Configuring UEM to Deploy the Harmony Mobile Protect App

Now that we have completed the integration steps, we can continue with the configuration of the UEM (Unified Endpoint Management) platform, an architecture and approach that controls different types of devices such as computers, smartphones and IoT devices from a centralized command point.

For this process we will return to the Endpoint Management Console to complete the configuration.

General Workflow

  1. Add the Harmony Mobile Protect App to your App Catalog. See Adding the Harmony Mobile Protect App to Your App Catalog.

  2. Add an iOS Configuration Policy for Harmony Mobile. See Adding an iOS Configuration Policy for Harmony Mobile Protect.

  3. Collect App list from iOS Devices. See Collecting App List from iOS Devices.

  4. Require the Harmony Mobile Protect app to be installed on your mobile. See Requiring the Harmony Mobile Protect app to be Installed.

  5. Create a Mitigation Process. See Creating a Mitigation Process.

Configuring UEM to Deploy Harmony Mobile Protect app

Prerequisites

Harmony Mobile Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources). Choose the server for your region:

Security Gateway servers:

  Region                     Server
  US                         gw.locsec.net
  Ireland (EU region)        eu-gw.locsec.net
  Australia (Asia region)    au-gw.locsec.net
  Canada (Canada)            ca-gw.locsec.net
  UK region (UK)             uk-gw.locsec.net
  India                      in-gw.locsec.net

Adding the Harmony Mobile Protect App to Your App Catalog

In this process we will be using the CHKP_Status tag.

Using the CHKP_Status tag we can start deploying the Harmony Mobile Protect app from the public stores to those devices that will be protected by Check Point Harmony Mobile. We do this so that the Protect app is required only when the device has a CHKP_Status of Provisioned, Active, or Inactive. If the CHKP_Status device property has not been set, the user will NOT be prompted to install the Harmony Mobile Protect app. This ensures that the devices are synchronized in the Harmony Mobile Dashboard before the user is asked to install the Harmony Mobile Protect app.

Add the Protect App for both iOS and Android operating systems.

  1. Navigate to Configure > Apps, and click Add.

  2. On the Add App pop-up window, select Public App Store.

  3. Enter in a Name for the app: Harmony Mobile Protect.

  4. Click Next.

  5. In the Platform pane select iPhone, iPad and Android Enterprise.

  6. Enter in Harmony Mobile Protect and click Search.

  7. The search result window should show the Harmony Mobile Protect app, such as in the example below.

  8. Click Harmony Mobile Protect app.

  9. Scroll down and Select Deployment Rules.

  10. Change Deploy when to Any, and click on the Advanced tab.

  11. Click on New Rule tab at the bottom.

  12. Select Limit by raw device property name with CHKP_Status is equal to Provisioned.

  13. Click the "+" sign.

  14. Click on the OR word and the New Rule button will be active again.

  15. Click New Rule.

  16. Select Limit by raw device property name with CHKP_Status is equal to Active.

  17. Click the "+" sign.

  18. Click New Rule.

  19. Select Limit by raw device property name with CHKP_Status is equal to Inactive.

  20. Click the "+" sign.

  21. Once all the Deployment Rules are listed as they are below, click Next.

  22. On the iPad Platform tab, select the Harmony Mobile Protect app, and scroll down to Deployment Rules.

  23. Repeat steps 10 through 21 (change Deploy when to Any, click the Advanced tab, and add the three CHKP_Status rules) for the iPad platform, as with the iPhone platform, so that the rules look as below:

  24. Once all the Deployment Rules are listed as they are above, click "Next".

  25. On the Android Enterprise Platform tab, enter in Harmony Mobile Protect and click Search.

  26. Select the Harmony Mobile Protect app shown in the search result window, as in the example below.

  27. Click on the Harmony Mobile Protect app, approve the app and click Select.

  28. Scroll down to Deployment Rules.

  29. Repeat steps 10 through 21 (change Deploy when to Any, click the Advanced tab) for the Android Enterprise platform as well, and create the same 3 new rules as below.

  30. Once all the Deployment Rules are listed as they are below, click Next.

  31. On the Approvals (optional) tab click Next.

  32. On the Delivery Group Assignments tab, select the Delivery Group you created in Creating a Delivery Group.

  33. Click the Deployment Schedule section and toggle the Deploy for always-on connection button to ON.

  34. Click Save.

  35. Get the dashboard’s token.

    Go to your Harmony Mobile dashboard > Settings > Integrations > Select the three dots > Edit:

  36. Go to Deployment and copy the token of your dashboard:

Adding Android Enterprise Managed Configurations

  1. Navigate to Configure > Device Policies > and click Add.

  2. On the Policy Platform pane click on the Android Enterprise check box.

  3. On the Security option choose Android Enterprise Managed Configurations.

  4. On the Select Application ID pop up window select the Harmony Mobile Protect app and click OK.

  5. On the Policy Info pane enter in a policy name AE Protect Configuration and click Next.

  6. On the Android Enterprise pane enter in the configurations as described below (See example) and click Next.

    Item               Value Type   Configuration Value
    IMEI               String       $device.imei
    gwAddress          String       The Security Gateway server for your region (see the Security Gateway servers table under Prerequisites)
    token              String       The value copied in the previous section
    portalAccountId    String       Account ID of the application in the Infinity Portal, used to integrate it with the UEM

  7. Under Assignment tab, assign the configuration to your group and click Save.

Adding an iOS Configuration Policy for Harmony Mobile Protect

To auto-register iOS devices to Harmony Mobile, we need to configure an iOS Configuration Policy.

  1. Navigate to Configure > Device Policies, and click Add.

  2. Scroll down to Apps section and select App Configuration.

  3. On the Policy Info pane, enter the Policy Name "iOS Protect Configuration" and click Next.

  4. Select iOS only from Platforms, and select Add new for Identifier.

  5. In the box that appears under Identifier, enter "com.checkpoint.capsuleprotect".

  6. In the Dictionary content field copy and paste this text:

    <dict>
        <key>Device Serial Number</key>
        <string>${device.serialnumber}</string>
        <key>DEVICE_MAC</key>
        <string>$DEVICE_MAC$</string>
        <key>DISPLAY_NAME</key>
        <string>$DISPLAY_NAME$</string>
        <key>EMAIL</key>
        <string>$EMAIL$</string>
        <key>FIRST_NAME</key>
        <string>$FIRST_NAME$</string>
        <key>LAST_NAME</key>
        <string>$LAST_NAME$</string>
        <key>USERID</key>
        <string>$USERID$</string>
        <key>Lacoon Server Address</key>
        <string>gw.locsec.net</string>
        <key>token</key>
        <string>hash_tenant_id</string>
        <key>DEVICE_UDID</key>
        <string>${device.id}</string>
    </dict>

    In line number 17 of the dictionary, replace the gateway server (gw.locsec.net) with the Security Gateway server for your region, as listed in the Security Gateway servers table under Prerequisites.

  7. Replace the hash_tenant_id text in <string>hash_tenant_id</string> with the token value that you copied from your Infinity Portal dashboard in the previous section.

  8. Click Check Dictionary to make sure that there are no errors. If no errors are found, a Valid XML label appears.

  9. Click Next.

  10. On the Assignment tab, select the Delivery Group you created in Creating a Delivery Group.

  11. In Deployment Schedule toggle the Deploy for always-on connections button to be ON.

  12. Click Save.
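The Check Dictionary step above only confirms the XML is well-formed. The following Python script, added here as an example and not part of the Check Point or Citrix product, performs the same check offline and additionally verifies that the dictionary carries every key from the template, that the Lacoon Server Address is one of the regional Security Gateway servers from the Prerequisites table, and that the hash_tenant_id placeholder has actually been replaced. The sample dictionary and its token value are constructed.

```python
import plistlib

# Regional Security Gateway servers from the page's table.
GATEWAYS = {"gw.locsec.net", "eu-gw.locsec.net", "au-gw.locsec.net",
            "ca-gw.locsec.net", "uk-gw.locsec.net", "in-gw.locsec.net"}
# Keys the page's dictionary carries; the console fills the $...$ placeholders per device.
REQUIRED_KEYS = {"Device Serial Number", "DEVICE_MAC", "DISPLAY_NAME", "EMAIL",
                 "FIRST_NAME", "LAST_NAME", "USERID", "Lacoon Server Address",
                 "token", "DEVICE_UDID"}
PLACEHOLDER_TOKEN = "hash_tenant_id"   # value that step 7 says must be replaced


def check_dictionary(xml_text: str) -> list:
    """Return the list of problems found; an empty list means valid XML and ready to deploy."""
    # plistlib needs a full plist document, so wrap the bare <dict> that the console accepts.
    doc = '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">' + xml_text + "</plist>"
    try:
        data = plistlib.loads(doc.encode("utf-8"))
    except Exception as exc:           # malformed XML: the console would not show "Valid XML"
        return [f"invalid XML: {exc}"]
    problems = []
    missing = REQUIRED_KEYS - set(data)
    if missing:
        problems.append("missing keys: " + ", ".join(sorted(missing)))
    gateway = data.get("Lacoon Server Address")
    if gateway not in GATEWAYS:
        problems.append(f"gateway {gateway!r} is not one of the regional servers")
    if data.get("token", PLACEHOLDER_TOKEN) == PLACEHOLDER_TOKEN:
        problems.append("token still holds the hash_tenant_id placeholder")
    return problems


# Constructed sample: the page's dictionary with the EU gateway and a made-up token filled in.
SAMPLE_DICT = """<dict>
    <key>Device Serial Number</key><string>${device.serialnumber}</string>
    <key>DEVICE_MAC</key><string>$DEVICE_MAC$</string>
    <key>DISPLAY_NAME</key><string>$DISPLAY_NAME$</string>
    <key>EMAIL</key><string>$EMAIL$</string>
    <key>FIRST_NAME</key><string>$FIRST_NAME$</string>
    <key>LAST_NAME</key><string>$LAST_NAME$</string>
    <key>USERID</key><string>$USERID$</string>
    <key>Lacoon Server Address</key><string>eu-gw.locsec.net</string>
    <key>token</key><string>EXAMPLE-TOKEN-PLACEHOLDER</string>
    <key>DEVICE_UDID</key><string>${device.id}</string>
</dict>"""

if __name__ == "__main__":
    print(check_dictionary(SAMPLE_DICT) or "Valid XML")
    # The same text with the placeholder token left in place is rejected.
    print(check_dictionary(SAMPLE_DICT.replace("EXAMPLE-TOKEN-PLACEHOLDER", "hash_tenant_id")))
```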

Collecting App List from iOS Devices

This step is important to allow Harmony Mobile to protect against malicious apps.

  1. Navigate to Configure > Device Policies, and click Add.

  2. Scroll down to Apps section and select App Inventory.

  3. On the Policy Info pane, enter the Policy Name "Collect iOS App Inventory" and click Next.

  4. On the Platforms pane, select iOS only and make sure the iOS toggle is ON.

  5. Click Next.

  6. On the Assignment tab, select the Delivery Group you created in Creating a Delivery Group.

  7. In the Deployment Schedule, toggle the Deploy for always-on connections button to ON.

  8. Click Save.

Requiring the Harmony Mobile Protect app to be Installed

The Harmony Mobile Protect app is required by editing the Delivery Group Apps tab and moving the Harmony Mobile Protect app from Optional to Required.

  1. Navigate to Configure > Delivery Groups.

  2. Select the Delivery Group you created in Creating a Delivery Group and click Edit.

  3. Select the Apps tab.

  4. Drag Harmony Mobile Protect to Required Apps.

  5. The app appears in the Required Apps list, as shown below:

  6. Scroll down to the Summary tab.

  7. On the Summary tab, make sure the app shows up correctly, and click Save.

Creating a Mitigation Process

In this section, you will reference a device property (CHKP_Risk) that the Harmony Mobile Dashboard uses to label any device as High, Medium, or Low Risk, or None for devices with no risk, as determined by the Harmony Mobile analysis. This device property, CHKP_Risk, allows the Citrix Endpoint Management system to identify which devices are at risk and to enforce actions and policies based on the risk level.

We will use the CHKP_Risk device property in several actions as a trigger that, when met, enacts the action described.

Notes:

  • Device properties are controlled by the device: if a device property is set or configured in the Citrix Endpoint Management Console, the device must sync to Citrix Endpoint Management in order to receive that device property setting. This means there is a delay between when a device is marked at risk (for example, CHKP_Risk = High) and when the device enacts the actions and policies that were sent to it during a previous sync (or during initial enrollment) to the Citrix Endpoint Management system. This is not a shortcoming of Harmony Mobile; it is how Citrix Endpoint Management uses device properties. Because of this operational requirement, there will be a delay between a device being marked at risk and the policies and actions that block access to corporate resources being enacted on the device.

  • We will show a couple of different Actions and Policies, but these enforcement policies are something that the customer should create for their environment and needs.

    In a production environment, the customer should configure the policies according to their internal security policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection).

Creating Actions for Devices at High Risk - Send Notification to User

  1. Navigate to Configure > Actions, and click Add.

  2. On the Action Info screen, enter in a unique name, and if desired, a description.

  3. Click Next.

  4. On the Details screen, select a trigger as follows:

    1. Select Device property

    2. On Select a Device Property select Other

    3. On Enter a property name enter in "CHKP_Risk"

    4. Select is

    5. On Enter a String enter in High.

  5. Select an Action as follows:

    1. On Select an action select Send notification

    2. On Select a template select Non-Compliant Device

    3. Set to 0 Hours (for immediately)

    4. Set to 1 Days for reminder

  6. Click Next.

  7. On the Assignment screen, select the Delivery Group you created in Creating a Delivery Group, in our example: Users_Group_SBM

  8. Also, under Deployment Schedule, toggle the button Deploy for always-on connections to be ON.

  9. Click Next.

  10. On the Summary screen, click Save.

Mark Devices at High Risk as Out of Compliance

  1. Navigate to Configure > Actions, and click Add.

  2. On the Action Info screen, enter in a unique name, and if desired, a description.

  3. Click Next.

  4. On the Details screen, select a trigger as follows:

    1. Select Device property

    2. On Select a Device Property select Other

    3. On Enter a property name enter in CHKP_Risk

    4. Select is

    5. On Enter a String enter in High.

  5. Select an Action as follows:

    1. Select Mark the device as out of compliance

    2. Select is

    3. Select True

    4. Set to 0 Hours (for immediately).

  6. Click Next.

  7. On the Assignment screen, select the Delivery Group you created in Creating a Delivery Group, in our example: Users_Group_SBM

  8. Also, under Deployment Schedule, toggle the button Deploy for always-on connections to be ON.

  9. Click Next.

  10. On the Summary screen, click Save.

Creating an AppLock Policy for Devices at High Risk

  1. Navigate to Configure > Actions, and click Add.

  2. On the Action Info screen, enter in a unique name, and if desired, a description.

  3. Click Next.

  4. On the Details screen, select a trigger as follows:

    1. Select Device property

    2. On Select a Device Property select Other

    3. On Enter a property name enter in CHKP_Risk

    4. Select is

    5. On Enter a String enter in High.

  5. Select an Action as follows:

    1. Select App Lock

    2. Set to 0 Hours (for immediately)

  6. Click Next.

  7. On the Assignment screen, select the Delivery Group you created in Creating a Delivery Group, in our example: Users_Group_SBM

  8. Also, under Deployment Schedule, toggle the button Deploy for always-on connections to be ON.

  9. Click Next.

  10. On the Summary screen, click Save.

Creating Actions for Devices at Medium Risk

  1. Navigate to Configure > Actions, and click Add.

  2. On the Action Info screen, enter in a unique name, and if desired, a description.

  3. Click Next.

  4. On the Details screen, select a trigger as follows:

    1. Select Device property

    2. On Select a Device Property select Other

    3. On Enter a property name enter in CHKP_Risk

    4. Select is

    5. On Enter a String enter in Medium.

  5. Select an Action as follows:

    1. On Select an action select Send notification

    2. On Select a template select Non-Compliant Device

    3. Set to 0 Hours (for immediately)

    4. Set to 1 Days for reminder

  6. Click Next.

  7. On the Assignment screen, select the Delivery Group you created in Creating a Delivery Group, in our example: Users_Group_SBM

  8. Also, under Deployment Schedule, toggle the button Deploy for always-on connections to be ON.

  9. Click Next.

  10. On the Summary screen, click Save.

Mark Devices Not at High Risk as Compliant

  1. Navigate to Configure > Actions, and click Add.

  2. On the Action Info screen, enter in a unique name, and if desired, a description.

  3. Click Next.

  4. On the Details screen, select a trigger as follows:

    1. Select Device property

    2. On Select a Device Property select Other

    3. On Enter a property name enter in CHKP_Risk

    4. Select Is Not

    5. On Enter a String enter in High.

  5. Select an Action as follows:

    1. Select Mark the device as out of compliance

    2. Select is

    3. Select False

    4. Set to 0 Hours (for immediately).

  6. Click Next.

  7. On the Assignment screen, select the Delivery Group you created in Creating a Delivery Group, in our example: Users_Group_SBM

  8. Also, under Deployment Schedule, toggle the button Deploy for always-on connections to be ON.

  9. Click Next.

  10. On the Summary screen, click Save.

Note - Now any device in the Delivery Group ("Users_Group_SBM") that has the Device Property "CHKP_Risk" "equal to" "High" or "Medium" set by the Harmony Mobile system will be acted upon by the Actions and Policies.
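To see how the Deployment Rules (CHKP_Status) and the Actions above (CHKP_Risk) combine for a given device, here is a small Python model, added as an example and not part of the Check Point or Citrix product. It transcribes the page's rule tables generically, so the same evaluator covers the deployment rules and all five actions; the sample devices are constructed, and the handling of a device that has not yet received the property (it matches no trigger) is an assumption, not documented behaviour.

```python
# Rule tables transcribed from the page. Triggers are (device property, operator, value);
# the deployment rules are OR'ed, and each mitigation action is evaluated independently.
DEPLOY_RULES = [("CHKP_Status", "is", v) for v in ("Provisioned", "Active", "Inactive")]

ACTIONS = [  # (action name, trigger, effect the UEM enacts)
    ("High risk: send notification", ("CHKP_Risk", "is", "High"),
     ("send_notification", "Non-Compliant Device")),
    ("High risk: out of compliance", ("CHKP_Risk", "is", "High"), ("out_of_compliance", True)),
    ("High risk: app lock", ("CHKP_Risk", "is", "High"), ("app_lock", True)),
    ("Medium risk: send notification", ("CHKP_Risk", "is", "Medium"),
     ("send_notification", "Non-Compliant Device")),
    ("Not high risk: compliant", ("CHKP_Risk", "is not", "High"), ("out_of_compliance", False)),
]


def trigger_matches(trigger, props):
    """Evaluate one UEM trigger against a device's properties.
    Assumption: a device that has not yet received the property matches no trigger,
    so an unsynchronized device is neither marked compliant nor acted upon."""
    prop, op, value = trigger
    if prop not in props:
        return False
    if op == "is":
        return props[prop] == value
    if op == "is not":
        return props[prop] != value
    raise ValueError(f"unknown operator {op!r}")


def deploy_protect_app(props):
    """Deployment Rules from steps 12 to 20: any matching CHKP_Status rule deploys the app."""
    return any(trigger_matches(t, props) for t in DEPLOY_RULES)


def evaluate_actions(props):
    """Return the (name, effect) pairs the Actions above would enact for this device."""
    return [(name, effect) for name, trig, effect in ACTIONS if trigger_matches(trig, props)]


# Constructed sample devices, labelled as the Harmony Mobile dashboard would label them.
DEVICES = {
    "phone-high":     {"CHKP_Status": "Active", "CHKP_Risk": "High"},
    "phone-medium":   {"CHKP_Status": "Active", "CHKP_Risk": "Medium"},
    "phone-clean":    {"CHKP_Status": "Provisioned", "CHKP_Risk": "None"},
    "phone-unsynced": {},   # never synchronized to the dashboard: no CHKP_* properties yet
}

if __name__ == "__main__":
    for name, props in DEVICES.items():
        print(name, "deploy:", deploy_protect_app(props), "actions:", evaluate_actions(props))
```

Running it shows that, with exactly the actions configured above, a Medium-risk device is notified but still marked compliant, and that the evaluation happens in the console: the device only enacts the effects after its next sync, as the note on device properties explains.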