Deploying the Harmony Mobile Protect app automatically (Zero Touch Deployment)

This section is optional.

UEM (Unified Endpoint Management: an architecture and approach that controls different types of devices, such as computers, smartphones and IoT devices, from a centralized command point) solutions traditionally prompt the mobile device user to install the application once the device is registered. In addition, to get full protection, the user must approve the required permissions and profiles. Many users are vigilant about installing new mobile applications or granting permissions, and as a security company, Check Point encourages that. Most users do not know that the Harmony Mobile Protect App focuses on device characteristics and behaviors, not on the content stored on or flowing through the device. Furthermore, some users do not comply with the company's security policy (a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection), especially when they use their own devices. Therefore, users often decide not to install the app or approve the required configuration. On top of that, users who do agree to install the app and accept the configurations often do not do it immediately, which delays application activation. As a result, many devices remain exposed to potential cyber-attacks.

Harmony Mobile's zero-touch technology lets the Harmony Mobile Protect App be installed and activated automatically, without any user interaction.

The solution uses a VPN profile that is pushed automatically by Microsoft Intune to the device and used by the Harmony Mobile Protect App. When deployed, it runs the activation flow automatically, and the device becomes active and shows in the Harmony Mobile dashboard without the user opening the app on the device.

Note - If you selected Automatic integration in Configuring UEM Integration Settings, skip the procedures below and go to Deploying SSL Certificate (Zero Touch SSL).

  1. To set up the zero-touch flow, create four new empty Security groups (see Creating Security Group for your Devices) with these names:

    • sbm_unregistered_ANDROID

    • sbm_registered_ANDROID

    • sbm_unregistered_IOS

    • sbm_registered_IOS

      Note - The group name is significant, so it is recommended to copy the group names exactly as they appear in this document.

  2. For each group, assign the Check Point application as the owner. In the New Group screen of the relevant group, select Owners and then choose the Harmony Mobile application as the owner.

    Note - To find the Harmony Mobile application, enter Check Point Harmony Mobile. Intune does not search partial application names, for example, Harmony or Mobile.

Zero Touch Deployment for Android Enterprise devices

  1. In the Microsoft Intune Admin Center, go to Devices > Manage devices > Configuration > Policies.

  2. Click Create > New Policy.

  3. Select the Platform as Android Enterprise.

  4. Select Profile type as Templates.

  5. From the Templates list, select Device restrictions.

  6. Click Create.

  7. In the Basics tab, enter a name for your profile (example, Harmony_zero_touch_AE).

  8. Click Next.

  9. In the Configuration settings tab, go to Work profile settings.

  10. From the Default app permissions list, select Auto grant.

  11. Go to Connectivity section and set these values:

    • Always-on VPN - Enable

    • VPN client - Custom

    • Package ID - com.lacoon.security.fox

  12. Go to the Assignments tab:

    1. Under Included groups, click Add groups and assign the profile to sbm_unregistered_ANDROID group that you created in the previous section.

    2. Under Excluded groups, click Add groups and exclude the profile from sbm_registered_ANDROID group.

  13. Click Next.

  14. Review and create the profile.

Zero Touch Deployment for iOS devices

  1. In the Microsoft Intune Admin Center, go to Devices > Manage devices > Configuration > Policies.

  2. Click Create > New Policy.

  3. Select the Platform as iOS/iPadOS.

  4. Select Profile type as Templates.

  5. From the Templates list, select VPN.

  6. Click Create.

  7. In the Basics tab, enter a name for your profile (example, harmony_zero_touch_iOS).

  8. Click Next.

  9. In the Configuration settings tab:

    1. Select Connection type as Custom VPN.

    2. Under Base VPN, enter these:

      • Connection name - Check Point Local Tunnel

      • VPN server address - www.checkpoint.com

      • Authentication method - Username and password

      • Split tunneling - Disable

      • VPN identifier - com.checkpoint.capsuleprotect

      • Custom VPN attributes - zero_touch = true

  10. Under Automatic VPN, select Type of automatic VPN as On-demand VPN.

  11. Click Add to add On-demand rules.

  12. On the side panel, select these:

    • I want to do the following - Connect VPN

    • I want to restrict to - All domains

  13. Click Save.

  14. Select Block users from disabling automatic VPN as Yes.

  15. Click Next.

  16. Go to the Assignments tab and under Included groups, click Add groups.

  17. Search and select the Security Group which represents the Harmony Mobile users in Intune.

    Note - In iOS, you do not need to assign the profile to the sbm_unregistered_IOS group as you do for Android.

  18. Click Next.

  19. Review and create the profile.

Zero Touch Notification Permissions for iOS

This feature automatically grants the notification permission to the Harmony Mobile Protect App when you install the app through UEM, without user interaction.

Important:

To enable Zero Touch notification permissions for iOS devices:

  1. In the Microsoft Intune Admin Center, go to Devices > Configuration and click Create > New Policy.

  2. On the side panel:

    1. Select Platform as iOS/iPadOS.

    2. Select Profile type as Templates.

    3. Select Device features and then click Create.

  3. In the Basics tab, enter a name for your profile and then click Next.

  4. In the Configuration settings tab, click App Notifications and then click Add.

  5. Do these:

    1. In the App bundle ID field, enter com.checkpoint.capsuleprotect

    2. In the App name field, enter Harmony Mobile Protect.

    3. From the Notifications list, select Enable.

    4. Click Save.

  6. Click Next.

  7. In the Assignments tab, under Included groups, click Add groups and add your relevant groups.

  8. Click Next.

  9. Review the settings and then click Create.
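As an added example that is not part of the Check Point guide or of Intune's own tooling, the following Python script checks an exported Intune configuration against the settings from the procedures above: the exact group names in the Android assignments (the page notes the names are significant), Auto grant and the always-on VPN package ID, the custom VPN identifier, the zero_touch attribute, the on-demand rule and user-override lock, and the App Notifications entry. The JSON property names are my assumption about how Microsoft Graph exposes these profiles (androidWorkProfileGeneralDeviceConfiguration, iosVpnConfiguration, iosDeviceFeaturesConfiguration, deviceConfigurationAssignment) and should be confirmed against an export from your own tenant; the sample data at the bottom is constructed, not a real export.

```python
"""Drift check for the Harmony Mobile zero-touch profiles in Intune.

ASSUMPTION: property names follow the Microsoft Graph deviceConfiguration
resources as I recall them; verify against a real tenant export.
The SAMPLE_* data is constructed for illustration (ids are placeholders).
"""

ANDROID_VPN_PACKAGE = "com.lacoon.security.fox"        # Package ID from the Android procedure
IOS_BUNDLE_ID = "com.checkpoint.capsuleprotect"        # VPN identifier / App bundle ID
ANDROID_INCLUDE = "sbm_unregistered_ANDROID"           # group the profile must include
ANDROID_EXCLUDE = "sbm_registered_ANDROID"             # group the profile must exclude

INCLUDE_TARGET = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE_TARGET = "#microsoft.graph.exclusionGroupAssignmentTarget"


def assigned_group_names(assignments, group_names):
    """Split assignment targets into (included, excluded) display names.

    Graph assignments carry only a groupId; group_names maps id -> displayName.
    """
    included, excluded = set(), set()
    for assignment in assignments:
        target = assignment.get("target", {})
        name = group_names.get(target.get("groupId"), "<unknown>")
        if target.get("@odata.type") == INCLUDE_TARGET:
            included.add(name)
        elif target.get("@odata.type") == EXCLUDE_TARGET:
            excluded.add(name)
    return included, excluded


def check_android(profile, assignments, group_names):
    """Device restrictions profile: Auto grant, always-on VPN package, group scoping."""
    findings = []
    if profile.get("workProfileDefaultAppPermissionPolicy") != "autoGrant":
        findings.append("Default app permissions is not Auto grant")
    if profile.get("vpnAlwaysOnPackageIdentifier") != ANDROID_VPN_PACKAGE:
        findings.append(f"Always-on VPN package is not {ANDROID_VPN_PACKAGE}")
    included, excluded = assigned_group_names(assignments, group_names)
    # Exact, case-sensitive comparison: a differently spelled group is a finding.
    if ANDROID_INCLUDE not in included:
        findings.append(f"Profile is not assigned to {ANDROID_INCLUDE}")
    if ANDROID_EXCLUDE not in excluded:
        findings.append(f"Profile does not exclude {ANDROID_EXCLUDE}")
    return findings


def check_ios_vpn(profile):
    """Custom VPN profile: identifier, zero_touch attribute, on-demand, user lock."""
    findings = []
    if profile.get("connectionType") != "customVpn":
        findings.append("Connection type is not Custom VPN")
    if profile.get("identifier") != IOS_BUNDLE_ID:
        findings.append(f"VPN identifier is not {IOS_BUNDLE_ID}")
    custom = {kv.get("key"): kv.get("value") for kv in profile.get("customData", [])}
    if custom.get("zero_touch") != "true":
        findings.append("Custom VPN attribute zero_touch = true is missing")
    if profile.get("authenticationMethod") != "usernameAndPassword":
        findings.append("Authentication method is not Username and password")
    if profile.get("enableSplitTunneling", False):
        findings.append("Split tunneling is enabled")
    if not any(r.get("action") == "connect" for r in profile.get("onDemandRules", [])):
        findings.append("No on-demand rule with action Connect VPN")
    if not profile.get("disableOnDemandUserOverride", False):
        findings.append("Users are not blocked from disabling automatic VPN")
    return findings


def check_ios_notifications(profile):
    """Device features profile: notifications Enabled for the app bundle ID."""
    entries = [s for s in profile.get("notificationSettings", [])
               if s.get("bundleID") == IOS_BUNDLE_ID]
    if not entries:
        return [f"No App Notifications entry for {IOS_BUNDLE_ID}"]
    if not entries[0].get("enabled", False):
        return ["Notifications for Harmony Mobile Protect are not Enabled"]
    return []


# Constructed sample export; every value matches the procedures above.
SAMPLE_GROUPS = {"g-1": ANDROID_INCLUDE, "g-2": ANDROID_EXCLUDE}
SAMPLE_ANDROID = {"workProfileDefaultAppPermissionPolicy": "autoGrant",
                  "vpnAlwaysOnPackageIdentifier": ANDROID_VPN_PACKAGE}
SAMPLE_ANDROID_ASSIGNMENTS = [
    {"target": {"@odata.type": INCLUDE_TARGET, "groupId": "g-1"}},
    {"target": {"@odata.type": EXCLUDE_TARGET, "groupId": "g-2"}},
]
SAMPLE_IOS_VPN = {"connectionType": "customVpn", "identifier": IOS_BUNDLE_ID,
                  "customData": [{"key": "zero_touch", "value": "true"}],
                  "authenticationMethod": "usernameAndPassword",
                  "enableSplitTunneling": False,
                  "onDemandRules": [{"action": "connect"}],
                  "disableOnDemandUserOverride": True}
SAMPLE_IOS_FEATURES = {"notificationSettings": [
    {"bundleID": IOS_BUNDLE_ID, "appName": "Harmony Mobile Protect", "enabled": True}]}


def run_sample():
    """Findings per profile for the constructed sample; all empty when compliant."""
    return {
        "android": check_android(SAMPLE_ANDROID, SAMPLE_ANDROID_ASSIGNMENTS, SAMPLE_GROUPS),
        "ios_vpn": check_ios_vpn(SAMPLE_IOS_VPN),
        "ios_notifications": check_ios_notifications(SAMPLE_IOS_FEATURES),
    }


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "OK" if not findings else findings)
```

To use it against a real tenant, feed each function the JSON of the corresponding profile and its assignments (my assumption is that the Graph deviceConfigurations resource and its assignments relationship return these shapes) together with an id-to-displayName map of your groups; a non-empty findings list means the pushed profile has drifted from the procedure.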

Deploying SSL Certificate (Zero Touch SSL)

This section is relevant if you use the On-Device Network Protection (ONP) feature with the HTTPS Inspection option turned on.

First, you need to create a certificate in the Harmony Mobile Administrator Portal and then set the configuration on the UEM to push it to the devices. This certificate is used for the ONP SSL (Secure Sockets Layer: the standard security technology for establishing an encrypted link between a web server and a browser) Inspection.

Creating a certificate in the Harmony Mobile Administrator Portal

  1. In the Harmony Mobile Administrator Portal, go to the Policy tab and expand your policy profile.

  2. Click any one of these:

    • Device

    • Application

    • File

    • Network

  3. Click Network Protection.

  4. In the Advanced Network Protection settings section, enable HTTPS Inspection.

  5. In the HTTPS Settings section:

    1. Select Central CA for MDM deployment.

    2. Click Generate CA Certificate.

  6. Click OK.

  7. Enter the certificate name and click Add.

    The system generates the CA certificate.

  8. Click Download Certificate.

    The system downloads the certificate to your computer.

Note - If you use different policies for device groups, the enforcement of the certificate pushed by the UEM may take up to 24 hours on iOS devices.

This limitation does not apply if the entire fleet of devices uses the Global policy.

Creating a certificate profile on the UEM: