Ivanti Neurons for MDM, Standalone Sentry, and device interaction
The following describe Ivanti Neurons for MDM, Standalone Sentry, and device interaction:
• | When an ActiveSync device accesses email |
•When an app accesses the backend resource
•When Ivanti Neurons for MDM detects a security policy violation
•Periodic Standalone Sentry check in with Ivanti Neurons for MDM
When an ActiveSync device accesses email
The following illustrates the interaction between Standalone Sentry, UEM, and the device when the device first attempts to access the ActiveSync server.
Figure 1. Device first attempt to access the ActiveSync server
1. | Device attempts to access the ActiveSync server. |
2. | Sentry queries Ivanti Neurons for MDM for registered devices and unregistered tunnels that might match the device. |
Sentry checks for unregistered tunnels to ensure that the device is not already allowed on a different Sentry registered to Ivanti Neurons for MDM.
3. | Standalone Sentry correlates the list provided by Ivanti Neurons for MDM and picks the best match based on the following criteria: Active Sync ID, User ID. If a match is found, Sentry does additional checks to ensrue that the device is in compliance before allowing or blocking the device access to the ActiveSync server. |
4. | Standalone Sentry adds the device to its list of devices. |
5. | If access is allowed, device continues email processing. |
If access is blocked, the device will not be able to process email through Standalone Sentry.
6. | Standalone Sentry checks in with Ivanti Neurons for MDM, at the next check-in interval, to update Ivanti Neurons for MDM with the tunnel (activesync and app) inventory in its list. |
The next time a device attempts to access the ActiveSync server, the device is already in the Standalone Sentry’s list. Standalone Sentry periodically checks in with Ivanti Neurons for MDM to update the compliance status for the device. The device is either allowed or blocked access based on the compliance status.
If Standalone Sentry cannot communicate with Ivanti Neurons for MDM
Allowing or blocking new device access to the ActiveSync server, if Ivanti Neurons for MDM is not accessible, is configured on Ivanti Neurons for MDM.
1. | Based on the setting in Ivanti Neurons for MDM, Standalone Sentry either allows or blocks access to the ActiveSync server. |
2. | When the connection is reestablished, Standalone Sentry evaluates the status of the device following the steps described in When an ActiveSync device accesses email. |
When an app accesses the backend resource
When using Standalone Sentry for AppTunnel, when an app first attempts to access the backend resource, the following occurs:
1. | UEM tells Standalone Sentry whether to allow or block the app’s access to the backend resource based on: |
- | the device’s security policy and traffic control rules |
- | whether the app is an authorized app |
2. | Standalone Sentry creates an AppTunnel for the app to access the backend resource based on the AppTunnel status provided by the UEM. |
3. | The AppTunnel view on the UEM now includes the new AppTunnel. |
4. | The next time the app attempts to access the backend resource, the app uses the AppTunnel that was created to access the backend resource. |
On the first attempt, if Standalone Sentry is temporarily unable to communicate with the UEM due to, for example, a network error, the following occurs:
1. | Standalone Sentry allows the app to access the backend resource. |
2. | At the periodic Sentry check in with Ivanti Neurons for MDM, the UEM sends Standalone Sentry the proper state of the device (allowed, blocked, or wiped). |
When Ivanti Neurons for MDM detects a security policy violation
Ivanti Neurons for MDM detects a security policy violation when, for example, a device checks in. At the periodic Ivanti Neurons for MDM-Sentry check in, Standalone Sentry get the updated status for the devices and blocks the device from accessing the ActiveSync server and backend resources if Ivanti Neurons for MDM is configured so that Sentry blocks the device.
When Sentry initializes
When Standalone Sentry starts or restarts, the following occurs:
1. | When a device attempts to access the ActiveSync server it is as though it is the first time. See When an ActiveSync device accesses email. |
2. | Standalone Sentry retrieves the AppTunnels equal to the Sentry device cache size (number). |
Periodic Standalone Sentry check in with Ivanti Neurons for MDM
Standalone Sentry periodically checks in with Ivanti Neurons for MDM to do the following:
•Get the updated compliance status for devices.
•Get any administrator actions taken on tunnels. Example: If a tunnel is blocked, Standalone Sentry retrieves the blocked status when it periodically checks in with Ivanti Neurons for MDM.
•Update Ivanti Neurons for MDM with the tunnel (ActiveSync and app) inventory in its list.
These are separate check ins with Ivanti Neurons for MDM and occur on different schedules.