Requirement: How to allow Airwatch MDM access for Captive Portal guest users in the pre-authentication role on Android and BlackBerry devices?
What is Airwatch MDM?
MDM stands for Mobile Device Management. Airwatch is an enterprise that helps manage and secure data traveling through mobile devices such as laptops, tablets, Android devices, iPhones, iPads, etc.
Solution: Why do we need to allow access to Airwatch MDM?
The network administrator can force guest users to register with Airwatch MDM before they are authenticated and given internet access, so that the administrator can manage the guest devices through the Airwatch management tool. This can be achieved with a CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server, certain domains must be permitted in the captive portal pre-authentication role. This KB provides the configuration steps that allow guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
Configuration: The configuration steps are below.
1. Create the following netdestinations:
netdestination Airwatch
  name *.awagent.com
  name *.awmdm.com
  name air-watch.com
netdestination Google-Play
  name android.clients.google.com
  name .ggpht.com
  name gstatic.com
  name accounts.google.com
  name clients1.google.com
  name clients2.google.com
  name clients3.google.com
  name clients4.google.com
  name i.ytimg.com
  name google-analytics.com
  name .1e100.net
  name android.l.google.com
  name mtalk.google.com
  name clients.l.google.com
  name googleapis.com
  name gvt1.com
netdestination BlackBerry
  name *.blackberry.com
2. Now define the rules in session ACLs, which will be mapped to the pre-authentication role of the captive portal:
ip access-list session Airwatch_Access
  any alias Airwatch svc-http permit
  any alias Airwatch svc-https permit
ip access-list session Google-Play-Store
  any alias Google-Play any permit
ip access-list session BlackBerry-Access
  any alias BlackBerry any permit
3. Now map the session ACLs to the captive portal pre-authentication role as follows:
user-role Guest-Pre-Auth-Role
  access-list session Airwatch_Access
  access-list session Google-Play-Store
  access-list session BlackBerry-Access
  access-list session logon-control
  access-list session captiveportal
4. Now whitelist the domain names in the Captive Portal profile by listing the netdestinations in which you defined the domains:
aaa authentication captive-portal Airwatch-Captive-Portal-Profile
  white-list Airwatch
  white-list Google-Play
  white-list BlackBerry
Verification: The user will now be placed in the "Guest-Pre-Auth-Role" before authentication. The user can now go to the Google Play Store or BlackBerry App World to download Airwatch MDM and register with the Airwatch Management Server.
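A pre-deployment check for the four steps above, as an added example that is not part of the original KB article: it parses the configuration text, confirms that every alias, role ACL and white-list entry refers to something that is defined, and flags pre-authentication rules whose service is `any`. The function name `audit` and the sample input are constructed for illustration; `logon-control` and `captiveportal` are assumed to be predefined on the controller.

```python
# Constructed input: the page's steps 1-4, minus the 'name' lines (not read here).
CONFIG = """\
netdestination Airwatch
netdestination Google-Play
netdestination BlackBerry
ip access-list session Airwatch_Access
any alias Airwatch svc-http permit
any alias Airwatch svc-https permit
ip access-list session Google-Play-Store
any alias Google-Play any permit
ip access-list session BlackBerry-Access
any alias BlackBerry any permit
user-role Guest-Pre-Auth-Role
access-list session Airwatch_Access
access-list session Google-Play-Store
access-list session BlackBerry-Access
access-list session logon-control
access-list session captiveportal
aaa authentication captive-portal Airwatch-Captive-Portal-Profile
white-list Airwatch
white-list Google-Play
white-list BlackBerry
"""
PREDEFINED = {"logon-control", "captiveportal"}  # assumed predefined on the controller

def audit(config):
    # Collect definitions and references, then report what does not line up.
    dests, acls, role_acls, white, rules = set(), {}, [], [], []
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "netdestination":
            dests.add(t[1])
        elif t[:3] == ["ip", "access-list", "session"]:
            rules = acls.setdefault(t[3], [])  # following rule lines belong to this ACL
        elif t[1:2] == ["alias"]:  # <source> alias <dest> <service> <action>
            rules.append((t[2], t[3]))
        elif t[:2] == ["access-list", "session"]:  # ACL mapped to the user-role
            role_acls.append(t[2])
        elif t[0] == "white-list":
            white.append(t[1])
    out = [f"white-list {w}: netdestination not defined" for w in white if w not in dests]
    for acl in role_acls:
        if acl not in acls and acl not in PREDEFINED:
            out.append(f"role ACL {acl}: not defined")
        for dest, svc in acls.get(acl, []):
            if dest not in dests:
                out.append(f"{acl}: alias {dest} not defined")
            if svc == "any":  # no port or protocol restriction on this rule
                out.append(f"{acl}: all services permitted to {dest} before authentication")
    return out
```

On the configuration from this page, `audit(CONFIG)` returns two findings, one each for Google-Play-Store and BlackBerry-Access, whose rules use `any` as the service where Airwatch_Access is limited to svc-http and svc-https.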