CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile




Table of Contents

About the Integration
  ForeScout MDM
  Additional Documentation
  About this Plugin
  How it Works
  Continuous Query Refresh
  Supported Devices
  Supported Network Infrastructures
  What to Do
  Accessing Fixes Made after this Release
Requirements
  Version Requirements
    CounterACT / Hotfix Requirements
    Additional Plugin Requirements
  Registration and Activation Requirements
    Registration and Activation
  Networking Requirements
  Endpoint Requirements
Installation and Configuration
  Test Plugin Communication with the MaaS Service
Displaying Inventory Data
Policy Templates
  Device Manageability Policy Template
    Using the Device Manageability Template
  Device Compliance Policy Template
    Using the Device Compliance Template
  Creating Unauthorized Application Lists
Working with CounterACT Policies
  Detecting Devices - Policy Properties
    Core Attributes
    Security and Compliance
    Hardware Inventory
    Network Information
    Additional Information
    Open Property Search
  Tag Devices - Policy Actions
    Custom Attribute Value Action
    Refresh Device Information Action

About the Integration

ForeScout MDM helps IT administrators streamline the process to provision, manage and secure today's expanding suite of smartphones and tablets, all from a single portal. ForeScout MDM for mobile devices is an easy to use platform that includes all of the essential functionality for end-to-end management of iOS and Android devices. This means with a single unified security management and reporting system, you can ensure that your network is secured, regardless of the type of device a user may be carrying. Instead of implementing new security silos that are limited to mobile devices, you can extend your PC and network security systems to encompass mobile devices.

ForeScout MDM

ForeScout MDM is a cloud-based solution, enabling quick and easy deployment, enrollment, monitoring, management and support. Together with ForeScout CounterACT, ForeScout MDM provides a whole new level of centralized visibility and control for actionable insights into your entire computing landscape.

- Secure all Mobile Devices: ForeScout MDM supports all major smartphone and tablet platforms including iOS and Android, in both Exchange and Lotus Notes environments.
- Embrace BYOD: ForeScout MDM provides workflows to discover, enroll, manage and report on personally owned devices as part of your mobile device operations.
- Experience simple device enrollment and approval: ForeScout MDM provides auto-quarantine for Exchange, and alerts IT personnel to approve all new devices. Additionally it provides for easy user self-enrollment, via web, email or SMS.

Additional Documentation

Refer to the documents at the following location for more technical information about the ForeScout MDM solution.
http://updates.forescout.com/online/help/mdm/forescout_mdm_doc.pdf

About this Plugin

Integration with CounterACT lets you deliver a comprehensive MDM solution that provides powerful monitoring and enforcement capabilities not available when working solely with the solution.

Use the Integration Plugin to complete the cycle of security by obtaining valuable capabilities:

- Automated real-time, continuous detection and compliance of mobile devices the moment they try to connect to your network, including unmanaged and unknown devices.
- Unified network access control policy enforcement options.
  - Allow compliant and managed devices on the network.
  - Limit network access based on device type, device ownership, time of day, and device compliance. The limited access network can allow access to a subset of applications and data, blocking access to more sensitive corporate resources.
  - Block noncompliant devices or specific types of devices from your network completely.
- Tag devices at the console, based on CounterACT detections.
- Enhance CounterACT inventory by populating it with information.

How it Works

The Integration Plugin queries the service for device attributes, for example core attributes, security and compliance information, hardware inventory and network information. All queries are performed by a single CounterACT Appliance that is designated for this purpose. This designated CounterACT Appliance, herein called the Connected Appliance, retrieves information from other CounterACT Appliances and the CounterACT Enterprise Manager and forwards the information to the service. Similarly, the Connected Appliance retrieves information from the MaaS360 service and forwards it to other CounterACT Appliances and the CounterACT Enterprise Manager.

Port 5223/TCP must be open for outbound traffic.

Continuous Query Refresh

query mechanisms recheck endpoint attributes at a static frequency, approximately once a day. However, after plugin installation, querying of endpoint properties is based on CounterACT policy recheck definitions: the conditions under which to recheck hosts that match the policy. Specifically, you can define:

- How often hosts are rechecked once they match a policy
- Under what conditions to carry out the recheck

This ensures continuous, real-time endpoint evaluation that can be customized for each CounterACT policy.

Queries for device core attributes are initiated on the basis of the endpoint MAC address. Core attribute results return the device ID, which is used for further queries. As such, it is required that CounterACT learn endpoint MAC addresses in order to initiate the query process. You can use the Manageability Policy template to detect hosts at which MAC addresses are not learned. See Device Manageability Policy Template for details.

Supported Devices

The following devices are supported by ForeScout MDM:

- iOS
- Android
- BlackBerry
- Windows Mobile
- Symbian

The following devices are supported by the Integration Plugin:

- iOS
- Android

For exact OS version support, refer to the documentation:
http://updates.forescout.com/online/help/mdm/forescout_mdm_doc.pdf

Supported Network Infrastructures

Devices connected to the network via a WiFi connection.

What to Do

To use the Integration Plugin, perform the following tasks:

1. Verify that you have met software and networking requirements. See Requirements.
2. Install, configure and test the plugin. See Installation and Configuration.
3. Create CounterACT policies that detect, manage and remediate devices. See Policy Templates and Working with CounterACT Policies.
4. Connect to the ForeScout Console to configure device policies: http://mdm.forescout.com/login

Refer to the documents at the following location for more technical information about the ForeScout MDM solution.
http://updates.forescout.com/online/help/mdm/forescout_mdm_doc.pdf

Accessing Fixes Made after this Release

New issues may be discovered and fixed after this release. These fixes will be made available as Beta fixes to the upcoming plugin version until the final version is posted on the ForeScout customer support page. You can access information about Beta fixes for the upcoming version at:
http://updates.forescout.com/support/files/plugins/fiberlink/1.0.1/updates.pdf

In addition, you can contact the ForeScout Beta Manager at beta@forescout.com to request the Beta plugin update with the fixes.

Requirements

This section lists version, registration and networking requirements.

Version Requirements

This section lists version requirements.

CounterACT / Hotfix Requirements

- CounterACT version 6.3.4.1, Hotfix 6.0 or above.
- CounterACT version 6.3.4.10, Hotfix 1.0 or above.

Additional Plugin Requirements

- HPS Inspection Engine Plugin version 9.4.3 or above.
- User Directory Plugin version 5.4.3 or above.

Registration and Activation Requirements

This section lists registration and activation requirements.

Registration and Activation

1. Register for access to the service at: http://mdm.forescout.com
   The service is available as a 30-day free trial.
2. Activate the registration by sending an activation request to: mdm@forescout.com
   You will receive an email response with information required for configuring the plugin, as well as other information.

Networking Requirements

Mobile devices managed by the service cannot establish a connection to the cloud service via a proxy. If a proxy is set up at the enterprise network, you must open port TCP/5223 to 17.0.0.0/8 on the enterprise firewall. By doing this, the proxy is bypassed when the mobile device accesses the service.

Endpoint Requirements

Queries for device core attributes are initiated on the basis of the endpoint MAC address. Core attribute results return the device ID, which is used for further queries. As such, it is required that CounterACT learn endpoint MAC addresses in order to initiate the query process. You can use the Manageability Policy template to detect hosts at which MAC addresses are not learned. See Device Manageability Policy Template for details.

Installation and Configuration

This section describes how to install, configure and test the Integration Plugin. The configuration is used to ensure that the plugin can communicate with the service.

To install:

1. After registering for the trial at http://mdm.forescout.com, you will receive an email that provides a download link.
2. Download and save the plugin installation file to the machine where the CounterACT Console is installed.
3. Log in to CounterACT and select Options from the Tools menu.
4. Select Plugins. The Plugins pane opens.
5. Select the Install button. The Open dialog box opens.
6. Navigate to the location where you saved the plugin installation file.
7. Select Install.
   Once installed, the Integration Plugin automatically adds an HTTP Redirect exception to the CounterACT NAC Redirect Exception list. CounterACT NAC HTTP redirect exceptions are designed to ensure users can access business essential Internet sites or important files on the Internet while allowing required HTTP blocking and redirection. In this case, incorporating an m.dm exception and a fiberlink exception ensures that devices can enroll with the service and still receive required HTTP notifications. See Device Manageability Policy Template for more information about this exception.
8. Start the plugin:
   - Select Mobile Integration from the Plugins pane.
   - Select the Start button.

To configure the plugin:

1. Select Mobile Integration - from the Options window. The configuration is used to ensure that the plugin can communicate with the service.
2. Enter the following details about the service.
   - Web Service Billing ID* (This information is used in the Manageability template, HTTP notification actions when redirecting endpoint Web sessions to the MDM enrollment site. See the Device Manageability Policy Template for details.)
   - Application ID*
   - Access Key*
   - Authentication Username
   - Authentication Password
   This information is provided by email after you activate your registration. See Registration and Activation Requirements for details.
3. In the Connected Appliance drop-down list, select the name of an Appliance that will serve as a proxy between the MaaS service and the Enterprise Manager and enterprise Appliances. The CounterACT device listed here is the only device that will communicate directly with the service. An Enterprise Manager may not be selected here.
4. Select the Advanced tab.
5. The Web Service URL Name field displays default values.
6. The Application Version field displays default values.
7. The Platform ID field displays default values.
8. In the Query Threshold field, define the maximum number of query requests to the service per threshold interval (defined in the following field).
9. In the Query Threshold Interval (Seconds) field, define the frequency that the plugin should query the service.
10. Select the Use a Proxy Server checkbox if there is a proxy between the Connected Appliance and the service in the cloud.
11. Enter the IP address of the proxy server in the DNS Name or IP Address of the Proxy Server field.
12. Enter the required proxy server port in the Port Number field.

Test Plugin Communication with the MaaS Service

Test the plugin communication with the MaaS service.

To test communication:

1. Select the Test tab.
2. In the Device MAC Address field, enter the MAC address of the device in order to test plugin communication with the MaaS service. Do not enter colons. Use lower case.

Displaying Inventory Data

Use the CounterACT Inventory to view a real-time display of device network activity at multiple levels, for example, software installed, core attributes or hardware information. The inventory lets you:

- Broaden your view of the organizational network from device-specific to activity-specific.
- View devices that have been detected with specific attributes.
- Easily track device activity.
- Incorporate inventory detections into policies.

To access the inventory:

1. Select the Inventory icon from the Console toolbar.
2. Navigate to the entries.

The following information is available:

- Core Attributes: Device Type, Platform Name
- Hardware Inventory: Manufacturer, Model, Operating System
- Software Installed

Refer to the CounterACT Console User's Manual or the Console Online Help for information about how to work with the CounterACT Inventory.

Policy Templates

Two templates are available for detecting, managing and remediating devices:

- Device Manageability Policy Template
- Device Compliance Policy Template

Device Manageability Policy Template

Use this policy to detect MaaS360 unmanageable devices. Devices that are unmanageable:

- Have not been detected with a MAC address. Queries for device core attributes are initiated on the basis of the endpoint MAC address. Core attribute results return the device ID, which is used for further queries.
- Cannot be accessed via CounterACT at the Cloud
- Are not listed with the service
- Have not enrolled with the service

Remediation options, disabled by default, let you block unmanageable devices from the corporate network and redirect device user web sessions to a page where they can register for the purpose of becoming manageable.

Prerequisites

- Consider which hosts you want to inspect. The policy does not handle hosts outside of the Internal Network.
- You should run the Asset Classification template first. The Hand Held group generated when running the Asset Classification template is included in the Device Manageability template Scope. The template was most likely run during initial CounterACT setup.
- Verify that you have configured the Integration Plugin.

Using the Device Manageability Template

This section describes how to use the Device Manageability template.

To use the Device Manageability template:

1. Select Add from the Policy Manager.
2. Navigate to the Mobile> folder and select the Device Manageability template.
3. Select Next. The Name page opens.
4. Accept the default name or change it as required and enter a description.
5. Select Next. The Scope dialog box opens. Use the dialog box to define which hosts should be inspected.
6. Select one of the following from the IP Address Range dialog box. Your selection appears in the IP Ranges section of the Scope page.
   - Select the All button to include all IP addresses.
   - Insert an IP address range.
   - Select a network segment.
   The Hand Held group, generated from the Asset Classification policy, is automatically included in the Filter by Group section of the Scope. This ensures that only mobile devices are inspected.
7. Select Next. The Enrollment Address page opens.
8. The address listed here is retrieved from the billing ID that you defined in the plugin configuration, Web Service Billing ID field, and is used for the purpose of redirecting the endpoint user to enroll with the service. After enrollment, devices can be managed.
9. Select Next. The Sub-Rules page opens. This page displays policy conditions and actions.
10. Policy conditions tell CounterACT how to detect hosts. Unmanageable hosts are detected according to the following criteria:
    - Hosts without a MAC address
    - Hosts not listed with the service
    - Hosts not enrolled with the service
    The policy condition also verifies that CounterACT has access to the Cloud service. Hosts are inspected by each sub-rule in the order shown, until a match is found.
11. Policy actions instruct CounterACT how to respond to endpoints that are not enrolled or listed.
    - Add to Group: Endpoints are automatically added to the CounterACT groups Not Listed and Not Enrolled. You can add these groups to other policy scopes for further handling.
    - Virtual Firewall: Blocks all endpoint traffic, with the exception of traffic transmitted at port 80/TCP. This action is disabled by default.
    - HTTP Notification: Endpoint web sessions are redirected to a page where users can register for the purpose of becoming manageable. See About HTTP Notification Actions. This action is disabled by default.

About Enrollment

This section describes how the device enrollment process works. When working with the template HTTP redirection actions, unmanageable endpoint web sessions are redirected to an enrollment site where users can register for the purpose of becoming manageable, i.e. they are enrolled and listed with the MaaS360 service. This action is disabled by default.

The device user is redirected to the following location:
https://services.fiberlink.com/dp/a.htm?c=1016686

The user will be required to authenticate using Active Directory. To ensure the enrollment process, verify that you have reviewed System Requirements for the Cloud Extender for User Authentication and User Visibility Modules (for Mobile Devices). A link to this information can be found at http://updates.forescout.com/online/help/mdm/forescout_mdm_doc.pdf (ForeScout MDM Technical Documentation and Support Contacts). Follow the link to Installation Guide for Cloud Extender.

About HTTP Notification Actions

This section describes automated processes that occur when using HTTP notification actions, available when working with the Not Listed and Not Enrolled sub-rules.

- CounterACT HTTP Redirect Exceptions
- Billing ID

CounterACT HTTP Redirect Exceptions

To avoid blocking access to the MDM enrollment site when working with the HTTP Notification actions, the MDM enrollment link is automatically added to the CounterACT NAC Redirect exception list. This list is designed to ensure that users can access business essential Internet sites or important files on the Internet while allowing required HTTP blocking and redirection. In this case, incorporating an m.dm exception and a fiberlink exception ensures that devices can enroll with the service and still receive required HTTP notifications. This redirect exception is automatically created when the plugin is installed.

Web Service Billing ID

The Web Service Billing ID URL entered in the plugin configuration, Web Service Configuration tab, is automatically placed in the HTTP notification sent when working with the Not Listed and Not Enrolled sub-rules. This URL leads to the enrollment site.

The URL is originally received after activating your registration. See Registration and Activation Requirements for details.

Device Compliance Policy Template

Use this policy to detect MaaS360 compliant devices. Devices that are compliant:

- Are not running unauthorized applications
- Are not jailbroken or rooted
- Are compliant based on criteria
- Have installed the Fiberlink App

Remediation options, disabled by default, let you block non-compliant devices from the corporate network and redirect device user web sessions to a remediation notification page.

Prerequisites

- In order to detect unauthorized applications you must create an unauthorized application list in CounterACT. See Creating Unauthorized Application Lists.
- Verify that you can detect the MAC address of devices that you are inspecting.
- Consider which hosts you want to inspect. The policy does not handle hosts outside of the Internal Network.
- You should run the Device Manageability template before running this template. The Devices Enrolled group generated when running the Device Manageability template is included in the Device Compliance template scope.

Using the Device Compliance Template

This section describes how to use the Device Compliance template.

To use the Device Compliance template:

1. Select Add from the Policy Manager.
2. Navigate to the Mobile> folder and select the Device Compliance template.
3. Select Next. The Name page opens.
4. Accept the default name or change it as required and enter a description.
5. Select Next. The Scope dialog box opens.
6. Select one of the following from the IP Address Range dialog box. Your selection appears in the IP Ranges section of the Scope page.
   - Select the All button to include all IP addresses.
   - Insert an IP address range.
   - Select a network segment.
   The Devices Enrolled group, generated from the Device Manageability policy, is automatically included in the Filter by Group section of the Scope. This ensures that only enrolled (manageable) devices are inspected.
7. Select Next.
8. The Sub-Rules page opens. This page displays policy conditions and actions.
9. Policy conditions tell CounterACT how to detect hosts. Devices that are not compliant are detected according to the following criteria:
   - Devices that are running unauthorized applications
   - Devices that are jailbroken (iOS) or rooted (Android)
   - Devices that are not compliant based on criteria
   - Devices that have not installed the Fiberlink App
10. Policy actions instruct CounterACT how to respond to endpoints that are not compliant.
    - Add to Group: Endpoints are automatically added to the - Non Compliance Devices group. You can add this group to other policy scopes for further handling.
    - Virtual Firewall: Blocks all endpoint traffic, with the exception of traffic transmitted at port 80/TCP. This action is disabled by default.
    - HTTP Notification: Endpoint web sessions are redirected. A notification page is displayed indicating the non-compliant issue detected, warning the user that access to the corporate network is blocked and instructing the user to contact IT to remediate the issue. This action is disabled by default.
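The first-match sub-rule evaluation that the Device Manageability and Device Compliance templates describe, modelled as an added Python example (not ForeScout code and not part of the original guide). The record fields, the labels other than the group names quoted in the guide, the position of the cloud-connectivity check, and case-insensitive application matching are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Remediation actions the guide says are disabled by default in both templates.
REMEDIATION = ("Virtual Firewall", "HTTP Notification")


@dataclass
class Device:
    """Constructed endpoint record; field names are hypothetical."""
    mac: Optional[str] = None
    cloud_reachable: bool = True
    listed: bool = False
    enrolled: bool = False
    apps: tuple = ()
    jailbroken_or_rooted: bool = False
    compliance_state: str = "In Compliance"
    mdm_app_installed: bool = True


def normalize_mac(raw):
    """Return the MAC as 12 lower-case hex digits with no separators
    (the form the Test tab asks for), or None if it is missing or malformed."""
    if not raw:
        return None
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def first_match(rules, device):
    """Sub-rules are tried in order; the first one that matches wins."""
    for name, predicate in rules:
        if predicate(device):
            return name
    return None


# Order follows the guide's criteria list; where the cloud check sits is assumed.
MANAGEABILITY = [
    ("No MAC Address", lambda d: normalize_mac(d.mac) is None),
    ("No Cloud Connectivity", lambda d: not d.cloud_reachable),
    ("Not Listed", lambda d: not d.listed),
    ("Not Enrolled", lambda d: not d.enrolled),
]


def compliance_rules(unauthorized):
    """Build the compliance sub-rules around an unauthorized application list."""
    banned = {name.lower() for name in unauthorized}
    return [
        ("Unauthorized Applications Installed",
         lambda d: any(a.lower() in banned for a in d.apps)),
        ("Jailbroken or Rooted", lambda d: d.jailbroken_or_rooted),
        ("Out of Compliance", lambda d: d.compliance_state == "Out of Compliance"),
        ("MDM App Not Installed", lambda d: not d.mdm_app_installed),
    ]


def evaluate(device, unauthorized=(), enforce=False):
    """Run manageability first; only manageable devices reach compliance."""
    actions = ["Add to Group"] + (list(REMEDIATION) if enforce else [])
    hit = first_match(MANAGEABILITY, device)
    if hit in ("Not Listed", "Not Enrolled"):
        return {"sub_rule": hit, "group": hit, "actions": actions}
    if hit:  # no MAC learned or no cloud access: nothing can be queried
        return {"sub_rule": hit, "group": None, "actions": []}
    hit = first_match(compliance_rules(unauthorized), device)
    if hit:
        return {"sub_rule": hit, "group": "Non Compliance Devices", "actions": actions}
    return {"sub_rule": None, "group": "Devices Enrolled", "actions": []}


if __name__ == "__main__":
    # Constructed sample: jailbroken but never enrolled, so compliance is not reached.
    sample = Device(mac="00:1A:2B:3C:4D:5E", listed=True, jailbroken_or_rooted=True)
    print(evaluate(sample))
```

With `enforce=False`, matching endpoints are only grouped, which mirrors the templates' default of leaving Virtual Firewall and HTTP Notification disabled.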

Creating Unauthorized Application Lists

In order to work with the Compliance Policy template, you will need to compile a list of applications that you want to prohibit on your network. An unauthorized applications list is automatically created using the CounterACT Lists feature when the plugin is installed. You will need to add the applications you want to prohibit to the predefined List. The list is automatically incorporated into the Unauthorized Applications Installed sub-rule.

To add an application to the list:

1. Select the Options icon from the Console toolbar and then select Lists.
2. Select the Edit button. The Edit List dialog box opens.
3. Select the Add button. The Add Value dialog box opens.
4. Enter the name of the application you want to prohibit, and select OK.
5. Enter a description of the application in the Description field of the Edit List dialog box, and select OK. The application appears in the Lists Manager.
6. The following options are available for creating lists of unauthorized applications:

Working with CounterACT Policies

This section describes how to use CounterACT policies to detect and control devices. Create or edit a policy and use policy conditions to detect these devices with specific properties.

To create a policy:

1. Log in to the CounterACT Console.
2. Select the Policy icon from the Console toolbar.
3. Create or edit a policy. For information about working with policies, select the Help button on the policy wizard.

Detecting Devices - Policy Properties

CounterACT policy conditions and properties let you instruct CounterACT which devices to detect, for example devices with specific restrictions. Expand the folder from a policy that you have created properties to be included in the policy condition.

An extensive range of properties can be detected. The categories include:

- Core Attributes
- Security and Compliance
- Hardware Inventory
- Network Information
- Additional Information
- Open Property Search

Core Attributes Device ID Device Name Device Online Device Status Last Reported Managed Status Platform Name Indicates the device ID. Indicates the device name. Indicates if the device is online. Indicates the device active status, including: Device Active Device Not Active Indicates the date/time of the last reported event on a host. Indicates the managed status of the device including: Enrolled Not Active Not Enrolled Pending Control Removal User Removed Control Indicates the platform on which the device is running Android ios Version 1.0.1 27

User Name Indicates the user name associated with the device. Security and Compliance Android Device Rooted Android Settings Failed to Configure Compliance State Device Passcode Status Device Restrictions Hardware Encryption MDM Policy ios Mailbox Approval State Indicates if an enrolled Android device is rooted. Indicates if certain settings were not configured on an Android host. Indicates the Compliance state of the host, including: In Compliance Not Available Out of Compliance Indicates the device passcode status including: Compliant Not Available Not Compliant per Profiles Not Compliant Not Compliant per all Requirements Not Enabled Passcode Policy Configured Passcode Policy Not Configured Pending Compliance Confirmation Indicates restrictions configured on the device including: Allow Installing of Applications Allow Screen Capture Allow Use of Camera Allow Use of YouTube Allow User of itunes Music Store Allow User of Safari Indicates if certain hardware encryption values were detected on the host. Indicates an MDM policy applied to the device. Indicates the mailbox approval status of the device including: Approved Blocked Version 1.0.1 28

    Device Discovery
    Not Available
    Quarantined
Out of Compliance Reasons: Indicates if certain out of compliance reasons were detected on the host.
iOS Device JailBroken: Indicates if the device is jailbroken.

Hardware Inventory

Custom Attributes: Indicates devices that were detected with specific device attributes, including an attribute or value.
Email Address: Indicates the Email Address of the device.
Manufacturer: Indicates the manufacturer of the device.
Model: Indicates the model of the device.
Operating System: Indicates the Operating System running on the device.
Ownership: Indicates the ownership of the device.

Network Information

ICCID: Indicates an ICCID value detected on the device.
Phone Number: Indicates the phone number associated with the device.

Additional Information

Maas360 Software Installed: Indicates if specific software is installed on the device.
Connectivity to Maas360 Cloud: Indicates if CounterACT is connected to the cloud.
Listed in Service: Indicates if the device is listed in service.

Open Property Search

If the attributes you are looking for do not appear in any of the folders, you can use the Open Property search options to discover whether a certain attribute exists on a host. You can fine-tune the search by looking for attributes that were detected at a certain date/time, or that include a certain integer or string.

To work with Open Property tools:
1. Select the Plugin from the Plugin pane, and then select the Test button. The test results generate a list of attributes that can be used when working with open properties.
2. Copy an attribute name, paste it into the Attribute name section of an Open Properties property, and enter the remaining property information.

Open Property Boolean: Indicates if a specific attribute exists on the device or not.
Open Property Date: Indicates if a specific attribute exists on the device or not and if the attribute was detected at a certain date and time.
Open Property Integer: Indicates if a specific attribute exists on the device or not and if the attribute included a certain integer.
Open Property String: Indicates if a specific attribute exists on the device or not, and if the attribute included a certain string.

Tag Devices - Policy Actions

Custom Attribute Value Action

Detect devices using a CounterACT policy and tag the devices with a user-defined Attribute Name and Attribute Value. This information is sent to the service cloud.

For example, use CounterACT to detect devices that were resolved as guests and tag them as:
    Attribute Name: East Coast Office
    Attribute Value: Guest

Devices will appear as East Coast Office Guests at the Console.

Refresh Device Information Action

The Refresh Device Information action triggers the service to refresh attributes on the device.

Legal Notice

Copyright ForeScout Technologies, 2000-2012. All rights reserved. The copyright and proprietary rights in the guide belong to ForeScout Technologies. It is strictly forbidden to copy, duplicate, sell, lend or otherwise use this guide in any way, shape or form without the prior consent of ForeScout Technologies.

This product is based on software developed by ForeScout Technologies. The products described in this document are protected by U.S. patent # 6,363,489 issued March 2002 and may be protected by other U.S. Patents and foreign patents.

Redistribution and use in source and binary forms are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials and other materials related to such distribution and use, acknowledge that the software was developed by ForeScout Technologies.

THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

All other trademarks used in this document are the property of their respective owners.

Send comments and questions regarding documentation to: documentation@forescout.com

6/5/12