Cisco Systems MaaS360 manual Device Compliance/Restrictions, Device Scanning Intervals


Table 5. MDM Responses

Action Type | Options

Jailbreak/Rooted Device Enforcement

Application Compliance

Currently, the MDM does not provide a method to mark compliance checks that are not reported to ISE. ISE cannot assert that a network security issue caused a device to be MDM non-compliant.

Device Compliance/Restrictions

Restrictions and compliance are distinct but related concepts. The user is required to meet compliance for non-restrictive access. If a PIN lock is required, the device will be locked until the user selects a PIN that meets the established complexity. If the camera has been disabled, the icon is removed and the user has no way to launch the camera application. Restrictions are policy elements that are enforced without exception. Non-compliance is when a device is operating outside of the established policy.

Non-restrictive items that could cause compliance events are things such as the minimum OS version. The key point is that it is not possible to be non-compliant with a restriction. The exception is restrictions that include a grace period.

Device Scanning Intervals

The MDM client application can periodically scan the device. There are several different scans that run on different intervals. They are also available as device queries:

Device Information—General information about the device includes serial numbers, UDID, phone number, operating system, model, battery status, etc.

Security—Includes encryption status, device compromised, data roaming, SIM card status, and the number of profiles installed but not active.

Profiles—The installed profiles on the device, including those not installed by Fiberlink MaaS360.

Apps—A complete inventory of all the applications installed on the device.

Certificates—A list of the installed certificates on the device.

Scan information is available in the device details screen. When a device periodically checks in with the MDM server, it will notify the server of the current scan results.

Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
