Because ISE depends on these features for policy enforcement, corporate devices and personal devices with partial or full access should include a profile that specifies the Fiberlink MaaS360 Agent as a mandatory application.

The user is automatically taken to the App Store or Google Play to install the Fiberlink MaaS360 Agent during the enrollment process. The Fiberlink MaaS360 Agent can also be installed by the user directly from the App Store or Google Play. In addition to supervising the device, the client application gives end users useful information about the status of their devices. Users can determine when a device last communicated with the Fiberlink MaaS360 server, receive messages or alerts from the administrator, track data usage, or buzz the device to locate a lost device. Another useful feature of the client application is the ability to manually refresh the device's posture to the server. This is needed when the device has been placed in MDM quarantine because of a compliance violation. For example, the device may not have a PIN lock when one is required. When the user then configures a PIN lock, the OS does not notify the MDM client of the change; the client only detects it at its next security scan interval, and the server only learns of it the next time the device is polled. This could result in ISE continuing to place the device in quarantine even after the user has corrected the issue. Rather than waiting for the MDM to poll the device for an update, the user can use the mobile application to send the current posture data to the server.

Fiberlink MaaS360 also offers secure content distribution functionality that allows administrators to distribute documents, audio files, video files, pictures, and similar content securely to mobile devices. The content is available in the Fiberlink MaaS360 agent, which provides a secure container for viewing documents. Administrators can set policies to restrict copying, pasting, or emailing outside of the container, as well as to require password protection of content.

Device Ownership

One of the key components of BYOD is the mix of personal devices and corporate devices on the network and the ability to establish policy based on this attribute. Both ISE and the MDM have the concept of asset classes, which can be used to classify user-owned or corporate-owned devices. In ISE, this is based on identity groups. Ownership is an important aspect of BYOD. For example, Fiberlink MaaS360 recommends that support staff should not be allowed to issue a Full_Wipe of personal devices or track the location of a personal device. However, corporate devices may be fully wiped as a matter of normal operation and may have their location tracked, especially if travel is a key component of the job. The ability to handle the information gathered from personal and corporate devices differently is therefore important.

In this first release, there is no tight integration between the asset classes defined on ISE and those defined on the MDM; the API does not support such a device attribute. Complicating matters somewhat is the key used to identify a device: within ISE, this is the device's MAC address, which is unique across the network, whereas Fiberlink MaaS360 uses the device's UDID, which is globally unique.

ISE determines corporate devices through an identity group referred to as the Whitelist, which contains the MAC addresses of corporate assets. Discovering the MAC address of Android and Apple devices is typically a manual process; Apple lists the MAC on the Settings > General > About page. Fiberlink MaaS360 allows devices to be grouped as corporate-owned or personally-owned only after device enrollment. This can be done either via the Web Services API or through the Bulk Update feature of Fiberlink MaaS360. Using Bulk Update, an administrator can change the device ownership for a set of devices.

An enterprise may need to create a list of corporate MAC addresses and the associated UDIDs in order to provision them as corporate devices on both systems. Apart from bulk imports, another option for daily operations is device staging, which allows an administrator to on-board devices on behalf of users and, in the process, declare the device a corporate asset in both systems.
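Because ISE keys corporate devices on the MAC address (the Whitelist identity group) while MaaS360 keys them on the UDID, and the API exposes no shared ownership attribute, the two systems only stay consistent if someone maintains the MAC-to-UDID list described above and pushes it to both sides. The following script is an added example, not code from this guide, Cisco or Fiberlink. It takes a constructed corporate asset inventory and a constructed post-enrollment MDM export, normalizes the MAC addresses into one form, produces the rows for an ISE Whitelist import and the list of UDIDs needing a MaaS360 Bulk Update, and flags ownership drift in either direction. The CSV column names, the ISE import headers (`MACAddress`, `EndPointIdentityGroup`) and the ownership label `Corporate` are assumptions and must be checked against your own exports.

```python
import csv
import io
import re

# Assumed ISE endpoint import headers; "Whitelist" is the identity group named in the guide.
ISE_MAC_COLUMN = "MACAddress"
ISE_GROUP_COLUMN = "EndPointIdentityGroup"
ISE_CORPORATE_GROUP = "Whitelist"

# Assumed MaaS360 ownership label; verify against your tenant's Bulk Update values.
MDM_CORPORATE_OWNERSHIP = "Corporate"

# Constructed corporate asset inventory: MACs recorded by hand in mixed formats,
# UDIDs read from the devices during staging. Column names are hypothetical.
CORPORATE_ASSETS_CSV = """\
serial,mac,udid
SN-0001,00-11-22-33-44-55,UDID-AAAA
SN-0002,0011.2233.4466,UDID-BBBB
SN-0003,00:11:22:33:44:77,UDID-CCCC
"""

# Constructed post-enrollment device export from the MDM. Column names are hypothetical.
MDM_DEVICES_CSV = """\
udid,ownership
UDID-AAAA,Corporate
UDID-BBBB,Employee Owned
UDID-DDDD,Employee Owned
UDID-EEEE,Corporate
"""


def normalize_mac(raw: str) -> str:
    """Return the MAC as uppercase colon-separated octets (the form assumed for the
    ISE import), accepting dash-, dot- or colon-separated input; reject anything else."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_rows(csv_text: str) -> list:
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(assets: list, mdm_devices: list) -> dict:
    """Build both provisioning lists from the inventory and report discrepancies.

    ise_whitelist:         endpoint rows to import into the ISE Whitelist identity group
    mdm_bulk_update:       corporate UDIDs the MDM still marks as personally owned
    not_enrolled:          corporate assets with no MDM record yet (staging incomplete)
    corporate_in_mdm_only: UDIDs the MDM marks corporate that the inventory does not know
    """
    mdm_by_udid = {d["udid"]: d for d in mdm_devices}
    inventory_udids = {a["udid"] for a in assets}
    ise_whitelist, mdm_bulk_update, not_enrolled = [], [], []
    seen_macs = set()
    for asset in assets:
        mac = normalize_mac(asset["mac"])
        if mac in seen_macs:
            # Two assets sharing a MAC would collapse into one ISE endpoint; stop early.
            raise ValueError(f"duplicate MAC in inventory: {mac}")
        seen_macs.add(mac)
        ise_whitelist.append({ISE_MAC_COLUMN: mac, ISE_GROUP_COLUMN: ISE_CORPORATE_GROUP})
        device = mdm_by_udid.get(asset["udid"])
        if device is None:
            not_enrolled.append(asset["udid"])
        elif device["ownership"] != MDM_CORPORATE_OWNERSHIP:
            mdm_bulk_update.append(asset["udid"])
    corporate_in_mdm_only = sorted(
        d["udid"] for d in mdm_devices
        if d["ownership"] == MDM_CORPORATE_OWNERSHIP and d["udid"] not in inventory_udids
    )
    return {
        "ise_whitelist": ise_whitelist,
        "mdm_bulk_update": mdm_bulk_update,
        "not_enrolled": not_enrolled,
        "corporate_in_mdm_only": corporate_in_mdm_only,
    }


def run_sample() -> dict:
    """Reconcile the constructed inventory against the constructed MDM export."""
    return reconcile(load_rows(CORPORATE_ASSETS_CSV), load_rows(MDM_DEVICES_CSV))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The `corporate_in_mdm_only` list is the one worth a scheduled check: a device the MDM treats as corporate (and therefore eligible for Full_Wipe and location tracking) that the asset inventory never declared is exactly the ownership mismatch the previous paragraphs warn about, and it will not be noticed by either system on its own.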

26 Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
