Mobile Access for Smartphones and Tablets
Overview of Mobile Access for Smartphones and Tablets
To manage your users and their access to resources, do these actions:
- For email, calendar, and contact access, configure Mobile Mail or ActiveSync applications. This can be done automatically in the Mobile Access Wizard.
- Configure Web applications, if necessary.
- Make sure users have the information and credentials required to authenticate to the Security Gateway. For client certificates, use the Certificate Creation and Distribution Wizard (see the "Creating Client Certificates" section).
- Make sure users' Mobile Settings meet your organization's needs (see the "Managing Mobile Settings" section).
- Tell users which App to install.
- Make sure smartphone and tablet users are included in your Mobile Access Policy.
Certificate Authentication for Handheld Devices
For handheld devices to connect to the Security Gateway, these certificates must be properly configured:
- If you configure Personal Certificate as the authentication method, make sure to generate client certificates for users (see the "Managing Client Certificates" section).
- A server certificate signed by a trusted third-party Certification Authority (for example, Entrust) is strongly recommended. If you have a third-party certificate, make sure the CA is trusted by the device. If you do not have a third-party certificate, a self-signed (ICA) certificate is already configured on the server.
Managing Client Certificates
Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management Server that manages the Mobile Access Security Gateway.
Manage client certificates in Security Policies > Access Control > Access Tools > Client Certificates.
The page has two panes.
- In the Client Certificates pane:
  - Create, edit, and revoke client certificates.
  - See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click Show more to see more results.
  - Search for specified certificates.
  - Send certificate information to users.
- In the Email Templates for Certificate Distribution pane:
  - Create and edit email templates for client certificate distribution.
  - Preview email templates.
Creating Client Certificates
Note - If you use LDAP or AD, creation of client certificates does not change the LDAP or AD server. If you get an error message regarding LDAP/AD write access, ignore it and close the window to continue.
- In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.
- In the Client Certificates pane, click New.
  The Certificate Creation and Distribution wizard opens.
- In the Certificate Distribution page, select how to distribute the enrollment keys to users. You can select one or both options.
  - Send an email containing the enrollment keys using the selected email template - Each user gets an email, based on the template you choose, that contains an enrollment key.
    - Template - Select the email template that is used.
    - Site - Select the Security Gateway to which users connect.
    - Mail Server - Select the mail server that sends the emails. You can click Edit to view and change its details.
  - Generate a file that contains all of the enrollment keys - Generate a file for your records that contains a list of all users and their enrollment keys.
- Optional: To change the expiration date of the enrollment key, edit the number of days in Users must enroll within x days.
- Optional: Add a comment that will show next to the certificate in the certificate list on the Client Certificates page.
- Click Next.
  The Users page opens.
- Click Add to add the users or groups that require certificates.
  - Type text in the search field to search for a user or group.
  - Select a type of group to narrow your search.
- When all included users or groups show in the list, click Generate to create the certificates and send the emails.
- If more than 10 certificates are being generated, click Yes to confirm that you want to continue.
  A progress window shows. If errors occur, an error report opens.
- Click Finish.
- Click Save.
- In SmartConsole, install the Policy.
Revoking Certificates
If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the Client Certificate list.
- Select the certificate or certificates from the Client Certificate list.
- Click Revoke.
- Click OK.
After you revoke a certificate, it does not show in the Client Certificate list.
Creating Templates for Certificate Distribution
- In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.
- To create a new template: In the Email Templates for Certificate Distribution pane, select New.
  To edit a template: In the Email Templates for Certificate Distribution pane, double-click a template.
  The Email Template opens.
- Enter a Name for the template.
- Optional: Enter a Comment. Comments show in the Mail Template list on the Client Certificates page.
- Optional: Click Languages to change the language of the email.
- Enter a Subject for the email. Click Insert Field to add a predefined field, such as a Username.
- In the message body, add and format text. Click Insert Field to add a predefined field, such as Username, Registration Key, or Expiration Date.
- Click inside the E-mail Template body.
- Click Insert Link and select the type of link to add (link or QR code).
  - Site and Certificate Creation
    For users who already have a Check Point app installed. When users scan the QR code or go to the link, it creates the site and registers the certificate.
    Select the client type that will connect to the site - Select one client type that users will have installed:
    - Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
    - Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.
  - Download Application
    Direct users to download a Check Point App for their mobile devices.
    Select the client device operating system:
    - iOS
    - Android
    Select the client type that will connect to the site - Select one client type that users will have installed:
    - Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
    - Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.
  - Custom URL
    Lets you configure your own URL.
  For each link type, you can select which elements are added to the mail template:
  - Link URL - Enter the full link address.
  - QR Code - When enabled, users scan the code with their mobile devices.
  - HTML Link - When enabled, users tap the link on their mobile devices.
    You can select both QR Code and HTML Link to include both in the email.
  - Display Text - Enter the text for the link title.
- Click OK.
- Optional: Click Preview in Browser to see a preview of how the email will look.
- Click OK.
- Publish the changes.
Cloning a Template
Clone an email template to create a template that is similar to one that already exists.
- Select a template from the template list in the Client Certificates page.
- Click Clone.
- A new copy of the selected template opens for you to edit.
Remote Wipe
Remote Wipe removes the offline data cached on the user's mobile device.
When the administrator revokes the internal CA certificate, a Remote Wipe push notification is sent, if the Remote Wipe configuration for the client enables Remote Wipe by Push Notification. Remote Wipe is triggered when the device gets the push notification.
Note - Remote Wipe by Push Notification works by best effort. There is no guarantee that the Security Gateway will send the notification, or that the client will get it successfully.
If the device does not get the Remote Wipe push notification, Remote Wipe is triggered when the client does an activity that requires connection to the Security Gateway while using a revoked internal CA certificate.
Remote Wipe sends logs:
- If a Remote Wipe Push Notification is sent.
- When a Remote Wipe process ends successfully.

- Run the applicable command on the Security Gateway in the Expert mode.
  Syntax:
  cvpnd_settings <Path to Conf File> {set | listAdd | listRemove} <Name> <Value>
  - To enable or disable Remote Wipe:
    cvpnd_settings $CVPNDIR/conf/cvpnd.C set RemoteWipeEnabled {true | false}
    Remote Wipe is enabled by default.
  - To enable or disable Remote Wipe by Push Notification (the wipe is done if the client gets the notification):
    cvpnd_settings $CVPNDIR/conf/cvpnd.C set RemoteWipePushEnabled {true | false}
    The Remote Wipe Push Notifications feature is enabled by default. For supported clients, see sk95587.
  - To set supported devices for Remote Wipe Push Notifications, based on operating system:
    cvpnd_settings $CVPNDIR/conf/cvpnd.C listAdd RemoteWipePushSupportedClientOS {iOS | Android}
- Restart the CVPN service to apply the changes:
  cvpnrestart
  To see that your changes are applied, open the $CVPNDIR/conf/cvpnd.C file in Read-Only mode.
- Make sure that the $CVPNDIR/conf/cvpnd.C file is configured for Remote Wipe and, if you want, for Push Notifications. If you change the file, run:
  [Expert@HostName:0]# cvpnrestart
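To check the file from a script instead of reading it by hand, the following added Python example (not Check Point code) parses a cvpnd.C-style file and reports the effective Remote Wipe settings. It assumes the file stores scalars as `:Name (value)` and lists as a `:Name (` block of `: (item)` lines; that format is an assumption, and the sample text below is constructed rather than taken from a real gateway. Defaults follow the text above: both Remote Wipe and Remote Wipe by Push Notification count as enabled when their key is absent.

```python
"""Report the effective Remote Wipe settings of a cvpnd.C-style file.

Added example, not Check Point code. The ":Name (value)" scalar form and the
":Name (" ... ": (item)" ... ")" list form are assumptions about the format.
"""
import re
from typing import Dict, List, Union

# Constructed sample in the assumed format; not a real gateway file.
SAMPLE_CVPND_C = """(
    :RemoteWipeEnabled (true)
    :RemoteWipePushEnabled (true)
    :RemoteWipePushSupportedClientOS (
        : (iOS)
        : (Android)
    )
    :MobileAppBypassESODforApps (true)
)"""

SCALAR_RE = re.compile(r'^\s*:(\w+)\s+\(([^()]*)\)\s*$')   # :Key (value)
LIST_OPEN_RE = re.compile(r'^\s*:(\w+)\s+\(\s*$')          # :Key (
LIST_ITEM_RE = re.compile(r'^\s*:\s+\(([^()]*)\)\s*$')     # : (item)


def parse_settings(text: str) -> Dict[str, Union[str, List[str]]]:
    """Collect top-level scalar settings and one-level lists."""
    settings: Dict[str, Union[str, List[str]]] = {}
    current_list = None
    for line in text.splitlines():
        if current_list is not None:
            item = LIST_ITEM_RE.match(line)
            if item:
                settings[current_list].append(item.group(1))
                continue
            if line.strip() == ')':
                current_list = None
                continue
        scalar = SCALAR_RE.match(line)
        if scalar:
            settings[scalar.group(1)] = scalar.group(2)
            continue
        opener = LIST_OPEN_RE.match(line)
        if opener:
            current_list = opener.group(1)
            settings[current_list] = []
    return settings


def remote_wipe_status(text: str) -> Dict[str, object]:
    """Effective Remote Wipe configuration; a missing key means 'enabled'."""
    s = parse_settings(text)
    wipe = s.get('RemoteWipeEnabled', 'true') == 'true'
    push = s.get('RemoteWipePushEnabled', 'true') == 'true'
    oses = s.get('RemoteWipePushSupportedClientOS', [])
    warnings = []
    if not wipe:
        warnings.append('RemoteWipeEnabled is false: revoking a certificate will not wipe devices')
    if wipe and push and not oses:
        warnings.append('no RemoteWipePushSupportedClientOS entries: push notifications target no OS')
    return {
        'remote_wipe': wipe,
        'push': wipe and push,            # push only matters when wipe itself is on
        'push_os': list(oses) if wipe and push else [],
        'warnings': warnings,
    }


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CVPND_C
    for key, value in remote_wipe_status(text).items():
        print(f'{key}: {value}')
```

Run it with the path of the copied file as the only argument; with no argument it evaluates the constructed sample.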
- Revoke the client certificate:
  - Open Mobile Access tab > Client Certificates.
  - Select certificates.
  - Click Revoke.
  - Click OK.
- Open SmartConsole.
- From the left navigation panel, click Logs & Events > Logs.
- Query for:
  "Remote Wipe" AND blade:"Mobile Access" action:"Failed Log In"
  You can filter these results for user DN, device ID, or certificate serial number.
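As an added example (not Check Point code), the following Python applies the same query to log records exported from the gateway and narrows them by user DN, device ID or certificate serial number, then lists the certificates whose wipe has been triggered but not yet reported as finished. The record field names (blade, action, message, user_dn, device_id, cert_serial), the completion log wording and all sample records are constructed assumptions, not the gateway's real log schema.

```python
"""Filter Mobile Access logs for Remote Wipe activity.

Added example, not Check Point code. Mirrors the SmartConsole query
    "Remote Wipe" AND blade:"Mobile Access" action:"Failed Log In"
plus the follow-up filters. Field names, the completion marker and the
records are assumptions/constructed samples, not real gateway output.
"""
from typing import Dict, Iterable, List, Optional

Log = Dict[str, str]

# Assumed wording of the log written when a wipe ends successfully.
WIPE_DONE_MARKER = "Remote Wipe completed"

# Constructed sample records.
SAMPLE_LOGS: List[Log] = [
    {"time": "2024-01-10T09:00:01", "blade": "Mobile Access", "action": "Failed Log In",
     "message": "Remote Wipe: login with revoked certificate",
     "user_dn": "cn=alice,ou=users,dc=example,dc=com", "device_id": "DEV-0001", "cert_serial": "1A2B3C"},
    {"time": "2024-01-10T09:00:05", "blade": "Mobile Access", "action": "Accept",
     "message": "Remote Wipe Push Notification sent",
     "user_dn": "cn=alice,ou=users,dc=example,dc=com", "device_id": "DEV-0001", "cert_serial": "1A2B3C"},
    {"time": "2024-01-10T09:02:00", "blade": "Mobile Access", "action": "Failed Log In",
     "message": "Invalid password",
     "user_dn": "cn=bob,ou=users,dc=example,dc=com", "device_id": "DEV-0002", "cert_serial": "4D5E6F"},
    {"time": "2024-01-10T09:03:00", "blade": "VPN", "action": "Failed Log In",
     "message": "Remote Wipe text in an unrelated blade",
     "user_dn": "cn=dave,ou=users,dc=example,dc=com", "device_id": "DEV-0004", "cert_serial": "AABBCC"},
    {"time": "2024-01-10T09:04:00", "blade": "Mobile Access", "action": "Failed Log In",
     "message": "Remote Wipe: login with revoked certificate",
     "user_dn": "cn=carol,ou=users,dc=example,dc=com", "device_id": "DEV-0003", "cert_serial": "778899"},
    {"time": "2024-01-10T09:04:30", "blade": "Mobile Access", "action": "Accept",
     "message": WIPE_DONE_MARKER,
     "user_dn": "cn=carol,ou=users,dc=example,dc=com", "device_id": "DEV-0003", "cert_serial": "778899"},
]


def matches_query(rec: Log) -> bool:
    """Query semantics: the free-text term may appear in any field,
    the two field conditions must match exactly."""
    free_text = " ".join(rec.values())
    return ("Remote Wipe" in free_text
            and rec.get("blade") == "Mobile Access"
            and rec.get("action") == "Failed Log In")


def remote_wipe_events(logs: Iterable[Log], user_dn: Optional[str] = None,
                       device_id: Optional[str] = None,
                       cert_serial: Optional[str] = None) -> List[Log]:
    """Records matching the query, narrowed by whichever filters are given."""
    wanted = {"user_dn": user_dn, "device_id": device_id, "cert_serial": cert_serial}
    return [rec for rec in logs
            if matches_query(rec)
            and all(rec.get(k) == v for k, v in wanted.items() if v is not None)]


def pending_wipes(logs: Iterable[Log]) -> List[str]:
    """Certificate serials with a triggered wipe (failed login on a revoked
    certificate) but no completion log yet: the devices still to watch."""
    logs = list(logs)
    triggered = {rec["cert_serial"] for rec in remote_wipe_events(logs)}
    completed = {rec["cert_serial"] for rec in logs
                 if WIPE_DONE_MARKER in rec.get("message", "")}
    return sorted(triggered - completed)


if __name__ == "__main__":
    for rec in remote_wipe_events(SAMPLE_LOGS):
        print(rec["time"], rec["user_dn"], rec["device_id"], rec["cert_serial"])
    print("wipes not yet confirmed:", pending_wipes(SAMPLE_LOGS))
```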
Mobile Device Profiles
For Capsule Workspace, many settings that affect the user experience on mobile devices come from the Mobile Profile.
Each Mobile Access user group has an assigned Mobile Profile. By default, all users get the Default Profile.
The settings in the Mobile Profile include:
- Passcode Settings
- Mail, Calendar, and Contacts availability
- Settings for offline content
- Where contacts come from
Manage the Mobile Profiles in Mobile Access tab > Capsule Workspace Settings.
- In the Mobile Profiles pane:
  - See all Mobile Profiles.
  - Create, edit, delete, clone, and rename Mobile Profiles.
- In the Mobile Profile Policy pane:
  - Create rules to assign Mobile Profiles to user groups.
  - Search for a user or group within the policy rules.
Creating and Editing Mobile Profiles
- In SmartConsole, from the left taskbar, click Manage & Settings.
- Click Blades.
- In the Mobile Access section, click the Capsule Workspace Settings button.
  The Capsule Workspace Settings menu opens.
- Open the Profiles tab.
- Do one of these:
  - To create a new Mobile Profile, right-click inside the table > click New.
  - To edit an existing Mobile Profile, right-click on the table row that contains the profile > click Edit...
  The Mobile Profile window opens.
- Change settings. See the Capsule Workspace Settings in the Mobile Profile section below.
- Click OK.
- Install policy.
Capsule Workspace Settings in the Mobile Profile
- In the Security tab, configure Access Settings:
  - Session timeout - After users authenticate with the authentication method configured in Gateways & Servers > Security Gateway object > Mobile Access > Authentication, configure how long they stay authenticated to the Security Gateway.
  - Activate Passcode lock - Select to protect the Business Secure Container area of the mobile device with a passcode.
    - Passcode profile - Select a passcode profile to use. The profile includes the passcode complexity, length, expiration, and number of failed attempts allowed.
    - Allow storing user credentials on the device for single sign-on - If username and password authentication is used, store the authentication credentials on the device. Then users are only prompted for their passcode, not also for their username and password.
  - Report jail-broken devices - Create a log if a jail-broken device connects to the Security Gateway.
    - Block access from jail-broken devices - Block devices that are jail-broken from connecting to the Security Gateway.
  - Block third-party keyboard - Block keyboards that are not the native keyboard for the operating system of the endpoint device.
  - Hide 'connect anyway' on SSL trust screen - If the endpoint device does not trust the certificate of the Security Gateway, users do not have the option to connect.
- In the Applications tab, select which application features are available on devices:
  - Mail
    - Allow printing mail - Allows users of the endpoint device to print email.
    - Max attachment size (MB) - Select the maximum attachment size to allow.
  - Offline Content - Configure what data is saved and for how long when the Check Point App cannot reach the Security Gateway.
    - Mail from the last x days - Select the length of time from which emails are saved.
    - Calendar from the last x months and the following x months - Select which parts of the calendar are saved: the length of time in the past and the length of time in the future.
    - Synchronize contacts - Synchronize contacts from the organization's mail server to the endpoint device.
  - Push Notifications - Allow push notifications on devices. See the Push Notifications section below for details. To use this, push notifications must be enabled for Capsule Workspace on the Security Gateway that users connect to.
  - Calendar - Select Allow business calendar to sync to the device's native calendar if you want to sync both calendars on the device. Events from Capsule Workspace will show in the device's calendar, outside of Capsule Workspace.
  - Contacts - Select which additional contacts to show in Capsule Workspace on the device:
    - Global Address List - Contacts from the end user's corporate Microsoft Outlook application.
    - Mobile Device's contact list - Contacts from the mobile device's contact list.
  - Web Applications - Save local web cache - Configure what data is saved and for how long when the Check Point App cannot reach the Security Gateway. By default, the endpoint device is allowed to save data in its local cache.
  - Check Point Capsule Documents - Select the Capsule Docs information that is stored in Capsule Workspace.
    - Allow caching Check Point Capsule Docs credentials - The credentials required to open Capsule Docs protected documents are cached on the device. If they are not cached, users must enter their credentials each time they open a document for the first time.
    - Allow caching Check Point Capsule Docs keys - The Capsule Docs keys are cached on the device. If they are cached, users can open a previously opened document with no need to enter credentials.
- In the Data Loss Prevention tab, configure settings for Outbound and Inbound traffic.
  - Outbound
    - Share protected files extensions to external apps - Select which types of protected files can "exit the boundaries" of Capsule Workspace. In Android, this setting restricts the "share" action. In iOS, this setting restricts all actions that take a file from Capsule Workspace.
    - Share unprotected files extensions to external apps - Select which types of unprotected files can "exit the boundaries" of Capsule Workspace. In Android, this setting restricts the "share" action. In iOS, this setting restricts all actions that take a file from Capsule Workspace.
    - Open the following extensions with external apps when they cannot be opened with Capsule viewer - This rule applies only in Android. It describes which types of files can "exit the boundaries" of Capsule Workspace when Capsule Workspace cannot display the file. Capsule Workspace prompts the user to pick an app in which to open the file.
    - Block Screenshot - Select to block end users from taking screenshots inside of Capsule Workspace.
    - Allow copy paste to external apps - Select to allow Capsule Workspace users to copy content and paste it into external apps.
    - Block forward attachments by mail - Select to prevent Capsule Workspace users from forwarding email attachments outside of the organization.
    - Allow domain for forward attachments by mail - Enter a fully qualified domain name to which Capsule Workspace users are allowed to forward email attachments. You can enter more than one FQDN, separated by commas. For the entered domains, this setting overrides the previous setting.
  - Inbound
    - Accept protected files with these extensions from external apps - Select which types of protected files can "enter the boundaries" of Capsule Workspace.
    - Accept unprotected files with these extensions from external apps - Select which types of unprotected files can "enter the boundaries" of Capsule Workspace. This holds only for files not protected by Capsule Docs.
    - Offer Capsule as a viewer for external protected documents - Select to configure the device to offer Capsule Workspace as a document viewer for protected documents from outside of the organization. This is similar to the behavior of Capsule Docs.
    - Allow taking photos and videos - Select to allow the device's camera to take pictures and videos and bring them into Capsule Workspace.
    - Allow Importing media From Gallery - Select to allow the user to import media from the device into Capsule Workspace.
- In the Harmony Mobile section, configure settings for Harmony Mobile integration with the Harmony Mobile application or with Harmony App Protect.
  - Enabled application integration - Capsule Workspace enforces installation of Harmony Mobile. If Harmony Mobile does not meet the requirements of the policy, Capsule Workspace does the enforcement action.
    - Enforcement policy - Select under which conditions Capsule Workspace does the enforcement action:
      - Not enforced - Capsule Workspace does not enforce a security policy.
      - Ensure application installed - If Harmony Mobile is not installed on the device, Capsule Workspace does the enforcement action.
      - Ensure application activated - If Harmony Mobile is not activated on the device, Capsule Workspace does the enforcement action.
      - Ensure application compliant - If Harmony Mobile finds that the device is not compliant with the security policy, Capsule Workspace does the enforcement action.
    - Enforcement action - Select what Capsule Workspace does when the device does not meet the Harmony enforcement policy:
      - Warn - Capsule Workspace warns the user that the device does not meet the policy.
      - Block - Capsule Workspace does not open.
    - Enforcement Message - Enter a free text message for Capsule Workspace to show the user when it does the enforcement action. If you do not enter a message, Capsule Workspace users see pop-up messages with the options Continue Anyway (only if the enforcement action is Warn) and Sign Out.
  - Enable Harmony App Protect - Enables the administrator to use the software development kit (SDK) to configure the behavior of Capsule Workspace. This feature requires an additional license. Enter the license in the Harmony App Protect license field. For each kind of security vulnerability that Harmony App Protect can detect, select how Harmony App Protect enforces policy for Capsule Workspace.
    List of security vulnerabilities:
    - Device Compromised
    - Malware
    - Man in the Middle Attack
    - OS Integrity Compromised
    - Suspicious App
    - Suspicious Enterprise Certificate
    List of enforcement actions:
    - Block - Capsule Workspace shows users a block page and is not usable.
    - Notify - Capsule Workspace shows users a popup window that says there is a security vulnerability.
    - Ignore - Capsule Workspace does nothing.
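The Harmony Mobile enforcement settings form a small decision procedure: the enforcement policy decides which condition is checked, the enforcement action decides what happens when it fails, and the enforcement message decides what the user sees. The following added Python model (not Check Point code) encodes that procedure as the page describes it so an administrator can try combinations before rolling them out. It makes one assumption beyond the text: the policy levels are cumulative, so an app that is not installed also fails the "activated" and "compliant" checks.

```python
"""Decision logic for the Harmony Mobile enforcement settings.

Added example, not Check Point code. Assumption: policy levels are cumulative
(an uninstalled app also fails the 'activated' and 'compliant' checks).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class EnforcementPolicy(Enum):
    NOT_ENFORCED = "Not enforced"
    ENSURE_INSTALLED = "Ensure application installed"
    ENSURE_ACTIVATED = "Ensure application activated"
    ENSURE_COMPLIANT = "Ensure application compliant"


class EnforcementAction(Enum):
    WARN = "Warn"    # Capsule Workspace warns the user
    BLOCK = "Block"  # Capsule Workspace does not open


@dataclass
class HarmonyState:
    """What Capsule Workspace learns about Harmony Mobile on the device."""
    installed: bool
    activated: bool
    compliant: bool


@dataclass
class Decision:
    enforce: bool
    reason: str
    action: Optional[EnforcementAction]
    message: str
    can_continue: bool   # 'Continue Anyway' exists only when the action is Warn


# Checks in increasing strictness; a policy level applies every check up to it.
_CHECKS = [
    (EnforcementPolicy.ENSURE_INSTALLED, lambda s: s.installed,
     "Harmony Mobile is not installed"),
    (EnforcementPolicy.ENSURE_ACTIVATED, lambda s: s.activated,
     "Harmony Mobile is not activated"),
    (EnforcementPolicy.ENSURE_COMPLIANT, lambda s: s.compliant,
     "device is not compliant with the security policy"),
]
_LEVEL = {policy: index for index, policy in enumerate(EnforcementPolicy)}


def evaluate(policy: EnforcementPolicy, state: HarmonyState,
             action: EnforcementAction, enforcement_message: str = "") -> Decision:
    """Return what Capsule Workspace does for this device under this profile."""
    for level, passes, reason in _CHECKS:
        if _LEVEL[level] > _LEVEL[policy]:
            break                        # stricter than the configured policy
        if not passes(state):
            default = f"Security policy not met: {reason}."
            return Decision(True, reason, action,
                            enforcement_message or default,
                            action is EnforcementAction.WARN)
    return Decision(False, "policy satisfied", None, "", True)


if __name__ == "__main__":
    device = HarmonyState(installed=True, activated=True, compliant=False)
    for policy in EnforcementPolicy:
        d = evaluate(policy, device, EnforcementAction.BLOCK)
        print(f"{policy.value:30} enforce={d.enforce} reason={d.reason}")
```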
- In the Client Customization tab, configure what end users see in the client.
  - Appearance
    - Application light mode color: Enter a hex color.
    - Application dark mode color: Enter a hex color.
  - Allowed items - Select which Exchange features are available on endpoint devices.
    - Mail
    - Messages
    - Calendar
    - Contact
    - Tasks
    - Notes (iOS only)
    - Saved Files
  - Certificates - Enter a message to show to the end user when the client certificate expires.
- In the Advanced tab, configure custom fields for new Capsule Workspace features that do not exist in your version of SmartConsole.
  - In the Custom Fields section, click the plus (+) icon.
    The New Future Compatibility Field window opens.
  - Enter the Key for the feature.
  - Enter the Value for the feature.
  - Click OK.
Managing Passcode Profiles
A passcode lock protects Capsule Workspace in mobile devices. In each Mobile Profile, configure which Passcode Profile it uses. The profile includes the passcode requirements, expiration, and number of failed attempts allowed. The default passcode profiles are Normal, Permissive, and Restrictive. You can edit the default profiles and create new profiles.
- In SmartConsole, from the left taskbar, click Security Policies.
- Click Blades.
- In the Mobile Access section, click the Capsule Workspace Settings button.
  The Capsule Workspace Settings menu opens.
- Open the Passcodes tab.
- Do one of these:
  - To create a new Passcode Profile, right-click inside the table > click New.
  - To edit an existing Passcode Profile, right-click on the table row that contains the profile > click Edit...
  The Passcode window opens.
- Change settings. See the Passcode Profile Settings section below.
- Click OK.
- Install policy.
A Passcode Profile includes these settings:
- Passcode Requirements - The complexity requirements. When you configure this, remember that users usually have a small on-screen keyboard.
  - Simple Passcode (4 digits) - Users create a simple passcode of 4 numbers. If this is not selected, configure options for a complex passcode:
    - Minimum passcode length - Enter the minimum number of characters.
    - Require alphanumeric characters - Show an alphanumeric keyboard and require at least one character to be a letter.
    - Minimum complex characters - Enter the number of characters that must be a special character.
- Force passcode expiration - Enter the number of days after which users' passcodes expire and must be replaced.
- Allow grace period for entering passcode - Select to let users access the Business Secure Container for a specified period of time without re-entering their passcode. Enter the quantity of time in minutes.
- Exit after a few failures in passcode verification - Select to lock users out after a specified number of failed attempts. After the failed attempts, users must re-authenticate. If the authentication method includes username and password, users must enter them. If the authentication is certificate-only, users need a new certificate.
- Enforce passcode history - When selected, users cannot use a passcode that is the same as earlier passcodes. Select the number of earlier passcodes that users cannot use.
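To make the interaction of these settings concrete, the following added Python model (not Check Point code) checks a candidate passcode against a profile and simulates the container lock: expiration by days, the grace period, lockout after the configured number of failures, and the history rule. Which characters count as "complex" and the salted hashing of the stored passcode are choices made for this example, not documented Capsule Workspace behavior.

```python
"""Passcode Profile semantics as a small model.

Added example, not Check Point code. The special-character set and the
hashing of the stored passcode are choices made here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SPECIAL_CHARACTERS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


@dataclass
class PasscodeProfile:
    simple_passcode: bool = False               # Simple Passcode (4 digits)
    minimum_length: int = 6                     # Minimum passcode length
    require_alphanumeric: bool = False          # Require alphanumeric characters
    minimum_complex_characters: int = 0         # Minimum complex characters
    expiration_days: Optional[int] = None       # Force passcode expiration
    grace_period_minutes: Optional[int] = None  # Allow grace period for entering passcode
    max_failed_attempts: Optional[int] = None   # Exit after a few failures
    passcode_history: int = 0                   # Enforce passcode history


def passcode_errors(profile: PasscodeProfile, candidate: str, previous: List[str]) -> List[str]:
    """Every reason a new passcode would be rejected; empty means accepted."""
    errors = []
    if profile.simple_passcode:
        if not (len(candidate) == 4 and candidate.isdigit()):
            errors.append("simple passcode must be exactly 4 digits")
    else:
        if len(candidate) < profile.minimum_length:
            errors.append(f"shorter than {profile.minimum_length} characters")
        if profile.require_alphanumeric and not any(c.isalpha() for c in candidate):
            errors.append("at least one letter is required")
        if sum(c in SPECIAL_CHARACTERS for c in candidate) < profile.minimum_complex_characters:
            errors.append(f"fewer than {profile.minimum_complex_characters} special characters")
    if profile.passcode_history and candidate in previous[-profile.passcode_history:]:
        errors.append(f"matches one of the last {profile.passcode_history} passcodes")
    return errors


def passcode_expired(profile: PasscodeProfile, set_on: date, today: date) -> bool:
    """Force passcode expiration: the passcode must be replaced after N days."""
    return profile.expiration_days is not None and (today - set_on).days >= profile.expiration_days


class ContainerLock:
    """Passcode lock of the Business Secure Container on one device."""

    def __init__(self, profile: PasscodeProfile, passcode: str):
        self.profile = profile
        self.salt = os.urandom(16)
        self.digest = self._hash(passcode)
        self.failed = 0
        self.locked_out = False      # user must re-authenticate to the Security Gateway
        self.last_unlock_minute: Optional[int] = None

    def _hash(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 50_000)

    def unlock(self, candidate: Optional[str], now_minute: int) -> str:
        """Returns 'locked_out', 'grace', 'ok' or 'denied'."""
        if self.locked_out:
            return "locked_out"
        grace = self.profile.grace_period_minutes
        if (grace is not None and self.last_unlock_minute is not None
                and now_minute - self.last_unlock_minute <= grace):
            return "grace"           # within the grace period: no passcode needed
        if candidate is None:
            return "denied"
        if hmac.compare_digest(self._hash(candidate), self.digest):
            self.failed = 0
            self.last_unlock_minute = now_minute
            return "ok"
        self.failed += 1
        limit = self.profile.max_failed_attempts
        if limit is not None and self.failed >= limit:
            self.locked_out = True   # 'Exit after a few failures' reached
            return "locked_out"
        return "denied"
```

`passcode_errors` returns all violations at once so the user can be told every rule that was missed; `ContainerLock.unlock` is called with `None` when the app foregrounds without a passcode entry, which succeeds only inside the grace period.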
Configuring Push Notifications
Enable push notifications from the Mobile Access Wizard or from the Security Gateway Properties of each Security Gateway.
- From the Mobile Access Wizard:
  - If you enable Mobile Mail in the Mobile Access Wizard, push notifications are automatically enabled for the Security Gateway.
  - If you enable Mobile Mail from the Mobile Access tab, push notifications are NOT enabled.
- From the Security Gateway Properties:
  - Open a Security Gateway object that has Mobile Access enabled.
  - Select Mobile Access > Capsule Workspace from the tree.
  - Select Enable Push Notifications.
  - Click OK.
Exchange Server and Security Gateway Communication
Make sure that the Exchange server can access the Mobile Access Portal.
All confidential information between the Exchange server and the Security Gateway uses encrypted SSL tunnels. Non-confidential information can use unencrypted HTTP connections.
You can configure all push notification communication to use SSL tunnels.
By default, Kerberos authentication is not enabled for Push Notification registration to the Exchange server. To enable it, follow the instructions in sk110629.
- Install a trusted server certificate on the Mobile Access Security Gateway. See sk98203.
- Close all SmartConsole windows connected to the Management Server.
- Connect with Database Tool (GuiDBEdit Tool) to the Management Server.
- Search for the field main_url (Ctrl+F).
- Press F3 to see the next main_url until you find the main_url that contains the value ExchangeRegistration.
- Double-click the ExchangeRegistration main_url field and edit the value to be https:// and not http://.
- Save the changes and close Database Tool (GuiDBEdit Tool).
- Connect with SmartConsole to the Management Server.
- Open the Mobile Access Security Gateway object.
- Click OK.
- Install policy.
- Download the certificate to the Exchange server.
- Double-click the certificate file, and follow the Windows certificate installation wizard steps.
- Run the Microsoft Management Console.
- In the window that opens, click File > Add/Remove Snap-in.
  The Add or Remove Snap-ins window opens.
- Select Certificates from the Available snap-ins, and click Add.
- Select My user account.
- Click Finish.
- Select Certificates and click Add again.
- Select Computer account.
- Click Next.
- Click Finish.
- Click OK.
The certificate is stored in the Local computer and Current user stores.
Push Notification Status Utility
Use the Push Notification Status Utility to understand if your environment is configured correctly for push notifications.
Run the $CVPNDIR/bin/PushReport command to generate a report that contains this data:
- License - Shows if the license is valid or if you have an evaluation license.
- Configuration - Shows if push notifications are configured and enabled in the database.
- Connectivity - Shows if you have a connection to the Check Point Cloud and the CRL list.
- Callback URL - Shows the configured callback URL. If it is an https URL, the utility shows that a certificate is needed.
Output Example
Monitoring Push Notification Usage
Use the fwpush commands to monitor, debug, and troubleshoot push notification activity.
Note - Users must first install the latest version of the Capsule Workspace app from the app store and connect to the site created on the Security Gateway.
To see failed batches, expired push notifications, and delayed push notifications, see: $FWDIR/log/pushd_failed_posts
Check Point uses Apple and Google services to deliver push notifications to iOS and Android devices. This is consistent with industry practice and similar to other application vendors. Accordingly, Check Point assumes no liability in the event a notification is not sent or is not successfully pushed.
Information which is sent as a push notification passes through Check Point's push service and the Apple or Google push service (according to the user's device). Check Point does not keep, filter, or read any information that passes through. Check Point may review basic information to determine if a push notification reached its destination.
Check Point provides configuration options for the information sent as a push notification. The administrator can choose whether to set the subject, the sender, or the importance of any email, and can send the meeting location for meeting invitations.
Check Point will not be held liable for any loss of information that may result during the push notification process.
ESOD Bypass for Mobile Apps
Hand-held devices cannot run Endpoint Security on Demand (ESOD) components. By default, ESOD is disabled for smartphones and tablets.
If your organization has ESOD enabled, mobile apps cannot access ESOD enforced applications.
Note - Mobile apps are not recognized by their HTTP User-Agent header.
- On the Security Gateway, run this command with the applicable value:
  cvpnd_settings $CVPNDIR/conf/cvpnd.C set MobileAppBypassESODforApps "true"
  or
  cvpnd_settings $CVPNDIR/conf/cvpnd.C set MobileAppBypassESODforApps "false"
  where:
  - true - Bypasses ESOD for mobile apps (default).
  - false - Does not bypass ESOD.
- Restart the Mobile Access services:
  cvpnrestart
- If you use a cluster, copy the $CVPNDIR/conf/cvpnd.C file to all cluster members and restart the services on each.
System Specific Configuration
This section describes system specific configuration required for iPhones, iPads, and Android devices. In some instances, end-user configuration is also required.
iPhone and iPad Configuration
When you allow access to an ActiveSync application, users see the ActiveSync Setup item and can install the ActiveSync profile. This gives users access to their corporate email.
Note - If your ActiveSync application requires a client certificate to connect, the ActiveSync profile works only if a client certificate is also required for Capsule Workspace.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To connect to corporate email:
- Sign in to the Mobile Access site.
- Tap Mail Setup.
- Follow the on-screen instructions.
To resolve issues with client devices, tell the users to send you the logs. The iPhone or iPad must have an email account set up.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To configure logs:
- Tap the i icon.
  Before login, this is on the top right. After login, this is on the bottom right.
- Tap Report a Problem on the navigation bar.
  If you do not have an email account configured on the iPhone, a message shows that one must be configured. After this is done, you must open Check Point Mobile Access again.
  When an email account is configured, the email page opens. The logs are attached.
Note - The email account that the iPhone uses to send the email is the default account. This might not be your organization's ActiveSync account.
If the iPhone is not configured for a destination email address for logs, the email that opens has an empty To field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.
Single Sign On (SSO) lets users in a session connect to the Mobile Access Security Gateway, without authenticating when the client starts. If a user cannot access the Security Gateway while SSO is enabled, disable it.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To disable SSO on a client:
- Tap Settings.
- Scroll down to the Check Point Mobile icon and tap it.
- In the Mobile global settings, tap the Single Sign On > Enabled switch.
Android Configurations
When a user browses from the Android app to a server whose certificate is not trusted by the device, access is denied with this message:
"Some resources on this page reside on an untrusted host."
In some cases, such as in a staging or demo environment, you can let users enable browsing to servers with untrusted certificates (the Allow connection to untrusted servers setting in the app; see Android End User Configuration).
Important - Disabling server certificate validation in the client app is forbidden for production setups. Without validation the app accepts any certificate, so any third party that can get on the network path can present its own certificate and intercept the SSL traffic, including the user's credentials.
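The three client postures described above, as an added example in Go that is not part of this guide or of the Check Point apps. It stands up an in-process HTTPS server whose certificate is the self-signed test certificate of Go's httptest helper (a constructed stand-in for the gateway's default ICA-signed certificate, which no device trusts out of the box) and connects to it three ways: with strict validation against an empty trust store (the "untrusted host" refusal), with validation switched off (what Allow connection to untrusted servers amounts to: the client accepts any certificate, so an interceptor's certificate passes just as well as the real one), and with the gateway's CA certificate added to the trust store (the production-correct fix: install the CA on the device, or use a certificate from a CA the device already trusts). The server handler text and the empty root pool modelling a device that lacks the ICA are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// TrustOutcome records what each client posture sees against the same gateway.
type TrustOutcome struct {
	DefaultTrust   error // strict validation, gateway CA not in the device trust store
	SkipVerify     error // "Allow connection to untrusted servers": validation switched off
	GatewayCATrust error // strict validation after the gateway CA is installed
}

// fetch performs one HTTPS request with the given client TLS settings and returns nil
// when the TLS handshake and request complete, or the verification error otherwise.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// IsUntrustedHost reports whether err is the "certificate signed by unknown authority"
// failure, which is the condition the Android app reports as an untrusted host.
func IsUntrustedHost(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

// RunDemo stands up a local HTTPS server with a self-signed certificate (constructed
// stand-in for a gateway whose certificate is issued by the ICA) and connects to it
// with the three client postures.
func RunDemo() TrustOutcome {
	gateway := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "Mobile Access portal (constructed stand-in)")
	}))
	gateway.Config.ErrorLog = log.New(io.Discard, "", 0) // silence the expected handshake failure
	gateway.StartTLS()
	defer gateway.Close()

	var out TrustOutcome
	// 1. Device trust store without the gateway's CA (modelled as an empty root pool):
	//    no chain can be built, so the client refuses to talk to the host.
	out.DefaultTrust = fetch(gateway.URL, &tls.Config{RootCAs: x509.NewCertPool()})
	// 2. Validation disabled: the request succeeds, but it would succeed just as well
	//    against an interceptor presenting its own certificate for this address.
	out.SkipVerify = fetch(gateway.URL, &tls.Config{InsecureSkipVerify: true})
	// 3. The gateway's CA certificate installed in the trust store: strict validation
	//    passes, and only a server holding the matching private key can complete it.
	trusted := x509.NewCertPool()
	trusted.AddCert(gateway.Certificate())
	out.GatewayCATrust = fetch(gateway.URL, &tls.Config{RootCAs: trusted})
	return out
}

func main() {
	out := RunDemo()
	fmt.Println("strict, CA not trusted:", out.DefaultTrust, "| untrusted host:", IsUntrustedHost(out.DefaultTrust))
	fmt.Println("validation disabled:   ", out.SkipVerify)
	fmt.Println("strict, CA installed:  ", out.GatewayCATrust)
}
```

Run it with go run: the first connection fails with "certificate signed by unknown authority", the other two succeed. The point of the second case is that nothing distinguishes it from a connection to an interceptor, which is why the setting is limited to staging and demo environments; the third case is the only one that both connects and binds the session to the real gateway.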
For Android devices, an idle timeout cannot be configured or enforced, either on the device or on the Security Gateway.
The only timeout setting that applies to the device is the active session timeout. It is configured in SmartDashboard (the legacy Check Point GUI client, still used for some settings in R80.x and higher): Mobile Access Software Blade > Additional Settings > Session > Re-authenticate users every x minutes. This setting is the maximum session length. When it is reached, the user must log in again, even if the session is active. For example, if re-authentication is set to 120 minutes, a user must log in again after 2 hours, even in an active session.
To resolve issues with client devices, tell the users to send you the logs.
The next procedure is for end users to configure on their devices. For all end user configuration procedures, see Instructions for End Users.
To send logs:
-
Open the Check Point application.
-
Tap About.
-
Press the Menu button on the device.
-
Tap Send Logs.
-
Select a way to send the logs.
Instructions for End Users
Give these instructions to end users to configure their mobile devices to work with Mobile Access.
iPhone/iPad End User Configuration
Do these procedures on your iPhone/iPad so you can work with Mobile Access.
Before you start, make sure that your administrator gives you:
-
The name of the site you will connect to.
-
The required Registration key (also called Activation key).
Important - Do only the procedures that your network administrator instructed you to do.
To connect to the corporate site:
-
Get Check Point Capsule Workspace from the App Store.
-
When prompted, enter the:
-
Site Name
-
Registration key
To connect to corporate email:
-
Sign in to the Mobile Access site.
-
Tap Mail Setup.
-
Follow the on-screen instructions.
-
When asked for the password, enter the Exchange password.
To configure logs:
-
Tap Information.
Before login, this is on the top right. After login, this is on the bottom right.
-
Tap Report a Problem on the navigation bar.
If no email account is configured on the iPhone, a message tells you that one must be configured. After you configure one, open Check Point Mobile Access again.
When an email account is configured, the email page opens. The logs are attached.
Note - The email account that the iPhone uses to send the email is the default account. This might not be your organization's ActiveSync account.
If the iPhone is not configured for a destination email address for logs, the email that opens has an empty To field. You can enter the destination address now, or set up a default destination address for Check Point Mobile logs.
To disable SSO on a client:
-
Tap Settings.
-
Scroll down to the Capsule Workspace icon and tap it.
-
In the Mobile global settings, tap the Single Sign On > Enabled switch.
Android End User Configuration
Do these procedures on your Android device so you can work with Mobile Access.
Before you start, make sure that your administrator gives you:
-
The name of the site you will connect to.
-
The required Registration key (also called Activation key).
Important - Do only the procedures that your network administrator instructed you to do.
To connect to the corporate site:
-
Get the Check Point Mobile app from the Android Market.
-
When prompted, enter the:
-
Site Name
-
Registration key
To send logs:
-
Open the Check Point application.
-
Tap About.
-
Press the Menu button on the device.
-
Tap Send Logs.
-
Select a way to send the logs.
To allow connections to servers with untrusted certificates (only if your administrator instructed you to do so):
-
Launch the Check Point Mobile app.
-
Log in to the site.
-
Press the menu button and tap Settings.
-
Enable Allow connection to untrusted servers.
To export the client certificate for a third party mail app:
-
Launch the Check Point Mobile app.
-
Log in to the site.
-
Press the menu button and tap Settings.
-
From the Export Certificate option, tap Export. The Export Certificate window opens.
If the Export Certificate option is disabled, contact the system administrator.
-
Select the certificate format appropriate for your mail client: P12 or PFX.
-
Select the location to save the certificate.
The default path is /sdcard (for devices that have an SD card) or an external resource folder (for devices that do not have an SD card).
-
Tap OK to save the certificate to the selected location.
A window opens:
Export succeeded. Certificate password is: _______
-
You can copy the password to the clipboard.
You need the password when you import the certificate to the third party mail app.
Advanced Security Gateway Configuration for Handheld Devices
You can customize client authentication, device requirements, certificate details, and ActiveSync behavior.
Use the CLI commands below to change the settings in the configuration file:
To apply changes, restart the Mobile Access services:
Notes:
To set Mobile Access attributes:
To get the current value of an attribute:
Attributes: