Deploying a BYOD Policy for MobileIron Managed Devices
This example shows how to use policies to enable security based on device identity, device posture, or user identity in a bring your own device (BYOD) environment for an enterprise that uses MobileIron® for mobile device management (MDM).
Requirements
The following table lists version information for the solution components shown in this example.
Component | Version
Ivanti Connect Secure | Release 8.0r1 or later is required.
MobileIron MDM | Release 5.6 is used in this example. Any version that supports the device ID and device attributes you plan to query is compatible.
Configuring the MobileIron MDM Service
This solution assumes you know how to configure and use the features of your MDM, and that you can enroll employees and their devices. For more information about the MobileIron MDM, refer to its documentation and support resources. This section focuses on the following elements of the MDM configuration that are important to this solution:
• Device identifier - The primary key for device records. Your MDM configuration determines whether a universal unique identifier (UUID), unique device identifier (UDID), or serial number is used as the device identifier. For MobileIron, UUID is supported and recommended.
• Device attributes - A standard set of data maintained for each device. For MobileIron, see Figure.
When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes information about the enrollee: attributes related to device identity, user identity, and posture assessment against MDM policies. Table 61 describes these attributes. In this solution, these attributes are used in the role mapping that is the basis for network access and resource access policies. When you configure role-mapping rules, you specify the normalized Ivanti Connect Secure attribute name.
MobileIron Attribute | Normalized Connect Secure Name | Description | Data Type
@id | deviceId | Device identifier. | String
blockedReason | blockedReason | Reason MDM has blocked the device. Can be a multivalued string. Values are: AllowedAppControlPolicyOutOfCompliance, AppControlPolicyOutOfCompliance, DataProtectionNotEnabled, DeviceAdminDeactivated, DeviceComplianceStatusUnknown, DeviceCompliant, DeviceCompromised, DeviceExceedsPerMailboxLimit, DeviceManuallyBlocked, DeviceNotRegistered, DisallowedAppControlPolicyOutOfCompliance, ExchangeReported, HardwareVersionNotAllowed, OsVersionLessThanSupportedOsVersion, PolicyOutOfDate, RequiredAppControlPolicyOutOfCompliance | String
compliance | complianceReason | MDM policy compliance status. Can be a multivalued string. Values are: AllowedAppControlPolicyOutOfCompliance, AppControlPolicyOutOfCompliance, DataProtectionNotEnabled, DeviceAdminDeactivated, DeviceComplianceStatusUnknown, DeviceCompliant, DeviceCompromised, DeviceExceedsPerMailboxLimit, DeviceManuallyBlocked, DeviceNotRegistered, DisallowedAppControlPolicyOutOfCompliance, ExchangeReported, HardwareVersionNotAllowed, OsVersionLessThanSupportedOsVersion, PolicyOutOfDate, RequiredAppControlPolicyOutOfCompliance | String
compliance | isCompliant | True if the device is in compliance with its MDM security policies; false otherwise. | Boolean
compliance | isCompromised | True if the device is compromised; false otherwise. | Boolean
countryName | countryName | Country name corresponding with the country code of the device. | String
currentPhoneNumber | phoneNumber | Phone number entered during registration. | String
emailAddress | userEmail | E-mail address of device user. | String
employeeOwned | ownership | Values: Employee or Corporate. | String
homeOperator | homeOperator | The service operator for the device when it is not roaming. | String
iPhone IMEI (iOS), imei (Android) | Imei | IMEI number of the device. | String
iPhone UDID | UDID | Unique device identifier. | String
isBlocked | isBlocked | True if the device is blocked from accessing the ActiveSync server; false otherwise. | Boolean
isQuarantined | isQuarantined | True if the device is quarantined by the MDM; false otherwise. | Boolean
lastConnectAt | lastSeen | Date and time the device last made successful contact with the MDM. | Timestamp
manufacturer | manufacturer | Manufacturer is automatically reported by the device during registration. | String
mdmManaged | mdmManaged | True if the MDM profile is enabled on the device; false otherwise. This field applies only to iOS devices. For other devices, the value is always false. | Boolean
ModelName, model, device_model | model | Model is automatically reported by the device during registration. | String
name | deviceName | The concatenated name used to identify the device/user combination. | String
operator | operator | Service provider. The value PDA indicates no operator is associated with the device. | String
OSVersion (iOS), os_version (Android) | osVersion | OS version. | String
platform | platform | Platform specified during registration. | String
principal | userId | User ID. | String
quarantinedReason | quarantinedReason | MDM policy compliance status. Can be a multivalued string. Values are: AllowedAppControlPolicyOutOfCompliance, AppControlPolicyOutOfCompliance, DataProtectionNotEnabled, DeviceAdminDeactivated, DeviceComplianceStatusUnknown, DeviceCompliant, DeviceCompromised, DeviceExceedsPerMailboxLimit, DeviceManuallyBlocked, DeviceNotRegistered, DisallowedAppControlPolicyOutOfCompliance, ExchangeReported, HardwareVersionNotAllowed, OsVersionLessThanSupportedOsVersion, PolicyOutOfDate, RequiredAppControlPolicyOutOfCompliance | String
SerialNumber | serialNumber | Serial number. | String
statusCode | isEnrolled | True if the device has completed enrollment or registration; false otherwise. | Boolean
uuid | UUID | Universal unique device identifier. | String
userDisplayName | userName | Name of device user. | String
wifi_mac (iOS), wifi_mac_addr (Android) | macAdress | The Wi-Fi MAC address. | String
To configure the MDM:
1. Enroll devices in the MDM using the methods supported by the MDM.
2. Create a Simple Certificate Enrollment Protocol (SCEP) configuration that specifies the field and type of identifier for client device certificates. See Figure.
The MDM configuration templates provide flexibility in how the device identifier can be placed in the device certificate's subject or subject alternative name. We recommend that you include the user ID in the certificate, so that the certificate identifies both the user and the device. For example:
CN=<DEVICE_UUID>, uid=<USER_ID>, o=Company
3. Create a VPN configuration that specifies the Ivanti SSL connection type and the URL for the system sign-in page. See Figure. During the enrollment process, this profile is provisioned to the device. Select the SCEP configuration completed in Step 1.
4. Select the VPN configuration and apply it to a group label you have provisioned to manage this group of devices. See Figure.
5. Apply the group label to the devices when you add them to the MDM. See Figure. If they have already been added to the MDM, use the edit configuration utilities in the device inventory page to apply the group label.
Configuring the Device Access Management Framework
This section describes the basic steps for configuring the device access management framework.
Configuring the MDM Authentication Server
The MDM authentication server configuration is used by the system to communicate with the MDM. In the device access management framework, the MDM server is used as the device authorization server.
To configure the authentication server:
1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
2. Select MDM Server and click New Server to display the configuration page shown in Figure.
3. Complete the configuration as described in Figure.
4. Save the configuration.
Settings | Guidelines
Name | Specify a name for the configuration.
Type | Select MobileIron.
Server |
Server Url | Specify the URL for your MobileIron server. This is the URL MobileIron has instructed you to use to access its RESTful Web API (also called a RESTful Web service). You must configure your firewalls to allow communication between these two nodes over port 443.
Viewer Url | Specify the URL for the MobileIron report viewer. This URL is used for links from the Active Users page to the MobileIron report viewer.
Request Timeout | Specify a timeout period (0-60 seconds) for queries to the MDM server. The default is 15 seconds. Calibrate this value based on your observations of how long a query to the MDM server takes over your network. If your network experiences latency when querying the MDM cloud service, increase the timeout to account for the latency. The system queries the MDM when a user attempts to sign in. If a timeout occurs, role mapping proceeds without device attributes.
Administrator |
Username | Specify the username for an account that has privileges to access the MobileIron RESTful Web API.
Password | Specify the corresponding password.
Device Identifier |
ID Template | Construct a template to derive the device identifier from the certificate attributes. The template can contain textual characters as well as variables for substitution. The variables are the same as those used in role mapping custom expressions and policy conditions. Enclose variables in angle brackets, like this: <variable>. For example, suppose the certificate DN is: CN=<DEVICE_UDID>, uid=<USER_ID>, o=Company. With this configuration, the certificate can identify both the user and the device. In this example, the device ID template is <certDN.CN>.
ID Type | Select the device identifier type that matches the selection in the MDM certificate configuration: UUID - Not applicable for the MobileIron MDM. Serial Number - The device serial number. UDID - The device unique device identifier; this is supported by the MobileIron MDM.
Configuring the Certificate Server
The certificate server configuration enables device users to authenticate using the certificate pushed to the device by the MDM. The certificates are used for user authentication, and the users do not have to enter user credentials.
To configure authentication with the certificate server:
1. Select Authentication > Auth. Servers.
2. Select Certificate Server and click New Server.
3. Complete the configuration as described in Figure.
4. Save the configuration.
Settings | Guidelines
Name | Specify a name to identify the server within the system.
User Name Template | Specify a username template that tells the system how to construct a username. You may use any combination of certificate variables contained in angle brackets and plain text. The username template you configure must be consistent with the MDM certificate template configuration. Your goal is to identify the values specified in the MDM certificate that are to be used as the username in the system. This value populates the <USER> and <USERNAME> session variables for use throughout the rest of the system configuration. For example, suppose the certificate DN is: CN=<DEVICE_UDID>, uid=<USER_ID>, o=Company. With this configuration, the certificate can identify both the user and the device. In this example, the username template is <certDN.UID>.
Adding the MDM Certificate to the Trusted Client CA Configuration
The system uses the uploaded certificate to verify that the browser-submitted certificate is valid. You must upload the MDM certificate that signed the client certificate that was pushed to the mobile devices. Typically, you obtain this certificate from the MDM when your company establishes its account with them.
To import a trusted client CA certificate:
1. Select System > Configuration > Certificates > Trusted Client CAs to display the page shown in Figure.
2. Click Import CA Certificate to display the page shown in Figure.
3. Browse to the certificate file, select it, and click Import Certificate to complete the import operation.
4. Click the link for the Trusted Client CA to display its details. Figure shows the configuration for this example.
Configuring User Roles
User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: device status is MDM enrollment complete or incomplete; device status is MDM-policy compliant or non-compliant; device is employee owned or company owned; device platform is iOS, Android, or neither; and so forth.
The user role configuration also includes options to customize user interface features that are appropriate for a particular role. For MDM deployments, you can use the Personalized Greeting UI option to send a notification message to the device when the role has been applied.
To configure user roles:
1. Select Users > User Role to navigate to the role configuration page.
2. Click New Role to display the configuration page shown in Figure.
3. Complete the configuration for general options as described in Figure.
4. Save the configuration.
5. Click UI Options to display the configuration page shown in Figure.
6. Complete the configuration for UI options as described in Figure.
7. Save the configuration.
8. Click Session Options to display the configuration page shown in Figure.
9. Complete the configuration for session options as described in Figure.
10. Save the configuration.
Settings | Guidelines
Name | Specify a name for the configuration.
Description | Describe the purpose of the role so that other administrators are aware of it.
Options | Select UI Options so that you can customize a message to be sent to the device when the role is applied.
UI Options tab |
Personalized greeting | Select the Show notification message option and enter a message to be sent to the device (through the MDM API) after sign-in, once this role has been applied. In this example, we are using the system to enforce MDM enrollment by flagging compromised devices. The message, therefore, is: Your device is compromised. Network access may be limited. The message is forwarded to the device using the MDM server Push Notification feature. When multiple roles are assigned, UI options are not merged; the UI options for the first role that matches are applied.
Session Options |
Session lifetime | Use the session lifetime options to establish the time limits after which the user must sign in again.
Configuring a Realm and Role Mapping Rules
The user realm configuration associates the authentication server data and MDM server data with user roles.
To configure the realm and role mapping rules:
1. Select Users > User Realms > New User Realm to display the configuration page shown in Figure.
2. Complete the configuration as described in Figure.
3. Save the configuration.
Upon saving the new realm, the system displays the role mapping rules page.
4. Click New Rule to display the configuration page shown in Figure.
5. Complete the configuration as described in Figure.
6. Save the configuration.
7. Click the Authentication Policy tab and then click the Certificate subtab to display the certificate restriction configuration page shown in Figure.
8. Complete the configuration as described in Figure.
9. Save the configuration.
Settings | Guidelines
Name | Specify a name for the realm. If you enable sign-in using a realm suffix in the sign-in policy configuration, the realm name must match the username realm configured in the VPN profile.
Description | Describe the purpose of the realm so that other administrators are aware of it.
Servers |
Authentication | Select the user authentication server for this realm's users. This example uses the certificate server configured in the earlier step. When you use a certificate server, users are not prompted for their credentials. You can also select the authentication server used for employees; in that case, the sign-in page prompts users for their username and password.
User Directory/Attribute | Do not select.
Accounting | Do not select.
Device Attributes | Select the MDM server configured in the earlier step.
Dynamic Policy Evaluation |
Dynamic Policy Evaluation | Do not select this option. A limitation for this release is that role evaluation occurs only when the user signs in. To force role reevaluation, you must force the users to sign in again.
Refresh interval | Do not select.
Refresh roles | Do not select.
Refresh resource policies | Do not select.
Session Migration |
Session Migration | Do not select this option. Session migration is useful for endpoints running Ivanti Secure Access Client software, which is not the case for the endpoints in this MDM example.
Settings | Guidelines
Rule based on | Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.
Name | Specify a name for the configuration.
Rule | Select a device attribute (see Figure) and a logical operator (is or is not), and type a matching value or value pattern. In this example, select isCompromised and the logical operator is, and enter the value 1 (true). This means that devices with a compromised status match the rule.
Role assignment | Select the roles to apply if the data matches the rule.
You are likely to create multiple roles and role-mapping rules to assign roles for different policy purposes. Your realm can have a set of rules based on user attribute, group membership, and device attribute. Be mindful that a user and device can map to multiple roles. Use stop rules and order your rules carefully to implement the policy that you want.
The following table describes the MobileIron record attributes that can be used in role mapping rules.
Role Mapping Attribute Name | MobileIron Attribute Name | Description | Data Type
blockedReason | blockedReason | Reason MDM has blocked the device. Can be a multivalued string. Values are: AllowedAppControlPolicyOutOfCompliance, AppControlPolicyOutOfCompliance, DataProtectionNotEnabled, DeviceAdminDeactivated, DeviceComplianceStatusUnknown, DeviceCompliant, DeviceCompromised, DeviceExceedsPerMailboxLimit, DeviceManuallyBlocked, DeviceNotRegistered, DisallowedAppControlPolicyOutOfCompliance, ExchangeReported, HardwareVersionNotAllowed, OsVersionLessThanSupportedOsVersion, PolicyOutOfDate, RequiredAppControlPolicyOutOfCompliance | String
complianceReason | compliance | MDM policy compliance status. Can be a multivalued string. Values are: AllowedAppControlPolicyOutOfCompliance, AppControlPolicyOutOfCompliance, DataProtectionNotEnabled, DeviceAdminDeactivated, DeviceComplianceStatusUnknown, DeviceCompliant, DeviceCompromised, DeviceExceedsPerMailboxLimit, DeviceManuallyBlocked, DeviceNotRegistered, DisallowedAppControlPolicyOutOfCompliance, ExchangeReported, HardwareVersionNotAllowed, OsVersionLessThanSupportedOsVersion, PolicyOutOfDate, RequiredAppControlPolicyOutOfCompliance | String
countryName | countryName | Country name corresponding with the country code of the device. | String
deviceId | @id | Device identifier. | String
deviceName | name | The concatenated name used to identify the device/user combination. | String
homeOperator | homeOperator | The service operator for the device when it is not roaming. | String
Imei | iPhone IMEI (iOS), imei (Android) | IMEI number of the device. | String
isBlocked | isBlocked | True if the device is blocked from accessing the ActiveSync server; false otherwise. | Boolean
isCompliant | compliance | True if the device is in compliance with its MDM security policies; false otherwise. | Boolean
isCompromised | compliance | True if the device is compromised; false otherwise. | Boolean
isEnrolled | statusCode | True if the device has completed enrollment or registration; false otherwise. | Boolean
isQuarantined | isQuarantined | True if the device is quarantined by the MDM; false otherwise. | Boolean
lastSeen | lastConnectAt | Date and time the device last made successful contact with the MDM. | Timestamp
manufacturer | manufacturer | Manufacturer is automatically reported by the device during registration. | String
macAdress | wifi_mac (iOS), wifi_mac_addr (Android) | The Wi-Fi MAC address. | String
mdmManaged | mdmManaged | True if the MDM profile is enabled on the device; false otherwise. This field applies only to iOS devices. For other devices, the value is always false. | Boolean
model | ModelName, model, device_model | Model is automatically reported by the device during registration. | String
operator | operator | Service provider. The value PDA indicates no operator is associated with the device. | String
osVersion | OSVersion (iOS), os_version (Android) | OS version. | String
ownership | employeeOwned | Values: Employee or Corporate. | String
phoneNumber | currentPhoneNumber | Phone number entered during registration. | String
platform | platform | Platform specified during registration. | String
quarantinedReason | quarantinedReason | MDM policy compliance status. Can be a multivalued string. Values are: AllowedAppControlPolicyOutOfCompliance, AppControlPolicyOutOfCompliance, DataProtectionNotEnabled, DeviceAdminDeactivated, DeviceComplianceStatusUnknown, DeviceCompliant, DeviceCompromised, DeviceExceedsPerMailboxLimit, DeviceManuallyBlocked, DeviceNotRegistered, DisallowedAppControlPolicyOutOfCompliance, ExchangeReported, HardwareVersionNotAllowed, OsVersionLessThanSupportedOsVersion, PolicyOutOfDate, RequiredAppControlPolicyOutOfCompliance | String
serialNumber | SerialNumber | Serial number. | String
UDID | iPhone UDID | Unique device identifier. | String
userEmail | emailAddress | E-mail address of device user. | String
userId | principal | User ID. | String
userName | userDisplayName | Name of device user. | String
UUID | uuid | Universal unique device identifier. | String
By design, you should be able to specify true or false, or 1 or 0, for Boolean data types in your role mapping rules. Due to an issue in this release, you must use 1 for true and 0 for false.
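The following added example (not Ivanti's or MobileIron's code) models the sign-in flow this section describes: it derives the device identifier and username from a client-certificate DN using the <certDN.CN> and <certDN.UID> templates, looks up the device's normalized MDM attributes, and evaluates ordered device-attribute rules with the is / is not operators, Booleans written as 1 and 0, multivalued strings, stop rules, and the attribute-less path taken when the MDM query times out. The DN, MDM record, rule names and role names are constructed for illustration; the rule-dictionary shape is this example's own, not the product's.

```python
import re

def parse_dn(dn):
    """Split 'CN=x, uid=y, o=Company' into {'CN': 'x', 'UID': 'y', 'O': 'Company'}.
    Attribute types are upper-cased so <certDN.UID> matches 'uid='.
    Simplification: escaped commas inside DN values are not handled."""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs

def expand_template(template, cert_attrs):
    """Replace every <certDN.X> variable with DN attribute X; text outside the
    angle brackets is copied literally, as in the ID and username templates."""
    def substitute(match):
        var = match.group(1)
        if var.startswith("certDN."):
            return cert_attrs.get(var[len("certDN."):].upper(), "")
        raise KeyError(f"unsupported template variable <{var}>")
    return re.sub(r"<([^<>]+)>", substitute, template)

def map_roles(rules, attrs):
    """Evaluate ordered rules; each is a dict with 'attribute', 'operator'
    ('is' / 'is not'), 'value', 'roles' and optional 'stop'. attrs is None when
    the MDM query timed out or found no record: only attribute-less rules match."""
    roles = []
    for rule in rules:
        if rule.get("attribute") is None:
            matched = True
        elif attrs is None:
            matched = False
        else:
            actual = attrs.get(rule["attribute"])
            if isinstance(actual, bool):
                actual = "1" if actual else "0"   # Booleans are written 1/0 in rules
            candidates = actual if isinstance(actual, list) else [actual]
            hit = rule["value"] in candidates    # multivalued strings match any element
            matched = hit if rule["operator"] == "is" else not hit
        if matched:
            roles.extend(r for r in rule["roles"] if r not in roles)
            if rule.get("stop"):
                break   # stop rule: later rules are not evaluated
    return roles

# Constructed sample data (not from a real MDM): a DN in the page's recommended
# shape, one MDM record keyed by device UUID, and four ordered rules.
SAMPLE_DN = "CN=4e1b2c3d-0000-4000-8000-000000000001, uid=jdoe, o=Company"
SAMPLE_RECORDS = {
    "4e1b2c3d-0000-4000-8000-000000000001": {
        "isEnrolled": True, "isCompromised": True, "isCompliant": False,
        "complianceReason": ["DeviceCompromised", "PolicyOutOfDate"],
        "ownership": "Employee", "platform": "iOS"},
}
RULES = [
    {"attribute": "isCompromised", "operator": "is", "value": "1",
     "roles": ["Compromised-Notify"], "stop": True},
    {"attribute": "complianceReason", "operator": "is", "value": "PolicyOutOfDate",
     "roles": ["Needs-Update"]},
    {"attribute": "ownership", "operator": "is not", "value": "Corporate",
     "roles": ["BYOD-Restricted"]},
    {"attribute": None, "roles": ["Enrollment-Required"]},   # needs no attribute
]

def evaluate_sign_in(dn, id_template="<certDN.CN>", user_template="<certDN.UID>",
                     records=SAMPLE_RECORDS, rules=RULES, mdm_timed_out=False):
    """Certificate DN -> device ID and username -> MDM record -> roles."""
    cert = parse_dn(dn)
    device_id = expand_template(id_template, cert)
    username = expand_template(user_template, cert)
    attrs = None if mdm_timed_out else records.get(device_id)
    return username, device_id, map_roles(rules, attrs)

if __name__ == "__main__":
    print(evaluate_sign_in(SAMPLE_DN))                      # compromised device, stop rule
    print(evaluate_sign_in(SAMPLE_DN, mdm_timed_out=True))  # attributes unavailable
```

With the stop flag on the isCompromised rule, the compromised device receives only the notification role; remove the stop and the same device also collects the later matching roles, which is the ordering effect the note above warns about.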
Settings | Guidelines
Allow all users | Do not select this option. If you select this option, the system does not request a client certificate during the TLS handshake.
Allow all users and remember certificate | If you select this option, the system requests a client certificate during the TLS handshake. If the realm has been configured with a user authentication server, it does allow endpoints to authenticate without a client certificate. For those with a client certificate, the certificate attributes are placed in the session context. Without a certificate, device attributes cannot be determined, and the session can be mapped only to roles that do not require particular device attributes. You might use this option to grant restricted access or to send a notification that MDM enrollment is required for a greater level of access.
Only allow users with a client-side certificate | If you select this option, the system requests a client certificate during the TLS handshake. It does not allow endpoints to authenticate without a valid client certificate. If the realm is configured with a certificate server, as in this example, this is the only option that can be selected.
Configuring a Sign-In Policy
A sign-in policy associates devices with a realm.
To configure a sign-in policy:
1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
2. Click New URL to display the configuration page shown in Figure.
3. Complete the configuration as described in Figure.
4. Save the configuration.
Settings | Guidelines
 | Select Users.
Sign-in URL | Enter a URL.
Description | Describe the purpose of the sign-in policy so that other administrators are aware of it.
Sign-In Page | Select a sign-in page.
Authentication Realm |
User experience | Select one of the following options: User types the realm name; User picks from a list of authentication realms.
Realm | Select the realm you configured in the earlier step.
Configure Sign-in Notifications |
Pre-Auth Sign-in Notification | Not used in this scenario.
Post-Auth Sign-in Notification | Not used in this scenario.
Configuring a Resource Policy
A resource policy enforces role-based access to resources accessed during the SSL VPN session. You use the device access management framework to assign roles to devices, and you use the resource policy to deny access to resources that should not be downloaded onto a specific device platform (in this example, Android devices).
In this scenario, the role configuration and role mapping configuration create a classification for Android devices. Figure shows the user role configuration.
The following figure shows the role mapping configuration.
To configure a resource policy:
1. Select Resource Policies > VPN Tunneling > Access Control to display the access control policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure.
3. Complete the configuration as described in Figure.
4. Save the configuration.