This article provides an overview of approved installation methods and guidelines for deploying the MaaS360 Control Service, Mobile Service and Visibility Service from a disk image. Failure to follow these guidelines will result in failed authentications, improper billing and/or inaccurate MaaS360 reporting. Be sure to check the latest product Release Notes for updated information not included in this technical brief.

Important: Never copy an image after a successful connection (authentication) with MaaS360 Control and Mobile Services. If you do, the product will not work as designed.

Requirements

  • Extend360 2.1 and higher / 2.9 and higher / Mobile Service 2.9.010 and higher / Visibility Service 1.20 and higher.
  • Supported Windows Operating System (refer to the respective product Release Notes for a current list).
  • Administrative privileges are required to install MaaS360 Services.

There are four approved installation methods:

  1. Install MaaS360 into an image using the accepted imaging procedure, then deploy the image with a sector-level imaging tool, such as UNIX dd, that retains the volume serial number.
  2. Install MaaS360 into an image using the accepted imaging procedure, then deploy the image with a filesystem-aware imaging tool, such as Symantec Ghost, that retains the volume serial number.
  3. Distribute MaaS360 on CD/DVD/USB media to every user and have each user install the agent themselves.
  4. Deploy the MaaS360 installation package using SMS, Tivoli, Radia, ZENworks or other software distribution tools, then launch the install process individually on each machine.

Accepted Disk Imaging Procedure

Definitions

Source system The computer with the operating system and application installations from which the disk image is created.

Target system A computer to which the disk image is deployed using a disk imaging tool.

Procedure

  1. Install MaaS360 on the source system.
  2. If the source system is connected to the Internet, the EEA client may register itself with Fiberlink’s EEA server and write registry keys and files to the source laptop’s hard drive after registration. These registry keys and files must be removed if this occurs. Follow the instructions in the EEA Imaging Instructions section below to disable Internet connectivity.
  3. Create a disk image from the source system.
  4. Deploy the source system image onto a target system to test the image.
  5. If the target system connects successfully, then you can deploy the source system disk image to all target systems.

Note: The MaaS360 installation on the source system image should never be used to authenticate or make a connection.

EEA Imaging Instructions

The following steps will prevent the EEA agent from registering with its server.

  1. Disconnect any existing broadband, wireless, or other connections to the Internet. There should be no connectivity to the Internet before the next step.
  2. Disable and stop the EEA Service from the Services MMC. The EEA Service will have a display name of “BES Client” or “Extend360 Enforcement Agent.” When disabled, MaaS360 will not restart this service.
  3. Remove the registry values “RegCount,” “ReportSequenceNumber,” and “ComputerID” (if they exist) from this location: “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions.”
  4. Delete the “__BESData” folder in the BES Client installation folder. The default BES Client installation folder is:
    “C:\Program Files\BigFix Enterprise\BES Client”
  5. Set the EEA Client service back to Automatic start. You may start the MaaS360 service at this time.
  6. The EEA Client is now in a state where it can be included as part of the source image and successfully deployed to target systems.
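The six steps above, scripted as an added example (this is not Fiberlink’s own tooling). It assumes an elevated PowerShell session on the source system, Windows 8 / Server 2012 or later for Get-NetAdapter, and the default BES Client folder named in step 4.

```powershell
# Added example, not Fiberlink's own tooling: automates steps 2 to 5 of the
# EEA Imaging Instructions on the source system. Assumes an elevated PowerShell
# session, Windows 8 / Server 2012 or later (for Get-NetAdapter) and the default
# BES Client folder named in the brief.
$ErrorActionPreference = 'Stop'

$GlobalOptions  = 'HKLM:\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions'
$ValuesToRemove = 'RegCount', 'ReportSequenceNumber', 'ComputerID'
$BesData        = 'C:\Program Files\BigFix Enterprise\BES Client\__BESData'

# Step 1 check: refuse to continue while any network adapter is still up.
$up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
if ($up) { throw "Disconnect these adapters first: $($up.Name -join ', ')" }

# Step 2: stop and disable the EEA service; the display name varies by release.
$svc = Get-Service -DisplayName 'BES Client', 'Extend360 Enforcement Agent' `
           -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) { throw 'EEA service not found; is the agent installed?' }
Stop-Service -Name $svc.Name -Force
Set-Service  -Name $svc.Name -StartupType Disabled

# Step 3: remove the registration values, only if they exist.
foreach ($v in $ValuesToRemove) {
    if (Get-ItemProperty -Path $GlobalOptions -Name $v -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $GlobalOptions -Name $v
    }
}

# Step 4: delete the cached registration data.
if (Test-Path -LiteralPath $BesData) {
    Remove-Item -LiteralPath $BesData -Recurse -Force
}

# Step 5: back to Automatic start. The service stays stopped until the target
# systems boot, so it cannot re-register on the source system.
Set-Service -Name $svc.Name -StartupType Automatic

# Verification before capturing the image: no registration state may remain,
# otherwise every target inherits the source system's registration.
$leftover = @($ValuesToRemove | Where-Object {
    Get-ItemProperty -Path $GlobalOptions -Name $_ -ErrorAction SilentlyContinue
})
if ($leftover.Count -gt 0 -or (Test-Path -LiteralPath $BesData)) {
    throw "Registration state still present: $($leftover -join ', ') $BesData"
}
Write-Host "Service '$($svc.DisplayName)' is stopped and set to Automatic; ready to image."
```

Run it only after the Internet connection has been removed (step 1); the adapter check is a guard, not a substitute for physically disconnecting.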

Note: If the computer is restarted, or if the EEA Client is started for any reason while you have an Internet connection, the EEA Client will re-register and you will need to perform the steps above again.

Known Limitations

The following scenarios are not supported:

  1. Using a file-based disk imaging tool, such as Microsoft ImageX. File-based disk image formats do not retain the volume serial number, which is critical to decrypting the MaaS360 database.
  2. Installing Mobile Service, Control Service or Visibility Service on the source system, connecting with that software installation to receive updates, capturing the source system image, and then deploying the source system image to target systems.
  3. Copying whole directories from a source system to a target system after installation has occurred.
  4. Creating an archive file of the MaaS360 Service directory and all its subdirectories from the source system, and then uncompressing the archive file to the target system.

Technical Background Information

MaaS360 Policy Database Encryption Technical Background

The MaaS360 service stores all policy values and configuration settings in a client-side database. All contents within the MaaS360 database are stored in encrypted form. This section provides background information on this subject.

MaaS360 Package Creation

When a customer order is submitted, Fiberlink builds an agent installation package. The package creation process includes configuring customer policy settings using the MaaS360 Customer Policy Manager. Once customer policies have been defined, an instance of the client-side database is created and added to the customer installation package.

Because the agent database contains potentially sensitive information, Fiberlink is concerned about distributing agent installation packages that contain a clear-text agent policy database. As a result, Fiberlink encrypts the agent database before adding it to the installation package. The agent database is encrypted using a common key for all customers and policy groups. This ensures that an unauthorized user who examines the contents of the installation package is unable to easily access the contents of the policy database.

Although the key is shared, the database is encrypted with Blowfish using a 448-bit key, so a brute-force attack (theoretically possible against any encryption method) would be computationally expensive.

MaaS360 Package Installation

Because Fiberlink is concerned that compromise of the shared key would lead to compromise of the policy database contents, a solution has been implemented to further secure the agent database once it is installed.

When the agent is first installed, the installation process uses the laptop’s hardware information to create a key that is specific to that laptop. Because every laptop’s hardware information is different, this results in a different hash, and hence a different agent database encryption key, for every agent installation.[1]

One aspect of the agent installation process involves reading the contents of the install package database using the generic key, and re-writing the contents of the installed database using the laptop-specific key. At the conclusion of the installation process, every instance of the agent has a policy database whose contents were encrypted using a different key.[2]

As Installed Operation

When the agent database is opened, the decryption key is required. The agent database manager itself has no way of knowing whether the decryption key included in the SQL query is valid or invalid. It simply retrieves the requested value(s) from the data repository, feeds the values and the supplied key into the Blowfish algorithm and returns the output of the decryption process to the requesting application. If an incorrect key is supplied, the value(s) returned when MaaS360 code queries the agent database will be incorrectly decrypted ciphertext (i.e., garbage) that is unusable by the agent.

The agent start-up process includes retrieving the laptop hardware information, which is then used to regenerate the agent database decryption key. The same key is used as long as the agent session manager is active.

MaaS360 Software ID Issuance Process

When MaaS360 is used to connect to the Internet, it sends an update request to the MaaS360 update server.

The update request includes the following items:

  1. Agent software ID.

Note: When the agent is first installed, it has no agent software ID. Thus, the first agent update request contains a blank agent ID.

  2. Customer realm defined in policy for that agent.
  3. User Internet login ID of the user logging in at that time.
  4. Agent software version.
  5. MaaS360 Hardware ID (motherboard and BIOS information).

When the MaaS360 update server receives an update request containing a blank agent ID, the update server:

  1. Generates a new, globally unique agent serial number or agent software ID.
  2. Examines the customer realm included in the update request, looks up the customer realm in the DNA platform and retrieves a corresponding Fiberlink Customer ID.
  3. Creates a new record in the MaaS360 platform, containing the following items:
    1. Agent software ID
    2. User login ID
    3. User realm
    4. Fiberlink customer ID
    5. Agent software version
    6. MaaS360 Hardware ID
    7. Agent ID issue date
  4. Retrieves any necessary phonebook, policy and software updates as appropriate for that user.
  5. Returns the updates to the agent, along with the newly issued agent software ID.
  6. When the agent receives the response to its first update request, MaaS360 stores the just-received agent software ID in the agent policy database. This agent software ID will be included in subsequent update requests the Fiberlink agent submits to the Fiberlink update server.

MaaS360 Installation Considerations: Software ID

The agent software ID is used for the following reasons:

  1. Authentication:
    1. Inclusion in the credentials encryption process and the NAI
    2. Used to detect and reject Internet authentication replay attacks
    3. Used in billing reports analysis to separate out CDR records
  2. Accounting, Billing and Usage Reporting: Inclusion in the Internet authentication request causes the agent ID to be included in RADIUS accounting messages and CDR. This data is used to determine whether high volumes of usage traffic for a single user ID are coming from a single agent or multiple agents.
  3. Agent Updates: Inclusion in update requests sent from the agent to the update server. Specifically for reporting on the update history of a particular agent ID and knowing when the last time a given agent received an update.
  4. Agent License Tracking: For those customers that purchase agent licenses, the agent ID is used to identify unique instances of the agent and billable transactions associated with individual agents.
  5. MaaS360 Connectivity Reporting: Inclusion of the agent ID makes it possible to show in MaaS360 Connectivity Reporting when multiple connection events ostensibly associated with the same user and occurring at the same time are actually connections from multiple different agent instances.

If the agent ID is duplicated across different instances of the agent, the ability to uniquely identify the agent in internal and customer-facing management reports is clearly compromised.

More importantly, since the agent ID and session counters are used to detect and reject Internet authentication replay attacks, the appearance of duplicate agent IDs may result in an Internet authentication failure. For example, if agent A with ID 1000 connects and its current session ID is 100, the Fiberlink authentication platform will reject authentication requests from any Fiberlink agent purporting to have agent ID 1000 unless the session ID is at least 101. If agent B also has ID 1000 and connects with a session ID of 100, the Fiberlink authentication platform will reject the authentication request.

For these reasons, the MaaS360 service must be deployed in a way that ensures there are no duplicate agent IDs.
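An in-memory model of the session-counter check described above, added here as an example (it is not Fiberlink’s code). The platform’s storage, message format and field names are not given in this brief, so the function and parameter names are assumptions; the walkthrough replays the agent A / agent B scenario from the previous section and shows how repeated rejections expose a cloned agent ID.

```powershell
# Added example, not Fiberlink's code: an in-memory model of the session-counter
# replay check described above. The real platform's storage, message format and
# field names are not given in the brief; the names here are assumptions.
$script:LastSessionId = @{}   # agent ID -> highest session ID accepted so far
$script:Rejections    = @{}   # agent ID -> number of rejected requests

function Test-AuthenticationRequest {
    param(
        [Parameter(Mandatory)][int]$AgentId,
        [Parameter(Mandatory)][int]$SessionId
    )
    $last = $script:LastSessionId[$AgentId]
    if ($null -ne $last -and $SessionId -le $last) {
        # The counter did not advance: either a replayed request or a second
        # agent instance that was imaged with the same agent ID.
        $script:Rejections[$AgentId] = 1 + [int]$script:Rejections[$AgentId]
        return [pscustomobject]@{ AgentId = $AgentId; SessionId = $SessionId;
                                  Accepted = $false; Reason = "expected > $last" }
    }
    $script:LastSessionId[$AgentId] = $SessionId
    return [pscustomobject]@{ AgentId = $AgentId; SessionId = $SessionId;
                              Accepted = $true; Reason = 'ok' }
}

# Agent IDs that keep failing the counter check are the reporting signal that an
# image was copied after authentication (see the Important note at the top).
function Get-SuspectedDuplicateAgentIds {
    param([int]$Threshold = 2)
    $script:Rejections.GetEnumerator() |
        Where-Object { $_.Value -ge $Threshold } |
        ForEach-Object { $_.Key }
}

# The brief's scenario: agent A and agent B both carry ID 1000.
Test-AuthenticationRequest -AgentId 1000 -SessionId 100   # A: accepted
Test-AuthenticationRequest -AgentId 1000 -SessionId 100   # B, same session ID: rejected
Test-AuthenticationRequest -AgentId 1000 -SessionId 101   # A's next session: accepted
Test-AuthenticationRequest -AgentId 1000 -SessionId 101   # B again: rejected
Get-SuspectedDuplicateAgentIds                            # report duplicated IDs
```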


[1] Technically this cannot be guaranteed to be globally unique, as there is no guarantee that volume IDs are globally unique. Volume IDs are randomly generated, hence there is a theoretical chance of two different hard drives generating the same volume ID.

[2] Once installed, there is no further change to the client encryption key. Also, there is no mechanism at this time to change the
