For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.
Allow/Block/Quarantine (ABQ) is one of the Zextras Mobile security features which allows the administrators to easily manage and keep track of which mobile devices connect to their server. Previously, Zextras mobile ABQ feature provided a set of tools to control which mobile devices are allowed to finalize synchronization with the server, it also provides the administrators with more refined access control of mobile devices simply by defining some specific rules based on the mobile device IDs. An administrator can allow, block, or quarantine specific DeviceIDs based on a set of personalized rules. These rules follow some patterns using regular expressions to better identify the employee’s mobile devices.
The ABQ feature first, checks the DeviceID status (allowed or blocked) globally and for the account, then it checks if the DeviceID matches any rule at the domain and global level and then applies the ABQ mode.
Here we take a look at this feature to find out how useful the Zextras Mobile ABQ feature is. We also provide you with some examples to better understand its usage. To learn more about this feature please refer to Zextras Suite ABQ feature Documentation.
Status
To check the ABQ service status run
zxsuite mobile getServices
To start or stop the ABQ service run
zxsuite mobile doStartService abq
zxsuite mobile doStopService abq
Modes
As soon as a mobile device tries to synchronize with the server, the ABQ feature is activated based on the mode it has been set to. There are four possibilities, Permissive, Interactive, Strict, and Disabled.
- Permissive – After authenticating the user and checking their account status for safety reasons, the synchronization will continue, unless the device has been blocked.
- Interactive – After authenticating the user and checking their account status for safety reasons, the synchronization will continue unless the device is not in the allowed list, and the connection status will be set to Quarantine.
- Strict – After authenticating the user and checking their account status for safety reasons, the synchronization will continue unless the device is not in the allowed list, and the connection status will be set to Block.
- Disabled – ABQ is disabled, no checks are triggered and no policies are enforced.
To check the current ABQ mode run
zxsuite config global get attribute abqMode
To change the current ABQ mode run
zxsuite config global set attribute abqMode value [Permissive|Interactive|Strict|Disabled]
Components
The ABQ feature is composed of three components in its core, the ABQ List, the Authorization Engine, and the CLI Toolset.
- ABQ List – Also known as Device Control List contains the information of the allowed devices within the NG config engine.
- Authorization Engine – Sets the allow/block/quarantine status of a device to the appropriate value based on the ABQ List.
- CLI Toolset – Enables the administrators to manage the ABQ feature, such as displaying the ABQ List, quarantined, and blocked devices, adding devices to the ABQ List, changing the device status between quarantine, allowed, and blocked, changing the synchronization status of a device.
ABQ CLI Toolset
There are several ABQ commands in the CLI Toolset that enables the administrators to manage the ABQ feature, including list
, add
/ import
, allow
, block
, set
, delete
, setNotificationInterval
, setRule
, deleteRule
, listRules
.
You can find a short description of these commands and their usage by
zxsuite mobile ABQ
or specifically calling the commands to find more details, for example,
$ zxsuite mobile abq list
List devices.
Syntax:
zxsuite mobile ABQ list [attr1 value1 [attr2 value2...] ]
PARAMETER LIST
NAME TYPE EXPECTED VALUES
status(O) String Allowed|Blocked|Quarantined
(M) = mandatory parameter, (O) = optional parameter
In the following, you will find more information including examples of using these commands.
- list – Lists all the devices ABQ status.
zxsuite mobile ABQ list [attr1 value1 [attr2 value2...] ]
For example,
zxsuite mobile ABQ list
devices
device_id androidc133785981
status Quarantined
device_id androidc1024711770
status Blocked
device_id SAMSUNG1239862958
status Allowed
- add / import – Imports a list of device IDs from a file, and sets their status.
zxsuite mobile ABQ import {Path to file} {Allowed|Blocked|Quarantined}
For example,
[zimbra@mail ~]$ zxsuite mobile abq import /tmp/list Allowed
3 devices added
[zimbra@mail ~]$ cat /tmp/list
androidc133785981
androidc1024711770
SAMSUNG1239862958/user@domain.com
which, allows the androidc133785981
and androidc1024711770
devices to sync regardless of the account, while the SAMSUNG1239862958
device is allowed to sync only the user@domain.com
account.
- allow – Sets the status for a quarantined device to Allowed.
zxsuite mobile ABQ allow {device_id} [attr1 value1 [attr2 value2...]]
- block – Sets the status for a quarantined device to blocked.
zxsuite mobile ABQ block {device_id} [attr1 value1 [attr2 value2...]]
- set – Sets the status for a device to any value.
zxsuite mobile ABQ set {device_id} {Allowed|Blocked|Quarantined} [attr1 value1 [attr2 value2...]]
- delete – Deletes a device from all lists.
zxsuite mobile ABQ delete {device_id} [attr1 value1 [attr2 value2...]]
- setNotificationInterval – Sets the notification interval for new quarantined devices.
zxsuite mobile ABQ setNotificationInterval {45m|6h|1d}
For example,
zxsuite mobile abq setNotificationInterval 45m
which sets the notification of new quarantined devices every 45 minutes.
zxsuite mobile ABQ allow {device_id} [attr1 value1 [attr2 value2...]]
- listRules – List all the ABQ rules.
zxsuite mobile ABQ listRules [attr1 value1 [attr2 value2...]]
For example,
zxsuite mobile ABQ listRules
- setRule – Adds an ABQ rule.
zxsuite mobile ABQ setRule {regex} {Allowed|Blocked|Quarantined} {order} [attr1 value1 [attr2 value2...]]
For example,
zxsuite mobile ABQ setRule "android.*" Blocked 10
With the setRule
command, you can also specify a domain as an optional parameter otherwise, the default value would set the rule for all domains. You can assign the rule to a specific domain using domain
parameter.
For example,
zxsuite mobile ABQ setRule "android.*" Blocked 10 domain example.com
- deleteRule – Deletes an ABQ rule.
zxsuite mobile ABQ deleteRule {regex} [attr1 value1 [attr2 value2...]]
For example,
zxsuite mobile ABQ deleteRule "android.*" domain example.com
To learn more about this feature please refer to Zextras Suite ABQ feature Documentation.