Hardware reference guide
GlobalProtect Administrator’s Guide 83
Set Up the GlobalProtect Mobile Security Manager Define Deployment Policies
The way you choose to manage and configure the mobile devices depends on the particular requirements in
your company and the sensitivity of the resources to which the configurations provide access. For details on
setting up HIP notification messages, see Define HIP Objects and HIP Profiles.
Mobile Security Manager Policy Best Practices
Before defining the configuration profiles, provisioning profiles, and device restrictions to push to managed
devices, consider the following best practices:
Create a default policy rule that checks for device vulnerabilities—Because of their utility, mobile
devices—even those that are corporate owned—are used for a variety of purposes beyond business, which can
leave them open to vulnerabilities and theft. Just as you would want to ensure that the laptops and computers
that access your network are properly maintained and secured, so should you ensure that the mobile devices
accessing your corporate systems are free from known vulnerabilities. By using HIP profiles that check for
device compliance with the standards you define, you can ensure that configuration profiles that enable
access to your corporate resources are only pushed based on whether or not the device has known
vulnerabilities, such as whether or not it is jailbroken/rooted or whether it contains apps that are known to
have malware. The best way to do this is to create a default policy rule that matches devices that contain a
vulnerability, based on HIP match. For devices that match the rule, the policy would either deliver an empty
profile (that is, you would not attach any profiles to it) or deliver a profile that contains a password
requirement only (in case the vulnerable device contains any corporate data or has access to corporate
systems). In this case you would also want to make sure to create a HIP Match notification to inform users as
to why they are not receiving their account settings.
Require complex passcodes and data encryption—Due to their portable nature, mobile devices are easy to
lose and easy to steal. If a device without a passcode gets into the wrong hands, any corporate systems that
are accessible from the device are then at risk. Therefore, you should always require a passcode on the
devices you manage. In addition, because Android devices do not automatically encrypt data upon setting a
passcode like iOS devices do, you should also always require managed Android devices to have data
encryption enabled. Although there are a couple of ways to enforce these requirements, the easiest way is to
include the passcode and encryption requirements in every configuration profile you push. Including the
device requirements within the configuration profiles that enable access to your corporate resources—such
as email, VPN, or Wi-Fi—forces the mobile device user to set a passcode that meets your requirements and
to enable data encryption before the profile is installed, which prevents the end users from accessing the
corresponding account until the device is in compliance.
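The two best practices above (a default HIP-match rule for vulnerable devices that withholds account settings, and passcode and encryption requirements carried by every pushed profile) can be modeled as a small decision function. This is an added illustration, not Palo Alto Networks code: the device attributes, profile names, minimum passcode length, and the assumption that the vulnerability rule is checked before any access profile is selected are all constructed for the example.

```python
from dataclasses import dataclass

MIN_PASSCODE_LENGTH = 6                       # assumed complex-passcode requirement
ACCESS_PROFILES = ["email", "vpn", "wifi"]    # assumed profiles that grant corporate access

@dataclass
class Device:
    os: str                 # "ios" or "android"
    jailbroken: bool        # jailbroken (iOS) or rooted (Android)
    malware_apps: tuple     # installed apps flagged as known malware (constructed HIP data)
    passcode_length: int    # 0 means no passcode is set
    encrypted: bool         # data encryption reported as enabled (meaningful on Android)

def hip_vulnerability(dev):
    """HIP match for the default 'vulnerable device' rule; returns the reason or None."""
    if dev.jailbroken:
        return "device is jailbroken/rooted"
    if dev.malware_apps:
        return "known malware apps installed: " + ", ".join(dev.malware_apps)
    return None

def unmet_requirements(dev):
    """Requirements every pushed profile carries; a profile installs only once all are met."""
    unmet = []
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        unmet.append("passcode")
    # iOS encrypts data once a passcode is set; Android must enable encryption explicitly.
    if dev.os == "android" and not dev.encrypted:
        unmet.append("encryption")
    return unmet

def apply_policy(dev):
    """Return the profiles the policy selects, those that actually install, and any HIP notification."""
    reason = hip_vulnerability(dev)
    if reason:
        # Default rule matched (assumed to be evaluated first): withhold the access profiles,
        # push a passcode-only profile, and tell the user why the account settings are missing.
        selected = ["passcode"]
        notification = f"Account settings withheld: {reason}."
    else:
        selected = list(ACCESS_PROFILES)
        notification = None
    pending = unmet_requirements(dev)
    installed = [] if pending else list(selected)   # nothing installs until the device complies
    return {"selected": selected, "installed": installed,
            "pending": pending, "notification": notification}
```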