MDM cooperative enforcement for Mobile clients
Solution

Overview

The Mobile Device Management (MDM) cooperative enforcement feature integrates Check Point Mobile VPN clients (Check Point Capsule Workspace, Check Point Capsule VPN, Check Point Capsule Connect) with third-party MDM vendors. When the feature is enabled and properly configured, only devices that comply with the third-party MDM vendor's policy are allowed to connect with the VPN clients. The benefit of this feature is increased security: non-compliant, and potentially security-compromised, mobile devices are prevented from accessing company resources over VPN.

Note: The Capsule Workspace, Capsule VPN and Capsule Connect apps must be installed from the MDM vendor's site for this feature to work.

Right now, the following third-party MDM vendors are supported out of the box:

Additionally, the following vendors are supported after installing the update available below:

 

Administrators can also manually add support for additional third-party MDM vendors. Refer to the R77 Versions Mobile Access Administration Guide, chapter "Mobile Access for Smartphones and Tablets", section "MDM Cooperative Enforcement".

Note: Currently, the Check Point integrations with MobileIron and AirWatch are the only ones that officially support iOS 7 devices. Most vendors plan to add this support soon. Follow this SK for further news (either revisit this SK, or subscribe to the RSS feed at the top). Also see sk98447.

 

Updates

The latest MDM support files can be downloaded from here.

The ZIP archive contains three files:

  1. mdm.conf - a configuration file to be placed in the $FWDIR/conf/ directory on the Mobile Access Gateway.

  2. MDMVendors.php - a PHP file to be placed in the $CVPNDIR/phpincs/ directory on the Mobile Access Gateway.

  3. cpvpn.plist - a sample "property list" file for reporting the device UDID and MAC addresses via managed applications.

 

Configuration

  1. Connect to the command line on the Mobile Access Gateway.

  2. Log in to Expert mode.

  3. Edit the $FWDIR/conf/mdm.conf file as described below and in the R77 Versions Mobile Access Administration Guide, chapter "Mobile Access for Smartphones and Tablets", section "MDM Cooperative Enforcement".

  4. Save the file.

  5. Install policy.

Note: If you encounter communication issues with MDM servers, consider setting 'ssl_cipher_list' to a specific cipher (e.g. "AES128-SHA") in the $FWDIR/conf/mdm.conf configuration file.

 

Global options

  • enabled - 0 disables the feature; 1 enables it.

  • monitor_only - 0 enables full enforcement: non-compliant mobile devices cannot log in. 1 enables "monitor only" mode, where logins from non-compliant mobile devices are allowed. In either mode such attempts are logged.

  • fail_open - Defines the behavior in cases of uncertainty, when an error occurs while checking MDM compliance status. 1 allows VPN connections when such an error occurs; 0 disallows VPN connections when such an error occurs.

  • session_timeout_in_sec - The maximum time (in seconds) allowed for the conversation between the gateway and the MDM cloud service that determines the device status (at each device login). The action taken when this timeout expires is defined by the fail_open attribute above. It is recommended to keep the default value.

  • active_vendor - The name of the "active" third-party vendor against which the gateway checks device MDM compliance. Each vendor is configured in its own section (see below), but only one vendor can be "active" at a time.

  • password_is_obscured - Defines whether parameters named "password" in the $FWDIR/conf/mdm.conf file are obscured or appear in the clear. 0 assumes the "password" parameters in the $FWDIR/conf/mdm.conf file appear in the clear, "as is"; some administrators may consider this mode insecure. 1 assumes the "password" parameters in the $FWDIR/conf/mdm.conf file are obscured. It is recommended to leave this at "1".

    Password obscuring feature:

    When the global property password_is_obscured is enabled, all parameters named "password" in the per-vendor configuration blocks must be obscured, so that passwords are not visible in the clear in the $FWDIR/conf/mdm.conf file. To obtain the obscured string for your password, execute the following command: obfuscate_password <your password>

    For example, if your password is "mypassword", execute the following command: obfuscate_password mypassword
    The command prints an obfuscated password string that looks similar to this: 33542b323a3528343640.

    Copy this string and paste it into the $FWDIR/conf/mdm.conf file as the "password" value.

  • verify_ssl_cert - Defines whether SSL certificates are verified when the gateway accesses the MDM cloud services. This helps protect the gateway against DNS poisoning, spoofing and man-in-the-middle attacks. 0 does not verify SSL certificates; 1 verifies SSL certificates. It is recommended to keep the default value.

  • ssl_ca_bundle_path - Defines the local path on the gateway where the known CA certificate files are located. A set of certificates is already there, but user-defined certificates can be added to that directory. It is recommended to keep the default value.

  • ssl_cipher_list - Defines the list of allowed ciphers for the HTTPS conversation between the gateway and the MDM cloud service. It is recommended to keep the default value.

  • ssl_use_tls_v1 - Defines whether to use TLSv1 rather than SSL for the HTTPS conversation between the gateway and the MDM cloud service. It is recommended to keep the default value.

 

Per-vendor options

Each vendor is configured with its own set of options. Only one vendor can be "active" at a time; to select your preferred vendor, edit the "active_vendor" option in the $FWDIR/conf/mdm.conf file.

  • MobileIron vendor parameters are:

    • username - user name for the MobileIron account

    • password - password for the MobileIron account

    • url - URL of the MobileIron web service. Edit this URL to match the one given to you by MobileIron when you register your account there.

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by MobileIron MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the MobileIron MDM policy.

    • block_jailbroken_devices - controls whether jailbroken iOS devices are allowed to connect.

    • block_rooted_devices - controls whether rooted Android devices are allowed to connect.


  • Fiberlink vendor parameters are:

    • username - user name for the Fiberlink account

    • password - password for the Fiberlink account

    • billing_id - billing id obtained from Fiberlink (numeric code)

    • app_id - application id obtained from Fiberlink (may look like "com.app.your_company_name")

    • app_access_key - application-specific access key obtained from Fiberlink

    • url - URL of the Fiberlink cloud web service. It is recommended to keep the default value.

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by Fiberlink MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the Fiberlink MDM policy.

    • append_incompliance_reason_from_mdm_server_to_message - can be 0 or 1. If 1, the device appends the incompliance reason reported by the MDM server to the "incompliant_message_to_user" message.


  • SAP vendor parameters are:

    • username - user name for the SAP Afaria account

    • password - password for the SAP Afaria account

    • url - URL of the SAP Afaria web service. Edit this URL to match the one given to you by SAP when you register your account there.

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by SAP Afaria MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the SAP Afaria MDM policy.


  • FancyFon vendor parameters are:

    • username - user name for the FancyFon FAMOC account

    • password - password for the FancyFon FAMOC account

    • url - URL of the FancyFon FAMOC web service. Edit this URL to match the one given to you by FancyFon when you register your account there.

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by FancyFon FAMOC MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the FancyFon FAMOC MDM policy.

    • block_outdated_devices - The OUTDATED status covers a device that is managed and was compliant, but whose policy settings have changed and the new policy has not yet been applied on the device. This attribute decides whether such devices are blocked.


  • Skycure vendor parameters are:

    • auth_token - authentication token for the Skycure account

    • url - URL of the Skycure web service. Edit this URL to match the one given to you by Skycure when you register your account there.

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by Skycure MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the Skycure MDM policy.


  • CommuniTake vendor parameters are:

    • auth_token - authentication token for the CommuniTake account

    • customer_uuid - unique id for the CommuniTake customer

    • url - URL of the CommuniTake web service. Edit this URL to match the one given to you by CommuniTake when you register your account there.

    • url_path - the path part of the URL of the CommuniTake web service.

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by CommuniTake MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the CommuniTake MDM policy.


  • Sophos vendor parameters are:

    • username - user name for the Sophos account

    • password - password for the Sophos account

    • url - URL of the Sophos web service. Edit this URL to match the one given to you by Sophos when you register your account there.

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by Sophos MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the Sophos MDM policy.


  • AirWatch vendor parameters are:

    • username - user name for the AirWatch account

    • url - URL of the AirWatch web service

    • auth_token - the API key provided by the AirWatch administrator

    • not_managed_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not managed by AirWatch MDM.

    • incompliant_message_to_user - Custom message displayed on the mobile device when it attempts to connect to the Check Point gateway but is not compliant with the AirWatch MDM policy.
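As an added example (not Check Point code) covering both the global options and the per-vendor blocks above, the following lint reads an mdm.conf and flags settings that weaken enforcement: monitor_only, fail_open, verify_ssl_cert and password_is_obscured at their weak values, an active_vendor with no matching block, per-vendor parameters that are missing, a plain-HTTP vendor URL, and a password that is not in obfuscate_password form. It assumes an INI-style layout (a [global] section plus one section per vendor), which this article does not show, and the sample configuration, host name and account name are constructed.

```python
import configparser, re

UPW = ("username", "password", "url")
# Per-vendor parameters named in this article (SAP = SAP Afaria, FancyFon = FAMOC).
REQUIRED = {"MobileIron": UPW, "SAP": UPW, "FancyFon": UPW, "Sophos": UPW,
            "Fiberlink": UPW + ("billing_id", "app_id", "app_access_key"),
            "Skycure": ("auth_token", "url"), "AirWatch": ("username", "auth_token", "url"),
            "CommuniTake": ("auth_token", "customer_uuid", "url", "url_path")}
# obfuscate_password prints hex byte pairs, e.g. 33542b323a3528343640 for "mypassword".
OBSCURED = re.compile(r"^(?:[0-9a-f]{2})+$")
WANTED = {  # global settings whose other value weakens enforcement, with the reason
    "enabled": ("1", "feature is disabled"),
    "monitor_only": ("0", "non-compliant devices are logged but still admitted"),
    "fail_open": ("0", "an MDM lookup error would admit unverified devices"),
    "verify_ssl_cert": ("1", "a spoofed MDM server certificate would be accepted"),
    "password_is_obscured": ("1", "vendor passwords would sit in the file in the clear"),
}

def lint_mdm_conf(text):
    """Return a list of findings; an empty list means no weak or broken settings."""
    cp = configparser.ConfigParser(interpolation=None)  # INI layout is an ASSUMPTION
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = [f"global {k} should be {v}: {why}"
                for k, (v, why) in WANTED.items() if g.get(k) != v]
    vendor = g.get("active_vendor", "")
    if not cp.has_section(vendor):  # active_vendor must name a configured block
        findings.append(f"active_vendor '{vendor}' has no configuration section")
        return findings
    sec = cp[vendor]
    findings += [f"{vendor}: required parameter '{k}' is missing"
                 for k in REQUIRED.get(vendor, ()) if not sec.get(k)]
    if sec.get("url", "").lower().startswith("http://"):
        findings.append(f"{vendor}: url is plain HTTP, not HTTPS")
    if g.get("password_is_obscured") == "1" and sec.get("password") \
            and not OBSCURED.match(sec["password"]):
        findings.append(f"{vendor}: password is not in obfuscate_password format")
    return findings

# Constructed sample: a "just make it connect" configuration with four weak spots.
SAMPLE = """[global]
enabled = 1
monitor_only = 1
fail_open = 1
verify_ssl_cert = 0
password_is_obscured = 1
active_vendor = MobileIron
[MobileIron]
username = vpnapi
password = mypassword
url = https://mdm.example.com/api
"""
print("\n".join(lint_mdm_conf(SAMPLE)))
```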