IBM Support

MaaS360 Changes to Cert Pinning

Preventive Service Planning


Abstract

MaaS360 will begin implementing changes to the way our product handles certificate pinning. These changes will impact clients who attempt to access MaaS360 services while connected to a proxy. The new behavior can optionally be enabled now by contacting our support teams.

Content

What is certificate pinning?
Cert pinning is a process by which MaaS360 apps verify that the services they are communicating with are genuine MaaS360 services. It is a widely used industry practice: the MaaS360 apps "pin" a verifiable certificate from our services as a reference, so that when a device initiates an SSL handshake with our services it knows the connection is genuine and that a malicious entity has not intercepted the communication (commonly referred to as a "Man In The Middle" (MITM) attack) in order to gain improper access to resources.

Where does a proxy come in to this?
Many of our clients use proxies to handle communication between internal assets and external services such as MaaS360. Our applications cannot "know" whether the proxy belongs to the organization or to individuals who could be malicious; they only know that their traffic to and from our backend services is being relayed indirectly. This is why MITM attacks are popular amongst threat actors: it is not difficult to fake being an official source.
Does MaaS360 use cert pinning today?
Yes, we do; however, the checks and validations take place post-enrollment. Once enrollment is complete, the policy passes down the information required to pin certs. If the traffic comes in via a proxy, this can result in a pop-up message on devices, like the one pictured below.
What are we changing?
MaaS360 is implementing more security features all the time to address the growing security needs of our clients.  Certificate pinning is one small part of larger initiatives that make MaaS360 one of the most secure cloud-based UEM providers on the market.

The upcoming changes will prevent applications from activating at all if the trust between the client and server cannot be verified via pinned certs. This means that the MaaS360 app, the browser, and the various helper and maintenance agents we provide for iOS and Android devices will not open until trust can be established. This will have a high likelihood of impact on organizations that run a proxy. See the videos below for examples of the behavioral changes:
Sample screen of a device attempting enrollment while connected to a proxy:
What needs to be done to ensure that services are not interrupted?
Proxy admins will need to ensure that MaaS360 services bypass the proxy for enrollment and access. How this is accomplished will vary from service to service. An Allowed URLs rule needs to be created that disables SSL intercept for the following MaaS360 URLs, and these rules should be maintained at the top of the SSL intercept layer:
  • maas360.com (portal)
  • m.dm (enrollment)
Adding the URLs to the allowlist and disabling SSL intercept for them will allow MaaS360 traffic through unimpeded and ensure that enrollments continue to flow.

MaaS360 is currently running an open beta for clients who believe they could be impacted by these changes.  Please reach out to MaaS360 customer support to be added to the beta program.


Document Information

Modified date:
24 June 2021

UID

ibm16464459