Mobile Access for Smartphones and Tablets

Overview of Mobile Access for Smartphones and Tablets

To manage your users and their access to resources, make sure to:

Certificate Authentication for Handheld Devices

For handheld devices to connect to the Security Gateway, these certificates must be properly configured:

Managing Client Certificates

Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management Server that manages the Mobile Access Security Gateway.

Manage client certificates in Security Policies > Access Control > Access Tools > Client Certificates.

The page has two panes.

  • In the Client Certificates pane:

    • Create, edit, and revoke client certificates.

    • See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click Show more to see more results.

    • Search for specified certificates.

    • Send certificate information to users.

  • In the Email Templates for Certificate Distribution pane:

    • Create and edit email templates for client certificate distribution.

    • Preview email templates.

Creating Client Certificates

Note - If you use LDAP or AD, creation of client certificates does not change the LDAP or AD server. If you get an error message regarding LDAP/AD write access, ignore it and close the window to continue.

Revoking Certificates

If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the Client Certificate list.

Creating Templates for Certificate Distribution

Cloning a Template

Clone an email template to create a template that is similar to one that already exists.

Remote Wipe

Remote Wipe removes the offline data cached on the user's mobile device.

When the administrator revokes a user's client certificate (issued by the internal CA), a Remote Wipe push notification is sent, if the Remote Wipe configuration for the client enables Remote Wipe by Push Notification. Remote Wipe is triggered when the device gets the push notification.

Note - Remote Wipe by Push Notification works by best effort. There is no guarantee that the Security Gateway will send the notification, or that the client will get it successfully.

If the device does not get the Remote Wipe push notification, Remote Wipe is triggered when the client does an activity that requires connection to the Security Gateway while using a revoked internal CA certificate.

Remote Wipe writes logs:

  • If a Remote Wipe Push Notification is sent.

  • When a Remote Wipe process ends successfully.

Mobile Device Profiles

For Capsule Workspace, many settings that affect the user experience on mobile devices come from the Mobile Profile.

Each Mobile Access user group has an assigned Mobile Profile. By default, all users get the Default Profile.

The settings in the Mobile Profile include:

  • Passcode Settings

  • Mail, Calendar, and Contacts availability

  • Settings for offline content

  • Where contacts come from

Manage the Mobile Profiles in Mobile Access tab > Capsule Workspace Settings.

  • In the Mobile Profiles pane:

    • See all Mobile Profiles.

    • Create, edit, delete, clone, and rename Mobile Profiles.

  • In the Mobile Profile Policy pane:

    • Create rules to assign Mobile Profiles to user groups.

    • Search for a user or group within the policy rules.

Creating and Editing Mobile Profiles

Capsule Workspace Settings in the Mobile Profile

Managing Passcode Profiles

A passcode lock protects Capsule Workspace in mobile devices. In each Mobile Profile, configure which Passcode Profile it uses. The profile includes the passcode requirements, expiration, and number of failed attempts allowed. The default passcode profiles are Normal, Permissive, and Restrictive. You can edit the default profiles and create new profiles.

Push Notifications

This feature sends push notifications for incoming emails and meeting requests on handheld devices, while the Mobile Mail app is in the background. The app icon shows the number of new, unhandled notifications. One user can get notifications for multiple devices.

Push notifications are disabled by default, but enabled when you run the Mobile Access First Time Wizard.

To use push notifications, the Security Gateway must have connectivity to these URLs on ports 443 and 80:

  • https://push.checkpoint.com

    (209.87.211.173 and 217.68.8.71)

  • http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

  • http://crl.verisign.com/pca3-g5.crl

Notes:

  • Users must enable notifications for the Mobile Mail app on iOS devices

  • Push notifications can increase Exchange server CPU usage if many users are connected

  • The Exchange server must have access to the Mobile Access Portal.

  • If you change the URL or IP address of the Mobile Access Portal after you enable push notifications, you must update the Push Portal attributes with Database Tool (GuiDBEdit Tool):

    1. Close all SmartConsole windows connected to the Management Server.

    2. Connect with Database Tool (GuiDBEdit Tool) to the Management Server.

    3. Go to the Portals section of your Security Gateway > portal_name > ExchangeRegistration.

    4. Change main_url and ip_address to match the URL of the Mobile Access Portal.

    5. Save the changes and close Database Tool (GuiDBEdit Tool).

    6. In SmartDashboard, install policy on the Security Gateway.

Configuring Push Notifications

Customizing Push Notifications

Customize push notifications from the mobile profile in the Mobile Access tab > Capsule Workspace Settings.

You can customize templates for Mail and Meeting notifications.

Exchange Server and Security Gateway Communication

Make sure that the Exchange server can access the Mobile Access Portal.

All confidential information between the Exchange server and the Security Gateway uses encrypted SSL tunnels. Non-confidential information can use unencrypted HTTP connections.

You can configure all push notification communication to use SSL tunnels.

By default, Kerberos authentication is not enabled for Push Notification registration to the Exchange server. To enable it, follow the instructions in sk110629.

Push Notification Status Utility

Use the Push Notification Status Utility to understand if your environment is configured correctly for push notifications.

Monitoring Push Notification Usage

Use the fwpush commands to monitor, debug, and troubleshoot push notification activity.

Note - Users must first install the latest version of the Capsule Workspace app from the app store and connect to the site created on the Security Gateway.

To see failed batches, expired push notifications, and delayed push notifications, see: $FWDIR/log/pushd_failed_posts

ESOD Bypass for Mobile Apps

Hand-held devices cannot run Endpoint Security on Demand (ESOD) components. By default, ESOD is disabled for smartphones and tablets.

If your organization has ESOD enabled, mobile apps cannot access ESOD-enforced applications, unless you set the MobileAppBypassESODforApps attribute to true (see Advanced Security Gateway Configuration for Handheld Devices).

Note - Mobile apps are not recognized by their HTTP User-Agent header.

System Specific Configuration

This section describes system specific configuration required for iPhones, iPads, and Android devices. In some instances, end-user configuration is also required.

iPhone and iPad Configuration

Android Configurations

Instructions for End Users

Give these instructions to end users to configure their mobile devices to work with Mobile Access.

iPhone/iPad End User Configuration

Do these procedures on your iPhone/iPad so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

  • The name of the site you will connect to.

  • The required Registration key (also called Activation key).

Important - Do only the procedures that your network administrator instructed you to do.

To connect to the corporate site:

  1. Get Check Point Capsule Workspace from the App Store.

  2. When prompted, enter the:

    • Site Name

    • Registration key

To connect to corporate email:

  1. Sign in to the Mobile Access site.

  2. Tap Mail Setup.

  3. Follow the on-screen instructions.

  4. When asked for the password, enter the Exchange password.

To configure logs:

  1. Tap Information.

    Before login, this is on the top right. After login, this is on the bottom right.

  2. Tap Report a Problem on the navigation bar.

    If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.

    When an email account is configured, the email page opens. The logs are attached.

    Note - The email account that the iPhone uses to send the email is the default account. This might not be your organization's ActiveSync account.

    If the iPhone is not configured for a destination email address for logs, the email that opens has an empty To field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.

To disable SSO on a client:

  1. Tap Settings.

  2. Scroll down to the Capsule Workspace icon and tap it.

  3. In the Mobile global settings, tap the Single Sign On > Enabled switch.

Android End User Configuration

Do these procedures on your Android device so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

  • The name of the site you will connect to.

  • The required Registration key (also called Activation key).

Important - Do only the procedures that your network administrator instructed you to do.

Advanced Security Gateway Configuration for Handheld Devices

You can customize client authentication, device requirements, certificate details, and ActiveSync behavior.

Use the CLI commands below to change the settings in the configuration file:

$CVPNDIR/conf/cvpnd.C

To apply changes, restart the Mobile Access services:

cvpnrestart

Notes:

  • Disable Link Translation Domain on Mobile Access Security Gateways before you connect to them with the Android client.

  • In a Cluster, you must configure all the Cluster Members in the same way.

To set Mobile Access attributes:

cvpnd_settings set <attribute_name> "<value>"

To get the current value of an attribute:

cvpnd_settings get <attribute_name>

Attributes (name, default value, description):

ActiveSyncAllowed
  Default value: true
  Whether access to ActiveSync applications is allowed.

ActiveSyncExchangeServerAuthenticationMethod
  Default value: basic
  Method of forwarding authentication from the Mobile Access Security Gateway to the internal Exchange server. Use the method that the Exchange server is configured to accept.
  Valid values: basic, digest, ntlm

MobileAppAllowActiveSyncProfileConfig
  Default value: true
  Makes the automatic ActiveSync Profile configuration for iPhones and iPads available to users.
  • true - Only users with authorization to access ActiveSync applications see this feature.
  • false - No user sees this feature.

MobileAppMinRequiredClientOSVersion
  Default value: 3.1
  Minimum operating system version for iPhones and iPads. If a client fails this requirement, the user sees: "Your OS version must be upgraded"

MobileAppAndroidMinRequiredClientOSVersion
  Default value: 2.1
  Minimum operating system version for Android. If a client fails this requirement, the user sees: "Your OS version must be upgraded"

MobileAppMinRecommendedClientOSVersion
  Default value: 3.1
  Recommended operating system version for iPhones and iPads. If a client fails this recommendation, the user sees a message but usage continues.
  Note - The value must be equal to or greater than the Required value, or Mobile Access cannot start.

MobileAppAndroidMinRecommendedClientOSVersion
  Default value: 2.1
  Recommended operating system version for Android. If a client fails this recommendation, the user sees a message but usage continues.
  Note - The value must be equal to or greater than the Required value, or Mobile Access cannot start.

MobileAppMinRequiredClientAppVersion
  Default value: 1.3
  Minimum App version required for iPhones and iPads. If a client fails this requirement, the user sees: "Application Update Required"

MobileAppAndroidMinRequiredClientAppVersion
  Default value: 1.0
  Minimum App version required for Android. If a client fails this requirement, the user sees: "Application Update Required"

MobileAppMinRecommendedClientAppVersion
  Default value: 1.3
  Recommended App version for iPhones and iPads. If a client fails this recommendation, the user sees a message but usage continues.
  Note - The value must be equal to or greater than the Required value, or Mobile Access cannot start.

MobileAppAndroidMinRecommendedClientAppVersion
  Default value: 1.0
  Recommended App version for Android. If a client fails this recommendation, the user sees a message but usage continues.
  Note - The value must be equal to or greater than the Required value, or Mobile Access cannot start.

MobileAppMinClientOSVersionForProfileConfig
  Default value: 3.1
  Minimum operating system version for iPhone and iPad to configure ActiveSync with the app. If you want data encryption, change this value to 4.0, and make sure that the ActiveSync policy (configured on the Exchange server) enforces data encryption.

MobileAppAndroidMinClientOSVersionForProfileConfig
  Default value: 2.1
  Minimum operating system version for Android to configure ActiveSync with the app. If you want data encryption, change this value to 3.0, and make sure that the ActiveSync policy (configured on the Exchange server) enforces data encryption.

MobileAppBypassESODforApps
  Default value: false
  When true, mobile apps are allowed access to Mobile Access applications whose protection level requires Endpoint Security on Demand compliance. Mobile apps can always access the Mobile Access Portal.

MobileAppAllowClientCertExport
  Default value: false
  When true, allows mobile app clients to export their client certificates to other apps and devices. Leave this at false unless you need it: an exported certificate can be used from an app or device that did not enroll it.
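The cvpnd_settings procedure above, as an added example that is not part of the original page and not Check Point's own tooling: a shell script that applies a set of the attributes listed above on a Mobile Access Security Gateway, checking first that every Recommended version is equal to or greater than its Required version (otherwise Mobile Access cannot start), and reading each attribute back after it is written. Everything in PROFILE is an illustrative assumption, not a Check Point recommendation (the 4.0 and 3.0 OS versions come from the data-encryption notes above; ntlm is only one of the three valid values and must match what the Exchange server accepts), as is the read-back check, which assumes that cvpnd_settings get prints the stored value.

```shell
#!/bin/bash
# Added example, not Check Point's own code: apply a hardening profile for the
# cvpnd.C attributes listed above with cvpnd_settings, in expert mode on the
# Mobile Access Security Gateway (repeat on every Cluster Member).
# Assumptions (illustrative, not Check Point recommendations): the values in
# PROFILE, and that "cvpnd_settings get" prints the stored value so that a
# substring match is enough to verify the write.
# Usage: ./mobile_hardening.sh plan   (default; print the commands only)
#        ./mobile_hardening.sh apply  (run them, read back, cvpnrestart)
set -eu

# Desired values, one "Attribute Value" per line. Required/Recommended pairs
# are set together, because Mobile Access does not start when a Recommended
# value is lower than its Required value.
PROFILE='
MobileAppAllowClientCertExport false
MobileAppBypassESODforApps false
ActiveSyncExchangeServerAuthenticationMethod ntlm
MobileAppMinRequiredClientOSVersion 4.0
MobileAppMinRecommendedClientOSVersion 4.0
MobileAppMinClientOSVersionForProfileConfig 4.0
MobileAppAndroidMinRequiredClientOSVersion 3.0
MobileAppAndroidMinRecommendedClientOSVersion 3.0
MobileAppAndroidMinClientOSVersionForProfileConfig 3.0
'

# profile_get ATTR: print the value PROFILE assigns to ATTR (nothing if unset)
profile_get() {
    printf '%s\n' "$PROFILE" | awk -v k="$1" '$1 == k { print $2 }'
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically (so 3.10 > 3.9, and 3 equals 3.0)
version_ge() {
    local a="$1" b="$2" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a='' ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b='' ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# check_profile: fail before touching the gateway if a Recommended value is
# below its Required value, or if only one side of a pair is being changed
check_profile() {
    local req_name rec_name req rec rc=0
    for req_name in MobileAppMinRequiredClientOSVersion \
                    MobileAppAndroidMinRequiredClientOSVersion \
                    MobileAppMinRequiredClientAppVersion \
                    MobileAppAndroidMinRequiredClientAppVersion; do
        rec_name=$(printf '%s' "$req_name" | sed 's/Required/Recommended/')
        req=$(profile_get "$req_name")
        rec=$(profile_get "$rec_name")
        [ -n "$req$rec" ] || continue          # pair not managed by PROFILE
        if [ -z "$req" ] || [ -z "$rec" ]; then
            echo "ERROR: set $req_name and $rec_name together" >&2; rc=1
        elif ! version_ge "$rec" "$req"; then
            echo "ERROR: $rec_name=$rec is below $req_name=$req" >&2; rc=1
        fi
    done
    return "$rc"
}

# run_profile plan|apply: print the cvpnd_settings commands, or run each one,
# read the attribute back to confirm the write, then restart Mobile Access
run_profile() {
    local mode="$1"
    check_profile
    printf '%s\n' "$PROFILE" | while read -r attr value; do
        [ -n "$attr" ] || continue
        if [ "$mode" = apply ]; then
            cvpnd_settings set "$attr" "$value"
            got=$(cvpnd_settings get "$attr")   # assumed to print the value
            case "$got" in
                *"$value"*) ;;
                *) echo "ERROR: $attr reads back as '$got'" >&2; exit 1 ;;
            esac
        else
            echo "cvpnd_settings set $attr \"$value\""
        fi
    done
    if [ "$mode" = apply ]; then cvpnrestart; fi
}

case "${1:-plan}" in
    plan|apply) run_profile "${1:-plan}" ;;
    *) echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Run plan on any machine to review the commands, then run apply in expert mode on each Cluster Member, since the members must be configured identically. The apply mode ends with cvpnrestart, which restarts the Mobile Access services, so run it in a maintenance window.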