Integration with MobileIron Cloud
Preparing UEM Platform for Integration
To deliver content to devices, MobileIron Cloud identifies users and establishes permissions through Device Provisioning Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM. Groups.
Through your MobileIron Cloud portal you can:
-
Build groups for entities within your organization.
-
Customize hierarchies with group levels.
-
Integrate with multiple internal infrastructures at the tier level.
-
Delegate role-based access and management based on multi-tenant structure.
|
Best Practice - For integration with the Check Point Harmony Mobile Protect app, use groups to set up the same UEM Unified Endpoint Management. An architecture and approach that controls different types of devices such as computers, smartphones and IoT devices from a centralized command point. hierarchy as in your organization's internal hierarchy, or set up groups based on MobileIron Cloud features and content |
Prerequisites
-
MobileIron Cloud Instance and System Management Admin credentials.
-
An iOS UEM Certificate in MobileIron Cloud Portal. For more information see the online guide.
MobileIron Cloud Portal (Example):
General Workflow
-
Enable the Check Point Harmony Mobile Protect app on your MobileIron Cloud devices. See "Enabling the Harmony Mobile Protect app on the MobileIron Cloud Devices".
-
Create API Account for the Check Point Harmony Mobile Protect app. See "Creating API Account for Integration with the Harmony Mobile".
-
Create a User Provisioning Group for the Check Point Harmony Mobile Protect app. See ''Creating a Device Provisioning GroupCreating a Device Provisioning Group''.
-
Configure application collection. See "Configuring Application Collection".
-
Set Harmony Mobile parameters for the device protection. See "Setting Parameters for the Device Protection".
Enabling the Harmony Mobile Protect app on the MobileIron Cloud Devices
MobileIron Cloud deploys Harmony Mobile Protect app on a device.
-
Harmony Mobile service integrates with MobileIron Cloud through the existing API. To enable integration, you must first create a MobileIron Cloud API account.
Harmony Mobile integrates with MobileIron On-Premise Core and MobileIron Connected Cloud version 8.0 or later, with API access. Harmony Mobile uses the API to synchronize the device records, to retrieve device apps list, and to report the device risk level to MobileIron Cloud.
-
You must configure your UEM to collect the app list from the devices enrolled to Harmony Mobile. See Configuring Application Collection.
Creating API Account for Integration with the Harmony Mobile
For the interaction with Harmony Mobile and the MobileIron Cloud system you must create a dedicated API account user in your MobileIron Cloud. This API account limits the capability of the admin credentials between the Harmony Mobile Dashboard and the MobileIron Cloud system.
|
Best Practice - For the interaction at the API only, the MobileIron Cloud Console provides an "API Only" Admin Role. You can use this Administrator account between the Harmony Mobile Dashboard and the MobileIron Cloud system. See Configuring the Check Point Harmony Mobile Dashboard Integration Settings |
To create an “API Only” Administrator Account, create a dedicated Local User and assign it the Administrator Role.
Creating an API User Account
To create a Local User account settings:
-
On the MobileIron Cloud Console go to Users > Users, click the +Add drop-down menu, and select API User.
Example:
-
In the Add API User window enter all the required (|) fields with the applicable information.
Example:
-
Username - sbm_admin (recommended)
In our case we created a user ''UEM.test''
-
First Name
-
Last Name
-
Password
-
Confirm Password
-
Email
-
-
In the API Management section:
Remove the selection mark from the Cisco ISE Operations option.
Example:
-
Click Save.
Assigning the Harmony Mobile API Administrator Role to the API User
For more information see the online guide.
To set the new API Administrator account:
-
Go to Users > Users and select the new UEM.test user that you created.
-
From the Actions drop-down menu select Append Roles.
Example:
-
In the Select Role section select these settings:
-
System Read Only
-
User Read Only
-
Device Management
-
App & Content- Read Only
Example:
-
-
Click Next.
-
Click Done.
-
Log out and log in back with these new Admin credentials.
Example:
Creating a Device Provisioning Group
To configure your devices, apps, and app configurations for the Harmony Mobile Protect app, you must add them to the Dynamically Managed Device Provisioning Group named cpuser_test_devices, and then synchronize them with the Harmony Mobile Dashboard. They will be prompted to install the Harmony Mobile Protect app after the synchronization.
|
Note - The data fields are similar for both iOS and Android users. The examples below are applicable for both platforms. |
These devices will be registered to Harmony Mobile.
To create a Device Provisioning Group:
-
On the MobileIron Cloud Portal go to Devices > Device Groups and click Add+.
Example:
-
In the Create Device Group window enter these details:
Name – cpuser_test_devices
Description
Select Dynamically Managed
-
In the User Group section:
-
Select All of the following rules are true
-
Set User Group is equal to cptest_group
-
-
In the Platform section:
-
Select Any of the following rules are true and click on Add Group button
-
Set OS is equal to iOS
-
Set OS is equal to Android
-
-
-
Click Save.
Creating Custom Device Attributes
To configure your devices and users for the Harmony Mobile Protect app, you must add them to the device provisioning group that is registered with the Harmony Mobile and integrated with the Harmony Mobile Dashboard. Use tags to label these devices and users.
-
Status tags
Harmony Mobile Dashboard uses labels to deploy the Harmony Mobile Protect app from the public stores to the devices that Check Point Harmony Mobile protects.
The system prompts the user to install the Protect app only when the device has the CHKP_Status of Provisioned, Active, or TF. If all of these tags are empty or 0, then the system does NOT prompt the user to install the Protect app. In this way the devices first synchronize in the Harmony Mobile Dashboard and then prompt the user to install the Harmony Mobile Protect app.
You must add the Protect app for both iOS and Android operating systems.
-
Risk Levels
You must create special Mobile Device labels and name it risk_level. Each mobile device in MobileIron Cloud gets one of these risk level values:
Harmony Mobile Dashboard uses the built-in Risk tags to identify any device as determined by the Harmony Mobile Analysis.
-
None
-
Low
-
Medium
-
High
These tags allow the MobileIron Cloud system to identify the devices at risk and to enforce configured compliance policies based on their risk level.
-
The complete Custom Attributes list (example):
To create Custom Device Attributes:
-
On the MobileIron Cloud Portal go to Admin > System > Attributes and click +Add New.
-
In the Custom Attributes window enter these settings:
-
Attribute Name - CHKP_Risk
-
Set Attribute Type- Device
-
Repeat the above steps to create custom device attributes for CHKP_Status and CHKP_ TF.
Configuring Application Collection
After the initial device sync, you must update the Harmony Mobile Dashboard with the device app lists. The UEM must collect the app list from the devices enrolled to Harmony Mobile.
To configure the UEM to collect the app lists:
-
On the MobileIron Cloud Portal go to Configurations, click +Add drop-down menu.
-
In the Add Configuration window select Privacy.
-
In the Create Privacy Configuration window configure these settings:
-
In the Privacy Create Settings section enter a Name and Description:
Name: SBM_cpmp_privacy_policy
-
In the Configuration Setup section for Collect App Inventory section select For Apps on the Device
-
-
Click Next.
-
Click Custom.
-
Select the Device Provisioning Group. See Creating a Device Provisioning Group
-
Click Done.
-
Apply this privacy policy to the Harmony Mobile Device Provisioning Group that you created. For more information see Creating a Device Provisioning Group.
Setting Parameters for the Device Protection
To protect your users, you must configure Harmony Mobile Protect app to work on your user devices. Add users to the organization group for Harmony Mobile protection. See Creating a Device Provisioning Group.
Repeat these steps to add more users and more devices.
Adding Local Users to the Harmony Mobile Protect app
You can use Add Local User option to add one user, or Resync with DAPt option to upload more than one user at a time. Repeat this procedure for each new device that you add.
You can add a single user, multiple users, or invite users from LDAP.
To add a single user:
-
On the MobileIron Cloud Portal go to Users > Users and click the +Add.
-
Select Single User.
-
In the Add Single User window enter applicable information.
-
Select the applicable User Group for integration with the Harmony Mobile Protect app (See Creating a Device Provisioning Group).
-
To invite the user to enroll a device to MobileIron Cloud, select the Send Invitation now option.
-
Click Done.
Enrolling a Device to MobileIron Cloud
To manage your devices and apps and their access to your company data you must enroll them in the MobileIron Cloud service.
For more information see the MobileIron Cloud online guide: Device Registration (iOS, macOS, and Android).