Restrict MRA Jabber to Only Corporate-owned Mobile Devices

matt.esch
Level 1

Hi all, we are running Jabber over MRA. We use Jabber internally on their computer devices, but also use Jabber on our corporate-provided cell phones connecting in via MRA. We have some users that are installing Jabber on their personal cell phones, and connecting in via MRA. Because we don't manage the personal cell phones and the data on those phones, we want to prevent users from being able to connect in with personal phones via MRA. Is there a way that we can only permit Jabber over MRA from corporate-owned devices?

Thanks!
Matt

2 Replies

Jaime Valencia
Cisco Employee

You would need SSO and an MDM so only devices registered in the MDM could login.

HTH

java

if this helps, please rate

Adding to Jaime’s response here: you’re looking at a fairly complicated problem. Jabber and Expressway have no understanding of what is a company-owned asset. Your SSO IdP doesn’t know this either, at least not intrinsically. The only way to convey that knowledge is by having MDM issue a client certificate to the mobile device that can authenticate to SSO on behalf of the user. You then configure the IdP to *only* accept those MDM-issued certificates, not username and password. Of course, you also have to configure your MDM platform to not let users self-enroll devices. With all of that in place, Jabber/Expressway still doesn’t know what’s company-owned, but it doesn’t matter because the IdP won’t issue the client a SAML cookie.
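As an added illustration of the trust model the two replies describe (this is not code from the thread, from Cisco, or from any MDM or IdP product), the script below models the IdP's decision with openssl: a hypothetical "MDM Device CA" issues the corporate phone's certificate, a personal phone presents a self-generated certificate with the very same subject, and the IdP allows only certificate authentication that chains to the MDM CA, denying password logins outright. It assumes openssl is installed; every key and certificate is generated locally in a temporary directory.

```shell
#!/bin/sh
# Models the IdP policy "accept only MDM-issued client certificates".
# All material below is constructed on the fly; nothing is a real CA.
set -e
WORK=$(mktemp -d)

# 1. The MDM's issuing CA (hypothetical). Enrolled devices get certs from it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example MDM Device CA" \
  -keyout "$WORK/mdm-ca.key" -out "$WORK/mdm-ca.crt" >/dev/null 2>&1

# 2. A corporate phone: its certificate is signed by the MDM CA at enrollment.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=corp-phone-001/O=Example Corp" \
  -keyout "$WORK/corp.key" -out "$WORK/corp.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/corp.csr" -days 1 \
  -CA "$WORK/mdm-ca.crt" -CAkey "$WORK/mdm-ca.key" -CAcreateserial \
  -out "$WORK/corp.crt" >/dev/null 2>&1

# 3. A personal phone: same subject name, but a self-signed certificate that
#    never went through the MDM. Subject alone must not be enough.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=corp-phone-001/O=Example Corp" \
  -keyout "$WORK/personal.key" -out "$WORK/personal.crt" >/dev/null 2>&1

# idp_accepts CERT -> exit 0 only when CERT chains to the MDM CA.
# This is the check the IdP performs before it issues a SAML assertion.
idp_accepts() {
  openssl verify -CAfile "$WORK/mdm-ca.crt" "$1" >/dev/null 2>&1
}

# idp_auth METHOD CERT -> prints ALLOW or DENY.
# Password authentication is disabled, so only "cert" can ever succeed.
idp_auth() {
  case "$1" in
    cert) if idp_accepts "$2"; then echo ALLOW; else echo DENY; fi ;;
    *)    echo DENY ;;
  esac
}

echo "corporate phone, cert auth:  $(idp_auth cert "$WORK/corp.crt")"
echo "personal phone, cert auth:   $(idp_auth cert "$WORK/personal.crt")"
echo "any phone, password auth:    $(idp_auth password)"
```

In a real deployment the same decision is made by the IdP's certificate-authentication policy (trusted issuer restricted to the MDM CA, password authentication disabled for the Jabber relying party), and the MDM must not allow self-enrollment, or a personal phone could simply obtain a valid certificate.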