Secure Mobile Access 12.4 Administration Guide

Collecting Equipment IDs from Unregistered Devices

Every Windows desktop and mobile device has a unique identifier (its equipment ID), and you can reference that identity in a device profile so that only specific devices can reach protected resources. Before you can add equipment ID data to your directory server as a user attribute, you must first collect it. There are several ways to do this, described below.

When selected, the Match profile if user has no registered devices checkbox causes the profile to match a user who has no devices registered in the back-end AD or LDAP server, provided the device profile itself contains no hard-coded devices.

For example, consider the case where two attributes have been created for user test in the AD/LDAP server, and these attributes are mapped to two policy variables. A device profile is created containing these two variables and the equipment ID 4JV5DQH1. The checkbox is selected. This device profile is a part of a zone called std_desc. Unlike user test, user test1 has no representation in the backend LDAP/AD server.

User test logs in with a device that is registered in the back-end server and is classified into the std_desc zone. User test1 logs in with the same device and is classified into the default zone: the checkbox does not apply to test1 here, because the device profile still contains a hard-coded device (4JV5DQH1).

However, if you remove the device ID 4JV5DQH1 from the device profile, leaving just the two policy variables, you will see a different zone classification for user test1. User test logs in with a registered device and is classified into the std_desc zone, and user test1 is now also classified into the std_desc zone. The checkbox applies in this case because test1 has no registered devices, the two policy variables in the profile resolve to NULL values, and the profile no longer contains a hard-coded device.
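The two cases above can be modelled as a small decision rule. The following is an added example, not SonicWall code: it reproduces the zone classification for users test and test1 using the zone name std_desc and the equipment ID 4JV5DQH1 from the text. The directory attribute names (deviceId1, deviceId2), the registered device serial (WD-WMAM9SK79685, reused from the Windows example further down), the zone name "default" and the evaluation order are this example's own assumptions about how the appliance evaluates a device profile, not its real implementation.

```python
"""Model of the 'Match profile if user has no registered devices' rule.

Added example, not SonicWall code. Attribute names, the registered device
serial, the zone name "default" and the evaluation order are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_ZONE = "default"

# Constructed back-end AD/LDAP data: user test has two device attributes
# mapped to two policy variables; user test1 has no entry at all.
DIRECTORY: Dict[str, Dict[str, Optional[str]]] = {
    "test": {"deviceId1": "WD-WMAM9SK79685", "deviceId2": None},
}


@dataclass
class DeviceProfile:
    variables: List[str]                                     # policy variables, e.g. {deviceId1}
    hardcoded_ids: List[str] = field(default_factory=list)   # equipment IDs typed into the profile
    match_if_no_registered_devices: bool = False             # the checkbox


def resolve_variables(profile: DeviceProfile, user: str) -> List[Optional[str]]:
    """Each policy variable resolves to the user's attribute value, or NULL (None)
    when the attribute is empty or the user is absent from the directory."""
    entry = DIRECTORY.get(user, {})
    return [entry.get(var) for var in profile.variables]


def profile_matches(profile: DeviceProfile, user: str, login_device_id: str) -> bool:
    registered = [v for v in resolve_variables(profile, user) if v]
    if login_device_id in registered:             # device registered for this user
        return True
    if login_device_id in profile.hardcoded_ids:  # device hard-coded in the profile
        return True
    # Checkbox rule: the profile matches anyway only when the user has no
    # registered devices AND the profile carries no hard-coded device.
    return (profile.match_if_no_registered_devices
            and not registered
            and not profile.hardcoded_ids)


def classify(zone: str, profile: DeviceProfile, user: str, login_device_id: str) -> str:
    """Zone the user lands in: the profile's zone on a match, otherwise the default zone."""
    return zone if profile_matches(profile, user, login_device_id) else DEFAULT_ZONE


def scenario_results() -> Dict[str, str]:
    """Run the two cases from the text; both users present test's registered device."""
    device = "WD-WMAM9SK79685"
    with_hardcoded = DeviceProfile(["deviceId1", "deviceId2"], ["4JV5DQH1"], True)
    variables_only = DeviceProfile(["deviceId1", "deviceId2"], [], True)
    return {
        "test/with_hardcoded": classify("std_desc", with_hardcoded, "test", device),
        "test1/with_hardcoded": classify("std_desc", with_hardcoded, "test1", device),
        "test/variables_only": classify("std_desc", variables_only, "test", device),
        "test1/variables_only": classify("std_desc", variables_only, "test1", device),
    }


if __name__ == "__main__":
    for case, zone in scenario_results().items():
        print(f"{case:22} -> {zone}")
```

Two consequences of the rule are worth keeping in mind when you enable the checkbox: with a hard-coded equipment ID in the profile, any user who logs in from that device matches the profile regardless of directory data, and with the checkbox set on a variables-only profile, every user who has no directory representation (including one whose account simply lacks the attributes) lands in the profile's zone.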

If you are using mobile devices, you may already have the device identities entered into your database. In this case, you could simply refer to them in a profile. Users logging in from one of these devices will match this profile and qualify for the associated zone.

The device identifier is usually an attribute in the authentication directory represented by a variable; for example, {device_identity}. The format of the identifier differs, depending on the kind of device used:

  • For a Microsoft Windows device, the identifier is the hard-drive serial number; for example, WD-WMAM9SK79685. Note that this value changes if the drive is replaced.

  • For a macOS device, the Universally Unique Identifier (UUID) is used. A UUID is a 128-bit value; depending on its version it is derived from a timestamp and the network address of the host that generated it, from a hash of a name, or from random bits. An example of a UUID is: 951A240E-F502-5632-BDAB-D1ECA43FA371.

  • For a Linux device, the UUID is the device identifier.

  • For a Virtual Machine, the UUID is the device identifier.

  • For a Google Android device, the device serial number is the identifier.

  • For an Apple iPhone/iPad, the device serial number is the identifier.

  • An Apple iPhone or iPad prepends Appl to its serial number in the DeviceId it sends to Exchange ActiveSync servers. For example: Appl828315FLY7H.

Another method to get the correct device ID for a smartphone is to view the POST message in the AMC log after the phone attempts to connect to the appliance. Navigate to the Logging page and, on the View Logs tab, select Web proxy audit log in the Log file drop-down menu. The phone's Exchange ActiveSync request is a POST to Microsoft-Server-ActiveSync whose query string carries the User, DeviceId, DeviceType, and Cmd parameters; the end of such a POST message looks like this: one&Cmd=Sync

Store the DeviceId value, exactly as it appears in the log, in your directory attribute so that profiles can refer to it.
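Picking the DeviceId out of the audit log by hand works for one phone; for a fleet it is easier to script. The following is an added example, not part of the SMA guide or SonicWall code. The log lines in SAMPLE_LOG are constructed for illustration and their column layout is not the appliance's real format; what the parser relies on is the Exchange ActiveSync request itself, a POST to /Microsoft-Server-ActiveSync whose query string carries User, DeviceId, DeviceType and Cmd. The Android DeviceId value and the user names are made up.

```python
"""Pull ActiveSync DeviceId values out of Web proxy audit log lines.

Added example, not SonicWall code. SAMPLE_LOG is constructed; only the
ActiveSync request-line format is taken from the protocol.
"""
import re
from typing import Dict, Optional, Set
from urllib.parse import parse_qs

SAMPLE_LOG = """\
2024-01-15 09:12:03 10.1.2.3 POST /Microsoft-Server-ActiveSync?User=jdoe&DeviceId=Appl828315FLY7H&DeviceType=iPhone&Cmd=Sync 200
2024-01-15 09:12:09 10.1.2.4 POST /Microsoft-Server-ActiveSync?User=asmith&DeviceId=androidc259148960&DeviceType=Android&Cmd=Ping 200
2024-01-15 09:12:11 10.1.2.5 GET /workplace/index.html 200
2024-01-15 09:12:15 10.1.2.3 POST /Microsoft-Server-ActiveSync?User=jdoe&DeviceId=Appl828315FLY7H&DeviceType=iPhone&Cmd=FolderSync 200
2024-01-15 09:12:20 10.1.2.6 POST /Microsoft-Server-ActiveSync?Cmd=Sync 401
"""

# Matches the request line of an ActiveSync POST and captures its query string.
EAS_REQUEST = re.compile(r"\bPOST\s+/Microsoft-Server-ActiveSync\?(\S+)")


def parse_activesync_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the User/DeviceId/DeviceType/Cmd of one log line, or None if the
    line is not an ActiveSync POST that identifies a device."""
    m = EAS_REQUEST.search(line)
    if not m:
        return None
    params = parse_qs(m.group(1))
    device_id = params.get("DeviceId", [None])[0]
    if not device_id:
        return None  # e.g. a rejected request that carries no device parameters
    # iPhone/iPad send "Appl" + serial number as the DeviceId. The guide says to
    # store the DeviceId as logged, so the bare serial is only informative.
    serial = device_id[len("Appl"):] if device_id.startswith("Appl") else device_id
    return {
        "user": params.get("User", [None])[0],
        "device_id": device_id,
        "device_type": params.get("DeviceType", [None])[0],
        "serial": serial,
        "cmd": params.get("Cmd", [None])[0],
    }


def collect_device_ids(log_text: str) -> Dict[str, Set[str]]:
    """Map each user to the set of DeviceId values seen, collapsing repeated requests."""
    seen: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        rec = parse_activesync_line(line)
        if rec and rec["user"]:
            seen.setdefault(rec["user"], set()).add(rec["device_id"])
    return seen


if __name__ == "__main__":
    for user, ids in sorted(collect_device_ids(SAMPLE_LOG).items()):
        print(user, sorted(ids))
```

The output is the per-user list of DeviceId values to load into the directory attribute. Two caveats: some ActiveSync clients send the query string in the base64-encoded form the protocol also allows rather than as plain parameters, and those lines would need decoding before this parser sees them; and a DeviceId taken from a log is only as trustworthy as the client that sent it, so treat it as an inventory aid rather than proof of identity.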

Your directory server may be set up with a different attribute for each of these types of identifiers, or you can store the data in a single attribute. In this example, a single attribute and variable is used.
