What is the AeroFS Private Cloud "Device Restriction" Subsystem and how do I configure it?

The AeroFS Private Cloud Device Restriction Subsystem grants IT administrators fine-grained control over which users and devices are permitted to run AeroFS desktop clients. This is done through the Device Restriction Endpoint, which the IT admin must implement and configure. Once configured, the endpoint receives an authorization request from the AeroFS appliance whenever a user tries to install AeroFS on a given desktop device. The endpoint must return a boolean true/false indicating whether or not this user should be permitted to complete the installation. If false is returned, the installation is aborted.

This subsystem should not be confused with AeroFS' end-to-end encryption and private certificate authority, which are always enabled and cannot be configured.

Implementing your Device Restriction Endpoint

Your endpoint must implement a RESTful interface which is defined as follows:

POST /device/v1.0/user//authorized
{
    "name": "",
    // IP Address as seen by the AeroFS Appliance.
    "ip": "",
    "os": {
        "family": "",
        "name": ""
    },
    "interfaces": [
        // Includes IP addresses as seen by the device itself.
        {"name": "",
         "ips": ["", "", ... ],
         "mac": "" },
        ...
    ],
    // Future enhancements go here...
}

Note that the body of this POST request is JSON-formatted data which describes the device. As shown, the name of the device, operating system information, and a list of network interfaces and IP addresses are provided.

For example,

POST /device/v1.0/user/matt@acme.com/authorized
{
    "name": "Matt Windows",
    "ip": "192.168.1.100",
    "os": {
        "family": "Windows",
        "name": "Windows XP Pro SP2"
    },
    "interfaces": [
        {"name": "en0",
         "ips": ["192.168.1.100"],
         "mac": "01:02:03:04:05:06" },
        {"name": "lo0",
         "ips": ["127.0.0.1", "0:0:0:0:0:0:0:1"],
         "mac": "" }
    ]
}

This endpoint must return:

  • 204 No Content: when the device is authorized
  • 401 Not Authorized: when the device is not authorized
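
A minimal endpoint that implements this interface is sketched below. It is an added example, not AeroFS code. The allow-list policy, the OS family strings other than "Windows", the body size cap, and the bind address and port are assumptions made for illustration. Anything it cannot parse is denied with 401, so the endpoint fails closed.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed policy (assumption): user -> MACs of devices issued to that user.
ALLOWED_DEVICES = {"matt@acme.com": {"01:02:03:04:05:06"}}
ALLOWED_OS_FAMILIES = {"Windows", "Mac OS X", "Linux"}  # assumed family strings
PATH_RE = re.compile(r"/device/v1\.0/user/([^/]+)/authorized")
MAX_BODY = 64 * 1024  # assumed upper bound on the size of a device description


def authorize(path, body):
    """Return 204 if the device may install AeroFS, otherwise 401 (fail closed)."""
    match = PATH_RE.fullmatch(path)
    if not match:
        return 401
    user = unquote(match.group(1)).lower()
    try:
        device = json.loads(body)
        os_ok = device["os"]["family"] in ALLOWED_OS_FAMILIES
        macs = {i["mac"].lower() for i in device["interfaces"] if i.get("mac")}
    except (ValueError, KeyError, TypeError, AttributeError):
        return 401  # malformed or incomplete device description: deny
    # At least one reported interface must belong to a device issued to this user.
    if os_ok and macs & ALLOWED_DEVICES.get(user, set()):
        return 204
    return 401


class DeviceRestrictionHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", ""))
        except ValueError:
            length = -1
        if 0 <= length <= MAX_BODY:
            status = authorize(self.path, self.rfile.read(length))
        else:
            status = 401  # missing, malformed or oversized Content-Length: deny
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind address and port are assumptions; terminate TLS in front of this service.
    HTTPServer(("127.0.0.1", 8080), DeviceRestrictionHandler).serve_forever()
```

The "interfaces" list is reported by the device itself, so a MAC match is an inventory check rather than proof of device identity; the top-level "ip" field is the address the appliance observed.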

Configuring your Device Restriction Endpoint

The AeroFS Device Restriction Service can be enabled and configured via the Private Cloud Appliance web administration console.