Sophos Mobile Control Network Access Control interface guide

Similar documents
Sophos Mobile Control User guide for Windows Mobile

Sophos Mobile Control Web service guide

Sophos Mobile Control User guide for Apple ios

Sophos Mobile Control User guide for Android

Sophos Mobile Control User guide for Apple ios. Product version: 2 Document date: December 2011

Sophos Mobile Control User guide for Windows Phone 8. Product version: 3.5

Sophos Mobile Control Super administrator guide. Product version: 3

Sophos Mobile Control Startup guide. Product version: 3

Sophos Mobile Control User guide for Android. Product version: 4

Sophos Mobile Control Installation guide. Product version: 3.5

Sophos Mobile Control Startup guide. Product version: 3.5

Sophos Mobile Control Installation guide. Product version: 3

Sophos Mobile Control Installation guide. Product version: 3.6

Sophos Mobile Control Installation guide

Sophos Mobile Control User guide for Apple ios. Product version: 4

Sophos SafeGuard Native Device Encryption for Mac quick startup guide. Product version: 7

Sophos Mobile Control as a Service Startup guide. Product version: 3.5

Sophos Mobile Control Technical guide

Sophos Mobile Control Administrator guide. Product version: 3

Sophos Mobile Control Installation prerequisites form

Sophos Mobile Control Administrator guide. Product version: 3.6

Sophos Mobile Control user help. Product version: 6.1

Capario B2B EDI Transaction Connection. Technical Specification for B2B Clients

Sophos Anti-Virus for NetApp Storage Systems startup guide

Sophos Deployment Packager user guide. Product version: 1.2

ADFS Integration Guidelines

Sophos Anti-Virus for Mac OS X network startup guide

Configuring Infoblox DHCP

Sophos Mobile Control SaaS startup guide. Product version: 6

Sophos Anti-Virus for Mac OS X network startup guide. For networked Macs running Mac OS X

Sophos Endpoint Security and Control How to deploy through Citrix Receiver 2.0

Communicating with a Barco projector over network. Technical note

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version ForeScout Mobile

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

SolarWinds Technical Reference

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

SafeGuard Enterprise upgrade guide. Product version: 6.1

Consuming a Web Service(SOAP and RESTful) in Java. Cheat Sheet For Consuming Services in Java

Sophos SafeGuard Disk Encryption for Mac Startup guide

Integration with IP Phones

Overview of Web Services API

StarWind iscsi SAN Software: Installing StarWind on Windows Server 2008 R2 Server Core

Sophos Endpoint Security and Control standalone startup guide

HTTPS Configuration for SAP Connector

DocuSign Connect for Salesforce Guide

Integration Guide. SafeNet Authentication Service. Oracle Secure Desktop Using SAS RADIUS OTP Authentication

Enabling Single Signon with IBM Cognos ReportNet and SAP Enterprise Portal

Configuring TLS Security for Cloudera Manager

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

Sophos Anti-Virus standalone startup guide. For Windows and Mac OS X

Sophos Enterprise Console server to server migration guide. Product version: 5.1 Document date: June 2012

Sophos Anti-Virus for NetApp Storage Systems user guide. Product version: 3.0

Sophos SafeGuard File Encryption for Mac Quick startup guide. Product version: 6.1

Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

SecuraLive ULTIMATE SECURITY

CA Nimsoft Unified Management Portal

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

Sophos Mobile Control Installation guide. Product version: 5.1

CRM to Exchange Synchronization

Introduction to Mobile Access Gateway Installation

SafeGuard Easy upgrade guide. Product version: 7

Sophos Mobile Control Administrator guide

Share Point Document Management For Sage 100 ERP

BlackBerry Enterprise Service 10. Version: Configuration Guide

2 Downloading Access Manager 3.1 SP4 IR1

SafeGuard Enterprise Web Helpdesk

Shavlik Patch for Microsoft System Center

Dell Mobile Management. Apple Device Enrollment Program

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

QMX ios MDM Pre-Requisites and Installation Guide

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012

CHAPTER 7 SSL CONFIGURATION AND TESTING

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

ICE Trade Vault. Public User & Technology Guide June 6, 2014

Android App User Guide

1 Overview Configuration on MACH Web Portal 1

Sophos Enterprise Console server to server migration guide. Product version: 5.2

Using Internet or Windows Explorer to Upload Your Site

SafeGuard Enterprise upgrade guide. Product version: 7

Mobility Manager 9.0. Installation Guide

MadCap Software. Upgrading Guide. Pulse

MaaS360 On-Premises Cloud Extender

Sophos for Microsoft SharePoint startup guide

Certificate technology on Pulse Secure Access

Setting Up SSL on IIS6 for MEGA Advisor

Sophos Enterprise Console Auditing user guide. Product version: 5.2

Sophos Mobile Control Technical Guide. Product version: 3.5

Certificate technology on Junos Pulse Secure Access

TIBCO Spotfire Platform IT Brief

Microsoft Active Directory Oracle Enterprise Gateway Integration Guide

Sophos SafeGuard Disk Encryption for Mac and the Casper Suite

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

Identikey Server Windows Installation Guide 3.1

Setting Up Resources in VMware Identity Manager

Creating a Secure Web Service In Informatica Data Services

Management, Logging and Troubleshooting

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x

QuickStart Guide for Mobile Device Management

Transcription:

Sophos Mobile Control Network Access Control interface guide Product version: 3.5 Document date: July 2013

Contents 1 About Sophos Mobile Control... 3 2 About Network Access Control integration... 4 3 Prerequisites... 5 4 Protocol... 6 5 Appendix... 8 6 Technical support... 11 7 Legal notices... 12.utimaco.com

NAC interface guide 1 About Sophos Mobile Control Sophos Mobile Control is a device management solution for mobile devices like smartphones and tablets. It allows configuration and software distribution as well as security settings and many other device management operations on mobile devices. With Sophos Mobile Control you can keep corporate data safe by managing apps and security settings. The Sophos Mobile Control client is easily installed and managed with over-the air setup and configuration through the Sophos Mobile Control web console. With the Sophos Mobile Control Self Service Portal for your users, you can reduce IT efforts by allowing them to register their own devices and carry out other tasks without having to contact the helpdesk. 3

Sophos Mobile Control 2 About Network Access Control integration Sophos Mobile Control offers a HTTP-based interface to integrate third-party Network Access Control (NAC) products. The implementation has to be done by the third-party vendor. The interface delivers a list of MAC addresses including the Sophos Mobile Control compliance status. NAC products may use the interface to permit or deny access to network segments depending on the compliance status of a device. 4

NAC interface guide 3 Prerequisites To use the NAC interface, you need a user account for logging on to the Sophos Mobile Control web console. An account consists of the following information: Customer User Password Note: Sophos Mobile Control is offered in two delivery models: Sophos Mobile Control for on-premise - installation and Sophos Mobile Control as a Service. Depending on the variant you use, NAC is configured by a super administrator (on-premise) or an administrator. For further information on the two variants, refer to the Sophos Mobile Control administrator help. For further information on how to configure NAC as a super administrator, refer to the Sophos Mobile Control super administrator guide. The NAC component needs to have a certificate (including private key). This certificate must be used to sign requests sent to the interface. The certificate s subject common name (CN) must start with the prefix SMCNAC and can be self-signed. The public certificate (usually with.cer or.crt file extension) needs to be uploaded to Sophos Mobile Control: 1. Log in at the Sophos Mobile Control web console 2. In the web console menu bar go to Settings, click System setup and go to the Network Access Control tab. 3. Upload the public certificate and save it. The interface delivers the MAC addresses of devices of the Sophos Mobile Control customer the certificate has been uploaded to. If you have uploaded the certificate in the super administrator customer, the devices of all customers are used. After NAC has been configured, log out from the web console and log in again. When you configure compliance rules in the web console, the checkbox Disallow Network Access is available. If you select this checkbox, Network Access is denied as soon as compliance criteria have been violated. 5

Sophos Mobile Control 4 Protocol The interface is HTTP-based and uses SSL encryption. It is available at https://[smc hostname]/servlets/nac/ You can use a HTTP GET request to verify that the servlet is running. 4.1 List request The protocol offers just one operation called list. This operation lists all known MAC addresses and the compliance statuses of the corresponding devices. The list command must be sent via HTTP POST. The string list must be set in the content. The HTTP request must then be signed using the private key of the certificate whose public part has been uploaded to SMC. The generated signature must be base64-encoded and sent as HTTP header mdm-signature. See the appendix for an example of how to sign a request using Java. 4.1.1 Example request HTTP method: POST HTTP header: mdm-protocol-version = 1 HTTP header: mdm-signature = MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEBGxp c3qaaaaaaacggdccaucwggknagrrwtdcmakgbyqgsm44bamwwzelmakga1ue[ ] Data: list 4.2 List response Sophos Mobile Control Server response lists the MAC addresses of compliant and non-compliant devices, separated by section markers. It also lists configuration values. The only configuration returned is the minimum query interval in seconds. If the NAC component queries too often, a 503 Service unavailable response is sent. It also includes a Retry-After header indicating the time period in seconds before retrying. 6

NAC interface guide 4.2.1 Example response HTTP status code: 200 Data: ---config--- refreshlistinterval=120 ---compliant--- 00:12:34:56:78:9a 00:76:54:32:10:bc ---non-compliant--- 00:ab:cd:f0:12:34 4.2.2 Example response if queried too often HTTP status code: 503 HTTP header: Retry-After = 67 4.2.3 Example response if signature is wrong or unknown HTTP status code: 403 7

Sophos Mobile Control 5 Appendix 5.1 Example using Java The following snippet shows a simplified Java example on how to sign a request, submit it and how to read the response. Exception and error handling is not included for brevity. The following example makes use of the BouncyCastle and Apache commons-codec libraries. public void example() Security.addProvider(new BouncyCastleProvider()); OutputStream out = null; InputStream in = null; HttpURLConnection connection = null; try // prepare the list command byte[] plaindata = "list".getbytes("utf 8"); // sign the data and encode it in base64 format String signedb64data = signandencodedata(plaindata); // open connection to NAC servlet URL url = new URL(("https://SMC URL/servlets/nac"); connection = (HttpURLConnection) url.openconnection(); connection.setrequestmethod("post"); connection.setrequestproperty("content type", ""); connection.setdoinput(true); connection.setdooutput(true); connection.setusecaches(false); connection.setrequestproperty("accept", "*/*"); // add the NAC servlet protocol version header connection.addrequestproperty("mdm protocol version", "1"); // add the signed list command base64 encoded connection.addrequestproperty("mdm signature", signedb64data); connection.connect(); out = connection.getoutputstream(); // write the list command out.write(plaindata); out.flush(); out.close(); // get the response int responsecode = connection.getresponsecode(); if (responsecode == 503) // maybe last request is not long enough ago, get next retry in seconds String nextretry = connection.getheaderfield("retry After"); // TODO your error handling here return; if (responsecode!= 200) // TODO your error handling here return; 8

NAC interface guide // get the response content in = connection.getinputstream(); BufferedReader br = new BufferedReader(new InputStreamReader(in)); List<String> allowed = new ArrayList<String>(); List<String> denied = new ArrayList<String>(); List<String> configuration = new ArrayList<String>(); // read the configuration String line = br.readline(); if (" config ".equals(line)) // read configuration until next block while (!" compliant ".equals((line = br.readline()))) if (line.isempty()) continue; configuration.add(line); // read mac addresses until next block while (!" non compliant ".equals((line = br.readline()))) if (line.isempty()) continue; allowed.add(line); // read mac addresses until end of content while ((line = br.readline())!= null) if (line.isempty()) continue; denied.add(line); // TODO use the received data catch (Exception e) // TODO your error handling here finally // TODO close all streams, cleanup resources 9

Sophos Mobile Control /** * Method signs plain data. Signed data will be returned as base64 encoded string. * @param plaindata byte[] * @return String signed data base64 encoded. * @throws Exception */ private String signandencodedata(byte[] plaindata) throws Exception InputStream in = null; try in = new FileInputStream(pathToKeystore); KeyStore keystore = KeyStore.getInstance("PKCS12"); keystore.load(in, keystorepassword); PrivateKey key = (PrivateKey)keyStore.getKey(certificateAlias, certificatepwd); Certificate[] chain = keystore.getcertificatechain(certificatealias); CertStore certsandcrls = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(chain)), "BC"); CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); X509Certificate cert = (X509Certificate) chain[0]; gen.addsigner(key, cert, CMSSignedGenerator.DIGEST_SHA1); gen.addcertificatesandcrls(certsandcrls); CMSProcessable data = new CMSProcessableByteArray(plainData); CMSSignedData signed = gen.generate(data, true, "BC"); return Base64.encodeBase64URLSafeString(signed.getEncoded()); catch (Exception e) // TODO your error handling here finally // TODO close all streams, cleanup resources 10

NAC interface guide 6 Technical support You can find technical support for Sophos products in any of these ways: Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem. Visit the Sophos support knowledgebase at http://www.sophos.com/en-us/support.aspx. Download the product documentation at http://www.sophos.com/en-us/support/documentation.aspx. Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages. 11

Sophos Mobile Control 7 Legal notices Copyright 2011-2013 Sophos Ltd. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information