
Use security policies to monitor the security status of your managed devices.

Procedure

  1. Go to Mobile Security > Mobile Security Policies.
  2. On the Android or iOS/PadOS tab, click Create.
  3. Under General, specify the policy name and description, set the priority of the policy, and click Next.
    Priority has two options:
    • Highest: Select this to make the policy a top priority. It will be evaluated before all other policies.
    • Lowest: Select this if the policy should be a lower priority. It will be evaluated after all other policies, with the exception of the default policy. The default policy is always the last to be evaluated regardless of other settings. If you set a policy to Lowest, the policy will be evaluated just before the default policy.
    Tip
    After the policy is created, you can change the priority by dragging the policy up or down the policy list.
  4. Under Security Settings, configure Malware Detection, Wi-Fi Protection, and Web Reputation settings, and click Next.
    The security settings for Android devices differ slightly from those for iOS and iPadOS devices.
    Section
    Setting
    Malware Detection
    1. Choose if you want Mobile Security to scan just the mobile apps on your devices, or if you want it to scan both mobile apps and Android Application Package (APK) files.
      Note
      Scanning APK files requires your users to turn on the Storage permission on their devices.
    2. Configure malware scan criteria.
      • Malware
      • Unofficially modified app content or data (For Android only)
      • Transmission of personal data without consent (For Android only)
      • System or app vulnerabilities (For Android only)
      Each type of threat is assigned a risk level as defined by the risk level profile. The overall risk level of the targeted device is then calculated by considering the risk levels of all selected threat types.
    Wi-Fi Protection
    1. Turn on the toggle for Wi-Fi Protection.
    2. Configure Wi-Fi scan criteria.
      • Automatic decryption of HTTPS traffic
        The Wi-Fi network traffic is decrypted, which may result in data leakage.
      • Unsafe access point
        The device is connected to an insecure Wi-Fi network.
      Each type of threat is assigned a risk level as defined by the risk level profile. The overall risk level of the targeted device is then calculated by considering the risk levels of all selected threat types.
    Web Reputation
    Trend Micro Web Reputation technology assigns websites a "reputation" based on an assessment of the trustworthiness of a URL, derived from an analysis of the domain.
    1. Turn on the toggle for Web Reputation.
    2. Select Enforce on all devices that the policy applies to.
      This setting enforces Web Reputation on all targeted devices by automatically setting up a local VPN on the devices.
    3. Select Enable and log access to all websites.
      This setting permits your users to access potentially blocked websites and records each access in Mobile Detection Logs.
    4. Select a security level.
    5. To automatically approve or block certain websites, specify the websites in the following formats and add them to the allow list or to the block list:
      • URL
      • FQDN
      Both URLs and FQDNs support the following wildcard character: *
    Non-required Permissions
    Important
    Device permission options are available for Android devices only.
    Select the permissions that you do not want to prompt users to grant upon installation of the Mobile Security for Business app.
    • Do not require phone number access permission
    • Do not require phone battery access permission
    Users will later be prompted to grant these permissions on their devices when they need to use the related functions.
    Deepfake Detector
    Important
    Deepfake Detector is currently only available for iOS 14 and later.
    Select whether to enable detection of synthesized images in video calls using advanced AI. For more information, see Deepfake Detector.
    Proxy settings
    To use Service Gateway as a proxy to connect managed devices to Trend Vision One services and other internet resources, select Send Mobile Agent traffic through the Service Gateway proxy service. This feature helps you control mobile device access within your company.
    For this feature to work, make sure that you have deployed Service Gateway in your network with the Forward Proxy Service enabled and properly configured to allow connection to destination services. If you have deployed multiple Service Gateways in the network, the Mobile Agent will connect to any Service Gateway based on availability.
    Important
    • The Mobile Agent uses a local VPN to connect to the Service Gateway. Make sure that your end users have enabled the local VPN in their Mobile Agents for the traffic to be forwarded to Service Gateway.
    • Compared with Service Gateway, Zero Trust Secure Access (ZTSA) provides more powerful Internet access control functionality. If your network is using ZTSA with Internet Access and AI Service Access enabled, Mobile Agents in the network will send traffic to ZTSA instead of the Service Gateway proxy service.
  5. On the Assignment tab, assign the policy to your assignment groups by selecting one or more groups and clicking Save.
    The users or devices targeted by your policy are evaluated for security when they check in with Mobile Security.
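
An added example for the Web Reputation allow list and block list in step 4 (not Trend Micro code): a pre-check for wildcard entries before they are entered in the console. It assumes `*` matches any run of characters across the whole entry, which this page does not specify; the function names and hostnames are constructed for illustration.

```python
import re

# Assumption: "*" matches any run of characters and the entry must match the
# whole value, case-insensitively. The page only says "*" is supported.
def wildcard_match(entry, candidate):
    regex = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.fullmatch(regex, candidate, re.IGNORECASE) is not None

def host_part(entry):
    """Return the host portion of a URL or FQDN entry, lower-cased."""
    rest = entry.split("://", 1)[-1]
    return rest.split("/", 1)[0].lower()

def lint_entry(entry):
    """Return findings for wildcard placements that widen an entry's scope."""
    host = host_part(entry)
    if not host.replace("*", "").strip("."):
        return ["matches-any-host"]
    findings = []
    if host.startswith("*") and not host.startswith("*."):
        findings.append("leading-wildcard-without-dot")
    if host.endswith("*"):
        findings.append("trailing-wildcard-in-host")
    return findings

def audit(entries):
    """Map each risky entry to its findings; clean entries are omitted."""
    return {e: f for e in entries if (f := lint_entry(e))}

# Constructed sample allow list (reserved example domains only).
SAMPLE_ALLOW_LIST = [
    "*.example.com",
    "*example.com",
    "example.com*",
    "https://portal.example.com/app/*",
    "https://*/login",
]

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_ALLOW_LIST).items():
        print(f"{entry}: {', '.join(findings)}")
    # Why the findings matter under the assumed semantics:
    print(wildcard_match("*example.com", "notexample.com"))
    print(wildcard_match("example.com*", "example.com.other.test"))
    print(wildcard_match("*.example.com", "example.com"))
```

Under the assumed semantics, `*.example.com` does not cover the bare `example.com`, so an allow list that needs both requires two entries.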