Global Protect Hip check iOS UDID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect Hip check iOS UDID

L3 Networker

I'm looking for some feedback on the UDID HIP check for iOS devices.  Currently there is no way to pull serial numbers from the Apple iOS platform unless you connect a compatible MDM solution to the PA.  There is however a way to pull the UDID or ( unique device ID) that apple has tagged on each device it builds.  I've added that under HIP object > General > host info > Host ID.

I've added those to a hip object in the following manner.    

Danross_0-1644850516993.png

There is a character limit of 255 for the HOST ID section for this particular check. My question is as follows:   I've attempted to add in several UDID's seperated by commas.  It appears that there is only one identifier that can be entered per object.

 

It was bad enough when I thought my limit was 255 characters and I could only fit in like 5 devices in the field given the UDID 32 character length.  Am I doing this wrong or are they expecting us to have an object for every device I have connected? 

GlobalProtect 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@danoman2,

That's a tough one. If you've gone down the path of making exceptions for personally owned devices connecting to what I would assume is a sensitive server, Host ID is a secure way of ensuring only devices you expect are connecting. There's more overhead in managing this type of exception and ensuring HIP-Objects are properly removed for devices as they get swapped out with new devices.

Personally I don't allow any of my clients to make these sort of exceptions. If they choose to allow BYOD VPN connections every BYOD endpoint is given access to the same basic set of resources that aren't sensitive or subject to regulatory restrictions. We don't allow special exceptions to that. Then I simply use scripting to grab the endpoints they're using to connect and store it in a simple Redis database. As soon as the hostname changes it generates alerts and sends it to the respective security group to follow up or block the endpoint.

 

It sounds like you've got "VIP" devices that are requiring elevated access on a BYOD endpoint that you otherwise restrict access to from a "normal" BYOD endpoint, or you don't allow BYOD endpoints? In that case, what you are doing is going to be the most secure way of ensuring that the device is what you expect it to be.  I would caution though that you should also be ensuring that the device isn't jailbroken. You can spoof UUID values on a jailbroken iOS device.

I would personally try pushing back on this sort of request if the server they are connecting to is actually sensitive in nature and enforcing they join it to an MDM. Obviously depending on organization and policies that may or may not be an option for you. If it isn't, continue the path that you are on and just document that it's not a perfect solution and someone with the proper knowledge could still bypass these restrictions. 

View solution in original post

4 REPLIES 4

L3 Networker

I've split up all my UDID's into seperate objects and added to a single hip profile.  It seems to be working now.  However it's a bit messy in the hip objects area.  There has to be a better way to manage this.

Cyber Elite
Cyber Elite

@danoman2,

There's really not if this is how you've decided to manage things. You are creating a Host-ID match HIP-Object, so you must only include a single Host-ID (UUID in this case) and create a new object for every single device you're looking to add. 

 

Can I ask why you're doing it like this though? I mean the benefit that you have is that you know exactly what devices are connecting, so it's secure, but you'll obviously have a ton of overhead associated with maintaining essentially a "whitelist" of devices that can connect. 

Usually when connecting iOS devices that are issued out to employees you would kind of expect it to have an MDM installed and I would simply recommend setting up MDM integration and certificate authentication. Your post makes it seem like they don't have MDM, so I would assume these are just personal devices? 

L3 Networker

Good guess.  At this moment, if a user issavvy enough to look at the settings menu on a device using Global Protect that I've setup for them, they can simply download Global Protect and connect another device to our network without me knowing.  I've got a "small" group of devices that I dont have ownership of.  I'm in the process of implementing these hip checks as well as others so I can limit the devices connecting to a specific server.  I'd be putting in place a security rule to enforce.  Is there a feature to block those settings being visible to end users?  What other methods should I be utilizing via the PA to limit connections like I described?

 

Cyber Elite
Cyber Elite

@danoman2,

That's a tough one. If you've gone down the path of making exceptions for personally owned devices connecting to what I would assume is a sensitive server, Host ID is a secure way of ensuring only devices you expect are connecting. There's more overhead in managing this type of exception and ensuring HIP-Objects are properly removed for devices as they get swapped out with new devices.

Personally I don't allow any of my clients to make these sort of exceptions. If they choose to allow BYOD VPN connections every BYOD endpoint is given access to the same basic set of resources that aren't sensitive or subject to regulatory restrictions. We don't allow special exceptions to that. Then I simply use scripting to grab the endpoints they're using to connect and store it in a simple Redis database. As soon as the hostname changes it generates alerts and sends it to the respective security group to follow up or block the endpoint.

 

It sounds like you've got "VIP" devices that are requiring elevated access on a BYOD endpoint that you otherwise restrict access to from a "normal" BYOD endpoint, or you don't allow BYOD endpoints? In that case, what you are doing is going to be the most secure way of ensuring that the device is what you expect it to be.  I would caution though that you should also be ensuring that the device isn't jailbroken. You can spoof UUID values on a jailbroken iOS device.

I would personally try pushing back on this sort of request if the server they are connecting to is actually sensitive in nature and enforcing they join it to an MDM. Obviously depending on organization and policies that may or may not be an option for you. If it isn't, continue the path that you are on and just document that it's not a perfect solution and someone with the proper knowledge could still bypass these restrictions. 

  • 1 accepted solution
  • 4951 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!