GlobalProtect
Mobile Device Management Overview
Table of Contents
Mobile Device Management Overview
As mobile endpoints become more powerful, end users
increasingly rely on them to perform business tasks. However, these
same endpoints that access your corporate network also connect to
the internet without protection against threats and vulnerabilities.
A mobile device management (MDM) system or enterprise mobility
management (EMM) system simplifies the administration of mobile
endpoints by enabling you to automatically deploy your corporate
account configuration and VPN settings to compliant endpoints. You
can also use your mobile device management system for remediation
of security breaches by interacting with an endpoint that has been compromised.
This protects both corporate data as well as personal end user data. For
example, if an end user loses an endpoint, you can remotely lock
the endpoint from the mobile device management system or even wipe
the endpoint (either completely or selectively).
In addition to the account provisioning and remote device management
functions that a mobile device management system can provide, when
integrated with your existing GlobalProtect™ VPN infrastructure,
you can use host information that the endpoint reports to enforce
security policies for access to apps through the GlobalProtect gateway.
You can also use the monitoring tools that are built into the Palo
Alto next-generation firewall to monitor mobile endpoint traffic.
GlobalProtect Integration With an MDM or EMM System
You
can integrate your GlobalProtect deployment with an MDM or EMM system using
one of the following methods:
Firewall Integration With an MDM or EMM System (Workspace ONE only)
You can configure the Windows User-ID
agent to communicate with the Workspace ONE MDM server to collect host
information from connecting endpoints. The User-ID agent sends this host information
to the GlobalProtect gateway as part of the HIP report for use in HIP-based policy
enforcement.
Firewall
integration is supported with PAN-OS 8.0 and later releases.
Firewall integration is supported only with VMware Workspace ONE.
GlobalProtect
App Integration With an MDM or EMM System
Starting with
version 5.0, the GlobalProtect app for iOS and Android endpoints can
obtain vendor data attributes and tags from MDM systems. For iOS
endpoints, MDM systems send these attributes to the GlobalProtect
app as part of the VPN profile. For Android endpoints, MDM systems
send these attributes as part of the App Restrictions configuration.
The GlobalProtect app can then send these attributes and tags to
the GlobalProtect gateway as part of the HIP report for use in HIP-based policy
enforcement.
GlobalProtect app integration is qualified with VMware Workspace ONE, MobileIron, and Microsoft
Intune. However, this integration method is also supported with any MDM or EMM
system that supports vendor data attributes in the VPN profile.
The following table describes the
supported vendor data attributes:
MDM Attribute | HIP Report Attribute | HIP Report Category | Description |
|---|---|---|---|
mobile_id | Host ID | General | Unique device identifier (UDID) of the endpoint. |
managed | Managed | General | Value that indicates whether the endpoint
is managed. If this value is Yes, the endpoint
is managed. If this value is No, the endpoint
is unmanaged. |
compliance | Tag | Mobile Device | Compliance status that indicates whether
the endpoint is compliant with the MDM compliance policies that
you have defined (for example, Compliant).
This value is appended to the Tag attribute
in the HIP report. |
ownership | Tag | Mobile Device | Ownership category of the endpoint (for
example, Employee Owned). This value is appended
to the Tag attribute in the HIP report. |
tag | Tag | Mobile Device | Tags to match against other MDM-based attributes. |