80 GlobalProtect Administrator’s Guide
Define Deployment Policies
After a mobile device successfully enrolls with the GlobalProtect Mobile Security Manager, it checks in with the
Mobile Security Manager to submit its host data at regular intervals (every hour by default). The Mobile Security
Manager uses deployment policy rules you define to determine what configuration profiles to push to the device. This
allows you to have granular control over what configuration profiles, if any, get deployed to and/or removed
from the device. For example, you could create different configurations for different user groups with varying
access needs. Or you could create policy rules that only allow configurations to be pushed to devices that are
security compliant.
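To make the rule-matching idea concrete, the following is an added illustration, not code from the guide or from the Mobile Security Manager itself: a minimal first-match evaluator that compares a device's user/group data and its HIP-style check-in data (rooted state, encryption, passcode, app hashes against a malware list) with an ordered list of deployment rules. The rule names, profile names, field names and hash values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hashes the latest APK content update flags as malware (constructed placeholder values).
KNOWN_MALWARE = {"hash-malware-placeholder"}

@dataclass
class Rule:
    name: str
    profiles: List[str]                 # configuration profiles to push on a match
    groups: Optional[Set[str]] = None   # match any of these directory groups; None = any user
    hip: Optional[str] = None           # "compliant", "noncompliant", or None = don't care

def hip_compliant(dev: dict) -> bool:
    """Device-state checks from the HIP report: not rooted, encrypted, passcode set, no malware."""
    return (not dev["jailbroken"] and dev["encryption"] and dev["passcode"]
            and not (set(dev["app_hashes"]) & KNOWN_MALWARE))

def matches(rule: Rule, dev: dict) -> bool:
    if rule.groups is not None and not (rule.groups & set(dev["groups"])):
        return False
    if rule.hip == "compliant" and not hip_compliant(dev):
        return False
    if rule.hip == "noncompliant" and hip_compliant(dev):
        return False
    return True

def select_profiles(rules: List[Rule], dev: dict) -> Tuple[Optional[str], List[str]]:
    """First matching rule wins; later rules are never consulted for this device."""
    for rule in rules:
        if matches(rule, dev):
            return rule.name, rule.profiles
    return None, []

# Order matters: the compliance gate sits first so a rooted or infected device is
# handled before any group rule could hand it the full engineering profile set.
RULES = [
    Rule("noncompliant-any-user", ["restricted-access"], hip="noncompliant"),
    Rule("engineering-compliant", ["corp-wifi", "corp-vpn", "corp-email"],
         groups={"engineering"}, hip="compliant"),
    Rule("default", ["corp-wifi"]),
]

# Constructed check-in data for two devices (hashes are placeholders, not real indicators).
CLEAN_DEVICE = {"user": "alice", "groups": ["engineering"], "jailbroken": False,
                "encryption": True, "passcode": True, "app_hashes": ["hash-app-a"]}
INFECTED_DEVICE = {**CLEAN_DEVICE, "app_hashes": ["hash-app-a", "hash-malware-placeholder"]}

if __name__ == "__main__":
    for dev in (CLEAN_DEVICE, INFECTED_DEVICE):
        print(dev["user"], select_profiles(RULES, dev))
```

Swapping the first two rules would let the infected engineering device receive the VPN and email profiles, which is the ordering mistake the compliance gate is there to prevent.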
The following sections provide information about how to plan your Mobile Security Management strategy and
instructions for setting up your policies and profiles:
About Mobile Security Manager Policy Deployment
Mobile Security Manager Policy Best Practices
Integrate the Mobile Security Manager with your LDAP Directory
Define HIP Objects and HIP Profiles
Create Configuration Profiles
Create Deployment Policies
About Mobile Security Manager Policy Deployment
After a mobile device enrolls with the GlobalProtect Mobile Security Manager, it checks in with the Mobile
Security Manager at regular intervals. The check-in process includes four parts:
Authentication—In order to connect to the Mobile Security Manager for check-in, the mobile device
presents the identity certificate that was issued to it during enrollment. If you have enabled access to your
LDAP server, the Mobile Security Manager can use the authenticated username to determine a policy match
based on user or group membership. See Integrate the Mobile Security Manager with your LDAP Directory.
Collection of device data—The mobile device provides HIP data, which the Mobile Security Manager
processes in order to create a full HIP Report for the device. The HIP report provides identifying
information about the device, information about the device state (such as whether it is jailbroken/rooted, if
encryption is enabled, and if a passcode is set), and a listing of all apps installed on the device. For Android
devices, the Mobile Security Manager computes a hash for each app and uses this data to determine if any
of the installed apps are known to have malware based on the latest APK content updates. For more
information about HIP data collection, see Collection of Device Data.
Policy deployment—Each Mobile Security Manager policy rule is composed of two parts: match criteria and
configurations. When a device checks in, the Mobile Security Manager compares the user information
associated with the device and the HIP data collected from the device against the match criteria. When it
finds the first matching rule, it pushes the corresponding configuration(s) to the device.
– Match Criteria—The Mobile Security Manager uses the username of the device user and/or HIP
matching to determine a policy match. Using the username allows you to deploy policy based on group
membership. See About User and Group Matching. Using HIP matching allows you to push
deployment policies based on the security compliance of the device and/or using other identifying