FullArmor aims to provide continuous policy enforcement across endpoints

FullArmor’s Endpoint Policy Manager
By Dave Kearns, Network World, 04/11/2007

My friends at FullArmor recently announced a product that takes existing security policies which have been created and enforced by Active Directory inside the network, and makes them portable, enforceable and auditable when the endpoints are outside the reach of the directory. The new Endpoint Policy Manager (EPM) makes continuous policy enforcement possible in a mobile and network-disconnected world, a world that – more and more – dominates the landscape we have to manage.

Marc Gendron must be the Sherlock Holmes of PR practitioners because he managed to track me down while I was on vacation to let me know about the new release. He wanted me to know that, “With the explosive growth of road warriors, telecommuters, temporary workers, and mobile users, it is virtually impossible for organizations to ensure that endpoint devices are secure and compliant. FullArmor EPM enforces consistent policy settings on endpoints whether they are connected or disconnected from an enterprise's Active Directory. This capability enables organizations to use their existing Group Policy infrastructure to intelligently enforce endpoint policy settings as devices drift in and out of the network. To prevent security policy ‘decay’, FullArmor EPM automatically corrects out-of-compliance settings when they are inadvertently changed. In addition, FullArmor EPM limits quarantine and remediation events in NAP and NAC environments [i.e., Microsoft’s Network Access Protection and Cisco's Network Admission Control] by keeping endpoint configurations locked-down.” (Seriously, that’s how PR people talk.)

But EPM is a very good addition to your authentication and authorization structure because it allows you to take the context of authentication into account when granting authorization to a user. Typical scenarios might include:

* An authorized guest machine logging onto the network could only receive device policy settings, not user settings.

* An authorized user authenticating to the network from an unmanaged device (home computer, Internet kiosk, etc.) could be subject to stricter policy settings.

* An authorized user connecting to the network via a Windows Mobile device could receive user policies, but not device policy.

But I’m sure you can think of many others.
