Mobile Device Management Workflow

Bitdefender GravityZone provides full visibility into organizations' overall security posture, global security threats, and control over its security services that protect virtual or physical desktops, servers and mobile devices. All Bitdefender Enterprise Security solutions are managed within GravityZone through a single console, Control Center, which provides control, reporting, and alerting services for various roles within the organization.

GravityZone Security for Mobile Devices ensures the management of the enterprise-owned or personally-owned mobile devices used within the company. From the GravityZone Control Center, you can send remote tasks (lock, unlock, scan, locate and wipe), enforce security policies and get notifications regarding the security issues for each managed mobile device.

This article explains how the synchronization between GravityZone and managed mobile devices works. An overview on GravityZone Mobile Device Management components and prerequisites for using the Mobile Device Security service is also available.

Security for Mobile Devices Prerequisites

To manage mobile devices from GravityZone Control Center, the following conditions must be satisfied:

  • Configure Communication Server with a public (external) address
  • Add the iOS Management Certificates to the Control Center root account:
    • Communication Server Certificate, needed to secure communication between the Communication Server and iOS mobile devices.
    • Apple MDM Push certificate, required to ensure secure communication between the Communication Server and the Apple Push Notifications service (APNs) servers when sending push notifications.
    • iOS MDM Identity and Profile Signing certificate, used by the Communication Server to sign identity certificates and configuration profiles sent to mobile devices.
    • iOS MDM Trust Chain Certificates, needed to ensure that iOS mobile devices trust the Communication Server certificate and the iOS MDM Identity and Profile Signing certificate.
  • Add mobile devices to users in Control Center. Supported mobile devices:
    • Apple iPhones and iPad tablets (iOS 5.1+)
    • Google Android smartphones and tablets (2.2+)
  • Install and activate GravityZone Mobile Client on mobile devices.
  • Mobile devices must have a cellular data signal or Wi-Fi connection and connectivity with the Communication Server.
    Note: If your company uses a firewall that restricts Internet traffic, you must configure it to allow connectivity with the GCM / APN services.
  • iOS devices require a direct internet connection to receive push notifications from Apple's server. iOS devices cannot connect to Apple Push Notification service using a Wi-Fi network with a proxy server.
  • For Android devices to communicate with Google Cloud Messaging (GCM) service:
    • Google Play Store must be installed
    • Devices running a version lower than Android 4.0.4 must also have at least one logged-in Google account
  • A number of ports must be open for sending push notifications.

Mobile Device Management Components

  1. GravityZone
    • Control Center. A web-based dashboard and unified management console that provides full visibility into the organization's overall security posture, global security threats, and control over its security services.
    • Communication Server. GravityZone role that handles communication with managed mobile devices. Communication with iOS devices is performed via a dedicated plugin called MDM Server.
    • GravityZone Mobile Client, exclusively distributed via Apple App Store and Google Play.
  2. Mobile Device Notification Services
    • Google Cloud Messaging (GCM) service for Android devices.
    • Apple Push Notification Service (APNs) for iOS devices.
  3. Mobile Devices
    • Android devices.
    • iOS devices.

Communication Workflow

The following diagram describes the communication flow between Control Center and managed mobile devices:

GravityZone Mobile Device Management Workflow

Push notifications are synchronization requests, used to prompt devices to connect to GravityZone Communication Server to get policy updates and tasks. Push notifications do not include the policy update or task; they only inform the device that it must connect to GravityZone Control Center.

Normally, the synchronization of mobile devices with Communication Server is done automatically through the Push Notifications mechanism. The user can also manually synchronize the mobile device with Communication / MDM Server by tapping the Synchronize button in GravityZone Mobile Client.

If your company uses a firewall that restricts internet traffic, you will need to open the required ports to allow connectivity to Google / Apple notification services.

GravityZone Mobile Client can also start the synchronization with the Communication Server (without receiving any Push Notification) to communicate significant changes or events, in the following situations:

  • Manual profile change
  • Device administrator change
  • Accessing webpages blacklisted by policy (web security alert)
  • Lock screen password required by policy not changed on due date
  • Malware not removed after one hour
  • USB debugging status change
  • Manual scan results

Communication workflow for Android Devices

  1. A task or policy update is sent from Control Center to the mobile device.
  2. Communication Server sends a push notification to the device via Google Cloud Messaging service.
  3. When the notification arrives, the Android system informs GravityZone Mobile Client to synchronize with Communication Server.
    • GravityZone Mobile Client is not required to run to receive push notifications. The Android system wakes up GravityZone Mobile Client as soon as the notification arrives.
    • If the device is offline, it will receive notifications from GCM as soon as it gets back online.
  4. GravityZone Mobile Client connects to Communication Server to receive data.
  5. The device sends the task status to Communication Server.
  6. The task status is updated in Control Center. Any encountered errors are displayed in the task status.

Any change affecting the device compliance is immediately detected and sent to Communication Server by GravityZone Mobile Client. If the device is offline, GravityZone Mobile Client retries every minute to send the compliance changes information to Communication Server, until the device gets back online.
In addition to synchronizations triggered by push notifications, Mobile Client automatically synchronizes with the Communication Server every 3 hours. The automatic synchronization ensures all tasks and policy updates get applied even if some push notifications are lost.
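To make the timing rules of the Android workflow concrete, here is a small discrete-time model of it (an added illustration, not Bitdefender's code): a push carries no payload and only triggers a sync, a lost push is recovered by the 3-hour automatic sync, and a compliance report made while offline is retried every minute until the device is back online. The class and method names are assumptions made for this example.

```python
from dataclasses import dataclass, field

PERIODIC_SYNC_MIN = 3 * 60  # Mobile Client auto-syncs every 3 hours
RETRY_MIN = 1               # offline compliance reports retried every minute

@dataclass
class CommunicationServer:
    pending: list = field(default_factory=list)     # tasks waiting for the device
    status: dict = field(default_factory=dict)      # task -> status in Control Center
    compliance: list = field(default_factory=list)  # compliance reports received

    def queue_task(self, task, client, push_delivered=True):
        # Control Center queues the task; a GCM push (no payload) wakes the client.
        self.pending.append(task)
        self.status[task] = "pending"
        if push_delivered:  # a lost push leaves the task pending until the next sync
            client.on_push()

@dataclass
class MobileClient:
    server: CommunicationServer
    online: bool = True
    now: int = 0        # simulated clock, in minutes
    last_sync: int = 0
    unsent_compliance: list = field(default_factory=list)

    def on_push(self):  # the push only says "connect now"; data comes from the sync
        self.sync()

    def sync(self):
        # Fetch pending tasks, report their status, flush queued compliance reports.
        if not self.online:
            return False
        for task in list(self.server.pending):
            self.server.pending.remove(task)
            self.server.status[task] = "done"
        self.server.compliance.extend(self.unsent_compliance)
        self.unsent_compliance.clear()
        self.last_sync = self.now
        return True

    def compliance_change(self, event):
        # Sent immediately; if offline, tick() retries it every minute.
        self.unsent_compliance.append(event)
        self.sync()

    def tick(self, minutes=1):
        # Advance the clock, applying the retry and the 3-hour periodic-sync rules.
        for _ in range(minutes):
            self.now += 1
            if self.unsent_compliance and self.now % RETRY_MIN == 0:
                self.sync()
            if self.now - self.last_sync >= PERIODIC_SYNC_MIN:
                self.sync()
```

Queue a task with `push_delivered=False` and advance the clock to see the task stay pending until the 180-minute automatic sync picks it up.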

Communication workflow for iOS Devices

  1. A task or policy update is sent from Control Center to the mobile device.
  2. MDM server sends a push notification to the device via Apple Push Notification service.
  3. When the notification arrives, iOS is asked to synchronize with MDM Server.
    • GravityZone Mobile Client is not required to run to receive push notifications.
    • If the device is offline, it will receive notifications from Apple Push Notification service as soon as it gets back online.
  4. The device's operating system (iOS) connects to MDM server to receive data.
  5. The device sends the task status to MDM Server.
  6. The task status is updated in Control Center. Any encountered errors are displayed in the task status.

Note: In addition to synchronization requests following a task or policy update in Control Center, MDM Server also sends synchronization requests automatically every three hours. The automatic synchronization ensures all tasks and policy updates get applied even if some push notifications are lost. Moreover, the periodic communication is used to perform password validity checks and application auditing (a planned feature).
