Configuring UEM to Deploy the Harmony Mobile Protect app
Use Microsoft Intune UEM to deploy the Harmony Mobile Protect app and keep the device protected. If the Harmony Mobile Protect app is not installed on a device, or is removed from it, the device is marked as not protected.
General Workflow:
- If you selected Automatic integration in Configuring UEM Integration Settings, continue with Creating a Compliance Policy for the Organization Devices.
- If you selected Manual integration in Configuring UEM Integration Settings, continue with the procedures below, starting with Adding the Harmony Mobile Protect App to your App Catalog.
Adding the Harmony Mobile Protect App to your App Catalog
To protect your devices, deploy the Harmony Mobile Protect app from the public stores to your devices.
You must add the Harmony Mobile Protect app for both iOS and Android operating systems.
For more information about adding apps to the Microsoft Intune App Catalog, see the Microsoft Intune online guide.
Import Harmony Mobile Protect App to Intune:
- On the Microsoft Intune portal, go to Apps > All Apps and click + Add. An Add App window opens.
  Note - The data fields are similar for both iOS and Android users. The steps below are applicable for both platforms.
- Select App type iOS store app and click Select.
- In the App information, click Search the App Store.
- Search for the Harmony Mobile Protect application. Click the application and click Select.
- In the App information section, fill in the information and click Next.
- Under Assignments > Required, select + Add Group. Search for the security group created in the previous steps. Choose it, click Select, and then click Next.
- Under the Review + Create section, review and click Create.
- Select App type Android Store App and click Select.
- In the App information tab, enter Harmony Mobile Protect as the name.
- Enter a description, as listed in the app store description.
- Set the Publisher to Check Point Software Technologies.
- Build the URL for Harmony Mobile Protect Android:
  - From the Harmony Mobile Dashboard, go to Settings > Integrations under the Deployment section and copy the token of your dashboard. See Configuring UEM Integration Settings > Deployment configuration.
  - Concatenate the token to the end of this URL, which points to Harmony Mobile Protect Android on the Google Play store: "https://play.google.com/store/apps/details?id=com.lacoon.security.fox&referrer=UEM%3DIntune%26token%3D{Token}"
- Paste this full URL under Appstore URL on the Add App pane.
- Click Next.
- Under Assignments > Required, select + Add Group. Select the security group created before, click Select, and then click Next.
- Review and click Create.
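The referrer part of the Play store URL above is itself a query string (UEM=Intune&token=<token>) that has been URL-encoded a second time, which is why it shows %3D and %26 instead of = and &. A token pasted in by hand with the wrong encoding silently breaks auto-registration. The following script is an added example (not Check Point's or Microsoft's code) that builds the URL in exactly the documented form and decodes it again as a pre-paste check; the token value EXAMPLE-DASHBOARD-TOKEN-0123 is a constructed placeholder, and the real token is copied from the dashboard as described above.

```python
"""Build and verify the Google Play deep link that carries the Harmony Mobile
dashboard token to the Android app through the install referrer."""
from urllib.parse import urlencode, urlparse, parse_qs

PLAY_STORE_URL = "https://play.google.com/store/apps/details"
PACKAGE_ID = "com.lacoon.security.fox"

# Constructed placeholder; the real value is copied from Settings > Integrations
# in the Harmony Mobile dashboard.
EXAMPLE_TOKEN = "EXAMPLE-DASHBOARD-TOKEN-0123"


def build_play_url(token: str) -> str:
    """Return the Appstore URL for the Intune 'Android Store App' entry.

    The referrer is itself a query string (UEM=Intune&token=<token>), so it is
    encoded twice: once as a query string, then once more as a query value.
    A token that contains '=', '&' or '%' therefore needs this double encoding.
    """
    if not token or token.strip() != token:
        raise ValueError("token must be non-empty with no surrounding whitespace")
    referrer = urlencode({"UEM": "Intune", "token": token})
    return f"{PLAY_STORE_URL}?{urlencode({'id': PACKAGE_ID, 'referrer': referrer})}"


def parse_play_url(url: str) -> dict:
    """Decode the URL back into its parts, reversing both encoding layers."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query, strict_parsing=True)
    referrer = parse_qs(query["referrer"][0], strict_parsing=True)
    return {
        "host": parsed.netloc,
        "id": query["id"][0],
        "UEM": referrer["UEM"][0],
        "token": referrer["token"][0],
    }


def check_play_url(url: str, expected_token: str) -> list:
    """Return a list of problems found in a URL; empty means it is ready to paste."""
    try:
        parts = parse_play_url(url)
    except (KeyError, ValueError) as exc:
        return [f"URL does not parse as a Play referrer link: {exc!r}"]
    problems = []
    if parts["host"] != "play.google.com":
        problems.append(f"unexpected host {parts['host']}")
    if parts["id"] != PACKAGE_ID:
        problems.append(f"unexpected package id {parts['id']}")
    if parts["UEM"] != "Intune":
        problems.append(f"UEM parameter is {parts['UEM']!r}, expected 'Intune'")
    if parts["token"] != expected_token:
        problems.append("token in URL does not match the dashboard token")
    return problems


if __name__ == "__main__":
    url = build_play_url(EXAMPLE_TOKEN)
    print(url)
    print("problems:", check_play_url(url, EXAMPLE_TOKEN))
```

Run check_play_url on the URL you are about to paste into the Appstore URL field; a non-empty result usually means the token was pasted unencoded, truncated, or with trailing whitespace.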
- Select App type Managed Google Play App and click Select.
- Search for the Harmony Mobile Protect app and select it.
- Click Approval Preferences and then Select.
- Go to Apps > Android Apps and select the Harmony Mobile Protect app from the Managed Google Play store apps.
- Go to Properties > Assignments and click Edit.
- Under Assignments > Required, select + Add Group.
- Select the relevant security group you want to install the app on and click Select.
- Click Review + save.
- Review and click Save.
Configuring the Application Configuration Settings
To auto-register the Harmony Mobile Protect app on the devices with the Harmony Mobile dashboard, use an App Configuration Policy to send the registration parameters to the device and to the Harmony Mobile gateway.
- In the Microsoft Intune console, go to Apps > App Configuration policies.
- Click +Add and select Managed devices.
For iOS App
- Give your configuration a Name (e.g. "Harmony Mobile app Config iOS").
- For Platform, select "iOS/iPadOS".
- Click Select App.
- Search for the Harmony Mobile app for iOS devices.
- Click OK.
- Click Next.
- Under Configuration Settings format, select Use configuration designer.
Use the table below for the configurations:

Configuration Key                  Value Type   Configuration Value
DEVICE_UDID                        String       {{AzureADDeviceId}}
token                              String       Dashboard ID Hash **
Lacoon Server Address              String       Security Gateway server for your region (see the table below)
portalAccountId                    String       Account ID of the application in the Infinity Portal, to integrate it with the UEM.
ios_dep_notification_permission    Boolean      true
                                                (Enable this key to grant Zero Touch notification permissions for iOS.)

Security Gateway servers:

Region                     Server
US                         gw.locsec.net
Ireland (EU region)        eu-gw.locsec.net
Australia (Asia region)    au-gw.locsec.net
Canada (Canada)            ca-gw.locsec.net
UK region (UK)             uk-gw.locsec.net
India                      in-gw.locsec.net

** For the value of the key "token", open the Harmony Mobile dashboard, go to Settings > Integrations, and under the Deployment section click Edit.
Note - It is highly recommended to copy and paste the Configuration Key and Configuration Value directly from the table above where applicable.
- Copy the token of your dashboard. See Configuring Deployment. When done, click Next.
- Under Assignments, click + Add groups.
- Select the security group you want to associate the app configuration with.
- Click Select.
- Click Next.
- Review your configuration and click Create.
For Android Enterprise App
- Give your configuration a Name (e.g. "Harmony Mobile app Config AE").
- For Platform, select Android Enterprise.
- For Profile Type, select Fully Managed, Dedicated, and Corporate-Owned Work Profile Only or Personally-Owned Work Profile Only, according to your profile.
- Click Select App and choose the Harmony Mobile Protect app from the Managed Google Play store apps.
- Click OK.
- Click Next.
- Under Settings > Configuration Settings, for Configuration Settings format select "Use configuration designer" and click +Add.
  Add the configuration attributes according to this table:
Configuration Key    Value Type   Configuration Value
mdm_uuid             String       {{AzureADDeviceId}}
GW Address           String       Security Gateway server for your region (see the table below)
Token                String       ** Dashboard ID Hash **
portalAccountId      String       Account ID of the application in the Infinity Portal, to integrate it with the UEM.

Security Gateway servers:

Region                     Server
US                         gw.locsec.net
Ireland (EU region)        eu-gw.locsec.net
Australia (Asia region)    au-gw.locsec.net
Canada (Canada)            ca-gw.locsec.net
UK region (UK)             uk-gw.locsec.net
India                      in-gw.locsec.net

Note - It is highly recommended to copy and paste the Configuration Value directly from the table above where applicable.
- For the value of the key "token", open the Harmony Mobile dashboard, go to Settings > Integrations, and under the Deployment section click Edit. Copy the token of your dashboard. See section "Configuring UEM Integration Settings", page Configuring Deployment. When done, click Next.
- Under Assignments, click + Add groups.
- Select the security group you want to associate the app configuration with.
- Click Select.
- Click Next.
- Review your configuration and click Create.
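The iOS and Android Enterprise configuration tables above use different key names for the same purpose (DEVICE_UDID versus mdm_uuid, Lacoon Server Address versus GW Address, token versus Token), managed app configuration keys are case-sensitive, and the device id must be entered as the literal Intune variable {{AzureADDeviceId}} rather than an actual id. Mixing these up produces a policy that applies cleanly but never registers the device. The following script is an added example (not Check Point's or Microsoft's code, and it does not talk to Intune) that assembles the key/type/value triples for either platform from the tables as printed and checks a configuration for the usual mistakes; the token and account id values it prints are constructed placeholders.

```python
"""Assemble and pre-check the Harmony Mobile Protect app configuration values
for the Intune configuration designer, for both the iOS and Android tables."""

# Security Gateway servers by region, as listed in the configuration tables.
GATEWAYS = {
    "US": "gw.locsec.net",
    "Ireland (EU region)": "eu-gw.locsec.net",
    "Australia (Asia region)": "au-gw.locsec.net",
    "Canada (Canada)": "ca-gw.locsec.net",
    "UK region (UK)": "uk-gw.locsec.net",
    "India": "in-gw.locsec.net",
}

# Intune expands this variable per device; it must be entered literally.
DEVICE_ID_VARIABLE = "{{AzureADDeviceId}}"

# Per-platform keys and value types, exactly as the tables print them.
# Keys are case-sensitive: the iOS table uses "token", the Android one "Token".
SCHEMA = {
    "ios": {
        "DEVICE_UDID": "String",
        "token": "String",
        "Lacoon Server Address": "String",
        "portalAccountId": "String",
        "ios_dep_notification_permission": "Boolean",
    },
    "android": {
        "mdm_uuid": "String",
        "GW Address": "String",
        "Token": "String",
        "portalAccountId": "String",
    },
}
DEVICE_ID_KEY = {"ios": "DEVICE_UDID", "android": "mdm_uuid"}
GATEWAY_KEY = {"ios": "Lacoon Server Address", "android": "GW Address"}
TOKEN_KEY = {"ios": "token", "android": "Token"}


def build_app_config(platform, region, token, portal_account_id):
    """Return {key: (value_type, value)} ready to type into the configuration designer."""
    if platform not in SCHEMA:
        raise ValueError(f"platform must be one of {sorted(SCHEMA)}")
    if region not in GATEWAYS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(GATEWAYS)}")
    config = {
        DEVICE_ID_KEY[platform]: ("String", DEVICE_ID_VARIABLE),
        TOKEN_KEY[platform]: ("String", token),
        GATEWAY_KEY[platform]: ("String", GATEWAYS[region]),
        "portalAccountId": ("String", portal_account_id),
    }
    if platform == "ios":
        # Grants Zero Touch notification permissions on iOS.
        config["ios_dep_notification_permission"] = ("Boolean", "true")
    return config


def validate_app_config(platform, config):
    """Return a list of problems with a configuration as entered; empty means it looks right."""
    problems = []
    expected = SCHEMA[platform]
    lower_keys = {k.lower(): k for k in config}
    for key in expected:
        if key not in config:
            hint = ""
            if key.lower() in lower_keys:
                hint = f" (found {lower_keys[key.lower()]!r}; keys are case-sensitive)"
            problems.append(f"missing key {key!r}{hint}")
    for key, (value_type, value) in config.items():
        if key not in expected:
            problems.append(f"unexpected key {key!r} for platform {platform}")
            continue
        if value_type != expected[key]:
            problems.append(f"{key!r} should be {expected[key]}, got {value_type}")
        if value == "":
            problems.append(f"{key!r} is empty")
    device = config.get(DEVICE_ID_KEY[platform])
    if device and device[1] != DEVICE_ID_VARIABLE:
        problems.append(f"{DEVICE_ID_KEY[platform]!r} must be the literal {DEVICE_ID_VARIABLE}, not a fixed id")
    gateway = config.get(GATEWAY_KEY[platform])
    if gateway and gateway[1] not in GATEWAYS.values():
        problems.append(f"{GATEWAY_KEY[platform]!r} is not one of the listed gateway servers")
    return problems


if __name__ == "__main__":
    # Constructed placeholders; real values come from the Harmony Mobile dashboard and the Infinity Portal.
    cfg = build_app_config("android", "Ireland (EU region)", "EXAMPLE-TOKEN", "EXAMPLE-ACCOUNT-ID")
    for key, (value_type, value) in cfg.items():
        print(f"{key:35} {value_type:8} {value}")
    print("problems:", validate_app_config("android", cfg))
```

Transcribe what you actually typed into the designer into the same {key: (type, value)} shape and run validate_app_config on it; the case-sensitivity hint catches the token/Token slip, and the device id check catches a copied id that would register every device as the same one.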
Creating a Compliance Policy for the Organization Devices
Compliance policies are activated on the devices that did not install the required apps. The Harmony Mobile Protect app defines the security levels for the devices. You select the security level that marks the device as Not Compliant with company policy.
You must create separate compliance policies for specific OS types, such as iOS and Android.
Note - In every organization, the customer configures the compliance policies according to the production environment, needs, and the internal security policy.
For more information about Intune compliance policy see the Microsoft Intune online guide where you can explore the details of creating compliance policies for iOS, Android and Android Enterprise.
To create a Compliance Policy:
- Go to Devices > Compliance Policies > Policies and click +Create Policy.
- On the Compliance Policy panel, select a platform to start.
  Note - The data fields are similar for both iOS and Android settings.
Example for Android Enterprise with Personally-owned work profile:
- On the Basics tab, give your policy a name.
- Click Next.
- On the Compliance Settings tab, go to Device health and require the device to be at or under the Device Threat Level of Medium (recommended). This makes the device not compliant if the risk level determined by Check Point Harmony Mobile (MTD) is High. The details of all options:
Device Health Level    Description
Secured                This is the most secure. The device cannot have any threats present and still access company resources. If any threats are found, the device is evaluated as non-compliant.
Low                    The device is compliant if only low level threats are present. Anything higher puts the device in a non-compliant status.
Medium                 The device is compliant if the threats found on the device are low or medium level. If high level threats are detected, the device is determined as non-compliant.
High                   This is the least secure. This allows all threat levels, and uses Mobile Threat Defense for reporting purposes only. Devices are required to have the MTD app activated with this setting.
- Click Next.
- Go to Assignments and assign this policy to the relevant security group.
- Review and create your policy.
Note - You can configure actions for noncompliance and Scope tags (not covered in this guide).