IBM MaaS360 integration guide
Integrations with Mobile Device Management (MDM) servers and the Mobile Security console provide the ability to:
Synchronize users and devices from the MDM.
Provide transparent user access to the GravityZone MTD.
Define groups to be used in policies and other configuration items.
Provide granular protection mechanisms in addition to the protections built into GravityZone MTD.
Auto-activate the apps through an application configuration push from the MDM and verify the device identifier and user.
To integrate the Bitdefender Mobile Security console with IBM MaaS360, the Mobile Security console connects to the IBM MaaS360 API server.
This connection is made over the Internet using SSL/TLS.
Prerequisites
Item | Specifics |
---|---|
IBM MaaS360 MDM Enrolled Device | Release 7.2 and above |
API Administrator Account in IBM MaaS360 Management Console | Proper role defined. |
IBM MaaS360 Web Service Access | You must have web service access to your IBM MaaS360 environment. |
Python Access | Access to Python for optional initial setup of IBM MaaS360. |
MDM Password | Do not use a colon (:) in the MDM access password, and do not use the literal string `password` as the password value. |
The MDM and Mobile Security console communication
The Mobile Security console has been set up to enable API access for sharing data with the IBM MaaS360 console.
When an event is detected, GravityZone MTD consults the Threat Policy on the device. If the policy specifies a Mobile Device Management (MDM) action, the event is sent to the Mobile Security console.
The console then contacts the configured IBM MaaS360 API Server and sends the commands needed to carry out that action.
When a user is removed from the MDM, the user is also removed from the console. Events linked to that user or device are not deleted.
Full MDM synchronization
After the original full synchronization during the MDM integration setup, a scheduled synchronization process runs every four hours.
On demand MDM synchronization
Because of the four-hour synchronization window, a new MDM user may have the mobile app pushed to their device and start it before the device has been synced from the MDM.
The Mobile Security console handles this with an on-demand device lookup when the app starts and the console has no record of the device yet.
For verification, the console obtains the customer's identification information from the app and matches it to the correct customer.
It then retrieves the device and user information from the MDM configured for that customer.
The app on the device is now authorized and can proceed.
Setting up device application deployment
API access
MaaS360 requires these details to generate an authentication token for access to its REST APIs:
Billing Id
App Id
App Version
Platform Id
App Access Key
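The following added example (not Bitdefender's or IBM's code) shows how the five details above, together with the API administrator account, are assembled into a MaaS360 token request and how the token is then carried on later REST calls. The endpoint path, the XML element names, the `authResponse` shape and the `MaaS token="..."` authorization scheme are assumptions taken from IBM's public web services documentation; confirm them against your own MaaS360 environment. Nothing is sent over the network: the request is only built and a constructed response is parsed.

```python
"""Build and parse the IBM MaaS360 administrator authentication exchange.

Added example, not Bitdefender's or IBM's code. Endpoint path, XML element
names and the 'MaaS token' Authorization scheme are ASSUMED from IBM's public
web services documentation; verify them for your MaaS360 instance. The sample
values below are constructed and are not real credentials.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class MaaS360ApiAccess:
    """The five details MaaS360 needs to issue a token, plus the API admin account."""
    api_server: str        # assumed base URL of your MaaS360 API server
    billing_id: str
    app_id: str
    app_version: str
    platform_id: str
    app_access_key: str
    username: str          # the IBM MaaS360 administrator created with the API role
    password: str


def validate_password(password: str) -> None:
    """Enforce the guide's two password rules: no colon, and not the literal 'password'."""
    if ":" in password:
        raise ValueError("MDM access password must not contain a colon (:)")
    if password == "password":
        raise ValueError("MDM access password must not be the literal 'password'")


def auth_request(access: MaaS360ApiAccess) -> tuple[str, bytes]:
    """Return (URL, XML body) for the token request.

    Assumed shape: POST {api_server}/auth-apis/auth/1.0/authenticate/{billingID}
    with an <authRequest><maaS360AdminAuth>...</maaS360AdminAuth></authRequest> body.
    """
    validate_password(access.password)
    root = ET.Element("authRequest")
    admin = ET.SubElement(root, "maaS360AdminAuth")
    fields = {
        "billingID": access.billing_id,
        "platformID": access.platform_id,
        "appID": access.app_id,
        "appVersion": access.app_version,
        "appAccessKey": access.app_access_key,
        "userName": access.username,
        "password": access.password,
    }
    for tag, value in fields.items():
        ET.SubElement(admin, tag).text = value
    url = f"{access.api_server.rstrip('/')}/auth-apis/auth/1.0/authenticate/{access.billing_id}"
    return url, ET.tostring(root, encoding="utf-8")


def parse_auth_response(body: bytes) -> str:
    """Extract authToken from the response; fail closed on a non-zero errorCode.

    ElementTree is acceptable here because the response comes from the MaaS360
    server you configured, not from an untrusted party.
    """
    root = ET.fromstring(body)
    code = (root.findtext("errorCode") or "").strip()
    if code != "0":
        desc = root.findtext("errorDesc") or "no description"
        raise RuntimeError(f"MaaS360 authentication failed, errorCode={code or '?'}: {desc}")
    token = (root.findtext("authToken") or "").strip()
    if not token:
        raise RuntimeError("MaaS360 response carried no authToken")
    return token


def auth_header(token: str) -> dict[str, str]:
    """Authorization header for subsequent REST calls (assumed 'MaaS token' scheme)."""
    return {"Authorization": f'MaaS token="{token}"'}


# Constructed sample data, not real credentials.
SAMPLE_ACCESS = MaaS360ApiAccess(
    api_server="https://services.fiberlink.com",
    billing_id="30012345", app_id="com.example.gzmtd", app_version="1.0",
    platform_id="3", app_access_key="EXAMPLE-ACCESS-KEY",
    username="gzmtd-api-admin", password="Str0ng-Secret",
)
# Constructed response as the assumed authResponse element.
SAMPLE_RESPONSE = b"<authResponse><authToken>abc123-token</authToken><errorCode>0</errorCode></authResponse>"

if __name__ == "__main__":
    url, body = auth_request(SAMPLE_ACCESS)
    print(url)
    print(body.decode())
    print(auth_header(parse_auth_response(SAMPLE_RESPONSE)))
```

The password check mirrors the restriction in the prerequisites table so a misconfigured secret is rejected before any request leaves the host, and the response parser treats a missing token or a non-zero error code as failure rather than carrying on with an empty credential.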
Initial configuration
An optional Python script can perform the initial configuration of the IBM MaaS360 environment. The script publishes the iOS and Android GravityZone MTD apps from the public app stores and creates the custom attributes and several device groups.
Download the GravityZone MTD file with the scripts and Readme file from here.
After logging in, this link lets you download a ZIP file named like BitdefenderIntegrationScriptForMaaS360_version.zip, where version is the version of the script and ZIP collection.
The ZIP file contains the ReadMe_v2.0.pdf file, which details how to run the script.
Note
Before running the Runner.py script, you need the `requests` Python package installed. Use `pip install requests` to install it in the Python environment that will run the script, or any equivalent command that installs this package in your environment. The script in the ZIP file sets up the integration in the IBM MaaS360 environment and must only be run once.
To publish the GravityZone MTD application from the public application store, create a new public application and search the appropriate store for the GravityZone MTD app. The application is then published and installed on the assigned devices, and your users can activate it.
MDM configuration
To set up device synchronization, create an IBM MaaS360 administrator with the proper access:
Navigate to Setup > Roles > Add Role.
Enter a name and description for the new role.
Select the Service Administrator role as the template, then grant the role these permissions. Do not grant the integration account more than it needs.
Permission | Description |
---|---|
Manage Custom Attributes | Add, change, or delete custom attributes. |
Selective Wipe | Selectively wipe corporate data from the device. |
Set Custom Attribute Value | Set custom attribute values. |
User - Read-only | View-only access to a user's view. |
View installed apps | View the apps installed on a device. |
View Private groups | View private device groups for all admins. |
API access and device groups
To set up API access and create device groups:
Contact IBM Customer Support to get the REST API Key.
Optionally, create one or more Device Groups containing the devices to be protected. The Mobile Security console uses the selected Device Group(s) to synchronize devices and their associated users; if you do not create your own groups, you can use the predefined group.
Set Up User and Device Synchronization in Bitdefender Mobile Security console
To set up the MDM integration in Mobile Security Console:
Log in to Mobile Security console.
Go to the Manage page.
Select Integrations.
Click on Add MDM and select the MDM integration you want to use.
Enter the information listed in the table, and click Next.
Item | Specifics |
---|---|
URL | URL of the IBM MaaS360 API Server. |
Username | IBM MaaS360 administrator created with the API role access. |
Password | The password for the IBM MaaS360 administrator. |
MDM Name | The name used in the Mobile Security console for this MDM integration. It is prefixed to the MDM group name to form the Mobile Security console group name. |
Background Sync | Check this box to keep users and devices synchronized with the selected IBM MaaS360 Device Groups. You choose the groups on the next page. |
Mask Imported Users Information | Check this box to mask personally identifiable information about the user, such as name or email address, when it is displayed. |
App Access Key | The app access key value from this MDM provider. IBM provides the key after web services are enabled. |
Billing ID | The billing ID from this MDM provider. |
App ID | The app identifier from this MDM provider. |
App Version | The app version from this MDM provider. |
Platform ID | The platform ID from this MDM provider. |
Send Device Activation email via the Mobile Security console for iOS Devices | Check this box to send an email to the user for every iOS device synced from the MDM. |
Send Device Activation email via the Mobile Security console for Android Devices | Check this box to send an email to the user for every Android device synced from the MDM. |
Click Next and choose the Device Group(s) to synchronize. The available groups appear in the Available Device Groups list and can be moved to the Selected Mobile Security Console Groups list by clicking the plus sign (‘+’). Click the minus sign (‘-’) to move a group back.
Click Next.
Specify the MDM alerts if you want to be notified when there are MDM sync errors. If you want more than one email address, separate them by a comma.
Click Finish to save the configuration, then click Sync Now to start the first synchronization.
Configuring device application auto-activation
iOS
The iOS GravityZone MTD application uses the Managed Application Configuration pushed with the app to the device. This gives the best user experience, because the user can start iOS GravityZone MTD without entering any credentials: the Managed Application Configuration pre-populates the required information.
Configure the following keys; the same keys and values are used in the PLIST XML.
Configuration Key | Value Type | Configuration Value | Additional Notes |
---|---|---|---|
MDMDeviceID | String | %csn% | |
tenantid | String | Retrieve from Mobile Security Console | Copy the value from the Tenant ID field on the Mobile Security Console Manage page under the General tab. |
defaultchannel | String | Retrieve from Mobile Security Console | Copy the value from the Default Channel field on the Mobile Security Console Manage page under the General tab. |
tracking_id_1 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
tracking_id_2 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
display_eula | String | no | (Optional) If this key is not used, the default displays the End User License Agreement (EULA). |
Choose Config XML File (Manual) or Key/Value as the App Config Source.
If you select the XML file option, the XML file contains these keys and values as a property list.
If you select the key-value pair option, you enter the values directly without creating a file.
Android
Android Enterprise users can continue to use the managed app configuration for activations. You need to make sure you are passing the right device ID value for the configuration parameter.
For native Android devices, activations require the use of activation URLs. These can be sent to end-users through the Mobile Security Console or the MDM.
Opening GravityZone MTD without the link does not activate it on Android devices. When the user opens the app through the activation URL, it activates and downloads the correct Threat Policy.
To access activation links, navigate to Mobile Security Console Manage and Integrations for MDMs.
After the MDM is added, an activation link is provided for devices. The MDM device identifier is appended to this link. The Mobile Security Console page displays the link's expiration date and time, and the link can be regenerated if needed.
The administrator sends the concatenated activation link to users by email or text, along with instructions to accept the GravityZone MTD app being pushed to them.
Use the values in the table for configuration:
Configuration Key | Value Type | Configuration Value | Additional Notes |
---|---|---|---|
MDMDeviceID | String | %deviceid% | |
tenantid | String | Retrieve from Mobile Security Console | Copy the value from the Tenant ID field on the Mobile Security Console Manage page under the General tab. |
defaultchannel | String | Retrieve from Mobile Security Console | Copy the value from the Default Channel field on the Mobile Security Console Manage page under the General tab. |
tracking_id_1 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
tracking_id_2 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
display_eula | String | no | (Optional) If this key is not used, the default displays the End User License Agreement (EULA). |
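The iOS and Android key tables above differ only in the device identifier substitution variable (%csn% versus %deviceid%). The following added example, which is not Bitdefender's or IBM's tooling, turns either table into the PLIST XML that the Config XML File (Manual) option accepts and checks a hand-edited file before upload. The tenant ID and default channel values in the example are constructed placeholders; copy the real values from the Manage page as the tables instruct.

```python
"""Generate and validate the GravityZone MTD managed application configuration.

Added example, not Bitdefender's or IBM's own code. It builds the key set from
this guide's configuration tables, substituting %csn% (iOS) or %deviceid%
(Android Enterprise) for MDMDeviceID, and serialises it to the PLIST XML used
by the Config XML File (Manual) option. Tenant and channel values here are
constructed placeholders.
"""
from __future__ import annotations

import plistlib

# MaaS360 substitution variable for the device identifier, per platform (from the guide).
DEVICE_ID_VARIABLE = {"ios": "%csn%", "android": "%deviceid%"}

# Keys that must be present and carry real values before the configuration is pushed.
REQUIRED_KEYS = ("MDMDeviceID", "tenantid", "defaultchannel")


def build_app_config(platform: str, tenant_id: str, default_channel: str,
                     tracking_id_1: str | None = None, tracking_id_2: str | None = None,
                     display_eula: bool = True) -> dict[str, str]:
    """Assemble the configuration dictionary.

    All values are strings, as the guide's tables require. display_eula is only
    emitted as "no" when the EULA should be suppressed; omitting the key already
    means the EULA is shown, so the default case adds nothing.
    """
    try:
        device_var = DEVICE_ID_VARIABLE[platform]
    except KeyError:
        raise ValueError(f"platform must be one of {sorted(DEVICE_ID_VARIABLE)}") from None
    for name, value in (("tenant_id", tenant_id), ("default_channel", default_channel)):
        if not value.strip():
            raise ValueError(f"{name} must be copied from the Mobile Security Console, not left empty")
    config = {"MDMDeviceID": device_var, "tenantid": tenant_id, "defaultchannel": default_channel}
    if tracking_id_1:
        config["tracking_id_1"] = tracking_id_1
    if tracking_id_2:
        config["tracking_id_2"] = tracking_id_2
    if not display_eula:
        config["display_eula"] = "no"
    return config


def to_plist_xml(config: dict[str, str]) -> str:
    """Serialise to the XML property list that the Config XML File (Manual) option takes."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=False).decode()


def check_plist_xml(xml: str) -> dict[str, str]:
    """Parse a PLIST back and verify the required keys exist and every value is a string.

    Run this on a hand-edited file before uploading it; a missing tenantid or a
    non-string value silently breaks auto-activation on the device.
    """
    parsed = plistlib.loads(xml.encode())
    missing = [k for k in REQUIRED_KEYS if k not in parsed]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    wrong = [k for k, v in parsed.items() if not isinstance(v, str)]
    if wrong:
        raise ValueError(f"values must be strings, not: {wrong}")
    return parsed


if __name__ == "__main__":
    # Constructed placeholders; replace with the values from the Manage page, General tab.
    cfg = build_app_config("ios", "TENANT-ID-FROM-CONSOLE", "DEFAULT-CHANNEL-FROM-CONSOLE",
                           display_eula=False)
    xml = to_plist_xml(cfg)
    check_plist_xml(xml)
    print(xml)
```

Running the script prints the property list for the iOS table; passing `"android"` instead yields the same file with %deviceid% as the device identifier, which is what Android Enterprise managed app configuration expects.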