Deploying the Harmony Mobile Protect app automatically (Zero Touch Deployment)

Zero Touch deployment is optional. If the organization does not want Harmony Mobile to activate itself automatically on employees' devices, you can skip this chapter.

UEM (Unified Endpoint Management) solutions traditionally prompt the mobile device user to install the application once the device is enrolled. In addition, to get full protection, the user needs to approve the required permissions and profiles. Many users are wary of installing new mobile applications or granting permissions, and as a security company, Check Point encourages that caution. Most of them do not know that the Harmony Mobile Protect app examines device characteristics and behavior, not the content stored on or flowing through the device. Furthermore, some users are reluctant to comply with the company's security policy, especially when they use their own devices. As a result, users often decide not to install the app or not to approve the required configuration, and those who do agree often do not do it immediately, so time passes before the application is activated. Meanwhile, many devices remain exposed to potential cyber-attacks.

Harmony Mobile's zero-touch technology allows the Protect app to be installed and activated automatically, without any user interaction.

The solution uses a VPN profile that the UEM pushes automatically to the device and that the Harmony Mobile Protect app consumes. When the profile is deployed, the app runs the activation flow automatically; the device becomes active and appears in the Harmony Mobile Administrator Portal without any user intervention on the device.

Zero Touch Deployment in Android Enterprise Devices

Devices That Do Not Use an Additional VPN App and Want To Use ONP

To enable zero touch on devices that do not use an additional VPN app and that use On-device Network Protection (ONP), create a VPN profile that enables the automatic activation of Harmony Mobile. This VPN profile also serves as the ONP VPN.

Note - This procedure also applies to users who want to use Harmony Mobile without ONP.

To create a VPN profile to allow automatic activation of the Harmony Mobile application:

  1. Create a new custom profile.

    Go to Resources > Profiles & Baselines > Profiles > Add > Add Profile.

  2. In the Add Profile window, select the Android platform.

    In the General section, enter a profile name.

  3. Under Custom Settings, click Add and paste the following text.

    Make sure to replace the tenant token, the gateway address and the portal account ID placeholders with your own values.

    <characteristic uuid="9310785f-25a5-423e-b5e5-675100546e6e"
    type="com.airwatch.android.androidwork.app:com.lacoon.security.fox">
    <parm name="EnableAlwaysOnVPN" value="True" type="boolean" />
    <parm name="LockDown" value="False" type="boolean" />
    <parm name="token" value="your_tenant_token" type="string" />
    <parm name="mdm_uuid" value="{DeviceUid}" type="string" />
    <parm name="gwAddress" value="Harmony Mobile GW address according to below list" type="string" />
    <parm name="portalAccountId" value="Infinity portal account ID" type="string" /></characteristic>

    For token, use the token configured in the Deployment section of the Harmony Mobile dashboard. For more information, see Deployment.

    For portalAccountId, use the Account ID from Check Point Infinity Portal > Global Settings > Account Settings.

    For gwAddress, use the gateway address for your region from this table:

    Security Gateway servers:

    Region                   Server
    US                       gw.locsec.net
    Ireland (EU region)      eu-gw.locsec.net
    Australia (Asia region)  au-gw.locsec.net
    Canada                   ca-gw.locsec.net
    UK                       uk-gw.locsec.net
    India                    in-gw.locsec.net

  4. Click Next.

  5. Set the relevant Smart Group to deploy Harmony Mobile.

  6. Click Save and Publish.

    The profile is pushed to the devices in the Harmony Mobile deployed group and activates Harmony Mobile on these devices. ONP is enabled through this profile.

Devices That Use an Additional VPN App and Want To Use ONP

To enable zero touch on devices that use an additional VPN app and that use ONP, you must first create two Smart Groups: one for the devices that are already registered to Harmony Mobile (Active or Inactive status) and one for the devices that are not yet registered (Provisioned status). The activation profile is then assigned with the registered group excluded, so it only reaches devices that still need activation.

After creating the two Smart Groups, create a VPN profile to allow automatic activation of Harmony Mobile.

To create a group that represents the Harmony Mobile registered devices:

  1. Go to Groups & Settings > Groups > Assignment Groups.

  2. Click +Add Smart Group.

  3. In the Name field, enter HM_Registered.

  4. Under the Tags section, select these tags:

    • CHKP_Status_Active

    • CHKP_Status_Inactive

  5. Click Save.

To create a group that represents the devices not registered to Harmony Mobile:

Note - This procedure applies only for devices with Android version 11 and lower.

  1. Go to Groups & Settings > Groups > Assignment Groups.

  2. Click +Add Smart Group.

  3. In the Name field, enter HM_Not_Registered.

  4. Under the Tags section, select these tags:

    • CHKP_Status_Provisioned

  5. Click Save.

To create a VPN profile to allow automatic activation of the Harmony Mobile application:

  1. Create a new custom profile.

    Go to Resources > Profiles & Baselines > Profiles > Add > Add Profile.

  2. In the Add Profile window, select the Android platform.

    In General section, select a profile name.

  3. In Custom Settings, click Add and paste the following text.

    Make sure to replace the tenant token, the gateway address and the portal account ID placeholders with your own values.

    <characteristic uuid="9310785f-25a5-423e-b5e5-675100546e6e"
    type="com.airwatch.android.androidwork.app:com.lacoon.security.fox">
    <parm name="EnableAlwaysOnVPN" value="True" type="boolean" />
    <parm name="LockDown" value="False" type="boolean" />
    <parm name="token" value="your_tenant_token" type="string" />
    <parm name="mdm_uuid" value="{DeviceUid}" type="string" />
    <parm name="gwAddress" value="Harmony Mobile GW address according to below list" type="string" />
    <parm name="portalAccountId" value="Infinity portal account ID" type="string" /></characteristic>

    For token, use the token configured in the Deployment section of the Harmony Mobile dashboard. For more information, see Deployment.

    For portalAccountId, use the Account ID from Check Point Infinity Portal > Global Settings > Account Settings.

    For gwAddress, use the gateway address for your region from this table:

    Security Gateway servers:

    Region                   Server
    US                       gw.locsec.net
    Ireland (EU region)      eu-gw.locsec.net
    Australia (Asia region)  au-gw.locsec.net
    Canada                   ca-gw.locsec.net
    UK                       uk-gw.locsec.net
    India                    in-gw.locsec.net

  4. Click Next.

  5. Set the relevant Smart Group to deploy Harmony Mobile.

  6. Turn on Allow Exclusion.

  7. In the Excluded Group field, exclude the HM_Registered group.

  8. Click Save and Publish.

    The profile is pushed to the devices that are not registered to the Harmony Mobile service (devices in Provisioned status) and activates Harmony Mobile on them.

  9. To activate On-device Network Protection (ONP):

    • For devices with Android version 12 and higher:

      The user must activate the VPN for ONP manually.

      After Harmony Mobile is activated automatically on the device, the user receives an alert prompting them to enable On-device Network Protection.

    • For devices with Android version 11 and lower:

      The VPN profile used for zero touch activation is also used as the ONP VPN.

      The administrator must push a second profile, targeted at the registered devices, that sets the EnableAlwaysOnVPN attribute to False. To do that:

      1. Create a second custom profile by repeating steps 1-8 above.

      2. In the new custom profile, under Custom Settings, paste the following instead of the activation settings:

        <characteristic uuid="9310785f-25a5-423e-b5e5-675100546e6e"
        type="com.airwatch.android.androidwork.app:com.lacoon.security.fox">
        <parm name="EnableAlwaysOnVPN" value="False" type="boolean" />
        <parm name="LockDown" value="False" type="boolean" /></characteristic>

      3. In the Excluded Group field, exclude the HM_Not_Registered group (instead of HM_Registered).

      4. Click Save and Publish.
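The Android profiles above (the activation profile with its token, gateway address and account ID, and the ONP-only follow-up profile with EnableAlwaysOnVPN set to False) are pasted by hand, and a profile that still carries a placeholder, names the wrong gateway, or is not well-formed XML (for example a missing space between two attributes) is silently ignored: the device never activates and stays in Provisioned status. The following Python script is an added example, not Check Point or VMware tooling. It generates both profile variants from the values the guide asks for and checks a pasted profile for those mistakes. The characteristic uuid, type and parm names are the ones shown above; the two-letter region labels in GATEWAYS are my own shorthand for the region table; the token and account ID in the usage block are constructed values.

```python
"""Build and sanity-check the Workspace ONE custom-settings XML that drives
Harmony Mobile zero-touch activation on Android Enterprise devices.

Added example, not Check Point's or VMware's own tooling. The characteristic
uuid/type and parm names are those shown in the guide; the region->gateway
table is copied from the guide (region labels are my shorthand).
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

CHARACTERISTIC_UUID = "9310785f-25a5-423e-b5e5-675100546e6e"
CHARACTERISTIC_TYPE = "com.airwatch.android.androidwork.app:com.lacoon.security.fox"

# Region shorthand -> Harmony Mobile gateway, from the guide's table.
GATEWAYS = {
    "US": "gw.locsec.net",
    "EU": "eu-gw.locsec.net",
    "AU": "au-gw.locsec.net",
    "CA": "ca-gw.locsec.net",
    "UK": "uk-gw.locsec.net",
    "IN": "in-gw.locsec.net",
}

# Placeholder values as they appear in the guide; a profile still carrying
# one of them will never activate a device.
PLACEHOLDERS = {"your_tenant_token", "Infinity portal account ID",
                "Harmony Mobile GW address according to below list"}

ACTIVATION_PARMS = {"token", "mdm_uuid", "gwAddress", "portalAccountId"}


def build_profile(token=None, account_id=None, region=None, always_on=True):
    """Return the custom-settings XML.

    With token/account_id/region set, this is the activation (+ONP) profile.
    With all three omitted it is the ONP-only follow-up profile for already
    registered devices (EnableAlwaysOnVPN=False), as in the Android 11 flow.
    """
    parms = [("EnableAlwaysOnVPN", str(always_on), "boolean"),
             ("LockDown", "False", "boolean")]
    if token is not None:
        if region not in GATEWAYS:
            raise ValueError(f"unknown region {region!r}; expected one of {sorted(GATEWAYS)}")
        parms += [("token", token, "string"),
                  ("mdm_uuid", "{DeviceUid}", "string"),  # WS1 lookup value, expanded per device
                  ("gwAddress", GATEWAYS[region], "string"),
                  ("portalAccountId", account_id, "string")]
    body = "\n".join(
        f'  <parm name="{n}" value={quoteattr(v)} type="{t}" />' for n, v, t in parms)
    return (f'<characteristic uuid="{CHARACTERISTIC_UUID}"\n'
            f'  type="{CHARACTERISTIC_TYPE}">\n{body}\n</characteristic>')


def check_profile(xml_text):
    """Return a list of problems found in a pasted profile (empty list = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    problems = []
    if (root.tag != "characteristic" or root.get("uuid") != CHARACTERISTIC_UUID
            or root.get("type") != CHARACTERISTIC_TYPE):
        problems.append("characteristic uuid/type does not match the Harmony Mobile app config")
    parms = {p.get("name"): p for p in root.findall("parm")}
    for name, p in parms.items():
        value, ptype = p.get("value", ""), p.get("type")
        if ptype == "boolean" and value not in ("True", "False"):
            problems.append(f"{name}: boolean parm has value {value!r}")
        if value in PLACEHOLDERS:
            problems.append(f"{name}: placeholder value not replaced")
    present = ACTIVATION_PARMS & set(parms)
    if present and present != ACTIVATION_PARMS:   # half an activation profile
        problems.append("activation profile missing: "
                        + ", ".join(sorted(ACTIVATION_PARMS - present)))
    if "gwAddress" in parms and parms["gwAddress"].get("value") not in GATEWAYS.values():
        problems.append("gwAddress is not one of the Harmony Mobile gateways")
    for name in ("EnableAlwaysOnVPN", "LockDown"):
        if name not in parms:
            problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    # Constructed token and account ID; use your own from the dashboard and portal.
    activation = build_profile("a1b2c3d4e5f6", "1234567", "EU")
    print(activation)
    print("problems:", check_profile(activation))
    print(build_profile(always_on=False))   # ONP-only profile for registered devices
```

Run check_profile on the text you are about to paste into Custom Settings; an empty list means the profile is well-formed, carries no placeholders and names a real gateway. It does not prove the token or account ID are correct, which only the Harmony Mobile dashboard can confirm once the device shows up as Active.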

Zero Touch Deployment in iOS Devices

  1. Create a new device profile.

    Go to Resources > Profiles & Baselines > Profiles > Add > Add Profile.

  2. In the Add Profile window, select the iOS platform.

  3. Select Device Profile in Context.

  4. In the General tab, name the profile and assign it to your Workspace ONE Smart Group.

  5. In the VPN tab:

    • Connection Name: Check Point Local Tunnel

    • Connection Type: Custom

    • Identifier: com.checkpoint.capsuleprotect

    • Server: www.checkpoint.com

    • Account: {DeviceUuid}

    • Custom Data: zero_touch=true

    • User Authentication: Certificate

    • Identity Certificate: None

  6. Select these checkboxes:

    • Enable VPN On Demand

    • Use new on-demand keys

  7. Add these On-Demand Rules:

    • Connect > Interface Match > Wi-Fi

    • Connect > Interface Match > Cellular

If you want to use On-device Network Protection (ONP) with HTTPS inspection, you must also deploy the CA certificate that ONP uses for SSL (Secure Sockets Layer) inspection. See CA Certificate Deployment Using the UEM.
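Workspace ONE turns the iOS VPN settings above into an Apple configuration profile (.mobileconfig) with a com.apple.vpn.managed payload; the two on-demand rules are what make iOS bring the Check Point tunnel up, and with it the activation flow, as soon as the device is on Wi-Fi or cellular. The following Python script is an added example, not Check Point or VMware code. The mapping of the UI fields onto the Apple payload keys (VPNType "VPN" with VPNSubType for a custom VPN, VendorConfig for Custom Data, OnDemandRules with InterfaceTypeMatch for the "new on-demand keys") follows Apple's configuration profile reference and is my assumption, not something the guide states; the field values are the ones the guide specifies, and the payload UUIDs are generated.

```python
"""Express the guide's iOS zero-touch VPN profile as an Apple configuration
profile and check a profile pulled from a device or exported from the UEM.

Added example, not Check Point's or VMware's code. The mapping of Workspace
ONE UI fields onto com.apple.vpn.managed keys is my assumption based on
Apple's configuration profile reference.
"""
import plistlib
import uuid

BUNDLE_ID = "com.checkpoint.capsuleprotect"


def build_vpn_payload():
    """VPN payload carrying the values from the guide's VPN tab."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{BUNDLE_ID}.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Check Point Local Tunnel",
        "UserDefinedName": "Check Point Local Tunnel",   # Connection Name
        "VPNType": "VPN",                                 # Connection Type: Custom
        "VPNSubType": BUNDLE_ID,                          # Identifier
        "VPN": {
            "RemoteAddress": "www.checkpoint.com",        # Server
            "AuthName": "{DeviceUuid}",                   # Account (WS1 lookup value)
            "AuthenticationMethod": "Certificate",        # User Authentication
            "OnDemandEnabled": 1,                         # Enable VPN On Demand
            "OnDemandRules": [                            # "Use new on-demand keys"
                {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
                {"Action": "Connect", "InterfaceTypeMatch": "Cellular"},
            ],
        },
        "VendorConfig": {"zero_touch": "true"},           # Custom Data
    }


def build_profile():
    """Wrap the payload in a device-level configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",   # assumption: device profile, not user profile
        "PayloadIdentifier": f"{BUNDLE_ID}.zerotouch",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Harmony Mobile zero touch",
        "PayloadContent": [build_vpn_payload()],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist form a .mobileconfig file uses."""
    return plistlib.dumps(profile)


def check_mobileconfig(data):
    """Return a list of problems in a .mobileconfig (empty list = OK)."""
    profile = plistlib.loads(data)
    vpns = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]
    if len(vpns) != 1:
        return ["expected exactly one VPN payload"]
    vpn, problems = vpns[0], []
    if vpn.get("VPNType") != "VPN" or vpn.get("VPNSubType") != BUNDLE_ID:
        problems.append("VPN payload is not a custom VPN for the Harmony Mobile Protect app")
    if vpn.get("VendorConfig", {}).get("zero_touch") != "true":
        problems.append("Custom Data does not contain zero_touch=true")
    cfg = vpn.get("VPN", {})
    if cfg.get("AuthenticationMethod") != "Certificate":
        problems.append("User Authentication is not Certificate")
    if cfg.get("OnDemandEnabled") != 1:
        problems.append("VPN On Demand is not enabled")
    matched = {r.get("InterfaceTypeMatch") for r in cfg.get("OnDemandRules", [])
               if r.get("Action") == "Connect"}
    for iface in ("WiFi", "Cellular"):
        if iface not in matched:
            problems.append(f"no Connect on-demand rule for {iface}")
    return problems


if __name__ == "__main__":
    data = to_mobileconfig(build_profile())
    print(data.decode())
    print("problems:", check_mobileconfig(data))
```

To audit what actually reached a device, export the installed profile from Settings > General > VPN & Device Management (or from the Workspace ONE console) and pass its bytes to check_mobileconfig; a missing interface rule is the usual reason a device never connects and therefore never activates.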

Zero Touch Notification Permissions for iOS

This feature automatically grants notification permission to the Harmony Mobile Protect app when the app is installed through the UEM, without user interaction.

To enable Zero Touch notification permissions for iOS devices:

  1. Go to Resources > Profiles & Baselines > Profiles and click Add > Add Profile.

  2. Select platform as iOS.

  3. Select context as Device Profile.

  4. Enter a name for your profile. Scroll down to Notification and then click Add.

  5. In the Select App field, enter Harmony Mobile. From the list, select Harmony Mobile Protect (com.checkpoint.capsuleprotect).

    Make sure that Allow Notification is enabled (enabled by default) and do not disable other permissions.

  6. Click Next.

  7. Select your relevant groups for deployment then click Save & Publish.

CA Certificate Deployment Using the UEM

This section is relevant if you use the On device Network Protection (ONP) feature with the https inspection option turned on.

First, you need to create a certificate in the Harmony Mobile dashboard and then set the configuration on the UEM to push it to the devices. This certificate is used for the ONP SSL inspection.

You can use the same profiles that were created for Zero Touch deployment, but for this example we create a new profile.

Creating the Certificate in the Harmony Mobile Dashboard

  1. In the Harmony Mobile dashboard, go to Policy > Network Protection.

  2. Under HTTPS Settings, select the HTTPS Inspection checkbox.

    Under Inspection CA, select Central CA for UEM Deployment.

  3. Click Generate CA Certificate and download it to your computer.

Deploying the CA certificate on Android Enterprise Devices

To push the CA certificate generated in the Harmony Mobile dashboard to Android Enterprise devices:

  1. In the Workspace ONE Portal, go to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Android.

  2. In the General tab, give the profile a name and assign it to your Smart Group.

  3. Go to the Credentials tab and enter the following configuration:

    • Credential Source: Upload

    • Enter a Credential Name.

    • Upload the certificate file and click Save and Publish.

Deploying the CA certificate on iOS Devices

To push the CA certificate generated in the Harmony Mobile dashboard to iOS devices:

  1. In the Workspace ONE Portal, go to Resources > Profiles & Baselines > Profiles > Add > Add Profile > iOS > Device Profile.

  2. In the General tab, give the profile a name and assign it to your Smart Group.

  3. Go to the Credentials tab and enter the following configuration:

    • Credential Source: Upload

    • Enter a Credential Name.

    • Upload the certificate file and click Save and Publish.