Fr Apple ios
Cpyright This dcument is prtected by the United States cpyright laws, and is prprietary t Zscaler Inc. Cpying, reprducing, integrating, translating, mdifying, enhancing, recrding by any infrmatin strage r retrieval system r any ther use f this dcument, in whle r in part, by anyne ther than the authrized emplyees, custmers, users r partners (licensees) f Zscaler, Inc. withut the prir written permissin frm Zscaler, Inc. is prhibited. Cpyright 2015 Zscaler Trademark Statements Zscaler and NanLg are trademarks r registered trademarks f Zscaler, Inc. All ther trademarked names used herein are the prperties f their respective wners, and are used fr identificatin purpses nly. Zscaler fr Apple ios, Fr Apple ios Cpyright 2015 Zscaler 2
Cntents Abut the Zscaler Mbile ios Slutin... 4 Deplyment Methds... 5 Frwarding Traffic frm Supervised Devices... 5 Frwarding Traffic frm Nn-Supervised Devices... 5 Requirements... 6 Cnfiguring... 6 Abut the Mbile Prtal... 7 Cnfiguring a SecureAgent Plicy... 7 Cnfiguring the Acceptable Use Plicy (AUP)... 11 Cnfiguring Reminder Ntificatins... 12 Abut SecureAgent... 13 Installing SecureAgent n a Device... 14 Registering the Device... 15 Installing SecureAgent with an MDM... 19 Cnfiguratin Example: Airwatch... 19 Custmizing Blck Ntificatins... 22 Abut the SecureAgent Dashbard... 23 Remving a Prfile... 24 Abut SSL Inspectin fr Mbile Traffic... 25 Enabling SSL Inspectin... 25 Exempting URLs frm SSL Inspectin... 25 Fr Apple ios Cpyright 2015 Zscaler 3
Abut the Zscaler Mbile ios Slutin With the prliferatin f mbile devices, bth crprate and user wned, security fr mbile devices has becme increasingly critical. The Zscaler ios slutin extends the Zscaler security service t Apple ios devices, whether they re cnnected t Wi-Fi r cellular netwrks. It enfrces the plicies that yu set in the Admin prtal t prtect web and mbile traffic, and prvides the ability t define plicies that prtect mbile devices as well. Fr example, yu can cntrl whether users can use the camera r install apps n the mbile device. This cmprehensive slutin secures every aspect f yur user s mbile usage, cvering the device and its brwser and app traffic as well. Frm the Zscaler Admin Prtal where yu define administrative settings and plicies fr web and mbile traffic, yu can g t the Mbile Prtal t manage mbile devices. On the Mbile Prtal, yu can define plicies that cntrl hw a device frwards traffic t the Zscaler service and which apps, functinality and cntent can be accessed frm a device. The prtal als has a Dashbard where yu can mnitr the mbile devices and view their cmpliance status. Additinally, yu can define an Acceptable Use Plicy (AUP) and ntificatins specifically fr mbile devices. Zscaler SecureAgent is an app that is installed n mbile devices t authenticate the mbile device users and frward their traffic t the Zscaler service. When yu run SecureAgent, it installs the plicy that yu cnfigured n the Mbile prtal as a prfile n yur mbile device. Additinally, it enrlls the device t the Zscaler service. Once the device is enrlled, the device establishes a VPN tunnel t the Zscaler gateway n demand whenever the user surfs the Internet. As the brwser retrieves web pages, the service scans all inbund and utbund traffic t prtect devices frm malware and malicius apps that can cmprmise the security f yur data. Fr Apple ios Cpyright 2015 Zscaler 4
Deplyment Methds The Zscaler ios slutin ffers an enfrceable, intelligent n-demand IPsec VPN thrugh which users can frward all mbile traffic (brwser and apps) ver cellular r Wi-Fi netwrks t the Zscaler service. The VPN can be used by bth supervised and nn-supervised ios devices. Frwarding Traffic frm Supervised Devices Apple ios devices supprt the ability t cnfigure devices as supervised. Supervising devices is a useful ptin fr crprate-wned devices because it prvides tighter cntrl ver devices. Admins cnfigure supervised devices ver the air using the Apple Device Enrllment prgram r by using Apple Cnfiguratr. (Fr mre infrmatin n supervising devices, refer t the Apple ios dcumentatin.) Supervised devices supprt Glbal HTTP Prxy, a feature that redirects all mbile traffic t a prxy server. Yu can leverage the Glbal HTTP Prxy feature t ensure that Internet cnnectivity ver Wi- Fi r cellular netwrks is always redirected t the Zscaler service, when the IPsec VPN is nt in use. Yu can use the fllwing traffic frwarding mechanisms fr supervised devices: Enfrceable VPN: Zscaler recmmends this slutin, which cmbines frwarding mbile traffic thrugh the IPsec VPN and defining the Zscaler service as the prxy server in a Glbal HTTP Prxy prfile. If users turn ff the VPN, the device autmatically uses the Glbal HTTP Prxy prfile t frward its traffic t the Zscaler service. This mechanism prevents users frm circumventing the Zscaler service. Using the Glbal HTTP Prxy, yu can be assured that all traffic t/frm the ios device is directed t the service. Glbal HTTP Prxy + Surrgate IP: This slutin cmbines defining the Zscaler service as the prxy server in a glbal HTTP prxy prfile t enfrce frwarding all mbile traffic t the Zscaler service and leveraging the Zscaler Surrgate IP feature t map users t device IP addresses. The service then uses this mapping t apply the apprpriate grup and user plicies and fr lgging purpses. (Fr mre infrmatin n Surrgate IP, refer t the Web and Mbile Security Administratr s Guide.) This is useful, fr example, fr schls wh want t prtect student devices when they are n the schl Wi-Fi netwrk. The Glbal HTTP Prxy + Surrgate IP frwarding mechanism can nly be used in Wi-Fi netwrks. It cannt be used in cellular netwrks. Frwarding Traffic frm Nn-Supervised Devices Yu can cnfigure nn-supervised devices t use the IPsec VPN t frward traffic t the Zscaler service. If yur rganizatin has an existing MDM slutin, Zscaler recmmends that yu wrk with yur MDM slutin prvider t define a prfile t push SecureAgent n mbile devices fr enfrceability. Fr Apple ios Cpyright 2015 Zscaler 5
Requirements Yu will need the fllwing: A Zscaler SecureAgent subscriptin An ios device (iphne, ipd r ipad) that runs ios 6.0 r higher Cnfiguring These instructins describe the tasks necessary t secure the mbile devices f current Zscaler users. It assumes that the users have been prvisined n the service, an authenticatin mechanism has been installed, and the plicies have been cnfigured n the Admin Prtal. 1. On the Zscaler Mbile prtal, cnfigure the device-specific plicies and ptinally, AUP and reminders. See Abut the Mbile Prtal. 2. Yu can supervise devices and deply a Glbal HTTP Prxy ver the air using Apple s Device Enrllment Prgram r by using Apple Cnfiguratr. Fr infrmatin abut the Device Enrllment Prgram, g t https://www.apple.cm/educatin/it/dep/ r t https://www.apple.cm/business/dep/ Fr infrmatin abut Apple Cnfiguratr, g t http://help.apple.cm/cnfiguratr 3. Install SecureAgent n a mbile device and register the mbile device t the Zscaler service. T install SecureAgent n a mbile device, see Installing SecureAgent n a Device If yur rganizatin uses an MDM, refer t the dcumentatin f that MDM. This guide prvides an example using Airwatch. See Installing SecureAgent with an MDM. 4. Enable SecureAgent t push ntificatins t users when it blcks r restricts mbile apps frm accessing certain sites, files, r Internet applicatins. Yu can custmize the ntificatins. See Custmizing Blck Ntificatins. 5. If yu are using the Glbal HTTP Prxy + Surrgate IP traffic frwarding mechanism, g t the Admin Prtal and enable Surrgate IP fr the lcatin. After yu cmplete these tasks, yu can view the status f devices by ging t the SecureAgent Dashbard. Fr Apple ios Cpyright 2015 Zscaler 6
Abut the Mbile Prtal In additin t the Admin Prtal where yu manage users and plicies that cntrl web and mbile traffic, the service als prvides the Mbile Prtal where yu manage mbile devices. The Mbile Prtal prvides the fllwing: The SecureAgent Dashbard where yu can track mbile devices and their cmpliance status. A Plicy tab where yu can define SecureAgent plicies that cntrl and secure mbile devices An Administratin tab where yu can create a custm AUP just fr mbile devices and where yu can define reminders t users wh may need t update their security prfile Cnfiguring a SecureAgent Plicy The SecureAgent plicy cntrls the functins, apps and media cntent that a device can access and cntrls hw the device frwards traffic t the Zscaler service. The plicy is installed as a prfile n a mbile device when the Secure Agent app is installed. The SecureAgent plicy specifies the fllwing: The user grup t which the plicy applies The PAC file URL Mbile devices use a PAC file t frward traffic t the service. The service prvides a default PAC file that sends all brwser traffic t prt 8080 f the nearest Zscaler Enfrcement Nde (ZEN). The traffic frwarding mechanism Apps and cntent users can access The service prvides a default plicy that specifies the default PAC file hsted n the Zscaler clud fr mbile devices. This default plicy applies t all grups and cannt be changed r deleted. T add a new plicy fr ios devices: 1. G t Plicy > Mbile Prtal. 2. Frm the Mbile prtal, g t the Plicy tab. 3. G t ios Plicy Settings frm the menu n the left and click Add. Fr Apple ios Cpyright 2015 Zscaler 7
4. Cmplete the fllwing in the General tab: Enter a name fr the plicy and ptinally, a descriptin. Enable the rule. The service autmatically sets the rule rder, which yu can change, as necessary. Enter a passcde that users need t enter befre they can remve the prfile frm their device. Enter the URL frm which the device fetches the PAC file. Fr Apple ios Cpyright 2015 Zscaler 8
5. D the fllwing in the Traffic Frwarding tab: Enable traffic frwarding. Chse a traffic frwarding mechanism. URL String Prbe: Enter a URL frm yur internal netwrk. If the device tries t access this URL, then the mbile device wn t send the traffic thrugh the VPN. SSID Match: Enter the SSID f yur internal wireless lcal-area netwrk (WLAN). When the device uses this SSID, then it will nt send the traffic thrugh the VPN. 6. By default, users are allwed t access all available apps, functinality and media cntent. T restrict access, click Enable Restrictins and select the items yu want t blck: Fr Apple ios Cpyright 2015 Zscaler 9
7. If the Apple devices are supervised, select any additinal restrictins yu want t place. 8. Additinally, yu can restrict the cntent that yur users can access. Fr example, yu can allw them t view nly PG rated mvies and TV shws and t install a specific number f apps. 9. Click Save. Fr Apple ios Cpyright 2015 Zscaler 10
Cnfiguring the Acceptable Use Plicy (AUP) Yu can create an Acceptable Use Plicy (AUP) statement specifically fr mbile devices and require users t accept it befre the Zscaler service allws them t brwse the Internet frm their mbile devices. T cnfigure: 1. G t Plicy > Mbile Prtal. 2. Frm the Mbile prtal, g t Administratin. 3. Chse Acceptable Usage Plicy Settings frm the menu n the left. 4. Cmplete the fllwing: 5. Click Save. Chse hw ften the service displays the AUP page. Yu can chse ne f the predefined intervals r select Custm and enter the number f days, between 1 and 180 inclusive. The service tracks the AUP acceptance time and expiratin fr each user. Type in r paste an "Acceptable Use" statement. Yu can enter HTML tags as well as images, as lng as the image files are accessible frm the Internet. Yu can click Preview t view the AUP as yur users wuld see it. Fr Apple ios Cpyright 2015 Zscaler 11
Cnfiguring Reminder Ntificatins Yu can send reminders n demand r schedule reminders t users wh turn ff the Zscaler VPN r wh need t update their SecureAgent prfile. T schedule reminders: 1. G t Plicy > Mbile Prtal. 2. Frm the Mbile prtal, g t Administratin. 3. Chse Reminder Ntificatin Settings frm the menu n the left. 4. D the fllwing: Chse hw ften the service sends reminders. Type in r paste text fr the reminder. Yu can enter HTML tags as well as images, as lng as the image files are accessible frm the Internet. 5. Click Save t exit the dialg. T send a reminder t a user: 1. G t Plicy > Mbile Prtal. 2. Frm the Mbile prtal, g t Dashbard. 3. Chse Device Overview frm the menu n the left. 4. Pint t the user and click the Edit icn. 5. Click Send Reminder. Fr Apple ios Cpyright 2015 Zscaler 12
Abut SecureAgent The Zscaler SecureAgent app is used in cnjunctin with the Zscaler service t secure every aspect f yur users mbile usage. SecureAgent is required n all mbile devices that frward traffic t the Zscaler service. When a user installs SecureAgent n a mbile device, SecureAgent authenticates the user using yur crprate authenticatin mechanism and des the fllwing: Installs the apprpriate SecureAgent prfile, which includes the VPN settings and certificates. The service generates a unique per-user VPN certificate which establishes the user cntext. Registers the mbile device t the Zscaler service. The device then establishes a VPN tunnel t the Zscaler gateway n demand whenever the user surfs the Internet. The Zscaler service can nw enfrce grup and user plicies and prvide per-user and per-department lgging and reprting. Additinally, SecureAgent displays ntificatins t users when the service blcks transactins due t plicy r malware that it detected. The service issues ntificatins t mbile devices via the Apple Push Ntificatin Service. Zscaler SecureAgent then displays the ntificatins and stres them until the user clears them. These ntificatins infrm the user abut the transactins blcked frm specific apps, including the reasns. Yu can custmize the ntificatins that are displayed t the user n the Zscaler Admin Prtal. Users can dwnlad and install SecureAgent frm the itunes App stre. If yur rganizatin has an MDM, Zscaler recmmends that yu use yur MDM slutin prvider t define a prfile t push SecureAgent t mbile devices. Fr Apple ios Cpyright 2015 Zscaler 13
Installing SecureAgent n a Device Zscaler SecureAgent fr Apple ios devices is available fr dwnlad n the itunes App stre. When yu dwnlad it, ensure that SecureAgent is allwed t push ntificatins t yur ios device. Fr Apple ios Cpyright 2015 Zscaler 14
Registering the Device 1. On the mbile device, click the installed SecureAgent app. 2. When it displays the lgin frm, enter the user s Zscaler credentials. Fr Apple ios Cpyright 2015 Zscaler 15
SecureAgent starts the registratin prcess. Fr Apple ios Cpyright 2015 Zscaler 16
3. When SecureAgent is ready t install the prfile, click Install. 4. Yu may be required t enter the pin cde, if it was set n the device. Fr Apple ios Cpyright 2015 Zscaler 17
5. When the app displays the warning, click Install. SecureAgent displays a page similar t the ne shwn belw after the prfile is successfully installed. Fr Apple ios Cpyright 2015 Zscaler 18
Installing SecureAgent with an MDM Fr nn-supervised devices, Zscaler recmmends that yu wrk with yur MDM slutin prvider t push SecureAgent t mbile devices. Yur MDM prvider will need t d the fllwing: Deply a certificate fr each user. Optinally, cnfigure a PIN t restrict the remval f the prfile. Cnfiguratin Example: Airwatch The admin must cmplete the fllwing tasks: 1. Create an ios device supervisin and device enrllment plan. Fr infrmatin abut the Device Enrllment Prgram, g t https://www.apple.cm/educatin/it/dep/ r t https://www.apple.cm/business/dep/ Fr infrmatin abut Apple Cnfiguratr, g t http://help.apple.cm/cnfiguratr 2. Cnfigure SecureAgent prfiles n the Zscaler Mbile Prtal. See Cnfiguring a SecureAgent Plicy. 3. Cnfigure Airwatch Prfiles t push the Zscaler SecureAgent app. See Cnfigure Airwatch Prfiles t Push SecureAgent. On the ios device, users must d the fllwing: 1. Enrll the device t Airwatch. Fr infrmatin abut this task, refer t the Airwatch dcumentatin. Nte that nce the device is enrlled t the Airwatch MDM, Zscaler SecureAgent will be installed n the device autmatically. 2. Register the ios device t the Zscaler service. See Registering the Device Fr Apple ios Cpyright 2015 Zscaler 19
Cnfigure Airwatch Prfiles t Push SecureAgent This dcument assumes that the Airwatch MDM is already deplyed and user/grup cnfiguratin and ther related cnfiguratins required t enrll the device t the MDM are already cmpleted. Please cntact Airwatch Supprt fr the deplyment instructins. This sectin prvides guidelines n hw t push the SecureAgent app using the Airwatch MDM.Fr additinal infrmatin n the steps and questins related t Airwatch MDM, please cntact Airwatch Supprt. Cnfigure Apps & Bks prfile fr Zscaler SecureAgent ios App, such that it is installed n the user s device when the user enrlls with Airwatch MDM. Please nte that in certain cnditins, it may nt be pssible t install SecureAgent silently and will need user apprval. Please cntact Airwatch Supprt fr the exact steps. Please nte the fllwing: Zscaler SecureAgent fr ios devices is available n the itunes AppStre. The Airwatch prfile can be cnfigured t install the app using the AppStre Link, as shwn belw. On supervised devices, the app is installed silently. Fr nn-supervised device, please cntact Airwatch Supprt fr instructins n hw t install the app silently. Fr Apple ios Cpyright 2015 Zscaler 20
Fr Apple ios Cpyright 2015 Zscaler 21
Custmizing Blck Ntificatins The Zscaler service can push ntificatins t users when it blcks r restricts mbile apps frm accessing certain sites, files, r Internet applicatins. Fr example, the Zscaler service will send a ntificatin when an app tries t access a site that has certain vulnerabilities r when an app is blcked because it is knwn t leak infrmatin t third parties. The Zscaler service can send ntificatins when it blcks r restricts knwn apps as well as thse that it cannt identify. After the initial ntificatin, yu can suppress subsequent ntificatins fr a selected number f minutes, t avid users receiving multiple successive ntificatins frm a single app. Yu can specify the number f minutes per app and per user. T cnfigure ntificatins fr the SecureAgent app: 1. Frm the Admin Prtal, g t Administratin > Resurces > Secure Agent Ntificatins. 2. Cmplete the fllwing: Enable Send Push Ntificatins. Yu can enable the service t suppress the ntificatin fr a certain time perid s the user sees the ntificatin at certain intervals nly and nt after every blcked transactin. Enable Send Ntificatins fr Unknwn Apps t allw the service t send ntificatins when it blcks r restricts access t apps that it cannt identify. Enter the text fr the Ntificatin Message (up t 128 bytes). 3. Click Save and activate the change. Fr Apple ios Cpyright 2015 Zscaler 22
Abut the SecureAgent Dashbard The SecureAgent Dashbard prvides infrmatin abut the mbile devices that have SecureAgent in yur crprate netwrk. The Dashbard prvides multiple views s yu can mnitr the status f the mbile devices and take actin when yu see unregistered devices r devices with utdated prfiles. Cmpliance Overview gives yu a view f the cmpliance status f the mbile devices in yur rganizatin. Fr Apple ios Cpyright 2015 Zscaler 23
Device Overview lists the users and their device infrmatin, including their plicy status. The plicy status indicates whether the device is registered, has an updated r utdated prfile, r whether the prfile has been remved r is pending. Frm this Dashbard, yu can either remve a prfile frm the user's device r send a reminder t users abut updates they need t make. Remving a Prfile Yu can remve a prfile frm a device if, fr example, an emplyee leaves the cmpany. T remve a prfile: 1. Frm the Mbile prtal, g t Dashbard. 2. Chse Device Overview frm the menu n the left. 3. Pint t the user and click the Edit icn. 4. Click Remve. Fr Apple ios Cpyright 2015 Zscaler 24
Abut SSL Inspectin fr Mbile Traffic Yu can enable SSL inspectin t allw the Zscaler service t decrypt and inspect HTTPS traffic t and frm the brwser n a mbile device, and t and frm the destinatin server. SecureAgent installs the Zscaler intermediate certificate by default. If yu wuld like t use an intermediate certificate signed by yur wn CA, install that certificate n the mbile devices. (Fr mre infrmatin n SSL Inspectin, refer t the SSL Cnfiguratin Guide.) Enabling SSL Inspectin T enable SSL inspectin fr mbile devices: 1. Frm the Admin prtal, g t Plicy > SSL Inspectin. 2. In the Plicy fr Mbile Traffic sectin, select Enable SSL Scanning fr Mbile Traffic. 3. Click Save and active the change. Exempting URLs frm SSL Inspectin T exempt specific URLs frm SSL inspectin, add them t the Bypassed URLs list. The service des nt decrypt transactins t sites in this list. The fllwing instructins describe hw t create a custm categry fr the URLs and hw t add the custm categry t the Bypassed URLs list. If yu already have a custm categry fr bypassed URLS, edit the categry and add the URLs. Fr Apple ios Cpyright 2015 Zscaler 25
T create a custm URL categry: 1. Frm the Admin prtal, g t Administratin > URL Categries. 2. Click Add and d the fllwing: Enter a name fr the categry. Add the fllwing t the Custm URLs field: itunes.apple.cm.mzstatic.cm gs.apple.cm albert.apple.cm phbs.apple.cm securemetrics.apple.cm.phbs.apple.cm mzstatic.cm deims.apple.cm.deims.apple.cm.albert.apple.cm.gs.apple.cm ax.itunes.cm.ax.itunes.cm.securemetrics.apple.cm.itunes.apple.cm 3. Click Save and active the change. Fr Apple ios Cpyright 2015 Zscaler 26
T add the custm categry t the Bypassed URL Categries list: 1. Frm the Admin prtal, g t Plicy > SSL Inspectin. 2. Frm Bypassed URL Categries, chse the URL categry that cntains the URLs that are exempted frm decryptin. 3. Click Save and activate the change. Fr Apple ios Cpyright 2015 Zscaler 27
Firewall Requirements Cnfigure yur firewall t allw the fllwing necessary cnnectins: Used fr the Apple Push Ntificatin Service: Prt 5223, 2195, 2196, 443. Used t cnnect with the Zscaler Enfrcement Nde (ZEN): 8080 (utbund nly) Web prts: 80, 4O43, Fr Apple ios Cpyright 2015 Zscaler 28