Mobile device policies
Policy settings can be initially configured when creating the policy. Later on, you can change them as needed anytime you want.
To configure the settings of a policy:
Go to the Policies page.
Choose Mobile Devices from the views selector.
Click the policy name. This will open the policy settings page.
Configure the policy settings as needed. Settings are organized under the following categories:
You can select the settings category using the menu from the left-side of the page.
Click Save to save changes and apply them to the target mobile devices. To leave the policy page without saving changes, click Cancel.
General
The General category contains descriptive information regarding the selected policy.
Details
The Details page shows general policy details:
Policy name
User who created the policy
Date and time when the policy was created
Date and time when the policy was last modified
You can rename the policy by entering the new name in the corresponding field. Policies should have suggestive names so that you or other administrator can quickly identify them.
Note
By default, only the user who created the policy can modify it. To change that, the policy owner must check the option Allow other users to change this policy from the policy’s Details page.
Device management
Device management settings allows defining the security options for mobile devices, the screen locking with password and also several profiles for each mobile device policy.
The settings are organized into the following sections:
Security
In this section you can configure various security settings for mobile devices, including antimalware scans for Android devices, management of rooted or jailbroken devices or the action to be taken on non-compliant devices.
Important
The antimalware scanning is performed in the cloud, therefore the mobile devices must have Internet access.
Android security
Select Scan applications on install if you want to perform a scanning when new applications are installed on the managed mobile devices.
Select Scan storage on mount if you want to perform a scanning of each storage device when it’s mounted.
Warning
If malware is found, the user is prompted to remove it.
If the user does not remove detected malware within one hour after detection, the mobile device is declared non-compliant and the selected non-compliance action is automatically applied (Ignore, Deny Access, Lock, Wipe or Unlink).
Select Require device encryption to prompt the user to activate the encryption feature available in the Android OS. Encryption protects the data stored on Android devices, including accounts, settings, downloaded applications, media and other files, from unauthorized access. Encrypted data can be accessed from external devices only by providing the unlock password.
Important
Device encryption is available for Android 3.0 or later. Not all device models support encryption. Check the Mobile Device Details window for encryption support information.
Encryption might impact device performance.
Warning
Device encryption is irreversible and the only way to revert to the unencrypted state is to wipe the device.
Users should back up their data before activating device encryption.
Users must not interrupt the encryption process or they will lose some or all of their data.
If you enable this option, GravityZone Mobile Client displays a persistent issue informing the user to activate encryption. The user must tap the Resolve button to proceed to the encryption screen and start the process. If encryption is not activated within seven days after the notification, the device will become non-compliant.
To enable encryption on an Android device:
The battery must be above 80% charged.
The device must be plugged-in until encryption is completed.
The user must set an unlock password meeting the complexity requirements.
Note
Android devices use the same password for unlocking the screen and for unlocking encrypted content.
Encryption requires password, PIN or FACE to unlock the device, disabling the other screen lock settings.
The encryption process can take an hour or more, during which the device may restart several times.
You can check the storage encryption status for each mobile device in the Mobile Device Details window.
Android devices in USB debugging mode can be connected to a PC through a USB cable, allowing advanced control over their apps and operating system. In this case, the mobile devices' security may be at risk.
Enabled by default, the USB debugging protection option prevents using devices in the USB debugging mode. If the user activates USB debugging, the device automatically becomes non-compliant and the non-compliance action is taken. If the non-compliance action is Ignore, the user is notified about the unsafe setting.
Nevertheless, you can disable this option for mobile devices that require working in USB debugging mode (such as mobile devices used for developing and testing mobile apps).
Select Web Security to enable web security features on Android devices.
Web Security scans in-the-cloud each accessed URL, then returns a security status to GravityZone Mobile Client. The URL security status can be: clean, fraud, malware, phishing or untrusted.
GravityZone Mobile Client can take a specific action based on the URL security status:
Block phishing web pages. When the user tries to access a phishing website, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.
Block web pages containing malware or exploits. When the user tries to access a website spreading malware or web exploits, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.
Block web pages used in scams or frauds. Extends protection to other types of scams besides phishing (for example fake escrows, fake donations, social media threats and so on). When the user tries to access a fraudulent web page, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.
Warn user about untrusted web pages. When the user is accessing a website that was previously hacked for phishing purposes or recently promoted through spam or phishing emails, a warning pop-up message will be displayed, without blocking the web page.
Important
Web Security features work only up to Android 5, and only with Chrome and the built-in Android browser.
OS changes
Considered a security risk for corporate networks, rooted or jailbroken devices are automatically declared non-compliant.
Select Allow management of rooted or jailbroken devices if you want to manage rooted or jailbroken devices from Control Center.
Because such devices are by default non-compliant, they are automatically applied the selected non-compliance action as soon as they are detected. Therefore, to be able to apply them the policy security settings or to run tasks on them, you must set the non-compliance action to Ignore.
If you clear the Allow management of rooted or jailbroken devices check box, you automatically unlink rooted or jailbroken devices from the GravityZone network. In this case, the GravityZone Mobile Client application prompts a message stating the device is rooted / jailbroken.
The user can tap the OK button, which redirects to the registration screen. As soon as the device is unrooted / unjailbroken, or the policy is set to allow the management of rooted / jailbroken devices, it can be re-enrolled (with the same token for Android devices / with a new token for iOS devices).
Compliance
You can configure specific actions to be taken automatically on devices detected as non-compliant based on device ownership (enterprise or personal).
Note
When adding a new device in Control Center, you are prompted to specify the device ownership (enterprise or personal). This will allow GravityZone to manage personal and enterprise mobile devices separately.
A device is declared non-compliant in the following situations:
Android devices
Device is rooted.
GravityZone Mobile Client is not Device Administrator.
Malware is not removed within one hour after detection.
Policy not satisfied:
The user does not set the lock screen password within 24 hours after the first notification.
The user does not change the lock screen password at the specified time.
The user does not activate device encryption within seven days after the first notification.
USB debugging mode is activated on the device while USB debugging protection policy option is enabled.
iOS devices
Device is jailbroken.
GravityZone Mobile Client is uninstalled from the mobile device.
Policy not satisfied:
The user does not set the lock screen password within 24 hours after the first notification.
The user does not change the lock screen password at the specified time.
When a device is declared non-compliant, the user is prompted to fix the non-compliance issue.
The user must make the required changes within a specific time period, otherwise the selected action for non-compliant devices will be applied (Ignore, Deny access, Lock, Wipe or Unlink).
You can change the action for non-compliant devices in the policy at any time.
The new action is applied to non-compliant devices once the policy is saved.
Select from the menu corresponding to each device ownership type the action to be taken when a device is declared non-compliant:
Ignore.
Only notifies the user that the device does not comply with the mobile device usage policy.
Deny Access.
Blocks the device access to corporate networks by deleting the Wi-Fi and VPN settings, but keeping all the other settings defined in policy.
Blocked settings are restored as soon as the device becomes compliant.
Important
When Device Administrator is disabled for GravityZone Mobile Client, the device becomes non-compliant and is automatically applied the Deny Access action.
Lock.
Immediately locks the device screen.
On Android, the screen is locked with a password generated by GravityZone only if there is no lock protection configured on the device.
This will not override an already configured lock screen option such as Pattern, PIN, Password, Fingerprint or Smart Lock.
On iOS, if the device has a lock screen password, it is asked in order to unlock.
Wipe.
Restores the factory settings of the mobile device, permanently erasing all user data.
Note
Wipe does not currently erase data from mounted devices (SD cards).
Unlink.
The device is immediately removed from the network.
Note
To re-enroll a mobile device to which the Unlink action has been applied, you must add the device again in Control Center.
The device must then be re-registered with the new activation token.
Before re-enrolling the device, make sure the conditions that lead to the device being unlinked are no longer present or change the policy settings so as to allow the management of the device.
Password
In this section you can choose to activate the screen locking with password feature available in the mobile devices OS.
If this feature has been enabled, an on-screen notification prompts the user to define a lock screen password. The user must enter a password that complies with the password criteria defined in the policy.
Once the password has been set by the user, all notifications regarding this issue are cleared. A message prompting to enter the password is displayed at each attempt to unlock the screen.
Note
If the user does not set a password when prompted, the device can be used without a lock screen password up to 24 hours after the first notification. During this time, a message asking the user to enter a lock screen password is prompted every 15 minutes on the screen.
Warning
If the user does not set a password within 24 hours after the first notification, the mobile device becomes non-compliant and the selected action for non-compliant devices will be applied.
To configure the lock screen password settings:
Select the Screen locking with password check box.
Click the password security level that best suits your needs (Aggressive, Normal or Permissive). Use the description on the right side of the scale to guide your choice.
For advanced configuration, select the Custom protection level and then click the Settings link.
Note
To view the password configuration requirements of a predefined security level, select that level and click the Settings link. If you modify any option, the password security level will automatically change to Custom.
Type
You can require the password to be Simple or Complex. Password complexity criteria are defined within the mobile device OS.
On Android devices, complex passwords must contain at least one letter, one digit and one special character.
Note
Complex passwords are supported on Android 3.0 or later.
On iOS devices, complex passwords do not allow sequential or repeated characters (such as abcdef, 12345 or aaaaa, 11111).
Depending on the selected option, when the user sets the lock screen password, the operating system checks and prompts the user if the required criteria are not met.
Require alphanumeric value
Require the password to contain both letters and numbers.
Minimum length
Require the password to contain a minimum number of characters, which you specify in the corresponding field.
Minimum number of complex characters
Require the password to contain a minimum number of non-alphanumerical characters (such as @, # or $), which you specify in the corresponding field.
Expiration period (months)
Force the user to change the lock screen password at a specified interval (in months).
For example, if you enter 3, the user will be prompted to change the lock screen password every three months.
Note
On Android, this feature is supported in version 3.0 or later.
History restriction (previous passwords)
Select or enter a value in the corresponding field to specify the number of last passwords that cannot be reused.
For example, if you enter 4, the user cannot reuse a password that matches one of the last four used passwords.
Note
On Android, this feature is supported in version 3.0 or later.
Maximum number of failed attempts
Specify how many times the user is allowed to enter an incorrect password.
Note
On iOS devices, when this number is greater than 6: after six failed attempts, a time delay is imposed before the user can enter the password again.
The time delay increases with each failed attempt.
Warning
If the user exceeds the maximum number of failed attempts to unlock the screen, the device will be wiped (all data and settings will be erased).
Auto-lock after (min)
Set the period of inactivity (in minutes) after which the device is automatically locked.
Note
The iOS devices have a predefined list for auto-lock time and do not allow custom values. When assigning a policy with an incompatible auto-lock value, the device enforces the next more restrictive time period available in the list. For example, if the policy has auto-lock set at three minutes, the device will automatically lock after two minutes of inactivity.
When you modify the policy, if you choose a higher security level for the lock screen password, users will be prompted to change the password according to the new criteria.
If you clear the Screen locking with password option, users will regain full access to the lock screen settings on their mobile device.
The existing password remains active until the user decides to change or remove it.
Profiles
In this section you can create, modify and delete usage profiles for mobile devices.
Usage profiles help you push Wi-Fi and VPN settings and enforce web access control on managed mobile devices.
You can configure one or several profiles, but only one can be active at a time on a device.
If you configure only one profile, that profile is automatically applied to all devices the policy is assigned to.
If you configure several profiles, the first in the list is automatically applied to all devices the policy is assigned to.
Mobile device users can view the assigned profiles and the settings configured for each profile in the GravityZone Mobile Client application. Users cannot modify existing settings in a profile, but they can switch between profiles if several are available.
Note
Profile switching requires Internet connectivity.
To create a new profile:
Click the
Add button at the right side of the table. The profile configuration page is displayed.Configure the profile settings as needed. For detailed information, refer to:
Click Save. The new profile is added to the list.
To delete one or several profiles, select their corresponding check boxes and click the 
Delete button at the right side of the table.
To modify a profile, click its name, change settings as needed and click Save.
Details
The Details page contains general information regarding the profile:
Name.
Enter the desired profile name. Profiles should have suggestive names so that you or other administrator can quickly identify them.
Description.
Enter a detailed profile description. This option may help administrators easily identify a profile from several others.
Networks
In this section you can specify the settings of one or several Wi-Fi and VPN networks. The VPN settings are available only for iOS devices.
Important
Before defining the Wi-Fi and VPN connections, make sure you have all the necessary information at hand (passwords, proxy settings etc.).
The mobile devices assigned with the corresponding profile will automatically connect to the defined network, when it is in range. You can set the priority when several networks are created, taking into account that only one network can be used at a time. When the first network is not available, the mobile device will connect to the second one, and so on.
To set the networks priority:
Select the check box of the desired network.
Use the priority buttons at the right side of the table:
Click the
Up button to promote the selected network.Click the
Down button to demote it.
You can add as many Wi-Fi networks as you need.
To add a Wi-Fi network:
In the Wi-Fi section, click the
Add button at the right side of the table.A configuration window is displayed.
Under the General tab, you can configure the details of the Wi-Fi connection:
Name (SSID).
Enter the name of the new Wi-Fi network.
Security.
Select the option corresponding to the Wi-Fi network security level:
None.
Choose this option when the Wi-Fi connection is public (no credentials required).
WEP.
Choose this option to set a Wireless Encryption Protocol (WEP) connection. Enter the required password for this type of connection in the corresponding field displayed below.
WPA/WPA2 Personal.
Choose this option if the Wi-Fi network is secured using Wi-Fi Protected Access (WPA). Enter the required password for this type of connection in the corresponding field displayed below.
Under the TCP/IP you can configure the TCP/IP settings for the Wi-Fi connection.
Each Wi-Fi connection can use IPv4 or IPv6 or both.
Configure IPv4.
If you want to use the IPv4 method, select the IP assignment method from the corresponding menu:
DHCP: if the IP address is assigned automatically by a DHCP server.
If needed, provide the DHCP Client ID in the subsequent field.
Disabled: select this option if you do not want to use the IPv4 protocol.
Configure IPv6.
If you want to use the IPv6 method, select the IP assignment method from the corresponding menu:
DHCP: if the IP address is assigned automatically by a DHCP server.
Disabled: select this option if you do not want to use the IPv6 protocol.
DNS Servers.
Enter the address of at least one DNS server for the network.
Under the Proxy tab, configure the proxy settings for the Wi-Fi connection. Select the desired proxy configuration method from the Type menu:
Off.
Choose this option if the Wi-Fi network has no proxy settings.
Manual.
Choose this option to manually specify the proxy settings. Enter the hostname of the proxy server and the port on which it listens for connections. If the proxy server requires authentication, select the Authentication check box and provide the user name and the password in the subsequent fields.
Automatic.
Choose this option to retrieve the proxy settings from a Proxy Auto-Configuration (PAC) file published in the local network. Enter the PAC file address in the URL field.
Click Save.
The new Wi-Fi connection is added to the list.
You can add as many VPNs as you need.
To add a VPN:
In the VPN for iOS section, click the
Add button at the right side of the table. A configuration window is displayed.Define the VPN settings in the VPN Connection window:
Click Save. The new VPN connection will be added to the list.
General:
Name
Enter the name of the VPN connection.
Encryption
The available authentication protocol for this connection type is IPSec, which requires user authentication by password and machine authentication by shared secret.
Server
Enter the VPN server address.
User
Enter the VPN user name.
Password
Enter the VPN password.
Group Name
Enter the group name.
Secret
Enter the pre-shared key.
Proxy:
In this section you can configure the proxy settings for the VPN connection. Select the desired proxy configuration method from the Type menu:
Off
Choose this option if the VPN connection has no proxy settings.
Manual
This option allows you to manually specify the proxy settings:
Server: enter the proxy host name.
Port: enter the proxy port number.
If the proxy server requires authentication, select the Authentication check box and provide the user name and the password in the subsequent fields.
Automatic
Select this option to retrieve the proxy settings from a Proxy Auto-Configuration (PAC) file published in the local network. Enter the PAC file address in the URL field.
To delete one or several networks, select their corresponding check boxes and click the Delete button at the right side of the table. To modify a network, click its name, change settings as needed and click Save.
Web access
In this section you can configure the web access control for Android and iOS devices.
Enable this option to filter web access for Chrome and the built-in Android browser. You can set time restrictions on web access and also explicitly allow or block access to specific web pages.
The web pages blocked by Web Access Control are not displayed in the browser. Instead, a default web page is displayed informing the user that the requested web page has been blocked by Web Access Control.
You have three configuration options:
Select Allow to always grant web access.
Select Block to always deny web access.
Select Schedule to enable time restrictions on web access upon a detailed schedule.
Either if you choose to allow or block the web access, you can define exclusions to these actions for entire web categories or only for specific web addresses.
Click Settings to configure your web access schedule and exclusions.
To restrict Internet access to certain times of day on a weekly basis:
Select from the grid the time intervals during which you want Internet access to be blocked.
You can click individual cells, or you can click and drag to cover longer periods. Click again in the cell to reverse the selection.
To start a new selection, click Allow All or Block all, depending on the type of restriction you wish to implement.
Click Save.
You can also define web rules to explicitly block or allow certain web addresses, overriding the existing Web Access Control settings. Users will be able, for example, to access a specific webpage also when the web browsing is blocked by Web Access Control.
To create a web rule:
Select Use exclusions to enable web exclusions.
Note
This feature is available only for accounts with management rights.
Enter the address you want to allow or block in the Web Address field.
Select Allow or Block from the Permission menu.
Click the
Add button at the right side of the table to add the address to the exclusions list.Click Save.
To edit a web rule:
Click the web address you want to edit.
Modify the existing URL.
Click Save.
To remove a web rule:
Move the cursor over the web address you want to remove.
Click the
Delete button.Click Save.
Use wildcards to define web address patterns:
Asterisk (*) substitutes for zero or more characters.
Question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters.
In the following table, you can find several sample syntaxes for specifying web addresses.
Syntax | Applicability |
|---|---|
| Any website or web page starting with The rule will not apply to the subdomains of the specified website, such as |
| Any website ending in |
| Any website or web page whose address contains the specified string. |
| Any website having the |
| Any web address starting with |
Important
Web Access Control for Android works only up to Android 5, and only with Chrome and the built-in Android browser.
Enable this option to centrally manage the settings of the built-in iOS browser (Safari).
Mobile device users will no longer be able to change the corresponding settings on their device.
Allow use of Safari.
This option helps you control the use of Safari browser on mobile devices.
Disabling the option removes the Safari shortcut from the iOS interface, thus preventing users from accessing the Internet via Safari.
Enable auto-fill.
Disable this option if you want to prevent the browser from storing form entries, which may include sensitive information.
Force fraud warning.
Select this option to ensure that users are warned when accessing fraudulent web pages.
Enable Javascript.
Disable this option if you want Safari to ignore javascript on websites.
Block pop-ups.
Select this option to prevent pop-up windows from opening automatically.
Accept cookies.
Safari allows cookies by default.
Disable this option if you want to prevent websites from storing browsing information.
Important
Web Access Control for iOS is not supported starting with iOS 13.