Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Figure 14 CVD Use Policies
These groups can be extended to the MDM such that members are issued profiles that complement
their level of network access. As an example, Table 3 shows some arbitrary policies that can be
established and enforced based on the CVD use cases.
Table 3 Policies Based on CVD Cases

Ownership               User Group            Restrictions
Employee-Owned Device   Domain Users          Internet Only; personal devices are not required to on-board with the MDM.
Employee-Owned Device   BYOD_Partial_Access   Fairly restrictive policy that isolates corporate data into containers. Restrictions prevent users from disabling the policy.
Employee-Owned Device   BYOD_Full_Access      Trusted users are offered a slightly less restrictive policy. Corporate data is still isolated in containers.
Corporate-Owned Device  All user classes      Very restrictive device policy disabling non-essential business functions such as the game center.
Domain_Users is the default AD group. By definition, every user defined in the directory is a
domain user. While it is possible to create the reciprocal group on the MDM, it is not needed. The
CVD treats non-domain members as temporary guests that are unlikely to need MDM
management. More importantly, if a user is not a domain member, then the MDM administrator will
need to define a local user account. This is likely a very small set of users that are handled as an
exception, such as distinguished guests. Domain_Users are essentially everyone with an account
on the MDM, including members of BYOD_Partial_Access and BYOD_Full_Access.
MDM profiles and ISE AuthZ rules are fundamentally different with respect to AD groups. ISE
policy may include the AD group match as a condition for establishing a specific and single policy.
MDM profiles are not a singular result. Most devices will be provisioned with multiple profiles
based on various attributes. Members of BYOD_Full_Access and Domain_Users can each be
configured for a specific profile. But if a user happens to have membership in both
BYOD_Partial_Access and BYOD_Full_Access, then that user's device is provisioned with both
profiles. In addition, everyone will be provisioned with basic security restrictions. ISE will check
the device to ensure these restrictions are met before granting network access. These restrictions
establish ISE compliance and are defined here as a required PIN lock, encrypted storage, and a
non-jailbroken or non-rooted device.
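The distinction just described (a single first-match ISE authorization result versus cumulative MDM profile assignment, gated by a compliance check on the device posture) can be modelled in a few lines. The following Python is an added illustration, not Cisco or Fiberlink code; the rule table, profile names, the "Non_Compliant" result and the DevicePosture attributes are all assumptions constructed for the example.

```python
"""Toy model of the two policy semantics in the text.

ISE AuthZ: an ordered rule list where the first AD-group match yields ONE result.
MDM profiles: every group with a mapped profile contributes, plus a baseline of
basic security restrictions, so a user in two BYOD groups receives both profiles.
Network access is granted only if the device meets the compliance restrictions.
Added example; group names come from the text, everything else is hypothetical.
"""
from dataclasses import dataclass

# Hypothetical ISE authorization rule table: (AD group condition, single result).
# Order matters: the most specific group is listed first, as in a first-match policy.
ISE_AUTHZ_RULES = [
    ("BYOD_Full_Access", "Full_Access"),
    ("BYOD_Partial_Access", "Partial_Access"),
    ("Domain_Users", "Internet_Only"),
]

# Hypothetical MDM group-to-profile mapping; unlike ISE, all matches apply.
MDM_GROUP_PROFILES = {
    "Domain_Users": "Internet_Only_Profile",
    "BYOD_Partial_Access": "Partial_Container_Profile",
    "BYOD_Full_Access": "Full_Container_Profile",
}
BASELINE_PROFILE = "Basic_Security_Restrictions"  # provisioned to everyone


def ise_authz(groups):
    """Return the single authorization result of the first matching rule."""
    for condition, result in ISE_AUTHZ_RULES:
        if condition in groups:
            return result
    return "Deny"  # hypothetical default for users in no mapped group


def mdm_profiles(groups):
    """Return the set of profiles pushed to the device: baseline plus every match."""
    profiles = {BASELINE_PROFILE}
    for group in groups:
        if group in MDM_GROUP_PROFILES:
            profiles.add(MDM_GROUP_PROFILES[group])
    return frozenset(profiles)


@dataclass(frozen=True)
class DevicePosture:
    """Constructed posture attributes matching the three compliance restrictions."""
    pin_lock: bool
    storage_encrypted: bool
    jailbroken_or_rooted: bool


def compliance_failures(posture):
    """List every compliance restriction the device fails; empty means compliant."""
    failures = []
    if not posture.pin_lock:
        failures.append("pin_lock_missing")
    if not posture.storage_encrypted:
        failures.append("storage_not_encrypted")
    if posture.jailbroken_or_rooted:
        failures.append("jailbroken_or_rooted")
    return failures


def network_access(groups, posture):
    """Compliance is checked before the AuthZ result is granted.

    Returns (result, failures); a non-compliant device gets the hypothetical
    "Non_Compliant" result instead of its group-based access.
    """
    failures = compliance_failures(posture)
    if failures:
        return ("Non_Compliant", failures)
    return (ise_authz(groups), [])


if __name__ == "__main__":
    # Constructed user in both BYOD groups: one ISE result, but two BYOD profiles.
    groups = {"Domain_Users", "BYOD_Partial_Access", "BYOD_Full_Access"}
    print("ISE result:", ise_authz(groups))
    print("MDM profiles:", sorted(mdm_profiles(groups)))
    rooted = DevicePosture(pin_lock=True, storage_encrypted=True, jailbroken_or_rooted=True)
    print("Rooted device:", network_access(groups, rooted))
```

The model makes the operational consequence visible: adding a user to a second BYOD group never changes how many ISE results they get, but it does change what lands on the device, so profile conflicts have to be reviewed on the MDM side rather than in the ISE rule order.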