Mobile Access for Smartphones and Tablets
Overview of Mobile Access for Smartphones and Tablets
To manage your users and their access to resources, make sure to:
Certificate Authentication for Handheld Devices
For handheld devices to connect to the gateway, these certificates must be properly configured:
- If the configured authentication methods is Personal Certificate, generate client certificates for users.
- A server certificate signed by a trusted third-party Certification Authority (for example, Entrust) is strongly recommended. If you have a third-party certificate, make sure the CA is trusted by the device. If you do not have a third-party certificate, a self-signed (ICA) certificate, is already configured on the server.
Managing Client Certificates
Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management Server that manages the Mobile Access Security Gateway.
Manage client certificates on the page of the tab.
The page has two panes.
- In the pane:
- Create, edit, and revoke client certificates.
- See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click to see more results.
- Search for specified certificates.
- Send certificate information to users.
- In the pane:
- Create and edit email templates for client certificate distribution.
- Preview email templates.
Creating Client Certificates
A Wizard helps you create and distribute client certificates to multiple users or a single user.
|
Note - If you use LDAP or AD, creating client certificates does not change the LDAP or AD server. If you get an error message regarding LDAP/AD write access, ignore it and close the window to continue.
|
To create and distribute certificates with the client certificate wizard:
- In the M tab, open the page.
- In the pane, select .
The wizard opens.
- In the page, select how to distribute the enrollment keys to users. You can select one or both options.
a.Each user gets an email, based on the template you choose, that contains an enrollment key.
- - Select the email template that will be used. You can click to preview the selected template.
- - Select the gateway that users will connect to.
- - Select the mail server that will send the emails. You can click to view and change its details. In the field, set the email address that the email will come from.
b. - Generate a file for your records that contains a list of all users and their enrollment keys. Click to select the path where a file will be saved.
- Optional: To change the expiration date of the enrollment key, edit the number of days in .
- Optional: Add a comment that will show next to the certificate in the certificate list on the page.
- Click .
The page opens.
- Click to add the users or groups that require certificates.
- Type text in the search field to search for a user or group.
- Select a type of group to narrow your search.
- When all included users or groups show in the list, click to create the certificates and send the emails.
- If more than 10 certificates are being generated, click to confirm that you want to continue.
A progress window shows. If errors occur, an error report opens.
- Click .
Revoking Certificates
If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the list.
To revoke one or more certificates:
- Select the certificate or certificates from the list.
- Click .
- Click .
After you revoke a certificate, it does not show in the list.
Creating Templates for Certificate Distribution
You can create multiple email templates to use to distribute certificate enrollment keys to users. When you create new certificates, the wizard prompts you to select which email template to use to distribute the enrollment keys.
In the template, you can insert:
- Predefined fields - Such as Username, Registration Key, Expiration Date
- Links - A link or QR code that users can go to or scan from their mobile devices. You can insert multiple links into an email template.
To create or edit an email template:
- In the tab, open the page.
- To create a new template: In the pane, select
To edit a template: In the pane, double-click a template.
The opens.
- Enter a for the template.
- Optional: Enter a . Comments show in the Mail Template list on the page.
- Optional: Click to change the language of the email.
- Enter a for the email. Click to add a predefined field, such as a Username.
- In the message body add and format text. Click to add a predefined field, such as Username, Registration Key, or Expiration Date.
- Click to add a link or QR code and select the type of link to add.
For each link type, you select which elements will be added to the mail template:
a. - For users who already have a Check Point app installed. When users scan the CR code or go to the link, it creates the site and registers the certificate.
- - Select one client type that users will have installed.
- - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
- A full L3 tunnel app that gives users network access to all mobile applications.
- - In R77.30 and higher, you can use Per-App VPN for more granular control of which applications can access the VPN tunnel. You must configure the Per-App VPN settings on the gateway before you select this option. See the Capsule Connect and Capsule VPN for iOS, Android, and Windows 8.1 Administration Guide for more information.
b.- Direct users to download a Check Point App for their mobile devices.
- - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
- A full L3 tunnel app that gives users network access to all mobile applications.
- - Send users to a URL that you enter.
- - Enter the complete URL of the site.
- - Enter the text to show on the HTML link.
- Click .
- Optional: Click to see a preview of how the email will look.
- Click .
Cloning a Template
Clone an email template to create a template that is similar to one that already exists.
To create a clone of an email template:
- Select a template from the template list in the page.
- Click .
- A new copy of the selected template opens for you to edit.
Remote Wipe
Remote Wipe removes the offline data cached on the user's mobile device.
This feature is supported in R77.10 and higher.
When the administrator revokes the internal CA certificate, a Remote Wipe push notification is sent, if the Remote Wipe configuration for the client enables . Remote Wipe is triggered when the device gets the push notification.
Note: Remote Wipe by Push Notification works by best effort. There is no guarantee that the gateway will send the notification, or that the client will get it successfully.
If the device does not get the Remote Wipe push notification, Remote Wipe is triggered when the client does an activity that requires connection to the gateway while using a revoked internal CA certificate.
Remote Wipe send logs:
- If a Remote Wipe Push Notification is sent.
- When a Remote Wipe process ends successfully.
This feature is supported in R77.10 and higher.
To configure Remote Wipe:
- Run the command on the gateway.
: cvpnd_settings <conf_file_path> {set|listAdd|listRemove} <name> <value>
- To enable or disable Remote Wipe:
[expert@hostname:0]# cvpnd_settings $CVPNDIR/conf/cvpnd.C set RemoteWipeEnabled {true|false} Remote Wipe is enabled by default.
- To enable or disable Remote Wipe by Push Notification (wipe is done if client gets notification):
[expert@hostname:0]# cvpnd_settings $CVPNDIR/conf/cvpnd.C set RemoteWipePushEnabled {true|false} The Remote Wipe Push Notifications feature is enabled by default. For supported clients, see sk95587.
- To set supported devices for Remote Wipe Push Notifications, based on operating system:
[expert@hostname:0]# cvpnd_settings $CVPNDIR/conf/cvpnd.C listAdd RemoteWipePushSupportedClientOS {iOS | Android}
- Run:
[expert@hostname:0]# cvpnrestart You must restart the cvpn service to apply the changes.
To see that your changes are applied, open the $CVPNDIR/conf/cvpnd.C file in Read-Only mode.
To trigger Remote Wipe on a device:
- Make sure that
cvpnd.C is configured for Remote Wipe and, if you want, for Push Notifications.If you change the file, run: [expert@hostname:0]# cvpnrestart
- Revoke the client certificate:
- Open tab > .
- Select certificates.
- Click .
- Click .
To see Remote Wipe logs:
- Open SmartLog.
- Query for:
"Remote Wipe" AND blade:"Mobile Access" action:"Failed Log In" You can filter these results for user DN, device ID, or certificate serial number.
Managing Capsule Workspace Settings
For Capsule Workspace, many settings that affect the user experience on mobile devices come from the . Each Mobile Access user group has an assigned Mobile Profile. By default, all users get the Default Profile.
The settings in the Mobile Profile include:
- Passcode and access Settings
- Mail, Calendar, and Contacts availability
- Settings for offline content
- Settings for push notifications
- Settings for Calendar and Contacts
To enable some features, you must install the R77.30 Add-on. See the Release Notes for more information.
Manage the Mobile Profiles in tab > .
- In the pane:
- See all Mobile Profiles.
- Create, edit, delete, clone, and rename Mobile Profiles.
- In the pane:
- Create rules to assign Mobile Profiles to user groups.
- Search for a user or group within the policy rules.
Creating and Editing Mobile Profiles
Create and edit Mobile Profiles to meet the security requirements of your organization and the needs of different users. Assign Mobile Profiles to user groups in the Mobile Profile Policy. The Mobile Profile Policy applies to Capsule Workspace App users.
To create or edit a Mobile Profile
In the tab > pane:
Configure these settings in the Mobile Profile:
To enable some features, you must install the R77.30 Add-on. See the Release Notes for more information.
- - Configure settings related to user access and security:
- - After users authenticate with the authentication method configured in > > , configure how long they stay authenticated to the gateway.
- - Select to protect the Business Secure Container area of the mobile device with a passcode.
- - Select a passcode profile to use. The profile includes the passcode complexity, length, expiration, and number of failed attempts allowed.
- - If username and password authentication is used, store the authentication credentials on the device. Then users are only prompted for their passcode not also for their username and password.
- - Create a log if a jail-broken device connects to the gateway.
- - Block devices that are jail-broken from connecting to the gateway.
- (upon user's approval) - Tracks devices connecting to the gateway.
- - Select which Exchange features are available on devices:
- Configure what data is saved and for how long when the Check Point App cannot reach the gateway.
- - Select the length of time from which emails are saved.
- - Select which parts of the email are saved in the offline cache.
- - Select which parts of the calendar are saved: the length of time in the past and length of time in the future.
- - Select which parts of the calendar entry are saved in the offline cache.
- - Synchronize contacts so they are available offline.
- - Configure what information shows in the push notifications for emails and meetings. For example, you can select that only the sender's address shows and not the subject.
- - When selected, users get push notifications. This only takes effect if push notifications are enabled for Capsule Workspace on the gateway that users connect to.
- - See a list of the configured notification for emails.
- - See a list of the configured notification for meetings.
- - Click to see all configured push notifications, preview them, and change them.
- -
- - Select if email content can be copied and pasted into other applications on the device.
- -
- -Select if the business calendar gets information from the native device calendar
- - Select which contacts to show in Capsule Workspace in addition to business contacts:
- -
- - Select if credentials are required to open Capsule Docs protected documents are cached on the device. If they are not cached, users must enter their credentials each time they open a document for the first time.
- - Select if a Capsule Docs keys are cached on the device. If they are cached users can open a previously opened document with no need to enter credentials.
Passcode Profiles
A passcode lock protects Capsule Workspace in mobile devices. In each Mobile Profile, configure which Passcode Profile it uses. The profile includes the passcode requirements, expiration, and number of failed attempts allowed. The default passcode profiles are Normal, Permissive, and Restrictive. You can edit the default profiles and create new profiles.
To edit a Passcode Profile:
- In the tab > > , select a Passcode Profile and click .
To create a new Passcode Profile:
A Passcode Profile includes these settings:
- - The complexity requirements. When you configure this, remember that users usually have a small on-screen keyboard.
- - Users create a simple password of 4 numbers.
- -Select from the requirements below.
- - Enter the minimum number of characters.
- - Show an alphanumeric keyboard and require at least one character to be a letter.
- - Enter the number of characters that must be a special character.
- - Enter the number of days after which user's passcodes expires and must be replaced.
- - Select to let users access the Business Secure Container for a specified period of time without re- entering their passcode. Enter the quantity of time in minutes.
- - Select to lock users out after a specified number of failed attempts. After the failed attempts, users must re-authenticate. If the authentication method includes username and password, users must enter them. If the authentication is certificate-only, users need a new certificate.
- - When selected, users cannot use a passcode that is the same as earlier passcodes. Select the number of earlier passcodes that users cannot use.
Push Notifications
This feature sends push notifications for incoming emails and meeting requests on handheld devices, while the Capsule Workspace Mail app is in the background. The app icon shows the number of new, unhandled notifications. One user can get notifications for multiple devices.
This feature is supported from R77.10. The configuration in R77.20 and higher is easier.
Push notifications are disabled by default in this version.
To use push notifications, the gateway must have connectivity to these URLs on ports 443 and 80:
- https://push.checkpoint.com (209.87.211.173 and 217.68.8.71)
- http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl
- http://crl.verisign.com/pca3-g5.crl
|
Notes -
- Users must enable notifications for the Capsule Workspace Mail app on iOS devices
- Push notifications can increase Exchange server CPU usage if many users are connected
- The Exchange server must have access to the Mobile Access Portal.
- If you change the URL or IP address of the Mobile Access Portal after you enable push notifications, you must update the Push Portal attributes with GuiDBedit:
- In GuiDBedit, go to the section of your gateway > > .
- Change and to match the URL of the Mobile Access Portal.
- Save.
- Install policy on the gateway.
|
Configuring Push Notifications
To enable push notifications in R77.30 and higher:
To enable this feature, you must install the R77.30 Add-on. See the Release Notes for more information.
Enable push notifications from the Mobile Access Wizard or from the Gateway Properties of each gateway.
- From the Mobile Access Wizard:
- If you enable Capsule Workspace Mail in the Mobile Access Wizard, push notifications are automatically enabled for the gateway.
- If you enable Capsule Workspace Mail from the Mobile Access tab, push notifications are NOT enabled.
- From the Gateway Properties:
- Open a gateway object that has Mobile Access enabled.
- Select > from the tree.
- Select .
- Click .
To enable push notifications in R77.20:
To learn how to activate this feature in R77.20, see sk101217.
Enable push notifications from the Mobile Access Wizard or from GuiDBedit.
- From the Mobile Access Wizard:
- If you enable Capsule Workspace Mail in the Mobile Access Wizard, push notifications are automatically enabled for the gateway.
- If you enable Capsule Workspace Mail from the Mobile Access tab, push notifications are NOT enabled.
- In GuiDBedit.
- Open GuiDBedit.
- Search for .
- Change the value of to true on each Mobile Access Gateway object that will send push notifications.
- Save.
- Open SmartDashboard.
- Open each Mobile Access Gateway object and click .
- Install policy.
To enable push notifications in R77.10:
- Before you make changes to
$CVPNDIR/conf/cvpnd.C , create a backup copy - In
$CVPNDIR/conf/cvpnd.C , change the value of PNEnable to true . - Run:
[expert@hostname:0]# cvpnrestart - If the certificate on the Security Gateway is not trusted by the Exchange server, see To import a certificate to the Exchange server in Exchange Server and Gateway Communication.
Customizing Push Notifications
In R77.30 and higher, you can customize push notifications from the mobile profile in the tab > .
For R77.20 and lower gateways, use these instructions:
You can configure some custom options in the $CVPNDIR/conf/cvpnd.C file.
Before you make changes to $CVPNDIR/conf/cvpnd.C , create a backup copy.
To send push notifications to a list of specified users:
- In
$CVPNDIR/conf/cvpnd.C , change the value of PNAllowUserNamesInListOnly to true . - Configure the list of users to whom you want to send push notifications:
PNAllowedUserNames (
: (user1)
: (user2)
)
|
- Run:
[expert@hostname:0]# cvpnrestart
To define the format of push notifications for email messages:
- Set the
PNDefaultMailmessage parameter: PNDefaultMailMessage ("$push_notification_emoji$ $push_notification_importance$$push_notification_sender$: $push_notification_subject$")
- Run:
[expert@hostname:0]# cvpnrestart
To define the format of push notifications for meeting requests:
- Set the
PNDefaultMeetingMessage parameter: PNDefaultMeetingMessage ("$push_notification_emoji$ $push_notification_importance$$push_notification_sender$: Meeting Request - $push_notification_subject$")
- Run:
[expert@hostname:0]# cvpnrestart
Exchange Server and Gateway Communication
Make sure that the Exchange server can access the Mobile Access Portal.
On R77.20 and higher gateways, all confidential information between the Exchange server and the gateway uses encrypted SSL tunnels. All non-confidential information uses unencrypted HTTP connections.
You can configure all push notification communication to use SSL tunnels.
To force all push notification communication to go through SSL tunnels:
- Install a trusted server certificate on the Mobile Access gateway. See sk98203.
- Open GuiDBedit.
- Search for the field (Ctrl +F).
- Press F3 to see next until you find that contains the value .
- Double-click the field and edit the value to be and not .
- Save.
- Open SmartDashboard.
- Open the Mobile Access gateway object.
- Click OK.
- Install policy.
On R77.10 gateways, if the certificate on the Security Gateway is not trusted, import the certificate to the Exchange Server. This is not necessary on R77.20 and higher gateways. For details about how to get the gateway certificate, see sk98203.
To import a certificate to the Exchange server:
- Download the certificate to the Exchange server.
- Run the Windows certificate installation wizard: double-click the certificate file, and follow the wizard steps.
- Run Microsoft Management Console.
- In the window that opens, click .
Add or Remove Snap-ins window opens.
- Select from the Available snap-ins, and click .
- Select and click .
- Select and click again.
- Select and click .
- Click .
- Click .
The certificate is stored in Local computer and in Current user stores.
Monitoring Push Notification Usage
Use the fwpush commands to monitor, debug, and troubleshoot push notification activity.
|
Note - Users must first install the latest version of the Capsule Workspace app from the app store and connect to the site created on the gateway.
|
To see failed batches, expired push notifications, and delayed push notifications, see: $FWDIR/log/pushd_failed_posts
Legal disclaimer on product functionality
Check Point uses Apple and Google services to deliver push notifications to iOS and Android devices. This is consistent with industry practice and similar to other applications vendors. Accordingly, Check Point assumes no liability in the event a notification is not sent or is not successfully pushed.
Information which is sent as a push notification passes through Check Point’s push service and the Apple or Google push service (according to the user’s device). Check Point does not keep, filter, or read any information that passes through. Check Point may review basic information to determine if a push notification reached its destination.
Check Point provides configuration options for the information sent as a push notification. The administrator can choose whether to set the subject, the sender, or the importance of any email, and can send the meeting location for meeting invitations.
Check Point will not be held liable for any loss of information that may result during the push notification process.
ESOD Bypass for Mobile Apps
Hand-held devices cannot run Endpoint Security on Demand (ESOD) components. By default, ESOD is disabled for smartphones and tablets.
If your organization has ESOD enabled, mobile apps cannot access ESOD enforced applications.
|
Note - Mobile apps are not recognized by their HTTP User-Agent header.
|
To change the ESOD setting on the Security Gateway:
- On the Security Gateway run:
cvpnd_settings $CVPNDIR/conf/cvpnd.C set MobileAppBypassESODforApps "true" or "false" - true - Bypasses ESOD for mobile apps (default).
- false - Does not bypass ESOD.
- Restart the Mobile Access services:
cvpnrestart - If you use a cluster, copy the
$CVPNDIR/conf/cvpnd.C file to all cluster members and restart the services on each.
MDM Cooperative Enforcement
Support for Mobile Device Management (MDM) through third-party vendors enforces a unified security policy for devices that access internal resources. Only managed devices that comply with the organizational security policy can successfully connect and access your business resources.
This feature is supported in R77.10 and higher.
Check Point Apps establish a secure VPN connection to the corporate network through a Check Point Security Gateway. The Security Gateway queries the policy of the MDM server. The MDM server verifies the compliance level of employees' mobile devices when the VPN connection is established. The Security Gateway uses the MDM results to allow or block access, according to the device security and the user's permissions.
This feature is supported by Check Point Capsule Connect and Capsule Workspace clients.
For the most updated vendor information see sk98201.
To configure MDM Cooperative Enforcement with iOS 7, see sk98447.
Overview of the MDM Enforcement workflow:
- Before you start you must have:
- An MDM account set up with required vendor license, if necessary
- Necessary licenses for Capsule Connect or Capsule Workspace
- Users with supported iOS or Android devices
- Configure MDM on the Mobile Access Security Gateway. Edit the global options and vendor options.
- For iOS 7 only: Configure settings and policy for your MDM vendor. See sk98447.
- Make sure that the MDM functionality works - from a mobile device or Security Gateway console.
Configuring MDM on the Security Gateway
Enable MDM Enforcement in a configuration file on the gateway. Then define global options and vendor-specific options.
To configure Mobile Device Management on a Security Gateway:
- Open the Gaia shell on the Security Gateway.
- Log in to mode.
- Open this file to edit:
$FWDIR/conf/mdm.conf - Edit the global options.
MDM is disabled by default. You must change enabled to 1 .
- Edit the vendor options.
- Save the file.
- Test the configuration.
- Install policy.
Global Options
mdm.conf Options
|
Description
|
enabled
|
0 - MDM disabled
1 - MDM enabled
|
monitor_only
|
0 - Full enforcement: non-compliant mobile devices cannot log in.
1 - Monitor only: non-compliant devices can log in and attempts are logged.
|
fail_open
|
Defines behavior for cases of uncertainty, when an error occurs while checking MDM status.
0 - Drop VPN connections when an error occurs while checking MDM compliance status.
1 - Allow VPN connections when an error occurs while checking MDM compliance status.
|
session_timeout_in_sec
|
Maximum seconds allowed to determine device compliance status between the gateway and the MDM cloud service. Starts at device login. If passed, the action of fail_open starts. Recommended: keep default.
|
active_vendor
|
Name of active third-party vendor, to test MDM compliance. You can configure multiple MDM vendors, but only one can be active.
|
password_is_obscured
|
0 - password parameters in show in clear text.
1 - password parameters in show strings. See Obscuring Passwords. Recommended: keep default (1).
|
verify_ssl_cert
|
0 - SSL certificates not verified when gateway accesses MDM cloud services.
1 - SSL certificates verified. Prevents some DNS poisoning, spoofing, man-in-the-middle attacks against gateway. Recommended: keep default (1). If the MDM server is in a cloud, this parameter must be 1 . If you change it, the devices will be vulnerable to MITM attacks. (This risk is lower if the MDM server is local.)
|
ssl_ca_bundle_path
|
Local path on gateway of known CA certificate files. You can add more certificates to those that come with installation. Recommended: keep default.
|
ssl_cipher_list
|
Allowed ciphers for HTTPS between gateway and MDM cloud services. Recommended: keep default.
|
ssl_use_tls_v1
|
To use TLSv1 or SSL for HTTPS between gateway and MDM cloud services. Recommended: keep default.
|
Vendor Options
In , there is a block of options for each vendor. You can add more, if you have an understanding of the vendor's API and expertise with PHP programming. See Advanced Vendor Support.
For the most updated vendor information see sk98201.
Obscuring Passwords in mdm.conf
If the global property is enabled, obscure all parameters named password in the Vendor Configuration blocks.
To get an obscured password string from your password:
- Run:
[expert@hostname:0]# obfuscate_password <password>The output is a string. For example: 33542b323a3528343640
- Copy the string to the , as the
password value. - Save the file.
- Install policy.
Advanced Vendor Support
You can add more vendors. This requires PHP programming skills and an understanding of the third-party MDM vendor's cloud API.
In these steps, we use "BestMDM" as the name of a fictional MDM vendor. BestMDM's API requires an XML request to be sent to their URL that includes credentials and the ID of the device. It returns an XML response with the device status and reason.
Example Request:
<request>
<username>api_username</username>
<password>api_password</password>
<device>device_id</device>
</request >
|
Example Response:
<response>
<status>compliance_status_code</status>
<reason>reason</reason>
</response >
|
Example URL: https://bestmdm.com/api
We use these examples in the steps.
To add support for a new third-party vendor:
- Open to edit:
$CVPNDIR/phpincs/MDMVendors.php - Search for the text:
- Remove the comment for a branch.
- Enter your MDM vendor name.
For example:
case "BestMDM":
BestMDM($mdm_data);
break;
|
- At the end of the file, add a new PHP function. It must access the vendor's cloud API, and return a status and reason array.
For example:
function BestMDM($mdm_data) {
// Build the request XML
$request_xml = new
SimpleXMLElement("<request><username/><password/><device/></request>");
// Fill its fields with data from $mdm_data.
// Note that "username", "password" and "device_id" always in $mdm_data.
$request_xml ->username = $mdm_data["username"];
$request_xml->password = $mdm_data["password"];
$request_xml->device = $mdm_data["device_id"];
// Make POST request using the supplied class URLRequest
// (The class URLRequest is defined in the same .php file).
$url = "https://bestmdm.com/api";
$conn = new URLRequest(); // open HTTP/HTTPS request session
$resp_data = $conn->Request( $url, $post_body = $xml->asXML() );
// Handle possible network error.
If ($resp_data === FALSE)
return array("status"=>MDM_ERROR, "reason"=> $conn->get_error_message());
// Now $resp_data is raw string returned by the cloud API. Parse it as XML:
$resp_xml = new SimpleXMLElement($resp_data);
// Check the status codes returned by the vendor’s API.
$status = MDM_ERROR;
switch ($resp_xml->status) {
case "not_managed":
return array("status"=>MDM_NOT_MANAGED, "reason"=>"");
case "compliant":
return array("status"=>MDM_COMPLIANT, "reason"=>"");
case "not_compliant":
return array("status"=>MDM_NOT_COMPLIANT, "reason"=>$resp_xml->reason);
default:
return array("status"=>MDM_ERROR, "reason"=>"unknown status");
} // end switch
} // end BestMDM compliance protocol handler
|
:
- MDM_ERROR - Error occurred while accessing the MDM vendor’s Cloud API.
- MDM_NOT_MANAGED - The device is not registered in the vendor’s database.
- MDM_NOT_COMPLIANT - The device is known to the vendor as "not compliant with its policy".
- MDM_COMPLIANT - The device is known to the vendor as "compliant with its policy".
- Define
$mdm_data as an array of data from mdm.conf and the device ID.
Array(
"device_id"=>< MAC address of device, or other ID known by the vendor>,
"username"=>< username to access the API of the MDM vendor>,
"password"=>< password to access the API of the MDM vendor>
)
|
- Global parameters and vendor parameters are merged in one list.
- If a vendor parameter is the same name as a global parameter, the vendor parameter overrides the global parameter.
- If includes a
password parameter, and password_is_obscured=1 , the password is decrypted automatically. The function gets the clear text password.
With mdm.conf:
|
$mdm_data value:
|
(
:enabled (1)
:monitor_only (0)
:fail_open (0)
:active_vendor (BestVendor)
:BestVendor (
:username (MyUser)
:auth_key (12345)
)
)
|
Array(
"enabled"=>1,
"monitor_only"=>0,
"fail_open"=>0,
"active_vendor"=>"BestVendor",
"username"=>"MyUser",
"auth_key"=>"12345",
"device_id"=>"12:34:56:78:9A:BC:DE:F0"
)
|
- Save
MDMVendors.php . - Open
$FWDIR/conf/mdm.conf . - Add a section after the lastblock for the new vendor.
For example:
:BestMDM (
:username (MyUserName)
:password (123456)
)
|
- Change the value of to be the name of the new vendor.
For example: :active_vendor (BestMDM)
- Save the file.
- Install policy.
Testing MDM
To make sure that MDM functionality is configured correctly:
- On a mobile device, launch the Check Point Mobile app.
- Connect to the Security Gateway.
- On SmartDashboard, open SmartView Tracker.
- Search for > > .
The , , and values in the details of the device login, show data about MDM compliance status and requirements.
Advanced Testing
You can make sure the MDM configuration works without a device in hand, but it requires expert knowledge. You log in to a test web page and enter the WiFi MAC address of a real device. For security, the MDM test page is disabled by default.
To enable the test page:
- Log in to the Security Gateway console in mode.
- Save a backup of
$CVPNDIR/conf/includes/Login.location.conf . - Open
Login.location.conf to edit. - Search for , and carefully follow the instructions there.
- After you make required changes, save the file and run:
[expert@hostname:0]# cvpnrestart - Open the Mobile Access Portal with the
/Login/MDMProxy path.For example: https://<gateway_hostname>/sslvpn/Login/MDMProxy
- Enter the device MAC address.
- Click .
If there are issues for that device to access the third-party MDM vendor, the page shows diagnostics.
- Revert
Login.location.conf to the backup file. - Run:
[expert@hostname:0]# cvpnrestart
To prevent security risks, always revert and close the test page.
Example Diagnostics:
- Parameters for the MDM vendor’s cloud service (such as
Username or Password ) are not configured correctly in $FWDIR/conf/mdm.conf . - There is a network problem accessing MDM vendor’s cloud service.
- There is a problem with SSL certificates, which prevents the gateway from accessing the MDM vendor’s cloud service.
System Specific Configuration
This section describes system specific configuration required for iPhones, iPads, and Android devices. In some instances, end-user configuration is also required.
iPhone and iPad Configuration
Connecting iPhone/iPad Clients to ActiveSync Applications
When you allow access to an ActiveSync application, users see the Mail Setup item and can install the ActiveSync profile. This gives users access to their corporate email.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To connect to corporate email:
- Sign in to the Mobile Access site.
- Tap Mail Setup.
- Do the on-screen instructions.
Getting Logs from iPhones or iPads
To resolve issues with client devices, tell the users to send you the logs. The iPhone or iPad must have an email account set up.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To configure logs:
- Tap .
Before login, this is on the top right. After login, this is on the bottom right.
- Tap on the navigation bar.
If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.
When an email account is configured, the email page opens. The logs are attached.
|
Note - The email account that the iPhone uses to send the email is the default account. This might not be your organization's ActiveSync account.
|
If the iPhone is not configured for a destination email address for logs, the email that opens has an empty field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.
To set up a default destination address:
- Tap .
- Scroll down to the icon and tap it.
- In the global settings, enter the address in .
Disabling Client SSO
Single Sign On (SSO) lets users in a session connect to the Mobile Access gateway, without authenticating when the client starts. If a user cannot access the gateway while SSO is enabled, disable it.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To disable SSO on a client:
- Tap .
- Scroll down to the icon and tap it.
- In the global settings, tap the > switch.
Android Configurations
Browsing to Servers with Untrusted Server Certificates
When browsing from the Android app to a server with an untrusted server certificate, you are denied access and you get this message:
"Some resources on this page reside on an untrusted host."
In some cases, such as in a staging or demo environment, you can enable browsing to servers with untrusted certificates.
|
Important - Disabling the server certificate validation in the client app is forbidden for production setups since it allows any 3rd-party to intercept the SSL traffic.
|
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To disable the server certificate validation for Web applications:
- Launch the Check Point Mobile app.
- Log in to the site.
- Press the menu button and tap .
- Enable .
|
Note - HTTP (non-SSL) requests are always blocked even when this attribute is disabled.
|
Session Timeout for Android Devices
For Androids, idle timeout cannot be modified or enforced by the device or the gateway.
The only timeout setting that applies to the device is the active session timeout. It is configured in SmartDashboard: option. This setting indicates the maximum session length. When this period is reached, the user must log in again. For example, if re-authentication is set to 120 minutes, a user will need to log in again after 2 hours in an active session.
Getting Logs from Android Clients
To resolve issues with client devices, tell the users to send you the logs.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To enable logs:
- Open the Check Point application.
- Tap .
- Press the button on the device.
- Tap and then .
- Enter the email address of the system administrator.
- Tap .
To send logs:
- Open the Check Point application.
- Tap .
- Press the button on the device.
- Tap .
- Select a way to send the logs.
Instructions for End Users
Give these instructions to end users to configure their mobile devices to work with Mobile Access.
iPhone/iPad End User Configuration
Do these procedures on your iPhone/iPad so you can work with Mobile Access.
Before you start, make sure that your administrator gives you:
- The name of the site you will connect to.
- The required Registration key (also called Activation key).
|
Important - Do only the procedures that your network administrator has instructed you to do.
|
To connect to the corporate site:
- Get the Check Point Mobile app from the App Store.
- When prompted, enter the:
- Site Name
- Registration key
To connect to corporate email:
- Sign in to the Mobile Access site.
- Tap Mail Setup.
- Do the on-screen instructions.
- When asked for the password, enter the Exchange password.
To configure logs:
- Tap .
Before login, this is on the top right. After login, this is on the bottom right.
- Tap on the navigation bar.
If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.
When an email account is configured, the email page opens. The logs are attached.
|
Note - The email account that the iPhone uses to send the email is the default account. This might not be your organization's ActiveSync account.
|
If the iPhone is not configured for a destination email address for logs, the email that opens has an empty field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.
To set up a default destination address:
- Tap .
- Scroll down to the icon and tap it.
- In the global settings, enter the address in .
To disable SSO on a client:
- Tap .
- Scroll down to the icon and tap it.
- In the global settings, tap the > switch.
Android End User Configuration
Do these procedures on your Android device so you can work with Mobile Access.
Before you start, make sure that your administrator gives you:
- The name of the site you will connect to.
- The required Registration key (also called Activation key).
|
Important - Do only the procedures that your network administrator has instructed you to do.
|
To connect to the corporate site:
- Get the Check Point Mobile app from the Android Market.
- When prompted, enter the:
- Site Name
- Registration key
To enable logs:
- Open the Check Point application.
- Tap .
- Press the button on the device.
- Tap and then .
- Enter the email address of the system administrator.
- Tap .
To send logs:
- Open the Check Point application.
- Tap .
- Press the button on the device.
- Tap .
- Select a way to send the logs.
To disable the server certificate validation for Web applications:
- Launch the Check Point Mobile app.
- Log in to the site.
- Press the menu button and tap .
- Enable .
To transfer the client certificate to the 3rd party mail client:
- Launch the Check Point Mobile app.
- Log in to the site.
- Press the menu button and tap .
- From the option, tap . The Export Certificate window opens.
If the Export Certificate option is disabled, contact the system administrator.
- Select the certificate format appropriate for your mail client: P12 or PFX.
- Select the location to save the certificate.
The default path is /sdcard (for devices that have an SD card) or an external resource folder (for devices that do not have an SD card). - Tap to save the certificate to the selected location.
A window shows: Export succeeded. Certificate password is: _______
- You can copy the password to the clipboard. You will need the password when you import the certificate to the third party mail app.
Advanced Gateway Configuration for Handheld Devices
You can customize client authentication, device requirements, certificate details, and ActiveSync behavior. Use the CLI commands explained here to change the configuration file:
$CVPNDIR/conf/cvpnd.C
|
Note - Disable Link Translation Domain on Mobile Access gateways before you connect to them with the Android client.
|
To apply changes:
Restart the Mobile Access services: cvpnrestart
If you use a cluster, copy the $CVPNDIR/conf/cvpnd.C file to all cluster members and restart the services on each.
To set Mobile Access attributes:
cvpnd_settings <conf_file_path> set <attribute_name> "<value>"
To get the current value of an attribute:
cvpnd_settings <conf_file_path> get <attribute_name>
|
|
|
Attribute
|
Description
|
ActiveSyncAllowed (true)
|
If access to ActiveSync applications is allowed.
|
ActiveSyncExchangeServerAuthenticationMethod (basic)
|
Method of forwarding authentication from the Mobile Access gateway to the internal Exchange server.
Valid values: basic , digest , ntlm
|
ActiveSyncClientCertificateNeeded (true)
|
If ActiveSync access for all mobile devices requires a client certificate. Changing this value affects all mobile devices using the gateway.
|
MobileAppAllowActiveSyncProfileConfig (true)
|
Make the automatic ActiveSync Profile configuration for iPhones and iPads available to users. If true, only users with authorization to access ActiveSync applications see this feature. If false, no user sees this feature.
|
MobileAppMinRequiredClientOSVersion (3.1)
|
Minimum operating system version for iPhones and iPads. If a client fails this requirement, user sees
Your OS version must be upgraded
|
MobileAppAndroidMinRequiredClientOSVersion (2.1)
|
Minimum operating system version for Android. If a client fails this requirement, user sees
Your OS version must be upgraded
|
MobileAppMinRecommendedClientOSVersion (3.1)
|
Recommended operating system version for iPhones and iPads. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than value, or Mobile Access will not start.
|
MobileAppAndroidMinRecommendedClientOSVersion (2.1)
|
Recommended operating system version for Android. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than value, or Mobile Access will not start.
|
MobileAppMinRequiredClientAppVersion (1.3)
|
Minimum App version required for iPhones and iPads. If a client fails this requirement, user sees
Application Update Required
|
MobileAppAndroidMinRequiredClientAppVersion (1.0)
|
Minimum App version required for Android. If a client fails this requirement, user sees
Application Update Required
|
MobileAppMinRecommendedClientAppVersion (1.3)
|
Recommended App version for iPhones and iPads. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than value, or Mobile Access will not start.
|
MobileAppAndroidMinRecommendedClientAppVersion (1.0)
|
Recommended App version for Android. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than value, or Mobile Access will not start.
|
MobileAppMinClientOSVersionForProfileConfig (3.1)
|
Minimum operating system version for iPhone and iPad to configure ActiveSync with the app.
If you want data encryption, change this value from the default to 4.0 . Make sure the ActiveSync policy (configured on the Exchange server) enforces data encryption.
|
MobileAppAndroidMinClientOSVersionForProfileConfig (2.1)
|
Minimum operating system version for Android to configure ActiveSync with the app. If you want data encryption, change this value from the default to 3.0 . Make sure the ActiveSync policy (configured on the Exchange server) enforces data encryption.
|
MobileAppIncludeLocationInLogs (false)
|
A GPS feature. When true, iPhones/iPads send physical location data to the gateway, where it is collected and appears in authentication logs.
|
MobileAppClientSideTimeout (0)
|
Timeout (in seconds), controlled by the device. If the active Web application is idle for this amount of time, the end-user is redirected to the login page. This protects sensitive data that a user could have left open on the device. The default zero (0) means that the timeout is taken from the Mobile Access option: .
This attribute is not applicable to Android clients.
|
MobileAppBypassESODforApps (false)
|
When true, mobile apps are allowed access to MAB applications whose protection level requires ESOD compliance.
Mobile apps can always access the MAB portal.
|
MobileAppAllowClientCertExport (false)
|
When true, allows mobile app clients to export their client certificates to other apps and devices. See Using 3rd Party Android Mail Clients.
|
|
|