
Mobile device policies

Policy settings can be initially configured when creating the policy. Later on, you can change them as needed anytime you want.

To configure the settings of a policy:

  1. Go to the Policies page.

  2. Choose Mobile Devices from the views selector.

  3. Click the policy name. This will open the policy settings page.

  4. Configure the policy settings as needed. Settings are organized under the categories described in the sections that follow.

    You can select the settings category using the menu from the left-side of the page.

  5. Click Save to save changes and apply them to the target mobile devices. To leave the policy page without saving changes, click Cancel.

General

The General category contains descriptive information regarding the selected policy.

Details

The Details page shows general policy details:

  • Policy name

  • User who created the policy

  • Date and time when the policy was created

  • Date and time when the policy was last modified

You can rename the policy by entering the new name in the corresponding field. Policies should have suggestive names so that you or other administrators can quickly identify them.

Note

By default, only the user who created the policy can modify it. To change that, the policy owner must check the option Allow other users to change this policy from the policy’s Details page.

Device management

Device management settings let you define the security options for mobile devices, screen locking with a password, and one or more usage profiles for each mobile device policy.

The settings are organized into the sections described below.

Security

In this section you can configure various security settings for mobile devices, including antimalware scans for Android devices, management of rooted or jailbroken devices or the action to be taken on non-compliant devices.

Important

The antimalware scanning is performed in the cloud, therefore the mobile devices must have Internet access.

Android security
  • Select Scan applications on install to scan new applications when they are installed on the managed mobile devices.

  • Select Scan storage on mount to scan each storage device when it is mounted.

    Warning

    If malware is found, the user is prompted to remove it.

    If the user does not remove detected malware within one hour after detection, the mobile device is declared non-compliant and the selected non-compliance action is automatically applied (Ignore, Deny Access, Lock, Wipe or Unlink).

  • Select Require device encryption to prompt the user to activate the encryption feature available in the Android OS. Encryption protects the data stored on Android devices, including accounts, settings, downloaded applications, media and other files, from unauthorized access. Encrypted data can be accessed from external devices only by providing the unlock password.

    Important

    Device encryption is available for Android 3.0 or later. Not all device models support encryption. Check the Mobile Device Details window for encryption support information.

    Encryption might impact device performance.

    Warning

    Device encryption is irreversible and the only way to revert to the unencrypted state is to wipe the device.

    Users should back up their data before activating device encryption.

    Users must not interrupt the encryption process or they will lose some or all of their data.

    If you enable this option, GravityZone Mobile Client displays a persistent issue informing the user to activate encryption. The user must tap the Resolve button to proceed to the encryption screen and start the process. If encryption is not activated within seven days after the notification, the device will become non-compliant.

    To enable encryption on an Android device:

    • The battery must be above 80% charged.

    • The device must be plugged-in until encryption is completed.

    • The user must set an unlock password meeting the complexity requirements.

      Note

      Android devices use the same password for unlocking the screen and for unlocking encrypted content.

      Encryption requires a password, PIN or face unlock to unlock the device and disables the other screen lock settings.

    The encryption process can take an hour or more, during which the device may restart several times.

    You can check the storage encryption status for each mobile device in the Mobile Device Details window.

  • Android devices in USB debugging mode can be connected to a PC through a USB cable, allowing advanced control over their apps and operating system. In this case, the mobile devices' security may be at risk.

    Enabled by default, the USB debugging protection option prevents using devices in the USB debugging mode. If the user activates USB debugging, the device automatically becomes non-compliant and the non-compliance action is taken. If the non-compliance action is Ignore, the user is notified about the unsafe setting.

    Nevertheless, you can disable this option for mobile devices that require working in USB debugging mode (such as mobile devices used for developing and testing mobile apps).

  • Select Web Security to enable web security features on Android devices.

    Web Security scans each accessed URL in the cloud, then returns a security status to GravityZone Mobile Client. The URL security status can be: clean, fraud, malware, phishing or untrusted.

    GravityZone Mobile Client can take a specific action based on the URL security status:

    • Block phishing web pages. When the user tries to access a phishing website, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.

    • Block web pages containing malware or exploits. When the user tries to access a website spreading malware or web exploits, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.

    • Block web pages used in scams or frauds. Extends protection to other types of scams besides phishing (for example fake escrows, fake donations, social media threats and so on). When the user tries to access a fraudulent web page, GravityZone Mobile Client blocks the corresponding URL, displaying instead a warning page.

    • Warn user about untrusted web pages. When the user is accessing a website that was previously hacked for phishing purposes or recently promoted through spam or phishing emails, a warning pop-up message will be displayed, without blocking the web page.

      Important

      Web Security features work only up to Android 5, and only with Chrome and the built-in Android browser.

OS changes

Considered a security risk for corporate networks, rooted or jailbroken devices are automatically declared non-compliant.

  • Select Allow management of rooted or jailbroken devices if you want to manage rooted or jailbroken devices from Control Center.

    Because such devices are non-compliant by default, the selected non-compliance action is applied to them as soon as they are detected. Therefore, to be able to apply the policy security settings to them or to run tasks on them, you must set the non-compliance action to Ignore.

  • If you clear the Allow management of rooted or jailbroken devices check box, you automatically unlink rooted or jailbroken devices from the GravityZone network. In this case, the GravityZone Mobile Client application prompts a message stating the device is rooted / jailbroken.

    The user can tap the OK button, which redirects to the registration screen. As soon as the device is unrooted / unjailbroken, or the policy is set to allow the management of rooted / jailbroken devices, it can be re-enrolled (with the same token for Android devices / with a new token for iOS devices).

Compliance

You can configure specific actions to be taken automatically on devices detected as non-compliant based on device ownership (enterprise or personal).

Note

When adding a new device in Control Center, you are prompted to specify the device ownership (enterprise or personal). This will allow GravityZone to manage personal and enterprise mobile devices separately.

Non-compliance criteria

A device is declared non-compliant in the following situations:

  • Android devices

    • Device is rooted.

    • GravityZone Mobile Client is not Device Administrator.

    • Malware is not removed within one hour after detection.

    • Policy not satisfied:

      • The user does not set the lock screen password within 24 hours after the first notification.

      • The user does not change the lock screen password at the specified time.

      • The user does not activate device encryption within seven days after the first notification.

      • USB debugging mode is activated on the device while USB debugging protection policy option is enabled.

  • iOS devices

    • Device is jailbroken.

    • GravityZone Mobile Client is uninstalled from the mobile device.

    • Policy not satisfied:

      • The user does not set the lock screen password within 24 hours after the first notification.

      • The user does not change the lock screen password at the specified time.

Default action when the device is non-compliant

When a device is declared non-compliant, the user is prompted to fix the non-compliance issue.

The user must make the required changes within a specific time period, otherwise the selected action for non-compliant devices will be applied (Ignore, Deny access, Lock, Wipe or Unlink).

You can change the action for non-compliant devices in the policy at any time.

The new action is applied to non-compliant devices once the policy is saved.

Select from the menu corresponding to each device ownership type the action to be taken when a device is declared non-compliant:

  • Ignore.

    Only notifies the user that the device does not comply with the mobile device usage policy.

  • Deny Access.

    Blocks the device access to corporate networks by deleting the Wi-Fi and VPN settings, but keeping all the other settings defined in policy.

    Blocked settings are restored as soon as the device becomes compliant.

    Important

    When Device Administrator is disabled for GravityZone Mobile Client, the device becomes non-compliant and the Deny Access action is automatically applied.

  • Lock.

    Immediately locks the device screen.

    • On Android, the screen is locked with a password generated by GravityZone only if there is no lock protection configured on the device.

      This will not override an already configured lock screen option such as Pattern, PIN, Password, Fingerprint or Smart Lock.

    • On iOS, if the device has a lock screen password, it is asked in order to unlock.

  • Wipe.

    Restores the factory settings of the mobile device, permanently erasing all user data.

    Note

    Wipe does not currently erase data from mounted devices (SD cards).

  • Unlink.

    The device is immediately removed from the network.

    Note

    To re-enroll a mobile device to which the Unlink action has been applied, you must add the device again in Control Center.

    The device must then be re-registered with the new activation token.

    Before re-enrolling the device, make sure the conditions that lead to the device being unlinked are no longer present or change the policy settings so as to allow the management of the device.
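The following evaluator is an added example, not GravityZone code, showing how the non-compliance criteria and the per-ownership action menu described in this section fit together as decision logic: each criterion from the list above becomes a check with the grace period the text states (one hour for malware, 24 hours for the lock screen password, seven days for encryption), and the Important note about Device Administrator is modelled as an override to Deny Access. The DeviceState fields, function names and sample devices are assumptions made for illustration.

```python
"""Non-compliance evaluator modelled on the criteria listed above.

Added example for illustration; it is not GravityZone code. The
DeviceState fields, function names and the sample devices are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Grace periods stated in the Non-compliance criteria list.
MALWARE_GRACE = timedelta(hours=1)
PASSWORD_GRACE = timedelta(hours=24)
ENCRYPTION_GRACE = timedelta(days=7)

NON_COMPLIANCE_ACTIONS = ("Ignore", "Deny Access", "Lock", "Wipe", "Unlink")


@dataclass
class DeviceState:
    """Snapshot of what the management server knows about one device (assumed fields)."""
    platform: str                          # "android" or "ios"
    ownership: str                         # "enterprise" or "personal"
    rooted_or_jailbroken: bool = False
    client_is_device_admin: bool = True    # Android: client holds Device Administrator
    client_installed: bool = True          # iOS: client still present on the device
    malware_detected_at: Optional[datetime] = None
    malware_removed: bool = False
    password_required: bool = False        # policy enables Screen locking with password
    password_notified_at: Optional[datetime] = None
    password_set: bool = False
    password_change_overdue: bool = False  # expiration period passed without a change
    encryption_required: bool = False      # Android: Require device encryption
    encryption_notified_at: Optional[datetime] = None
    encrypted: bool = False
    usb_debugging_on: bool = False         # Android
    usb_debug_protection: bool = True      # policy option, enabled by default


def compliance_violations(d: DeviceState, now: datetime) -> List[str]:
    """Return the criteria the device currently violates (empty list means compliant)."""
    reasons: List[str] = []
    if d.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    if d.platform == "android":
        if not d.client_is_device_admin:
            reasons.append("client is not Device Administrator")
        if (d.malware_detected_at and not d.malware_removed
                and now - d.malware_detected_at > MALWARE_GRACE):
            reasons.append("malware not removed within one hour")
        if (d.encryption_required and not d.encrypted and d.encryption_notified_at
                and now - d.encryption_notified_at > ENCRYPTION_GRACE):
            reasons.append("encryption not activated within seven days")
        if d.usb_debugging_on and d.usb_debug_protection:
            reasons.append("USB debugging enabled while protection is on")
    elif d.platform == "ios":
        if not d.client_installed:
            reasons.append("client uninstalled")
    if d.password_required:
        if (not d.password_set and d.password_notified_at
                and now - d.password_notified_at > PASSWORD_GRACE):
            reasons.append("lock screen password not set within 24 hours")
        if d.password_set and d.password_change_overdue:
            reasons.append("lock screen password not changed at expiration")
    return reasons


def non_compliance_action(d: DeviceState, policy_actions: Dict[str, str],
                          reasons: List[str]) -> Optional[str]:
    """Pick the action for a non-compliant device from the per-ownership policy menu.

    Returns None for a compliant device. Per the Important note above, a client
    that lost Device Administrator always gets Deny Access.
    """
    if not reasons:
        return None
    if "client is not Device Administrator" in reasons:
        return "Deny Access"
    action = policy_actions[d.ownership]
    if action not in NON_COMPLIANCE_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return action


# Constructed sample data (not from the product).
NOW = datetime(2024, 1, 1, 12, 0)
POLICY_ACTIONS = {"enterprise": "Lock", "personal": "Deny Access"}
SAMPLE_ANDROID = DeviceState(
    platform="android", ownership="personal",
    malware_detected_at=NOW - timedelta(hours=2),
    password_required=True, password_notified_at=NOW - timedelta(hours=25),
)
SAMPLE_IOS = DeviceState(platform="ios", ownership="enterprise",
                         password_required=True, password_set=True)

if __name__ == "__main__":
    for dev in (SAMPLE_ANDROID, SAMPLE_IOS):
        found = compliance_violations(dev, NOW)
        print(dev.platform, found, non_compliance_action(dev, POLICY_ACTIONS, found))
```

Running the block prints the violations and resulting action for the two constructed devices; the Android sample is past both the one-hour malware window and the 24-hour password window and, being a personal device, gets Deny Access.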

Password

In this section you can choose to activate the screen locking with password feature available in the mobile devices OS.


If this feature has been enabled, an on-screen notification prompts the user to define a lock screen password. The user must enter a password that complies with the password criteria defined in the policy.

Once the password has been set by the user, all notifications regarding this issue are cleared. A message prompting to enter the password is displayed at each attempt to unlock the screen.

Note

If the user does not set a password when prompted, the device can be used without a lock screen password up to 24 hours after the first notification. During this time, a message asking the user to enter a lock screen password is prompted every 15 minutes on the screen.

Warning

If the user does not set a password within 24 hours after the first notification, the mobile device becomes non-compliant and the selected action for non-compliant devices will be applied.

To configure the lock screen password settings:

  1. Select the Screen locking with password check box.

  2. Click the password security level that best suits your needs (Aggressive, Normal or Permissive). Use the description on the right side of the scale to guide your choice.

  3. For advanced configuration, select the Custom protection level and then click the Settings link.


Note

To view the password configuration requirements of a predefined security level, select that level and click the Settings link. If you modify any option, the password security level will automatically change to Custom.

Custom options
  • Type

    You can require the password to be Simple or Complex. Password complexity criteria are defined within the mobile device OS.

    • On Android devices, complex passwords must contain at least one letter, one digit and one special character.

      Note

      Complex passwords are supported on Android 3.0 or later.

    • On iOS devices, complex passwords do not allow sequential or repeated characters (such as abcdef, 12345 or aaaaa, 11111).

    Depending on the selected option, when the user sets the lock screen password, the operating system checks and prompts the user if the required criteria are not met.

  • Require alphanumeric value

    Require the password to contain both letters and numbers.

  • Minimum length

    Require the password to contain a minimum number of characters, which you specify in the corresponding field.

  • Minimum number of complex characters

    Require the password to contain a minimum number of non-alphanumerical characters (such as @, # or $), which you specify in the corresponding field.

  • Expiration period (months)

    Force the user to change the lock screen password at a specified interval (in months).

    For example, if you enter 3, the user will be prompted to change the lock screen password every three months.

    Note

    On Android, this feature is supported in version 3.0 or later.

  • History restriction (previous passwords)

    Select or enter a value in the corresponding field to specify the number of last passwords that cannot be reused.

    For example, if you enter 4, the user cannot reuse a password that matches one of the last four used passwords.

    Note

    On Android, this feature is supported in version 3.0 or later.

  • Maximum number of failed attempts

    Specify how many times the user is allowed to enter an incorrect password.

    Note

    On iOS devices, when this number is greater than 6: after six failed attempts, a time delay is imposed before the user can enter the password again.

    The time delay increases with each failed attempt.

    Warning

    If the user exceeds the maximum number of failed attempts to unlock the screen, the device will be wiped (all data and settings will be erased).

  • Auto-lock after (min)

    Set the period of inactivity (in minutes) after which the device is automatically locked.

    Note

    The iOS devices have a predefined list for auto-lock time and do not allow custom values. When assigning a policy with an incompatible auto-lock value, the device enforces the next more restrictive time period available in the list. For example, if the policy has auto-lock set at three minutes, the device will automatically lock after two minutes of inactivity.

When you modify the policy, if you choose a higher security level for the lock screen password, users will be prompted to change the password according to the new criteria.

If you clear the Screen locking with password option, users will regain full access to the lock screen settings on their mobile device.

The existing password remains active until the user decides to change or remove it.
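To make the Custom options concrete, here is an added example (not GravityZone code; on a real device the mobile OS performs this check, as the text says) that evaluates a candidate lock screen password against the criteria above: Type, Require alphanumeric value, Minimum length, Minimum number of complex characters and History restriction. The PasswordPolicy fields, function names and sample policies are assumptions; rejecting any run of three or more sequential or repeated characters on iOS is my reading of the examples given above (abcdef, 12345, aaaaa), and the history store uses salted PBKDF2 so that old passwords are never kept in clear.

```python
"""Lock screen password policy checker built from the Custom options above.

Added example for illustration; it is not GravityZone code. The PasswordPolicy
fields, the function names and the sample policies are assumptions.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

PBKDF2_ROUNDS = 100_000  # iteration count for the history store (assumption)


@dataclass
class PasswordPolicy:
    platform: str                      # "android" or "ios"
    complex_type: bool = False         # Type: Complex (otherwise Simple)
    require_alphanumeric: bool = False
    min_length: int = 0
    min_complex_chars: int = 0         # non-alphanumerical characters such as @, # or $
    history: int = 0                   # number of previous passwords that cannot be reused


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest, so the history store never keeps plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _has_run(password: str, length: int = 3) -> bool:
    """True if any window of `length` characters is repeated (aaa) or sequential (abc, 321)."""
    for i in range(len(password) - length + 1):
        window = password[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password: str, policy: PasswordPolicy,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the policy criteria the password fails (empty list means accepted)."""
    problems: List[str] = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    complex_chars = sum(1 for c in password if not c.isalnum())

    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_alphanumeric and not (has_letter and has_digit):
        problems.append("must contain both letters and digits")
    if complex_chars < policy.min_complex_chars:
        problems.append(f"fewer than {policy.min_complex_chars} non-alphanumeric characters")
    if policy.complex_type:
        if policy.platform == "android":
            # Android complex type: at least one letter, one digit and one special character.
            if not (has_letter and has_digit and complex_chars > 0):
                problems.append("Android complex type needs a letter, a digit and a special character")
        elif _has_run(password):
            # iOS complex type: no sequential or repeated characters.
            problems.append("iOS complex type forbids sequential or repeated characters")
    if policy.history:
        # History restriction: compare against the last N stored (salt, digest) pairs.
        for salt, digest in history[-policy.history:]:
            if hash_password(password, salt)[1] == digest:
                problems.append(f"matches one of the last {policy.history} passwords")
                break
    return problems


# Constructed sample policies and history (not product defaults).
ANDROID_POLICY = PasswordPolicy("android", complex_type=True, min_length=8,
                                min_complex_chars=1, history=4)
IOS_POLICY = PasswordPolicy("ios", complex_type=True, min_length=6)
HISTORY = [hash_password("OldPass1!"), hash_password("OldPass2!")]

if __name__ == "__main__":
    for pw in ("Winter2024!", "winter24", "OldPass1!"):
        print(pw, check_password(pw, ANDROID_POLICY, HISTORY))
    for pw in ("123456", "aaaaaa", "Sp7!qZ"):
        print(pw, check_password(pw, IOS_POLICY))
```

The checker reports every failed criterion rather than stopping at the first, which is what a user-facing prompt needs in order to explain what to change.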

Profiles

In this section you can create, modify and delete usage profiles for mobile devices.

Usage profiles help you push Wi-Fi and VPN settings and enforce web access control on managed mobile devices.


You can configure one or several profiles, but only one can be active at a time on a device.

  • If you configure only one profile, that profile is automatically applied to all devices the policy is assigned to.

  • If you configure several profiles, the first in the list is automatically applied to all devices the policy is assigned to.

Mobile device users can view the assigned profiles and the settings configured for each profile in the GravityZone Mobile Client application. Users cannot modify existing settings in a profile, but they can switch between profiles if several are available.

Note

Profile switching requires Internet connectivity.

To create a new profile:

  1. Click the Add button at the right side of the table. The profile configuration page is displayed.

  2. Configure the profile settings as needed. For detailed information, refer to the Details, Networks and Web access sections below.

  3. Click Save. The new profile is added to the list.

To delete one or several profiles, select their corresponding check boxes and click the Delete button at the right side of the table.

To modify a profile, click its name, change settings as needed and click Save.

Details

The Details page contains general information regarding the profile:

  • Name.

    Enter the desired profile name. Profiles should have suggestive names so that you or other administrators can quickly identify them.

  • Description.

    Enter a detailed profile description. This option may help administrators easily identify a profile from several others.

Networks

In this section you can specify the settings of one or several Wi-Fi and VPN networks. The VPN settings are available only for iOS devices.


Important

Before defining the Wi-Fi and VPN connections, make sure you have all the necessary information at hand (passwords, proxy settings etc.).

The mobile devices assigned with the corresponding profile will automatically connect to the defined network, when it is in range. You can set the priority when several networks are created, taking into account that only one network can be used at a time. When the first network is not available, the mobile device will connect to the second one, and so on.

To set the networks priority:

  1. Select the check box of the desired network.

  2. Use the priority buttons at the right side of the table:

    • Click the Up button to promote the selected network.

    • Click the Down button to demote it.

Wi-Fi

You can add as many Wi-Fi networks as you need.

To add a Wi-Fi network:

  1. In the Wi-Fi section, click the Add button at the right side of the table.

    A configuration window is displayed.

  2. Under the General tab, you can configure the details of the Wi-Fi connection:

    • Name (SSID).

      Enter the name of the new Wi-Fi network.

    • Security.

      Select the option corresponding to the Wi-Fi network security level:

      • None.

        Choose this option when the Wi-Fi connection is public (no credentials required).

      • WEP.

        Choose this option to set a Wireless Encryption Protocol (WEP) connection. Enter the required password for this type of connection in the corresponding field displayed below.

      • WPA/WPA2 Personal.

        Choose this option if the Wi-Fi network is secured using Wi-Fi Protected Access (WPA). Enter the required password for this type of connection in the corresponding field displayed below.

  3. Under the TCP/IP tab, configure the TCP/IP settings for the Wi-Fi connection.

    Each Wi-Fi connection can use IPv4, IPv6 or both.

    • Configure IPv4.

      If you want to use IPv4, select the IP assignment method from the corresponding menu:

      • DHCP: the IP address is assigned automatically by a DHCP server. If needed, provide the DHCP Client ID in the subsequent field.

      • Disabled: select this option if you do not want to use the IPv4 protocol.

    • Configure IPv6.

      If you want to use IPv6, select the IP assignment method from the corresponding menu:

      • DHCP: the IP address is assigned automatically by a DHCP server.

      • Disabled: select this option if you do not want to use the IPv6 protocol.

    • DNS Servers.

      Enter the address of at least one DNS server for the network.

  4. Under the Proxy tab, configure the proxy settings for the Wi-Fi connection. Select the desired proxy configuration method from the Type menu:

    • Off.

      Choose this option if the Wi-Fi network has no proxy settings.

    • Manual.

      Choose this option to manually specify the proxy settings. Enter the hostname of the proxy server and the port on which it listens for connections. If the proxy server requires authentication, select the Authentication check box and provide the user name and the password in the subsequent fields.

    • Automatic.

      Choose this option to retrieve the proxy settings from a Proxy Auto-Configuration (PAC) file published in the local network. Enter the PAC file address in the URL field.

  5. Click Save.

    The new Wi-Fi connection is added to the list.

VPN for iOS

You can add as many VPNs as you need.

To add a VPN:

  1. In the VPN for iOS section, click the Add button at the right side of the table. A configuration window is displayed.

  2. Define the VPN settings in the VPN Connection window:

    • General:

      • Name

        Enter the name of the VPN connection.

      • Encryption

        The available authentication protocol for this connection type is IPSec, which requires user authentication by password and machine authentication by shared secret.

      • Server

        Enter the VPN server address.

      • User

        Enter the VPN user name.

      • Password

        Enter the VPN password.

      • Group Name

        Enter the group name.

      • Secret

        Enter the pre-shared key.

    • Proxy:

      In this section you can configure the proxy settings for the VPN connection. Select the desired proxy configuration method from the Type menu:

      • Off

        Choose this option if the VPN connection has no proxy settings.

      • Manual

        This option allows you to manually specify the proxy settings:

        • Server: enter the proxy host name.

        • Port: enter the proxy port number.

        • If the proxy server requires authentication, select the Authentication check box and provide the user name and the password in the subsequent fields.

      • Automatic

        Select this option to retrieve the proxy settings from a Proxy Auto-Configuration (PAC) file published in the local network. Enter the PAC file address in the URL field.

  3. Click Save. The new VPN connection will be added to the list.

To delete one or several networks, select their corresponding check boxes and click the Delete button at the right side of the table. To modify a network, click its name, change settings as needed and click Save.

Web access

In this section you can configure the web access control for Android and iOS devices.

Web Access Control for Android

Enable this option to filter web access for Chrome and the built-in Android browser. You can set time restrictions on web access and also explicitly allow or block access to specific web pages.

The web pages blocked by Web Access Control are not displayed in the browser. Instead, a default web page is displayed informing the user that the requested web page has been blocked by Web Access Control.

You have three configuration options:

  • Select Allow to always grant web access.

  • Select Block to always deny web access.

  • Select Schedule to enable time restrictions on web access upon a detailed schedule.

Whether you choose to allow or block web access, you can define exceptions to these actions for entire web categories or only for specific web addresses.

Click Settings to configure your web access schedule and exceptions as follows:

Scheduler

To restrict Internet access to certain times of day on a weekly basis:

  1. Select from the grid the time intervals during which you want Internet access to be blocked.

    You can click individual cells, or you can click and drag to cover longer periods. Click again in the cell to reverse the selection.


    To start a new selection, click Allow All or Block All, depending on the type of restriction you wish to implement.

  2. Click Save.

Web rules

You can also define web rules to explicitly block or allow certain web addresses, overriding the existing Web Access Control settings. Users will be able, for example, to access a specific webpage also when the web browsing is blocked by Web Access Control.

To create a web rule:

  1. Select Use Exceptions to enable web exceptions.


    Note

    This feature is available only for accounts with management rights.

  2. Enter the address you want to allow or block in the Web Address field.

  3. Select Allow or Block from the Permission menu.

  4. Click the Add button at the right side of the table to add the address to the exceptions list.

  5. Click Save.

To edit a web rule:

  1. Click the web address you want to edit.

  2. Modify the existing URL.

  3. Click Save.

To remove a web rule:

  1. Move the cursor over the web address you want to remove.

  2. Click the Delete button.

  3. Click Save.

Use wildcards to define web address patterns:

  • Asterisk (*) substitutes for zero or more characters.

  • Question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters.

The following list shows several sample syntaxes for specifying web addresses, with the addresses each one applies to:

  • www.example*

    Any website or web page starting with www.example (regardless of the domain extension).

    The rule will not apply to the subdomains of the specified website, such as subdomain.example.com.

  • *example.com

    Any website ending in example.com, including pages and subdomains thereof.

  • *string*

    Any website or web page whose address contains the specified string.

  • *.com

    Any website having the .com domain extension, including pages and subdomains thereof. Use this syntax to apply a rule to an entire top-level domain.

  • www.example?.com

    Any web address starting with www.example?.com, where ? can be replaced with any single character. Such websites might include: www.example1.com or www.exampleA.com.

Important

Web Access Control for Android works only up to Android 5, and only with Chrome and the built-in Android browser.
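The following added example (not GravityZone code) puts the Scheduler, the web rules and the wildcard syntax from this section together as one decision function: a base action of Allow, Block or a weekly Schedule of blocked hours, overridden by web rules in which * stands for zero or more characters and ? for exactly one. The class and function names are assumptions, as are two details the text leaves open: rules are evaluated in order and the first match wins, and a pattern is matched against the start of the address with the scheme removed, which is the reading that reproduces every row of the sample syntax list above ("starting with", "ending in", "contains").

```python
"""Web Access Control decision logic for the options described above.

Added example for illustration; it is not GravityZone code. Names, the
first-match rule precedence and prefix matching are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Set, Tuple


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the two wildcards; every other character is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # zero or more characters
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def normalize(url: str) -> str:
    """Drop the scheme so rules can be written the way the sample syntax list shows them."""
    return re.sub(r"^[a-z][a-z0-9+.\-]*://", "", url.strip(), flags=re.IGNORECASE)


def matches(pattern: str, url: str) -> bool:
    """Prefix match of the wildcard pattern against the scheme-less address (assumption)."""
    return pattern_to_regex(pattern).match(normalize(url)) is not None


@dataclass
class WebAccessPolicy:
    mode: str                                                          # "Allow", "Block" or "Schedule"
    blocked_cells: Set[Tuple[int, int]] = field(default_factory=set)  # (weekday, hour) cells from the grid
    rules: List[Tuple[str, str]] = field(default_factory=list)        # (pattern, "Allow" | "Block")

    def decide(self, url: str, now: datetime) -> str:
        """Return "Allow" or "Block"; web rules override the base action."""
        for pattern, permission in self.rules:
            if matches(pattern, url):
                return permission
        if self.mode == "Schedule":
            return "Block" if (now.weekday(), now.hour) in self.blocked_cells else "Allow"
        return self.mode


# Constructed samples (not from the product).
BLOCK_EXCEPT_INTRANET = WebAccessPolicy(
    mode="Block", rules=[("*intranet.example.com*", "Allow")])
OFFICE_HOURS = WebAccessPolicy(
    mode="Schedule",
    blocked_cells={(day, hour) for day in range(5) for hour in range(9, 18)},  # Mon-Fri 09:00-17:59
    rules=[("*.example.com*", "Allow")])
MONDAY_10AM = datetime(2024, 1, 1, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)

if __name__ == "__main__":
    for pattern, url in (("www.example*", "http://www.example.com/page"),
                         ("www.example*", "https://subdomain.example.com"),
                         ("*example.com", "https://subdomain.example.com/index"),
                         ("*.com", "http://www.example.com"),
                         ("www.example?.com", "http://www.exampleA.com")):
        print(f"{pattern:18} {url:40} {matches(pattern, url)}")
    print(OFFICE_HOURS.decide("https://news.example.org/", MONDAY_10AM),
          OFFICE_HOURS.decide("https://news.example.org/", SATURDAY_10AM))
```

Escaping every non-wildcard character before compiling is what keeps a rule such as *.com from silently matching more than intended; without re.escape the dot would match any character.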

Web Access Control for iOS

Enable this option to centrally manage the settings of the built-in iOS browser (Safari).

Mobile device users will no longer be able to change the corresponding settings on their device.

  • Allow use of Safari.

    This option helps you control the use of Safari browser on mobile devices.

    Disabling the option removes the Safari shortcut from the iOS interface, thus preventing users from accessing the Internet via Safari.

  • Enable auto-fill.

    Disable this option if you want to prevent the browser from storing form entries, which may include sensitive information.

  • Force fraud warning.

    Select this option to ensure that users are warned when accessing fraudulent web pages.

  • Enable Javascript.

    Disable this option if you want Safari to ignore JavaScript on websites.

  • Block pop-ups.

    Select this option to prevent pop-up windows from opening automatically.

  • Accept cookies.

    Safari allows cookies by default.

    Disable this option if you want to prevent websites from storing browsing information.

Important

Web Access Control for iOS is not supported starting with iOS 13.