Harmony Connect App - Best practices for wide deployment
Solution

Overview


Harmony Connect App secures your employees everywhere and protects them from Internet cyber-threats. The best way to quickly activate the app for all of your end users is to use endpoint management tools that can push apps to the managed devices.

Examples of unified endpoint management tools:
  • Check Point SmartEndpoint for Endpoint Compliance 
  • Microsoft System Center Configuration Manager (SCCM) or its cloud product Microsoft Endpoint Manager (formerly known as Intune)
  • Jamf
  • Altiris
  • HP Intelligent Management Center (IMC)
  • Symantec Endpoint Management
In addition, other common endpoint management software packages support this seamless software distribution workflow.

Getting a universal installer for all the end users

  1. Navigate to Settings > Identity Provider and connect your identity provider.
  2. Navigate to Assets > Users & Devices, click Download App and select to download the .msi installer for Windows (a .dmg installer for Mac is coming soon). This installer is universal and does not contain any company- or user-related information.
     Note: the Download App option only appears on the Users & Devices page after an identity provider has been connected.
  3. Use your endpoint management tool to distribute this application to your selected managed user endpoints. Configure it to install the app silently with this command:
     msiexec /i HarmonyConnect.msi /qn
  4. If you deploy Harmony Connect App using corporate tools such as Microsoft SCCM or others, there is no need to restart the end user's machine for the app to install and run.

Make sure Global DNS is enabled on your users' machines

Check Point Harmony Connect App uses a local DNS resolver to implement one of its key operational features: bypassing selected domain names from its tunnels. This can conflict with a Microsoft Windows 10 setting that may prevent DNS resolution on newly added network interfaces.

It is strongly recommended to upgrade affected customers to at least version 1709 of Windows 10.

Then, the following group policy must be set prior to distributing Harmony Connect App:
1. Open the Group Policy Editor by running the following command:
gpedit.msc
2. In the left sidebar, navigate to Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator.
3. Enable Specify Global DNS (make sure the box for Use Global DNS is ticked).
4. Run the following command:
gpupdate /force
5. Note that a reboot is required for each machine after this change is applied.


An alternative to applying it via Group Policy is to modify the registry directly:
1. Run this command:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f
2. Reboot the computer.


How does Harmony Connect use zero-touch activation to identify the end user

After the app completes its installation, it activates itself based on the end user's logged-on domain and logged-on username.
    • The app retrieves the logged-on domain using this logic:
      • It checks the User Principal Name (UPN) of the logged-on user by running
        whoami /UPN
        and then checks which Infinity Portal Account is mapped to this domain.
      • If the previous call did not return a domain, or if none of the Infinity Portal Accounts has this domain as a verified domain, the app then reads the environment variable
        %USERDNSDOMAIN%
        and matches it against the verified domain that was added as part of the identity provider connection.

    • The app retrieves the logged-on username by opening a tab in the end user's default browser and attempting to obtain the user name from the browser cookies.

    • The two actions above guarantee a zero-touch activation experience for most end users. If your managed devices are not configured with the above domain address, or you did not configure seamless single sign-on (SSO), the end users have to manually enter their email address and corporate credentials.
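A PowerShell readiness check covering the two prerequisites described above (the Global DNS policy from the previous section and the identity values the app reads for zero-touch activation), written for this article as an added example and not Check Point's own tooling. It assumes a domain-joined Windows 10 client run from an elevated prompt, and that build 16299 corresponds to Windows 10 version 1709; the portal-side mapping of the domain to an Infinity Portal Account cannot be checked locally and is not covered.

```powershell
# Pre-deployment readiness check for Harmony Connect App (added example, not Check Point's code).
# Assumptions: UseGlobalDNS policy value and the 1709 minimum as stated in the article;
# build 16299 is Windows 10 version 1709. Run elevated; -Fix writes the policy value.
param([switch]$Fix)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
$MinBuild  = 16299

function Test-WindowsBuild {
    # Reads the OS build number and compares it with the 1709 minimum.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    [pscustomobject]@{ Check = 'Windows 10 >= 1709'; Value = $build; Pass = ($build -ge $MinBuild) }
}

function Test-GlobalDns {
    # Checks the same registry value the article's "reg add" command writes.
    $current = (Get-ItemProperty -Path $PolicyKey -Name UseGlobalDNS -ErrorAction SilentlyContinue).UseGlobalDNS
    $pass = ($current -eq 1)
    if (-not $pass -and $Fix) {
        # Equivalent to the article's reg add command; a reboot is still required afterwards.
        New-Item -Path $PolicyKey -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name UseGlobalDNS -PropertyType DWord -Value 1 -Force | Out-Null
        $current = 1
        $pass = $true
    }
    [pscustomobject]@{ Check = 'UseGlobalDNS = 1'; Value = $current; Pass = $pass }
}

function Get-ActivationDomain {
    # Mirrors the app's order: UPN suffix first, then the USERDNSDOMAIN environment variable.
    # "whoami /upn" fails on a non-domain account; stderr is discarded and the fallback is used.
    $upn = (whoami /upn 2>$null)
    $domain = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1] } else { $env:USERDNSDOMAIN }
    [pscustomobject]@{ Check = 'Activation domain'; Value = $domain; Pass = [bool]$domain }
}

$results = @(Test-WindowsBuild; Test-GlobalDns; Get-ActivationDomain)
$results | Format-Table -AutoSize
# Non-zero exit lets an endpoint management tool treat the device as not ready.
if ($results.Pass -contains $false) { exit 1 }
```

Run it as a pre-check step in the deployment tool; an empty "Activation domain" value means the user will be prompted for their email address and credentials rather than activated zero-touch.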
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
