Integration of Check Point Capsule Workspace and Check Point SandBlast Mobile Protect applications
Solution

Table of Contents

  • Introduction
  • How to configure / edit the policy
    • Background
    • Procedure
    • Available pairs of Keys and Values
  • Examples
  • Related solutions

 

Introduction

This article explains how to configure Check Point Capsule Workspace to use Check Point SandBlast Mobile Protect (formerly Check Point Protect) as an enforcement factor.

An administrator can now configure Check Point Capsule Workspace to check whether Check Point SandBlast Mobile Protect is installed / enabled and act accordingly (block the connection to the VPN site, wipe the VPN site, etc.).

This feature has been available since Capsule Workspace v7.1.44.6 in Google Play (released on 23 Apr 2017) / v1002.2.28 in Apple Store (released on 22 Apr 2017).

App | Google Play | Apple Store
Check Point Capsule Workspace | Link | Link
Check Point SandBlast Mobile Protect (formerly Check Point Protect) | Link | Link

 

How to configure / edit the policy

  • Background

    An administrator can now configure Check Point Capsule Workspace to check whether Check Point SandBlast Mobile Protect is installed / enabled and act accordingly (forbid the connection to the VPN site, wipe the VPN site, etc.).

    The policy is configured on the Security Management Server / Domain Management Server using the GuiDBedit Tool.

    The policy is defined using pairs of Keys and Values in the relevant Capsule Workspace mobile profile (mobile profiles are defined in SmartDashboard - "Mobile Access" tab - "Capsule Workspace Settings").

  • Procedure

    1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    2. Go to File menu - click on Database Revision Control... - create a revision snapshot.

      Note: Database Revision Control is not supported for VSX objects (sk65420).

      In addition, refer to:

    3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

      Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.

    4. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

    5. In the upper left pane, go to Table - Other - mobile_profiles.

    6. In the upper right pane, select the relevant Capsule Workspace mobile profile (select Default_Profile if there are no additional configured profiles).

    7. Press CTRL+F (or go to Search menu - Find) - paste future_compatibility_fields - click on Find Next.

    8. In the lower pane, double-click on the future_compatibility_fields - do not enter / change anything - just click on OK.

      Two new lines will be added:

      • field_name
      • field_value

      Note: If an additional pair of Key and Value is required, then again double-click on the future_compatibility_fields - do not enter / change anything - just click on OK.

    9. To configure a desired pair of Key and Value:

      1. Right-click on the field_name - select Edit... - enter the name of the desired Key (case sensitive; refer to the "Available pairs of Keys and Values" section below) - click on OK



      2. Right-click on the field_value - select Edit... - enter the desired Value of the key (case sensitive; refer to the "Available pairs of Keys and Values" section below) - click on OK



      3. Result:

    10. Save the changes: go to File menu - click on Save All.

    11. Close the GuiDBedit Tool.

    12. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    13. Install the policy onto the relevant Security Gateway / Cluster object.

    14. In Capsule Workspace, connect to the relevant Site to get the updated policy.

  • Available pairs of Keys and Values

    Note: Names and Values of the Keys are case sensitive.

    # 1

      Key: protect_policy_enabled

      Accepted Values:
      • true

      Description:

      Main mandatory key - enables the ability to configure policy for Capsule Workspace to check whether SandBlast Mobile Protect is installed / enabled and act accordingly (forbid the connection to the VPN site, wipe the VPN site, etc.)

      If other keys are not defined, then the default behavior of Capsule Workspace will be as follows:

      • Detected Risk: SandBlast Mobile Protect is not activated
        Action taken by Capsule Workspace: Block connection to Site
        Report to Security Gateway: Report about this incident is sent to Security Gateway
        Notes: The following Keys and default Values will be used:
          • protect_not_activated_action=block
          • protect_not_activated_report=true

      • Detected Risk: High risk threat was detected
        Action taken by Capsule Workspace: Block connection to Site
        Report to Security Gateway: Report about this incident is sent to Security Gateway
        Notes: The following Keys and default Values will be used:
          • protect_high_risk_action=block
          • protect_high_risk_report=true

    # 2

      Key: protect_not_activated_action

      Accepted Values:
      • none
      • block
      • wipe

      Description:

      Which action should Capsule Workspace perform when it detects that SandBlast Mobile Protect is not activated:

      • none = do not take any action (ignore)
      • block = block connection to Site
      • wipe = wipe (delete) the connection settings to Site

      Key: protect_not_activated_report

      Accepted Values:
      • true
      • false

      Description:

      Should Capsule Workspace send a report about the incident (SandBlast Mobile Protect is not activated) to Security Gateway?

      • true = send a report
      • false = do not send any report

      This key is optional (if the key protect_not_activated_action was defined).

      Key: protect_not_activated_message

      Accepted Values:
      • free text

      Description:

      Desired free text message that will be displayed to a user about the incident (SandBlast Mobile Protect is not activated).

      If action is set to "none", then the pop-up message will have the options "Continue Anyway" and "Sign Out".

      This key is optional (if the key protect_not_activated_action was defined).

    # 3

      Key: protect_high_risk_action

      Accepted Values:
      • none
      • block
      • wipe

      Description:

      Which action should Capsule Workspace perform when it detects a High Risk threat:

      • none = do not take any action (ignore)
      • block = block connection to Site
      • wipe = wipe (delete) the connection settings to Site

      Key: protect_high_risk_report

      Accepted Values:
      • true
      • false

      Description:

      Should Capsule Workspace send a report about the incident (High Risk threat was detected) to Security Gateway?

      • true = send a report
      • false = do not send any report

      This key is optional (if the key protect_high_risk_action was defined).

      Key: protect_high_risk_message

      Accepted Values:
      • free text

      Description:

      Desired free text message that will be displayed to a user about the incident (High Risk threat was detected).

      If action is set to "none", then the pop-up message will have the options "Continue Anyway" and "Sign Out".

      This key is optional (if the key protect_high_risk_action was defined).

 

Examples
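
Because Key names and Values are case sensitive and are typed by hand into GuiDBedit, the pairs listed above can be checked before they are entered. The Python linter below is an added example, not Check Point code and not part of the original article. The function name lint_pairs, the sample pairs, the rule that report / message keys need their action key, and the per-key application of the default values are assumptions of this example.

```python
# Added example: lint key/value pairs before entering them in GuiDBedit.
ACTIONS = {"none", "block", "wipe"}
ACCEPTED = {"protect_policy_enabled": {"true"}}
for risk in ("not_activated", "high_risk"):
    ACCEPTED[f"protect_{risk}_action"] = ACTIONS
    ACCEPTED[f"protect_{risk}_report"] = {"true", "false"}
    ACCEPTED[f"protect_{risk}_message"] = None  # free text
# Default values the article lists for when the other keys are not defined.
DEFAULTS = {
    "protect_not_activated_action": "block",
    "protect_not_activated_report": "true",
    "protect_high_risk_action": "block",
    "protect_high_risk_report": "true",
}

def lint_pairs(pairs):
    """Return (findings, effective) for (field_name, field_value) pairs."""
    findings, seen = [], {}
    for name, value in pairs:
        if name not in ACCEPTED:
            hint = " (keys are case sensitive)" if name.lower() in ACCEPTED else ""
            findings.append(f"unknown key {name!r}{hint}")
            continue
        allowed = ACCEPTED[name]
        if allowed is not None and value not in allowed:
            hint = " (values are case sensitive)" if value.lower() in allowed else ""
            findings.append(f"{name}: value {value!r} is not accepted{hint}")
        seen[name] = value
    if seen.get("protect_policy_enabled") != "true":
        findings.append("protect_policy_enabled=true is mandatory")
    # Assumption: report/message keys are only meaningful next to their action key.
    for risk in ("not_activated", "high_risk"):
        for opt in ("report", "message"):
            if f"protect_{risk}_{opt}" in seen and f"protect_{risk}_action" not in seen:
                findings.append(f"protect_{risk}_{opt} set without protect_{risk}_action")
    # Assumption: a default applies to each key that is left undefined.
    effective = {**DEFAULTS, **seen} if not findings else {}
    return findings, effective

# Constructed sample pairs, not taken from the article.
SAMPLE_GOOD = [("protect_policy_enabled", "true"),
               ("protect_high_risk_action", "wipe"),
               ("protect_high_risk_message", "Threat detected. Contact the help desk.")]
SAMPLE_BAD = [("protect_policy_enabled", "true"),
              ("Protect_high_risk_action", "wipe"),
              ("protect_not_activated_report", "False")]

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(lint_pairs(sample))
```

For SAMPLE_GOOD the effective policy keeps the default block / report behavior for "not activated" while the High Risk action becomes wipe; SAMPLE_BAD is rejected because of the capitalized key and value.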

 
