Since Hitachi ID Identity Manager is a sensitive security application, with privileged access to many other systems in an organization and with access to sensitive personal data, most organizations are unwilling to expose Identity Manager directly to the public Internet. This creates a problem for mobile device access to self-service, as illustrated in Figure 1.

Hitachi ID Systems has developed a solution to this problem: an app is installed and activated natively on iOS and Android devices, and a proxy server is hosted in the cloud. This arrangement is shown in Figure 2. Using this architecture:

1. An app is installed on user devices.
2. Users sign into Identity Manager from their PC and ask to activate their device.
3. The PC-based web UI displays an activation QR code.
4. The user runs the app on their device, which scans this QR code.
5. The QR code includes encryption key material and the URL of a proxy service in the cloud (i.e., on the public Internet).
6. Users use the app to (indirectly) access the on-premises Identity Manager web portal.
7. The app connects to the cloud proxy, requesting content from the on-premises portal.
8. The proxy checks the key material provided by the app and may discard connection attempts. In this way, connections from regular browsers, or from devices which have not been correctly activated for a particular Identity Manager instance, are easily discarded.
9. Simultaneously, a service on the Identity Manager server connects to the proxy server, asking for page requests to fulfill.
10. The proxy passes requests from mobile devices to the connections from the Identity Manager server.
11. All connections that cross the corporate perimeter firewall in this architecture are outbound – from the Identity Manager server to the cloud proxy.
12. All connections are encrypted.
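The following is an added example, not Hitachi ID's code, that models the relay pattern described above: the on-premises server mints per-device key material and registers it with the cloud proxy over an outbound call, the QR code carries that key and the proxy URL to the app, the proxy discards requests from devices it cannot verify, and the on-premises service polls the proxy for requests to fulfil. The page does not say how the proxy checks key material; an HMAC over the request, the JSON layout of the QR payload, and the proxy URL are all assumptions made here.

```python
import base64, hashlib, hmac, json, secrets
from collections import deque

class CloudProxy:
    """Cloud relay: per-device keys registered by on-prem, plus a request queue."""
    def __init__(self):
        self.activations = {}   # device_id -> secret (set over an outbound call)
        self.pending = deque()  # requests not yet fetched by the on-prem service

    def register_activation(self, device_id, secret):
        self.activations[device_id] = secret

    def accept_from_device(self, device_id, body, tag):
        """Verify the device's key material; unknown or bad tags are discarded."""
        secret = self.activations.get(device_id)
        if secret is None:
            return False  # plain browser or unactivated device: drop
        expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # tampered body or wrong key: drop
        self.pending.append((device_id, body))
        return True

    def next_request_for_onprem(self):
        # Polled by the Identity Manager server, again over an outbound connection
        return self.pending.popleft() if self.pending else None

def activate_device(proxy, proxy_url, device_id):
    """On-prem side: mint key material, register it, return the QR code's JSON."""
    secret = secrets.token_bytes(32)
    proxy.register_activation(device_id, secret)
    return json.dumps({"proxy_url": proxy_url, "device_id": device_id,
                       "key": base64.b64encode(secret).decode()})

def app_request(qr_payload, path):
    """Mobile app: recover key material from the scanned QR code and
    sign the page request it sends to the cloud proxy (assumed HMAC scheme)."""
    qr = json.loads(qr_payload)
    secret = base64.b64decode(qr["key"])
    body = path.encode()
    return qr["device_id"], body, hmac.new(secret, body, hashlib.sha256).hexdigest()

def demo():
    proxy = CloudProxy()
    qr = activate_device(proxy, "https://proxy.example.invalid", "phone-1")  # constructed
    dev, body, tag = app_request(qr, "/self-service/reset")
    accepted = proxy.accept_from_device(dev, body, tag)
    bad_tag = proxy.accept_from_device(dev, body, "0" * 64)
    unknown = proxy.accept_from_device("unactivated-browser", body, tag)
    return accepted, bad_tag, unknown, proxy.next_request_for_onprem()
```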