Allow/Block/Quarantine (ABQ) is one of the Zextras Mobile security features which allows the administrators to easily manage and keep track of which mobile devices connect to their server. Previously, Zextras mobile ABQ feature provided a set of tools to control which mobile devices are allowed to finalize synchronization with the server, however, in the upcoming Zextras Suite 3.1.8, the ABQ feature also provides the administrators with more refined access control of mobile devices simply by defining some specific rules based on the mobile device IDs. An administrator can allow, block, or quarantine specific DeviceIDs based on a set of personalized rules. These rules follow some patterns using regular expressions to better identify the employee’s mobile devices.
Prior to the Zextras Suite 3.1.8, the procedure ABQ feature followed was, only checking the DeviceID status (allowed or blocked) globally and for the account, then applying the ABQ mode. The new procedure after checking the DeviceID status also checks if the DeviceID matches any rule at the domain and global level.
Here we take a look at the added features, to find out how useful the upcoming enhancement for the Zextras Mobile ABQ feature is. We also provide you with some examples to better understand its usage.
To learn more about the existing features, please refer to Zextras Suite ABQ Feature.
What’s New
Previously, ABQ CLI Toolset included several ABQ commands that enable the administrators to manage the ABQ feature, including list, add / import, allow, block, set, delete, setNotificationInterval. The new Zextras Suite 3.8.1 release includes three additional commands for the ABQ CLI Toolset, setRule, deleteRule, listRules which provide the administrators with more refined access control of mobile devices via defining some rules based on the mobile DeviceIDs.
- listRules – List all the ABQ rules.
zxsuite mobile ABQ listRules [attr1 value1 [attr2 value2...]]For example,
zxsuite mobile ABQ listRules- setRule – Adds an ABQ rule.
zxsuite mobile ABQ setRule {regex} {Allowed|Blocked|Quarantined} {order} [attr1 value1 [attr2 value2...]]For example,
zxsuite mobile ABQ setRule "android.*" Blocked 10With the setRule command, you can also specify a domain as an optional parameter otherwise, the default value would set the rule for all domains. You can assign the rule to a specific domain using domain parameter.
For example,
zxsuite mobile ABQ setRule "android.*" Blocked 10 domain example.com- deleteRule – Deletes an ABQ rule.
zxsuite mobile ABQ deleteRule {regex} [attr1 value1 [attr2 value2...]]For example,
zxsuite mobile ABQ deleteRule "android.*" domain example.comAs we previously said, there a few enhancements in Zextras ABQ feature, coming with the Zextras Suite 3.1.8. The setRule, deleteRule, and listRules commands are a part of this enhancement for managing DeviceID rules. These rules can be handy when you want to specify a large number of DeviceIDs following some patterns. For example, a large enterprise can easily specify a pattern using regular expressions to identify a group of DeviceIDs without the need to use the import command adding a list of all possible evaluations of the expression. Let’s take a closer look at defining the personalized rules.
In the new three commands with the following syntaxes, the regex field specifies the pattern using regular expressions, and the order field indicates the order of evaluation.
zxsuite mobile ABQ listRules [attr1 value1 [attr2 value2...]]
zxsuite mobile ABQ deleteRule {regex} [attr1 value1 [attr2 value2...]]
zxsuite mobile ABQ setRule {regex} {Allowed|Blocked|Quarantined} {order} [attr1 value1 [attr2 value2...]]For example, the DeviceID could be defined using regex as a pattern of 2 uppercase letters, 4 digits, the year between 2020 and 2021, and a fixed string in this format [A-Z][A-Z]-\d\d\d\d-202[0-1]-XYZ.
Order of Evaluation
Regular expressions are evaluated in the order specified in the order field. When a DeviceID matches a rule, the evaluation stops. For example, consider these rules
zxsuite mobile ABQ setRule '[A]' Quarantined 5
zxsuite mobile ABQ setRule '[ABC]' Allowed 10
zxsuite mobile ABQ setRule '[A-Z]' Blocked 20
zxsuite mobile ABQ setRule '[DFG]' Allowed 30For client A first [A] is evaluated first since it has the lowest order value 5, which means client A should be quarantined. The evaluation stops here and won’t check the second regex since it found a match. Then for clients B and C, there is no match in [A] so the next regex [ABC] with the next lowest order value is evaluated, which allows clients B and C and the evaluation stops. For clients D, E, F, G, … the evaluation stops at [A-Z], which blocks all. Therefore clients D, F, and G are blocked although in the next rule [DFG] are allowed, it won’t be checked since after finding the first match in [A-Z] the evaluation has been stopped.
Now consider a group of commands including set and setRule together.
zxsuite mobile ABQ set 'ABC' Quarantined
zxsuite mobile ABQ setRule '[ABC].*' Allowed 10
zxsuite mobile ABQ setRule '[A-Z].*' Blocked 20
zxsuite mobile ABQ setRule '[DFG].*' Allowed 30The order of evaluation is first checking set, then the regular expressions based on their order value. Therefore, client ABC is quarantined. Then the client B is allowed, although in the next rule [A-Z] are blocked, it won’t be checked since after finding the first match in [ABC] the evaluation has been stopped. Client D is Blocked although in the next rule [DFG] are allowed, it won’t be checked since after finding the first match in [A-Z] the evaluation has been stopped.
The order of evaluation can be summarized as
setat the account levelsetat the global levelsetRuleat the domain levelsetRuleat the global levelDefaultat the global level
Let’s take a look at two scenarios to better understand the usage,
1 – When the administrator wants to allow devices with a specific DeviceID pattern and another device CustomABCD.
zxsuite config global set attribute abqMode value Strict
zxsuite mobile ABQ setRule '[A-Z][A-Z]-\d\d\d\d-202[0-1]-XYZ' Allowed 10
zxsuite mobile ABQ set 'CustomABCD' Allowedwhich allows all the clients with matching regex to connect and sync. The CustomABCD device is also able to connect.
2 – When the administrator wants to allow devices with a specific DeviceID pattern except for the device AA-001-20201-XYZ.
zxsuite config global set attribute abqMode value Strict
zxsuite mobile ABQ setRule '[A-Z][A-Z]-\d\d\d\d-202[0-1]-XYZ' Allowed 10
zxsuite mobile ABQ set 'AA-001-20201-XYZ' Blockedwhich allows all the clients with matching regex to connect and sync. The AA-001-20201-XYZ device is not able to connect.
To learn more about this feature please refer to Zextras Suite ABQ feature Documentation.