How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
What is Airwatch MDM?
Airwatch MDM is Mobile Device Management. The Airwatch is an enterprise which helps to manage and secure data traveling through the mobile devices like Laptops, Tablets, Android, iPhones, iPads etc.
Why we need to allow access to Airwatch MDM?
The network administrator can force the guest users to register to Airwatch MDM before they get authenticated and access the internet. So that the network administrator could manage the guest devices through Airwatch Management tool. This can be achieved by CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
Below is the configuration
1. Create the following netdestinations
2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
ip access-list session Airwatch_Access
any alias Airwatch svc-http permit
any alias Airwatch svc-https permit
ip access-list session Google-Play-Store
any alias Google-Play any permit
ip access-list session BlackBerry-Access
any alias BlackBerry any permit
3. Now map the session ACLs to captive-portal pre-authentication Role as follows
access-list session Airwatch_Access
access-list session Google-Play-Store
access-list session BlackBerry-Access
access-list session logon-control
access-list session captiveportal
4. Now whitelist the list of domain names in the Captive Portal profle
aaa authentication captive-portal Airwatch-Captive-Portal-Profile
Now the user will be placed under the "Guest-Pre-Auth-Role" before the authentication. The user can now go the Google Play-Store or BlackBerry Appworld to download the Airwatch MDM and register to Airwatch Management Server.