Host Checker for Android

Host Checker for Ivanti Secure Access Client-Android Clients

Host Checker is a component of Ivanti Secure Access Client that reports the integrity of Android endpoints that are attempting to connect to the system. Host Checker runs as a Trusted Network Connect (TNC) client on the endpoint. The client evaluates the endpoint according to predefined criteria and reports to the Trusted Network Connect server, which is a part of Ivanti Connect Secure. If the endpoint is not in compliance with the Host Checker policies, then the user might not get access to the network or might get limited access to the network depending upon the enforcement policies configured by the administrator.

For Android clients, Host Checker can evaluate client compliance based on the following predefined criteria:

OS Checks - You can specify the Android version or minimum version that must be installed on the device.

Rooting Detection - Rooting is a process that allows Android users to gain root access to the Android operating system and bypass usage and access limitations imposed by Android. With a rooted device, an Android user can install applications that are not available through the Play Store. Rooted devices are at greater risk of running malicious applications.

Host Checker evaluation policies can be part of a larger Host Checker configuration that applies to many different types of clients or to Android devices only.

Configuring Host Checker for Ivanti Secure Access Client-Android

Host Checker policies can be part of a larger Host Checker configuration that applies to many different types of clients or to Android devices only. However, you might find it easiest to create a separate Host Checker policy specifically for Android devices.

To create a Host Checker policy for Android devices:

1. From the admin console, select Authentication > Endpoint Security > Host Checker.

2. In the Policies section, click New to open a New Host Checker Policy page.

3. Specify a name for the new policy and then click Continue to open the Host Checker Policy page.
The name appears in lists when you implement the policy, so be sure to use a descriptive name, such as Android HC Policy.

4. Click the Mobile tab, and then click the Android tab.

5. In the Rule Settings section, click Select Rule Type, select one of the following options, and then click Add:

OS Checks - To specify the Android version that must be installed on the device:

Specify a descriptive name for this rule. For example, Must-Be-Android-4.4-or-higher. Rule names cannot include spaces.

Specify the criteria. For example, to enforce Android 4.4 and later, create two conditions: Equal to 4.4 and Above 4.4.

Host Checker supports Android versions 4.4 through 4.4.X.

Click Save Changes.

Rooting Detection - Rooting is a process that allows Android users to gain root access to the Android operating system and bypass usage and access limitations imposed by Android. With a rooted device, an Android user can install applications that are not available through the Play Store. Rooted devices are at greater risk of running malicious applications.

Specify a descriptive name for this rule. For example, No-Android-Rooting.

The Don't allow Rooted devices check box is enabled by default.

Click Save Changes.

6. After you have configured all of your rules, specify how you want to enforce them by choosing one of the following options:

All of the rules

Any of the rules

Custom

For Custom requirements, you can specify a custom expression using the Boolean operators AND and OR, and you can group and nest conditions using parentheses.

7. Specify remediation options:

Enable custom instructions - If you select this check box, a text box appears in which you can type information that is displayed on the user's device if Host Checker discovers an issue.

Send reason strings - Select this option to display a message to users (called a reason string) that explains why the client machine does not meet the Host Checker policy requirements. For example, if the Rooting detection policy fails, the following message appears: "A Rooting device is not allowed to access the network. Please contact your network administrator."

8. When you are finished, click Save Changes.
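
The following Python model is an added illustration, not Ivanti code. It shows how the two example rules from step 5 combine under the enforcement options in step 6. The expression grammar, the precedence of AND over OR, and the device fields are assumptions made for the example.

```python
import re

def os_check(device_version, minimum):
    # Step 5's two conditions, "Equal to" OR "Above", on integer lists so
    # that 4.10 sorts after 4.4 (a plain string comparison would not).
    dev = [int(p) for p in device_version.split(".")]
    low = [int(p) for p in minimum.split(".")]
    return dev == low or dev > low

def rule_results(device):
    # Rule names are the examples from the page; device fields are constructed.
    return {
        "Must-Be-Android-4.4-or-higher": os_check(device["os"], "4.4"),
        "No-Android-Rooting": not device["rooted"],
    }

def evaluate(expression, results):
    # Assumed grammar: rule names, AND, OR, parentheses; AND binds tighter.
    tokens = re.findall(r"\(|\)|[^\s()]+", expression) + [None]
    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            value = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        if tok not in results:  # fail closed on a mistyped rule name
            raise ValueError(f"unknown rule: {tok!r}")
        return results[tok]
    def and_expr():
        value = atom()
        while tokens[0] == "AND":
            tokens.pop(0)
            value = atom() and value
        return value
    def or_expr():
        value = and_expr()
        while tokens[0] == "OR":
            tokens.pop(0)
            value = and_expr() or value
        return value
    value = or_expr()
    if tokens != [None]:
        raise ValueError(f"unexpected token: {tokens[0]!r}")
    return value

# Constructed sample posture: supported OS version, but rooted.
ROOTED = rule_results({"os": "4.4.2", "rooted": True})
```

For the constructed rooted device, the AND expression (equivalent to All of the rules) fails while the OR expression (equivalent to Any of the rules) passes, so Any of the rules admits a rooted device whenever its OS check passes.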

Implementing Host Checker Policies for Ivanti for Android Devices

After you create one or more Host Checker policies for Android devices, you must implement them. The system can use Host Checker policies at the realm or the role level.

Realm Authentication - You can configure a realm authentication policy to download and run Host Checker with a particular Host Checker policy. If the Android device does not meet the Host Checker requirements, then the system can deny access. You can provide remediation information in the Host Checker policy to describe the requirement and help users take steps to solve the issue.

To enable a Host Checker policy for a realm:

1. From the admin console, select Users > User Realms > SelectRealm > Authentication Policy > Host Checker. The Host Checker page displays all of the available Host Checker policies.

2. Select the check box next to each policy you want to include. Select one or both of the following check boxes next to the policy:

Evaluate Policies - Evaluates without enforcing the policy on the Android device and allows access.

Require and Enforce - Requires that the Android device be in compliance with the Host Checker policy. The system downloads Host Checker to the Android device after the user is authenticated and before the user is mapped to any roles in the system. Selecting this option automatically enables the Evaluate Policies option.

3. Optionally select Allow access to realm if any ONE of the selected "Require and Enforce" policies is passed. This check box is available if you selected more than one Host Checker policy. If you enable this check box, an Android device is allowed access if it passes any of the Require and Enforce policies. The Cache Cleaner policy does not apply to Android devices.

4. Click Save Changes.

Role - You can configure a role to download and run Host Checker with a particular Host Checker policy. If the Android device does not meet the Host Checker requirements, then the system can deny access or assign the user to a remediation role that has limited access. You can provide remediation information in the Host Checker policy to help users take steps to solve the issue.

To enable a Host Checker policy for a role:

1. From the admin console, select Users > User Roles > SelectRole > General > Restrictions > Host Checker. The Host Checker page displays all of the available Host Checker policies.

2. Select Allow users whose workstations meet the requirements specified by these Host Checker policies.

3. In the Available Policies list, select the policies that you want to apply, and then click Add to move them to the Selected Policies list. To select a policy, click it. To select more than one policy, use Ctrl+click.

4. Optionally select Allow access to the role if any ONE of the selected policies (except cache-cleaner) is passed. This check box is available if you selected more than one Host Checker policy. If you enable this check box, an Android device is allowed access if it passes any of the Require and Enforce policies. The Cache Cleaner policy does not apply to Android devices.

5. Click Save Changes.