NIST SPECIAL PUBLICATION 1800-21C


Mobile Device Security:

Corporate-Owned Personally-Enabled (COPE)


Volume C:

How-to Guides


Joshua M. Franklin*

Gema Howell

Kaitlin Boeckl

Naomi Lefkovitz

Ellen Nadeau*

Applied Cybersecurity Division
Information Technology Laboratory


Dr. Behnam Shariati

University of Maryland, Baltimore County
Department of Computer Science and Electrical Engineering
Baltimore, Maryland


Jason G. Ajmo

Christopher J. Brown

Spike E. Dog

Frank Javar

Michael Peck

Kenneth F. Sandlin

The MITRE Corporation
McLean, Virginia


*Former employee; all work for this publication done while at employer.

September 2020

Final

This publication is available free of charge from:

https://doi.org/10.6028/NIST.SP.1800-21

The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/projects/building-blocks/mobile-device-security/enterprise

DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-21C Natl. Inst. Stand. Technol. Spec. Publ. 1800-21C, 167 pages, (September 2020), CODEN: NSPUE2

FEEDBACK

As a private-public partnership, we are always seeking feedback on our practice guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at mobile-nccoe@nist.gov.

All comments are subject to release under the Freedom of Information Act.

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in information technology security—the NCCoE applies standards and best practices to develop modular, adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to re-create the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland.

To learn more about the NCCoE, visit https://www.nccoe.nist.gov.
To learn more about NIST, visit https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication 1800 series) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

Mobile devices provide access to vital workplace resources while giving employees the flexibility to perform their daily activities. Securing these devices is essential to the continuity of business operations.

While mobile devices can increase efficiency and productivity, they can also leave sensitive data vulnerable. Mobile device management tools can address such vulnerabilities by helping secure access to networks and resources. These tools are different from those required to secure the typical computer workstation.

This practice guide focuses on security enhancements that can be made to corporate-owned personally-enabled (COPE) mobile devices. COPE devices are owned by an enterprise and issued to an employee. Both the enterprise and the employee can install applications onto the device.

To address the challenge of securing COPE mobile devices while managing risks, the NCCoE at NIST built a reference architecture to show how various mobile security technologies can be integrated within an enterprise’s network.

This NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their mobile device security and privacy needs.

KEYWORDS

Corporate-owned personally-enabled; COPE; mobile device management; mobile device security; on-premise; bring your own device; BYOD

ACKNOWLEDGEMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name | Organization
Donna Dodson | NIST
Vincent Sritapan | Department of Homeland Security, Science and Technology Directorate
Jason Frazell | Appthority (acquired by Symantec—A division of Broadcom)
Joe Midtlyng | Appthority (acquired by Symantec—A division of Broadcom)
Chris Gogoel | Kryptowire
Tom Karygiannis | Kryptowire
Tim LeMaster | Lookout
Victoria Mosby | Lookout
Michael Carr | MobileIron
Walter Holda | MobileIron
Farhan Saifudin | MobileIron
Jeff Lamoureaux | Palo Alto Networks
Sean Morgan | Palo Alto Networks
Kabir Kasargod | Qualcomm
Viji Raveendran | Qualcomm
Lura Danley | The MITRE Corporation
Eileen Durkin | The MITRE Corporation
Sallie Edwards | The MITRE Corporation
Marisa Harriston | The MITRE Corporation
Milissa McGinnis | The MITRE Corporation
Nick Merlino | The MITRE Corporation
Doug Northrip | The MITRE Corporation
Titilayo Ogunyale | The MITRE Corporation
Oksana Slivina | The MITRE Corporation
Tracy Teter | The MITRE Corporation
Paul Ward | The MITRE Corporation

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator | Build Involvement
Appthority* | Appthority Cloud Service, Mobile Threat Intelligence
Kryptowire | Kryptowire Cloud Service, Application Vetting
Lookout | Lookout Cloud Service/Lookout Agent Version 5.10.0.142 (iOS), 5.9.0.420 (Android), Mobile Threat Defense
MobileIron | MobileIron Core Version 9.7.0.1, MobileIron Agent Version 11.0.1A (iOS), 10.2.1.1.3R (Android), Enterprise Mobility Management
Palo Alto Networks | Palo Alto Networks PA-220
Qualcomm | Qualcomm Trusted Execution Environment (version is device dependent)

*Appthority (acquired by Symantec—A division of Broadcom)

List of Figures

Figure 1‑1 Logical Architecture Summary

Figure 2‑1 MobileIron Repository Configuration

Figure 2‑2 MobileIron Core Version

Figure 2‑3 MobileIron Download Status

Figure 2‑4 Validating Database Data

Figure 2‑5 Validating Database Data Confirmation

Figure 2‑6 Database Data Validation Initiation Confirmation

Figure 2‑7 Database Data Validation Status

Figure 2‑8 Software Updates Reboot Prompt

Figure 2‑9 Software Update Reboot Confirmation

Figure 2‑10 Reboot Configuration Save Prompt

Figure 2‑11 Upgrade Status

Figure 2‑12 Ability to Upgrade to 9.7.0.1

Figure 2‑13 LDAP Settings

Figure 2‑14 LDAP OUs

Figure 2‑15 LDAP User Configuration

Figure 2‑16 LDAP Group Configuration

Figure 2‑17 Selected LDAP Group

Figure 2‑18 LDAP Advanced Options

Figure 2‑19 Testing LDAP Configuration

Figure 2‑20 LDAP Test Result 1

Figure 2‑21 MobileIron Device Labels

Figure 2‑22 Adding a Device Label

Figure 2‑23 Device Label Matches

Figure 2‑24 MobileIron Label List

Figure 2‑25 MobileIron SCEP Configuration

Figure 2‑26 Test SCEP Certificate Configuration

Figure 2‑27 Test SCEP Certificate

Figure 2‑28 MobileIron VPN Configuration

Figure 2‑29 Palo Alto Networks Management Interface Enabled

Figure 2‑30 Management Interface Configuration

Figure 2‑31 Palo Alto Networks Firewall General Information

Figure 2‑32 Palo Alto Networks Services Configuration

Figure 2‑33 DNS Configuration

Figure 2‑34 NTP Configuration

Figure 2‑35 Ethernet Interfaces

Figure 2‑36 Ethernet Interface Configuration

Figure 2‑37 WAN Interface IPv4 Configuration

Figure 2‑38 WAN Interface IP Address Configuration

Figure 2‑39 Completed WAN Interface Configuration

Figure 2‑40 Security Zone List

Figure 2‑41 LAN Security Zone Configuration

Figure 2‑42 Virtual Router Configuration

Figure 2‑43 Virtual Router General Settings

Figure 2‑44 SSL VPN Tunnel Interface

Figure 2‑45 Application Categories

Figure 2‑46 MobileIron Core Palo Alto Networks Application Configuration

Figure 2‑47 MobileIron Application Port Configuration

Figure 2‑48 DMZ Access to MobileIron Firewall Rule Configuration

Figure 2‑49 DMZ Access to MobileIron Security Rule Source Zone Configuration

Figure 2‑50 DMZ Access to MobileIron Security Rule Destination Address Configuration

Figure 2‑51 DMZ Access to MobileIron Security Rule Application Protocol Configuration

Figure 2‑52 DMZ Access to MobileIron Security Rule Action Configuration

Figure 2‑53 Outbound NAT Rule

Figure 2‑54 Outbound NAT Original Packet Configuration

Figure 2‑55 Outbound NAT Translated Packet Configuration

Figure 2‑56 LDAP Profile

Figure 2‑57 Authentication Profile

Figure 2‑58 Advanced Authentication Profile Settings

Figure 2‑59 LDAP Group Mapping

Figure 2‑60 LDAP Group Include List

Figure 2‑61 Authentication Policy Source Zones

Figure 2‑62 Authentication Policy Destination Zones

Figure 2‑63 Authentication Profile Actions

Figure 2‑64 Import MobileIron Certificate

Figure 2‑65 Certificate Profile

Figure 2‑66 Internal Root Certificate Profile

Figure 2‑67 SSL/TLS Service Profile

Figure 2‑68 Custom URL Category

Figure 2‑69 URL Filtering Profile

Figure 2‑70 URL Filtering Security Policy

Figure 2‑71 General GlobalProtect Gateway Configuration

Figure 2‑72 GlobalProtect Authentication Configuration

Figure 2‑73 GlobalProtect Tunnel Configuration

Figure 2‑74 VPN Client IP Pool

Figure 2‑75 VPN Client Settings

Figure 2‑76 VPN Authentication Override Configuration

Figure 2‑77 VPN User Group Configuration

Figure 2‑78 VPN Split Tunnel Configuration

Figure 2‑79 GlobalProtect Portal Configuration

Figure 2‑80 GlobalProtect Portal SSL/TLS Configuration

Figure 2‑81 GlobalProtect External Gateway Configuration

Figure 2‑82 GlobalProtect Portal Agent Configuration

Figure 2‑83 Schedule Link

Figure 2‑84 Threat Update Schedule

Figure 2‑85 MobileIron Users

Figure 2‑86 Kryptowire API User Configuration

Figure 2‑87 MobileIron User List

Figure 2‑88 Kryptowire API User Space Assignment

Figure 2‑89 Kryptowire Device List

Figure 2‑90 MobileIron User List

Figure 2‑91 MobileIron Lookout User Configuration

Figure 2‑92 Lookout MobileIron Admin Account

Figure 2‑93 Lookout Account Space Assignment

Figure 2‑94 MobileIron Label List

Figure 2‑95 MTP Low Risk Label Configuration

Figure 2‑96 MobileIron App Catalog

Figure 2‑97 Adding Lookout for Work to the MobileIron App Catalog

Figure 2‑98 Lookout for Work Application Configuration

Figure 2‑99 Lookout for Work Application Configuration

Figure 2‑100 Lookout for Work AFW Configuration

Figure 2‑101 Apply Lookout for Work to Android Devices

Figure 2‑102 Apply To Labels Dialogue

Figure 2‑103 Lookout for Work with Applied Labels

Figure 2‑104 MobileIron App Catalog

Figure 2‑105 Lookout for Work Selected From iTunes

Figure 2‑106 Lookout for Work App Configuration

Figure 2‑107 Lookout for Work App Configuration

Figure 2‑108 Lookout for Work Managed App Settings

Figure 2‑109 App Catalog with Lookout for Work

Figure 2‑110 Lookout for Work Selected

Figure 2‑111 Apply To Labels Dialogue

Figure 2‑112 App Catalog with Lookout for Work

Figure 2‑113 Importing Managed Application Configuration

Figure 2‑114 plist File Configuration

Figure 2‑115 Lookout Configuration Selected

Figure 2‑116 Apply To Label Dialogue

Figure 2‑117 Lookout Configuration With Labels

Figure 2‑118 Add Lookout Connector Display

Figure 2‑119 Connector Settings

Figure 2‑120 Connector Enrollment Settings

Figure 2‑121 Connector Sync Settings

Figure 2‑122 MobileIron App Control Rule

Figure 2‑123 MobileIron App Control Rule

Figure 2‑124 MTP High Risk Compliance Action

Figure 2‑125 Baseline Policy Selection

Figure 2‑126 MTP High Risk Policy

Figure 2‑127 Security Policy Trigger

Figure 2‑128 Policy List

Figure 2‑129 Apply To Label Dialogue

Figure 2‑130 Appthority User Settings

Figure 2‑131 Appthority Connector User

Figure 2‑132 Appthority Connector Space Assignment

Figure 2‑133 Appthority Connector CLI Configuration

Figure 2‑134 Appthority EMM Connector Status

Figure 2‑135 iOS Reset Screen

Figure 2‑136 Erase iPhone Confirmation

Figure 2‑137 Erase iPhone Final Confirmation

Figure 2‑138 Entering iOS Passcode

Figure 2‑139 iOS Trust Computer Confirmation

Figure 2‑140 Entering Passcode to Trust Computer

Figure 2‑141 Configurator 2 Erase Confirmation

Figure 2‑142 Restoring iPhone

Figure 2‑143 Device Preparation Options

Figure 2‑144 MDM Server Selection

Figure 2‑145 Signing into Apple Account

Figure 2‑146 Organization Assignment Dialogue

Figure 2‑147 Creating an Organization

Figure 2‑148 Supervisory Identity Configuration

Figure 2‑149 Organization Selection

Figure 2‑150 Supervising Identity Selection

Figure 2‑151 Selected Organization

Figure 2‑152 Create an Organization Supervision Identity Configuration

Figure 2‑153 Setup Assistant Configuration

Figure 2‑154 Waiting for iPhone

Figure 2‑155 iOS Device MobileIron Registration Page

Figure 2‑156 Opening Settings Confirmation

Figure 2‑157 Profile Installation

Figure 2‑158 Profile Installation

Figure 2‑159 Profile Installation Warning

Figure 2‑160 Profile Installation Trust Confirmation

Figure 2‑161 Profile Installation Confirmation

Figure 2‑162 Lookout for Work Splash Screen

Figure 2‑163 Lookout for Work Permission Information

Figure 2‑164 Notifications Permissions Prompt

Figure 2‑165 Locations Permission Prompt

Figure 2‑166 Lookout for Work Home Screen

Figure 2‑167 MobileIron AFW Configuration

Figure 2‑168 AFW Configuration

Figure 2‑169 MobileIron Enrollment Process

Figure 2‑170 AFW Enrollment

Figure 2‑171 MobileIron Installation

Figure 2‑172 Accepting AFW Terms and Conditions

Figure 2‑173 MobileIron Privacy Information

Figure 2‑174 MobileIron Configuration Required Notification

Figure 2‑175 MobileIron Device Status

Figure 2‑176 AFW Configuration

Figure 2‑177 AFW Workspace Creation

Figure 2‑178 MobileIron Work Profile Lock Preferences

Figure 2‑179 MobileIron Google Account Configuration

Figure 2‑180 MobileIron Device Status

List of Tables

Table 1‑1 Typographic Conventions

Table 2‑1 Implemented Security Policies

Table 2‑2 Implemented Security Policies

Table 2‑3 Implemented Security Policies

1 Introduction

The following volumes of this guide show information technology (IT) professionals and security engineers how we implemented this example solution. We cover all of the mobile device security products employed in this reference design. We do not re-create the product manufacturers’ documentation, which is presumed to be widely available. Rather, these volumes show how we incorporated the products together in our environment.

Note: These are not comprehensive tutorials. There are many possible service and security configurations for these products that are out of scope for this reference design.

1.1 Practice Guide Structure

This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate the NCCoE's approach to addressing mobile device security (MDS) implementation challenges for Corporate-Owned Personally-Enabled (COPE) deployments. This reference design is modular and can be deployed in whole or in part.

This guide contains three volumes:

  • NIST SP 1800-21A: Executive Summary

  • NIST SP 1800-21B: Approach, Architecture, and Security Characteristics – what we built and why

  • NIST SP 1800-21C: How-To Guides – instructions for building the example solution (you are here)

Depending on your role in your organization, you might use this guide in different ways:

Business decision makers, including chief security and technology officers, will be interested in the Executive Summary, NIST SP 1800-21A, which describes the following topics:

  • challenges that enterprises face in securely deploying COPE mobile devices

  • example solution built at the National Cybersecurity Center of Excellence (NCCoE)

  • benefits of adopting the example solution

Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in NIST SP 1800-21B, which describes what we did and why. The following sections will be of particular interest:

  • Section 3.4, Risk Assessment, describes the risk analysis we performed.

  • Section 4.3, Security Control Map, discusses the security mappings of this example solution to cybersecurity standards and best practices.

You might share the Executive Summary, NIST SP 1800-21A, with your leadership team members to help them understand the importance of adopting standards-based solutions when addressing COPE mobile device security implementation challenges.

IT professionals who want to implement an approach like this will find this whole practice guide useful. You can use this How-To portion of the guide, NIST SP 1800-21C, to replicate all or parts of the build created in our lab. This How-To portion of the guide provides specific product installation, configuration, and integration instructions for implementing the example solution. We do not recreate the product manufacturers’ documentation, which is generally widely available. Rather, we show how we incorporated the products together in our environment to create an example solution.

This guide assumes that IT professionals have experience implementing security products within the enterprise. While we have used a suite of commercial products to address this challenge, this guide does not endorse these particular products. Your organization can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of this guide’s example solution for on-premises mobile device security management. Your organization’s security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. We hope that you will seek products that are congruent with applicable standards and best practices. Section 3.6, Technologies, lists the products that we used and maps them to the cybersecurity controls provided by this reference solution.

A NIST Cybersecurity Practice Guide does not describe “the” solution, but a possible solution. Comments, suggestions, and success stories will improve subsequent versions of this guide. Please contribute your thoughts to mobile-nccoe@nist.gov.

1.2 Build Overview

When a business is on the go, mobile devices can serve as a temporary workstation replacement. They provide convenience of use, portability, and functionality. However, in many ways, mobile devices are different from the common computer workstation, and alternative management tools are required to secure their interactions with the enterprise. To address this security challenge, the NCCoE worked with its Community of Interest and build team partners and developed a real-world scenario for mobile deployment within an enterprise. The scenario presents a range of security challenges that an enterprise may experience when deploying mobile devices.

The lab environment used in developing this solution includes the architectural components, functionality, and standard best practices, which are described in Volume B. The build team partners provided the security technologies used to deploy the architecture components and functionality. The standard best practices are applied to the security technologies to ensure the appropriate security controls are put in place to meet the challenges presented in the devised scenario.

This section of the guide documents the build process and discusses the specific configurations used to develop a secure mobile deployment.

Note: Android for Work (AFW) has been re-branded as Android Enterprise. At the time of writing this document, it was named Android for Work.

1.3 Typographic Conventions

The following table presents typographic conventions used in this volume.

Table 1-1 Typographic Conventions

Typeface/Symbol | Meaning | Example
Italics | file names and path names; references to documents that are not hyperlinks; new terms; and placeholders | For language use and style guidance, see the NCCoE Style Guide.
Bold | names of menus, options, command buttons, and fields | Choose File > Edit.
Monospace | command-line input, onscreen computer output, sample code examples, and status codes | mkdir
Monospace Bold | command-line user input contrasted with computer output | service sshd start
blue text | link to other parts of the document, a web URL, or an email address | All publications from NIST’s NCCoE are available at https://www.nccoe.nist.gov.

1.4 Logical Architecture Summary

The following graphic illustrates the main components of this example implementation and provides a view of how they interact.

Figure 1‑1 Logical Architecture Summary

Architecture diagram showing the build components, including mobile threat defense, mobile threat intelligence, app vetting, EMM, app store, enterprise resources, the VPN gateway, and the on-device counterparts.

2 Product Installation Guides

This section of the practice guide contains detailed instructions for installing and configuring the key products used for the architecture illustrated in Figure 1‑1.

In our lab environment, the example solution was logically separated by a virtual local area network (VLAN) wherein each VLAN represented a separate mock enterprise environment. The network perimeter for this example implementation was enforced by a Palo Alto Networks virtual private network (VPN)/firewall appliance. It maintains three zones: one each for the internet/wide area network (WAN), a demilitarized zone (DMZ), and the organizational local area network (LAN).

2.1 Appthority Mobile Threat Detection

Appthority contributed a test instance of its Mobile Threat Detection service. Contact Appthority (Symantec) (https://www.symantec.com/) to establish an instance for your organization.

2.2 Kryptowire EMM+S

Kryptowire contributed a test instance of its EMM+S application-vetting service. Contact Kryptowire (https://www.kryptowire.com/mobile-app-security/) to establish an instance for your organization.

2.3 Lookout Mobile Endpoint Security

Lookout contributed a test instance of its Mobile Endpoint Security (MES) service. Contact Lookout (https://www.lookout.com/products/mobile-endpoint-security) to establish an instance for your organization.

2.4 MobileIron Core

MobileIron Core is the central product in the MobileIron suite. The following sections describe the steps for installation, configuration, and integration with Active Directory (AD).

2.4.1 Installation of MobileIron Core and Stand-Alone Sentry

Follow the steps below to install MobileIron Core:

  1. Obtain a copy of the On-Premise Installation Guide for MobileIron Core, Sentry, and Enterprise Connector from the MobileIron support portal.

  2. Follow the MobileIron Core pre-deployment and installation steps in Chapter 1 of the On-Premise Installation Guide for MobileIron Core, Sentry, and Enterprise Connector for the version of MobileIron being deployed in your environment. In our lab implementation, we deployed MobileIron Core 9.5.0.0 as a Virtual Core running on VMware 6.0. Post-installation, we performed an upgrade to MobileIron Core 9.7.0.1 following guidance provided in CoreConnectorReleaseNotes9701_Rev12Apr2018. Direct installations to MobileIron Core 9.7.0.1 will experience slightly different results, as some added features in this version are not used with earlier versions of configuration files.

2.4.2 General MobileIron Core Setup

The following steps are necessary for mobile device administrators or users to register devices with MobileIron.

  1. Obtain a copy of MobileIron Core Device Management Guide for iOS Devices from the MobileIron support portal.

  2. Complete all instructions provided in Chapter 1, Setup Tasks.

2.4.3 Upgrade MobileIron Core

The following steps were used to upgrade our instance of MobileIron Core from 9.5.0.0 to 9.7.0.1. Note there was no direct upgrade path between these two versions; our selected upgrade path was 9.5.0.0 > 9.5.0.1 > 9.7.0.1.

  1. Obtain upgrade credentials from MobileIron Support.

  2. In MobileIron Core System Manager, navigate to Maintenance > Software Updates.

  3. In the Software repository configuration section:

    a. In the User Name field, enter the username provided by MobileIron Support.

    b. In the Password field, enter the password provided by MobileIron Support.

    c. In the Confirm Password field, reenter the password provided by MobileIron Support.

    d. Select Apply.

Figure 2‑1 MobileIron Repository Configuration

MobileIron Core System Manager > Maintenance > Software Updates. Shows the interface for entering the credentials used to authenticate to MobileIron and download updates.

  4. In the Software Updates section:

    a. Select Check Updates; after a few seconds, the available upgrade path options appear.

    b. Select the Core 9.5.0.1 status: Not Downloaded option.

    c. Select Download Now. After a delay, the Software Download dialogue appears.

Figure 2‑2 MobileIron Core Version

MobileIron Core System Manager > Maintenance > Software Updates. Shows the Core versions available to upgrade to, with Core 9.5.0.1 currently selected.

  5. In the Download Software dialogue, click OK.

Figure 2‑3 MobileIron Download Status

MobileIron Core: Download Software dialog. Notifies the user that the download of a software update was successful.

  6. In the Software updates section:

    a. Select the Core 9.5.0.1 status: Downloaded option.

    b. Select the Validate Database Structure and Data option.

    c. Select Validate.

Figure 2‑4 Validating Database Data

MobileIron Core System Manager > Maintenance > Software Updates. Shows the options for validating a software download, with Core 9.5.0.1 and Validate Database Structure and Data currently selected.

  7. In the Confirm dialogue, click Yes to validate database structure and data.

Figure 2‑5 Validating Database Data Confirmation

MobileIron: Confirm dialog. Prompts the user to confirm that they want to validate the database structure and data, noting that this disrupts the availability of MobileIron services.

  8. In the Validate Update dialogue, click OK.

Figure 2‑6 Database Data Validation Initiation Confirmation

MobileIron Core: Validate Update dialog. Notifies the user that validation of the update was successful.

  9. In the Software updates section, select Stage for Install; the Download Updates dialogue appears.

Figure 2‑7 Database Data Validation Status

MobileIron Core System Manager > Maintenance > Software Updates. Shows the results of validating the Core 9.5.0.1 software update against the current database structure and data.

  10. In the Download Updates dialogue, select Reboot Now; a series of dialogues appears.

Figure 2‑8 Software Updates Reboot Prompt

MobileIron Core: Download Updates dialog. Shows the options for when to reboot the system after selecting Stage for Install for a given software update.

  11. In the Confirm dialogues:

    a. Click Yes to confirm the appliance reboot.

Figure 2‑9 Software Update Reboot Confirmation

MobileIron Core: Confirm dialog. Prompts the user to confirm their intention to reboot the MobileIron Core appliance.

    b. Click Yes to confirm saving the current configuration.

Figure 2‑10 Reboot Configuration Save Prompt

MobileIron Core: Confirm dialog. Prompts the user to save the current configuration of MobileIron Core.

  12. The Upgrade Status website hosted by Core opens automatically.

Figure 2‑11 Upgrade Status

MobileIron Core: Upgrade Status website. Shows the current progress of an upgrade of MobileIron Core.

  13. Once the upgrade is complete, System Manager > Maintenance > Software Updates > Software Updates shows the capability to upgrade to 9.7.0.1.

Figure 2‑12 Ability to Upgrade to 9.7.0.1

Shows the Core patch levels this instance can upgrade to, specifically Core 9.6.0.3 and Core 9.7.0.1.

  14. Repeat Steps 4b through 11 above, replacing 9.5.0.1 with 9.7.0.1 during Steps 4b and 6; this completes the upgrade path from MobileIron Core 9.5.0.0 to 9.7.0.1.

2.4.4 Integration with Microsoft Active Directory

In our implementation, we chose to integrate MobileIron Core with Active Directory using lightweight directory access protocol (LDAP). This is optional. General instructions for this process are covered in the Configuring LDAP Servers section in Chapter 2 of On-Premise Installation Guide for MobileIron Core, Sentry, and Enterprise Connector. The configuration details used during our completion of selected steps (retaining the original numbering) from that guide are given below:

  1. From Step 4 in the MobileIron guide, in the New LDAP Server dialogue:

    a. Directory Connection:

Figure 2‑13 LDAP Settings

MobileIron New LDAP Setting: Directory Connection. Shows configuration items for the LDAP directory URL, user ID, password, LDAP domain, and query default settings.

Note: The light gray text is default text; enter your own directory URL.

    b. Directory Configuration—OUs (organizational units):

Figure 2‑14 LDAP OUs

MobileIron New LDAP Setting: Directory Configuration - OUs. Shows configuration items for the Organizational Unit (OU) base Distinguished Name (DN) and the OU search filter.

    c. Directory Configuration—Users:

Figure 2‑15 LDAP User Configuration

MobileIron New LDAP Setting: Directory Configuration - Users. Shows configuration items for the user base DN, search filter, scope, and LDAP user attributes.

    d. Directory Configuration—Groups:

Figure 2‑16 LDAP Group Configuration

MobileIron New LDAP Setting: Directory Configuration - Groups. Shows configuration items for the group base DN, filter, scope, and built-in and custom LDAP group attributes.

    e. LDAP Groups:

      i. As a preparatory step, we used Active Directory Users and Computers to create a new security group for mobile-authorized users on the Domain Controller for the govt.mds.local domain. In our example, this group is named Mobile Users.

      ii. In the search bar, enter the name of the LDAP group for mobile-authorized users.

      iii. Select the magnifying glass button; the group name should be added to the Available list.

      iv. In the Available list box:

        1. Select the Mobile Users list item.

        2. Select the right-arrow button; the Mobile Users list item should move to the Selected list box.

Figure 2‑17 Selected LDAP Group

MobileIron New LDAP Setting: LDAP Groups. Shows configuration items for the LDAP groups used by MobileIron.

    f. In the Selected list:

      i. Select the default Users group list item.

      ii. Select the left-arrow button; the Users list item should move to the Available list box.

    g. Custom Settings: Custom settings were not specified.

    h. Advanced Options: Advanced options were configured as shown in Figure 2‑18.

Figure 2‑18 LDAP Advanced Options

MobileIron New LDAP Setting: Advanced Options. Shows configuration items for the LDAP authentication method, user ID format, group member format, session encryption, and JNDI context properties.

Note: In our lab environment, we did not enable stronger Quality of Protection, the Use of Client Transport Layer Security Certificate feature, or the Request Mutual Authentication feature. However, we recommend that implementers consider using those additional mechanisms to secure communication with the LDAP server.

  2. From Steps 19 through 21 in the MobileIron guide, we tested that MobileIron can successfully query LDAP for Derived Personal Identity Verification Credential (DPC) Users.

    a. In the New LDAP Setting dialogue, click the Test button to open the LDAP Test dialogue.

    b. In the LDAP Test dialogue, enter a User ID for a member of the DPC Users group, then click the Submit button. A member of the Mobile Users group in our environment is gema.

Figure 2‑19 Testing LDAP Configuration

MobileIron LDAP Test dialog. Shows the User ID and Group ID entry fields.

    c. The LDAP Test dialogue indicates that the query was successful:

Figure 2‑20 LDAP Test Result

Successful LDAP search test result.

2.4.5 Create a Mobile Users Label

MobileIron uses labels to link policies and device configurations with users and mobile devices. Creating a unique label for each category of authorized mobile user allows mobile device administrators to apply a consistent set of controls applicable to users with a common mobile use case. Our limited usage scenario only required a single MobileIron label to be created.

  1. In the MobileIron Core Admin Portal, navigate to Devices & Users > Labels.

  2. Select Add Label.

Figure 2‑21 MobileIron Device Labels

Shows list of labels and control for adding a new label.

  3. In the Name field, enter a unique name for this label (Mobile Users in this example).

  4. In the Description field, enter a meaningful description to help others identify its purpose.

  5. Under the Criteria section:

    a. In the blank rule:

      i. In the Field drop-down menu, select User > LDAP > Groups > Name.

      ii. In the Value drop-down menu, select the Active Directory group created to support mobile user policies (named Mobile Users in this example).

    b. Select the plus sign icon to add a blank rule.

    c. In the newly created blank rule:

      i. In the Field drop-down menu, select Common > Platform.

      ii. In the Value drop-down menu, select Android.

Figure 2‑22 Adding a Device Label

Shows the Add Label form dialog. Prompts the user to supply a Name, Description, Type (Manual or Filter), and if of Type: Filter, a list of rules for matching. Displayed filter string: "user.ldap.groups.name" = "MobileIron Users" AND "common.platform" = "Android".

  6. The list of matching devices appears below the specified criteria.

  7. Select Save.

Figure 2‑23 Device Label Matches

Device label search results displayed.

  8. Navigate to Devices & Users > Labels to confirm the label was successfully created.

Figure 2‑24 MobileIron Label List

Shows the list of Labels with the newly-created label included.

2.5 Integration of Palo Alto Networks GlobalProtect with MobileIron

The following steps detail how to integrate MobileIron Core, Microsoft Certificate Authority (CA), and Palo Alto Networks GlobalProtect to allow mobile users to authenticate to the GlobalProtect gateway using user-aware device certificates issued to mobile devices by Microsoft CA during enrollment with MobileIron Core.

2.5.1 MobileIron Configuration

The following steps create the MobileIron Core configurations necessary to support integration with Palo Alto Networks GlobalProtect and Microsoft CA.

2.5.1.1 Create Simple Certificate Enrollment Protocol (SCEP) Configuration

  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Configurations.

  2. Select Add New > Certificate Enrollment > SCEP; the New SCEP Certificate Enrollment Setting dialogue will open.

  3. In the New SCEP Certificate Enrollment Setting dialogue:

    a. For the Name field, enter a unique name to identify this configuration.

    b. Enable the Device Certificate option.

    c. In the URL field, enter the URL where SCEP is hosted within your environment.

    d. In the CA-Identifier (ID) field, enter the subject name of the Microsoft CA that will issue the device certificates.

    e. In the Subject drop-down menu, select $DEVICE_IMEI$.

Figure 2‑25 MobileIron SCEP Configuration

SCEP configuration settings display.

    f. In the Fingerprint field, enter the fingerprint of the Microsoft CA that will issue the device certificates.

    g. For the Challenge Type drop-down menu, select Microsoft SCEP.

    h. Below the Subject Alternative Names list box, select Add; a new list item appears.

    i. For the new list item:

      i. For the Type drop-down menu, select NT Principal Name.

      ii. For the Value drop-down menu, select $USER_UPN$.

    j. Click Issue Test Certificate; the Certificate dialogue should indicate success.

Figure 2‑26 Test SCEP Certificate Configuration

Configuration of SCEP certificate displayed.

  4. In the Certificate dialogue, click OK.

Figure 2‑27 Test SCEP Certificate

Successful SCEP test results displayed.

  5. Click Save.
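The profile above asks Microsoft CA for a certificate carrying two identities: the device's IMEI in the subject and the user's UPN as an NT Principal Name in the subjectAltName. The following Go program is an added example, not code from MobileIron, Palo Alto Networks, or this guide: it builds a self-signed stand-in with that layout and shows the gateway-side check that both identities are present. The IMEI 490154203237518 and the UPN gema@govt.mds.local are constructed sample values (the user gema and the govt.mds.local domain appear in Section 2.4.4), and the self-signature stands in for Microsoft CA's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var (
	oidSubjectAltName  = asn1.ObjectIdentifier{2, 5, 29, 17}                      // id-ce-subjectAltName
	oidNTPrincipalName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN otherName
)

// der marshals v or panics; every input in this file is fixed and well-formed.
func der(v interface{}, params string) []byte {
	b, err := asn1.MarshalWithParams(v, params)
	if err != nil {
		panic(err)
	}
	return b
}

// upnSAN encodes a SubjectAltName holding one otherName of type NT Principal
// Name, which is what the profile's "NT Principal Name = $USER_UPN$" entry requests.
func upnSAN(upn string) pkix.Extension {
	ctx0 := func(b []byte) asn1.RawValue { // [0], constructed, context-specific
		return asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: b}
	}
	// OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
	otherName := append(der(oidNTPrincipalName, ""), der(ctx0(der(upn, "utf8")), "")...)
	// GeneralName's otherName is [0] IMPLICIT, so the SEQUENCE body is re-tagged as [0].
	return pkix.Extension{Id: oidSubjectAltName, Value: der([]asn1.RawValue{ctx0(otherName)}, "")}
}

// UPNFromCert pulls the NT Principal Name out of the SAN by hand (Go's x509
// parser skips otherName); this is the value a gateway maps to the AD user.
func UPNFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return "", err
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // dNSName, rfc822Name, iPAddress: not a user identity here
			}
			var typeID asn1.ObjectIdentifier
			rest, err := asn1.Unmarshal(gn.Bytes, &typeID)
			if err != nil || !typeID.Equal(oidNTPrincipalName) {
				continue
			}
			var upn string // the UTF8String sits inside the [0] EXPLICIT wrapper
			if _, err := asn1.UnmarshalWithParams(rest, &upn, "tag:0,explicit"); err != nil {
				return "", err
			}
			return upn, nil
		}
	}
	return "", errors.New("no NT Principal Name in subjectAltName")
}

// NewDeviceCert builds a self-signed stand-in for the SCEP-issued certificate
// (CN = $DEVICE_IMEI$, SAN = $USER_UPN$); constructed test data, not a CA-issued one.
func NewDeviceCert(imei, upn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: imei},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{upnSAN(upn)},
	}
	derBytes, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(derBytes)
}

// CheckDeviceCert is the gateway-side view: a 15-digit IMEI in the CN and a UPN in the SAN.
func CheckDeviceCert(cert *x509.Certificate) (imei, upn string, err error) {
	if imei = cert.Subject.CommonName; len(imei) != 15 || strings.Trim(imei, "0123456789") != "" {
		return "", "", fmt.Errorf("subject CN %q is not an IMEI", imei)
	}
	upn, err = UPNFromCert(cert)
	return imei, upn, err
}
```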

2.5.1.2 Create Palo Alto Networks GlobalProtect Configuration

The GlobalProtect configuration instructs the mobile client to use the provisioned device certificate and to automatically connect to the correct VPN URL; mobile users will not need to manually configure the application. The following steps will create the GlobalProtect configuration.

  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Configurations.

  2. Select Add New > VPN; the Add VPN Setting dialogue will appear.

  3. In the Add VPN Setting dialogue:

    a. In the Name field, enter a unique name to identify this VPN setting.

    b. In the Connection Type drop-down menu, select Palo Alto Networks GlobalProtect.

    c. In the Server field, enter the fully qualified domain name (FQDN) of your Palo Alto Networks appli­ance; our sample implementation uses vpn.govt.mdse.nccoe.org.

    d. For the User Authentication drop-down menu, select certificate.

    e. For the Identity Certificate drop-down menu, select the SCEP enrollment profile created in the previous section.

    f. Click Save.

Figure 2‑28 MobileIron VPN Configuration

VPN settings display.

2.5.2 Basic Palo Alto Networks Configuration

During basic configuration, an internet protocol (IP) address is assigned to the management interface, and domain name system (DNS) and network time protocol (NTP) servers are specified. The administrator configures the appliance and implements security rules through the management interface.

2.5.2.1 Configure Management Interface

The following steps will configure the Palo Alto Networks appliance management interface.

  1. In the Palo Alto Networks portal, navigate to Device > Setup > Interfaces.

  2. On the Interfaces tab, enable the Management option; the Management Interface Setting page opens.

Figure 2‑29 Palo Alto Networks Management Interface Enabled

Enabled interface display, showing auto-negotiate speed set.

  3. On the Management Interface Setting screen:

    a. In the IP Address field, enter the IP address for the Palo Alto Networks appliance.

    b. In the Netmask field, enter the netmask for the network.

    c. In the Default Gateway field, enter the IP address of the router that provides the appliance with access to the internet.

    d. Under Administrative Management Services, enable the Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Secure Shell (SSH), and Ping options.

    e. Click OK.

Figure 2‑30 Management Interface Configuration

Management interface display, with auto negotiate speed set.

  4. To verify the configuration, navigate to Palo Alto Networks Portal > Dashboard; the General Information section should reflect the appliance’s network configuration.

Figure 2‑31 Palo Alto Networks Firewall General Information

General information for VPN settings, including IP addresses and application version.

2.5.2.2 Configure DNS and NTP

  1. In the Palo Alto Networks Portal, navigate to Device > Setup > Services.

  2. In the Services tab, select the gear icon.

Figure 2‑32 Palo Alto Networks Services Configuration

Displays server identity verification confirmation.

  3. On the Services > Services tab:

    a. For the Primary DNS Server field, enter the primary DNS server IP address.

    b. For the Secondary DNS Server field, enter the secondary DNS server IP address, if applicable.

  4. Select the NTP tab.

Figure 2‑33 DNS Configuration

Shows verify update server identity box checked.

  5. On the NTP tab:

    a. For the Primary NTP Server > NTP Server Address field, enter the IP address of the primary NTP server to use.

    b. For the Secondary NTP Server > NTP Server Address field, enter the IP address of the backup NTP server to use, if applicable.

  6. Click OK.

Figure 2‑34 NTP Configuration

NTP server address for primary and secondary shown.

2.5.3 Palo Alto Networks Interfaces and Zones Configuration

Palo Alto Networks firewall model PA-220 has eight interfaces that can be configured as trusted (inside) or untrusted (outside) interfaces. This section describes creating a zone and assigning an interface to it.

2.5.3.1 Create Ethernet Interfaces and Addresses

Our example implementation uses three interfaces:

  • LAN: Orviliaʼs LAN, which hosts intranet web and mail services

  • DMZ: Orviliaʼs DMZ network subnet, which hosts MobileIron Core and MobileIron Sentry

  • WAN: provides access to the internet and is the inbound interface for secure sockets layer (SSL) VPN connections

To create and configure Ethernet interfaces:

  1. Navigate to Palo Alto Networks Portal > Network > Ethernet > Interfaces > Ethernet.

Figure 2‑35 Ethernet Interfaces

Ethernet interface shown.

  2. In the Ethernet tab, select the name of the interface to configure; the Ethernet Interface dialogue will appear.

  3. In the Ethernet Interface dialogue:

    a. In the Comment field, enter a description for this interface.

    b. For the Interface Type drop-down menu, select Layer3.

Figure 2‑36 Ethernet Interface Configuration

Configuration screen settings.

  4. Select the IPv4 tab.

  5. On the IPv4 tab:

    a. In the IP list box, select Add; a blank list item appears.

    b. In the blank list item, select New Address; the Address dialogue appears.

Figure 2‑37 WAN Interface IPv4 Configuration

IPv4 settings displayed.

  6. In the Address dialogue:

    a. For the Name field, enter a unique name to identify this address.

    b. For the Description field, enter a meaningful description of the purpose of this address.

    c. In the unnamed field following the Type drop-down menu, enter, in Classless Inter-Domain Routing (CIDR) notation, the IPv4 address that this interface will use. This example uses 10.6.1.2/24 for the WAN interface in our lab environment.

    d. Click OK.

Figure 2‑38 WAN Interface IP Address Configuration

Lab connection settings.

  7. The address should now appear as an item in the IP list box; select OK; the Address dialogue closes.

Figure 2‑39 Completed WAN Interface Configuration

IPv4 address settings.

  8. Click OK.

  9. Repeat Steps 2 and 3 for each of the additional Ethernet/Layer3 interfaces.

2.5.3.2 Create Security Zones

A Palo Alto Networks security zone is a collection of one or more interfaces that share the same security rules. For this setup, four zones were configured:

  • Mobile_Lab_GOVT: inside (trusted) interface connecting to the government (GOVT) segment

  • Mobile_Lab_DMZ: inside (trusted) interface connecting to the DMZ segment

  • Mobile_Lab_WAN: outside (untrusted) interface to permit trusted inbound connections (e.g., Lookout cloud service) from the untrusted internet and allow internet access to on-premises devices

  • Mobile_Lab_SSLVPN: outside (untrusted) interface for VPN connections by trusted mobile devices originating from untrusted networks (e.g., public Wi-Fi)

To configure each zone:

  1. Navigate to Palo Alto Networks Portal > Network > Zones.

Figure 2‑40 Security Zone List

Network tab settings.

  2. In the Zones pane, select Add; the Zones page opens.

  3. On the Zones page:

    a. For the Name field, provide a unique name for the zone.

    b. For the Type drop-down menu, select Layer 3.

    c. Under Interfaces, select Add; a blank drop-down menu appears.

    d. In the drop-down menu, select the interface to assign to this zone; this example shows selection of ethernet 1/3, which is associated with the LAN interface.

    e. Click OK.

Figure 2‑41 LAN Security Zone Configuration

Interfaces settings.

  4. Repeat Step b for each zone.

2.5.4 Configure Router

Palo Alto Networks uses a virtual router to emulate physical connectivity between interfaces in different zones. To permit systems to reach systems in other zones, the following steps will create a virtual router and add interfaces to it. The router also sets which of these interfaces will act as the local gateway to the internet.

  1. In the Palo Alto Networks Portal, navigate to Network > Virtual Routers.

  2. Below the details pane, select Add; the Virtual Router form opens.

  3. In the Virtual Router form, on the Router Settings tab:

    a. For the Name field, enter a unique name to identify this router.

    b. On the Router Settings > General tab:

      i. Under the Interfaces list box, select Add; a new list item appears.

      ii. In the new list item drop-down menu, select an existing interface.

      iii. Repeat Steps 3a and 3b to add all existing interfaces to this router.

  4. Select the Static Routes tab.

  5. On the Static Routes > IPv4 tab:

    a. Below the list box, select Add; the Virtual Router - Static Route - IPv4 form opens.

    b. In the Virtual Router - Static Route - IPv4 form:

      i. For the Name field, enter a unique name to identify this route.

      ii. For the Destination field, enter 0.0.0.0/0.

      iii. For the Interface drop-down menu, select the interface that provides access to the internet.

      iv. For the Next Hop drop-down menu, select IP Address.

      v. In the field below Next Hop, enter the IP address of the gateway that provides access to the internet.

      vi. Click OK.

Figure 2‑42 Virtual Router Configuration

WAN default route configuration.

  6. Click OK.

Figure 2‑43 Virtual Router General Settings

Mobile lab router settings, including ethernet interfaces.

2.5.5 Configure Tunnel Interface

The SSL VPN uses a tunnel interface to secure traffic from the external zone to the internal zone where organizational resources available to mobile users are maintained. To configure the tunnel interface:

  1. Navigate to Palo Alto Networks Portal > Network > Ethernet > Interfaces > Tunnel.

  2. Below the details pane, select Add; the Tunnel Interface form opens.

  3. In the Tunnel Interface form on the Config tab:

    a. In the Assign Interface To section:

      i. For the Virtual Router drop-down menu, select the virtual router created in the previous section.

      ii. For the Security Zone drop-down menu, select the security zone created for the SSL VPN.

    b. Click OK.

Figure 2‑44 SSL VPN Tunnel Interface

Configuration for mobile lab router and security zone.

2.5.6 Configure Applications and Security Policies

Security policies work similarly to firewall rules; they block or allow traffic between defined zones identified by a source, destination, and application(s) (contextually, Palo Alto Networks’ objects define network protocols and ports). Palo Alto Networks has built-in applications for a large number of standard and well-known protocols and ports (e.g., LDAP and Secure Shell), but we defined custom applications for MobileIron-specific traffic.

2.5.6.1 Configure Applications

The following steps will create an application:

  1. In the Palo Alto Networks Portal, navigate to Objects > Applications.

Figure 2‑45 Application Categories

Display of category, subcategory, and technology application object filters.

  2. On the Applications screen:

  3. Select Add; the Application form opens.

  4. On the Application > Configuration screen:

    a. In the General > Name field, provide a unique name to identify this application.

    b. In the General > Description field, enter a meaningful description of its purpose.

    c. For the Properties > Category drop-down menu, select a category appropriate to your environment; our sample implementation uses networking.

    d. For the Properties > Subcategory drop-down menu, select a subcategory appropriate to your environment; our sample implementation uses infrastructure.

    e. For the Properties > Technology drop-down menu, select a technology appropriate to your environment; our sample implementation uses client-server.

Figure 2‑46 MobileIron Core Palo Alto Networks Application Configuration

Configuration of mobile device settings that enable connectivity with MobileIron Core.

  5. Select the Advanced tab.

  6. On the Application > Advanced screen:

    a. Select Defaults > Port.

    b. Under the Ports list box, select Add; a blank list item appears.

    c. In the blank list item, enter the port number used by the application; this example uses 9997.

  7. Click OK.

Figure 2‑47 MobileIron Application Port Configuration

MobileIron application port settings for port 9997, including timeouts.

  8. Repeat Steps 2 through 7 with the following modifications to create an application for the MobileIron Core system administration console:

    a. Configuration > General > Name is MobileIron8443.

    b. Configuration > Properties > Category is business-systems.

    c. Configuration > Properties > Subcategory is management.

    d. Advanced > Defaults > Port first entry is 8443.

2.5.6.2 Configure Security Policies

Security policies allow or explicitly deny communication within, between, or (externally) to or from Palo Alto Networks zones. For this sample implementation, several security policies were created to support communication by other components of the architecture. The first subsection covers the steps to create a given security policy. The second subsection provides a table illustrating the security policies we used; these policies would need to be adapted to host names and IP addresses specific to your network infrastructure.

2.5.6.2.1 Create Security Policies

To create a security policy:

  1. In the Palo Alto Networks Portal, navigate to Policies > Security.

  2. Select Add; the Security Policy Rule form will open.

  3. In the Security Policy Rule form:

    a. In the Name field, enter a unique name for this security rule.

    b. For the Rule Type drop-down menu, select the scope of the rule, following the guidance provided in the Palo Alto Networks documentation for creating firewall rules.

Figure 2‑48 DMZ Access to MobileIron Firewall Rule Configuration

Security policy rule for DMZ access to the virtual IP core.

  4. Select the Source tab.

  5. On the Source tab:

    a. If the security rule applies to a specific source zone:

      i. Under the Source Zone list box, select Add; a new entry appears in the list box.

      ii. For the new list item, select the source zone for this rule.

    b. If the rule applies to only specific source IP addresses:

      i. Under the Source Address list box, select Add; a new list item appears.

      ii. For the new list item, select the source address for this rule.

Figure 2‑49 DMZ Access to MobileIron Security Rule Source Zone Configuration

Security policy rule for mobile lab WAN, including source zone and source address.

  6. Select the Destination tab.

  7. On the Destination tab:

    a. If the security rule applies to a specific destination zone:

      i. Under the Destination Zone list box, select Add; a new destination list item appears.

      ii. For the new Destination Zone list item, select the destination zone for this rule.

    b. If the rule applies to only specific destination IP addresses:

      i. Under the Destination Address list box, select Add; a new list item appears.

      ii. For the new list item, select the destination address for this rule.

Figure 2‑50 DMZ Access to MobileIron Security Rule Destination Address Configuration

Security policy rule for the destination tab, including destination zone and address.

  8. Select the Application tab.

  9. On the Application tab:

    a. Under the Applications list box, select Add; a new list item appears.

    b. For the new Applications list item, select the application representing the protocol and port combination of the traffic to control.

    c. Repeat Steps 9a and 9b for each application involving the same source and destination that would also have its traffic allowed or explicitly blocked (if otherwise allowed by a more permissive security rule).

Figure 2‑51 DMZ Access to MobileIron Security Rule Application Protocol Configuration

DMZ application access, including DNS, PING, SSL, and web browsing options.

  10. Select the Actions tab.

  11. On the Actions tab: Unless explicitly blocking traffic permitted by a more permissive security rule, ensure that the Action Setting > Action drop-down menu is set to Allow.

Figure 2‑52 DMZ Access to MobileIron Security Rule Action Configuration

Actions tab for security policy rule, including log settings.

  12. Click OK.

2.5.6.2.2 Implemented Security Policies

The implemented security policies are provided in Table 2‑1, Table 2‑2, and Table 2‑3. Configuration options that aren’t shown were left as their default values.

Table 2‑1 Implemented Security Policies

| Name | Tags | Type | Source Zone | Source Address |
|---|---|---|---|---|
| DMZAccessVirtualIPCore | none | universal | Mobile_lab_WAN | any |
| CoretoAppleSrvs | none | universal | Mobile_Lab_DMZ | MI_Core |
| AdminAccessToMI | none | interzone | Mobile_Lab_GOVT | MDS.govt.admin |
| AppthorityConnectorAccessToMI-Core | none | interzone | Mobile_Lab_GOVT | govt.appthority |
| MICoreObtainDeviceCERT | none | interzone | Mobile_Lab_DMZ | MI_Core |
| MICoreAccessDNS | none | interzone | Mobile_Lab_DMZ | MI_Core |
| MICoreRelaySMSNotifications | none | interzone | Mobile_Lab_DMZ | MI_Core |
| MICoreSyncLDAP | none | interzone | Mobile_Lab_DMZ | MI_Core |

Table 2‑2 Implemented Security Policies

| Name | Source User | Source Host Information Protocol Profile | Destination Zone | Destination Address |
|---|---|---|---|---|
| DMZAccessVirtualIPCore | any | any | any | 10.6.1.120 |
| CoretoAppleSrvs | any | any | any | 17.0.0.0/8 |
| AdminAccessToMI | any | any | Mobile_Lab_DMZ | MI_Core;MI_Sentry |
| AppthorityConnectorAccessToMI-Core | any | any | Mobile_Lab_DMZ | MI_Core |
| MICoreObtainDeviceCERT | any | any | Mobile_Lab_GOVT | SCEP_server |
| MICoreAccessDNS | any | any | Mobile_Lab_GOVT | DNS_Server |
| MICoreRelaySMSNotifications | any | any | Mobile_Lab_GOVT | SMTP_Relay |
| MICoreSyncLDAP | any | any | Mobile_Lab_GOVT | LDAP_Server |

Table 2‑3 Implemented Security Policies

| Name | Application | Service | Action | Profile | Options |
|---|---|---|---|---|---|
| DMZAccessVirtualIPCore | dns;ping;ssl;web-browsing | any | allow | none | none |
| CoretoAppleSrvs | any | any | allow | none | none |
| AdminAccessToMI | AdminAccessMI;ssh;ssl | any | allow | none | none |
| AppthorityConnectorAccessToMI-Core | AdminAccessMI;ssl;web-browsing | any | allow | none | none |
| MICoreObtainDeviceCERT | scep;web-browsing | application-default | allow | none | none |
| MICoreAccessDNS | dns | application-default | allow | none | none |
| MICoreRelaySMSNotifications | smtp | application-default | allow | none | none |
| MICoreSyncLDAP | ldap | application-default | allow | none | none |
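As an added example, not part of this guide or of PAN-OS, the following Go program transcribes the three tables above and evaluates a classified flow against them top-down, so an implementer can check what the rulebase permits before committing it. It assumes flows are already classified (zone, address-object name or IP, App-ID), omits the Service, Profile and Options columns, and when nothing matches falls back to PAN-OS's predefined intrazone-default (allow) and interzone-default (deny) rules.

```go
package main

import (
	"net"
	"strings"
)

// Rule is one row of Tables 2-1 to 2-3; the Service, Profile and Options
// columns, left at their defaults on the page, are omitted here.
type Rule struct {
	Name, Type, SrcZone, SrcAddr, DstZone, DstAddr, Apps, Action string
}

// Flow is a connection as the firewall sees it after zone lookup and App-ID.
// Addresses are either an address-object name, as the tables use, or an IP.
type Flow struct {
	SrcZone, SrcAddr, DstZone, DstAddr, App string
}

// Policies transcribes the page's three tables in rulebase order.
var Policies = []Rule{
	{"DMZAccessVirtualIPCore", "universal", "Mobile_lab_WAN", "any", "any", "10.6.1.120", "dns;ping;ssl;web-browsing", "allow"},
	{"CoretoAppleSrvs", "universal", "Mobile_Lab_DMZ", "MI_Core", "any", "17.0.0.0/8", "any", "allow"},
	{"AdminAccessToMI", "interzone", "Mobile_Lab_GOVT", "MDS.govt.admin", "Mobile_Lab_DMZ", "MI_Core;MI_Sentry", "AdminAccessMI;ssh;ssl", "allow"},
	{"AppthorityConnectorAccessToMI-Core", "interzone", "Mobile_Lab_GOVT", "govt.appthority", "Mobile_Lab_DMZ", "MI_Core", "AdminAccessMI;ssl;web-browsing", "allow"},
	{"MICoreObtainDeviceCERT", "interzone", "Mobile_Lab_DMZ", "MI_Core", "Mobile_Lab_GOVT", "SCEP_server", "scep;web-browsing", "allow"},
	{"MICoreAccessDNS", "interzone", "Mobile_Lab_DMZ", "MI_Core", "Mobile_Lab_GOVT", "DNS_Server", "dns", "allow"},
	{"MICoreRelaySMSNotifications", "interzone", "Mobile_Lab_DMZ", "MI_Core", "Mobile_Lab_GOVT", "SMTP_Relay", "smtp", "allow"},
	{"MICoreSyncLDAP", "interzone", "Mobile_Lab_DMZ", "MI_Core", "Mobile_Lab_GOVT", "LDAP_Server", "ldap", "allow"},
}

// matchList reports whether value is covered by a ';'-separated table cell:
// "any" covers everything; otherwise an entry matches by exact name, or, when
// the entry is a CIDR and value an IP, by containment (how 17.0.0.0/8 is meant).
func matchList(cell, value string) bool {
	if cell == "any" {
		return true
	}
	for _, entry := range strings.Split(cell, ";") {
		if entry == value {
			return true
		}
		if _, network, err := net.ParseCIDR(entry); err == nil {
			if ip := net.ParseIP(value); ip != nil && network.Contains(ip) {
				return true
			}
		}
	}
	return false
}

// matches applies the Type column: interzone rules only see traffic crossing
// zones, intrazone rules only traffic staying inside one, universal rules both.
func (r Rule) matches(f Flow) bool {
	cross := f.SrcZone != f.DstZone
	if (r.Type == "interzone" && !cross) || (r.Type == "intrazone" && cross) {
		return false
	}
	return matchList(r.SrcZone, f.SrcZone) && matchList(r.SrcAddr, f.SrcAddr) &&
		matchList(r.DstZone, f.DstZone) && matchList(r.DstAddr, f.DstAddr) &&
		matchList(r.Apps, f.App)
}

// Evaluate walks the rulebase top-down and returns the first hit. With no hit,
// PAN-OS's predefined rules decide: intrazone-default allows traffic within a
// zone and interzone-default denies traffic between zones.
func Evaluate(f Flow) (action, rule string) {
	for _, r := range Policies {
		if r.matches(f) {
			return r.Action, r.Name
		}
	}
	if f.SrcZone == f.DstZone {
		return "allow", "intrazone-default"
	}
	return "deny", "interzone-default"
}
```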

2.5.7 Network Address Translation

To allow communication with external networks over the internet, the appliance also needs to be configured with Network Address Translation (NAT) rules. To configure NAT:

  1. In the Palo Alto Networks Portal, navigate to Policies > NAT.

  2. Below the details pane, select Add; the NAT Policy Rule form opens.

  3. In the NAT Policy Rule form, on the General tab:

    a. In the Name field, provide a unique name for this NAT policy rule.

    b. Ensure the NAT Type drop-down menu is set to ipv4.

Figure 2‑53 Outbound NAT Rule

Outbound NAT rule settings to GOVT to Outside addresses.

  4. Select the Original Packet tab.

  5. On the Original Packet tab:

    a. Under the Source Zone list box, select Add; a new Source Zone list item appears.

    b. For the new Source Zone list item, select the zone that represents your LAN subnet; in this sample implementation, that is Mobile_Lab_GOVT.

    c. Repeat Steps 5a and 5b to add the zone that represents your DMZ; in this sample implementation, that is Mobile_Lab_DMZ.

    d. Repeat Steps 5a and 5b to add the zone that represents your SSL VPN; in this sample implementation, that is Mobile_Lab_SSLVPN.

    e. For the Destination Zone drop-down menu, select the zone that represents the internet; in this sample implementation, that is Mobile_lab_WAN.

    f. For the Destination Interface, select the adapter that is physically connected to the same subnet as your internet gateway; in this sample implementation, that is ethernet1/1.

    g. Under the Source Address list box, select Add; a new Source Address list item appears.

    h. For the new Source Address list item, select the address that represents the subnet (IP address range) for the LAN.

    i. Repeat Steps 5f and 5g to add the address representing the DMZ subnet.

    j. Repeat Steps 5f and 5g to add the address representing the SSL VPN subnet.

Figure 2‑54 Outbound NAT Original Packet Configuration

NAT policy rule of original packet including source and destination address.

  6. Select the Translated Packet tab.

  7. On the Translated Packet tab, under Source Address Translation:

    a. For the Translation Type drop-down menu, select Dynamic IP and Port.

    b. For the Address Type drop-down menu, select Interface Address.

    c. For the Interface drop-down menu, select the same interface selected in Step 5e.

    d. For the IP Address drop-down menu, select the IPv4 address on the same subnet as your internet gateway.

Figure 2‑55 Outbound NAT Translated Packet Configuration

Outbound NAT Translated packets, including dynamic IP and Port settings.

  8. Select OK.

2.5.8 Configure SSL VPN

The SSL VPN enables remote mobile device users to create an encrypted connection to the enterprise from unencrypted networks (e.g., public Wi-Fi hot spots).

2.5.8.1 Configure End-User Authentication

The following steps establish the integrations and configurations related to mobile user identification and authentication.

2.5.8.1.1 Configure Server Profile

The following steps integrate this appliance with Microsoft Active Directory Domain Services to manage mobile user permissions via AD groups and roles.

  1. In the Palo Alto Networks Portal, navigate to Device > Server Profiles > LDAP.

  2. Below the details pane, select Add; the LDAP Server Profile form opens.

  3. In the LDAP Server Profile form:

    a. In the Profile Name field, enter a unique name to identify this profile.

    b. Under the Server List box, select Add; a new Server List item appears.

    c. In the new Server List item:

      i. In the Name column, enter a name to identify the server.

      ii. In the LDAP Server column, enter the IP address of the LDAP server.

      iii. The value in the Port column defaults to 389; change this if your LDAP server communicates over a different port number.

      iv. Repeat Steps 3ci through 3ciii for each LDAP server that you intend to use.

    d. Under Server Settings:

      i. In the Type drop-down menu, select active-directory.

      ii. In the Base DN drop-down menu, select the DN for your Active Directory domain users who will use the SSL VPN.

      iii. In the Bind DN field, enter the Active Directory domain user account that will authenticate to LDAP to perform queries.

      iv. In the Password field, enter the password for the Active Directory user account specified in the previous step.

      v. In the Confirm Password field, reenter the password entered in the previous step.

  4. Click OK.

Figure 2‑56 LDAP Profile

LDAP profile settings including active directory and timeout configurations.

2.5.8.2 Configure Authentication Profile

  1. In the Palo Alto Networks Portal, navigate to Device > Authentication Profile.

  2. Under the details pane, select Add; the Authentication Profile form opens.

  3. In the Authentication Profile form:

    a. In the Name field, provide a unique name to identify this authentication profile.

    b. On the Authentication tab:

      i. For the Type drop-down menu, select LDAP.

      ii. For the Server Profile drop-down menu, select the name of the LDAP Server Profile created in the previous section.

      iii. For the Login Attribute field, enter userPrincipalName.

      iv. For the User Domain, enter the name of your enterprise domain; our sample implementation uses govt.

Figure 2‑57 Authentication Profile

Authentication profile settings, including LDAP, server profile and user domain.

    c. Select the Advanced tab.

    d. On the Advanced tab:

      i. Under the Allow List box, select Add; this creates a new list item.

      ii. In the new list item, select the Active Directory group for your mobile users.

      iii. Repeat Steps 3di and 3dii for any additional groups that should authenticate to the SSL VPN.

  4. Click OK.

Figure 2‑58 Advanced Authentication Profile Settings

Authentication profile advanced tab settings, including the allowed list.

2.5.8.3 Configure User Identification

  1. In the Palo Alto Networks Portal, navigate to Device & User Identification.

  2. In the details pane, select the Group Mapping Settings tab.

  3. Below the details pane, select Add. The Group Mapping form opens.

  4. In the Group Mapping form:

    a. In the Name field, enter a unique name to identify this group mapping.

    b. In the Server Profile tab:

      i. For the Server Profile drop-down menu, select the LDAP Server Profile created previously.

      ii. For Domain Setting > User Domain, enter the name of your Active Directory domain; this sample implementation uses govt.

Figure 2‑59 LDAP Group Mapping

Server profile settings including the server and domain settings.

  5. Select the Group Includes List tab.

  6. On the Group Includes List tab:

    a. In the Available Groups list box, expand the Active Directory domain to reveal configured user groups.

    b. For each Active Directory group to be included in this User Identification configuration:

      i. Select the Active Directory group.

      ii. Select the plus icon to transfer the group to the Included Groups list box.

Figure 2‑60 LDAP Group Include List

Group mapping including the included groups setting.

  7. Select OK.

2.5.8.4 Configure Authentication Policy Rule

  1. Navigate to Policies > Authentication.

  2. Click Add.

  3. Give the policy a name. In this implementation, Mobile_Lab_Auth_Rule was used.

  4. Click Source.

  5. Under Source Zone, click Add. Select the SSL VPN zone.

  6. Under Source Zone, click Add. Select the WAN zone.

Figure 2‑61 Authentication Policy Source Zones

Authentication policy source settings.

  1. Click Destination.

  2. Under Destination Zone, click Add.

  3. Select the LAN zone (in this implementation, Mobile_Lab_GOVT).

Figure 2‑62 Authentication Policy Destination Zones

Authentication policy destination zones including destination zone and address.

  1. Click Service/URL Category.

  2. Under service, click Add.

  3. Select service-http.

  4. Under service, click Add.

  5. Select service-https.

  6. Click Actions.

  7. Next to Authentication Enforcement, select default-web-form.

  8. Leave Timeout and Log Settings as their default values.

Figure 2‑63 Authentication Profile Actions

Authentication profile actions including the authentication enforcement, timeout, and log forwarding setting.

  1. Click OK and commit the changes.

2.5.9 Import Certificates

Certificates must be imported into the appliance before certificate profiles can be configured; those profiles govern how the certificates are used when the appliance communicates with other systems. In particular, device certificates issued to mobile devices will be used to identify and authenticate mobile users.

Note: The certificate private keys must be password-protected to import them into the firewall.

  1. In the Palo Alto Networks Portal, navigate to Device > Certificate Management > Certificates.

  2. Under the details pane, select Import; the Import Certificate form opens.

  3. In the Import Certificate form:

    1. For the Certificate Type, select Local.

    2. For the Certificate Name field, enter a unique name to identify this certificate.

    3. Next to the Certificate File field, select Browse… to specify the full path to the file containing the certificate.

    4. For the File Format drop-down menu, select the certificate encoding appropriate to the certificate file; this example assumes the certificate and private key are in separate files, so select PEM. Note: The certificate’s private key must be password-protected to import it into Palo Alto Networks appliances.

    5. If the certificate identifies the Palo Alto Networks appliance:

      1. Enable the Import private key checkbox.

      2. Next to Key File, select Browse… to specify the full path to the file containing the private key for the uploaded certificate.

      3. For the Passphrase field, enter the pass phrase protecting the private key.

      4. For the Confirm Passphrase field, re-enter the pass phrase protecting the private key.

Figure 2‑64 Import MobileIron Certificate

Certificate type, including certificate name settings.

  1. Select OK.

  1. Repeat Step 3 for each certificate to import into the Palo Alto Networks appliance. This will include all certificates that the appliance will use to identify itself or authenticate to remote systems, all certificates in the chain of trust for each such certificate, and any chain-of-trust certificates supporting identity verification for remote systems to which this appliance will require certificate-based identification and authentication. This sample implementation uses certificates for the following systems:

    • server certificate for this appliance issued by DigiCert

    • DigiCert root CA certificate

    • DigiCert subordinate CA certificate

    • Microsoft CA enterprise root certificate

    • Microsoft CA enterprise subordinate CA certificate

2.5.10 Configure Certificate Profile

  1. In the Palo Alto Networks Portal, navigate to Device > Certificate Management > Certificate Profile.

  2. Under the details pane, select Add; the Certificate Profile form opens.

  3. In the Certificate Profile form:

    1. In the Name field, enter a unique name to identify this certificate profile.

    2. In the Username Field drop-down menu, select Subject Alt.

    3. Select the Principal Name option.

    4. In the User Domain field, enter the Active Directory domain name for your enterprise; this sample implementation uses govt.

    5. Under the CA Certificate list box, select Add; a secondary Certificate Profile form appears.

    6. In the secondary Certificate Profile form, in the CA Certificate drop-down menu, select the Microsoft Active Directory Certificate Services root certificate uploaded in Section 2.5.9.

    7. Click OK.

    8. Repeat Step 3f for each intermediary certificate in the trust chain between the root certificate and the subordinate CA certificate that issues certificates to mobile devices.

Figure 2‑65 Certificate Profile

Profile settings including name, username field, and user domain.

  1. Click OK.

Figure 2‑66 Internal Root Certificate Profile

Internal root settings.

  1. Click OK.
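The profile above takes the user from the certificate's Subject Alt > Principal Name (the UPN otherName a Microsoft enterprise CA places in the SAN) and qualifies it with the User Domain. As an added example, not code from this guide or from Palo Alto Networks, the Go program below self-signs a throwaway device certificate carrying a constructed UPN, decodes that otherName (Go's own x509 parser skips it) and derives a domain\user identity; the sample UPN jdoe@govt.mdse.nccoe.org and the domain\user rendering are assumptions, not PAN-OS behaviour.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// id-ce-subjectAltName and the Microsoft UPN otherName type-id.
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidMicrosoftUPN   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
)

func constructed(class, tag int, content []byte) []byte {
	b, _ := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: true, Bytes: content})
	return b
}

// buildSANWithUPN encodes a SubjectAltName value holding one otherName of type UPN:
// GeneralNames ::= SEQUENCE OF GeneralName, where otherName is
// [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }.
func buildSANWithUPN(upn string) []byte {
	upnValue, _ := asn1.MarshalWithParams(upn, "utf8")
	oidBytes, _ := asn1.Marshal(oidMicrosoftUPN)
	otherName := constructed(asn1.ClassContextSpecific, 0,
		append(oidBytes, constructed(asn1.ClassContextSpecific, 0, upnValue)...))
	return constructed(asn1.ClassUniversal, asn1.TagSequence, otherName)
}

// upnFromSAN returns the first UPN otherName in the SubjectAltName extension, the field a
// certificate profile set to Subject Alt > Principal Name reads. Go's x509 parser skips
// otherName entries, so the GeneralNames are decoded here.
func upnFromSAN(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return "", fmt.Errorf("malformed SubjectAltName: %w", err)
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // dNSName, rfc822Name, iPAddress, ...: not an otherName
			}
			var typeID asn1.ObjectIdentifier
			valueBytes, err := asn1.Unmarshal(gn.Bytes, &typeID)
			if err != nil || !typeID.Equal(oidMicrosoftUPN) {
				continue // an otherName of some other type
			}
			var upn string
			if _, err = asn1.UnmarshalWithParams(valueBytes, &upn, "explicit,tag:0,utf8"); err != nil {
				return "", fmt.Errorf("UPN otherName is not [0] EXPLICIT UTF8String: %w", err)
			}
			return upn, nil
		}
	}
	return "", fmt.Errorf("certificate carries no SAN Principal Name")
}

// identityFromCert mirrors the profile in Section 2.5.10: user from the SAN Principal Name,
// qualified with the User Domain (govt here). The domain\user rendering is illustrative only.
func identityFromCert(cert *x509.Certificate, userDomain string) (string, error) {
	upn, err := upnFromSAN(cert)
	if err != nil {
		return "", err
	}
	at := strings.IndexByte(upn, '@')
	if at <= 0 {
		return "", fmt.Errorf("UPN %q is not of the form user@realm", upn)
	}
	return userDomain + `\` + upn[:at], nil
}

// newDeviceCert self-signs a throwaway client certificate carrying the given UPN, a
// constructed stand-in for the SCEP-issued device certificates this guide relies on.
func newDeviceCert(upn string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "mobile-device-001"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: buildSANWithUPN(upn)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling identityFromCert(cert, "govt") on a certificate built with newDeviceCert("jdoe@govt.mdse.nccoe.org") yields govt\jdoe; a certificate whose UPN lacks an @ is rejected.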

2.5.11 Configure SSL/TLS Service Profile

The following steps will configure the SSL/TLS profile, which determines what certificates to trust when mobile devices are connecting to the VPN and what certificate to use when establishing outbound SSL/TLS connections.

  1. In the Palo Alto Networks Portal, navigate to Device > Certificate Management > SSL/TLS Service Profile.

  2. Below the details pane, select Add; the SSL/TLS Service Profile form opens.

  3. In the SSL/TLS Service Profile form:

    1. In the Name field, enter a unique name to identify this service profile.

    2. For the Certificate drop-down menu, select the certificate to use for this SSL/TLS service profile; our sample implementation uses a client certificate obtained from a Microsoft enterprise CA via SCEP.

    3. For the Min Version drop-down menu, select TLSv1.2. For Max Version, select Max.

    4. Select OK.

Figure 2‑67 SSL/TLS Service Profile

SSL/TLS settings, including minimum and maximum TLS version.

  1. Repeat Step 3 to add an identical SSL/TLS service profile for this appliance’s server certificate issued through DigiCert.

2.5.12 URL Filtering Configuration

  1. Navigate to Objects > Custom Objects > URL Category.

  2. Click Add.

  3. Give the category a name and description.

  4. Add sites to be blocked. For this example, *.example.com was used.

Figure 2‑68 Custom URL Category

Block list settings.

  1. Click OK.

  2. Navigate to Objects > Security Profiles > URL Filtering.

  3. Check the box next to default and click Clone.

  4. Select default from the window that appears.

  5. Click OK.

  6. Click the newly created profile, default-1.

  7. Give the newly created profile a meaningful name and provide a description for it.

  8. Scroll to the bottom of the list. The name of the created category will be last on the list.

  9. Click the option below Site Access and next to your created URL category.

  10. Set the Site Access option to block.

Figure 2‑69 URL Filtering Profile

URL filtering profile, including category and site access settings.

  1. Click OK.

  2. Navigate to Policies > Security.

  3. Click the default outbound policy for the internal network (not VPN).

  4. Click Actions.

  5. Next to Profile Type, select Profiles.

  6. Next to URL Filtering, select the newly created profile.

  7. Click OK.

  8. Repeat Steps 18 through 21 for the SSL VPN outbound traffic.

Figure 2‑70 URL Filtering Security Policy

URL actions, including action setting and profile setting options.

  1. Click Commit in the upper right-hand corner.

  2. In the popup window, click Commit.

2.5.13 GlobalProtect Gateway and Portal Configuration

The SSL VPN configuration requires creation of both a GlobalProtect gateway and a GlobalProtect portal, the latter of which could be used to manage VPN connections across multiple gateways. In this sample implementation, only a single gateway and portal are configured.

2.5.13.1 Configure GlobalProtect Gateway

The GlobalProtect gateway provides remote users with secure access to internal resources based on their Microsoft AD group. To configure the GlobalProtect gateway:

  1. In the Palo Alto Networks Portal, navigate to Network > GlobalProtect > Gateways.

  2. Below the details pane, select Add; the GlobalProtect Gateway Configuration form opens.

  3. In the GlobalProtect Gateway Configuration form, on the General tab:

    1. In the Name field, enter a unique name to identify this GlobalProtect Gateway.

    2. Under Network Settings:

      1. In the Interface drop-down menu, select the physical interface connected to the subnet on which the internet gateway device is located.

      2. In the IPv4 Address drop-down menu, select the IP address associated with the physical interface specified in the previous step.

Figure 2‑71 General GlobalProtect Gateway Configuration

General gateway configuration settings including interface and IP address type.

  1. Select the Authentication tab.

  2. In the Authentication tab:

    1. For the Server Authentication > SSL/TLS Service Profile drop-down menu, select the TLS/SSL profile associated with the publicly trusted server certificate for this appliance.

    2. For the Client Authentication > Certificate Profile drop-down menu, select the client TLS/SSL profile associated with the internally trusted client certificates issued to mobile devices.

Figure 2‑72 GlobalProtect Authentication Configuration

Authentication settings, including authentication profile and username label.

  1. Select the Agent tab.

  2. On the Agent > Tunnel Settings tab:

    1. Select the Tunnel Mode checkbox.

    2. Select the Enable IPSec checkbox to disable IPSec.

Figure 2‑73 GlobalProtect Tunnel Configuration

Tunnel settings including tunnel mode option.

  1. Select the Agent > Client IP Pool tab.

  2. On the Agent > Client IP Pool tab:

    1. Below the IP Pool list box, select Add; a new list item will appear.

    2. For the new IP Pool list item, enter the network address for the IP address pool from which connected devices will be allocated an IP address.

Figure 2‑74 VPN Client IP Pool

Client IP pool settings for the agent.

  1. Select the Agent > Client Settings tab.

  1. On the Agent > Client Settings tab:

    1. Under the Client Settings list box, select Add; the Configs form opens.

Figure 2‑75 VPN Client Settings

Client settings including user and user group.

  1. In the Configs form on the Authorization Override tab, enter a unique name to identify this client configuration.

Figure 2‑76 VPN Authentication Override Configuration

Authentication override, including mobile lab and authentication override.

  1. Select the User/User Group tab.

  1. On the User/User Group tab:

    1. Below the Source User list box, select Add; a new list item appears.

    2. In the Source User list item, select the Microsoft AD user group to grant access to internal resources through this GlobalProtect gateway.

Figure 2‑77 VPN User Group Configuration

User and user group settings, including source user.

  1. Select the Split Tunnel tab.

  1. On the Split Tunnel tab, on the Access Route tab:

    1. Under the Include list box, select Add; a new list item appears.

    2. In the new Include list item, enter 0.0.0.0/0. This enforces full tunneling.

Figure 2‑78 VPN Split Tunnel Configuration

Access route, with included and excluded addresses.

  1. Click OK.

  1. Click OK.

2.5.13.2 Configure GlobalProtect Portal

  1. In the Palo Alto Networks Portal, navigate to Network > GlobalProtect > Portal.

  2. Below the details pane, select Add; the GlobalProtect Portal Configuration form opens.

  3. In the GlobalProtect Portal Configuration form, on the General tab:

    1. In the Name field, enter a unique name to identify this GlobalProtect portal.

    2. In the Interface drop-down menu, select the physical interface connected to the subnet where the internet gateway device is located.

    3. In the IP Address Type drop-down menu, select IPv4 Only.

Figure 2‑79 GlobalProtect Portal Configuration

Network and appearance configuration settings, including IPv4 ethernet setting.

  1. Select the Authentication tab.

  2. In the Authentication tab:

    1. For the Server Authentication > SSL/TLS Service Profile drop-down menu, select the SSL/TLS service profile based on your third-party server certificate.

    2. For the Certificate Profile drop-down menu, select the client TLS/SSL profile associated with the internally trusted client certificates issued to mobile devices.

    3. Click Add.

    4. Enter a profile name. In this example implementation, Client Authentication was used.

    5. For the Authentication Profile drop-down menu, select the previously created authentication profile.

    6. Click OK.

Figure 2‑80 GlobalProtect Portal SSL/TLS Configuration

Authentication settings, including mobile lab username label.

  1. Select the Agent tab.

  2. On the Agent tab:

    1. Below the Agent list box, select Add; the Configs form will open.

    2. In the Configs form:

      1. In the Authentication tab, below Components that Require Dynamic Passwords, check the box next to Portal.

      2. In the External tab, under the External Gateways list box select Add; the External Gateway form opens.

      3. In the External Gateway form:

        1. In the Name field, enter a unique name to identify this external gateway.

        2. For the Address option, enter the FQDN for this appliance; in this sample implementation, the FQDN is vpn.govt.mdse.nccoe.org.

        3. Below the Source Region list box, select Add; a new list item appears.

        4. In the new Source Region list item, select Any.

        5. Select the Manual checkbox.

        6. Click OK.

Figure 2‑81 GlobalProtect External Gateway Configuration

Priority settings for gateways included in interface.

  1. Below the Trusted Root CA list box, select Add; a new list item appears.

  2. In the new Trusted Root CA list item, select your internal CA root certificate.

  3. Repeat Steps 7biii and 7biv to add each certificate in your internal or third-party certificate trust chains used when mobile devices contact the GlobalProtect portal.

  1. Click App. Ensure that Connect Method is set to User-logon (Always On).

Figure 2‑82 GlobalProtect Portal Agent Configuration

Agent settings including trusted root CA options.

  1. Click OK.

2.5.14 Configure Automatic Threat and Application Updates

  1. In the PAN-OS portal, navigate to Device > Dynamic Updates.

  2. Click Check Now at the bottom of the page.

  3. Under Applications and Threats, click Download next to the last item in the list, with the latest Release Date. It will take a minute to download the updates.

  4. When the download completes, click Done.

  5. Click Install next to the downloaded update.

  6. Click Continue Installation.

  7. When installation completes, click Close.

  8. Next to Schedule, click the link with the date and time.

Figure 2‑83 Schedule Link

Applications and threats last checked date and schedule.

  1. Select the desired recurrence. For this implementation, Weekly was used.

  2. Select the desired day and time. For this implementation, Saturday at 23:45 was used.

  3. Next to Action, select download-and-install.

Figure 2‑84 Threat Update Schedule

Interface to set threat update schedule, including date, time options.

  1. Click OK.

  2. Click Commit in the upper right-hand corner.

  3. In the popup window, click Commit.

2.6 Integration of Kryptowire EMM+S with MobileIron

Kryptowire’s application vetting service uses the MobileIron application programming interface (API) to regularly pull current device application inventory information from MobileIron Core. Updated analysis results are displayed in the Kryptowire portal.

2.6.1 Add MobileIron API Account for Kryptowire

The following steps will create an administrative account that will grant Kryptowire the specific permissions it requires within MobileIron.

  1. In the MobileIron Admin Portal, navigate to Devices & Users > Users.

  2. On the Users page:

    1. Select Add > Add Local User; the Add New User dialogue opens.

Figure 2‑85 MobileIron Users


  1. In the Add New User dialogue:

    1. In the User ID field, enter the user identity that the Kryptowire cloud will authenticate under; our implementation uses a value of kryptowire.

    2. In the First Name field, enter a generic first name for Kryptowire.

    3. In the Last Name field, enter a generic last name for Kryptowire.

    4. In the Display Name field, optionally enter a displayed name for this user account.

    5. In the Password field, provide the password that the Kryptowire identity will use to authenticate to MobileIron.

    6. In the Confirm Password field, enter the same password as in the preceding step.

    7. In the Email field, provide an email account for the Kryptowire identity; this could be used in configuring automatic notifications and should be an account under the control of your organization.

    8. Click Save.

Figure 2‑86 Kryptowire API User Configuration

MobileIron: Add New User Dialog Shows the Add New User form dialog. Prompts the user to provide a User ID, First Name, Last Name, Display Name, Password, Confirm Password, and Email for the new user. Displays data for creating a new user for integration with the Kryptowire EMM+S cloud service.

  1. In the MobileIron Admin Portal, navigate to Admin > Admins.

  2. On the Admins page:

    1. Enable the account you created for Kryptowire during Step 2.

    2. Select Actions > Assign to Space; this opens the Assign to Space dialogue for the Kryptowire account.

Figure 2‑87 MobileIron User List

MobileIron > Admin > Admins Shows the list of administrative MobileIron accounts with the 'Kryptowire 2 MobileIron API' user account highlighted.

  1. In the Assign to Space dialogue:

    1. In the Select Space drop-down menu, select Global.

Figure 2‑88 Kryptowire API User Space Assignment

MobileIron: Assign to Space - Kryptowire 2 MobileIron API Displays the Assign to Space form dialog to add Admin Space and Roles to the 'Kryptowire 2 Mobile API' user account. Shows assignment of Admin Space: Global.

  1. Enable each of the following settings:

    Admin Roles > Device Management > View device page, device details

    Admin Roles > Device Management > View dashboard

    Admin Roles > Privacy Control > View apps and ibooks in device details

    Admin Roles > Privacy Control > View device IP and MAC address

    Admin Roles > App Management > View app

    Admin Roles > App Management > View app inventory

    Other Roles > Common Services Provider (CSP)

    Other Roles > API

  2. Click Save.

2.6.2 Contact Kryptowire to Create Inbound Connection

Once the MobileIron API account has been created, contact Kryptowire customer support to integrate your instance of MobileIron Core. Note that this will require creation of firewall rules that permit inbound connections from IP addresses designated by Kryptowire to MobileIron Core on port 443. Once the connection has been established, the Kryptowire portal will populate with information on devices registered with MobileIron. The EMM (Enterprise Mobility Management) ID presented by Kryptowire will be the same as the Universally Unique ID assigned to a device by MobileIron Core.

Figure 2‑89 Kryptowire Device List

Kryptowire Portal Displays MobileIron-managed mobile devices synchronized through the Kryptowire EMM+S and MobileIron integration.

2.7 Integration of Lookout Mobile Endpoint Security with MobileIron

Lookout’s Mobile Endpoint Security cloud service uses the MobileIron API to pull mobile device details and app inventory from MobileIron Core. Following analysis, Lookout uses the API to apply specific labels to devices to categorize them by the severity of any issues detected. MobileIron can be configured to automatically respond to the application of specific labels per built-in compliance actions.

2.7.1 Add MobileIron API Account for Lookout

The following steps will create an administrative account that will grant Lookout the specific permissions it requires within MobileIron.

  1. In the MobileIron Admin Portal, navigate to Devices & Users > Users.

  2. On the Users page:

    1. Select Add > Add Local User; the Add New User dialogue opens.

Figure 2‑90 MobileIron User List

User list, including creation date.

  1. In the Add New User dialogue:

    1. In the User ID field, enter the user identity that the Lookout cloud will authenticate under. Our implementation uses a value of lookout.

    2. In the First Name field, enter a generic first name for Lookout.

    3. In the Last Name field, enter a generic last name for Lookout.

    4. In the Display Name field, optionally enter a displayed name for this user account.

    5. In the Password field, provide the password that the Lookout identity will use to authenticate to MobileIron.

    6. In the Confirm Password field, enter the same password as in the preceding step.

    7. In the Email field, provide an email account for the Lookout identity; since this may be used for alerts, it should be an account under the control of your organization.

    8. Click Save.

Figure 2‑91 MobileIron Lookout User Configuration

MobileIron: Add New User Dialog Shows the Add New User form dialog. Prompts the user to provide a User ID, First Name, Last Name, Display Name, Password, Confirm Password, and Email for the new user. Displays data for creating a new user for integration with the Lookout MTP cloud service.

  1. In the MobileIron Admin Portal, navigate to Admin.

  2. On the Admin page:

    1. Enable the account you created for Lookout during Step 2.

    2. Select Actions > Assign to Space; this opens the Assign to Space dialogue for the Lookout account.

Figure 2‑92 Lookout MobileIron Admin Account

MobileIron > Admin > Admins Displays the list of local administrative accounts, with the 'Lookout Cloud' account highlighted.

  1. In the Assign to Space dialogue:

    1. In the Select Space drop-down menu, select Global.

Figure 2‑93 Lookout Account Space Assignment

Displays the Assign to Space form dialog to add Admin Space and Roles to the 'Lookout Cloud' user account. Shows assignments of Admin Space: Global.

  1. Enable each of the following settings:

    Admin Roles > Device Management > View device page, device details

    Admin Roles > Device Management > View dashboard

    Admin Roles > Label Management > View Label

    Admin Roles > Label Management > Manage Label

    Admin Roles > Privacy Control > View apps and ibooks in device details

    Admin Roles > Privacy Control > View device IP and MAC address

    Admin Roles > App Management > Distribute app

    Admin Roles > Logs and Event Management > View Audit logs

    Admin Roles > Logs and Event Management > View events

    Other Roles > CSP

    Other Roles > Connector

    Other Roles > API

  2. Click Save.

2.7.2 Add MobileIron Labels for Lookout

Lookout will dynamically apply MobileIron labels to protected devices to communicate information about their current state. The following steps will create a group of Lookout-specific labels.

  1. In the MobileIron Admin Portal, navigate to Devices & Users > Labels.

  2. On the Labels page:

    1. Select Add Label; the Add Label dialogue appears.

Figure 2‑94 MobileIron Label List

MobileIron > Devices & Users > Labels Displays the list of MobileIron labels and the control for creating a new label.

  1. In the Add Label dialogue:

    1. In the Name field, enter the name of the label. Note: later steps use the label names given here, but use of these exact names is optional.

    2. In the Description field, enter a brief description for this label.

    3. For the Type option, select Manual; this hides all other form inputs.

    4. Click Save.

Figure 2‑95 MTP Low Risk Label Configuration

MobileIron : Add Label Dialog Displays the Add Label form dialog for a new label, 'MTP - Low Risk'. This is a Type: Manual label.

  1. Complete Step 2 for each label in the following table:

    Label Name              Purpose
    Lookout for Work        Device enrollment
    MTP - Pending           Lifecycle management: devices with Lookout not yet activated
    MTP - Secured           Lifecycle management: devices with Lookout activated
    MTP - Threats Present   Lifecycle management: devices with threats detected by Lookout
    MTP - Deactivated       Lifecycle management: devices with Lookout deactivated
    MTP - Low Risk          Risk posture: devices with a low risk score in Lookout
    MTP - Moderate Risk     Risk posture: devices with a moderate risk score in Lookout
    MTP - High Risk         Risk posture: devices with a high risk score in Lookout

Note: Administrators can choose to alter the label names to something more appropriate for their environment.

2.7.3 Add Lookout for Work for Android to MobileIron App Catalog

The following steps will add the Lookout for Work app for Android to MobileIron.

  1. In the MobileIron Admin Portal, navigate to Apps > App Catalog.

  2. On the App Catalog page, select Add; this starts the workflow to add a new app to the app catalog.

Figure 2‑96 MobileIron App Catalog

Displays the current App Catalog and the control to add a new app.

  1. On the App Catalog > Choose page:

    1. Select Google Play; additional controls will be displayed.

    2. In the Application Name field, enter Lookout for Work.

    3. Select Search; search results will be displayed in the lower pane.

    4. In the list of search results, select the Lookout for Work app.

    5. Select Next.

Figure 2‑97 Adding Lookout for Work to the MobileIron App Catalog

Displays search results of Lookout for Work from the Google Play store.

  1. On the App Catalog > Describe page:

    1. In Category drop-down menu, optionally assign the app to a category as appropriate to your MobileIron deployment strategy.

    2. Select Next.

Figure 2‑98 Lookout for Work Application Configuration

Shows the Describe page, which has descriptive details about the imported Lookout for Work app.

  1. On the App Catalog > App Configuration page:

    1. In the Apps@Work Catalog section, Enable Feature this App in the Apps@Work catalog.

Figure 2‑99 Lookout for Work Application Configuration

Shows the App Configuration page, which allows the MobileIron administrator to set app deployment options. Shown enabled settings for the Lookout for Work app are: Feature this App in the Apps@Work catalog.

  1. In the Android Enterprise (Android for Work [AFW]) section:

    1. Enable Install this app for Android enterprise; additional controls display.

    2. Enable Auto Update this App.

    3. Ensure Silently Install is enabled.

  2. Click Finish.

Figure 2‑100 Lookout for Work AFW Configuration

Shows the App Configuration page, which allows the MobileIron administrator to set app deployment options. Shown enabled settings for the Lookout for Work app are: Install this app for Android Enterprise and Auto Update this App

  1. The Lookout for Work app should now appear in the App Catalog with the AFW indicator.

2.7.4 Apply Labels to Lookout for Work for Android

  1. On the App Catalog page:

    1. Enable Lookout for Work.

    2. Select Actions > Apply To Labels; the Apply To Labels dialogue appears.

Figure 2‑101 Apply Lookout for Work to Android Devices

Shows activating the Apply to Labels feature to the Lookout for Work (Android) app in the App Catalog.

  1. In the Apply To Labels dialogue:

    1. Enable the Lookout for Work and Android labels, plus any other labels appropriate to your organization’s mobile security policies.

    2. Select Apply.

Figure 2‑102 Apply To Labels Dialogue

Shows the Apply To Labels form dialog with the Android and Lookout for Work labels highlighted.

  1. The Lookout for Work app appears with the Lookout for Work and Android labels applied.

Figure 2‑103 Lookout for Work with Applied Labels

Shows the App Catalog with the previously selected labels applied to the Lookout for Work (Android) app.

2.7.5 Add Lookout for Work app for iOS to MobileIron App Catalog

The following steps will add the Lookout for Work app for iOS to MobileIron, apply appropriate MobileIron labels, and create and upload a configuration file for one-touch activation of the app.

2.7.5.1 Import Lookout for Work App

  1. In the MobileIron Admin Portal, navigate to Apps > App Catalog.

  2. On the App Catalog page, select Add; this starts the workflow to add a new app to the app catalog.

Figure 2‑104 MobileIron App Catalog

Shows the App Catalog prior to adding the Lookout for Work (iOS).

  1. On the App Catalog > Choose page:

    1. Select iTunes; additional controls display.

    2. In the Application Name field, enter Lookout for Work.

    3. Select Search; the search results display in the lower pane.

    4. In the list of search results, select the Lookout for Work app.

    5. Select Next.

Figure 2‑105 Lookout for Work Selected From iTunes

Shows selecting the Lookout for Work (iOS) app from the iTunes store.

  1. On the App Catalog > Describe page:

    1. In Category drop-down menu, optionally assign the app to a category as appropriate to your MobileIron deployment strategy.

    2. Select Next.

Figure 2‑106 Lookout for Work App Configuration

Shows details about the Lookout for Work (iOS) app.

  1. On the App Catalog > App Store page:

    1. In the Apps@Work Catalog section:

      1. Enable Allow conversion of app from unmanaged to managed (iOS 9 or later).

      2. Enable Feature this App in the Apps@Work catalog.

      3. Select Next.

Figure 2‑107 Lookout for Work App Configuration

Shows deployment options for the Lookout for Work (iOS) app. Enabled options are: This is a Free App, Allow conversion of app from unmanaged to managed (iOS 9 or later), and Feature this App in the Apps@Work catalog.

  1. In the App Catalog > App Configuration section:

    1. Enable Send installation request or send convert unmanaged to managed app request (iOS 9 and later) on device registration or sign-in.

    2. Enable Advanced Settings > Automatically update app when new version is available.

  2. Click Finish.

Figure 2‑108 Lookout for Work Managed App Settings

Shows configuration options for the Lookout for Work (iOS) app. Enabled options are: Send installation request or send convert unmanaged to managed app request (iOS 9 or later) on device registration or sign-in, Advanced > Remove app when MDM profile is removed, and Advanced > Automatically update app when new version is available.

  1. The Lookout for Work app should now appear in the App Catalog with AFW indicator.

Figure 2‑109 App Catalog with Lookout for Work

Shows the list of apps in the App Catalog, including the newly-added Lookout for Work (iOS) app.

2.7.5.2 Apply MobileIron Labels to Lookout for Work App

  1. On the App Catalog page:

    1. Enable Lookout for Work.

    2. Select Actions > Apply To Labels; the Apply To Labels dialogue will appear.

Figure 2‑110 Lookout for Work Selected

Shows the App Catalog with the Lookout for Work (iOS) app highlighted.

  1. In the Apply To Labels dialogue:

    1. Enable the Lookout for Work and iOS labels, plus any other labels appropriate to your organization’s mobile security policies.

    2. Select Apply.

Figure 2‑111 Apply To Labels Dialogue

Shows the Apply To Labels form dialog with the iOS and Lookout for Work labels highlighted.

  1. The Lookout for Work app appears with the Lookout for Work and iOS labels applied.

Figure 2‑112 App Catalog with Lookout for Work

Shows the Lookout for Work (iOS) with the iOS and Lookout for Work labels applied.

2.7.5.3 Create Managed App Configuration File for Lookout for Work

MobileIron can push a configuration file down to managed iOS devices to allow users to activate Lookout for Work. The following steps will create and upload the necessary file.

  1. Using a plain text editor, create the following text file by replacing the asterisks on line 13 with your organization’s Global Enrollment Code.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
    "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>MDM</key>
        <string>MOBILEIRON</string>
        <key>DEVICE_UDID</key>
        <string>$DEVICE_UDID$</string>
        <key>EMAIL</key>
        <string>$EMAIL$</string>
        <key>GLOBAL_ENROLLMENT_CODE</key>
        <string>*******</string>
    </dict>
    </plist>

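To check the file before uploading it, the following added Python example (not from the guide, MobileIron or Lookout) generates the same managed app configuration plist with plistlib and validates it: the MobileIron substitution variables $DEVICE_UDID$ and $EMAIL$ must survive untouched, MDM must read MOBILEIRON, and GLOBAL_ENROLLMENT_CODE must no longer be the asterisk placeholder. The assumed enrollment code character set and the sample code value are constructed for illustration.

```python
import plistlib
import re

# Substitution variables MobileIron Core fills in when it pushes the file;
# they must reach the uploaded plist exactly as written.
MOBILEIRON_VARIABLES = {"DEVICE_UDID": "$DEVICE_UDID$", "EMAIL": "$EMAIL$"}
REQUIRED_KEYS = ("MDM", "DEVICE_UDID", "EMAIL", "GLOBAL_ENROLLMENT_CODE")
# Assumption: an enrollment code is letters, digits and hyphens; adjust to your tenant's format.
ENROLLMENT_CODE_RE = re.compile(r"^[A-Za-z0-9-]+$")


def build_managed_app_config(enrollment_code: str) -> bytes:
    """Return the XML plist (same keys as the file in Step 1) with the code filled in."""
    payload = {
        "MDM": "MOBILEIRON",
        "DEVICE_UDID": MOBILEIRON_VARIABLES["DEVICE_UDID"],
        "EMAIL": MOBILEIRON_VARIABLES["EMAIL"],
        "GLOBAL_ENROLLMENT_CODE": enrollment_code,
    }
    # sort_keys=False keeps the key order of the guide's file.
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=False)


def validate_managed_app_config(data: bytes) -> list:
    """Return a list of problems; an empty list means the file is ready to upload."""
    try:
        payload = plistlib.loads(data)
    except Exception as exc:  # not well-formed XML or not a property list at all
        return ["not a valid plist: %s" % exc]
    if not isinstance(payload, dict):
        return ["top-level element must be a <dict>"]
    problems = [f"missing key {key}" for key in REQUIRED_KEYS if key not in payload]
    if payload.get("MDM") != "MOBILEIRON":
        problems.append("MDM must be MOBILEIRON")
    for key, variable in MOBILEIRON_VARIABLES.items():
        if payload.get(key) != variable:
            problems.append(f"{key} must stay the substitution variable {variable}")
    code = payload.get("GLOBAL_ENROLLMENT_CODE")
    # A value made only of asterisks means the placeholder from Step 1 was never replaced.
    if not isinstance(code, str) or not code.strip("*"):
        problems.append("GLOBAL_ENROLLMENT_CODE is missing or still holds the asterisk placeholder")
    elif not ENROLLMENT_CODE_RE.match(code):
        problems.append("GLOBAL_ENROLLMENT_CODE contains unexpected characters")
    return problems


if __name__ == "__main__":
    # Constructed placeholder, not a real Lookout Global Enrollment Code.
    plist = build_managed_app_config("EXAMPLE-ENROLLMENT-CODE")
    print(plist.decode())
    print("problems:", validate_managed_app_config(plist))
    print("placeholder left in:", validate_managed_app_config(build_managed_app_config("*******")))
```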
  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Configurations.

  2. On the Configurations Page:

    1. Select Add New > iOS and OS X > iOS Only > Managed App Config; the New Managed App Config Setting dialogue opens.

Figure 2‑113 Importing Managed Application Configuration

MobileIron > Policies & Configs > Configurations Showing menu tree to activate Add New > iOS and MacOS > iOS Only > Managed App Config.

  1. In the Managed App Config Setting dialogue:

    1. In the Name field, provide a name for this configuration; our implementation used Activate Lookout.

    2. In the Description field, provide the purpose for this configuration.

    3. In the BundleId field, enter the bundle ID for Lookout for Work, which for our version was com.lookout.work.

    4. Select Choose File… to upload the plist file created during Step 1.

    5. Click Save.

Figure 2‑114 plist File Configuration

MobileIron: New Managed App Config Setting Dialog Showing the New Managed App Config Setting form dialog to activate Lookout for Work (iOS) using the PLIST file.

2.7.5.4 Apply Labels to Managed App Configuration for Lookout for Work

The following steps will apply the managed app configuration created in the previous section to labels.

  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Configurations.

  2. On the Configurations page:

    1. Enable the Activate Lookout managed app configuration created in the previous section.

    2. Select Actions > Apply To Label; the Apply To Label dialogue opens.

Figure 2‑115 Lookout Configuration Selected

MobileIron > Policies & Configs > Configurations Showing the list of configurations with the Activate Lookout configuration highlighted.

  1. In the Apply To Label dialogue:

    1. Enable the iOS and Lookout for Work labels.

    2. Select Apply.

Figure 2‑116 Apply To Label Dialogue

Showing the Apply To Label dialog with the iOS and Lookout for Work labels highlighted.

  1. The system should now reflect that the Lookout for Work and iOS labels have been applied to the Activate Lookout configuration.

Figure 2‑117 Lookout Configuration With Labels

Policies and configurations, including options to sort.

2.7.6 Add MDM Connector for MobileIron to Lookout MES

The following instructions will connect Lookout with your MobileIron instance and associate Lookout device states with the MobileIron labels created previously.

  1. Using the most recent list of MDM Service allowed IP addresses available from the Lookout support portal, configure your organization’s firewalls to permit inbound connections from those addresses on port 443 to your instance of MobileIron Core.

  2. In the Lookout MES portal, navigate to Lookout > System > Connectors.

  3. On the Connectors page:

    1. Select Add Connector > MobileIron; a new form opens.

Figure 2‑118 Add Lookout Connector Display

Lookout > System > Connectors Showing the page to add a connector for MobileIron.

  1. In the Connector Settings section of the form:

    1. For the MobileIron URL field, enter the FQDN for your instance of MobileIron. In our example implementation, the URL was mi-core.govt.mdse.nccoe.org.

    2. For the Username field, enter the User ID of the MobileIron admin account created in 2.7.1. In our example implementation, the User ID is lookout.

    3. For the Password field, enter the password associated with that MobileIron admin account.

    4. Select Create Connector; this enables additional sections of the form.

Figure 2‑119 Connector Settings

Lookout > System > Connectors: Connector Settings Showing the Connector Settings page with the MobileIron URL, Username, and Password used to authenticate to the MobileIron API.

  1. In the Enrollment Management section of the form:

    1. Toggle Device Enrollment > Automatically drive Lookout for Work enrollment on MobileIron managed devices to On.

    2. For the Device Enrollment > Use the following label to identify devices that should have the Lookout for Work app activated drop-down menu, select the Lookout for Work label.

    3. Toggle Device Enrollment > Automatically send activation emails to MobileIron managed devices to On.

    4. Select Save Changes.

Figure 2‑120 Connector Enrollment Settings

Lookout > System > Connectors: Device Enrollment Showing the Device Enrollment page, which has settings for how devices are enrolled and what actions should be taken upon unenrollment.

  1. In the State Sync section of the form:

    1. Toggle State Sync > Synchronize Device Status to MobileIron to On.

    2. For each entry in the table below:

      1. Toggle the control to On.

      2. From the drop-down menu, select the MobileIron Label with the associated Purpose from the table in Section 2.6.2 Add MobileIron Labels for Lookout. We provide the Label Name we used for each Purpose in our example implementation.

      | State                                       | Purpose                                                        | Label Name             |
      |---------------------------------------------|----------------------------------------------------------------|------------------------|
      | Devices that have not activated Lookout yet | Lifecycle management: devices with Lookout not yet activated   | MTP - Pending          |
      | Devices with Lookout activated              | Lifecycle management: devices with Lookout activated           | MTP - Secured          |
      | Devices on which Lookout is deactivated     | Lifecycle management: devices with Lookout deactivated         | MTP - Deactivated      |
      | Devices with any issues present             | Lifecycle management: devices with threats detected by Lookout | MTP - Threats Detected |
      | Devices with Low Risk issues present        | Risk posture: devices with a low risk score in Lookout         | MTP - Low Risk         |
      | Devices with Medium Risk issues present     | Risk posture: devices with a moderate risk score in Lookout    | MTP - Moderate Risk    |
      | Devices with High Risk issues present       | Risk posture: devices with a high risk score in Lookout        | MTP - High Risk        |

Note: Administrators can choose to alter the label names to something more appropriate for their environment.

  1. Select Save Changes.

Figure 2‑121 Connector Sync Settings

Lookout > System > Connectors: State Sync Showing the State Sync page in which the various detected device states are synchronized with specific MobileIron labels.

2.7.7 Configure MobileIron Risk Response

The following steps will allow MobileIron to generate responses to various device states as assigned to devices by Lookout (e.g., MTP - High Risk).

2.7.7.1 Add MobileIron App Control Rule

  1. In the MobileIron Admin Portal, navigate to Apps > App Control.

  2. Select Add; the Add App Control Rule dialogue appears.

  3. In the Add App Control Rule dialogue:

    1. In the Name field, enter Threats Present Trigger.

    2. Of the Type options, select Required.

    3. In the App Identifier/Name field enter app does not exist.

    4. In the Device Platform drop-down menu, select All.

    5. In the Comment field, optionally enter Forces non-compliant state.

    6. Click Save.

Figure 2‑122 MobileIron App Control Rule

MobileIron: Edit App Control Rule Dialog Shows the Edit App Control Rule form dialog for the Threats Present Trigger, which makes a non-existent app Required to force the device to be in a non-compliant state.

  1. The new app control rule should now appear on the Apps > App Control page.

Figure ‑ MobileIron App Control Rule

MobileIron > Apps > App Control Showing the created Threats Present Trigger.

2.7.7.2 Add MobileIron Compliance Actions

A Compliance Action defines what actions MobileIron will take when an App Control policy, like the one created in the previous section, is violated by a managed mobile device. The following steps will create and configure an example Compliance Action in response to the MTP - High Risk App Control rule. Note that a single Compliance Action can be associated with multiple App Control rules if the same response would be configured for each. Otherwise, a new Compliance Action should be created.

  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Compliance Actions.

  2. Select Add; the Add Compliance Action dialogue opens.

  3. In the Add Compliance Action dialogue:

    1. In the Name field, add a description of the compliance action; we recommend indicating the kind of action taken. This example illustrates creating a compliance action that will be associated with the MTP - High Risk label.

    2. Select the Enforce Compliance Actions Locally on Devices check box.

    3. Select the Send a compliance notification or alert to the user check box.

    4. Select the Block email access and AppConnect apps check box.

    5. Select the Quarantine the device check box.

    6. Deselect the Remove All Configurations check box.

    7. Click Save.

Figure 2‑124 MTP High Risk Compliance Action

MobileIron: Add Compliance Action Dialog Shows the Add Compliance Action form dialog for the MTP - High Risk compliance action.

2.7.7.3 Create MobileIron Security Policy for Lookout MES

In addition to potentially defining other controls, such as password requirements, a Security Policy can map a Compliance Action to an App Control rule, enabling MobileIron to execute the configured actions whenever a device that applies the policy violates the App Control rule. The following steps will create a new Security Policy for Lookout MES High Risk devices using an existing policy as a baseline from which to apply more stringent controls.

  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Policies.

  2. On the Policies page:

    1. Select the security policy to use as a baseline.

    2. Select More Actions > Save As; this opens the New Security Policy dialogue.

Figure 2‑125 Baseline Policy Selection

MobileIron > Policies & Configs > Policies Showing the list of MobileIron policies with a baseline security policy highlighted.


  1. In the New Security Policy dialogue:

    1. In the Name field, rename the policy to MTP - High Risk.

    2. In the Priority drop-down menu, select a current policy. The new policy will be prioritized based on the selection. In this example, the new policy is higher than the MTP Medium Risk policy. Note: for ease of setting priority, it is recommended to add new security policies in ascending order (lowest to highest priority).

Figure 2‑126 MTP High Risk Policy

MobileIron: New Security Policy Dialog Showing the New Security Policy form dialog for the MTP High Risk policy, showing a priority of Higher Than: MTP Medium Risk.

  1. Under Access Control > For All Platforms section:

    1. For the when a device violates the following app control rules drop-down menu, select the MTP - High Risk compliance action.

    2. In the Available list of app control rules, highlight MTP High Risk Trigger.

    3. Select the right arrow to move MTP High Risk Trigger item into the Enabled List.

  2. Click Save.

Figure 2‑127 Security Policy Trigger

Security policy, including rule types.

2.7.7.4 Apply Lookout MES Label to MobileIron Security Policy

The following steps will apply the MTP - High Risk label to the security policy created in the previous section. As a result, once the Lookout cloud service applies the label to any device with a detected high-risk threat and such a device checks in with MobileIron, the security policy will automatically be applied to it (provided it is of higher priority than the policy currently applied). In turn, that will cause the MTP High Risk Trigger App Control policy to be violated and the MTP - High Risk Compliance Action to be taken. Once Lookout detects that the threat has been resolved, the Lookout service will remove the MTP - High Risk label, and on device check-in, MobileIron will then apply the next-lower-priority security policy.

  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Policies.

  2. On the Policies page:

    1. Select the check box in the MTP High Risk security policy item.

    2. Select More Actions > Apply to Label; the Apply to Label dialogue opens.

Figure 2‑128 Policy List

MobileIron > Policies & Configs > Policies Showing the list of policies with the MTP High Risk policy highlighted.

  1. In the Apply to Label dialogue:

    1. Select the check box for the MTP - High Risk item.

    2. Select Apply.

Figure 2‑129 Apply To Label Dialogue

MobileIron: Apply To Labels Dialog Showing the Apply To Labels form dialog with the MTP - High Risk label highlighted.
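As an added illustration (a simplified model, not MobileIron's own logic), the following Python walks through the chain described in Section 2.7.7: a Lookout-assigned label selects the highest-priority security policy carrying that label, the Required app control rule for an app that does not exist forces non-compliance, and the mapped compliance action fires. Policy, rule and label names follow the guide; the priority numbers, the sample device and the misordered variant are constructed to show why the High Risk policy must outrank the policy it replaces.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class AppControlRule:
    name: str
    required_app: str  # a Required rule is violated whenever this app is not installed


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    priority: int                     # higher value wins when several policies apply
    label: str                        # the label this policy has been applied to
    rule: Optional[AppControlRule] = None
    compliance_actions: FrozenSet[str] = frozenset()


# Names from the guide; the priority numbers are constructed for the model.
THREATS_PRESENT_TRIGGER = AppControlRule("Threats Present Trigger", "app does not exist")
HIGH_RISK_ACTIONS = frozenset({"notify user", "block email and AppConnect apps", "quarantine device"})

# Added in ascending order, as the guide recommends: higher risk, higher priority.
POLICIES = (
    SecurityPolicy("Baseline", 10, "iOS"),
    SecurityPolicy("MTP Medium Risk", 20, "MTP - Moderate Risk"),
    SecurityPolicy("MTP - High Risk", 30, "MTP - High Risk", THREATS_PRESENT_TRIGGER, HIGH_RISK_ACTIONS),
)
# Constructed misconfiguration: the High Risk policy ranked below the baseline.
MISORDERED = tuple(
    SecurityPolicy(p.name, 5, p.label, p.rule, p.compliance_actions) if p.name == "MTP - High Risk" else p
    for p in POLICIES
)


def effective_policy(device_labels: Iterable[str], policies: Iterable[SecurityPolicy]) -> Optional[SecurityPolicy]:
    """A device gets exactly one security policy: the highest-priority one whose label it carries."""
    labels = set(device_labels)
    applicable = [p for p in policies if p.label in labels]
    return max(applicable, key=lambda p: p.priority) if applicable else None


def evaluate_device(device_labels, installed_apps, policies) -> Tuple[Optional[str], FrozenSet[str]]:
    """Return (policy name, compliance actions triggered) for one device check-in."""
    policy = effective_policy(device_labels, policies)
    if policy is None:
        return None, frozenset()
    if policy.rule is None or policy.rule.required_app in installed_apps:
        return policy.name, frozenset()            # compliant: nothing to enforce
    return policy.name, policy.compliance_actions  # Required app absent: rule violated


def threat_lifecycle(installed_apps, policies):
    """Walk one device through Lookout applying and then removing the High Risk label."""
    return [
        evaluate_device({"iOS"}, installed_apps, policies),                     # before detection
        evaluate_device({"iOS", "MTP - High Risk"}, installed_apps, policies),  # label applied
        evaluate_device({"iOS"}, installed_apps, policies),                     # threat resolved
    ]


if __name__ == "__main__":
    apps = {"com.lookout.work"}  # constructed sample inventory
    for step, result in zip(("clean", "high risk", "resolved"), threat_lifecycle(apps, POLICIES)):
        print(f"{step:10} -> policy={result[0]!r}, actions={sorted(result[1])}")
    # With the priorities misordered the label is applied but never takes effect.
    print("misordered high-risk check-in ->", evaluate_device({"iOS", "MTP - High Risk"}, apps, MISORDERED))
```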

2.8 Integration of Appthority Mobile Threat Detection with MobileIron

Appthority provides an on-premises connector for MobileIron that runs as a Docker container on RedHat Linux. The connector uses the MobileIron API to obtain information on managed devices and their installed apps and synchronizes that information with the Appthority cloud service instance to obtain app and device risk scores, which are then assigned to devices using custom attributes. The following sections provide the steps to create a MobileIron API account and deploy and configure the Appthority connector.

2.8.1 Create MobileIron API Account for Appthority Connector

The following steps will create an administrative account that will grant Appthority the specific permissions it requires within MobileIron.

  1. In the MobileIron Admin Portal, navigate to Devices & Users > Users.

  2. On the Users page:

    1. Select Add > Add Local User; the Add New User dialogue opens.

    2. In the Add New User dialogue:

      1. In the User ID field, enter the user identity the Appthority connector will authenticate under. Our implementation uses a value of Appthority.

      2. In the First Name field, enter a generic first name for Appthority.

      3. In the Last Name field, enter a generic last name for Appthority.

      4. In the Display Name field, optionally enter a displayed name for this user account.

      5. In the Password field, provide the password the Appthority identity will use to authenticate to MobileIron.

      6. In the Confirm Password field, enter the same password as in the preceding step.

      7. In the Email field, provide an email account for the Appthority identity; this should be an account under the control of your organization.

      8. Click Save.

Figure 2‑130 Appthority User Settings

MobileIron: Add New User Dialog Shows the Add New User form dialog. Prompts the user to provide a User ID, First Name, Last Name, Display Name, Password, Confirm Password, and Email for the new user. Displays data for creating a new user for integration with the Appthority MTP cloud service.

  1. In the MobileIron Admin Portal, navigate to Admin.

  2. On the Admin page:

    1. Enable the account you created for Appthority during Step 2.

    2. Select Actions > Assign to Space; this opens the Assign to Space dialogue for the Appthority account.

Figure 2‑131 Appthority Connector User

MobileIron > Admin > Admins Shows the list of administrative accounts for MobileIron with the 'Appthority Connector' user highlighted.

  1. In the Assign to Space dialogue:

    1. In the Select Space drop-down menu, select Global.

Figure 2‑132 Appthority Connector Space Assignment

Showing the Assign to Space form dialog for the 'Appthority Connector' administrative account. This account has been assigned to the Global Space.

  1. Enable each of the following settings:

Device Management > View device page, device details

Privacy Control > View apps and ibooks in device details

App Management > Apply and remove application label

Other Roles > API

  1. Click Save.

2.8.2 Deploy Appthority Connector Open Virtualization Appliance

One deployment option for the Appthority connector is a pre-built RedHat virtual machine distributed as an Open Virtualization Appliance (OVA). We imported the OVA into our virtual lab environment following guidance provided in Connector On-Premises: Virtual Machine Setup available from the Appthority support portal: https://support.appthority.com/.

2.8.3 Run the Enterprise Mobility Management Connector Deployment Script

Once the Appthority Docker container is running, the setup script will configure it to use the MobileIron API account created previously. Detailed instructions on using the script are available on the Appthority support portal at https://help-mtp.appthority.com/SetUp/EMM/EMM_Script/RunEMMDeployScript.html. The first two steps ask for Appthority-supplied credentials necessary to verify your subscription and to link the connector with the correct instance of their cloud service. In the third step you will provide details to integrate with your on-premises instance of MobileIron Core. Our results from completing the third step are shown below.

  1. Obtain a copy of Run the EMM Connector Deployment Script from the Appthority support portal at https://help-mtp.appthority.com/SetUp/EMM/EMM_Script/RunEMMDeployScript.html (authentication to the portal is required).

  2. Execute the script. The third step in the script involves providing settings to enable the Appthority Connector to communicate with MobileIron Core. The results of our completion of that step are provided below as a reference.

Figure 2‑133 Appthority Connector CLI Configuration

Showing our results from selection 3 (Configure EMM Settings) while running the Appthority EMM Connector Script.

  1. Once the script has been completed, verify successful synchronization with the Appthority cloud service by accessing the Appthority MTP portal and navigating to Admin > EMM and viewing items under Connector Status.

Figure 2‑134 Appthority EMM Connector Status

Appthority MTP Portal > Admin > EMM Showing the current status of the connector between the Appthority MTP service and the on-premises connector.

2.9 Registering Devices with MobileIron Core

In this scenario, the employee manages their own personal apps, data, and many device functions. The organization manages work-related apps and data, and has control over specific device functions, such as requiring a complex device unlock PIN or being able to remotely wipe a lost device. The mechanisms to achieve similar security characteristics between iOS and Android devices differ.

2.9.1 Supervising and Registering iOS Devices

Many MDM-based security controls are only applicable to iOS devices that are running in Supervised Mode. The following steps outline how to place an iOS device into this mode, and then register with MobileIron Core.

2.9.1.1 Resetting the iOS Device

Before a device can be placed into Supervised Mode, it must be in a factory-reset state with the Activation Lock on the device removed. If Activation Lock is in place, Configurator 2 will be unable to place the device into Supervised Mode.

2.9.1.1.1 Reset an Unsupervised Device Using Settings App

If a device is not already in Supervised Mode, it is recommended to have the current device user manually reset and activate the device to factory settings using the following steps:

  1. Navigate to Settings > General > Reset.

  2. Select Erase All Content and Settings.

Figure 2‑135 iOS Reset Screen

iOS > Settings > General > Reset Displays options for the reset of content and data on the device.

  1. At the warning that this will delete all media and data and reset all settings, select Erase iPhone.

Figure 2‑136 Erase iPhone Confirmation

iOS > Settings > General > Reset: Warning Prompt to the user to confirm their intention to delete all media and data and reset all device settings.

  1. At the warning that all media, data, and settings will be irreversibly erased, select Erase iPhone. Once the reset process is complete, the device will reboot and need to be activated.

Figure 2‑137 Erase iPhone Final Confirmation

iOS > Settings > General > Reset: Warning Prompt to the user to confirm their intention to irrevocably delete all media, data, and all device settings.

  1. Once the device displays the Hello screen, press the Home key.

  2. At the Select Your Language screen, select English.

  3. At the Select Your Country or Region screen, select United States.

  4. At the Quick Start screen select Set up Manually.

  5. At the Choose a Wi-Fi Network screen, select the Service Set Identifier (SSID) for the network and authenticate to your on-premises SSID Wi-Fi network; the device should indicate it is being activated. Note: you may need to attempt activation again if there is a delay in the device establishing connectivity to the internet.

  6. Stop at the Data & Privacy screen. At this point, the device should be placed into Supervised Mode using Configurator 2.

2.9.1.1.2 Reset a Supervised Device Using Configurator 2

  1. Connect the iOS device with the system running Configurator 2 over Universal Serial Bus (USB).

  2. On the device at the Enter Passcode screen (if locked), enter the device unlock passcode.

Figure 2‑138 Entering iOS Passcode

iOS Lock Screen Prompt to the user to enter the passcode to unlock the device.

  1. At the Trust this Computer? dialogue, select Trust. Note that this step, along with the step that follows, is only encountered the first time a device is paired with a given system.

Figure 2‑139 iOS Trust Computer Confirmation

iOS: Trust This Computer? dialog Dialog asking the user to confirm that they want iOS to trust the connected computer.

  1. At the Enter Device Passcode to Trust This Computer screen:

    1. Enter the device unlock passcode.

    2. Click OK.

Figure 2‑140 Entering Passcode to Trust Computer

iOS > Enter Device Passcode to Trust This Computer Prompt to enter the device passcode to give the connected computer access to its data and settings.

  1. In Configurator 2, select the representation of the connected device.

  2. From the context menu, select Advanced > Erase All Content and Settings.

  3. At the Are you sure you want to erase “<device name>”? dialogue, select Erase.

Figure 2‑141 Configurator 2 Erase Confirmation

Configurator 2: Erase Device Warning Prompt to the user to confirm their intention to delete all media, data, and settings from the connected iOS device.

  1. At the License Agreement screen:

    1. Review the license agreement.

    2. Select Accept to agree to the license and continue using the software.

  2. Configurator 2 will take several minutes to restore the device to factory default settings. Configurator 2 will also activate the device following restoration.

Figure 2‑142 Restoring iPhone

Configurator 2: Restoring iOS Shows the progress of the restoration of iOS to the connected iOS device.

2.9.1.2 Placing an iOS Device into Supervised Mode

iOS devices that have been factory reset and subsequently activated (the Activation Lock has been removed) can be placed into Supervised Mode using software available from Apple, Configurator 2, by the following steps:

  1. Pair the target iOS device with the system running Configurator 2 over USB.

  2. Navigate to Configurator 2 > Unsupervised; a representation of the connected device should appear.

  3. On the All Devices tab:

    1. Select the representation of the paired device.

    2. From the context menu, select Prepare; a wizard opens to guide the process.

  4. For the Prepare Devices step:

    1. Enable Supervise Devices.

    2. Select Next.

Figure 2‑143 Device Preparation Options

Configurator 2: Prepare Devices Shows basic options for how a connected iOS device should be prepared. The Supervise devices option is shown as enabled.

  1. For the Enroll in MDM Server step:

    1. Ensure the Server drop-down menu has Do not enroll in MDM selected.

    2. Select Next.

Figure 2‑144 MDM Server Selection

Configurator 2: Enroll in MDM Server Menu to optionally configure an MDM server; set to Do not enroll in MDM.

  1. For the Sign into the Device Enrollment Program step, select Skip.

Figure 2‑145 Signing into Apple Account

Apple ID sign in, with option to create a new ID.

  1. For the Assign to Organization step:

    1. If you have previously created your organization, select Next and continue with Step 9.

    2. If you have not created your organization, from the Organization drop-down menu, select New Organization…

Figure 2‑146 Organization Assignment Dialogue

Configurator 2: Assign to Organization Showing option to create a new organization to associate with Configurator 2.

  1. At the Create an Organization screen:

    1. In the Name field, enter the name of your organization.

    2. In the Phone field, enter an appropriate support number for your mobility program.

    3. In the Email field, enter an appropriate support email for your mobility program.

    4. In the Address field, enter the address for your organization.

    5. Select Next.

Figure 2‑147 Creating an Organization

Organization information is entered on this screen for organization name, phone, email and address.

  1. If your organization has established a digital identity for placing devices into Supervised Mode:

    1. Continue with Step 10. Note that the same digital identity must be used for any given device.

    2. Otherwise, continue with Step 14.

  2. In the Create an Organization screen:

    1. For the Generate or choose a supervision identity option, select Choose an existing supervision identity.

    2. Select Next.

Figure 2‑148 Supervisory Identity Configuration

Configurator 2: Create an Organization Showing the choice to use an existing digital identity for supervising devices with Configurator 2.

  1. Select Choose…

Figure 2‑149 Organization Selection

Configurator 2: Create an Organization Shows the initial empty selection of a digital certificate to use as the supervision identity in Configurator 2.

  1. At the Choose a supervising identity for the organization dialogue:

    1. Select the digital certificate from the list of those available to the system.

    2. Select Choose.

Figure 2‑150 Supervising Identity Selection

Displays developer information.

  1. At the Create an Organization screen, select Next.

Figure 2‑151 Selected Organization

Displays organization information, including developer name.

  1. In the Create an Organization screen:

    1. For the Generate or choose a supervision identity option, select Generate a new supervision identity.

    2. Select Next.

Figure 2‑152 Create an Organization Supervision Identity Configuration

Configurator 2: Create an Organization Shows selection of the option to generate a new supervision identity for Configurator 2.

  1. For the Configure iOS Setup Assistant step:

    1. Ensure the Setup Assistant drop-down menu shows Show only some steps selected; additional options will appear.

    2. Enable each of the Privacy, Passcode, Apple ID, and Location Services check-boxes.

    3. Select Prepare.

Figure 2‑153 Setup Assistant Configuration

Configurator 2: Configure iOS Setup Assistant Shows the Privacy, Passcode, Apple ID, and Location Services steps as enabled for new device setup.

  1. Configurator 2 will take several minutes to prepare the device and place it into Supervised Mode.

Figure 2‑154 Waiting for iPhone

Preparing iPhone dialog Shows the progress in preparing the connected iOS device.

2.9.1.3 Registration with MobileIron Core

The following steps will register an iOS device in Supervised Mode with MobileIron Core, which uses a web-based process rather than the Mobile@Work app.

  1. Using Safari, navigate to the MobileIron Core registration page, replacing <FQDN> with the fully qualified domain name of your organization’s instance of MobileIron Core. In our example implementation, the resulting URL is https://mi-core.govt.mdse.nccoe.org/go.

Figure 2‑155 iOS Device MobileIron Registration Page

Registration page for username and password.

  1. At the warning that the web site is trying to open Settings to show a configuration profile, select Allow; the Settings built-in app opens.

Figure 2‑156 Opening Settings Confirmation

iOS > Safari: Website is trying to open Settings prompt Prompt to the user to accept or ignore an attempt by the website to open Settings and show a configuration profile.

  1. At the Settings > Install Profile screen:

    1. Verify the Signed by field indicates the server identity is Verified.

    2. Select Install.

Figure 2‑157 Profile Installation

iOS > Settings > General: Install Profile Screen showing basic information for the configuration profile sent by MobileIron core to the mobile device.

  1. At the Installing Profile screen, select Install.

Figure 2‑158 Profile Installation

iOS > Settings > General: Installing Profile Prompt to verify the user's intention to install the configuration profile.

  1. At the Warning screen:

    1. Verify that information under Root Certificate and MDM is consistent with information provided by your mobile device administrator.

    2. Select Install.

Figure 2‑159 Profile Installation Warning

Profile installation warning, including root certificate information.

  1. In the Remote Management dialogue, select Trust.

Figure 2‑160 Profile Installation Trust Confirmation

iOS > Settings > General: Remote Management dialog Prompt to the user to grant trust to the configuration profile and accept remote management.

  1. At the Profile Installed screen, select Done. The device is now registered with MobileIron.

Figure 2‑161 Profile Installation Confirmation

iOS > Settings > General: Profile Installed Screen showing details for the installed configuration profile signed by mi-core.govt.mdse.nccoe.org.

2.9.2 Activating Lookout for Work on iOS

The configuration of the Lookout for Work (iOS) app in the MobileIron app catalogue causes a configuration file to be included during the automatic install.

Upon launching the app, additional action is required to grant Lookout for Work the permissions necessary for it to provide optimal protection.

  1. Launch the Lookout for Work app; activation occurs silently at the splash screen.

Figure 2‑162 Lookout for Work Splash Screen

Lookout for Work Splash screen Splash screen of the Lookout for Work (iOS) app.

  1. At the welcome screen, select Continue.

Figure 2‑163 Lookout for Work Permission Information

Lookout for Work: Permissions Informational screen in the Lookout for Work (iOS) app about permissions it will require and how they are used by Lookout.

  1. At the “Lookout Work” Would Like to Send You Notifications dialogue, select Allow.

Figure 2‑164 Notifications Permissions Prompt

Lookout Work Notifications dialog Request by Lookout for Work (iOS) app for permission to access notification services.

  1. At the Allow “Lookout Work” To Access Your Location? dialogue, select Always Allow.

Figure 2‑165 Locations Permission Prompt

Lookout for Work: Location dialog Request by Lookout for Work (iOS) to access location services.

  1. Lookout for Work should automatically perform scans of device and app activity and provide feedback to the user.

Figure 2‑166 Lookout for Work Home Screen

Lookout for Work View of the app following analysis of risks to the device, including installed apps, network connections, and device behavior.

2.9.3 Provisioning Work-Managed Android Devices with a Work Profile

In this scenario, Android devices are deployed as work-managed with a work profile. Enabling this feature for AFW-capable devices requires a change to the AFW configuration. It also requires that the device user already has a personal Google account to provision the work profile; it is not created as part of the workflow to register a device with MobileIron Core.

2.9.3.1 Enable Work Profile on Work-Managed Devices

  1. In the MobileIron Admin Portal, navigate to Policies & Configs > Configurations.

  2. Enable the check box in the row for the AFW configuration.

  3. In the Configuration Details pane, select Edit.

Figure 2‑167 MobileIron AFW Configuration

MobileIron Core Admin Portal > Policies & Configs > Configurations The Android for Work configuration has focus.

  4. In the Edit Android enterprise (all modes) Setting dialogue:

    1. Enable the Enable Managed Devices with Work Profile on the devices option.

    2. Enable Add Google account.

    3. In the Google Account text box, provide a valid Google domain account. The example in our reference implementation will map a MobileIron user ID of gema to an email address of mdse.gema@gmail.com. This needs to be done for each user. See MobileIron Core 9.4.0.0 Device Management Guide for AFW for a list of variables to appropriately adapt this field to your existing identity management strategy.

    4. Click Save.

Figure 2‑168 AFW Configuration

Edit Android enterprise (all modes) Setting dialog Highlights the location of form controls used to enable usage of Managed Device with Work Profile on the devices.

2.9.3.2 Registering Android Devices

The following steps can only be completed when working with an Android device that is still set to (or has been reset to) factory default settings.

  1. When prompted to sign in with your Google Account:

    1. In the Email or phone field, enter afw#mobileiron.core.

    2. Select Next.

Figure 2‑169 MobileIron Enrollment Process

Google: Sign In Authentication page requesting the Google Account to be associated with the device.

  2. When AFW prompts you to install Mobile@Work, select Install; this downloads the Mobile@Work client to the device.

Figure 2‑170 AFW Enrollment

Android for Work: Install Mobile@Work User is prompted to install the MobileIron Mobile@Work client.

  3. At the prompt to install MobileIron, select Install.

Figure 2‑171 MobileIron Installation

Android: Install MobileIron Prompt for the user to confirm their intention to install MobileIron.

  4. At the Set up your device screen, select Accept.

Figure 2‑172 Accepting AFW Terms and Conditions

Android for Work: Set up your device Prompt to the user to accept device administration by the MobileIron app.

  5. This screen notifies the user of the data that Mobile@Work collects and how it is used. When this information has been reviewed, select Accept. Mobile@Work minimizes and returns to the operating system home screen.

Figure 2‑173 MobileIron Privacy Information

Mobile@Work privacy notice Information to the user about what information Mobile@Work collects and how that information is used.

  6. When MobileIron sends a Configuration Required notification, select the notification.

Figure 2‑174 MobileIron Configuration Required Notification

MobileIron Configuration Required notification Message to the user to configure MobileIron.

  7. On the Device Status > Create Work Profile screen, select Continue.

Figure 2‑175 MobileIron Device Status

Device Status > Create Work Profile Informs the user that their organization requires creation of a work profile.

  8. At the AFW prompt, select Continue.

Figure 2‑176 AFW Configuration

Android for Work (AFW) dialog Confirmation the user wants to create an AFW profile.

  9. AFW notifies the user that it is creating the personal workspace. The next two screens repeat Steps 3 and 4 as above.

Figure 2‑177 AFW Workspace Creation

Creating Workspace Status screen showing the progress of profile creation.

  10. At the Device Status > Work Profile Lock Preferences screen, select Continue.

Figure 2‑178 MobileIron Work Profile Lock Preferences

Device Status > Work Profile Lock Preferences Notice to the user that their organization requires a lock code be created on the profile.

  11. The user will be prompted to create a passcode to protect the AFW container.

  12. At the Device Status > Add Google Account screen, select Continue.

Figure 2‑179 MobileIron Google Account Configuration

Google account information displayed, including Gmail account address.

  13. The user will be prompted to authenticate to the same Google domain account mapped to their MobileIron account based on the email address set in the AFW configuration in MobileIron Core. In our example implementation, the mapped Google account is mdse.gema@gmail.com.

  14. Once the Mobile@Work app has been provisioned with the user’s account, the Device Status screen should appear; the device has now successfully been provisioned into MobileIron.

Figure 2‑180 MobileIron Device Status

Mobile@Work > Device Status Screen showing details of the registered device.
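An administrator validating this procedure on a test device will usually want a check that is independent of what the Mobile@Work UI reports. The script below is an added example; it is not part of NIST SP 1800-21C and is not MobileIron code. It parses the output of `adb shell dumpsys device_policy` (USB debugging required on the test device) and classifies the enrollment mode: a work-managed device with a work profile should show both a Device Owner and a Profile Owner for the work profile's user. The sample dumpsys text is constructed for the example, and the Mobile@Work package name and admin receiver class in it are assumptions.

```shell
#!/bin/sh
# Added example (not from NIST SP 1800-21C or MobileIron): classify an Android
# device's enrollment mode from `adb shell dumpsys device_policy` output.
# Expected state after Section 2.9.3.2: a Device Owner (work-managed) AND a
# Profile Owner for the work profile user, both held by the EMM client.

# Constructed sample of dumpsys output; real output contains many more lines.
# The package name and admin receiver class for Mobile@Work are assumptions.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.mobileiron/com.mobileiron.receiver.MIDeviceAdmin}
    name=
    package=com.mobileiron
  Profile Owner (User 10):
    admin=ComponentInfo{com.mobileiron/com.mobileiron.receiver.MIDeviceAdmin}
    name=
    package=com.mobileiron
  Enabled Device Admins (User 0, provisioningState: 3):
  Enabled Device Admins (User 10, provisioningState: 3):'

# Print the package holding the Device Owner role, or nothing if there is none.
# Only the indented block directly under "Device Owner:" is inspected.
device_owner_pkg() {
  printf '%s\n' "$1" | awk '
    /^  Device Owner:/ { in_do = 1; next }
    in_do && /^    package=/ { sub(/^    package=/, ""); print; exit }
    in_do && /^  [^ ]/ { exit }'
}

# Print the user id(s) that have a Profile Owner (i.e. managed/work profiles).
profile_owner_users() {
  printf '%s\n' "$1" | sed -n 's/^  Profile Owner (User \([0-9]*\)):.*/\1/p'
}

# Classify the device: both roles present means work-managed with work profile.
enrollment_mode() {
  do_pkg=$(device_owner_pkg "$1")
  po_users=$(profile_owner_users "$1")
  if [ -n "$do_pkg" ] && [ -n "$po_users" ]; then
    echo "work-managed-with-work-profile"
  elif [ -n "$do_pkg" ]; then
    echo "work-managed"
  elif [ -n "$po_users" ]; then
    echo "work-profile-only"
  else
    echo "unmanaged"
  fi
}

# Usage: ./check_enrollment.sh         (runs against the constructed sample)
#        ./check_enrollment.sh --live  (reads a connected device through adb)
if [ "${1:-}" = "--live" ]; then
  enrollment_mode "$(adb shell dumpsys device_policy)"
else
  enrollment_mode "$SAMPLE_DUMPSYS"
fi
```

Run with `--live` against a freshly enrolled test device and compare the printed mode with the deployment you intended; a result of `work-managed` alone indicates the work profile was never created (for example, because the Enable Managed Devices with Work Profile option was not saved in the AFW configuration), and `unmanaged` indicates enrollment did not complete.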