Cisco MaaS360 User Manual

Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Revised: August 6, 2013
2
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco’s trademarks can be found at
http://www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their
respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
© 2013 Cisco Systems, Inc. All rights reserved.
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
3
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
This document supplements the Cisco Bring Your Own Device (BYOD) CVD (
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD _Design_Guide.html) and provides mobile device management (MDM) partner-specific information as
needed to integrate with Cisco ISE. In an effort to maintain readability, some of the information presented in the CVD is repeated here. However this document is not intended to provide standalone BYOD guidance. Furthermore, only a subset of the Fiberlink MaaS360 functionality is discussed. Features not required to extend ISE’s capabilities may be mentioned, but not in the detail required for a comprehensive understanding. The reader should be familiar with the Fiberlink MaaS360 Administrator’s guide.
This document is targeted at existing or new Fiberlink MaaS360 customers. Information necessary to select an MDM partner is not offered in this document. The features discussed are considered to be core functionality present in all MDM software and are required to be compatible with the ISE API.

Overview

Fiberlink MaaS360 secures and manages BYOD and company provided smartphones and tablets. This cloud-based service provides IT administrators the ability to quickly on-board and proactively secure iOS, Android, BlackBerry, and Kindle devices. Fiberlink MaaS360 also provides pre-built integrations with critical enterprise security, identity, email, and mobility infrastructure for a seamless enterprise mobility and collaboration experience on both campus WLAN and carrier networks.

Fiberlink MaaS360 Capabilities and Features

Fiberlink MaaS360 provides the life-cycle management capabilities and features highlighted in Tab l e 1.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2013 Cisco Systems, Inc. All rights reserved.
Ta b l e 1 Fiberlink MaaS360—Key Capabilities
Capability Features
Architecture and Adminintration
SaaS delivery model
Multi-tenant, scalable, and redundant cloud architecture
Independent SOC2 Type II cloud compliance audit conducted annually
Safe Harbor Certification for European Union Directive on Data Protection
Authority to operate (OTA) in accordance with U.S. Federal Information Security Management
Act (FISMA)
Role-based admin access to Fiberlink MaaS360 Admin Portal
Custom branding capabilities
API support
Multiple mobile OS support including iOS, Android, BlackBerry, Windows, and Kindle
Device Enrollment Select device management services and configure device enrollment settings on Fiberlink
MaaS360 Admin Portal
Send enrollment requests over the air using SMS, email, or a custom URL
Authenticate users against Active Directory/LDAP, one- time passcode, or SAML
Create and distribute customized acceptable use policies and End User License Agreements
(EULA)
Enroll both corporate and employee owned (BYOD) devices
Proactive Device Security
Central Policy Management
Initiate either individual or bulk device enrollments
Apply or modify default device policy settings
Require passcode policies with configurable quality, length, and duration
Enforce encryption and password visibility settings
Set device restrictions on features, camera, applications, iCloud, and content ratings
Detect and restrict jail broken and rooted devices
Remotely locate, lock, and wipe lost or stolen devices
Selectively wipe corporate data, leaving personal data intact
Define and implement real-time compliance rules with automated actions
Enable geo-fencing rules to enforce location related compliance
Configure email, calendar, contacts, Wi-Fi, and VPN profiles over-the-air (OTA)
Approve or quarantine new mobile devices on the network
Create custom groups for granular or role-based policy management
Define role-based administrative portal access rights to Fiberlink MaaS360 Admin Portal
Decommission devices by removing corporate data and mobile device management control
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
5
Table 1 Fiberlink MaaS360—Key Capabilities
Enterprise Application Catalog
Secure Content Distribution
Manage and distribute third-party and in-house mobile apps from the Fiberlink MaaS360 Admin
Portal
Develop a catalog of recommended mobile apps on iOS and Android devices
Users can view apps, install, and be alerted to updated apps on private app catalog
Manage lifecycle of app workflow:
Real-time software inventory reports
App distribution and installation tracking
App update publishing
Provisioning profile management
Administer mobile app security and compliance policies:
Blacklist and whitelist mobile apps downloaded from Apple App Store and Google Play
Enforce out-of compliance rules by sending user alerts, blocking email or VPN, and remote wiping
Limit native apps available on the device such as YouTube
Require user authentication and authorization before they download in-house apps
Detailed reporting across app compliance events and remediation actions
Host and distribute in-house mobile apps on Fiberlink MaaS360 Cloud
Support for volume purchase programs on Apple App Store:
Automatically upload redemption codes in Fiberlink MaaS360 Cloud
Track provisioning, manage licenses, monitor compliance, and eliminate manual VPP management
Securely access, view, and share documents in the Doc Catalog on iPads, iPhones, and Android
Devices
Add additional security with native device encryption, passcode, and remote wipe of lost or
stolen devices
Support for multiple document formats including:
Microsoft
Google
Apple Productivity Suites
PDF, web, audio, and video files
Host documents on a corporate network or on Fiberlink MaaS360 Cloud
Block documents from being opened in file sharing or word processing applications for data loss
prevention
Set policies on certain documents to restrict them from being emailed from corporate or personal
accounts
Alert users on new or updated content in their Doc Catalog without the need to manually check
for updates
Generate reports on documents, users, and devices to monitor status and usage for compliance
6
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Table 1 Fiberlink MaaS360—Key Capabilities
Monitoring and Reporting
Enterprise Integrations
Detailed hardware and software inventory reports
Configuration and vulnerability details
Integrated smart search capabilities across any attribute
Customizable watch lists to track and receive alerts
BYOD privacy settings block collection of personally identifiable information
Mobile expense management for real-time data usage monitoring and alerting
Instant discovery of devices accessing enterprise systems with Fiberlink MaaS360 Connector
Integrate with Microsoft Exchange, Lotus Notes, and Microsoft Office 365 including:
Microsoft Exchange 2007 and 2010
BPOS and Office 365
Lotus Traveler 8.5.2
Integrate with existing Active Directory/LDAP and Certificate Authorities
Manage BlackBerry Enterprise Server policies on BlackBerry Enterprise Server 5.0 and higher
Connect with other operational systems through web APIs
The Fiberlink MaaS360 solution has three main components:
Portals (Administration and End User)
Fiberlink MaaS360 Server in the Cloud that manages policies and compliance rules
Fiberlink MaaS360 Agent software that runs on mobile devices
Beyond these, there is an additional component for enterprise integration called Fiberlink MaaS360 Cloud Extender that integrates with AD, LDAP, email servers, and the PKI infrastructure. The majority of the base functionality is available through the MDM API built into the mobile device operating system. Fiberlink MaaS360 requires the client software to detect some conditions, such as jail-broken or rooted devices. Because ISE tests for these conditions, the Fiberlink MaaS360 server is configured to treat the client software as a required application and will install the software during the on-boarding process.

Deployment Models

Fiberlink MaaS360 offers only a cloud-based service model. To integrate with enterprise backend systems, customers need to install Fiberlink MaaS360 Cloud Extender software on either a physical or virtual machine within their network. Fiberlink MaaS360 Cloud Extender is lightweight software that establishes outbound connection with the Fiberlink MaaS360 cloud. There is no requirement to open any inbound firewall ports to support the Fiberlink MaaS360 Cloud Extender.
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
7

Getting Fiberlink MaaS360 Ready for ISE

AD/LDAP
Certificate
Authority
Cloud
Extender
FiberLink
Cloud
Cisco ISE
The first requirement is to establish basic connectivity between the Cisco ISE server and the Fiberlink MaaS360 MDM server. A firewall is typically located between ISE and the Fiberlink MaaS360 cloud. The firewall should be configured to allow an HTTPS session from ISE located in the data center to the Fiberlink MaaS360 server located in the public Internet. The session is established outbound from ISE towards the MDM where ISE takes the client role. This is a common direction for web traffic over corporate firewalls.
Figure 1 Traffic Through Firewall

Import MDM Certificate to ISE

The Fiberlink MaaS360 MDM server incorporates an HTTPS portal to support the various users of the system. In the case of a cloud service, this website will be provided to the enterprise and ISE must establish trust with this website. Even though the cloud website is authenticated with a publicly signed certificate, ISE does not maintain a list of trusted root CAs. Therefore the administrator must establish the trust relationship. The simplest approach is to export the MDM site certificate, then import the certificate into a local cert store in ISE. Most browsers allow this. Internet explorer is shown in Figure 2 with a cloud-based MDM deployment.
8
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Figure 2 Exporting the MDM Site Certificate with Internet Explorer
Fiberlink MaaS360 utilizes a wildcard certificate that is valid for all portal websites belonging to the Fiberlink MaaS360 portals domain.
Exporting a certificate from Firefox is co
vered in the CVD and repeated in Figure 3.
Figure 3 Exporting the MDM Site Certificate with Firefox
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
9
Figure 4 Importing the Certificate in ISE

Grant ISE Access to the Fiberlink MaaS360 API

The Fiberlink MaaS360 API is protected by HTTPS and requires an administrator account that has been granted permission to the API. Ideally a specific account would be configured for ISE with a very strong password. In addition to this account, only a limited number of administrator accounts should be granted the ability to create new administrators or assign administrator roles.
Before the user is created, an API role should be created for ISE, as shown in Figure 5. This role will then be tied to an administrator account assigned to ISE along with a location group for the account.
istrators can manage the system settings assigned to their role, which can be selected on a per role
Admin basis. Additional details concerning location groups are available in the Fiberlink MaaS360 documentation. A local administrator account is required for the REST MDM API roles to function properly.
10
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Figure 5 Manage Administrator Account
Each account type can be assigned roles entitling that user to specific features of the system. Also the role of service administrator can be used to manage the API from ISE.
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
11
Figure 6 Add Account
The MDM role created for ISE requires the REST API features. The list shown in Figure 7 identifies the rights which should be selected.
12
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Figure 7 Assign Role to the Account
Once the role as been added, an admin account can be created for ISE.

Add MDM Server to ISE

Once the account has been defined on the Fiberlink MaaS360 MDM server with the proper roles, ISE can be configured to use this account when querying the MDM for device information. ISE will contact the MDM to gather posture information about devices or to issue device commands, such as corporate wipe or lock. The session is initiated from ISE towards the MDM server. As shown in Figure 8, the URL for the Fiberlink MaaS360 server and the configuration is illustrated. This is configured under Administration > Network resources > MDM.
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
13
Loading...
+ 29 hidden pages