FAQ: Mobile Access Gateway (MAG)

What is the Mobile Access Gateway (MAG)?

The Mobile Access Gateway is a network relay that provides a secure and effective method for individual applications to access corporate resources. When your employees access internal content from their mobile devices, the MAG ensures a secure transfer between the device and enterprise system. The MAG is able to authenticate and encrypt traffic from individual applications on compliant devices to the back-end system they are trying to reach.


Does MAG replace EIS?

As of AirWatch v6.4, the AirWatch Enterprise Integration Service (EIS) has been divided into two products – ACC and MAG. Previously, EIS performed both the integration with back-end systems and access to corporate resources functions. Now, the ACC handles back-end enterprise system integration while the MAG handles device services requests for internal content. By separating the two, AirWatch can develop better enhancements for the device services perspective independent of other enterprise integration. Both products can be used separately, yet complement each other when used together. However, neither one can be used with EIS.


What are the use cases for MAG?

The MAG addresses some of the security deficiencies posed by conventional technology solutions such as SSL-VPNs, which give devices full access to enterprise resources regardless of the application they are accessed from. By ensuring a protected connection between individual applications and back-end resources, the MAG increases secure access to:

• Internal document repositories and content through AirWatch Secure Content Locker (SCL).

• Internal websites, web proxies, and web applications through AirWatch Browser.

• Other enterprise systems from your business applications through AirWatch App Tunneling.


Who is affected by MAG?

Administrators configure the MAG via the AirWatch Admin Console after it is installed. For end-users, the overall experience is seamless thanks to app wrapping, app tunneling, and in-app certificate-based authentication.


How do you use the MAG to configure an application for approved access?

Once you have configured the MAG, you can create an App Wrapping Profile via Applications > Settings and Policies (under Configuration) > Profiles > Add Profile > App Wrapping Profile.

Click the Proxy payload, and your MAG settings should be populated automatically. Save the Profile and, when adding a new application, click the App Wrapping tab and select Enable App Wrapping.

Select the App Wrapping Profile you created and any other profiles/certificates, as needed. Save & Publish. The AirWatch Browser and AirWatch Secure Content Locker can also be configured to leverage the MAG to provide secure access to intranet sites and internal content repositories, respectively.

For the AirWatch Browser, navigate to System Configuration > Apps > AirWatch Browser, select the Browser Settings tab, and select either a Shared iOS or Android SDK Profile (Default) or Legacy SDK Profile (Custom). Shared profiles will use the Settings and Policies settings, and Custom profiles will let you select "Enable Mobile Access Gateway" from this page.

For the Secure Content Locker, navigate to System Configuration > Content > Content Management > Content Repository > Add. When adding a new repository, you can select Access via EIS / MAG to force connections through your configured MAG.


What is App Wrapping?

App Wrapping is the process of empowering applications with a number of configuration and security capabilities without any code changes. With the MAG enabled, you can proxy all traffic through the MAG and to a back-end resource in a process known as App Tunneling.


What happens to the application file (for example, .IPA) when sent for wrapping, and how is it secured and protected?

When the IPA file is uploaded, it is sent to the AirWatch App Wrapping service over HTTPS and authenticated with the customer ID. The wrapping service extracts the IPA, injects wrapping binaries, provisions entitlements, and re-signs it with the certificate. The re-signed IPA is sent back to the AirWatch Admin Console for distribution to assigned devices. The wrapping service is a stateless REST API service and nothing is persisted on the service side.


What does the AirWatch server store after performing App Wrapping?

The AirWatch Admin Console stores the wrapped binary (IPA) file. The wrapping service does not store anything.


What is App Tunneling?

Application Tunneling is the process of establishing a direct, secure connection between your business applications and internal corporate systems. By enabling the App Tunnel for only select business applications, you can be certain that unauthorized, personal or malicious apps do not have access to your network.


What are in-app certificate authentication and encryption?

After you wrap an application for corporate access through the MAG, AirWatch automatically deploys a unique X.509 certificate to wrapped applications on enrolled devices. This certificate authenticates the connection between the application and the MAG. Applications on the device receive a unique certificate signed by a tenant-level root (device root). The MAG trusts this tenant-level root through chain trust and verifies the signature of incoming devices using the public key of the device certificate. The AirWatch Admin Console sends the public key of each device certificate to the MAG so that it can validate incoming device signatures against it. Applications store the identity certificate encrypted with a symmetric key (AES-256). The key is derived from either the user PIN using PBKDF2 key derivation.


If the hashed CMS/Cert Thumbprint certificate is used by the application to authenticate to the MAG, what certificates are used to create the VPN tunnel? In addition, what is their origin and storage location?

The application MAG identity certificate is stored on the device. Only the public key exists with the server. This public key is communicated to the MAG for that device and application, so that MAG can whitelist the app coming with this certificate. MAG itself is stateless and gets details about device credentials (certificate public key, enrollment status, compliance status, etc.) from the AirWatch Admin Console it is connected to.


How does the MAG work with existing AirWatch apps?

You can use the MAG in conjunction with the AirWatch Browser to provide secure internal browsing to intranet sites and web apps that reside within a corporate network. You can also use the MAG with the AirWatch Secure Content Locker to allow users to securely access content from an internal repository such as SharePoint or an internal file share. As files are added and updated within these content repositories, users will be granted access based on the existing access control lists for those areas.


How does the MAG enhance BYOD deployments?

The MAG enables you to enforce app tunneling on an app-by-app basis, which makes it a vital component for BYOD deployments. You can allow end-users with personal devices to launch business applications to access enterprise systems while keeping their personal applications separate by preventing enterprise access.


How does the MAG help admins track enterprise resource usage?

Administrators can view mobile access information from the AirWatch Admin Console, which enables them to identify at-risk devices and manage exceptions.


Does the MAG require its own server?

The MAG can be installed on a VM or physical server. It can also share the same server as the AirWatch Cloud Connector (ACC), so long as they use different ports.

