at that point the client, or rather the switch, does MAB, and the only thing we see is really the MAC address of the client, and that doesn't give us much except the MAC OUI. So you could see OS is empty; model, device type, everything is unknown at that point. Now you'll see that there is a fingerprint change event. There's a microservice in the cloud that looks at the packets that are sent by the client and streamed to the cloud. Once we know what that device is, in this case it's a camera, there's a model of it, it assigns a family to that device. We will then issue a CoA, or in this case, since it's a wired device, we are always doing a port bounce to make sure the client gets the IP from the new VLAN, and at that point we are matching the new authentication policy rule, which is designed for our cameras. So that process is fully automated. Again, the beauty of this is you don't really need to configure anything else on the switch side or anywhere else. The only thing you need to do is configure the policy. All the CoA and port bounce stuff is automated and done by us. So something that you'd probably spend quite a bit of time on with other NAC products is simplified, and now it will be available in Access Assurance. In fact, it is now in early access, I forgot to say.
26:06 Now we'll talk about, and please interrupt if there are questions in between, but I will talk about some specifics on...
26:20 Actually, this slide is not turning... now it does. Okay, so some specifics on how we are doing it and what we are doing behind the scenes. As I said, this is a fingerprinting or profiling service that runs in our cloud. It gets data from multiple sources. It gets network-side metadata that comes from our switches, APs, or even third-party devices that are using our NAC. It gets data from the Marvis client if it's installed on the device, or any third parties that we integrate with directly. So all these MDM and EDR integrations I've spoken about, we actually get fingerprinting info about the endpoints from them as well. So all of that gets sent to the fingerprinting service, which does its magic. It has its own logic on how to prioritize certain information over other. It produces the final fingerprint that it sends down to our NAC, where the policy can be applied and the proper segmentation will be done. Now, what it also does is it continuously re-evaluates the fingerprint. Some of the things that you see in some products is the fingerprint is only detected once and then it stays forever. So we are actually re-evaluating it based on the data that keeps coming to that profiling service. And here what you see is it's completely passive right now. There is no requirement to put any SPAN, any tap, sensors or probes or anything like that. We get the information from the network inline. So that's the important point.
28:10 Hey Slava? Yep. So if it's passive, is that assuming Mist infrastructure, whether switches or APs?
28:16 Well, not only. So today, for third party, we also get information in RADIUS accounting. There are device sensors in pretty much every solution out there, so they would send you the metadata that we need and we can parse that as well.
28:40 But I assume it's going to be more accurate if it's your infrastructure and you've got the full data flow? It will be, yeah. So again, this is what we release right now with the passive info collection. I'm sure next year at MFD you will see this slide change a little bit.
29:01 Oh yeah, quick question. Can you put any sort of custom fingerprints in? So if you've got an unusual device that you know how to identify, how can I tell Mist this is what this sensor looks like, or something like that?
29:19 Right. So right now you cannot feed the fingerprint back to us, but what you can do, and again, before this profiling I should have mentioned the way we've been doing it: many customers integrate with our NAC endpoints through the API interface. So if a customer has a CMDB with all the data and they know what their devices are and where they are and what they are, they can actually push this data to us through the API, and we have very, very large customers doing that at high scale, I mean like millions of endpoints. Now, with the profiling, this is an automated way for us to actually do this for you. If you want to tag something specifically, you have an unusual device, you can actually create an endpoint; there's a NAC endpoints page where you can tag the client with certain labels. So you can say this is a camera in building one, floor 2, XYZ, something like that, and use these labels in the policies. So that's something you can do today. We are looking at providing a feedback loop for the customer to say, this profile that you've done automatically, I want this improved because of this and that, but we're not there right now. Okay.
30:41 Are you seeing an uptick in profiling, say, headless IoT devices, sensors? What kind of momentum are you seeing there?
30:57 So the primary, as I said in the beginning, the primary use case is really wired IoT. So take an enterprise: all sorts of things, starting from IP phones and printers to all sorts of OT sensors or controllers, etc. So these need to be profiled and they need to be dropped into a particular segment. On the wireless side, again, prior to that we've been doing the multi-PSK type of IoT deployment, where a PSK is actually used by a certain device type. So you say, this is a PSK for my HVAC, this is a PSK for my cameras, and at that point this is very deterministic; it's kind of implicit trust. So I'm again seeing more profiling on the wired side versus wireless, but it doesn't mean that you can't combine the two.
31:57 Okay, Slava, I have a question. I'm just trying to think about this from a higher ed point of view, because there are a lot of BYOD devices. I could potentially see a ton of policies being created and tying back to that Marvis client that gets installed. One of the questions that was brought up online from Anders was eduroam. So how are you integrating and making that more mainstream with eduroam SSIDs? Like, can we push that certificate through the Marvis client? Is that just a Marvis...
32:41 So let me rewind to the beginning. If you look at this, the Marvis client is what actually allows you to onboard your devices to your own network. So think of a student coming to campus. They're there for the first time. All they do is log into the portal with your university credentials; it will let them provision their device by just downloading the Marvis client app, and what it is doing here at this step is actually provisioning a certificate for that user and provisioning the Wi-Fi profile. Okay. Now, the certificate that you provision here has the user identity. So you can actually create a policy in Access Assurance and say, oh hey, this user is part of the student group, I'm going to drop it in the student VLAN. So your policies will be very, very simple: your policies will say, if it's a student go here, if you're staff go there, if you're somebody special, do something else. But the Marvis client will allow your students to onboard. This is the BYOD portion. The PKI solution that I've shown on the next slide, for the MDM integrations, will help you for your managed devices, if you have any; sometimes the devices are managed in higher ed, and in this scenario you can actually differentiate between the two by just looking at the certificate and how the certificate looks. So we provide that capability and granularity today, which our higher ed customers are actually using extensively.
34:22 So when you say certificate, you're talking about a Mist certificate? Yeah, it's a Mist-issued certificate, but it is issued to your end user device. Okay. The left of this is Mist-issued? Correct, it is Mist-issued, yeah. The left side is the left side, and the right side is as well. It's Mist-issued. It's the cloud PKI that we host; that cloud PKI will be your PKI for your organization. It's not shared with anybody else, but it's going to be issuing certificates for everything on the left-hand side if you're using the app to onboard, and if you have the MDM integration done, then it will be issuing certificates for your MDM-managed clients. So the difference is, for MDM clients you don't need to install a Marvis client app, because the MDM is actually the facilitator. The MDM will put the profile and point to the cloud PKI, and the Mist cloud PKI will sign that. Okay, so it's designed to replace Intune's cloud PKI? Yes. Oh, but it would only apply to the ones that you onboarded through that portal, through the Mist infrastructure, etc. Correct.
35:39 Okay Slava maybe just to interrupt I think the point is so today uh you know
35:45 to support certificates within Access Assurance we're using you know a third party CA you know bring your own CA
35:51 right what we're saying is with the Mist cloud PKI we can operate in
35:57 both a sort of a uh provision on devices using the Marvis client uh or you know
36:02 through a managed type of workflow using uh you know a SCEP integration Yeah I'm just trying to figure out where it
36:09 would make sense from a managed device scenario to use this platform instead of
36:14 something that we already have Yep Right More in root CA or into Right Yeah it's
36:21 an option And there are still a lot of customers who don't have any today or
36:26 they're planning to migrate from you know the legacy Windows CS
36:32 services That's when this will be an option I have
36:40 Awesome Slava are you good we've I am good All right Uh actually
36:47 one last thing because we've digressed and we went back to
36:52 the Marvis client So let me go back to
36:57 the profiling part because I was so one last thing before we finish So
37:03 the reevaluation fingerprint where this comes in handy is
37:09 actually it allows us to actually do MAC spoofing detection right So when we think
37:16 about the typical scenarios especially with auditing or say you know you
37:22 had a printer connected or you had a camera connected somebody comes in puts the MAC of that printer disconnects the
37:29 printer connects the you know Linux device and starts some sort of attack So what will happen here is our
37:37 fingerprint reevaluation will come in handy first because it's going to do the enforcement that will say "Oh hey yeah
37:43 you have the same MAC but you've been a printer or you've been a camera and now you're a Linux laptop
37:49 That's not good Let us CoA bounce We will rerun the policy You will probably end up in some staging or quarantine VLAN
37:56 anyway." But that enforcement is immediate but what we will do is we will also generate a MAC spoofing alert saying
38:04 "Hey this is happening You may want to look into this because the same MAC was seen as two completely different
38:09 devices." And we are being really careful here basically you know just any dramatic changes So obviously if you've
38:15 changed from Windows 10 to 11 that's not a MAC spoofing thing but if you've changed from you know a printer to a laptop
38:22 that's cause for concern Hey Slava on that are you tagging that device then
38:28 with a hey this has been MAC spoofed so that it can just be blocked until
38:34 someone goes in and manually re-evaluates So potentially a kind of auto action
38:42 for Marvis where you would be able to say hey uh I want this to be automatically blocked until I
38:49 say otherwise Today it's reevaluating the policy and if you don't match the
38:54 previous condition you'll likely end up in the you know in the default dead-end VLAN
39:02 Awesome Uh thank you Slava So let me uh close out just to level set on
39:08 NAC Um our history in our industry says NAC and happy customers don't
39:14 belong in the same sentence right you know that's been our history where this product in general the category
39:21 has been tainted with very heavy on-prem systems Uh we have the happiest
39:26 customers in the world on NAC If you don't believe that you have to try Access Assurance um uh
39:33 sort of proof is in the pudding uh the largest customer we're deploying right now has 3 million endpoints deploying on
39:41 our cloud NAC right we have actually uh deployed NAC now uh these NAC
39:46 PoPs for a cloud-driven NAC system are deployed around the world so if an
39:52 employee from a US-based company goes to India or China wherever else they are
39:57 they're connecting to the closest NAC PoP All this kind of stuff completely cloud-native you know uh being able to
40:04 enable NAC to be easy and simple to be deployed Um we've achieved I'm
40:10 really proud of the work that has been done on this thing So if you're new to Juniper Mist and new to Access Assurance
40:15 you got to try this to believe this So uh Sam uh any sort of survivability features with Mist Edge doing caching
40:22 and things along those lines oh yes Yeah we didn't talk about that We should stop actually we did um last MFD we
40:29 showed that So uh we released site survivability uh late last year So the
40:36 way this is done is you have a local Mist Edge that under normal conditions does nothing but just caching
40:43 right So your clients are still authenticated through the NAC cloud All the heavy
40:49 lifting is done in the cloud Mist Edge just learns the cache of all of the clients we have seen in that site for
40:55 the period that you specify So you know up to you So if we have seen that
41:00 client on that site in the last month and then you suddenly lose all of your internet connectivity So you cannot talk
41:07 to any of the NAC PoPs APs and switches will automatically fail over to that local Mist Edge right and at that point
41:14 Mist Edge will start saying oh okay I know the last policy for that client I know that's the last policy for that client
41:19 So they will keep authenticating for as long as you want So this is designed to
41:25 survive even you know full power outages if you know the whole building goes down comes back and only you know only the Mist Edge
41:33 is available Oh yes Okay