Product Documentation

Secure Mobile Gateway Policy Modes

Sep 27, 2015

Secure Mobile Gateway can run in the following six modes:

  • Allow All. This policy mode will grant access for all traffic passing through Secure Mobile Gateway. No other filtering rules are used.
  • Deny All. This policy mode will block access for all traffic passing through Secure Mobile Gateway. No other filtering rules are used.
  • Static Rules: Block Mode. This policy mode will execute static rules with an implicit deny or block statement at the end. Devices that are not allowed or permitted via other filter rules will be blocked by Secure Mobile Gateway.
  • Static Rules: Permit Mode. This policy mode will execute static rules with an implicit permit or allow statement at the end. Devices that are not blocked or denied via other filter rules will be allowed through Secure Mobile Gateway.
  • Static + ZDM Rules: Block Mode. This policy mode will execute static rules first, followed by dynamic rules from Device Manager with an implicit deny or block statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are blocked.
  • Static + ZDM Rules: Permit Mode. This policy mode will execute static rules first, followed by dynamic rules from XenMobile Device Manager with an implicit permit or allow statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are allowed.

The Secure Mobile Gateway process permits or blocks devices under dynamic rules based on the unique ActiveSync IDs for iOS and Windows-based mobile devices that it receives from Device Manager. Android devices differ in their behavior based on the manufacturer, and some do not readily expose a unique ActiveSync ID. To compensate, Device Manager sends user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android device, permits and blocks function normally. If the user has multiple Android devices, all the devices are allowed, since Android devices cannot be definitively differentiated. The gateway can still be configured to statically block these devices by ActiveSync ID, if they are known, and can also be configured to block based on device type or user agent.
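The following Python model, added here as an illustration and not code from Secure Mobile Gateway or Citrix, shows how the six policy modes combine static rules, dynamic Device Manager rules and the implicit default, and how the Android user-ID fallback makes two Android devices of one user receive the same dynamic decision. The rule format, field names and sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """Values the ISAPI filter reads from one ActiveSync HTTP request."""
    user: str          # e.g. domain\username as captured at enrollment
    device_id: str     # ActiveSync ID; "" when the device does not expose one
    device_type: str   # e.g. iPhone, iPad, Android
    user_agent: str
    platform: str      # "iOS", "Windows" or "Android"

@dataclass
class StaticRule:
    action: str        # "Allow" or "Block"
    match: dict        # field name -> required exact value (constructed format)

def static_decision(rules, req):
    """Static rules run top to bottom; the first rule whose criteria all match wins."""
    for rule in rules:
        if all(getattr(req, field) == value for field, value in rule.match.items()):
            return rule.action
    return None

def dynamic_decision(dynamic_rules, req):
    """Dynamic rules are keyed by ActiveSync ID for iOS/Windows devices and, because
    Android does not reliably expose one, by user ID for Android devices."""
    key = req.user if req.platform == "Android" else req.device_id
    return dynamic_rules.get(key)

def evaluate(mode, static_rules, dynamic_rules, req):
    """Return "Allow" or "Block" for one request under the given policy mode."""
    if mode == "Allow All":
        return "Allow"
    if mode == "Deny All":
        return "Block"
    implicit = "Block" if mode.endswith("Block Mode") else "Allow"
    decision = static_decision(static_rules, req)          # static rules first
    if decision is None and mode.startswith("Static + ZDM Rules"):
        decision = dynamic_decision(dynamic_rules, req)    # then Device Manager rules
    return decision if decision is not None else implicit  # then the implicit statement

# Constructed sample rules and requests (not from any real deployment).
STATIC = [StaticRule("Block", {"user_agent": "OldClient/1.0"}),
          StaticRule("Allow", {"user": r"CORP\alice"})]
DYNAMIC = {"ASID-IOS-1": "Block",   # iOS device, keyed by ActiveSync ID
           r"CORP\bob": "Allow"}    # Android user, keyed by user ID

IOS = Request(r"CORP\carol", "ASID-IOS-1", "iPhone", "Apple-iPhone/1", "iOS")
ANDROID_A = Request(r"CORP\bob", "", "Android", "Android/5", "Android")
ANDROID_B = Request(r"CORP\bob", "ASID-AND-2", "Android", "Android/6", "Android")
```

Running `evaluate` over the sample requests in each mode shows that a static user-agent block always wins, and that the dynamic block on `ASID-IOS-1` applies only in the Static + ZDM modes.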

To specify the policy mode, in the SMG Controller Configuration utility, do the following:
  1. Click the Path Filters tab and then click Add.
  2. In the Path Properties dialog box, select a policy mode from the Policy drop-down list and then click Save.

You can review rules on the Policies tab of the configuration utility. The rules are processed on Secure Mobile Gateway from top to bottom. The active policy is displayed with a green checkmark, while rules that are not active show a red circle with a line through it. To refresh the screen and see the most recent rules, click Refresh. The ordering of rules can be modified in the config.xml file.

To test rules, click the Simulator tab. Specify values in the fields. These can also be obtained from the logs. Click Simulate. A result message will appear specifying Allow or Block.

To configure a connection to XenMobile Device Manager

Secure Mobile Gateway communicates with XenMobile Device Manager and other remote configuration providers through secure web services.

  1. In the SMG Controller Configuration utility, click the Config Providers tab and then click Add.
  2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and has administrative privileges.
  3. In Url, enter the Web address of the Device Manager GCP, typically in the format https://ZdmHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.
  4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
  5. In Managing Host, enter the Secure Mobile Gateway server name.
  6. In Baseline Interval, specify a time period for when a new refreshed dynamic ruleset is pulled from Device Manager.
  7. In Delta interval, specify a time period for when an update of dynamic rules is pulled.
  8. In Request Timeout, specify the server request timeout interval.
  9. In Config Provider, select if the config provider server instance is providing the policy configuration.
  10. In Events Enabled, enable this option if you want Secure Mobile Gateway to notify Device Manager when a device is blocked. This option is required if you are using Secure Mobile Gateway rules in any of your Device Manager Automated Actions.
  11. Click Save and then click Test Connectivity to test connectivity from the gateway to the configuration provider. If the connection fails, check that the local firewall settings allow the connection or contact the Device Manager administrator.
  12. When the connection succeeds, clear the Disabled check box and then click Save.

When you add a new configuration provider, Secure Mobile Gateway automatically creates one or more policies associated with the provider. These policies are defined by a template definition contained in config\policyTemplates.xml in the <NewPolicyTemplate> section. For each Policy element defined within this section, a new policy is created. The operator may add, remove, or modify policy elements provided that the policy element conforms to the schema definition, and that the standard substitution strings (enclosed in braces) are not modified. Next, add new groups for the provider and update the policy to include the new groups.

To import a policy from Device Manager

  1. In the SMG Controller Configuration utility, click the Config Providers tab and then click Add.
  2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and that has administrative privileges.
  3. In Url, enter the Web address of the XenMobile Device Manager Gateway Configuration Service (GCP), typically in the format https://xdmHost/xdm/services/MagConfigService. The MagConfigService name is case sensitive.
  4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
  5. Click Test Connectivity to test connectivity from the gateway to the configuration provider. If the connection fails, check that your local firewall settings allow the connection, or check with your administrator.
  6. When a connection is successfully made, clear the Disabled check box and then click Save.
  7. In Managing Host, leave the default DNS name of the local host computer. This setting is used to coordinate communication with Device Manager when multiple Forefront Threat Management Gateway (TMG) servers are configured in an array. For details, see Configuring Multiple Instances of Secure Mobile Gateway in a Threat Management Gateway Array.

After you save the settings, open the GCS.

To configure static rules

You configure static rules on Secure Mobile Gateway by using the SMG Controller Configuration utility. You must enter static rules with values that are read by the ISAPI filtering of the ActiveSync connection HTTP request. Static rules enable Secure Mobile Gateway to permit or block traffic by the following criteria:

  • User. Secure Mobile Gateway uses the authorized user value and name structure that was captured during device enrollment. This is commonly found as domain\username as referenced by the server running XenMobile Device Manager connected to Active Directory via LDAP. The Log tab within the Secure Mobile Gateway configuration utility will show the values that are passed through Secure Mobile Gateway if the value structure needs to be determined or is different.
  • Deviceid (ActiveSyncID). Also known as the ActiveSyncID of the connected device. This value is commonly found within the specific device properties page in the Device Manager web console. This value can also be screened from the Log tab in the Secure Mobile Gateway configuration utility.
  • DeviceType. Secure Mobile Gateway can determine if a device is an iPhone, iPad or other device type and permit or block based on that criteria. As with other values, the SMG Controller Configuration utility can reveal all connected device types being processed for the ActiveSync connection.
  • UserAgent. Contains information on the ActiveSync client that is utilized. In most cases, the value specified corresponds to a specific operating system build and version for the mobile device platform.

The SMG Controller Configuration utility running on the server always manages the static rules.

To add a static rule

  1. In the SMG Controller Configuration utility, click the Static Rules tab and then click Add.
  2. In the Static Rule Properties dialog box, specify the values that you want to use as criteria. For example, you can allow access for a user by entering the user name (for example, AllowedUser) and clearing the Disabled check box.
  3. Click Save. The static rule is now in effect. Additionally, you can use regular expressions to define values, but you must enable the rule processing mode in the config.xml file.

To configure dynamic rules

Dynamic rules are defined by device policies and properties in XenMobile Device Manager and can trigger a dynamic Secure Mobile Gateway filter based on the presence of a policy violation or property setting. The Secure Mobile Gateway filters work by analyzing a device for a given policy violation or property setting; if the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following configuration options enable you to define whether you want to allow or deny the devices in the Device List by using Secure Mobile Gateway.

Note: These dynamic rules must be configured on the Device Manager web console.
  1. Open the Device Manager web console and then click Options from the console banner.
  2. In the left-hand navigation, click Mobile Configuration and then click Secure Mobile Gateway.
  3. In the Enable column, select the check boxes for the filters that you want to enable and then select either the Allow or Deny check box.

Choosing Secure Mobile Gateway Filters

Secure Mobile Gateway filters work by analyzing a device for a given policy violation or property setting. If the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following filters are available for Secure Mobile Gateway within XenMobile Device Manager.
  • Blacklisted Apps. Allows or denies devices based on the Device List defined by Blacklist policies and the presence of blacklisted apps.
  • Whitelisted Apps only. Allows or denies devices based on the Device List defined by Whitelist policies and the presence of non-whitelisted apps.
  • Unmanaged Devices. Creates a Device List of all devices in the Device Manager database. The Mobile Application Gateway needs to be deployed in a Block Mode.
  • Rooted Android / Jailbroken iOS Devices. Creates a Device List of all devices flagged as rooted and allows or denies based on rooted status.
  • Out of Compliance Devices. Allows you to deny or allow devices that meet your own internal IT compliance criteria. Compliance is an arbitrary setting defined by the device property named Out of Compliance, which is a Boolean flag that can be either True or False. (You can create this property manually and set the value, or you can use Automated Actions to create this property on a device if the device does or does not meet specific criteria.)
    • Out of Compliance = True. If a device does not meet the compliance standards and policy definitions set by your IT department, the device is out of compliance.
    • Out of Compliance = False. If a device does meet the compliance standards and policy definitions set by your IT department, the device is compliant.
  • Noncompliant password. Creates a Device List of all devices that do not have a passcode on the device.
  • Revoked Status. Creates a Device List of all revoked devices and allows or denies based on revoked status.
  • Inactive devices. Creates a Device List of devices that have not communicated with Device Manager within a specified period of time and are thus considered inactive and allows or denies the devices accordingly.
  • Anonymous Devices. Allows or denies those devices that are enrolled in Device Manager but the user's identity is unknown. For example, this could be a user who was enrolled but their Active Directory password is expired, or a user who enrolled with unknown credentials.
  • Implicit Allow / Deny. Creates a Device List of all devices that do not meet any of the other filter rule criteria and allows or denies based on that list. The Implicit Allow/Deny option ensures that the Secure Mobile Gateway status in the Devices tab is enabled and shows Secure Mobile Gateway status for your devices. The Implicit Allow/Deny option also controls all of the other Secure Mobile Gateway filters that have not been selected. For example, if only Blacklisted Apps is selected to Deny and the Implicit Allow/Deny option is set to Allow, devices with blacklisted apps will be denied (blocked) by Secure Mobile Gateway, whereas devices matching all other filters will be allowed.