How to limit global protect for specific android/ios users?

Reply
L4 Transporter

How to limit global protect for specific android/ios users?

I have an interesting scenario. We have windows users accessing global protect. I am looking to buy gateway license to enable a set of users(10) out of 400 users to use android/iphone to connect to vpn. We  have IBM MaaS360 MDM installed on phone to collect mobile attributes. Is there a way I can enforce a policy to limit specific users to use mobile phones?

 

Your help is greatly appreciated. TIA

L7 Applicator

Re: How to limit global protect for specific android/ios users?

@SThatipelly,

There is actually a few different places that you could do something like this. 

1) You could build out a special Authentication Profile specific to a group that is allowed to login via mobile devices and set the GlobalProtect Portal 'Authentication' Client Auth settings to include an entry that specifically lists the OS as [ Android iOS WindowsUWP ] and limit the other Client Auth settings specific to [ Browser Linux Mac ] and any user not included in the new profile simply couldn't auth if they attempted to utilize a mobile client. 

This option would limit the Auth from a Portal perspective. 

2) You could do the exact same thing but from the Gateway Auth page. 

 

You could take it a step further and utilize a HIP check and the Agent Client Settings but that gets messy and isn't really required if you do either of the two options above. 

 

L5 Sessionator

Re: How to limit global protect for specific android/ios users?

Hi,

 

a) There are two ways you could do this, limit the OS in the portal agent configs section

 

portal config.png

 

b) with GP gateway license you can enforce policy upon HIP objects. one HIP object is moible device model

 

hip.png

 

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/host-infor...

 

Thanks,

Luke.

 

L7 Applicator

Re: How to limit global protect for specific android/ios users?


@LukeBullimore wrote:

Hi,

 

a) There are two ways you could do this, limit the OS in the portal agent configs section

 

portal config.png

 

 


@SThatipelly 

This probably is the easiest/best way. Here you could specify a usergroup, so only users of that usergroup receive the configuration for Android/iOS devices. Other users will be able to login to the portal actually but cannot connect as they will not receive the required configuration.

 

But if you already have an MDM, you don't really need the Gateway license. With the MDM for example you could deploy a client certificate to the specific devices and so only these devices will be able to connect. This does not require the gateway license as you would use the integrated VPN clients on the mobile devices.

L4 Transporter

Re: How to limit global protect for specific android/ios users?

@BPry Thank you so much for your suggestion. We have users authentication against our RADIUS server which utilizes one-time-password. Doing this will require me to configure other auth method(preferably local) but this is not what my organisation is looking for. I am little confused at this point. 

L4 Transporter

Re: How to limit global protect for specific android/ios users?

@LukeBullimoreShouldn't I need a MDM to get the mobile attributes? We have a cloud based MDM server and unsure if the vendor provides HIP info. 

L4 Transporter

Re: How to limit global protect for specific android/ios users?

@vsys_remo Your suggestion boils down to authenticating GP users based on client certificates?  I dodnot want to make any kind of changes to exisiting windows users and add specific mobile users to exisiting gateway and portal. will this be addressed? Please correct me if I am wrong.

 

Thanks.

L7 Applicator

Re: How to limit global protect for specific android/ios users?

You're right this "little" detail was missing in my post. But you could solve this with a dedicated global protect gateway for the iOS/Android devices.

L5 Sessionator

Re: How to limit global protect for specific android/ios users?

Hi @SThatipelly


@SThatipelly wrote:

@LukeBullimoreShouldn't I need a MDM to get the mobile attributes? We have a cloud based MDM server and unsure if the vendor provides HIP info. 


 

No you don't. The GlobalProtect App that is run on the mobile device is capable of pulling this information - so provided you have the Gateway License you can make full use of this functionality.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/globalprotect/objects-gl...

 

Thanks,

Luke.

L4 Transporter

Re: How to limit global protect for specific android/ios users?

@LukeBullimore I had gone through that document before and found this little note:

 

To collect mobile device attributes and utilize them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the AirWatch MDM server.

 

This is what concerning me.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!