iOS Mobile:
Setup Guide for Umbrella
Overview
The Mobile App protects iOS mobile devices (e.g. smartphones, tablets) regardless of where they are in
the world or how they connect to the Internet. The solution works by enforcing a secure channel for all
Internet-bound traffic via an automatic or “on demand” VPN. The secure channel passes traffic
through one of our OpenDNS Global Network data centers distributed worldwide. The OpenDNS Global
Network uses Anycast routing to always connect your device to the easiest to reach datacenter for
optimal performance. All traffic regardless of application, protocol or port will be protected by the
OpenDNS Global Network and the acceptable use policy you assign. Umbrella protects your mobile
devices and sensitive data from becoming compromised. This guide explains how to use provisioning
profiles to connect your devices to the OpenDNS Global Network.
Prerequisites
To use the Mobile App you must have:
Supported Mobile Operating Systems and Devices
• Apple iOS 5.1.1, iOS 6.x, iOS 7.x
• Apple iPhones (3GS and above), iPad (all) and iPod Touch (4th generation and above).
!NOTE: Android OS and related devices will be supported in a later release.
!NOTE: Jailbroken devices are not supported.
Appropriate Network Permissions
While the main purpose of the solution is to protect mobile devices while connecting to the Internet
from third-party networks, use on your network is also possible. The solution utilizes standard IPSec
VPN and HTTP/S ports, which must be opened for both source and destination addresses:
o UDP 500
o For networks using NAT-T: UDP 4500
o IP Protocol 50/ESP
o TCP 80 and 443.
!NOTE: The Mobile App utilizes standard Apple iOS mobile provisioning profiles. It does not explicitly require an app to be deployed or installed, though one is available.
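The port list above can be checked against a site's outbound allow-list before devices are rolled out. The following is an added example, not part of the original guide or any OpenDNS tooling; the Rule format and the GUEST_WIFI sample rules are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    """One outbound allow rule (hypothetical format, not a vendor syntax)."""
    proto: str               # "tcp", "udp" or "esp" (IP protocol 50)
    ports: Optional[range]   # None means "any port", or a port-less protocol

def required_flows(nat_t: bool):
    """Flows the guide lists; UDP 4500 only applies to networks using NAT-T."""
    flows = [("udp", 500), ("esp", None), ("tcp", 80), ("tcp", 443)]
    if nat_t:
        flows.append(("udp", 4500))
    return flows

def permits(rule: Rule, proto: str, port: Optional[int]) -> bool:
    """True if the rule allows the given protocol and port."""
    if rule.proto != proto:
        return False
    if port is None:          # ESP carries no port number
        return True
    return rule.ports is None or port in rule.ports

def missing_flows(rules, nat_t: bool):
    """Return the required flows that no rule in the allow-list permits."""
    return [flow for flow in required_flows(nat_t)
            if not any(permits(rule, *flow) for rule in rules)]

# Constructed sample: a guest network that allows web traffic and IKE only.
GUEST_WIFI = [
    Rule("tcp", range(80, 81)),
    Rule("tcp", range(443, 444)),
    Rule("udp", range(500, 501)),
]

if __name__ == "__main__":
    for proto, port in missing_flows(GUEST_WIFI, nat_t=True):
        print("blocked:", proto, port if port is not None else "(IP protocol 50)")
```
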
Step 1: Provision Profile
Provisioning uses a push model, pull model, or combination of the two.
The default and recommended option is App Invitation. In this option, you can invite users (via email)
to install an App from the Apple App Store that will enable them to register their devices to your
account within the Dashboard. Users simply have to click the link to install the App (from the App
Store), return to the email and click the Activate button to activate the app, then finally complete the
registration steps within the App itself. For devices in the field, this option provides a scalable model
for adding users. The App additionally provides help information and usage statistics to the end users.
Alternatively, when sending an email invitation, you can optionally select VPN Profile Only by
checking the box in the lower right corner of the email entry field. In this case, users will be directly
sent a configuration file to apply to their iOS devices that will connect them to the OpenDNS Global
Network’s cloud-delivered network security. The Umbrella dashboard will help you track pending
installations to ensure that users follow up. For devices in the field, this option provides a scalable
model for adding users, in cases where you would prefer they did not use the App.
Finally, a pull model is available whereby the user installs the “The Umbrella Mobile” App from the
iTunes App Store, authenticates with an Umbrella account, and registers the device into Umbrella.
The app additionally provides help information and usage statistics. When IT or Help Desk staff wish
to manually provision mobile devices, we recommend the mobile device app option, especially if
devices do not have email accounts available. A mixture can be used as well.
Push Provisioning: Invitation by Email
IT staff can invite users via email to add an app, or alternatively just a VPN profile, to their iOS
devices that will connect them to Umbrella. The Umbrella dashboard will help you track pending
installations to ensure that users follow up. For devices in the field, this option provides a scalable
model for adding users.
1) Log into the Umbrella dashboard and navigate to Configuration > Identities > Mobile Devices
2) Click ‘add a new device’ and enter one or more email addresses for the devices you wish to provision.
3) Optionally, check ‘Send VPN-only profile invitations’ if you do not want users to have the Mobile App.
!IMPORTANT! Invitations CAN be re-used by multiple users and across multiple devices UNLESS the VPN-only option is utilized. If the VPN-Only option is selected, each provisioning profile is unique and should not be re-used.
!NOTE: If there is not a unique email address available per device you may re-generate multiple profiles to the same email address. And then move these additional profiles to additional
normal at this point for the ‘Last Request’ to be ‘Never’ with a warning icon.
5) From those mobile devices, open the invitation email.
a) Install the Mobile App via the iTunes link. After installation, return to the email and click the activation link. Then, follow the instructions in the app.
b) If VPN-only profile was checked in step 3, then the user will only click on the attached mobile provisioning profile.
Pull Provisioning: Installation Initiated from the App Store
IT staff or end-users themselves can install the “Umbrella by OpenDNS” App from the iTunes App
Store and authenticate with your organization’s Umbrella account to register the device with Umbrella.
1. Download the app from iTunes: https://itunes.apple.com/us/app/umbrella-by-opendns/id557639276?ls=1&mt=8
2. Open the application and authenticate with your Umbrella credentials.
3. Follow the instructions in the app, such as registering the device using a different non-default name. Then, click ‘Install Profile’.
Step 2: Verify Operation
To check that the mobile device successfully connected to Umbrella:
1. On the device itself, check that the VPN icon appears in the top status bar of your device. For example:
!NOTE: It is normal for the VPN icon to turn off and on. It switches off when there is no network activity, and thus iOS temporarily terminates the connection to Umbrella. It will start back up automatically when needed. The VPN icon also sometimes appears on the right side depending on what operations are active on the device.
2. Navigate to Configuration > Identities > Mobile Devices
3. Check that the devices now appear in a ‘completed provision’ state indicated by and according to mode (VPN Profile and/or Mobile App). Also, the devices should indicate a recent ‘Last Request’.
!NOTE: After 24 hours (default, this can be modified) without Internet activity, a warning icon will appear in the ‘Last Request’ column. It does not necessarily mean that there is a problem, but it is likely that the user in question has either disabled the VPN or removed it entirely.
4. Optional: You may change the name of the device by selecting the table cell in the Umbrella dashboard containing the Name.
!NOTE: Devices provisioned by pull provisioning (downloading the Mobile App) will list a name entered by the user who registered the device and may not take the form of an email address. The default for this field is the iOS device name, which is commonly configured in iTunes during initial setup.
Step 3: Policy Configuration
After verifying that the iOS Mobile Devices are operating successfully, define and apply security and
acceptable usage policies to them.
1. Navigate to Configuration > Policies, and click ‘add a new policy’ or click the name of an existing policy.
2. Check the ‘Mobile Devices’ box if you want to apply a single policy for all provisioned mobile devices, or check the box next to one or more specific devices via the identity picker. To remove a selected device, either uncheck its box via the identity picker or click the red X icon to the right of its name. Then click ‘next’.
3. Select the 'Policy Settings', then 'Block Page Settings' you would like enforced for this policy. Then click ‘next’.
!NOTE: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings' pages to do so.
4. Set a meaningful description for the policy, then click ‘save’.
!NOTE: The policy you created will be applied within 60-90 seconds to any new connections coming into Umbrella from the selected computers.
5. Click and hold the drag handle icon to re-order the policy above or below any other existing policies.
!NOTE: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an editable, but immutable, Default Policy always ordered last, which is a catchall for any identity.
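The first-match rule in the note above means a broad policy placed higher in the list silently overrides a device-specific policy below it. The following added example (not from the original guide or the Umbrella product) models that ordering and reports policies that are assigned but never enforced; the Policy structure, the ALL_MOBILE marker and the device and policy names are constructed assumptions.

```python
from typing import NamedTuple

ALL_MOBILE = "*mobile*"   # assumed marker for ticking the 'Mobile Devices' box
ANY = "*"                 # assumed marker used only by the Default Policy

class Policy(NamedTuple):
    name: str
    identities: frozenset   # device names, ALL_MOBILE, or ANY

# The guide states the Default Policy is always ordered last as a catchall.
DEFAULT = Policy("Default Policy", frozenset({ANY}))

def applies(policy: Policy, device: str) -> bool:
    """True if the policy is assigned to this device, directly or by group."""
    return bool(policy.identities & {device, ALL_MOBILE, ANY})

def effective_policy(ordered, device: str) -> str:
    """Top-down, first-match: the first assigned policy wins, rest are ignored."""
    for policy in list(ordered) + [DEFAULT]:
        if applies(policy, device):
            return policy.name

def shadowed(ordered, devices):
    """Policies assigned to some device but enforced on none of them."""
    winners = {effective_policy(ordered, d) for d in devices}
    return [p.name for p in ordered
            if any(applies(p, d) for d in devices) and p.name not in winners]

# Constructed sample data.
DEVICES = ["alice-iphone", "bob-ipad"]
BROAD = Policy("All mobile: standard", frozenset({ALL_MOBILE}))
STRICT = Policy("Exec: strict", frozenset({"alice-iphone"}))

if __name__ == "__main__":
    for order in ([BROAD, STRICT], [STRICT, BROAD]):
        print([p.name for p in order])
        for d in DEVICES:
            print("  ", d, "->", effective_policy(order, d))
        print("   never enforced:", shadowed(order, DEVICES))
```

Running the check after each re-order shows whether a specific policy needs to be dragged above a broader one.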
Appendix A: iOS Settings App Help
End users may access the iOS Settings app to turn the VPN off/on or permanently remove it.
!NOTE: If an end user disables the VPN and fails to connect for a period of days (configurable with a default of 3 days), the Umbrella dashboard will indicate a warning next to the device listing. This can help IT or Help Desk staff to determine whether the end user has removed the solution.
!NOTE: It is possible to configure the VPN in an enforced mode so it cannot be disabled, provided the device is 'supervised' under Apple Configurator. Please contact [email protected] for more information about this.
Appendix B: De-Provisioning Devices
1. To de-provision a device, go to Settings > General > Profile via the iOS device and permanently remove the
VPN profile (refer to screenshots in Appendix A).
2. From the Umbrella dashboard, click the icon next to the mobile device you wish to de-provision.
3. Confirm that you wish to delete it forever by clicking ‘Delete’.
Appendix C: Known Issues
Apps Sometimes Hang
Description: Occasionally, when iOS attempts to re-establish the VPN connection after a period of network inactivity, the first app requesting Internet access doesn’t see an available network, and hangs. This issue is limited to iOS 5.
Frequency: Very Low.
Severity: App dependent. Safari and Mail behave well. Facebook and Maps tend to suffer from this fairly severely and often require resolution.
Resolution: The preferred resolution is to upgrade to a later version of iOS.
VPN Session may terminate after an hour and 37 minutes
Description: The VPN session is terminated after 1:37 (an hour and 37 minutes) of continuous connectivity due to an iOS bug in IPSec VPN XAuth. Connectivity will be interrupted for 2 minutes, then automatically resume. In order to restore connectivity immediately, simply toggle the VPN to manual and back to automatic from Settings -> VPN.
Frequency: Always.
Severity: Minor.
Resolution: No workaround, but this issue is being pursued both with Apple and via a server-side fix from the OpenDNS service.
Umbrella is brought to you by OpenDNS.
OpenDNS, Inc. • www.opendns.com • 1.877.811.2367
Copyright © 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable, however, OpenDNS, Inc. assumes no responsibility for its use.