Mobile Access for Smartphones and Tablets

Overview of Mobile Access for Smartphones and Tablets

To manage your users and their access to resources, make sure to:

• For email, calendar, and contact access, configure Secure Container Mail or ActiveSync applications. This can be done automatically in the Mobile Access Wizard.
• Configure Web applications, if necessary.
• Make sure users have the information required to authenticate to the gateway. For client certificates, use the Certificate Creation and Distribution Wizard.
• Make sure users' Mobile Settings meet your organization's needs.
• Tell users which App to install.
• Make sure smartphone and tablet users are included in your Mobile Access Policy.

Certificate Authentication for Handheld Devices

For handheld devices to connect to the gateway, these certificates must be properly configured:

• If the configured authentication methods is Personal Certificate, generate client certificates for users.
• A server certificate signed by a trusted third-party Certification Authority (for example, Entrust) is strongly recommended. If you have a third-party certificate, make sure the CA is trusted by the device. If you do not have a third-party certificate, a self-signed (ICA) certificate, is already configured on the server.

Managing Client Certificates

Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management Server that manages the Mobile Access Security Gateway.

Manage client certificates on the Client Certificate page of the Mobile Access tab.

The page has two panes.

• In the Client Certificates pane:
  • Create, edit, and revoke client certificates.
  • See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click Show more to see more results.
  • Search for specified certificates.
  • Send certificate information to users.
• In the Email Templates for Certificate Distribution pane:
  • Create and edit email templates for client certificate distribution.
  • Preview email templates.

Creating Client Certificates

A Wizard helps you create and distribute client certificates to multiple users or a single user.

To create and distribute certificates with the client certificate wizard:

1. In the Mobile Access tab, open the Client Certificates page.
2. In the Client Certificates pane, select New.

   The Certificate Creation and Distribution wizard opens.

3. In the Certificate Distribution page, select how to distribute the enrollment keys to users. You can select one or both options.
   1. Send an email containing the enrollment keys using the selected email template - Each user gets an email, based on the template you choose, that contains an enrollment key.
      • Template - Select the email template that will be used. You can click View to preview the selected template.
      • Site - Select the gateway that users will connect to.
      • Mail Server - Select the mail server that will send the emails. You can click Edit to view and change its details. In the From Address field, set the email address that the email will come from.
   2. Generate a file that contains all of the enrollment keys - Generate a file for your records that contains a list of all users and their enrollment keys. Click Browse to select the path where a file will be saved.
4. Optional: To change the expiration date of the enrollment key, edit the number of days in Users must enroll within x days.
5. Optional: Add a comment that will show next to the certificate in the certificate list on the Client Certificates page.
6. Click Next.

   The Users page opens.

7. Click Add to add the users or groups that require certificates.
   • Type text in the search field to search for a user or group.
   • Select a type of group to narrow your search.
8. When all included users or groups show in the list, click Generate to create the certificates and send the emails.
9. If more than 10 certificates are being generated, click Yes to confirm that you want to continue.

   A progress window shows. If errors occur, an error report opens.

10. Click Finish.

Revoking Certificates

If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the Client Certificate list.

To revoke one or more certificates:

1. Select the certificate or certificates from the Client Certificate list.
2. Click Revoke.
3. Click OK to confirm that you want to revoke the certificate or certificates.

After you revoke a certificate, it does not show in the Client Certificate list.

Creating Templates for Certificate Distribution

You can create multiple email templates to use to distribute certificate enrollment keys to users. When you create new certificates, the wizard prompts you to select which email template to use to distribute the enrollment keys.

In the template, you can insert:

• Predefined fields - Such as Username, Registration Key, Expiration Date
• Links - A link or QR code that users can go to or scan from their mobile devices. You can insert multiple links into an email template.

To create or edit an email template:

1. In the Mobile Access tab, open the Client Certificates page.
2. To create a new template: In the Email Templates for Certificate Distribution pane, select New.

   To edit a template: In the Email Templates for Certificate Distribution pane, double-click a template.

   The Email Template opens.

3. Enter a Name for the template.
4. Optional: Enter a Comment. Comments show in the Mail Template list on the Client Certificates page.
5. Optional: Click Languages to change the language of the email.
6. Enter a Subject for the email. Click Insert Field to add a predefined field, such as a Username.
7. In the message body add and format text. Click Insert Field to add a predefined field, such as Username, Registration Key, or Expiration Date.
8. Click Insert Link to add a link or QR code and select the type of link to add.

   For each link type, you select which elements will be added to the mail template:

   • QR Code - Users scan the code with their mobile devices.
   • HTML Link - Users tap the link on their mobile devices.

     You can select both QR Code and HTML link to include both in the email.

     The text in Display Text is the text that shows on the link.

   1. Certificate and Site Creation - For users who already have a Check Point app installed. When users scan the CR code or go to the link, it creates the site and registers the certificate.
      • Select the client type that will connect to the site- Select one client type that users will have installed.

      - Check Point Mobile - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.

      - Mobile VPN - A full L3 tunnel app that gives users network access to all mobile applications.

   2. Download Application - Direct users to download a Check Point App for their mobile devices.
      • Select the client device operating system:

      - iOS

      - Android

      • Select the client type to download:

      - Check Point Mobile - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.

      - Mobile VPN - A full L3 tunnel app that gives users network access to all mobile applications.

   3. Custom URL - Send users to a URL that you enter.
      • Link URL - Enter the complete URL of the site.
      • Display Text - Enter the text to show on the HTML link.
9. Click OK.
10. Optional: Click Preview in Browser to see a preview of how the email will look.
11. Click OK.

Cloning a Template

Clone an email template to create a template that is similar to one that already exists.

To create a clone of an email template:

1. Select a template from the template list in the Client Certificates page.
2. Click Clone.
3. A new copy of the selected template opens for you to edit.

Managing Mobile Settings

For Check Point Mobile, many settings that affect the user experience on mobile devices come from the Mobile Profile. Each Mobile Access user group has an assigned Mobile Profile. By default, all users get the Default Profile.

The settings in the Mobile Profile include:

• Passcode Settings
• Mail, Calendar, and Contacts availability
• Settings for offline content
• Where contacts come from

Manage the Mobile Profiles in Mobile Access tab > Mobile Settings.

• In the Mobile Profiles pane:
  • See all Mobile Profiles.
  • Create, edit, delete, clone, and rename Mobile Profiles.
• In the Mobile Profile Policy pane:
  • Create rules to assign Mobile Profiles to user groups.
  • Search for a user or group within the policy rules.

Creating and Editing Mobile Profiles

Create and edit Mobile Profiles to meet the security requirements of your organization and the needs of different users. Assign Mobile Profiles to user groups in the Mobile Profile Policy. The Mobile Profile Policy applies to Check Point Mobile App users.

To create or edit a Mobile Profile:

1. In the Mobile Access tab > Mobile Settings > Mobile Profiles pane:
   • To create a new Mobile Profile, click New.
   • To edit a Mobile Profile, select the profile and click Edit.

   The Mobile Profile opens.

2. In the Access Settings area, configure:
   • Session timeout - After users authenticate with the authentication method configured in Gateway Properties > Mobile Access > Authentication, configure how long they stay authenticated to the gateway.
   • Activate Passcode lock - Select to protect the Business Secure Container area of the mobile device with a passcode.
     • Passcode profile - Select a passcode profile to use. The profile includes the passcode complexity, length, expiration, and number of failed attempts allowed.
     • Allow storing user credentials on the device for single-sign on - If username and password authentication is used, store the authentication credentials on the device. Then users are only prompted for their passcode not also for their username and password.
   • Report jail-broken devices - Create a log if a jail-broken device connects to the gateway.
     • Block access from jail-broken devices - Block devices that are jail-broken from connecting to the gateway.
3. In the Allowed Items area, select which Exchange features are available on devices:
   • Mail
   • Calendar
   • Contacts
4. In the Offline Content area, configure what data is saved and for how long when the Check Point App cannot reach the gateway.
   • Allow offline content -
     • When selected, data is always saved to the disk and encrypted, according to policy.
     • When cleared, data is saved temporarily in the RAM.
   • Mail from the last x days - Select the length of time from which emails are saved.
     • Cache Mail - Select which parts of the email are saved in the offline cache.
   • Calendar from the last x months and the following x months - Select which parts of the calendar are saved: the length of time in the past and length of time in the future.
     • Cache Calendar - Select which parts of the calendar entry are saved in the offline cache.
   • Synchronize contacts - Synchronize contacts so they are available offline.
5. In the Contacts area, select which additional contacts to show on the device:
   • Global Address List
   • Local Phone

Passcode Profiles

A passcode lock protects the Business Secure Container in mobile devices. In each Mobile Profile, configure which Passcode Profile it uses. The profile includes the passcode requirements, expiration, and number of failed attempts allowed. The default passcode profiles are Normal, Permissive, and Restrictive. You can edit the default profiles and create new profiles.

To edit a Passcode Profile:

• In the Mobile Access tab > Additional Settings > Passcode Profile, select a Passcode Profile and click Edit.

To create a new Passcode Profile:

• In the Mobile Access tab > Additional Settings > Passcode Profile, click New.

A Passcode Profile includes these settings:

• Passcode Requirements - The complexity requirements. When you configure this, remember that users usually have a small on-screen keyboard.
  • Simple Passcode (4 digits) - Users create a simple password of 4 numbers.
  • Custom password -Select from the requirements below.
    • Minimum passcode length - Enter the minimum number of characters.
    • Require alphanumeric characters - Show an alphanumeric keyboard and require at least one character to be a letter.
    • Minimum complex characters - Enter the number of characters that must be a special character.
• Force passcode expiration - Enter the number of days after which user's passcodes expires and must be replaced.
• Allow grace period for entering passcode - Select to let users access the Business Secure Container for a specified period of time without re- entering their passcode. Enter the quantity of time in minutes.
• Exit after a few failures in passcode verification - Select to lock users out after a specified number of failed attempts. After the failed attempts, users must re-authenticate. If the authentication method includes username and password, users must enter them. If the authentication is certificate-only, users need a new certificate.
• Enforce passcode history - When selected, users cannot use a passcode that is the same as earlier passcodes. Select the number of earlier passcodes that users cannot use.

ESOD Bypass for Mobile Apps

Hand-held devices cannot run Endpoint Security on Demand (ESOD) components. By default, ESOD is disabled for smartphones and tablets.

If your organization has ESOD enabled, mobile apps cannot access ESOD enforced applications.

To change the ESOD setting on the Security Gateway:

1. On the Security Gateway run:
   cvpnd_settings set MobileAppBypassESODforApps "true" or "false"
   • true - Bypasses ESOD for mobile apps (default).
   • false - Does not bypass ESOD.
2. Restart the Mobile Access services: cvpnrestart
3. If you use a cluster, copy the $CVPNDIR/conf/cvpnd.C file to all cluster members and restart the services on each.

System Specific Configuration

This section describes system specific configuration required for iPhones, iPads, and Android devices. In some instances, end-user configuration is also required.

iPhone and iPad Configuration

Connecting iPhone/iPad Clients to ActiveSync Applications

When you allow access to an ActiveSync application, users see the Mail Setup item and can install the ActiveSync profile. This gives users access to their corporate email.

The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.

To connect to corporate email:

1. Sign in to the Mobile Access site.
2. Tap Mail Setup.
3. Do the on-screen instructions.

Getting Logs from iPhones or iPads

To resolve issues with client devices, tell the users to send you the logs. The iPhone or iPad must have an email account set up.

The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.

To configure logs:

1. Tap Information.

   Before login, this is on the top right. After login, this is on the bottom right.

2. Tap Send Logs on the navigation bar.

   If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.

   When an email account is configured, the email page opens. The logs are attached.

If the iPhone is not configured for a destination email address for logs, the email that opens has an empty To field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.

To set up a default destination address:

1. Tap Settings.
2. Scroll down to the Check Point Mobile icon and tap it.
3. In the Mobile global settings, enter the address in Logs email.

Disabling Client SSO

Single Sign On (SSO) lets users in a session connect to the Mobile Access gateway, without authenticating when the client starts. If a user cannot access the gateway while SSO is enabled, disable it.

The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.

To disable SSO on a client:

1. Tap Settings.
2. Scroll down to the Check Point Mobile icon and tap it.
3. In the Mobile global settings, tap the Single Sign On > Enabled switch.

Android Configurations

Browsing to Servers with Untrusted Server Certificates

When browsing from the Android app to a server with an untrusted server certificate, you are denied access and you get this message:

"Some resources on this page reside on an untrusted host."

In some cases, such as in a staging or demo environment, you can enable browsing to servers with untrusted certificates.

The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.

To disable the server certificate validation for Web applications:

1. Launch the Check Point Mobile app.
2. Log in to the site.
3. Press the menu button and tap Settings.
4. Enable Allow connection to untrusted servers.

   Note - HTTP (non-SSL) requests are always blocked even when this attribute is disabled.

Session Timeout for Android Devices

For Androids, idle timeout cannot be modified or enforced by the device or the gateway.

The only timeout setting that applies to the device is the active session timeout. It is configured in SmartDashboard: Mobile Access Software Blade > Additional Settings > Session > Re-authenticate users every x minutes option. This setting indicates the maximum session length. When this period is reached, the user must log in again. For example, if re-authentication is set to 120 minutes, a user will need to log in again after 2 hours in an active session.

Getting Logs from Android Clients

To resolve issues with client devices, tell the users to send you the logs.

The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.

To enable logs:

1. Open the Check Point application.
2. Tap About.
3. Press the Menu button on the device.
4. Tap Write Logs and then Enable.
5. Enter the email address of the system administrator.
6. Tap OK.

To send logs:

1. Open the Check Point application.
2. Tap About.
3. Press the Menu button on the device.
4. Tap Send Logs.
5. Select a way to send the logs.

Instructions for End Users

Give these instructions to end users to configure their mobile devices to work with Mobile Access.

iPhone/iPad End User Configuration

Do these procedures on your iPhone/iPad so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

• The name of the site you will connect to.
• The required Registration key (also called Activation key).

To connect to the corporate site:

1. Get the Check Point Mobile app from the App Store.
2. When prompted, enter the:
   • Site Name
   • Registration key

To connect to corporate email:

1. Sign in to the Mobile Access site.
2. Tap Mail Setup.
3. Do the on-screen instructions.
4. When asked for the password, enter the Exchange password.

To configure logs:

1. Tap Information.

   Before login, this is on the top right. After login, this is on the bottom right.

2. Tap Send Logs on the navigation bar.

   If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.

   When an email account is configured, the email page opens. The logs are attached.

If the iPhone is not configured for a destination email address for logs, the email that opens has an empty To field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.

To set up a default destination address:

1. Tap Settings.
2. Scroll down to the Check Point Mobile icon and tap it.
3. In the Mobile global settings, enter the address in Logs email.

To disable SSO on a client:

1. Tap Settings.
2. Scroll down to the Check Point Mobile icon and tap it.
3. In the Mobile global settings, tap the Single Sign On > Enabled switch.

Android End User Configuration

Do these procedures on your Android device so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

• The name of the site you will connect to.
• The required Registration key (also called Activation key).

To connect to the corporate site:

1. Get the Check Point Mobile app from the Android Market.
2. When prompted, enter the:
   • Site Name
   • Registration key

To enable logs:

1. Open the Check Point application.
2. Tap About.
3. Press the Menu button on the device.
4. Tap Write Logs and then Enable.
5. Enter the email address of the system administrator.
6. Tap OK.

To send logs:

1. Open the Check Point application.
2. Tap About.
3. Press the Menu button on the device.
4. Tap Send Logs.
5. Select a way to send the logs.

To disable the server certificate validation for Web applications:

1. Launch the Check Point Mobile app.
2. Log in to the site.
3. Press the menu button and tap Settings.
4. Enable Allow connection to untrusted servers.

To transfer the client certificate to the 3rd party mail client:

1. Launch the Check Point Mobile app.
2. Log in to the site.
3. Press the menu button and tap Settings.
4. From the Export Certificate option, tap Export. The Export Certificate window opens.

   If the Export Certificate option is disabled, contact the system administrator.

5. Select the certificate format appropriate for your mail client: P12 or PFX.
6. Select the location to save the certificate.
   The default path is /sdcard (for devices that have an SD card) or an external resource folder (for devices that do not have an SD card).
7. Tap OK to save the certificate to the selected location.

   A window shows: Export succeeded. Certificate password is: _______

8. You can copy the password to the clipboard. You will need the password when you import the certificate to the third party mail app.

Advanced Gateway Configuration for Handheld Devices

You can customize client authentication, device requirements, certificate details, and ActiveSync behavior. Use the CLI commands explained here to change the configuration file:
$CVPNDIR/conf/cvpnd.C

To apply changes:

Restart the Mobile Access services: cvpnrestart

If you use a cluster, copy the $CVPNDIR/conf/cvpnd.C file to all cluster members and restart the services on each.

To set Mobile Access attributes:

cvpnd_settings set <attribute_name> "<value>"

To get the current value of an attribute:

cvpnd_settings get <attribute_name>