Configuring the Check Point Harmony Mobile Dashboard Integration Settings

Prerequisites

  1. You need the following details from your MaaS360 Deployment:

    Note - The section Integration Information has a table in which you can record your settings for easy reference.

    1. Server: The root URL to your MaaS360 Web Services API including the leading https://, for example: https://services.m3.maas360.com

    2. MaaS360 API Administrator Username and Password: These are the Admin credentials that the Harmony Mobile Dashboard uses to connect to the UEM (Unified Endpoint Management). You may have created a special API Admin account in section Creating an API Only Administrator Account (optional) for this purpose.

    3. Billing ID: This is the Corporate Identifier and can be located on Setup > Deployment Settings.

    4. API App ID: com.[Billing ID or Corporate Name].api (This information needs to be obtained from IBM MaaS360 Support)

      Note - Multiple Harmony Mobile Dashboards can be integrated to one MaaS360 instance by separating the devices into different “Device Provisioning Groups”, such as creating a device provisioning group for All EU Devices (i.e. “MTP_EU_Devices”) and a device provisioning group for All US Devices (i.e. “MTP_US_Devices”). Then, the Harmony Mobile Dashboard in the EU would be integrated to “MTP_EU_Devices” and the Harmony Mobile Dashboard in the US would be integrated to “MTP_US_Devices”.

    5. Access Key: This key needs to be obtained from IBM MaaS360 Support.

    6. Organization Group(s): This is the MaaS360 device provisioning group that contains the devices to be registered to Harmony Mobile, and that will be integrated with the Harmony Mobile Dashboard. Multiple groups can be integrated with one Harmony Mobile Dashboard instance by entering each label name separated with a semicolon (;). This is the Device Provisioning Group we created in section Creating a Device Provisioning Group (“MP_Devices_Group”).

    7. Mitigation Attribute: This is the custom attribute that will be set to “Yes” when the device is in High Risk. This is the custom attribute that you created in section Creating a Mitigation Label (“MP_HighRisk”).

  2. For on-premises UEM environments, port 443 (HTTPS) must be remotely accessible through your firewall from the Harmony Mobile Dashboard to the UEM system before trying to connect.

    1. See section Integration Information for the Harmony Mobile Dashboard IP addresses for your region.

    2. If you do not know your Harmony Mobile Dashboard’s region, follow the instructions in section Integration Information to find out.

  3. Delete any existing devices in the Harmony Mobile Dashboard.

Note - Only the devices are synchronized from the UEM to the Harmony Mobile Dashboard, not users.
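
A pre-flight check of the recorded values, as an added example that is not part of the Check Point or IBM documentation: it validates the formats stated above and the synchronization ranges this page gives for the wizard's Synchronization step. The dictionary keys and all sample values are constructed for illustration; the group and attribute names are the ones used on this page.

```python
import re
from urllib.parse import urlsplit

# Secrets (password, access key) are deliberately not part of the record.
REQUIRED = ("username", "billing_id", "mitigation_attribute")

def validate_settings(s):
    """Return a list of problems in a recorded settings dict (empty = OK)."""
    problems = []
    # Server: root URL of the MaaS360 Web Services API, leading https://
    url = urlsplit(s.get("server", ""))
    if url.scheme != "https" or not url.hostname:
        problems.append("server: must start with https:// and name a host")
    elif url.path.strip("/") or url.query or url.username:
        problems.append("server: root URL only, no path, query or credentials")
    for key in REQUIRED:
        if not str(s.get(key, "")).strip():
            problems.append(f"{key}: missing")
    # API App ID: com.[Billing ID or Corporate Name].api
    if not re.fullmatch(r"com\.\S+\.api", s.get("api_app_id", "")):
        problems.append("api_app_id: expected com.[Billing ID or Corporate Name].api")
    # Organization Group(s): label names separated by semicolons
    groups = [g.strip() for g in s.get("groups", "").split(";")]
    if "" in groups:
        problems.append("groups: empty label (missing name or stray semicolon)")
    if len(set(groups)) != len(groups):
        problems.append("groups: duplicate label")
    # Sync intervals: 10-1440 minutes, in 10 minute steps
    for key in ("device_sync_min", "app_sync_min"):
        v = s.get(key)
        if not isinstance(v, int) or not 10 <= v <= 1440 or v % 10:
            problems.append(f"{key}: must be 10-1440 in steps of 10")
    # Deletion delay interval: 0-48 hours
    d = s.get("deletion_delay_h")
    if not isinstance(d, int) or not 0 <= d <= 48:
        problems.append("deletion_delay_h: must be 0-48")
    return problems

SAMPLE = {  # constructed record; group and attribute names as on this page
    "server": "https://services.m3.maas360.com",
    "username": "harmony_api", "billing_id": "12345678",
    "api_app_id": "com.12345678.api",
    "groups": "MTP_EU_Devices;MTP_US_Devices",
    "mitigation_attribute": "MP_HighRisk",
    "device_sync_min": 10, "app_sync_min": 60, "deletion_delay_h": 0,
}

if __name__ == "__main__":
    print(validate_settings(SAMPLE) or "settings look consistent")
```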

Configuring UEM Integration Settings

After you complete the necessary steps, the Device Management pane shows the detailed status of the settings.

Procedure

  1. From the Infinity Portal, go to Settings > Integrations.

    The Integrations page opens.

  2. Click Add and then UEMs.

    The Integration Wizard opens.

  3. Configure the settings for your MaaS360 Deployment, and click Next.

    • Server Setup

      Configure your UEM to integrate with the created MaaS360 devices:

      In the Server Setup section, enter this information:

      • Display Name – MaaS360

      • Server Address - The full URL needed for the UEM service

      • User name

      • Password

      • Billing ID

      • API app ID

      • Access key

      Click Verify, wait for the green check, and click Next

    • Synchronization

      Configure the devices and groups that you synchronize with Harmony Mobile Dashboard:

      1. In the Group(s) field:

        • Click Group(s). A dropdown list of the available groups opens.

        • Select the group(s) you need for integration with MaaS360.

      2. In the Android Enterprise Groups field:

        Select the groups for two deployed applications as part of the MaaS360 Android Enterprise deployment.

      3. In the Advanced section:

        Import Personally Identifiable Information (PII) and set the synchronization intervals.

        You can limit the import of the PII devices (users) to Harmony Mobile.

      Note - If all entries are OFF, the placeholder information set for the email address is placed in the Device Owner’s Email, in the form of "UEMDevice UDID@vendor.UEM".

      Click Verify, wait for the green tick-mark, and click Next.

      Setting | Description | Value
      --- | --- | ---
      Device sync interval | Interval to connect with UEM to sync devices. | 10-1440 minutes, in 10 minute intervals.
      Device deletion threshold | Devices for deletion after UEM device sync (in %). | 100% for no threshold.
      Deletion delay interval | Delay device deletion after sync – device is not deleted if it is re-synchronized from UEM during the threshold interval. | 0-48 hours.
      App sync interval | Interval to connect with UEM to sync applications. | 10-1440 minutes, in 10 minute intervals.

    • Tagging Configuration

      Specify the information sent to MaaS360 and the risk level of the device.

      1. In the Tagging section:

        1. Set Tag device status to ON.

        • For integration with IBM MaaS360, the Device Status tag is interpreted as a "device attribute" of "CHKP_Status" with the values of Provisioned, Active, or Inactive.

        • We will use the CHKP_Status device property to determine when to prompt the user to install the Harmony Mobile Protect app on their device. If the CHKP_Status device property hasn’t been set yet, then the device has not been synced with Harmony Mobile Dashboard.

        2. Set Tag device risk to ON.

        • For integration with IBM MaaS360, the Device Risk tag is interpreted as a "device attribute" of "CHKP_Risk" with the values of None, Low, Medium, or High.

        • We will use the CHKP_Risk device property to determine when to enact certain policies or actions on the device. If the CHKP_Risk is High or Medium, then the device will be sent an in-app notification and blocked from running corporate apps.

        3. Set Tag device threat factor to ON.

        • The Threat Factor tag (CHKP_TF) is a list of threat factors associated with the Security Risk level, such as TF_BACKUP_TOOL. These threat factors can add detail and granularity to the current Risk level; however, they are not necessarily appropriate for policy triggers. The CHKP_TF value is a free-form, comma-separated string of threat factors from the BRE (Behavioral Risk Engine) database.

    • Deployment

      Specify the deployment status of a device.

      Note - This section is optional, because MaaS360 manages the deployment automatically.

      If you use Harmony Mobile to manage the deployment:

      In the Advanced section:

      1. Enable the options to send email and/or SMS notifications to the new users with instructions to download and install the Harmony Mobile Protect app.

      2. Click Finish.

  4. View the Integration Status.

    The Integration pane shows this information:

    For each integration:

    • Server – The latest server configuration status.

    • Sync – The synchronization status and when the last synchronization occurred.

  5. To edit the integration settings, click the three dots at the top of each integration block, and then click Edit.
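
How the tags set in the Tagging Configuration step can be read back to confirm the integration behaves as described, as an added example that is not part of the Check Point or IBM documentation. The per-device dictionary shape, the device names and the value TF_EXAMPLE are constructed; the attribute names and allowed values are the ones listed on this page.

```python
STATUS_VALUES = {"Provisioned", "Active", "Inactive"}
RISK_VALUES = {"None", "Low", "Medium", "High"}
BLOCKING_RISK = {"Medium", "High"}  # in-app notification + corporate apps blocked

def evaluate_device(attrs):
    """Interpret one device's CHKP_* attributes as this page describes them."""
    status, risk = attrs.get("CHKP_Status"), attrs.get("CHKP_Risk")
    # CHKP_TF is a free-form comma-separated string: kept as detail only,
    # never used as a policy trigger.
    factors = [f.strip() for f in (attrs.get("CHKP_TF") or "").split(",") if f.strip()]
    out = {"synced": status is not None, "restrict": False,
           "threat_factors": factors, "anomalies": []}
    if status is not None and status not in STATUS_VALUES:
        out["anomalies"].append(f"unexpected CHKP_Status {status!r}")
    if risk is not None and risk not in RISK_VALUES:
        # Never read an unknown value as "no risk": surface it for review.
        out["anomalies"].append(f"unexpected CHKP_Risk {risk!r}")
    out["restrict"] = risk in BLOCKING_RISK
    return out

def triage(devices):
    """Group device names by what an administrator needs to follow up on."""
    report = {"not_synced": [], "restricted": [], "review": []}
    for name, attrs in devices.items():
        r = evaluate_device(attrs)
        if not r["synced"]:
            report["not_synced"].append(name)
        if r["restrict"]:
            report["restricted"].append(name)
        if r["anomalies"]:
            report["review"].append(name)
    return report

DEVICES = {  # constructed sample; TF_EXAMPLE is a made-up placeholder factor
    "phone-01": {"CHKP_Status": "Active", "CHKP_Risk": "High",
                 "CHKP_TF": "TF_BACKUP_TOOL, TF_EXAMPLE"},
    "phone-02": {"CHKP_Status": "Active", "CHKP_Risk": "Low",
                 "CHKP_TF": "TF_BACKUP_TOOL"},
    "phone-03": {},  # CHKP_Status never set: not yet synced
    "phone-04": {"CHKP_Status": "Provisioned", "CHKP_Risk": "high"},
}

if __name__ == "__main__":
    print(triage(DEVICES))
```

A threat factor on a Low-risk device (phone-02) does not restrict it, and a misspelled risk value (phone-04) is routed to review rather than treated as safe.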