Manualshelf

Hardware reference guide

ManualsBrandsAlto ManualsComputer equipmentBEXT 100H
61626364656667686970
60 GlobalProtect Administrator’s Guide
Mobile Security Manager Deployment Best Practices Set Up the GlobalProtect Mobile Security Manager
Mobile Security Manager Deployment Best Practices
GlobalProtect Mobile Security Manager (running on the GP-100 appliance) works in concert with the rest of
the GlobalProtect infrastructure to ensure a complete mobile security solution. A Mobile Security Manager
deployment requires connectivity between the following components:
Palo Alto Updates—The Mobile Security Manager retrieves WildFire signature updates that enable it to
detect malware on managed Android devices. By default, the Mobile Security Manager retrieves WildFire
updates from the Palo Alto Networks Update server over its MGT interface. However, if your management
network does not provide access to the Internet, you will have to modify the service route for the Palo Alto
Updates service to use the ethernet1 interface.
GlobalProtect Gateways—To Configure HIP-Based Policy Enforcement for managed devices, the
GlobalProtect gateways retrieve the mobile device HIP reports from the Mobile Security Manager. The best
practice deployment is to enable the GlobalProtect Gateways management service on ethernet1.
Push Notification Services—Because the Mobile Security Manager cannot directly connect to the mobile
devices it manages, it must send push notifications over the Apple Push Notification service (APNs) or
Google Cloud Messaging (GCM) services whenever it needs to interact with a device, for example to send
a check-in request or perform an action such as sending a message or pushing a new policy. The best practice
is to configure the Push Notification service route to use the ethernet1 interface.
Mobile Devices—Mobile devices connect from the external network initially for enrollment and then to
check in and receive deployment policy. The best practice is to use ethernet1 for device enrollment and
check-in, but to use separate listening ports. To prevent the end user from seeing certificate warnings, use
port 443 (the default) for enrollment and use a different port (configurable to 7443 or 8443) for check-in.
Warning: Because the device check-in port is pushed to the device upon enrollment, changing it after initial
configuration will require devices to re-enroll with the Mobile Security Manager.
Figure: Mobile Security Manager best practice deployment