Endpoint Security and Restrictions
Available for: Windows clients.
Endpoint security and restrictions enables you to set policies for applications to run when connected by Open Mobile. These policies can either require an application to run, or prohibit one from running, when Open Mobile connects to the Internet. For example, you could set a requirement for users to be protected by a selected anti-virus application when connected. Another policy could prevent users from using a specific file sharing application when Open Mobile is connected.
There are two important features of endpoint security:
- Pre-Connect: If the designated application is not running when the user attempts to connect to the Internet, Open Mobile will attempt to launch it, and will not connect to the Internet without the application running.
- Automatic Teardown: An Internet connection may only be maintained if the designated application is running. If the application is stopped for any reason while the user is connected to the Internet, the Internet connection is automatically torn down.
You can configure enforcement through a command-line executable if the designated applications are in violation of policy.
In addition, you can configure the user notifications that will be displayed if the designated applications are in violation.
Endpoint Security Checks for Windows 1.x Clients
When setting up endpoint security for a profile, you can enforce the use of a qualified anti-virus, firewall, or other application when the user is connected to the Internet. A qualified application is one that is listed in the user’s local Windows Security Center (in Windows 7, the Action Center) for anti-virus or firewall protection.
Enforcement Policies for Windows 1.x Clients
An enforcement policy ensures that a qualified application is running before network connections are permitted.
To enable an enforcement policy for Windows 1.x clients:
1. Select Enable Endpoint Security Checks.
2. To enforce an anti-virus solution, select Enforce the use of qualified anti-virus software as determined by Windows Security Center.
3. Under Require that this application runs, indicate the following:
4. Repeat Steps 1 through 3 for a firewall application, if desired.
5. Additional applications can be included in an enforcement policy, if desired. To include a new application, click Add New Application. Then, under Required Application:
   i. Enter the application name.
   ii. In Executable File Name, click Browse, and then browse to the executable file name.
   iii. Under This application is required to run, indicate the following:
   iv. Click Save.
   Add additional applications by repeating steps i-iv.
6. If you want a custom executable to enforce the policy in your environment, select Try to enforce this policy through a custom executable (such as a .bat file). Then, in Command, enter the syntax of the custom executable.
7. Configure the method by which Open Mobile will interact with the user if in violation of the Pre-Connect or Auto-Teardown policies. You can choose one of the following options for each:
   - Show the end user a message in a pop-up dialog box. If selected, enter your message in the Message box.
   - Show the end user a message in a tooltip. If selected, enter your message in the Message box.
   - Prompt the end user for confirmation to continue. If selected, the user is prompted to acknowledge the enforcement of the policy.
8. Click Save.
Restriction Policies for Windows 1.x Clients
You can restrict the usage of designated applications when connected to the Internet. Open Mobile will automatically shut down the restricted application process when detected.
To enable a restriction policy for Windows 1.x clients:
1. Select Enable Endpoint Application Restrictions.
2. Click Add New Application. Then, under Restricted Application:
   i. Enter the application name.
   ii. In Executable File Name, click Browse, and then browse to the executable file name.
   iii. Click Save.
3. Select the method by which Open Mobile will interact with the user if in violation of the restriction policy. You can choose one of the following options:
   - Show the end user a message in a pop-up dialog box. If selected, enter your message in the Message box.
   - Show the end user a message in a tooltip. If selected, enter your message in the Message box.
   - Prompt the end user for confirmation to continue. If selected, your users will be prompted to acknowledge the enforcement of the policy.
4. Click Save.
Endpoint Security for Windows 2.x Clients
For Windows 2.x clients, you can configure two types of application policy: Required applications, which must be running when the user connects, and Restricted applications, which must not be running. You can set the actions taken by Open Mobile when either one of these policies is violated.
Required Applications
For Required applications, you can configure:
- A qualified anti-virus, firewall, or other application. A qualified application is one that is listed in the user’s local Windows Security Center (in Windows 7, the Action Center) for anti-virus, firewall, or anti-spyware protection.
- A specific antivirus, firewall, or anti-spyware application certified from the OPSWAT library. (OPSWAT certification is a security software interoperability certification program for a variety of application types.)
- For firewalls, the Windows built-in Firewall.
- A custom security application that you can specify. You can also specify a remediation action for the application to repair the executable if it stops running. The remediation action can be a command or batch file.
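Because both the 1.x and the 2.x "qualified application" checks rely on what the client's Windows Security Center (Action Center) reports, it helps to see that list on a test machine before rolling out a policy. The following PowerShell script is an added example, not part of the Open Mobile product or its documentation; it queries the SecurityCenter2 WMI classes directly. The productState decoding is an assumption based on common practice rather than a documented interface, and Get-NetFirewallProfile needs Windows 8 or later (on Windows 7 use netsh advfirewall show allprofiles).

```powershell
# Added example (not from the Open Mobile documentation): show what the local
# Windows Security Center / Action Center reports, which is what a policy of
# type "in Windows Security Center" validates against. Run on a test client.
# Assumption: the productState decoding (middle byte 0x10/0x11 = enabled,
# low byte 0x00 = up to date) is the common community interpretation.

function Get-SecurityCenterProduct {
    param(
        [ValidateSet('AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct')]
        [string]$Class
    )
    # root/SecurityCenter2 is present on Windows Vista and later.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $Class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState   # e.g. 0x061100
            [pscustomobject]@{
                Type       = $Class
                Name       = $_.displayName
                Enabled    = $hex.Substring(2, 2) -in @('10', '11')
                UpToDate   = $hex.Substring(4, 2) -eq '00'
                Executable = $_.pathToSignedProductExe
            }
        }
}

$categories = 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct'
$products = foreach ($c in $categories) { Get-SecurityCenterProduct -Class $c }
$products | Format-Table -AutoSize

# A required-application policy is only satisfied by an enabled product, so
# flag categories where nothing enabled is reported.
foreach ($c in $categories) {
    if (-not ($products | Where-Object { $_.Type -eq $c -and $_.Enabled })) {
        Write-Warning "No enabled $c reported; a Security Center based policy for this category would not be satisfied."
    }
}

# The "Windows Built-in Firewall Application" option checks the built-in
# firewall directly (Get-NetFirewallProfile needs Windows 8 or later).
Get-NetFirewallProfile | Select-Object Name, Enabled
```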
In addition, you can set a security level for each security category to control Open Mobile behavior and connection experience.
You can select a security level for anti-virus, firewall, spyware, and other security applications. The table below shows the behavior for each security level if the designated application is not running at the time of the user connection.
| Security Level | If the application is not running at connection time… |
| --- | --- |
| Off | Open Mobile will take no action. |
| 1: Prompt to Continue | The user will be prompted to continue making a connection. |
| 2: Block VPN Connection | The VPN connection will be blocked. |
| 3: Block Internet and VPN Connections | Internet and VPN connections are blocked. |
| 4: Block All Connections and Disconnect VPN | All connections are blocked. If the application stops running during the connection, any connected VPN is disconnected. |
| 5: Block and Disconnect all Connections | All connections are blocked. If the application stops running during the connection, the connection is terminated completely. |
For example, a policy sets a Security Level 1 for the Windows Firewall. If the user attempts to connect when Windows Firewall is disabled, Open Mobile will prompt the user before attempting to connect.
Another policy sets a Security Level 4 for an anti-virus application listed in the user’s Windows Security Center. If the anti-virus is not running at connection time, the connection is blocked. In addition, if the user later disables the anti-virus application during the connection, Open Mobile will immediately disconnect any VPN connection. Further, it will block the reconnection until the anti-virus application is re-started.
To designate a Required application:
1. Next to Endpoint Security and Restrictions, click Configure.
2. Click the Required Applications tab.
3. Optionally, click Configure Alerts to customize the alerts shown to users. Then, set messages for:
   - Prompt to continue message: shown to users when Security Level 1 is set.
   - Block connection message: shown to users when a connection is blocked.
   - Disconnect message: shown to users when being disconnected.
4. Select one or more application types for security. (None of these types are required. Only choose the types you need for your policy.)
   - Anti-Virus: Using the slider, select a security level for anti-virus applications. Then, select the type of application:
     - Anti-virus application in Windows Security Center or Windows Action Center: If chosen, any qualified anti-virus application will be used to validate the security level.
     - Select Anti-Virus applications from the OPSWAT Library: If chosen, using the arrow controls, move one or more of the listed applications from the Available Applications column to the Selected Applications column.
     Optionally, click Customize Message to create the custom message shown to users when the application is not running.
   - Firewall: Using the slider, select a security level for firewall applications. Then, select the type of application:
     - Firewall application in Windows Security Center or Windows Action Center: If chosen, any qualified firewall application will be used to validate the security level.
     - Windows Built-in Firewall Application: If chosen, the Windows Firewall will be used to validate the security level.
     - Select Firewall applications from the OPSWAT Library: If chosen, using the arrow controls, move one or more of the listed applications from the Available Applications column to the Selected Applications column.
     Optionally, click Customize Message to create the custom message shown to users when the application is not running.
   - Anti-Spyware: Using the slider, select a security level for anti-spyware applications. Then, select the type of application:
     - Select Anti-Spyware applications from the OPSWAT Library: If chosen, using the arrow controls, move one or more of the listed applications from the Available Applications column to the Selected Applications column.
     Optionally, click Customize Message to create the custom message shown to users when the application is not running.
   - Add New Application: Click Add New Application to add any additional security application. Then, under Add Application, enter the following:
     - Application Name: the name of the selected application (up to 25 characters in length).
     - Executable File Name: enter or browse to the location of the executable on the user’s machine.
     - Remediation Action: the path name, plus any parameters needed, of the command or batch file to be executed if the executable stops running.
     - Enforcement Level: use the slider to select a security level for this application.
     - Customize Message: create a custom message to show users when the application is not running.
5. Click Save.
Note: in Windows 1.4.x clients, a single message is configured for all required endpoint applications. However, Windows 2.x clients enable individual control over such messages. If a Windows 1.4.x client is migrated to Windows 2.x, the single message will be used as the default for all required applications. This can result in a confusing user experience as the same message is displayed multiple times. As a result, when migrating from 1.4.x clients, make sure to configure different messages for each required application.
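The Remediation Action field above takes a command or batch file that Open Mobile runs when a custom required executable stops. The script below is an added example of such a command, not part of the Open Mobile product or its documentation; it restarts the application (through the Service Control Manager if it is installed as a service, otherwise as a process) and logs what it did. The paths, the log location and the Restart-RequiredApp.ps1 script name are placeholders.

```powershell
# Added example (not from the Open Mobile documentation): a script that can be
# configured as the Remediation Action of a custom Required application.
# Suggested Remediation Action value (placeholder paths):
#   powershell.exe -ExecutionPolicy Bypass -File C:\Tools\Restart-RequiredApp.ps1 -ExePath "C:\Program Files\Vendor\agent.exe"
param(
    [Parameter(Mandatory = $true)][string]$ExePath,
    [string]$LogPath = "$env:ProgramData\EndpointRemediation.log"   # placeholder
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

try {
    $name = [IO.Path]::GetFileNameWithoutExtension($ExePath)

    # Nothing to repair if the exact executable is already running again
    # (compare the full path so a same-named binary elsewhere does not count).
    $running = Get-Process -Name $name -ErrorAction SilentlyContinue |
               Where-Object { $_.Path -eq $ExePath }
    if ($running) {
        Write-Log "already running: $ExePath (pid $($running.Id -join ','))"
        exit 0
    }

    # Installed as a Windows service: start it through the SCM so it keeps its
    # service account and recovery settings (starting a service needs admin rights).
    $svc = Get-CimInstance -ClassName Win32_Service |
           Where-Object { $_.PathName -like "*$ExePath*" } |
           Select-Object -First 1
    if ($svc) {
        Start-Service -Name $svc.Name -ErrorAction Stop
        Write-Log "started service $($svc.Name) for $ExePath"
        exit 0
    }

    # Otherwise start it as an ordinary process in the user's session.
    $proc = Start-Process -FilePath $ExePath -PassThru -ErrorAction Stop
    Write-Log "started process $ExePath (pid $($proc.Id))"
    exit 0
}
catch {
    # A non-zero exit code makes the failure visible wherever exit codes are collected.
    Write-Log "remediation failed for ${ExePath}: $($_.Exception.Message)"
    exit 1
}
```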
Restricted Applications
You can designate any application as Restricted. Restricted applications must not be running when the user attempts to connect; if one is, Open Mobile takes the action you specify, depending on the restriction level.

| Restriction Level | If the application is running at connection time… |
| --- | --- |
| Prompt to Continue | Open Mobile will prompt the user with the specified message. |
| Terminate Application | The application process will be ended. |
To designate a restricted application:
1. Next to Endpoint Security and Restrictions, click Configure.
2. Click the Restricted Applications tab.
3. Click Add New Restriction.
4. On the Add Restriction dialog, in Application Name, enter the name of the restricted application.
5. In Executable File Name, click Browse, and then select the application path.
6. In Restriction Level, use the slider to select the restriction level for the application.
7. In Customize Message, enter the message shown to users, or use the default.
8. Click Submit.