Mobile device configuration policies overview

CyberArk Identity provides a comprehensive range of policies for managing the security, features, and behavior of mobile devices.

Samsung has deprecated the KNOX container feature for S10 devices and newer. Devices using KNOX 3.3 and higher are no longer supported; however, devices prior to the S10 will continue to support KNOX containers.

https://docs.samsungknox.com/dev/knox-sdk/com-deprecation.htm

https://docs.samsungknox.com/dev/knox-sdk/container-create-byod.htm

  • If you do not see the CyberArk Management Settings when you open the Group Policy Management Editor, you need to install the Group Policy Console Extension on your computer. See Deploy the CyberArk Identity Connector for the instructions.

    Not all policies are supported in both the Group Policy Management Editor and CyberArk Identity policy service. The policy summaries in List of device configuration policies indicate whether each policy is available in one or both tools.
  • Although policies are listed in the Active Directory Group Policy Management Editor and CyberArk Identity policy service, their availability is determined by the licenses you have purchased. See License keys for the details.

Common Mobile Settings

Common Mobile Settings contains mobile device policies and two branches—Passcode Settings and Restrictions Settings—with additional policies. See Common Mobile Settings for the full list of policies.

Policies and branches

To do this

Common

Enable debug logging. Turns on the debug logging mode (the default is regular logging mode). When you set this policy, Enable Debug Logging in the device’s Settings page is set.

This policy is not supported on Samsung KNOX devices.

Restrictions Settings

Set rules governing the use of device features—for example, you can control the following:

  • whether or not the user can use the camera
  • whether or not the user can wipe device
  • whether or not the user can unenroll the device
  • whether or not the device reports the device location

Security Settings

Set the rules for CyberArk Identity mobile app PIN requirements on devices and device PIN requirements. Hover over the information icon associated with each setting for more detailed information.

  • Show Mobile Authenticator by default -- Controls the availability of the Mobile Authenticator option on user mobile devices. Hover your mouse over the information icon for more information. See Authentication mechanisms for information specific to the Mobile Authenticator mechanism.
  • Enable auto-login to Identity portal from Android browser with Android app unlock (applies to Android devices only)

    The following settings are available:

    • Yes -- Users are automatically signed in to the CyberArk Identity Portal if the CyberArk Identity Android app is already unlocked and open (no additional authentication is required).

    • No or -- (-- is the default setting) -- Users are not automatically signed in to the CyberArk Identity Portal if the CyberArk Identity Android app is already unlocked and open (additional unlock mechanisms are required to access the CyberArk Identity Portal).

  • Require authentication to open CyberArk app -- This setting must be set to Yes to configure the following rules relating to CyberArk Identity mobile app PIN use:

    • Automatically locks the CyberArk Identity mobile app on devices after the specified number of minutes. If you configure this option, users cannot configure the Inactive Timeout value on their devices.
    • Specifies whether users must enter the PIN after the CyberArk Identity mobile app has been closed. If you configure this option, users cannot configure the Lock on Exit switch on the device.

    On iOS, priority is given to FaceID or TouchID as per availability.

    On Android, priority is given to biometrics that qualify as "strong". Depending on the device, strong biometric options can include a fingerprint scanner, face recognition, an iris scan, or a combination of face recognition and iris scan. The fingerprint scanner is the most common strong biometric on Android devices. For more information about how Android biometric security is determined, refer to https://source.android.com/security/biometric/measure.

    In addition, selecting Yes makes Require biometric authentication for mobile authenticator and QR code authenticator redundant.

  • Require biometric authentication for mobile authenticator and QR code authenticator -- Controls the requirement of a biometric scan to approve the mobile authenticator request or to scan a QR code.

    On iOS, priority is given to FaceID or TouchID as per availability.

    On Android, priority is given to biometrics that qualify as "strong". Depending on the device, strong biometric options can include a fingerprint scanner, face recognition, an iris scan, or a combination of face recognition and iris scan. The fingerprint scanner is the most common strong biometric on Android devices. For more information about how Android biometric security is determined, refer to https://source.android.com/security/biometric/measure.

    The default value is equivalent to No. When you select Yes, you have the option to use App PIN as a fallback for the biometric scan.

Require passcode on device -- This setting must be set to Yes to configure the following rules governing passcode use:

  • Allows a passcode with simple values
  • Automatically locks the device after a specified number of minutes
  • Specifies the maximum number of failed attempts before the device is wiped
  • Specifies a grace period (the amount of time before users need to re-enter the passcode)
  • Specifies the number of passcodes to store and compare against new passcodes
  • Specifies the number of days a passcode stays valid until users must reset it
  • Specifies the minimum number of complex characters required for the passcode
  • Specifies the minimum number of characters required for the passcode
  • Specifies the alphanumeric requirement for the passcode
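The rules above describe what the device enforces, but the document does not show the evaluation itself. The following Python is an added illustration written for this page, not CyberArk's or Apple's code: a validator that checks a candidate passcode against constructed policy values modelled on the settings listed (simple values, minimum length, complex characters, alphanumeric requirement, history), plus a merge step that keeps the stronger of an administrator-set value and a device default, as the note under Samsung KNOX Passcode Settings later on this page describes. The policy key names, the reading of "simple value" (one repeated character or a consecutive run) and of "complex character" (anything that is not a letter or digit) are assumptions.

```python
from typing import Dict, List


def is_simple_value(passcode: str) -> bool:
    """True for passcodes made of one repeated character or a run of
    consecutive ascending/descending characters ("1111", "1234", "dcba").
    Assumed reading of "simple values"; the product's exact rule is not
    stated on the page."""
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps == {1} or steps == {-1}


def count_complex_chars(passcode: str) -> int:
    """Count characters that are neither letters nor digits (assumed
    definition of a "complex character")."""
    return sum(1 for c in passcode if not c.isalnum())


def check_passcode(candidate: str, policy: Dict, history: List[str]) -> List[str]:
    """Return the policy rules the candidate violates (empty list = accepted).

    `policy` keys are constructed names mirroring the settings listed above,
    not the product's configuration keys:
      allow_simple (bool), min_length (int), min_complex (int),
      require_alphanumeric (bool), history_count (int)
    `history` holds previously used passcodes, most recent first.
    """
    violations = []
    if not policy.get("allow_simple", True) and is_simple_value(candidate):
        violations.append("simple value not allowed")
    if len(candidate) < policy.get("min_length", 0):
        violations.append(f"shorter than {policy['min_length']} characters")
    if count_complex_chars(candidate) < policy.get("min_complex", 0):
        violations.append(f"fewer than {policy['min_complex']} complex characters")
    if policy.get("require_alphanumeric") and not (
        any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
    ):
        violations.append("must contain both letters and digits")
    # Only the most recent `history_count` passcodes are stored and compared.
    if candidate in history[: policy.get("history_count", 0)]:
        violations.append("reuses a recent passcode")
    return violations


def effective_policy(configured: Dict, device_default: Dict) -> Dict:
    """Merge an administrator-configured policy with the device's own defaults,
    keeping the stronger value for each setting: a weaker administrator value
    does not relax what the device already requires."""
    merged = dict(device_default)
    for key, value in configured.items():
        base = device_default.get(key)
        if base is None:
            merged[key] = value
        elif key == "allow_simple":
            merged[key] = base and value      # forbidding simple values wins
        elif key == "require_alphanumeric":
            merged[key] = base or value       # requiring alphanumeric wins
        else:
            merged[key] = max(base, value)    # larger minimum / history wins
    return merged


if __name__ == "__main__":
    # Constructed sample policy and history for demonstration only.
    policy = {"allow_simple": False, "min_length": 6, "min_complex": 1,
              "require_alphanumeric": True, "history_count": 3}
    for candidate in ("1234", "Zx9!kq"):
        print(candidate, "->", check_passcode(candidate, policy, ["Zx9!kq"]) or "accepted")
    print(effective_policy({"min_length": 4}, {"min_length": 6}))
```

The history comparison is deliberately limited to the first `history_count` entries, which is the behaviour the "number of passcodes to store and compare" setting implies; a real implementation would compare hashes rather than the stored plaintext used here for clarity.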

Wi-Fi Settings

Configure Wi-Fi profiles for iOS devices and Android devices other than Samsung KNOX devices.

iOS settings

iOS Settings contains the policy you use to configure Exchange Sync communications on the device and a set of restrictions settings. See iOS Settings for the full list of restriction settings.

In addition, you can configure the device to run in kiosk mode. In this mode, the device runs a single application and lets you control the device’s operating features while that application is running.

Policy

To do this

Exchange Sync Settings

Configure the Exchange Sync profile for the iOS devices. For example, define the Exchange Sync server name and an attribute variable for the user name.

Restrictions Settings

Set rules governing the use of device features—for example, permitting or prohibiting Safari, YouTube, and Photos Stream use and setting requirements for encrypted backups and an iTunes Store password.

Domain Settings

Specify domains so that files downloaded from these domains using Safari must be opened using managed applications. This policy requires the “Permit opening managed app documents in unmanaged apps” and “Permit opening unmanaged app documents in managed apps” settings in iOS Settings, Restrictions to be set to “No”. See Data access by domains for Safari.

Specify domains so that email addresses that do not match these domains will be highlighted in the user’s email software.

Kiosk Mode

Put the device in single application mode and designate the home launcher.

Use the “Enable kiosk mode” policy to allow just a single application to run on the device and specify the application that will be the home launcher. You can use the other policies in this category to manage the user interface while the application is running. Only home launcher applications can be used in kiosk mode.

After the application is installed, the device automatically opens to kiosk mode.

You can specify the CyberArk Identity mobile app by selecting “Use MDM client as kiosk mode application.” When you select the CyberArk Identity mobile app, it behaves a little differently than when it is launched from the home screen:

  • There is no Authentication tab.
  • All web applications open only in the CyberArk Identity mobile app’s built-in browser.
  • In the Settings tab, the Show Authenticator, Default Browser, and Unenroll Mobile Device options are hidden.

Global HTTP Proxy

Filter HTTP traffic on iOS devices by defining the proxy server that the device can access. You can manually enter the proxy server information or enter the URL for the proxy settings.

This policy only applies to supervised devices.

Per app VPN settings

Map a mobile application to a specific VPN connection.

See Configure VPNs in iOS devices for more details.


Data access by domains for Safari

You can specify that files downloaded from specific domains using Safari must be opened using managed applications.

To configure managed application data access by domains for Safari:

  1. Log in to the Admin portal.
  2. Click Core Services > Policies and select an existing relevant policy or create a new one.
  3. Click Endpoint Policies, iOS Settings, Domain Settings, Add button associated with the Managed Safari Web Domains section.
  4. Enter the relevant domains.
  5. Click Save on the add domain window and again on the domain settings window.
  6. Click Restrictions Settings.
  7. Select No for the “Permit opening managed app documents in unmanaged apps” and “Permit opening unmanaged app documents in managed apps” settings.
  8. Click Save.

On non-Safari browsers, how documents and data are handled by managed and unmanaged applications depends on how the browsers were installed (as managed or unmanaged applications) and on how you have configured the “Permit opening managed app documents in unmanaged apps” and “Permit opening unmanaged app documents in managed apps” settings.

OS X and iOS Settings

OS X and iOS Settings contains policies you set to configure communications and application synchronization for iOS-based devices and OS X-based Macs.

Policies

To do this

Certificate profiles

Create a profile to distribute certificates to iOS and OS X devices. Certificates can then be used by Wi-Fi providers or websites for authentication.

Configuration profiles

Upload configuration profiles (.mobileconfig files only) to iOS and OS X devices. For example, you can upload a Wi-Fi configuration profile to define how Wi-Fi should be configured.

VPN Settings

Configure VPN profiles for iOS devices and OS X devices.

OS X Settings

OS X Settings contains policies and a set of restriction settings. These policies apply only to enrolled Mac computers. See CyberArk Identity Mac Policy Settings for the full list of Restriction Settings.

Policies and branches

To do this

Restrictions Settings

Enable application and preferences policies and set restrictions for the following:

  • Applications: Define the folders from which users can or cannot launch applications.
  • Media: Enable or disable user access to device media—for example, DVDs, external disks, and recordable disks.
  • Preferences: Restrict which system preferences are available to the user.

Custom settings

Specify preference domains for applications that use the standard OS X defaults plist system.

Open applications when user logs in

Specify applications to open when user logs in.

Open authenticated network mounts when user logs in

Specify authenticated network mounts opened when the user logs in.

Open files, folder and items when user logs in

Specify files, folders, and items to open at login.

Open network mounts when user logs in

Specify the network mounts to be opened when the user logs in.

Permit shift key to skip opening items when user logs in

Turn off the user's ability to bypass a login item.

Security and privacy settings

Enable the following usage policies:

  • Do not allow user to override Gatekeeper settings
  • Allow user to change password
  • Require password after sleep or screen saver begins
  • Allow user to set lock message
  • FileVault encryption for enrolled devices

    FileVault encryption is applied to enrolled devices when an administrator logs in. Encryption begins when the device is reset following an administrator log in. Only OS X users with administrative privileges can encrypt an enrolled device.

    Refer to https://support.apple.com/en-us/HT204837 for more information about FileVault.

    If you select Permit one-time display of recovery key on user’s Mac device, admin users see their recovery key the first time they log in after you enable the FileVault encryption policy. This is the only time users see the recovery key.

    After the FileVault encryption policy is pushed and an enrolled device’s FileVault is turned on, you can retrieve the recovery key by selecting Show FileVault Recovery Key from the device’s action menu in the Admin Portal. Refer to Use device management commands for more information.

    Devices remain encrypted even if you disable the FileVault encryption policy in the Admin Portal. OS X admin users can only turn off FileVault encryption on the device if the policy is disabled in the Admin Portal or the device is unenrolled.

Application management

Enable the Munki Managed Software Center client to manage application deployment for your users. Refer to Mac application management for additional detail.

Samsung KNOX Device Settings

You use the policies in this category to configure VPN, Wi-Fi, and Exchange Sync communications and a wide variety of other controls for Samsung KNOX devices. These policies are applied to the device when the user is outside the KNOX container only.

The Samsung KNOX Device policies have been introduced over time with each new version of the Samsung KNOX device’s mobile device management (MDM) software. The MDM version required for the policy is shown in each policy’s configuration instructions and in the tables in Samsung KNOX Device Settings.

All of the policies in the Samsung KNOX Device Settings can be applied to Samsung KNOX version 1 and version 2 devices.

Policies

To do this

Exchange Sync Settings

Configure the Exchange Sync profiles for server communications and account synchronization for the email application running outside the KNOX container.

You define the Exchange ActiveSync profile for server communications and account synchronization for the email application running inside the container separately in the Samsung KNOX Workspace Settings.

VPN settings

Configure VPN connection profiles for Samsung KNOX devices and applications running outside of the KNOX container.

You define the VPN profiles for the KNOX container and applications running inside the container separately in the Samsung KNOX Workspace Settings.

APN Settings

Create Access Point Name profiles.

You can create multiple access point profiles. All of the profiles are downloaded to the device; however, the only profile that appears in the configuration is the one whose MCC and MNC match the MCC and MNC in the SIM.

Wi-Fi Settings

Configure Wi-Fi connection profiles for Samsung KNOX devices.

Kiosk mode


Set the device to single application mode

Use the “Enable kiosk mode” policy to allow just a single application to run and specify the application. You can use the other kiosk policies to permit multiple windows, navigation and status bar visibility, and task manager access when the device is in kiosk mode.

Important: To use kiosk mode, make sure that you do not have the “Prevent installation of applications” policy enabled on the Application Management page.

After the application is installed, the device automatically opens to kiosk mode.

You can use the native Android home screen, a custom application, or the CyberArk Identity mobile app as the home launcher when the device is turned on. When you select the CyberArk Identity mobile app, it behaves a little differently in kiosk mode:

  • There is no Authentication tab.
  • All web applications open only in the CyberArk Identity mobile app’s built-in browser.
  • In the Settings tab, the Always Show Authenticator, Default Browser, and Unenroll this device options are hidden.
  • Application statuses, such as Install and Update, are not displayed when a device is in kiosk mode.

When you select the CyberArk Identity mobile app, the default is to update the software automatically when there is a change. The update is performed on the device at the time you select. If you disable automatic updates, updating the software follows the same procedure as changing the home launcher—see Change home launchers for the details.

IMAP and POP Settings

Create IMAP or POP profiles for the native email application installed in personal mode.


Policy branches

To do this

Application Management

Define a variety of application usage restrictions, including applications the user can or cannot install, launch, or stop; application permissions; and application include and exclude lists.

Bluetooth Settings

Configure a device’s Bluetooth interface.

Bookmark Settings

Specify websites that you want bookmarked on the device home screen. After you have configured them, users can access these bookmarked websites outside of the CyberArk Identity mobile app in kiosk mode and non-kiosk mode. Sample bookmark website on the device home screen:

Device Inventory Settings

Enable or disable the device’s logs (for example, call information, Wi-Fi network data bytes, and data network usage).

Firewall Settings

Configure URL filtering and iptable allow and deny rules.

Passcode Settings

Set the rules governing password use in Samsung KNOX devices—for example, forbidden strings, password pattern enforcement, and minimum number of changed characters in a new password. This category also includes policies that manage other password-related behaviors including password and screen-lock visibility and wiping external storage in the event the user fails to enter the correct password.

There are several passcode policies labeled as Advanced. In the Group Policy Management Editor they are listed in a separate category and in the CyberArk Cloud Directory policy service they are called out in the bubble text. Changing the settings in these policies will require all users affected by this policy to change their password regardless of whether their current password meets the new criteria.

Notes:

  • The Samsung default requirements set in the device may be stronger than the values you set in the mobile device policies. If you set a value that is weaker, the stronger policy is enforced.
  • You set the rules governing the container passcode in a separate policy—see the Samsung KNOX Workspace Container Passcode settings.

Restrictions Settings

Set rules governing the use of device features. There is a long list of policies available to enable or disable features as varied as Bluetooth access, Android Beam and S Beam use, audio recording, and home-key functionality.

You enable or disable Wi-Fi and VPN using the policies in this policy category. However, you define the Wi-Fi and VPN profiles in separate nodes.

Roaming Settings

Enable or disable operation of the device in roaming mode.

Security Settings

Enable or disable enrollment with an MDM server, enable a SIM card lock, and enable or disable encryption of the external storage.

VPN Restrictions

Allow only IPsec or only SSL/TLS VPN connections.

Wi-Fi Restrictions

Configure a wide variety of Wi-Fi network access point properties and user privileges.

Change home launchers

When you change the home launcher settings for Samsung devices, the device will not display the newly selected launcher until the device has been reset to use the default TouchWiz launcher.

To change the home launcher:

  1. On the Kiosk Mode page, select No in the Enable Kiosk Mode dropdown. This selection will allow the device to prompt for selection of the default TouchWiz launcher.
  2. Click Save and push the policy to the devices.
  3. Request the device user to select either of the two TouchWiz launcher options and Just Once on the device.
  4. On the Kiosk Mode page, select Yes in the Enable Kiosk Mode dropdown then select the new launcher.
  5. Click Save and push the policy to the devices.

    The newly selected home launcher should now be available on the device.

Samsung KNOX Workspace Settings

The Samsung KNOX Workspace Settings policies enable users to create a Samsung KNOX enterprise container when they enroll their device and let you manage the policy settings that apply when users are in the container. For example, you can configure separate Exchange Sync, VPN, IMAP/POP email, firewall, and device restrictions settings for Samsung KNOX containers.

The following tables summarize the policies in Samsung KNOX Workspace Settings. See List of device configuration policies for the full list.

See Samsung KNOX devices for procedures that show you how to use a KNOX Workspace Settings policy to enable users to create a Samsung KNOX container and add a mobile application to the Applications SSO whitelist.

Samsung KNOX Workspace policies

Policy

To do this

Configure applications that can sync with container

Synchronize data between the personal and KNOX mode instances of the Contacts and S Planner (Calendar) applications.

Enable Common Criteria mode

Enable the following policies for Samsung Workspace devices only:

  • Common Mobile Settings/Passcode Settings/Maximum number of failed attempts

    The number of failed attempts is set to the value you set in the Enable Common Criteria mode policy for the Samsung devices only.

  • Samsung KNOX Device Settings/Security Settings/Encrypt removable storage

    The user encrypts the removable storage from the SETUP REQUIRED screen in CyberArk Identity mobile app.

In addition, when you set Enable Common Criteria mode, the Common Mobile Settings/Passcode Settings/Passcode History policy is disabled.

The policy settings are implemented on the devices only—they are not indicated in the Admin Portal policy set or the Active Directory group policy object. This allows you to have separate settings for these policies for other types of devices.

Common Criteria mode puts the target device in an operational mode that enforces the following security features and policies:

  • The bootloader blocks KIES download mode, enforces an integrity check of the kernel, and self-tests the crypto modules.
  • The device verifies an additional signature on firmware-over-the-air (FOTA) updates using an RSA-PSS signature and uses a FIPS 140-2 validated crypto module for EAP-TLS Wi-Fi connections.

This policy is only available on the following KNOX 2 devices: Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy NotePro, Galaxy Note 10.1 and Galaxy Note 10.1 2014 Edition.

Enable Enterprise Billing

Enterprise Billing

Enable separate bill generation for personal and enterprise data usage.

To enable enterprise billing, two different Access Point Names (APNs) are configured on the KNOX device. Personal data is routed via the default APN and enterprise data is routed via the dedicated enterprise APN specified in the policy.

This policy is only available for KNOX 2.1 devices.

Enable KNOX container

Enable the device to allow the user to create a Samsung KNOX enterprise container after the device is enrolled.

See Enable the device to allow users to create an enterprise container for more details.

On some Samsung devices, users can also create a KNOX personal container. You do not need to set a policy to allow them to create the personal container.

Enable ODE Trusted Boot verification

Enable to consider attestation state before decrypting the data partition.

Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current attestation status is shown in the device details in the Admin Portal.

Enable TIMA Key Store

Enable to use the TIMA key store to store symmetric keys, RSA key pairs and certificates. The TIMA key store is implemented as a key store provider for the Java Keystore class. When this policy is enabled, it provides TrustZone-based secure storage and controls access based on the attestation state.

Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current attestation status is shown in the device details in the Admin Portal.

Require attestation verification

Enable to consider attestation state before allowing the user to create a KNOX container.

Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current attestation status is shown in the device details in the Admin Portal.

VPN Settings

Configure VPN profiles for Samsung KNOX Workspace devices.

Samsung KNOX Workspace Container categories and policies

Policies

To do this

Enable Google Play store

Allow users to install applications in a KNOX version 2 container from Google Play.

This policy does not apply to devices with KNOX version 1 containers.

Exchange Sync Settings

Configure the Exchange Sync profiles for server communications and account synchronization for the email application running in the Samsung KNOX container.

IMAP and POP Settings

Configure account profiles for IMAP and POP mail servers.

These settings only apply to the mail application running in the Samsung KNOX container.

Per app VPN settings

Map a mobile application to a specific VPN connection for applications installed in the container.

You can specify multiple VPN profiles and application pairs. You configure the VPN profiles in the Samsung KNOX Workspace VPN Settings policy.


Categories

To do this

Application Management


Define a variety of operating parameters for applications installed in the container. For example, policies are provided that let you set the following:

  • Define which mobile applications are allowed to use the KNOX container single sign-on service.
  • Define which applications can be installed and added to the home screen.
  • Define which applications can synchronize data with applications outside the container.
  • Define which applications are disabled.

If you are installing any applications that use the Samsung KNOX SSO service, you must add them to the Application SSO whitelist policy in this category before users can open them. See Add mobile applications that use SSO to the Application SSO whitelist for the details.

Browser Settings

Control browser behavior—for example, enable or disable pop-up windows, cookies, and JavaScript.

Container Account Settings

Create an include list and exclude list of user accounts to limit the types of accounts users can create in the KNOX container.

Email Settings

Control email application behavior—for example, prohibit adding new accounts and forwarding email through a personal account.

Firewall Settings

Configure URL filtering and iptable allow and deny rules.

Passcode Settings

Configure rules governing passcode properties (for example, minimum length, character occurrence, number of complex characters, and sequence length), usage (for example, number of failed attempts, visibility, and history), and quality.

Notes:

  • The Minimum password length policy sets the minimum length for the password and the PIN.
  • The “Require two factor authentication” policy is only available for devices that have a fingerprint reader and applies only to opening the container. (It does not apply to opening the device.)
  • There are several more passcode policies in the Advanced category. Changing the settings in these policies will require all users affected by this policy to change their password regardless of whether their current password meets the new criteria.

Restriction Settings

Permit or prohibit use of container and device features, such as moving files between the device and the container, screen capture, the camera, and more.

Samsung KNOX Workspace Device policies

Policies

To do this

Enable Audit Log

Enable the device to keep an activities log.

You can fetch the audit log using an Admin Portal command.

Enable certificate validation before installation

Validate the certificate before installation in the device's certificate store.

Enable revocation check for application SSL connections

Specify applications to check for certificate revocation.

Per app VPN settings

Map a mobile application to a specific VPN connection for applications installed in personal mode (outside the container).

You can specify multiple VPN profiles and application pairs. You configure the VPN profiles in the Samsung KNOX Workspace VPN Settings policy.

Trusted certificate authorities

Add a list of trusted CA certificates.

Touchdown settings

You use this Exchange Sync Settings policy to define the Exchange Sync profile on Android devices that use the Touchdown application for email.

Exchange profiles

You use the Exchange Settings policy to configure Exchange account profiles that are downloaded to devices by CyberArk Identity. Each profile defines the security and synchronization properties assigned to a specific Exchange Sync server. You must create a separate profile for each Exchange server.

You configure the Exchange Sync server profile separately for each type of device. For example, if your users have a mix of Android, iOS, and Samsung KNOX devices, you would define profiles in the following branches:

  • Touchdown Settings: You use this policy for Exchange Sync configuration for Android devices that do not provide a configurable email client.
    Touchdown policy is not supported on Samsung KNOX devices. Use the Exchange policies instead.
  • iOS Settings: Use these policies for the iOS devices that use Exchange Sync servers.

    If you have a POP or IMAP server for your iOS email, do not use this policy. Instead, use the OS X and iOS Settings > Mail settings policy.
  • Samsung KNOX Device Settings: Use the policy in this category to configure the email application installed outside the Samsung KNOX container.

  • Samsung KNOX Workspace Container Settings: Use the policy in this category to configure the email application installed inside the KNOX container.

    You can have separate policies for the email application running outside and inside the container on Samsung KNOX Workspace devices.

Do not create multiple profiles for any one platform (for example, an iOS or Android device) in the same group policy object or policy set unless each profile applies to a different Exchange server.

Set the user name

If you are using Active Directory or another LDAP server as your ID repository, you can use an attribute variable to specify an account’s user name. You can use any Active Directory/LDAP attribute that contains the user’s name, but the most useful ones are the following:

Active Directory/LDAP attribute    Enter this variable
userPrincipalName                  %{userPrincipalName}
samAccountName                     %{samAccountName}

For example, the following Exchange profile for an iOS device uses the Active Directory/LDAP userPrincipalName variable in the User Name field:

When a user enrolls a device, CyberArk Identity contacts Active Directory/LDAP to resolve the user name attribute value for that device.

When an authentication domain is specified in the profile, CyberArk Identity builds the user name with the authentication domain first, followed by a backslash and then the user name. For example, CyberArk Identity would resolve the following values to the user name gmail.com\j.weeks:

  • Active Directory/LDAP user: j.weeks@acme.com
  • Authentication Domain: gmail.com
  • User Name attribute variable: %{samAccountName}
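The resolution rule described above, as an added illustration in PowerShell (this is not CyberArk Identity code, and the function name Resolve-ProfileUserName is my own). It assumes the directory object's attributes are handed in as a hashtable; in a real enrollment they come from the Active Directory/LDAP lookup. It goes slightly beyond the single-attribute case on the page: a template may contain several %{attribute} tokens, and an unresolvable token is treated as an error rather than sent to Exchange as a literal.

```powershell
# Added illustration of the user name resolution rule; not CyberArk Identity code.
# Assumption: $Attributes holds the directory object's attributes (name -> value).
function Resolve-ProfileUserName {
    param(
        [Parameter(Mandatory)][string]$Template,        # e.g. '%{samAccountName}'
        [Parameter(Mandatory)][hashtable]$Attributes,   # AD/LDAP attribute name -> value
        [string]$AuthenticationDomain                   # optional; prefixed as DOMAIN\
    )
    $resolved = $Template
    # Replace every %{attribute} token with the directory value. A missing or empty
    # attribute is an error: a literal '%{...}' must never reach the mail profile.
    foreach ($m in [regex]::Matches($Template, '%\{([^}]+)\}')) {
        $name = $m.Groups[1].Value
        if (-not $Attributes.ContainsKey($name) -or [string]::IsNullOrEmpty($Attributes[$name])) {
            throw "Attribute '$name' is missing or empty on the directory object"
        }
        $resolved = $resolved.Replace($m.Value, [string]$Attributes[$name])
    }
    # Authentication domain first, then a backslash, then the resolved name.
    if ($AuthenticationDomain) { return "$AuthenticationDomain\$resolved" }
    return $resolved
}

# Constructed sample using the values listed above (hashtable keys are case-insensitive).
$user = @{ userPrincipalName = 'j.weeks@acme.com'; samAccountName = 'j.weeks' }
Resolve-ProfileUserName -Template '%{samAccountName}' -Attributes $user -AuthenticationDomain 'gmail.com'
Resolve-ProfileUserName -Template '%{userPrincipalName}' -Attributes $user
```

With the sample values, the first call produces the gmail.com\j.weeks result described above; the second, with no authentication domain, returns the UPN unchanged.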

Certificates

You can configure the profile so that the CyberArk Identity installs a certificate generated either by the CyberArk CA or the Active Directory Certificate Services certification authority you designated (see Select the policy service for device management). The certificate, regardless of the source, is automatically generated and installed in the device when the user enrolls the device.

When you use a certificate for authentication, be sure to set the “Provide client certificate” option in the profile.

If you are using the CyberArk Cloud Directory policy service for device management policy, the CyberArk CA is used to generate certificates. If you’re using Active Directory group policy for device management policy, the Windows Certificate Authority server is used to generate certificates. You cannot have a hybrid in which, for example, you select the CyberArk Cloud Directory policy service for device management policy but use the Windows Certificate Authority server to generate certificates.

Some configuration of your Windows servers is necessary whichever certificate source you use:

Modify the IIS (Web) and Exchange server configuration for CyberArk CA certificates

There are two phases to configuring the Exchange server to trust the CyberArk CA:

  • Adding the CyberArk CA certificate.
  • Configuring IIS to support client certificate authentication.

The following procedures illustrate one way to perform these tasks. However, if you have more familiar procedures you can use them.

To add the CyberArk CA certificate to the Exchange server:

  1. Open the Admin Portal, click Settings, and click Certificates.

    Click Download and copy the certificate to a folder you can access from the Exchange server.

  2. Log on to the Exchange server with an administrator account and enter the following PowerShell command:

    certutil -dspublish <cert name>.cer NTAuthCA

    where <cert name> is the name of the certificate you downloaded in the Admin Portal.

    This command publishes the certificate to the NTAuth store in the Active Directory configuration container. To confirm, you can open ADSI Edit and expand the Configuration container to CN=Public Key Services. The certificate should appear in the list.

  3. Open the Certificate Import Wizard.

    For example, double click the certificate’s file icon to open the Certificate Import Wizard and click Install Certificate.

  4. Select Local Machine and click Next.

  5. Select Automatically select the certificate store based on the type of certificate and click Next.

  6. Click Finish.

  7. Click OK to exit the wizard.

To configure the IIS connections to support client certificate authentication:

  1. On the Exchange server, open IIS Manager and, in the Connections pane, click the Exchange server node.
  2. Open the Authentication icon.

  3. Enable Active Directory Client Certificate Authentication.

  4. Expand Default Web Site and click Microsoft-Server-ActiveSync.

  5. Open the Authentication icon.

  6. Disable all of the authentication methods.

  7. Under IIS, open the SSL Settings (not shown in this picture).

  8. Set Require SSL and for Client certificates select either Accept or Require.

  9. Open the Configuration Editor icon.

  10. Expand system.webServer > security > authentication and enable clientCertificateMappingAuthentication.

  11. Expand Exchange Back End and select Microsoft-Server-ActiveSync.

  12. Open the Authentication icon.

  13. Enable Anonymous Authentication and Windows Authentication.

  14. Open the SSL Settings.

  15. Set Require SSL and for Client certificates select either Accept or Require.
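The two procedures above as one PowerShell script, added here as an example; it is not CyberArk product code and the function names are my own. It assumes an elevated session on the Exchange server with the standard site layout (Default Web Site and Exchange Back End), an account allowed to publish to the Active Directory configuration container (normally Enterprise Admins), the IIS Client Certificate Mapping Authentication feature installed (an Exchange prerequisite), and that the downloaded CyberArk CA certificate is self-signed, so it belongs in the Trusted Root store. CERT-PATH-PLACEHOLDER stands for the file you downloaded in step 1 of the first procedure. The last function reads the settings back so the result can be verified and audited without IIS Manager.

```powershell
# Added example, not CyberArk product code: the two GUI procedures above as PowerShell.
# Assumptions: elevated session on the Exchange server; the account can publish to the AD
# configuration container (normally Enterprise Admins); the IIS "Client Certificate Mapping
# Authentication" feature is installed; the CyberArk CA certificate is self-signed (root).
Import-Module WebAdministration   # IIS configuration cmdlets (Web-Server role)

$AppHost  = 'MACHINE/WEBROOT/APPHOST'                       # applicationHost.config
$FrontEnd = 'Default Web Site/Microsoft-Server-ActiveSync'  # client-facing ActiveSync vdir
$BackEnd  = 'Exchange Back End/Microsoft-Server-ActiveSync'

function Publish-CyberArkCaCertificate {
    param([Parameter(Mandatory)][string]$CertPath)   # the .cer downloaded from the Admin Portal
    # Same as the certutil step in the procedure: publish to NTAuthCA so Active Directory
    # accepts client certificates issued by this CA for logon.
    & certutil.exe -dspublish -f $CertPath NTAuthCA | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed (exit code $LASTEXITCODE)" }
    # Same as the Certificate Import Wizard with Local Machine selected (root CA assumed).
    Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

function Set-AuthMethod {
    param([string]$Location, [string]$Method, [bool]$Enabled)
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "system.webServer/security/authentication/$Method" -Name enabled -Value $Enabled
}

function Set-SslFlags {
    param([string]$Location, [ValidateSet('Accept', 'Require')][string]$ClientCertMode)
    # IIS Manager "Require SSL" with client certificates Accept = Ssl,SslNegotiateCert;
    # Require adds SslRequireCert, so a connection without a certificate is rejected outright.
    $flags = if ($ClientCertMode -eq 'Require') { 'Ssl,SslNegotiateCert,SslRequireCert' } else { 'Ssl,SslNegotiateCert' }
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value $flags
}

function Set-ActiveSyncClientCertAuth {
    param([ValidateSet('Accept', 'Require')][string]$ClientCertMode = 'Accept')
    # Server node: "Active Directory Client Certificate Authentication" in IIS Manager is the
    # clientCertificateMappingAuthentication section.
    Set-WebConfigurationProperty -PSPath $AppHost `
        -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
        -Name enabled -Value $true
    # Front-end vdir: no password-based methods, SSL required, certificates mapped to AD accounts.
    # (digestAuthentication is omitted: its section exists only when that IIS feature is installed.)
    foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        Set-AuthMethod -Location $FrontEnd -Method $m -Enabled $false
    }
    Set-SslFlags   -Location $FrontEnd -ClientCertMode $ClientCertMode
    Set-AuthMethod -Location $FrontEnd -Method clientCertificateMappingAuthentication -Enabled $true
    # Back-end vdir: anonymous and Windows authentication on, SSL required.
    Set-AuthMethod -Location $BackEnd -Method anonymousAuthentication -Enabled $true
    Set-AuthMethod -Location $BackEnd -Method windowsAuthentication   -Enabled $true
    Set-SslFlags   -Location $BackEnd -ClientCertMode $ClientCertMode
}

function Get-PropValue {
    param([string]$Location, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name $Name
    # WebAdministration wraps some attributes in a ConfigurationAttribute and returns others bare.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Get-ActiveSyncAuthState {
    # Read the effective settings back so the change can be verified and audited later.
    foreach ($loc in $FrontEnd, $BackEnd) {
        $row = [ordered]@{ Location = $loc }
        $row.SslFlags = Get-PropValue -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags
        foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication',
                       'clientCertificateMappingAuthentication') {
            $row[$m] = Get-PropValue -Location $loc -Filter "system.webServer/security/authentication/$m" -Name enabled
        }
        [pscustomobject]$row
    }
}

# Usage (CERT-PATH-PLACEHOLDER is the certificate file downloaded from the Admin Portal):
# Publish-CyberArkCaCertificate -CertPath 'C:\temp\CERT-PATH-PLACEHOLDER.cer'
# Set-ActiveSyncClientCertAuth -ClientCertMode Accept
# Get-ActiveSyncAuthState | Format-Table -AutoSize
```

Because the script writes to applicationHost.config through location tags rather than to the virtual directory's web.config, the section locks IIS applies by default to the authentication and access sections do not get in the way. Choose Require rather than Accept only once every ActiveSync client in scope has a certificate installed, since Require rejects certificate-less connections before any other authentication is attempted.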

Configure VPN profiles

You use the VPN Settings policy to configure profiles that are downloaded to devices by the CyberArk Identity. Each profile defines a VPN connection name, the server name, VPN type, and other properties.

The following VPN types are supported:

  • PPTP
  • IPSEC (Cisco)
  • Third-Party VPN
  • IKEv2
  • L2TP

Configure the Custom vendor option

After a VPN profile has been created, you can modify the profile and specify the VPN vendor in the Security tab of the VPN Profile window. The Vendor options are:

  • Cisco AnyConnect
  • Juniper SSL
  • F5 SSL
  • SonicWALL Mobile Connect
  • Aruba VIA
  • Custom

The Custom option is the only vendor option that requires further configuration. To configure the Custom option:

  1. Right-click a VPN profile and choose Modify from the menu.
  2. In the VPN Profile window, click the Security tab on the left.
  3. Click the Vendor drop-down list and then choose Custom from the menu.
  4. Consult your VPN vendor to gather information to complete the Custom vendor form.
  5. Under the VPN Custom Data heading, click Add to display fields for keys and string values for VPN provider-specific custom data.
  6. After entering your custom vendor information, click Save.

Note: Users of Pulse Secure 7.0+ should choose the Custom vendor option, rather than Juniper SSL (for more information, visit this knowledge base article).

Note: Any VPN vendor app that uses the Apple Network Extension must use the Custom option; otherwise it might interfere with Wi-Fi or Exchange profiles that use PKI certificates.

Configure the Custom VPN vendor

When you choose

You configure a VPN connection profile separately for each type of device associated with either the policy set (when you use the CyberArk Cloud Directory policy service for device management policy) or the group policy object (when you use Active Directory group policy for device policy management). For example, if your users have a mix of Samsung KNOX devices and iOS devices, you would define profiles in the following categories:

  • OS X and iOS Settings: Define profiles for iOS devices and OS X devices.
  • Samsung KNOX Device Settings: Define profiles for the Samsung KNOX devices that do not have a Workspace license.

  • Samsung KNOX Workspace Settings: Define profiles for use inside and outside the container on devices with a Workspace license.

    The VPN profiles in Samsung KNOX Workspace devices are configured separately for device and container use. See Configure VPN profiles for KNOX devices.

Do not define multiple profiles for the same VPN server for the same device type.

Certificate-based authentication is available for VPN connections. When the profile specifies certificate authentication, the CyberArk Identity calls either the CyberArk CA or the Active Directory Certificate Services certification authority server you designated (see Select the policy service for device management). The CyberArk Identity works with the certificate authority to create the certificate when the user enrolls the device and then automatically installs it on the device.

Configure a VPN to use certificates for authentication

When you use certificates for authentication, the user or computer certificate is automatically generated and installed when the user enrolls the device. If you are using the CyberArk Cloud Directory policy service for device policy management, the CyberArk Identity uses CyberArk CA to generate the certificate. If you are using Active Directory group policy for device policy management, the CyberArk Identity uses the Windows certification authority server you designated in the connector to generate the certificate.

If the CyberArk Identity uses the Windows certification authority server, you need to create the user and computer certificate templates—see Manage AD certificates in devices for the details.

When you configure the policy in the CyberArk Cloud Directory policy service, you may need to upload the certificate for the certification authority that issued the certificate for the VPN concentrator. You don’t need to upload the certification authority’s certificate if the VPN concentrator’s certificate was issued by a well-known, commercial, certification authority or is self-signed. However, if the VPN concentrator’s certificate is neither, you need to upload the certification authority's certificate to the CyberArk Identity. You upload this certificate using the VPN Setting policy.

See your VPN concentrator or server vendor’s instructions for uploading the CyberArk CA certificate. You create a CyberArk CA certificate for uploading by clicking Download on the Device Policy Management page in the Admin Portal Settings (see Select the CyberArk Cloud Directory policy service).

Configure VPNs in iOS devices

You can define a VPN connection profile in the VPN Settings policy for use by all applications or only for use by an individual application. If you set the profile “for selected applications only,” you assign the VPN profile to the application in the Per App VPN settings policy.

The same profiles can be used on OS X devices.
Some VPN clients do not support both options. For example, the Cisco client supports only “VPN is only for selected applications.”

When you set a VPN connection “for selected applications only,” you can also configure it to auto connect when the application is opened. There are two settings available:

  • Connect Automatically on application is launched: Set this option if you are assigning the VPN to native iOS applications.
  • Connect automatically for specified domains for Safari: Use this option to open the connection automatically when the user opens a web application from Safari. Enter the web application’s domain name to automate opening the connection.
  • VPN on demand: Enable to define specific domains that will automatically initiate a VPN connection when they are accessed and specific domains that will NOT automatically initiate a VPN connection when they are accessed.

See the help information associated with the configuration options (Admin Portal > Policies > Endpoint Policies > OS X and iOS Settings > VPN Settings) for information related to each option.

If you are using one profile for all applications, you can use certificates for authentication by selecting Third Party VPN as the VPN type in the General tab and then in the Security tab selecting Certificate for User Authentication. When you select Certificate, you need to specify the file name for the VPN server certificate in the VPN CA Certificate field.

For Juniper VPN, we support the Pulse Secure iOS client.

Configure VPN profiles for KNOX devices

You create VPN profiles for KNOX devices in the Samsung KNOX Device Settings, the Samsung KNOX Workspace Settings, or both, depending on whether you have Samsung KNOX Workspace devices.

When you create the profile for a Samsung KNOX Workspace device, you may have the option to designate it for one of two purposes, depending upon the VPN client you are using on the device:

  • VPN for all mobile applications—Mocana (IPSec), F5 (SSL), and Juniper (SSL) clients
  • VPN is only for selected mobile applications—Mocana (IPSec), F5 (SSL), Juniper (SSL) and Cisco (IPSec and SSL) clients

(These options are not available for VPN profiles in the Samsung KNOX Device Settings.)

If you select “VPN for all applications,” you create one VPN profile, and it is used by all of the mobile applications installed in personal mode and inside the KNOX mode container.

If you select “VPN is only for selected applications,” you can create multiple VPN profiles and then use the “Per app VPN settings” policy in the Device Settings and Container Settings to map a profile to specific mobile applications. The mappings in the Device Settings category apply to the mobile applications installed in personal mode; the mappings in the Container Settings category apply to the mobile applications installed in the KNOX mode container.

The “Per app VPN settings” policy Explain tab in the Group Policy Management Editor and tooltip help in the CyberArk Cloud Directory policy service explain how to set a single VPN profile for use by all applications or different VPN profiles for individual applications.

  • When you use Active Directory group policy for device policy management, you can specify certificate-based authentication for Samsung KNOX Workspace devices with SSL-type VPNs using either the Juniper or F5 client. For IPSec type VPNs, you can specify certificate-based authentication using the Mocana client. (Certificate-based authentication is not available for Active Directory users using the Cisco client.)

    To use certificates, you must create a user and computer certificate template on the Windows certification authority server first. See Manage AD certificates in devices for the details.

  • Similarly, when you use the CyberArk Cloud Directory policy service for device policy management, the Juniper and F5 SSL clients and Mocana IPSec client support certificate-based authentication. (Again, the Cisco based clients do not support certificate-based authentication.)

    When you configure the policy in the CyberArk Cloud Directory policy service, you need to specify the VPN server’s certificate file in the profile to upload it to the CyberArk Identity.

  • There is a slight operational difference for devices with KNOX 1 versus KNOX 2 containers. From the policy configuration perspective, there is no difference. That is, configuring the VPN and Per app VPN policies is the same regardless of the container version.

    However, users with KNOX 2 containers will have two VPN clients installed: one outside the container and one inside the container. (The CyberArk Identity mobile app automatically installs both copies when you deploy the VPN client software from the Admin Portal.) In addition, if users are required to enter their password to open the VPN, they will have to provide their password for both clients. On KNOX 1 devices, just one VPN client is installed.

  • When you configure the VPN profile for the Juniper client, you must specify the authentication realm and User role fields. However, you can leave the User name field blank. Users can fill in this field in the CyberArk Identity mobile app when they configure the VPN settings.

    If you are using the Mocana VPN client, you must use a version later than 2.3.6.

Configure Wi-Fi profiles

You use the Wi-Fi Settings policy to configure profiles that define the security type (for example WPA or WEP), accepted EAP types, and other properties for a Wi-Fi service set identifier (SSID).

You configure Wi-Fi profiles for iOS and Android separately from Samsung KNOX devices:

  • Use the Common Mobile Settings for the iOS and Android devices.
  • Use Samsung KNOX Device Settings for all Samsung KNOX devices.

The Samsung KNOX Device Settings provide additional policies in the Wi-Fi Restrictions category. You use them to control the users’ ability to modify the Wi-Fi connections in the Samsung device’s Settings application. However, these take effect only for the profiles you define in Samsung KNOX Device Wi-Fi settings.

You can define separate Wi-Fi profiles for the same SSID in the Common Mobile Settings and Samsung KNOX Device Settings.

Certificate-based authentication is available for establishing a Wi-Fi connection. If you are using the CyberArk Cloud Directory policy service for device policy management, you use the Admin Portal to create a policy set with the Wi-Fi profiles. In this case, the certificates are automatically issued by the CyberArk CA and installed by the CyberArk Identity when the user enrolls the device. You must select either WEP Enterprise or WPA/WPA2 Enterprise as the Security type on the General tab and TLS as the EAP type to use certificates.

When you configure the policy in the CyberArk Cloud Directory policy service, you may need to upload the certificate for the certification authority that issued the certificate for the Wi-Fi access point. You don’t need to upload the certification authority’s certificate if the access point’s certificate was issued by a well-known, commercial, certification authority or is self-signed. However, if the access point’s certificate is neither, you need to upload the certification authority's certificate to the CyberArk Identity. You upload this certificate using the Wi-Fi Setting policy.

See your Wi-Fi access point vendor’s instructions for uploading the CyberArk CA certificate. You create a CyberArk CA certificate for uploading by clicking Download on the Device Policy Management page in the Admin Portal Settings (see Select the CyberArk Cloud Directory policy service).

If you are using Active Directory group policy for device policy management, you use the Active Directory Group Policy Management Editor to create the Wi-Fi profiles. In this case, the certificates are automatically issued and renewed by the Active Directory Certificate Services certificate server you designate (see Select the policy service for device management) and installed by CyberArk Identity when the user enrolls the device. You must create user and computer templates for the certificates on the Windows Certificate Authority server. See Manage AD certificates in devices.