Cisco Systems MaaS360 Marine RADAR User Manual


 
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
PINLockStatus
The PINLockStatus is available to the API and can be used by ISE to set a minimum requirement
for network access, as shown in the CVD. Fiberlink MaaS360 allows the administrator to create a
PIN lock policy and set rules to force users to set PINs with a certain strength (alphanumeric,
length, require special characters, etc.).
The user is provided with a grace period to set up PIN lock. If the user does not set up a PIN code
within 60 minutes, all corporate profiles pushed via Fiberlink MaaS360 will be removed from the
device. During this grace period, Fiberlink MaaS360 will return status as “Out of Compliance” if
queried by ISE.
As a best practice, when users are issued instructions explaining the on-boarding process, they
should be asked to set a PIN lock on their device prior to starting the on-boarding process, rather
than waiting for the forced PIN lock mid-way through the procedure. If the user does not follow
this, they will likely end up in a quarantine state from NAC. There are two issues at play:
First, the MDM server does not get a triggered update when a user creates a PIN lock. The
user is required to enter one, but the server only becomes aware of the PIN lock some time
later, at a polling interval.
Second, the MDM on-boards by installing the MDM profile and certificate first. This secures
the communications between the server and device. After this profile is issued, the server will
send a check-in request to the device.
Because the MDM payload is required to respond to check-in messages, this confirms the device
is fully under management. On the initial check-in, the device is loaded with the remaining
profiles, including the one containing the PIN lock. Before this completes, the user will have
clicked the continue button on the MDM redirect page, resulting in a CoA. This will re-authorize
the device before the user has been prompted to enter a PIN lock and the user will end up being
quarantined. The workaround is to open the Fiberlink MaaS360 client and click the “Refresh”
button, as shown in Figure 28, to update the server with the new posture. Then the user can try the
continue button again or bounce their wireless to force a re-authorization.
Figure 28 Manually Updating the MDM Server
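The on-boarding sequence described above can be replayed as a small state model to see why the first CoA quarantines the device and why "Refresh" resolves it. This is an added example, not Cisco or Fiberlink code; the class, event names and timelines are hypothetical, and it assumes the server learns PIN state only on a poll, a check-in or a manual Refresh.

```python
from dataclasses import dataclass

GRACE_MINUTES = 60  # grace period given in the text


@dataclass
class Onboarding:
    """Hypothetical model: device truth vs. the posture the MDM server has cached."""
    device_has_pin: bool = False     # ground truth on the handset
    server_sees_pin: bool = False    # posture last learned by the MDM server
    profiles_installed: bool = True  # corporate profiles pushed at check-in

    def step(self, minute, event):
        """Apply one event; return ISE's decision for a CoA, otherwise None."""
        if minute >= GRACE_MINUTES and not self.device_has_pin:
            self.profiles_installed = False  # grace period expired without a PIN
        if event == "set_pin":
            self.device_has_pin = True       # no triggered update reaches the server
        elif event in ("poll", "refresh"):
            # Scheduled poll/check-in or the client's "Refresh" button.
            self.server_sees_pin = self.device_has_pin
        elif event == "coa":
            # ISE re-authorizes on whatever the MDM server reports right now.
            compliant = self.server_sees_pin and self.profiles_installed
            return "permit" if compliant else "quarantine"
        return None


def replay(timeline):
    """Run (minute, event) pairs in order and collect the CoA outcomes."""
    state = Onboarding()
    return [(m, d) for m, e in timeline if (d := state.step(m, e)) is not None]


# Constructed timelines (minutes since enrollment).
AS_DESCRIBED = [(1, "coa"), (2, "set_pin"), (3, "coa"), (4, "refresh"), (5, "coa")]
PIN_FIRST = [(0, "set_pin"), (1, "poll"), (2, "coa")]  # best practice from the text
NO_PIN = [(61, "coa")]                                 # grace period ran out

if __name__ == "__main__":
    for name, tl in [("as described", AS_DESCRIBED), ("PIN first", PIN_FIRST),
                     ("no PIN", NO_PIN)]:
        print(name, replay(tl))
```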