Mobile Access for Smartphones and Tablets

Overview of Mobile Access for Smartphones and Tablets

To manage your users and their access to resources, make sure to:

For email, calendar, and contact access, configure Mobile Mail or ActiveSync applications.

This can be done automatically in the Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Wizard.
Configure Web applications, if necessary.
Make sure users have the information and credentials required to authenticate to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

For client certificates, use the Certificate Creation and Distribution Wizard (see the "Creating Client Certificates" section).
Make sure users' Mobile Settings meet your organization's needs (see the "Managing Mobile Settings" section).
Tell users which App to install.
Make sure smartphone and tablet users are included in your Mobile Access Policy.

Certificate Authentication for Handheld Devices

For handheld devices to connect to the Security Gateway, these certificates must be properly configured:

If the configured authentication methods is Personal Certificate, generate client certificates for users (see the "Managing Client Certificates" section).
A server certificate signed by a trusted third-party Certification Authority (for example, Entrust) is strongly recommended. If you have a third-party certificate, make sure the CA is trusted by the device. If you do not have a third-party certificate, a self-signed (ICA Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.) certificate, is already configured on the server.

Managing Client Certificates

Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. that manages the Mobile Access Security Gateway.

Manage client certificates in Security Policies > Access Control > Access Tools > Client Certificates..

The page has two panes.

In the Client Certificates pane:
- Create, edit, and revoke client certificates.
- See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click Show more to see more results.
- Search for specified certificates.
- Send certificate information to users.
In the Email Templates for Certificate Distribution pane:
- Create and edit email templates for client certificate distribution.
- Preview email templates.

Creating Client Certificates

Note - If you use LDAP or AD, creation of client certificates does not change the LDAP or AD server. If you get an error message regarding LDAP/AD write access, ignore it and close the window to continue.

To create and distribute certificates with the client certificate wizard

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., select Security Policies > Access Control > Access Tools > Client Certificates.
In the Client Certificates pane, click New.

The Certificate Creation and Distribution wizard opens.
In the Certificate Distribution page, select how to distribute the enrollment keys to users. You can select one or both options.
1. Send an email containing the enrollment keys using the selected email template -Each user gets an email, based on the template you choose, that contains an enrollment key.
  - Template - Select the email template that is used.
  - Site - Select the Security Gateway, to which users connect.
  - Mail Server - Select the mail server that sends the emails.
  You can click Edit to view and change its details.
2. Generate a file that contains all of the enrollment keys - Generate a file for your records that contains a list of all users and their enrollment keys.
Optional: To change the expiration date of the enrollment key, edit the number of days in Users must enroll within x days.
Optional: Add a comment that will show next to the certificate in the certificate list on the Client Certificates page.
Click Next.

The Users page opens.
Click Add to add the users or groups that require certificates.
- Type text in the search field to search for a user or group.
- Select a type of group to narrow your search.
When all included users or groups show in the list, click Generate to create the certificates and send the emails.
If more than 10 certificates are being generated, click Yes to confirm that you want to continue.

A progress window shows. If errors occur, an error report opens.
Click Finish.
Click Save.
In SmartConsole, install the Policy.

Revoking Certificates

If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the Client Certificate list.

Creating Templates for Certificate Distribution

To create or edit an email template

In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.
To create a new template: In the Email Templates for Certificate Distribution pane, select New.

To edit a template: In the Email Templates for Certificate Distribution pane, double-click a template.

The Email Template opens.
Enter a Name for the template.
Optional: Enter a Comment. Comments show in the Mail Template list on the Client Certificates page.
Optional: Click Languages to change the language of the email.
Enter a Subject for the email. Click Insert Field to add a predefined field, such as a Username.
In the message body add and format text. Click Insert Field to add a predefined field, such as Username, Registration Key, or Expiration Date.
Click inside the E-mail Template body.
Click Insert Link and select the type of link to add (link or QR code).
- Site and Certificate Creation
  For users who already have a Check Point app installed.
  
  When users scan the QR code or go to the link, it creates the site and registers the certificate.
  
  Select the client type that will connect to the site- Select one client type that users will have installed:
  - Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
  - Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.
- Download Application
  Direct users to download a Check Point App for their mobile devices.
  
  Select the client device operating system:
  - iOS
  - Android
  Select the client type that will connect to the site- Select one client type that users will have installed:
  - Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
  - Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.
- Custom URL
  
  Lets you configure your own URL.
For each link type, you can select which elements are added to the mail template
- Link URL - Enter the full link address.
- QR Code - When enabled, users scan the code with their mobile devices.
- HTML Link - When enabled, users tap the link on their mobile devices.
  
  You can select both QR Code and HTML Link to include both in the email.
- Display Text - Enter the text for the link title.
Click OK.
Optional: Click Preview in Browser to see a preview of how the email will look.
Click OK.
Publish the changes

Cloning a Template

Clone an email template to create a template that is similar to one that already exists.

Remote Wipe

Remote Wipe removes the offline data cached on the user's mobile device.

When the administrator revokes the internal CA certificate, a Remote Wipe push notification is sent, if the Remote Wipe configuration for the client enables Remote Wipe by Push Notification. Remote Wipe is triggered when the device gets the push notification.

Note: Remote Wipe by Push Notification works by best effort. There is no guarantee that the Security Gateway will send the notification, or that the client will get it successfully.

If the device does not get the Remote Wipe push notification, Remote Wipe is triggered when the client does an activity that requires connection to the Security Gateway while using a revoked internal CA certificate.

Remote Wipe send logs:

If a Remote Wipe Push Notification is sent.
When a Remote Wipe process ends successfully.

To configure Remote Wipe

Run the command on the Security Gateway.

Syntax: cvpnd_settings <conf_file_path> {set|listAdd|listRemove} <name> <value>
- To enable or disable Remote Wipe:
  
  [Expert@HostName:0]# cvpnd_settings $CVPNDIR/conf/cvpnd.C set RemoteWipeEnabled {true|false}
  
  Remote Wipe is enabled by default.
- To enable or disable Remote Wipe by Push Notification (wipe is done if client gets notification):
  
  [Expert@HostName:0]# cvpnd_settings $CVPNDIR/conf/cvpnd.C set RemoteWipePushEnabled {true|false}
  
  The Remote Wipe Push Notifications feature is enabled by default. For supported clients, see sk95587.
- To set supported devices for Remote Wipe Push Notifications, based on operating system:
  
  [Expert@HostName:0]# cvpnd_settings $CVPNDIR/conf/cvpnd.C listAdd RemoteWipePushSupportedClientOS {iOS | Android}
Run:

[Expert@HostName:0]# cvpnrestart

You must restart the cvpn service to apply the changes.

To see that your changes are applied, open the $CVPNDIR/conf/cvpnd.C file in Read-Only mode.

Managing Mobile Settings

For Capsule Workspace, many settings that affect the user experience on mobile devices come from the Mobile Profile.

Each Mobile Access user group has an assigned Mobile Profile. By default, all users get the Default Profile.

The settings in the Mobile Profile include:

Passcode Settings
Mail, Calendar, and Contacts availability
Settings for offline content
Where contacts come from

Manage the Mobile Profiles in Mobile Access tab > Capsule Workspace Settings.

In the Mobile Profiles pane:
- See all Mobile Profiles.
- Create, edit, delete, clone, and rename Mobile Profiles.
In the Mobile Profile Policy pane:
- Create rules to assign Mobile Profiles to user groups.
- Search for a user or group within the policy rules.

Creating and Editing Mobile Profiles

Capsule Workspace Settings in the Mobile Profile

Instructions

In the Access Settings area, configure:
- Session timeout - After users authenticate with the authentication method configured in Gateway Properties > Mobile Access > Authentication, configure how long they stay authenticated to the Security Gateway.
- Activate Passcode lock - Select to protect the Business Secure Container area of the mobile device with a passcode.
  - Passcode profile - Select a passcode profile to use. The profile includes the passcode complexity, length, expiration, and number of failed attempts allowed.
  - Allow storing user credentials on the device for single-sign on - If username and password authentication is used, store the authentication credentials on the device. Then users are only prompted for their passcode not also for their username and password.
- Report jail-broken devices - Create a log if a jail-broken device connects to the Security Gateway.
  - Block access from jail-broken devices - Block devices that are jail-broken from connecting to the Security Gateway.
- Track user's GPS location (upon user's approval) - Tracks devices connecting to the Security Gateway.
In the Allowed Items area, select which Exchange features are available on devices:
- Mail
- Calendar
- Contacts
- Notes (iOS only)
In the Offline Content area, configure what data is saved and for how long when the Check Point App cannot reach the Security Gateway.
- Mail from the last x days - Select the length of time from which emails are saved.
  - Cache Mail - Select which parts of the email are saved in the offline cache.
- Calendar from the last x months and the following x months - Select which parts of the calendar are saved: the length of time in the past and length of time in the future.
  - Cache Calendar - Select which parts of the calendar entry are saved in the offline cache.
- Synchronize contacts - Synchronize contacts so they are available offline.
In the Push Notifications area, select if you allow push notifications on devices and which notification templates to use.

See the Push Notifications section below for details.

To use this, push notifications must be enabled for Capsule Workspace on the Security Gateway that users connect to.
In the Mail area, select Allow copy paste of mail content if you allow contents of emails to be pasted into other apps.
In the Calendar area, select Allow business calendar to sync to the device's native calendar if you want to sync both calendars on the device. Events from Capsule Workspace will show in the device's calendar, outside of Capsule Workspace.
In the Contacts area, select which additional contacts to show on the device:
- Global Address List
- Local Phone
In the Check Point Capsule Docs area, select the Capsule Docs information that is stored in Capsule Workspace:
- Allow caching Check Point Capsule Docs credentials - The credentials are required to open Capsule Docs protected documents are cached on the device. If they are not cached, users must enter their credentials each time they open a document for the first time.
- Allow caching Check Point Capsule Docs keys - The Capsule Docs keys are cached on the device. If they are cached users can open a previously opened document with no need to enter credentials.

Managing Passcode Profiles

A passcode lock protects Capsule Workspace in mobile devices. In each Mobile Profile, configure which Passcode Profile it uses. The profile includes the passcode requirements, expiration, and number of failed attempts allowed. The default passcode profiles are Normal, Permissive, and Restrictive. You can edit the default profiles and create new profiles.

Passcode Profile Settings

A Passcode Profile includes these settings:

Passcode Requirements - The complexity requirements. When you configure this, remember that users usually have a small on-screen keyboard.
- Simple Passcode (4 digits) - Users create a simple password of 4 numbers.
- Custom passcode strength - Select from the requirements below.
  - Minimum passcode length - Enter the minimum number of characters.
  - Require alphanumeric characters - Show an alphanumeric keyboard and require at least one character to be a letter.
  - Minimum complex characters - Enter the number of characters that must be a special character.
Force passcode expiration - Enter the number of days after which user's passcodes expires and must be replaced.
Allow grace period for entering passcode - Select to let users access the Business Secure Container for a specified period of time without re- entering their passcode. Enter the quantity of time in minutes.
Exit after a few failures in passcode verification - Select to lock users out after a specified number of failed attempts. After the failed attempts, users must re-authenticate. If the authentication method includes username and password, users must enter them. If the authentication is certificate-only, users need a new certificate.
Enforce passcode history - When selected, users cannot use a passcode that is the same as earlier passcodes. Select the number of earlier passcodes that users cannot use.

Push Notifications

This feature sends push notifications for incoming emails and meeting requests on handheld devices, while the Mobile Mail app is in the background. The app icon shows the number of new, unhandled notifications. One user can get notifications for multiple devices.

Push notifications are disabled by default, but enabled when you run the Mobile Access First Time Wizard.

To use push notifications, the Security Gateway must have connectivity to these URLs on ports 443 and 80:

https://push.checkpoint.com (209.87.211.173 and 217.68.8.71)
http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl
http://crl.verisign.com/pca3-g5.crl

Notes:

Users must enable notifications for the Mobile Mail app on iOS devices
Push notifications can increase Exchange server CPU usage if many users are connected
The Exchange server must have access to the Mobile Access Portal.
If you change the URL or IP address of the Mobile Access Portal after you enable push notifications, you must update the Push Portal attributes with Database Tool (GuiDBEdit Tool):
1. In Database Tool (GuiDBEdit Tool) (see sk13009), go to the Portals section of your Security Gateway > portal_name > ExchangeRegistration.
2. Change main_url and ip_address to match the URL of the Mobile Access Portal.
3. Save the changes and close Database Tool (GuiDBEdit Tool).
4. In SmartDashboard, install policy on the Security Gateway.

Configuring Push Notifications

To enable push notifications

Enable push notifications from the Mobile Access Wizard or from the Security Gateway Properties of each Security Gateway.

From the Mobile Access Wizard:
- If you enable Mobile Mail in the Mobile Access Wizard, push notifications are automatically enabled for the Security Gateway.
- If you enable Mobile Mail from the Mobile Access tab, push notifications are NOT enabled.
From the Security Gateway Properties:
1. Open a Security Gateway object that has Mobile Access enabled.
2. Select Mobile Access > Capsule Workspace from the tree.
3. Select Enable Push Notifications.
4. Click OK.

Customizing Push Notifications

Customize push notifications from the mobile profile in the Mobile Access tab > Capsule Workspace Settings.

You can customize templates for Mail and Meeting notifications.

Exchange Server and Security Gateway Communication

Make sure that the Exchange server can access the Mobile Access Portal.

All confidential information between the Exchange server and the Security Gateway uses encrypted SSL tunnels. Non-confidential information can use unencrypted HTTP connections.

You can configure all push notification communication to use SSL tunnels.

By default, Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). authentication is not enabled for Push Notification registration to the Exchange server. To enable it, follow the instructions in sk110629.

To force all push notification communication to go through SSL tunnels

Install a trusted server certificate on the Mobile Access Security Gateway. See sk98203.
Close all SmartConsole windows connected to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
Connect with Database Tool (GuiDBEdit Tool) (sk13009) to the Management Server.
Search for the field main_url (Ctrl +F).
Press F3 to see next main_url until you find main_url that contains the value ExchangeRegistration.
Double-click the ExchangeRegistration main_url field and edit the value to be https:// and not http://.
Save the changes and close Database Tool (GuiDBEdit Tool).
Connect with SmartConsole to the Management Server.
Open the Mobile Access Security Gateway object.
Click OK.
Install policy.

To import a certificate to the Exchange server

Download the certificate to the Exchange server.
Double-click the certificate file, and follow the Windows certificate installation wizard steps.
Run the Microsoft Management Console.
In the window that opens, click File > Add/Remove Snap-in.

Add or Remove Snap-ins window opens.
Select Certificates from the Available snap-ins, and click Add.
Select My user account.
Click Finish.
Select Certificates and click Add again.
Select Computer account.
Click Next.
Click Finish.
Click OK.

The certificate is stored in Local computer and in Current user stores.

Push Notification Status Utility

Use the Push Notification Status Utility to understand if your environment is configured correctly for push notifications.

Intructions

Run the $CVPNDIR/bin/PushReport command to generate a report that contains this data:

License - Shows if the license is valid or if you have an evaluation license.
Configuration - Shows if push notifications are configured and enabled in the database.
Connectivity - Shows if you have a connection to the Check Point Cloud and CRLs list.
Callback URL - Shows the configured callback URL. If it is an https URL, the utility shows that a certificate is needed.

Output Example

[admin@gw-105 bin]# PushReport

This is your configuration status:

==================================

Topic Status Description

-----------------------------------------------------------------------------

License OK You are not using an evaluation license

Configuration OK Push is enabled in configuation

Connectivity OK You have connectivity to cloud

Callback URL OK Your callback push url is: http://198.51.100.2/ExchangeRegistration. Make sure you have internal connectivity to this URL.

Monitoring Push Notification Usage

Use the fwpush commands to monitor, debug, and troubleshoot push notification activity.

Note - Users must first install the latest version of the Capsule Workspace app from the app store and connect to the site created on the Security Gateway.

To see failed batches, expired push notifications, and delayed push notifications, see: $FWDIR/log/pushd_failed_posts

ESOD Bypass for Mobile Apps

Hand-held devices cannot run Endpoint Security on Demand (ESOD) components. By default, ESOD is disabled for smartphones and tablets.

If your organization has ESOD enabled, mobile apps cannot access ESOD enforced applications.

Note - Mobile apps are not recognized by their HTTP User-Agent header.

MDM Cooperative Enforcement

Support for Mobile Device Management (MDM) through third-party vendors enforces a unified security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. for devices that access internal resources. Only managed devices that comply with the organizational security policy can successfully connect and access your business resources.

Check Point Apps establish a secure VPN connection to the corporate network through a Check Point Security Gateway. The Security Gateway queries the policy of the MDM server. The MDM server verifies the compliance level of employees' mobile devices when the VPN connection is established. The Security Gateway uses the MDM results to allow or block access, according to the device security and the user's permissions.

This feature is supported by Check Point Capsule Connect and Capsule Workspace clients.

For the most updated vendor information see sk98201.

To configure MDM Cooperative Enforcement with iOS 7, see sk98447.

Configuring MDM on the Security Gateway

Enable MDM Enforcement in a configuration file on the Security Gateway. Then define global options and vendor-specific options.

To configure Mobile Device Management on a Security Gateway

Connect to the command line ine the Security Gateway.
Log in to the Expert mode mode.
Edit the $FWDIR/conf/mdm.conf file.

Edit the global options.

Description

MDM is disabled by default. You must change the value of the enabled parameter to 1.

mdm.conf Options	Description
`enabled`	`0` - MDM disabled `1` - MDM enabled
`monitor_only`	`0` - Full enforcement: non-compliant mobile devices cannot log in. `1` - Monitor only: non-compliant devices can log in and attempts are logged.
`fail_open`	Defines behavior for cases of uncertainty, when an error occurs while checking MDM status. `0` - Drop VPN connections when an error occurs while checking MDM compliance status. `1` - Allow VPN connections when an error occurs while checking MDM compliance status.
`session_timeout_in_sec`	Maximum seconds allowed to determine device compliance status between the Security Gateway and the MDM cloud service. Starts at device login. If passed, the action of `fail_open` starts. Recommended: keep default.
`active_vendor`	Name of active third-party vendor, to test MDM compliance. You can configure multiple MDM vendors, but only one can be active. See the Advanced Vendor Support section below.
`password_is_obscured`	`0` - `password` parameters in mdm.conf show in clear text. `1` - `password` parameters in mdm.conf show strings. Recommended: keep default (1). If the global property password_is_obscured is enabled, you cn obscure all parameters named `password` in the Vendor Configuration blocks. To get an obscured password string from your password: Run in the Expert mode: `# obfuscate_password <Your Expert mode Password>` The output is a string. For example: `33542b323a3528343640` Copy the string to the mdm.conf file, as the `password` value. Save the file. Install policy.
`verify_ssl_cert`	`0` - SSL certificates not verified when Security Gateway accesses MDM cloud services. `1` - SSL certificates verified. Prevents some DNS poisoning, spoofing, man-in-the-middle attacks against Security Gateway. Recommended: keep default (1). If the MDM server is in a cloud, this parameter must be `1`. If you change it, the devices will be vulnerable to MITM attacks. (This risk is lower if the MDM server is local.)
`ssl_ca_bundle_path`	Local path on Security Gateway of known CA certificate files. You can add more certificates to those that come with installation. Recommended: keep default.
`ssl_cipher_list`	Allowed ciphers for HTTPS between Security Gateway and MDM cloud services. Recommended: keep default.
`ssl_use_tls_v1`	To use TLSv1 or SSL for HTTPS between Security Gateway and MDM cloud services. Recommended: keep default.

Edit the vendor options.

Description

You can add more, if you have an understanding of the vendor's API and expertise with PHP programming.

See the Advanced Vendor Support section below.

For the most updated vendor information see sk98201.
Save the $FWDIR/conf/mdm.conf file.
Install policy.
Test the configuration.

Advanced Vendor Support

You can add more vendors. This requires PHP programming skills and an understanding of the third-party MDM vendor's cloud API.

Instructions

In these steps, we use "BestMDM" as the name of a fictional MDM vendor.

BestMDM's API requires an XML request to be sent to their URL that includes credentials and the ID of the device.

It returns an XML response with the device status and reason.

Example Request:

<request>

<username>api_username</username>

<password>api_password</password>

<device>device_id</device>

</request >

Example Response:

<response>

<status>compliance_status_code</status>

<reason>reason</reason>

</response >

Example URL:

https://bestmdm.com/api

We use these examples in the steps below.

To add support for a new third-party vendor:

Edit the $CVPNDIR/phpincs/MDMVendors.php file.
Search for the text: to add another vendor
Remove the comment for a case branch.

Enter your MDM vendor name.

For example:

case "BestMDM":

BestMDM($mdm_data);

break;

At the end of the file, add a new PHP function. It must access the vendor's cloud API, and return a status and reason array.

For example:

function BestMDM($mdm_data) {

// Build the request XML

$request_xml = new

SimpleXMLElement("<request><username/><password/><device/></request>");

// Fill its fields with data from $mdm_data.

// Note that "username", "password" and "device_id" always in $mdm_data.

$request_xml ->username = $mdm_data["username"];

$request_xml->password = $mdm_data["password"];

$request_xml->device = $mdm_data["device_id"];

// Make POST request using the supplied class URLRequest

// (The class URLRequest is defined in the same .php file).

$url = "https://bestmdm.com/api";

$conn = new URLRequest(); // open HTTP/HTTPS request session

$resp_data = $conn->Request( $url, $post_body = $xml->asXML() );

// Handle possible network error.

If ($resp_data === FALSE)

return array("status"=>MDM_ERROR, "reason"=> $conn->get_error_message());

// Now $resp_data is raw string returned by the cloud API. Parse it as XML:

$resp_xml = new SimpleXMLElement($resp_data);

// Check the status codes returned by the vendor's API.

$status = MDM_ERROR;

switch ($resp_xml->status) {

case "not_managed":

return array("status"=>MDM_NOT_MANAGED, "reason"=>"");

case "compliant":

return array("status"=>MDM_COMPLIANT, "reason"=>"");

case "not_compliant":

return array("status"=>MDM_NOT_COMPLIANT, "reason"=>$resp_xml->reason);

default:

return array("status"=>MDM_ERROR, "reason"=>"unknown status");

} // end switch

} // end BestMDM compliance protocol handler

Status Codes:

MDM_ERROR - Error occurred while accessing the MDM vendor's Cloud API.
MDM_NOT_MANAGED - The device is not registered in the vendor's database.
MDM_NOT_COMPLIANT - The device is known to the vendor as "not compliant with its policy".
MDM_COMPLIANT - The device is known to the vendor as "compliant with its policy".

Define $mdm_data as an array of data from mdm.conf and the device ID.

Array(

"device_id"=><MAC address of device, or other ID known by the vendor>,

"username"=><username to access the API of the MDM vendor>,

"password"=><password to access the API of the MDM vendor>

)

Important Notes:

Global parameters and vendor parameters are merged in one list.
If a vendor parameter is the same name as a global parameter, the vendor parameter overrides the global parameter.
If $mdm_data includes a password parameter, and password_is_obscured=1, the password is decrypted automatically. The function gets the clear text password.

Example of $mdm_data:

With mdm.conf:	$mdm_data value:
`(` `:enabled (1)` `:monitor_only (0)` `:fail_open (0)` `:active_vendor (BestVendor)` `:BestVendor (` `:username (MyUser)` `:auth_key (12345)` `)` `)`	`Array(` `"enabled"=>1,` `"monitor_only"=>0,` `"fail_open"=>0,` `"active_vendor"=>"BestVendor",` `"username"=>"MyUser",` `"auth_key"=>"12345",` `"device_id"=>"12:34:56:78:9A:BC:DE:F0"` `)`

With mdm.conf:

$mdm_data value:

(
  :enabled (1)
  :monitor_only (0)
  :fail_open (0)
  :active_vendor (BestVendor)
  :BestVendor (
     :username (MyUser)
     :auth_key (12345)
  )
)

Array(
  "enabled"=>1,
  "monitor_only"=>0,
  "fail_open"=>0,
  "active_vendor"=>"BestVendor",
  "username"=>"MyUser",
  "auth_key"=>"12345",
  "device_id"=>"12:34:56:78:9A:BC:DE:F0"
)

Save the $CVPNDIR/phpincs/MDMVendors.php file.
Edit the $FWDIR/conf/mdm.conf file.

Add a section after the last block for the new vendor.

For example:

:BestMDM (

:username (MyUserName)

:password (123456)

)

Change the value of active_vendor to be the name of the new vendor.

For example: :active_vendor (BestMDM)
Save the $FWDIR/conf/mdm.conf file.
Install policy.

Testing MDM

Advanced Testing

You can make sure the MDM configuration works without a device in hand, but it requires expert knowledge. You log in to a test web page and enter the WiFi MAC address of a real device. For security, the MDM test page is disabled by default.

To enable the test page

Connect to the command line on the Security Gateway and log in the Expert mode.
Back up the $CVPNDIR/conf/includes/Login.location.conf file.
Edit the $CVPNDIR/conf/includes/Login.location.conf file.
Search for test your integration, and carefully follow the instructions there.
After you make required changes, save the file and run:

[Expert@HostName:0]# cvpnrestart
Open the Mobile Access Portal with the /Login/MDMProxy path.

For example: https://<Security Gateway Hostname>/sslvpn/Login/MDMProxy
Enter the device MAC address.
Click Submit.

If there are issues for that device to access the third-party MDM vendor, the page shows diagnostics.
Revert Login.location.conf to the backup file.
Run:

[Expert@HostName:0]# cvpnrestart

To prevent security risks, always revert and close the test page.

System Specific Configuration

This section describes system specific configuration required for iPhones, iPads, and Android devices. In some instances, end-user configuration is also required.

iPhone and iPad Configuration

Android Configurations

Instructions for End Users

Give these instructions to end users to configure their mobile devices to work with Mobile Access.

iPhone/iPad End User Configuration

Do these procedures on your iPhone/iPad so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

The name of the site you will connect to.
The required Registration key (also called Activation key).
Important - Do only the procedures that your network administrator has instructed you to do.

To connect to the corporate site:

Get Check Point Capsule Workspace from the App Store.
When prompted, enter the:
- Site Name
- Registration key

To connect to corporate email:

Sign in to the Mobile Access site.
Tap Mail Setup.
Do the on-screen instructions.
When asked for the password, enter the Exchange password.

To configure logs:

Tap Information.

Before login, this is on the top right. After login, this is on the bottom right.
Tap Report a Problem on the navigation bar.

If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.

When an email account is configured, the email page opens. The logs are attached.

Note - The email account that the iPhone uses to send the email is the default account. This might not be your organization's ActiveSync account.

If the iPhone is not configured for a destination email address for logs, the email that opens has an empty To field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.

To disable SSO on a client:

Tap Settings.
Scroll down to the Capsule Workspace icon and tap it.
In the Mobile global settings, tap the Single Sign On > Enabled switch.

Android End User Configuration

Do these procedures on your Android device so you can work with Mobile Access.

Before you start, make sure that your administrator gives you:

The name of the site you will connect to.
The required Registration key (also called Activation key).

Important - Do only the procedures that your network administrator has instructed you to do.

Advanced Security Gateway Configuration for Handheld Devices

You can customize client authentication, device requirements, certificate details, and ActiveSync behavior. Use the CLI commands explained here to change the configuration file:
$CVPNDIR/conf/cvpnd.C

Note - Disable Link Translation Domain on Mobile Access Security Gateways before you connect to them with the Android client. To apply changes:

Restart the Mobile Access services: cvpnrestart

If you use a cluster, copy the $CVPNDIR/conf/cvpnd.C file to all cluster members and restart the services on each.

To set Mobile Access attributes:

cvpnd_settings set <attribute_name> "<value>"

To get the current value of an attribute:

cvpnd_settings get <attribute_name>

Attributes

Attribute	Description
ActiveSyncAllowed (true)	If access to ActiveSync applications is allowed.
ActiveSyncExchangeServerAuthentication Method (basic)	Method of forwarding authentication from the Mobile Access Security Gateway to the internal Exchange server. Valid values: `basic`, `digest`, `ntlm`
MobileAppAllowActiveSyncProfileConfig (true)	Make the automatic ActiveSync Profile configuration for iPhones and iPads available to users. If true, only users with authorization to access ActiveSync applications see this feature. If false, no user sees this feature.
MobileAppMinRequiredClientOSVersion (3.1)	Minimum operating system version for iPhones and iPads. If a client fails this requirement, user sees `Your OS version must be upgraded`
MobileAppAndroidMinRequiredClient OSVersion (2.1)	Minimum operating system version for Android. If a client fails this requirement, user sees `Your OS version must be upgraded`
MobileAppMinRecommendedClient OSVersion (3.1)	Recommended operating system version for iPhones and iPads. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than Required value, or Mobile Access will not start.
MobileAppAndroidMinRecommendedClient OSVersion (2.1)	Recommended operating system version for Android. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than Required value, or Mobile Access will not start.
MobileAppMinRequiredClientAppVersion (1.3)	Minimum App version required for iPhones and iPads. If a client fails this requirement, user sees `Application Update Required`
MobileAppAndroidMinRequiredClient AppVersion (1.0)	Minimum App version required for Android. If a client fails this requirement, user sees `Application Update Required`
MobileAppMinRecommendedClient AppVersion (1.3)	Recommended App version for iPhones and iPads. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than Required value, or Mobile Access will not start.
MobileAppAndroidMinRecommendedClient AppVersion (1.0)	Recommended App version for Android. If a client fails this recommendation, user sees a message but usage continues. Note: value must be equal to or greater than Required value, or Mobile Access will not start.
MobileAppMinClientOSVersionForProfile Config (3.1)	Minimum operating system version for iPhone and iPad to configure ActiveSync with the app. If you want data encryption, change this value from the default to `4.0`. Make sure the ActiveSync policy (configured on the Exchange server) enforces data encryption.
MobileAppAndroidMinClientOSVersionFor ProfileConfig (2.1)	Minimum operating system version for Android to configure ActiveSync with the app. If you want data encryption, change this value from the default to `3.0`. Make sure the ActiveSync policy (configured on the Exchange server) enforces data encryption.
MobileAppBypassESODforApps (false)	When true, mobile apps are allowed access to Mobile Access applications whose protection level requires Endpoint Security on Demand compliance. Mobile apps can always access the Mobile Access Portal.
MobileAppAllowClientCertExport (false)	When true, allows mobile app clients to export their client certificates to other apps and devices. See Using 3rd Party Android Mail Clients.