IBM MaaS360 integration guide

Integrations with Mobile Device Management (MDM) servers and the Mobile Security console provide the ability to:

  • Synchronize users and devices from the MDM.

  • Provide transparent user access to the GravityZone MTD.

  • Define groups to be used in policies and other configuration items.

  • Provide granular protection mechanisms in addition to the protections built into the GravityZone MTD.

  • Auto-activate the apps through an application configuration push from the MDM and verify the device identifier and user.

To integrate the Bitdefender Mobile Security console with IBM MaaS360, you must set up a connection between the Mobile Security console and the IBM MaaS360 API server.

This connection is made over the Internet using SSL.

Prerequisites

| Item | Specifics |
| --- | --- |
| IBM MaaS360 MDM Enrolled Device | Release 7.2 and above |
| API Administrator Account in IBM MaaS360 Management Console | Proper role defined. |
| IBM MaaS360 Web Service Access | You must have web service access to your IBM MaaS360 environment. |
| Python Access | Access to Python for optional initial setup of IBM MaaS360. |
| MDM Password | Do not use a colon (:) in the MDM access password field, and do not use `password` as the password value. |

The MDM and Mobile Security console communication

The Mobile Security console has been set up to enable API access for sharing data with the IBM MaaS360 console.

When an event is detected, the GravityZone MTD refers to the existing Threat Policy on the device. If the policy specifies a Mobile Device Management (MDM) action, that action is sent to the Mobile Security console.

The console then connects to the appropriate IBM MaaS360 API Server and sends the commands needed to carry out the specified action.

If a user is removed, they are removed from the console as well. Removing them does not delete any of the events linked to that user or device.

Full MDM synchronization

After the initial full synchronization during the MDM integration setup, a scheduled synchronization process runs every four hours.

On demand MDM synchronization

Due to the four-hour MDM synchronization window, there are times when a new MDM user has the mobile app pushed to their device and tries to start it before the device has been synced from the MDM.

The Mobile Security console handles this case by making an on-demand device connection when the app tries to start up but the console has no information for it yet.

For verification, the Mobile Security console gets the customer's identification information from the app and matches it with the right customer.

Once that happens, the Mobile Security console gets the information about the device and user from the MDM that was set up for that customer.

Now the device's mobile app is authorized and may proceed.

Setting up device application deployment

API access

MaaS360 requires these details to generate an authentication token to access their REST APIs.

  • Billing Id

  • App Id

  • App Version

  • Platform Id

  • App Access Key
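An added example (not Bitdefender's or IBM's code) of the token request these five values feed, together with the administrator user name and password, plus the password rules from the prerequisites. The XML element names and the `authToken`/`errorCode` response shape are assumptions based on IBM's published MaaS360 web-services reference and should be checked against your instance; all values are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The five values listed above plus the API administrator credentials.
# Element names are an assumption; verify them in IBM's API reference.
AUTH_FIELDS = ("billingID", "platformID", "appID", "appVersion",
               "appAccessKey", "userName", "password")


def preflight(api_url, settings):
    """Return a list of problems that would break or weaken the integration."""
    problems = []
    if urlparse(api_url).scheme != "https":
        problems.append("API server URL must use https")
    for name in AUTH_FIELDS:
        if not str(settings.get(name, "")).strip():
            problems.append(f"missing value: {name}")
    password = settings.get("password", "")
    if ":" in password:
        problems.append("password must not contain a colon")
    if password == "password":
        problems.append("password must not be the literal 'password'")
    return problems


def build_auth_request(settings):
    """Serialise the request body; ElementTree escapes &, < and > in values."""
    root = ET.Element("authRequest")
    admin = ET.SubElement(root, "maaS360AdminAuth")
    for name in AUTH_FIELDS:
        ET.SubElement(admin, name).text = str(settings[name])
    return ET.tostring(root, encoding="unicode")


def parse_auth_response(xml_text):
    """Return the token, or raise if the server reported an error."""
    root = ET.fromstring(xml_text)
    if root.findtext("errorCode", default="").strip() != "0":
        raise PermissionError("MaaS360 authentication failed")
    return root.findtext("authToken")


# Constructed sample values, not real credentials or a real response.
SAMPLE = {"billingID": "1101234", "platformID": "3", "appID": "com.example.api",
          "appVersion": "1.0", "appAccessKey": "EXAMPLE-KEY",
          "userName": "mtd-api-admin", "password": "S3cure&Long<pw>"}
SAMPLE_RESPONSE = ("<authResponse><authToken>constructed-token</authToken>"
                   "<errorCode>0</errorCode></authResponse>")
```

Run `preflight` before saving the integration; building the body with an XML library rather than string formatting keeps special characters in the password or access key from corrupting the request.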

Initial configuration

An optional Python script can be used to perform an initial configuration in the IBM MaaS360 environment. This script configures iOS and Android GravityZone MTD from the public store, custom attributes, and several device groups.

  1. Download the GravityZone MTD file with the scripts and Readme file from here.

  2. After you log in, this link lets you download a ZIP file with a name similar to BitdefenderIntegrationScriptForMaaS360_version.zip, where version is the version of the script and ZIP collection.

  3. The ZIP file contains the ReadMe_v2.0.pdf file. This document gives the details of running the script.

    Note

    Before running the Runner.py script, you need to have the requests Python package installed.

    Use `pip install requests` to install it on the platform where you run the script. You can also use another equivalent command that installs this package in your Python environment.

  4. The script in the ZIP file sets up the integration in the IBM MaaS360 environment and must only be run once.

  5. To publish the GravityZone MTD application from the public application store, create a new public application and search the appropriate store for the app. At this point, the application is published and installed on the assigned devices. Your users can now activate the application.

MDM configuration

To set up device synchronization, create an IBM MaaS360 administrator with the proper access:

  1. Navigate to Setup > Roles > Add Role.

  2. Enter a name and description for the new role.

  3. Select the Service Administrator role as the template.

    • Manage Custom Attributes: Ability to add, change, or delete Custom Attributes.

    • Selective Wipe: Ability to selectively wipe corporate data from the device.

    • Set Custom Attribute Value: Ability to set custom attributes.

    • User - Read-only: View-only access to a user’s view.

    • View installed apps: Ability to view installed apps on a device.

    • View Private groups: Ability to view Private Device groups for all admins.

API access and device groups

To set up API access and create device groups:

  1. Contact IBM Customer Support to get the REST API Key.

  2. If required, create one or more Device Groups that contain the devices to be protected. If you do not want to use the predefined group, the Mobile Security console can use the Device Group(s) to synchronize devices and their associated users.

Set Up User and Device Synchronization in Bitdefender Mobile Security console

To set up the MDM integration in Mobile Security Console:

  1. Log in to Mobile Security console.

  2. Go to the Manage page.

  3. Select Integrations.

  4. Click on Add MDM and select the MDM integration you want to use.

  5. Enter the information for the UEM integration listed in the table, and click Next.

    | Item | Specifics |
    | --- | --- |
    | URL | URL of the IBM MaaS360 API Server. |
    | Username | IBM MaaS360 Administrator created with the API role access. |
    | Password | The password for the IBM MaaS360 Administrator. |
    | MDM Name | The name used in the Mobile Security console to refer to this MDM integration. The name is used as a prefix and concatenated with the group name to form the Mobile Security console group name. |
    | Background Sync | Check this box to ensure users/devices are synchronized with the IBM MaaS360 Device Groups. You can choose the groups on the next page. |
    | Mask Imported Users Information | Check this box to mask personally identifiable information about the user when displayed, such as name or email address. |
    | App Access Key | The app access key value from this MDM provider. You get the API key value from IBM after enabling the web services. |
    | Billing ID | The app access key value from this MDM provider. |
    | App ID | The app identifier from this MDM provider. |
    | App Version | The app version from this MDM provider. |
    | Platform ID | The platform id from this MDM provider. |
    | Send Device Activation email via the Mobile Security console for iOS Devices | Check this box to send an email to the user for every iOS device synced with the MDM. |
    | Send Device Activation email via the Mobile Security console for Android Devices | Check this box to send an email to the user for every Android device synced with the MDM. |

  6. Click Next and choose the User Group(s) to synchronize. The available groups show up in the Available Device Groups list and can be moved to the Selected Mobile Security Console Groups list by clicking on the plus sign (‘+’). This can be reversed by clicking on the minus sign (‘-’).

  7. Click Next.

  8. Specify the MDM alerts if you want to be notified when there are MDM sync errors. To notify more than one email address, separate the addresses with commas.

  9. Click Finish to save the configuration and start the first synchronization by clicking Sync Now.

Configuring device application auto-activation

iOS

The iOS GravityZone MTD application makes use of the Managed Application Configuration when the app is pushed down to the device. This provides the best user experience, allowing the user to start up iOS GravityZone MTD without having to enter any credentials. The Managed Application Configuration pre-programs iOS GravityZone MTD with the required information.

  1. Configure the PLIST values and use these values also in the PLIST XML.

    | Configuration Key | Value Type | Configuration Value | Additional Notes |
    | --- | --- | --- | --- |
    | MDMDeviceID | String | %csn% | |
    | tenantid | String | Retrieve from Mobile Security Console | Copy the value from the Tenant ID field on the Mobile Security Console Manage page under the General tab. |
    | defaultchannel | String | Retrieve from Mobile Security Console | Copy the value from the Default Channel field on the Mobile Security Console Manage page under the General tab. |
    | tracking_id_1 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
    | tracking_id_2 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
    | display_eula | String | no | (Optional) If this key is not used, the default displays the End User License Agreement (EULA). |

  2. Choose Config XML File(Manual) or Key/Value for the App Config Source.

  3. If you select the XML file option, the XML file has this example content for GravityZone MTD.

  4. If you select the key-value pair option, you can enter the values without having to create a file.
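An added example (not Bitdefender's code and not the XML file this page refers to) that generates an XML plist from the keys in the iOS table and runs the same checks on an existing file. The function names and the sample tenant and channel values are constructed; rejecting any MDMDeviceID other than the wildcard is this example's own check.

```python
import plistlib

# Keys and the iOS device-ID wildcard come from the iOS table on this page.
REQUIRED = ("MDMDeviceID", "tenantid", "defaultchannel")
OPTIONAL = ("tracking_id_1", "tracking_id_2", "display_eula")
IOS_DEVICE_WILDCARD = "%csn%"


def check_app_config(config):
    """Return a list of problems in a config dict (empty list means OK)."""
    problems = [f"missing key: {k}" for k in REQUIRED if k not in config]
    for key, value in config.items():
        if key not in REQUIRED + OPTIONAL:
            problems.append(f"unknown key: {key}")
        elif not isinstance(value, str) or not value.strip():
            # Every value in the table is typed String.
            problems.append(f"{key} must be a non-empty string")
    # A literal ID would be pushed unchanged to every device that gets this
    # config; the wildcard lets the MDM substitute each device's own value.
    if config.get("MDMDeviceID", IOS_DEVICE_WILDCARD) != IOS_DEVICE_WILDCARD:
        problems.append("MDMDeviceID must be the %csn% wildcard")
    return problems


def build_ios_app_config(tenant_id, default_channel, **optional):
    """Return the managed app configuration as XML plist bytes."""
    config = {"MDMDeviceID": IOS_DEVICE_WILDCARD,
              "tenantid": tenant_id,
              "defaultchannel": default_channel}
    config.update(optional)
    problems = check_app_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=False)


def check_plist_bytes(xml_bytes):
    """Parse an existing XML plist and run the same checks on it."""
    return check_app_config(plistlib.loads(xml_bytes, fmt=plistlib.FMT_XML))


if __name__ == "__main__":
    # Constructed placeholder values; copy the real ones from the console.
    print(build_ios_app_config("TENANT-ID-PLACEHOLDER",
                               "DEFAULT-CHANNEL-PLACEHOLDER",
                               display_eula="no").decode())
```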

Android

Android Enterprise users can continue to use the managed app configuration for activations. You need to make sure you are passing the right device ID value for the configuration parameter.

For native Android devices, activations require the use of activation URLs. These can be sent to end-users through the Mobile Security Console or the MDM.

Clicking on GravityZone MTD without the link does not activate GravityZone MTD for Android devices. When a user runs the app with the activation URL link, it activates and downloads the proper Threat Policy.

To access activation links, go to the Manage page in the Mobile Security Console and open Integrations for MDMs.

After the MDM is added, the activation link is provided for devices. The MDM device identifier is appended to this activation link before it is used. The Mobile Security Console page displays the expiration date and time, and if needed, the link can be regenerated.

The administrator sends the concatenated activation link by email or text to users, along with instructions to accept the GravityZone MTD being pushed to them.

Use the values in the table for configuration:

| Configuration Key | Value Type | Configuration Value | Additional Notes |
| --- | --- | --- | --- |
| MDMDeviceID | String | %deviceid% | |
| tenantid | String | Retrieve from Mobile Security Console | Copy the value from the Tenant ID field on the Mobile Security Console Manage page under the General tab. |
| defaultchannel | String | Retrieve from Mobile Security Console | Copy the value from the Default Channel field on the Mobile Security Console Manage page under the General tab. |
| tracking_id_1 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
| tracking_id_2 | String | Use the desired identifier | (Optional) This is a tracking identifier. |
| display_eula | String | no | (Optional) If this key is not used, the default displays the End User License Agreement (EULA). |