©2017 Check Point Software Technologies Ltd. All rights reserved | P. 1 May 31, 2017 Check Point SandBlast Mobile: MDM Integration Guide | BlackBerry BES12 & UEM Check Point SandBlast Mobile MDM Integration Guide with BlackBerry BES12 & UEM Classification: none


© 2017 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and recompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.

Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.

Check Point and SandBlast are registered trademarks of Check Point Software Technologies Ltd. All rights reserved. Android and Google Play are trademarks of Google, Inc. App Store is a registered trademark of Apple Inc. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. BlackBerry, BES, BES12, and UEM are registered trademarks of BlackBerry Limited and/or its affiliates.


About This Guide

Only Check Point provides a complete mobile security solution that protects devices from threats on the device (OS), in apps, in SMS messages, and in the network, and delivers the industry’s highest threat catch rate for iOS and Android. Check Point SandBlast Mobile uses malicious app detection to find known and unknown threats by applying threat emulation, advanced static code analysis, app reputation and machine learning.

• Perform advanced app analysis to detect known and unknown threats
• Monitor network activity for suspicious or malicious behavior
• Monitor SMS messages received for malicious URLs
• Assess device-level (OS) vulnerabilities to reduce the attack surface

It uses a variety of patent-pending algorithms and detection techniques to identify mobile device risks, and triggers appropriate defense responses that protect business and personal data.

The Check Point SandBlast Mobile solution (“the Solution”) includes the following components:
• Check Point SandBlast Mobile Behavioral Risk Engine (“the Engine”)
• Check Point SandBlast Mobile Gateway (“the Gateway”)
• Check Point SandBlast Mobile Management Dashboard (“the SandBlast Mobile Dashboard”)
• SandBlast Mobile Protect app (“the App”) for iOS and Android

In cooperation with an MDM, the SandBlast Mobile Solution provides an integral risk assessment of the device, which the MDM can use to quarantine the device or enforce a set of policies that remain in effect until the device is no longer at High Risk. Such policy enforcement could disable certain capabilities of a device, such as blocking access to corporate assets (email, internal websites, etc.), thus protecting the corporation’s network and data from mobile-based threats.

This guide first describes how to integrate the SandBlast Mobile Dashboard with the BlackBerry BES12/UEM MDMs. It provides a quick tour through the interface of the BES12/UEM Management Console (“BB Console”) and the SandBlast Mobile Dashboard in order to enable integration, alerting, and policy enforcement.

Note: BlackBerry BES12 was renamed BlackBerry UEM in release 12.6, and the Good for BES12 client has been renamed to BlackBerry UEM client.

This includes activation and protection of a new device, malware detection, and mitigation (including mitigation flow).

Note: During the procedures in this document there are quite a few pieces of information that you will need to gather or create. There is a form in Section 7.3 where you can record your settings for easy reference.


Contents

1 Solution Architecture
  1.1 Components
2 Preparing MDM Platform for Integration
  2.1 Prerequisites
  2.2 BB Console
  2.3 Creating a SandBlast Mobile Administrator Account (optional)
  2.4 Adding a User
  2.5 Creating a User Provisioning Group
  2.6 Adding a Device to an Existing User
  2.7 Creating a Mitigation Process
3 Configuring the Check Point SandBlast Mobile Dashboard MDM Integration Settings
  3.1 Prerequisites
  3.2 Configuring MDM Integration Settings
4 Configuring MDM to Deploy SandBlast Mobile Protect App
  4.1 Prerequisites
  4.2 Adding the SandBlast Mobile Protect App to Your App Catalog
  4.3 Deploying SandBlast Mobile Protect App
  4.4 Requiring the SandBlast Mobile Protect App to Be Installed
  4.5 Redeployment of the SandBlast Mobile Protect App – iOS
  4.6 Redeployment of the SandBlast Mobile Protect App - Android
  4.7 Resending SandBlast Mobile Activation Code
5 SandBlast Mobile Protect App Deployment on the Devices
  5.1 Registration of an iOS Device
  5.2 Registration of an Android Device
6 Testing High Risk Activity Detection and Policy Enforcement
  6.1 Blacklisting a Test App
  6.2 View of Non-Compliant Device
  6.3 Administrator View on the SandBlast Mobile Dashboard
  6.4 Administrator View on the BB Console
7 Appendices
  7.1 SandBlast Mobile Dashboard Communication Information
  7.2 Discovering Your SandBlast Mobile Server Name and Region
  7.3 Integration Information


1 Solution Architecture

1.1 Components

Components and their descriptions:

1 SandBlast Mobile Protect app
• The SandBlast Mobile Protect app is a lightweight app for iOS® and Android™ that gathers data and helps analyze threats to devices in an Enterprise environment. It monitors operating systems and information about apps and network connections and provides data to the Solution which it uses to identify suspicious or malicious behavior.
• To protect user privacy, the App examines critical risk indicators found in the anonymized data it collects.
• The App performs some analysis on the device while resource-intensive analysis is performed in the cloud. This approach minimizes impact on device performance and battery life without changing the end-user experience.

2 EMM/MDM
• Enterprise Mobility Management/Mobile Device Management
• Device Management and Policy Enforcement System.

3 SandBlast Mobile Gateway
• The cloud-based Check Point SandBlast Mobile Gateway is a multi-tenant architecture to which mobile devices are registered.
• The Gateway handles all Solution communications with enrolled mobile devices and with the customer’s (“organization’s”) SandBlast Mobile Dashboard instance.

4 Dashboard
• The cloud-based web-GUI Check Point SandBlast Mobile Management Dashboard enables administration, provisioning, and monitoring of devices and policies and is configured as a per-customer instance.
• The SandBlast Mobile Dashboard can be integrated with an existing Mobile Device Management (MDM)/Enterprise Mobility Management (EMM) solution for automated policy enforcement on devices at risk.
• When using this integration, the MDM/EMM serves as a repository with which the SandBlast Mobile Dashboard syncs enrolled devices and identities.

5 Behavioral Risk Engine
• The cloud-based Check Point SandBlast Mobile Behavioral Risk Engine uses data it receives from the App about network, configuration, and operating system integrity data, and information about installed apps to perform in-depth mobile threat analysis.
• The Engine uses this data to detect and analyze suspicious activity, and produces a risk score based on the threat type and severity.
• The risk score determines if and what automatic mitigation action is needed to keep a device and its data protected.
• No Personal Information is processed by or stored in the Engine.


2 Preparing MDM Platform for Integration

2.1 Prerequisites

2.1.1. BlackBerry BES 12.5 or higher, including BlackBerry UEM 12.6.

2.1.2. For on-premise BlackBerry BES12/UEM deployments, the port used for the BES12/UEM Web Services API (default: TCP 18084) must be accessible remotely by the SandBlast Mobile servers in your region through your firewall before trying to connect. The SandBlast Mobile server IP addresses and ports required to be opened in the firewall are listed in Section 7.1.
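A firewall check for prerequisite 2.1.2, as an added example that is not part of the Check Point guide: it scans iptables-save output for ACCEPT rules on the BES12/UEM Web Services API port (default TCP 18084) whose source is wider than the SandBlast Mobile server list. The Linux iptables firewall, the allowlist addresses and the sample rules are assumptions constructed for illustration; the real addresses are those listed in Section 7.1.

```python
import ipaddress
import shlex

# Default BES12/UEM Web Services API port named in prerequisite 2.1.2.
BES_API_PORT = 18084

# Constructed placeholder allowlist (RFC 5737 documentation addresses). The
# real SandBlast Mobile server addresses are the ones listed in Section 7.1.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("198.51.100.0/28"),
]

# Constructed iptables-save excerpt for a firewall in front of the BES server.
SAMPLE_RULES = """\
-A FORWARD -s 203.0.113.10/32 -p tcp -m tcp --dport 18084 -j ACCEPT
-A FORWARD -s 198.51.100.4/32 -p tcp -m tcp --dport 18084 -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -p tcp -m tcp --dport 18084 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 18084 -j ACCEPT
-A FORWARD -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 18000:18100 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 18084 -j DROP
"""

PORT_FLAGS = ("--dport", "--dports", "--destination-port", "--destination-ports")


def covers_port(spec, port):
    """True if an iptables port spec ('18084', '18000:18100', '80,443') includes port."""
    for part in spec.split(","):
        if not part.replace(":", "").isdigit():
            continue  # service names and empty parts are not evaluated here
        if ":" in part:
            lo, hi = part.split(":", 1)
            lo_n, hi_n = int(lo or 0), int(hi or 65535)
        else:
            lo_n = hi_n = int(part)
        if lo_n <= port <= hi_n:
            return True
    return False


def audit(rules_text, allowed=ALLOWED_SOURCES, port=BES_API_PORT):
    """Return (line_no, source, verdict) for each TCP ACCEPT rule that names `port`.

    Verdicts: OK (source inside the allowlist), TOO_BROAD (source reaches
    beyond it) and REVIEW (negated match, check by hand). Rules without a
    destination-port match and rule ordering are not evaluated.
    """
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue
        # Map each option to the token that follows it.
        opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
        spec = next((opts[f] for f in PORT_FLAGS if f in opts), None)
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "tcp" or spec is None:
            continue
        if not covers_port(spec, port):
            continue
        # A rule with no -s matches every source address.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if "!" in tokens:
            verdict = "REVIEW"
        elif any(src.version == net.version and src.subnet_of(net) for net in allowed):
            verdict = "OK"
        else:
            verdict = "TOO_BROAD"
        findings.append((line_no, str(src), verdict))
    return findings


if __name__ == "__main__":
    for line_no, source, verdict in audit(SAMPLE_RULES):
        print(f"rule {line_no}: source {source} -> {verdict}")
```

Any TOO_BROAD finding means the Web Services API is reachable from addresses other than the SandBlast Mobile servers and the rule should be narrowed to the Section 7.1 list.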

2.2 BB Console

2.2.1. Log in to your BB Console.

Note: During the procedures in this document there are quite a few pieces of information that you will need to gather or create. There is a form in Section 7.3 where you can record your settings for easy reference.


2.3 Creating a SandBlast Mobile Administrator Account (optional)

For interaction at the API, we will create an API admin user in the BB Console. This limits the capability of the admin credentials used between the SandBlast Mobile Dashboard and the BlackBerry MDM system.

Note: Creating such an admin account is a best practice and highly recommended, but it is optional.

Note: Creating an administrator account and administrator role requires a “Security Administrator” level role.

To create an “API” Administrator Account, follow this process.

2.3.1 Create a New API Only Administrator Role

2.3.1.1. Navigate to Settings > Administrators > Roles, and click the “Add Role” button.


2.3.1.2. Enter a Role Name, such as “mtp_api_role”, and a description, then select “Junior HelpDesk” from the “Permissions copied from role” drop-down menu.

2.3.1.3. Scroll down to the “Users and Devices” section, and select:
2.3.1.3.1. “View user and activated devices”,
2.3.1.3.2. “Edit users”, and
2.3.1.3.3. “Assign user roles”.

2.3.1.4. Scroll down and select “View Apple DEP device information”.

2.3.1.5. Scroll down to the “Groups” section, and select:
2.3.1.5.1. “View group settings”, and
2.3.1.5.2. “Add and remove users from user groups”.


2.3.1.6. Scroll down to the “Policies and Profiles” section, and select:
2.3.1.6.1. “View IT policies”,
2.3.1.6.2. “View compliance profiles”, and
2.3.1.6.3. “View device profiles”.

2.3.1.7. Scroll down to the “Dashboard” section, and select “View dashboard”.

2.3.1.8. Scroll down to the bottom of the screen, and click the “Save” button.


2.3.2 Create a New Administrator Account

2.3.2.1 Create a New User Account

2.3.2.1.1. Navigate to Users, and click the “Add user” button.

2.3.2.1.2. On the “Add a user” pop-up window “Local” tab, fill in the “Display name”, “Username”, and an “Email address” for the new user. In our example, we will create an admin username of “mtp_admin”.

2.3.2.1.3. Enter a temporary console password for this user. When we log in the first time with these credentials, we will be prompted to set a new password.


2.3.2.1.4. Scroll down and select the “Do not set device activation password” radio button.

2.3.2.1.5. Click the “Save” button.

2.3.2.2 Assign New User to Administrator Role

2.3.2.2.1. Navigate to Settings > Administrators > Users, click the “Add Admin” button.


2.3.2.2.2. On the “Add an Administrator” pop-up window, search/select the user you created in the previous section (2.3.2.1).

2.3.2.2.3. Click the user’s “Name”.

2.3.2.2.4. Under “Assign a role” select the SandBlast Mobile API Role you created in Section 2.3.1, in our example “mtp_api_role”.


2.3.2.2.5. Click the “Save” button.

2.3.2.2.6. Finish the creation of the new admin account by logging out of the BB Console, and then logging back in using the temporary credentials you assigned to this new admin, in our example “mtp_admin/Temporary123!”. This will force you to select a new unique password.

2.3.2.2.7. Click the “Sign In” button.

2.3.2.2.8. On the “New password” pop-up window, enter in a new password.


2.3.2.2.9. Click the “Submit” button.

2.3.2.2.10. On the “Find out about…” pop-up window, select “Do not show this again”.

2.3.2.2.11. Click the “Start” button.

2.3.2.2.12. Click the “Log out” button.

Note: Log out and log back into the BB Console with your “Security Administrator” credentials to continue with the configuration.


2.4 Adding a User

There are two ways to add a user, “Add a Local User”, or sync with a corporate user directory.

Note: You can integrate with your Corporate User Directory to import group and associated user information. Imported information can be used for automatic provisioning of users, group based policy assignment and App distribution. Supported User Directories are Microsoft Active Directory and LDAP.

2.4.1 Adding a User from Corporate Directory

If you have configured your BB Console to integrate with your company user directory, follow these steps to add a user to the BB Console.

2.4.1.1. Navigate to Users, click the “Add user” button.

2.4.1.2. On the “Add a user” pop-up window “Company directory” tab, start typing the name of the user you want to add. When the name is displayed, select it from the drop-down list.


2.4.1.3. The required user information such as Display Name, Username, and Email address will be filled in from the company directory entry.


2.4.1.4. Scroll down to the bottom of the pop-up window and set the “Device activation” settings as required for your company.

2.4.1.5. Click the “Save” button.

2.4.2 Adding a Local User

We are going to show how to add a local user using the “Add User” method.

2.4.2.1. Navigate to Users, click the “Add user” button.


2.4.2.2. On the “Add a user” pop-up window “Local” tab, fill in all the required (*) fields with the appropriate information, such as in the example below.

2.4.2.3. Enter in a temporary console password for this user and select “Send password to user”.


2.4.2.4. Scroll down to the bottom of the pop-up window and set the “Device activation” settings as required for your company.

2.4.2.5. Click the “Save” button.

Note: The user is already notified of the device enrollment procedures when the user is created.


2.5 Creating a User Provisioning Group

To create a group of users whose devices will be registered to the Check Point SandBlast Mobile solution, follow this procedure.

2.5.1 Creating a User Group based on Corporate User Directory

2.5.1.1. Navigate to Groups > User groups, click the “Add a directory-linked group” icon.

2.5.1.2. On the “Add directory-linked group” pop-up window, enter in a Group Name, such as “MTP_Users_AD”, and, if desired, a Group Description.

2.5.1.3. Click the “+” sign to add a Linked directory group.


2.5.1.4. On the “Search company directory” pop-up window, enter in the first few letters of the corporate directory group you want to link, and hit enter.

2.5.1.5. Click the “Add” button.


2.5.1.6. We haven’t created any IT policies and profiles or added Apps to our App Catalog as of yet, so we will add those in subsequent sections.

2.5.1.7. Click the “Add” button.

2.5.2 Creating a Local User Group

2.5.2.1. Navigate to Groups > User groups, click the “Add a user group” icon.


2.5.2.2. On the “Add a user group” pop-up window, enter in a Group Name, such as “MTP_Users”, and, if desired, a Group Description.

2.5.2.3. Click the “+” sign to add a User role assignment.


2.5.2.4. On the “Assign user role” pop-up window, select the User role from the drop-down menu.


2.5.2.5. Click the “Add” button.

2.5.2.6. We haven’t created any IT policies and profiles or added Apps to our App Catalog as of yet, so we will add those in subsequent sections.

2.5.2.7. Click the “Add” button.


2.5.3 Adding an Existing User to the User Group

To add an existing user to the User Group we created in the previous section (2.5.1 or 2.5.2), follow this procedure. Our example will be using the Local User group (“MTP_Users”).

2.5.3.1. Navigate to Users, scroll and select the user you want to add to the user group, and click the “Add to user groups” icon.

2.5.3.2. On the “Add to user groups” pop-up window, select the User Group from the “Available groups” list, and click the right arrow button.


2.5.3.3. Click the “Save” button.

2.5.3.4. The User is now part of the User Group.

2.5.4 Adding a New User to an Existing User Group

Adding a new user to an existing user group is nearly the same procedure as in Section 2.4.

2.5.4.1. Navigate to Users, click the “Add user” button.


2.5.4.2. On the “Add a user” pop-up window “Local” tab, fill in all the required (*) fields with the appropriate information, such as in the example below.

2.5.4.3. Select the User Group from the “Available groups” list and click the right arrow.


2.5.4.4. Scroll down to the bottom of the pop-up window, enter a temporary console password for this user, and select “Send password to user”.

2.5.4.5. Set the “Device activation” settings as required for your company.

2.5.4.6. Click the “Save” button.

Note: The user is already notified of the device enrollment procedures when the user is created.

2.6 Adding a Device to an Existing User

2.6.0.1. Navigate to Users, scroll to or search for the user, and select that user.

2.6.0.2. Click the “Send activation email” button.


2.6.0.3. On the “Set device activation password” pop-up window, set the “Device activation” settings as required for your company.

2.6.0.4. Click the “Send” button.

Note: Repeat these steps to add another device.

2.6.1 Enrolling an iOS Device to BlackBerry BES12/UEM

2.6.1.1. The user will receive two email messages regarding device activation from the BlackBerry BES12/UEM system.

2.6.1.2. The first email message contains the device activation password.


2.6.1.3. The second email message contains the instructions for activating the device.

2.6.1.4. The user is instructed to download/install the appropriate BlackBerry UEM client app for their device. In the case of iOS, the user must install the “BlackBerry UEM client” app from the iTunes App store.

2.6.1.5. The user will visit their app store and search for the appropriate BlackBerry UEM client app.

2.6.1.6. The user selects the app to install.

2.6.1.7. After the app is installed, the user must launch the app to continue with registration to the BlackBerry BES12/UEM system.

2.6.1.8. The user will be prompted to accept the “End User License Agreement” by tapping “I Agree”.

2.6.1.9. The user will be prompted to begin activation by entering their email address and the activation password they received via email.

2.6.1.10. The user must “Install” the iOS Mobile Device Management profile.

2.6.1.11. The user must tap “Install” through this procedure.

Note: If there is already a device management profile installed, the user must uninstall the existing profile and then continue with the BlackBerry UEM MDM profile installation.

2.6.1.12. After the BlackBerry UEM client app is installed, the user is automatically taken to the app to accept or deny Notifications.

2.6.1.13. The device has been successfully enrolled to the BlackBerry BES12/UEM system.

2.6.2 Enrolling an Android Device to BlackBerry BES12/UEM

2.6.2.1. The user will receive two email messages regarding device activation from the BlackBerry BES12/UEM system.

2.6.2.2. The first email message contains the device activation password.

2.6.2.3. The second email message contains the instructions for activating the device.

2.6.2.4. The user is instructed to download/install the appropriate BlackBerry UEM client app for their device. In the case of Android, the user must install the “BlackBerry UEM Client” app from Google Play.

2.6.2.5. The user will visit their app store and search for the appropriate BlackBerry UEM client app.

2.6.2.6. The user taps “INSTALL”, and taps “ACCEPT” to accept the app access permissions.

2.6.2.7. After the app is installed, the user must launch the app to continue with registration to the BlackBerry BES12/UEM system, by tapping “OPEN”.

2.6.2.8. The user must accept the End User License Agreement by tapping “I Agree”.

2.6.2.9. The user is prompted for their email address, and “activation password” sent in the email.

2.6.2.10. The user must “Allow” the UEM Client to make/manage phone calls.

2.6.2.11. To continue device activation, the user taps “Next”.

2.6.2.12. The user must tap “Activate” to allow the BlackBerry UEM Client app to be a device administrator.

2.6.2.13. After clicking the “Activate” button, if the device is a Samsung, the user will be prompted to “Confirm” the terms and conditions for Samsung KNOX Privacy Notice.

2.6.2.14. The device has now been successfully enrolled to the BlackBerry BES12/UEM system.

2.7 Creating a Mitigation Process

In this procedure, you will create a mitigation group that the SandBlast Mobile Dashboard will use to group any device in High Risk as determined by the SandBlast Mobile Analysis. This group will allow the BlackBerry BES12/UEM system to identify which devices are at High Risk and to enforce configured compliance and mitigation policies against those devices.

2.7.1 Creating a User Mitigation Group

2.7.1.1. Navigate to Groups > User groups, click the “Add a user group” button.

2.7.2 Creating Compliance Policies

Now that we have a User Mitigation Group, we can create Compliance Policies that will be enforced on devices that are at High Risk. In this section, we will create Security Policies and Compliance Rules that will be used to enforce these actions.

Note: We will show a couple of different compliance policies, but these enforcement policies are something that the customer should create for their environment and needs. In a production environment, the customer should configure the compliance policies according to their internal security policy.

The policy will specify the actions taken on High Risk devices. In our example, we will disable the camera, but you might create a policy that disables access to the corporate network or assets.

2.7.2.1. Navigate to Policies and profiles, and click the “Add an IT policy” link under “IT policies”.

2.7.2.2. Enter a Name for the policy, such as “Non-Compliant Devices”, select the “iOS” tab.

2.7.2.3. Under “Device functionality”, unselect “Allow use of camera”.

2.7.2.4. Select the “Android” tab.

2.7.2.5. Under “Native OS > Device functionality”, select “Disable camera”.

2.7.2.6. Scroll to “KNOX MDM > Device functionality”, unselect “Allow camera”.

2.7.2.7. Scroll to “KNOX Premium – Workspace > Device functionality”, unselect “Allow camera”.

2.7.2.8. Scroll to the bottom of the screen and click the “Add” button.

2.7.3 Applying the Compliance Policy to the User Mitigation Group

Now that we have created the compliance policy (“Non-Compliant Devices”) we want to enforce, we need to link this policy to the User Mitigation Group (“Users_High_Risk”) we created in Section 2.7.1.

2.7.3.1. Navigate to Groups > User groups, find the user mitigation group you created in Section 2.7.1, in our example “Users_High_Risk”, and click the group name link.

2.7.3.2. On the user mitigation group detailed view, click the “Settings” tab.

2.7.3.3. On the “Settings” tab, click the “+” button on the “IT policy and profiles” section.

2.7.3.4. On the pop-up window, select the compliance policy, in our example “Non-Compliant Devices”, from the drop-down menu, and click the button to add “IT policy and profiles”.

2.7.3.5. Select the “type” of policy/profile you want to link, in our example “IT policy”.

2.7.3.6. On the “Assign an IT policy” pop-up window, select the IT policy we created in Section 2.7.2, in our example “Non-Compliant Devices”.

2.7.3.7. Click the “Assign” button.

Note: Now any device placed into the User Mitigation Group (“Users_High_Risk”) by the SandBlast Mobile system will have the compliance actions in the Compliance Rule (“Non-Compliant Devices”) applied to it.

Note: At this point, we have all the information we will need to configure the MDM integration settings in the SandBlast Mobile Dashboard. We are going to do that and then return to the BB Console to configure the SandBlast Mobile Protect app deployment settings.

From Our Examples:
• Server URL = https://<FQDN of BlackBerry BES12/UEM Server>:<port to Web Services API> (i.e. https://bes.acme.us:18084)
• SandBlast Mobile API Admin Username/Password = mtp_api_admin/<hidden>
• User Provisioning Group(s) = MTP_Users
• User Mitigation Group = Users_High_Risk

3 Configuring the Check Point SandBlast Mobile Dashboard MDM Integration Settings

3.1 Prerequisites

3.1.1. You will need the following details from your BlackBerry BES12/UEM Deployment:

Note: There is a table in Section 7.3 in which you can record your settings for easy reference.

3.1.1.1. Server: The root URL to your BlackBerry BES12/UEM Web Services API including the leading https://, such as https://bes12.acme.us:18084

3.1.1.2. BlackBerry BES12/UEM SandBlast Mobile Administrator Username and Password: These are the Admin credentials that the SandBlast Mobile Dashboard will use to connect to the MDM. You may have created a special API Admin account in Section 2.3 for this purpose.

3.1.1.3. Group(s): This is the BlackBerry BES12/UEM user provisioning group that contains the users/devices to be registered to SandBlast Mobile and that will be integrated with the SandBlast Mobile Dashboard. Multiple groups can be integrated with one SandBlast Mobile Dashboard instance by entering the group names separated with a semicolon (;). This is the User Provisioning Group we created in Section 2.5 (“MTP_Users”).

Note: Multiple SandBlast Mobile Dashboards can be integrated to one BlackBerry BES12/UEM instance by separating the devices into different “User Provisioning Groups”, such as creating a user provisioning group for All EU Users (i.e. “MTP_EU_Users”) and a user provisioning group for All US Users (i.e. “MTP_US_Users”). Then, the SandBlast Mobile Dashboard in the EU would be integrated to “MTP_EU_Users” and the SandBlast Mobile Dashboard in the US would be integrated to “MTP_US_Users”.

3.1.1.4. Mitigation Group: This is the user mitigation group that the devices will be assigned to when they are determined to be in High Risk. This is the user mitigation group we created in Section 2.7.1 (“Users_High_Risk”).

3.1.2. For on-premise MDM environments, the BlackBerry BES12/UEM Web Services port (TCP 18084) must be remotely accessible through your firewall from the SandBlast Mobile Dashboard to the MDM system before trying to connect.

3.1.2.1. See Section 7.1 for the SandBlast Mobile Dashboard IP addresses for your region.

3.1.2.2. If you do not know your SandBlast Mobile Dashboard’s region, follow the instructions in Section 7.2 to find out.

3.1.3. Delete any existing devices in the SandBlast Mobile Dashboard, and ensure that any devices that are to be enrolled via BlackBerry BES12/UEM integration are removed from other SandBlast Mobile Dashboards.

3.1.4. If your organization will be using the SandBlast Mobile Protect Enterprise iOS app with BlackBerry BES12/UEM, then your SandBlast Mobile Dashboard must be enabled for using the Enterprise iOS app. Please contact Check Point Support if this is not the case.

3.1.4.1. You will need to sign the Enterprise app with your own company signature.

3.1.4.2. The differences between using the Apple App Store version versus the Enterprise version:

3.1.4.2.1. Enterprise iOS app will be able to provide full protection of:

3.1.4.2.1.1. Advanced App Analysis

3.1.4.2.1.2. Network Analysis

3.1.4.2.1.3. OS/Device Vulnerability Assessments

3.1.4.2.2. The Apple App Store version interoperating with BlackBerry BES12/UEM cannot provide “Advanced App Analysis”, but can still provide “Network Analysis” and “OS/Device Vulnerability Assessments”.

Note: Only the devices are synchronized from the MDM to the SandBlast Mobile Dashboard, not users.

3.2 Configuring MDM Integration Settings

3.2.0.1. Navigate to Settings > Device Management > Setting.

3.2.0.2. Select “BES” from the “MDM service” drop-down menu under the Device Management Settings area.

3.2.0.3. A pop-up window will open. Configure the settings as are appropriate for your UEM Deployment, such as those you have created in Section 2.

3.2.0.4. If the BES instance uses a self-signed certificate, you can upload the Base64 certificate to the SandBlast Mobile server by turning on “Advanced options”, clicking the “Upload Certificate” button, and selecting the Base64 certificate you saved from your BES instance’s Web Services page (i.e. https://bes.acmecorp.us:18084).

3.2.0.5. Click the “VERIFY” button. If the settings are correct, and the SandBlast Mobile Dashboard can communicate with the BlackBerry BES12/UEM system, you will be able to click the “SAVE” button to finish configuration.

3.2.0.6. After successful configuration and sync, the “Devices” tab will show the devices added to SandBlast Mobile and their status is “Provisioned” which indicates that they have not yet tried to register to the SandBlast Mobile Dashboard.

3.2.1 Registration Email and Registration Limit Settings

3.2.1.1. Navigate to Settings > Device Management > Setting. When an MDM Service is configured, the settings under the “Notify user when device was added by MDM” section can be altered. Registration email (Android) needs to be turned “ON”. Daily registration limit is set to 100.

3.2.2 MDM Advanced Settings

When an MDM Service is configured, the Device Management Advanced Settings are automatically configured based on recommendations of the selected MDM provider, in this case from UEM. If you wish to change these settings, follow this process.

3.2.2.1. Navigate to Settings > Device Management > Advanced, and make any appropriate changes.

Setting | Description
Device sync interval | Interval to connect with MDM to sync devices. Values: 10-1440 minutes, in 10 minute intervals.
Device deletion threshold | Percentage of devices allowed for deletion after MDM device sync. 100% for no threshold.
Deletion delay interval | Delay device deletion after sync – a device will not be deleted if it is re-synced from the MDM during the threshold interval. Values: 0-48 hours.

3.2.2.2. If you make changes to the default settings, click the “Save” button to have changes take effect.
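An added pre-flight check for the values collected in Section 3.1.1 and the ranges in the advanced-settings table above; it is not Check Point or BlackBerry code, and all function and parameter names are this example's own. Flagging a mitigation group that is also a provisioning group, and flagging a 100% deletion threshold, are this example's assumptions about what is worth reviewing; `fetch_certificate` returns the SHA-256 fingerprint of the certificate the server presents so it can be compared with the Base64 file uploaded in step 3.2.0.4.

```python
"""Pre-flight check for the values entered in Sections 3.1.1 and 3.2.2.

Added example: not Check Point or BlackBerry code. Function and parameter
names are this script's own, not identifiers from either product.
"""
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

WS_PORT = 18084  # BES12/UEM Web Services port named in Section 3.1.2


def parse_server_url(url):
    """Return (host, port) for the Server field, or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("must start with https://")
    if not parts.hostname:
        raise ValueError("no host name")
    if parts.username or parts.password:
        raise ValueError("credentials do not belong in the URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("must be the root URL, without path or query")
    if parts.port is None:  # .port itself raises ValueError on a bad port
        raise ValueError(f"port missing (the guide uses {WS_PORT})")
    return parts.hostname, parts.port


def parse_groups(field):
    """Split the Group(s) field on ';' as Section 3.1.1.3 describes."""
    groups = [g.strip() for g in field.split(";")]
    if any(not g for g in groups):
        raise ValueError("empty group name (stray ';'?)")
    if len(set(groups)) != len(groups):
        raise ValueError("duplicate group name")
    return groups


def check_settings(server, groups_field, mitigation_group,
                   sync_minutes, deletion_threshold_pct, deletion_delay_hours):
    """Return a list of findings; an empty list means nothing to review."""
    findings, groups = [], []
    try:
        parse_server_url(server)
    except ValueError as exc:
        findings.append(f"Server: {exc}")
    try:
        groups = parse_groups(groups_field)
    except ValueError as exc:
        findings.append(f"Group(s): {exc}")
    if not mitigation_group.strip():
        findings.append("Mitigation Group: empty")
    elif mitigation_group.strip() in groups:
        # Assumption of this example: the groups are meant to be distinct,
        # otherwise every provisioned user carries the High Risk policy.
        findings.append("Mitigation Group: also listed as a provisioning group")
    if not (10 <= sync_minutes <= 1440 and sync_minutes % 10 == 0):
        findings.append("Device sync interval: 10-1440 minutes in steps of 10")
    if not 0 <= deletion_threshold_pct <= 100:
        findings.append("Device deletion threshold: must be a percentage")
    elif deletion_threshold_pct == 100:
        findings.append("Device deletion threshold: 100% means no threshold")
    if not 0 <= deletion_delay_hours <= 48:
        findings.append("Deletion delay interval: must be 0-48 hours")
    return findings


def pem_fingerprint(pem_text):
    """SHA-256 (hex) of the DER bytes inside a Base64/PEM certificate file."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def fetch_certificate(host, port, timeout=5.0):
    """Return (pem, sha256_hex) of the certificate the server presents.

    Chain verification is off on purpose: the goal is to inspect a
    self-signed certificate, so confirm the fingerprint out of band.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der), hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Names from the guide's own example; the numeric values are constructed.
    for finding in check_settings("https://bes.acme.us:18084", "MTP_Users",
                                  "Users_High_Risk", 60, 50, 24) or ["no findings"]:
        print(finding)
```

A successful `fetch_certificate` call from an administrator workstation does not show that the SandBlast Mobile Dashboard addresses in Section 7.1 are allowed through the firewall; that still has to be confirmed with the “VERIFY” button.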

4 Configuring MDM to Deploy SandBlast Mobile Protect app

4.1 Prerequisites

4.1.1. SandBlast Mobile Gateway/Server – Server name of the SandBlast Mobile gateway/server, which should be us-gw01 or eu-gw01. If you don’t know your SandBlast Mobile server name, follow the instructions in Section 7.2 to find out.

4.2 Adding the SandBlast Mobile Protect App to Your App Catalog

Now that the MDM and Check Point SandBlast Mobile Dashboard are communicating, we can start deploying the SandBlast Mobile Protect app from the public stores to those devices that will be protected by Check Point SandBlast Mobile. We will need to add the App for both iOS and Android operating systems.

Note: There are some slight differences with BlackBerry BES12 and BlackBerry UEM with regards to the deployment and configuration of the SandBlast Mobile Protect iOS App. Please take note that these differences are described in the following sections.

4.2.1 iOS App – Add to Catalog

4.2.1.1 Within BlackBerry BES12

For the iOS app, BlackBerry BES12 can automatically deploy, but not configure the SandBlast Mobile Protect app registration server and key on an iOS device. Completing app deployment requires the user to launch the SandBlast Mobile Protect app to finish device registration. There are two possible deployment scenarios for iOS, using the Apple App Store app or the Enterprise iOS app that has been signed by your organization. This procedure describes deploying the Apple App Store app.

4.2.1.1.1. Navigate to Apps > Apps, and select the button.

4.2.1.1.2. Select “iTunes” from the Store List.

4.2.1.1.3. In the “App” field, enter “SandBlast Mobile Protect”, select the appropriate store for your country, and click the “Search” button to search the store.

4.2.1.1.4. Select SandBlast Mobile Protect app as indicated below by clicking the “Add” button.

4.2.1.1.5. An App Configuration pop-up window for “SandBlast Mobile Protect” will open.

4.2.1.1.6. Many of the configuration settings are already defaulted, but can be altered to suit your organization’s needs.

4.2.1.1.7. Scroll down to the bottom of the window, and click the “Add” button.

4.2.1.2 Within BlackBerry UEM

For the iOS app, BlackBerry UEM can automatically deploy and configure the SandBlast Mobile Protect app registration server and key on an iOS device. It does require the user to launch the SandBlast Mobile Protect app to finish device registration. There are two possible deployment scenarios for iOS, using the Apple App Store app or the Enterprise iOS app that has been signed by your organization. This procedure describes deploying the Apple App Store app.

4.2.1.2.1. Navigate to Apps > Apps, and select the button.

4.2.1.2.2. Select “iTunes” from the Store List.

4.2.1.2.3. In the “App” field, enter “SandBlast Mobile Protect”, select the appropriate store for your country, and click the “Search” button to search the store.

4.2.1.2.4. Select SandBlast Mobile Protect app as indicated below by clicking the “Add” button.

4.2.1.2.5. An App Configuration pop-up window for “SandBlast Mobile Protect” will open.

4.2.1.2.6. Scroll down to the “App Configuration” table, and click the “+” button.

4.2.1.2.7. Enter an “App configuration name”, such as iOS_Protect.

4.2.1.2.8. Click the “+” button to add “String” type of Key/Value pair, twice.

4.2.1.2.9. Add the following Key/Value pairs:

4.2.1.2.9.1. Lacoon Server Address = us-gw01.locsec.net

4.2.1.9.2.1.1. This value should match the value of your SandBlast Mobile gateway

4.2.1.9.2.1.2. See Section 7.2 if you do not know your SandBlast Mobile gateway

4.2.1.2.9.2. Device Serial Number = %SerialNumber%

4.2.1.2.10. Click the “Save” button.

4.2.1.2.11. Click the “Add” button.

4.2.2 Android App – Add to Catalog

BlackBerry BES12/UEM can automatically deploy, but not configure the SandBlast Mobile Protect app registration server and key on an Android device. Completing deployment requires the user to launch the SandBlast Mobile Protect app to finish device registration, by entering the registration server and registration key the user received via email.

4.2.2.1. Navigate to Apps > Apps, and select the button.

4.2.2.2. Select “Google Play App” from the Store List.

4.2.2.3. Click "Open Google Play" and search for the app that you want to add. You can then copy and paste information from Google Play in the following steps and also download icons and screen shots.

4.2.2.4. In the App name field, type the app name, “SandBlast Mobile Protect”.

4.2.2.5. In the App description field, type a description for the app.

4.2.2.6. In the Vendor field, type the name of the app vendor, “Check Point Software Technologies, Ltd.”

4.2.2.7. In the App icon field, click Browse. Locate and select an icon for the app. The supported formats are .png, .jpg, .jpeg, or .gif.

Note: Do not use Google Chrome to download the icon because an incompatible .webp image is downloaded.

4.2.2.8. In the App web address from Google Play field, type the web address of the app in Google Play.

4.2.2.8.1. https://play.google.com/store/apps/details?id=com.lacoon.security.fox

4.2.2.9. Click the “Add” button.

4.3 Deploying SandBlast Mobile Protect app

4.3.1 Within BlackBerry BES12

To deploy the SandBlast Mobile Protect app to devices that will be registered to the Check Point SandBlast Mobile solution, we need to link the SandBlast Mobile Protect app in our app catalog to the User Provisioning Group we created in Section 2.5.

4.3.1.1. Navigate to Groups > User groups, click the name of the User Provisioning Group, in our example “MTP_Users”.

4.3.1.2. Click the Settings tab.

4.3.1.3. Click the “+” button on the “Assigned apps” section.

4.3.1.4. On the “Assign app” pop-up window, select both the Android and the iOS SandBlast Mobile Protect apps.

4.3.1.5. Click the “Next” button.

4.3.1.6. Set the “Disposition” to “Required” for both apps.

4.3.1.7. Click the “Assign” button.

4.3.2 Within BlackBerry UEM

To deploy the SandBlast Mobile Protect app to devices that will be registered to the Check Point SandBlast Mobile solution, we need to link the SandBlast Mobile Protect app in our app catalog to the User Provisioning Group we created in Section 2.5.

4.3.2.1. Navigate to Groups > User groups, click the name of the User Provisioning Group, in our example “MTP_Users”.

4.3.2.2. Click the Settings tab.

4.3.2.3. Click the “+” button on the “Assigned apps” section.

4.3.2.4. On the “Assign app” pop-up window, select both the Android and the iOS SandBlast Mobile Protect apps.

4.3.2.5. Click the “Next” button.

4.3.2.6. Set the “Disposition” to “Required” for both apps.

4.3.2.7. Select the “App configuration” from the drop-down menu, in our example “iOS_Protect”.

4.3.2.8. Click the “Assign” button.

4.4 Requiring the SandBlast Mobile Protect App to be Installed

The SandBlast Mobile Protect app is made mandatory by creating a Compliance Policy for iOS and Android devices, then assigning this compliance policy to the User Provisioning Group we created in Section 2.5.

4.4.1 Creating Compliance Policy (Policy)

The policy will specify the actions taken on all SandBlast Mobile devices that do not have required apps, such as SandBlast Mobile Protect, installed.

4.4.1.1. Navigate to Security > Policies and profiles, and click the “Add a profile” link under “Compliance”.

4.4.1.2. Enter a Name for the policy, such as “SandBlast_Mobile_Protect_Required”, enter a “Description” of “iOS MDM”, and select the “iOS” tab.

4.4.1.3. Select “Required app is not installed” and set appropriate actions to be taken if the user doesn’t install the app.

4.4.1.4. Select the “Android” tab.

4.4.1.5. Select “Required app is not installed” and set appropriate actions to be taken if the user doesn’t install the app.

4.4.1.6. Scroll down to the bottom of the page.

4.4.1.7. Click the “Add” button.

4.4.2 Applying App Required Compliance Policy to User Provisioning Group

The policies created in the previous section are assigned to the user provisioning group created in Section 2.5, in our example “MTP_Users”.

4.4.2.1. Navigate to Groups > User groups, locate the user provisioning group, click the group’s name link.

4.4.2.2. Select the “Settings” tab, and click the “+” button in the “IT policy and profiles” section.

4.4.2.3. Select “Compliance” from the pop-up list.

4.4.2.4. On the “Assign a Compliance profile” pop-up window, select the “Compliance Policy” we created in the previous section.

4.4.2.5. Click the “Assign” button.

Note: Any device that belongs to the User Provisioning Group (“MTP_Users”) that hasn’t installed the SandBlast Mobile Protect app will be out of compliance.

4.4.3 Device Out of Compliance – Missing SandBlast Mobile Protect App

4.4.3.1. BB Console Home Screen indicates an “Out of Compliance” issue.

4.4.3.2. Clicking on the “Non-compliant” pie piece opens a reporting window.

4.4.3.3. Device Details View indicates an “Out of Compliance” issue.

4.4.3.4. The user will receive an alert email as well as an in-app notification.

4.5 Redeployment of the SandBlast Mobile Protect App – iOS

4.5.1 Within BlackBerry BES12

If the user removes the SandBlast Mobile Protect app, the device will be out of compliance. Because the iOS app is not auto-configured, the user needs to open the BlackBerry UEM client App Catalog, and choose to install SandBlast Mobile Protect. If the user requires an activation code sent to them, the administrator can follow the instructions as described in Section 4.7.

4.5.2 Within BlackBerry UEM

If the user removes the SandBlast Mobile Protect app, the device will be out of compliance. Because the iOS app is auto-configured, the user only needs to open the BlackBerry UEM client App Catalog, and choose to install SandBlast Mobile Protect.

Note: The instructions for installing and registering the SandBlast Mobile Protect app are described in Section 5.1.

4.6 Redeployment of the SandBlast Mobile Protect App - Android

If the user removes the SandBlast Mobile Protect app, the device will be out of compliance. Because the Android app is not auto-configured, the user needs to open the BlackBerry UEM client App Catalog, and choose to install SandBlast Mobile Protect. They will also need to refer back to their registration email from SandBlast Mobile, or the administrator will need to resend the registration activation key. If the user requires an activation code sent to them, the administrator can follow the instructions as described in Section 4.7.

Note: The instructions for installing and registering the SandBlast Mobile Protect app are described in Section 5.2.

4.7 Resending SandBlast Mobile Activation Code

If the user requires the activation registration email/SMS to be resent to them, the administrator will log into the SandBlast Mobile Dashboard.

4.7.1. Navigate to the Devices tab, select the device to which to send the activation code, and click the “Send activation” button.

4.7.2. On the pop-up “Send Activation Message” window, select the type of message, and click the “Send” button. If the device has a phone number assigned, the message could be sent via SMS text message as well.

5 SandBlast Mobile Protect App Deployment on the Devices

This section describes the user experience during the deployment of the SandBlast Mobile Protect app.

5.1 Registration of an iOS Device

5.1.1 Integrated with BlackBerry BES12

After the device is registered to the BlackBerry BES12 system and the SandBlast Mobile Protect app has been “Assigned” to the User Provisioning Group (“MTP_Users”), the user will be prompted to install the SandBlast Mobile Protect App.

5.1.1.1. The user taps “INSTALL”.

5.1.1.2. After the App has been installed on the iOS Device, the user only needs to launch the App to finish the registration.

5.1.1.3. The user must input the server and activation code sent to them via email, as shown above.

5.1.1.4. The user will be prompted for notifications and location permissions.

5.1.1.5. Once the App is done scanning the system, it will display the state of the device. In this case, the device is without malicious or high risk apps, network and OS threats.

5.1.2 Integrated with BlackBerry UEM

After the device is registered to the BlackBerry UEM system and the SandBlast Mobile Protect app has been “Assigned” to the User Provisioning Group (“MTP_Users”), the user will be prompted to install the SandBlast Mobile Protect App.

5.1.2.1. The user taps “INSTALL”.

5.1.2.2. After the App has been installed on the iOS Device, the user only needs to launch the App to finish the registration.

5.1.2.3. The App will automatically register. The registration server and key are automatically configured in the App by the BlackBerry BES12/UEM system.

5.1.2.4. Once the App is done scanning the system, it will display the state of the device. In this case, the device is without malicious or high risk apps, network and OS threats.

5.2 Registration of an Android Device

After the device is registered to the BlackBerry BES12/UEM system and the SandBlast Mobile Protect app has been “Assigned” to the User Provisioning Group (“MTP_Users”), the user will be prompted to install the SandBlast Mobile Protect App.

5.2.1. The user is prompted to install the SandBlast Mobile Protect app, and taps “OK”.

5.2.2. The user taps the “Install” button and the “Accept” button.

5.2.3. The user taps the “Open” button to continue the registration process.

5.2.4. After the App is installed, the user must launch the App to finish its deployment and registration to Check Point SandBlast Mobile.

5.2.5. The user must enter the server address and registration key to complete registration. This information was sent to the user in a separate email.

5.2.6. The user must tap “Activate” to allow the SandBlast Mobile Protect app to be a device administrator.

5.2.7. Once the App is done scanning the system, it will display the state of the device. In this case, the device is without malicious or high risk apps, network and OS threats.

6 Testing High Risk Activity Detection and Policy Enforcement

If the user’s device is determined to be in a High Risk state, due to either a malicious app or malicious activity, the SandBlast Mobile system notifies the user via in-app notifications and reports the High Risk state for that device to the BlackBerry BES12/UEM system. UEM receives the state change and, upon recognizing that the Mitigation Group is tied to a compliance policy, enacts the policy actions.

In the following example, the Administrator will blacklist an app, in our example “Dropbox”. As a result, all devices with “Dropbox” installed will be identified as High Risk because of the blacklisted app. The SandBlast Mobile Dashboard will notify the user, and mark the device as High Risk to the BlackBerry BES12/UEM system. The BlackBerry BES12/UEM system will then enforce the policy actions specified in the IT policy, in our example “Non-Compliant Devices”, based on the compliance rules specifying that devices belonging to the Mitigation Group, in our example “Users_High_Risk”, will be remediated. This mitigation process is the one we created in Section 2.7.

6.1 Blacklisting a Test App

The first step is to blacklist an app, in our example “Dropbox”. By blacklisting this app, all release versions and OS types of this app will also be blacklisted. In our example, “Dropbox” for Android will be blacklisted, which will result in all Dropbox for Android numbered release versions being blacklisted as well.

6.1.1. Log into the SandBlast Mobile Dashboard.

6.1.2. Navigate to App Analysis tab, and search for the app you wish to blacklist, in our example “Dropbox”.

6.1.3. Click the “Policy” link of “Default”.

6.1.4. On the “Changing application policy” pop-up window, select “Black Listed” from the “New policy” drop-down menu, and enter a reason for this change in the “Audit Trail note”.

6.1.5. Click the “OK” button.

6.2 View of Non-Compliant Device

6.2.1 SandBlast Mobile Protect App Notifications

6.2.1.1. The user receives a SandBlast Mobile Protect notification indicating that the blacklisted app is not allowed by Corporate Policy, in our example “Dropbox”.

6.2.1.2. The user will not be able to use the device’s camera, as specified in the compliance actions (policy) we created in Section 2.7.2, in our example “Non-Compliant Devices” until the user removes the blacklisted app.

6.3 Administrator View on the SandBlast Mobile Dashboard

6.3.1. From the SandBlast Mobile Dashboard, the Administrator will see that there are devices at high risk.

6.3.2. Clicking “High Risk” will display a list of devices at high risk.

6.3.3. Selecting the desired device from the left-side list, the Administrator can see that the high risk state is caused by the existence of the blacklisted app, “Dropbox”.

6.3.4. Navigating to Settings > Audit Trail, the Administrator will see that an alert was sent to the MDM; hovering over the Event Data information pops up the Event that was sent.

6.3.5. In this example, Device ID of 84 was moved to Profile “Users_High_Risk”, which is the Mitigation Group we created in Section 2.7.1 and configured in the Device Management Settings for UEM.

6.4 Administrator View on the BB Console

6.4.1. In the BES Console, in the User Device Detail screen the Administrator can see that the user is now part of the “Users_High_Risk” group, and that the IT policy “Non-Compliant Devices” has been assigned.

7 Appendices

7.1 SandBlast Mobile Dashboard Communication Information

The following table describes the networking rules required to configure your security systems in order to allow the Solution’s integration with your on premise systems (MDMs, syslog, etc.). If you do not know your SandBlast Mobile Dashboard’s region, please contact [email protected], or alternatively, perform the procedure in Section 7.2.

| Description | Source | Destination | Port | Region |
|---|---|---|---|---|
| Connection to customer’s MDM (EU) | 52.51.115.5, 52.31.98.20, 52.30.229.13, 52.51.47.83 | Customer MDM and/or UDM | 443 | EU |
| Connection to customer’s MDM (US) | 54.84.231.79, 54.84.219.180, 52.6.231.218, 52.0.129.11, 52.71.46.86, 52.203.42.126, 52.202.99.13 | Customer MDM and/or UDM | 443 | US |
| Connection to Customer’s ArcSight/Syslog (EU) | 52.51.115.5, 52.31.98.20, 52.30.229.13, 52.51.47.83 | Customer ArcSight/Syslog | Protocol and port as configured in the SandBlast Mobile Dashboard Settings > Syslog screen | EU |
| Connection to Customer’s ArcSight/Syslog (US) | 54.84.231.79, 54.84.219.180, 52.6.231.218, 52.0.129.11, 52.71.46.86, 52.203.42.126, 52.202.99.13 | Customer ArcSight/Syslog | Protocol and port as configured in the SandBlast Mobile Dashboard Settings > Syslog screen | US |
| UDM connection to SandBlast Mobile (EU) | Customer UDM server | 52.17.79.161 | 443 | EU |
| UDM connection to SandBlast Mobile (US) | Customer UDM server | 54.84.231.79, 54.84.219.180, 52.6.231.218, 52.0.129.11, 52.21.154.72 | 443 | US |
| Connection to the customer’s SMTP server if configured in SandBlast Mobile Dashboard (Settings > SMTP Settings) | 52.1.198.108, 52.7.158.188, 52.202.99.13, 52.71.46.86, 52.203.42.126 | Customer SMTP server | SMTP port configured in the SandBlast Mobile Dashboard SMTP screen | Any |

In order to prevent spam filters from blocking SandBlast Mobile’s emails, the following IP address should be allowed as a sender: 167.89.59.134.
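The following is an added example, not part of the Check Point guide: a Python check that turns the inbound rows of the table above (Dashboard to MDM, syslog and SMTP) into a per-region allowlist and flags observed connections that fall outside it. The addresses are the ones listed in the table; the service labels, the syslog and SMTP port values, and the sample flow records are assumptions constructed for illustration.

```python
import ipaddress

# Source addresses copied from the Section 7.1 table of this guide (dated
# May 31, 2017); confirm them against current vendor data before relying on them.
DASHBOARD_SOURCES = {
    "EU": ["52.51.115.5", "52.31.98.20", "52.30.229.13", "52.51.47.83"],
    "US": ["54.84.231.79", "54.84.219.180", "52.6.231.218", "52.0.129.11",
           "52.71.46.86", "52.203.42.126", "52.202.99.13"],
}
SMTP_SOURCES = ["52.1.198.108", "52.7.158.188", "52.202.99.13",
                "52.71.46.86", "52.203.42.126"]  # table lists region "Any"


def build_allowlist(region, syslog_port, smtp_port):
    """Map (service, destination port) to the permitted source addresses.

    The service labels "mdm", "syslog" and "smtp" are names chosen for this
    example. Syslog and SMTP ports are whatever the Dashboard is configured
    to use, so the caller supplies them.
    """
    if region not in DASHBOARD_SOURCES:
        raise ValueError(f"unknown region {region!r}; expected 'EU' or 'US'")
    dashboard = {ipaddress.ip_address(a) for a in DASHBOARD_SOURCES[region]}
    smtp = {ipaddress.ip_address(a) for a in SMTP_SOURCES}
    return {
        ("mdm", 443): dashboard,
        ("syslog", syslog_port): dashboard,
        ("smtp", smtp_port): smtp,
    }


def audit(flows, allowlist):
    """Split inbound flow records into (permitted, unexpected)."""
    permitted, unexpected = [], []
    for flow in flows:
        try:
            src = ipaddress.ip_address(flow["src"])
        except ValueError:
            unexpected.append(flow)  # unparsable source: never permit
            continue
        sources = allowlist.get((flow["service"], flow["port"]), set())
        (permitted if src in sources else unexpected).append(flow)
    return permitted, unexpected


# Constructed sample flows for an EU tenant; 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = [
    {"src": "52.31.98.20", "service": "mdm", "port": 443},     # EU Dashboard source
    {"src": "54.84.231.79", "service": "mdm", "port": 443},    # US address, wrong region
    {"src": "203.0.113.10", "service": "mdm", "port": 443},    # not in the table
    {"src": "52.51.47.83", "service": "syslog", "port": 514},  # not the configured port
    {"src": "52.7.158.188", "service": "smtp", "port": 25},    # listed SMTP source
    {"src": "not-an-ip", "service": "mdm", "port": 443},       # malformed record
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_FLOWS, build_allowlist("EU", syslog_port=6514, smtp_port=25))
    for flow in bad:
        print("UNEXPECTED", flow)
```

Scoping the allowlist to the tenant's own region means a connection from the other region's addresses is reported rather than silently accepted.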

7.2 Discovering your SandBlast Mobile Server Name and Region

If you do not know your SandBlast Mobile Dashboard’s region, please follow these instructions.

Note: These instructions must be done prior to configuring the Device Management Settings in the SandBlast Mobile Dashboard.

7.2.1. Log in to your SandBlast Mobile Dashboard.

7.2.2. Navigate to Devices.

7.2.3. Click the “Add new device” button to add a new device.

7.2.4. In the pop-up window, enter a name, enter your email address, and ensure that “Send registration email” is checked. Click the “ADD” button.

7.2.5. Retrieve your email. In the Device Registration email from [email protected] the Server Address will be listed.

7.2.5.1. EU Region = eu-gw01.locsec.net

7.2.5.2. US Region = us-gw01.locsec.net

7.2.6. Go back into the SandBlast Mobile Dashboard > Devices, select the device you just created, and click the “Delete” button. Confirm deletion of device.

7.3 Integration Information

| Field | Value |
|---|---|
| UEM Server URL | |
| UEM Web Services URL | |
| UEM SandBlast Mobile Admin Username | |
| UEM SandBlast Mobile Admin Password | |
| UEM Group(s) | |
| UEM Mitigation Group | |
| SandBlast Mobile Gateway | |
| SandBlast Mobile App Name (iOS) | SandBlast Mobile Protect |
| SandBlast Mobile App ID (iOS) | com.checkpoint.capsuleprotect |
| SandBlast Mobile App Name (Android) | SandBlast Mobile Protect |
| SandBlast Mobile App ID (Android) | com.lacoon.security.fox |

FOR MORE INFORMATION, VISIT CHECKPOINT.COM/MOBILESECURITY