Configuring UEM to Deploy the Harmony Mobile Protect app

General workflow:

  1. Add the Harmony Mobile Protect app to your App Catalog. See Adding the Harmony Mobile Protect app to your App Catalog

  2. Prompt the Harmony Mobile Protect app installation on your devices. See Automatic Activation of Harmony Mobile: Prompt the Protect app installation

  3. Connect the app to your devices. See Connecting the Harmony Mobile Protect app to your Device

  4. (Optional) Configure the Mitigation Process for the app. See Creating a Mitigation Process

Adding the Harmony Mobile Protect app to your App Catalog

The Harmony Mobile Protect app can be automatically configured and deployed. The user only needs to accept the installation and then launch the app to finish activation and registration. You assign the app's configuration parameters per user.

Note - The data fields are similar for iOS and Android, so the same values apply to both platforms.

Use the CHKP Status Tags to deploy the Harmony Mobile Protect app from the public stores to the devices that are protected by Check Point Harmony Mobile. See Creating a Device Provisioning Group for Harmony Mobile

You must add the Protect app for both iOS and Android operating systems.

Notes -

  • As you add the Harmony Mobile Protect app to your catalog, rename this New Mobile Device App to Harmony Mobile Protect app.

  • Approve the Harmony Mobile Protect app in Work Google Play account.

To import the Harmony Mobile Protect app:

  1. Go to Apps > App Catalog > Add.

  2. Select and configure the Harmony Mobile Protect app.

    • For Android Enterprise Devices

      1. Select Add > Google Play > Harmony Mobile Protect app.

      2. In the Application Name field enter Harmony Mobile Protect and click Search.

      3. From the app list, select the Harmony Mobile Protect app.

      4. Click Next.

        The Describe pane opens. No changes are required.

      5. Click Next.

      6. On the App Store pane, under the Apps@Work catalog checkbox, select only the Feature this App option.

      7. Select these options:

        • Install the app for Android Enterprise

        • Auto Update this App

        • Silent Install for Mandatory Apps

      8. Go to Configuration Choices and click Add.

      9. In the Configuration Choices section configure these settings and assign them to the label:

        Item              Type      Configuration Value
        mdm_uuid          String    $DEVICE_UUID$
        gwAddress         String    The Security Gateway server for your region (see the table below)
        token             String    hash_tenant_id - the SHA-256 value of the Dashboard Management ID. You must use the token configured in the Deployment section; see Configuring the Integration Settings
        portalAccountId   String    Account ID of the application in the Infinity Portal, used to integrate it with the UEM

        Security Gateway servers:

        Region                     Server
        US                         gw.locsec.net
        Ireland (EU region)        eu-gw.locsec.net
        Australia (Asia region)    au-gw.locsec.net
        Canada                     ca-gw.locsec.net
        UK                         uk-gw.locsec.net
        India                      in-gw.locsec.net

      10. Click Finish.

    • For iOS Devices

      1. Go to Store List and select iTunes.

      2. In the Application Name field enter Harmony Mobile Protect, select App Store, and click Search.

      3. Select the Harmony Mobile Protect app.

      4. Click Next.

        The Describe pane opens. No changes are required.

      5. On the App Store pane, under Apps@Work catalog, select these options:

        • This is a Free App

        • Allow conversion of apps from unmanaged to managed in Apps@Work (iOS 9 or later)

        • Feature this App in the Apps@Work catalog

      6. Click Next.

      7. On the App Configuration pane select these options:

        • Send installation request on device registration or sign-in

        • Remove app when UEM profile is removed

      8. Click Finish.

        Then enable the automatic configuration and deployment of the app. See iOS App Deployment Configuration

iOS App Deployment Configuration

To enable the automatic configuration and deployment of the iOS Harmony Mobile Protect app on your devices, you must assign per-user configuration parameters to the app. Create the ManagedAppConfig.plist file and then use it to auto-deploy the Harmony Mobile Protect app to your devices.

To create the ManagedAppConfig.plist File:

  1. Copy this text to a text editor (for example, Notepad).

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>DEVICE_UDID</key>
        <string>$DEVICE_UDID$</string>
        <key>DEVICE_MAC</key>
        <string>$DEVICE_MAC$</string>
        <key>DISPLAY_NAME</key>
        <string>$DISPLAY_NAME$</string>
        <key>EMAIL</key>
        <string>$EMAIL$</string>
        <key>FIRST_NAME</key>
        <string>$FIRST_NAME$</string>
        <key>LAST_NAME</key>
        <string>$LAST_NAME$</string>
        <key>USERID</key>
        <string>$USERID$</string>
        <key>Lacoon Server Address</key>
        <string>gw.locsec.net</string>
        <key>token</key>
        <string>hash_tenant_id</string>
        <key>UEM_device_id</key>
        <string>$DEVICE_UUID$</string>
    </dict>
    </plist>

    In line 20 of the file, replace the gateway server (gw.locsec.net) with the gateway for your region. Leave the $...$ values as they are: they are UEM substitution variables that MobileIron Core fills in per device when it pushes the configuration.

    Security Gateway servers:

    Region                     Server
    US                         gw.locsec.net
    Ireland (EU region)        eu-gw.locsec.net
    Australia (Asia region)    au-gw.locsec.net
    Canada                     ca-gw.locsec.net
    UK                         uk-gw.locsec.net
    India                      in-gw.locsec.net

  2. Replace the hash_tenant_id text inside <string>hash_tenant_id</string> with the Token you saved from the Deployment section. See Configuring the Integration Settings

  3. Click Save As… and save the file as ManagedAppConfig.plist

  4. Exit the file.

  5. Go to Policies & Configs > Configurations and click Add New.

  6. From the drop-down list select Apple > iOS / tvOS > Managed App Config.

    The New Managed App Config Setting window opens.

  7. Enter these parameters:

    • Name

    • Description

    • BundleId - Enter com.checkpoint.capsuleprotect

  8. Click Choose File and select the ManagedAppConfig.plist file.

  9. Click Save.

  10. Select this new Managed App Config and click More Actions drop-down menu.

  11. Select Apply To Label.

  12. In the Apply To Labels window select the primary or secondary Device Provisioning group (label).

    See Creating a Device Provisioning Group for Harmony Mobile

  13. Click Apply.
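As an added example (this is not Check Point's or Ivanti/MobileIron's tooling), the following Python script builds the ManagedAppConfig.plist described above with the standard plistlib module, picks the gateway host by region, refuses to write the file while the token still holds the hash_tenant_id placeholder, and checks an existing file for the same mistakes. The same gateway and token checks apply to the gwAddress and token values in the Android Configuration Choices. The key names, the $...$ substitution placeholders and the gateway host names are taken from this page; the region labels, the function names and the assumption that the Deployment-section token is a 64-character hex SHA-256 string are this example's own.

```python
"""Build and sanity-check a ManagedAppConfig.plist for the Harmony Mobile Protect app.

Added example; not Check Point or Ivanti/MobileIron code. Key names, $...$
placeholders and gateway host names come from the page. ASSUMPTIONS: the
region labels below and the hex-encoded SHA-256 token format are this
example's own.
"""
import plistlib
import re

# Regional Security Gateway servers from the page (region labels are this example's own).
GATEWAYS = {
    "US": "gw.locsec.net",
    "EU": "eu-gw.locsec.net",
    "ASIA": "au-gw.locsec.net",
    "CANADA": "ca-gw.locsec.net",
    "UK": "uk-gw.locsec.net",
    "INDIA": "in-gw.locsec.net",
}

# UEM substitution variables. They must stay literal in the file; MobileIron Core
# expands them per device when it pushes the managed app configuration.
MDM_VARIABLES = {
    "DEVICE_UDID": "$DEVICE_UDID$",
    "DEVICE_MAC": "$DEVICE_MAC$",
    "DISPLAY_NAME": "$DISPLAY_NAME$",
    "EMAIL": "$EMAIL$",
    "FIRST_NAME": "$FIRST_NAME$",
    "LAST_NAME": "$LAST_NAME$",
    "USERID": "$USERID$",
}
UEM_DEVICE_ID = "$DEVICE_UUID$"
PLACEHOLDER_TOKEN = "hash_tenant_id"

# Assumption: the Deployment-section token is the hex-encoded SHA-256 digest (64 hex chars).
TOKEN_RE = re.compile(r"[0-9a-fA-F]{64}")


def build_managed_app_config(region: str, token: str) -> bytes:
    """Return the XML plist bytes for the given region and deployment token."""
    gateway = GATEWAYS.get(region.upper())
    if gateway is None:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(GATEWAYS)}")
    if token == PLACEHOLDER_TOKEN or not TOKEN_RE.fullmatch(token):
        raise ValueError("token must be the SHA-256 value from the Deployment section")
    config = dict(MDM_VARIABLES)              # same key order as the file on the page
    config["Lacoon Server Address"] = gateway
    config["token"] = token
    config["UEM_device_id"] = UEM_DEVICE_ID
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=False)


def check_managed_app_config(data: bytes) -> list:
    """Return the problems found in an existing ManagedAppConfig.plist (empty list if it is fine)."""
    try:
        config = plistlib.loads(data)
    except Exception as exc:                  # malformed XML or non-plist content
        return [f"not a valid plist: {exc}"]
    if not isinstance(config, dict):
        return ["top-level plist object must be a dict"]
    problems = []
    expected = dict(MDM_VARIABLES, UEM_device_id=UEM_DEVICE_ID)
    for key, placeholder in expected.items():
        if config.get(key) != placeholder:
            problems.append(f"{key} must be the literal substitution variable {placeholder}")
    gateway = config.get("Lacoon Server Address")
    if gateway not in GATEWAYS.values():
        problems.append(f"Lacoon Server Address {gateway!r} is not one of the regional gateways")
    token = str(config.get("token", ""))
    if token == PLACEHOLDER_TOKEN or not TOKEN_RE.fullmatch(token):
        problems.append("token still holds the hash_tenant_id placeholder or is not a SHA-256 hex value")
    return problems


if __name__ == "__main__":
    sample_token = "0123456789abcdef" * 4      # constructed value, not a real tenant token
    plist_bytes = build_managed_app_config("EU", sample_token)
    print(plist_bytes.decode())
    print("problems:", check_managed_app_config(plist_bytes))
```

Run check_managed_app_config on the file you are about to upload in step 8; a non-empty list means the placeholder token or the default US gateway was left in place, which is the usual cause of a pushed configuration that never registers the device.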

Automatic Activation of Harmony Mobile: Prompt the Protect app installation

If the Harmony Mobile Protect app is not installed on a device, or is removed from it, the device is marked as not protected.

To prompt the Harmony Mobile Protect app installation on your devices

  1. Create a Protect app Application Group for both iOS and Android apps.

  2. Assign this group to your organization.

  3. Create a compliance policy that uninstalls or removes all corporate apps from the device until the user installs the Harmony Mobile Protect app on the device.

Connecting the Harmony Mobile Protect app to your Device

To install the Harmony Mobile Protect app on the devices in your organization, you must first configure them to require the Harmony Mobile Protect app. This is a dynamic group assignment based on the associated tag; MobileIron UEM calls these dynamic Assignment Groups "Smart Groups".

Add all the devices marked with the Status tags to a group that indicates that the devices are registered in the Harmony Mobile Dashboard.

Optional: Create a mitigation process. See Creating a Mitigation Process

General Workflow:

  1. Add the Harmony Mobile Protect apps to the Device Provisioning Group to create a Protect app group.

  2. Create an App Control Rule that prompts installation of the Harmony Mobile Protect app on both iOS and Android devices.

  3. Assign the groups of the protected devices to the organization through the Status tags.

  4. Create a Compliance policy to uninstall / remove corporate apps from the device until the user installs the required apps on the device.

  5. Create a Mitigation Process for devices-at-risk through the Risk tags.

Creating a Protect app Group

Add the Harmony Mobile Protect app group to your devices in the Device Provisioning group.

Note - The data fields are similar for iOS and Android, so the same steps apply to both platforms.

To add Harmony Mobile Protect apps to the Device Provisioning Group:

  1. On the MobileIron Core Portal go to Apps > App Catalog and select the Harmony Mobile Protect app for both the iOS and Android devices.

  2. In the Actions drop-down menu select Apply To Labels.

  3. In the Apply to Labels window select the provisioning label you created for the Device Provisioning group. See Creating a Device Provisioning Group for Harmony Mobile

  4. Click Apply.

Creating an App Control Rule

The App Control Rule prompts the iOS and Android devices to install the Harmony Mobile Protect app.

Procedure:

  1. Go to Apps > App Control and click Add.

  2. In the Add App Control Rule window configure these parameters:

    • Rule Name - Enter a name for the rule and select the Required option.

    • Rule Entries:

      • App Identifier Equals com.checkpoint.capsuleprotect, platform iOS

      • App Identifier Equals com.lacoon.security.fox, platform Android

  3. Click Save.

Creating a Compliance Actions Policy for the Organization Devices

The Compliance Policies are activated on the devices that did not install the required apps.

You must create separate compliance policies for specific OS types, such as iOS and Android.

Note - In every organization, the customer configures the compliance policies according to the production environment, needs, and the internal security policy.

To create a Compliance Policy:

  1. Go to Policies & Configs > Compliance Action and click + Add.

  2. In the Add Compliance Action window configure these parameters:

    • Name - Enter Non-Compliant Device Actions (recommended)

    • Select these options:

      • Enforce Compliance Actions Locally on Devices

      • ALERT - Select Send a compliance notification or alert to the user

      • BLOCK ACCESS - Select Block email access and AppConnect apps

      • QUARANTINE - Select Quarantine the device

  3. Click Save.

Creating a Security Compliance Rule (Enforcement)

Link the App Control Rule and Compliance Actions Policy to create the new Security Policy.

Procedure:

  1. Go to Policies & Configs > Policies > Add New and select Security.

  2. In the New Security Policy window enter a policy name.

  3. Scroll down to the Access Control > For All Platforms section and then select these options for each platform:

    • For iOS Devices

      Scroll down to the For iOS devices section and select these options:

      • Non-Compliant Device Actions Policy

      • when device UEM is deactivated

    • For Android Devices

      Scroll down to the For Android devices section and select these options:

      • Non-Compliant Device Actions Policy

      • when device administrator is deactivated

  4. Click Save.

Applying the UEM Security Policy to the Device Provisioning Group

Procedure:

  1. Go to Policies & Configs > Policies and select the Security Policy.

  2. Make sure the checkbox next to the policy is selected, then click the More Actions drop-down menu and select Apply To Label.

  3. In the Apply To Labels window select the label that matches your setup:

    • If you created only a Primary Device Provisioning Group, select the Device Provisioning Label.

    • If you created both a Device Provisioning Group and a Secondary Device Provisioning Group, select the Secondary Device Provisioning Label.

  4. Click Apply.

Creating a Mitigation Process

To let the MobileIron Core system identify the devices-at-risk and enforce the configured compliance policies according to the risk level, you must apply the built-in Risk tags. The Harmony Mobile Dashboard uses these tags (CHKP_Risk) to mark each device with the risk level that the Harmony Mobile analysis determines.

For more information, see Configuring the Integration Settings

To enforce the policy on the devices, you must create Device Profiles and the Compliance Policy that applies these profiles to the devices: create a Compliance Policy Rule and a Compliance Policy Group, then apply the Compliance Policy Group to the Device Provisioning Label.

Check Point recommends these names for the Harmony Mobile Protect app attributes:

  • Device Provisioning Group - CPTME_SBM

  • Custom Attribute - CHKP_Risk (set to High or Medium)

  • Compliance Policy Group - CPTME_SBM_AT_RISK_DEVICES

Creating a Compliance Policy for the Devices at Risk

The Compliance Policies are activated on the devices that are at High risk (and, optionally, at Medium risk).

You must create separate compliance policies for specific OS types, such as iOS and Android.

Note - In every organization, the customer configures the compliance policies according to the production environment, needs, and the internal security policy.

To create a Compliance Policy for the Devices at Risk:

  1. Go to Policies & Configs > Compliance Policies > Compliance Policy Rule and click Add.

  2. On the Compliance Policy Rule tab configure these parameters:

    • Rule Name - Enter the Rule Name.

    • Description - Enter a description.

    • Status - Check the Enabled option.

    • Make sure Exclude retired devices from search results is selected.

  3. From the Field menu select Custom Attributes > Device Attributes > CHKP_Risk.

  4. From the Operator menu select Equals.

  5. In the Value field enter High.

  6. (Optional) To apply the Compliance Action to devices with a High or Medium Risk level, click the [+] icon to add another line and enter Medium in the Value field.

  7. From the Compliance Action menu select the Non-Compliant Device Action. See Creating a Compliance Actions Policy for the Organization Devices

  8. Click Save.
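As an added example, not Ivanti/MobileIron Core or Check Point code, the following Python model evaluates the enforcement chain built on this page over a constructed device inventory: the App Control Rule that requires the Protect app by its platform-specific identifier (see Creating an App Control Rule), the CHKP_Risk Compliance Policy Rule with its optional Medium line, the Non-Compliant Device Actions, the scoping to the provisioning label and the retired-device exclusion. The bundle identifiers, attribute name, label name and action names are those on the page; the Device record layout, the function names and the sample devices are this example's own assumptions.

```python
"""Model of the Harmony Mobile / MobileIron compliance enforcement built on this page.

Added example; not Ivanti/MobileIron Core or Check Point code. Bundle IDs, the
CHKP_Risk attribute, the CPTME_SBM label and the action names come from the page.
ASSUMPTIONS: the Device record layout, function names and sample devices are
this example's own.
"""
from dataclasses import dataclass, field

# App Control Rule (type Required): one App Identifier entry per platform.
REQUIRED_APP = {
    "iOS": "com.checkpoint.capsuleprotect",
    "Android": "com.lacoon.security.fox",
}

# Compliance Policy Rule: CHKP_Risk Equals High, plus the optional Medium line.
RISK_VALUES = ("High", "Medium")

# The Non-Compliant Device Actions compliance action.
NON_COMPLIANT_ACTIONS = ("ALERT", "BLOCK_ACCESS", "QUARANTINE")

PROVISIONING_LABEL = "CPTME_SBM"   # recommended Device Provisioning Group name


@dataclass
class Device:
    name: str
    platform: str                                          # "iOS" or "Android"
    labels: set = field(default_factory=set)
    installed_apps: set = field(default_factory=set)       # app identifiers reported by the device
    custom_attributes: dict = field(default_factory=dict)  # e.g. {"CHKP_Risk": "High"}
    retired: bool = False


def evaluate(device: Device, label: str = PROVISIONING_LABEL, include_medium: bool = True) -> dict:
    """Evaluate one device; returns in_scope, the reasons it is non-compliant, and the actions."""
    result = {"in_scope": False, "reasons": [], "actions": ()}
    # Policies are applied to the provisioning label; retired devices are excluded
    # ("Exclude retired devices from search results").
    if device.retired or label not in device.labels:
        return result
    result["in_scope"] = True

    # App Control Rule: the identifier is platform-specific, so the iOS bundle ID
    # on an Android device does not satisfy the rule.
    required = REQUIRED_APP.get(device.platform)
    if required is None:
        result["reasons"].append(f"no App Control entry for platform {device.platform!r}")
    elif required not in device.installed_apps:
        result["reasons"].append(f"required app {required} is not installed")

    # Compliance Policy Rule on the CHKP_Risk custom attribute.
    triggering = RISK_VALUES if include_medium else RISK_VALUES[:1]
    risk = device.custom_attributes.get("CHKP_Risk")
    if risk in triggering:
        result["reasons"].append(f"CHKP_Risk Equals {risk}")

    if result["reasons"]:
        result["actions"] = NON_COMPLIANT_ACTIONS
    return result


def evaluate_fleet(devices, **kwargs) -> dict:
    """Map device name -> evaluate() result for a whole inventory."""
    return {d.name: evaluate(d, **kwargs) for d in devices}


# Constructed inventory (not real devices).
SAMPLE_DEVICES = [
    Device("ios-ok", "iOS", {"CPTME_SBM"}, {"com.checkpoint.capsuleprotect"}),
    Device("ios-no-app", "iOS", {"CPTME_SBM"}, set()),
    Device("android-high", "Android", {"CPTME_SBM"}, {"com.lacoon.security.fox"}, {"CHKP_Risk": "High"}),
    Device("android-medium", "Android", {"CPTME_SBM"}, {"com.lacoon.security.fox"}, {"CHKP_Risk": "Medium"}),
    Device("android-wrong-id", "Android", {"CPTME_SBM"}, {"com.checkpoint.capsuleprotect"}),
    Device("unlabeled", "iOS", set(), set(), {"CHKP_Risk": "High"}),
    Device("retired", "Android", {"CPTME_SBM"}, set(), {"CHKP_Risk": "High"}, retired=True),
]

if __name__ == "__main__":
    for name, r in evaluate_fleet(SAMPLE_DEVICES).items():
        print(f"{name:17} in_scope={str(r['in_scope']):5} actions={r['actions']} reasons={r['reasons']}")
```

Two of the sample devices are worth a second look when you test your own rules: the device carrying only the iOS bundle ID on Android stays non-compliant because each App Control entry is bound to one platform, and the High-risk device outside the CPTME_SBM label receives no action at all, which is why the Compliance Policy Group must be applied to the provisioning label rather than left unassigned.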

Creating a Compliance Policy Group

Compliance Policy Group uses the Compliance Policy Rules and applies to the Device Provisioning Group to enforce on devices that are at High or Medium Risk.

Procedure:

  1. Go to Policies & Configs > Compliance Policies > Compliance Policy Group and click Add.

  2. On the Compliance Policy Group tab configure these parameters:

    • Group Name - Enter the Group Name.

    • Status - Check the Enabled option.

    • Make sure Exclude retired devices from search results is selected.

  3. In the Available Rules section, select the Compliance Rule you created.

  4. Click Save.

Applying the Compliance Policy Group to the Device Provisioning Group

The Compliance Policy applies to the Device Provisioning Group (see Creating a Device Provisioning Group for Harmony Mobile).

Procedure:

  1. Go to Policies & Configs > Compliance Policies > Compliance Policy Group and select the Compliance Policy Group (see Creating a Compliance Policy Group).

  2. Click the Actions menu and select Apply to Labels.

  3. In the Apply to Label window select the Device Provisioning Group label (for example, CPTME_SBM).

  4. Click Apply.