Configuring Device Binding on the ISA Web Console Using Manual Device Registration Details (Windows Client)

Configuring Device Binding on the ISA Web Console Using Manual Device Registration Details (Windows Client)

This article describes the process of configuring Device Binding using manual Device Registration for a Microsoft Windows PC.

One method of Device Registration occurs when Instasafe Secure Access (ISA) automatically captures certain device identification details when an ISA User Agent connects to the ISA Controller.  

When a user's device information is auto-captured, the default status of the device is pending approval. Until approved or activated by the administrator, users with Device Binding enabled in their user group will be unable to connect using the ISA User Agent from the device. The ISA web portal administrator can manually activate, suspend, or delete the device.

However, this task can be daunting in the case of a large number of devices requiring approval or other status changes.  The Bulk Ops option on the Devices page automates this process by changing the statuses of a large number of devices at once. For more information on Bulk Ops, refer to the KB article Performing Bulk Operation on Device List.

Another method is to register devices manually.  Manual device registration is only required rarely.  Manual device registration requires the administrator to obtain the following information from the client OS:

  1. MAC Address of the physical network adapter
  2. Operating System Name
  3. BIOS Serial Number
  4. Universally Unique Identifier (UUID)

Using these parameters, it is possible to enforce Device Binding on users. Device Binding will ensure that the users are allowed to make connections only from those devices registered in the ISA web console.  This will eliminate attacks due to stolen or shared passwords. A user can be bound to multiple devices.

Manual Device Registration
  1. On the Windows client, open Windows PowerShell and enter the following command:
      1. Get-netadapter
      2. systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
      3. wmic bios get serialnumber
      4. wmic path win32_computersystemproduct get uuid
  2. Log into the ISA web console using admin credentials
  3. Navigate to the DEVICES & CHECKS > DEVICES page. 
  4. Click Add the button.
  5. On the Add Device window, enter the following information:
      1. Name: Enter a name for this device. The name must not have spaces.  Hyphens or underscores are allowed.
      2. OS: Select the OS name obtained from the command executed in PowerShell.
      3. MAC Address: Enter the MAC address of the physical network adapter that connects to the ISA Controller using the information obtained from the command executed in PowerShell.
      4. Serial Number: Enter the BIOS serial number obtained from the command executed in PowerShell.
      5. UUID: Enter the UUID obtained from the command executed in PowerShell.
  6. Click Save and Add New.
  7. The new device will be listed on the Devices page. The device is automatically activated and, under status, will be shown as enabled.
  8. Navigate to the USERS & GROUPS > Users page.
  9. On this page, click on the name of the user that requires binding. In this example, it is Jebb Tucker.
  10. In the edit user window, click on Edit and scroll down the window.
  11. Toggle the Device Binding button to enable it. 
  12. Click inside the Select devices box to list the device names. 
  13. Select the device name for the user. In this example, jebb_device_1
  14. Click on Update at the bottom to save this configuration. 
  15. A message at the bottom, User has been updated, indicates the configuration has been updated. Click on the “X” button to close this window. 
  16. Next, we will test Device Binding by connecting the user Jebb Tucker from a different device than the device the user is bound to.
Testing

In this example, we connect the user Jebb Tucker from an iOS device.

  1. On the iOS device, login to the ISA web console using the remote user’s credentials.
  2. Click on the iOS icon to download the ISA User Agent.
  3. From the Apps Store, download the ISA User Agent for iOS.
  4. In the User Agent app, enter the domain name assigned by InstaSafe and click Login.
  5. In the username and password window, enter the username and password for the user. In this example, the credentials for the user Ruby Kane have been entered.
  6. Click Sign In.
  7. The Agent will attempt to connect but will be blocked by the ISA Controller. The user will see the message “Error! Device not authorized”.
  8. On the ISA web console, navigate to the DEVICES & CHECKS > Devices page. On this page, although the User Agent was not successful in connecting, the device information would have been captured and a new  device will be listed. In this example, the information of the iOS device has been captured and a new device with the name jebb_device_2 has been created.  The ISA web console administrator may choose to add this device to the user’s Device Binding configuration. 

In the event you are unable to configure Device Binding by following these steps, please contact your organization's IT Team

If you are an administrator of the organization's ISA Account and need assistance, contact InstaSafe Support