Mobile Access to IP-Restricted Instances
09-04-2024 11:22 PM
🌟 Mobile Access to IP-Restricted Instances 🌟
At times, customers face a challenge where they have IP restrictions on their ServiceNow instance, but they also want their employees to be able to access it through their personal devices for approving requests, etc. Guess what? ServiceNow does have an answer to this problem!
I've spoken about Adaptive Authentication 🔐 in the past, and once again, it's here to help us. Here’s how you can set it up:
Step-by-Step Guide to Enable Mobile Access for IP-Restricted Instances ✨
1. Enable the required properties
Start by enabling the following properties:
- glide.authenticate.auth.policy.enabled
- glide.authenticate.preauth.allow.trusted.device
2. Create an IP Filter Criteria ✅
Go to the Adaptive Authentication module and create an IP Filter criteria for your organization's allowed IPs.
3. Configure the Pre-Authentication Policy ✅
Open Pre-Authentication Policy Context.
Set the Default Policy to Allow Policy.
Open the Allow Policy record and add:
- The IP Filter criteria you created earlier.
- The out-of-the-box criteria called Trusted Mobile App.
4. Set Policy Conditions ✅
Under the Policy Conditions tab, set the following conditions:
- Trusted Mobile App is true, OR
- IP Criteria (the one created in step 2) is true.
5. Register Trusted Mobile Devices ✅
Employees need to navigate to their user profile and click the related link "Register a Trusted Mobile Device." Once this is done, they will be able to access the instance through their registered mobile device, even outside the allowed IP network.
What if a Device is Lost?
If an employee loses their device, an admin can navigate to the Device Registration table and mark that user's device as inactive. This step prevents any unauthorized access.
09-12-2024 08:07 AM
I have set this up but continue to get 403 errors. Support is telling me that my mobile device needs to be inside of the allowed IP range which doesn't make sense because the entire point is to allow trusted devices outside of the IP restriction. Any ideas as to why I would still be getting a 403?
12-17-2024 02:47 PM
I'm dealing with the same problem. SN HI support calls the requirement of Trusted Mobile App access from a non-trusted IP range a "customization".
It's what the OOTB documentation says it will do! Very frustrating.
We are currently trying to figure out how to enforce the 'Trusted Mobile Device' pre-auth context policy BEFORE 'Trusted IP'. No successful configuration yet.
12-17-2024 03:05 PM
The advice I received recently from ServiceNow is that you can register any mobile as a trusted device regardless of whether it is managed by MDM or MAM or not at all.
The registration process requires the user to have the Now app installed and scan a QR code which generates a shared secret on the device and records the relationship on the instance. Adaptive Auth has a pre-authentication context for IP Filter and Trusted Device, so as long as the device has been registered this way it will pass the pre-auth test so you then get directed to authenticate and login.
12-17-2024 03:35 PM
Andrew,
Thanks for responding. Currently my 'IP Address Access Controls' ['ip_access.list'] features hundreds of records with a 'Type' field value of "Allow" for specific trusted IPs. These "Allow" records are punching holes in the sole record with a 'Type' field value of "Deny", which is a range starting at 0.0.0.0 and ending at 255.255.255.255.
Our configuration is following the OOTB docs such as what you shared.
The issue our Trusted Mobile App users are currently experiencing is this: just as the Doc states at the beginning, "You must be in the trusted network to perform the trusted device registration.", anyone whose mobile device is not on an explicitly "Allowed" IP cannot ping the instance despite their "Trusted Mobile App".
This is why we are currently attempting to implement a methodology of configuring the 'Policy Conditions' of our instance's 'Pre-Authentication Policy Context' so that the "Trusted Mobile App" is checked BEFORE the "Trusted IP" check. There is indeed an 'order' field on the 'Policy Conditions' table, but we have so far had no luck with this.
Any recommendations or guidance is greatly appreciated here.
Thanks.
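To reason about the two gates discussed in this thread (the instance-level IP Address Access Controls list with its deny-all range and "Allow" holes, and the Adaptive Authentication Allow Policy condition "Trusted Mobile App OR IP criteria" from the original post), here is an added Python model. It is not ServiceNow code and does not reproduce the platform's actual evaluation logic; the assumptions that an Allow range overrides an overlapping Deny range and that the IP access list can be enforced independently of the pre-authentication policy are the model's own, used only to show how the reported 403 can arise for a registered device outside every allowed range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IpAccessRecord:
    """One row modelled on ip_access.list: a Type of Allow or Deny and a start/end range."""
    kind: str   # "Allow" or "Deny"
    start: str
    end: str

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.start) <= addr <= ipaddress.ip_address(self.end)


# Constructed sample list: one deny-all range plus a few Allow "holes", as described in the thread.
IP_ACCESS_LIST = [
    IpAccessRecord("Deny", "0.0.0.0", "255.255.255.255"),
    IpAccessRecord("Allow", "203.0.113.10", "203.0.113.20"),
    IpAccessRecord("Allow", "198.51.100.0", "198.51.100.255"),
]


def ip_access_allows(ip: str, records=IP_ACCESS_LIST) -> bool:
    """Assumed semantics: a matching Allow range wins over a matching Deny range."""
    matches = [r for r in records if r.contains(ip)]
    if any(r.kind == "Allow" for r in matches):
        return True
    return not any(r.kind == "Deny" for r in matches)


def pre_auth_policy_allows(ip: str, trusted_mobile_app: bool, records=IP_ACCESS_LIST) -> bool:
    """Allow Policy condition from the post: Trusted Mobile App is true OR IP criteria is true.
    The same allowed ranges stand in for the IP Filter criteria here (assumption)."""
    return trusted_mobile_app or ip_access_allows(ip, records)


def access_decision(ip: str, trusted_mobile_app: bool, ip_access_enforced: bool = True) -> str:
    """Combine both gates. If the IP access list is enforced on its own before Adaptive Auth
    (assumption), a registered device on an unlisted IP is rejected there, whatever the policy says."""
    if ip_access_enforced and not ip_access_allows(ip):
        return "403: blocked by IP Address Access Controls"
    if not pre_auth_policy_allows(ip, trusted_mobile_app):
        return "denied: pre-authentication policy"
    return "proceed to authentication"
```

Running access_decision with ip_access_enforced set to False shows the outcome the original post expects, where the Trusted Mobile App criterion alone lets an off-network device through to login.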