Mobile device configuration policies overview

CyberArk Identity provides a comprehensive range of policies for managing the security, features, and behavior of mobile devices.

  • If you do not see the CyberArk Management Settings when you open the Group Policy Management Editor, you need to install the Group Policy Console Extension on your computer. See Deploy the CyberArk Identity Connector for the instructions.

    Not all policies are supported in both the Group Policy Management Editor and CyberArk Identity policy service. The policy summaries in List of device configuration policies indicate whether each policy is available in one or both tools.
  • Although policies are listed in the Active Directory Group Policy Management Editor and CyberArk Identity policy service, their availability is determined by the licenses you have purchased.

Common Mobile Settings

Common Mobile Settings contains mobile device policies and two branches—Passcode Settings and Restrictions Settings—with additional policies. See Common Mobile Settings for the full list of policies.

Policies and branches

To do this

Common

Enable debug logging. Turns on the debug logging mode (the default is regular logging mode). When you set this policy, Enable Debug Logging in the device’s Setting page is set.

Restrictions Settings

Set rules governing the use of device features—for example, you can control the following:

  • whether or not the user can use the camera
  • whether or not the user can wipe the device
  • whether or not the user can unenroll the device
  • whether or not the device reports the device location

Security Settings

Set the rules for CyberArk Identity mobile app PIN requirements on devices and device PIN requirements. Hover over the information icon associated with each setting for more detailed information.

  • Show Mobile Authenticator by default -- Controls the availability of the Mobile Authenticator option on user mobile devices. Hover your mouse over the information icon for more information. See Authentication mechanisms for information specific to the Mobile Authenticator mechanism.
  • Enable auto-login to Identity portal from Android browser with Android app unlock (applies to Android devices only)

    The following settings are available:

    • Yes -- Users are automatically signed in to CyberArk Identity Portal if CyberArk Identity Android app is already unlocked and open (no additional authentication is required).

    • -- or No (-- is the default setting) -- Users are not automatically signed in to CyberArk Identity Portal if CyberArk Identity Android app is already unlocked and open (additional unlock mechanisms are required to access CyberArk Identity Portal).

  • Require authentication to open CyberArk app -- This setting must be set to Yes to configure the following rules relating to CyberArk Identity mobile app PIN use:

    • Automatically locks the CyberArk Identity mobile app on devices after the specified number of minutes. If you configure this option, users cannot configure the Inactive Timeout value on their devices.
    • Specifies the need for users to enter the PIN after the CyberArk Identity mobile app has been closed. If you configure this option, users cannot configure the Lock on Exit switch on the device.

    On iOS, priority is given to FaceID or TouchID as per availability.

    On Android, priority is given to biometrics that qualify as "strong". Depending on the device, strong biometric options can include a fingerprint scanner, face recognition, an iris scan, or a combination of face recognition and iris scan. The fingerprint scanner is the most common strong biometric on Android devices. For more information about how Android biometric security is determined, refer to https://source.android.com/security/biometric/measure.

    In addition, selecting Yes makes Require biometric authentication for mobile authenticator and QR code authenticator redundant.

  • Require biometric authentication for mobile authenticator and QR code authenticator -- Controls the requirement of a biometric scan to approve the mobile authenticator request or to scan a QR code.

    On iOS, priority is given to FaceID or TouchID as per availability.

    On Android, priority is given to biometrics that qualify as "strong". Depending on the device, strong biometric options can include a fingerprint scanner, face recognition, an iris scan, or a combination of face recognition and iris scan. The fingerprint scanner is the most common strong biometric on Android devices. For more information about how Android biometric security is determined, refer to https://source.android.com/security/biometric/measure.

    The default value is equivalent to No. When you select Yes, you have the option to use App PIN as a fallback for the biometric scan.

  • Enable Mobile authenticator and Passcodes on Apple Watch -- Controls whether users can use a paired Apple Watch to respond to push notifications (mobile authenticator) and see passcodes, regardless of requirements for biometric authentication to use those challenges.

    • Select Yes to allow using Apple Watches for push notifications and passcodes even if you require biometric authentication on the iOS CyberArk Identity mobile app.

    • Select No to hide passcodes on Apple Watches and present an error message when users try to respond to a push notification on an Apple Watch. Behavior on the iOS app is not affected.

    The default behavior is equivalent to Yes.

Require number matching for mobile authenticator to prevent accidental approvals

Require passcode on device -- This setting must be set to Yes to configure the following rules governing passcode use:

  • Allows a passcode with simple values
  • Automatically locks the device after a specified number of minutes
  • Specifies the maximum number of failed attempts before the device is wiped
  • Specifies a grace period (the amount of time before users need to re-enter the passcode)
  • Specifies the number of passcodes to store and compare against new passcodes
  • Specifies the number of days a passcode stays valid until users must reset it
  • Specifies the minimum number of complex characters required for the passcode
  • Specifies the minimum number of characters required for the passcode
  • Specifies the alphanumeric value requirement for the passcode
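The rules above are enforced by the device OS, but it helps to see how they combine when a user proposes a new passcode. The following is an added example (not CyberArk's code) that evaluates a candidate passcode against a policy built from these settings; the field names, the definition of a "simple" value (repeated or sequential characters) and the treatment of "complex" as non-alphanumeric are assumptions for this example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class PasscodePolicy:
    """Device passcode rules mirroring the Require passcode on device options.
    Field names and defaults are assumptions for this example, not CyberArk's."""
    allow_simple: bool = False          # Allows a passcode with simple values
    max_failed_attempts: int = 10       # failed attempts before the device is wiped
    history_count: int = 5              # passcodes stored and compared against new ones
    min_complex_chars: int = 1          # minimum non-alphanumeric characters
    min_length: int = 6                 # minimum number of characters
    require_alphanumeric: bool = True   # must contain both letters and digits


def is_simple(passcode: str) -> bool:
    """Assumption: 'simple' means one repeated character, or a strictly
    ascending/descending run of consecutive characters (123456, fedcba)."""
    if len(passcode) == 0:
        return False
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps == {1} or steps == {-1}


def check_passcode(candidate: str, policy: PasscodePolicy,
                   history: List[str]) -> List[str]:
    """Return every rule the candidate violates (an empty list means accepted).
    `history` holds previous passcodes, oldest first; a real implementation
    compares salted hashes rather than plaintext values."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"fewer than {policy.min_length} characters")
    complex_count = sum(1 for c in candidate if not c.isalnum())
    if complex_count < policy.min_complex_chars:
        violations.append(f"fewer than {policy.min_complex_chars} complex characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy.require_alphanumeric and not (has_alpha and has_digit):
        violations.append("must contain both letters and digits")
    if not policy.allow_simple and is_simple(candidate):
        violations.append("simple value (repeated or sequential characters)")
    # history_count == 0 disables reuse checking; guard against history[-0:],
    # which would otherwise select the whole list.
    recent = history[-policy.history_count:] if policy.history_count > 0 else []
    if candidate in recent:
        violations.append(f"reuses one of the last {policy.history_count} passcodes")
    return violations


def wipe_required(failed_attempts: int, policy: PasscodePolicy) -> bool:
    """True once the failed-attempt counter reaches the wipe threshold."""
    return failed_attempts >= policy.max_failed_attempts


if __name__ == "__main__":
    policy = PasscodePolicy()
    previous = ["Spring#2023", "Summer#2023"]  # constructed passcode history
    for candidate in ("123456", "Autumn#2023", "Summer#2023"):
        print(candidate, check_passcode(candidate, policy, previous) or "accepted")
```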

Wi-Fi Settings

Configure Wi-Fi profiles for iOS devices and Android devices.

iOS settings

iOS Settings contains the policy you use to configure Exchange Sync communications on the device and a set of restrictions settings. See iOS Settings for the full list of restriction settings.

In addition, you can configure the device to run in kiosk mode. In this mode, the device runs a single application and lets you control the device’s operating features while that application is running.

Policy

To do this

Exchange Sync Settings

Configure the Exchange Sync profile for the iOS devices. For example, define the Exchange Sync server name and an attribute variable for the user name.

Restrictions Settings

Set rules governing the use of device features—for example, permitting or prohibiting Safari, YouTube, and Photos Stream use and setting requirements for encrypted backups and an iTunes Store password.

Domain Settings

Specify domains so that files downloaded from these domains using Safari must be opened using managed applications. This policy requires the “Permit opening managed app documents in unmanaged apps” and “Permit opening unmanaged app documents in managed apps” settings in iOS Settings, Restrictions to be set to “No”. See Data access by domains for Safari.

Specify domains so that email addresses that do not match these domains will be highlighted in the user’s email software.

Kiosk Mode

Put the device in single application mode and designate the home launcher.

Use the “Enable kiosk mode” policy to allow just a single application to run on the device and specify the application that will be the home launcher. You can use the other policies in this category to manage the user interface while the application is running. Only home launcher applications can be used in kiosk mode.

After the application is installed, the device automatically opens to kiosk mode.

You can specify the CyberArk Identity mobile app by selecting “Use MDM client as kiosk mode application.” When you select the CyberArk Identity mobile app, it behaves a little differently than when it’s launched from the home screen:

  • There is no Authentication tab.
  • All web applications open only in the CyberArk Identity mobile app’s built-in browser.
  • In the Settings tab, the Show Authenticator, Default Browser, and Unenroll Mobile Device options are hidden.

Global HTTP Proxy

Filter HTTP traffic on iOS devices by defining the proxy server that the device can access. You can manually enter the proxy server information or enter the URL for the proxy settings.

This policy only applies to supervised devices.

Per app VPN settings

Map a mobile application to a specific VPN connection.

See Configure VPNs in iOS devices for more details.


Data access by domains for Safari

You can specify that files downloaded from specific domains using Safari must be opened using managed applications.

To configure managed application data access by domains for Safari:

  1. Log in to the Admin portal.
  2. Click Core Services > Policies and select an existing relevant policy or create a new one.
  3. Click Endpoint Policies, iOS Settings, Domain Settings, Add button associated with the Managed Safari Web Domains section.
  4. Enter the relevant domains.
  5. Click Save on the add domain window and again on the domain settings window.
  6. Click Restrictions Settings.
  7. Select No for the “Permit opening managed app documents in unmanaged apps” and “Permit opening unmanaged app documents in managed apps” settings.
  8. Click Save.

On non-Safari browsers, how documents and data are handled by managed and unmanaged applications depends on how the browsers were installed (as managed or unmanaged applications) and how you have configured the “Permit opening managed app documents in unmanaged apps” and “Permit opening unmanaged app documents in managed apps” settings.

OS X and iOS Settings

OS X and iOS Settings contains policies you set to configure communications and application synchronization for iOS-based devices and OS X-based Macs.

Policies

To do this

Certificate profiles

Create a profile to distribute certificates to iOS and OS X devices. Certificates can then be used by Wi-Fi providers or websites for authentication.

Configuration profiles

Upload configuration profiles (.mobileconfig files only) to iOS and OS X devices. For example, you can upload a Wi-Fi configuration profile to define how Wi-Fi should be configured.

VPN Settings

Configure VPN profiles for iOS devices and OS X devices.

OS X Settings

OS X Settings contains policies and a set of restriction settings. These policies apply only to enrolled Mac computers. See CyberArk Identity Mac Policy Settings for the full list of Restriction Settings.

Policies and branches

To do this

Restrictions Settings

Enable application and preferences policies and set restrictions for the following:

  • Applications: Define the folders from which users can or cannot launch applications.
  • Media: Enable or disable user access to device media—for example, DVDs, external disks, and recordable disks.
  • Preferences: Restrict which system preferences are available to the user.

Custom settings

Specify preference domains for applications that use the standard OS X defaults plist system.

Open applications when user logs in

Specify applications to open when user logs in.

Open authenticated network mounts when user logs in

Specify authenticated network mounts opened when the user logs in.

Open files, folders, and items when user logs in

Specify files, folders, and items to open at login.

Open network mounts when user logs in

Specify the network mounts to be opened when the user logs in.

Permit shift key to skip opening items when user logs in

Turn off the user's ability to bypass a login item.

Security and privacy settings

Enable the following usage policies:

  • Do not allow user to override Gatekeeper settings
  • Allow user to change password
  • Require password after sleep or screen saver begins
  • Allow user to set lock message
  • FileVault encryption for enrolled devices

    FileVault encryption is applied to enrolled devices when an administrator logs in. Encryption begins when the device is reset following an administrator login. Only OS X users with administrative privileges can encrypt an enrolled device.

    Refer to https://support.apple.com/en-us/HT204837 for more information about FileVault.

    If you select Permit one-time display of recovery key on user’s Mac device, admin users see their recovery key the first time they log in after you enable the FileVault encryption policy. This is the only time users see the recovery key.

    After the FileVault encryption policy is pushed and an enrolled device’s FileVault is turned on, you can retrieve the recovery key by selecting Show FileVault Recovery Key from the device’s action menu in the Identity Administration portal. Refer to Use device management commands for more information.

    Devices remain encrypted even if you disable the FileVault encryption policy in the Identity Administration portal. OS X admin users can only turn off FileVault encryption on the device if the policy is disabled in the Identity Administration portal or the device is unenrolled.

Application management

Enable the Munki Managed Software Center client to manage application deployment for your users. Refer to Mac application management for additional detail.

Touchdown settings

You use the Touchdown Settings policy to define the Exchange Sync profile on Android devices that use the Touchdown application for email.

Exchange profiles

You use the Exchange Settings policy to configure Exchange account profiles that are downloaded to devices by CyberArk Identity. Each profile defines the security and synchronization properties assigned to a specific Exchange Sync server. You must create a separate profile for each Exchange server.

You configure the Exchange Sync server profile separately for each type of device. For example, if your users have a mix of Android and iOS devices, you would define profiles in the following branches:

  • Touchdown Settings: You use this policy for Exchange Sync configuration for Android devices that do not provide a configurable email client.
  • iOS Settings: Use these policies for the iOS devices that use Exchange Sync servers.

    If you have a POP or IMAP server for your iOS email, do not use this policy. Use the OS X and iOS Settings > Mail settings policy instead.

Do not create multiple profiles for any one platform (for example, an iOS or Android device) in the same group policy object or policy set unless each profile applies to a different Exchange server.

Set the user name

If you are using Active Directory or another LDAP server as your ID repository, you can use an attribute variable to specify an account’s user name. You can use any Active Directory/LDAP attribute that contains the user’s name, but the most useful ones are the following:

Active Directory/LDAP attribute    Enter this variable
userPrincipalName                  %{userPrincipalName}
samAccountName                     %{samAccountName}

For example, the following Exchange profile for an iOS device uses the Active Directory/LDAP userPrincipalName variable in the User Name field:

When a user enrolls a device, CyberArk Identity contacts Active Directory/LDAP to resolve the user name attribute value for that device.

When an authentication domain is specified in the profile, CyberArk Identity builds the user name with the authentication domain first, followed by a backslash and then the user name. For example, CyberArk Identity would resolve the following values to user name gmail.com\j.weeks:

  • Active Directory/LDAP user: j.weeks@acme.com
  • Authentication Domain: gmail.com
  • User Name attribute variable: %{samAccountName}
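To make the resolution rule concrete, here is an added example (not CyberArk's code) that expands a %{attribute} variable from a directory record and applies the authentication-domain prefix exactly as described for j.weeks above. The directory record is constructed for the example, and case-insensitive attribute matching is an assumption.

```python
import re
from typing import Dict, Optional

# Matches an attribute variable written as %{attributeName}
VARIABLE = re.compile(r"%\{([A-Za-z][A-Za-z0-9-]*)\}")


def resolve_user_name(template: str, attributes: Dict[str, str],
                      authentication_domain: Optional[str] = None) -> str:
    """Expand every %{...} variable in `template` from the directory record,
    then prefix the result with the authentication domain and a backslash
    when a domain is configured in the profile.
    Assumption: attribute names match case-insensitively, as LDAP does."""
    lowered = {name.lower(): value for name, value in attributes.items()}

    def lookup(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name.lower() not in lowered:
            # Refuse to enroll with a half-resolved name rather than guess.
            raise KeyError(f"attribute {name!r} not present on the directory record")
        return lowered[name.lower()]

    user_name = VARIABLE.sub(lookup, template)
    if authentication_domain:
        return f"{authentication_domain}\\{user_name}"
    return user_name


# Constructed directory record for the j.weeks example.
J_WEEKS = {"userPrincipalName": "j.weeks@acme.com", "samAccountName": "j.weeks"}


def resolve_example() -> str:
    """The worked case above: domain gmail.com, variable %{samAccountName}."""
    return resolve_user_name("%{samAccountName}", J_WEEKS, "gmail.com")


if __name__ == "__main__":
    print(resolve_example())                                   # gmail.com\j.weeks
    print(resolve_user_name("%{userPrincipalName}", J_WEEKS))  # j.weeks@acme.com
```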

Certificates

You can configure the profile so that CyberArk Identity installs a certificate generated either by the CyberArk CA or the Active Directory Certificate Services certification authority you designated (see Select the policy service for device management). The certificate, regardless of the source, is automatically generated and installed in the device when the user enrolls the device.

When you use a certificate for authentication, be sure to set the “Provide client certificate” option in the profile.

If you are using the CyberArk Cloud Directory policy service for device management policy, the CyberArk CA is used to generate certificates. If you’re using Active Directory group policy for device management policy, the Windows Certificate Authority server is used to generate certificates. You cannot have a hybrid in which, for example, you select the CyberArk Cloud Directory policy service for device management policy but use the Windows Certificate Authority server to generate certificates.

Some configuration of the Windows servers is necessary with either certificate source:

Modify the IIS (Web) and Exchange server configuration for CyberArk CA certificates

There are two phases to configuring the Exchange server to trust the CyberArk CA:

  • Adding the CyberArk CA certificate.
  • Configuring IIS to support client certificate authentication.

The following procedures illustrate one way to perform these tasks. However, if you have more familiar procedures you can use them.

To add the CyberArk CA certificate to the Exchange server:

  1. Open the Identity Administration portal, click Settings, and click Certificates.

    Click Download and copy the certificate to a folder you can access from the Exchange server.

  2. Log in to the Exchange server with an administrator account and enter the following command at a PowerShell prompt:

    certutil -dspublish <cert name>.cer NTAuthCA

    where <cert name> is the name of the certificate you downloaded in the Identity Administration portal.

    This command enters the certificate into the Active Directory configuration container. To confirm, you can open ADSI Edit and expand the Configuration container to CN=Public Key Services. The certificate should be added to the list.

  3. Open the Certificate Import Wizard.

    For example, double click the certificate’s file icon to open the Certificate Import Wizard and click Install Certificate.

  4. Select Local Machine and click Next.

  5. Select Automatically select the certificate store based on the type of certificate and click Next.

  6. Click Finish.

  7. Click OK to exit the wizard.

To configure the IIS connections to support client certificate authentication:

  1. On the Exchange server, in the Connections pane, click the Exchange server node.
  2. Open the Authentication icon.

  3. Enable Active Directory Client Certificate Authentication.

  4. Expand Default Web Site and click Microsoft-Server-ActiveSync.

  5. Open the Authentication icon.

  6. Disable all of the authentication methods.

  7. Under IIS, open the SSL Settings (not shown in this picture).

  8. Set Require SSL and for Client certificates select either Accept or Require.

  9. Open the Configuration Editor icon.

  10. Expand system.webServer > security > authentication and enable clientCertificateMappingAuthentication.

  11. Expand Exchange Back End and select Microsoft-Server-ActiveSync.

  12. Open the Authentication icon.

  13. Enable Anonymous Authentication and Windows Authentication.

  14. Open the SSL Settings.

  15. Set Require SSL and for Client certificates select either Accept or Require.

Configure VPN profiles

You use the VPN Settings policy to configure profiles that are downloaded to devices by CyberArk Identity. Each profile defines a VPN connection name, the server name, VPN type, and other properties.

The following VPN types are supported:

  • PPTP
  • IPSEC (Cisco)
  • Third-Party VPN
  • IKEv2
  • L2TP

Configure the Custom vendor option

After a VPN profile has been created, you can modify the profile and specify the VPN vendor in the Security tab of the VPN Profile window. The Vendor options are:

  • Cisco AnyConnect
  • Juniper SSL
  • F5 SSL
  • SonicWALL Mobile Connect
  • Aruba VIA
  • Custom

The Custom option is the only vendor option that requires further configuration. To configure the Custom option:

  1. Right-click a VPN profile and choose Modify from the menu.
  2. In the VPN Profile window, click the Security tab on the left.
  3. Click the Vendor drop-down list and then choose Custom from the menu.
  4. Consult your VPN vendor to gather information to complete the Custom vendor form.
  5. Under the VPN Custom Data heading, click Add to display fields for keys and string values for VPN provider-specific custom data.
  6. After entering your custom vendor information, click Save.

Users of Pulse Secure 7.0+ should choose the Custom vendor option rather than Juniper SSL (for more information, visit this knowledge base article).

Any VPN vendor app that uses the Apple Network Extension framework must use the Custom option; otherwise, it might interfere with Wi-Fi or Exchange profiles that use PKI certificates.

Certificate-based authentication is available for VPN connections. When the profile specifies certificate authentication, CyberArk Identity calls either the CyberArk CA or the Active Directory Certificate Services certification authority server you designated (see Select the policy service for device management). CyberArk Identity works with the certificate authority to create the certificate when the user enrolls the device and then automatically installs it on the device.

Configure a VPN to use certificates for authentication

When you use certificates for authentication, the user or computer certificate is automatically generated and installed when the user enrolls the device. If you are using the CyberArk Cloud Directory policy service for device policy management, CyberArk Identity uses CyberArk CA to generate the certificate. If you are using Active Directory group policy for device policy management, CyberArk Identity uses the Windows certification authority server you designated in the connector to generate the certificate.

If CyberArk Identity uses the Windows certification authority server, you need to create the user and computer certificate templates—see Manage AD certificates in devices for the details.

When you configure the policy in the CyberArk Cloud Directory policy service, you may need to upload the certificate for the certification authority that issued the certificate for the VPN concentrator. You don’t need to upload the certification authority’s certificate if the VPN concentrator’s certificate was issued by a well-known, commercial, certification authority or is self-signed. However, if the VPN concentrator’s certificate is neither, you need to upload the certification authority's certificate to CyberArk Identity. You upload this certificate using the VPN Setting policy.

See your VPN concentrator or server vendor’s instructions for uploading the CyberArk CA certificate. You create a CyberArk CA certificate for uploading by clicking Download on the Device Policy Management page in the Identity Administration portal Settings (see Select the CyberArk Cloud Directory policy service).

Configure VPNs in iOS devices

You can define a VPN connection profile in the VPN Settings policy for use by all applications or only for use by an individual application. If you set the profile “for selected applications only,” you assign the VPN profile to the application in the Per App VPN settings policy.

The same profiles can be used on OS X devices.

Some VPN clients do not support both options. For example, the Cisco client supports only the “VPN is only for selected applications” option.

When you set a VPN connection “for selected applications only,” you can also configure it to auto connect when the application is opened. There are two settings available:

  • Connect Automatically on application is launched: Set this option if you are assigning the VPN to native iOS applications.
  • Connect automatically for specified domains for Safari: Use this option to open the connection automatically when the user opens a web application from Safari. Enter the web application’s domain name to automate opening the connection.
  • VPN on demand: Enable to define specific domains that will automatically initiate a VPN connection when they are accessed and specific domains that will NOT automatically initiate a VPN connection when they are accessed.

See the help information associated with the configuration options (Identity Administration portal > Policies > Endpoint Policies > OS X and iOS Settings > VPN Settings) for information related to each option.

If you are using one profile for all applications, you can use certificates for authentication by selecting Third Party VPN as the VPN type in the General tab and then in the Security tab selecting Certificate for User Authentication. When you select Certificate, you need to specify the file name for the VPN server certificate in the VPN CA Certificate field.

For Juniper VPN, we support the Pulse Secure iOS client.

Configure Wi-Fi profiles

You use the Wi-Fi Settings policy to configure profiles that define the security type (for example WPA or WEP), accepted EAP types, and other properties for a Wi-Fi service set identifier (SSID).

You can define separate Wi-Fi profiles for the same SSID in the Common Mobile Settings.

Certificate-based authentication is available for establishing a Wi-Fi connection. If you are using the CyberArk Cloud Directory policy service for device policy management, you use the Identity Administration portal to create a policy set with the Wi-Fi profiles. In this case, the certificates are automatically issued by the CyberArk CA and installed by CyberArk Identity when the user enrolls the device. You must select either WEP Enterprise or WPA/WPA2 Enterprise as the Security type on the General tab and TLS as the EAP type to use certificates.

When you configure the policy in the CyberArk Cloud Directory policy service, you may need to upload the certificate for the certification authority that issued the certificate for the Wi-Fi access point. You don’t need to upload the certification authority’s certificate if the access point’s certificate was issued by a well-known, commercial, certification authority or is self-signed. However, if the access point’s certificate is neither, you need to upload the certification authority's certificate to CyberArk Identity. You upload this certificate using the Wi-Fi Setting policy.

See your Wi-Fi access point vendor’s instructions for uploading the CyberArk CA certificate. You create a CyberArk CA certificate for uploading by clicking Download on the Device Policy Management page in the Identity Administration portal Settings (see Select the CyberArk Cloud Directory policy service).

If you are using Active Directory group policy for device policy management, you use the Active Directory Group Policy Management Editor to create the Wi-Fi profiles. In this case, the certificates are automatically issued and renewed by the Active Directory Certificate Services certificate server you designate (see Select the policy service for device management) and installed by CyberArk Identity when the user enrolls the device. You must create user and computer templates for the certificates on the Windows Certificate Authority server. See Manage AD certificates in devices.