How to limit GlobalProtect for specific Android/iOS users?

L4 Transporter

I have an interesting scenario. We have Windows users accessing GlobalProtect. I am looking to buy a gateway license to enable a set of users (10) out of 400 users to use Android/iPhone to connect to the VPN. We have IBM MaaS360 MDM installed on the phones to collect mobile attributes. Is there a way I can enforce a policy to limit specific users to using mobile phones?

Your help is greatly appreciated. TIA

9 REPLIES 9

Cyber Elite

@SThatipelly,

There are actually a few different places where you could do something like this.

1) You could build out a special Authentication Profile specific to a group that is allowed to log in via mobile devices and set the GlobalProtect Portal 'Authentication' Client Auth settings to include an entry that specifically lists the OS as [ Android iOS WindowsUWP ], and limit the other Client Auth settings to [ Browser Linux Mac ]. Any user not included in the new profile simply couldn't authenticate if they attempted to utilize a mobile client.

This option would limit the Auth from a Portal perspective.

2) You could do the exact same thing but from the Gateway Auth page.

You could take it a step further and utilize a HIP check and the Agent Client Settings, but that gets messy and isn't really required if you do either of the two options above.

 

L5 Sessionator

Hi,

 

a) There are two ways you could do this: limit the OS in the portal agent configs section

[image: portal config.png]

b) With a GP gateway license you can enforce policy upon HIP objects. One HIP object is mobile device model.

[image: hip.png]

 

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/host-infor...

 

Thanks,

Luke.

 


@LukeBullimore wrote:

Hi,

a) There are two ways you could do this: limit the OS in the portal agent configs section

[image: portal config.png]


@SThatipelly 

This probably is the easiest/best way. Here you could specify a user group, so only users of that user group receive the configuration for Android/iOS devices. Other users will actually be able to log in to the portal but cannot connect, as they will not receive the required configuration.

 

But if you already have an MDM, you don't really need the Gateway license. With the MDM for example you could deploy a client certificate to the specific devices and so only these devices will be able to connect. This does not require the gateway license as you would use the integrated VPN clients on the mobile devices.
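To make the first-match behaviour of the portal agent-config approach concrete (Luke's option a) and Remo's follow-up above), here is a small Python model. It is an added example, not PAN-OS code and not anything posted in this thread. The user and group names, the `GROUP_MEMBERS` table and the helper functions `select_config` and `audit` are constructed for illustration, and the model covers only the user/group and OS criteria, not the other match conditions a real portal offers. It shows that a mobile config scoped to a small group, placed above a desktop-only catch-all, leaves non-members with no config to connect with, and that a catch-all "any OS / any user" entry listed first silently defeats the restriction.

```python
"""Model of GlobalProtect portal agent-config selection (constructed example).

The portal evaluates its agent configurations top-down and hands the
connecting app the first one whose user/group and OS criteria match; an
app that matches no config receives nothing and cannot connect. This
script reproduces that first-match rule on constructed data so the effect
of ordering and of a per-group Android/iOS config can be checked offline.
It is not PAN-OS code; all names below are made up.
"""
from dataclasses import dataclass

ANY = "any"
MOBILE_OS = {"Android", "iOS"}
DESKTOP_OS = {"Windows", "Mac", "Linux"}


@dataclass
class AgentConfig:
    name: str
    os: set     # OS names this config matches, or {ANY}
    users: set  # user or group names this config matches, or {ANY}


# Constructed group membership; a real deployment gets this from the
# directory through User-ID group mapping.
GROUP_MEMBERS = {
    "gp-mobile-users": {"alice", "bob"},
    "all-vpn-users": {"alice", "bob", "carol", "dave"},
}


def matches(cfg, user, os_name):
    """True if the config's OS and user/group criteria both match."""
    os_ok = ANY in cfg.os or os_name in cfg.os
    if ANY in cfg.users:
        user_ok = True
    else:
        user_ok = any(
            user == entry or user in GROUP_MEMBERS.get(entry, set())
            for entry in cfg.users
        )
    return os_ok and user_ok


def select_config(configs, user, os_name):
    """Return the name of the first matching agent config, or None."""
    for cfg in configs:
        if matches(cfg, user, os_name):
            return cfg.name
    return None


# Ordering that achieves what the thread asks for: the mobile config is
# scoped to the small group and sits above the desktop catch-all, which
# itself only matches desktop OSes.
RESTRICTED = [
    AgentConfig("mobile-allowed", MOBILE_OS, {"gp-mobile-users"}),
    AgentConfig("desktop-default", DESKTOP_OS, {"all-vpn-users"}),
]

# Common misconfiguration: a catch-all "any OS / any user" config listed
# first shadows the mobile restriction entirely.
SHADOWED = [
    AgentConfig("catch-all", {ANY}, {ANY}),
    AgentConfig("mobile-allowed", MOBILE_OS, {"gp-mobile-users"}),
]


def audit(configs, cases):
    """Evaluate (user, os) cases; returns {(user, os): config name or None}."""
    return {(u, o): select_config(configs, u, o) for u, o in cases}


if __name__ == "__main__":
    cases = [("alice", "Android"), ("carol", "iOS"),
             ("carol", "Windows"), ("dave", "Android")]
    for label, cfgs in (("restricted", RESTRICTED), ("shadowed", SHADOWED)):
        print(label)
        for case, chosen in audit(cfgs, cases).items():
            print("  ", case, "->", chosen or "no config (cannot connect)")
```

Running the script prints, for the restricted ordering, a config only for alice on Android and carol on Windows; carol on iOS and dave on Android get none, which is the "can log in to the portal but cannot connect" outcome described above. With the shadowed ordering every case receives the catch-all, so the group scoping on the mobile config never takes effect.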

@BPry Thank you so much for your suggestion. We have users authenticating against our RADIUS server, which utilizes one-time passwords. Doing this will require me to configure another auth method (preferably local), but this is not what my organisation is looking for. I am a little confused at this point.

@LukeBullimore Shouldn't I need an MDM to get the mobile attributes? We have a cloud-based MDM server and am unsure if the vendor provides HIP info.

@Remo Your suggestion boils down to authenticating GP users based on client certificates? I do not want to make any kind of changes to existing Windows users and want to add specific mobile users to the existing gateway and portal. Will this be addressed? Please correct me if I am wrong.

 

Thanks.

You're right, this "little" detail was missing in my post. But you could solve this with a dedicated GlobalProtect gateway for the iOS/Android devices.

Hi @SThatipelly


@SThatipelly wrote:

@LukeBullimore Shouldn't I need an MDM to get the mobile attributes? We have a cloud-based MDM server and am unsure if the vendor provides HIP info.


No you don't. The GlobalProtect App that is run on the mobile device is capable of pulling this information - so provided you have the Gateway License you can make full use of this functionality.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/globalprotect/objects-gl...

 

Thanks,

Luke.

@LukeBullimore I had gone through that document before and found this little note:

 

To collect mobile device attributes and utilize them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the AirWatch MDM server.

 

This is what is concerning me.
