
MaaS360: Ask Me Anything about Cloud Extender

By Margaret Radford posted Tue May 21, 2024 06:15 PM

  

The IBM MaaS360 Customer Success team recently hosted an Ask Me Anything about the MaaS360 Cloud Extender. You can expect more Ask Me Anything sessions in the future, with our next one planned for July 17, 2024; register here! Have an idea for a topic? Comment below or send a suggestion to the IBM MaaS360 Customer Success team at csmaas@us.ibm.com.

Topics in the May 15, 2024 Ask Me Anything:

**IMPORTANT UPDATE:** New versions (3.000.750/800) of the Cloud Extender Core Agent, Configuration Utility, Realtime Action Module, Cloud Extender Base Module, and Email Notification Module are planned for GA the week of June 3rd and address the following vulnerability. If you have not already completed the required Enhanced Messaging Service upgrades to the Cloud Extender, we suggest you wait for this latest release. If you have already completed the Enhanced Messaging Service upgrades, we thank you for getting that done, and you should plan to apply this latest release.

Link to Presentation and Replay 

If you have any additional questions, post them as a reply to this blog, reach out to your account representative, or contact the IBM MaaS360 Customer Success team by emailing csmaas@us.ibm.com.

For reference, here are the answers to the questions you posed during the session, along with a link to the presentation and replay. Thanks to all who joined us; we had a great discussion!

General Cloud Extender questions: 

Q: We are using MaaS360 on mobile to receive Exchange email without Cloud Extender. Are there any key security or user features we are missing by not using the Cloud Extender?

A: The only time you would see an impact on user features is if users have iOS devices and are using MaaS360 Secure Mail, which is the containerized email inside the MaaS360 app. The Cloud Extender's Email Notifications module enables real-time notifications to MaaS360 Secure Mail users on iOS devices. Otherwise, the users would have to go into the MaaS360 app and refresh mail.

A: For security features, the Cloud Extender provides additional capabilities. Because the Cloud Extender can talk to Exchange, Traveler, or Office365, the actions that you would normally have to log into those tools to perform become available to you in MaaS360. Blocking email flow, approving a blocked user, or quarantining device access can be automated or performed as a one-click action in the MaaS360 portal. Quarantining is a fantastic feature that we have fleshed out very well over the years. If devices are not enrolled, or if devices are not getting their mail settings through MaaS360, they can be quarantined, which prevents them from connecting to mail until they are approved, either automatically when they are enrolled or when the administrator approves them.

The block workflow is great for managing compliance. Once you have a Cloud Extender configured and communicating with Exchange, you gain access to additional actions that can be taken at the device level and inside your compliance rule itself. For example, you can set a Block action to be taken if the device is not at the required OS level that you set, or if there is a restricted app on the device. The block removes access to email, and after the device comes back into compliance, the block is removed and the user can access mail again.

Q: We have on premise AD and on premise Exchange, we have mobile mail without using the Cloud Extender but the slide seems to indicate we need Cloud Extender for mail access?

A: You only need the Cloud Extender Exchange module if you want to use the Block, Approve, and Quarantine security features and/or want visibility into all devices with mailboxes from within the MaaS360 portal. The Cloud Extender Exchange module is not part of the mail delivery flow from Exchange to the mobile device.

Q: If we have AD Sync set up with Azure AD do we need Cloud Extender to take advantage of Single Sign on?

A: No, if you have integrated MaaS360 with Azure using our cloud-to-cloud integration in the portal under Setup > Azure integration, you do not need Cloud Extender. https://www.ibm.com/docs/en/maas360?topic=setup-integrating-azure-ad-maas360

Q: Should we be using MaaS360 Cloud Extender Certificate Integration?

A: This depends on your environment. If you are using a Certificate Authority and you want to use identity-certificate-based authentication for accessing corporate Wi-Fi, corporate email, applications, or VPN, which eliminates the need for user password entry, then the Cloud Extender would be used to deliver the certificate to the device.

If you only need to provide a root certificate that is the same for everyone across your environment, it can be handled right inside your MDM policy and does not need the Cloud Extender.

Q: Can the Cloud Extender help with managing our Apple IDs if we try to integrate with our Active Directory?

A: If you are using Managed Apple IDs and User Enrollment mode or Shared mode through DEP, you would first have to integrate within Apple Business Manager. Then, once you have users imported into your portal, and if the Apple IDs are identical to the emails of the user records in the portal, there is an option in the portal to automatically use the user's email address as their Managed Apple ID: under Settings > User Settings > Basic, select User Email Address as Managed Apple ID.

If your email address does not match the Apple ID, you can use the Cloud Extender User Visibility module to map specific attributes outside of MaaS360 (in Active Directory) to specific attributes inside of MaaS360. To configure this, you must use the LDAP mode of the Cloud Extender User Visibility module and Advanced Settings.

Q: Are there log files within MaaS360 Cloud Extender to verify account logins of devices and bad credentials?

A: If the User Authentication module is configured, there are no separate logs dedicated to that information. However, authentication logs are captured in the Cloud Extender generic logs, which can show that an authentication request failed due to bad credentials, etc.

Q: We use MaaS360 for our cell phones through Verizon to just be able to locate the phones, find lost phones, erase lost phones or fired employees, erase passwords for phone access, basically just to see the phones and protect them when lost. I am lost on this Cloud Extender, does this Cloud Extender update even affect that type of usage?

A: You don't have to use Cloud Extender unless you want to integrate with your corporate on-premises directory service, access resources behind the firewall, need a VPN service, integrate with a Certificate Authority, have MaaS360 Secure Mail on iOS devices and want real-time notifications, or integrate with your on-prem or cloud mail service for additional visibility and security features.

Q: When will the Cloud Extender modules be available that address the recent vulnerability notification?

A: The GA versions of the updates should be available the week of May 27th 2024.

Q: In my environment, we cannot use Cloud Extender Auto Updates, how can we upgrade modules?

A: You have two options:

  • You can enable Auto Updates in the Cloud Extender Configuration Utility under Settings and then disable it once the modules are updated. It can take up to 30 minutes for the latest modules to be downloaded and updated. Note that the Core Agent, MaaS360 VPN and MaaS360 Mobile Enterprise Gateway must be updated manually.
  • Contact IBM Technical Support and we can work with you to update the modules manually.

Cloud Extender 3.000.700+ Upgrade questions:

Note: Detailed upgrade steps can be found here: https://www.ibm.com/docs/en/maas360?topic=modules-upgrading-cloud-extender-use-enhanced-messaging-service

Q: When will the banner in the portal disappear? After I’ve completed all the steps to confirm connectivity, upgrade the modules and core agent? Or after the Enhanced Messaging Service has been enabled by support?

A: In an ideal scenario, the banner should go away after you have confirmed connectivity and upgraded the 3 modules and the core agent to 3.000.700 or later. If the banner is still showing after you have completed all the upgrades, there could be a networking issue that is not visible. In that case, you should open a support ticket by using the headset icon in the upper right of the portal.

Q: Am I good to go for June 30 since I don't see the portal banner anymore and the core agent and the module versions are updated as noted?

A: Yes, we are doing batch enablement of the Enhanced Messaging Service in the background on portals that have completed all the upgrade tasks as noted in the documentation here. That batch enablement is being done incrementally. As part of that batch enablement, all your prerequisites are checked prior to enabling the Enhanced Messaging Service.

EXCEPTION: Customers who have 5000+ devices or who have been working with a lab advocate might be excluded from automated enablement. These customers should reach out to their IBM Customer Success Manager or csmaas@us.ibm.com to determine their status and schedule enablement.

Q: In the case of a hybrid environment of both on prem and Azure and Cloud Extenders not online, how is it going to impact them?

A: Any communication that needs to use the MaaS360 Cloud Extender is impacted. For example, if your Cloud Extender is still being used for a portion of your users (maybe not all have been migrated to Azure User Visibility and User Authentication), or you're keeping Cloud Extender for certificate delivery, iOS email notifications, Exchange visibility and security, Mobile Enterprise Gateway, or VPN, then those functions will be impacted if you do not upgrade.

Q: The MaaS360 VPN module is still showing as 3.000.400 but there is no yellow flag in the Cloud Extender?

A: The VPN module does not impact this upgrade path. Required modules can be found here.

Q: How do you pull up the Cloud Extender Configuration Tool again?

A: On the Windows Server, go to All Programs > IBM > Cloud Extender Config Tool.
