Cisco Systems MaaS360 manual PINLockStatus, Manually Updating the MDM Server


PINLockStatus

The PINLockStatus attribute is exposed through the MDM API and can be used by ISE as a minimum requirement for network access, as shown in the CVD. Fiberlink MaaS360 lets the administrator create a PIN lock policy with rules that force users to set a PIN of a given strength (alphanumeric, minimum length, required special characters, and so on).

The user is given a grace period to set up the PIN lock. If the user does not set a PIN within 60 minutes, all corporate profiles pushed via Fiberlink MaaS360 are removed from the device. During this grace period, Fiberlink MaaS360 returns a status of "Out of Compliance" if queried by ISE.

As a best practice, the instructions issued to users explaining the on-boarding process should ask them to set a PIN lock on the device before starting on-boarding, rather than waiting for the forced PIN lock mid-way through the procedure. A user who does not do this will most likely end up in a quarantine state from NAC. Two issues are at play:

First, the MDM server does not receive a triggered update when a user creates a PIN lock. The user is required to set one, but the server does not learn of it until the next polling interval.

Second, the MDM on-boards the device by installing the MDM profile and certificate first. This secures the communications between the server and the device. After this profile is issued, the server sends a check-in request to the device.

Because only the MDM payload can respond to check-in messages, a successful check-in confirms that the device is fully under management. On the initial check-in, the device is loaded with the remaining profiles, including the one containing the PIN lock policy. Before this completes, the user will have clicked the Continue button on the MDM redirect page, which triggers a CoA. The CoA re-authorizes the device before the user has been prompted to set a PIN lock, so the MDM still reports no PIN lock and the user ends up quarantined. The workaround is to open the Fiberlink MaaS360 client and click the "Refresh" button, as shown in Figure 28, to update the server with the new posture. The user can then click Continue again, or bounce the wireless connection, to force a re-authorization.
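The timing problem described above (a CoA that re-authorizes against stale server-side posture) is easier to reason about when the two copies of the device state are kept apart. The following Python model is an added illustration and is not code from the CVD, from ISE or from MaaS360. It assumes a four-hour scheduled poll interval (the page gives no value), a simplified authorization rule (registered AND PIN lock set, otherwise quarantine), and attribute names (register_status, pin_lock_on, compliance) chosen for the example. It replays the three cases on this page: PIN set mid-way with no refresh, PIN set mid-way followed by the manual Refresh, and the best practice of setting the PIN before enrolling.

```python
from dataclasses import dataclass, field

POLL_INTERVAL_S = 4 * 60 * 60   # scheduled MDM poll interval: assumed value, not from the page


@dataclass
class Device:
    """Posture as it exists on the handset itself."""
    mac: str
    pin_lock_on: bool = False


@dataclass
class MdmServer:
    """Server-side copy of posture: refreshed only on a scheduled poll or a manual Refresh."""
    records: dict = field(default_factory=dict)

    def enroll(self, device, now):
        # Initial check-in: the server records whatever posture the device has right now.
        self.records[device.mac] = {"enrolled_at": now,
                                    "pin_lock_on": device.pin_lock_on,
                                    "last_sync": now}

    def sync(self, device, now):
        """Scheduled poll or user-triggered Refresh: copy device posture to the server."""
        rec = self.records[device.mac]
        rec["pin_lock_on"] = device.pin_lock_on
        rec["last_sync"] = now

    def query(self, mac, now):
        """Attributes returned to an ISE query (attribute names are assumed for this example)."""
        rec = self.records.get(mac)
        if rec is None:
            return {"register_status": False, "pin_lock_on": False, "compliance": False}
        return {
            "register_status": True,
            "pin_lock_on": rec["pin_lock_on"],
            # Reported Out of Compliance until a PIN is recorded server-side.
            "compliance": rec["pin_lock_on"],
        }


def ise_authorize(attrs):
    """Simplified authorization rule: registered with MDM AND PIN lock set -> corporate access."""
    if not attrs["register_status"]:
        return "Redirect-to-MDM"
    if not attrs["pin_lock_on"]:
        return "Quarantine"
    return "Permit"


def run_scenario(pin_before_enroll=False, manual_refresh=False):
    """Replay the on-boarding timeline; returns (seconds, ISE decision) at each re-authorization."""
    dev = Device("00:11:22:33:44:55", pin_lock_on=pin_before_enroll)   # constructed sample device
    mdm = MdmServer()
    decisions = []
    t = 0
    mdm.enroll(dev, t)                  # MDM profile + certificate installed, first check-in
    t += 60
    if not dev.pin_lock_on:
        dev.pin_lock_on = True          # PIN-lock profile arrives, user sets a PIN on the device
    t += 5
    decisions.append((t, ise_authorize(mdm.query(dev.mac, t))))   # user clicks Continue -> CoA
    if manual_refresh:
        t += 30
        mdm.sync(dev, t)                # user opens the MaaS360 client and taps Refresh
        t += 5
        decisions.append((t, ise_authorize(mdm.query(dev.mac, t))))  # Continue again / bounce Wi-Fi
    else:
        t = POLL_INTERVAL_S             # nothing else updates the server until the scheduled poll
        mdm.sync(dev, t)
        decisions.append((t, ise_authorize(mdm.query(dev.mac, t))))
    return decisions


if __name__ == "__main__":
    print("PIN mid-way, no refresh:     ", run_scenario())
    print("PIN mid-way, manual refresh: ", run_scenario(manual_refresh=True))
    print("PIN set before enrolling:    ", run_scenario(pin_before_enroll=True))
```

The point the model makes is that the device is correct in every case; it is the server's copy that ISE reads. Without the Refresh, the user sits in quarantine until the scheduled poll, so any pre-enrollment instructions should put the PIN step first.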

Figure 28 Manually Updating the MDM Server

Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
