
Configuring the AirWatch MDM Service

This solution assumes you know how to configure and use the features of your MDM, and that you can enroll employees and their devices. For more information about the AirWatch MDM, refer to its documentation and support resources. This section focuses on the elements of the MDM configuration that are important to this solution: the device attributes the MDM records for each enrollee (Table 52), and the profile and API settings described in the configuration steps that follow.

When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes information about the enrollee: attributes related to device identity, user identity, and posture assessment against MDM policies. Table 52 describes these attributes. In this solution, these attributes are used in the role mapping that is the basis for network access and resource access policies. When you configure role-mapping rules, you select the normalized Connect Secure attribute name.

Table 52: AirWatch Device Attributes

| AirWatch Attribute | Normalized Connect Secure Name | Description | Data Type |
|---|---|---|---|
| BlockLevelEncryption | BlockLevelEncryption | True if block-level encryption is enabled; false otherwise. | Boolean |
| ComplianceStatus | complianceReason | Values: Compliant, Non-Compliant. | String |
| ComplianceStatus | isCompliant | True if the status is compliant with MDM policies; false otherwise. | Boolean |
| CompromisedStatus | CompromisedStatus | True if the status is compromised; false otherwise. | Boolean |
| CompromisedStatus | isCompromised | True if the device is compromised; false otherwise. | Boolean |
| DataProtectionEnabled | DataProtectionEnabled | True if data protection is enabled; false otherwise. | Boolean |
| DeviceFriendlyName | deviceName | The concatenated name used to identify the device/user combination. | String |
| EnrollmentStatus | isEnrolled | True if the MDM value is Enrolled; false otherwise. | Boolean |
| FileLevelEncryption | FileLevelEncryption | True if file-level encryption is enabled; false otherwise. | Boolean |
| Id.Value | deviceId | Device identifier. | String |
| Imei | IMEI | IMEI number of the device. | String |
| IsPasscodeCompliant | IsPasscodeCompliant | True if the passcode is compliant with the MDM policy; false otherwise. | Boolean |
| IsPasscodePresent | IsPasscodePresent | True if a passcode has been configured; false otherwise. | Boolean |
| LastComplianceCheckOn | LastComplianceCheckOn | The refresh date and timestamp of the last status reported. | Timestamp |
| LastCompromisedCheckOn | LastCompromisedCheckOn | The refresh date and timestamp of the last status reported. | Timestamp |
| LastSeen | lastSeen | Date and time the device last made successful contact with the MDM. | Timestamp |
| LocationGroupName | LocationGroupName | MDM location group configuration value. | String |
| MacAddress | macAdress | The Wi-Fi MAC address. | String |
| Model | model | Model, as automatically reported by the device during registration. | String |
| OperatingSystem | osVersion | OS version. | String |
| Ownership | ownership | Values: C, E, or S (Corporate, Employee, or Shared). | String |
| PhoneNumber | phoneNumber | Phone number entered during registration. | String |
| Platform | platform | Platform specified during registration. | String |
| SerialNumber | serialNumber | Serial number. | String |
| Udid | UDID | Unique device identifier. | String |
| UserEmailAddress | userEmail | E-mail address of the device user. | String |
| UserName | userName | Name of the device user. | String |
| Uuid | UUID | Universally unique identifier. | String |

To configure the MDM:

  1. Enroll devices in the MDM using the methods supported by the MDM.
  2. Create a profile. The profile determines many MDM management options. The following configurations are key to this solution:
     a. Certificate template. Create a configuration that specifies the field and type of identifier for client device certificates. See Figure 39.

        The MDM configuration templates provide flexibility in how the device identifier can be placed in the device certificate's subject or subject alternative name. We recommend you include the user ID in the certificate, so that the certificate can identify both the user and the device. For example:

        CN=<EnrollmentUser>, serialNumber=<DeviceUid>, o=Company

     b. Credential profile. Create a configuration that specifies the certificate authority and the certificate template configuration. See Figure 40.
     c. VPN profile. Create a configuration that specifies the system VPN, security options, and the credential configuration. See Figure 41.
  3. Save and deploy the profile to devices registered with your organization. See Figure 42.
  4. Enable API access and generate the AirWatch API key (tenant code). The tenant code is part of the REST API configuration; it must be entered in the system's MDM server configuration, and it is sent with each API call. See Figure 43.
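As an added illustration (not Pulse Connect Secure or AirWatch code), the following Python normalizes a constructed AirWatch device record to the Table 52 attribute names, parses a certificate subject built from the template in step 2a, and evaluates a hypothetical set of role-mapping rules over the normalized attributes. The record values, the role names, the rules themselves, and the assumption that the serialNumber RDN carries the device UDID are all constructed for the example.

```python
from datetime import datetime, timedelta

SAMPLE_RECORD = {  # constructed record: attribute names from Table 52, values invented
    "ComplianceStatus": "Compliant", "CompromisedStatus": False, "EnrollmentStatus": "Enrolled",
    "Id": {"Value": "12345"}, "IsPasscodePresent": True, "IsPasscodeCompliant": True,
    "LastSeen": "2020-01-15T08:30:00Z", "Ownership": "E", "SerialNumber": "F2LXYZ123",
    "Udid": "a1b2c3", "UserName": "jdoe", "UserEmailAddress": "jdoe@example.com",
}
SAMPLE_SUBJECT = "CN=jdoe, serialNumber=a1b2c3, o=Company"  # follows the template in step 2a

def parse_ts(s):
    """Parse the MDM's UTC timestamp ('...Z') into a timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(rec):
    """Map AirWatch attributes to the normalized Connect Secure names of Table 52."""
    return {
        "complianceReason": rec["ComplianceStatus"],
        "isCompliant": rec["ComplianceStatus"] == "Compliant",  # string status -> Boolean
        "isCompromised": bool(rec["CompromisedStatus"]),
        "isEnrolled": rec["EnrollmentStatus"] == "Enrolled",
        "deviceId": rec["Id"]["Value"],
        "IsPasscodePresent": bool(rec["IsPasscodePresent"]),
        "IsPasscodeCompliant": bool(rec["IsPasscodeCompliant"]),
        "lastSeen": parse_ts(rec["LastSeen"]),
        "ownership": rec["Ownership"],
        "serialNumber": rec["SerialNumber"],
        "UDID": rec["Udid"],
        "userName": rec["UserName"],
        "userEmail": rec["UserEmailAddress"],
    }

def parse_subject(subject):
    """Split 'CN=<EnrollmentUser>, serialNumber=<DeviceUid>, o=Company' into a dict."""
    return dict(part.strip().split("=", 1) for part in subject.split(","))

def map_roles(attrs, subject, now):
    """Hypothetical rules: the certificate must name the MDM record's user and device (the
    serialNumber RDN is assumed to carry the UDID); the device must be enrolled, compliant,
    uncompromised, passcode-protected and seen within 24 hours; ownership selects the role."""
    rdn = parse_subject(subject)
    if rdn.get("CN") != attrs["userName"] or rdn.get("serialNumber") != attrs["UDID"]:
        return set()
    if not (attrs["isEnrolled"] and attrs["isCompliant"] and not attrs["isCompromised"]
            and attrs["IsPasscodePresent"] and attrs["IsPasscodeCompliant"]):
        return set()
    if now - attrs["lastSeen"] > timedelta(hours=24):
        return set()
    return {"Full-Access"} if attrs["ownership"] in ("C", "E") else {"Limited-Access"}
```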

Figure 39: AirWatch Certificate Template Configuration

Figure 40: AirWatch Profile Credential Configuration

Figure 41: AirWatch Profile VPN Configuration

Figure 42: Deploying a Profile to Your Organization’s Managed Devices

Figure 43: AirWatch API Tenant Code Configuration