Configuring IPS with MDM Servers

Configuring an Authentication Protocol Set

The authentication protocol set associated with the sign-in page must include the EAP method selected in the MDM Wi-Fi profile. The predefined authentication protocol set named 802.1x can be used as-is because it includes all the EAP methods currently configurable on MDMs.

To configure the authentication protocol set:

  1. Select Signing In > Authentication Protocols to display the configuration page.
  2. Click New Authentication Protocol or select the predefined 802.1x set. If anything other than MAC address is used as a device identifier then you must use cert auth and the protocol set has to be used for cert auth.
  3. Click Save.

Configuring the MDM Authentication Server

The MDM authentication server configuration is used by IPS to communicate with the MDM. In the device access management framework, the MDM server is used as the device authorization server.

To configure the authentication server:

  1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
  2. Select MDM Server and click New Server to display the configuration page.
  3. Complete the configuration as described in Table below.
  4. Save the configuration.

Settings

Guidelines

Name

Specify a name for the configuration.

Type

Select the MDM server.

Port Selection

Choose the communicating interface/network for each auth server independently. This enables you to communicate using Internal, external, or management interface.

Server

Server Url

Specify the URL for your AirWatch server. This is the URL AirWatch has instructed you to use to access its RESTful Web API (also called a RESTful Web service). The URL for the AirWatch MDM server used in this example has the following form:

https://apidev-as.Awmdm.com

https://m.mobileiron.net/pulsesecuretest

You must configure your firewalls to allow communication between these two nodes over port 443.

Viewer Url

Specify the URL for the AirWatch report viewer. This URL is used for links from the Active Users page to the AirWatch report viewer. The URL for the AirWatch MDM viewer for this example has the following form:

https://apidev.awmdm.com/AirWatch/Devices/DeviceDetails/<deviceAttr.deviceId

>

https://m.mobileiron.net/pulsesecuretest/admin/admin.html#smartphones:all

Request Timeout

Specify a timeout period (0-60 seconds) for queries to the MDM server. The default is 15 seconds.

Calibrate this value based on your observations on how long a query to the MDM server takes over your network. If your network experiences latency when querying the MDM cloud service, increase the timeout to account for the latency. The system queries the MDM when a user attempts to sign in. If a timeout occurs, role mapping proceeds without attributes.

Administrator

Username

Specify the username for an account that has privileges to access the MDM RESTful Web API.

Password

Specify the corresponding password.

Tenant Code

Copy and paste the AirWatch API tenant code.

Device Identifier

Device identity

Select an option on whether to require that the MDM certificate is presented by the endpoint when signing in:

Require — Require that the device certificate pushed to client devices during enrollment be used at sign-in. If this option is selected, and the client device does not have a certificate, authorization fails. Use this option when you require endpoints to adhere to your certificate security requirements.

Use Certificate if present — Use the certificate to derive the device ID if the certificate is presented at sign-in, but do not reject authentication if the certificate is not present. You can use this option in conjunction with a role mapping rule and a remediation VLAN to identify devices that have not perfected MDM enrollment.

Always Use MAC address — In some cases, the MDM certificate might be configured without a device identifier. When the endpoint uses an 802.1x framework to authenticate, IPS can obtain the MAC address from the RADIUS return attribute callingStationID. The system can then use the MAC address as the device identifier.

ID Template

Construct a template to derive the device identifier from the certificate attributes. The template can contain textual characters as well as variables for substitution. The variables are the same as those used in role mapping custom expressions and policy conditions. Enclose variables in angle brackets like this <variable>.

For example, suppose the certificate DN is: CN=<EnrollmentUser>, serialNumber=<DeviceUid>, o=Company. With this configuration, the certificate could identify both the user and the device. In this example, the device ID template is <certDN.serialNumber>.

ID Type

Select the device identifier type that matches the selection in the MDM certificate configuration:

UUID— The device universal unique identifier. This is the key device identifier supported by MobileIron MDM.

Serial Number—The device serial number.

UDID—The device unique device identifier. This is supported by the AirWatch MDM.

  • Device ID - This is the key device identifier supported by Microsoft Intune.

Configuring the Certificate Server

The certificate server configuration enables device users to authenticate using the certificate pushed to the device by the MDM. The certificates are used for user authentication, and the users do not have to enter user credentials.

To configure authentication with the certificate server:

  1. Select Authentication > Auth. Servers.
  2. Select Certificate Server and click New Server to display the configuration page.
  3. Complete the configuration as described in table below.
  4. Save the configuration.

Settings

Guidelines

Name

Specify a name to identify the server within the system.

User Name Template

Specify a username template. Specify how the system should construct a username. You may use any combination of certificate variables contained in angle brackets and plain text. The username template you configure must be consistent with the MDM certificate template configuration. Your goal is to identify the values specified in the MDM certificate that are to be used as the username in IPS system. This value populates the <USER> and <USERNAME> session variables for use throughout the rest of the system configuration.

For example, suppose the certificate DN is: CN=<EnrollmentUser>, serialNumber=<DeviceUid>, o=Company. With this configuration, the certificate could identify both the user and the device. In this example, the username template is <certDN.CN>.

Adding the MDM Certificate to the Trusted Client CA Configuration

The system uses the uploaded certificate to verify that the browser-submitted certificate is valid. You must upload the MDM certificate that signed the client certificate that was pushed to the mobile devices. Typically, you obtain this certificate from the MDM when your company establishes its account with them.

To import a trusted client CA certificate:

  1. Select System > Configuration > Certificates > Trusted Client CAs.
  2. Click Import Trusted Client CA Certificate.
  3. Browse to the certificate file, select it, and click Import Certificate to complete the import operation.
  4. Click the link for the Trusted Client CA to display its details.

Configuring User Roles

User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: device status is MDM enrollment complete or incomplete; device status is MDM-policy compliant or noncompliant; device is employee owned or company owned; device platform is iOS, Android, or neither; and so forth.

The user role configuration also includes options to customize user interface features that are appropriate for a particular role. For MDM deployments, you can use the Personalized Greeting UI option to send a notification message to the device when the role has been applied.

To configure user roles:

  1. Select Users > User Role to navigate to the role configuration page.
  2. Click New Role to display the configuration page.
  3. Complete the configuration for general options as described in below table.
  4. Save the configuration.
  5. Click UI options to display the configuration page.
  6. Complete the configuration for UI options as described in below table.
  7. Save the configuration.
  8. Click Session Options to display the configuration page.
  9. Complete the configuration for session options as described in below table.
  10. Save the configuration.
  11. Click Agentless to display the configuration page.
  12. Complete the configuration for agentless options as described in below table.
  13. Save the configuration.

Settings

Guidelines

Overview tab

Name

Specify a name for the configuration.

Description

Describe the purpose of the role so that other administrators are aware of it.

Options

Select UI Options so that you can customize a message to be sent to the device when the role is applied.

UI Options tab

Personalized greeting

Select the Show notification message option and enter a message to be sent to the device (through the MDM API) after sign-in and this role has been applied, or after role reevaluation if it results in a role change to this role.

In this example, we are using the system to enforce MDM enrollment by flagging compromised devices. The message, therefore, is:

Your device is compromised. Network access may be limited.

The message is forwarded to the device using the MDM server Push Notification feature.

The content of your notification message can vary depending on whether the switch or access point supports change of authorization (CoA). If the CoA is supported, reauthentication is automatic, so your message might simply state that “your level of access has changed.” If CoA is not supported, reauthentication needs to be done manually by the user in which case the message might state that “your level of access has changed, please reconnect.”

NOTE: When multiple roles are assigned, UI options are not merged. The UI options for the first role that matches are applied.

Session Options

Allow VPN Through Firewall

Enable this option to allow Infranet Enforcer traffic to act as a heartbeat and keep the session alive. This option is useful for iOS devices.

Agentless

Enable agentless access

Select this option for roles that you provision to access the network from BYOD devices. The solution that integrates with MDMs depends on the native supplicant, not an Ivanti agent.

Configuring a Realm and Role Mapping Rules

The user realm configuration associates the authentication server data and MDM server data with user roles.

To configure the realm and role mapping rules:

  1. Select Users > User Realms > New User Realm to display the configuration page.
  2. Upon saving the new realm, the system displays the role mapping rules page.
  3. Click New Rule to display the configuration page.
  4. Complete the configuration as described in table.
  5. Click the Authentication Policy tab and then click the Certificate subtab to display the certificate restriction configuration page.

Settings

Guidelines

Name

Specify a name for the realm.

If you enable sign-in using a realm suffix in the sign-in policy configuration, the realm name must match the username realm suffix configured in the MDN Wi-Fi profile.

Description

Describe the purpose of the realm so that other administrators are aware of it.

Servers

Authentication

Select the user authentication server for this realm’s users. This example uses the certificate server configured in the earlier step. When you use a certificate server, users are not prompted for their credentials. You can also select the authentication server used for employees. In that case, users are prompted by the sign-in page to provide their username and password.

User Directory/Attribute

This option is not used.

Accounting

This option is not used.

Device Attributes

Select the MDM server configured for device authorization.

Device Check Interval

Select this feature to leverage the MDM posture assessment checks and enforce compliance. For example, the MDM might detect that a device is out of compliance with its security policies, such as a password policy. At the next device check interval, IPS queries the MDM for updated attribute data. In this example, it learns that a formerly compliant device is now noncompliant. It assigns the device the noncompliant role and sends the 802.1x authenticator the corresponding RADIUS attribute to place it in a remediation VLAN.

Specify the interval at which to query the MDM for updated attribute data. Specify 0 to disable periodic queries. The minimum is 10 minutes and the maximum is 10080 minutes (7 days).

Specify an interval that is appropriate for the MDM. Some MDMs, for example, update records every 4 hours, so a 10-minute interval would not be productive.

Dynamic Policy Evaluation

Dynamic Policy Evaluation

This option is not used.

Settings

Guidelines

Rule based on

Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.

Name

Specify a name for the configuration.

Rule

Select a device attribute and a logical operator (is or is not), and type a matching value or value pattern.

In this example, select isCompromised and the logical operator is, and enter the value 1 (true). This means that devices with a compromised status match the rule.

Role assignment

Select the roles to apply if the data matches the rule.

The following table describes the AirWatch record attributes that can be used in role mapping rules.

Role Mapping Attribute Name

AirWatch Attribute Name

Description

Data Type

BlockLevelEncryption

BlockLevelEncryption

True if block-level encryption is enabled; false otherwise.

Boolean

complianceReason

ComplianceStatus

Values: Compliant, Non-Compliant.

String

CompromisedStatus

CompromisedStatus

True if the status is compromised; false otherwise.

Boolean

DataProtectionEnabled

DataProtectionEnabled

True if data protection is enabled; false otherwise.

Boolean

deviceId

Id.Value

Device identifier.

String

deviceName

DeviceFriendlyName

The concatenated name used to identify the device/user combination.

String

FileLevelEncryption

FileLevelEncryption

True if file-level encryption is enabled; false otherwise.

Boolean

IMEI

Imei

IMEI number of the device.

String

isCompliant

ComplianceStatus

Values: Compliant.

String

isCompromised

CompromisedStatus

True if the device is compromised; false otherwise.

Boolean

isEnrolled

EnrollmentStatus

True if MDM value is Enrolled; false otherwise.

Boolean

IsPasscodeCompliant

IsPasscodeCompliant

True if the passcode is compliant with the MDM policy; false otherwise

Boolean

IsPasscodePresent

IsPasscodePresent

True if a passcode has been configured; false otherwise.

Boolean

LastComplianceCheckOn

LastComplianceCheckOn

The refresh date and timestamp of the last status reported.

Timestamp

LastCompromisedCheckOn

LastCompromisedCheckOn

The refresh date and timestamp of the last status reported.

Timestamp

lastSeen

LastSeen

Date and time the device last made successful contact with the MDM.

Timestamp

LocationGroupName

LocationGroupName

MDM location group configuration value.

String

macAdress

MacAddress

The Wi-Fi MAC address.

String

model

Model

Model is automatically reported by the device during registration.

String

osVersion

OperatingSystem

OS version.

String

ownership

Ownership

Values: C, E, or S (Corporate, Employee, or Shared).

String

phoneNumber

PhoneNumber

Phone number entered during registration.

String

platform

Platform

Platform specified during registration.

String

serialNumber

SerialNumber

Serial number.

String

UDID

Udid

Unique device identifier.

String

userEmail

UserEmailAddress

E-mail address of device user.

String

userName

UserName

Name of device user.

String

UUID

Uuid

Universal unique identifier.

String

The following table describes the MobileIron record attributes that can be used in role mapping rules.

Role Mapping Attribute Name

MobileIron Attribute Name

Description

Data Type

blockedReason

blockedReason

Reason MDM has blocked the device. Can be a multivalued string. Values are:

AllowedAppControlPolicyOutOfCompliance

AppControlPolicyOutOfCompliance

DataProtectionNotEnabled

DeviceAdminDeactivated

DeviceComplianceStatusUnknown

DeviceCompliant

DeviceCompromised

DeviceExceedsPerMailboxLimit

DeviceManuallyBlocked

DeviceNotRegistered

DisallowedAppControlPolicyOutOfCompliance

ExchangeReported

HardwareVersionNotAllowed

OsVersionLessThanSupportedOsVersion

PolicyOutOfDate

RequiredAppControlPolicyOutOfCompliance

String

complianceReason

compliance

MDM policy compliance status. Can be a multivalued string. Values are:

AllowedAppControlPolicyOutOfCompliance

AppControlPolicyOutOfCompliance

DataProtectionNotEnabled

DeviceAdminDeactivated

DeviceComplianceStatusUnknown

DeviceCompliant

DeviceCompromised

DeviceExceedsPerMailboxLimit

DeviceManuallyBlocked

DeviceNotRegistered

DisallowedAppControlPolicyOutOfCompliance

ExchangeReported

HardwareVersionNotAllowed

OsVersionLessThanSupportedOsVersion

PolicyOutOfDate

RequiredAppControlPolicyOutOfCompliance

String

countryName

countryName

Country name corresponding with the country code of the device.

String

deviceId

@id

Device identifier.

String

deviceName

name

The concatenated name used to identify the device/user combination.

String

homeOperator

homeOperator

The service operator for the device when it is not roaming.

String

Imei

iPhone IMEI (iOS), imei (Android)

IMEI number of the device.

String

isBlocked

isBlocked

True if the device is blocked from accessing the ActiveSync server; false otherwise.

Boolean

isCompliant

compliance

True if the device is in compliance with its MDM security policies; false otherwise.

Boolean

isCompromised

compliance

True if the device is compromised; false otherwise.

Boolean

isEnrolled

statusCode

True if the device has completed enrollment or registration; false otherwise.

Boolean

isQuarantined

isQuarantined

True if the device is quarantined by the MDN; false otherwise.

Boolean

lastSeen

lastConnectAt

Date and time the device last made successful contact with the MDM.

Timestamp

manufacturer

manufacturer

Manufacturer is automatically reported by the device during registration.

String

macAdress

wifi_mac (iOS), wifi_mac_addr (Android)

The Wi-Fi MAC address.

String

mdmManaged

mdmManaged

True if the MDM profile is enabled on the device; false otherwise. This field applies only to iOS devices. For other devices, the value is always false.

Boolean

model

ModelName, model, device_model

Model is automatically reported by the device during registration.

String

operator

operator

Service provider. The value PDA indicates no operator is associated with the device.

String

osVersion

OSVersion (iOS), os_version (Android)

OS version.

String

ownership

employeeOwned

Values: Employee or Corporate.

String

phoneNumber

currentPhoneNumber

Phone number entered during registration.

String

platform

platform

Platform specified during registration.

String

quarantinedReason

quarantinedReason

MDM policy compliance status. Can be a multivalued string. Values are:

AllowedAppControlPolicyOutOfCompliance

AppControlPolicyOutOfCompliance

DataProtectionNotEnabled

DeviceAdminDeactivated

DeviceComplianceStatusUnknown

DeviceCompliant

DeviceCompromised

DeviceExceedsPerMailboxLimit

DeviceManuallyBlocked

DeviceNotRegistered

DisallowedAppControlPolicyOutOfCompliance

ExchangeReported

HardwareVersionNotAllowed

OsVersionLessThanSupportedOsVersion

PolicyOutOfDate

RequiredAppControlPolicyOutOfCompliance

 

serialNumber

SerialNumber

Serial number.

String

UDID

iPhone UDID

Unique device identifier.

String

userEmail

emailAddress

E-mail address of device user.

String

userId

principal

User ID.

String

userName

userDisplayName

Name of device user.

String

UUID

uuid

Universal unique device identifier.

String

 

Role Mapping Attribute Name

Microsoft Intune Attribute Name

Description

Data Type

deviceid

azureDeviceId

The device Id of the device after it has work place joined with Azure Active Directory.

String

IMEI

imei

The device unique identifier. IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 digits) includes information on the origin, model, and serial number of the device.

String

isCompliant

complianceState

True or false (string) based on whether device is compliant or non-compliant.

Boolean

isEnrolled

isManaged

True or false (indicating whether the client is managed by Intune or not).

Boolean

lastSeen

lastContactTimeutc

The date time when the device last checked in with the Intune management service endpoint.

String

The format is

MM/DD/YYYY HH:MM:SS

macAddress

macAddress

MAC address of the device.

String

manufacturer

manufacturer

Device Manufacturer.

String

meid

meid

MEID is 56 bits

long (14 hex digits). It consists of three fields, including an 8-bit regional code (RR), a 24-bit manufacturer code, and a 24-bit manufacturer-assigned serial number.

String

model

model

Model of the device.

String

osVersion

osVersion

OS Version of the device.

String

serialNumber

serialNumber

Serial number of the device. Applies to iOS Devices only.

String

UDID

udid

The device unique identifier.

Unique Device Identifier (UDID), which is a sequence of 40 letters and numbers that is specific to iOS devices.

String

UUID

uuid

Universal unique device identifier.

String

Settings

Guidelines

Allow all users

Do not select this option. If you select this option, the system does not request a client certificate during the TLS handshake.

Allow all users and remember certificate

If you select this option, the system requests a client certificate during the TLS handshake. It does allow endpoints to authenticate without a client certificate. For those with a client certificate, the certificate attributes are placed in the session context.

Only allow users with a client-side certificate

If you select this option, the system requests a client certificate during the TLS handshake. It does not allow endpoints to authenticate without a valid client certificate. If the realm is configured with a certificate server, like this example, this option is the only option that can be selected.

Configuring a Sign-In Policy

A sign-in policy associates devices with a realm.

To configure a sign-in policy:

  1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
  2. Click New URL to display the configuration page.
  3. Complete the configuration as described below.
  4. Save the configuration.

Settings

Guidelines

User type

Select Users.

Sign-in URL

Enter a URL.

Description

Describe the purpose of the sign-in policy so that other administrators are aware of it.

Sign-In Page

Select a sign-in page.

Authentication Realm

Realm

Select the realm you configured in the earlier step.

Authentication Protocol Set

Select the protocol you configured in the earlier step.

Realm name as a username suffix

Select this option if the username sent during sign-in includes a realm suffix.

To use this option, the realm name must match the username realm suffix configured in the MDN Wi-Fi profile.

This configuration enables you to dedicate the realm to the MDM traffic. Non-MDM traffic passing through the same switch then belongs to a different realm.

NOTE: In some cases, you can use authentication protocol sets to segregate traffic into a particular realm. For example, assuming only mobile endpoints use TLS and other endpoints do not, an authentication protocol set containing only TLS can be created and associated with a particular realm through a sign-in policy.

Remove realm suffix

Remove the realm suffix within system processes, such as rule processing and logs.