Adding a Mobile Device Management (MDM) profile

Create an MDM profile to enable the SafeLinx Server to connect to an MDM service to evaluate the compliance status of mobile devices. SafeLinx supports several MDM service providers, including IBM MaaS360, midpoints mobile.profiler, midpoints traveler.rules, and MobileIron.

Before you can create an MDM resource, you must obtain MDM administrator credentials and account details. The specific details vary depending on which MDM service is being created.
  • MaaS360
    MaaS360 requires an application access key from IBM MaaS360 Support. MaaS360 Support provides the key after it registers your SafeLinx Server as a MaaS360 application and provisions the application. Contact IBM MaaS360 Support and provide them with the information in the following table to allow for provisioning of the SafeLinx Server:
    Table 1. Provisioning SafeLinx Server for IBM MaaS360

    Information required for provisioning SafeLinx Server for IBM MaaS360

    Item Value Description
    Billing identifier Obtain from your MaaS360 administrator MaaS360 customer billing ID that is assigned by your MaaS360® administrator
    Platform identifier 3 The MaaS360 platform ID
    Application identifier com.hcl.cm The SafeLinx Server application identifier
    Application version 1.0 The SafeLinx Server MaaS360 API version identifier
  • midpoints
    midpoints requires a requester ID from the instance of your midpoints service. Contact midpoints support and provide them with the information in the following table to allow for the generation of the requester ID:
    Table 2. Provisioning SafeLinx Server for midpoints

    Information required for provisioning SafeLinx Server for midpoints

    Item Value Description
    Requester ID Obtain from midpoints support midpoints access ID
    Connection token hclsafelinx10 The SafeLinx connection token for midpoints
    Application version 1 The SafeLinx midpoints API version identifier
  • MobileIron

    MobileIron requires a user ID with API role access. A Super Administrator can assign the API role to a user. Refer to the MobileIron API Reference Document for MobileIron WebService.

Add an MDM resource to create a profile that defines how SafeLinx interacts with an MDM service. You associate an MDM profile to an authentication profile, such as an LDAP-bind or RADIUS profile, to establish a mechanism for verifying that mobile devices comply with MDM policies. If a mobile device passes the primary authentication challenge, the SafeLinx Server queries the MDM service to evaluate the status of the device. The query determines if the device is registered with the MDM service and that the device complies with selected MDM policies.

For each supported client application, you can create a unique MDM profile that enforces the level of verification that you want for that application. You then apply the MDM profile for the application to the authentication profile for the HTTP access service. For example, the HTTP access service that IBM® Chat clients use might have MDM profile A applied to its authentication profile. Meanwhile, the HTTP access service that Connections mobile devices use might have a different, more restrictive MDM profile applied to its authentication profile.

Each MDM profile is distinct from other MDM profiles and device compliance is tracked separately from one profile to another. Thus, a device might pass verification on MDM profile A, but fail verification against MDM profile B.

  1. In the SafeLinx Administrator Resources pane, right-click the OU in which you want to create the MDM resource, and then click Add Resource > MDM Integration > desired MDM service.
    The Add a New MDM Profile wizard starts and prompts you to provide the information for the profile.
  2. Follow the wizard prompts and provide the information that is listed in the following table:
    Note: Only the Common name and Server URL fields are required to complete the wizard. After you create the profile, you can provide additional information on the MDM profile properties pages.
    Table 3. MDM Profile Wizard fields

    MDM Profile Wizard input fields and values

    Field Description
    Common name Provide a name for the MDM profile, for example, IBM Chat MDM. The common name enables you to distinguish among multiple MDM profiles. Profiles are listed by their common name on the MDM page of the authentication profile properties. This field is required.
    Description An optional description of the MDM profile. For example, midpoints MDM profile for IBM Chat mobile devices.
    Server URL The URL of the MDM service server. This field is required.
    Administrator ID The user name of the admin account on the MDM server. SafeLinx Server must sign in to the MDM server with this account when it sends a device status query.
    Enter the Password

    Confirm the password

    The password for the administrator account on the MDM server.
    Note: If the SafeLinx Server issues invalid administrator credentials when it queries the MDM server, access is denied and the SafeLinx MDM profile is disabled automatically. Mobile devices cannot be authenticated while the MDM profile is disabled. The profile remains disabled until the next SafeLinx Server restart or until you apply a new configuration change to the profile.
    Example log messages:
    
    [WARN]  MDM Test#MDM_MaaS360: server error response 1002, Invalid credentials.
    [ERROR] MDM Test#MDM_MaaS360 ::getAuthToken: invalid server credentials, disabling MDM until updated
    Connect through an Internet proxy? Select the proxy server required to access the MDM server, or select None.
    Table 4. MDM Profile Wizard MaaS360 configuration fields

    MaaS360 configuration fields and values

    Field Description
    Billing identifier The customer account identifier that MaaS360 assigns to your Maas360 deployment.
    Platform identifier The platform identifier that is assigned to SafeLinx Servers that use MaaS360. Retain the default value of 3.
    Application identifier The application identifier that is assigned to SafeLinx Servers that use MaaS360. Retain the default value of com.hcl.cm.
    Application version The identifier for the MaaS360 API version that is implemented for the SafeLinx Server. Retain the default value of 1.0.
    Application access key The access key that IBM MaaS360 support assigns to your SafeLinx Server deployment after it is registered to use MaaS360. The application access key is a unique value that is related to the billing identifier for your SafeLinx Server deployment. Contact IBM MaaS360 support to obtain this value.
    Table 5. MDM Profile Wizard midpoints configuration fields

    midpoints configuration fields and values

    Field Description
    Requester ID The customer requester ID that midpoints assigns to your deployment.
    Connection token The connectionidentifier that is assigned to SafeLinx Servers that use midpoints. Retain the default value of hclsafelinx10.
    Application version The identifier for the midpoints API version that is implemented for the SafeLinx Server. Retain the default value of 1.
    Table 6. MDM Profile Wizard MobileIron configuration fields

    MobileIron configuration fields and values

    Field Description
    There are no additional MobileIron configuration fields. There are no additional MobileIron configuration fields.

To complete the configuration for the MDM profile, use SafeLinx Administrator to update the profile properties.