Notification for any client being blocked?

NolanHerring

Hi guys,

I have enabled 'Assign group policies by device type' to block mobile BYOD devices (iPhone/Android), so that they can't join when someone uses their AD credentials (they love to try).

This works well for the most part. However, every now and then, maybe a few times a week, an Apple MacBook Pro will be falsely detected as an iPhone, and the laptop will then automatically be placed into the BLOCKED mode and I have to change it to NORMAL so they can connect. I only know this happens because I happen to check, or if they complain to service desk.

Until I migrate to EAP-TLS, which will allow me to remove this group policy feature, I'm forced to do this. I was wondering if anyone knows of a way to get some sort of alert if a client becomes blocked (regardless if it's auto or manual).

With the introduction of webhooks I thought maybe that might help, but I don't think it will. Looking at the API the only option I see is 'Return the group policy that is assigned to a device in the network' but this requires I input the client's MAC address, so this isn't helpful.

Any thoughts?

Nolan Herring | nolanwifi.com
MacuserJim

As far as the API goes, you can retrieve the clients connected to a device, which returns the MAC; you can then use those MACs to return the group policy. So if you are good with the API (it sounds like you are) you can have that all in one script.

I'm not sure of a good way to send notifications to you though.
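
The approach described in the reply above (list clients, look up each client's policy by MAC, report the ones that have become blocked), as an added example that is not part of the original post and not Meraki's code. `list_clients` and `get_policy` are hypothetical callables standing in for the two API calls, and the record fields (`mac`, `description`, `devicePolicy`) and sample data are constructed assumptions.

```python
import json
from pathlib import Path

# Constructed sample data (not real devices); field names are assumptions.
SAMPLE_CLIENTS = [
    {"mac": "00:11:22:33:44:55", "description": "Janes-MacBook-Pro"},
    {"mac": "66:77:88:99:AA:BB", "description": "Bobs-iPhone"},
    {"mac": "CC:DD:EE:FF:00:11", "description": None},
]
SAMPLE_POLICIES = {
    "00:11:22:33:44:55": {"devicePolicy": "Blocked"},
    "66:77:88:99:aa:bb": {"devicePolicy": "Blocked"},
    "cc:dd:ee:ff:00:11": {"devicePolicy": "Normal"},
}


def blocked_now(list_clients, get_policy):
    """Return {mac: description} for every client whose policy is Blocked."""
    blocked = {}
    for client in list_clients():
        mac = client["mac"].lower()
        policy = get_policy(mac) or {}  # tolerate a client with no policy record
        if str(policy.get("devicePolicy", "")).lower() == "blocked":
            blocked[mac] = client.get("description") or "unknown"
    return blocked


def newly_blocked(current, state_file):
    """Diff against the previous run's blocked set, then save the current one."""
    path = Path(state_file)
    previous = set(json.loads(path.read_text())) if path.exists() else set()
    path.write_text(json.dumps(sorted(current)))
    return {mac: name for mac, name in current.items() if mac not in previous}


def alert_lines(new):
    """One line per newly blocked client; hand these to mail, chat or a ticket."""
    return [f"BLOCKED {mac} ({name})" for mac, name in sorted(new.items())]


if __name__ == "__main__":
    current = blocked_now(lambda: SAMPLE_CLIENTS, SAMPLE_POLICIES.get)
    for line in alert_lines(newly_blocked(current, "blocked_state.json")):
        print(line)
```

Run from a scheduler, this reports each client once when it first appears as blocked; a client set back to NORMAL drops out of the saved set, so it is reported again if it is blocked a second time.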

@NolanHerring this happens sometimes with the Dashboard incorrectly identifying a device type. What if you used tags instead of device type?

I don't see any option for using the tags, so I must be missing something. Not sure that would solve it though. I understand the false positives will happen; it's not perfect. So I know I can't prevent it, but just want to take action when it does happen. I'm thinking there isn't any easy way to do this other than what I've been doing, which is wait for a complaint or check it manually occasionally =( lol
Nolan Herring | nolanwifi.com

This isn't what you are looking for, but what if you had it apply a group policy to move them to another "guest" VLAN that has internet access, but not access to company resources? That would at least allow legitimate users to do basic work, like email, log into SaaS applications, etc.

@MacuserJim Not a bad idea, however, I don't want it to function at all because I don't want any traffic from a BYOD device using the specific WAN connections for corporate use. So blocking 100% is the only choice to ensure this.

Nolan Herring | nolanwifi.com

Sorry, I misread your question. I've had a good look through the alerts section and I cannot find anything that will work. For now I would just keep doing what you're doing and submit a wish.

PhilipDAth

If someone plugs their iPhone via USB into their notebook you may also find that the notebook gets falsely detected as an iPhone, as the iPhone will use Ethernet over USB and communicate via that method.
