Device Classification for iOS
You can classify iOS devices based on these criteria:
- Minimum OS version
- Passcode required
- Device not compromised
Go to Settings > Manage > Device Classification, select iOS from the New Device Classification dropdown list, and then follow these steps to classify your iOS device. Select options and enter the requested parameters.
- Rule Name: Enter a name for this classification rule.
- Device Classification: From the options displayed in the dropdown menu, choose the label you want to assign to this rule. You cannot assign more than one label to a rule.
- Classification Criteria: Checks for All or Any of the criteria selected.
- For Devices Installed with iOS Client (for NPA):
  - Minimum OS Version: Select an OS version from the dropdown list or create a custom OS version.
  - Require Passcode: The passcode check is an API call that validates whether the device has an unlock code configured. The check fails for devices with no unlock code. No parameters required.
  - Device Not Compromised: Checks whether critical system files on the iOS device have been compromised, for example by jailbreaking or rooting. No parameters required.
- Certificate: Looks for certificates on the device. To upload a new certificate, click Select File, and then upload your certificate. If you have multiple certificates to upload, you need to create a separate device classification rule for each certificate. For example, to upload certificate a and certificate b, create separate device classification rules: dc_cert_rule_a with certificate a and dc_cert_rule_b with certificate b. The new certificate added in each rule does not replace the previously added certificates in other rules. However, if you choose to replace an existing certificate, the new certificate replaces the previous one within the same rule.
  - The Certificate check does not apply to the iOS Client for NPA.
  - If you already uploaded your certificates for this device on the MDM Distribution page, the certificate name is shown here.

  The certificate file must have a specific structure and be in PEM format. The Intermediate and Root certificates need to be combined into a single PEM file. The order of those two certificates in that PEM file must be Intermediate first, and then Root below it.

  The Netskope Client looks for certificates in the Login Keychain. If the certificates are stored in the System Keychain, export the certificates and import them to the Login Keychain.
- When finished, click Save.
After creating a device classification rule, you can use it in a Real-time Protection policy.
- To use this Device Classification in a Real-time Protection policy, click Policies > Real-time Protection in the Netskope UI. Select an existing policy or click New Policy and choose a policy type.
- For Source, select the Users for this policy, and then click Add Criteria to specify. If you created a Private Apps policy, for Access Method, select Client. Otherwise, you will need to click Add Criteria to add this Access Method.

  Private Apps for iOS requires that the Access Method be set to Client.

  Click Device Classification, and then select a label from Custom Device Management and Managed or Unmanaged from Device Classification, based on the devices you just classified.
  - Managed means the device is managed; the device posture information sent by the Client matches at least one of the device classification checks configured for that Client’s OS.
  - Unmanaged means the device is unmanaged; the device posture information sent by the Client matches none of the device classification checks configured for that Client’s OS.
- Click Add Criteria, select OS, and then select iOS. Click Add Criteria again, select Device Classification, and then select your iOS Device Classification rule.
- Choose a Destination, like Private App, and then select a destination.
- Choose Profiles and Actions, like using the Allow Action for specified applications. Finish creating or updating this policy to establish this device classification in a policy.
- When finished, click Save and then Apply Changes.
- After the policy has been created, perform the process for which the policy was created. Next, go to Skope IT > Application Events and click the magnifying glass icon for an event to open the Application Event Details panel. In the User section you’ll see a Device Classification field, which shows one of these device classifications.
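
How a Managed or Unmanaged value follows from the rules configured above can be modelled in a few lines. This is an added example, not Netskope code: it is a simplified model of the All/Any criteria and the "matches at least one check" definition as this page describes them. The class, field and rule names, the sample posture, and the handling of a rule with no criteria are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Posture:
    """Device posture as reported by the Client (field names are assumptions)."""
    os_version: str
    has_passcode: bool
    compromised: bool

@dataclass
class Rule:
    """One device classification rule with the iOS criteria from this page."""
    name: str
    match: str                      # "all" or "any" (Classification Criteria)
    min_os: str = ""                # Minimum OS Version; empty = not selected
    require_passcode: bool = False  # Require Passcode
    not_compromised: bool = False   # Device Not Compromised

def ver_tuple(v):
    # "17.4" -> (17, 4, 0); numeric compare so 17.10 ranks above 17.9
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def rule_matches(rule, p):
    checks = []
    if rule.min_os:
        checks.append(ver_tuple(p.os_version) >= ver_tuple(rule.min_os))
    if rule.require_passcode:
        checks.append(p.has_passcode)
    if rule.not_compromised:
        checks.append(not p.compromised)
    if not checks:
        return False  # assumption: a rule with nothing selected matches nothing
    return all(checks) if rule.match == "all" else any(checks)

def classify(rules, p):
    # Managed if the posture matches at least one rule, Unmanaged if none
    return "Managed" if any(rule_matches(r, p) for r in rules) else "Unmanaged"

# Same three criteria, different match mode (hypothetical rule names)
STRICT = Rule("ios-strict", "all", "17.0", True, True)
LOOSE = Rule("ios-loose", "any", "17.0", True, True)
# Constructed sample: current OS, passcode set, but jailbroken
JAILBROKEN = Posture("17.4", True, True)

if __name__ == "__main__":
    print(classify([STRICT], JAILBROKEN))         # Unmanaged
    print(classify([STRICT, LOOSE], JAILBROKEN))  # Managed
```

In this model, one rule set to Any is enough to classify a compromised device as Managed, even when a stricter All rule exists beside it.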