MDM Cooperative Enforcement

Support for Mobile Device Management (MDM) through third-party vendors enforces a unified security policy for devices that access internal resources. Only managed devices that comply with the organizational security policy can successfully connect and access your business resources.

Check Point Apps establish a secure VPN connection to the corporate network through a Check Point Security Gateway. The Security Gateway queries the policy of the MDM server. The MDM server verifies the compliance level of employees' mobile devices when the VPN connection is established. The Security Gateway uses the MDM results to allow or block access, according to the device security and the user's permissions.

This feature is supported by Check Point Capsule Connect and Capsule Workspace clients.

For the most updated vendor information, see sk98201.

To configure MDM Cooperative Enforcement with iOS 7, see sk98447.

Overview of the MDM Enforcement workflow:

  1. Prerequisites:

    • An MDM account set up with the required vendor license.

    • Necessary licenses for Capsule Connect or Capsule Workspace.

    • Users with supported iOS or Android devices.

  2. Configure MDM on the Mobile Access Security Gateway.

  3. For iOS 7 only: Configure settings and policy for your MDM vendor. See sk98447.

  4. Make sure that the MDM functionality works - from a mobile device or Security Gateway.

Configuring MDM on the Security Gateway

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Enable MDM Enforcement on the Mobile Access Gateway in a configuration file.

To configure Mobile Device Management on a Security Gateway:

  1. Connect to the command line on the Mobile Access Gateway.

  2. Log in to the Expert mode.

  3. Edit the $FWDIR/conf/mdm.conf file:

    vi $FWDIR/conf/mdm.conf

  4. Edit the global parameters (see the summary table below).

    • Enable the MDM CE. Set the value of the "enabled" parameter to 1:

      :enabled (1)

    • Configure other global parameters.

  5. Edit the vendor parameters (see the summary table below).

  6. Save the changes in the file and exit the editor.

  7. Test the configuration.

  8. In SmartConsole, install the Access Control Policy on the Mobile Access Gateway.

Global MDM CE Parameters

enabled
    Controls the MDM CE status:
      • 0 - Disables MDM
      • 1 - Enables MDM

monitor_only
    Controls the MDM mode:
      • 0 - Full enforcement: non-compliant mobile devices cannot log in.
      • 1 - Monitor only: non-compliant devices can log in, and the attempts are logged.

fail_open
    Defines the behavior in cases of uncertainty, when an error occurs while the Security Gateway checks the MDM status:
      • 0 - The Security Gateway denies remote access sessions.
      • 1 - The Security Gateway allows remote access sessions.

session_timeout_in_sec
    Controls the timeout (in seconds) for determining the device compliance status between the Security Gateway and the MDM cloud service.
    The time count starts at device login.
    If the timeout passes, the Security Gateway performs the action configured by the value of the "fail_open" parameter.
    Recommended: keep the default value of (15).

active_vendor
    Name of the active third-party vendor used to test MDM compliance.
    You can configure multiple MDM vendors, but only one can be active.
    (See Advanced Vendor Support).

password_is_obscured
    Controls how password parameters appear in the mdm.conf file:
      • 0 - The password parameters appear in clear text.
      • 1 - The password parameters appear as obfuscated strings.
    (See Obfuscating Passwords in the $FWDIR/conf/mdm.conf File).
    Recommended: keep the default value of (1).

verify_ssl_cert
    Controls whether the Security Gateway verifies the SSL certificate when it accesses MDM cloud services:
      • 0 - Does not perform SSL certificate verification.
      • 1 - Performs SSL certificate verification. Prevents attacks against the Security Gateway (such as some DNS poisoning, spoofing, and man-in-the-middle attacks).
    Recommended: keep the default value of (1).
    Important - If the MDM server is in a cloud, the value of this parameter must be 1. If you change it, the gateway becomes vulnerable to MITM attacks. (This risk is lower if the MDM server is local.)

ssl_ca_bundle_path
    Local path on the Security Gateway to the known CA certificate files.
    You can add more certificates.
    Recommended: keep the default path.

ssl_cipher_list
    Contains the list of allowed ciphers for HTTPS between the Security Gateway and MDM cloud services.
    Recommended: keep the default list.

ssl_use_tls_v1
    Controls whether to use TLSv1 or SSL for HTTPS between the Security Gateway and MDM cloud services:
      • 0 - Uses SSL
      • 1 - Uses TLSv1
    Recommended: keep the default value of (1).
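The following is an added example, not Check Point code, that models how the global switches above (enabled, monitor_only, fail_open, session_timeout_in_sec) combine with a vendor result into an allow/deny decision and the values a log viewer would show. The status names mirror the MDM_* constants returned by vendor handlers in MDMVendors.php; the evaluation order (timeout, then fail_open, then monitor_only) and the "disabled" label are this example's assumptions.

```python
"""Added example (not Check Point code): how the global mdm.conf switches
combine with a vendor result into an allow/deny decision.

Assumptions: a late vendor answer is treated as an error, errors are governed
by fail_open (not by monitor_only), and with enabled=0 the vendor is never
consulted. Config values may be the strings read from mdm.conf or ints."""
from dataclasses import dataclass

# Status constants, named after the vendor handler return values on the page.
MDM_ERROR = "MDM_ERROR"
MDM_NOT_MANAGED = "MDM_NOT_MANAGED"
MDM_NOT_COMPLIANT = "MDM_NOT_COMPLIANT"
MDM_COMPLIANT = "MDM_COMPLIANT"


@dataclass
class Decision:
    allow: bool            # whether the VPN login proceeds
    compliance_check: str  # what a log viewer would show as "Compliance Check"
    reason: str            # reason text from the vendor, or built here


def _flag(config, name, default):
    """mdm.conf values arrive as strings ("1"); anything but "1" is off."""
    return str(config.get(name, default)) == "1"


def decide(config: dict, status: str, reason: str = "", elapsed_sec: float = 0.0) -> Decision:
    """Turn a vendor result into a decision under the given global parameters.

    config      - global parameters as read from mdm.conf
    status      - one of the MDM_* constants returned by the vendor handler
    reason      - reason text returned by the vendor handler
    elapsed_sec - seconds since device login when the vendor answered
    """
    if not _flag(config, "enabled", 0):
        # MDM CE is off: the gateway does not consult the vendor at all.
        return Decision(True, "disabled", "MDM enforcement disabled")

    timeout = int(config.get("session_timeout_in_sec", 15))
    if elapsed_sec > timeout:
        # The timer starts at login; a late answer is handled like an error.
        status, reason = MDM_ERROR, f"MDM check exceeded {timeout}s"

    if status == MDM_ERROR:
        # Uncertainty is governed by fail_open only.
        fail_open = _flag(config, "fail_open", 0)
        return Decision(fail_open, "error", f"{reason} (fail_open={int(fail_open)})")

    if status == MDM_COMPLIANT:
        return Decision(True, "compliant", reason)

    # MDM_NOT_MANAGED or MDM_NOT_COMPLIANT: only compliant managed devices pass.
    label = "not managed" if status == MDM_NOT_MANAGED else "not compliant"
    if _flag(config, "monitor_only", 0):
        return Decision(True, label, f"{reason} (monitor only: logged, login allowed)")
    return Decision(False, label, reason)


if __name__ == "__main__":
    # Constructed sample run with the recommended defaults in full enforcement.
    cfg = {"enabled": "1", "monitor_only": "0", "fail_open": "0", "session_timeout_in_sec": "15"}
    for st, rs, el in [(MDM_COMPLIANT, "", 2), (MDM_NOT_COMPLIANT, "jailbroken", 2),
                       (MDM_ERROR, "connect failed", 2), (MDM_COMPLIANT, "", 20)]:
        d = decide(cfg, st, rs, el)
        print(f"{st:<18} allow={d.allow!s:<5} check={d.compliance_check!r} reason={d.reason!r}")
```

Running the block prints one line per scenario; note that a compliant answer arriving after session_timeout_in_sec is still denied under fail_open=0, which is why the default of 15 seconds should only be raised deliberately.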

Vendor MDM Parameters

In the mdm.conf file, there is a block of options for each vendor. You can add more blocks, if you understand the vendor's API and the PHP language. (See Advanced Vendor Support).

For the most updated vendor information, see sk98201.

Obfuscating Passwords in the $FWDIR/conf/mdm.conf File

If the value of the global parameter "password_is_obscured" is (1), then obfuscate all passwords in the $FWDIR/conf/mdm.conf file.

To obfuscate a password:

  1. Connect to the command line on the Mobile Access Gateway.

  2. Log in to the Expert mode.

  3. Run:

    obfuscate_password <password in clear text>

    The output is a string. For example: 33542b323a3528343640

  4. Use the output of the command as the value of the "password" parameter.

    You must enclose it in double quotes.

    :password ("[obfuscated password]")

  5. Save the changes in the file and exit the editor.

  6. In SmartConsole, install the Access Control Policy on the Mobile Access Gateway.

Advanced Vendor Support

Important - In a Cluster, you must configure all the Cluster Members in the same way.

You can add more vendors in the $FWDIR/conf/mdm.conf file. This requires PHP programming skills and an understanding of the third-party MDM vendor's cloud API.

In the example steps below, we use "BestMDM" as the name of a fictional MDM vendor. The BestMDM API requires an XML request that includes the credentials and the device ID to be sent to its URL. It returns an XML response with the device status and reason.

We use these examples in the steps below:

Example Request:

<request>
     <username>api_username</username>
     <password>api_password</password>
     <device>device_id</device>
</request>

Example Response:

<response>
     <status>compliance_status_code</status>
     <reason>reason</reason>
</response>

Example URL:

https://bestmdm.com/api

To add support for a new third-party vendor:

  1. Edit the $CVPNDIR/phpincs/MDMVendors.php file:

    vi $CVPNDIR/phpincs/MDMVendors.php

  2. Search for this text:

    to add another vendor uncomment the following

  3. Remove the comment from this branch:

    case "MDM_VENDOR_NAME"

    Notes:

    • Remove the /* characters above the word "case"

    • Remove the */ characters after the word "break"

    • Enter your MDM vendor name.

    For example:

    case "BestMDM":
         BestMDM($mdm_data);
         break;

  4. At the end of the file, add a new PHP function. It must access the vendor's cloud API, and return a status and reason array.

    For example:

    function BestMDM($mdm_data) {
         // Build the request XML.
         $request_xml = new SimpleXMLElement("<request><username/><password/><device/></request>");
         // Fill its fields with data from $mdm_data.
         // Note that "username", "password" and "device_id" are always present in $mdm_data.
         $request_xml->username = $mdm_data["username"];
         $request_xml->password = $mdm_data["password"];
         $request_xml->device = $mdm_data["device_id"];
         // Make a POST request using the supplied class URLRequest
         // (the class URLRequest is defined in the same .php file).
         $url = "https://bestmdm.com/api";
         $conn = new URLRequest(); // open an HTTP/HTTPS request session
         $resp_data = $conn->Request($url, $post_body = $request_xml->asXML());
         // Handle a possible network error.
         if ($resp_data === FALSE) {
              return array("status"=>MDM_ERROR, "reason"=>$conn->get_error_message());
         }
         // Now $resp_data is the raw string returned by the cloud API. Parse it as XML;
         // a malformed response is reported as MDM_ERROR so that "fail_open" decides.
         try {
              $resp_xml = new SimpleXMLElement($resp_data);
         } catch (Exception $e) {
              return array("status"=>MDM_ERROR, "reason"=>"malformed response");
         }
         // Map the status codes returned by the vendor's API to the MDM_* constants.
         // Cast to string: SimpleXMLElement children are objects, not strings.
         switch ((string)$resp_xml->status) {
              case "not_managed":
                   return array("status"=>MDM_NOT_MANAGED, "reason"=>"");
              case "compliant":
                   return array("status"=>MDM_COMPLIANT, "reason"=>"");
              case "not_compliant":
                   return array("status"=>MDM_NOT_COMPLIANT, "reason"=>(string)$resp_xml->reason);
              default:
                   return array("status"=>MDM_ERROR, "reason"=>"unknown status");
         } // end switch
    } // end BestMDM compliance protocol handler

    Status Codes:

    • MDM_ERROR

      Error occurred while accessing the MDM vendor’s Cloud API.

    • MDM_NOT_MANAGED

      The device is not registered in the vendor’s database.

    • MDM_NOT_COMPLIANT

      The device is known to the vendor as "not compliant with its policy".

    • MDM_COMPLIANT

      The device is known to the vendor as "compliant with its policy".

  5. Define $mdm_data as an array of data from the mdm.conf and the device ID.

    Array(
         "device_id"=><MAC address of device, or other ID known by the vendor>,
         "username"=><username to access the API of the MDM vendor>,
         "password"=><password to access the API of the MDM vendor>
    )

    Important Notes:

    • Global parameters and vendor parameters are merged in one list.

    • If a vendor parameter has the same name as a global parameter, the vendor parameter overrides the global parameter.

    • If $mdm_data includes a "password" parameter, and the value of the parameter "password_is_obscured" is (1), the Security Gateway decrypts the password automatically. The function gets the clear text password.

    Example of $mdm_data:

    Configuration in the mdm.conf file:

    (
         :enabled (1)
         :monitor_only (0)
         :fail_open (0)
         :active_vendor (BestVendor)
         :BestVendor (
           :username (MyUser)
           :auth_key (12345)
         )
    )

    Resulting $mdm_data:

    Array(
         "enabled"=>1,
         "monitor_only"=>0,
         "fail_open"=>0,
         "active_vendor"=>"BestVendor",
         "username"=>"MyUser",
         "auth_key"=>"12345",
         "device_id"=>"12:34:56:78:9A:BC:DE:F0"
    )

  6. Save the changes in the file and exit the editor.

  7. Edit the $FWDIR/conf/mdm.conf file:

    vi $FWDIR/conf/mdm.conf

  8. Add a section after the last block for the new vendor.

    For example:

    :BestMDM (
         :username (MyUserName)
         :password (123456)
    )

  9. Change the value of the global parameter "active_vendor" to be the name of the new vendor.

    For example: :active_vendor (BestMDM)

  10. Save the changes in the file and exit the editor.

  11. In SmartConsole, install the Access Control Policy on the Mobile Access Gateway.

Testing MDM

To make sure that MDM functionality is configured correctly:

  • On a mobile device, launch the Capsule Workspace and (or) Capsule Connect / VPN.

  • Connect to the Security Gateway.

  • Look for Mobile Access login logs in SmartConsole (Logs & Monitor) or SmartView.

    The Compliance Check, Information, and Reason values in the details of the device login show data about the MDM compliance status and requirements.

Advanced Testing

You can make sure the MDM configuration works without a device in hand, but it requires expert knowledge. You log in to a test web page and enter the WiFi MAC address of a real device. For security, the MDM test page is disabled by default.

To enable the test page:

Important - In a Cluster, you must configure all the Cluster Members in the same way.

  1. Connect to the command line on the Mobile Access Gateway.

  2. Log in to the Expert mode.

  3. Back up the $CVPNDIR/conf/includes/Login.location.conf file:

    cp -v $CVPNDIR/conf/includes/Login.location.conf{,_BKP}

  4. Edit the $CVPNDIR/conf/includes/Login.location.conf file:

    vi $CVPNDIR/conf/includes/Login.location.conf

  5. Search for this text:

    To test your integration with the MDM vendor

    Follow the instructions in that section.

  6. Save the changes in the file and exit the editor.

  7. Restart the Mobile Access services:

    cvpnrestart

    Important - This disconnects client TCP connections. Mobile Access sessions remain intact (stored in a kernel table).

  8. In a web browser, open the Mobile Access Portal at this URL:

    https://<Host Name of Mobile Access Portal>/sslvpn/Login/MDMProxy

  9. Enter the device MAC address.

  10. Click Submit.

    The page's status bar indicates the device's status (compliant, incompliant, or unmanaged) or any error the gateway encounters while connecting to the MDM vendor's Web service.

  11. On the Mobile Access Gateway, revert the $CVPNDIR/conf/includes/Login.location.conf file:

    cp -v $CVPNDIR/conf/includes/Login.location.conf{_BKP,}

  12. Restart the Mobile Access services:

    cvpnrestart

    Important - This disconnects client TCP connections. Mobile Access sessions remain intact (stored in a kernel table).

To prevent security risks, always revert and close the test page.

Example Diagnostics:

  • Parameters for the MDM vendor’s cloud service (such as Username or Password) are not configured correctly in $FWDIR/conf/mdm.conf.

  • There is a network problem accessing MDM vendor’s cloud service.

  • There is a problem with SSL certificates, which prevents the Mobile Access gateway from accessing the MDM vendor’s cloud service.