We are looking to provide Junos Pulse access via the SA box for our mobile users - primarily iPads. One element missing from our current setup is any method of device authentication. With our windows laptops we use host checkero to check for some bespoke policies, but we can't do that on the iPad. Is there any way of locking down access so that users can access the system via a corporate iPad but not their own iPad?
As per my understanding hostchecker will be supported in mobile device including IOS and android devices from pulse 3.0 version , this is not yet released. In pulse 2.0 this is not supported.
Host Checker is supported only with Junos Pulse client 3.0 for mobile devices , Supported Policies are OS version check, MSS check, Rooting/Jail Breaking check however I am not sure whether this matches your requirement.
Hope this helps.
As noted, it is not possible to perform Host Checking on the iOS devices.
In order to restrict this to corporate devices, as much as possible, you would need to perform certificate authentication and install the certificate manually on the approved devices using a .mobileconfig file created using the iPhone Configuration Utility with the certificate. This will prevent users from installing the certificate an any device plus allow you to use, if desired, VPN on Demand functionality.
You are welcome.
For the SA side with enabling cert auth, refer to the admin guide and enabling/creating a certificate server instance http://www.juniper.net/support/products/sa/
Hi. I've spent the last 4months on this stuff so have a fairly good grasp. The only way we could verify users as being corportate ipads/iphones was through the use of certificates (which have already been mentioned). We use mobile iron to enroll users using SCEP to an internal PKI server. Mobile iron enables policy control on mobile devices like app restrictions and password policies. On the Juniper I check for particular certs and do both cert only authentication and mixed mode auth where users also need to type in their AD creds (for more secure apps).
Just playing with on demand VPN at the moment - works a treat but I dont think you can do mixed mode auth. I'm about to put a thread on here to see if it's possible as I'm hesitant to use certs only as you can export them from a device and put them somewhere else.