NIST SPECIAL PUBLICATION 1800-22C

Mobile Device Security:

Bring Your Own Device (BYOD)

Volume C:

How-to Guides


Kaitlin Boeckl

Nakia Grayson

Gema Howell

Naomi Lefkovitz

Applied Cybersecurity Division

Information Technology Laboratory


Jason Ajmo

R. Eugene Craft

Milissa McGinnis*

Kenneth Sandlin

Oksana Slivina

Julie Snyder

Paul Ward

The MITRE Corporation

McLean, VA


*Former employee; all work for this publication done while at employer



September 2023


FINAL


This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-22


nccoenistlogos




DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-22C Natl. Inst. Stand. Technol. Spec. Publ. 1800-22C, 99 pages, (September 2023), CODEN: NSPUE2

FEEDBACK

As a private-public partnership, we are always seeking feedback on our practice guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at mobile-nccoe@nist.gov.

All comments are subject to release under the Freedom of Information Act.

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899
Email: nccoe@nist.gov

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in information technology security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cyber Security Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland.

To learn more about the NCCoE, visit https://www.nccoe.nist.gov/. To learn more about NIST, visit
https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

This Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate enhancing the security of bring your own device (BYOD) solutions. This reference design is modular and can be deployed in whole or in part.

This guide contains four volumes:

  • NIST SP 1800-22A: Executive Summary

  • NIST SP 1800-22B: Approach, Architecture, and Security Characteristics – what we built and why

  • NIST SP 1800-22 Supplement: Example Scenario: Putting Guidance into Practice – how organizations can implement this example solution’s guidance

  • NIST SP 1800-22C: How-To Guides – instructions for building the example solution

ABSTRACT

Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices. This practice guide provides an example solution demonstrating how to enhance security and privacy in Android and Apple phones and tablets used in BYOD deployments.

Incorporating BYOD deployments into an organization can increase the opportunities and methods available to access organizational resources. For some organizations, the combination of traditional in-office processes with mobile device technologies enables portable communication approaches and adaptive workflows. For others, it fosters a mobile-first approach in which their employees communicate and collaborate primarily using their mobile devices.

However, some of the features that make BYOD mobile devices increasingly flexible and functional also present unique security and privacy challenges to both organizations and device owners. The unique nature of these challenges is driven by the differing risks posed by the type, age, operating system (OS), and other variances in mobile devices.

Enabling BYOD capabilities in the enterprise introduces new cybersecurity risks. Solutions that are designed to secure corporate devices and on-premises data do not provide an effective cybersecurity solution for BYOD. Finding an effective solution can be challenging due to the unique risks that BYOD deployments impose. Additionally, enabling BYOD capabilities introduces new privacy risks to employees by providing their employer a degree of access to their personal devices, opening up the possibility of observation and control that would not otherwise exist.

To help organizations benefit from BYOD’s flexibility while protecting themselves from critical security and privacy challenges, this practice guide provides an example solution using standards-based, commercially available products and step-by-step implementation guidance.

KEYWORDS

Bring your own device; BYOD; mobile device management; mobile device security.

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name

Organization

Donna Dodson*

NIST

Joshua M. Franklin*

NIST

Dylan Gilbert

NIST

Jeff Greene*

NIST

Natalia Martin

NIST

William Newhouse

NIST

Cherilyn Pascoe

NIST

Murugiah Souppaya

NIST

Kevin Stine

NIST

Chris Brown

The MITRE Corporation

Nancy Correll*

The MITRE Corporation

Spike E. Dog

The MITRE Corporation

Sallie Edwards

The MITRE Corporation

Parisa Grayeli

The MITRE Corporation

Marisa Harriston*

The MITRE Corporation

Brian Johnson*

The MITRE Corporation

Karri Meldorf

The MITRE Corporation

Steven Sharma*

The MITRE Corporation

Jessica Walton

The MITRE Corporation

Erin Wheeler*

The MITRE Corporation

Dr. Behnam Shariati

University of Maryland, Baltimore County

Jeffrey Ward*

IBM

Cesare Coscia*

IBM

Chris Gogoel

Kryptowire (now known as Quokka)

Tom Karygiannis*

Kryptowire (now known as Quokka)

Jeff Lamoureaux

Palo Alto Networks

Sean Morgan

Palo Alto Networks

Kabir Kasargod

Qualcomm

Viji Raveendran

Qualcomm

Mikel Draghici*

Zimperium

*Former employee; all work for this publication done while at employer.

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator

Build Involvement

IBM

Mobile Device Management

Kryptowire (now known as Quokka)

Application Vetting

Palo Alto Networks

Firewall; Virtual Private Network

Qualcomm

Trusted Execution Environment

Zimperium

Mobile Threat Defense

DOCUMENT CONVENTIONS

The terms “shall” and “shall not” indicate requirements to be followed strictly to conform to the publication and from which no deviation is permitted. The terms “should” and “should not” indicate that among several possibilities, one is recommended as particularly suitable without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited. The terms “may” and “need not” indicate a course of action permissible within the limits of the publication. The terms “can” and “cannot” indicate a possibility and capability, whether material, physical, or causal.

PATENT DISCLOSURE NOTICE

NOTICE: The Information Technology Laboratory (ITL) has requested that holders of patent claims whose use may be required for compliance with the guidance or requirements of this publication disclose such patent claims to ITL. However, holders of patents are not obligated to respond to ITL calls for patents and ITL has not undertaken a patent search in order to identify which, if any, patents may apply to this publication.

As of the date of publication and following call(s) for the identification of patent claims whose use may be required for compliance with the guidance or requirements of this publication, no such patent claims have been identified to ITL.

No representation is made or implied by ITL that licenses are not required to avoid patent infringement in the use of this publication.

List of Figures

Figure 1‑1 High-Level Build Architecture

Figure 2‑1 Post-Deployment Configuration

Figure 2‑2 PasswordMax Registry Configuration

Figure 2‑3 NDES Domain Bindings

Figure 2‑4 Cloud Extender Architecture

Figure 2‑5 Old Cloud Extender Interface

Figure 2‑6 Cloud Extender Service Account Details

Figure 2‑7 Administrator Settings

Figure 2‑8 Administrator Configuration Options

Figure 2‑9 Cloud Extender SCEP Configuration

Figure 2‑10 Cloud Extender Certificate Properties

Figure 2‑11 Enterprise Binding Settings Confirmation

Figure 2‑12 Where to Click to Download the Public Key

Figure 2‑13 MDM configuration in Apple Business Manager

Figure 2‑14 Creating the DEP token

Figure 2‑15 VPP token in MaaS360

Figure 2‑16 iOS Enrollment Configuration

Figure 2‑17 Android GlobalProtect Application Compliance

Figure 2‑18 Zimperium MaaS360 Integration Configuration

Figure 2‑19 Zimperium zIPS iOS Configuration

Figure 2‑20 Zimperium zIPS Android Configuration

Figure 2‑21 Add Alert Button

Figure 2‑22 Zimperium Risk Posture Alert Configuration

Figure 2‑23 DNS Proxy Object Configuration

Figure 2‑24 Original Packet Network Address Translation Configuration

Figure 2‑25 Certificate Profile

Figure 2‑26 Custom URL Category

Figure 2‑27 URL Filtering Profile

Figure 2‑28 URL Filtering Security Policy

Figure 2‑29 Generating the Root CA

Figure 2‑30 Blocked Website Notification

Figure 2‑31 Service Route Configuration

Figure 2‑32 LDAP Server Profile

Figure 2‑33 LDAP Group Mapping

Figure 2‑34 LDAP User Authentication Profile

Figure 2‑35 Configured Tunnel Interfaces

Figure 2‑36 SSL VPN Tunnel Interface Configuration

Figure 2‑37 GlobalProtect iOS Authentication Profile

Figure 2‑38 LDAP Authentication Group Configuration

Figure 2‑39 VPN Zone Configuration

Figure 2‑40 GlobalProtect Portal General Configuration

Figure 2‑41 GlobalProtect Portal Authentication Configuration

Figure 2‑42 GlobalProtect Portal Agent Authentication Configuration

Figure 2‑43 GlobalProtect Portal Agent Configuration

Figure 2‑44 Captive Portal Configuration

Figure 2‑45 GlobalProtect Portal

Figure 2‑46 Downloaded Threats and Applications

Figure 2‑47 Schedule Time Hyperlink

Figure 2‑48 Application and Threats Update Schedule

Figure D‑1 Contact Created in Work Profile

Figure D‑2 Personal Profile Can’t See Work Contacts

Figure D‑3 Contact Created in Managed App

Figure D‑4 Unmanaged App Can’t See Managed Contacts

Figure D‑5 Fictitious Phishing Webpage Blocked

Figure D‑6 iOS MaaS360 OS Compliance Alert

Figure D‑7 Zimperium Risk Detected

Figure D‑8 Kryptowire Application Report

Figure D‑9 Android Passcode Configuration

Figure D‑10 iOS Passcode Configuration

Figure D‑11 Zimperium Detecting Disabled Lock screen

Figure D‑12 Application Report with Hardcoded Credentials

Figure D‑13 Attempting to Access the VPN on an Unmanaged iOS Device

Figure D‑14 Attempting to Access the VPN on an Unmanaged Android Device

Figure D‑15 Attempting to Access the VPN on a Managed Android Device

Figure D‑16 Selective Wiping a Device

Figure D‑17 Selective Wipe Complete

Figure D‑18 Corporate Data Removal Confirmation Notification on iOS

Figure D‑19 Work Profile Removal Notification on Android

Figure D‑20 iOS DLP Configuration Options

Figure D‑21 Android DLP Configuration

Figure D‑22 Attempting to Paste Text on iOS Between Unmanaged and Managed Apps

Figure D‑23 Selective Wipe

Figure D‑24 Application Inventory Information

Figure D‑25 Location Information Restricted

Figure D‑26 Non-Administrator Failed Portal Login

Figure D‑27 Admin Login Settings

Figure D‑28 Administrator Levels

Figure D‑29 Mobile Device Information Collection Notification

Figure D‑30 Mobile Device Information Collection Notification

Figure D‑31 Privacy and Information Access of the Application

Figure D‑32 Application Analysis

1 Introduction

The following volumes of this guide show information technology (IT) professionals and security engineers how we implemented this example solution. We cover all of the products employed in this reference design. We do not re-create the product manufacturers’ documentation, which is presumed to be widely available. Rather, these volumes show how we incorporated the products together in our environment.

Note: These are not comprehensive tutorials. There are many possible service and security configurations for these products that are out of scope for this reference design.

1.1 Practice Guide Structure

This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate enhancing the security of bring your own device (BYOD) solutions. This reference design is modular and can be deployed in whole or in part.

This guide contains four volumes:

Depending on your role in your organization, you might use this guide in different ways:

Business decision makers, including chief security and technology officers, will be interested in the Executive Summary, NIST SP 1800-22A*, which describes the following topics:

  • challenges that enterprises face in managing the security of BYOD deployments

  • the example solution built at the NCCoE

  • benefits of adopting the example solution

Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in NIST SP 1800-22B, which describes what we did and why. The following sections will be of particular interest:

You might share the Executive Summary, NIST SP 1800-22A, with your leadership team members to help them understand the importance of adopting standards-based BYOD solutions.

IT professionals who want to implement an approach like this will find this whole practice guide useful. You can use this How-To portion of the guide, NIST SP 1800-22C, to replicate all or parts of the build created in our lab. This How-To portion of the guide provides specific product installation, configuration, and integration instructions for implementing the example solution. We do not recreate the product manufacturers’ documentation, which is generally widely available. Rather, we show how we incorporated the products together in our environment to create an example solution.

This guide assumes that IT professionals have experience implementing security products within the enterprise. While we have used a suite of commercial products to address this challenge, this guide does not endorse these particular products. Your organization can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a BYOD solution. Your organization’s security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. We hope that you will seek products that are congruent with applicable standards and best practices. Volume B, Section 4.3, Technologies that Support the Security and Privacy Objectives of the Example Solution, lists the products that we used and maps them to the cybersecurity controls provided by this reference solution.

For those who would like to see how the example solution can be implemented, this practice guide contains an example scenario about a fictional company called Great Seneca Accounting. The example scenario shows how BYOD objectives can align with an organization’s priority security and privacy capabilities through NIST risk management standards, guidance, and tools. It is provided in this practice guide’s supplement, NIST SP 1800-22 Example Scenario: Putting Guidance into Practice.

A NIST Cybersecurity Practice Guide does not describe “the” solution, but a possible solution. This is a draft guide. We seek feedback on its contents and welcome your input. Comments, suggestions, and success stories will improve subsequent versions of this guide. Please contribute your thoughts to mobile-nccoe@nist.gov.

1.2 Build Overview

In our lab at the National Cybersecurity Center of Excellence (NCCoE), NIST engineers built an environment that contains an example solution for managing the security of BYOD deployments. In this guide, we show how an enterprise can leverage this example solution’s concepts to implement Enterprise Mobility Management (EMM), mobile threat defense, application vetting, secure boot/image authentication, and virtual private network (VPN) services in support of a BYOD solution.

These technologies were configured to protect organizational assets and end-user privacy, providing methodologies to enhance the data protection posture of the adopting organization. The standards, best practices, and certification programs that this example solution is based upon help ensure the confidentiality, integrity, and availability of enterprise data on mobile systems.

1.3 Typographic Conventions

The following table presents typographic conventions used in this volume.

Typeface/Symbol

Meaning

Example

Italics

file names and path names; references to documents that are not hyperlinks; new terms; and placeholders

For language use and style guidance, see the NCCoE Style Guide.

Bold

names of menus, options, command buttons, and fields

Choose File > Edit.

Monospace

command-line input, onscreen computer output, sample code examples, and status codes

mkdir

Monospace Bold

command-line user input contrasted with computer output

service sshd start

blue text

link to other parts of the document, a web URL, or an email address

All publications from NIST’s NCCoE are available at https://www.nccoe.nist.gov.

Acronyms can be found in Appendix A.

1.4 Logical Architecture Summary

Figure 1-1 shows the components of the build architecture and how they interact on a high level.

Figure 1‑1 High-Level Build Architecture

The architecture that was developed for the practice guide.

2 Product Installation Guides

This section of the practice guide contains detailed instructions for installing and configuring all the products used to build an instance of the example solution.

This guide assumes that a basic active directory (AD) infrastructure has been configured. The domain controller (DC) is used to authenticate users when enrolling devices as well as when connecting to the virtual private network (VPN). In this implementation, the domain enterprise.mds.local was used.

2.1 Network Device Enrollment Services Server

A Network Device Enrollment Service (NDES)/Simple Certificate Enrollment Protocol (SCEP) server was used to issue client certificates to new devices that were enrolled by using MaaS360. This guide assumes that a basic AD and certificate authority (CA) are in place, containing a root and subordinate CA, and that their certificates have been exported.

2.1.1 NDES Configuration

This section outlines configuration of an NDES that resides on its own server. Alternatively, the NDES can be installed on the SUB-CA. This section assumes a new domain-attached Windows Server is running.

  1. From the Server Manager, select Manage > Add Roles and Features.

  2. Click Next three times until Server Roles is highlighted.

  3. Check the box next to Active Directory Certificate Services.

  4. Click Next three times until Role Services is highlighted.

  5. Uncheck Certification Authority. Check Network Device Enrollment Service.

  6. Click Add Features on the pop-up.

  7. Click Next three times.

  8. Click Install.

  9. When the installation completes, click the flag in the upper right-hand corner, and click Configure Active Directory Certificate Services.

Figure 2‑1 Post-Deployment Configuration

Post-deployment configuration popup, which is displayed when clicking the flag with the warning triangle next to it.

  1. Specify the credentials of a Domain Administrator. Click Next.

Note: The domain administrator credentials are required only to configure the NDES. Once the service is configured, the service is executed as the NDES service account, which does not require domain administrator permissions, created in step 12 below.

  1. Check Network Device Enrollment Service. Click Next.

  2. Configure an NDES service account by performing the following actions:

    1. On the active directory server, open Active Directory Users and Computers.

    2. Click Users and create a new user for the service. For this example, it will be named NDES. Be sure the password never expires.

    3. On the NDES server, open Edit local users and groups.

    4. Click Groups. Right-click IIS_IUSRS, click Add to Group, and click Add.

    5. Search for the service account name—in this case, NDES. Click Check Names, then click OK if no errors were displayed.

    6. Click Apply and click OK.

    7. Close all windows except the NDES configuration window.

  3. Click Select next to the box and enter the service account credentials. Click Next.

  4. Because the NDES runs on its own server, we will target it at the SUB-CA. Select Computer name and click Select. Type in the computer name—in this case, SUB-CA. Click Check Names, and if no errors occurred, click OK.

  5. Click Next three times.

  6. Click Configure.

  7. On the SUB-CA, open the Certification Authority application.

  8. Expand the SUB-CA node, right-click on Certificate Templates, and click Manage.

  9. Right-click on IPSec (Offline Request) and click Duplicate Template.

  10. Under the General tab, set the template display name to NDES.

  11. Under the Security tab, click Add.

  12. Select the previously configured NDES service account.

  13. Click OK. Ensure the NDES service account is highlighted, and check Read and Enroll.

  14. Click Apply.

  15. In the Certification Authority program, right-click on Certificate Templates, and select New > Certificate Template to Issue.

  16. Select the NDES template created in step 24.

  17. Click OK.

  18. On the NDES server, open the Registry Editor (regedit).

  19. Expand the following key: HKLM\SOFTWARE\Microsoft\Cryptography.

  20. Select the MSCEP key and update all entries besides (Default) to be NDES.

  21. Expand the following key: HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP.

  22. Right-click on MSCEP and select New > Key. Name it PasswordMax.

  23. Right-click on the newly created key and select New > DWORD (32-bit) Value.

  24. Name it PasswordMax and give it a value of 0x00003e8. This increases the NDES password cache to 1,000 entries instead of the default 5. This value can be further adjusted based on NDES demands.

Figure 2‑2 PasswordMax Registry Configuration

The Windows Registry, with the PasswordMax key selected, showing the PasswordMax value set to 0x000003e8.

Note: The PasswordMax key governs the maximum number of NDES passwords that can reside in the cache. A password is cached when a valid certificate request is received, and it is removed from the cache when the password is used or when 60 minutes have elapsed, whichever occurs first. If the PasswordMax key is not present, the default value of 5 is used.

  1. In an elevated command prompt, execute %windir%\system32\inetsrv\appcmd set config /section:requestFiltering /requestLimits.maxQueryString:8192 to increase the maximum query string. This prevents requests longer than 2,048 bytes from being dropped.

  2. Open the Internet Information Services (IIS) Manager.

  3. On the left, expand NDES > Sites, and select Default Web Site.

  4. On the right, click Bindings…

  5. Click Add.

  6. Below Host Name, enter the host name of the server. For this implementation, ndes.enterprise.mds.local was used.

  7. Click OK.

Figure 2‑3 NDES Domain Bindings

The NDES server IIS site bindings, showing it bound to all hosts on port 80, as well as ndes.enterprise.mds.local on port 80.

  1. Click Close and close the IIS Manager.

  2. In an elevated command prompt, execute iisreset, or reboot the NDES server.

2.2 International Business Machines MaaS360

International Business Machines (IBM) contributed an instance of MaaS360 to deploy as the mobile device management (MDM) solution.

2.2.1 Cloud Extender

The IBM MaaS360 Cloud Extender is installed within the AD domain to provide AD and lightweight directory access protocol (LDAP) authentication methods for the MaaS360 web portal, as well as corporate VPN capabilities. The cloud extender architecture [C1], as shown in Figure 2‑4, gives a visual overview of how information flows between the web portal and the MaaS360 Cloud Extender.

Figure 2‑4 Cloud Extender Architecture

The cloud extender architecture, showing how the cloud extender connects to MaaS360 over the internet.

2.2.1.1 Cloud Extender Download

  1. Log in to the MaaS360 web portal.

  2. Click Setup > Cloud Extender.

  3. Click the link that says Click here to get your License Key. The license key will be emailed to the currently logged-in user’s email address.

  4. Click the link that says Click here to download the Cloud Extender. Save the binary.

  5. Move the binary to a machine behind the corporate firewall that is always online. Recommendation: Install it while logged in as a domain user on a machine that is not the domain controller.

  6. Install .NET 3.5 Features in the Server Manager on the machine where the MaaS360 Cloud Extender will run.

2.2.1.2 Cloud Extender Active Directory Configuration

  1. On the target machine, run the installation binary.

  2. Enter the license key when prompted.

  3. Proceed through the setup until the Cloud Extender Configuration Utility opens.

  4. If using the old cloud extender interface, click Switch to Modern.

Figure 2‑5 Old Cloud Extender Interface

Cloud extender configuration tool landing page, using the basic UI and the configuration options for the proxy.

  1. Enable the toggle below User Authentication.

  2. Create a new authentication profile by entering the username, password, and domain of the created service account.

Figure 2‑6 Cloud Extender Service Account Details

Cloud extender service account configuration. Username, password, and domain name configuration.

  1. Click Next.

  2. (optional) Use the next page to test the active directory integration.

  3. Click Save.

  4. In MaaS360, navigate to Setup > Cloud Extender. Ensure that configuration information is displayed, indicating that the MaaS360 Cloud Extender is running.

2.2.1.3 MaaS360 Portal Active Directory Authentication Configuration

  1. Log in to the MaaS360 web portal as an administrator.

  2. Go to Setup > Settings.

  3. Expand Administrator Settings and click Advanced.

Figure 2‑7 Administrator Settings

Administrator settings for login settings, including single sign-on and strong authentication configuration.

  1. Select Configure Federated Single Sign-on.

  2. Select Authenticate against Corporate User Directory.

  3. Next to Default Domain, enter the active directory domain. In this implementation, enterprise.mds.local was used.

  4. Check the box next to Allow existing Administrators to use portal credentials as well.

  5. Check the box next to Automatically create new Administrator accounts and update roles based on user groups.

  6. Under User Groups, enter the distinguished name of the group(s) that should be allowed to log in. In this implementation, CN=Domain Admins, CN=Users, DC=enterprise, DC=mds, DC=local was used.

  7. Next to the box, select Administrator–Level 2. This allows domain admins to log in as MaaS360 administrators.

Figure 2‑8 Administrator Configuration Options

Administrator configuration options with the user group DN filled in.

  1. Click Save.

2.2.1.4 Cloud Extender NDES Integration

To properly generate device certificates, MaaS360 must be integrated with the on-premises public key infrastructure (PKI).

  1. Log in to the server running the MaaS360 Cloud Extender.

  2. Launch the Cloud Extender Configuration Tool.

  3. Toggle the button below Certificate Integration.

  4. Click Add New Template.

  5. Ensure Microsoft CA and Device Identity Certificates are selected.

  6. Click Next.

  7. Enter NDES for the Template Name and SCEP Default Template.

  8. Enter the uniform resource locator (URL) of the NDES server next to SCEP Server.

  9. Enter credentials of a user with enroll permissions on the template for Challenge Username and Challenge Password. For this demo implementation, we use the NDES service account.

Figure 2‑9 Cloud Extender SCEP Configuration

Cloud extender SCEP configuration, showing the template name, SCEP server hostname, SCEP server challenge type, challenge username, and challenge password.

  1. Click Next.

  2. (optional) Check the box next to Cache certs on Cloud Extender and specify a cache path on the machine.

Figure 2‑10 Cloud Extender Certificate Properties

Cloud extender certificate properties, showing subject name, subject alternative name, and optional certificate caching configuration.

  1. Click Next.

  2. (optional) Enter values for uname and email and generate a test certificate to test the configuration.

  3. Click Save.

Note: If a file access message appears, delete the file, and re-save the file.

2.2.2 Android Enterprise Configuration

A Google account was used to provision Android Enterprise on the mobile devices. A managed domain can be used, but in this use case it was not necessary. A managed domain is necessary only if the corporation already has data stored in Google’s cloud.

  1. Create a Google account if you do not have one you wish to bind with.

  2. From the MaaS360 portal, navigate to Setup > Services.

  3. Click Mobile Device Management.

  4. Check the box next to Enable Android Enterprise Solution Set.

  5. Enter your password and click Enable.

  6. Click Mobile Device Management.

  7. Click the radio button next to Enable via Managed Google Play Accounts (no G Suite).

  8. Ensure all pop-up blockers are disabled. Click the link on the word here.

  9. Enter your password and click Enable.

  10. In the new page that opens, ensure you are signed into the Google account you wish to bind.

  11. Click Get started.

  12. Enter your business name and click Next.

  13. If General Data Protection Regulation compliance is not required, scroll to the bottom, check the I agree box, and click Confirm. If compliance is required, fill out the requested information first.

  14. Click Complete Registration.

  15. Confirm binding on the Setup page under Mobile Device Management. The settings should look like Figure 2‑11, where the blurred-out portion is the Google email address used to bind.

Figure 2‑11 Enterprise Binding Settings Confirmation

The Enterprise Bindings configuration within MaaS360, with "Enable Android Enterprise Solution Set" and "Managed Google Play" options both selected.

2.2.3 iOS APNs Certificate Configuration

For the iOS Apple Push Notification services (APNs) certificate configuration, the build team followed the IBM documentation.

2.2.4 Apple User Enrollment (UE) Configuration

The following sections detail the configuration process for Apple User Enrollment, which enables BYOD on iOS devices.

2.2.4.1 Apple Business Manager (ABM) Configuration

  1. In MaaS360, navigate to Setup > Settings > Enrollment Programs, and click Configure next to Apple Device Enrollment Program.

  2. In the popup, click Continue.

  3. Click Tokens > Add Token.

  4. In the popup, give the token a name and click on the here link in step 2 of the popup to download the public key file.

Figure 2‑12 Where to Click to Download the Public Key

Token management screen.

  1. In Apple Business Manager, sign in with an administrator account.

  2. Click the user’s name in the bottom left corner > Settings.

  3. Click Add next to “Your MDM Servers” and enter a unique name for the server.

  4. Upload the public key certificate file downloaded in step (4), then click Save.

  5. Click Download Token to save the server token.

Figure 2‑13 MDM configuration in Apple Business Manager

MDM Server information.

  1. In MaaS360, click Browse and select the token downloaded in step (9).

  2. Click Add.

Figure 2‑14 Creating the DEP token

Apple Business Manager token management.

  1. In Apple Business Manager, click the user’s name in the bottom left corner and click Payments and Billing.

  2. Under Server Tokens, click the token that corresponds to the Apple Business Manager tenant and save the token.

  3. In MaaS360, navigate to Apps > Catalogue. Click More > Apple VPP Licenses.

  4. Click Add Token and give the token a name. Click Browse and select the token file downloaded in step (13).

  5. Click Policies and configure the VPP token policy based on organizational requirements.

  6. Click Distribution and configure based on organizational requirements.

  7. Click Submit.

Figure 2‑15 VPP token in MaaS360

VPP token information including users and user groups.

2.2.4.2 MaaS360 Configuration

  1. In the MaaS360 web portal, navigate to Setup > Settings.

  2. Navigate to Device Enrollment Settings > Advanced.

  3. Under Advanced Management for Apple Devices > Select default enrollment mode for managing employee owned (BYOD) devices, select the radio button next to User enrollment mode.

  4. Scroll to the top of the page and click Save.

Figure 2‑16 iOS Enrollment Configuration

The iOS enrollment configuration in MaaS360, with the "User enrollment mode" radio button selected.

2.2.5 Android Configuration

The following sections detail the configuration policies applied to enrolled Android devices.

2.2.5.1 Policy Configuration

  1. Navigate to Security > Policies.

  2. Click the appropriate deployed Android policy.

  3. Click Edit.

  4. Navigate to Android Enterprise Settings > Passcode.

  5. Check the box next to Configure Passcode Policy.

  6. Configure the passcode settings based on corporate requirements.

  7. Navigate to Android Enterprise Settings > Restrictions.

  8. Check the box next to Configure Restrictions.

  9. Configure restrictions based on corporate requirements.

  10. Click Save.

2.2.5.2 VPN Configuration

  1. Navigate to Security > Policies.

  2. Click the currently deployed Android device policy.

  3. Click Edit.

  4. Navigate to Android Enterprise Settings > Certificates.

  5. Check the box next to Configure CA Certificates.

  6. Click Add New.

  7. Give the certificate a name, such as Internal Root.

  8. Click Browse and navigate to the exported root CA certificate from earlier in the document.

  9. Click Save.

  10. Select Internal Root from the drop-down next to CA Certificate.

  11. Click the + icon on the far right.

  12. Repeat steps 6–10 with the internal sub-CA certificate.

  13. Check the box next to Configure Identity Certificates.

  14. From the drop-down next to Identity Certificate, select the profile that matches the name configured on the MaaS360 Cloud Extender—for this example, NDES.

  15. Click Save and Publish and follow the prompts to publish the updated policy. Click Apps.

  16. Click Add > Android > Google Play App.

  17. Select the radio button next to Add via Public Google Play Store.

  18. Search for GlobalProtect.

  19. Select the matching result.

  20. Click I Agree when prompted to accept the permissions.

  21. Check the three boxes next to Remove App on.

  22. Check the box next to Instant Install.

  23. Select All Devices next to Distribute to.

  24. Click Add.

  25. Next to the newly added GlobalProtect application, select More > Edit App Configurations.

  26. Click Check for Settings.

  27. Next to Portal, enter the GlobalProtect portal address. In this implementation, vpn.ent.mdse.nccoe.org was used.

  28. Next to Username, enter %username%.

  29. Next to Connection Method, enter user-logon. (Note: This will enable an always-on VPN connection for the work profile. The user will always see the VPN key icon, but it will apply only to applications contained within the work profile.)

  30. Click Save and follow the prompts to update the application configuration.

  31. Navigate to Security > Policies.

  32. Click the used Android policy.

  33. Select Android Enterprise Settings > App Compliance.

  34. Click Edit.

  35. Click the + on the row below Configure Required Apps.

  36. Enter the App Name, GlobalProtect.

  37. Enter the App ID, com.paloaltonetworks.globalprotect.

  38. Click Save And Publish and follow the prompts to publish the policy.

Figure 2‑17 Android GlobalProtect Application Compliance

Configure Applications Compliance image within MaaS360.

2.2.6 iOS Configuration

The following sections detail the configuration policies applied to enrolled iOS devices.

2.2.6.1 Policy Configuration

  1. Navigate to Security > Policies.

  2. Click the deployed iOS policy.

  3. Click Edit.

  4. Check the box next to Configure Passcode Policy.

  5. Check the box next to Enforce Passcode on Mobile Device.

  6. Configure the rest of the displayed options based on corporate requirements.

  7. Click Restrictions.

  8. Check the box next to Configure Device Restrictions.

  9. Configure restrictions based on corporate requirements.

  10. Click Save.

2.2.6.2 VPN Configuration

  1. Click Device Settings > VPN.

  2. Click Edit.

  3. Next to Configure for Type, select Custom SSL.

  4. Enter a name next to VPN Connection Name. In this sample implementation, Great Seneca VPN was used.

  5. Next to Identifier, enter com.paloaltonetworks.globalprotect.vpn.

  6. Next to Host name of the VPN Server, enter the URL of the VPN endpoint without http or https.

  7. Next to VPN User Account, enter %username%.

  8. Next to User Authentication Type, select Certificate.

  9. Next to Identity Certificate, select the name of the certificate profile created during the NDES configuration steps. In this sample implementation, NDES was used.

  10. Next to Custom Data 1, enter allowPortalProfile=0.

  11. Next to Custom Data 2, enter fromAspen=1.

  12. Next to Apps to use this VPN, enter the application identifications (IDs) of applications to go through the VPN. This will be the applications deployed to the devices as work applications.

  13. Next to Provider Type, select Packet Tunnel.

  14. In Apple Business Manager, click Apps and Books.

  15. Search for GlobalProtect.

  16. Select the non-legacy search result.

  17. Select the business’s location and enter the desired number of licenses (installations) and click Get.

  18. In MaaS360, navigate to Apps > Catalog.

  19. Navigate to More > Apple VPP Licenses.

  20. In the VPP line, select More > Sync. Follow the confirmation pop-ups to confirm the sync with Apple Business Manager.

  21. Navigate to Apps > Catalog.

  22. Click Add > iOS > iTunes App Store App.

  23. Search for GlobalProtect.

  24. Select the non-Legacy version.

  25. Click Policies and Distribution.

  26. Check all three boxes next to Remove App on.

  27. Select All Devices next to Distribute to.

  28. Check the box next to Instant Install.

  29. Click Add.

  30. Navigate to Security > Policies.

  31. Click the used iOS policy.

  32. Click Application Compliance.

  33. Click Edit.

  34. Click the + next to the first row under Configure Required Applications.

  35. Search for GlobalProtect.

  36. Select the non-Legacy result.

  37. Navigate to Advanced Settings > Certificate Credentials.

  38. Check the box next to Configure Credentials for Adding Certificates on the Device.

  39. Click Add New.

  40. Give the certificate a name, such as Internal Root.

  41. Click Browse and navigate to the exported root CA certificate from earlier in the document.

  42. Click Save.

  43. Select Internal Root from the drop-down next to CA Certificate.

  44. Click the + icon on the far right.

  45. Repeat steps 33–35 with the internal sub-CA certificate.

  46. From the drop-down next to Identity Certificate, select the profile that matches the name configured on the MaaS360 Cloud Extender—for this example, NDES.

  47. Click Save And Publish and follow the prompts to publish the policy.

2.3 Zimperium

Zimperium was used as a mobile threat defense service via a MaaS360 integration.

Note: For Zimperium automatic enrollment to function properly, users must have an email address associated with their MaaS360 user account.

2.3.1 Zimperium and MaaS360 Integration

This section assumes that IBM has provisioned an application programming interface (API) key for Zimperium within MaaS360.

  1. Log in to the zConsole.

  2. Navigate to Manage > MDM.

  3. Select Add MDM > MaaS360.

  4. Fill out the MDM URL, MDM username, MDM password, and API key.

Note: For the MDM URL, append the account ID to the end. For example, if the account ID is 12345, the MDM URL would be https://services.fiberlink.com/12345.

  1. Check the box next to Sync users.

Figure 2‑18 Zimperium MaaS360 Integration Configuration

Zimperium MDM integration configuration options, including URL and Username.

  1. Click Next.

  2. Select the MaaS360 groups to synchronize with Zimperium. In this case, All Devices was selected.

  3. Click Finish. Click Sync Now to synchronize all current MaaS360 users and devices.

2.3.2 Automatic Device Activation

Note: This requires contacting Zimperium support to get required application configuration values.

  1. In Apple Business Manager, click Apps and Books.

  2. Search for Zimperium zIPS.

  3. Select the non-legacy search result.

  4. Select the business’s location and enter the desired number of licenses (installations) and click Get.

  5. In MaaS360, navigate to Apps > Catalog.

  6. Navigate to More > Apple VPP Licenses.

  7. In the VPP line, select More > Sync. Follow the confirmation pop-ups to confirm the sync with Apple Business Manager.

  8. Click Apps on the navigation bar.

  9. Click Add > iOS > iTunes App Store App.

  10. Search for Zimperium zIPS. Click the result that matches the name.

  11. Click Policies and Distribution.

  12. Check the three checkboxes next to Remove App on.

  13. Next to Distribute to, select All Devices.

  14. Click Configuration.

  15. Set App Config Source to Key/Value.

  16. The configuration requires three parameters: uuid, defaultchannel, and tenantid. uuid can be set to %csn%, but defaultchannel and tenantid must come from Zimperium support.

Figure 2‑19 Zimperium zIPS iOS Configuration

Zimperium iOS configuration options in MaaS360.

  1. Click Add.

  2. Click Add > Android > Google Play App.

  3. Select the radio button next to Add via Public Google Play Store.

  4. Search for Zimperium Mobile IPS (zIPS).

  5. Click the matching result.

  6. Click I Agree when prompted to accept permissions.

  7. Click Policies and Distribution.

  8. Check all three boxes next to Remove App on.

  9. Check Instant Install.

  10. Select All Devices next to Distribute to.

  11. Click App Configurations.

  12. Check Configure App Settings.

  13. Enter the values provided by Zimperium next to Default Acceptor and Tenant.

  14. Next to MDM Device ID, insert %deviceid%.

  15. Adjust any other configuration parameters as appropriate for your deployment scenario.

Figure 2‑20 Zimperium zIPS Android Configuration

Zimperium Android configuration options in MaaS360.

  1. Click Add.

2.3.3 Enforce Application Compliance

From the IBM MaaS360 web portal:

  1. Navigate to Security > Policies.

  2. Select the default Android policy.

  3. Navigate to Android Enterprise Settings > App Compliance.

  4. Click Edit.

  5. Check the box next to Configure Required Apps if not checked already. If it is, click the + icon.

  6. Enter com.zimperium.zips as the App ID.

  7. Click Save And Publish. This will prevent the user from uninstalling zIPS once it is installed.

  8. Navigate to Security > Policies.

  9. Select the default iOS policy.

  10. Click Application Compliance.

  11. Click Edit.

  12. Check the box next to Configure Required Applications if not checked already. If it is, click the + icon.

  13. Enter Zimperium zIPS for the Application Name.

  14. Click Save And Publish and follow the prompts to publish the policy.

2.3.4 MaaS360 Risk Posture Alerts

  1. From the MaaS360 home screen, click the + button that says Add Alert.

Figure 2‑21 Add Alert Button

MaaS360 Alert Center with the "Add Alert" button highlighted.

  1. Next to Available for select All Administrators.

  2. For Name, enter Zimperium Risk Posture Elevated.

  3. Under Condition 1, select Custom Attributes for the Category.

  4. Select zimperium_risk_posture for Attribute.

  5. Select Equal To for Criteria.

  6. For Value, select Elevated for the count of risk posture elevated devices or Critical for risk posture critical devices.

Figure 2‑22 Zimperium Risk Posture Alert Configuration

Zimperium risk posture alert configuration, showing the alert level set to Elevated.

  1. Click Update.

2.4 Palo Alto Networks Virtual Firewall

Palo Alto Networks contributed an instance of its VM-100 series firewall for use on the project.

2.4.1 Network Configuration

  1. Ensure that all Ethernet cables are connected or assigned to the virtual machine and that the management web user interface is accessible. Setup will require four Ethernet connections: one for management, one for wide area network (WAN), one for local area network, and one for the demilitarized zone (DMZ).

  2. Reboot the machine if cables were attached while running.

  3. Navigate to Network > Interfaces > Ethernet.

  4. Click ethernet1/1 and set the Interface Type to be Layer3.

  5. Click IPv4, ensure that Static is selected under Type, and click Add to add a new static address.

  6. If the appropriate address does not exist yet, click New Address at the bottom of the prompt.

  7. Once the appropriate interfaces are configured, commit the changes. The Link State icon should turn green for the configured interfaces. The commit dialogue will warn about unconfigured zones. That is an expected dialogue warning.

  8. Navigate to Network > Zones.

  9. Click Add. Give the zone an appropriate name, set the Type to Layer3, and assign it an interface.

  10. Commit the changes.

  11. Navigate to Network > Virtual Routers.

  12. Click Add.

  13. Give the router an appropriate name and add the internal and external interfaces.

  14. Click Static Routes > Add. Give the static route an appropriate name, e.g., WAN. Set the destination to be 0.0.0.0/0, set the interface to be the WAN interface, and set the next hop internet protocol (IP) address to be the upstream gateway’s IP address.

  15. (optional) Delete the default router by clicking the checkbox next to it and clicking Delete at the bottom of the page.

  16. Commit the changes. The commit window should not display any more warnings.

  17. Navigate to Network > DNS Proxy.

  18. Click Add.

  19. Give the proxy an appropriate name. Under Primary, enter the primary domain name system (DNS) IP address.

  20. (optional) Enter the secondary DNS IP address.

  21. Add the interfaces under Interface. Click OK.

Figure 2‑23 DNS Proxy Object Configuration

Palo Alto DNS proxy configuration.

  1. Navigate to Device > Services.

  2. Click the gear in the top-right corner of the Services panel.

  3. Under DNS settings, click the radio button next to DNS Proxy Object. Select the created DNS proxy object from the drop-down.

  4. Click OK and commit the changes. This is where static DNS entries will be added in the future.

  5. Navigate to Objects > Addresses.

  6. For each device on the network, click Add. Give the device an appropriate name, enter an optional description, and enter the IP address.

  7. Click OK.

  8. Once all devices are added, commit the changes.

  9. Navigate to Policies > NAT.

  10. Click Add.

  11. Give the network address translation rule a meaningful name, such as External Internet Access.

  12. Click Original Packet.

  13. Click Add and add the zone representing the intranet—in this case, Enterprise_Intranet.

  14. Repeat step 34 for the secure sockets layer (SSL) VPN zone.

  15. Under Source Address, click Add.

  16. Enter the subnet corresponding to the intranet segment.

  17. Repeat step 37 for the SSL VPN segment.

  18. Click Translated Packet. Set the translation type to Dynamic IP and Port. Set Address Type to be Interface Address. Set Interface to be the WAN interface and set the IP address to be the WAN IP of the firewall.

  19. Click OK and commit the changes.

Figure 2‑24 Original Packet Network Address Translation Configuration

Palo Alto NAT policy configuration.

2.4.2 Demilitarized Zone Configuration

  1. Navigate to Network > Interfaces.

  2. Click the interface that has the DMZ connection.

  3. Add a comment, set the Interface Type to Layer3, and assign it to the virtual router created earlier.

  4. Click IPv4 > Add > New Address. Assign it an IP block and give it a meaningful name. Click OK.

  5. Navigate to Network > Zones.

  6. Click Add. Give it a meaningful name, such as Enterprise_DMZ.

  7. Set the Type to Layer3 and assign it the new interface that was configured—in this case, ethernet1/3.

  8. Click OK.

  9. Navigate to Network > DNS Proxy. Click Add under Interface and add the newly created interface. Click OK.

  10. Commit the changes.

  11. Navigate to Network > Interfaces, and the configured interfaces should be green.

2.4.3 Firewall Configuration

  1. Navigate to Policies > Security.

  2. Click Add.

  3. Give the rule a meaningful name, such as Intranet Outbound.

  4. Click Source. Click Add under Source Zone and set the source zone to be the internal network.

  5. Click Destination. Click Add under Destination Zone and set the destination zone to be the WAN zone.

  6. Click Service/URL Category. Under Service, click Add, and add service-dns. Do the same for service-http and service-https.

  7. Click OK.

  8. Click Add.

  9. Click Destination. Add the IP address of the Simple Mail Transfer Protocol (SMTP) server.

  10. Click Application. Click Add.

  11. Search for smtp. Select it.

  12. Click OK.

  13. Commit the changes.

  14. Internal hosts should now be able to communicate on the internet.

2.4.4 Certificate Configuration

  1. Navigate to Device > Certificate Management > Certificate Profile.

  2. Click Add.

  3. Give the profile a meaningful name, such as Enterprise_Certificate_Profile.

  4. Select Subject under Username Field.

  5. Select the radio button next to Principal Name.

  6. Enter the domain under User Domain—in this case, enterprise.

  7. Click Add under CA Certificates. Select the internal root CA certificate.

  8. Click Add under CA Certificates. Select the internal sub-CA certificate. (Note: The entire certificate chain must be included in the certificate profile.)

  9. Click OK.

  10. Commit the changes.

Figure 2‑25 Certificate Profile

The configured certificate profile, including all certificates in the chain.

2.4.5 Website Filtering Configuration

The following sections detail the configuration of website blocking on the Palo Alto firewall.

2.4.5.1 Configure Basic Website Blocking

  1. Navigate to Objects > URL Category.

  2. Click Add.

  3. Enter a name for the URL Category. Click Add on the bottom.

  4. Add websites that should be blocked. Use the form *.example.com for all subdomains and example.com for the root domain.

Figure 2‑26 Custom URL Category

Custom URL category, showing example.com and \*.example.com as entries.

  1. Click OK.

  2. Navigate to Objects > URL Filtering.

  3. Click Add.

  4. Give the filtering profile a name.

  5. Scroll to the bottom of the categories table. The profile created in step 4 should be the last item in the list, with an asterisk next to it. Click where it says allow and change the value to block.

  6. Configure any additional categories to allow, alert, continue, block, or override.

Figure 2‑27 URL Filtering Profile

The URL filtering profile, showing the newly created Block List at the bottom of the list. The Block List's actions are set to block traffic.

  1. Click OK.

  2. Navigate to Policies > Security.

  3. Select a policy to apply the URL filtering to.

  4. Select Actions.

  5. Next to Profile Type, select Profiles.

  6. Next to URL Filtering, select the created URL filtering profile.

Figure 2‑28 URL Filtering Security Policy

The URL filtering profile being applied to a security policy.

  1. Click OK.

  2. Repeat steps 13–17 for any policies that need the filtering profile applied.

  3. Commit the changes.

2.4.5.2 Configure SSL Website Blocking

Note: This section is optional. Section 2.4.5.1 outlines how to configure basic URL filtering, which will serve a URL blocked page for unencrypted (http [hypertext transfer protocol]) connections, and it will send a transmission control protocol reset for encrypted (https [hypertext transfer protocol secure]) connections, which will show a default browser error page. This section outlines how to configure the firewall so that it can serve the same error page for https connections as it does for http connections. This is purely for user experience and has no impact on blocking functionality.

  1. Navigate to Device > Certificates.

  2. Click Generate on the bottom of the page.

  3. Give the root certificate a name, such as SSL Decryption Root; and a common name (CN) such as PA Root.

  4. Check the box next to Certificate Authority.

Figure 2‑29 Generating the Root CA

Generating a local root certificate for SSL decryption.

  1. Click Generate.

  2. Click Generate at the bottom of the page.

  3. Give the certificate a name, such as SSL Decryption Intermediate.

  4. Give the certificate a CN, such as PA Intermediate.

  5. Next to Signed By, select the generated root CA. In this case, SSL Decryption Root was selected.

  6. Check the box next to Certificate Authority.

  7. Click Generate.

  8. Click the newly created certificate.

  9. Check the boxes next to Forward Trust Certificate and Forward Untrust Certificate.

  10. Click OK.

  11. Navigate to Policies > Decryption.

  12. Click Add.

  13. Give the policy a name and description.

  14. Click Source.

  15. Under Source Zone, click Add.

  16. Select the source zone(s) that matches the security policy that uses URL filtering. In this implementation, the Intranet and SSL VPN zones were selected.

  17. Click Destination.

  18. Under Destination Zone, click Add.

  19. Select the destination zone that matches the security policy that uses URL filtering. Most likely it is the WAN zone.

  20. Click Service/URL Category.

  21. Under URL Category, click Add.

  22. Select the created block list. This ensures that only sites matching the block list are decrypted.

  23. Click Options.

  24. Next to Action, select Decrypt.

  25. Next to Type, select SSL Forward Proxy.

  26. Next to Decryption Profile, select None.

  27. Click OK.

  28. Commit the changes.

Figure 2‑30 Blocked Website Notification

The URL filtering blocking an example webpage.

2.4.6 User Authentication Configuration

  1. Navigate to Device > Setup > Services > Service Route Configuration.

  2. Click Destination.

  3. Click Add.

  4. Enter the IP address of the internal LDAP server for Destination.

  5. Select the internal network adapter for Source Interface.

  6. Select the firewall’s internal IP address for Source Address.

  7. Click OK twice and commit the changes.

Figure 2‑31 Service Route Configuration

The service route configuration, showing the Active Directory server being routed through the proper ethernet interface.

  1. Navigate to Device > Server Profiles > LDAP.

  2. Click Add.

  3. Give the profile a meaningful name, such as Enterprise_LDAP_Server.

  4. Click Add in the server list. Enter the name for the server and the IP.

  5. Under Server Settings, set the Type drop-down to active-directory.

  6. Enter the Bind DN and the password for the Bind DN.

Note: In this implementation, a new user, palo-auth, was created in Active Directory. This user does not require any special permissions or groups beyond the standard Domain Users group.

  1. Ensure that Require SSL/TLS secured connection is checked.

  2. Click the down arrow next to Base DN. If the connection is successful, the Base DN (Distinguished Name) should display.

  3. Click OK.

Figure 2‑32 LDAP Server Profile

The LDAP server profile, showing how the firewall connects to the LDAP server to verify user identities.

  1. Navigate to Device > User Identification > Group Mapping Settings.

  2. Click Add.

  3. Give the mapping a name, such as Enterprise_LDAP_Usermap.

  4. Select the server profile, and enter the user domain—in this case, Enterprise.

  5. Click Group Include List.

  6. Expand the arrow next to the base DN and then again next to cn=users.

  7. For each group that should be allowed to connect to the VPN, click the proper entry and then the + button. In this example implementation, mobile users, domain users, and domain admins were used.

Figure 2‑33 LDAP Group Mapping

Configuring the LDAP group mapping, showing mobile users, domain admins, and domain users as included.

  1. Click OK.

  2. Navigate to Device > Authentication Profile.

  3. Click Add.

  4. Give the profile a meaningful name, such as Enterprise_Auth.

  5. For the Type, select LDAP.

  6. Select the newly created LDAP profile next to Server Profile.

  7. Set the Login Attribute to be sAMAcountName.

  8. Set the User Domain to be the LDAP domain name—in this case, enterprise.

Figure 2‑34 LDAP User Authentication Profile

The configured enterprise authentication profile.

  1. Click on Advanced.

  2. Click Add. Select enterprisedomain users.

  3. Repeat step 33 for mobile users and domain admins.

  4. Click OK.

  5. Commit the changes.

2.4.7 VPN Configuration

  1. Navigate to Network > Interfaces > Tunnel.

  2. Click Add.

  3. Enter a tunnel number. Assign it to the main virtual router. Click OK.

Figure 2‑35 Configured Tunnel Interfaces

The configured tunnel interfaces, showing the enterprise VPN tunnel.

  1. Click the newly created tunnel.

  2. Click the drop-down next to Security Zone. Select New Zone.

  3. Give it a name and assign it to the newly created tunnel. Click OK twice.

Figure 2‑36 SSL VPN Tunnel Interface Configuration

The SSL VPN tunnel interface configuration.

  1. Commit the changes.

  2. Navigate to Policies > Authentication.

  3. Click Add.

  4. Give the policy a descriptive name. For this example, the rule was named VPN_Auth.

  5. Click Source.

  6. Click Add and add the VPN and WAN zones.

  7. Click Destination.

  8. Check the Any box above Destination Zone.

  9. Click Service/URL Category.

  10. Click Add under Service and add service-https.

  11. Click Actions.

  12. Next to Authentication Enforcement, select default-web-form.

  13. Click OK.

2.4.7.1 Configure the GlobalProtect Gateway

  1. Navigate to Network > GlobalProtect > Gateways.

  2. Click Add.

  3. Give the gateway a meaningful name. For this implementation, the name Enterprise_VPN_Gateway was used.

  4. Under Interface, select the WAN Ethernet interface.

  5. Ensure that IPv4 Only is selected next to IP Address Type.

  6. Select the WAN IP of the firewall next to IPv4 Address. Ensure that end clients can resolve it.

  7. Click Authentication.

  8. Select the created SSL/TLS service profile next to SSL/TLS Service Profile.

  9. Click Add under Client Authentication.

  10. Give the object a meaningful name, such as iOS Auth.

  11. Next to OS, select iOS.

  12. Next to Authentication Profile, select the created Authentication Profile.

  13. Next to Allow Authentication with User Credentials OR Client Certificate, select Yes.

Figure 2‑37 GlobalProtect iOS Authentication Profile

The client authentication profile for iOS, requiring either a certificate or password.

  1. Click OK.

  2. Click Add under Client Authentication.

  3. Give the object a meaningful name, such as Android Auth.

  4. Next to OS, select Android.

  5. Next to Authentication Profile, select the created Authentication Profile.

  6. Next to Allow Authentication with User Credentials OR Client Certificate, select No.

  7. Click Agent.

  8. Check the box next to Tunnel Mode.

  9. Select the created tunnel interface next to Tunnel Interface.

  10. Uncheck Enable IPSec.

  11. Click Timeout Settings.

  12. Set Disconnect On Idle to an organization defined time.

  13. Click Client IP Pool.

  14. Click Add and assign an IP subnet to the clients—in this case, 10.3.3.0/24.

  15. Click Client Settings.

  16. Click Add.

  17. Give the config a meaningful name, such as Enterprise_Remote_Access.

  18. Click User/User Group.

  19. Click Add under Source User.

  20. Enter the LDAP information of the group allowed to use this rule. In this example, implementation, domain users, and mobile users were used.

Figure 2‑38 LDAP Authentication Group Configuration

The LDAP authentication configuration, allowing domain and mobile users to authenticate.

  1. Click Split Tunnel.

  2. Click Add under Include.

  3. Enter 0.0.0.0/0 to enable full tunneling.

  4. Click OK.

  5. Click Network Services.

  6. Set Primary DNS to be the internal domain controller/DNS server—in this case, 192.168.8.10.

  7. Click OK.

  8. Navigate to Network > Zones.

  9. Click the created VPN zone.

  10. Check the box next to Enable User Identification.

Figure 2‑39 VPN Zone Configuration

The enterprise VPN zone creation and configuration.

  1. Click OK.

  2. Commit the changes.

2.4.7.2 Configure the GlobalProtect Portal

  1. Navigate to Network > GlobalProtect > Portals.

  2. Click Add.

  3. Give the profile a meaningful name, such as Enterprise_VPN_Portal.

  4. For Interface, assign it the firewall’s WAN interface.

  5. Set IP Address Type to IPv4 Only.

  6. Set the IPv4 address to the firewall’s WAN address.

  7. Set all three appearance options to be factory-default.

Figure ‑ GlobalProtect Portal General Configuration

The GlobalProtect Portal general configuration.

  1. Click Authentication.

  2. Select the created SSL/TLS service profile.

  3. Click Add under Client Authentication.

  4. Give the profile a meaningful name, such as Enterprise_Auth.

  5. Select the created authentication profile next to Authentication Profile.

  6. Click OK.

Figure 2‑41 GlobalProtect Portal Authentication Configuration

Enabling of client authentication settings, and the naming of the SSL/TLS Service Profile.

  1. Click Agent and click Add under Agent.

  2. Give the agent configuration a name.

  3. Ensure that the Client Certificate is set to None, and Save User Credentials is set to No.

  4. Check the box next to External gateways-manual only.

Figure 2‑42 GlobalProtect Portal Agent Authentication Configuration

GlobalProtect agent configuration, including name, and the selection of the client certificate.

  1. Click External.

  2. Click Add under External Gateways.

  3. Give the gateway a name and enter the fully qualified domain name (FQDN) of the VPN end point.

  4. Click Add under Source Region and select Any.

  5. Check the box next to Manual.

  6. Click OK.

  7. Click App.

  8. Under App Configurations > Connect Method, select On-demand.

  9. Next to Welcome Page, select factory-default.

  10. Click OK.

  11. Click Add under Trusted Root CA.

  12. Select the internal root certificate used to generate device certificates.

  13. Click Add again. Select the root certificate used to create the VPN end-point SSL certificate. For this implementation, it is a DigiCert root certificate.

  14. Click Add again. Select the root certificate used for SSL URL filtering, created in a previous section.

  15. Check the box next to Install in Local Root Certificate Store for all three certificates.

Figure 2‑43 GlobalProtect Portal Agent Configuration

The image shows certificate installation setting configurations and certificate installation locations including the Agent User Override Key.

  1. Click OK.

2.4.7.3 Activate Captive Portal

  1. Navigate to Device > User Identification > Captive Portal Settings.

  2. Click the gear icon on the top right of the Captive Portal box.

  3. Select the created SSL/TLS service profile and authentication profile.

  4. Click the radio button next to Redirect.

  5. Next to Redirect Host, enter the IP address of the firewall’s WAN interface—in this case, 10.8.1.2.

Figure 2‑44 Captive Portal Configuration

Captive portal configuration, with a selected SSL/TLS Service Profile and Authentication Profile.

  1. Click OK.

  2. Commit the changes.

2.4.7.4 Activate the GlobalProtect Client

  1. Navigate to Device > GlobalProtect Client.

  2. Acknowledge pop up messages.

  3. Click Check Now at the bottom of the page.

  4. Click Download next to the first release that comes up. In this implementation, version 5.0.2atewas used.

  5. Click Activate next to the downloaded release.

  6. Navigate to the FQDN of the VPN. You should see the Palo Alto Networks logo and the GlobalProtect portal login prompt, potentially with a message indicating that a required certificate cannot be found. This is expected on desktops because there is nothing in place to seamlessly deploy client certificates.

Figure 2‑45 GlobalProtect Portal

The GlobalProtect login page where the Username and Password are entered.

Note: If you intend to use the GlobalProtect agent with a self-signed certificate (e.g., internal PKI), be sure to download the SSL certificate from the VPN website and install it in the trusted root CA store.

2.4.8 Enable Automatic Application and Threat Updates

  1. In the PAN-OS portal, navigate to Device > Dynamic Updates.

  2. Install the latest updates.

    1. At the bottom of the page, click Check Now.

    2. Under Applications and Threats, click Download next to the last item in the list with the latest Release Date. This will take a few minutes.

    3. When the download completes click Close. (Figure 2-46)

    4. Click Install on the first row.

    5. Click Continue Installation, leaving the displayed box unchecked. Installation will take a few minutes.

    6. When the installation completes click Close.

  3. Enable automatic threat updates. (Note: Automatic threat updates are performed in the background and do not require a reboot of the appliance.)

    1. At the top of the page, next to Schedule, click the hyperlink with the date and time, as shown in Figure 2‑47.

    2. Select the desired recurrence. For this implementation, weekly was used.

    3. Select the desired day and time for the update to occur. For this implementation, Saturday at 23:45 was used.

    4. Next to Action, select download-and-install.

    5. Click OK. (Figure 2-48)

    6. Commit the changes.

Figure 2‑46 Downloaded Threats and Applications

Downloaded threats and applications.

Figure 2‑47 Schedule Time Hyperlink

Threat update schedule information, with a box around the scheduled time.

Figure 2‑48 Application and Threats Update Schedule

Configuring the applications and threats update schedule.

2.5 Kryptowire

Kryptowire was used as an application vetting service via a custom active directory-integrated web application.

2.5.1 Kryptowire and MaaS360 Integration

  1. Contact IBM support to provision API credentials for Kryptowire.

  2. Contact Kryptowire support to enable the MaaS360 integration, including the MaaS360 API credentials.

  3. In the Kryptowire portal, click the logged-in user’s email address in the upper right-hand corner of the portal. Navigate to Settings > Analysis.

  4. Set the Threat Score Threshold to the desired amount. In this sample implementation, 75 was used.

  5. Enter an email address where email alerts should be delivered.

  6. Click Save Settings. Kryptowire will now send an email to the email address configured in step 5 when an analyzed application is at or above the configured alert threshold.