Zextras Suite ABQ Feature | Zimbra

Alert! This article is written for Zimbra OSE users. As of December 2023, Synacor will no longer be providing support for Zimbra OSE. You might want to consider trying out Carbonio Community Edition – Zextras’s free and open-source email and collaboration platform.

For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.

Allow/Block/Quarantine (ABQ) is one of the Zextras Mobile security features. It lets administrators easily manage and keep track of which mobile devices connect to their server. Previously, the Zextras Mobile ABQ feature provided a set of tools to control which mobile devices are allowed to finalize synchronization with the server. It also provides administrators with more refined access control of mobile devices through rules based on the mobile device IDs: an administrator can allow, block, or quarantine specific DeviceIDs based on a set of personalized rules. These rules use regular-expression patterns to better identify the employees' mobile devices.

The ABQ feature first checks the DeviceID status (allowed or blocked) globally and for the account. It then checks whether the DeviceID matches any rule at the domain and global level, and finally applies the ABQ mode.

Here we take a look at this feature to find out how useful the Zextras Mobile ABQ feature is. We also provide some examples to better illustrate its usage. To learn more about this feature, please refer to the Zextras Suite ABQ feature documentation.

Status

To check the ABQ service status run

zxsuite mobile getServices

To start or stop the ABQ service run

zxsuite mobile doStartService abq
zxsuite mobile doStopService abq

Modes

As soon as a mobile device tries to synchronize with the server, the ABQ feature is activated based on the mode it has been set to. There are four possible modes: Permissive, Interactive, Strict, and Disabled.

  • Permissive – After authenticating the user and checking their account status for safety reasons, the synchronization will continue, unless the device has been blocked.
  • Interactive – After authenticating the user and checking their account status for safety reasons, the synchronization will continue only if the device is in the allowed list; otherwise, the connection status will be set to Quarantine.
  • Strict – After authenticating the user and checking their account status for safety reasons, the synchronization will continue only if the device is in the allowed list; otherwise, the connection status will be set to Block.
  • Disabled – ABQ is disabled, no checks are triggered and no policies are enforced.

To check the current ABQ mode run

zxsuite config global get attribute abqMode

To change the current ABQ mode run

zxsuite config global set attribute abqMode value [Permissive|Interactive|Strict|Disabled]

Components

The ABQ feature is composed of three core components: the ABQ List, the Authorization Engine, and the CLI Toolset.

  • ABQ List – Also known as the Device Control List, it contains the information of the allowed devices within the NG config engine.
  • Authorization Engine – Sets the allow/block/quarantine status of a device to the appropriate value based on the ABQ List.
  • CLI Toolset – Enables the administrators to manage the ABQ feature, such as displaying the ABQ List, quarantined, and blocked devices, adding devices to the ABQ List, changing the device status between quarantine, allowed, and blocked, changing the synchronization status of a device.

ABQ CLI Toolset

There are several ABQ commands in the CLI Toolset that enable administrators to manage the ABQ feature, including list, add / import, allow, block, set, delete, setNotificationInterval, setRule, deleteRule, listRules.

You can find a short description of these commands and their usage by running

zxsuite mobile ABQ

or specifically calling the commands to find more details, for example,

$ zxsuite mobile abq list
List devices.

Syntax:
   zxsuite mobile ABQ list [attr1 value1 [attr2 value2...] ]


PARAMETER LIST

NAME        TYPE    EXPECTED VALUES
status(O)   String  Allowed|Blocked|Quarantined

(M) = mandatory parameter, (O) = optional parameter

In the following, you will find more information including examples of using these commands.

  • list – Lists the ABQ status of all devices.
zxsuite mobile ABQ list [attr1 value1 [attr2 value2...] ]

For example,

zxsuite mobile ABQ list

        devices

                device_id   androidc133785981
                status      Quarantined

                device_id   androidc1024711770
                status      Blocked

                device_id   SAMSUNG1239862958
                status      Allowed
  • add / import – Imports a list of device IDs from a file, and sets their status.
zxsuite mobile ABQ import {Path to file} {Allowed|Blocked|Quarantined}

For example,

[zimbra@mail ~]$ zxsuite mobile abq import /tmp/list Allowed
3 devices added

[zimbra@mail ~]$ cat /tmp/list
androidc133785981
androidc1024711770
SAMSUNG1239862958/user@domain.com

This allows the androidc133785981 and androidc1024711770 devices to sync regardless of the account, while the SAMSUNG1239862958 device is allowed to sync only the user@domain.com account.

  • allow – Sets the status for a quarantined device to Allowed.
zxsuite mobile ABQ allow {device_id} [attr1 value1 [attr2 value2...]]
  • block – Sets the status for a quarantined device to Blocked.
zxsuite mobile ABQ block {device_id} [attr1 value1 [attr2 value2...]]
  • set – Sets the status for a device to any value.
zxsuite mobile ABQ set {device_id} {Allowed|Blocked|Quarantined} [attr1 value1 [attr2 value2...]]
  • delete – Deletes a device from all lists.
zxsuite mobile ABQ delete {device_id} [attr1 value1 [attr2 value2...]]
  • setNotificationInterval – Sets the notification interval for new quarantined devices.
zxsuite mobile ABQ setNotificationInterval {45m|6h|1d}

For example,

zxsuite mobile abq setNotificationInterval 45m

This sets the notification interval for new quarantined devices to 45 minutes.

  • listRules – Lists all the ABQ rules.
zxsuite mobile ABQ listRules [attr1 value1 [attr2 value2...]]

For example,

zxsuite mobile ABQ listRules
  • setRule – Adds an ABQ rule.
zxsuite mobile ABQ setRule {regex} {Allowed|Blocked|Quarantined} {order} [attr1 value1 [attr2 value2...]]

For example,

zxsuite mobile ABQ setRule "android.*" Blocked 10

With the setRule command, you can also specify a domain as an optional parameter; otherwise, by default, the rule is set for all domains. To assign the rule to a specific domain, use the domain parameter.

For example,

zxsuite mobile ABQ setRule "android.*" Blocked 10 domain example.com
  • deleteRule – Deletes an ABQ rule.
zxsuite mobile ABQ deleteRule {regex} [attr1 value1 [attr2 value2...]]

For example,

zxsuite mobile ABQ deleteRule "android.*" domain example.com
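
As an added example (not part of the original article or of Zextras tooling), the script below parses output in the `zxsuite mobile ABQ list` layout shown above and reports which known DeviceIDs a candidate rule regex would match, with their current status, before the rule is added with setRule. The sample output is constructed from the article's example, the function names are hypothetical, and whole-ID (anchored) matching is an assumption about how rules are compared.

```shell
#!/bin/sh
# Added example (not Zextras code): preview which known DeviceIDs a candidate
# ABQ rule regex matches before running `zxsuite mobile ABQ setRule`.

# Constructed sample in the layout printed by `zxsuite mobile ABQ list`.
# On a live server, use instead: abq_list=$(zxsuite mobile ABQ list)
abq_list='
        devices

                device_id   androidc133785981
                status      Quarantined

                device_id   androidc1024711770
                status      Blocked

                device_id   SAMSUNG1239862958
                status      Allowed
'

# Convert the device_id/status pairs into "device_id<TAB>status" lines.
abq_pairs() {  # $1 = list output
    printf '%s\n' "$1" | awk '
        $1 == "device_id"          { id = $2 }
        $1 == "status" && id != "" { print id "\t" $2; id = "" }'
}

# Print the devices whose whole ID matches the regex, with current status.
# Assumption: a rule is compared against the full DeviceID, so the regex is
# anchored here. Devices already Allowed or Blocked are listed as well,
# because the article says device status is checked before rules.
abq_preview_rule() {  # $1 = list output, $2 = candidate regex
    abq_pairs "$1" | RE="^($2)\$" awk -F '\t' '$1 ~ ENVIRON["RE"]'
}

# Demo: which known devices would a rule on "android.*" touch?
abq_preview_rule "$abq_list" 'android.*'
```

Reviewing the matches first shows whether a pattern is broader than intended, for example a Blocked rule that also covers devices currently in quarantine awaiting approval.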

To learn more about this feature please refer to Zextras Suite ABQ feature Documentation.
