Configure GlobalProtect to Retrieve Host Information

Learn how to configure GlobalProtect to retrieve host information from Workspace ONE devices using the MDM integration service.
Use the following instructions to configure GlobalProtect to retrieve host information from devices managed by Workspace ONE.
  1. Install the User-ID Agent. The User-ID agent must be in a location that enables secure connections to the VMware Workspace ONE Mobile Device Management (MDM) system.
    The Workspace ONE MDM integration service is included with the PAN-OS Windows-based User-ID agent.
  2. Configure SSL authentication between the Windows-based User-ID agent and the GlobalProtect gateway.
    When you configure SSL authentication, make sure:
    • The server certificate configured on the Windows-based User-ID agent has the same Common Name (CN) as the hostname/IP address of the User-ID agent host.
    • The server certificate is trusted by the firewall (included in the trusted CA list in the MDM configuration on the firewall).
    • The root certificate authority (CA) certificate of the MDM client certificate configured on the firewall is imported into the Windows trust store of the Windows server.
    1. Obtain a server certificate and private key for authentication between the Windows-based User-ID agent and the GlobalProtect gateway. The certificate bundle must be in PEM format and contain the PEM certificate, the full certificate chain, and the private key.
    2. Open the Windows-based User-ID agent and select Server Certificate.
    3. Add the server certificate:
    • Browse to the certificate file and Open the file to upload the certificate to the Windows-based User-ID agent.
    • Enter a Private Key Password for the certificate.
    • Click OK.
    The agent verifies that the certificate is valid and stores the encryption password of the private key in the host machine's Windows credential store.
    If installation is successful, detailed information about the certificate (including common name, expiration date, and issuer) appears on the Server Certificate tab.
    4. Restart the Windows-based User-ID agent.
  3. Configure the MDM integration service on the Windows-based User-ID agent.
    1. Select MDM Integration in the Windows-based User-ID agent.
    2. Specify a Gateway Connection TCP Port for TCP communications. The Windows-based User-ID agent listens at this port for all MDM-related messages. The default port is 5008. To change the port, specify a number from 1 to 65535.
    3. On the Setup tab, click Edit.
    4. Choose Workspace ONE for the MDM Vendor.
  4. Specify the MDM Event Notification settings to monitor and collect Workspace ONE events (for example, device enrollment, device wipe, and compliance changes). When an event occurs, the MDM integration service fetches the updated device information from the Workspace ONE API and pushes this information to all configured GlobalProtect gateways.
    For MDM Event Notification, make sure the values you enter here are also configured in the Workspace ONE console under Groups & Settings > All Settings > System > Advanced > API > Event Notifications.
    • Set the TCP Port for communicating with the event notification service. Use this format: http://<external_hostname>/<ip_address>:<port>, where <ip_address> is the IP address for the MDM integration service. The default port is 5011. To change the port, specify a number from 1 to 65535.
    • For event notification, enter the Username and Password credentials needed to authenticate incoming requests.
    • Enter the Permitted IP addresses to access MDM events. This is a comma-separated list of the IP addresses from which MDM events are posted (for example, the IP address of the Workspace ONE server). Contact your Workspace ONE Support team for guidance on which IP addresses to specify.
  5. Add MDM API Authentication settings to connect with the Workspace ONE API.
    • Enter the Server Address of the Workspace ONE MDM server to which the Windows-based User-ID agent will connect. For example, api.awmdm.com.
    • Enter the Username and Password credentials needed to access the Workspace ONE MDM API.
    • Enter the Tenant Code. This is a unique hexadecimal code required to access the Workspace ONE MDM API. On the Workspace ONE console, you can find the tenant code at System > Advanced > API > REST API > API Key.
    • Enter the Mobile Device State Retrieval Interval. This setting controls how often host information is retrieved from devices managed by Workspace ONE. The default interval is 30 minutes. To change the interval, specify a number from 1 to 600.
  6. Commit your changes.
  7. Click Test Connection to make sure the Windows-based User-ID agent can connect to the Workspace ONE API.
  8. Configure the GlobalProtect gateway to communicate with the MDM integration service to retrieve the HIP reports for the devices managed by Workspace ONE.
    1. In the PAN-OS web interface, select Network > GlobalProtect > MDM.
    2. Add the following information about the MDM integration service.
    • Name—Enter a name for the MDM integration service (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    • (Optional) Select the virtual system to which the gateway belongs.
    • Server—Enter the IP address or FQDN of the interface on the Workspace ONE MDM integration service where the gateway connects to retrieve HIP reports. Ensure that you have a service route to this interface.
    • Connection Port—Enter the connection port where the MDM integration service listens for HIP report requests. The default port is 5008. To change the port, specify a number from 1 to 65535.
    • Client Certificate—Choose the client certificate for the gateway to present to the MDM integration service when it establishes an HTTPS connection. You can choose a client certificate from the drop-down, or import a new client certificate. The Certificate Purpose must indicate that it is a client authentication certificate.
    The root certificate authority (CA) certificate of the client certificate must be imported into the Windows trust store of the Windows server where the User-ID Agent is installed.
    3. Add the root CA certificate associated with the server certificate installed on the MDM integration service host. You need both the root CA certificate and the server certificate to establish a secure connection between the gateway and the MDM integration service. You can choose a root CA certificate from the drop-down, or Import a new certificate.
    4. Click OK.
    5. Commit your changes.
  9. Check your connection to make sure Workspace ONE device data is transferred to GlobalProtect.
    1. Open the Windows-based User-ID agent and select MDM Integration > Mobile Devices. You should see a list of unique device IDs and user names for all the devices managed by Workspace ONE.
    2. (Optional) You can Filter the list to find a specific Mobile Device.
    3. (Optional) Select a device from the list of device IDs and click Retrieve Device State to extract the latest information about the device and see how it maps to host information profiles on the GlobalProtect gateway.
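If step 9 shows no devices, the usual cause is that the mutual TLS trust from steps 2 and 8 does not verify in one direction or the other. The following Python script is an added example (not part of this documentation or of the User-ID agent or PAN-OS) that reproduces the gateway's side of the handshake from any host that can reach the agent: it trusts the agent's root CA, presents the gateway's client certificate, and confirms that the agent's server certificate CN equals the hostname/IP that was dialled. The file names, hostname, and the assumption that the agent speaks standard TLS on the Gateway Connection TCP Port are placeholders and assumptions, not values from the page.

```python
import socket
import ssl
from typing import Optional


def peer_common_name(peercert: dict) -> Optional[str]:
    """Pull the subject CN out of the dict that ssl.SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("subject", ()):
        for attr_type, attr_value in rdn:
            if attr_type == "commonName":
                return attr_value
    return None


def cn_matches(peercert: dict, expected_host: str) -> bool:
    """Step 2 requires the agent's server certificate CN to equal the hostname/IP
    the gateway connects to; SAN-only matches (which TLS accepts) are not enough."""
    cn = peer_common_name(peercert)
    return cn is not None and cn.lower() == expected_host.lower()


def build_gateway_context(root_ca_pem: str, client_cert_pem: str, client_key_pem: str,
                          key_password: Optional[str] = None) -> ssl.SSLContext:
    """Mirror the gateway side of step 8: trust the root CA that issued the agent's
    server certificate and present the MDM client certificate when connecting."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=root_ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(client_cert_pem, client_key_pem, password=key_password)
    return ctx


def probe_mdm_service(ctx: ssl.SSLContext, host: str, port: int = 5008) -> str:
    """Complete a mutually authenticated handshake against the agent's Gateway
    Connection TCP Port (default 5008) and return the server CN; raise on failure."""
    with socket.create_connection((host, port), timeout=10) as raw:
        # wrap_socket verifies the chain against the root CA and the hostname/IP.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            if not cn_matches(cert, host):
                raise ssl.CertificateError(f"CN {peer_common_name(cert)!r} != {host!r}")
            return peer_common_name(cert)


if __name__ == "__main__":
    # Placeholder paths and hostname; substitute the files exported in steps 2 and 8.
    context = build_gateway_context("root-ca.pem", "gateway-client.pem", "gateway-client.key")
    print("handshake OK, agent CN:", probe_mdm_service(context, "uid-agent.example.internal"))
```

A handshake that fails before any application data is exchanged points at the certificate chain or CN; a handshake that succeeds but still yields an empty device list points at the Workspace ONE API settings in steps 4 and 5 instead.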
