Transcription

Integrating Cisco ISE with NotifyMDM Quick StartNotifyMDM Version 3.xOverview 1

Table of ContentsOverview3Getting NotifyMDM Ready for ISE5Grant ISE Access to the NotifyMDM API . 6Import MDM Certificate to ISE . 7Add the NotifyMDM Server to ISE . 10Device Portal Management . 12MDM Network Access Restriction . 13NotifyMDM Version 3.xOverview 2

OverviewNotify Technology Corporation is a leading provider of MDM software used to establish and enforce policieson hand-held endpoints. This could include corporate-owned or employee-owned phones and tablets.Devices manufactured by all the major equipment providers are supported at some level. Apple iOS andAndroid devices are the primary focus, but NotifyMDM also supports Blackberry and Windows Phone.Mobile Device Management is being widely deployed in enterprise environments and is in a constant state ofexpansion.Features can be grouped into several categories: Device Restrictions – There are two common types of restrictions. Either some feature of the deviceis disabled, such as the camera, or there are additional requirements for basic usage, such as a PINlock or storage encryption. When a restriction is in place, the user is not offered the choice of noncompliance. Restrictions are used to reduce security risks to the enterprise. Device Compliance – This may also be referred to as posture enforcement. The MDM server willcheck the attributes of the device against a list of acceptable operational conditions. Compliancechecks can be enforced based on their severity. For example, NotifyMDM can automatically restrictdevice access if the device has been compromised. A compliance check is different from a restrictionbecause user actions can take the device out of compliance. Compliance can be used to increasesecurity or reduce operational costs. Notifications – Administrators can send a message to a large population of devices. This could be apush message to the device notification page. For example, “The fire drill is complete, you may returnto the building” could be sent to all devices on a particular campus. Notifications are used to increaseproductivity. Content Distribution – Documents can be made available to users on demand. Content distribution isused to increase productivity. Application Distribution – The MDM solution can offer a company catalog of available applications orinstall required applications. The applications can come from public repositories or can be corporatedeveloped applications. Application distribution has both security and productivity gains. Security isenhanced because any application distributed by the MDM, including local storage associated to theapplication, is removed as part of a corporate wipe. Corporate Resource Assignments – Corporate Resources are a collection of servers, networks, andother resources that MDM can make available to users. Using a user’s profile, MDM can manageapps, associate a device with servers or networks in the enterprise system, and configure useraccount settings to push out to the device. MDM can also push out resources such as ProvisioningProfiles, Subscribed Calendars, Web Clips, and an Access Point Name, CalDav and CardDAVservers, Exchange Server, LDAP Servers, Mail Servers, Managed Apps, SCEP server, VPN, andWi-Fi networksNotifyMDM Version 3.xOverview 3

The NotifyMDM solution has three main components: Policy server Device OS API Device client applicationBeyond these, there are additional components for enterprise integration and, email. NotifyMDM requires theclient application to detect some conditions, such as jail-broken (or the term Apple prefers, Compromised OS)or rooted devices.Purpose and DescriptionCisco Identity Services Engine (ISE) provides the enterprise with a method to screen any device trying to gainnetwork access via Wi-Fi. The Wi-Fi access point forwards all traffic to a Wireless LAN Controller (WLC). Mobile devices are discovered by Cisco ISE as they attempt to access the network. Using the device MAC address, ISE queries NotifyMDM for the device’s posture information. Based on information returned from the MDM server, ISE determines whether or not the device ispermitted access and gives the WLC information it needs to determine which Access Control List(ACL) to apply to the device. The ACL details what resources are permitted or denied for the device.For example, an ACL can deny access to internal networks, but may allow Internet access.Rules determining what ACL the Wireless LAN Controller should apply to the device are configured by theadministrator in ISE. Criteria such as registered, not registered, compliant, not compliant, etc. determinewhich ACL is assigned.Cisco ISE assigns network access level based on enrollment and posture results. ISE redirects unenrolleddevices to a page from which the NotifyMDM app can be downloaded (Android ) or to a web enrollment page(iOS).Integration Steps1. Import the primary root NotifyMDM site certificate to ISE2. Grant ISE access to the NotifyMDM API3. Add the NotifyMDM server to ISENotifyMDM Version 3.xOverview 4

Getting NotifyMDM Ready for ISEISE Requirements The ISE console v1.3 requires Windows Internet Explorer (10.x - 11.x) or Mozilla Firefox (24.x - 30.x) The ISE console v1.2 requires Windows Internet Explorer (10.x – 11.x); It does not work on Chromeor Firefox.Establishing Connectivity Between ISE and NotifyMDMThe first requirement is to establish basic connectivity between the Cisco ISE server and the NotifyMDMserver.For those using NotifyMDM on-demand service, a firewall is typically located between ISE and the NotifyMDMcloud. The firewall should be configured to allow an HTTPS session from ISE located in the data center to theNotifyMDM server located in the public Internet. The session is established outbound from ISE towards theMDM where ISE takes the client role. This is a common direction for web traffic over corporate firewalls.Figure 1 Typical Cloud Deployment ModelNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 5

Grant ISE Access to the NotifyMDM APIThe NotifyMDM API is protected by HTTPS and requires an Organization Administrator account that hasbeen granted permission to the API. Ideally a specific account would be configured for ISE with a very strongpassword.From the NotifyMDM dashboard, navigate to System Management Organization Administrators andclick Add Administrator to create an Organization Administrator account to be designated as the ISEadministrator. Once it is created, select it from the grid and mark it as the ISE Admin.Figure 5 Designate an Organization Administrator as the ISE AdminNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 6

Import MDM Certificate to ISEThe NotifyMDM server incorporates an HTTPS portal to support the various users of the system. In the caseof a cloud service, this website will be provided to the enterprise and ISE must establish trust with thiswebsite. Therefore the administrator must establish the trust relationship.Export the MDM Site CertificateThe simplest approach is to export the primary root MDM site certificate, then import the certificate into a localcert store in ISE. Most browsers allow this. Internet explorer and Firefox are shown in Figures 2 & 3 with acloud-based MDM deployment.Figure 2 Exporting the MDM Site Certificate with Internet ExplorerNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 7

Figure 3 Exporting the MDM Site Certificate with FirefoxNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 8

Import the Certificate to ISEISE has a certificate store to which you can import the MDM certificate.From the ISE console, select the Administration tab and choose Certificates.Select Trusted Certificates from the left panel.At the Certificate File field browse to locate the certificate file and add it.Verify that the checkbox next to, Trust for authentication within ISE is marked.Figure 4 Importing the Certificate to ISE Certificate StoreNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 9

Add the NotifyMDM Server to ISEOnce the administrator account has been defined on the NotifyMDM server with the proper role, ISE can beconfigured to use this account when querying the NotifyMDM server for device information. ISE will contactthe NotifyMDM server to gather posture information about devices or to issue device commands, such ascorporate wipe or lock. The session is initiated from ISE towards the NotifyMDM server.From the Cisco ISE console, navigate to Administration Network Resources External MDM toconfigure the NotifyMDM server.Enter the Name, IP Address, and (external) Port of the NotifyMDM server.In the User Name / Password fields, enter the MDM Organization Administrator credentials you havedesignated as the ISE Admin for NotifyMDM.Figure 6 Configure the MDM API on ISEPolling Interval. The polling interval specifies how often ISE will query the MDM for changes to deviceposture. ISE queries the NotifyMDM server for a list of the devices that are out of compliance. If a deviceassociated to the network is found to be out of MDM compliance the compliance remediation action is torestrict network access. ISE will then issue a Change of Authorization (CoA), forcing the device to reauthenticate. Likely the device will need to remediate with the MDM to return to compliance. Note that MDMcompliance requirements are configured on the MDM server and are independent of ant policy configured onISE. It is possible, although not practical, to set the polling interval even if the ISE policy does not consider theMDM Compliant dictionary attribute. Polling can be disabled by setting the value to 0 minutes, however, the advantage of polling is that if auser takes the device out of MDM compliance, they will be forced to reauthorize that device. Theshorter the polling interval, the quicker ISE will discover the condition.There are some considerations to be aware of before setting this value. The MDM compliance posture couldinclude a wide range of conditions not specific to network access. For example, the device administrator maywant to know when an employee on a corporate device has exceeded 80% of the data plan to avoid any overusage charges. In this case, blocking network access based solely on this attribute would aggravate the MDMNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 10

compliance condition and run counter to the device administrator’s intentions. In addition, the CoA willinterrupt the user Wi-Fi session, possibly terminating real-time applications such as VoIP calls.The polling interval is a global setting and cannot be set for specific users or asset classes. Therecommendation is to leave the polling interval at 0 until a full understanding of the MDM’s configuration iscomplete. If the polling interval is set, then it should match the device check-in period defined on the MDMserver. For example, if the MDM is configured such that devices will report their status every four hours, thenISE should be set to the same value and not less than half this value. Oversampling the device posture willcreate unnecessary loads on the MDM server.Updates do not happen in real time. Keep the following in mind when deciding upon a polling interval: Compliance changes on the device may not be reported to the MDM server until the device’s next scheduledcheck-in time.After the MDM server receives the changes from a device, compliance changes will not take effect until ISErequests a compliance update from the MDM server; MDM will not push.When ISE polls, it only asks for devices out of compliance.ISE only checks a specific device when the device creates a new session.ISE only reports updates which are criteria for compliance. For example: A user adds a pin lock, but pin lock isnot a compliance criteria. ISE will not report that the user added a pin lock.Test Connection. The Test Connection button will attempt to use the API to access the MDM server and isrequired prior to saving the settings with the MDM set to Enable. If the test does not complete successfully,the settings can still be saved, but the Enable box will be deselected and the connection to the MDM serverwill not be active.Some problems can occur when testing the connection to the MDM server. Table 1 shows some commonmessages generated when testing the connection between ISE and NotifyMDM. The last message shownbelow confirms a successful connection.Table 1: Connection MessagesMessageExplanationConnection failed: Please checkconnection parametersA routing or firewall problem exists between the ISE located in the datacenter and the MDM located in either the DMZ or Cloud. The firewall’sconfiguration should be checked to confirm HTTPS is allowed in thisdirection.Connection Failed 404: Not FoundThe most likely cause of an HTML 404 error code is that an instance wasconfigured when it was not required or that the wrong instance has beenconfigured.Connection Failed 403: ForbiddenThe user account setup on the NotifyMDM server does not have the properroles associated to it. Validate that the account being used by ISE isassigned the REST API MDM roles as shown above.Connection Failed 401:UnauthorizedThe user name or password is not correct for the account being used byISE. Another less likely scenario is that the URL entered is a valid MDMsite, but not the same site used to configure the MDM account above.Either of these could result in the NotifyMDM server returning an HTMLcode 401 to ISE.Connection Failed: There is aproblem with the server Certificateor ISE trust store.The MDM Server details are validand the connectivity was successful.NotifyMDM Version 3.xISE does not trust the certificate presented by the NotifyMDM website.This indicates the certificate was not imported to the ISE certificate storeas described above or the certificate has expired since it was imported.The connection has successfully been tested. The administrator shouldalso verify the MDM AUTHZ dictionary has been populated with attributes.Getting NotifyMDM Ready for ISE 11

Device Portal ManagementCisco ISE version 1.3 allows the administrator to configure certain end user elements including, but notlimited to Acceptable Use Policy Page Settings, Login Page Settings, and Portal Settings. These settings willdetermine how information appears on the device enrollment page. Instructions for the user can be madeavailable through these settings as well.From the ISE console, navigate to Administration Device Portal Management My Devices.Figure 8 Device Portal ManagementNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 12

MDM Network Access RestrictionNotifyMDM should be configured to restrict network access when devices are non-compliant.From the NotifyMDM dashboard, navigate to Organization Management Compliance Manager AccessRestrictions.Mark the box next to the Network Access option under Corporate Resources.Network Access restriction can also be imposed for a particular device platform, a single user, or a singledevice.Figure 9 MDM Network Access RestrictionNotifyMDM Version 3.xGetting NotifyMDM Ready for ISE 13

Cisco ISE assigns network access level based on enrollment and posture results. ISE redirects unenrolled devices to a page from which the NotifyMDM app can be downloaded (Android ) or to a web enrollment page (iOS). . MDM where ISE takes the client role. This is a c