Select the policy service for device management

You can use the CyberArk Cloud Directory policy service or Active Directory Group Policy Management to set device configuration policies. When you select the CyberArk Cloud Directory policy service, you use policy sets created in the Admin Portal to set device configuration policies. When you use Active Directory group policy, you create group policy objects and edit them with the Group Policy Management Editor to set device configuration policies. See Manage device configuration policies for the details. In that case you still apply the policies to sets of users through roles: you link the group policy object to an Active Directory organizational unit and then specify that organizational unit in the device enrollment settings of the role's policy set.

You must use CyberArk Identity for mobile device management if you want to set the mobile device policies and install them in the device (see Mobile Device Management or single sign-on only).

Both methods provide largely the same policies—see List of device configuration policies for a summary of the policies available in each one. The method you select depends upon the types of accounts (CyberArk Cloud Directory or Active Directory) used for enrolling devices. Use the following guidelines to select the proper method for your organization:

| Devices are enrolled by users with these types of accounts | Select this method | Notes |
|---|---|---|
| Both users with CyberArk Cloud Directory accounts and users with Active Directory accounts | CyberArk Cloud Directory policy service | If you select Active Directory, CyberArk Identity does not install the policies in devices enrolled by users with CyberArk Cloud Directory accounts. |
| Only users with Active Directory accounts | Either Active Directory or the CyberArk Cloud Directory policy service | Select the method that is most convenient for you. |
| Only users with CyberArk Cloud Directory accounts | CyberArk Cloud Directory policy service | |

If you select Active Directory group policy, you still use policy sets to configure the Device Management Settings, Device Enrollment Settings, User Security Policies, and Application Policies. You use the group policy object just to set the device configuration policies (Policies > Endpoint Policies > settings in Common Mobile Settings, iOS Settings, etc.).

Select the CyberArk Cloud Directory policy service

If you select the CyberArk Cloud Directory policy service, CyberArk Identity uses the policy sets assigned to each role to set the device configuration policies. See Use the Admin Portal to set device configuration policies for the details.

Click the Download button to download the certificate for the CyberArk CA for your account, for installation in the Exchange server, wi-fi access point, or VPN server or concentrator. The certificate is self-signed. See the following sections to configure the use of CyberArk CA certificates:

To select CyberArk Cloud Directory policy service for device policy management:

  1. Log in to the Admin Portal.
  2. Click Settings > Endpoints > Endpoint Management Settings.
  3. Enable CyberArk Cloud Directory Policy Service.

  4. Click the text box and enter the number of minutes for Policy push delay from last edit.

    The policy push delay specifies the number of minutes CyberArk Identity waits from the time you saved the policy set to push the changes to the devices.

  5. Select the issuing certificate authority.

    You can use either the Active Directory Certificate Service or the CyberArk Certificate Authority (CA) to generate user and computer certificates, which authenticate users and devices, respectively, for wi-fi connections. The certificates are created and installed on the device when the user enrolls the device. The default selection is Active Directory Certificate Service.

    1. Select Active Directory Certificate Service to use the default certification authority you configured in your Active Directory Certificate Service. (You can only use the default certification authority.) If you select this option, you need to create user and computer templates on the default certification authority. There may be some additional configuration required in the connector as well. See Manage AD certificates in devices for the details.

    2. Select Idaptive Tenant Certificate Authority to use the CyberArk CA for your CyberArk Identity account to generate user and computer certificates instead. You do not need to create templates when you select this option.

      CyberArk Identity includes a self-signed CyberArk CA for each customer's CyberArk Identity account. When you select this certification authority, it generates certificates that can be used to authenticate users for wi-fi and VPN connections and for ActiveSync server logins (Exchange 2010 and older only). The certificates are generated and installed automatically for users who are members of a role that has a wi-fi, VPN, or Exchange server profile in the CyberArk Cloud Directory policy service in which certificates are used for authentication. The installation happens when users enroll their devices.

    3. (Optional) Click the Download root certificate button to download the certificate for the CyberArk CA to install in the Exchange server (2010 and older), wi-fi access point, or VPN server or concentrator.

  6. Click Save.

See the following sections to configure the use of CyberArk CA certificates:

Select Active Directory group policy

If you select Active Directory group policy, CyberArk Identity uses the group policy object you linked to the organizational unit specified in the Device Enrollment Settings for each role to set the device configuration policies. See Use the Group Policy Management Editor to set mobile device policies to specify the organizational unit; see Configure group policy objects and organizational units to link the group policy object to the organizational unit.

The certification authority you select generates certificates that can be used to authenticate users for wi-fi and VPN connections and Exchange ActiveSync server log ins. The certificates are automatically generated and installed for users who are a member of a role that has a wi-fi, VPN, or Exchange server profile in the group policy object linked to their organizational unit. The certificates are installed automatically when the user enrolls the device.

When you install the connector, it searches the Active Directory forest for the certification authorities you have configured in your Active Directory Certificate Service. You can select any certificate authority it finds to generate certificates.

When you use an Active Directory certification authority, you need to create user and computer templates on the certification authority you select. There may be some additional configuration required in the connector as well. See Manage AD certificates in devices for the details.

To select Active Directory for device policy management:

  1. Log in to the Admin Portal.
  2. Click Settings > Endpoints > Endpoint Management Settings.
  3. Enable Active Directory group policy in the Policy Management area.

  4. Set the update interval.

    The update interval sets how often CyberArk Identity polls the domain controller for changes to the group policy objects. If CyberArk Identity finds that a group policy object has changed, it pushes the policy changes to the devices. Otherwise, it takes no action.

  5. Configure Hide unsupported mobile device CyberArk Cloud Directory policy settings. This setting is enabled by default.

    Some device configuration policy settings are available for both Active Directory users (policy settings managed using Windows Group Policy Management Editor (GPME)) and CyberArk Cloud Directory users (policy settings managed using Admin Portal), while some are only available in Admin Portal for managing CyberArk Cloud Directory users. When Hide unsupported mobile device CyberArk Cloud Directory policy settings is enabled, we hide those device configuration policy settings that are only available in Admin Portal to minimize confusion.

    Typically, you disable this setting when you are planning to migrate your Active Directory users to CyberArk Cloud Directory, so that you can see all the device configuration policy settings and make the necessary configurations.

  6. Configure the issuing certificate authority.

    Selecting Active Directory group policy automatically assigns the Active Directory Certificate Service as the issuing certificate authority.

    If you do not want to use the default certification authority, use the drop-down menu to select another. When you install the connector, it searches the Active Directory forest for the certification authorities you have configured in your Active Directory Certificate Service. You can select any certificate authority it finds to generate certificates.

    The certification authority you select generates certificates that can be used to authenticate users for wi-fi and VPN connections and Exchange ActiveSync server log ins. The certificates are automatically generated and installed for users who are a member of a role that has a wi-fi, VPN, or Exchange server profile in the group policy object linked to their organizational unit. The certificates are installed automatically when the user enrolls the device.

    When you use an Active Directory certification authority, you need to create user and computer templates on the certification authority you select. There may be some additional configuration required in the connector as well. See Manage AD certificates in devices for the details.

  7. Click Save.

Configure group policy objects and organizational units

When you use Active Directory group policy to set device configuration policies, you use group policy objects that you edit with the Group Policy Management Editor to set the policies. Next, you link that group policy object to an organizational unit. Finally, you specify the organizational unit to use for a given policy set when you configure the Device Enrollment Settings (see Enroll devices).

The organizational unit you specify in the Device Enrollment Settings is also the organizational unit in which CyberArk Identity stores the Active Directory record when the user enrolls the device. You can use this record in Active Directory Users and Computers to get information about the device and send it commands. See Use Active Directory Users and Computers to manage devices for the details.

When you select Active Directory group policy, plan how you will apply the group policy objects to CyberArk Identity roles before you create the policy sets and assign them to the roles. When you have your roles and policies planned, use the following procedure to apply them to individual devices:

  1. Create a separate organizational unit for each role.
  2. Create the group policy object for that role and set the policies.
  3. Link the group policy object to the organizational unit.
  4. Specify the organizational unit when you set the Device Enrollment Settings for the policy set (see Enroll devices).
  5. Assign the policy set to the role.
  6. Add the users to the role.

You can use multiple roles or policy sets to apply different policies to users. In this case the rules for hierarchical policies apply; see Apply hierarchical policy sets.
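Steps 1 through 3 of the procedure above (one organizational unit per role, one group policy object per role, and the link between them) can be scripted on a domain-joined administration host. The following PowerShell is an added example, not CyberArk's code; it uses the RSAT ActiveDirectory and GroupPolicy modules, and the domain, parent OU and role names are assumptions. Steps 4 through 6 remain Admin Portal tasks.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: creates the per-role OU and GPO and links them, idempotently.
# Run as an account allowed to create OUs and GPOs in the target domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ParentOU = 'OU=Enrolled Devices,DC=example,DC=com'   # assumed container for the per-role OUs
$Roles    = @('Mobile-Standard', 'Mobile-Executives')  # assumed CyberArk Identity role names

foreach ($Role in $Roles) {
    $OUName  = "Devices-$Role"
    $GPOName = "DevicePolicy-$Role"
    $OUPath  = "OU=$OUName,$ParentOU"

    # Step 1: a separate OU for each role. Protect it from accidental deletion,
    # because CyberArk Identity stores each enrolled device's AD record in this OU.
    $OU = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OUPath'"
    if (-not $OU) {
        New-ADOrganizationalUnit -Name $OUName -Path $ParentOU -ProtectedFromAccidentalDeletion $true
    }

    # Step 2: the GPO for that role. The device configuration policies themselves
    # are set afterwards in the Group Policy Management Editor.
    $Gpo = Get-GPO -Name $GPOName -ErrorAction SilentlyContinue
    if (-not $Gpo) {
        $Gpo = New-GPO -Name $GPOName -Comment "CyberArk Identity device configuration policies for role $Role"
    }

    # Step 3: link the GPO to the OU (enabled) unless the link already exists.
    $Linked = (Get-GPInheritance -Target $OUPath).GpoLinks | Where-Object { $_.DisplayName -eq $GPOName }
    if (-not $Linked) {
        New-GPLink -Guid $Gpo.Id -Target $OUPath -LinkEnabled Yes | Out-Null
    }

    # Output the OU distinguished name to enter in the policy set's
    # Device Enrollment Settings (step 4), with the GPO it is linked to.
    [pscustomobject]@{
        Role               = $Role
        OrganizationalUnit = $OUPath
        GPO                = $GPOName
        GpoId              = $Gpo.Id
    }
}
```

Re-running the script is safe: existing OUs, GPOs and links are detected and left unchanged, and the output lists exactly which OU each role's policy set must reference.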