Privacy/Security

Central HTTPS Inspection Root CA

You can generate a centralized root CA certificate for HTTPS inspection to use across all policies in your account. Once generated, you can upload the certificate to your UEM (Unified Endpoint Management: an architecture and approach that controls different types of devices, such as computers, smartphones and IoT devices, from a centralized command point) for deployment to end-user devices.

Prerequisite

To generate the centralized CA certificate, you must have one of these roles:

  • Admin role in Global Role

  • Admin or Super User role in Specific Service Roles

Video transcript:

This video demonstrates how to generate a centralized CA certificate and apply it across multiple policies in the Harmony Mobile Administrator Portal. This helps you to simplify and centralize your CA certificate lifecycle management. To begin, access the Harmony Mobile Administrator Portal. Go to Settings and click Privacy/Security. To generate a CA certificate issued by Check Point, in the Central HTTPS Inspection Root CA section, click Generate CA Certificate. Optionally, you can upload a self-signed or third-party CA certificate. If you selected the Generate CA Certificate option, enter a certificate name and click Add. The system generates a certificate valid for one year from the generation date. If you are using UEM, you can click Download Certificate to download and upload it to your UEM. To apply the centralized CA certificate across different policies in your tenant, go to your policy and click Network Protection. Expand HTTPS Settings and under Inspection CA, select the Centralized CA across several policies option. This allows ONP to use this certificate to inspect the HTTPS traffic on end-user devices. Click Close. Click Save. Repeat this process for all policies that need the centralized CA certificate. This way, you don't have to manage separate CA certificates for each policy. Instead, you get a single, centralized certificate that's easier to update and renew. Thank you for watching.

To generate a centralized root CA certificate:

  1. Go to Settings > Privacy/Security.

  2. In the Central HTTPS Inspection Root CA section, click Generate Certificate.

  3. Do one of these:

    • To generate a CA certificate issued by Check Point, click Generate CA Certificate.

      The system generates a certificate valid for one year from the generation date, as shown in Expiration date.

      Note - Check Point recommends you renew the CA certificate at least two weeks before the expiration date. To renew the CA certificate, see sk181288.

    • To use a self-signed or a third-party CA certificate, click Upload CA Certificate.

      1. In the pop-up window, upload the certificate.

        Note -

        For the Transport Layer Security (TLS) certificate to be valid:

        • The certificate must have a lifecycle of at least 30 days and not longer than 390 days.

        • The certificate must be valid for more than 30 days from the time it is uploaded to the Harmony Mobile Administrator Portal.

      2. Enter the certificate password.

      3. Click Verify.

      4. If there are no errors, click Add.

  4. If you have generated a CA certificate by Check Point, click Download Certificate.

    The system downloads the certificate to your computer.

  5. Upload the new certificate to the UEM.

    For more information, see the CA Certificate Deployment Using the UEM section for the relevant UEM in the Harmony Mobile Integration Guide.

  6. To revoke the certificate, click Revoke Certificate.

    Important - Revoking the centralized certificate will remove it from all policies that use it.
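The validity rules above (a lifetime between 30 and 390 days, more than 30 days remaining at upload, renewal at least two weeks before expiry) are easy to verify before you upload a self-signed or third-party certificate. The following script is an added example, not Check Point's code: it reads the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates -in ca.pem` prints and reports which rules a given upload date would violate, plus the date by which renewal should start. The sample dates are constructed.

```python
"""Check a CA certificate's validity window against the upload rules above."""
import ssl
from datetime import datetime, timedelta, timezone

MIN_LIFETIME_DAYS = 30    # lifecycle must be at least 30 days
MAX_LIFETIME_DAYS = 390   # and not longer than 390 days
MIN_REMAINING_DAYS = 30   # must stay valid for more than 30 days after upload
RENEW_BEFORE_DAYS = 14    # renew at least two weeks before expiration

def parse_openssl_dates(dates_output):
    """Parse `openssl x509 -noout -dates -in ca.pem` output into UTC datetimes."""
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    def to_dt(s):  # ssl.cert_time_to_seconds understands the GMT format openssl prints
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def check_validity(not_before, not_after, upload_time):
    """Return the rule violations; an empty list means the upload would be accepted."""
    findings = []
    lifetime = not_after - not_before
    if lifetime < timedelta(days=MIN_LIFETIME_DAYS):
        findings.append(f"lifetime {lifetime.days}d is shorter than {MIN_LIFETIME_DAYS}d")
    if lifetime > timedelta(days=MAX_LIFETIME_DAYS):
        findings.append(f"lifetime {lifetime.days}d exceeds {MAX_LIFETIME_DAYS}d")
    if upload_time < not_before:
        findings.append("certificate is not yet valid at upload time")
    remaining = not_after - upload_time
    if remaining <= timedelta(days=MIN_REMAINING_DAYS):
        findings.append(f"only {remaining.days}d of validity left at upload; "
                        f"more than {MIN_REMAINING_DAYS}d required")
    return findings

def assess(dates_output, upload_date):
    """openssl -dates text + ISO upload date -> (findings, ISO date to start renewal)."""
    not_before, not_after = parse_openssl_dates(dates_output)
    upload_time = datetime.fromisoformat(upload_date).replace(tzinfo=timezone.utc)
    renew_by = not_after - timedelta(days=RENEW_BEFORE_DAYS)
    return check_validity(not_before, not_after, upload_time), renew_by.date().isoformat()

# Constructed sample: openssl -dates output for a one-year CA certificate.
SAMPLE_DATES = "notBefore=Mar  1 10:00:00 2024 GMT\nnotAfter=Mar  1 10:00:00 2025 GMT\n"

if __name__ == "__main__":
    for upload in ("2024-03-02", "2025-02-10"):
        findings, renew_by = assess(SAMPLE_DATES, upload)
        print(f"upload {upload}: {findings or 'OK'}; renew by {renew_by}")
```

The same check applies to the Check Point-generated certificate: feed it the Expiration date shown in the portal and schedule the renewal before `renew_by`.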

To apply the centralized CA certificate to multiple policies in your tenant, go to HTTPS Settings in Network Protection settings.

BYOD Privacy Mode

When you enable BYOD Privacy Mode, administrators can only see that a malicious threat exists, but they cannot see the user affected by it. This ensures the highest user privacy when needed.

Example: Events & Alerts Tab

BYOD Privacy Mode Disabled:

When BYOD Privacy Mode is disabled, the Events & Alerts tab shows the Device Owner and Device Number fields as configured in the Devices tab.

BYOD Privacy Mode Enabled:

When BYOD Privacy Mode is enabled, the Events & Alerts tab does not show the Device Owner and Device ID Number fields.

Example: Device Risk Tab

BYOD Privacy Mode Disabled:

When BYOD Privacy Mode is disabled, the Device Details show the app(s) that put this device at high risk.

BYOD Privacy Mode Enabled:

When BYOD Privacy Mode is enabled, the Device Details do not show the app(s) that put this device at high risk. The administrator sees only that the device is at risk and its risk level, but not the reason.

Example: App Risk Tab

BYOD Privacy Mode Disabled:

When BYOD Privacy Mode is disabled, the drill-down into the App Analysis information about the App at Risk displays the app Owner Details.

BYOD Privacy Mode Enabled:

When BYOD Privacy Mode is enabled, the drill-down into the App Analysis information about the App at Risk does not display the app Owner Details.

Enable PII Decryption

Select this checkbox to enable the decryption of Personally Identifiable Information (PII) when you integrate with a Check Point Harmony Mobile Connector installed on-premises. For more information on Harmony Mobile Connector installation, see the Harmony Mobile Connector Installation Guide.

Data Retention

In this section, you can set the time period after which old alerts are discarded. You can also configure this period per attack vector.