Deploying the Harmony Mobile Protect app automatically (Zero Touch Deployment)
This section is Optional.
UEM (Unified Endpoint Management) solutions traditionally prompt the mobile device user to install the application once the device is registered. In addition, to get full protection, the user needs to approve the required permissions and profiles. Many users are vigilant about installing new mobile applications or granting permissions, and as a security company, Check Point even encourages that. Most users do not know that the Harmony Mobile Protect app focuses on device characteristics and behaviors, not on the content stored on or flowing through the device. Furthermore, some users are not compliant with the company's security policy, especially when they use their own devices. Therefore, users often decide not to install the app or approve the required configuration. On top of that, users who do agree to install the app and accept the configuration often do not do so immediately, so it takes time until the application is activated. As a result, many devices remain exposed to potential cyber-attacks.
Harmony Mobile's innovative zero-touch technology allows the Protect app to be installed and activated automatically without any user interaction. The solution leverages Check Point’s unique bootstrap technology to establish zero-touch activation.
Zero Touch deployment is optional: if the organization does not want to force Harmony Mobile to activate itself automatically on employees' devices, skip this chapter.
Zero Touch Deployment in Android Enterprise devices
Note - The steps below are relevant when you want to apply Zero Touch to all devices. If this is not the case (for example, during evaluation), change the label criteria defined below to uniquely select the devices you want to apply this to.

- Create two new labels. Go to Devices & Users > Labels > Add Label Type > Filter:
  - Name: android_sbm_not_registered
    Criteria (copy the following):
    "custom.device.CHKP_Status" != "Active" AND "custom.device.CHKP_Status" != "Inactive" AND "common.platform" = "Android" AND "common.retired" = false
  - Name: android_sbm_registerd
    Criteria (copy the following):
    "custom.device.CHKP_Status" = "Active" AND "common.retired" = false AND "common.platform" = "Android"
- Create an Always-On VPN configuration:
  - Create a new ANDROIDFORWORK configuration and apply Always-On VPN to Harmony Mobile Protect. In this configuration, check:
    - Enable Managed Device with Work Profile of the devices
    - Auto update Mobile@Work app on the devices
  - In the "For Android 7.0 and higher only" section, check Always-on VPN and select Harmony Mobile Protect for the app identifier.
  - Click Save.
- Apply the configurations to your labels.
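As an added example that is not part of the original page (and not Check Point or MobileIron code), the following Python script applies the two label criteria above to a constructed device inventory, so you can see which devices each label would select before pushing the configurations fleet-wide; note that a device whose CHKP_Status is "Inactive" falls into neither label. The criteria grammar it parses is an assumption that covers only the two expressions on this page.

```python
import re
# Added example; not Check Point or MobileIron code. The criteria grammar
# (quoted field, = or !=, quoted or boolean value, AND-joined) is an assumption
# that covers only the two label expressions on this page.
NOT_REGISTERED = ('"custom.device.CHKP_Status" != "Active" AND '
                  '"custom.device.CHKP_Status" != "Inactive" AND '
                  '"common.platform" = "Android" AND "common.retired" = false')
REGISTERED = ('"custom.device.CHKP_Status" = "Active" AND '
              '"common.retired" = false AND "common.platform" = "Android"')

TERM = re.compile(r'"([^"]+)"\s*(!=|=)\s*("([^"]*)"|true|false)')

def parse_criteria(text):
    """Split an AND-joined filter into (field, operator, value) terms."""
    terms = []
    for clause in text.split(" AND "):
        m = TERM.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        value = m.group(4) if m.group(4) is not None else m.group(3) == "true"
        terms.append((m.group(1), m.group(2), value))
    return terms

def matches(device, terms):
    """True when every term holds; a field the device never reported is None."""
    for field, op, value in terms:
        if (device.get(field) == value) != (op == "="):
            return False
    return True

def classify(devices):
    """Map each device id to the set of labels whose criteria it satisfies."""
    labels = {"android_sbm_not_registered": parse_criteria(NOT_REGISTERED),
              "android_sbm_registerd": parse_criteria(REGISTERED)}
    return {d["id"]: {name for name, t in labels.items() if matches(d, t)}
            for d in devices}

# Constructed sample inventory: a1 has never reported a CHKP_Status,
# a3 is Inactive, a4 is retired, i1 is not Android.
SAMPLE = [
    {"id": "a1", "common.platform": "Android", "common.retired": False},
    {"id": "a2", "common.platform": "Android", "common.retired": False,
     "custom.device.CHKP_Status": "Active"},
    {"id": "a3", "common.platform": "Android", "common.retired": False,
     "custom.device.CHKP_Status": "Inactive"},
    {"id": "a4", "common.platform": "Android", "common.retired": True},
    {"id": "i1", "common.platform": "iOS", "common.retired": False},
]

MEMBERSHIP = classify(SAMPLE)  # a1 -> not_registered, a2 -> registerd, a3/a4/i1 -> no label
```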
CA certificate deployment using the UEM
To inspect the HTTPS traffic coming from your devices, you can install a root CA certificate on the devices using the UEM capabilities.
You can use the same profiles that were created for Zero-Touch deployment but for this example we will create a new profile.
Deploying the CA certificate on Android Enterprise devices:
Follow these steps after generating, in the Harmony Mobile dashboard, a certificate dedicated to your policy:
- In the MobileIron Core Portal, go to Policies & Configurations > Configurations > Add New > Certificate.
- Upload the certificate file you generated in the Harmony Mobile dashboard and click Save.
- Apply the configuration to your label.
Zero Touch Deployment in iOS devices
- Create a new VPN profile. Go to Policies & Configs > Configurations > Add New > VPN.
- On VPN Settings, fill in the following details:
  - Connection Name: Check Point Local Tunnel
  - Connection Type: Custom SSL
  - Identifier: com.checkpoint.capsuleprotect
  - Server: www.checkpoint.com
  - User authentication type: password
  - Enable VPN on Demand
- Add On Demand Rules: add two Connect rules, one for Wi-Fi and one for cellular.
- On Custom Data, add zero_touch=true.
- Click Save.
- Apply the configuration to your label.