MDM Interoperability with IPS

Overview

Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. An MDM server includes a device authorization server that controls the use of certain applications on a mobile device (for example, an e-mail application) in the deployed environment. IPS queries the MDM server for the device attributes it needs and evaluates them when assigning roles, before granting access to the network.

For example, the MDM might detect that a device has fallen out of compliance with the policies that IPS role mapping rules evaluate. At the next device check interval, IPS queries the MDM for updated attribute data and re-evaluates the rules. Because this compliance check is periodic, a formerly compliant device that is now non-compliant is assigned the non-compliant role, and IPS enforces that role on the switch or firewall according to the IPS configuration.

Supported MDM Servers

Ivanti Policy Secure (IPS) supports the following MDM servers:

  • AirWatch
  • MobileIron
  • Microsoft Intune

Ivanti Policy Secure (IPS) determines the device identifier using one of the following methods:

  • Device Certificate
  • MAC Address

The dynamic policy evaluation feature is not used in the device access management framework.

The device-attribute-based roles are specified for the following policies:

  • 802.1x network access control RADIUS return attribute policies (Layer 2)
  • Infranet Enforcer resource policies (Layer 3)

MDM Integration Work Flow

The MDM integration work flow is described below:

  1. The user associates the device with an SSID.
  2. (Optional) If the device is not registered, the user goes through the device on-boarding process.
  3. Ivanti Policy Secure (IPS) queries the MDM server for the device's details, keyed by MAC address or device attributes.
  4. The MDM server returns the device attributes; IPS uses one or more of them to determine device access.
  5. Ivanti Policy Secure (IPS) allows or denies access based on the attributes.

MDM Dictionary Attributes

This section focuses on the following elements of the MDM configuration that are important to this solution:

  • Device identifier—The primary key for device records. Your MDM configuration determines whether a universal unique identifier (UUID), unique device identifier (UDID), or serial number is used as the device identifier.
    For AirWatch, UDID is supported and recommended. For MobileIron, UUID is supported and recommended.
  • Device attributes—A standard set of data maintained for each device. The device attributes for AirWatch, MobileIron, and Microsoft Intune are described below.

When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes information about the enrollee—attributes related to device identity, user identity, and posture assessment against MDM policies.

The tables below describe these attributes. In this solution, these attributes are used in IPS role mapping, which is the basis for network access and resource access policies. When you configure role-mapping rules, you specify the normalized attribute name.

| AirWatch Attribute | Normalized Name | Description | Data Type |
|---|---|---|---|
| BlockLevelEncryption | BlockLevelEncryption | True if block-level encryption is enabled; false otherwise. | Boolean |
| ComplianceStatus | complianceReason | Values: Compliant, Non-Compliant. | String |
| ComplianceStatus | isCompliant | True if the status is compliant with MDM policies; false otherwise. | Boolean |
| CompromisedStatus | CompromisedStatus | True if the status is compromised; false otherwise. | Boolean |
| CompromisedStatus | isCompromised | True if the device is compromised; false otherwise. | Boolean |
| DataProtectionEnabled | DataProtectionEnabled | True if data protection is enabled; false otherwise. | Boolean |
| DeviceFriendlyName | deviceName | The concatenated name used to identify the device/user combination. | String |
| EnrollmentStatus | isEnrolled | True if the MDM value is Enrolled; false otherwise. | Boolean |
| FileLevelEncryption | FileLevelEncryption | True if file-level encryption is enabled; false otherwise. | Boolean |
| Id.Value | deviceId | Device identifier. | String |
| Imei | IMEI | IMEI number of the device. | String |
| IsPasscodeCompliant | IsPasscodeCompliant | True if the passcode is compliant with the MDM policy; false otherwise. | Boolean |
| IsPasscodePresent | IsPasscodePresent | True if a passcode has been configured; false otherwise. | Boolean |
| LastComplianceCheckOn | LastComplianceCheckOn | The refresh date and timestamp of the last status reported. | Timestamp |
| LastCompromisedCheckOn | LastCompromisedCheckOn | The refresh date and timestamp of the last status reported. | Timestamp |
| LastSeen | lastSeen | Date and time the device last made successful contact with the MDM. | Timestamp |
| LocationGroupName | LocationGroupName | MDM location group configuration value. | String |
| MacAddress | macAdress | The Wi-Fi MAC address. | String |
| Model | model | Model is automatically reported by the device during registration. | String |
| OperatingSystem | osVersion | OS version. | String |
| Ownership | ownership | Values: C, E, or S (Corporate, Employee, or Shared). | String |
| PhoneNumber | phoneNumber | Phone number entered during registration. | String |
| Platform | platform | Platform specified during registration. | String |
| SerialNumber | serialNumber | Serial number. | String |
| Udid | UDID | Unique device identifier. | String |
| UserEmailAddress | userEmail | E-mail address of the device user. | String |
| UserName | userName | Name of the device user. | String |
| Uuid | UUID | Universal unique identifier. | String |

| MobileIron Attribute | Normalized Name | Description | Data Type |
|---|---|---|---|
| @id | deviceId | Device identifier. | String |
| blockedReason | blockedReason | Reason the MDM has blocked the device. Can be a multivalued string; the possible values are listed below the table. | String |
| compliance | complianceReason | MDM policy compliance status. Can be a multivalued string; the possible values are listed below the table. | String |
| compliance | isCompliant | True if the device is in compliance with its MDM security policies; false otherwise. | Boolean |
| compliance | isCompromised | True if the device is compromised; false otherwise. | Boolean |
| countryName | countryName | Country name corresponding to the country code of the device. | String |
| currentPhoneNumber | phoneNumber | Phone number entered during registration. | String |
| emailAddress | userEmail | E-mail address of the device user. | String |
| employeeOwned | Ownership | Values: Employee or Corporate. | String |
| homeOperator | homeOperator | The service operator for the device when it is not roaming. | String |
| iPhone IMEI (iOS), imei (Android) | Imei | IMEI number of the device. | String |
| iPhone UDID | UDID | Unique device identifier. | String |
| isBlocked | isBlocked | True if the device is blocked from accessing the ActiveSync server; false otherwise. | Boolean |
| isQuarantined | isQuarantined | True if the device is quarantined by the MDM; false otherwise. | Boolean |
| lastConnectAt | lastSeen | Date and time the device last made successful contact with the MDM. | Timestamp |
| manufacturer | manufacturer | Manufacturer is automatically reported by the device during registration. | String |
| mdmManaged | mdmManaged | True if the MDM profile is enabled on the device; false otherwise. This field applies only to iOS devices. For other devices, the value is always false. | Boolean |
| ModelName, model, device_model | Model | Model is automatically reported by the device during registration. | String |
| name | deviceName | The concatenated name used to identify the device/user combination. | String |
| operator | Operator | Service provider. The value PDA indicates that no operator is associated with the device. | String |
| OSVersion (iOS), os_version (Android) | osVersion | OS version. | String |
| platform | Platform | Platform specified during registration. | String |
| principal | userId | User ID. | String |
| quarantinedReason | quarantinedReason | MDM policy compliance status. Can be a multivalued string; the possible values are listed below the table. | String |
| SerialNumber | serialNumber | Serial number. | String |
| statusCode | isEnrolled | True if the device has completed enrollment or registration; false otherwise. | Boolean |
| uuid | UUID | Universal unique device identifier. | String |
| userDisplayName | userName | Name of the device user. | String |
| wifi_mac (iOS), wifi_mac_addr (Android) | macAdress | The Wi-Fi MAC address. | String |

Possible values for blockedReason, complianceReason, and quarantinedReason (the same set applies to all three):

  • AllowedAppControlPolicyOutOfCompliance
  • AppControlPolicyOutOfCompliance
  • DataProtectionNotEnabled
  • DeviceAdminDeactivated
  • DeviceComplianceStatusUnknown
  • DeviceCompliant
  • DeviceCompromised
  • DeviceExceedsPerMailboxLimit
  • DeviceManuallyBlocked
  • DeviceNotRegistered
  • DisallowedAppControlPolicyOutOfCompliance
  • ExchangeReported
  • HardwareVersionNotAllowed
  • OsVersionLessThanSupportedOsVersion
  • PolicyOutOfDate
  • RequiredAppControlPolicyOutOfCompliance

| Intune Attribute | Normalized Name | Description | Data Type |
|---|---|---|---|
| complianceState | isCompliant | True or false (as a string), depending on whether the device is compliant or non-compliant. | Boolean |
| isManaged | isEnrolled | True or false, indicating whether the client is managed by Intune. | Boolean |
| macAddress | macAddress | MAC address of the device. | String |
| serialNumber | serialNumber | Serial number of the device. Applies to iOS devices only. | String |
| imei | IMEI | The device unique identifier. An IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 digits) encodes the origin, model, and serial number of the device. | String |
| udid | UDID | The device unique identifier. A Unique Device Identifier (UDID) is a sequence of 40 letters and numbers that is specific to iOS devices. | String |
| meid | MEID | The MEID is 56 bits long (14 hex digits). It consists of three fields: an 8-bit regional code (RR), a 24-bit manufacturer code, and a 24-bit manufacturer-assigned serial number. | String |
| osVersion | osVersion | OS version of the device. | String |
| model | Model | Model of the device. | String |
| manufacturer | manufacturer | Device manufacturer. | String |
| azureDeviceId | deviceId | The device ID assigned after the device has been workplace-joined to Azure Active Directory. | String |
| lastContactTimeUtc | lastSeen | The date and time when the device last checked in with the Intune management service endpoint. The format is MM/DD/YYYY HH:MM:SS. | String |

Refer to third-party documentation for complete information and configuration details.
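The following added example (not Ivanti's code) shows how the normalized attributes from the three tables above feed role mapping: raw records from each MDM are mapped to the normalized names isCompliant, isCompromised, and lastSeen, and a compromised or non-compliant device receives the non-compliant role, as the work flow describes. How each boolean is derived from the raw vendor value, and the extra rule that treats a record the MDM has not refreshed recently as non-compliant, are assumptions of this example, not documented IPS behaviour.

```python
# Added example, not Ivanti's code: normalize raw device records from the three MDM
# tables above into IPS normalized names, then apply simple role-mapping rules. How
# each boolean is derived from the raw value is an assumption read from the tables.
from datetime import datetime, timedelta

INTUNE_TIME_FMT = "%m/%d/%Y %H:%M:%S"  # lastContactTimeUtc format given in the Intune table

def normalize(vendor, raw):
    """Map a raw vendor record to the normalized names isCompliant, isCompromised, lastSeen."""
    if vendor == "airwatch":
        return {"isCompliant": raw.get("ComplianceStatus") == "Compliant",
                "isCompromised": bool(raw.get("CompromisedStatus", False)),
                "lastSeen": raw.get("LastSeen")}  # assumed to arrive as a datetime
    if vendor == "mobileiron":
        reasons = raw.get("compliance", [])  # multivalued string; values listed above
        return {"isCompliant": reasons == ["DeviceCompliant"],  # assumption: anything else is a violation
                "isCompromised": "DeviceCompromised" in reasons,
                "lastSeen": raw.get("lastConnectAt")}
    if vendor == "intune":
        return {"isCompliant": str(raw.get("complianceState", "")).lower() == "true",  # "True"/"False" string
                "isCompromised": False,  # the Intune table has no compromised-status attribute
                "lastSeen": datetime.strptime(raw["lastContactTimeUtc"], INTUNE_TIME_FMT)}
    raise ValueError(f"unsupported MDM: {vendor}")

def assign_role(attrs, now, max_age=timedelta(hours=24)):
    """Rules from the page: a compromised or non-compliant device gets the non-compliant role.
    The staleness rule is an added defensive check (assumption, not from the page): a record
    the MDM has not refreshed within max_age is also treated as non-compliant."""
    if attrs["isCompromised"] or not attrs["isCompliant"]:
        return "non-compliant"
    if attrs["lastSeen"] is None or now - attrs["lastSeen"] > max_age:
        return "non-compliant"
    return "compliant"

# Constructed sample records (not real device data), one per supported MDM.
NOW = datetime(2024, 1, 10, 12, 0, 0)
SAMPLES = {
    "airwatch": {"ComplianceStatus": "Non-Compliant", "CompromisedStatus": False,
                 "LastSeen": NOW - timedelta(minutes=5)},
    "mobileiron": {"compliance": ["DeviceCompliant"], "lastConnectAt": NOW - timedelta(hours=1)},
    "intune": {"complianceState": "True", "lastContactTimeUtc": "01/08/2024 09:30:00"},
}

def evaluate_all(now=NOW):
    # Intune's sample record is two days old, so the staleness rule makes it non-compliant.
    return {vendor: assign_role(normalize(vendor, rec), now) for vendor, rec in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate_all())
```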