Good MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Similar documents
XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

On-boarding and Provisioning with Cisco Identity Services Engine

TrustSec How-To Guide: On-boarding and Provisioning

Integrating Cisco ISE with GO!Enterprise MDM Quick Start

Cisco TrustSec How-To Guide: Guest Services

Cisco ISE 1.2 BYOD Lab Guide

Configure ISE Version 1.4 Posture with Microsoft WSUS

Cisco TrustSec How-To Guide: Planning and Predeployment Checklists

Implementing and Configuring Cisco Identity Services Engine SISE v1.3; 5 Days; Instructor-led

Getting Started - MDM Setup

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version ForeScout Mobile

Mobile Device Management Version 8. Last updated:

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Integrating Cisco Identity Services Engine with GO!Enterprise MDM

Active Directory Self-Service FAQ

AVG Business SSO Partner Getting Started Guide

How to Obtain an APNs Certificate for CA MDM

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Copyright 2013, 3CX Ltd.

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Install and End User Reference Guide for Direct Access to Citrix Applications

Manual Wireless Extender Setup Instructions. Before you start, there are two things you will need. 1. Laptop computer 2. Router s security key

USG40HE Content Filter Customization

Initial Access and Basic IPv4 Internet Configuration

QuickStart Guide for Mobile Device Management

Advanced Configuration Steps

Quick Installation Guide

Preparing for GO!Enterprise MDM On-Demand Service

Stefan Dürnberger. Consulting Systems Engineer Cisco Deutschland. sduernbe@cisco.com. Co-Author Bitkom Leitfaden BYOD


QuickStart Guide for Mobile Device Management. Version 8.6

UP L18 Enhanced MDM and Updated Protection Hands-On Lab

QUICK INSTALLATION GUIDE ACTIVATE

BlackBerry Universal Device Service. Demo Access. AUTHOR: System4u

Remote Access End User Reference Guide for SHC Portal Access

VoIP Intercom and Cisco Call Manager Server Setup Guide

The BYOD Wave: Policy, Security, and Wireless Infrastructure

VMware Identity Manager Connector Installation and Configuration

mystanwell.com Installing Citrix Client Software Information and Business Systems

SHC Client Remote Access User Guide for Citrix & F5 VPN Edge Client

VMware Identity Manager Administration

Manual for configuring NIC VPN in Windows OS

Administering Cisco ISE

Recommended Browser Setting for MySBU Portal

Server Software Installation Guide

Introduction to Mobile Access Gateway Installation

Comodo Mobile Device Manager Software Version 1.0

Multi-Factor Authentication Job Aide

Defender Token Deployment System Quick Start Guide

Centrify Identity Service and Mac - Online Training

Wazza s QuickStart 1. Leopard Server - Install & Configure DNS

D-Link DAP-1360 Repeater Mode Configuration

Windows Server 2008 R2 Initial Configuration Tasks

Dolphin Ocean Server and Dolphin Mobile Client Installation Guide for Android and ios. May 2012

Windows XP User guide for wired network v1.1

ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE. Technical Note

STATIC IP SET UP GUIDE VERIZON 7500 WIRELESS ROUTER/MODEM

OneLogin Integration User Guide


How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

Vodafone Secure Device Manager Administration User Guide

Symantec VIP Integration with ISE

How To Use 1Bay 1Bay From Awn.Net On A Pc Or Mac Or Ipad (For Pc Or Ipa) With A Network Box (For Mac) With An Ipad Or Ipod (For Ipad) With The

EMR Link Server Interface Installation

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

TP-LINK TD-W8901G. Wireless Modem Router. Advanced Troubleshooting Guide

Mac OS X User Manual Version 2.0

PrinterOn Print Management Overview

A Guide to New Features in Propalms OneGate 4.0

Introduction to Google Apps for Business Integration

Configuring a customer owned router to function as a switch with Ultra TV

vcloud Director User's Guide

Integrating ConnectWise Service Desk Ticketing with the Cisco OnPlus Portal

Virtual Data Centre. User Guide

Using Cisco UC320W with Windows Small Business Server

Building a BYOD Program Using the Casper Suite. Technical Paper Casper Suite v9.4 or Later 17 September 2014

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking

10/ English Edition 1. Quick Start Guide. NWA1100N-CE CloudEnabled Business N Wireless Access Point

Sophos Mobile Control SaaS startup guide. Product version: 6

Quick Start Guide Sendio Hosted

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

VPN User Guide. For Mac

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

7 6.2 Windows Vista / Windows IP Address Syntax Mobile Port Windows Vista / Windows Apply Rules To Your Device

Troubleshooting Guide

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

REMOTE ACCESS DDNS CONFIGURATION MANUAL

VPN: Virtual Private Network Setup Instructions

Student BYOD - Olathe Public Schools

It is recommended that you use a clean installation of Lion client before upgrading to Lion Server.

District 211 Technology. ipad Setup Instructions

Egnyte Single Sign-On (SSO) Installation for OneLogin

Chapter 6 Using Network Monitoring Tools

Web Sites, Virtual Machines, Service Management Portal and Service Management API Beta Installation Guide

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Introduction to the EIS Guide

Transcription:

Good MDM Integration with Cisco Identity Service Engine Secure Access How -To Guides Series Author: Imran Bashir Date: December 2012

Table of Contents Mobile Device Management (MDM)... 3 Overview... 3 MDM Integration Use-case... 3 Components... 4 Using MDM Integration Configuration Steps... 6 Cisco ISE and MDM integration configuration... 6 Review the MDM dictionaries... 10 Configure ISE Authorization Policies... 10 Appendix A: Good for Enterprise Configuration... 15 Appendix B: END user Flow... 20 Appendix C: References... 26 Cisco TrustSec System:... 26 Device Configuration Guides:... 26 Cisco Systems 2015 Page 2

Mobile Device Management (MDM) Overview Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a policy server, a mobile device client and an optional inline enforcement point that controls the use of some applications on a mobile device (like email) in the deployed environment. However the network is the only entity that can provide granular access to endpoints (based on ACL s, TrustSec SGT s etc). It is envisaged that Cisco Identity Services Engine (ISE) would be an additional network based enforcement point while the MDM policy server would serve as the policy decision point. ISE expects specific data from MDM servers to provide a complete solution The following are the high-level use cases in this solution. Device registration- Non registered endpoints accessing the network on-premises will be redirected to registration page on MDM server for registration based on user role, device type, etc Remediation- Non compliant endpoints will be given restricted access based on compliance state Periodic compliance check Periodically check with MDM server for compliance Ability for administrator in ISE to issue remote actions on the device through the MDM server (e.g.: remote wiping of the managed device) Ability for end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe and PIN Lock. Sample Network Topology Figure 1. ISE+MDM Integration Topology MDM Integration Use-case 1. User associates device to SSID 2. If user device is not registered, user goes through the BYOD on-boarding flow, details listed in Appendix Cisco Systems 2015 Page 3

3. ISE makes an API call to MDM server 4. This API call returns list of devices for this user and the posture status for the devices Please note that we can pass MAC address of endpoint device as input parameter. 5. If user s device is not in this list, it means device is not registered with the MDM provider. ISE will send an authorization to NAD to redirect to ISE, which will re-direct users to the MDM server (home page or landing page) 6. ISE will know that this device needs to be provisioned using MDM and will present an appropriate page to user to proceed to registration. 7. User will be transferred to the MDM policy engine where registration will be completed by the user. Control will transfer back to ISE either through automatic redirection by MDM server or by user refreshing their browser again. 8. ISE will query MDM again to gain knowledge of posture status 9. If the user device is not in compliant to the posture (compliance) policies configured on MDM, they will be notified that the device is out of compliance, reason for non-compliance and the need to be in compliance to access network resources. 10. Once user s device becomes compliant, MDM server will update the device state in its internal tables. 11. At this stage user can refresh the browser at which point control would transfer back to ISE. 12. ISE would also poll the MDM server periodically to get compliance information and issue COA s appropriately. Components Table 1. Table 1: Components Used in this Document Component Hardware Features Tested Cisco IOS Software Release The Cisco Identity Services Engine (ISE) Any: 1121/3315, 3355, 3395, VMware Integrated AAA, policy server, and services (guest, profiler, and posture) ISE 1.2 MDM Server MDM Certificate Authority Server (Optional) Any per specification of Microsoft (Windows 2008 R2 Enterprise SP2) SCEP, Certificate Authority Server N/A Wireless LAN Controller (WLC) 5500-series 2500-series Profiling and Change of Authorization (CoA) Unified Wireless 7.2 WLSM-2 Virtual Controller Test Devices: Apple & Google N/A Apple ios 5.0 Cisco Systems 2015 Page 4

Component Hardware Features Tested Cisco IOS Software Release E.g. Apple ios, Google Android and higher Google Android 2.3 and higher Within this document, we demonstrated MDM configuration only. We recommend using our How-To-Guide to configure ISE and WLC to a recommended state. How-to-Guide: http://www.cisco.com/en/us/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificate s.pdf More guides are available at: http://www.cisco.com/en/us/solutions/ns340/ns414/ns742/ns744/landing_designzone_trustsec.html Cisco Systems 2015 Page 5

Using MDM Integration Configuration Steps Cisco ISE and MDM integration configuration Figure 3 shows the main steps in configuring MDM Integration. Figure 2. MDM Configuration Flow Add External MDM Server to ISE MDM Servers can be used as a cloud service or installed locally on premises. Once the installation, basic setup and compliance checks are configured on the MDM server, it can then be added to ISE Export MDM Server Certificate Step 1 Step 1: Export MDM Server Certificate and save it on local machine. Cisco Systems 2015 Page 6

Figure 3. Export MDM Certificate Step 2 Import the certificate in to ISE. Navigate to: Administration -> Certificates -> Certificate Store -> Import. Optional: Add a friendly name and then click Submit Figure 4. Import MDM Certificate to Cisco ISE Step 3 Verify that Certificate is in Certificate Store. Cisco Systems 2015 Page 7

Figure 5. Verify MDM Certificate in Cisco ISE Step 4 Add MDM Server. Administration -> MDM Note: Please review Appendix A to ensure that the account used to connect to Airwatch MDM Server has the API role assigned. Figure 6. ADD MDM Server in Cisco ISE Step 5 Click ADD, and then enter MDM Server details. Cisco Systems 2015 Page 8

Figure 7. ADD MDM Server in Cisco ISE Step 6 Click Test Connection, ISE will confirm that connection is working. Figure 8. ADD MDM Server in Cisco ISE Step 7 Click OK on this pop-up and then select the checkbox. Step 8 Click the Submit button, the server will be added, the following success message with the presented to the admin. Figure 9. ADD MDM Server in Cisco ISE Cisco Systems 2015 Page 9

Figure 10. Server Added Review the MDM dictionaries Once the MDM server is added, the supported dictionaries now show-up in ISE, which could be later used in to ISE Authorization Policies. Step 1 Navigate to: Policy -> Policy Elements -> Dictionaries -> MDM -> Dictionary Attribute Figure 11. Review MDM Dictionaries in Cisco ISE Configure ISE Authorization Policies Once MDM server is added in to ISE, we can configure authorization polices in ISE to leverage the new dictionaries added for MDM servers. Note: Within this document, we demonstrated using dictionary attributes MDM:DeviceRegisterStatus EQUALS UnRegistered and MDM:DeviceCompliantStatus EQUALS NonCompliant. Please configure and test additional attributes as well Cisco Systems 2015 Page 10

Step 2 Create an ACL named NSP-ACL in the Wireless LAN Controller, which would be used in the policy later to redirect clients selected for BYOD supplicant provisioning, Certificate provisioning and MDM Quarantine. The Cisco Identity Services Engine IP address = 10.35.50.165 Internal Corporate Networks = 192.168.0.0, 172.16.0.0 (to redirect) MDM Server subnet = 204.8.168.0 Explanation of the NSP-ACL in Figure 13 is as follows Figure 12. Access Control List for re-directing client to BYOD flow 1. Allow all traffic outbound from Server to Client 2. Allow ICMP traffic inbound from Client to Server for trouble shooting, it is optional 3. Allow access to MDM server for un-registered and non-compliant devices to download the MDM agent and proceed with compliance checks 4. Allow all traffic inbound from Client to Server to ISE for Web Portal and supplicant and Certificate provisioning flows 5. Allow DNS traffic inbound from Client to Server for name resolution. 6. Allow DHCP traffic inbound from Client to Server for IP addresses. Cisco Systems 2015 Page 11

7. Deny all traffic inbound from Client to Server to corporate resources for redirection to ISE (As per company policy) 8. Deny all traffic inbound from Client to Server to corporate resources for redirection to ISE (As per company policy) 9. Deny all traffic inbound from Client to Server to corporate resources for redirection to ISE (As per company policy) 10. Deny all traffic inbound from Client to Server to corporate resources for redirection to ISE (As per company policy) 11. Deny all traffic inbound from Client to Server to corporate resources for redirection to ISE (As per company policy) 12. Deny all traffic inbound from Client to Server to corporate resources for redirection to ISE (As per company policy) 13. Permit all the rest of traffic (Optional) Step 3 Step 4 Create an Authorization Profile named MDM_Quarantine for devices which are not in compliant to MDM polices. In this case all non-compliant devices will be redirected to ISE and presented with a message. Click Policy Policy Elements Results, Click Authorization Authorization Profiles ADD Figure 13. Authorization Profiles Navigation Figure 14. Authorization Policy Configuration Cisco Systems 2015 Page 12

Figure 15. Authorization Policy Configuration Figure 16. NSP-ACL Note: NSP-ACL needs to be defined on the Wireless LAN Controller. Step 5 Create Authorization Policy. Click Policy Authorization Authorization Profiles. Click Insert New Rule Below. Figure 17. Insert New Rule Cisco Systems 2015 Page 13

Please add the following Authorization Policy MDM_Un_Registered = This Authorization Rule is added for devices which are not yet registered with an MDM server. Once the device hits this rule, it will be forwarded to ISE MDM landing page, which will present user with information on registering the device with MDM. MDM_Non_Compliant = This Authorization Rule is added for devices which are not in compliant to MDM policies. Once the Android device hits the Register button during device registration, ISE sends a Re-Auth COA to the controller. Once the device hits this rule, it will be forwarded to ISE MDM landing page, which will present user with information on compliance failure. PERMIT = Once the device is registered with ISE, registered with MDM and is in compliance to ISE and MDM policies it will be granted access to the network Figure 18. Authorization Policy Configuration View You are done! Please see the HowTo guide: BYOD Using Certificates for Differentiated Access for more information on provisioning certificates along with the supplicant profile. Note: MDM policies could also be defined in more granular details on Cisco ISE, e.g Demonstrations If interested in looking at the end-user experience for on-boarding i-devices, Android, Windows and MAC OSx, please visit the following website. http://wwwin.cisco.com/tech/snsbu/prod-sols/ise/#sectionname=4 Figure 19. Demo URL Cisco Systems 2015 Page 14

Appendix A: Good for Enterprise Configuration In this section we will review configuration of the GoodGood for Enterprise server for the corporate policies. This highlight the following: Verify admin account privileges for REST API, i.e. account used by ISE to send a REST API call to GoodGood server Review the Default Security Policies Review the ios APP installation configuration (AnyConnect) Step 1 Access the GoodGood Mobile Control administrative interface. a. On Admin PC, launch Mozilla Firefox web browser. Enter GoodGMC login URL in the address bar: e.g. https://206.124.127.119:8443/login.do Note: URL listed here is a sample URL b. Login with Admin username and password. Once you login, the Home tab should display. Figure 20. Login Screen Step 2 Configuring ISE user to access Good Mobile Control. a. The vendor will provide the admin username. To see the details of the admin user, Navigate to Rolesà Service Administratorsà Add as shown below: Cisco Systems 2015 Page 15

Figure 21. Add Roles b. Admin user role that will be configured to call Good for Enterprise APIs should have the Right Provide access to Cisco ISE. Figure 22. Troubleshooting Rights Cisco Systems 2015 Page 16

c. Select the domain in this case PSA type the admin user provided by the vendor here GoodAdmin and press on Lookup which will display the roles of the admin user. You can change the roles. Figure 23. PSA Type Step 3 Adding end users to Good Mobile Control for enrolling GFE or MDM devices a. Create end user as shown below. Navigate to Handhelds and then Add Handhelds. Figure 24. Add Handhelds Cisco Systems 2015 Page 17

b. Search for already created temp users as shown below. Figure 25. Add Handhelds c. Selected any one of the listed users and add the user as shown below. Figure 26. Add Handhelds Cisco Systems 2015 Page 18

d. Select the added user and note down the OTA PIN and Email address is required during the device enrollment process. Figure 27. OTA PIN Step 4 Security Policies on Good Server a. Navigate to POLICIES > Policy set à Default Security Policy. You can crate policies based on the corporate requirement. Figure 28. Policy Sets Cisco Systems 2015 Page 19

Appendix B: END user Flow Step 1 Complete the BYOD process and onboard the device to the corporate network, Once done continue to the MDM enrollment process, you will see the below page and hit enroll. Figure 29. MDM Enrollment Step 2 The process will redirect you to the apple store to install the MDM agent. Install the app. Figure 30. MDM Agent Cisco Systems 2015 Page 20

Step 3 Once app is installed run the app to complete the enrollment process. Hit the start tab as shown below. Figure 31. Application Start Screnn Step 4 Enter the Email ID and OTA created for the handheld from the above process. Figure 32. Login Process Step 5 Scroll down and select the server URL. Cisco Systems 2015 Page 21

Figure 33. Good Derver Step 6 Once you hit next in the above step the device will perform the below process and enroll the device. Figure 34. Enrollment Process Cisco Systems 2015 Page 22

Step 7 Once the process completes the user will be notified with the below screen. Figure 35. Server Set-up Step 8 Once the device is enrolled completely with the MDM server hit continue on the device browser to get the complete corporate access. Figure 36. MDM Enrollment Cisco Systems 2015 Page 23

Step 9 Verify that the handheld created in MDM server is associated with the device enrolled as shown below. Figure 37. MDM Server Figure 38. Handhelds Cisco Systems 2015 Page 24

Cisco Systems 2015 Page 25

Appendix C: References Cisco TrustSec System: http://www.cisco.com/go/trustsec http://www.cisco.com/en/us/solutions/ns340/ns414/ns742/ns744/landing_designzone_trustsec.html Device Configuration Guides: Cisco Identity Services Engine User Guides: http://www.cisco.com/en/us/products/ps11640/products_user_guide_list.html For more information about Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software releases, please refer to following URLs: For Cisco Catalyst 2900 series switches: http://www.cisco.com/en/us/products/ps6406/products_installation_and_configuration_guides_list.html For Cisco Catalyst 3000 series switches: http://www.cisco.com/en/us/products/ps7077/products_installation_and_configuration_guides_list.html For Cisco Catalyst 3000-X series switches: http://www.cisco.com/en/us/products/ps10745/products_installation_and_configuration_guides_list.html For Cisco Catalyst 4500 series switches: http://www.cisco.com/en/us/products/hw/switches/ps4324/products_installation_and_configuration_guides_ list.html For Cisco Catalyst 6500 series switches: http://www.cisco.com/en/us/products/hw/switches/ps708/products_installation_and_configuration_guides_li st.html For Cisco ASR 1000 series routers: http://www.cisco.com/en/us/products/ps9343/products_installation_and_configuration_guides_list.html For Cisco Wireless LAN Controllers: http://www.cisco.com/en/us/docs/wireless/controller/7.2/configuration/guide/cg.html Cisco Systems 2015 Page 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information