Junos Pulse Mobile Security Gateway

Transcription

1 Junos Pulse Mobile Security Gateway Administration Guide Release 2.1 Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright , Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton s EGP, UC Berkeley s routing daemon (routed), and DCN s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. Junos Pulse Mobile Security Gateway Administration Guide All rights reserved. Revision History Initial release Feature updates The information in this document is current as of the date listed in the revision history. ii

3 END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. iii

4 iv

5 Table of Contents About This Guide ix Objectives ix Audience ix Document Conventions ix Related Documentation ix Obtaining Documentation x Documentation Feedback x Requesting Technical Support x Self-Help Online Tools and Resources xi Opening a Case with JTAC xi Part 1 Junos Pulse Mobile Security Gateway Chapter 1 Getting Started Pulse Mobile Security Overview Administrators and Roles New Features in Pulse Mobile Security Release Accessing the Pulse Mobile Security Gateway Using the Pulse Mobile Security Gateway Management Interface Chapter 2 Setting Up the Pulse Mobile Security Gateway Configuring Automatic Registration Using Device Identity Servers Importing Certificates for Device Identity Servers Importing the Certificate for the Pulse Mobile Security Gateway Starting the Automatic Registration Process Sending Registration Requests to a Device Identity Server Configuring Device Identity Servers Configuration Requirements for Device Identity Servers Configuring Responses from a Device Identity Server Changing the Enterprise or User Account of a Registered Device Reporting Registration Results to a Device Identity Server Adding a Partner Adding an Enterprise Viewing the General Enterprise Settings Editing the Default Enterprise Settings Adding Administrator Accounts Adding an Administrator Role Adding a User Account Assigning a Role and User Control List to a User Account v

6 Junos Pulse Mobile Security Gateway Administration Guide Chapter 3 Device Profiles and Prohibited Applications Defining Prohibited Applications Managing Firewall Rules and Profiles Adding a New Firewall Rule Modifying a Firewall Rule Deleting a Firewall Rule Adding a Firewall Profile Modifying a Firewall Profile Deleting Firewall Profiles Managing Antispam Rules and Profiles Adding an Antispam Rule Modifying an Antispam Rule Deleting Antispam Rules Adding an Antispam Profile Modifying an Antispam Profile Deleting Antispam Profiles Chapter 4 User Accounts Managing User Accounts and User Groups Adding a User Account Modifying User Accounts Deleting a User Account Managing User Groups Chapter 5 Devices Devices Overview Adding Devices Manually Modifying Device Settings Sending Device Commands Backing Up and Restoring Personal Data Managing Device Groups Chapter 6 Reports Viewing Reports Removing Applications From Managed Devices Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices Tracking Devices with GPS Part 2 Appendices Appendix A Summary of Supported Features Pulse Mobile 2.1 Security Features by Device Type Part 3 Index Index vi

7 List of Tables About This Guide ix Table 1: Notice Icons ix Table 2: Related Documentation x Part 1 Junos Pulse Mobile Security Gateway Chapter 5 Devices Table 3: Device Commands Part 2 Appendices Table 4: Feature Support by Device Type Table 5: Personal Data Erased by Handset Wipe Command Appendix A Summary of Supported Features Table 4: Feature Support by Device Type Table 5: Personal Data Erased by Handset Wipe Command vii

8 Junos Pulse Mobile Security Gateway Administration Guide viii

9 About This Guide Objectives Objectives on page ix Audience on page ix Document Conventions on page ix Related Documentation on page ix Obtaining Documentation on page x Documentation Feedback on page x Requesting Technical Support on page x Audience The Junos Pulse Mobile Security Gateway Administration Guide describes how to configure and manage security for mobile (handheld) devices that are running Junos Pulse client software. Document Conventions The Junos Pulse Mobile Security Gateway Administration Guide is for security administrators who are responsible for setting up and maintaining security on mobile devices using the Junos Pulse Mobile Security Gateway. Table 1: Notice Icons Table 1 on page ix defines notice icons used in this guide. Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Related Documentation Table 2 on page x describes related Junos Pulse documentation. ix

10 Junos Pulse Mobile Security Gateway Administration Guide Table 2: Related Documentation Title Description Junos Pulse Administration Guide Describes Junos Pulse for Windows endpoints and includes procedures for network administrators who are responsible for setting up and maintaining network access using Junos Pulse client software through Juniper Networks gateways. SA Series SSL VPN Appliances Administration Guide Describes how to configure and maintain a Juniper Networks SA Series gateway. Junos Pulse for Mobile Devices Integration Guide Describes how to configure a Juniper Networks SA Series appliance to support smartphone access. Junos Pulse Supported Mobile Platforms Guide Describes the mobile devices that support the Pulse Mobile Security Suite. Obtaining Documentation Documentation Feedback To obtain the most current version of all Juniper Networks technical documentation, see the products documentation page on the Juniper Networks Web site at To order a documentation CD, which contains this guide, contact your sales representative. Copies of the Management Information Bases (MIBs) available in a software release are included on the documentation CDs and at We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at If you are using , be sure to include the following information with your comments: Document or topic name URL or page number Software release version (if applicable) Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at x

11 About This Guide Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see xi

12 Junos Pulse Mobile Security Gateway Administration Guide xii

13 PART 1 Junos Pulse Mobile Security Gateway Getting Started on page 3 Setting Up the Pulse Mobile Security Gateway on page 9 Device Profiles and Prohibited Applications on page 27 User Accounts on page 33 Devices on page 37 Reports on page 47 1

14 Junos Pulse Mobile Security Gateway Administration Guide 2

15 CHAPTER 1 Getting Started Pulse Mobile Security Overview The following topics provide an overview of the Junos Pulse Mobile Security Gateway. Pulse Mobile Security Overview on page 3 Accessing the Pulse Mobile Security Gateway on page 6 Using the Pulse Mobile Security Gateway Management Interface on page 6 The Pulse Mobile Security Gateway lets you centrally manage mobile (handheld) devices that are protected by the Junos Pulse Mobile Security Suite. The Pulse Mobile Security Suite is client software that protects mobile devices from viruses, spyware, identity theft and other threats. Users can install the Pulse client software from the applications store associated with any of the following mobile operating systems: Apple ios RIM Blackberry Google Android Nokia Symbian Windows Mobile For a list of the supported versions of each operating system, see the Junos Pulse Mobile Supported Platforms Guide, which is available at The Layer 3 VPN feature of the Pulse client (not supported by Blackberry) provides secure access to private networks by connecting to a Juniper Networks SA Series SSL VPN appliance. To activate all other security features, the mobile device must be registered with the Pulse Mobile Security Gateway. Registration enables the gateway to manage the device, and allows users to log in to the gateway Dashboard to locate a lost or stolen device, view reports of the device usage, or use other security features. The Pulse Mobile Security Suite provides the following features: Antivirus Devices are protected by real-time antivirus and malware protection with automatic updates. You can scan files across network connections, perform on-demand 3

16 Junos Pulse Mobile Security Gateway Administration Guide scans, and provide virus and malware detection alerts. Note that users can enable the following options on Android devices: Scan Memory Card on Insert The memory card is scanned when it is first installed (if the power is on), not when files are added. Scan application on install Applications are scanned for malware during installation. If the administrator defines any prohibited applications, scanning occurs during installation even if this feature is disabled. Personal firewall Provides inbound and outbound IP address and port filtering. Antispam Provides filtering to block voice and SMS spam and to deny unknown or unwanted calls. Backup and restore The contact list and calendar on a device can be backed up in a standard format and restored to another device. Loss and theft protection From the gateway, you can perform remote lock, remote wipe, GPS locate and track, remote alarm and notification, and SIM change notification. Device monitoring and control The gateway provides tools for application inventory and removal, monitoring (SMS, MMS, message content, and photos stored on device), and the ability to view the call log and the user s address book and contacts. NOTE: The iphone supports the VPN feature of the Pulse client, but not the features provided by the Pulse Mobile Security Suite. The firewall and antispam features are supported only by the Windows Mobile and Symbian devices. For more information about version support for each device type, see the Junos Pulse Supported Mobile Platforms Guide. Administrators and Roles Each gateway administrator account requires a role that determines the functions that the user can perform and a user access control list that determines the mobile devices the user can access. User roles and accounts can be defined at each administrative level (Root, Partner, and Enterprise), but most administrators will have an Enterprise account. Each role specifies the permissions (view, add, edit, delete, and move) for the following objects that you manage in the Pulse Mobile Security Gateway: Partner A group of one or more Enterprises. Only Root and Partner administrators can add or view Partners. Enterprise An organization that manages mobile devices. Managed devices exist only at the Enterprise level. Each Enterprise has a Consumer or Enterprise license. Enterprise administrators can allow users to log in to the gateway Dashboard to locate a lost phone or use other security features. User An Enterprise user account is created automatically when a mobile device is registered. To create an administrator account, you can add a role and access control list to an existing user account, or manually create a new account. 4

17 Chapter 1: Getting Started User Group Enterprise user accounts can be organized into user groups, such as by department or business unit. You can then issue commands to the devices associated with the users in one or more groups. Device A device record is created in the appropriate Enterprise when a mobile device is registered. Mobile devices are identified by their MSISD (Mobile Subscriber Integrated Services Digital Network number, which includes the phone number, country code, and area code) and IMEI number (International Mobile Equipment Identity). Device Group Enterprise devices can be organized into device groups. You can then issue commands to the devices in one or more groups or view reports for a selected device group. Profiles Groups of rules that you can assign to an Enterprise or apply to specific devices. Profiles assigned to an Enterprise are applied to each device that registers with the Enterprise. The current profiles are: Firewall Profile Defines Internet access permissions, both inbound and outbound, for Windows Mobile and Symbian devices. Antispam Profile Defines antispam conditions that let you block incoming calls and SMS messages from specific phone numbers on Windows Mobile and Symbian devices. Each role also lets you allow or disallow certain tasks, such as sending commands to devices or viewing specific device reports. If you are not authorized for certain tasks, the related menu items and buttons are hidden or disabled. For each new Enterprise, a Root or Partner administrator must create the Enterprise and add an Enterprise user account and role for use by the Enterprise administrator. Partner administrators can manage all Enterprises associated with the Partner. Root administrators can manage all Partners and Enterprises. New Features in Pulse Mobile Security Release 2.1 Release 2.1 includes the following new features: Android tablet support Android device support now includes tablets that have Android release 3.0. All security features provided for Android handsets also apply to tablets, except for voice and SMS-based features, such as sending commands. Malware protection on Android devices The Pulse Mobile Security Gateway provides signatures to detect malware and suspicious applications on Android devices. The malware signatures are updated periodically, and you can define a list of prohibited applications that should not be installed on Android devices. Users can view and remove the malware, suspicious, and prohibited applications discovered on their device. An administrator can view the same information for all devices on the Android Malware report. Pulse Client rebranding for Android devices Juniper Professional Services can rebrand the Pulse client for Android devices with customer-specific logos, colors and text. A rebranded Pulse client can include the URL for a device identity server for automatic registration. 5

18 Junos Pulse Mobile Security Gateway Administration Guide Automatic registration for Android devices Customers who have device identity servers can register Android devices with the Pulse Mobile Security Gateway without requiring users to enter a license key. Rebranded Pulse clients that include the appropriate URL can contact the identity server automatically; unbranded clients require the administrator to send an or SMS message with the server URL. Local gateway installation Juniper Professional Services now provides support for installing the Pulse Mobile Security Gateway in your own network. This option is intended primarily for mobile service providers. In most cases, the most efficient solution is to access a gateway hosted by Juniper Networks so that you can manage your mobile devices without having to maintain the physical gateway. Accessing the Pulse Mobile Security Gateway The URL used to access the management Console of a Pulse Mobile Security Gateway depends on whether you are hosting the gateway in your own network. To access the management console of a gateway hosted by Juniper Networks, enter the following URL in your browser: Use the login credentials provided for you. If you are the Root administrator logging in for the first time to a gateway in your own network, use root@smobilesystems.com and password for the username and password. If access to the gateway Dashboard is enabled, users can use their registration address and password to log in to the Dashboard at the following URL to view device reports, locate a missing device, or use other security features. The Dashboard URL for a gateway hosted by Juniper Networks is: For users who can enter just the license key during registration, the IMEI number is used for the address (imei@a.a) and password. Administrators can change the defaults and notify the user. NOTE: To use the Pulse Mobile Security Gateway, your browser must be Google Chrome version 6.0, Microsoft Internet Explorer version 7.0 or 8.0, or Mozilla Firefox 3.0, 3.5, or 3.6. JavaScript and cookies must be enabled on the browser. Using the Pulse Mobile Security Gateway Management Interface The management interface of the Pulse Mobile Security Gateway has a navigation panel on the left, a central data panel, and a top panel for additional features, such as search and help. The navigation panel displays a hierarchy of the Partners and Enterprises that you can manage. Most administrators can manage a single Enterprise and its associated user groups and device groups (see Figure 1 on page 7). 6

19 Chapter 1: Getting Started NOTE: Be sure to select the appropriate item in the navigation panel before you perform an operation. The action you take is applied to the selected Partner, Enterprise, or group. For example, select a device group to view reports for just the devices in that group. Figure 1: Pulse Mobile Security Gateway Management Console The top panel provides the following selections: Admin Lets you to define and assign user roles. Root administrators can also configure certificates and the connections to the Control Center, and the Signature Update Server. Help Provides the list of commands that can be sent to managed devices, and the current list of known viruses. Search Lets you search for device phone numbers, user login names and first and last user names. When you log in as an Enterprise administrator or select an Enterprise in the navigation panel, you see the following tabs: Reporting Shows a summary of virus and registration activity and provides links to more detailed reports. For more information about reports, see Viewing Reports on page 47. Policies Lets you define firewall and antispam profiles for Windows Mobile and Symbian devices in the Enterprise. In addition, a Root administrator can define a list of prohibited applications for the Android devices in all Enterprises. 7

20 Junos Pulse Mobile Security Gateway Administration Guide Users Lists the current user accounts. When a mobile device is registered, the gateway creates a user account that includes the device information. You can edit user records to reset the password or make other changes. Devices Shows each registered mobile device. You can edit the settings for individual devices, move devices into a device group, and send commands to selected devices. You can also add and delete device groups, and send commands to the devices in one or more groups. Settings Provides a summary of the Enterprise settings and lets you define the default security settings that are applied to mobile devices when they register with the Enterprise. Logs Provides access to the gateway logs. You can search the logs and view the log entries. 8

21 CHAPTER 2 Setting Up the Pulse Mobile Security Gateway The following topics describe set up the gateway and register devices: Configuring Automatic Registration Using Device Identity Servers on page 9 Adding a Partner on page 19 Adding an Enterprise on page 19 Viewing the General Enterprise Settings on page 21 Editing the Default Enterprise Settings on page 21 Adding Administrator Accounts on page 25 Configuring Automatic Registration Using Device Identity Servers The Pulse Mobile Security Gateway supports automatic registration of Android devices after they are approved by a customer-specific device identity server. Before a device is registered, the Pulse client requests the identity server to approve the device. If the device is approved, the server returns a Security Assertion Markup Language (SAML) assertion to the Pulse client. The Pulse client then registers the approved device with the gateway without requiring the user to enter a license key The automatic registration process has several steps: 1. After a user installs a standard Junos Pulse client, the administrator sends an or SMS message that specifies a link to a web page where the user can select a junospulse URL to access the device identity server. Pulse clients that are rebranded can have the URL of the identity server predefined. 2. When the user confirms that they want to register, the Pulse client sends an approval request to the identity server that includes the device identifiers. 3. If the device is approved, the identity server returns a SAML assertion, along with the URL of the Pulse Mobile Security Gateway. The SAML assertion includes the Enterprise code or Consumer license key needed to register the device, the device identifiers, the user s account name, and (optionally) a password that allows the user to access the gateway Dashboard. 9

22 Junos Pulse Mobile Security Gateway Administration Guide If the device is not approved, the identity server returns an error. The error can display a customized message to be user. 4. If the identity server approves the device, the Pulse client sends the registration request and SAML assertion to the gateway. 5. The gateway registers the device and returns a profile of settings to the device. To encrypt the SAML assertions, the device identity server must import a certificate from the Pulse Mobile Security Gateway, and to verify the SAML assertions, the gateway must import a certificate from the identity server. The following topics describe the certificates, the encoded URL and HTTPS registration request, and the possible responses from the identity server: Importing Certificates for Device Identity Servers on page 11 Importing the Certificate for the Pulse Mobile Security Gateway on page 12 Starting the Automatic Registration Process on page 12 Sending Registration Requests to a Device Identity Server on page 13 Configuring Device Identity Servers on page 14 Reporting Registration Results to a Device Identity Server on page 18 10

23 Chapter 2: Setting Up the Pulse Mobile Security Gateway Importing Certificates for Device Identity Servers The certificate for each Device Identity Server to be used for automatic registration must be imported to the Pulse Mobile Security Gateway. The public key in the certificate is needed to verify the signature in the SAML assertions sent by the identity server. To import a certificate for a device identity server: 1. Obtain the certificate file for the device identity server in Distinguished Encoding Rules (DER) format. 2. Log in to the Pulse Mobile Security Gateway as a Root administrator. 3. On the Home page, click Device Identity Servers, and then click Add Device Identity Server. 4. Specify the following server properties: Device Identity Server Name of the identity server. SAML Issuer Name of the issuer that the identity server specifies in the SAML assertions sent to approve a device. Signing Certificate Click Browse and select the certificate file for the identity server. 6. Click Save to import the certificate. 11

24 Junos Pulse Mobile Security Gateway Administration Guide Importing the Certificate for the Pulse Mobile Security Gateway A private key and certificate for the Pulse Mobile Security Gateway must be created with a third-party tool (such as OpenSSL) and imported to the gateway. The private key and certificate must be saved in a PKCS12 file. The certificate file (without the private key) must be imported to the device identity server in DER format so that the public key in the certificate can be used to encrypt the SAML assertions. NOTE: The Delete Device Identity Server role permission is required to import the certificate. To import the certificate for the Pulse Mobile Security Gateway: 1. Generate a private key and certificate in a PKCS12 file. 2. Log in to the Pulse Mobile Security Gateway as a Root administrator. 3. On the Home page, click Device Identity Servers, and then click Decryption Key and Certificate. 4. Click Choose File and select the PKCS12 file that contains the certificate and private key for the gateway. 5. Enter the password that was used to encrypt the private key. 6. Click Save to import the certificate. 7. Import the gateway certificate file (in DER format) to each identity server to be used for automatic registration. Starting the Automatic Registration Process For rebranded Pulse clients that include a URL for a device identity server, the registration process starts automatically after the client is installed. For other Pulse clients, the administrator sends an or SMS message to the device with a link to a web page where users can select a junospulse URL. The junospulse URL includes an encoded URL for the identity server and any other parameters used by the server. NOTE: For security purposes, always use HTTPS for the URL of the device identity server. The Pulse client uses the junospulse URL to send a registration request to the identity server. If the Pulse client on the device is already registered with the Junos Pulse Mobile Security Gateway, clicking the junospulse URL does not start another registration request. The general format of the junospulse URL is: junospulse://?method=mss&action=<action>&url=<encoded-url> 12

25 Chapter 2: Setting Up the Pulse Mobile Security Gateway The <action> variable specifies one of the following commands: Command Description autoregister Sends an automatic registration request to the URL of the device identity server specified in the &url= parameter of the junospulse URL. autoregisterretrynow Sends an automatic registration request after an initial failure without waiting for the retry timer to elapse. In this case, the &url= parameter is omitted. manualregister Sends a manual registration request to the URL of the Pulse Mobile Security Gateway specified in the &url= parameter of the junospulse URL. The user is prompted to register manually by entering a license key, address, and password. This option allows users to register when an identity server does not exist or is unavailable. For the following example, the Pulse client will send an automatic registration request to the identity server at that includes the device identifiers (see Sending Registration Requests to a Device Identity Server on page 13). junospulse://?method=mss&action=autoregister&url=https%3a%2f%2fident.example.com %2Fident%2Fregister For Android devices, the Intent format also can be used, where the command names are uppercase (AUTO_REGISTER, MANUAL_REGISTER, and AUTO_REGISTER_RETRY_NOW) and are appended to net.juniper.junos.pulse.intent.action.. For example: intent:#intent;action=net.juniper.junos.pulse.intent.action. AUTO_REGISTER;category=android.intent.category.BROWSABLE;S.&url=https%3A%2F%2F ident.example.com%2fident%2fregister;end intent:#intent;action=net.juniper.junos.pulse.intent.action. AUTO_REGISTER_RETRY_NOW;category=android.intent.category.BROWSABLE;end Sending Registration Requests to a Device Identity Server To obtain approval to register a device, the Pulse client sends an HTTP GET request to an identity server that includes query parameters for the device identifiers. The following parameters are provided for Android devices: imei The International Mobile Equipment Identity is a number that identifies GSM and WCDMA phones. imsi The International Mobile Subscriber Identity is a number associated with GSM and UMTS phones. msisdn The Mobile Subscriber Integrated Services Digital Network number is the device s phone number, including country code, specified on the device s SIM card in 13

26 Junos Pulse Mobile Security Gateway Administration Guide CDMA, GSM, and UMTS phones. The Pulse client cannot access the MSISDN on some Android devices. sim The Subscriber Identity Module number is the serial number of the device s SIM card (GSM and WCDMA phones only). If the identity server s URL includes any additional parameters, they are appended to the registration request. The following sample GET request includes the SIM, IMEI, and IMSI to identify an Android device: Configuring Device Identity Servers GET /registerdevice.htm?sim= &imei= &imsi= HTTP/1.1 Host: ident-server:8081 Accept: */* The following topics describe how to configure device identity servers for automatic registration: Configuration Requirements for Device Identity Servers on page 14 Configuring Responses from a Device Identity Server on page 14 Changing the Enterprise or User Account of a Registered Device on page 18 Configuration Requirements for Device Identity Servers To support automatic registration of mobile devices with the Pulse Mobile Security Gateway, a device identity server requires the following: The SAML issuer name that is specified on the gateway (see Importing Certificates for Device Identity Servers on page 11). The SAML issuer name must be encrypted with the identity server s private key and used to sign the SAML assertions that are sent to the Pulse client. A copy of the gateway s certificate (in DER format). The public key in the certificate is used to encrypt SAML assertions. The URL of the Pulse Mobile Security Gateway must be included with the SAML assertion sent to the Pulse client when a device is approved for registration. If possible, two device identifiers provided by the Pulse client should be verified before the registration is approved. The username for a device must be included in the SAML assertion to create a user account on the gateway. An optional password can be included to allow the user to log in to the gateway s Dashboard. Configuring Responses from a Device Identity Server The identity server responds to registration requests from the Pulse client with an HTTP status code and a response body that includes a SAML assertion for an approved device or an optional message and delay value (in seconds) indicating when (or if) the Pulse client can resend the registration request. 14

27 Chapter 2: Setting Up the Pulse Mobile Security Gateway The following table describes the status codes and message formats for each response: HTTP Status Description 200 OK Indicates the device is approved for registration. The body of the message is an XML document in the following format: <response> <saml>encrypted SAML assertion in Base64 encoding</saml> <url>url of the Pulse Mobile Security Gateway</url> <reporturl>optional URL where the Pulse client reports registration status</reporturl> </response> The SAML assertion must include the following: A subject statement that specifies a name for the device user (such as an address). The name is used to create a user account on the gateway. An attribute statement with the name net.juniper.mss.license-code or net.juniper.mss.enterprise that specifies the Consumer license key or Enterprise code for the device registration. Optionally, the attribute net.juniper.mss.password can be included to specify a password that allows the user to log in to the gateway Dashboard. One or more of the following attributes that specify the device identifiers: net.juniper.mss.imei net.juniper.mss.imsi net.juniper.mss.esn net.juniper.mss.did net.juniper.mss.msisdn Optionally, the SAML assertion can include NotBefore and NotOnOrAfter conditions that specify a time limit for registering the device with the gateway. The following example shows the Base64-encoded SAML assertion: HTTP/ OK Content-Language: en-us Content-Type: text/xml; charset=iso Expires: Thu, 01 Jan :00:00 GMT Content-Length: 6075 <response> <saml>pd94bwwgdmvyc2lvbj0ims4wii...=</saml> <url> <reporturl> </response> 15

28 Junos Pulse Mobile Security Gateway Administration Guide HTTP Status Description 403 Forbidden Indicates the device is not approved for registration. By default, the Pulse client resends the registration request in 24 hours, and if the user taps the Security button, the message Your service provider has not enabled security features for your device. is displayed. To change these defaults, the response can include the following XML document: <response> <message>message displayed when the user taps the Security or About button</message> <retrydelayseconds>number of seconds before the next retry</retrydelayseconds> </response> If the retrydelayseconds is set to 0, the Pulse client sends no additional registration requests. For example: HTTP/ Forbidden Content-Language: en-us Content-Type: text/xml; charset=iso Expires: Thu, 01 Jan :00:00 GMT Content-Length: 179 <response> <retrydelayseconds>0</retrydelayseconds> <message>you do not appear to be one of our customers, so you are not authorized for security services</message> </response> To retry the registration after the retrydelayseconds is set to 0, the user can click an autoregisterretrynow URL (see Starting the Automatic Registration Process on page 12), clear the Pulse client s data, or uninstall and reinstall the Pulse client. 500 Internal Server Error Indicates that an error has occurred. By default, if the user taps the Security or About button, the message Activation of security features is in progress. Please try again later. is displayed, and the Pulse client resends the registration request in 4 hours. These defaults can be changed by including the XML document described for the 403 response. For example: HTTP/ Internal Server Error Content-Language: en-us Content-Type: text/xml; charset=iso Expires: Thu, 01 Jan :00:00 GMT Content-Length: 168 <response> <retrydelayseconds>7200</retrydelayseconds> <message>security services will be automatically enabled soon. Please check again later.</message> </response> SAML Assertion Examples The following example shows a SAML assertion before encryption: <?xml version="1.0" encoding="utf-8"?><saml:assertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" IssueInstant=" T19:17:10.238Z" Version="2.0"> <saml:issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ident.junospulse. juniper.net</saml:issuer><ds:signature xmlns:ds=" <ds:signedinfo> 16

29 Chapter 2: Setting Up the Pulse Mobile Security Gateway <ds:canonicalizationmethod Algorithm=" <ds:signaturemethod Algorithm=" <ds:reference URI=""> <ds:transforms> <ds:transform Algorithm=" <ds:transform Algorithm=" xmlns:ec=" PrefixList="ds saml"/></ds:transform> </ds:transforms> <ds:digestmethod Algorithm=" <ds:digestvalue>/yasv2qbptfwfrxpapq1vn7i580=</ds:digestvalue> </ds:reference> </ds:signedinfo> <ds:signaturevalue> Nn/P2X7iADXUCOY/0xDqYD1JJF77CgnBA+aa9kLF8zg1YC8xsVx/IE9PB6Wuy2BeGnLw9EDKEQBP ZFZgVusp7eiWHsXJSsYgVSgRdOMHG+XzFm+HtFZhaG7dFnpse4XnNqcQdFl1bLxF4/xSnKs0SNmC BlmNuoAkUKGQU5aO1Rk= </ds:signaturevalue> </ds:signature><saml:subject><saml:nameid Format="urn:oasis:names:tc:SAML:1.1: <saml:conditions NotOnOrAfter=" T19:22:10.238Z"/><saml:AuthnStatement AuthnInstant=" T19:17:10.238Z"/><saml:AttributeStatement><saml:Attribute Name="net.juniper.mss.enterprise"><saml:AttributeValue>default</saml:AttributeValue> </saml:attribute><saml:attribute Name="net.juniper.mss.password"><saml:AttributeValue> example123</saml:attributevalue></saml:attribute><saml:attribute Name="net.juniper.mss.imei"> <saml:attributevalue> </saml:attributevalue></saml:attribute> </saml:attributestatement></saml:assertion> After encryption, and before Base64 encoding, the SAML assertion looks like the following: <?xml version="1.0" encoding="utf-8"?><saml:encryptedassertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion"><xenc:encrypteddata xmlns:xenc=" Id="_facb12fd7bbacbe1db9511b9de3c166d" Type=" Algorithm=" xmlns:xenc=" xmlns:ds=" Id="_9a7d e1f0a1a1529b155ed73c3" xmlns:xenc=" Algorithm=" xmlns:xenc=" Algorithm=" xmlns:ds=" <ds:keyvalue><ds:rsakeyvalue><ds:modulus>5cdpmtqg9c9jb9nie42pc6gsnhdxgr42hrvnujoy2bqs0cvplaa5 /SHkCKIhQPZwSqwKiqR/XIEq/lyuNmWo+sWieF8ED7REUBHBRv4k0ZYCWbQeyD4dAnyBsIG/r5OumsDYMGrBwyazaf2oLF 9LsZTFZiQpAo1wREA6gMaCiPU=</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue> </ds:keyvalue></ds:keyinfo><xenc:cipherdata xmlns:xenc=" xmlenc#"><xenc:ciphervalue xmlns:xenc=" OpEfAfbUhY+JbtyUCwxrC+PfLRLftQkrsMIt40EQ09C+ZCJl95kt0YYdaNNiUuoVrwHDItA5iiw1JMN6BQ OFqoRdDZtfXGYO0UeuHG7SuShGyRh7hVfbUYfb2MnAzjKTxgT1nKUXJBGatS7v09cyoflLV6Oeu5M7dKlo4 pbhu14=</xenc:ciphervalue></xenc:cipherdata></xenc:encryptedkey></ds:keyinfo> <xenc:cipherdata xmlns:xenc=" xmlns:xenc=" RK/kq+z8NOEd2+n/RmDgtf+5rPqfg9CpCmon7NNgJ...==</xenc:CipherValue></xenc:CipherData> </xenc:encrypteddata></saml:encryptedassertion> 17

30 Junos Pulse Mobile Security Gateway Administration Guide Changing the Enterprise or User Account of a Registered Device After a device is registered through a device identity server, the Enterprise, username, or password associated with the device can be changed by changing the database on the identity server, and then initiating another automatic registration. To change the registered Enterprise or user account for a device: 1. On the device identity server, update the Enterprise, username, or password. 2. On the device, clear the Pulse client s data, or uninstall and reinstall the Pulse client. 3. Initiate an automatic registration on the device by clicking an autoregister URL (see Starting the Automatic Registration Process on page 12). Reporting Registration Results to a Device Identity Server After the identity server approves a device, the Pulse client attempts to register the device with the Pulse Mobile Security Gateway. If the approval response from the identity server includes a reporturl, the Pulse client reports the success or failure of the gateway registration by sending an HTTP GET request to the URL with the appended query parameter &result=success or &result=failure. For example: The id= value included in the report URL allows the identity server to match the report message with the appropriate device. The identity server responds to the report message with one of the following HTTP status codes: HTTP Status Description 200 OK Indicates the identity server accepted the report. If the registration with the gateway succeeded, the process is complete. If the registration failed, by default the message Activation of security features is in progress. Please try again later. is displayed when the user taps the Security or About button, and the Pulse client retries the registration in 4 hours. Optionally, the identity server can include a response body to override the default message and the retry delay. For example: HTTP/ OK Content-Language: en-us Content-Type: text/xml; charset=iso Expires: Thu, 01 Jan :00:00 GMT Content-Length: 168 <response> <retrydelayseconds>7200</retrydelayseconds> <message>security services will be enabled soon. Please check again later.</message> </response> Note that when the Pulse client retries the registration, it sends another registration request to the identity server, and does not reuse the SAML assertion from the previous request. 404 Not Found Indicates the identity server does not recognize the approved device. In this case, an error has occurred, probably on the identity server. If the registration was successful, the registration remains in effect and all the security features operate normally. 18

31 Chapter 2: Setting Up the Pulse Mobile Security Gateway HTTP Status Description 500 Internal Server Error Indicates that the identity server could not process the report. By default the Pulse client resends the report every 4 hours, unless the identity server includes a response body to override the retry delay. For example: HTTP/ Internal Server Error Content-Language: en-us Content-Type: text/xml; charset=iso Expires: Thu, 01 Jan :00:00 GMT Content-Length: 168 <response> <retrydelayseconds>7200</retrydelayseconds> </response> If the Pulse client cannot connect to the identity server, Pulse tries again in 4 hours only if the registration with the gateway was successful. If the registration failed, no additional attempts are made to report the results because the registration will be retried. Adding a Partner A Partner is used to identify a group of Enterprises. At least one Partner is required, and the Default Partner is created automatically. A Root administrator can define new Partners or change the Default Partner. Root administrators can then add one or more Enterprises or create a user account for a Partner administrator who can add the needed Enterprises. To add a Partner: 1. Log in to the gateway as a Root administrator. 2. On the Home page, click Add Partner. 3. Specify the following properties: Partner Name Typically, the name of the organization. Notes Information such as how to contact the Partner administrator. 4. Click Save to create the Partner. Adding an Enterprise An Enterprise is any organization that manages mobile devices. For each Partner, a Default Enterprise is created automatically. A Root or Partner administrator can define new Enterprises or change the Default Enterprise. Root or Partner administrators can manage each Enterprise or create a user account for an Enterprise administrator who can perform Enterprise-specific management tasks. To add an Enterprise: 1. Log in to the gateway as a Root or Partner administrator. 2. On the navigation panel, select the Partner where you want to add an Enterprise, and click Add Enterprise. 19