Cisco Systems MaaS360 manual Ownership User Group Restrictions

Page 21

Figure 14 CVD Use Policies

These groups can be extended to the MDM such that members are issued profiles that complement their level of network access. As an example, Table 3 shows some arbitrary policies that can be established and enforced based on the CVD use cases.

Table 3

Policies Based on CVD Cases

 

 

 

 

 

Ownership

 

User Group

Restrictions

 

 

 

Employee-Owned

Domain Users

Internet Only, personal devices are not

Device

 

 

required to on-board with the MDM.

 

 

 

 

 

 

BYOD_Partial_Access

Fairly restrictive policy that isolates

 

 

 

corporate data into containers. Restrictions

 

 

 

prevent users from disabling the policy.

 

 

 

 

 

 

BYOD_Full_Access

Trusted users are offered a slightly less

 

 

 

restrictive policy. Corporate data is still

 

 

 

isolated in containers.

 

 

 

Corporate-Owned

All Users classes

Very restrictive device policy disabling

Device

 

 

non-essential business functions such as

 

 

 

the game center.

 

 

 

 

Domain_Users is the default AD group. By definition, every user defined in the directory is a domain user. While it is possible to create the reciprocal group on the MDM, it is not needed. The CVD treats non-domain members as temporary guests that are unlikely to need MDM management. More important, if a user is not a domain member, then the MDM administrator will need to define a local user account. This is likely a very small set of users that are handled as an exception, such as distinguished guests. Domain_Users are essentially everyone with an account on the MDM, including members of BYOD_Partial_Access and BYOD_Full_Access.

MDM profiles and ISE AuthZ rules are fundamentally different with respect to AD Groups. ISE policy may include the AD group match as a condition for establishing a specific and single policy. MDM profiles are not a singular result. Most devices will be provisioned with multiple profiles based on various attributes. Members of the BYOD_Full_Access and Domain_Users can each be configured for a specific profile. But if a user happens to have membership in both BYOD_Partial_Access and BYOD_Full_Access, then that user’s device is provisioned with both profiles. In addition, everyone will be provisioned with basic security restrictions. ISE will check the device to ensure these restrictions are meet before granting network access. These restrictions establish ISE compliance and are defined here as required PIN lock, encrypted storage, and non-jail broken or rooted device.

Integrating Fiberlink MaaS360 with Cisco Identity Services Engine

21

 

 

Image 21
Contents Revised August 6 Page Page Overview Fiberlink MaaS360 Capabilities and FeaturesCapability Features Fiberlink MaaS360-Key Capabilities Deployment Models Import MDM Certificate to ISE Getting Fiberlink MaaS360 Ready for ISEExporting the MDM Site Certificate with Internet Explorer Grant ISE Access to the Fiberlink MaaS360 API Manage Administrator Account Add Account Add MDM Server to ISE Configure the MDM API on ISE Message Explanation Verify Connectivity to MDMReview MDM Dictionaries DMZ Enterprise IntegrationFiberlink MaaS360 Cloud Extender Download Cloud Extender Installation Wizard AD Group Memberships Active Directory/LDAP IntegrationOwnership User Group Restrictions MDM Profiles Create Policies Shows the flow of this process MDM APNS/GCN Mobile Client Application-Fiberlink MaaS360 AgentDevice Ownership MDM On-boarding User ExperienceMDM Enrollment MDM Enrollment-Terms of Acceptance Pass Code Complexity Enterprise Application StoreInstallation of Maas360 Application Data at-Rest Corporate DataForced CoA from ISE Corporate WipeVerify Device Compliance End User PortalISE Compliance versus MDM Compliance Action Type Options Device Scanning Intervals Device Compliance/RestrictionsManually Updating the MDM Server PINLockStatusManage Lost/Stolen Devices Jailbroken or Rooted devicesRegisterStatus Application Distribution Cisco Applications Jabber, etc Disclaimer Conclusion