Cisco Systems MaaS360 Marine RADAR User Manual


 
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Because ISE depends on these features for policy enforcement, corporate devices and personal devices
with partial or full access should include a profile that specifies the Fiberlink MaaS360 Agent as a
mandatory application.
The user is automatically taken to the App Store or Google Play to install the Fiberlink MaaS360 Agent
during the enrollment process. The Fiberlink MaaS360 Agent can also be installed by the user directly
from the App Store or Google Play store. In addition to supervising the device, the client application
offers the end users some useful information concerning the status of their devices. Users can determine
when a device last communicated with the Fiberlink MaaS360 server, receive messages or alerts from
the administrator, track data usage, or buzz the device to locate a lost device. Another useful feature of
the client application is the ability to manually refresh the device’s posture to the server. This need arises
when the device has been placed in MDM quarantine due to a compliance violation. For example, the
device may not have a PIN lock when one is required. When the user configures the device with a PIN
lock, the OS will not trigger an update to the MDM client. The client will detect the change during the
next security scan interval, and the server will learn of it only the next time the device is polled. This
could result in ISE continuing to place the device in quarantine even after the user has corrected the
issue. Rather than waiting for the MDM to poll the device for an update, the user could use the mobile
application to send the current data to the server.
Fiberlink MaaS360 also offers secure content distribution functionality that allows administrators to
distribute documents, audio files, video files, pictures, etc. securely to mobile devices. The content is
available in the Fiberlink MaaS360 agent, which provides a secure container for viewing documents.
Administrators can set policies to restrict copying, pasting, or emailing outside of the container, as well
as forcing the password-protection of content.
Device Ownership
One of the key components of BYOD is the mix of personal devices and corporate devices on the
network and the ability to establish policy based on this attribute. Both the ISE and the MDM have the
concept of asset classes, which can be used to classify user-owned or corporate-owned devices. In ISE,
this is based on the identity groups. Ownership is an important aspect of BYOD. For example, Fiberlink
MaaS360 recommends that support staff should not be allowed to issue a Full_Wipe of personal devices
or track the location of a personal device. However, corporate devices may receive full wipes as a matter of
normal operation and may have their location tracked, especially if travel is a key component of the job.
Having the ability to handle the information gathered from personal and corporate devices differently is
important.
In this first release, there is no tight integration between the asset classes defined on ISE and those
defined on the MDM. The API does not support such a device attribute. Complicating matters somewhat
is the key index used to identify a device. Within ISE, this is the device’s MAC address, which is unique
across the network; however, Fiberlink MaaS360 uses the device’s UDID, which is globally unique.
ISE determines corporate devices through an identity group referred to as the Whitelist, which contains
the MAC addresses of corporate assets. Discovering the MAC address of Android and Apple devices is
typically a manual process. Apple lists the MAC on the Settings > General > About page. Fiberlink
MaaS360 allows devices to be grouped as corporate-owned or personally-owned only after device
enrollment. This can be done either via the Web Services API or through the Bulk Update feature of Fiberlink
MaaS360. Using Bulk Update, an administrator can change device ownership for the devices.
An enterprise may need to create a list of corporate MAC addresses and the associated UDIDs to
provision them as corporate devices on both systems. Apart from bulk imports, another option for daily
operations is device staging. This allows an administrator to on-board devices on behalf of
users, during which time the device can be declared as a corporate asset in both systems.
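
The following is an added example, not taken from the Cisco or Fiberlink documentation, of maintaining the MAC-to-UDID list described above and checking that a device is declared corporate in both systems rather than only one. The CSV columns, the placeholder UDIDs, and the function names are assumptions; how each list is exported from or imported into ISE and MaaS360 is outside the example.

```python
import csv
import io
import re

# Constructed sample inventory; the column names and values are assumptions,
# not an ISE or MaaS360 export format.
INVENTORY_CSV = """mac,udid,owner
00-1A-2B-3C-4D-5E,UDID-EXAMPLE-0001,corporate
001a.2b3c.4d5f,UDID-EXAMPLE-0002,corporate
00:1a:2b:3c:4d:5e,UDID-EXAMPLE-0003,corporate
00:1A:2B:3C:4D:60,UDID-EXAMPLE-0004,personal
not-a-mac,UDID-EXAMPLE-0005,corporate
00:1A:2B:3C:4D:61,,corporate
"""

def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:.\-\s]", "", raw or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def build_corporate_map(csv_text):
    """Return ({mac: udid} for corporate devices, [(raw_mac, reason)] rejects)."""
    mac_to_udid, rejects = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["owner"].strip().lower() != "corporate":
            continue  # personal devices stay out of both corporate lists
        mac, udid = normalize_mac(row["mac"]), (row["udid"] or "").strip()
        if mac is None or not udid:
            rejects.append((row["mac"], "missing or malformed MAC/UDID"))
        elif mac_to_udid.get(mac, udid) != udid:
            rejects.append((row["mac"], "MAC already mapped to " + mac_to_udid[mac]))
        else:
            mac_to_udid[mac] = udid
    return mac_to_udid, rejects

def find_drift(mac_to_udid, ise_whitelist, maas_corporate):
    """List devices that are corporate in only one of the two systems."""
    listed = {normalize_mac(m) for m in ise_whitelist}
    drift = []
    for mac, udid in sorted(mac_to_udid.items()):
        if (mac in listed) != (udid in maas_corporate):
            where = "ISE only" if mac in listed else "MaaS360 only"
            drift.append((mac, udid, where))
    return drift

if __name__ == "__main__":
    mapping, rejects = build_corporate_map(INVENTORY_CSV)
    print(find_drift(mapping, ["001A.2B3C.4D5E"], {"UDID-EXAMPLE-0002"}), rejects)
```

A device reported as "ISE only" or "MaaS360 only" would be treated as corporate by one system and personal by the other, which is the mismatch the ownership policies above are meant to avoid.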