Adding a Mobile Device Management (MDM) profile
Create an MDM profile to enable the SafeLinx Server to connect to an MDM service to evaluate the compliance status of mobile devices. SafeLinx supports several MDM service providers, including IBM MaaS360, midpoints mobile.profiler, midpoints traveler.rules, and MobileIron.
- MaaS360MaaS360 requires an application access key from IBM MaaS360 Support. MaaS360 Support provides the key after it registers your SafeLinx Server as a MaaS360 application and provisions the application. Contact IBM MaaS360 Support and provide them with the information in the following table to allow for provisioning of the SafeLinx Server:
Table 1. Provisioning SafeLinx Server for IBM MaaS360
Information required for provisioning SafeLinx Server for IBM MaaS360
Item Value Description Billing identifier Obtain from your MaaS360 administrator MaaS360 customer billing ID that is assigned by your MaaS360® administrator Platform identifier 3 The MaaS360 platform ID Application identifier com.hcl.cm The SafeLinx Server application identifier Application version 1.0 The SafeLinx Server MaaS360 API version identifier
- midpointsmidpoints requires a requester ID from the instance of your midpoints service. Contact midpoints support and provide them with the information in the following table to allow for the generation of the requester ID:
Table 2. Provisioning SafeLinx Server for midpoints
Information required for provisioning SafeLinx Server for midpoints
Item Value Description Requester ID Obtain from midpoints support midpoints access ID Connection token hclsafelinx10 The SafeLinx connection token for midpoints Application version 1 The SafeLinx midpoints API version identifier
MobileIron requires a user ID with API role access. A Super Administrator can assign the API role to a user. Refer to the MobileIron API Reference Document for MobileIron WebService.
Add an MDM resource to create a profile that defines how SafeLinx interacts with an MDM service. You associate an MDM profile to an authentication profile, such as an LDAP-bind or RADIUS profile, to establish a mechanism for verifying that mobile devices comply with MDM policies. If a mobile device passes the primary authentication challenge, the SafeLinx Server queries the MDM service to evaluate the status of the device. The query determines if the device is registered with the MDM service and that the device complies with selected MDM policies.
For each supported client application, you can create a unique MDM profile that enforces the level of verification that you want for that application. You then apply the MDM profile for the application to the authentication profile for the HTTP access service. For example, the HTTP access service that IBM® Chat clients use might have MDM profile A applied to its authentication profile. Meanwhile, the HTTP access service that Connections mobile devices use might have a different, more restrictive MDM profile applied to its authentication profile.
Each MDM profile is distinct from other MDM profiles and device compliance is tracked separately from one profile to another. Thus, a device might pass verification on MDM profile A, but fail verification against MDM profile B.
In the SafeLinx Administrator Resources pane, right-click the
OU in which you want to create the MDM resource, and then click .
The Add a New MDM Profile wizard starts and prompts you to provide the information for the profile.
Follow the wizard prompts and provide the information that is listed in the following
Note: Only the Common name and Server URL fields are required to complete the wizard. After you create the profile, you can provide additional information on the MDM profile properties pages.
Table 3. MDM Profile Wizard fields
MDM Profile Wizard input fields and values
Field Description Common name Provide a name for the MDM profile, for example, IBM Chat MDM. The common name enables you to distinguish among multiple MDM profiles. Profiles are listed by their common name on the MDM page of the authentication profile properties. This field is required. Description An optional description of the MDM profile. For example, midpoints MDM profile for IBM Chat mobile devices. Server URL The URL of the MDM service server. This field is required. Administrator ID The user name of the admin account on the MDM server. SafeLinx Server must sign in to the MDM server with this account when it sends a device status query. Enter the Password
Confirm the password
The password for the administrator account on the MDM server.Note: If the SafeLinx Server issues invalid administrator credentials when it queries the MDM server, access is denied and the SafeLinx MDM profile is disabled automatically. Mobile devices cannot be authenticated while the MDM profile is disabled. The profile remains disabled until the next SafeLinx Server restart or until you apply a new configuration change to the profile.Example log messages:
[WARN] MDM Test#MDM_MaaS360: server error response 1002, Invalid credentials. [ERROR] MDM Test#MDM_MaaS360 ::getAuthToken: invalid server credentials, disabling MDM until updated
Connect through an Internet proxy? Select the proxy server required to access the MDM server, or select None. Table 4. MDM Profile Wizard MaaS360 configuration fields
MaaS360 configuration fields and values
Field Description Billing identifier The customer account identifier that MaaS360 assigns to your Maas360 deployment. Platform identifier The platform identifier that is assigned to SafeLinx Servers that use MaaS360. Retain the default value of 3. Application identifier The application identifier that is assigned to SafeLinx Servers that use MaaS360. Retain the default value of com.hcl.cm. Application version The identifier for the MaaS360 API version that is implemented for the SafeLinx Server. Retain the default value of 1.0. Application access key The access key that IBM MaaS360 support assigns to your SafeLinx Server deployment after it is registered to use MaaS360. The application access key is a unique value that is related to the billing identifier for your SafeLinx Server deployment. Contact IBM MaaS360 support to obtain this value. Table 5. MDM Profile Wizard midpoints configuration fields
midpoints configuration fields and values
Field Description Requester ID The customer requester ID that midpoints assigns to your deployment. Connection token The connectionidentifier that is assigned to SafeLinx Servers that use midpoints. Retain the default value of hclsafelinx10. Application version The identifier for the midpoints API version that is implemented for the SafeLinx Server. Retain the default value of 1. Table 6. MDM Profile Wizard MobileIron configuration fields
MobileIron configuration fields and values
Field Description There are no additional MobileIron configuration fields. There are no additional MobileIron configuration fields.
To complete the configuration for the MDM profile, use SafeLinx Administrator to update the profile properties.