Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
38
Jailbroken or Rooted devices
These are devices where the user has gained direct access to the operating system, bypassing the controls
imposed on the device by the service provider. Devices in this state are generally considered
compromised, and there has been some recent legislative action to prohibit users from defeating locks
imposed on the device by the providers. The BYOD CVD offers a policy that does not allow jailbroken or
rooted devices on the network. This policy is based on the MDM API. The MDM server requires a mobile
client app installed on the device to determine the root status of the device. There are a few limitations to
be aware of. Usually the process of rooting a device requires the user to reinstall the operating system.
There is a good chance the user will uninstall the Fiberlink MaaS360 agent at the same time. Without
the software, the server cannot say with certainty that the device is rooted, only that it has been
compromised and is no longer under management. If the user also removes the MDM profile, then all of
the child profiles are removed with it, effectively resulting in a selective wipe. As a reminder, the MDM
profile may not be locked. At this point, the user may attempt to on-board the device in a rooted or
jailbroken state. The server will not be able to assess this condition until the mobile client is reinstalled
on the device and has had a chance to complete a scan. There is a time delay between when a device is
compromised and when the MDM server becomes aware of a problem. The MDM protocol does not require
a device to contact the MDM when the MDM payload is removed, so the server is left to poll for the
condition periodically. This delay carries over into ISE policy, because ISE can only respond to the
attributes as they are returned by the MDM.
RegisterStatus
When a device is being on-boarded, ISE will check the RegisterStatus attribute of the device via an API
call to the MDM. If the device is not registered, the user is redirected to the Fiberlink MaaS360
enrollment page. Obtaining a status of registered with the MDM means that the device is known to the
MDM, an MDM payload and the associated certificate are on the device, and the device has responded
to at least one check-in request issued through APNS or GCM. A status of registered does not guarantee
that all the profiles have been pushed to the device. Instead, it indicates that the profile containing the
MDM payload has been installed and that the device has responded to the initial check-in request. It is possible
for profiles to be withheld until a posture assessment has been completed and reported back to the server.
This could result in a registered device that is not equipped with the full set of intended restrictions.
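The two sections above describe the decision ISE has to make from the attributes the MDM returns: RegisterStatus first, then the rooted/jailbroken finding, with the gap that an uninstalled agent leaves the server unable to assert anything beyond "no longer under management", and that a clean result can be stale until the next poll. The following is added illustration code, not from the CVD or the MaaS360 API; the attribute field names, the outcome labels and the 4-hour poll interval are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the MDM attributes ISE acts on, as the text describes:
# RegisterStatus plus the rooted/jailbroken finding. Field names and the
# last-scan timestamp are assumptions for this example, not the MaaS360 API.
@dataclass
class MdmAttributes:
    register_status: bool          # MDM payload installed and device checked in
    agent_installed: bool          # MaaS360 mobile client app present
    jailbroken: Optional[bool]     # None when no agent is there to report it
    last_scan: Optional[datetime]  # when the agent last completed a scan

# Assumed MDM polling interval; a clean result older than this is treated as
# unknown, because the MDM only learns of a removed payload when it polls.
MAX_SCAN_AGE = timedelta(hours=4)

def authorize(attrs: MdmAttributes, now: datetime) -> str:
    """Return the ISE-style outcome for a device on-boarding or re-authenticating."""
    # Unknown to the MDM: redirect the user to the MaaS360 enrollment page.
    if not attrs.register_status:
        return "redirect_enrollment"
    # Registered but the agent is gone: the server cannot say the device is
    # rooted, only that it is no longer under management, so do not permit.
    if not attrs.agent_installed or attrs.jailbroken is None:
        return "quarantine_unmanaged"
    # Agent present and reporting a jailbroken/rooted OS: the CVD policy denies.
    if attrs.jailbroken:
        return "deny_compromised"
    # Agent reports clean, but the finding may predate a later compromise;
    # a scan older than the poll interval is stale and needs a fresh check-in.
    if attrs.last_scan is None or now - attrs.last_scan > MAX_SCAN_AGE:
        return "quarantine_stale_posture"
    return "permit"

def demo(now: datetime = datetime(2024, 1, 1, tzinfo=timezone.utc)) -> dict:
    """Constructed device records covering each branch, keyed by scenario."""
    return {
        "never_enrolled": authorize(MdmAttributes(False, False, None, None), now),
        "agent_removed": authorize(MdmAttributes(True, False, None, None), now),
        "rooted": authorize(MdmAttributes(True, True, True, now), now),
        "stale_scan": authorize(MdmAttributes(True, True, False, now - timedelta(hours=5)), now),
        "healthy": authorize(MdmAttributes(True, True, False, now - timedelta(minutes=30)), now),
    }

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15} -> {outcome}")
```

The "agent_removed" and "stale_scan" branches are the cases the text warns about: the device is still registered, so RegisterStatus alone would let it through.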
Manage Lost/Stolen Devices
Corporate and personal devices require specific responses when reported lost or stolen. Personal devices
reported as stolen should undergo an enterprise wipe to remove all corporate data. Lost devices may be
handled in the same manner, although the user may attempt to locate the device from the myDevices page
first (but only if that service is allowed by the user's role privileges and location services are enabled
on the mobile device). The user or admin can also try to issue a "find device" if either the mobile
client app or the secure content locker is installed on the device. The device will emit a sound at periodic
intervals to help the user locate the lost device. If the device remains lost after an attempt to locate it,
then an enterprise wipe is prudent. The device can be restored if it is later found by the user. The admin may
also choose to blacklist the device on the network depending on the situation, forcing the user to call
support to regain access.
Corporate devices have some more flexibility with respect to location information. If this information is
available, then the administrator may have some options. They could choose to: