
GlobalProtect Administrator’s Guide 73
Set Up the GlobalProtect Mobile Security Manager Set Up the Mobile Security Manager for Device Management
Configure the Mobile Security Manager for Enrollment
In order for a mobile device to be managed by the GlobalProtect Mobile Security Manager, it must be enrolled with the service. There are two phases to enrollment:

Authentication—Before a mobile device can be enrolled, the device user must authenticate to the Mobile Security Manager so that you can determine the identity of the user and ensure that he/she is a part of your organization. The GlobalProtect Mobile Security Manager supports the same authentication methods that are supported on the other GlobalProtect components: local authentication, or external authentication to an existing LDAP, Kerberos, or RADIUS service (including support for two-factor OTP authentication). For details on these methods, see About GlobalProtect User Authentication.

Identity Certificate Generation—After successfully authenticating the end user, the Mobile Security Manager issues an identity certificate to the device. To enable the Mobile Security Manager to issue identity certificates, generate a self-signed CA certificate to use for signing. In addition, if you have an enterprise Simple Certificate Enrollment Protocol (SCEP) server such as the Microsoft SCEP server, you can configure the Mobile Security Manager to use the SCEP server to issue certificates for iOS devices. After enrollment, the Mobile Security Manager uses the identity certificate to authenticate the mobile device each time it checks in.
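The two-phase flow above (user authenticates, CA issues a device identity certificate, the certificate later authenticates the device at check-in) is modelled in the added example below. This is illustrative Go written for this page, not code from Palo Alto Networks or the Mobile Security Manager; the type and function names (EnrollmentCA, IssueIdentity, VerifyCheckIn), the subject layout (device ID in CN, enrolling user in OU), the key type and the one-year lifetime are all assumptions. It uses only the Go standard library, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EnrollmentCA stands in for the self-signed CA the Mobile Security Manager
// signs device identity certificates with (hypothetical model, not product code).
type EnrollmentCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewEnrollmentCA generates a self-signed CA certificate and its private key.
func NewEnrollmentCA(name string) (*EnrollmentCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &EnrollmentCA{Cert: cert, Key: key}, nil
}

// NewDeviceKey generates the key pair a device creates during enrollment;
// only the public half is ever sent to the CA.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueIdentity is called only after phase one (user authentication) succeeded.
// It binds the authenticated username and the device ID to the device's public
// key in a one-year client-authentication certificate (assumed layout).
func (ca *EnrollmentCA) IssueIdentity(username, deviceID string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{username}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCheckIn is the server-side check at device check-in: the presented
// certificate must chain to this CA, be within its validity window at `now`,
// and be usable for client authentication. On success it returns the device
// ID and the enrolling user recorded in the subject.
func (ca *EnrollmentCA) VerifyCheckIn(presented *x509.Certificate, now time.Time) (deviceID, username string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", "", fmt.Errorf("check-in rejected: %w", err)
	}
	if len(presented.Subject.OrganizationalUnit) != 1 {
		return "", "", fmt.Errorf("check-in rejected: no enrolling user in certificate")
	}
	return presented.Subject.CommonName, presented.Subject.OrganizationalUnit[0], nil
}

func main() {
	ca, _ := NewEnrollmentCA("MSM Enrollment CA (example)")
	devKey, _ := NewDeviceKey()
	// Constructed sample enrollment: user "alice" authenticated on "device-0001".
	cert, _ := ca.IssueIdentity("alice", "device-0001", &devKey.PublicKey, 2)
	id, user, err := ca.VerifyCheckIn(cert, time.Now())
	fmt.Println("check-in:", id, user, err)
	other, _ := NewEnrollmentCA("Unrelated CA")
	otherCert, _ := other.IssueIdentity("bob", "device-0002", &devKey.PublicKey, 3)
	_, _, err = ca.VerifyCheckIn(otherCert, time.Now())
	fmt.Println("certificate from an unrelated CA:", err)
}
```

The point of VerifyCheckIn is that a check-in is trusted only because the certificate chains to the CA you generated; a certificate signed by any other CA, or one presented after its validity window, is refused before the device ID in the subject is used for anything. Protect the CA private key accordingly, since whoever holds it can mint identities that pass this check.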
Use the following procedure to set up the enrollment infrastructure on the Mobile Security Manager:

Note: In order for Android devices to receive push notifications from the Mobile Security Manager, you must also ensure that your firewall has connectivity with GCM services. If you are using a Palo Alto Networks firewall, configure a security policy to allow google-cloud-messaging application traffic (on your firewall, select Policies > Security). If you are using a firewall with port management, open ports 5228, 5229, and 5230 on the firewall for GCM to use and also set the firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169. Refer to Google Cloud Messaging for Android for more information.
Set Up the Mobile Security Manager for Enrollment
Step 1: Create an authentication profile for authenticating device users when they connect to the Mobile Security Manager for enrollment.

As a best practice, use the same authentication service that is used to authenticate end users for access to corporate resources, such as email and Wi-Fi. This allows the Mobile Security Manager to capture the credentials for use in the configuration profiles it deploys to the devices. For example, the Mobile Security Manager can automatically deploy configurations that include the credentials required to access corporate resources, such as email and Wi-Fi, from the device.

1. Configure the Mobile Security Manager to connect to the authentication service you plan to use so that it can access the authentication credentials.
   - If you plan to authenticate using LDAP, Kerberos, or RADIUS, you must create a server profile that instructs the Mobile Security Manager how to connect to the service and access the authentication credentials for your users. Select Setup > Server Profiles and add a new profile for the specific service you will be accessing.
   - If you plan to use local database authentication, you must first create the local database. Select Setup > User Database > Local Users and add the users to be authenticated.
2. Create an authentication profile that references the server profile or local user database you just created. Select Setup > Authentication Profile and add a new profile. The authentication profile name cannot contain any spaces.