Configuring mobile policies for ChromeOS devices

Views:

Configure mobile policies for ChromeOS devices in your organization based on your security requirements.

Important

A group, assignment group, or organizational unit can only be on the target list of one policy at a time.
In Google Workspace, one user can only be assigned to one organizational unit.
If a user is the member of multiple groups and the groups are targets of different policies, only the highest priority policy affects the user.

Note

ChromeOS policies are not available when you integrate with an MDM through managed configuration.

Procedure

On the Trend Vision One console, go to Mobile Security → Mobile Policy.
Click the ChromeOS tab.
Click Create or click the name of an existing policy.

On the General Settings screen, specify a policy name and select the protection strength that best suits your needs, or click Custom to customize your own policy.

Important

The protection strength selected in the General Settings screen provides predefined settings accordingly in subsequent steps. You can modify the predefined settings during later configuration.

If you modify the predefined settings, the protection strength changes to Custom.

Configure Malware Detection settings.
1. Click Malware Detection.
2. Choose the scan scope.
3. Configure malware scan criteria.
  - Malware
  - Unofficially modified app content/data
  - Transmission of personal data without consent
  - System/App vulnerabilities
Configure Configuration Manager settings.
1. Click Configuration Manager.
2. Configure configuration scan criteria.
  
  Criteria
  
  Description
  
  Rooted device
  
  The device is rooted.
  
  Developer mode enabled
  
  The developer mode is enabled.
  
  USB debugging enabled
  USB debugging is enabled.
Configure Web Reputation settings.

Trend Micro Web Reputation technology assigns websites a "reputation" based on an assessment of the trustworthiness of a URL, derived from an analysis of the domain.
1. Click Web Reputation.
2. Select a security level.
3. To automatically approve or block certain websites, specify the websites in the following formats based on device platforms and add them to the allow list or to the block list.
  Item
  
  Format
  
  Website format
  
  URL
  
  FQDN
  
  IP address
  
  CIDR block
  
  Wildcard character support
  
  *
  
  ?
  Tip
  
  * : Matches any number of characters
  
  ? : Matches a single character in a specific position

Criteria	Description
Rooted device	The device is rooted.
Developer mode enabled	The developer mode is enabled.
USB debugging enabled	USB debugging is enabled.

Item	Format
Website format	URL FQDN IP address CIDR block
Wildcard character support	* ?

Configure policy targets.

Click Targets.

Specify one or more groups, assignment groups, or organizational units.

Note

Specifying a group, assignment group, or organizational unit that is on the target list of another policy removes it from the previous policy. The previous policy no longer affects the group, assignment group, or organizational unit.

Configure advanced settings to schedule Mobile Security scanning by selecting Scheduled scan and specifying the scan frequency.
Click Save.
(Optional) Click Continue if you are prompted to confirm the policy changes.

Note

This step is required only if you have added or deleted policy targets when editing a policy.