
    Citrix.com | Solutions Guide | Citrix XenMobile integration with CheckPoint SandBlast Mobile

    Solution Guide

    iOS Configuration

    Citrix XenMobile integration with CheckPoint SandBlast Mobile

    Introduction

    Citrix XenMobile Enterprise is a comprehensive Unified Endpoint Management (UEM) solution that supports a variety of mobile platforms including Android, iOS, Mac OSX and Windows 10. Its broad capabilities are extended through integration with Citrix products including NetScaler, ShareFile, XenApp and XenDesktop.

    As mobile device use in enterprises continues to grow, the need to secure the platform and its content also grows. Check Point’s SandBlast Mobile protects your devices from advanced mobile threats, ensuring you can deploy and defend devices with confidence. Through integration with XenMobile, SandBlast Mobile provides valuable input to determine device compliance status and whether actions should be taken to protect enterprise apps, data, and/or content.

    Purpose of this document

    This document is meant to guide administrators through configuration of the following components:

    • SandBlast Mobile integration with XenMobile

    • XenMobile policies to support SandBlast Mobile threat detection capabilities


    Configure CheckPoint SandBlast Mobile

    Prerequisites

    1. Licensed CheckPoint SandBlast Mobile account

    2. Organization AD Group created and assigned to managed XenMobile users that should also be managed by SandBlast Mobile.

    SandBlast Mobile configuration

    1. Login to the SandBlast Mobile Dashboard as an administrator

    2. Navigate to Settings > Device Management and select “Citrix XenMobile” as the MDM service. (See SandBlast Mobile documentation for more information on other default and advanced settings)

    3. Select Edit Settings and enter the following values:

       a. Server = FQDN of the XenMobile server, e.g. https://.xm.citrix.com:4443

       b. Username & Password = XenMobile server administrator credentials

       c. Organization AD Group = the Active Directory domain group whose membership indicates whether a user should be managed by SandBlast Mobile


       d. Mitigation attribute = a device property that SandBlast Mobile will toggle to indicate the “status” of the mobile endpoint. Status options include:

          - Active – indicates the SandBlast Mobile agent has been installed and verified the device is compliant

          - Inactive – indicates the SandBlast Mobile agent has been installed and verified the device is compliant, but the device is offline

          - Provisioned – indicates the device user is a member of the Organization AD Group, but the SandBlast Mobile agent has not been installed/activated on it yet

          - No status – indicates the device user is NOT a member of the Organization AD Group

    4. Select “verify” to confirm access to the XenMobile Server

    Configure XenMobile

    Prerequisites

    1. Configured XenMobile Server or Service running version 10.7 or later, with an Advanced, Enterprise, or Premium license.

    2. Install XenMobile Secure Web (MDX) and SandBlast Mobile Protect (Public App Store)

    NOTE: Configuration options and steps may change with each new release of XenMobile. Please consult the latest documentation to verify settings: https://docs.citrix.com/en-us/xenmobile/server.html


    Configure Delivery Group

    1. Login to the XenMobile Dashboard as an administrator

    2. Navigate to Configure > Delivery Groups, select Add, and enter a Delivery Group Name

    3. Select the appropriate domain, search for and select the SandBlast Mobile Active Directory group


    4. Click Next, apply the App Inventory policy by dragging it to the right. (Subsequent required policies will be added to the Delivery Group as they are created)

    5. Continue to click Next until you reach the Summary page, and click Save.

    Configure SandBlast Mobile Protect app

    1. Navigate to Configure > Apps, click Add, and select Public App Store

    2. Select Add and enter an App Name, and unselect all platforms except iPhone and iPad


    3. Search for “SandBlast Mobile Protect” and select the result

    4. Notice iPhone App Info (consult XenMobile documentation for more information on default settings)

    5. Near the bottom select Deployment Rules > Base and set “Deploy when” to Any, then select Advanced > New Rule


       Select “Limit by known device property name”, enter “CHKP_Status”, select “is equal to”, enter “Provisioned”, and click the plus sign “+”

       Click New Rule again; select “Limit by known device property name”, enter “CHKP_Status”, select “is equal to”, enter “Active”, and click the plus sign “+”

       Click New Rule again; select “Limit by known device property name”, enter “CHKP_Status”, select “is equal to”, enter “Inactive”, and click the plus sign “+”

       Click Next

    6. Notice iPad App Info, repeat the previous step and click Next (consult XenMobile documentation for more information on default settings)

    7. Click Next, select the appropriate Delivery Group, and click Save

    Configure App Config policy

    1. Navigate to Configure > Device Policies, click Add, and select App Configuration


    2. Select Add and enter a Policy Name, and unselect all platforms except iOS

    3. Populate the policy fields:

       Identifier: select Add New and enter “com.checkpoint.capsuleprotect”

       Dictionary Content: enter the following XML string (a property-list dictionary; each key is followed by its string value)

       <dict>
         <key>Device Serial Number</key>
         <string>${device.serialnumber}</string>
         <key>DEVICE_MAC</key>
         <string>$DEVICE_MAC$</string>
         <key>DISPLAY_NAME</key>
         <string>$DISPLAY_NAME$</string>
         <key>EMAIL</key>
         <string>$EMAIL$</string>
         <key>FIRST_NAME</key>
         <string>$FIRST_NAME$</string>
         <key>LAST_NAME</key>
         <string>$LAST_NAME$</string>
         <key>USERID</key>
         <string>$USERID$</string>
         <key>Lacoon Server Address</key>
         <string>gw.locsec.net</string>
       </dict>


    4. Select “Check Dictionary” to validate the XML

    5. Click Next, select the appropriate Delivery Group, and click Save
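The dictionary above is the per-app configuration XenMobile pushes to SandBlast Mobile Protect, with the $...$ and ${...} macros expanded per device at deployment time. The Python script below is an added example, not code from this guide, Citrix or Check Point: it builds the same key/value dictionary as plist XML, cuts out the <dict> fragment that is pasted into the Dictionary Content field, and performs an offline check of the kind the “Check Dictionary” button does (well-formed plist XML, a top-level dict, string values only). The plistlib-based check and the macro pattern are this example's own assumptions about the format, not documented XenMobile behaviour.

```python
"""Build and check the SandBlast Mobile Protect App Configuration dictionary offline.

Added example; not Citrix or Check Point code. The identifier, keys and values are the
ones the guide lists. The plistlib-based check is an assumption about what the XenMobile
"Check Dictionary" button validates, not a documented equivalent.
"""
import plistlib
import re

APP_IDENTIFIER = "com.checkpoint.capsuleprotect"   # identifier from the guide

# Key/value pairs from the guide. XenMobile expands the $...$ and ${...} macros per
# device at deployment time; nothing in this script resolves them.
SANDBLAST_APP_CONFIG = {
    "Device Serial Number": "${device.serialnumber}",
    "DEVICE_MAC": "$DEVICE_MAC$",
    "DISPLAY_NAME": "$DISPLAY_NAME$",
    "EMAIL": "$EMAIL$",
    "FIRST_NAME": "$FIRST_NAME$",
    "LAST_NAME": "$LAST_NAME$",
    "USERID": "$USERID$",
    "Lacoon Server Address": "gw.locsec.net",
}

# Assumed shape of a XenMobile macro: either ${name.with.dots} or $UPPER_CASE$.
MACRO_RE = re.compile(r"^\$\{[^}]+\}$|^\$[A-Z_]+\$$")


def build_dictionary_xml(config=SANDBLAST_APP_CONFIG):
    """Render the config as a complete plist document (XML header, <plist>, <dict>),
    keeping the guide's key order."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=False).decode("utf-8")


def dict_element_only(plist_xml):
    """Cut the <dict>...</dict> element out of a full plist document; this is the
    fragment the guide pastes into the Dictionary Content field."""
    start = plist_xml.index("<dict>")
    end = plist_xml.index("</dict>") + len("</dict>")
    return plist_xml[start:end]


def check_dictionary(xml_text):
    """Local stand-in for "Check Dictionary": parse the text as plist XML and require a
    top-level <dict> whose values are all <string>. Accepts either a bare <dict>
    fragment or a full plist document. Returns the parsed dict or raises ValueError."""
    if "<plist" not in xml_text:
        # plistlib only recognises documents that start with <?xml or <plist.
        xml_text = '<plist version="1.0">' + xml_text + "</plist>"
    try:
        data = plistlib.loads(xml_text.encode("utf-8"))
    except Exception as exc:  # plistlib raises several exception types on bad input
        raise ValueError(f"not a valid plist: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("top-level element must be <dict>")
    bad = [key for key, value in data.items() if not isinstance(value, str)]
    if bad:
        raise ValueError(f"non-string values for keys: {bad}")
    return data


def unresolved_macros(config):
    """Keys whose value is still a XenMobile macro. After a real deployment every one of
    these should have been replaced with device- or user-specific data on the device."""
    return [key for key, value in config.items() if MACRO_RE.match(value)]


if __name__ == "__main__":
    full = build_dictionary_xml()
    print(dict_element_only(full))
    print("parsed keys:", list(check_dictionary(full)))
    print("macros XenMobile must expand:", unresolved_macros(SANDBLAST_APP_CONFIG))
```

Running the script prints the <dict> fragment ready to paste, then the parsed keys and the list of macro-valued keys; a fragment with a non-string value (for example an <integer>) or a missing closing tag is rejected by check_dictionary with a ValueError, which is the same class of mistake the dashboard's “Check Dictionary” button catches before the policy is saved.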

    Configure Automated Actions – Device Out of Compliance

    (Purpose: If device property "CHKP_Risk" is "High", then mark the device as out of compliance immediately.)

    1. Navigate to Configure > Actions, click Add, enter “Device Out of Compliance”

    2. Select/Enter the following and click Next

       Trigger: Device Property, Other, CHKP_Risk, Is, High

       Action: Mark the device as out of compliance, Is, True; delay 0 Minutes

    3. Click Next, select the appropriate Delivery Group, click Next, and click Save

    Configure Automated Actions – Clear Device Out of Compliance

    (Purpose: If device property "CHKP_Risk" is "None", then mark the device as in compliance immediately.)

    1. Navigate to Configure > Actions, click Add, enter “Device Out of Compliance”

    2. Select/Enter the following and click Next


       Trigger: Device Property, Other, CHKP_Risk, Is, None

       Action: Mark the device as out of compliance, Is, False; delay 0 Minutes

    3. Click Next, select the appropriate Delivery Group, click Next, and click Save

    Configure Automated Actions – Device at Risk

    (Purpose: If device property "CHKP_Risk" is "High", then notify using the template "high risk" immediately, repeating after every 1 day(s).)

    1. Navigate to Configure > Actions, click Add, enter “Device Out of Compliance”


    2. Select/Enter the following and click Next

       Trigger: Device Property, Other, CHKP_Risk, Is, High

       Action: Send Notification, template “high risk”; delay 0 Minutes; repeat after every 1 Day

    3. Click Next, select the appropriate Delivery Group, click Next, and click Save


    Configure Automated Actions – Out of Compliance – Selective Wipe (optional out of compliance action)

    (Purpose: If device has been marked as Out of Compliance, then selectively wipe the device immediately.)

    NOTE: Use caution when applying “Selective Wipe”. It will remove all apps, policies and configurations applied by XenMobile on the enrolled device. It is one of several automated action options that can be executed automatically based on device state. See XenMobile documentation for more information.

    1. Navigate to Configure > Actions, click Add, enter “Out of Compliance – Selective Wipe”

    2. Select/Enter the following and click Next

       Trigger: Device Property, Out of compliance, Is, True

       Action: Selectively wipe the device; delay 0 Minutes


    3. Click Next, select the appropriate Delivery Group, click Next, and click Save

    Configure Automated Actions – Out of Compliance – App Lock (optional alternative out of compliance action)

    (Purpose: If device has been marked as Out of Compliance, then app lock the device immediately.)

    NOTE: for iOS devices, you can select only one iOS app per policy. This means that users are only able to use their device to run a single app. They cannot do any other activities on the device except for the options you specifically allow when the app lock policy is enforced. In addition, iOS devices must be supervised to push App Lock policies.

    1. Navigate to Configure > Actions, click Add, enter “Out of Compliance”

    2. Select/Enter the following and click Next

       Trigger: Device Property, Out of compliance, Is, True

       Action: App Lock; delay 0 Minutes

    3. Click Next, select the appropriate Delivery Group, click Next, and click Save

    Configure App Lock policy – Secure Web - (optional alternative to control XenMobile Secure Web browser use depending on security risk)

    1. Navigate to Configure > Device Policies, click Add, and select App Lock

    2. Enter a Policy Name and click Next

  • Citrix.com | Solutions Guide| Citrix XenMobile integration with CheckPoint SandBlast Mobile

    16

    3. Under the App bundle ID drop down select “Secure Web”

    4. Under Deployment Rules (at the bottom of the screen) > Advanced > New Rule

       Select “Limit by raw device property name”, enter “CHKP_Risk”, select “is equal to”, enter “High”, and click the plus sign “+”

       Click New Rule again; select “Limit by known device property name”, enter “CHKP_Status”, select “is equal to”, enter “Inactive”, and click the plus sign “+”

       Click Next

       (The purpose of the deployment rules is to ensure that the App Lock is only applied to devices that are either 1) at High Risk, or 2) enrolled by users that are members of the SandBlast Mobile AD group, yet have not installed/activated the SandBlast Mobile Protect app)

    5. Click Next, select the appropriate Delivery Group, and click Save

    Configure App Lock policy – - (optional alternative to control use depending on security risk)

    1. Repeat the configuration steps above for Secure Web, but in step 3 select the appropriate app from the available list, or, if unavailable, under App Bundle ID click “Add New” and enter the bundle id. For example, “com.citrix.browser.ios” for the Safari browser.

       (Note: the App Bundle ID may be located by navigating to Configure > Apps > Add > Add App > Enter a name, then search for the app in the appropriate public app store)
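The deployment rules on the Protect app and the Secure Web App Lock policy, and the automated actions driven by CHKP_Risk, all key off the two device properties SandBlast Mobile writes into XenMobile. The Python script below is an added example, not Citrix, Check Point or XenMobile code and not the XenMobile rule engine: it replays the guide's rules over a constructed set of device records so you can check which devices each rule touches before enrolling real ones. It assumes the rules added with “+” are combined with OR (the reading under which the Protect app deploys to Provisioned, Active and Inactive devices); the device names and records are constructed.

```python
"""Model of the device-property driven rules this guide configures in XenMobile.

Added example, not Citrix or Check Point code. Property names and values (CHKP_Status,
CHKP_Risk, High, None, Active, ...) come from the guide; device records are constructed.
"""
from dataclasses import dataclass, field

STATUS_PROP = "CHKP_Status"   # mitigation attribute toggled by SandBlast Mobile
RISK_PROP = "CHKP_Risk"       # risk level reported by SandBlast Mobile


@dataclass
class Device:
    name: str
    properties: dict                              # raw properties as Manage > Devices shows them
    out_of_compliance: bool = False               # XenMobile's "Out of compliance" property
    actions: list = field(default_factory=list)   # audit trail of automated actions fired


def matches_any(device, rules):
    """'Limit by ... device property name ... is equal to' rules. Assumption: the rules
    the guide adds with '+' are OR-ed, the only reading under which the Protect app
    deploys to Provisioned, Active and Inactive devices alike."""
    return any(device.properties.get(prop) == value for prop, value in rules)


# Deployment rules on the SandBlast Mobile Protect app (Public App Store).
PROTECT_APP_RULES = [(STATUS_PROP, "Provisioned"), (STATUS_PROP, "Active"),
                     (STATUS_PROP, "Inactive")]
# Deployment rules on the App Lock policy for Secure Web.
SECURE_WEB_LOCK_RULES = [(RISK_PROP, "High"), (STATUS_PROP, "Inactive")]


def deploys_protect_app(device):
    return matches_any(device, PROTECT_APP_RULES)


def secure_web_locked(device):
    return matches_any(device, SECURE_WEB_LOCK_RULES)


def run_automated_actions(device, optional_action="App Lock"):
    """One evaluation of the guide's automated actions against a device; returns the
    actions fired. optional_action is the out-of-compliance follow-up chosen from the
    guide's optional actions ("App Lock" or "Selectively wipe the device"); pass None if
    neither is configured. SandBlast reports the lowest risk as the string "None", which
    is not the same as a missing property (Python None)."""
    risk = device.properties.get(RISK_PROP)
    fired = []
    if risk == "High":
        device.out_of_compliance = True
        fired.append("Mark the device as out of compliance = True")
        fired.append("Send Notification: high risk")
    elif risk == "None":
        device.out_of_compliance = False
        fired.append("Mark the device as out of compliance = False")
    if device.out_of_compliance and optional_action:
        fired.append(optional_action)
    device.actions.extend(fired)
    return fired


def stuck_out_of_compliance(devices):
    """Devices still out of compliance although their current risk is neither High nor
    the exact string "None". The clear action only matches "None", so a device whose risk
    dropped to another value (the Testing section reports "Low") is never cleared by
    these rules and needs a manual review or an additional action."""
    return [d.name for d in devices
            if d.out_of_compliance and d.properties.get(RISK_PROP) not in ("High", "None")]


def sample_fleet():
    """Constructed device records for the walk-through (not real data)."""
    return [
        Device("ios-active", {STATUS_PROP: "Active", RISK_PROP: "None"}),
        Device("ios-provisioned", {STATUS_PROP: "Provisioned"}),
        Device("ios-inactive", {STATUS_PROP: "Inactive", RISK_PROP: "None"}),
        Device("ios-highrisk", {STATUS_PROP: "Active", RISK_PROP: "High"}),
        Device("ios-nogroup", {}),
        Device("ios-low", {STATUS_PROP: "Active", RISK_PROP: "Low"}, out_of_compliance=True),
    ]


if __name__ == "__main__":
    fleet = sample_fleet()
    for d in fleet:
        fired = run_automated_actions(d)
        print(f"{d.name:16} protect app: {deploys_protect_app(d)!s:5} "
              f"secure web locked: {secure_web_locked(d)!s:5} actions: {fired}")
    print("out of compliance without a High risk:", stuck_out_of_compliance(fleet))
```

The last line of output is the check worth keeping: the clear action in this guide triggers only on the exact value “None”, so a device that was marked out of compliance and whose risk then drops to any other value stays locked or wiped until an administrator clears it or adds a matching action.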

    Testing

    Prerequisites

    1. A device enrolled in a XenMobile environment with a user that is a member of the SandBlast Mobile assigned Active Directory group

    2. Install the Dropbox app from the Apple App Store

    3. Login to the XenMobile Dashboard as an administrator

    4. Login to SandBlast Mobile Dashboard as an administrator

    Active - Compliant

    1. Enroll with a user that is a member of the SandBlast Mobile AD group

    2. Accept the prompt to install the SandBlast Mobile Protect app

    3. Install XenMobile Secure Web from the Secure Hub store

    4. From the XenMobile Dashboard navigate to Manage > Devices and click the down arrow on the right and ensure CHKP_Status is checked


    5. Notice the device object CHKP_Status is Active

    6. You may also open the SandBlast Mobile Protect app and verify status from the device

    Violation

    1. In SBM Dashboard, navigate to the App Analysis tab, select an app running on the test devices, such as Dropbox, change the Policy to Black Listed, enter a note, and click OK.


    2. Once the test device is marked at High Risk in SBM Dashboard you should receive a notification in Secure Hub: “Apps Locked: Your organization has locked your Citrix Secure apps”

       Also, when you try to open Secure Web you should be directed to Secure Hub and receive the same message.

       You will also see a violation notification in a red circle over the SandBlast Mobile Protect app icon and more detail in the app


    3. In the XenMobile Dashboard the device entry in Manage > Devices should show CHKP_Risk updated to High.

    4. To remove the High Risk state, go back to SBM Dashboard > App Analysis and change the policy back to Default for the app you blacklisted in the first step.

    5. Once the test device is no longer at risk in SBM Dashboard, check the Manage > Devices tab in XMS and check that the value of CHKP_Risk has been updated to Low.

    6. Based on the check-in policies, go to the test device and try to open Secure Web. (Note: you need to force a policy refresh, but you should be able to open the Secure Web app now)

    Conclusion

    With the power of the XenMobile and SandBlast Mobile Unified Endpoint Management and Mobile Threat Detection solutions, you can provide sound security for your Enterprise Mobility environment, protecting all your devices, apps, and content.


    About the Authors and Contributors

    Matt Brooks, Senior Technical Marketing Manager, Citrix Workspace

    Pamela S. Lee, Technical Marketing Engineer, Mobile Security, Check Point Software Technologies Inc

    A special thanks to the reviewers of this Solutions Brief:

    • Sameer Mehta

    • Frank Srp

    Enterprise Sales

    North America | 800-424-8749

    Worldwide | +1 408-790-8000

    Locations

    Corporate Headquarters | 851 Cypress Creek Road Fort Lauderdale, FL 33309, United States

    Silicon Valley | 4988 Great America Parkway Santa Clara, CA 95054, United States

    © 2017 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner(s).
