Mobile Access for Smartphones and Tablets

Overview of Mobile Access for Smartphones and Tablets

To manage your users and their access to resources, make sure to:

Certificate Authentication for Handheld Devices

For handheld devices to connect to the Security Gateway, these certificates must be properly configured:

Managing Client Certificates

Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management Server that manages the Mobile Access Security Gateway.

Manage client certificates in Security Policies > Access Control > Access Tools > Client Certificates.

The page has two panes.

  • In the Client Certificates pane:

    • Create, edit, and revoke client certificates.

    • See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click Show more to see more results.

    • Search for specified certificates.

    • Send certificate information to users.

  • In the Email Templates for Certificate Distribution pane:

    • Create and edit email templates for client certificate distribution.

    • Preview email templates.

Creating Client Certificates

Note - If you use LDAP or AD, creation of client certificates does not change the LDAP or AD server. If you get an error message regarding LDAP/AD write access, ignore it and close the window to continue.

Revoking Certificates

If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the Client Certificate list.

Creating Templates for Certificate Distribution

Cloning a Template

Clone an email template to create a template that is similar to one that already exists.

Remote Wipe

Remote Wipe removes the offline data cached on the user's mobile device.

When the administrator revokes the internal CA certificate, a Remote Wipe push notification is sent, if the Remote Wipe configuration for the client enables Remote Wipe by Push Notification. Remote Wipe is triggered when the device gets the push notification.

Note: Remote Wipe by Push Notification works by best effort. There is no guarantee that the Security Gateway will send the notification, or that the client will get it successfully.

If the device does not get the Remote Wipe push notification, Remote Wipe is triggered when the client does an activity that requires connection to the Security Gateway while using a revoked internal CA certificate.

Remote Wipe sends logs:

  • If a Remote Wipe Push Notification is sent.

  • When a Remote Wipe process ends successfully.

This feature is supported in R77.10 and above.

Managing Mobile Settings

For Capsule Workspace, many settings that affect the user experience on mobile devices come from the Mobile Profile.

Each Mobile Access user group has an assigned Mobile Profile. By default, all users get the Default Profile.

The settings in the Mobile Profile include:

  • Passcode Settings

  • Mail, Calendar, and Contacts availability

  • Settings for offline content

  • Where contacts come from

Manage the Mobile Profiles in Mobile Access tab > Capsule Workspace Settings.

  • In the Mobile Profiles pane:

    • See all Mobile Profiles.

    • Create, edit, delete, clone, and rename Mobile Profiles.

  • In the Mobile Profile Policy pane:

    • Create rules to assign Mobile Profiles to user groups.

    • Search for a user or group within the policy rules.

Creating and Editing Mobile Profiles

Capsule Workspace Settings in the Mobile Profile

Managing Passcode Profiles

A passcode lock protects Capsule Workspace in mobile devices. In each Mobile Profile, configure which Passcode Profile it uses. The profile includes the passcode requirements, expiration, and number of failed attempts allowed. The default passcode profiles are Normal, Permissive, and Restrictive. You can edit the default profiles and create new profiles.

Push Notifications

This feature sends push notifications for incoming emails and meeting requests on handheld devices, while the Mobile Mail app is in the background. The app icon shows the number of new, unhandled notifications. One user can get notifications for multiple devices.

Push notifications are disabled by default, but enabled when you run the Mobile Access First Time Wizard.

To use push notifications, the Security Gateway must have connectivity to these URLs on ports 443 and 80:

  • https://push.checkpoint.com (209.87.211.173 and 217.68.8.71)

  • http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

  • http://crl.verisign.com/pca3-g5.crl
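
The following is an added pre-flight script, not Check Point's own tooling, that checks from the Security Gateway whether a TCP connection can be opened to each endpoint above on the port its scheme implies (443 for https, 80 for http). It assumes bash (for /dev/tcp) and the coreutils timeout command are available on the gateway.

```bash
#!/bin/bash
# Added example, not Check Point's own tooling: pre-flight check that the
# Security Gateway can open TCP connections to the push notification
# endpoints listed above, on the port each URL's scheme implies.
# Assumes bash (for /dev/tcp) and the coreutils 'timeout' command.

# Endpoints exactly as documented on this page.
PUSH_ENDPOINTS="https://push.checkpoint.com
http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl
http://crl.verisign.com/pca3-g5.crl"

# url_host_port URL -> prints "HOST PORT"; https implies 443, http 80.
url_host_port() {
  local url=$1 host port
  case $url in
    https://*) port=443; host=${url#https://} ;;
    http://*)  port=80;  host=${url#http://} ;;
    *)         return 1 ;;           # unsupported scheme
  esac
  host=${host%%/*}                   # strip the path component
  printf '%s %s\n' "$host" "$port"
}

# probe HOST PORT -> 0 when a TCP connection opens within 5 seconds.
probe() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_push_connectivity -> 0 only if every endpoint is reachable;
# prints one status line per endpoint so the output is easy to read.
check_push_connectivity() {
  local failed=0 url hp host port
  for url in $PUSH_ENDPOINTS; do
    hp=$(url_host_port "$url") || { echo "SKIP  $url"; continue; }
    host=${hp% *}; port=${hp#* }
    if probe "$host" "$port"; then
      echo "OK    $host:$port"
    else
      echo "FAIL  $host:$port"; failed=1
    fi
  done
  return "$failed"
}

# Run the check when invoked as: bash push_check.sh run
if [ "${1:-}" = "run" ]; then check_push_connectivity; fi
```

A FAIL line for push.checkpoint.com means registration and notification delivery cannot work; a FAIL on a CRL URL means the gateway cannot validate the push server's certificate chain.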

Notes:

  • Users must enable notifications for the Mobile Mail app on iOS devices.

  • Push notifications can increase Exchange server CPU usage if many users are connected.

  • The Exchange server must have access to the Mobile Access Portal.

  • If you change the URL or IP address of the Mobile Access Portal after you enable push notifications, you must update the Push Portal attributes with Database Tool (GuiDBEdit Tool):

    1. In Database Tool (GuiDBEdit Tool) (see sk13009), go to the Portals section of your Security Gateway > portal_name > ExchangeRegistration.

    2. Change main_url and ip_address to match the URL of the Mobile Access Portal.

    3. Save the changes and close Database Tool (GuiDBEdit Tool).

    4. In SmartDashboard, install policy on the Security Gateway.

Configuring Push Notifications

Customizing Push Notifications

Customize push notifications from the mobile profile in the Mobile Access tab > Capsule Workspace Settings.

You can customize templates for Mail and Meeting notifications.

Exchange Server and Security Gateway Communication

Make sure that the Exchange server can access the Mobile Access Portal.

On R77.20 and higher Security Gateways, all confidential information between the Exchange server and the Security Gateway uses encrypted SSL tunnels. Non-confidential information can use unencrypted HTTP connections.

You can configure all push notification communication to use SSL tunnels.

By default, Kerberos authentication is not enabled for Push Notification registration to the Exchange server. To enable it, follow the instructions in sk110629.

On Security Gateways R77.10, if the certificate on the Security Gateway is not trusted, import the certificate to the Exchange Server. This is not necessary on Security Gateways R77.20 and higher. For details about how to get the Security Gateway certificate, see sk98203.

Push Notification Status Utility

Use the Push Notification Status Utility to understand if your environment is configured correctly for push notifications.

Monitoring Push Notification Usage

Use the fwpush commands to monitor, debug, and troubleshoot push notification activity.

Note - Users must first install the latest version of the Capsule Workspace app from the app store and connect to the site created on the Security Gateway.

To see failed batches, expired push notifications, and delayed push notifications, see: $FWDIR/log/pushd_failed_posts

ESOD Bypass for Mobile Apps

Hand-held devices cannot run Endpoint Security on Demand (ESOD) components. By default, ESOD is disabled for smartphones and tablets.

If your organization has ESOD enabled, mobile apps cannot access ESOD enforced applications.

Note - Mobile apps are not recognized by their HTTP User-Agent header.

MDM Cooperative Enforcement

Support for Mobile Device Management (MDM) through third-party vendors enforces a unified security policy for devices that access internal resources. Only managed devices that comply with the organizational security policy can successfully connect and access your business resources.

This feature is supported in R77.10 and above.

Check Point Apps establish a secure VPN connection to the corporate network through a Check Point Security Gateway. The Security Gateway queries the policy of the MDM server. The MDM server verifies the compliance level of employees' mobile devices when the VPN connection is established. The Security Gateway uses the MDM results to allow or block access, according to the device security and the user's permissions.

This feature is supported by Check Point Capsule Connect and Capsule Workspace clients.

For the most updated vendor information see sk98201.

To configure MDM Cooperative Enforcement with iOS 7, see sk98447.

Configuring MDM on the Security Gateway

Enable MDM Enforcement in a configuration file on the Security Gateway. Then define global options and vendor-specific options.

Advanced Vendor Support

You can add more vendors. This requires PHP programming skills and an understanding of the third-party MDM vendor's cloud API.

Testing MDM

Advanced Testing

You can make sure the MDM configuration works without a device in hand, but it requires expert knowledge. You log in to a test web page and enter the WiFi MAC address of a real device. For security, the MDM test page is disabled by default.

System Specific Configuration

This section describes system specific configuration required for iPhones, iPads, and Android devices. In some instances, end-user configuration is also required.

iPhone and iPad Configuration

Android Configurations

Instructions for End Users

Give these instructions to end users to configure their mobile devices to work with Mobile Access.

iPhone/iPad End User Configuration

Do these procedures on your iPhone/iPad so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

  • The name of the site you will connect to.

  • The required Registration key (also called Activation key).

Important - Do only the procedures that your network administrator has instructed you to do.

To connect to the corporate site:

  1. Get Check Point Capsule Workspace from the App Store.

  2. When prompted, enter the:

    • Site Name

    • Registration key

To connect to corporate email:

  1. Sign in to the Mobile Access site.

  2. Tap Mail Setup.

  3. Follow the on-screen instructions.

  4. When asked for the password, enter the Exchange password.

To configure logs:

  1. Tap Information.

    Before login, this is on the top right. After login, this is on the bottom right.

  2. Tap Report a Problem on the navigation bar.

    If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.

    When an email account is configured, the email page opens. The logs are attached.

    Note - The email account that the iPhone uses to send the email is the default account. This might not be your organization's ActiveSync account.

    If the iPhone is not configured for a destination email address for logs, the email that opens has an empty To field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.

To disable SSO on a client:

  1. Tap Settings.

  2. Scroll down to the Capsule Workspace icon and tap it.

  3. In the Mobile global settings, tap the Single Sign On > Enabled switch.

Android End User Configuration

Do these procedures on your Android device so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

  • The name of the site you will connect to.

  • The required Registration key (also called Activation key).

Important - Do only the procedures that your network administrator has instructed you to do.

Advanced Security Gateway Configuration for Handheld Devices

You can customize client authentication, device requirements, certificate details, and ActiveSync behavior. Use the CLI commands explained here to change the configuration file:
$CVPNDIR/conf/cvpnd.C

Note - Disable Link Translation Domain on Mobile Access Security Gateways before you connect to them with the Android client.

To apply changes:

Restart the Mobile Access services: cvpnrestart

If you use a cluster, copy the $CVPNDIR/conf/cvpnd.C file to all cluster members and restart the services on each.

To set Mobile Access attributes:

cvpnd_settings set <attribute_name> "<value>"

To get the current value of an attribute:

cvpnd_settings get <attribute_name>