Mobile Security
Overview
Understanding Compliance Status for mobile devices
This section explains how mobile devices become non-compliant against GravityZone security rules and the actions you can take in such situations.
Once the GravityZone Mobile Client application has been activated on a mobile device, Control Center checks if the corresponding device meets all the security compliance requirements.
Mobile devices can have the following security statuses:
Without Security Issues, when all compliance requirements are satisfied.
With Security Issues, when at least one of the compliance requirements is not satisfied.
Non-compliance criteria
A device is declared non-compliant in the following situations:
Android devices:
Device is rooted.
GravityZone Mobile Client is not Device Administrator.
USB Debugging is enabled.
Malware is not removed within one hour after detection.
Policy is not satisfied:
The user does not set the lock screen password within 24 hours after the first notification.
The user does not change the lock screen password at the specified time.
The user does not activate device encryption within seven days after the first notification.
iOS devices:
Device is jailbroken.
GravityZone Mobile Client is uninstalled from the mobile device.
Policy is not satisfied:
The user does not set the lock screen password within 24 hours after the first notification.
The user does not change the lock screen password at the specified time.
Default action when the device is non-compliant
When a device is declared non-compliant, the user is prompted to fix the non-compliance issue. The user must make the required changes within a specific time period, otherwise the selected action for non-compliant devices will be applied (Ignore, Deny access, Lock, Wipe or Unlink). You can change the action for non-compliant devices in the policy at any time. The new action is applied to non-compliant devices once the policy is saved.
From the menu corresponding to each device ownership type select the action to be taken when a device is declared non-compliant:
Ignore. Only notifies the user that the device does not comply with the mobile device usage policy.
Deny Access. Blocks the device access to corporate networks by deleting the Wi-Fi and VPN settings, but keeping all the other settings defined in policy. Blocked settings are restored as soon as the device becomes compliant.
Lock. Immediately locks the device screen.
On Android, the screen is locked with a password generated by GravityZone. If the user already has a lock screen password, this will be automatically changed.
On iOS, if the device has a lock screen password, it is asked in order to unlock.
Wipe. Restores the factory settings of the mobile device, permanently erasing all user data.
Unlink. The device is immediately removed from the network.
Configuration
Adding an Apple MDM Push certificate in Control Center
This section explains how you can obtain and add an Apple MDM Push certificate in Control Center.
Introduction
Apple requires an MDM Push certificate to ensure secure communication between the Communication Server and the Apple Push Notifications service (APNs) when sending push notifications. Push notifications are used to prompt devices to connect to the Communication Server when new tasks or policy changes are available.
The Apple MDM Push certificate is valid for one year only. When the certificate is about to expire, you must renew it and import the renewed certificate in Control Center. If you allow the certificate to expire, you must create a new one and reactivate all your devices.
You need an Apple ID to obtain and manage the certificate. If you do not have an Apple ID, you can create one on My Apple ID webpage. Use a generic and not an employee's email address to register for the Apple ID, as you will need it later to renew the certificate.
Note
Apple website does not work properly on Internet Explorer. We recommend using the latest versions of Safari or Chrome.
Adding the Apple MDM Push certificate
Control Center provides a wizard to help you easily obtain and import the required Apple MDM Push certificate. Follow these steps:
Log in to Control Center using a Company Administrator account or a custom account with Manage Solution right.
Go to the Configuration > Certificates page.
Click the certificate name and follow the wizard as described below:
Step 1 - Obtain a Certificate Signing Request signed by Bitdefender
Select the appropriate option:
I need to generate a certificate signing request signed by Bitdefender(Recommended)
Enter your company name, your full name and email address in the corresponding fields.
Click Generate to download the CSR file signed by Bitdefender.
I already have a certificate signing request and I need to get it signed by Bitdefender
Upload your CSR file and the associated private key by clicking the Add button next to their fields.
The Communication Server needs the private key when authenticating with the APNs servers.
Specify the password protecting the private key, if any.
Click the Sign button to download the CSR file signed by Bitdefender.
Step 2 - Request a push certificate from Apple
Click the Apple Push Certificates Portal link and sign in using your Apple ID and password.
Click the Create a Certificate button and accept the Terms of Use.
Click Choose file, select the CSR file and then click Upload.
Note
You may find the Choose file button with a different name such as Choose or Browse, depending on the browser you use.
From the confirmation page, click the Download button to receive your MDM Push certificate.
Go back to the wizard from Control Center.
Step 3 - Import the Apple push certificate
Click the Add Certificate button to upload the certificate file from your computer. You may check the certificate details in the field below.
Click Save.
Related articles
Creating a Certificate Signing Request (CSR) on Windows Server and Mac
This section explains how to create a Certificate Signing Request on Windows Server and Mac, and how to obtain the private key associated to the CSR.
Apple requires an MDM Push certificate to ensure secure communication between the GravityZone Communication Server and the Apple Push Notifications service (APNs) when sending push notifications to iOS devices.
To obtain an Apple MDM Push certificate, you need a Certificate Signing Request (CSR) that you can create on Windows Server or on Mac.
To create a CSR on Windows Server:
Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
Select the server name from the left-side panel.
In the center panel, double-click Server Certificates.
In the Actions menu from the right-side, click Create Certificate Request.
In the Distinguished Name Properties window, complete the following fields:
Common name – the fully qualified domain name (FQDN) or the URL for which you want to use the certificate.
Organization – the name under the company is legally registered. Example: MyCompany, Ltd.
Organizational unit – the department of the company for which you use the certificate. Example: IT.
City/locality – the full name of the city where the company is located. Do not abbreviate.
State/province – the full name of the state or province where your company is located.
Country/region – the two-letter ISO-format country code where your company is located. Examples: US (United States of America), GB (United Kingdom), DE (Germany) etc.
Click Next.
In the Cryptographic Service Provider Propertieswindow, select the following:
Cryptographic service provider: Microsoft RSA SChannel
Bit length: 2048
Click Next.
In the File Name window, select the location for saving the CSR and enter a name.
Click Finish.
Your CSR is created as a .txt file.
Next, you need to obtain the private key associated to the CSR:
Open the Microsoft Management Console (mmc).
Go to File > Add/Remove Snap-in.
Double-click Certificates in the list of snap-ins.
Select Computer account and click Next.
Select Local computer and click Finish.
Click OK to populate the snap-in.
Go to Console Root > Certificates > Certificate Enrollment Requests.
Right-click the desired CSR and click All Tasks > Export.
In the Certificate Export Wizard, click Next.
Choose Yes, export the private key and click Next.
Select Personal Information Exchange – PKCS #12 and click Next.
Enter a password to protect your private key and click Next.
Choose where to save the private key and click Next.
Click Finish.
The private key is exported as a .pfx file.
To create a CSR on Mac:
Go to Applications > Utilities > Keychain Access.
Select login from the left sidebar and Certificates from the category.
In the Keychain Access menu, go to Certificate Assistant > Request a Certificate from a Certificate Autority.
Enter an email address and name for the certificate and select Saved to disk.
Note
You do not need a CA Email address for the Saved to disk option.
Click Continue.
Select a location for the CSR file and click Save.
Your CSR is created as a .certSigningRequest file.
Next, you need to obtain the private key associated to the CSR:
Go to Applications > Utilities > Keychain Access.
Select login from the left sidebar and Certificates from the category.
In the list, click to expand the left arrow for the desired certificate. You will see the associated private key.
Right-click the private key and select Export.
Save the file in the .p12 format.
Enter a password to protect the private key and click OK.
The private key is exported as a .p12 file, which is the same format as .pfx.
Once you have the CSR, you can get it signed by Bitdefender and add the Apple MDM Push certificate in the GravityZone Control Center. For details, refer to Adding an Apple MDM Push certificate in Control Center.
Renewing the Apple MDM Push certificate
This section explains how you can renew the Apple MDM Push certificate and update it in Control Center.
To renew the Apple MDM certificate and update it in Control Center:
Log in to Control Center using a Company Administrator account or a custom account with Manage Solution right.
Go to the Configuration > Certificates page.
Click the certificate name to open the import wizard.
First, you need to obtain a Certificate Signing Request (CSR) signed by Bitdefender. Select the appropriate option and follow the corresponding steps:
I need to generate a certificate signing request signed by Bitdefender(Recommended)
Enter your company name, your full name and email address in the corresponding fields.
Click Generate to download the CSR file signed by Bitdefender.
I already have a certificate signing request and I need to get it signed by Bitdefender
Upload your CSR file and the associated private key by clicking the Add button next to their fields.
The Communication Server needs the private key when authenticating with the APNs servers.
Specify the password protecting the private key, if any.
Click the Sign button to download the CSR file signed by Bitdefender.
Click the Apple Push Certificates Portal link and sign in with the same Apple ID used to create the certificate.
Note: Apple website does not work properly on Internet Explorer. We recommend using the latest versions of Safari or Chrome.
Locate the MDM Push certificate for Bitdefender and click the corresponding Renew button.
If you have several certificates for Bitdefender, to make sure you renew the right certificate:
Go to Control Center and close the wizard.
Select the Apple MDM Push certificate and copy the Common Name to a text file.
Go back to Apple Push Certificates Portal.
For each certificate from Bitdefender, click the
Certificate info icon and compare the CN with the Common Name copied from Control Center.
Click Choose file, select the CSR file and then click Upload.
Note: You may find the Choose file button with a different name such as Choose or Browse, depending on the browser you use.
Click Download to save the certificate to your computer.
Go back to the wizard from Control Center and click the Add Certificate button to upload the certificate file from your computer.
You may check the certificate details in the field below.
Click Save.
To verify the certificate renewal, run a Lock task on a managed Apple device.
Related articles
Operation
Mobile device policies
Policy settings can be initially configured when creating the policy. Later on, you can change them as needed anytime you want.
To configure the settings of a policy:
Go to the Policies page.
Choose Mobile Devices from the views selector.
Click the policy name. This will open the policy settings page.
Configure the policy settings as needed. Settings are organized under the following categories:
You can select the settings category using the menu from the left-side of the page.
Click Save to save changes and apply them to the target mobile devices. To leave the policy page without saving changes, click Cancel.
General
The General category contains descriptive information regarding the selected policy.
The Details page shows general policy details:
Policy name
User who created the policy
Date and time when the policy was created
Date and time when the policy was last modified
You can rename the policy by entering the new name in the corresponding field. Policies should have suggestive names so that you or other administrator can quickly identify them.
Note
By default, only the user who created the policy can modify it. To change that, the policy owner must check the option Allow other users to change this policy from the policy’s Details page.
Device management
Device management settings allows defining the security options for mobile devices, the screen locking with password and also several profiles for each mobile device policy.
The settings are organized into the following sections:
In this section you can configure various security settings for mobile devices, including antimalware scans for Android devices, management of rooted or jailbroken devices or the action to be taken on non-compliant devices.
Important
The antimalware scanning is performed in the cloud, therefore the mobile devices must have Internet access.
Select Scan applications on install if you want to perform a scanning when new applications are installed on the managed mobile devices.
Select Scan storage on mount if you want to perform a scanning of each storage device when it’s mounted.
Warning
If malware is found, the user is prompted to remove it.
If the user does not remove detected malware within one hour after detection, the mobile device is declared non-compliant and the selected non-compliance action is automatically applied (Ignore, Deny Access, Lock, Wipe or Unlink).
Select Require device encryption to prompt the user to activate the encryption feature available in the Android OS. Encryption protects the data stored on Android devices, including accounts, settings, downloaded applications, media and other files, from unauthorized access. Encrypted data can be accessed from external devices only by providing the unlock password.
Important
Device encryption is available for Android 3.0 or later. Not all device models support encryption. Check the Mobile Device Details window for encryption support information.
Encryption might impact device performance.
Warning
Device encryption is irreversible and the only way to revert to the unencrypted state is to wipe the device.
Users should back up their data before activating device encryption.
Users must not interrupt the encryption process or they will lose some or all of their data.
If you enable this option, GravityZone Mobile Client displays a persistent issue informing the user to activate encryption. The user must tap the Resolve button to proceed to the encryption screen and start the process. If encryption is not activated within seven days after the notification, the device will become non-compliant.
To enable encryption on an Android device:
The battery must be above 80% charged.
The device must be plugged-in until encryption is completed.
The user must set an unlock password meeting the complexity requirements.
Note
Android devices use the same password for unlocking the screen and for unlocking encrypted content.
Encryption requires password, PIN or FACE to unlock the device, disabling the other screen lock settings.
The encryption process can take an hour or more, during which the device may restart several times.
You can check the storage encryption status for each mobile device in the Mobile Device Details window.
Android devices in USB debugging mode can be connected to a PC through a USB cable, allowing advanced control over their apps and operating system. In this case, the mobile devices' security may be at risk.
Enabled by default, the USB debugging protection option prevents using devices in the USB debugging mode. If the user activates USB debugging, the device automatically becomes non-compliant and the non-compliance action is taken. If the non-compliance action is Ignore, the user is notified about the unsafe setting.
Nevertheless, you can disable this option for mobile devices that require working in USB debugging mode (such as mobile devices used for developing and testing mobile apps).
Select Web Security to enable web security features on Android devices.
Web Security scans in-the-cloud each accessed URL, then returns a security status to GravityZone Mobile Client. The URL security status can be: clean, fraud, malware, phishing or untrusted.
GravityZone Mobile Client can take a specific action based on the URL security status:
Block phishing web pages. When the user tries to access a phishing website, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.
Block web pages containing malware or exploits. When the user tries to access a website spreading malware or web exploits, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.
Block web pages used in scams or frauds. Extends protection to other types of scams besides phishing (for example fake escrows, fake donations, social media threats and so on). When the user tries to access a fraudulent web page, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.
Warn user about untrusted web pages. When the user is accessing a website that was previously hacked for phishing purposes or recently promoted through spam or phishing emails, a warning pop-up message will be displayed, without blocking the web page.
Important
Web Security features work only up to Android 5, and only with Chrome and the built-in Android browser.
Considered a security risk for corporate networks, rooted or jailbroken devices are automatically declared non-compliant.
Select Allow management of rooted or jailbroken devices if you want to manage rooted or jailbroken devices from Control Center.
Because such devices are by default non-compliant, they are automatically applied the selected non-compliance action as soon as they are detected. Therefore, to be able to apply them the policy security settings or to run tasks on them, you must set the non-compliance action to Ignore.
If you clear the Allow management of rooted or jailbroken devices check box, you automatically unlink rooted or jailbroken devices from the GravityZone network. In this case, the GravityZone Mobile Client application prompts a message stating the device is rooted / jailbroken.
The user can tap the OK button, which redirects to the registration screen. As soon as the device is unrooted / unjailbroken, or the policy is set to allow the management of rooted / jailbroken devices, it can be re-enrolled (with the same token for Android devices / with a new token for iOS devices).
You can configure specific actions to be taken automatically on devices detected as non-compliant based on device ownership (enterprise or personal).
Note
When adding a new device in Control Center, you are prompted to specify the device ownership (enterprise or personal). This will allow GravityZone to manage personal and enterprise mobile devices separately.
A device is declared non-compliant in the following situations:
Android devices
Device is rooted.
GravityZone Mobile Client is not Device Administrator.
Malware is not removed within one hour after detection.
Policy not satisfied:
The user does not set the lock screen password within 24 hours after the first notification.
The user does not change the lock screen password at the specified time.
The user does not activate device encryption within seven days after the first notification.
USB debugging mode is activated on the device while USB debugging protection policy option is enabled.
iOS devices
Device is jailbroken.
GravityZone Mobile Client is uninstalled from the mobile device.
Policy not satisfied:
The user does not set the lock screen password within 24 hours after the first notification.
The user does not change the lock screen password at the specified time.
When a device is declared non-compliant, the user is prompted to fix the non-compliance issue.
The user must make the required changes within a specific time period, otherwise the selected action for non-compliant devices will be applied (Ignore, Deny access, Lock, Wipe or Unlink).
You can change the action for non-compliant devices in the policy at any time.
The new action is applied to non-compliant devices once the policy is saved.
Select from the menu corresponding to each device ownership type the action to be taken when a device is declared non-compliant:
Ignore.
Only notifies the user that the device does not comply with the mobile device usage policy.
Deny Access.
Blocks the device access to corporate networks by deleting the Wi-Fi and VPN settings, but keeping all the other settings defined in policy.
Blocked settings are restored as soon as the device becomes compliant.
Important
When Device Administrator is disabled for GravityZone Mobile Client, the device becomes non-compliant and is automatically applied the Deny Access action.
Lock.
Immediately locks the device screen.
On Android, the screen is locked with a password generated by GravityZone only if there is no lock protection configured on the device.
This will not override an already configured lock screen option such as Pattern, PIN, Password, Fingerprint or Smart Lock.
On iOS, if the device has a lock screen password, it is asked in order to unlock.
Wipe.
Restores the factory settings of the mobile device, permanently erasing all user data.
Note
Wipe does not currently erase data from mounted devices (SD cards).
Unlink.
The device is immediately removed from the network.
Note
To re-enroll a mobile device to which the Unlink action has been applied, you must add the device again in Control Center.
The device must then be re-registered with the new activation token.
Before re-enrolling the device, make sure the conditions that lead to the device being unlinked are no longer present or change the policy settings so as to allow the management of the device.
In this section you can choose to activate the screen locking with password feature available in the mobile devices OS.
If this feature has been enabled, an on-screen notification prompts the user to define a lock screen password. The user must enter a password that complies with the password criteria defined in the policy.
Once the password has been set by the user, all notifications regarding this issue are cleared. A message prompting to enter the password is displayed at each attempt to unlock the screen.
Note
If the user does not set a password when prompted, the device can be used without a lock screen password up to 24 hours after the first notification. During this time, a message asking the user to enter a lock screen password is prompted every 15 minutes on the screen.
Warning
If the user does not set a password within 24 hours after the first notification, the mobile device becomes non-compliant and the selected action for non-compliant devices will be applied.
To configure the lock screen password settings:
Select the Screen locking with password check box.
Click the password security level that best suits your needs (Aggressive, Normal or Permissive). Use the description on the right side of the scale to guide your choice.
For advanced configuration, select the Custom protection level and then click the Settings link.
Note
To view the password configuration requirements of a predefined security level, select that level and click the Settings link. If you modify any option, the password security level will automatically change to Custom.
Type
You can require the password to be Simple or Complex. Password complexity criteria are defined within the mobile device OS.
On Android devices, complex passwords must contain at least one letter, one digit and one special character.
Note
Complex passwords are supported on Android 3.0 or later.
On iOS devices, complex passwords do not allow sequential or repeated characters (such as abcdef, 12345 or aaaaa, 11111).
Depending on the selected option, when the user sets the lock screen password, the operating system checks and prompts the user if the required criteria are not met.
Require alphanumeric value
Require the password to contain both letters and numbers.
Minimum length
Require the password to contain a minimum number of characters, which you specify in the corresponding field.
Minimum number of complex characters
Require the password to contain a minimum number of non-alphanumerical characters (such as @, # or $), which you specify in the corresponding field.
Expiration period (months)
Force the user to change the lock screen password at a specified interval (in months).
For example, if you enter 3, the user will be prompted to change the lock screen password every three months.
Note
On Android, this feature is supported in version 3.0 or later.
History restriction (previous passwords)
Select or enter a value in the corresponding field to specify the number of last passwords that cannot be reused.
For example, if you enter 4, the user cannot reuse a password that matches one of the last four used passwords.
Note
On Android, this feature is supported in version 3.0 or later.
Maximum number of failed attempts
Specify how many times the user is allowed to enter an incorrect password.
Note
On iOS devices, when this number is greater than 6: after six failed attempts, a time delay is imposed before the user can enter the password again.
The time delay increases with each failed attempt.
Warning
If the user exceeds the maximum number of failed attempts to unlock the screen, the device will be wiped (all data and settings will be erased).
Auto-lock after (min)
Set the period of inactivity (in minutes) after which the device is automatically locked.
Note
The iOS devices have a predefined list for auto-lock time and do not allow custom values. When assigning a policy with an incompatible auto-lock value, the device enforces the next more restrictive time period available in the list. For example, if the policy has auto-lock set at three minutes, the device will automatically lock after two minutes of inactivity.
When you modify the policy, if you choose a higher security level for the lock screen password, users will be prompted to change the password according to the new criteria.
If you clear the Screen locking with password option, users will regain full access to the lock screen settings on their mobile device.
The existing password remains active until the user decides to change or remove it.
In this section you can create, modify and delete usage profiles for mobile devices.
Usage profiles help you push Wi-Fi and VPN settings and enforce web access control on managed mobile devices.
You can configure one or several profiles, but only one can be active at a time on a device.
If you configure only one profile, that profile is automatically applied to all devices the policy is assigned to.
If you configure several profiles, the first in the list is automatically applied to all devices the policy is assigned to.
Mobile device users can view the assigned profiles and the settings configured for each profile in the GravityZone Mobile Client application. Users cannot modify existing settings in a profile, but they can switch between profiles if several are available.
Note
Profile switching requires Internet connectivity.
To create a new profile:
Click the
Add button at the right side of the table. The profile configuration page is displayed.Configure the profile settings as needed. For detailed information, refer to:
Click Save. The new profile is added to the list.
To delete one or several profiles, select their corresponding check boxes and click the 
Delete button at the right side of the table.
To modify a profile, click its name, change settings as needed and click Save.
The Details page contains general information regarding the profile:
Name.
Enter the desired profile name. Profiles should have suggestive names so that you or other administrator can quickly identify them.
Description.
Enter a detailed profile description. This option may help administrators easily identify a profile from several others.
In this section you can specify the settings of one or several Wi-Fi and VPN networks. The VPN settings are available only for iOS devices.
Important
Before defining the Wi-Fi and VPN connections, make sure you have all the necessary information at hand (passwords, proxy settings etc.).
The mobile devices assigned with the corresponding profile will automatically connect to the defined network, when it is in range. You can set the priority when several networks are created, taking into account that only one network can be used at a time. When the first network is not available, the mobile device will connect to the second one, and so on.
To set the networks priority:
Select the check box of the desired network.
Use the priority buttons at the right side of the table:
Click the
Up button to promote the selected network.Click the
Down button to demote it.
You can add as many Wi-Fi networks as you need.
To add a Wi-Fi network:
In the Wi-Fi section, click the
Add button at the right side of the table.A configuration window is displayed.
Under the General tab, you can configure the details of the Wi-Fi connection:
Name (SSID).
Enter the name of the new Wi-Fi network.
Security.
Select the option corresponding to the Wi-Fi network security level:
None.
Choose this option when the Wi-Fi connection is public (no credentials required).
WEP.
Choose this option to set a Wireless Encryption Protocol (WEP) connection. Enter the required password for this type of connection in the corresponding field displayed below.
WPA/WPA2 Personal.
Choose this option if the Wi-Fi network is secured using Wi-Fi Protected Access (WPA). Enter the required password for this type of connection in the corresponding field displayed below.
Under the TCP/IP you can configure the TCP/IP settings for the Wi-Fi connection.
Each Wi-Fi connection can use IPv4 or IPv6 or both.
Configure IPv4.
If you want to use the IPv4 method, select the IP assignment method from the corresponding menu:
DHCP: if the IP address is assigned automatically by a DHCP server.
If needed, provide the DHCP Client ID in the subsequent field.
Disabled: select this option if you do not want to use the IPv4 protocol.
Configure IPv6.
If you want to use the IPv6 method, select the IP assignment method from the corresponding menu:
DHCP: if the IP address is assigned automatically by a DHCP server.
Disabled: select this option if you do not want to use the IPv6 protocol.
DNS Servers.
Enter the address of at least one DNS server for the network.
Under the Proxy tab, configure the proxy settings for the Wi-Fi connection. Select the desired proxy configuration method from the Type menu:
Off.
Choose this option if the Wi-Fi network has no proxy settings.
Manual.
Choose this option to manually specify the proxy settings. Enter the hostname of the proxy server and the port on which it listens for connections. If the proxy server requires authentication, select the Authentication check box and provide the user name and the password in the subsequent fields.
Automatic.
Choose this option to retrieve the proxy settings from a Proxy Auto-Configuration (PAC) file published in the local network. Enter the PAC file address in the URL field.
Click Save.
The new Wi-Fi connection is added to the list.
You can add as many VPNs as you need.
To add a VPN:
In the VPN for iOS section, click the
Add button at the right side of the table. A configuration window is displayed.Define the VPN settings in the VPN Connection window:
Click Save. The new VPN connection will be added to the list.
General:
Name
Enter the name of the VPN connection.
Encryption
The available authentication protocol for this connection type is IPSec, which requires user authentication by password and machine authentication by shared secret.
Server
Enter the VPN server address.
User
Enter the VPN user name.
Password
Enter the VPN password.
Group Name
Enter the group name.
Secret
Enter the pre-shared key.
Proxy:
In this section you can configure the proxy settings for the VPN connection. Select the desired proxy configuration method from the Type menu:
Off
Choose this option if the VPN connection has no proxy settings.
Manual
This option allows you to manually specify the proxy settings:
Server: enter the proxy host name.
Port: enter the proxy port number.
If the proxy server requires authentication, select the Authentication check box and provide the user name and the password in the subsequent fields.
Automatic
Select this option to retrieve the proxy settings from a Proxy Auto-Configuration (PAC) file published in the local network. Enter the PAC file address in the URL field.
To delete one or several networks, select their corresponding check boxes and click the Delete button at the right side of the table. To modify a network, click its name, change settings as needed and click Save.
In this section you can configure the web access control for Android and iOS devices.
Enable this option to filter web access for Chrome and the built-in Android browser. You can set time restrictions on web access and also explicitly allow or block access to specific web pages.
The web pages blocked by Web Access Control are not displayed in the browser. Instead, a default web page is displayed informing the user that the requested web page has been blocked by Web Access Control.
You have three configuration options:
Select Allow to always grant web access.
Select Block to always deny web access.
Select Schedule to enable time restrictions on web access upon a detailed schedule.
Either if you choose to allow or block the web access, you can define exclusions to these actions for entire web categories or only for specific web addresses.
Click Settings to configure your web access schedule and exclusions.
To restrict Internet access to certain times of day on a weekly basis:
Select from the grid the time intervals during which you want Internet access to be blocked.
You can click individual cells, or you can click and drag to cover longer periods. Click again in the cell to reverse the selection.
To start a new selection, click Allow All or Block all, depending on the type of restriction you wish to implement.
Click Save.
You can also define web rules to explicitly block or allow certain web addresses, overriding the existing Web Access Control settings. Users will be able, for example, to access a specific webpage also when the web browsing is blocked by Web Access Control.
To create a web rule:
Select Use exclusions to enable web exclusions.
Note
This feature is available only for accounts with management rights.
Enter the address you want to allow or block in the Web Address field.
Select Allow or Block from the Permission menu.
Click the
Add button at the right side of the table to add the address to the exclusions list.Click Save.
To edit a web rule:
Click the web address you want to edit.
Modify the existing URL.
Click Save.
To remove a web rule:
Move the cursor over the web address you want to remove.
Click the
Delete button.Click Save.
Use wildcards to define web address patterns:
Asterisk (*) substitutes for zero or more characters.
Question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters.
In the following table, you can find several sample syntaxes for specifying web addresses.
Syntax | Applicability |
|---|---|
| Any website or web page starting with The rule will not apply to the subdomains of the specified website, such as |
| Any website ending in |
| Any website or web page whose address contains the specified string. |
| Any website having the |
| Any web address starting with |
Important
Web Access Control for Android works only up to Android 5, and only with Chrome and the built-in Android browser.
Enable this option to centrally manage the settings of the built-in iOS browser (Safari).
Mobile device users will no longer be able to change the corresponding settings on their device.
Allow use of Safari.
This option helps you control the use of Safari browser on mobile devices.
Disabling the option removes the Safari shortcut from the iOS interface, thus preventing users from accessing the Internet via Safari.
Enable auto-fill.
Disable this option if you want to prevent the browser from storing form entries, which may include sensitive information.
Force fraud warning.
Select this option to ensure that users are warned when accessing fraudulent web pages.
Enable Javascript.
Disable this option if you want Safari to ignore javascript on websites.
Block pop-ups.
Select this option to prevent pop-up windows from opening automatically.
Accept cookies.
Safari allows cookies by default.
Disable this option if you want to prevent websites from storing browsing information.
Important
Web Access Control for iOS is not supported starting with iOS 13.
Troubleshooting
GravityZone policy and tasks not getting applied on iOS
This section helps troubleshoot the issue with the Bitdefender GravityZone configuration policy/profile and tasks not getting applied on iOS devices.
Overview
The issue can be noticed with managed iOS devices, immediately after installing and activating GravityZone Mobile Client or sometimes at a later time, and manifests as follows:
GravityZone Mobile Client displays an issue about the currently assigned policy not being active on the iOS device.
In GravityZone Control Center, in the Mobile Device Details window of the iOS device, the policy is marked as pending, even though the device is connected to the Internet and should be able to receive the policy.
Tasks run from Control Center on iOS devices do not work, even though the devices are connected to the Internet and should be able to receive tasks.
Troubleshooting
The issue is usually related to the Apple Push Notifications system. Whenever there's a new policy update or task to be applied to an iOS device, the GravityZone MDM system sends a push notification to the device, via the Apple Push Notifications servers, to trigger synchronization. Upon receiving the push notification, the device synchronizes with the GravityZone MDM server to receive the latest policy or task. If the push notification cannot be sent or is lost, the policy/task does not get applied.
Refer to the following table for information on troubleshooting the issue.
Possible cause | Solution |
Apple Push Notifications service (APNs) certificate has not been configured, has expired or is invalid. Consequently, Control Center is unable to send push notifications via the APNs servers. | Check APNs certificate status in Control Center > Configuration > Certificates (company administrator privilege is required). If everything seems ok with the certificate, but none of the subsequent solutions work, you might want to generate a new APNs certificate. |
The ports used to communicate with APNs (2195, 2196, 5223) are blocked by a firewall or gateway. NotePorts 2195 and 2196 are used by the Communication Server to communicate with the APNs servers. Port 5223 is used by managed iOS devices to communicate with the APNs servers over Wi-Fi in specific conditions. For more information, refer to this Apple KB article. | Make sure the APNs ports are allowed. NotePorts 2195 and 2196 must be open for outgoing connections. |
An issue with the APNs system might cause the push notification to get lost or delayed. Note that sometimes the APNs server might be busy, resulting in push notifications being delayed. | Check again after a few hours to see if the issue still occurs. |
Profile Installation Failed error when activating iOS devices
This section helps troubleshoot the issue with the Bitdefender MDM enrollment profile failing to install on iOS devices during GravityZone Mobile Client activation.
Overview
When activating GravityZone Mobile Client on iOS devices, you are prompted to install a Bitdefender MDM Enrollment Profile. Installation of this profile is required to allow the Bitdefender GravityZone MDM system to manage the iOS device remotely.
In particular situations, the "Profile Installation Failed" error message is displayed when trying to install the profile.
Troubleshooting
If the error occurs on any new iOS device that you try to activate, it indicates a problem with the Communication Server certificate or trust chain configured in Control Center (usually noticeable during initial deployment or after changing the certificate). If the error only affects a few devices, those devices probably have an MDM profile already installed or an incorrect time setting.
Refer to the following table for detailed information on troubleshooting the issue.
Possible cause | Solution |
The Communication Server SSL certificate is missing, expired, corrupted or misconfigured. | Check the Communication Server certificate status in Control Center > Configuration > Certificates (company administrator privilege is required). Make sure the certificate is not expired and the common name is correct. The common name must match the IP address or domain name used by mobile devices to reach the Communication Server (as displayed in Control Center > Network > Mobile Device Details > Overview > Activation Details, without port number or https prefix). In many cases, the certificate is issued for the server's IP address, but the mobile devices are configured to connect using the server's domain name (or vice versa). |
The device does not trust the Communication Server certificate (the trust chain is misconfigured or missing). NoteThis is only applicable for self-signed certificates or for certificates issued using your internal PKI system. Certificates issued by a public Certificate Authority (CA), such as Thawte or Verisign, are automatically trusted. | Make sure you have correctly configured and uploaded the trust chain file in Control Center > Configuration > Certificates (company administrator privilege is required). |
The device date & time setting is incorrect (the device time precedes certificate issuance time). | Check the date & time setting on the affected iOS device (Settings > General > Date & Time). |
The device is already enrolled with a different token or to another MDM system. | Check for and remove the existing Mobile Device Management (MDM) profile on the affected iOS device (Settings > General > Profiles). |
Note
If none of the above solutions work, try with a new Communication Server certificate.
Troubleshooting certificate warnings in GravityZone Mobile Client for Android v1.3.2
This section addresses certificate warnings and errors received by end users when activating or after updating to GravityZone Mobile Client v1.3.2 on Android devices.
GravityZone Security for Mobile provides a unified enterprise-grade management of iPhone, iPad and Android devices connected to a corporate network by real-time scanning and enforcing organization’s security policies on any number of devices. Security for Mobile provides the services through GravityZone Mobile Client, available in the official Apple and Google app stores.
Overview
Starting with version 1.3.2, GravityZone Mobile Client validates the Communication Server security certificate, warning the users whenever the server provides an invalid certificate. This validation enhances communication security and prevents man-in-the-middle attacks.
The certificate is verified in the following situations:
When activating GravityZone Mobile Client.
Every time GravityZone Mobile Client initiates communication with Control Center.
If the user changes the Communication Server settings.
In case the GravityZone Communication Server certificate is invalid:
For new activations -Users trying to activate the app will receive a certificate warning, prompting them to explicitly trust the certificate or Cancel activation. No other warnings will be presented for that certificate once trusted by the user.
For existing installations - After update, users will see an issue next time Mobile Client tries to communicate with GravityZone, asking them to trust the certificate. Mobile Client will no longer communicate with GravityZone until the user explicitly accepts the certificate (without admin notification).
A certificate may be invalidated for various reasons:
It was not issued by a public/trusted Certificate Authority (for example, selfsigned certificates). Note: The default GravityZone security certificate falls also under this category.
It is expired or is not valid yet.
It was issued for a different server address.
Solution
To establish or restore communication with GravityZone:
You can obtain a certificate from a trusted Certificate Authority.
Existing users that updated the app, must follow these steps:
Open the app.
Open the Current Issues screen.
Tap Resolve for the Server Certificate Error message.
Tap Trust when prompted.
New users trying to activate the app, must tap Trust on the screen displaying the warning and then tap Activate once again.
Managing GravityZone certificates for mobile devices after upgrade to iOS 13
This section describes what GravityZone administrators and iOS users should do to comply with the security certificate requirements from Apple.
Starting with iOS 13, Apple introduced new requirements for trusted security certificates. Devices that do not meet these requirements will fail to connect to network, to access websites and run certain applications.
This change likely affects most GravityZone installations configured prior to iOS 13 release, depending on how the MDM certificates were issued or configured.
Symptoms
After upgrading to iOS 13, Apple devices will stop communicating with the GravityZone Control Center if the security certificates do not meet the new Apple requirements.
Right after upgrade, in the Network section of Control Center, devices will not display any particular status icon informing there would be an issue. Only after 24 hours these devices will display the status icon "Mobile, unmanaged, no issues".
However, if you try to modify the policy or to run tasks from GravityZone Control Center, any of your actions will remain in pending state. Locally, the GravityZone Mobile Client will display a message informing the users that the policy is not active on their devices and a server synchronization is needed.
How Android devices are affected
After adding new self-signed certificates in GravityZone Control Center, GravityZone Mobile Client may inform Android users about a server certificate error.
To fix this issue, Android users must trust the new certificate on their devices.
