Skip to main content

Activating the GravityZone MTD

The onboarding process for the GravityZone MTD on all devices can be completed either by using an activation link or by logging in with a domain name.


Android devices require the Location - While using the app or Location - Allow all the time permission to mitigate certain network threats, such as Unsecured WiFi. The permissions option's verbiage depends on your device.

On-Boarding with Activation Links and QR Codes

There are two ways in which you can activate the GravityZone MTD.

  • The activation link - a URL that initiates the activation process for one or more devices.

  • The QR code - an image representation of an activation URL, serving an identical purpose, that can also initiate the activation of one or more devices.

The availability of URL activation options is determined by the enabling of anonymous user access. Enabling anonymous user functionality prevents the system from generating activation URLs for individual end-users. The table presents details on the features available for different settings for anonymous users.

Anonymous Users Enabled

Activation URL Functionality


  • Devices are activated within device groups. In the Mobile Security console, activation URLs and QR codes are created within local device groups for numerous users.

  • End users are anonymous.

  • With MDM integration, users can be activated individually. See the Activations for Integrated MDMs section for more information.


  • Devices are activated within device groups. In Mobile Security console, activation URLs are created within device groups for numerous users.

  • Activation URLs can be created for end-users.

  • With MDM integration, users can be activated individually. See the Activations for Integrated MDMs section for more information.

Users can receive the activation link and QR code from a local device group. The hyperlink triggers the activation of the GravityZone MTD on a specified quantity of devices. The process facilitates the dissemination of the link and QR code to individual users.

On-Boarding with Domain Name

Customers have the option to input their domain name, such as "," when starting Mobile Security. Customers with integration to a supported identity provider can utilize domain-based logins. If the GravityZone MTD has knowledge of the domain name, activation will be initiated using the single sign-on activation flow.

Auto-Activation of Any MDM for a Local Device Group

The Mobile Device Management (MDM) system can configure the MTD configuration key to automatically activate Mobile Threat Defense on iOS and Android platforms.

To access the Local Device Groups tab, navigate to the Devices page in the v4 Mobile Security console. An activation link can be generated to enable Mobile Security functionality.

This feature enables the automatic activation of the GravityZone MTD with MDM vendors, whether they are directly integrated with the Mobile Security console or not.

This activation method can be used with any Mobile Device Management (MDM) system that supports using a device identifier as a variable. Some Mobile Device Management (MDM) solutions provide support for additional variables and tracking IDs that can be used.

Use the given set of unique and optional configuration keys and values to enable the automated activation procedure of an iOS or Android device.


These configuration keys are not additional to other MDM configuration keys and are used instead of other configuration options. If you use a different configuration option the activation_link key must be blank.

Configuration Key

Value type

Configuration Value

Additional notes



Retrieve from the Mobile Security console

Copy the value from the Activation Link field on the Mobile Security console Devices page under the Local Device Groups tab for a specific group.



Use the desired identifier

This is a needed tracking identifier. You can use an MDM device identifier to track the device, or any identifier you choose. Note: If you do not use some tracking identifier value, you cannot track the device in Mobile Security console.



This is an additional tracking identifier.

Activations for Integrated MDMs

To access the Manage page, follow these steps:

  1. Click on the Integrations tab.

  2. Look for the Manage page within the tab.

  3. On the Manage page, you will find activation URLs for customers.

  4. Additionally, you can choose to regenerate and copy the activation link for devices that are being activated with an MDM.

The activation link is used to replace the MDM device identifier with a variable. This enables the device to connect with the corresponding Mobile Security console. The activation link has a default expiration period of one year from its generation. The user has the option to modify the default setting or set it to zero for indefinite expiration. The webpage displays the expiration date and time.

A full MDM activation link is provided and can now be used to activate integrated MDMs.

https://{{subdomain-portion}}[token]&{{token}}&mdm_id={{MDM Device Identifier}}  

MDM Device Identifier Variables

The device identifier variable, which is linked to the device, can be utilized in certain MDM email notifications where it is set. To manually use the link copied from the Mobile Security console, the user needs to replace the variable with the device identifier. After substituting the device ID value, the activation link becomes valid. The table presents the required MDM device identifier variable for various MDM systems.

MDM System

MDM Device Identifier Variable

VMWare Workspace ONE UEM MDM

{DeviceSerialNumber} (used on VMWare Workspace ONE UEM site) {DeviceUid} (used in Mobile Security console) Note: The VMWare Workspace ONE UEM MDM link includes the device serial number when using the link on the VMWare Workspace ONE UEM site. The VMWare Workspace ONE UEM site has a UDID value but does not support this value as a variable in their templates. The emails that come from Mobile Security console use the device UDID and can be used by the Mobile Security console administrator.

Business Concierge Device Management



For Business Concierge, the device identifier is communicated to the device automatically and an auto-activation occurs, so no device identifier is needed.

BlackBerry’s UEM MDM


Citrix MDM


Microsoft Intune Manager MDM


MobileIron MDM

$DEVICE_UUID$ (for Core) ${deviceGUID} (for Cloud)

IBM MaaS360

%csn% (for iOS) %deviceid% (for Android)

SOTI MobiControl



Blackberry Dynamics is not listed as it does not use activation link enrollment. The Blackberry UEM %IOSUDIdentifier% value can be used for Android.

If there is an issue, then try for Android the IMEI value ‘%DeviceIMEI%’ (Blackberry UEM does not yet support a specific UDID value for Android).

MDM Sample Activation Links

This table gives some sample MDM activation URLs for various MDMs with the variables. It shows the activation URL including the MDM Device Identifier variable already appended.

MDM System

Full activation

VMWare Workspace ONE UEM MDM

Business Concierge Device Management

Note: For Business Concierge, the device identifier is communicated to the device automatically and an auto-activation occurs. No MDM activation link is needed.

BlackBerry’s UEM dentifier%

Citrix MDM$devi

Microsoft Intune Manager MDM


MobileIron MDM${devic ePK}

Mobilelron Core$DEVIC E_UUID$ SOTI

SOTI MobiControl Identifier%

EULA Display Options

MDM deployments can have the End User License Agreement (EULA) on initial activation suppressed by using the GravityZone MTD configuration addition below. If this display_eula variable is missing, then the behavior defaults to yes. This then displays the EULA on Mobile Security activation.





Regenerating MDM Activation Links

This figure shows the MDM tab for MobileIron Cloud on the Mobile Security console Manage page as an example where the administrator can reset the expiry and regenerate a new activation link.

These steps describe an example process to manage devices:

  1. Add the desired MDM with the selected Mobile Security console groups.

  2. Copy the activation link URL for managed devices.

  3. Use the activation link URL in these ways:

    1. Substitute the variable with a value having the actual device identifier value and send it directly to a user for activation. Refer to the table above with the MDM Device Identifier variables.

    2. Keep the variable itself (as in the examples in the above table) and use the activation link URL, for instance in the MDM welcome email on device enrollment. In this usage, the variable is evaluated by the MDM in the email that is sent out.

  4. Click Regenerate Link to receive the Activation Link URL. The administrator sends the activation link by email, text, or any notification to users along with instructions to accept the GravityZone MTD being pushed to them.

MDM Validations

These validation checks exist for MDM integrations:

  • Groups cannot overlap from one MDM configuration to another. If you select a group that is already defined in another MDM configuration with the same credentials, you get an error notifying you of the overlap.

  • You can be notified of this overlap of groups from one MDM configuration to another, for instance, when updating a password, because this is new validation.

  • If you find overlapping groups, you need to remove the overlapping group from one of the MDM configuration instances. You may need to modify a separate MDM integration instance, remove the group there, and then complete your original MDM configuration modification.

Zero-Touch Activation for iOS and Android

This feature allows an administrator to activate the GravityZone MTD protection on managed devices without the end-user being required to click on the installed application.

In the list below you will find described the items set up for zero-touch activation and threat reporting:

  • The MDM has a group and a VPN Profile for the devices.

    • The device is registered with the MDM.

    • The MTD is pushed to the device.

    • The VPN Profile is initially pushed to the device.

  • The Mobile Security console has the MDM defined as an integration.

  • The Mobile Security console has the MDM Action and Mitigation Action set for the “App Pending Activation” threat.