Recommended mobile security management

Similar Messages

• ISE integration with Mobile Device Management ( MDM ) help required

  Dear Techies,
       Am here bring to your notice an different issue and no much resources to support even in PEC or Cisco Document.
       We are conduction a Proof Of Concept (PoC) on  Secure Bring Your Own Device ( BYOD ) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.
  Setup Brief :
  =========
        Our Setup has  ISE VM acting as Admin, Monitor and Profiling Device, we have NAC 3315 physical Appliance as Inline posture Device, Wireless LAN controller, Access point and the Identity source as Microsof Active Directory
       Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
  Activity Brief:
  =========
       As of now we have tested the Wired Scenario Authentication and authorization for guest users and gonna carry out the profiling and posture.
  Clarifications Required
  ================
  Wired Scenario - Require some configuration / steps on how to carryout posture for the guest wired users i.e. LAPTOP.
  Wireless Scenario
  MDM can be integrated to ISE ? 
  How the MDM can be integrated to Cisco ISE configuration or Guide to show the same?
  What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ?
  If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ?
  Is MDM will do client provisioning or ISE should do ?
  Is MDM send or update patches of Mobile Devices ?
  As of now these are the scenarios, kindly revert if any good documents to show this or share your expertise on the Integration Part.
  Thanks for Reading...
  Arun

  I would like to avail your valuable inputs to understand on the  Client provisioning part for the Mobile Devices/ Laptop. I understand  from your reply that MDM integration is not available in the current  release ISE 1.1 - That is correct.
  Kindly let me know your views or any documents on the following scenarios with the current release in mind
  1. User  with Mobile devices connecting to Wireless  ( both Employee  and Guest ) , How the Flow differs for the Employee and Guest.  How the  client provisioning is done ( i.e. Like Posturing  or Compliance Check  ).
  The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the users endpoint (windows, mac osx, or a mobile device), ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then can either use the nac agent, or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance...and the list goes on. If the user fails a check then you can either assign an acl for the user so they only have guest access, or you can place them into a remediation vlan the options are entirely up to the requirements and however the solution is implemented.
  2. User  with Laptop  connecting to Wireless  ( both Employee  and Guest ). How the client provisioning is done ( i.e. Like Posturing   or Compliance Check ).
  Guests are usually redirected to the guest portal which they authenticate and their user group falls within the Guest container that is on the ISE internal database, that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (dhcp, and user agent string., netmap...etc) and can be fine tuned for all laptops or to a specific set of users based on their group membership.
  3. What are advantages of having ISE also in  place for Mobile devices, since most of the Mobile related tasks ( like  Authentication, Authorization, Profiling and  Posture ) are carried out  by MDM. I am checking for the significant advantage of having ISE for  Client network having only Mobile devices. Kindly clarify.
  Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products since they are all part of of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (vpn..etc) and ISE are pretty close in building their solutions so that you can get connected with any device any where (sorry for the sales pitch). The latests wireless code is improving and is going to have support similar to the ios sensor for wired devices where dhcp, cdp, and other attributes can be sent in the radius packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep) you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID so that makes the budget work when it comes to deploying ISE if you arent looking for enforcement on your wired devices.
  4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user  authentication as Open ?
  For internal users and vendors the best option by far is dot1x, almost all operating systems are capable of performing dot1x and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using scep to enroll certificates or configure peap settings.
  There is a feature within the guest portal that allows you to statically assign guests into endpoint group, that feature is called device registration web authentication. It seems like an open network but uses mac filtering to assign these devices to an endpoint without requiring users to enter any credentials. They are presented with an AUP page, once they accept their mac address is mapped to the endpoint group
  5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?
  This may be a wireless question but I am sure the encryption is done using AES and using dot1x as the key management here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
  You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
  6. We are also looking for VDI  ( Citrix, VMware ) solution for the  client  ( both Employee and Guest ) , how ISE can play a role in  securing the VDI environment.
  For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
  7. Is that any integration required  with Citrix or VMware. How the  VDI can be offered based on the User  role ( i.e. Employee, Contractor or Guest ), since Guest database is  available only with ISE, how the checks are made from the VDI  environment.
  IN ISE there is an identity sequence which can authenticate users in AD first, if the user is not found then it can look in the internal database.
  Our solution demands  MDM in the integrated  solution, As on today ISE cant be integrated with MDM. so what kind of  solution we can propose to have MDM and Cisco ISE .Do the clients now  enter the network should have already installed the MDM agent (or) any  other way of pushing the same to the Client.
  Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Looking for help - Company is going to Mobile Asset Management service that does not support BB - especially BB 10.

  Hello,
  I am looking for ideas/help. I currently have a BB Z10 (10.1.0.2039) with Verizon Wireless.  The company has a BB Enterprise Server for older devices (I previously was on that).  I bought a Z10 several months ago and have been connecting to the corporate network through Lotus Traveler. They do not have and will not implement a BB 10 Enterprise Server. Some in IT informed that if the company used the BB software they could manage all devices..... not accepted.
  All my contacts, calendar, and company email is funneled to the BB Hub.....
  So my company is implementing a Mobile Asset Management Service that I have to sign up for (Airwatch?).  They only support Android and IPhone.
  Will future versions of the BB OS support Android Apps.... Soon (I have less than 2 weeks)
  I have read where it is possible to put the device in development mode to run Android Apps.  I don't know if that will work with this and have no idea how stable the phone is in that mode. I travel internationally so I don't know how a development mode would work overseas. Any thoughts?
  I like my Z10 but will need to switch to keep functionality if I can't find a work around 
  Any assistance ????
  Thanks for any help.

  Hi and Welcome to the Community!
  BB10 devices have the ability to run .apk apps via special methods. Development Mode is used only for installing the app...not for normal operation. So you install (side-load) the app in Development Mode, then go back to normal mode for normal operations.
  If a .bar file for the .apk app already exists somewhere, you can side load it to the BB10 device and see if it works or not. If there is not yet any .bar file, there is an app called SideSwype that can convert many .apk apps to .bar and install it to your device.
  Good luck!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• Questions on mobile device management

  Hi All,
  I'm not sure where to post this question since I couldn't find a forum specific to Afaria, so thought someone here might be able to help.
  1. Afaria mobile device management solution claims that data and content is backed up and can be deleted if a device is stolen or lost. Can this deletion be done if the mobile is switched off of the SIM card has been removed? What is the mechanism of the data deletion process when the device is either ON/OFF?
  2. How does Afaria handle online and offline user authentication? If a mobile app is opened, can Afaria be configured to force the user to enter credentials for authentication? Or should there be a separate login page as a part of the mobile app? (The user's credentials are needed to find his role from LDAP and the rest of the app to work properly, which is y the question).
  Thanks & Regards,
  Vaishnavi

  This forum is fine for Afaria discussions and questions, no worries. 
  1.  If mobile device is switched off or not network connected then Afaria is not able to do anything with that device.  The content though would be secured, encrypted etc. so that there should be no risk as long as the device is switched off.  The "kill device" command that can be sent from Afaria will work if device is turned on and connected to a network.
  2.  Afaria can force quite a lot of things and one of them is regarding the device itself, forcing a password/pin type of unlocking.  The mobile app normally has it's own mechanism for authentication, user name and password.  That is a SUP function and has little to do with Afaria, I don't believe Afaria can force that part of authentication. 
  You can get a good overview of the technical part of Afaria here:  [Afaria Technical White paper|http://www.sybase.com/files/White_Papers/Afaria-Technical-WP.pdf]

• Disable or uninstal HP ProtectTools security manager

  My fingerprint scanner has gone down.
  I assume it is a hardware issue as have gone through all HP recomendations to get it working at: http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&dlc=en&docname=c02519007&lc=en&jumpid=reg_r1002_us...
  but nothing has worked.
  Anyway the notebook never leaves my house so it's not an issue. However, everytime I turn the notebook on and log in with my password, HP security manager butts in and spends a minute looking for the reader before telling me the biometric authentication service is not working and asks if I would like to continue without it.
  Can I disable this program to speed boot up time as it is not needed in my instance?

  Hi @taliz ,
  To get your issue more exposure I would suggest posting it in the commercial forums since this is a commercial product. You can do this at Commercial Forums.
  Even though this is a Commercial product, You could follow these steps, even though, I don't recommend this as it is Security Tools.
  Step 1:Click Start, then "All Programs." Select "HP Protect Tools Security Manager" from the list of programs.
  Step 2:Click "Settings." Click the box to the left of the menu. The green check in the box should disappear, which means that the application is disabled.
  Step 3:Close the window and restart the computer. 
  Hope this helps you.
  Thanks.
  Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
  Click the “Kudos, Thumbs Up" on the bottom to say “Thanks” for helping!

• Unable to Install Cisco Security Manager

  Hi,
  I facing issue when trying to install Cisco Security Manager in my Windows Server 2008.
  I had attach the print screen of my server version and error message.
  The error message had mention that it was due to unsupport OS or terminal service.
  But, i check and it show that my Window Server was the recommend version and no terminal service been enable.

  Hi Vincent,
  Please understand that Window Server 2008 R2 Enterprise Server is not same as Windows Server 2008 Enterprise Server. I had faced the same problem earlier. The R2 version is supported only CSM 4.1 onwards.
  Regards,
  Chetan

• FIRMWARE N MOBILE SECURITY 4.0 ON N-70

  I did a firmware upgrade yesterday and it went fine till I noticed that the Symantec Mobile Security 4.0 which was pre-installed on my phone could not not be found anywhere on the phone. I can locate it on the memory card through Application Manager but I can't do much from there and when I check to see the "certificate", it says "Problem: Unable to locate root certificate". The Nokia website says only to back-up "contacts, messages and images" as they will be lost in some phone models. They do not mention anything about applications and softwares installed on the phone. Can anybody help me out in restoring this software back on my phone without having to pay for it. The software was valid for almost 2 years. Any ideas?

  I tried a lot to re-install the software before I put up my post but couldn't do so from within the phone. Then it occurred to me to try from the card reader and even there I couldn't locate the file. Later I ticked the option to show the hidden files and I could see it. So I had to copy the .sis file onto the PC and then from there install it on the phone. But now I am getting a validity period of only 6 months as opposed to the the previous 18-20 months. For future reference if you could explain to me how I can directly re-install files from within the phone menu, that would be great. Thanx a lot for your response. I greatly appreciate it.

• Kespersky mobile security.

  hi..
  I installed kespersky mobile security 9.0 in my nokia N 8 few months back but  I forgot the password. As it was for one month only and now of no use, I want to uninstall it but I can't as it doesn't allow to do any thing without password.
  Is there any way I can recover my password or I can Uninstall the software.
  thanks in advance.
  Neo 

  @Kespersky
  You may have to contact the Kaspersky support:http://www.kaspersky.com/contacts
  Suggest that you have a look at this thread:http://forum.kaspersky.com/index.php?showtopic=155189 as although it can be removed by carrying out a "hard reset" this is too destructive a process to recommend on N8.
  I believe that proof of purchase plus IMEI may have to be submitted to Kaspersky Lab.
  Happy to have helped forum with a Support Ratio = 42.5

• IPhone composition   The payload of   and mobile device management is not installable in a utility.

  Hello.
  You.
  And thank you.
  I want you to help me if you please.
  I am not good at English.
  The status code of 201,204 which Apache returns from a MDM server.
  iPhone composition   The payload of   and mobile device management is not installable in a utility.
  iPhone composition   Console of a utility.
  May 1 09:46:15 unknown mc_mobile_tunnel[13281] <Notice>: (Note) MC: mc_mobile_tunnel shutting down.
  May    1 09:46:18 unknown. profiled [13274] <Notice>:   (Note)  MC:   Checking. for. MDM installation ... May 1 09:46:18 unknown profiled[13274] <Notice>: (Note) MC: ...finished checking for MDM installation.
  May    1 09:46:18 unknown. profiled [13274] <Notice>:   (Note)  MC:   Beginning. profile. installation ... May 1 09:46:20 unknown profiled[13274] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:Desc     : Since a transaction with the server in "https://www.anetm.com/dav/chkin" was in the situation of "204", it failed.
  US Desc:   A transaction with the server at"https://www.anetm.com/dav/chkin"has failed with the status"204."
  Domain : MCHTTPTransactionErrorDomain
  Code   : 23001
  Type   : MCFatalError
  Params : (
  "https://www.anetm.com/dav/chkin",
  204
  May    1 09:46:20 unknown profiled [13274] <Notice>:   (Error) MC:   Cannot install MDM "mobile device management" .Error:   NSError:
  Desc    :   A payload "mobile device management" was not able to be installed.
  Sugg    :   Since a transaction with the server in "https://www.anetm.com/dav/chkin" was in the situation of "204", it failed.
  US Desc:   The payload "mobile device management" could not be installed.
  US Sugg:   A transaction with the server at"https://www.anetm.com/dav/chkin"has failed with the status"204."
  Domain : MCInstallationErrorDomain
  Code   : 4001
  Type   : MCFatalError
  Params : (
  "\U30e2\U30d0\U30a4\U30eb\U30c7\U30d0\U30a4\U30b9\U7ba1\U7406"
  ...Underlying error:
  NSError:
  Desc    :   Since a transaction with the server in "https://www.anetm.com/dav/chkin" was in the situation of "204", it failed.
  US Desc:   A transaction with the server at"https://www.anetm.com/dav/chkin"has failed with the status"204."
  Domain : MCHTTPTransactionErrorDomain
  Code   : 23001
  Type   : MCFatalError
  Params : (
  "https://www.anetm.com/dav/chkin",
  204
  I would like to solve this problem.
  If you please, please help me.

  Hello Jack,
  Thank you for providing the details about the Apple Mobile Device USB Driver is not being listed.  I found an article with some additional steps you can take. 
  I recommend following the steps in the section titled "If the Apple Mobile Device USB Driver is not listed" in step 5 of the following article:
  iOS: Device not recognized in iTunes for Windows
  http://support.apple.com/kb/TS1538
  Thank you for using Apple Support Communities.
  Best,
  Sheila M.

• Audit Reports on Cisco Security Manager

  Is there a way to schedule audit reports from Cisco Security Manager and distribute those reports via email or some other method?
  My auditors want a daily report of firewall configuration changes. They do not want to login into CS-Mgr every day to manually generate the report.

  Security Audit operates in one of two modes-the Security Audit wizard, which lets you choose which potential security-related configuration changes to implement on your router, and One-Step Lockdown, which automatically makes all recommended security-related configuration changes.
  On routers that do not support the command scheduler interval, Security Audit configures the scheduler allocate command whenever possible. When a router is fast-switching a large number of packets, it is possible for the router to spend so much time responding to interrupts from the network interfaces that no other work gets done. Some very fast packet floods can cause this condition. It may stop administrative access to the router, which is very dangerous when the device is under attack. The scheduler allocate command guarantees a percentage of the router CPU processes for activities other than network switching, such as management processes.
  The configuration that will be delivered to the router to set the scheduler allocate percentage is as follows:
  scheduler allocate 4000 1000

• Ensuring applications use a Security Manager

  Is it possible to enable the use of a security manager by default for Java applications?
  I understand that I can enable a security manager by using the -Djava.security.manager command-line option to java and javaw. But to utilise that I need to modify all scripts that call java/javaw, and I need to remember to include it when running all future java applications I acquire.
  These are the possibilities I've looked at:
  1. A configuration file that stores default options to those commands (similar to the ide.cfg in Netbeans). To my knowledge this feature doesn't exist.
  2. A configuration file for specifying default system properties (the -D prefix indicates it's a system property to be passed to the VM). Again, to my knowledge such a feature doesn't exist.
  3. An option in the ${java.home}/lib/java.security "master security properties file" which forces security managers by default. I couldn't find any such option. In fact, I couldn't find any solid documentation about this master security properties file on the Java web site. (The only information I found was about the JAAS extensions to this file).
  Any help will be greatly appreciated.
  There are two further options I would like to try, but they are nontrivial.
  A. Move to a Unix-based platform where the java/javaw commands are likely to be implemented as shell scripts to which the default options can readily by added. Or if they are not can be seemlessly replaced with a shell script. (I would really like to do this, I've tried to make the switch thrice in the past but have so far encountered difficulties).
  B. Build new java.exe and javaw.exe executables that invoke the originals (perhaps renamed to java-unsafe.exe) with the required default options (perhaps even reading the options from a text file a la Netbeans).
  Thanks in advance. Hopefully there is something obvious I've overlooked that does this.
  P.-S. I notice another poster raised this issue last year, but it received no replies. That post can be found here:
  http://forum.java.sun.com/thread.jsp?forum=61&thread=301657

  For those following this thread I've managed to make one step towards ensuring that no Java code is run locally without a Security Manager.
  It's an OS-level solution protecting against code run by double-clicking a jar file. (Admittedly this is not something I do often, but it's a start).
  The OS is Windows 2000 Professional. To add this protection, I performed the following steps.
  1. Choose the 'Tools'|'Folder Options...' menu item from within Windows Explorer.
  2. Within the 'File Types' tab, select the 'JAR' extension and click 'Advanced'.
  3. Click 'New...'.
  4. Type something like 'run with manager' in the 'Action' field. Type cmd.exe /c "java.exe -Djava.security.manager -jar "%1" %* & pause.exe" in the other field. Click OK.
  5. Ensure that this 'run with manager' action is the default. (I believe that the 'Set Default' button is supposed to do this. It did not do so for me. On my setup the default action was always the action with the earliest alphabetically-listed name.)
  sudheesh_j: Do you have any recommendations as to how to contact Sun? Should I post a Feature Request, or is there a list or email address that I should contact?

• Uninstall hp protect tool security manager

  I have installed "hp protect tool kit security manager" But I face a problem that when I shut down my system it goes to that point where the windows logon. it does not completely shut down. and when I try to uninstall it demand for pasword, but I didn't gave any password. and when i enter the windows password it gives invalid password error.
  kindly give me some. I don't want to refresh windows.

  Hi @Aqeel_Rafique ,
  Thank you for visiting the HP Support Forums and Welcome. I have looked into your issue about your Elitebook and issues with HP ProtectTools Security Manager password. The password could be the one that you use to log onto your Notebook or entered at the BIOS.
   You could follow these steps, even though, I don't recommend this as it is Security Tools.
  Step 1:Click Start, then "All Programs." Select "HP Protect Tools Security Manager" from the list of programs.
  Step 2:Click "Settings." Click the box to the left of the menu. The green check in the box should disappear, which means that the application is disabled.
  Step 3:Close the window and restart the computer. Then try to uninstall the software
  Provided by 3rd Party site.
  To get your issue more exposure I would suggest posting it in the commercial forums since this is a commercial product. You can do this at Commercial Forums.
  Thanks
  Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
  Click the “Kudos, Thumbs Up" on the bottom to say “Thanks” for helping!

• Security Manager on server with teamed NICs ?

  Can anyone confirm that Security Manager will run on server with teamed NICs (i.e. 2 physical connections, but 1 logical IP address) ?
  I ask because the data sheet for Security Manager 3.0.1 states :-
  "100BASE-T (100 Mbps) or faster network connection; single interface only". and
  "One static IP address".
  I already have a server that meets all the specs, but it has dual NICs to dual switches for resilience, teamed together with a single IP. The Cisco document is open for interpretation, so has anyone got a definitive answer or is running a setup like this already ?
  Thanks.
  Mark.

  It's recommended that you can use only one interface when installing CSM. However, if the second interface is using the same IP it should not be a problem.

• Get firefox mobile password manager auto fill login to sites?

  Is there a way i can get my firefox mobile password manager to auto matically fill or login to my sites?

  The master password will not be of any help. It just adds a layer of security for people who are extra careful with their passwords.
  There can be several issues.
  Mobile sites can exist on a different subdomain. The sites m.example.com and www.example.com are two different websites and Firefox will not share passwords between the two. There could be two different companies running the m.example.com and www.example.com thus it is not safe to share account info.
  Some websites tell Firefox not to remember passwords using a flag called autocomplete="off".
  Some websites use complicated script to submit the form data. These can be difficult to detect.

• WLAN and ESET Mobile Security

  A few weeks ago, I had a problem with WLAN on my phone Nokia E71; I was using the application ESET Mobile Security, and when i delete this application, the WLAN don´t work. Now, I reinstalled this application and WLAN is working fine. I recommend be carefull with this antivirus.

  phonehacker wrote:
  LOL you don't need antivirus. read this http://3lib.ukonline.co.uk/viruses.htm
  is this applied all S60 devices, such as S60 5th edition? (X6,N97,5800,etc.)
  Glad to help