Deploying the Harmony Mobile Protect App automatically (Zero Touch Deployment)

Zero Touch deployment is optional. If the organization does not want Harmony Mobile to activate itself automatically on employees' devices, skip this chapter.

UEM (Unified Endpoint Management) solutions traditionally prompt the mobile device user to install the application once the device is registered. To get full protection, the user must then approve the required permissions and profiles. Many users are cautious about installing new mobile applications or granting permissions, and as a security company Check Point encourages that caution. Most users do not know that the Harmony Mobile Protect App inspects device characteristics and behaviors, not the content stored on or flowing through the device, and some are reluctant to comply with the company's security policy, especially on their own devices. As a result, users often decide not to install the app or approve the required configuration, and those who do agree rarely do it immediately, so the application is activated only after a delay. In the meantime, many devices remain exposed to potential cyber-attacks.

Harmony Mobile's zero-touch technology lets the Protect app be installed and activated automatically, without any user interaction. It relies on Check Point's bootstrap technology to achieve zero-touch activation: the UEM pushes a VPN configuration that causes the operating system to start the Protect app on its own.

Zero Touch Deployment in Android Enterprise Devices

First, you must create a Device Group.

To create a new Device Group:

  1. Go to Devices > Device Group > Add.

    Enter this information:

    • Name - android_sbm_registration

    • Dynamically Managed - ALL

    • Custom Device Attribute > CHKP_STATUS > is not equal to > Active (and)

    • Custom Device Attribute > CHKP_STATUS > is not equal to > Inactive (and)

    • OS > is equal to > Android

This group selects Android devices whose CHKP_STATUS attribute is neither Active nor Inactive, that is, devices that Harmony Mobile has not yet marked as registered. Because the group is dynamically managed, its membership is re-evaluated as CHKP_STATUS changes, so the bootstrap configuration targets only devices that still need it.

Next, create an Always On VPN configuration for the Protect app.

  1. Go to Configurations > Add > Always on VPN.

  2. Select App > com.lacoon.security.fox (the package name of the Harmony Mobile Protect app).

  3. Distribute the configuration to the android_sbm_registration Device Group created above.

Android starts an always-on VPN app's VPN service at boot and keeps it running, so this configuration is what launches the Protect app on the device without the user opening it.

Zero Touch Deployment in iOS Devices

First, create an Identity Certificate:

  1. Go to Configurations > Add > Identity Certificate.

  2. In Certificate Distribution, select Single File and upload the certificate:

    https://secureupdates.checkpoint.com/mobile/sbm/sbm_vpn_cert.p12

    Password: Aa123456

  3. Distribute the certificate to your group.

Note that this certificate file and its password are published by Check Point and are the same for every customer. Treat it as public material: use it only as the credential for the VPN On Demand configuration below and do not rely on it to authenticate anything else.

To create a new VPN On Demand configuration:

  1. Go to Configurations > Add > VPN On Demand.

  2. Enter these details:

    • Credentials - Select the Identity Certificate created in the previous procedure.

  3. Set Enable VPN On Demand to true.

  4. Add these two connection rules:

    • Interface Type Match - Cellular

      Action - Connect

    • Interface Type Match - Wifi

      Action - Connect

  5. Distribute the configuration to your group.

With both rules set to Connect, iOS brings the VPN up whenever the device has a cellular or Wi-Fi connection, which starts the Protect app's VPN component without any user interaction.
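For reference, the following is an added example (not from this guide and not Check Point's own profile) of the configuration profile that the Identity Certificate and VPN On Demand steps above produce. It is useful when checking what actually landed on a test device under Settings > General > VPN & Device Management. It assumes the app's VPN is delivered as an iOS Network Extension packet-tunnel provider; the PayloadIdentifier and PayloadUUID values, the app and provider bundle identifiers, and the RemoteAddress are placeholders, and the base64 body of sbm_vpn_cert.p12 is omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>        <string>Configuration</string>
  <key>PayloadVersion</key>     <integer>1</integer>
  <key>PayloadIdentifier</key>  <string>com.example.harmony.zerotouch</string>            <!-- placeholder -->
  <key>PayloadUUID</key>        <string>0F2D5B1C-0000-4000-8000-000000000001</string>     <!-- placeholder -->
  <key>PayloadDisplayName</key> <string>Harmony Mobile zero-touch</string>
  <key>PayloadContent</key>
  <array>

    <!-- 1. Identity Certificate: the sbm_vpn_cert.p12 file and its published password -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>com.example.harmony.zerotouch.identity</string> <!-- placeholder -->
      <key>PayloadUUID</key>        <string>0F2D5B1C-0000-4000-8000-000000000002</string>   <!-- placeholder -->
      <key>PayloadDisplayName</key> <string>sbm_vpn_cert.p12</string>
      <key>Password</key>           <string>Aa123456</string>
      <!-- PayloadContent holds the base64-encoded bytes of sbm_vpn_cert.p12 (omitted here) -->
      <key>PayloadContent</key>     <data></data>
    </dict>

    <!-- 2. VPN On Demand: connect on any cellular or Wi-Fi interface -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>com.example.harmony.zerotouch.vpn</string>      <!-- placeholder -->
      <key>PayloadUUID</key>        <string>0F2D5B1C-0000-4000-8000-000000000003</string>   <!-- placeholder -->
      <key>PayloadDisplayName</key> <string>Harmony Mobile VPN On Demand</string>
      <key>UserDefinedName</key>    <string>Harmony Mobile</string>
      <key>VPNType</key>            <string>VPN</string>
      <key>VPNSubType</key>         <string>com.example.protect-app</string>                <!-- placeholder: the Protect app's bundle id -->
      <key>ProviderType</key>       <string>packet-tunnel</string>
      <key>VPN</key>
      <dict>
        <key>AuthenticationMethod</key>     <string>Certificate</string>
        <!-- references the pkcs12 payload above -->
        <key>PayloadCertificateUUID</key>   <string>0F2D5B1C-0000-4000-8000-000000000002</string>
        <key>RemoteAddress</key>            <string>vpn.example.invalid</string>             <!-- placeholder; the key is required -->
        <key>ProviderBundleIdentifier</key> <string>com.example.protect-app.tunnel</string>  <!-- placeholder -->
        <key>OnDemandEnabled</key>          <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>InterfaceTypeMatch</key> <string>Cellular</string>
            <key>Action</key>             <string>Connect</string>
          </dict>
          <dict>
            <key>InterfaceTypeMatch</key> <string>WiFi</string>
            <key>Action</key>             <string>Connect</string>
          </dict>
        </array>
      </dict>
    </dict>

  </array>
</dict>
</plist>
```

The MobileIron Cloud console generates the equivalent payload from the fields you filled in; the point of the example is the shape of the OnDemandRules array. Two rules that both end in Connect mean the system requests the tunnel on every interface type the device uses, which is the whole bootstrap mechanism. If a test device shows the profile installed but the app never activates, compare the installed profile against this structure first.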

Deploy SSL Certificate (Zero Touch SSL)

This section applies only if you use the On-device Network Protection (ONP) feature with the HTTPS inspection option turned on.

First, create the certificate in the Harmony Mobile dashboard, then configure the UEM to push it to the devices. ONP uses this certificate for SSL inspection, so devices that receive it will trust it for intercepted HTTPS connections. Distribute only the certificate downloaded from your own Harmony Mobile dashboard, and push it only to the Device Group that receives the Protect app.

The procedure below applies to both Android and iOS.

  1. In MobileIron Cloud console, go to Configurations > Add > Certificate.

  2. In Create Settings tab, enter these:

    • Name - SSL Certificate for Harmony Mobile.

    • Configuration Setup - Select Choose file and upload the certificate you downloaded from the policy in the Harmony Mobile dashboard.

      Click Next.

  3. In Distribute tab, click Custom > Define Device Group Distribution.

    Make sure the Device Group you created is selected and click Done.