Secure Mobile Access 12.4 Administration Guide

Creating a Device Zone

Device zones are evaluated after Deny zones. For example, you could create a device profile named Windows firewall that requires a personal firewall to be running. When this End Point Control policy is in place, any device that matches the profile is placed in a zone of trust.

To define a Device zone

  1. In the AMC, navigate to User Access > End Point Control.

    The End Point Control page displays.

  2. In the Zones and Profiles section, click Edit next to Zones.

  3. Click the + (New) icon and select Device zone from the dropdown list.

    The Add Device Zone page displays.

  4. In the Name field, type a meaningful name for the zone (for example, Windows firewall required). If a zone will be referenced by mobile device users, keep the name short so that all of it is visible on the mobile device.
  5. (Optional) In the Description field, type a descriptive comment about the zone.

  6. In the All Device Zone Profiles list, select the checkbox for any device profiles that you want to require in the zone, and then click the check mark icon. Only one of the profiles in the In Use list needs to match for the device to be placed in the zone you are creating.

  7. If no device profiles have been configured yet, click the + (New) icon to add one. See Defining Device Profiles for a Zone for more information on creating profiles.

  8. In the Access method restrictions area, select which access methods, if any, will not be allowed for clients that are classified into this zone.

  9. Specify whether a Data protection agent is required. Cache Cleaner provides enhanced protection on all platforms except Linux.

  10. Check the top checkbox in the Device Authorization area to require users to authorize their personal device before a VPN connection is established. By default, this checkbox is unchecked (disabled).

  11. To change the authorization terms that users must agree to, type the desired authorization terms in the Terms section of the Device Authorization area.

    The Device Authorization checkbox must be checked to edit the terms.

  12. By default, a user authorization expires 180 days after the device was last used. When device authorization is enabled, you can disable zone authorization expiration by unchecking the expiration checkbox or change the number of days before expiration by typing the desired number of days.

  13. Expand the Client security area.
  14. In the Persistent Session Information group, enable Allow storage of persistence session information on client system if you want persistent information to be stored with local applications running on the client system.
  15. By default, user connections to a device zone are not dropped when the connection is inactive (the zone's Inactivity timeout is set to Never). However, an inactivity timer can be set in the Inactivity timer area to end the connection after a set period of inactivity. The inactivity timer interval can be set from 3 minutes to 24 hours.

    In earlier releases, the Inactivity Timer was part of Community attributes.

  16. In the Recurring EPC area, you can select how often EPC checks are done:

    • Check endpoint at login (default) – only once (at login)

    • Check endpoint at login and then every <n> minutes for the duration of the session

    See Performing Recurring EPC Checks: Example for a description of a scenario where the appliance repeatedly checks for the presence of a USB device: when the check fails, the session ends. By default, the end point is checked at login.

  17. The connection between devices and the appliance can handle interruptions—such as suspending a session and later resuming it, or temporarily losing connectivity—without requiring that users reauthenticate, as long as the device is using the same IPv4 or IPv6 IP address.

    To allow users to resume sessions from a different IP address—for example, when roaming from one IP subnet to another by plugging into another part of your network—select the Allow user to resume session from multiple IP addresses checkbox in the Advanced area.

  18. Click Save.
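The evaluation rules spelled out in this procedure (Deny zones before Device zones, any one In Use profile matching is enough, access method restrictions per zone, the 3 minute to 24 hour inactivity bounds, and the 180-day authorization expiry) can be modelled as a small policy engine. The following is an added, hypothetical model written for this guide and is not SonicWall code; the profile predicates, zone names, access method names and device attribute keys are all constructed, and the behaviour when no zone matches is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set

# Hypothetical model of the zone semantics described in the guide; not SMA code.
# A device profile is a predicate over the attributes the EPC agent reports.
Profile = Callable[[Dict[str, object]], bool]

@dataclass
class Zone:
    name: str
    kind: str                                   # "deny" or "device"
    profiles: List[Profile]                     # the zone's "In Use" list
    restricted_methods: Set[str] = field(default_factory=set)
    inactivity_minutes: Optional[int] = None    # None means "Never"

    def __post_init__(self) -> None:
        # Inactivity timer must lie between 3 minutes and 24 hours (step 15).
        m = self.inactivity_minutes
        if m is not None and not 3 <= m <= 24 * 60:
            raise ValueError("inactivity timer must be between 3 min and 24 h")

    def matches(self, device: Dict[str, object]) -> bool:
        # Only one of the In Use profiles needs to match (step 6).
        return any(p(device) for p in self.profiles)

def classify(zones: List[Zone], device: Dict[str, object]) -> Optional[Zone]:
    """Deny zones are evaluated before Device zones, as the guide states."""
    for kind in ("deny", "device"):
        for zone in zones:
            if zone.kind == kind and zone.matches(device):
                return zone
    return None    # assumption: no zone matched, so the device stays unclassified

def access_allowed(zone: Optional[Zone], method: str) -> bool:
    # Access method restrictions apply to clients classified into the zone (step 8).
    return zone is not None and zone.kind != "deny" and method not in zone.restricted_methods

def authorization_expired(last_used: date, today: date, days: int = 180) -> bool:
    # Device authorization expires 180 days after the device was last used (step 12).
    return today - last_used > timedelta(days=days)

# Constructed sample profiles and zones for the walkthrough.
def windows_firewall(d: Dict[str, object]) -> bool:
    return d.get("os") == "Windows" and d.get("firewall") is True

def malware_found(d: Dict[str, object]) -> bool:
    return bool(d.get("malware"))

ZONES = [
    Zone("Windows firewall required", "device", [windows_firewall],
         restricted_methods={"method-x"}, inactivity_minutes=30),
    Zone("Quarantine", "deny", [malware_found]),
]
```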

For information on how to copy or delete an EPC zone, see Adding, Editing, Copying, and Deleting Objects in AMC.
