mirnick
Explorer

Prohibit Capsule and Mobile access connections for Apple devices only.

Can you please tell me if there is a way to restrict access and reset Remote Access connections from Apple hardware?
I need to disable connections to Capsule and Mobile Access only for Apple devices (MacBook and iPhone - macOS, iOS) and leave access from other devices, including Android.
The following solutions were found:
1. SCV check. But as far as I know, this method does not work on macOS and is intended only for Windows devices.
2. Using the Compliance blade. Compliance on macOS is the Compliance blade in Harmony Endpoint. Compliance on iOS/Android is Harmony Mobile. However, we do not have any Harmony products available.
3. Mobile Device Management (MDM). As a result of testing the solution described in sk107207, I was unable to correctly block connections from Apple devices only. Perhaps someone has had experience in configuring this method.

Please advise if it is possible to organize this restriction in Check Point? Perhaps this restriction can be implemented using MAC addresses in some way, but I have not been able to find anything suitable.

0 Kudos
6 Replies
PhoneBoy
Admin

Have you configured MDM Cooperative Enforcement per: https://support.checkpoint.com/results/sk/sk98201?
Otherwise, sk107207 won't work.

I don't believe there is another option at present.

0 Kudos
mirnick
Explorer

Yes, in order for this sk to work, I initially set the following global options:
enabled - 1
monitor_only - 0
fail_open - I tried to use both 1 and 0.

However, I was not able to block connections only from Apple devices and all devices were blocked or allowed.
Could you please tell me if you have any experience in configuring MDM?

0 Kudos
G_W_Albrecht
Legend

Which MDM do you use?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mirnick
Explorer

This field was not modified and the default value was used:
active_vendor (Fiberlink)

0 Kudos
G_W_Albrecht
Legend

You can not use it without MDM.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

The feature in question is called MDM Cooperative Enforcement.
It requires the use of a Mobile Device Management solution.

From the SK:

The Mobile Device Management (MDM) cooperative enforcement feature allows integration of Check Point Mobile VPN clients (Check Point Capsule Workspace, Check Point Capsule VPN, Check Point Capsule Connect) with third party MDM vendors. When the feature is enabled and properly configured - only devices that comply with a (third-party) MDM vendor’s policy will be allowed to connect to a Remote Access gateway. The benefit of this feature is increased security, preventing non-compliant, and potentially security-compromised mobile devices from accessing company resources over VPN.

0 Kudos