OneFabric Connect and Fiberlink MaaS360 Mobile Device Management (MDM)
Configuration and Integration Guide

Abstract: This document provides instructions for integrating Extreme Networks OneFabric Mobile IAM and OneFabric Connect with Fiberlink MaaS360 Mobile Device Management.

Published: June 2014

Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
Phone / +1 408.579.2800
Toll-free / +1 888.257.3000
www.extremenetworks.com

© 2012-2014 Extreme Networks, Inc. All Rights Reserved.

120955-00
Overview

This document highlights the integration of Extreme Networks Mobile IAM and OneFabric Connect solutions with Fiberlink MaaS360 Mobile Device Management. The document describes the installation and configuration actions required to complete the Extreme Networks Fiberlink integration.

Fiberlink MaaS360 for Mobile Devices is a cloud-based multi-tenant platform providing enhanced management of iOS and Android devices. MaaS360 is designed to provide maximum control over mobile devices and reduce risks to corporate data without jeopardizing employee productivity. It monitors mobile devices, both employee-owned and those provided by the organization, to ensure compliance with corporate security policies.

With the integration of Extreme Networks and Fiberlink solutions, network administrators benefit from single-pane-of-glass management control of corporate network resources, based on established profiles and policies.

Requirements

Extreme Networks Software Requirements

- Extreme Networks NetSight 6.1 or above: NMS-XXX (e.g. NMS-10 - NetSight License for up to 10 devices and 100 thin APs)
- Extreme Networks NAC 6.1 or above: NAC-A-XX, NAC-V-XX or IA-ES-XX (e.g. IA-ES-1K - Identity and Access 1,000 end-system license; IA licenses with appliance IA-A-XX require NMS-ADV-XXX NetSight Advanced licenses) with 802.1X or Web Authentication / Registration where usernames are populated into NAC Manager.

Fiberlink MaaS360 Requirements

- Fiberlink MaaS360 account that will be used by OneFabric Connect to access information about mobile devices.

Extreme Networks, Inc. All rights reserved.
Solution Components Overview

The integration requires the following software and hardware components.

- Fiberlink MaaS360 MDM: Can be either an on-premise or a cloud-based implementation.
- Extreme Networks Mobile IAM Appliance: Performs end-system identification, authentication, and assessment for the mobile devices. Working in combination with OneFabric Connect, a bidirectional communication channel is established to provide automatic and precise provisioning of mobile devices, whether they are enrolled with Fiberlink MaaS360 or not.
- Extreme Networks NetSight Server: This server consists of several components:
  - Extreme Networks OneFabric Connect Module: The core module in the integration. OneFabric Connect provides services for mobile device discovery, management of the local cache, and the administrative interface.
  - Call-Back Web Services: The front end to the OneFabric Connect Module, used to connect and communicate with Fiberlink MaaS360 to update mobile device information within Mobile IAM.
  - Mobile Device Assessment Engine: This component is responsible for verifying the compliance of a mobile device.
  - Data Store: Local cache populated with device information obtained from the Fiberlink MaaS360 system.
- Network Infrastructure: All the required networking hardware, servers, and software for the local environment, both Extreme Networks and third-party based.
- Mobile Devices: Supported mobile devices include Android, Apple iOS, and Windows Mobile tablets and smartphones.

Theory of Operation

Initial Database Population and Re-synch Process

The OneFabric Connect module polls the Fiberlink MaaS360 system for devices (1). The Fiberlink MaaS360 system returns its current list of mobile devices to the OneFabric Connect module (2). The OneFabric Connect module writes the device information to the local datastore. The local datastore is used to supplement the end-system population within the Mobile IAM as well as to provide data for the Assessment Engine (3). This datastore is then maintained through updates that Fiberlink MaaS360 sends to the OneFabric Connect module.
Mobile Device On-Boarding Process

Extreme Networks Mobile IAM detects an end-system connection event and identifies the mobile device based on device-type profiling and the data provided by the OneFabric Connect module (1). If the mobile device is a recognized Fiberlink MaaS360 enrolled device, an assessment can be triggered (2). The Assessment Engine then queries the local datastore and verifies the compliance of the mobile device (3). The Assessment Engine returns the compliance results to the Mobile IAM (4). The Mobile IAM provisions the device according to the assessment results (if triggered), device ownership, or the device-type profiling configuration within the Mobile IAM (5). For example, an unregistered mobile device can be assigned a separate network access policy (Extreme Networks-based hardware only), redirected to a captive portal, or confined to a specific VLAN.
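
The on-boarding flow above as a small Python model (an added example, not Extreme Networks or Fiberlink code). The record fields, group names and the MAC-keyed cache are assumptions; it shows unknown devices falling through to the restricted outcome and MAC formats being normalized so an enrolled device is not misclassified.

```python
# Added illustration: models on-boarding steps (1)-(5). Not Extreme Networks or
# Fiberlink code; record fields, group names and MAC keying are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class CachedDevice:
    """One local-datastore record (constructed shape)."""
    mac: str
    ownership: Optional[str]  # "corporate", "personal", or None when not set
    compliant: bool

# Hypothetical end-system group names.
BUSINESS, PERSONAL, DEFAULT = "mdm-business", "mdm-personal", "mdm-default"
UNREGISTERED, QUARANTINE = "unregistered", "quarantine"

def norm_mac(mac: str) -> str:
    """Canonical key so 'AA-BB..', 'aa:bb..' and 'aabb..' hit the same record."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def build_datastore(records) -> Dict[str, CachedDevice]:
    """Index the polled device list by normalized MAC address."""
    return {norm_mac(r.mac): r for r in records}

def onboard(mac: str, store: Dict[str, CachedDevice],
            assess: bool = True) -> Tuple[str, str]:
    """Return (end-system group, reason) for a connection event."""
    device = store.get(norm_mac(mac))                 # (1) identify via cache
    if device is None:                                # not enrolled in the MDM
        return UNREGISTERED, "no MDM record: restricted policy, portal or VLAN"
    if assess and not device.compliant:               # (2)-(4) assessment
        return QUARANTINE, "enrolled but failed compliance assessment"
    by_owner = {"corporate": BUSINESS, "personal": PERSONAL}
    group = by_owner.get(device.ownership, DEFAULT)   # (5) provision
    return group, f"enrolled, ownership={device.ownership or 'not set'}"

# Constructed sample cache (locally administered MAC addresses).
STORE = build_datastore([
    CachedDevice("02:00:00:AA:00:01", "corporate", True),
    CachedDevice("02-00-00-aa-00-02", "personal", False),
    CachedDevice("020000aa0003", None, True),
])

if __name__ == "__main__":
    for mac in ("02-00-00-AA-00-01", "02:00:00:aa:00:02",
                "02:00:00:AA:00:03", "02:00:00:AA:00:99"):
        print(mac, "->", onboard(mac, STORE))
```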
OneFabric Connect Installation

Note: Please reference the OneFabric Connect Plugin and NetSight API Installation Guide.

Configuration

Note: Fiberlink MaaS360 account information is required for the integration.

The Fiberlink MaaS360 integration requires Fiberlink authentication credentials and other account settings. This information is used in the Fiberlink MaaS360 module tab.

Service configuration 1 settings:

- Username: the login/username that will be used to execute the Fiberlink MaaS360 web services.
- Password: the password that is used to authenticate the login/username.
- MaaS360 Webservice URL: use https://services.fiberlink.com unless told otherwise by Fiberlink.
- Account Billing ID: the account billing ID is used to identify the Fiberlink MaaS360 account. To find the account billing ID, log into the Fiberlink MaaS360 management page. In the example below, the account billing ID is 30001503.
The default general module configuration settings are usually not changed.

Service-specific configuration default settings:

- End system group for Managed Business Mobile Devices: Mobile IAM end system group that will be used for mobile devices that are corporate owned.
- End system group for Managed Personal Mobile Devices: Mobile IAM end system group that will be used for mobile devices that are personally owned.
- End system group for Default Mobile Devices: Mobile IAM end system group that will be used for mobile devices that do not have their ownership set.
- End system group for performing a remote wipe: Mobile IAM end system group that is monitored to perform a remote wipe on a mobile device. To perform a remote wipe, enable the remote wipe option, then use either Mobile IAM or OneView to add the end system to the remote wipe system group.
- Enable Remote Wipe: Enable remote wipe by selecting either a selective wipe or a full wipe.
- Update Kerberos Username For End systems: Update the Mobile IAM end system username with the username from Fiberlink MaaS360.
- Update Device Type For End systems: Update the Mobile IAM end system device type with the device type from Fiberlink MaaS360.
- Notify User When Quarantined: Send a notification message to the mobile user when Mobile IAM quarantines the end system.
- Enable Assessment: Retrieve additional data for end system assessment.

For more information please visit https://community.extremenetworks.com/extreme. Please direct your questions and comments to sai@extremenetworks.com.