topic Re: Prohibit Capsule and Mobile access connections for Apple devices only. in Mobile

Prohibit Capsule and Mobile access connections for Apple devices only.

mirnick — Thu, 12 Oct 2023 09:19:28 GMT

Can you please tell me if there is a way to restrict access and reset RemoteAcceses connections from Apple hardware?
I need to disable connections to Capsule and Mobile access only for Apple devices (MacBook and iPhone - iOS, macOS) and leave access from other devices, including Android.
The following solutions were found:
1. SCV check. But this method as far as I know does not work on macOS and is intended only for Windows devices.
2. Using the Compliance blade. Compliance on macos is the Compliance blade in Harmony Endpoint. Compliance on ios/android is Harmony Mobile. However. we do not have any Harmony products available.
3. Mobile Device Management (MDM). As a result of testing the solution described in sk107207, I was unable to correctly block connections from Apple devices only. Perhaps someone has had experience in configuring this method.

Please advise if it is possible to organize this restriction in Checkpoint? Perhaps this restriction can be implemented using mac-addresses in some way, but I have not been able to find something suitable.

Re: Prohibit Capsule and Mobile access connections for Apple devices only.

PhoneBoy — Thu, 12 Oct 2023 17:10:28 GMT

Have you configured MDM Cooperative Enforcement per: https://support.checkpoint.com/results/sk/sk98201?
Otherwise, sk107207 won't work.

I don't believe there is another option at present.

Re: Prohibit Capsule and Mobile access connections for Apple devices only.

mirnick — Fri, 13 Oct 2023 07:25:37 GMT

Yes, in order for this sk to work, I initially performed the following global options:
enabled - 1
monitor_only - 0
fail_open - I tried to use both 1 and 0.

However, I was not able to block connections only from Apple devices and all devices were blocked or allowed.
Could you please tell me if you have any experience in configuring MDM?

Re: Prohibit Capsule and Mobile access connections for Apple devices only.

G_W_Albrecht — Fri, 13 Oct 2023 08:58:40 GMT

Which MDM do you use ?

Re: Prohibit Capsule and Mobile access connections for Apple devices only.

mirnick — Fri, 13 Oct 2023 12:20:48 GMT

This field was not modified and the default value was used:
active_vendor (Fiberlink)

Re: Prohibit Capsule and Mobile access connections for Apple devices only.

G_W_Albrecht — Fri, 13 Oct 2023 12:57:38 GMT

You can not use it without MDM.

Re: Prohibit Capsule and Mobile access connections for Apple devices only.

PhoneBoy — Fri, 13 Oct 2023 21:57:51 GMT

The feature in question is called MDM Cooperative Enforcement.
It requires the use of a Mobile Device Management solution.

From the SK:

The Mobile Device Management (MDM) cooperative enforcement feature allows integration of Check Point Mobile VPN clients (Check Point Capsule Workspace, Check Point Capsule VPN, Check Point Capsule Connect) with third party MDM vendors. When the feature is enabled and properly configured - only devices that comply with a (third-party) MDM vendor’s policy will be allowed to connect to a Remote Access gateway. The benefit of this feature is increased security, preventing non-compliant, and potentially security-compromised mobile devices from accessing company resources over VPN.