MDM Frequently Asked Questions

 

General Overview

 

This is a general overview. For detailed information please see our full article.

 

Our MDM solution with Skype for Business is applied during the sign-in process. We validate the device ID against the MDM provider, using an additional app during sign-in. The request is then processed by our reverse proxy, which stands in front of the Lync-discover request.

 

Our solution works in two ways:

1. Client-side - The user has the SphereShield app on the device. The app is invoked during the sign-in process and sends a request with the device ID.

2. Server-side - The sign-in request is intercepted by our reverse proxy, which blocks or allows the sign-in by comparing the device ID to the list of devices and users provided by the MDM provider.

We can integrate with the provider directly: the list of devices is pulled from the MDM API by the Maintenance Service, a process designated for asynchronous operations. You can read more about the Maintenance Service in the following article.

 

When is S4B on the mobile logged out/blocked exactly?

During the sign-in process.

 

Where is the Maintenance Service located and what is its role?

The Maintenance Service is an independent service we usually deploy along with the server that hosts the Admin Portal. Its main job is to perform asynchronous operations that relate to the database.

 

When does a device become out of compliance?

The Maintenance Service pulls the device list multiple times a day (based on user configuration) which afterward get compared

 


What happens when a device becomes non-compliant? 

The user is unable to sign in from that device.

 

Does the user need to have the SkypeShield App open on the mobile device?

The app is only required during the sign-in process, and the user is redirected automatically from the S4B mobile app.

There is an option to require the SphereShield App either for every sign-in or just for the first sign-in.

 

How exactly is this done?

 

We deploy a server that operates as a reverse proxy (named Bastion), and it redirects the mobile client to the SphereShield app.

 

What does the product offer and how?
Our product allows you to add an additional authentication factor based on the device UUID. It integrates with the following MDM solutions and verifies that devices are not out of compliance:

  1. MobileIron

  2. MaaS360

  3. AirWatch

  4. Citrix XenApp

 

What components are involved?

You can find a detailed description of the way we integrate with MDM in the following link.
Our MDM solution works in two ways:

  1. Server-side - We pull the list of devices and their status from the MDM provider and use it when verifying device registration.

  2. Client-side - An app installed on the managed devices is used during the sign-in process and sends the UUID along with the regular sign-in request.

 

The verification itself is handled by the LAC filter on the Bastion server, and the list of devices is pulled regularly by the Maintenance Service, which is typically installed on the Admin Portal.
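
The following is an added example, not SphereShield code: it shows the server-side decision described above, where a periodically pulled device list is used to allow or block a sign-in by device ID and user. The class and field names, the six-hour maximum age, the case-insensitive comparison and the choice to block when the pulled list is stale are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class DeviceRecord:                 # hypothetical shape of one MDM list entry
    device_id: str
    user: str
    compliant: bool

class DeviceListCache:
    """Snapshot of the MDM device list, as a periodic pull would leave it."""
    def __init__(self, max_age: timedelta):
        self.max_age = max_age      # assumption: older snapshots are not trusted
        self.pulled_at = None
        self._by_id = {}

    def refresh(self, records, now):
        # Replace the whole snapshot so devices removed from the MDM disappear.
        self._by_id = {r.device_id.lower(): r for r in records}
        self.pulled_at = now

    def check_sign_in(self, user, device_id, now):
        """Return (allowed, reason) for one sign-in request."""
        if self.pulled_at is None or now - self.pulled_at > self.max_age:
            return False, "device list stale"      # fail closed (assumption)
        if not device_id:
            return False, "no device ID presented"
        rec = self._by_id.get(device_id.strip().lower())
        if rec is None:
            return False, "device not enrolled"
        if rec.user.lower() != user.lower():
            return False, "device registered to another user"
        if not rec.compliant:
            return False, "device out of compliance"
        return True, "ok"

# Constructed sample data, not taken from any real MDM export.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE = [DeviceRecord("A1B2-0001", "alice@example.com", True),
          DeviceRecord("A1B2-0002", "alice@example.com", False),
          DeviceRecord("C3D4-0003", "bob@example.com", True)]

def demo():
    cache = DeviceListCache(max_age=timedelta(hours=6))
    cache.refresh(SAMPLE, T0)
    soon, late = T0 + timedelta(hours=1), T0 + timedelta(hours=7)
    return [cache.check_sign_in("alice@example.com", "A1B2-0001", soon),
            cache.check_sign_in("alice@example.com", "A1B2-0002", soon),
            cache.check_sign_in("bob@example.com", "a1b2-0001", soon),
            cache.check_sign_in("alice@example.com", "FFFF-9999", soon),
            cache.check_sign_in("alice@example.com", "A1B2-0001", late)]
```

Because the decision is made against the last pulled snapshot, a device that falls out of compliance is only blocked from the next pull onward, so the pull interval bounds how long a non-compliant device can still sign in.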

An overview of the different approaches you can use when deploying our integration with MDM providers can be found in this article.