McAfee MVISION Cloud

Configure Managed Devices through Certificates

To configure Managed Devices through certificates:

  1. Log in to MVISION Cloud and go to Policy > Access Control > Device Management.
  2. Under the Establish Domain tab, enter the original domain for the device.
  3. Under the Device Certificates tab, configure the following:
  • Activate the checkbox Enable Certificate Checks.
  • Upload the root certificate of the client device. If a single root certificate is uploaded, the Maximum chain depth is 1.
  • Multiple certificates are uploaded when the customer environment has more than one certificate, issued through multiple MDMs. For details on using multiple CA certificates, see Multiple Certificate Authorities.
  4. The root certificates have to be concatenated, preserving both the BEGIN and END lines of each certificate, and uploaded as a single certificate file in MVISION Cloud. In this case, the maximum chain depth is 3.
  5. Click Save Changes.
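The concatenation in the step above is easy to get wrong by hand (a lost END line, a half-pasted block). The following Python script is an added example, not McAfee's own tooling: it extracts every complete PEM certificate block from the root CA files exported by each MDM, rejects unbalanced or undecodable blocks, and produces the single bundle file the console expects. The certificate bodies are constructed DER-shaped stand-ins, not real CA certificates.

```python
import base64
import re

# One complete PEM certificate block: BEGIN line, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")


def extract_cert_blocks(pem_text):
    """Return the complete, re-wrapped PEM blocks in pem_text, or raise
    ValueError when a BEGIN or END marker has lost its partner."""
    begins = pem_text.count("-----BEGIN CERTIFICATE-----")
    ends = pem_text.count("-----END CERTIFICATE-----")
    bodies = PEM_BLOCK.findall(pem_text)
    if not (begins == ends == len(bodies)):
        raise ValueError(f"unbalanced PEM markers: {begins} BEGIN, {ends} END")
    blocks = []
    for body in bodies:
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to a DER SEQUENCE")
        b64 = base64.b64encode(der).decode("ascii")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return blocks


def build_root_bundle(pem_texts):
    """Concatenate root certificates from several PEM strings into one
    upload-ready file. Returns (bundle_text, certificate_count)."""
    blocks = [b for text in pem_texts for b in extract_cert_blocks(text)]
    if not blocks:
        raise ValueError("no certificate found in input")
    return "".join(blocks), len(blocks)


def _fake_pem(payload):
    """Constructed stand-in for a root certificate: DER-shaped bytes, not a real cert."""
    b64 = base64.b64encode(b"\x30\x82" + payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs: two "root CAs" exported by two MDMs.
MDM_ROOT_A = _fake_pem(b"\x00\x10" + b"A" * 16)
MDM_ROOT_B = _fake_pem(b"\x00\x10" + b"B" * 16)
# A block whose END line was lost while copying; the bundle builder must reject it.
TRUNCATED = MDM_ROOT_A.replace("-----END CERTIFICATE-----\n", "")

if __name__ == "__main__":
    bundle, count = build_root_bundle([MDM_ROOT_A, MDM_ROOT_B])
    print(f"bundle holds {count} root certificates")
```

Write the returned bundle text to a file and upload that file as the single certificate in the Device Certificates tab.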

Configuring Access Controls

NOTE: It is important to understand the limitations of the service provider and its associated applications that are supported by the reverse proxy. For example, Office 365 native applications are not supported by the reverse proxy; only browser-based applications work through the reverse proxy.

Configure the following access controls to cover the most common O365 use case:

  • An unmanaged device (no certificate) using a native application is blocked with a block message (rule 1, block unmanaged). For example, the OneDrive app on Windows.
  • A managed device (with certificate) using a native application connects to O365 directly with no reverse proxy, so it is possible to set up sync (rule 1, redirect managed). For example, the OneDrive app on Windows.
  • An unmanaged device (no certificate) using Chrome (a browser-based app) gets into O365 but is redirected through the reverse proxy (rule 2, proxy unmanaged), where downloads are blocked (rule 4, block access).
  • A managed device (with certificate) using Chrome (a browser-based app) gets into O365 directly and there are no reverse proxy controls (rule 2, redirect managed).

Validate Office 365 Device Management

To verify that device management through certificates behaves as intended, perform the following validation scenarios:

Validate Managed Device

  1. From the trusted device, install the client certificate.

NOTE: If you are using Windows, make sure the certificate is stored in the user store and not in the machine store. If you open certmgr.msc, you can see the certificate in the Current User > Personal folder.

If you see the certificate in the Local Computer store, it is in the wrong place.

  2. Log in to Office 365 (https://login.microsoftonline.com).
  3. Log in with your demo SSO Office 365 account (CSP initiated). You are redirected to the IdP for authentication.
  4. Once authenticated, you are redirected to the Office 365 Homepage.
  5. You are prompted to provide a client certificate; this validates that your device is managed.
  6. If you are able to download a document, your managed device has successfully passed the certificate check.

Validate Unmanaged Device

  1. From the trusted device, install the client certificate.
  2. Log in to Office 365 (https://login.microsoftonline.com).
  3. Log in with your demo SSO Office 365 account (CSP initiated). You are redirected to the IdP for authentication.
  4. Once authenticated, you are redirected to the Office 365 Homepage and you are not prompted for any client certificate.
  5. You cannot download any document because the download option is blocked. This shows that your device is treated as unmanaged.