...

  1. Conditional Registration - Limit registration to managed devices only (enrolled in an MDM). Supported with all MDM vendors in the market.
  2. Conditional Access - Ongoing validation that the device is still managed and has not become Out of Compliance (OOC) as defined in the MDM vendor. Supported with the leading vendors listed below.

...

For conditional registration, SphereShield for SfB offers 3 approaches:

  1. Wi-Fi - Limit registration to a Wi-Fi network that requires a certificate to connect. The certificate is then managed by the MDM.
  2. SphereShield app - Limit registration to a company-specific SphereShield (SkypeShield) for SfB app that is only available in the corporate store/catalog to devices that are managed.
  3. VPN - Limit registration to a corporate VPN that only managed devices can connect to.

...

For conditional access, configure access to your MDM server so that the devices are synced with the SphereShield database, and then enable the Maintenance service to continuously validate devices.

...

  • deviceId: The device ID retrieved from the MDM app. This may be the UDID, IMEI, etc., depending on the MDM vendor.
  • deviceIdType: Which type of ID is used, e.g. for MobileIron it is UDID and IMEI (UDID|IMEI).
  • username: The username retrieved from the MDM app.
  • companyName: The company name; it must match the one entered in the Access Admin portal.
  • defaultHost: The external lyncdiscover URL.
  • packageKey: A key used to verify that the app belongs to the company. Do not change it.
  • skypeShieldAndroidVersion: The minimum SkypeShield Android app version for this app configuration.
  • skypeShieldIosVersion: The minimum SkypeShield iOS app version for this app configuration.

...

The company name value must be exactly the same as configured in the Access Admin portal under MDM integration settings.

...

Here are the considerations related to this decision:

Device Validation

SphereShield matches devices by unique device ID.

When using the app, the application sends the UDID/IMEI to the Bastion, and the Bastion authenticates it against the Access Admin Portal/DB.

When using Wi-Fi (certificate), only managed devices can register, and SphereShield matches devices with the MDM based on parameters such as user, device type and OS version.

In the rare case in which SphereShield cannot make an exact match (for example, a user has duplicate/multiple identical devices managed in the MDM), SphereShield will block all of the user's devices of this type if the MDM reports that one of them is OOC, because SphereShield cannot tell which device exactly is OOC.
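The matching and blocking rules above, as an added illustration (not SphereShield's own code): an exact match by device ID when the app supplied one, a fallback match on user, device type and OS version for the Wi-Fi path, and a conservative block of every ambiguous match when any of them is OOC. The data classes and the constructed MDM inventory are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MdmDevice:
    """One device as synced from the MDM (hypothetical shape, not an MDM API)."""
    device_id: Optional[str]   # UDID/IMEI reported by the MDM
    user: str
    device_type: str
    os_version: str
    compliant: bool            # False means the MDM reports the device as OOC


@dataclass(frozen=True)
class RegisteredDevice:
    """A device registered with SfB; device_id is known only via the app path."""
    device_id: Optional[str]
    user: str
    device_type: str
    os_version: str


def match_candidates(reg: RegisteredDevice, inventory: List[MdmDevice]) -> List[MdmDevice]:
    # App registration: the UDID/IMEI gives an exact match.
    if reg.device_id:
        return [d for d in inventory if d.device_id == reg.device_id]
    # Wi-Fi (certificate) registration: match on user, device type and OS version.
    key = (reg.user, reg.device_type, reg.os_version)
    return [d for d in inventory if (d.user, d.device_type, d.os_version) == key]


def validate(reg: RegisteredDevice, inventory: List[MdmDevice]) -> str:
    """Return 'allow', 'block:unmanaged' or 'block:ooc' for one registered device."""
    matches = match_candidates(reg, inventory)
    if not matches:
        return "block:unmanaged"          # not known to the MDM at all
    # Several identical devices cannot be told apart, so a single OOC report
    # among the candidates blocks all of them.
    if any(not d.compliant for d in matches):
        return "block:ooc"
    return "allow"


# Constructed sample inventory: alice owns two identical phones, one of them OOC.
SAMPLE_INVENTORY = [
    MdmDevice("UDID-A1", "alice", "iPhone", "16.4", compliant=True),
    MdmDevice("UDID-A2", "alice", "iPhone", "16.4", compliant=False),
    MdmDevice("UDID-B1", "bob", "Android", "13", compliant=True),
]
```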

...

Please see IP filtering for restricting registration to a specific Wi-Fi network. The concept is that the Wi-Fi network is accessible only to managed devices (by requiring a certificate), and SphereShield is configured to allow registration only from this specific Wi-Fi network.

...

For ongoing conditional access, a module in the SphereShield Maintenance services validates devices against the MDM server to make sure that all SphereShield devices are managed and that none of them have become OOC.

...