
Security

In this section you can configure various security settings for mobile devices, including antimalware scans for Android devices, management of rooted or jailbroken devices or the action to be taken on non-compliant devices.

Important

The antimalware scanning is performed in the cloud, therefore the mobile devices must have Internet access.


Android security

  • Select Scan applications on install if you want to scan new applications as they are installed on the managed mobile devices.

  • Select Scan storage on mount if you want to scan each storage device when it is mounted.

    Warning

    If malware is found, the user is prompted to remove it.

    If the user does not remove detected malware within one hour after detection, the mobile device is declared non-compliant and the selected non-compliance action is automatically applied (Ignore, Deny Access, Lock, Wipe or Unlink).

  • Select Require device encryption to prompt the user to activate the encryption feature available in the Android OS. Encryption protects the data stored on Android devices, including accounts, settings, downloaded applications, media and other files, from unauthorized access. Encrypted data can be accessed from external devices only by providing the unlock password.

    Important

    Device encryption is available for Android 3.0 or later. Not all device models support encryption. Check the Mobile Device Details window for encryption support information.

    Encryption might impact device performance.

    Warning

    Device encryption is irreversible and the only way to revert to the unencrypted state is to wipe the device.

    Users should back up their data before activating device encryption.

    Users must not interrupt the encryption process or they will lose some or all of their data.

    If you enable this option, GravityZone Mobile Client displays a persistent issue informing the user to activate encryption. The user must tap the Resolve button to proceed to the encryption screen and start the process. If encryption is not activated within seven days after the notification, the device will become non-compliant.

    To enable encryption on an Android device:

    • The battery must be above 80% charged.

    • The device must be plugged in until encryption is completed.

    • The user must set an unlock password meeting the complexity requirements.

      Note

      Android devices use the same password for unlocking the screen and for unlocking encrypted content.

      Encryption requires a password, PIN or face unlock to unlock the device, and disables the other screen lock settings.

    The encryption process can take an hour or more, during which the device may restart several times.

    You can check the storage encryption status for each mobile device in the Mobile Device Details window.

  • Android devices in USB debugging mode can be connected to a PC through a USB cable, allowing advanced control over their apps and operating system. In this mode, the security of the mobile device may be at risk.

    Enabled by default, the USB debugging protection option prevents the use of devices in USB debugging mode. If the user activates USB debugging, the device automatically becomes non-compliant and the non-compliance action is taken. If the non-compliance action is Ignore, the user is notified about the unsafe setting.

    Nevertheless, you can disable this option for mobile devices that require working in USB debugging mode (such as mobile devices used for developing and testing mobile apps).

  • Select Web Security to enable web security features on Android devices.

    Web Security scans each accessed URL in the cloud, then returns a security status to GravityZone Mobile Client. The URL security status can be: clean, fraud, malware, phishing or untrusted.

    GravityZone Mobile Client can take a specific action based on the URL security status:

    • Block phishing web pages. When the user tries to access a phishing website, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.

    • Block web pages containing malware or exploits. When the user tries to access a website spreading malware or web exploits, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.

    • Block web pages used in scams or frauds. Extends protection to other types of scams besides phishing (for example fake escrows, fake donations, social media threats and so on). When the user tries to access a fraudulent web page, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.

    • Warn user about untrusted web pages. When the user is accessing a website that was previously hacked for phishing purposes or recently promoted through spam or phishing emails, a warning pop-up message will be displayed, without blocking the web page.

      Important

      Web Security features work only up to Android 5, and only with Chrome and the built-in Android browser.

OS changes

Considered a security risk for corporate networks, rooted or jailbroken devices are automatically declared non-compliant.

  • Select Allow management of rooted or jailbroken devices if you want to manage rooted or jailbroken devices from Control Center.

    Because such devices are non-compliant by default, the selected non-compliance action is applied to them automatically as soon as they are detected. Therefore, to be able to apply the policy security settings to them or to run tasks on them, you must set the non-compliance action to Ignore.

  • If you clear the Allow management of rooted or jailbroken devices check box, you automatically unlink rooted or jailbroken devices from the GravityZone network. In this case, the GravityZone Mobile Client application displays a message stating that the device is rooted / jailbroken.

    The user can tap the OK button, which redirects to the registration screen. As soon as the device is unrooted / unjailbroken, or the policy is set to allow the management of rooted / jailbroken devices, it can be re-enrolled (with the same token for Android devices / with a new token for iOS devices).

Compliance

You can configure specific actions to be taken automatically on devices detected as non-compliant based on device ownership (enterprise or personal).

Note

When adding a new device in Control Center, you are prompted to specify the device ownership (enterprise or personal). This will allow GravityZone to manage personal and enterprise mobile devices separately.

Non-compliance criteria

A device is declared non-compliant in the following situations:

  • Android devices

    • Device is rooted.

    • GravityZone Mobile Client is not Device Administrator.

    • Malware is not removed within one hour after detection.

    • Policy not satisfied:

      • The user does not set the lock screen password within 24 hours after the first notification.

      • The user does not change the lock screen password at the specified time.

      • The user does not activate device encryption within seven days after the first notification.

      • USB debugging mode is activated on the device while USB debugging protection policy option is enabled.

  • iOS devices

    • Device is jailbroken.

    • GravityZone Mobile Client is uninstalled from the mobile device.

    • Policy not satisfied:

      • The user does not set the lock screen password within 24 hours after the first notification.

      • The user does not change the lock screen password at the specified time.

Default action when the device is non-compliant

When a device is declared non-compliant, the user is prompted to fix the non-compliance issue.

The user must make the required changes within a specific time period, otherwise the selected action for non-compliant devices will be applied (Ignore, Deny access, Lock, Wipe or Unlink).

You can change the action for non-compliant devices in the policy at any time.

The new action is applied to non-compliant devices once the policy is saved.

Select from the menu corresponding to each device ownership type the action to be taken when a device is declared non-compliant:

  • Ignore.

    Only notifies the user that the device does not comply with the mobile device usage policy.

  • Deny Access.

    Blocks the device's access to corporate networks by deleting the Wi-Fi and VPN settings, while keeping all the other settings defined in the policy.

    Blocked settings are restored as soon as the device becomes compliant.

    Important

    When Device Administrator is disabled for GravityZone Mobile Client, the device becomes non-compliant and the Deny Access action is applied automatically.

  • Lock.

    Immediately locks the device screen.

    • On Android, the screen is locked with a password generated by GravityZone only if there is no lock protection configured on the device.

      This will not override an already configured lock screen option such as Pattern, PIN, Password, Fingerprint or Smart Lock.

    • On iOS, if the device has a lock screen password, that password is required to unlock it.

  • Wipe.

    Restores the factory settings of the mobile device, permanently erasing all user data.

    Note

    Wipe does not currently erase data from mounted devices (SD cards).

  • Unlink.

    The device is immediately removed from the network.

    Note

    To re-enroll a mobile device to which the Unlink action has been applied, you must add the device again in Control Center.

    The device must then be re-registered with the new activation token.

    Before re-enrolling the device, make sure the conditions that led to the device being unlinked are no longer present, or change the policy settings so as to allow the management of the device.
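The non-compliance criteria and the per-ownership actions described above, modelled as an added example that is not GravityZone's own code: a small Python evaluator that checks a device state against the documented grace periods (one hour for malware removal, 24 hours for setting the lock screen password, seven days for activating encryption) and then picks the action from the ownership-specific setting. The field and function names are assumptions made for the illustration, as is the precedence between the two documented overrides (Deny Access when Device Administrator is disabled; Unlink for rooted or jailbroken devices whose management is not allowed), which the page does not rank against each other.

```python
"""Model of the non-compliance rules documented above (added example, not GravityZone code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Grace periods stated in the non-compliance criteria
MALWARE_GRACE = timedelta(hours=1)
PASSWORD_GRACE = timedelta(hours=24)
ENCRYPTION_GRACE = timedelta(days=7)

ACTIONS = ("Ignore", "Deny Access", "Lock", "Wipe", "Unlink")
DEMO_NOW = datetime(2024, 1, 1, 12, 0)   # constructed reference time for the scenarios


@dataclass
class Policy:
    """Subset of the Security settings; attribute names are assumed."""
    require_password: bool = True
    require_encryption: bool = False
    usb_debugging_protection: bool = True    # enabled by default
    allow_rooted: bool = False               # "Allow management of rooted or jailbroken devices"
    action_enterprise: str = "Deny Access"   # non-compliance action, enterprise devices
    action_personal: str = "Unlink"          # non-compliance action, personal devices

    def __post_init__(self) -> None:
        for action in (self.action_enterprise, self.action_personal):
            if action not in ACTIONS:
                raise ValueError(f"unknown non-compliance action: {action}")


@dataclass
class DeviceState:
    """What the server knows about one device (constructed, assumed field names)."""
    platform: str                       # "android" or "ios"
    ownership: str                      # "enterprise" or "personal"
    rooted: bool = False                # rooted (Android) / jailbroken (iOS)
    device_admin: bool = True           # Android: client is Device Administrator
    client_installed: bool = True       # iOS: client still present
    malware_detected_at: Optional[datetime] = None    # pending, unremoved detection
    password_set: bool = True
    password_notified_at: Optional[datetime] = None   # first "set a password" notice
    password_change_overdue: bool = False             # scheduled change missed
    encrypted: bool = False
    encryption_notified_at: Optional[datetime] = None
    usb_debugging: bool = False


def evaluate(state: DeviceState, policy: Policy, now: datetime) -> List[str]:
    """Return the non-compliance reasons that apply; an empty list means compliant."""
    reasons: List[str] = []
    if state.rooted:
        reasons.append("rooted or jailbroken")
    if state.platform == "android":
        if not state.device_admin:
            reasons.append("client is not Device Administrator")
        if state.malware_detected_at and now - state.malware_detected_at > MALWARE_GRACE:
            reasons.append("malware not removed within one hour")
        if (policy.require_encryption and not state.encrypted
                and state.encryption_notified_at
                and now - state.encryption_notified_at > ENCRYPTION_GRACE):
            reasons.append("encryption not activated within seven days")
        if policy.usb_debugging_protection and state.usb_debugging:
            reasons.append("USB debugging enabled while protection is on")
    elif not state.client_installed:
        reasons.append("client uninstalled")
    # Lock screen password criteria apply to both platforms
    if (policy.require_password and not state.password_set
            and state.password_notified_at
            and now - state.password_notified_at > PASSWORD_GRACE):
        reasons.append("lock screen password not set within 24 hours")
    if policy.require_password and state.password_change_overdue:
        reasons.append("lock screen password not changed at the scheduled time")
    return reasons


def select_action(state: DeviceState, policy: Policy, reasons: List[str]) -> Optional[str]:
    """Pick the action for a non-compliant device; None when compliant.

    Assumed precedence: the two documented overrides are checked before the
    per-ownership setting.
    """
    if not reasons:
        return None
    if "client is not Device Administrator" in reasons:
        return "Deny Access"
    if "rooted or jailbroken" in reasons and not policy.allow_rooted:
        return "Unlink"
    return policy.action_enterprise if state.ownership == "enterprise" else policy.action_personal


def run_scenarios(now: datetime = DEMO_NOW) -> Dict[str, Tuple[List[str], Optional[str]]]:
    """Constructed device states run against the default Policy: name -> (reasons, action)."""
    policy = Policy()
    cases = {
        "compliant": DeviceState("android", "enterprise"),
        "malware 30 min old": DeviceState("android", "enterprise",
                                          malware_detected_at=now - timedelta(minutes=30)),
        "malware 90 min old": DeviceState("android", "enterprise",
                                          malware_detected_at=now - timedelta(minutes=90)),
        "personal usb debugging": DeviceState("android", "personal", usb_debugging=True),
        "device admin removed": DeviceState("android", "personal", device_admin=False),
        "jailbroken ios": DeviceState("ios", "enterprise", rooted=True),
        "ios no password 2 days": DeviceState("ios", "personal", password_set=False,
                                              password_notified_at=now - timedelta(days=2)),
    }
    results = {}
    for name, dev in cases.items():
        reasons = evaluate(dev, policy, now)
        results[name] = (reasons, select_action(dev, policy, reasons))
    return results


if __name__ == "__main__":
    for name, (reasons, action) in run_scenarios().items():
        print(f"{name:24} {action or 'compliant':10} {reasons}")
```

The scenarios show the two behaviours an administrator should keep in mind: a detection 30 minutes old is still within the grace period and is not yet a violation, and a rooted or jailbroken device is unlinked regardless of the ownership action unless management of such devices is allowed, at which point only Ignore lets the policy reach it.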