Integration with MobileIron Core

Preparing UEM Platform for Integration

Harmony Mobile service integrates with MobileIron Core (on-premise) through the existing API.

The MobileIron Core is connected to MobileIron cloud (version 8.0 or later) through API access. Harmony Mobile uses this API to synchronize the device records, to retrieve the list of apps installed on each device, and to report the device risk level back to MobileIron Core.

To enable integration, you must first create a MobileIron Core API account.

Note - For more information about MobileIron Cloud, see the MobileIron online guide.

You also need to configure your MobileIron UEM (Unified Endpoint Management) to collect the app list from the devices enrolled in Harmony Mobile. See Configuring Application Collection.

General Workflow

  1. Enable the Check Point Harmony Mobile Protect app on your MobileIron Core devices. See Enabling the Harmony Mobile Protect app on the MobileIron Core Devices.

  2. Create a Security Group to manage the devices with the Check Point Harmony Mobile Protect app. See Creating a Device Provisioning Group for Harmony Mobile.

  3. Configure your MobileIron UEM to collect the app list from the devices enrolled with Harmony Mobile. See Configuring Application Collection.

  4. Create an API account for the integration of Harmony Mobile service and MobileIron. See Creating API Account for Integration with the Harmony Mobile.

  5. Set Harmony Mobile parameters for the device protection. See Setting Parameters for the Device Protection.

Enabling the Harmony Mobile Protect app on the MobileIron Core Devices

To deliver content to devices, MobileIron Core identifies users and establishes permissions through Device Provisioning Groups.

Through your MobileIron Core console, you can:

  • Build groups for entities within your organization.

  • Customize hierarchies with group levels.

  • Integrate with multiple internal infrastructures at the tier level.

  • Delegate role-based access and management based on multi-tenant structure.

Best Practice - For integration with the Check Point Harmony Mobile Protect app, use groups to set up the same UEM hierarchy as in your organization's internal hierarchy, or set up groups based on MobileIron Core features and content.

Creating API Account for Integration with the Harmony Mobile

For the interaction between Harmony Mobile and the MobileIron Core system, you must create a dedicated API account user in your MobileIron Core. Using a dedicated account limits the privileges that the Harmony Mobile dashboard holds on the MobileIron Core system to those the integration needs, instead of sharing full admin credentials.

Best Practice - For the interaction at the API only, the MobileIron Core Console provides an API Only Admin role. You can use this Administrator account between the Harmony Mobile dashboard and the MobileIron Core system. See Configuring the Check Point Harmony Mobile Dashboard Integration Settings.

To create an API Only Administrator account, create a dedicated Local User and assign it the Administrator role.

Creating a Local User Account

  1. Navigate to Devices & Users > Users.

    From the Add drop-down menu, select Add Local User.

  2. In the Add New User pop-up window, fill in all the required fields.

  3. Click Save.

Assigning the Harmony Mobile API Administrator to the Local User Account

  1. Navigate to Admin > Admins and select the created user (For example, sbm_admin).

    From the Actions drop-down menu, select Assign to Space.

  2. From the Select Space drop-down menu, select Global.

  3. Under Device Management, select these roles:

    1. View device page, device details

    2. View device dashboard

    3. Apply and remove device label

    4. Edit custom device attribute values

  4. Scroll down to the Privacy Control section, and select View apps and ibooks in device details.

  5. Under the Label Management section, select View label.

  6. Scroll down to the Settings and Services Management section, and select Manage custom attributes.

  7. Scroll down to Other Roles section, and select API. This setting allows Harmony Mobile service to interact with MobileIron Core.

  8. Click Save.

  9. To complete the creation of the new admin account, log out from the MobileIron Core Admin Portal, and then log back in using the credentials you created in Creating a Local User Account.

Note - Log out and log back in to the MobileIron Core Admin Portal with your Service Administrator credentials to continue with the configuration.

Creating a Device Provisioning Group for Harmony Mobile

A device provisioning group is used to tie devices, apps, and app configurations together for deployment. MobileIron Core calls a device provisioning group a device label. This label is also used in the Harmony Mobile Protect app deployment process discussed in Configuring UEM to Deploy the Harmony Mobile Protect app.

There are two types of labels: manual (static) and filter (dynamic, for example based on LDAP group membership).

For a manual label, you select the devices you want to include and apply the label to them manually.

For a filter label, you define criteria; every device that matches the criteria is added to the label automatically.

Creating a Static Device Provisioning Group

  1. Navigate to Devices & Users > Labels.

    Click Add Label.

  2. Enter a Name and Description.

    Set the Type to Manual.

  3. Click Save.

Creating a Dynamic Device Provisioning Group (LDAP)

  1. Navigate to Devices & Users > Labels.

    Click Add Label.

  2. Enter a Name and Description.

    Set the Type to Filter.

  3. Under Criteria, select All of the following rules are true.

    Select User Fields > LDAP > Groups > Name.

  4. In the second drop-down list, select Equals, and enter the AD Group Name (in this example, Agents).

  5. Select the Exclude retired devices from search results checkbox, if required.

  6. Click Save.

Creating a Secondary Device Provisioning Group (Optional)

Note - If all the Android and iOS devices within your MobileIron Core environment are registered to Harmony Mobile, then it is recommended to create a second device provisioning group (label). Only devices in this group are forced to install Harmony Mobile Protect once their device has been synchronized with the Harmony Mobile dashboard. This improves the user experience and avoids users installing the Harmony Mobile Protect app and registering with Harmony Mobile before their device has been provisioned in the Harmony Mobile dashboard.

A secondary group is essentially a filtered group, or a sub-group of devices, that you can create only after connecting your UEM to the Harmony Mobile dashboard. If you want to create such a group, first complete the steps in Configuring the Check Point Harmony Mobile Dashboard Integration Settings.

  1. Navigate to Devices & Users > Labels, click Add Label.

  2. Enter a Name, a Description, and set the Type to Filter.

  3. Under Criteria select Any of the following rules are true, and select:

    1. Custom Attributes > Device Attributes > CHKP_Status Equals Provisioned

    2. Click the + icon at the end of the first rule.

    3. Custom Attributes > Device Attributes > CHKP_Status Equals Active

    4. Click the + icon at the end of the second rule.

    5. Custom Attributes > Device Attributes > CHKP_Status Equals Inactive

    6. Check the Exclude retired devices from search results checkbox.

  4. Click Save.
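To make the label logic of the two filter-label procedures above concrete (the LDAP group label and the secondary CHKP_Status label), here is an added example that evaluates the same criteria locally against a constructed device inventory. It is not Check Point or MobileIron code: the device record fields and the rule encoding are assumptions made for the example, not MobileIron Core's data model.

```python
# Added example: evaluates MobileIron-style filter-label criteria locally.
# Not Check Point or MobileIron code; device records below are constructed.
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    ldap_groups: list = field(default_factory=list)   # User Fields > LDAP > Groups > Name
    custom_attrs: dict = field(default_factory=dict)  # e.g. {"CHKP_Status": "Active"}
    retired: bool = False

# A rule is (field_path, operator, value); only "Equals" is modelled, as on the page.
AGENTS_LABEL = {                       # "All of the following rules are true"
    "match": "all",
    "rules": [("ldap.groups.name", "Equals", "Agents")],
    "exclude_retired": True,
}
SECONDARY_LABEL = {                    # "Any of the following rules are true"
    "match": "any",
    "rules": [("custom.CHKP_Status", "Equals", v)
              for v in ("Provisioned", "Active", "Inactive")],
    "exclude_retired": True,
}

def _rule_matches(device, rule):
    path, op, value = rule
    if op != "Equals":
        raise ValueError(f"unsupported operator {op}")
    if path == "ldap.groups.name":
        return value in device.ldap_groups
    if path.startswith("custom."):
        return device.custom_attrs.get(path[len("custom."):]) == value
    raise ValueError(f"unknown field {path}")

def in_label(device, label):
    # "Exclude retired devices from search results" is applied before the rules.
    if label["exclude_retired"] and device.retired:
        return False
    results = [_rule_matches(device, r) for r in label["rules"]]
    return all(results) if label["match"] == "all" else any(results)

def label_members(devices, label):
    return sorted(d.device_id for d in devices if in_label(d, label))

SAMPLE_DEVICES = [   # constructed inventory, not real device data
    Device("d1", ["Agents"], {"CHKP_Status": "Provisioned"}),
    Device("d2", ["Agents"], {}),                      # synced, not yet provisioned
    Device("d3", ["Finance"], {"CHKP_Status": "Active"}),
    Device("d4", ["Agents"], {"CHKP_Status": "Active"}, retired=True),
    Device("d5", [], {"CHKP_Status": "Inactive"}),
]
```

Running `label_members(SAMPLE_DEVICES, SECONDARY_LABEL)` shows why the secondary group is the better deployment target: d2 is in the Agents label but not yet provisioned, so it is left out until Harmony Mobile has written a CHKP_Status.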

Configuring Application Collection

You need to configure MobileIron Core to collect the list of applications installed on the devices enrolled with the Harmony Mobile service.

To configure MobileIron Core to collect the applications list:

  1. On the MobileIron Core portal, go to Policies & Configs > Policies.

    From the Add New drop-down menu, select Privacy.

  2. In the New Privacy Policy window, enter a name and description.

  3. Set these parameters:

    • Apps to All Apps.

    • iOS Installed App Inventory to All Apps.

  4. Click Save.

Applying the Application Collection Policy to the Device Provisioning Group

  1. On the MobileIron Core portal, go to Policies & Configs > Policies and select the application collection policy.

  2. From the Actions drop-down menu, select Apply To Label.

  3. In the Apply to Label pop-up window, select the Device Provisioning Group name.

  4. Click Apply.

Setting Parameters for the Device Protection

To protect your users, you must configure the Harmony Mobile Protect app to work on your user devices. Add users to the organization group for Harmony Mobile protection. See Creating a Static Device Provisioning Group.

Repeat these steps to add more users and more devices.

Adding Local Users to the Harmony Mobile Protect App

There are two ways to add a user to MobileIron:

  • Add Local User

    or

  • Resync With LDAP

To add a local user:

  1. Navigate to Devices & Users > Users, click Add drop-down menu, and select Add Local User.

  2. On the Add New User pop-up window, fill in all the required fields.

  3. Click Save.

Adding a Device to a User

  1. Go to Devices & Users > Devices.

    From the Add drop-down menu, select Single Device.

  2. On the Add Single Device window, fill these fields:

    1. User - Add the user you want to add a device to.

    2. Device Platform - Select Android or iOS.

    3. Select the This device has no phone number checkbox if the device doesn’t have a phone number. Otherwise, fill in the Country, Operator, and Mobile number.

    4. Device Ownership - Select whether the device is owned by Company or Employee.

    5. Select the Device Language and the User Notification method.

  3. Click Register.

The MobileIron registration instructions are sent to the user.

Note - Repeat these steps to add another user and/or device.

Adding Devices to the Device Provisioning Group

Note - This step is only required if you created a manual device provisioning group as in Creating a Device Provisioning Group for Harmony Mobile.

  1. Go to Devices & Users > Devices.

  2. Select the devices added in Adding a Device to a User.

    From the Actions drop-down menu, select Apply to Label.

  3. In the Apply to Labels window, select the provisioning label you created in Creating a Device Provisioning Group for Harmony Mobile.

  4. Click Apply.

Enrolling a Device to MobileIron Core

To manage your devices and apps and their access to your company data, you need to enroll them in the MobileIron Core service. For more information, see the MobileIron Core online guide.

  1. On the MobileIron Core portal, go to the Admin Profile > Help.

  2. Use your Support Account at the MobileIron Core site.

Note - At this point, you have all the information needed to configure the Device Management Settings in the Harmony Mobile dashboard. We are going to do that and then return to the MobileIron Core Admin Portal to configure the Harmony Mobile Protect app deployment settings and the mitigation policies.

Values used in the examples:

Server = https://mobileiron.net

API Admin Username/Password = sbm_admin/<******>

Device Provisioning Label(s) = EXAMPLE_SBM