cancel
Showing results for 
Search instead for 
Did you mean: 

iPad / IPhone / Mac Host Checker

New Contributor

iPad / IPhone / Mac Host Checker

Hi,

I want to be able to allow users to connect via network connect on iPad's / IPhone's / Mac's and Windows machines but ideallIy also want to enable host checker.

Everything works fine on the windows machines but iPad's / IPhone's / Mac's fail to logon with a an error of Browser on host is not supported for Host Checker or Cache Cleaner.

Is there a way to skip host checker for unsupported browsers or somehow skip the check for iPad's / IPhone's / Mac's devices.

Without host checker all iPad's / IPhone's / Mac's and Windows machines work fine.

Some of my users have access to multiple devices.

Thanks.

15 REPLIES 15
Frequent Contributor

Re: iPad / IPhone / Mac Host Checker

Hi,

My suggestion is to map users to roles based on useragent.

This way I blocked iPhone/iPad/Android devices from my Network Connect roles.

New Contributor

Re: iPad / IPhone / Mac Host Checker

Thanks for the reply,

Could you give me a bit more info on this?

I want to be able to have the same user use network connect on a PC with host checker but also on their Mac/iphone/iPad without host checker as the browser is not supported.

Would creating different realms be the answer?

Thanks again.

Frequent Contributor

Re: iPad / IPhone / Mac Host Checker

Create a custom expression to role map users to a specific iOS role, like userAgent = "JunosPulse*". I do not know how you role map your users today but this could be a start.

If you are using ADgroups for role mapping, your custom expression could look like this:

userAttr@<nameofAD>.memberof ='<groupname>' AND userAgent = "JunosPulse*"

edit:

You cannot enforce your Host Check policies on realm level with this solution..

Respected Contributor

Re: iPad / IPhone / Mac Host Checker

Hi peter.charles,

Yes, you can create a new realm for this segregation. You can also use user-agents as mentioned previously.

Another option would be to have different URLs for the different device types (hostname- or path-based).

Not applicable

Re: iPad / IPhone / Mac Host Checker

Hey Lilja,

Your custom expression actually would fit our situation here aswell.

However, can you elaborate a bit more on the expression itself?

When i try and create a custom expression using your method i get an error saying that i am using an illegal opperator.

Illegal operator
userAttr@.memberof ='' AND userAgent = "JunosPulse*"
^

My expression looks like:

userAttr@<ourdomain>.memberof ='<IOSusergroup>' AND userAgent = "JunosPulse*"

What fits the domain box is this the top level domain (ie. domain.local) or something else?

Hope someone can give us a hand.

Frequent Contributor

Re: iPad / IPhone / Mac Host Checker

I think I actually had to change this into 2 separate expressions..

customexpression1

userAttr@<ourdomain>.memberof ='<IOSusergroup>'

# <ourdomain> is the name of your LDAP server where your users are located.

customexpression2

userAgent = "JunosPulse*"

Highlighted
Occasional Contributor

Re: iPad / IPhone / Mac Host Checker

I think I've got this working - host-checking for Windows PCs, and non-host-checking for iPhones/iPads. What I've done is as follows:

1. Create a realm called Non-iphones and configure it up for host-checking as per normal.

2. In that realm, under "Authentication Policy | Browser" configure it to "Only allow users matching the following User-agent policy"

3. In the matching list, configure *iPhone* and deny that. Do the same for *iPad*. Last in the list, put just a * and allow that.

4. Create a second realm called iPhones and don't configure host-checking.

5. Repeat steps 2 and 3 but do it the other way around - permit *iPhone* and *iPad* and deny *.

Hope that helps....


Andrew

Respected Contributor

Re: iPad / IPhone / Mac Host Checker

Hi amullheim,

 

Thank you for sharing how you have it working for you.

New Contributor

Re: iPad / IPhone / Mac Host Checker

Another way is to use a client certicate on the IPAD, and have the SA check for it's presence at the REALM level

dc