Knowledge base
Managing mobile devices
Posted by Štěpán Horký, Last modified by Dana Balaštíková on 19 May 2020 08:53 AM

Safetica Mobile helps you manage and secure user devices with anti-theft features, policies, and app management. The features can be configured in different parts of WebSafetica. 

Safetica Mobile can work in two modes:

  1. Device Admin – Safetica manages the whole device.
  2. Work profile – company apps, accounts and data are separated from private ones via a work profile which is protected by Safetica. Learn more in the Safetica Knowledge Base.

Mobile device overview 

This is the primary view for mobile device management. It can be found in WebSafetica in Data security > Mobiles.

The Security state column offers a quick overview of possible security problems. Clicking individual rows leads to Device detail with more information. To go back to the Mobiles page, just click the back arrow in your browser. 

The Last connection column monitors device activity. If there is no activity for more than 7 days, security state switches to Warning. After 30 days of inactivity, the device state changes to Critical

Other columns enable better identification or easier filtering and overview of managed devices.  

 

Device detail 

Every mobile device has its own Device detail page with more information about the device itself, its security state, applied policies, installed apps and anti-theft operations. The administrator usually opens Device detail in case of security issues or other problems with devices. 

 

Anti-theft operations 

Anti-theft features secure a stolen or lost device. They are used as the last resort in case of problems and are heavily dependent on the internet connection of the device. 

  • Locate device finds and displays device GPS coordinates (with a certain inaccuracy). For Android: if the device GPS is turned off, the feature waits for 20 minutes and then it tries to get the coordinates again. For iOS: if the device doesn’t return coordinates, the operation is stopped. 
  • Lock device remotely locks the device screen with a password within a few seconds. 
  • Remove lock password works only for devices with Android 6 or 5 and without encrypted memory. This will remotely remove screen lock. 
  • Reset factory defaults works only for company devices. This operation remotely wipes a device and deletes all data. If you want to re-enroll a wiped device, you must manually delete its record from WebSafetica.
  • Delete work profile works only for personal devices with work profile activated. This operation remotely deletes the work profile and wipes all company data and apps contained there. Without activated work profile, a personal device cannot be wiped remotely. 

Install apps on Android devices

You can remotely send files with apps to be installed on Android devices. In Device detail, click the INSTALL APPLICATION button. 

  1. In file explorer, select your .apk file and click Open
  2. App is uploaded on server and sent to the device. 
  3. User is notified about the new app waiting to be installed.
  4. User can also check pending installs in Safetica Mobile app.

Note: If the mobile device uses a work profile, you should force app installations via the Managed Apps feature described below.

Change device user 

To change the user of a device, go to Device detail and in General information find the row User. Click the pencil icon on the right and choose a new user. 

Note: If you move the device to a user in a different user tree section, new policies will apply. 

Policies for mobile devices

Policies for mobile devices can be found in Policies > Mobile devices. They help you create a secured workspace to prevent data loss and manage mobile settings in the whole company. Every policy is applied to a node in the user tree which contains a group of users and devices. You can easily recognize which policy is applied by its icon next to the node. Only one policy of each type can be active on a user tree node. 

Password policies

Here you can enforce screen lock on devices. For Android devices, you can secure either the whole device or only the work profile. You can choose an easy password by selecting the Allow simple value checkbox, or a more sophisticated password by determining your personal requirements in the policy window. 

Once a policy is set, all relevant devices are notified (if they do not fulfill the new settings). iOS devices enforce password change in one hour or less. Android devices do not allow users to lower the security of their passwords and keep notifying them until they change their settings. 

Wi-Fi 

Here you can enforce Wi-Fi settings for user devices. You can add several Wi-Fi networks into one policy. If you are not sure which Security type your Wi-Fi uses, choose WPA-PSK. 

When the policy is set, devices will be able to connect to Wi-Fi networks as if they were saved manually. You can’t, however, force a device to connect exclusively to your pre-configured Wi-Fi networks (if it knows others as well). 

Restrictions 

Restrictions allow the administrator to disable some of the device apps or features.

For iOS: By disabling App Store, you make your iOS device dependent on pre-installed apps or apps installed by the administrator using Managed apps.

For Android: Many restrictions are available for securing the work profile. After installation, restrictions Disable debugging feature and Disable install from unknown sources are enforced by default. 

Managed apps

With the Managed apps feature, the administrator can remotely install and configure apps from Google Play and App Store and also set permissions and policies for them.

For iOS: Insert the Apple App Store or iTunes URL of the app. If you choose Protect managed apps data in Restrictions, apps installed by this feature will be unable to share data with unmanaged apps.  

Note: You can only add one app at a time, otherwise the other apps will not be installed.

For Android: The Managed apps feature can only be used in the work profile. Click Manage under the Android apps picture. You can approve apps for use in the work profile and set their installation policies (whether they should be blocked or allowed for users in Google Play or whether their installation should be enforced). Approved apps are listed in the column on the left.

Approved apps can be configured by clicking on the pencil icon. In the Permissions view, the administrator can set permissions for individual approved apps. In the Configuration view, preconfigured values for users can be set using variables (e.g. email address that the user will use in Gmail or Outlook). Available variables: $email$ - email from invitation; $username$ - name from invitation; $fullname$ - login name from Microsoft Active Directory.

Available modes:

  • Default – uses permission settings from Management > General > Safetica Mobile Settings > Default permissions for managed apps.
  • Ask user – asks user to grant the permission.
  • Grant – permission is automatically granted.
  • Deny – permission is automatically denied. 

File Audit 

This feature can be used on Android 8 or higher and you can configure it in Management > General > SAFETICA MOBILE SETTINGS. You can choose whether to audit files only on company devices or whether to extend the audit also to personal devices. Company devices detect all files, while personal devices (including the work profile) skip multimedia files like pictures, videos, or sound. File Audit detects new files downloaded or created on mobile devices from the moment you enable it. It does not scan the mobile depository or read the content of any detected files 

All detected files can be seen in Data security > Dataflow > All dataflow after filtering Destination type as Mobile.

(2 vote(s))
Helpful
Not helpful