Cisco Systems MaaS360 manual Corporate Wipe, Forced CoA from ISE

Page 33

Querying Exchange Server using Microsoft PowerShell commands and standard APIs for vital information related to the ActiveSync enabled devices on the Exchange Server. The use of PowerShell and related APIs allows for abstraction from the specifics of the Exchange Server implementation and allows the Cloud Extender to support multiple Mailbox Servers and clustered/resilient Exchange server configurations.

Processes device and policy information and transmits it to the Fiberlink MaaS360 Portal for reporting and management functions.

Receives ActiveSync Policies, Device Actions, and Policy Assignments actions and carries out the relevant actions on the Exchange server.

Corporate Wipe

Both ISE and Fiberlink MaaS360 can remove corporate data from personal devices. Fiberlink MaaS360 calls this Selective Wipe. ISE refers to it as a Corporate Wipe. Other common terms used are selective wipe or partial wipe. When ISE issues this command, it is forwarded to Fiberlink MaaS360 via an API call. The MDM will then remove corporate applications using privileges granted to the MDM Profile. When these complete, the MDM profile is removed, which will remove all the associated sub-profiles. While it is also possible to leave some applications behind, all MDM profiles will be removed. Profiles not installed by the MDM are not deleted. This includes two profiles that were installed by ISE, one containing the CA certificate and the other containing the WiFi profile and user certificate. When an application is deleted, the associated data is also removed.

Selective wipes by themselves do not blacklist the device from either the MDM or ISE. An ISE administrator, the MDM administrator, or the user from either the ISE My Devices Portal or the Fiberlink MaaS360 may issue a selective wipe. If a selective wipe is being issued as a result of an employee’s termination, then additional steps must be undertaken, such as blacklisting the device with ISE and removing the user AD group memberships. This will prevent the user from re-enrolling the device. Optionally, the user certificate can be revoked on the CA server.

The final action is to force the user to re-authorize against ISE by disassociating them from the network. ISE release 1.2 now supports this directly from the Operations page, as shown in Figure 26. The device may immediately try to re-associate, but will match the blacklist thereby denying the device network access. The user will not be able to self-enroll this particular device until IT has removed the MAC address from the blacklist.

Figure 26 Forced CoA from ISE

Integrating Fiberlink MaaS360 with Cisco Identity Services Engine

33

 

 

Image 33
Contents Revised August 6 Page Page Overview Fiberlink MaaS360 Capabilities and FeaturesCapability Features Fiberlink MaaS360-Key Capabilities Deployment Models Import MDM Certificate to ISE Getting Fiberlink MaaS360 Ready for ISEExporting the MDM Site Certificate with Internet Explorer Grant ISE Access to the Fiberlink MaaS360 API Manage Administrator Account Add Account Add MDM Server to ISE Configure the MDM API on ISE Message Explanation Verify Connectivity to MDMReview MDM Dictionaries DMZ Enterprise IntegrationFiberlink MaaS360 Cloud Extender Download Cloud Extender Installation Wizard AD Group Memberships Active Directory/LDAP IntegrationOwnership User Group Restrictions MDM Profiles Create Policies Shows the flow of this process MDM APNS/GCN Mobile Client Application-Fiberlink MaaS360 AgentDevice Ownership MDM On-boarding User ExperienceMDM Enrollment MDM Enrollment-Terms of Acceptance Pass Code Complexity Enterprise Application StoreInstallation of Maas360 Application Data at-Rest Corporate DataForced CoA from ISE Corporate WipeVerify Device Compliance End User PortalISE Compliance versus MDM Compliance Action Type Options Device Scanning Intervals Device Compliance/RestrictionsManually Updating the MDM Server PINLockStatusManage Lost/Stolen Devices Jailbroken or Rooted devicesRegisterStatus Application Distribution Cisco Applications Jabber, etc Disclaimer Conclusion