PINLockStatus

PINLockStatus is one of the attributes exposed through the MDM API and can be used by ISE as a minimum requirement for network access, as shown in this CVD. Fiberlink MaaS360 lets the administrator create a PIN lock policy and set rules that force users to choose PINs of a given strength (alphanumeric, minimum length, special characters, and so on).

The user is given a grace period in which to set up the PIN lock. If the user does not set a PIN within 60 minutes, all corporate profiles pushed through Fiberlink MaaS360 are removed from the device. During this grace period, Fiberlink MaaS360 returns a status of “Out of Compliance” if queried by ISE.

As a best practice, the instructions issued to users explaining the on-boarding process should ask them to set a PIN lock on the device before starting on-boarding, rather than waiting for the forced PIN lock part-way through the procedure. A user who does not do this will most likely end up in the NAC quarantine state. Two issues are at play:

First, the MDM server does not receive a triggered update when the user creates a PIN lock. The user is required to enter one, but the server does not become aware of it until the next polling interval.

Second, MDM on-boarding installs the MDM profile and certificate first. This secures communications between the server and the device. After this profile is issued, the server sends a check-in request to the device.

Because the MDM payload is required to respond to check-in messages, a successful check-in confirms that the device is fully under management. On the initial check-in, the remaining profiles are loaded onto the device, including the one containing the PIN lock policy. Before this completes, the user will typically have clicked the Continue button on the MDM redirect page, which triggers a CoA. The CoA re-authorizes the device before the user has been prompted to set a PIN lock, so the device ends up quarantined. The workaround is to open the Fiberlink MaaS360 client and click the “Refresh” button, as shown in Figure 28, to update the server with the new posture. The user can then click Continue again, or bounce the wireless connection to force a re-authorization.

Figure 28 Manually Updating the MDM Server
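The timing race described above can be modeled on a simple minute-by-minute timeline. The following Python is an added illustration and is not Cisco or Fiberlink code: it models what the MDM server knows about the device at the moment ISE re-authorizes it, given that the server only learns of a PIN at the initial check-in, at a periodic poll, or at a manual Refresh. The 60-minute grace period comes from the text; the 15-minute polling interval, the assumption that the device-side agent enforces the grace period, and the attribute names register_status, pin_lock_on and compliant are assumptions for the model, not the exact ISE MDM API field names.

```python
"""Timeline model of the PIN-lock race between the MaaS360 polling interval
and the ISE CoA, as described above.

Added illustration, not Cisco or Fiberlink code. Times are minutes since MDM
enrollment (the initial check-in happens at minute 0). Values and names
marked 'assumed' are not given on the page.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PIN_GRACE_MIN = 60       # from the page: profiles removed if no PIN within 60 minutes
POLL_INTERVAL_MIN = 15   # assumed: the page only says "the polling interval"


@dataclass
class Device:
    pin_set_at: Optional[int] = None        # minute the user set a PIN (negative = before enrollment)
    manual_refreshes: Tuple[int, ...] = ()  # minutes the user pressed "Refresh" in the MaaS360 client


def mdm_view(device: Device, now: int) -> dict:
    """Return the attributes the MDM server would report to ISE at minute `now`.

    The server learns of a PIN only at the initial check-in (minute 0), at a
    periodic poll, or when the user forces a refresh from the client; setting
    the PIN on the device itself does not trigger an update to the server.
    Attribute names are illustrative, not the exact ISE MDM API field names.
    """
    update_times = set(range(0, now + 1, POLL_INTERVAL_MIN))
    update_times.update(t for t in device.manual_refreshes if t <= now)
    pin_known = device.pin_set_at is not None and any(
        t >= device.pin_set_at for t in update_times
    )
    # Assumed: the device-side agent enforces the grace period, so after
    # PIN_GRACE_MIN minutes with no PIN the corporate profiles (and with
    # them the enrollment) are gone.
    still_enrolled = now < PIN_GRACE_MIN or (
        device.pin_set_at is not None and device.pin_set_at < PIN_GRACE_MIN
    )
    return {
        "register_status": still_enrolled,
        "pin_lock_on": still_enrolled and pin_known,
        # During the grace period the server reports Out of Compliance.
        "compliant": still_enrolled and pin_known,
    }


def ise_authorize(view: dict) -> str:
    """ISE authorization result for an MDM attribute set (illustrative policy).

    Unregistered devices are redirected to the MDM portal; registered but
    non-compliant devices (for example, no PIN lock yet) are quarantined.
    """
    if not view["register_status"]:
        return "REDIRECT_TO_MDM"
    if not (view["pin_lock_on"] and view["compliant"]):
        return "QUARANTINE"
    return "PERMIT"


def authorize_at(device: Device, coa_at: int) -> str:
    """Decision ISE reaches when a CoA / re-authorization occurs at minute `coa_at`."""
    return ise_authorize(mdm_view(device, coa_at))


if __name__ == "__main__":
    scenarios = {
        "PIN set before on-boarding, Continue at minute 3":
            (Device(pin_set_at=-5), 3),
        "PIN set at minute 3 when prompted, Continue at minute 3":
            (Device(pin_set_at=3), 3),
        "same, but Refresh pressed at minute 4, then Continue at minute 4":
            (Device(pin_set_at=3, manual_refreshes=(4,)), 4),
        "same, no Refresh, wireless bounced at the next poll (minute 15)":
            (Device(pin_set_at=3), 15),
        "never sets a PIN, re-authorizes at minute 61":
            (Device(), 61),
    }
    for label, (dev, t) in scenarios.items():
        print(f"{label}: {authorize_at(dev, t)}")
```

The second scenario is the race from the text: the PIN exists on the device, but the server view ISE queries is still the one taken at the initial check-in, so the CoA lands the device in quarantine. The third and fourth scenarios are the two ways out described above, a manual Refresh or waiting for the next poll and re-authorizing, and the first scenario shows why setting the PIN before on-boarding avoids the problem entirely.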

Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
