Integrating Fiberlink MaaS360 with Cisco Identity Services Engine Revised: August 6, 2013
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
This document supplements the Cisco Bring Your Own Device (BYOD) CVD (http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide.html) and provides mobile device management (MDM) partner-specific information as needed to integrate with Cisco ISE. In an effort to maintain readability, some of the information presented in the CVD is repeated here.
Table 1 Fiberlink MaaS360—Key Capabilities
Capability: Architecture and Administration; Device Enrollment; Proactive Device Security; Central Policy Management
Features:
• SaaS delivery model
• Multi-tenant, scalable, and redundant cloud architecture
• Independent SOC2 Type II cloud compliance audit conducted annually
• Safe Harbor Certification for European Union Directive on Data Protection
• Authority to operate (OTA) in accordance with U.S.
Table 1 Fiberlink MaaS360—Key Capabilities (continued)
Capability: Enterprise Application Catalog
Features:
• Manage and distribute third-party and in-house mobile apps from the Fiberlink MaaS360 Admin Portal
• Develop a catalog of recommended mobile apps on iOS and Android devices
• Users can view apps, install them, and be alerted to updated apps on the private app catalog
• Manage the lifecycle of the app workflow:
  – Real-time software inventory reports
  – App distribution and installation tracking
  – App update publishing
  – Provisioning profile
Table 1 Fiberlink MaaS360—Key Capabilities (continued)
Capability: Monitoring and Reporting; Enterprise Integrations
Features:
• Detailed hardware and software inventory reports
• Configuration and vulnerability details
• Integrated smart search capabilities across any attribute
• Customizable watch lists to track and receive alerts
• BYOD privacy settings block collection of personally identifiable information
• Mobile expense management for real-time data usage monitoring and alerting
• Instant discovery of devices accessin
Getting Fiberlink MaaS360 Ready for ISE The first requirement is to establish basic connectivity between the Cisco ISE server and the Fiberlink MaaS360 MDM server. A firewall is typically located between ISE and the Fiberlink MaaS360 cloud. The firewall should be configured to allow an HTTPS session from ISE located in the data center to the Fiberlink MaaS360 server located in the public Internet. The session is established outbound from ISE towards the MDM where ISE takes the client role.
Figure 2 Exporting the MDM Site Certificate with Internet Explorer Fiberlink MaaS360 utilizes a wildcard certificate that is valid for all portal websites belonging to the Fiberlink MaaS360 portals domain. Exporting a certificate from Firefox is covered in the CVD and repeated in Figure 3.
Figure 4 Importing the Certificate in ISE Grant ISE Access to the Fiberlink MaaS360 API The Fiberlink MaaS360 API is protected by HTTPS and requires an administrator account that has been granted permission to the API. Ideally a specific account would be configured for ISE with a very strong password. In addition to this account, only a limited number of administrator accounts should be granted the ability to create new administrators or assign administrator roles.
Figure 5 Manage Administrator Account
Each account type can be assigned roles entitling that user to specific features of the system. The service administrator role can also be used for the API access that ISE requires.
Figure 6 Add Account The MDM role created for ISE requires the REST API features. The list shown in Figure 7 identifies the rights which should be selected.
Figure 7 Assign Role to the Account
Once the role has been added, an admin account can be created for ISE.
Add MDM Server to ISE
Once the account has been defined on the Fiberlink MaaS360 MDM server with the proper roles, ISE can be configured to use this account when querying the MDM for device information. ISE contacts the MDM to gather posture information about devices or to issue device commands, such as corporate wipe or lock. The session is always initiated from ISE towards the MDM server.
Figure 8 Configure the MDM API on ISE The polling interval specifies how often ISE will query the MDM for changes to device posture. Polling can be disabled by setting the value to 0 minutes. Polling can be used to periodically check the MDM compliance posture of an end station. If the device is found to be out of MDM compliance and the device is associated to the network, then ISE will issue a Change of Authorization (CoA), forcing the device to re-authenticate.
The Test Connection button attempts to log in to the API and must succeed before the settings can be saved with the MDM set to Enable. If the test does not complete successfully, the settings can still be saved, but the Enable box is deselected and the MDM is not active.
Verify Connectivity to MDM
Some problems can occur when testing the connection to the MDM server. Table 2 shows some common messages generated when testing the connection between ISE and Fiberlink MaaS360.
Table 2 Connection Messages
• Certificate not trusted: ISE does not trust the certificate presented by the Fiberlink MaaS360 website. This indicates the certificate was not imported into the ISE certificate store as described above, or the certificate has expired since it was imported.
• Connection succeeded: The connection has been tested successfully. The administrator should also verify that the MDM AUTHZ dictionary has been populated with attributes.
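The two certificate failures listed in Table 2 (the certificate was never imported, or it expired after import) and the wildcard certificate described under Figure 2 can both be checked from the ISE side before the Test Connection button is pressed. The following script is an added example, not Cisco or Fiberlink code: it fetches the portal's leaf certificate with the Python standard library, checks that a wildcard name actually covers the host ISE will be configured with, checks the validity window, and writes the PEM file for import into the ISE certificate store. MDM_PORTAL is a placeholder host name, and the utc() helper and the "problems" wording are choices made here.

```python
"""Pre-check of the MaaS360 portal certificate before it is imported into ISE.

This is an added example, not code from Cisco or Fiberlink. MDM_PORTAL is a
placeholder host name; replace it with the portal host ISE will be configured
to contact.
"""
import socket
import ssl
from datetime import datetime, timezone

MDM_PORTAL = "portal.example-mdm.com"   # placeholder, not a real MaaS360 portal


def utc(year, month, day):
    """Helper so callers can build timezone-aware instants without imports."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hostname_matches(host, dns_names):
    """RFC 6125-style name matching: an exact match, or a wildcard that covers
    exactly one leftmost label. *.example.com matches a.example.com but not
    a.b.example.com and not example.com itself."""
    host = host.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def validity_status(not_before, not_after, now=None):
    """'valid', 'expired' or 'not-yet-valid' at the given instant."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def check_cert_for_ise(host, dns_names, not_before, not_after, now=None):
    """Return the reasons ISE would reject this certificate for host; an
    empty list means it can be imported and will match the configured host."""
    problems = []
    if not hostname_matches(host, dns_names):
        problems.append("certificate does not cover " + host)
    status = validity_status(not_before, not_after, now)
    if status != "valid":
        problems.append("certificate is " + status)
    return problems


def fetch_peer_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate over TLS using the local system trust store.
    A chain the local store does not trust raises ssl.SSLCertVerificationError,
    the local counterpart of the ISE 'does not trust' message."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()                       # parsed dict
            der = tls.getpeercert(binary_form=True)        # raw DER bytes
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return dns_names, not_before, not_after, ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    names, nb, na, pem = fetch_peer_cert(MDM_PORTAL)
    print("SAN DNS names:", names)
    print("validity:", nb.isoformat(), "to", na.isoformat())
    print("problems:", check_cert_for_ise(MDM_PORTAL, names, nb, na) or "none")
    with open("mdm-portal.pem", "w") as fh:     # file to import into the ISE certificate store
        fh.write(pem)
```

The wildcard check matters because a certificate for *.portals.example only covers one label: if the MDM is later configured in ISE by a host name nested one level deeper, ISE will not trust the connection even though the same certificate is still in its store. Re-running the script after a certificate rotation on the vendor side catches the second Table 2 case, where the stored copy has expired.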
Enterprise Integration Fiberlink MaaS360 offers a solution that enables integration with existing enterprise infrastructures such as AD, Exchange, and a certificate authority. This is achieved using a component called Fiberlink MaaS360 Cloud Extender. The Fiberlink MaaS360 Cloud Extender is a small program that runs as a service on a Microsoft Windows machine in your network.
The installation of the Cloud Extender is straightforward and fully documented by Fiberlink MaaS360. All the information required to install is available by logging onto Fiberlink MaaS360 and going to SETUP > Enrollment Settings, as shown in Figure 11. Figure 11 Fiberlink MaaS360 Cloud Extender Download When Cloud Extender is installed, Installation Wizards guide the administrator to configure AD for user authentication and User Visibility.
Figure 12 Cloud Extender Installation Wizard
Figure 13 Cloud Extender AD Configuration Active Directory/LDAP Integration Integrating ISE and the MDM to a common directory is important for overall operations. One benefit is the ability to set a requirement that a user periodically change their directory password. If the MDM were using a local directory, it would be nearly impossible to keep the accounts in synchronization. But with a centralized directory structure, password management can be simplified.
Figure 14 CVD Use Policies
These groups can be extended to the MDM such that members are issued profiles that complement their level of network access. As an example, Table 3 shows some arbitrary policies that can be established and enforced based on the CVD use cases.
Table 3 Policies Based on CVD Cases
Ownership               User Group     Restrictions
Employee-Owned Device   Domain Users   Internet Only; personal devices are not required to on-board with the MDM.
MDM Profiles Device profiles are an important concept of mobile device management. They are defined as part of the MDM protocol implemented by the operating system. The concept can be extended to application profiles, but as discussed here, they are found under the settings of the device. Each profile can contain one or more payloads. A payload has all the attributes needed to provision some aspect of built-in system functions, such as PIN lock and Device Restrictions.
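To make the profile/payload structure concrete, the following is an added example (not Cisco or Fiberlink code, and not what MaaS360 generates internally) that builds a profile with two payloads, a PIN lock policy and a set of device restrictions, in Apple's mobileconfig plist format using only the Python standard library, then parses it back to report what it will enforce. The PayloadType strings and per-payload keys are Apple's documented profile keys; the identifiers, display names and policy values are placeholders chosen for the example.

```python
"""Build and inspect a configuration profile with two payloads (passcode
policy and restrictions) in Apple's mobileconfig plist format.

This is an added example, not Cisco or Fiberlink code. The PayloadType
strings and per-payload keys are Apple's documented profile keys; the
identifiers, display names and policy values are placeholders chosen here.
"""
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def _envelope(payload_type, identifier, display_name):
    """Keys every payload, and the profile itself, carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def passcode_payload(min_length=6, alphanumeric=True, max_failed_attempts=10,
                     max_inactivity_minutes=5, max_age_days=90):
    """PIN lock payload. maxFailedAttempts is the count after which iOS erases
    the device, so it is the value to choose with the most care."""
    p = _envelope(PASSCODE_TYPE, "com.example.byod.passcode", "Passcode")
    p.update({
        "forcePIN": True,
        "allowSimple": False,
        "minLength": min_length,
        "requireAlphanumeric": alphanumeric,
        "maxFailedAttempts": max_failed_attempts,
        "maxInactivity": max_inactivity_minutes,
        "maxPINAgeInDays": max_age_days,
    })
    return p


def restrictions_payload(allow_camera=True, allow_screenshot=True, allow_cloud_backup=False):
    """Device restrictions payload (a few representative keys)."""
    p = _envelope(RESTRICTIONS_TYPE, "com.example.byod.restrictions", "Restrictions")
    p.update({
        "allowCamera": allow_camera,
        "allowScreenShot": allow_screenshot,
        "allowCloudBackup": allow_cloud_backup,
    })
    return p


def build_profile(payloads, identifier="com.example.byod.full-access",
                  display_name="Full_Access_policy"):
    """Wrap the payloads in the top-level profile and serialise to XML plist bytes."""
    profile = _envelope("Configuration", identifier, display_name)
    profile["PayloadRemovalDisallowed"] = False   # the user may remove it from Settings
    profile["PayloadContent"] = list(payloads)
    return plistlib.dumps(profile)


def summarize(profile_bytes):
    """Parse a profile back and report what it enforces: the review an ISE
    administrator wants before the MDM pushes it to on-boarded devices."""
    doc = plistlib.loads(profile_bytes)
    content = doc["PayloadContent"]
    passcode = next((p for p in content if p["PayloadType"] == PASSCODE_TYPE), None)
    return {
        "name": doc["PayloadDisplayName"],
        "payload_types": [p["PayloadType"] for p in content],
        "min_pin_length": passcode["minLength"] if passcode else None,
        "wipe_after_failed_attempts": passcode["maxFailedAttempts"] if passcode else None,
    }


if __name__ == "__main__":
    data = build_profile([passcode_payload(min_length=8), restrictions_payload(allow_camera=False)])
    print(data.decode())
    print(summarize(data))
```

Each payload is self-describing (its own PayloadType, identifier and UUID), which is why a device can list the installed profiles and their payloads under Settings, and why the MDM can later replace one payload without touching the others in the same profile.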
Figure 15 Create Policies
To bind policies to user groups, go to Users > Groups and assign the appropriate policy, as shown in Figure 16.
Figure 16 Binding Policies to User Groups
With the example configuration shown above, users that belong to BYOD_Employee_Access will get Full_Access_policy pushed to their devices. The user will see two profiles installed by ISE and two or three from the MDM. The server installs the MDM payload during the on-boarding process. After that profile has been installed, the device is issued a check-in request via APNS or GCM.
Figure 17 Enrollment Network Flows (device, MDM, APNS/GCM). Steps shown: WebEnroll, authenticate user, MDM profile, mobileconfig (mdm, cert), APNS registration, MDM check-in request, device check-in, security scan, check-in notification, policy assessment, profile install, SCEP.
Fiberlink MaaS360 can provision certificates onto the device via SCEP-PROXY.
Because ISE depends on these features for policy enforcement, corporate devices and personal devices with partial or full access should include a profile that specifies the Fiberlink MaaS360 Agent as a mandatory application. The user is automatically taken to the App Store or Google Play to install the Fiberlink MaaS360 Agent during the enrollment process. The Fiberlink MaaS360 Agent can also be installed by the user directly from the App Store or Google Play.
User Experience For the most part, the fact that a device is under management is seamless to the user. If they are running the mobile client application as recommended for ISE compliance checks, then the user will have some additional information about their device that will be useful for troubleshooting with ISE. Users will also be required to complete the on-boarding procedure. MDM On-boarding The workflow that users must complete to on-board their device is set by the ISE policy.
Figure 18 MDM Enrollment
Figure 19 MDM Enrollment—Login
Figure 20 MDM Enrollment—Terms of Acceptance
Figure 21 MDM Enrollment—MaaS360 Profile Installation
Figure 22 MDM Enrollment—MaaS360 Application Installation
After the device has enrolled, the server requests a check-in. During the initial check-in, additional profiles, applications, or Web Clips are provisioned on the device. Web Clips are HTML bookmarks that are displayed as application icons on an Apple mobile device. Android devices simply call these bookmarks.
Pass Code Complexity
The user may be required to configure a PIN lock on their device during the on-boarding process if the device is not already configured with one. When this occurs, the user will need to launch the client app and send data. This is explained in more detail in Device Compliance/Restrictions. The MDM administrator can choose the minimum password length and complexity. The natural tendency is to require very strong passwords; however, there may be unintended consequences.
• Manage and distribute third-party and in-house mobile apps.
• Allow users to view, install, and be alerted to updated apps on a private catalog.
• Manage the mobile app lifecycle workflow for all devices, device groups, and individual devices.
• Administer mobile app security and compliance policies.
• Host and distribute in-house developed mobile applications.
• Support for Apple App Store Volume Purchase Programs (VPPs).
Figure 25 MaaS360 Application
Corporate Data
Fiberlink MaaS360 and ISE can work closely together to create a comprehensive approach to managing corporate data. This is generally known as data loss prevention (DLP). Data comes in two forms, at rest and in flight. Data at rest is stored directly on the mobile device; data in flight is data being moved. This can be extended to include moving data between two storage containers on the same device.
• Querying Exchange Server using Microsoft PowerShell commands and standard APIs for vital information related to the ActiveSync enabled devices on the Exchange Server. The use of PowerShell and related APIs allows for abstraction from the specifics of the Exchange Server implementation and allows the Cloud Extender to support multiple Mailbox Servers and clustered/resilient Exchange server configurations.
End User Portal
Fiberlink MaaS360 offers an End User portal that allows users to manage their devices. Users can perform actions such as Lock Device, Locate Device, Wipe Device, Reset Passcode, and Check-in device with the Fiberlink MaaS360 service.
Figure 27 Fiberlink MaaS360 End User Portal
ISE also provides a My Devices Portal as detailed in the CVD. Currently the two sites are distinct and not cross-linked. Some of the functionality does overlap, such as the MDM actions.
The attributes shown in Table 4 should help clarify the difference between the two compliance policies.
Table 4 Compliance Attributes (ISE Compliance Attributes / Fiberlink MaaS360 Compliance Attributes)
Before using the DeviceCompliantStatus attribute provided by the MDM, especially if the ISE administrator is not the MDM administrator, great care is needed to ensure network access is not restricted due to an unrelated MDM compliance condition.
Table 5 MDM Responses (Action Type / Options): Jailbreak/Rooted Device Enforcement; Application Compliance
Currently the MDM does not provide a method to mark which compliance checks are reported to ISE, so ISE cannot assert that a network security issue caused a device to become MDM non-compliant.
Device Compliance/Restrictions
Restrictions and compliance are distinct but related concepts. The user is required to meet compliance to receive non-restricted access.
PINLockStatus The PINLockStatus is available to the API and can be used by ISE to set a minimum requirement for network access, as shown in the CVD. Fiberlink MaaS360 allows the administrator to create a PIN lock policy and set rules to force users to set PINs with a certain strength (alphanumeric, length, require special characters, etc.) The user is provided with a grace period to set up PIN lock.
Jailbroken or Rooted devices These are devices where the user has gained direct access to the operating system, bypassing the control imposed on the device by the service provider. Devices in this state are generally considered compromised and there has been some recent legislative action to prohibit users defeating locks imposed on the device by the providers. The BYOD CVD offers a policy that does not allow jailbroken or rooted devices on the network. This is based on the MDM API.
• Reassign the device to a secured location group. This group effectively removes all corporate applications and data, provisions lock-down profiles (effectively rendering the device useless), and leaves the device under management such that forensic data is available in the event the enterprise pursues legal options.
• Blacklist the device in ISE to prevent corporate access, and also issue an Enterprise Wipe command to the device to remove all corporate data. This also removes the MDM profile.
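The authorization logic described in this section (on-boarding redirect, jailbroken/rooted enforcement, the PINLockStatus minimum, and the caveat that DeviceCompliantStatus may reflect MDM checks unrelated to network security) and the polling cycle described under Figure 8 (re-check posture, issue a CoA when a connected device's result changes) can be written out as one small model. The following is an added example, not ISE or MaaS360 code: the attribute names DeviceRegisterStatus, DeviceCompliantStatus, PinLockStatus and JailBrokenStatus follow the ISE MDM dictionary, while the access-level names, rule order, the honor_mdm_compliance opt-in and the sample device records are constructed for the example.

```python
"""ISE-style authorization over MDM attributes, plus the polling step that
decides which connected devices need a Change of Authorization (CoA).

This is an added example, not ISE or MaaS360 code. The attribute names
DeviceRegisterStatus, DeviceCompliantStatus, PinLockStatus and
JailBrokenStatus follow the ISE MDM dictionary; the access levels, rule
order and the sample device records below are constructed for the example.
"""

ACCESS_ONBOARD = "redirect-to-mdm-onboarding"
ACCESS_QUARANTINE = "quarantine"
ACCESS_INTERNET_ONLY = "internet-only"
ACCESS_FULL = "full-access"


def _flag(attrs, name, default=False):
    """MDM attributes may arrive as booleans or as the strings 'true'/'false'."""
    value = attrs.get(name, default)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def authorize(attrs, honor_mdm_compliance=False):
    """Rule order: unregistered devices go to on-boarding, jailbroken or
    rooted devices are quarantined, a missing PIN lock limits access, and the
    MDM's overall compliance verdict is consulted only when the ISE
    administrator opts in, because it may reflect checks unrelated to
    network security."""
    if not _flag(attrs, "DeviceRegisterStatus"):
        return ACCESS_ONBOARD
    if _flag(attrs, "JailBrokenStatus"):
        return ACCESS_QUARANTINE
    if not _flag(attrs, "PinLockStatus"):
        return ACCESS_INTERNET_ONLY
    if honor_mdm_compliance and not _flag(attrs, "DeviceCompliantStatus", default=True):
        return ACCESS_INTERNET_ONLY
    return ACCESS_FULL


def poll(previous_decisions, current_attrs, connected, honor_mdm_compliance=False):
    """One polling interval. Re-evaluate every device the MDM reported and
    return (new decisions, MACs that need a CoA). A CoA is only worth issuing
    for a device still on the network whose authorization result changed;
    the device then re-authenticates and lands in the new access level."""
    decisions = {}
    coa_targets = []
    for mac, attrs in current_attrs.items():
        decision = authorize(attrs, honor_mdm_compliance)
        decisions[mac] = decision
        if mac in connected and previous_decisions.get(mac) != decision:
            coa_targets.append(mac)
    return decisions, coa_targets


# Constructed sample: what one poll of the MDM might return, keyed by MAC address.
SAMPLE_DEVICES = {
    "00:11:22:33:44:01": {"DeviceRegisterStatus": "true", "DeviceCompliantStatus": "true",
                          "PinLockStatus": "true", "JailBrokenStatus": "false"},
    "00:11:22:33:44:02": {"DeviceRegisterStatus": "true", "DeviceCompliantStatus": "false",
                          "PinLockStatus": "true", "JailBrokenStatus": "true"},
    "00:11:22:33:44:03": {"DeviceRegisterStatus": "true", "DeviceCompliantStatus": "false",
                          "PinLockStatus": "false", "JailBrokenStatus": "false"},
    "00:11:22:33:44:04": {"DeviceRegisterStatus": "false"},
    "00:11:22:33:44:05": {"DeviceRegisterStatus": True, "DeviceCompliantStatus": False,
                          "PinLockStatus": True, "JailBrokenStatus": False},
}


if __name__ == "__main__":
    previous = {mac: ACCESS_FULL for mac in SAMPLE_DEVICES}   # all were full-access last poll
    on_network = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:04"}
    decisions, coa = poll(previous, SAMPLE_DEVICES, on_network)
    for mac, decision in decisions.items():
        print(mac, decision)
    print("CoA needed for:", coa)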
Cisco Applications (Jabber, etc.)
Cisco offers a wide range of mobile business applications for both increased productivity and security. Table 6 shows some popular applications.
Table 6 Popular Cisco Mobile Applications
• AnyConnect—AnyConnect is a security application for improved VPN access, including on-demand domain-based split tunneling.
• WebEx—WebEx is a productivity application that allows mobile users to connect to online meetings.
Figure 29 AnyConnect Provisioning Profile Conclusion The integration of the network policy enforced by Cisco ISE and the device policy offered by the Fiberlink MaaS360 MDM engine offers a new paradigm for BYOD deployments where security and productivity are not competing objectives. Disclaimer The Fiberlink MaaS360 configurations shown in this document should not be considered validated design guidance with respect to how the Fiberlink MaaS360 should be configured and deployed.