Citrix.com | Solutions Guide | Citrix XenMobile integration with CheckPoint SandBlast Mobile
Solution Guide
iOS Configuration
Citrix XenMobile integration with CheckPoint SandBlast Mobile
Introduction
Citrix XenMobile Enterprise is a comprehensive Unified Endpoint Management (UEM) solution that supports a variety of mobile platforms including Android, iOS, Mac OS X and Windows 10. Its broad capabilities are extended through integration with Citrix products including NetScaler, ShareFile, XenApp and XenDesktop.
As mobile device use in enterprises continues to grow, the need to secure the platform and its content grows with it. Check Point’s SandBlast Mobile protects your devices from advanced mobile threats, so you can deploy and defend devices with confidence. Through integration with XenMobile, SandBlast Mobile provides the input used to determine device compliance status and whether actions should be taken to protect enterprise apps, data and/or content.
Purpose of this document
This document guides administrators through configuration of the following components:
• SandBlast Mobile integration with XenMobile
• XenMobile policies to support SandBlast Mobile threat detection capabilities
Configure CheckPoint SandBlast Mobile
Prerequisites
1. Licensed CheckPoint SandBlast Mobile account
2. An Organization AD group, created and assigned to the managed XenMobile users that should also be managed by SandBlast Mobile.
SandBlast Mobile configuration
1. Login to the SandBlast Mobile Dashboard as an administrator
2. Navigate to Settings > Device Management and select “Citrix XenMobile” as the MDM service. (See SandBlast Mobile documentation for more information on other default and advanced settings)
3. Select Edit Settings and enter the following values:
a. Server = FQDN of the XenMobile server, including the port, e.g. https://.xm.citrix.com:4443
b. Username & Password = XenMobile server administrator credentials (use an account dedicated to this integration so its activity can be audited separately from interactive administrators)
c. Organization AD Group = the Active Directory domain group whose membership indicates that a user should be managed by SandBlast Mobile
d. Mitigation attribute = a device property that SandBlast Mobile will toggle to indicate the “status” of the mobile endpoint. (The XenMobile deployment rules and automated actions later in this guide read the device properties CHKP_Status and CHKP_Risk.)
Status options include:
- Active – the SandBlast Mobile agent has been installed and has verified the device is compliant
- Inactive – the SandBlast Mobile agent has been installed and has verified the device is compliant, but the device is offline
- Provisioned – the device user is a member of the Organization AD Group, but the SandBlast Mobile agent has not been installed/activated on it yet
- No status – the device user is NOT a member of the Organization AD Group
4. Select “verify” to confirm access to the XenMobile Server
Configure XenMobile
Prerequisites
1. Configured XenMobile Server or Service running version 10.7 or later, with an Advanced, Enterprise, or Premium license.
2. Install XenMobile Secure Web (MDX) and SandBlast Mobile Protect (Public App Store)
NOTE: Configuration options and steps may change with each new release of XenMobile. Please consult the latest documentation to verify settings: https://docs.citrix.com/en-us/xenmobile/server.html
Configure Delivery Group
1. Login to the XenMobile Dashboard as an administrator
2. Navigate to Configure > Delivery Groups, select Add and enter a Delivery Group Name
3. Select the appropriate domain, search for and select the SandBlast Mobile Active Directory group
4. Click Next, apply the App Inventory policy by dragging it to the right. (Subsequent required policies will be added to the Delivery Group as they are created.)
5. Continue to click Next until you reach the Summary page, and click Save.
Configure SandBlast Mobile Protect app
1. Navigate to Configure > Apps, click Add, and select Public App Store
2. Select Add and enter an App Name, and unselect all platforms except iPhone and iPad
3. Search for “SandBlast Mobile Protect” and select the result
4. Notice iPhone App Info
(consult XenMobile documentation for more information on default settings)
5. Near the bottom select Deployment Rules > Base and set “Deploy when” to Any
Select Advanced > New Rule
Select “Limit by known device property name”
Enter “CHKP_Status”
Select “is equal to”
Enter “Provisioned”
Click the plus sign “+”
Click New Rule again
Select “Limit by known device property name”
Enter “CHKP_Status”
Select “is equal to”
Enter “Active”
Click the plus sign “+”
Click New Rule again
Select “Limit by known device property name”
Enter “CHKP_Status”
Select “is equal to”
Enter “Inactive”
Click the plus sign “+”
Click Next
6. Notice iPad App info, repeat the previous step and click Next
(consult XenMobile documentation for more information on default settings)
7. Click Next, select the appropriate Delivery Group, and click Save
Configure App Config policy
1. Navigate to Configure > Device Policies, click Add, and select App Configuration
2. Select Add and enter a Policy Name, and unselect all platforms except iOS
3. Populate the policy fields
Identifier: select Add New and enter “com.checkpoint.capsuleprotect”
Dictionary Content: enter the following XML property list (plist) dictionary
<dict>
<key>Device Serial Number</key>
<string>${device.serialnumber}</string>
<key>DEVICE_MAC</key>
<string>$DEVICE_MAC$</string>
<key>DISPLAY_NAME</key>
<string>$DISPLAY_NAME$</string>
<key>EMAIL</key>
<string>$EMAIL$</string>
<key>FIRST_NAME</key>
<string>$FIRST_NAME$</string>
<key>LAST_NAME</key>
<string>$LAST_NAME$</string>
<key>USERID</key>
<string>$USERID$</string>
<key>Lacoon Server Address</key>
<string>gw.locsec.net</string>
</dict>
4. Select “Check Dictionary” to validate the XML
5. Click Next, select the appropriate Delivery Group, and click Save
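The Dictionary Content above is an XML property list. As an added example (not code from the guide or from either vendor), the following Python builds that plist from the key/value pairs the guide specifies and runs the checks an administrator would want before pasting it into the Dictionary Content field: well-formed XML, a <dict> at the top level, string values only, and XenMobile macros that are correctly delimited. The validation rules and the dict_element() helper are this example's own assumptions, not XenMobile's “Check Dictionary” implementation.

```python
"""Added example (not code from the Citrix/Check Point guide): build the App
Configuration dictionary for SandBlast Mobile Protect as an XML property list
and check it before pasting it into XenMobile's "Dictionary content" field.
Key names, macros and the server address come from the guide; the validation
rules and the dict_element() helper are this example's own assumptions.
"""
import plistlib
import re

# Key/value pairs from the guide's App Configuration policy.
DICT_CONTENT = {
    "Device Serial Number": "${device.serialnumber}",
    "DEVICE_MAC": "$DEVICE_MAC$",
    "DISPLAY_NAME": "$DISPLAY_NAME$",
    "EMAIL": "$EMAIL$",
    "FIRST_NAME": "$FIRST_NAME$",
    "LAST_NAME": "$LAST_NAME$",
    "USERID": "$USERID$",
    "Lacoon Server Address": "gw.locsec.net",
}

# Accepted XenMobile macro shapes as used in the guide: $NAME$ or ${a.b}.
# (Assumption: any other string containing '$' is treated as a typo.)
MACRO = re.compile(r"\$[A-Z_]+\$|\$\{[a-z.]+\}")


def build_plist(content) -> bytes:
    """Serialise the dictionary as XML plist text, keeping the guide's key order."""
    return plistlib.dumps(content, fmt=plistlib.FMT_XML, sort_keys=False)


def dict_element(xml: bytes) -> str:
    """Return only the <dict>...</dict> element, which is what the policy field takes."""
    text = xml.decode("utf-8")
    start, end = text.index("<dict>"), text.rindex("</dict>") + len("</dict>")
    return text[start:end]


def check_dictionary(xml: bytes) -> list:
    """Return a list of problems; an empty list means the dictionary passes."""
    try:
        parsed = plistlib.loads(xml)
    except Exception as exc:  # ExpatError / InvalidFileException
        return [f"not a valid plist: {exc}"]
    if not isinstance(parsed, dict):
        return ["top-level element must be <dict>"]
    problems = []
    for key, value in parsed.items():
        if not isinstance(value, str):
            problems.append(f"{key}: value must be a <string>, got {type(value).__name__}")
        elif "$" in value and not MACRO.fullmatch(value):
            problems.append(f"{key}: malformed macro {value!r}")
    if "Lacoon Server Address" not in parsed:
        problems.append("missing key 'Lacoon Server Address'")
    return problems


if __name__ == "__main__":
    xml = build_plist(DICT_CONTENT)
    print(dict_element(xml))
    print("problems:", check_dictionary(xml))
    # Constructed typo: a macro missing its closing '$' would be sent to the app literally.
    broken = dict(DICT_CONTENT, DEVICE_MAC="$DEVICE_MAC")
    print("problems:", check_dictionary(build_plist(broken)))
```

Run the script and paste the printed <dict> element into the policy; a malformed macro such as “$DEVICE_MAC” (missing its closing “$”) would otherwise be delivered to the app as a literal string rather than being substituted by XenMobile.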
Configure Automated Actions – Device Out of Compliance
(Purpose: If device property "CHKP_Risk" is "High", then mark the device as out of compliance immediately.)
1. Navigate to Configure > Actions, click Add, enter “Device Out of Compliance”
2. Select/Enter the following and click Next
   Trigger: Device Property
   Other > CHKP_Risk > Is > High
   Action: Mark the device as out of compliance > Is > True
   Delay: 0 Minutes
3. Click Next, select the appropriate Delivery Group, click Next, and click Save
Configure Automated Actions – Clear Device Out of Compliance
(Purpose: If device property "CHKP_Risk" is "None", then mark the device as in compliance immediately. Confirm that "None" is the value SandBlast Mobile actually writes once a threat is resolved; the Testing section later in this guide observes "Low", and the action fires only on an exact match.)
1. Navigate to Configure > Actions, click Add, enter “Clear Device Out of Compliance”
2. Select/Enter the following and click Next
   Trigger: Device Property > Other > CHKP_Risk > Is > None
   Action: Mark the device as out of compliance > Is > False
   Delay: 0 Minutes
3. Click Next, select the appropriate Delivery Group, click Next, and click Save
Configure Automated Actions – Device at Risk
(Purpose: If device property "CHKP_Risk" is "High", then notify using the template "high risk" immediately, repeating every 1 day.)
1. Navigate to Configure > Actions, click Add, enter “Device at Risk”
2. Select/Enter the following and click Next
   Trigger: Device Property > Other > CHKP_Risk > Is > High
   Action: Send Notification > high risk
   Delay: 0 Minutes, repeat every 1 Day
3. Click Next, select the appropriate Delivery Group, click Next, and click Save
Configure Automated Actions – Out of Compliance – Selective Wipe (optional out of compliance action)
(Purpose: If the device has been marked as Out of Compliance, then selectively wipe the device immediately.)
NOTE: Use caution when applying “Selective Wipe”. It removes all apps, policies and configurations applied by XenMobile on the enrolled device. It is one of several automated action options that can be executed automatically based on device state. See XenMobile documentation for more information.
1. Navigate to Configure > Actions, click Add, enter “Out of Compliance – Selective Wipe”
2. Select/Enter the following and click Next
   Trigger: Device Property > Out of compliance > Is > True
   Action: Selectively wipe the device
   Delay: 0 Minutes
3. Click Next, select the appropriate Delivery Group, click Next, and click Save
Configure Automated Actions – Out of Compliance – App Lock (optional alternative out of compliance action)
(Purpose: If the device has been marked as Out of Compliance, then app lock the device immediately.)
NOTE: For iOS devices, you can select only one iOS app per policy. This means users are only able to use their device to run a single app; they cannot do anything else on the device except what you specifically allow while the App Lock policy is enforced. In addition, iOS devices must be supervised to push App Lock policies.
1. Navigate to Configure > Actions, click Add, enter “Out of Compliance – App Lock”
2. Select/Enter the following and click Next
   Trigger: Device Property > Out of compliance > Is
   True
   Action: App Lock
   Delay: 0 Minutes
3. Click Next, select the appropriate Delivery Group, click Next, and click Save
Configure App Lock policy – Secure Web - (optional alternative to control XenMobile Secure Web browser use depending on security risk)
1. Navigate to Configure > Device Policies, click Add, and select App Lock
2. Enter a Policy Name and click next
3. Under the App bundle ID drop down select “Secure Web”
4. Under Deployment Rules (at the bottom of the screen) > Advanced > New Rule
Select “Limit by raw device property name”
Enter “CHKP_Risk”
Select “is equal to”
Enter “High”
Click the plus sign “+”
Click New Rule again
Select “Limit by known device property name”
Enter “CHKP_Status”
Select “is equal to”
Enter “Inactive”
Click the plus sign “+”
Click Next
(The purpose of the deployment rules is to ensure that the App Lock is only applied to devices that are either 1) at High Risk, or 2) enrolled by users who are members of the SandBlast Mobile AD group yet have not installed/activated the SandBlast Mobile Protect app. Check the status value in the second rule against the definitions in the SandBlast Mobile configuration section: there, Provisioned is the not-yet-installed state, while Inactive means the agent is installed and the device is compliant but offline. The rule value must match the status SandBlast Mobile actually writes for the condition you intend to catch.)
5. Click Next, select the appropriate Delivery Group, and click Save
Configure App Lock policy – other apps – (optional alternative to control use of other apps depending on security risk)
1. Repeat the configuration steps above for Secure Web, but in step 3 select the appropriate app from the available list.
Or, if it is unavailable, under App Bundle ID click “Add New” and enter the bundle ID. For example, “com.citrix.browser.ios” is the bundle ID of Citrix Secure Web (covered in the previous section) and “com.apple.mobilesafari” is the bundle ID of the Safari browser.
The App Bundle ID may be located by navigating to Configure > Apps > Add > Add App > Enter a name, then searching for the app in the appropriate public app store.
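The automated actions (Device Out of Compliance, Clear Device Out of Compliance, Device at Risk, Out of Compliance – App Lock) and the App Lock deployment rules above together decide what happens to a device as SandBlast Mobile toggles CHKP_Risk and CHKP_Status. As an added example (not code from the guide or from either vendor), the following Python encodes those rules as written and runs constructed check-in histories through them, so the resulting state of each device can be inspected before the rules go live. Assumptions not stated by the guide: device properties are a plain dict keyed by CHKP_Risk and CHKP_Status; the two advanced deployment rules are combined with OR, matching the guide's stated purpose; the App Lock automated action is modelled as locking while the compliance flag is set; XenMobile's real scheduling and evaluation order are not reproduced.

```python
"""Added example, not code from the Citrix/Check Point guide: evaluate the
XenMobile automated actions and the Secure Web App Lock deployment rules
described in the guide against constructed device records.

Assumptions (not stated by the guide): properties are a plain dict keyed by
CHKP_Risk and CHKP_Status; the two deployment rules are OR-ed; the App Lock
action locks while the compliance flag is set; real XenMobile ordering and
scheduling are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    props: dict = field(default_factory=dict)   # e.g. {"CHKP_Risk": "High", "CHKP_Status": "Active"}
    out_of_compliance: bool = False              # XenMobile "Out of compliance" flag
    notifications: list = field(default_factory=list)
    app_lock: bool = False


# --- Automated actions, as configured in the guide ---------------------------

def device_out_of_compliance(d: Device) -> None:
    """Trigger CHKP_Risk is High -> mark out of compliance (delay 0)."""
    if d.props.get("CHKP_Risk") == "High":
        d.out_of_compliance = True


def clear_device_out_of_compliance(d: Device) -> None:
    """Trigger CHKP_Risk is None -> mark in compliance (delay 0).
    The trigger is the literal string "None"; "Low" does not match."""
    if d.props.get("CHKP_Risk") == "None":
        d.out_of_compliance = False


def device_at_risk(d: Device) -> None:
    """Trigger CHKP_Risk is High -> send the "high risk" notification."""
    if d.props.get("CHKP_Risk") == "High":
        d.notifications.append("high risk")


AUTOMATED_ACTIONS = [device_out_of_compliance, clear_device_out_of_compliance, device_at_risk]


# --- Deployment rules on the Secure Web App Lock policy ----------------------

def app_lock_policy_deploys(props: dict) -> bool:
    """CHKP_Risk is High  OR  CHKP_Status is Inactive (rules as written in the guide)."""
    return props.get("CHKP_Risk") == "High" or props.get("CHKP_Status") == "Inactive"


def check_in(d: Device, props: dict) -> Device:
    """Apply one device check-in carrying the properties SandBlast Mobile wrote."""
    d.props = dict(props)
    for action in AUTOMATED_ACTIONS:
        action(d)
    # Locked either by the optional out-of-compliance App Lock action or because
    # the App Lock policy's deployment rules match this device.
    d.app_lock = d.out_of_compliance or app_lock_policy_deploys(d.props)
    return d


def simulate(name: str, history: list) -> Device:
    """Run a device through a sequence of check-ins and return its final state."""
    d = Device(name)
    for props in history:
        check_in(d, props)
    return d


def stuck_out_of_compliance(d: Device) -> bool:
    """True when the flag is still set although SandBlast no longer reports High."""
    return d.out_of_compliance and d.props.get("CHKP_Risk") != "High"


if __name__ == "__main__":
    # Constructed check-in histories. High -> Low mirrors the Testing section,
    # which observes CHKP_Risk "Low" after the blacklisted app is restored.
    scenarios = {
        "blacklist-then-low": [
            {"CHKP_Risk": "High", "CHKP_Status": "Active"},
            {"CHKP_Risk": "Low", "CHKP_Status": "Active"},
        ],
        "blacklist-then-none": [
            {"CHKP_Risk": "High", "CHKP_Status": "Active"},
            {"CHKP_Risk": "None", "CHKP_Status": "Active"},
        ],
        "agent-not-installed": [{"CHKP_Risk": "None", "CHKP_Status": "Provisioned"}],
        "agent-offline": [{"CHKP_Risk": "None", "CHKP_Status": "Inactive"}],
    }
    for name, history in scenarios.items():
        d = simulate(name, history)
        print(f"{name:22} out_of_compliance={d.out_of_compliance} app_lock={d.app_lock} "
              f"stuck={stuck_out_of_compliance(d)} notifications={len(d.notifications)}")
```

Two results are worth noting when the script runs: a device whose risk drops from High to Low stays out of compliance (and locked) because the clear action matches only "None", and a device in the Provisioned state is not locked by the deployment rules, since those test for Inactive. Both are consequences of the rules exactly as the guide writes them, which is why the trigger values should be checked against what SandBlast Mobile actually writes.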
Testing
Prerequisites
1. A device enrolled in a XenMobile environment with a user that is a member of the SandBlast Mobile assigned Active Directory group
2. Install the Dropbox app from the Apple App Store
3. Login to the XenMobile Dashboard as an administrator
4. Login to SandBlast Mobile Dashboard as an administrator
Active - Compliant
1. Enroll with a user that is a member of the SandBlast Mobile AD group
2. Accept the prompt to install the SandBlast Mobile Protect app
3. Install XenMobile Secure Web from the Secure Hub store
4. From the XenMobile Dashboard navigate to Manage > Devices and click the down
arrow on the right and ensure CHKP_Status is checked
5. Notice the device object CHKP_Status is Active
6. You may also open the SandBlast Mobile Protect app and verify status from the device
Violation
1. In SBM Dashboard, navigate to App Analysis tab, and select an app running on the test
devices, such as Dropbox, and change the Policy to Black Listed, enter in a note, and
click OK.
2. Once the test device is marked at High Risk in SBM Dashboard you should receive a
notification in Secure Hub “Apps Locked: Your organization has locked your Citrix
Secure apps”
Also, when you try to open Secure Web you should be directed to Secure Hub and
receive the same message.
You will also see a violation notification in a red circle over the SandBlast Mobile
Protect app icon and more detail in the app
3. In the XenMobile Dashboard, the device entry in Manage > Devices should show CHKP_Risk updated to High.
4. To remove the High Risk state, go back to SBM Dashboard > App Analysis and change the policy back to Default for the app you blacklisted in the first step.
5. Once the test device is no longer at risk in the SBM Dashboard, check the Manage > Devices tab in XMS and confirm that the value of CHKP_Risk has been updated to Low. Note that the “Clear Device Out of Compliance” action configured earlier triggers only when CHKP_Risk is “None”; if the property settles at “Low”, the device stays marked out of compliance until the value changes to “None” or the clear action's trigger is adjusted to match the value SandBlast Mobile writes.
6. Force a policy refresh on the test device and try to open Secure Web; after the refresh you should be able to open the Secure Web app again.
Conclusion
Combining XenMobile Unified Endpoint Management with SandBlast Mobile threat detection lets you provide sound security for your Enterprise Mobility environment, protecting your devices, apps, and content.
About the Authors and Contributors
Matt Brooks, Senior Technical Marketing Manager, Citrix Workspace
Pamela S. Lee, Technical Marketing Engineer, Mobile Security, Check Point Software
Technologies Inc
A special thanks to the reviewers of this Solutions Brief:
• Sameer Mehta
• Frank Srp
© 2017 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of
Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark
Office and in other countries. All other marks are the property of their respective owner(s).