
How To configure the device ID access control policy on HySecure Server

Device ID Access control - Overview

Device ID based Access Controls can be used to lock down access to HySecure to a desired set of machines, for example corporate machines only. Each user can be allowed to log in from one machine or from a specified number of machines.

Device ID based Authentication can be used for the following purposes:

  1. Restrict users to logging in from corporate machines or tablets.

  2. Restrict users to logging in from one machine or a specified number of machines.

  3. Restrict user logins to specific locations such as branch offices or home offices.

  4. Restrict user logins from certain countries or locales.

  5. Detect the real location of the user and restrict access if the user is using an Internet proxy.

  6. Restrict user access from certain tablets.

Important Terms / Actions

Device ID

A device ID is a unique per-device signature that the HySecure Gateway creates for each device that connects to it. The HySecure Portal and Client collect the hardware details of the user device and send them to the Gateway. The Gateway then stores the information and registers the device if the policy is set to allow that.

A device ID can be formed using the following parameters:

  1. IMEI (only for tablets/smartphones with SIM card)
  2. Serial No. (only for tablets and smartphones)
  3. CPU ID
  4. Motherboard ID
  5. HDD ID
  6. MAC Addresses
  7. IP Addresses
  8. Default Gateway
  9. Regional Settings
  10. Locale
  11. Detected and Received WAN IP Address
  12. Device Type
  13. Browser ID
  14. Browser Type
  15. And more.

Administrators can choose parameters from the above list and include them in the device ID. Some of the parameters, when included in the device signature, can affect the user's mobility.

Device Registration Process

The registration process is completely automated. Device ID can be enabled based on user groups. When a user logs in and device ID is enabled for any group the user belongs to, the signature of the device the user is using gets registered on the HySecure Gateway. If the administrator has set "Auto approval" to On, the user can start working immediately. If "Auto approval" is Off, the user device is registered and the user is denied access to the applications until the administrator reviews the registered device and approves it for the user. If SMTP is configured on the HySecure server, the administrator gets an email notification for each device registration.

Manage Registered Devices

The HySecure administrator can log in to HySecure and review, approve, block or manage the device registrations.

Configuring Device ID

The following section explains how to configure Device ID.

Steps to configure the Device ID policy on the Thinspace HySecure Gateway:

  1. Create an Access Control with Group Policy for Active Directory User group.
    • Enter the following details: Access Control Name, Access Control Description.
    • Then select "Active Directory Server" as Authorization Server which has been configured on the gateway.
    • Select "Application" as Access control type.
    • Then select User Group on which Device ID Policy is to be applied.
    • Select Application group.
    • Click on submit button.
  2. Create another Access Control with Device ID policy for the same Active Directory user group.
    • Enter Access Control name and Access Control Description.
    • Select "Active Directory Server" as Authorization Server which has been configured on the Gateway.
    • Select "Device ID" as Access control type.
    • Select the same Active Directory user group that was selected while creating the Group Policy Access Control.
    • Enter "Per user device id signatures", i.e. the number of devices/machines from which a single user is allowed to log in.
    • Check the "Automatically approve devices" box if you want devices to be approved automatically. Leave it unchecked if you want the administrator to approve every device through which a user tries to get access.
    • Select device id parameters which you want to be collected from every machine in order to enroll that device in the Gateway.
    • Click on Submit.
  3. Go to the "Client Setting" option under "HOST CONFIGURATION" in the HySecure management console. Here you need to enable the check box for "Enable collection of device fingerprint details from user device".
  4. Device ID Based Access Controls: Administrators can create Device ID based access controls from Thinspace HySecure Management Console | Access Management | Access controls | Create access controls | Select access control type as "Device ID". When a user logs in to the Thinspace HySecure gateway for the first time, the HySecure client scans the device fingerprints and sends them to the server. The HySecure administrator can select single or multiple Device ID parameters when creating the access control. The administrator can also specify the number of per-user device ID signatures. For instance, if the administrator selected 3 device ID signatures, the user can log in to the HySecure Gateway from a maximum of three different end-user machines/devices.

Approve devices

The administrator can allow device access either manually or automatically. All scanned Device ID details are stored in the database, and administrators can allow or deny access. Captured Device ID details can be found under Management console > End point Protection > Device Management.

HowTo's

The following section explains some of the HowTos.

  1. What parameters should be included to enable the most compatible Device ID.
    Some of the parameters are static, like CPU ID, Motherboard ID, HDD ID, etc. Other parameters are dynamic and may change based on the user's location or for other reasons, like IP Address, default gateway, regional settings, WAN IP address, etc. For a very basic and most compatible device ID, please include the following parameters: CPU ID, Motherboard ID, HDD ID, Device Serial No. (for smartphones), IMEI (for smartphones), MAC Address.
  2. How to restrict a user to only one device.
    Create a device ID policy for the group of the user and set the no. of allowed devices to 1.
  3. How to allow the user to log in from the same device and work from any location.
    Create a device ID policy but do not include WAN IP address, Received WAN IP address and default gateway in the device ID.
  4. How to restrict the user to logging in from a known location.
    Create a device ID policy for the user's group and include the WAN IP address and Received WAN IP Address in the policy. It is advised to turn off Auto-enrollment.
  5. How to restrict the user to logging in from a specified country.
    Create a device ID policy for the user's group and include regional settings and locale in the Device ID. It is advised to turn off Auto-enrollment. Firewalls generally provide a feature to detect the user's location using IP address geo-location techniques. This feature of the firewall should be used.
  6. How to ensure the user is not faking their location and protect the endpoint when connected to HySecure.
    Create a Device ID policy which includes the WAN IP Address and Received WAN IP Address. If the two do not match in the device signature, then the user is trying to fake their location. Such devices should be blocked from the management console. Also create an end point protection policy to block Internet access when the user is connected to HySecure.
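
The effect of parameter selection described in HowTos 1, 3, 4 and 6 can be seen in a small Python model. This is an added example, not HySecure code: the field names, the SHA-256 signature, the `evaluate_login` logic and all sample values are assumptions made for illustration.

```python
import hashlib

# Parameter names are hypothetical labels for fields the page lists.
STATIC = ("cpu_id", "motherboard_id", "hdd_id", "mac_address")
LOCATION = ("detected_wan_ip", "received_wan_ip", "default_gateway")

def signature(device, params):
    """Hash only the policy-selected parameters (a stand-in, not HySecure's algorithm)."""
    material = "|".join(f"{p}={device.get(p, '')}" for p in sorted(params))
    return hashlib.sha256(material.encode()).hexdigest()

def wan_ip_mismatch(device):
    """HowTo 6: the detected and received WAN IP values differ."""
    return device["detected_wan_ip"] != device["received_wan_ip"]

def evaluate_login(registry, user, device, params, max_devices, auto_approve):
    """Return 'allow', 'pending' or 'deny' and register new signatures for the user."""
    sig = signature(device, params)
    devices = registry.setdefault(user, {})
    if sig in devices:                      # known device: honour its stored state
        return "allow" if devices[sig] == "approved" else "pending"
    if len(devices) >= max_devices:         # per-user signature limit reached
        return "deny"
    devices[sig] = "approved" if auto_approve else "pending"
    return "allow" if auto_approve else "pending"

# Constructed sample data: one laptop seen at the office, at home, and behind a proxy.
LAPTOP = {"cpu_id": "CPU-A1", "motherboard_id": "MB-77", "hdd_id": "HDD-5C",
          "mac_address": "00:00:5E:00:53:01"}
OFFICE = {**LAPTOP, "detected_wan_ip": "203.0.113.10",
          "received_wan_ip": "203.0.113.10", "default_gateway": "10.0.0.1"}
HOME = {**LAPTOP, "detected_wan_ip": "198.51.100.7",
        "received_wan_ip": "198.51.100.7", "default_gateway": "192.168.1.1"}
PROXIED = {**HOME, "received_wan_ip": "192.0.2.44"}

def demo():
    roaming, pinned = {}, {}
    return {
        # Static-only ID, limit 1: the same laptop is accepted from both sites.
        "roaming": [evaluate_login(roaming, "alice", d, STATIC, 1, True)
                    for d in (OFFICE, HOME)],
        # Location parameters included: the home login is a new signature and is refused.
        "pinned": [evaluate_login(pinned, "alice", d, STATIC + LOCATION, 1, True)
                   for d in (OFFICE, HOME)],
        "proxy_flag": [wan_ip_mismatch(d) for d in (OFFICE, HOME, PROXIED)],
    }

if __name__ == "__main__":
    print(demo())
```

With a limit of one device, including the location parameters turns a change of network into a second "device", which is why the static-only set is the most compatible choice for roaming users.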