CounterACT Plugin Configuration Guide for
ForeScout Mobile Integration Module – MaaS360
Version 1.0.1
Table of Contents
About the MaaS360 Integration
  ForeScout MDM
  Additional Documentation
About this Plugin
  How it Works
    Continuous Query Refresh
  Supported Devices
  Supported Network Infrastructures
  What to Do
  Accessing Fixes Made after this Release
Requirements
  Version Requirements
    CounterACT / Hotfix Requirements
    Additional Plugin Requirements
  Registration and Activation Requirements
    MaaS360 Registration and Activation
  Networking Requirements
  Endpoint Requirements
Installation and Configuration
  Test Plugin Communication with the MaaS Service
Displaying Inventory Data
MaaS360 Policy Templates
  MaaS360 Device Manageability Policy Template
    Using the MaaS360 Device Manageability Template
  MaaS360 Device Compliance Policy Template
    Using the MaaS360 Device Compliance Template
  Creating Unauthorized Application Lists
Working with CounterACT Policies
  Detecting MaaS360 Devices - Policy Properties
    Core Attributes
    Security and Compliance
    Hardware Inventory
    Network Information
    Additional Information
    Open Property Search
  Tag MaaS360 Devices - Policy Actions
    Custom Attribute Value Action
    Refresh Device Information Action
About the MaaS360 Integration
ForeScout MDM helps IT administrators streamline the process to provision, manage and
secure today’s expanding suite of smartphones and tablets, all from a single portal. ForeScout
MDM for mobile devices is an easy to use platform that includes all of the essential
functionality for end-to-end management of iOS and Android devices.
This means with a single unified security management and reporting system, you can ensure
that your network is secured, regardless of the type of device a user may be carrying.
Instead of implementing new security silos that are limited to mobile devices, you can extend
your PC and network security systems to encompass mobile devices.
ForeScout MDM
ForeScout MDM is a cloud-based solution, enabling quick and easy deployment, enrollment,
monitoring, management and support. Together with ForeScout CounterACT, ForeScout
MDM provides a whole new level of centralized visibility and control for actionable insights
into your entire computing landscape.
- Secure all Mobile Devices: ForeScout MDM supports all major smartphone
  and tablet platforms, including iOS and Android, in both Exchange and Lotus
  Notes environments.
- Embrace BYOD: ForeScout MDM provides workflows to discover, enroll,
  manage and report on personally owned devices as part of your mobile device
  operations.
- Experience simple device enrollment and approval: ForeScout MDM
  provides auto-quarantine for Exchange, and alerts IT personnel to approve all
  new devices. Additionally, it provides for easy user self-enrollment via web,
  email or SMS.
Additional Documentation
Refer to the documents at the following location for more technical information about the
ForeScout MDM solution. http://updates.forescout.com/online/help/mdm/ForeScout_MDM_doc.pdf
About this Plugin
Integration with CounterACT lets you deliver a comprehensive MDM solution that provides
powerful monitoring and enforcement capabilities not available when working solely with the
MaaS360 solution. Use the MaaS360 Integration Plugin to complete the cycle of security by
obtaining valuable capabilities:
- Automated real-time, continuous detection and compliance of mobile devices
  the moment they try to connect to your network, including unmanaged and
  unknown devices.
- Unified network access control policy enforcement options.
  - Allow compliant and managed devices on the network.
  - Limit network access based on device type, device ownership, time of day,
    and device compliance. The limited access network can allow access to a
    subset of applications and data, blocking access to more sensitive
    corporate resources.
  - Block noncompliant devices or specific types of devices from your
    network completely.
- Tag devices at the MaaS360 console, based on CounterACT detections.
- Enhance CounterACT inventory by populating it with MaaS360 information.
How it Works
The MaaS360 Integration Plugin queries the MaaS360 service for device attributes, for
example core attributes, security and compliance information, hardware inventory and network
information. All MaaS360 queries are performed by a single CounterACT Appliance that is
designated for this purpose. This designated CounterACT Appliance, herein called the
MaaS360 Connected Appliance, retrieves information from other CounterACT Appliances and
the CounterACT Enterprise Manager and forwards the information to the MaaS360 service.
Similarly, the MaaS360 Connected Appliance retrieves information from the MaaS360
service and forwards it to other CounterACT Appliances and the CounterACT Enterprise
Manager.
Port 5223/TCP must be open for outbound traffic.
Continuous Query Refresh
MaaS360 query mechanisms recheck endpoint attributes at a static frequency, approximately
once a day. However, after plugin installation, querying of endpoint properties is based on
CounterACT policy recheck definitions, that is, the conditions under which to recheck hosts
that match the policy. Specifically, you can define:
- How often hosts are rechecked once they match a policy
- Under what conditions to carry out the recheck
This ensures continuous, real-time endpoint evaluation that can be customized for each
CounterACT policy.
Queries for device core attributes are initiated on the basis of the endpoint MAC address. Core
attribute results return the device ID, which is used for further queries. As such, it is required
that CounterACT learn endpoint MAC addresses in order to initiate the query process. You can
use the MaaS360 Manageability Policy template to detect hosts at which MAC addresses are
not learned. See MaaS360 Device Manageability Policy Template for details.
Supported Devices
The following devices are supported by ForeScout MDM:
- iOS
- Android
- BlackBerry
- Windows Mobile
- Symbian
The following devices are supported by the MaaS360 Integration Plugin:
- iOS
- Android
For exact OS version support, refer to the MaaS360 documentation:
http://updates.forescout.com/online/help/mdm/ForeScout_MDM_doc.pdf
Supported Network Infrastructures
Devices connected to the network via a WiFi connection.
What to Do
To use the MaaS360 Integration Plugin, perform the following tasks:
1. Verify that you have met software and networking requirements.
See Requirements.
2. Install, configure and test the plugin.
See Installation and Configuration.
3. Create CounterACT policies that detect, manage and remediate devices.
See MaaS360 Policy Templates and Working with CounterACT Policies.
4. Connect to the ForeScout MaaS360 Console to configure device policies:
http://mdm.forescout.com/login
Refer to the documents at the following location for more technical information about the
ForeScout MDM solution.
http://updates.forescout.com/online/help/mdm/ForeScout_MDM_doc.pdf
Accessing Fixes Made after this Release
New issues may be discovered and fixed after this release. These fixes will be made available
as Beta fixes to the upcoming plugin version until the final version is posted on the ForeScout
customer support page.
You can access information about Beta fixes for the upcoming version at:
http://updates.forescout.com/support/files/plugins/fiberlink/1.0.1/Updates.pdf
In addition, you can contact the ForeScout Beta Manager at [email protected] to request the
Beta plugin update with the fixes.
Requirements
This section lists version, registration and networking requirements.
Version Requirements
This section lists version requirements.
CounterACT / Hotfix Requirements
CounterACT version 6.3.4.1, Hotfix 6.0 or above.
CounterACT version 6.3.4.10, Hotfix 1.0 or above.
Additional Plugin Requirements
HPS – Inspection Engine Plugin version 9.4.3 or above.
User Directory Plugin version 5.4.3 or above.
Registration and Activation Requirements
This section lists registration and activation requirements.
MaaS360 Registration and Activation
1. Register for access to the MaaS360 service at:
http://mdm.forescout.com
The service is available as a 30-day free trial.
2. Activate the registration by sending an activation request to:
You will receive an email response with information required for configuring the
plugin, as well as other information.
Networking Requirements
Mobile devices managed by the MaaS360 service cannot establish a connection to the
MaaS360 cloud service via a proxy. If a proxy is set up on the enterprise network, you must
open port TCP/5223 to 17.0.0.0/8 on the enterprise firewall. By doing this, the proxy is
bypassed when the mobile device accesses the MaaS360 service.
Endpoint Requirements
Queries for device core attributes are initiated on the basis of the endpoint MAC address. Core
attribute results return the device ID, which is used for further queries. As such, it is required
that CounterACT learn endpoint MAC addresses in order to initiate the query process. You can
use the MaaS360 Manageability Policy template to detect hosts at which MAC addresses are
not learned. See MaaS360 Device Manageability Policy Template for details.
Installation and Configuration
This section describes how to install, configure and test the MaaS360 Integration Plugin. The
configuration is used to ensure that the plugin can communicate with the MaaS360 service.
To install:
1. After registering for the trial at http://mdm.forescout.com, you will receive an email
that provides a download link.
2. Download and save the plugin installation file to the machine where the CounterACT
Console is installed.
3. Log in to CounterACT and select Options from the Tools menu.
4. Select Plugins. The Plugins pane opens.
5. Select the Install button. The Open dialog box opens.
6. Navigate to the location where you saved the plugin installation file.
7. Select Install.
Once installed, the MaaS360 Integration Plugin automatically adds a MaaS360 HTTP
Redirect exception to the CounterACT NAC Redirect Exception list. CounterACT NAC
HTTP redirect exceptions are designed to ensure users can access business essential
Internet sites or important files on the Internet while allowing required HTTP blocking
and redirection. In this case, incorporating an m.dm exception and a fiberlink
exception ensures that devices can enroll with the MaaS360 service and still receive
required HTTP notifications. See MaaS360 Device Manageability Policy Template
for more information about this exception.
8. Start the plugin:
   - Select Mobile Integration – MaaS360 from the Plugins pane.
   - Select the Start button.
To configure the plugin:
1. Select Mobile Integration - MaaS360 from the Options window. The configuration is
used to ensure that the plugin can communicate with the MaaS360 service.
2. Enter the following details about the MaaS360 service.
   - MaaS360 Web Service Billing ID*. (This information is used in the
     Manageability template HTTP notification actions when redirecting
     endpoint Web sessions to the MDM enrollment site. See the MaaS360
     Device Manageability Policy Template for details.)
   - MaaS360 Application ID*
   - MaaS360 Access Key*
   - MaaS360 Authentication Username
   - MaaS360 Authentication Password
   This information is provided by email after you activate your registration. See
   Registration and Activation Requirements for details.
3. In the MaaS360 Connected Appliance drop-down list, select the name of an
Appliance that will serve as a proxy between the MaaS service and the Enterprise
Manager and enterprise Appliances. The CounterACT device listed here is the only
device that will communicate directly with the MaaS360 service. An Enterprise
Manager may not be selected here.
4. Select the Advanced tab.
5. The MaaS360 Web Service URL Name field displays default values.
6. The MaaS360 Application Version field displays default values.
7. The MaaS360 Platform ID field displays default values.
8. In the MaaS360 Query Threshold field, define the maximum number of query
requests to the MaaS360 service per threshold interval (defined in the following field).
9. In the MaaS360 Query Threshold Interval (Seconds) field, define the frequency at which
the plugin should query the MaaS360 service.
10. Select the Use a Proxy Server checkbox if there is a proxy between the MaaS360
Connected Appliance and the MaaS360 service in the cloud.
11. Enter the IP address of the proxy server in the DNS Name or IP Address of the
Proxy Server field.
12. Enter the required proxy server port in the Port Number field.
Test Plugin Communication with the MaaS Service
Test the plugin communication with the MaaS service.
To test communication:
1. Select the Test tab.
2. In the Device MAC Address field, enter the MAC address of a device in order to test
plugin communication with the MaaS service. Do not enter colons. Use lower case.
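The following Python sketch is an added example, not ForeScout code. It puts MAC addresses into the form the Test tab asks for and estimates whether a Query Threshold and Query Threshold Interval setting leaves enough request budget for one full pass over the queryable hosts. The fixed-window behaviour, the cost of two requests per device, the function names and the sample hosts are assumptions.

```python
import math
import re

_MAC_RE = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 lower-case hex digits without separators
    (the form the Test tab asks for), or None if it is not a valid MAC."""
    if not raw:
        return None
    candidate = re.sub(r"[:.\-\s]", "", raw).lower()
    return candidate if _MAC_RE.fullmatch(candidate) else None


def plan_queries(hosts, threshold, interval_s, queries_per_device=2):
    """Estimate the request budget one full pass over the hosts consumes.

    Assumptions (not taken from the guide): the threshold is enforced as a
    fixed window of interval_s seconds, and every device costs
    queries_per_device requests (a core-attribute lookup by MAC address,
    then follow-up queries by device ID).
    """
    if min(threshold, interval_s, queries_per_device) < 1:
        raise ValueError("threshold, interval and per-device cost must be >= 1")
    queryable, unqueryable = {}, []
    for host in hosts:
        mac = normalize_mac(host.get("mac"))
        if mac is None:
            # No learned MAC: the core-attribute query cannot be started.
            unqueryable.append(host["ip"])
        else:
            queryable.setdefault(mac, host["ip"])  # one query set per MAC
    total = len(queryable) * queries_per_device
    windows = math.ceil(total / threshold)
    return {
        "queryable": queryable,
        "unqueryable": unqueryable,
        "total_requests": total,
        "windows": windows,
        "pass_seconds": windows * interval_s,
    }


def recheck_is_sustainable(plan, recheck_s):
    """True if one full pass fits inside the policy recheck period."""
    return plan["pass_seconds"] <= recheck_s


# Constructed sample hosts (not from the guide).
SAMPLE_HOSTS = [
    {"ip": "10.0.8.21", "mac": "00:1A:2B:3C:4D:5E"},
    {"ip": "10.0.8.22", "mac": "001a.2b3c.4d5f"},
    {"ip": "10.0.8.23", "mac": "00-1A-2B-3C-4D-60"},
    {"ip": "10.0.8.24", "mac": None},            # MAC address not learned
    {"ip": "10.0.8.25", "mac": "00:1A:2B:3C"},   # truncated value
    {"ip": "10.0.8.26", "mac": "001A2B3C4D5E"},  # same device as 10.0.8.21
]

if __name__ == "__main__":
    plan = plan_queries(SAMPLE_HOSTS, threshold=2, interval_s=60)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("fits a 1 hour recheck:", recheck_is_sustainable(plan, 3600))
```

Hosts reported as unqueryable here correspond to the hosts without a learned MAC address that the MaaS360 Device Manageability template detects.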
Displaying Inventory Data
Use the CounterACT Inventory to view a real-time display of MaaS360 device network
activity at multiple levels, for example, software installed, core attributes or hardware
information.
The inventory lets you:
- Broaden your view of the organizational network from device-specific to
  activity-specific.
- View MaaS360 devices that have been detected with specific attributes.
- Easily track MaaS360 device activity.
- Incorporate inventory detections into policies.
To access the inventory:
1. Select the Inventory icon from the Console toolbar.
2. Navigate to the MaaS360 entries.
The following information is available:
- Core Attributes: Device Type, Platform Name
- Hardware Inventory: Manufacturer, Model, Operating System
- Software Installed
Refer to the CounterACT Console User’s Manual or the Console Online Help for information
about how to work with the CounterACT Inventory.
MaaS360 Policy Templates
Two templates are available for detecting, managing and remediating MaaS360 devices:
- MaaS360 Device Manageability Policy Template
- MaaS360 Device Compliance Policy Template
MaaS360 Device Manageability Policy Template
Use this policy to detect unmanageable MaaS360 devices. Devices that are unmanageable:
- Have not been detected with a MAC address.
  Queries for device core attributes are initiated on the basis of the endpoint MAC
  address. Core attribute results return the device ID, which is used for further queries.
- Cannot be accessed via CounterACT at the MaaS360 Cloud
- Are not listed with the MaaS360 service
- Have not enrolled with the MaaS360 service
Remediation options, disabled by default, let you block unmanageable devices from the
corporate network and redirect device user web sessions to a page where they can register for
the purpose of becoming manageable.
Prerequisites
- Consider which hosts you want to inspect. The policy does not handle hosts
  outside of the Internal Network.
- You should run the Asset Classification template first. The Hand Held group
  generated when running the Asset Classification template is included in
  MaaS360 Device Manageability template Scope. The template was most likely
  run during initial CounterACT setup.
- Verify that you have configured the MaaS360 Integration Plugin.
Using the MaaS360 Device Manageability Template
This section describes how to use the MaaS360 Device Manageability template.
To use the MaaS360 Device Manageability template:
1. Select Add from the Policy Manager.
2. Navigate to the Mobile > MaaS360 folder and select the MaaS360 Device
Manageability template.
3. Select Next. The Name page opens.
4. Accept the default name or change it as required and enter a description.
5. Select Next. The Scope dialog box opens. Use the dialog box to define which hosts
should be inspected.
6. Select one of the following from the IP Address Range dialog box. Your selection
appears in the IP Ranges section of the Scope page.
   - Select the All button to include all IP addresses.
   - Insert an IP address range.
   - Select a network segment.
The Hand Held group, generated from the Asset Classification policy, is automatically
included in the Filter by Group section of the Scope. This ensures that only mobile
devices are inspected.
7. Select Next. The Enrollment Address page opens.
8. The address listed here is retrieved from the billing ID that you defined in the
MaaS360 Web Service Billing ID field of the plugin configuration, and is used to
redirect the endpoint user to enroll with the MaaS360 service. After enrollment,
devices can be managed.
9. Select Next. The Sub-Rules page opens. This page displays policy conditions and
actions.
10. Policy conditions tell CounterACT how to detect hosts. Unmanageable hosts are
detected according to the following criteria:
   - Hosts without a MAC address
   - Hosts not listed with the MaaS360 service
   - Hosts not enrolled with the MaaS360 service
The policy condition also verifies that CounterACT has access to the MaaS360 Cloud
service. Hosts are inspected by each sub-rule in the order shown, until a match is
found.
11. Policy actions instruct CounterACT how to respond to endpoints that are not enrolled
or listed.
   - Add to Group: Endpoints are automatically added to the CounterACT
     groups MaaS360 Not Listed and MaaS360 Not Enrolled. You can add
     these groups to other policy scopes for further handling.
   - Virtual Firewall: Blocks all endpoint traffic, with the exception of traffic
     transmitted at port 80/TCP. This action is disabled by default.
   - HTTP Notification: Endpoint web sessions are redirected to a page where
     users can register for the purpose of becoming manageable. See About
     HTTP Notification Actions. This action is disabled by default.
About Enrollment
This section describes how the device enrollment process works.
When working with the template HTTP redirection actions, unmanageable endpoint web
sessions are redirected to a MaaS360 enrollment site where users can register for the purpose
of becoming manageable, i.e. they are enrolled and listed with the MaaS360 service. This
action is disabled by default.
The device user is redirected to the following location:
https://services.fiberlink.com/dp/a.htm?c=1016686
The user will be required to authenticate using Active Directory.
To ensure the enrollment process, verify that you have reviewed System Requirements for the
Cloud Extender for User Authentication and User Visibility Modules (MaaS360 for Mobile
Devices). A link to this information can be found at
http://updates.forescout.com/online/help/mdm/ForeScout_MDM_doc.pdf (ForeScout MDM
Technical Documentation and Support Contacts). Follow the link to Installation Guide for
Cloud Extender.
About HTTP Notification Actions
This section describes automated processes that occur when using HTTP notification actions,
available when working with the Not Listed and Not Enrolled sub-rules.
- CounterACT HTTP Redirect Exceptions
- Billing ID
CounterACT HTTP Redirect Exceptions
To avoid blocking access to the MDM enrollment site when working with the HTTP
Notification actions, the MDM enrollment link is automatically added to the CounterACT
NAC Redirect exception list. This list is designed to ensure that users can access business
essential Internet sites or important files on the Internet while allowing required HTTP
blocking and redirection. In this case, incorporating an m.dm exception and a fiberlink
exception ensures that devices can enroll with the MaaS360 service and still receive required
HTTP notifications. This redirect exception is automatically created when the plugin is
installed.
MaaS360 Web Service Billing ID
The MaaS360 Web Service Billing ID URL entered in the MaaS360 Web Service
Configuration tab of the plugin configuration is automatically placed in the HTTP
notification sent when working with the Not Listed and Not Enrolled sub-rules. This link
leads to the MaaS360 enrollment site.
The URL is originally received after activating your registration. See Registration and
Activation Requirements for details.
MaaS360 Device Compliance Policy Template
Use this policy to detect compliant MaaS360 devices. Devices that are compliant:
- Are not running unauthorized applications
- Are not jailbroken or rooted
- Are compliant based on MaaS360 criteria
- Have installed the Fiberlink App
Remediation options, disabled by default, let you block non-compliant devices from the
corporate network and redirect device user web sessions to a remediation notification page.
Prerequisites
- In order to detect unauthorized applications you must create an unauthorized
  application list in CounterACT. See Creating Unauthorized Application Lists.
- Verify that you can detect the MAC address of devices that you are inspecting.
- Consider which hosts you want to inspect. The policy does not handle hosts
  outside of the Internal Network.
- You should run the MaaS360 Device Manageability template before running
  this template. The MaaS360 Devices Enrolled group generated when running
  the MaaS360 Device Manageability template is included in the MaaS360
  Device Compliance template scope.
Using the MaaS360 Device Compliance Template
This section describes how to use the MaaS360 Device Compliance template.
To use the MaaS360 Device Compliance template:
1. Select Add from the Policy Manager.
2. Navigate to the Mobile > MaaS360 folder and select the MaaS360 Device Compliance
template.
3. Select Next. The Name page opens.
4. Accept the default name or change it as required and enter a description.
5. Select Next. The Scope dialog box opens.
6. Select one of the following from the IP Address Range dialog box. Your selection
appears in the IP Ranges section of the Scope page.
   - Select the All button to include all IP addresses.
   - Insert an IP address range.
   - Select a network segment.
The MaaS360 Devices Enrolled group, generated from the MaaS360 Device
Manageability policy, is automatically included in the Filter by Group section of the
Scope. This ensures that only enrolled (manageable) devices are inspected.
7. Select Next.
8. The Sub-Rules page opens. This page displays policy conditions and actions.
9. Policy conditions tell CounterACT how to detect hosts. Devices that are not compliant
are detected according to the following criteria:
   - Devices that are running unauthorized applications
   - Devices that are jailbroken (iOS) or rooted (Android)
   - Devices that are not compliant based on MaaS360 criteria
   - Devices that have not installed the Fiberlink App
10. Policy actions instruct CounterACT how to respond to endpoints that are not
compliant.
   - Add to Group: Endpoints are automatically added to the MaaS360 - Non
     Compliance Devices group. You can add this group to other policy scopes
     for further handling.
   - Virtual Firewall: Blocks all endpoint traffic, with the exception of traffic
     transmitted at port 80/TCP. This action is disabled by default.
   - HTTP Notification: Endpoint web sessions are redirected. A notification
     page is displayed indicating the non-compliance issue detected, warning the
     user that access to the corporate network is blocked, and instructing the
     user to contact IT to remediate the issue. This action is disabled by default.
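The first-match sub-rule evaluation described for the Manageability and Compliance templates, modelled here as an added Python example that is not ForeScout code. The sub-rule order, the sub-rule names other than Not Listed, Not Enrolled and Unauthorized Applications Installed, the host fields and the sample data are assumptions; treating any compliance state other than In Compliance as a match is this example's fail-closed choice.

```python
# Hypothetical entries in the CounterACT unauthorized applications list.
UNAUTHORIZED_APPS = {"ExampleTorrent", "ExampleKeylogger"}

# Sub-rules as (name, condition) pairs, checked in order. The ordering is an
# assumption; the Sub-Rules page of each template shows the real one.
MANAGEABILITY_RULES = [
    ("No MAC Address", lambda h: not h.get("mac")),
    ("Cloud Not Accessible", lambda h: not h.get("cloud_reachable", True)),
    ("Not Listed", lambda h: h.get("managed_status") is None),
    ("Not Enrolled", lambda h: h.get("managed_status") != "Enrolled"),
]

COMPLIANCE_RULES = [
    ("Unauthorized Applications Installed",
     lambda h: bool(UNAUTHORIZED_APPS & set(h.get("software", [])))),
    ("Jailbroken or Rooted",
     lambda h: bool(h.get("jailbroken") or h.get("rooted"))),
    # Fail closed: "Not Available" and a missing value both match.
    ("Not Compliant per MaaS360",
     lambda h: h.get("compliance_state") != "In Compliance"),
    ("Fiberlink App Not Installed", lambda h: not h.get("fiberlink_app", False)),
]

# Group names as given in the guide.
UNMANAGEABLE_GROUPS = {
    "Not Listed": "MaaS360 Not Listed",
    "Not Enrolled": "MaaS360 Not Enrolled",
}
ENROLLED_GROUP = "MaaS360 Devices Enrolled"
NON_COMPLIANT_GROUP = "MaaS360 - Non Compliance Devices"


def first_match(host, rules):
    """Return the name of the first sub-rule that matches, else None."""
    for name, condition in rules:
        if condition(host):
            return name
    return None


def evaluate(host):
    """Run the manageability sub-rules, then compliance for enrolled hosts."""
    groups = []
    unmanageable = first_match(host, MANAGEABILITY_RULES)
    noncompliant = None
    if unmanageable is None:
        # Only the enrolled group is in scope of the compliance template.
        groups.append(ENROLLED_GROUP)
        noncompliant = first_match(host, COMPLIANCE_RULES)
        if noncompliant is not None:
            groups.append(NON_COMPLIANT_GROUP)
    elif unmanageable in UNMANAGEABLE_GROUPS:
        groups.append(UNMANAGEABLE_GROUPS[unmanageable])
    return {"unmanageable": unmanageable, "noncompliant": noncompliant,
            "groups": groups}


# Constructed sample hosts keyed by IP address (not from the guide).
SAMPLE_HOSTS = {
    "10.0.8.21": {"mac": None},
    "10.0.8.22": {"mac": "001a2b3c4d5f", "managed_status": None},
    "10.0.8.23": {"mac": "001a2b3c4d60",
                  "managed_status": "User Removed Control"},
    "10.0.8.24": {"mac": "001a2b3c4d61", "managed_status": "Enrolled",
                  "rooted": True, "software": ["ExampleTorrent", "Mail"],
                  "compliance_state": "Out of Compliance",
                  "fiberlink_app": True},
    "10.0.8.25": {"mac": "001a2b3c4d62", "managed_status": "Enrolled",
                  "software": ["Mail"], "compliance_state": "In Compliance",
                  "fiberlink_app": True},
    "10.0.8.26": {"mac": "001a2b3c4d63", "managed_status": "Enrolled",
                  "compliance_state": "Not Available", "fiberlink_app": True},
}

if __name__ == "__main__":
    for ip, host in SAMPLE_HOSTS.items():
        print(ip, evaluate(host))
```

Host 10.0.8.24 is both rooted and running a listed application, but only the first matching sub-rule is reported, so sub-rule order decides which reason an operator sees.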
Creating Unauthorized Application Lists
In order to work with the MaaS360 Compliance Policy template, you will need to compile a
list of applications that you want to prohibit on your network.
An unauthorized applications list is automatically created using the CounterACT Lists feature
when the plugin is installed. You will need to add the applications you want to prohibit to the
predefined List. The list is automatically incorporated into the Unauthorized Applications
Installed sub-rule.
To add an application to the list:
1. Select the Options icon from the Console toolbar and then select Lists.
2. Select the Edit button. The Edit List dialog box opens.
3. Select the Add button. The Add Value dialog box opens.
4. Enter the name of the application you want to prohibit, and select OK.
5. Enter a description of the application in the Description field of the Edit List dialog
box, and select OK. The application appears in the Lists Manager.
6. The following options are available for creating lists of unauthorized applications:
Working with CounterACT Policies
This section describes how to use CounterACT policies to detect and control MaaS360
devices. Create or edit a policy and use policy conditions to detect these devices with specific
properties.
To create a policy:
1. Log in to the CounterACT Console.
2. Select the Policy icon from the Console toolbar.
3. Create or edit a policy. For information about working with policies, select the Help
button on the policy wizard.
Detecting MaaS360 Devices - Policy Properties
CounterACT policy conditions and properties let you instruct CounterACT which MaaS360
devices to detect, for example devices with specific restrictions.
From a policy that you have created, expand the MaaS360 folder to select properties to be
included in the policy condition. An extensive range of properties can be detected. The
categories include:
- Core Attributes
- Security and Compliance
- Hardware Inventory
- Network Information
- Additional Information
- Open Property Search
Core Attributes
MaaS360 Device ID: Indicates the MaaS360 device ID.
MaaS360 Device Name: Indicates the MaaS360 device name.
MaaS360 Device Online: Indicates if the MaaS360 device is online.
MaaS360 Device Status: Indicates the MaaS360 device active status, including:
- Device Active
- Device Not Active
MaaS360 Last Reported: Indicates the date/time of the last reported event on a host.
MaaS360 Managed Status: Indicates the managed status of the MaaS360 device including:
- Enrolled
- Not Active
- Not Enrolled
- Pending Control Removal
- User Removed Control
MaaS360 Platform Name: Indicates the platform on which the MaaS360 device is running:
- Android
- iOS
MaaS360 User Name: Indicates the user name associated with the MaaS360 device.
Security and Compliance
MaaS360 Android Device Rooted: Indicates if an enrolled Android device is rooted.
MaaS360 Android Settings Failed to Configure: Indicates if certain settings were not
configured on an Android host.
MaaS360 Compliance State: Indicates the MaaS360 Compliance state of the host, including:
- In Compliance
- Not Available
- Out of Compliance
MaaS360 Device Passcode Status: Indicates the MaaS360 device passcode status including:
- Compliant
- Not Available
- Not Compliant per Profiles
- Not Compliant
- Not Compliant per all Requirements
- Not Enabled
- Passcode Policy Configured
- Passcode Policy Not Configured
- Pending Compliance Confirmation
MaaS360 Device Restrictions: Indicates restrictions configured on the MaaS360 device
including:
- Allow Installing of Applications
- Allow Screen Capture
- Allow Use of Camera
- Allow Use of YouTube
- Allow User of iTunes Music Store
- Allow User of Safari
MaaS360 Hardware Encryption: Indicates if certain hardware encryption values were
detected on the host.
MaaS360 MDM Policy: Indicates an MDM policy applied to the MaaS360 device.
MaaS360 iOS Mailbox Approval State: Indicates the mailbox approval status of the MaaS360
device including:
- Approved
- Blocked
- Device Discovery
- Not Available
- Quarantined
MaaS360 Out of Compliance Reasons: Indicates if certain out of compliance reasons were
detected on the host.
MaaS360 iOS Device JailBroken: Indicates if the MaaS360 device is jailbroken.
Hardware Inventory
MaaS360 Custom Attributes: Indicates devices that were detected with specific MaaS360 device attributes, including an attribute or value.
MaaS360 Email Address: Indicates the Email Address of the MaaS360 device.
MaaS360 Manufacturer: Indicates the manufacturer of the MaaS360 device.
MaaS360 Model: Indicates the model of the MaaS360 device.
MaaS360 Operating System: Indicates the Operating System running on the MaaS360 device.
MaaS360 Ownership: Indicates the ownership of the MaaS360 device.
Network Information
MaaS360 ICCID: Indicates an ICCID value detected on the MaaS360 device.
MaaS360 Phone Number: Indicates the phone number associated with the MaaS360 device.
Additional Information
Maas360 Software Installed: Indicates if specific software is installed on the MaaS360 device.
Connectivity to Maas360 Cloud: Indicates if CounterACT is connected to the MaaS360 cloud.
MaaS360 Listed in Service: Indicates if the device is listed in MaaS360 service.
Open Property Search
If the attributes you are looking for do not appear in any of the MaaS360 folders, you
can use the Open Property search options to discover if a certain attribute exists or
does not exist on a host, and fine-tune the search by looking for attributes that were
detected at a certain date/time, with a certain integer or string.
To work with Open Property tools:
1. Select the MaaS360 Plugin from the Plugin pane, and then select the Test button. The
test results generate a list of attributes that can be used when working with open
properties.
2. Copy an attribute name and paste it into the Attribute name section of a MaaS360
Open Properties property and enter the remaining property information.
MaaS360 Open Property Boolean: Indicates if a specific attribute exists on the device or not.
MaaS360 Open Property Date: Indicates if a specific attribute exists on the device or not and if the attribute was detected at a certain date and time.
MaaS360 Open Property Integer: Indicates if a specific attribute exists on the device or not and if the attribute included a certain integer.
MaaS360 Open Property String: Indicates if a specific attribute exists on the device or not, and if the attribute included a certain string.
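The four Open Property types, modeled as an added example (not ForeScout's code and not part of the original guide). The sample device, its attribute names and the helper function names are constructed; exact integer equality and substring matching are assumptions about how "included" is evaluated.

```python
from datetime import datetime

# Constructed attributes for one device, standing in for names copied from
# the plugin Test output. Names and values are hypothetical.
DEVICE = {
    "lastPolicyUpdate": datetime(2012, 5, 30, 14, 0),
    "freeStorageMB": 512,
    "carrierName": "Example Mobile",
}

def open_boolean(attrs, name, should_exist=True):
    """Boolean: the attribute exists (or does not exist) on the device."""
    return (name in attrs) == should_exist

def open_date(attrs, name, after=None, before=None):
    """Date: the attribute exists and was detected inside a time window."""
    value = attrs.get(name)
    if not isinstance(value, datetime):
        return False  # a missing or wrongly typed attribute never matches
    return (after is None or value >= after) and (before is None or value <= before)

def open_integer(attrs, name, expected):
    """Integer: the attribute exists and equals an integer (assumed equality)."""
    value = attrs.get(name)
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value == expected

def open_string(attrs, name, needle):
    """String: the attribute exists and contains a string (assumed substring)."""
    value = attrs.get(name)
    return isinstance(value, str) and needle in value

def missing_attributes(attrs, required):
    """Names a policy relies on that the device never reported."""
    return [n for n in required if open_boolean(attrs, n, should_exist=False)]

if __name__ == "__main__":
    print(open_integer(DEVICE, "freeStorageMB", 512))
    print(open_string(DEVICE, "encryptionLevel", "AES"))
    print(missing_attributes(DEVICE, ["carrierName", "encryptionLevel"]))
```

Under these assumptions a Date, Integer or String condition is false for a device that never reported the attribute, so a policy meant to catch such devices also needs a Boolean "does not exist" condition.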
Tag MaaS360 Devices - Policy Actions
Custom Attribute Value Action
Detect devices using a CounterACT policy and tag the devices with a user-defined Attribute
Name and Attribute Value. This information is sent to the MaaS360 service cloud. For
example, use CounterACT to detect devices that were resolved as guests and tag them as:
Attribute Name: East Coast Office
Attribute Value: Guest
Devices will appear as East Coast Office Guests at the MaaS360 Console.
Refresh Device Information Action
The Refresh Device Information action triggers the MaaS360 service to refresh MaaS360
attributes on the device.
Legal Notice
Copyright © ForeScout Technologies, 2000-2012. All rights reserved.
The copyright and proprietary rights in the guide belong to ForeScout Technologies. It is strictly forbidden to
copy, duplicate, sell, lend or otherwise use this guide in any way, shape or form without the prior consent of
ForeScout Technologies.
This product is based on software developed by ForeScout Technologies. The products described in this
document are protected by U.S. patent # 6,363,489 issued March 2002 and may be protected by other U.S.
Patents and foreign patents.
Redistribution and use in source and binary forms are permitted, provided that the above copyright notice
and this paragraph are duplicated in all such forms and that any documentation, advertising materials and
other materials related to such distribution and use, acknowledge that the software was developed by
ForeScout Technologies.
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
All other trademarks used in this document are the property of their respective owners.
Send comments and questions regarding documentation to: [email protected]
6/5/12