
Allowing compromised devices and apps to access the gateway

You can configure the gateway to allow certain users to connect even from a compromised device (jailbroken or rooted) or with an app that has been tampered with.

For configuring the client to block apps when detecting compromised devices or apps, see the Integrity and Posture policy in the integration platform documentation.

Allowing jailbroken devices to access the gateway

By default, the gateway is configured not to allow jailbroken devices to connect. However, the gateway can be configured to allow such devices if the user is a member of a local group that has this privilege. To configure this, use two commands: one to set the jailbreak-permitted attribute on the group, and another to add the user to that group.

To allow jailbroken devices to connect to the gateway, use these templates:

BASH
% set aaa auth-provider local group groupname jailbreak-permitted true
% set aaa auth-provider local user username password string group groupname

Example

BASH
% set aaa auth-provider local group wheel jailbreak-permitted true
% set aaa auth-provider local user jbrown password Secret group wheel

Data configured:

BASH
% show aaa auth-provider local
local {
  user admin {
    password $6$ySv5tll1$nyQbuLqlMSWJVmKY4CR1HrazReS5C3/ib6RgnmsmoKs2al0oyqRtSvdKlYDLNJI5.Q5VPLArV3CFSd4sHiL.6.;
    group    wheel;
  }
  group wheel {
    administrator       true;
    jailbreak-permitted true;
  }
  user jbrown {
    password $6$VFleH/fO$v1Ps4x1VjZNxW/2.xO2BfJFbNj5r1V.XslIEWUc8cxye3kxHDOd7tHGrVRLWBc9QuWXkLk3c.hN9wDPwrDjE80;
    group    wheel;
  }
}

Allowing tampered apps to connect to the gateway

BLUE CEDAR ENFORCE ACCELERATOR ONLY

If the Integrity and Posture policy is not configured to block devices on tamper detection, the client reports the tampered files to the gateway, and the gateway decides whether or not the client is allowed to proceed with authentication.

By default, the gateway is configured not to allow apps to connect if they have been tampered with after securing. However, the gateway can be configured to allow such apps if the user is a member of a local group that has this privilege. To configure this, use two commands: one to set the tampered-apps-permitted attribute on the group, and another to add the user to that group.

To allow tampered apps to connect to the gateway, use these templates:

BASH
% set aaa auth-provider local group groupname tampered-apps-permitted true
% set aaa auth-provider local user username password string group groupname

The gateway can also check the signing certificate used to calculate integrity. At connection time, the injectable sends a thumbprint (a SHA-512 hash of the key in the Integrity and Posture policy). The gateway can compare the value from the client to the expected value to help protect against offline attacks in which the key is changed.

To set this thumbprint on the gateway, run this command in configuration mode. The integration platform shows this command, already populated with the thumbprint of the key, on the Integrity and Posture policy details screen.

BASH
% set aaa auth-group default integrity-key-thumbprint hash-value-of-key-from-console
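The three checks described on this page (group-based permission for jailbroken devices, group-based permission for tampered apps, and the integrity-key thumbprint comparison) can be modelled as one decision function. The Python below is an added illustration, not Blue Cedar's gateway code: it parses a constructed listing in the shape of the `show aaa auth-provider local` output (placeholder password hashes), then evaluates a client's reported posture against the user's group attributes and the configured thumbprint. Hex encoding of the SHA-512 thumbprint, the posture field names, and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed sample in the shape of `show aaa auth-provider local`.
# Password hashes are placeholders, not values from a real gateway.
SAMPLE_CONFIG = """local {
  user admin {
    password $6$PLACEHOLDER$hash-a;
    group    wheel;
  }
  group wheel {
    administrator       true;
    jailbreak-permitted true;
  }
  user jbrown {
    password $6$PLACEHOLDER$hash-b;
    group    mobile;
  }
  group mobile {
    tampered-apps-permitted true;
  }
}
"""

BLOCK_RE = re.compile(r"^(user|group)\s+(\S+)\s*\{$")   # "user admin {" / "group wheel {"
ATTR_RE = re.compile(r"^(\S+)\s+(.+?);$")               # "jailbreak-permitted true;"


def parse_local_config(text):
    """Parse the listing into ({user: attrs}, {group: attrs}) dictionaries."""
    users, groups = {}, {}
    current = None  # (kind, name) of the block currently open
    for raw in text.splitlines():
        line = raw.strip()
        block = BLOCK_RE.match(line)
        if block:
            kind, name = block.groups()
            current = (kind, name)
            (users if kind == "user" else groups)[name] = {}
            continue
        if line == "}":
            current = None
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            kind, name = current
            key, value = attr.groups()
            (users if kind == "user" else groups)[name][key] = value
    return users, groups


def group_permits(users, groups, username, attribute):
    """True only if the user's group explicitly sets the attribute to true (default deny)."""
    user = users.get(username)
    if user is None:
        return False
    return groups.get(user.get("group", ""), {}).get(attribute) == "true"


def key_thumbprint(policy_key):
    """SHA-512 thumbprint of the Integrity and Posture policy key; hex encoding is an assumption."""
    return hashlib.sha512(policy_key).hexdigest()


def evaluate_client(users, groups, username, posture, expected_thumbprint=None):
    """Decide whether a client may proceed to authentication; returns (allowed, reason)."""
    if username not in users:
        return False, "unknown user"
    if posture.get("jailbroken") and not group_permits(users, groups, username, "jailbreak-permitted"):
        return False, "jailbroken device and group lacks jailbreak-permitted"
    if posture.get("tampered_files") and not group_permits(users, groups, username, "tampered-apps-permitted"):
        return False, "tampered app and group lacks tampered-apps-permitted"
    if expected_thumbprint is not None:
        reported = posture.get("integrity_key_thumbprint", "")
        # Constant-time comparison of the client-reported thumbprint with the configured one
        if not hmac.compare_digest(reported.encode(), expected_thumbprint.encode()):
            return False, "integrity key thumbprint mismatch"
    return True, "ok"


if __name__ == "__main__":
    users, groups = parse_local_config(SAMPLE_CONFIG)
    expected = key_thumbprint(b"constructed-policy-key")  # stands in for the console-provided value
    clean = {"jailbroken": False, "tampered_files": [], "integrity_key_thumbprint": expected}
    print(evaluate_client(users, groups, "admin", dict(clean, jailbroken=True), expected))
    print(evaluate_client(users, groups, "jbrown", dict(clean, jailbroken=True), expected))
```

The checks are deliberately default-deny: an attribute that is absent from the group, or a user with no group, is treated the same as `false`, which matches the gateway's documented default of disallowing jailbroken devices and tampered apps unless a group explicitly grants the privilege.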
