Applying the Harmony Mobile Protect App Configuration and Policy Enforcement

If a device is at risk because of a malicious app or activity, Harmony Mobile notifies the user through in-app notifications. It also updates the device's risk state and sets the matching risk_level extension attribute for that device in Jamf Pro. Jamf Pro then adds the device automatically to a Smart Mobile Device Group whose criteria reference that extension attribute. For enforcement to take place, Jamf Pro must have a Configuration Profile scoped to that Mobile Device Group.

For example, if an administrator blocks the Waze app, all devices on which Waze is installed are identified as devices at High Risk (“risk_level” = “CHKP_Risk_High”). The Harmony Mobile Dashboard notifies the user and sets “risk_level” to “CHKP_Risk_High” for the device in Jamf Pro. This adds the device to the Smart Mobile Device Group “CHKP_Risk_High”, and Jamf Pro then enforces the policy actions specified in the Configuration Profile scoped to that group. This mitigation process is described in Integration with Jamf Pro and Configuring Jamf Pro Integration Settings.


Configuring the Harmony Mobile Protect App Installation

If the Harmony Mobile Protect app is not installed on a device, or is removed from it, the device is marked as not protected. The Smart Group below collects such devices so that the Configuration Profile for non-compliant devices can be applied to them.

To configure the Required/Automatic Installation:

  1. On Jamf Pro, go to Devices > Smart Device Groups > New.


  2. Configure settings in the Mobile Device Group section:

    In Display Name, enter the group name (recommended: “Not Protected Devices”).

  3. Configure settings in the Criteria section:

    1. Click Add.

    2. Click Show Advanced Criteria.

    3. Scroll down to the App Name option and click Choose.

    4. In the Operator field, select does not have.

    5. For Value, click the (…) on the right.

    6. Scroll down to Protect (the Harmony Mobile Protect app) and click Choose.

    7. Click Save.

  4. Click Done.



Creating Smart Group for Devices with High Risk

  1. Go to Devices > Smart Device Groups > New.


  2. Configure the settings in the Mobile Device Group section:

    1. In Display Name, enter the group name (recommended: “CHKP_Risk_High”).

    2. Select the option Send email notification on membership change (recommended).

  3. Configure the settings in the Criteria section:

    1. Click Add.

    2. Click Show Advanced Criteria.

    3. Scroll down to the risk_level option and click Choose.

    4. In the Operator field, select is.

    5. In the Value field, enter CHKP_Risk_High.

    6. Click Save.

  4. Click Done.

    Note - Check Point recommends that you create a separate Smart Group for each risk level and for each device status (active, inactive, and more).
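The two Smart Groups above can also be created with the Jamf Pro Classic API, which is the practical route when you follow Check Point's recommendation and need one group per risk level and per device status. The script below is an added example, not Check Point's or Jamf's code. It assumes JAMF_BASE_URL is your Jamf Pro URL, that you already hold a bearer token from /api/v1/auth/token, and that the Harmony Mobile integration writes the extension attribute named risk_level exactly as described on this page. It also evaluates the same criteria locally against a constructed device record, which lets you reconcile Jamf's group membership against what the risk_level attribute and the installed-app list say.

```python
"""Create the Smart Mobile Device Groups from this procedure through the
Jamf Pro Classic API and reconcile a device record against the same criteria.

Added example: not Check Point's or Jamf's code. Assumptions: JAMF_BASE_URL,
a bearer token obtained from /api/v1/auth/token, and that the Harmony Mobile
integration writes the extension attribute named 'risk_level' as the page says.
"""
import urllib.request
import xml.etree.ElementTree as ET

JAMF_BASE_URL = "https://jamf.example.com"  # assumption: your Jamf Pro URL

# Criteria mirror the UI steps: (criterion name, operator, value).
HIGH_RISK_CRITERIA = [("risk_level", "is", "CHKP_Risk_High")]
NOT_PROTECTED_CRITERIA = [("App Name", "does not have", "Protect")]


def smart_group_xml(name, criteria):
    """Build the Classic API payload for a smart mobile device group."""
    root = ET.Element("mobile_device_group")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "is_smart").text = "true"
    crit_root = ET.SubElement(root, "criteria")
    for priority, (crit_name, search_type, value) in enumerate(criteria):
        c = ET.SubElement(crit_root, "criterion")
        ET.SubElement(c, "name").text = crit_name
        ET.SubElement(c, "priority").text = str(priority)
        ET.SubElement(c, "and_or").text = "and"  # join with the previous criterion
        ET.SubElement(c, "search_type").text = search_type
        ET.SubElement(c, "value").text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def criteria_from_xml(payload):
    """Parse a group payload back into (name, search_type, value) tuples."""
    root = ET.fromstring(payload)
    return [(c.findtext("name"), c.findtext("search_type"), c.findtext("value"))
            for c in root.iterfind("./criteria/criterion")]


def create_smart_group(token, payload, base_url=JAMF_BASE_URL):
    """POST the payload; id/0 tells Jamf Pro to allocate a new group id. Network call."""
    req = urllib.request.Request(
        f"{base_url}/JSSResource/mobiledevicegroups/id/0",
        data=payload, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/xml",
                 "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return int(ET.fromstring(resp.read()).findtext("id"))


def risk_level(record_xml):
    """Return the risk_level extension attribute of a mobile device record, or None."""
    root = ET.fromstring(record_xml)
    for ea in root.iterfind("./extension_attributes/extension_attribute"):
        if ea.findtext("name") == "risk_level":
            return (ea.findtext("value") or "").strip() or None
    return None


def expected_groups(record_xml):
    """Evaluate the same two criteria locally to reconcile against Jamf's membership."""
    root = ET.fromstring(record_xml)
    apps = {a.findtext("application_name") for a in root.iterfind("./applications/application")}
    groups = set()
    if risk_level(record_xml) == "CHKP_Risk_High":
        groups.add("CHKP_Risk_High")
    if "Protect" not in apps:  # app never installed or removed: not protected
        groups.add("Not Protected Devices")
    return groups


# Constructed sample record in the Classic API mobiledevices layout (trimmed).
SAMPLE_RECORD = b"""<mobile_device>
  <general><id>42</id><name>iPad-Finance-07</name></general>
  <applications>
    <application><application_name>Waze</application_name></application>
  </applications>
  <extension_attributes>
    <extension_attribute><name>risk_level</name><value>CHKP_Risk_High</value></extension_attribute>
  </extension_attributes>
</mobile_device>"""

if __name__ == "__main__":
    print(smart_group_xml("CHKP_Risk_High", HIGH_RISK_CRITERIA).decode())
    print("device 42 risk_level:", risk_level(SAMPLE_RECORD))
    print("device 42 should be in:", sorted(expected_groups(SAMPLE_RECORD)))
    # With a real token:
    # create_smart_group(token, smart_group_xml("Not Protected Devices", NOT_PROTECTED_CRITERIA))
```

The email notification on membership change recommended in the UI steps is not set by this payload; enable it in the group's settings after creation. Keep the group names identical to the extension attribute values (CHKP_Risk_High and so on) so that the membership you see in Jamf Pro can be matched directly to the risk level Harmony Mobile reported.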

Creating Configuration Profile for Compromised Devices

For compromised and unprotected devices, you must configure and apply a separate Configuration Profile. Because the profile is scoped to the Smart Groups, Jamf Pro applies it when a device enters a group and removes it when the device leaves (for example, when Harmony Mobile clears the risk or the Protect app is reinstalled), so the restriction is lifted automatically once the device is compliant again.

  1. Go to Devices > Configuration Profiles > New.

  2. Configure the settings in the Options section.

    Note - In this example, the camera is blocked on the targeted devices as a test restriction. You can configure other actions instead, for example, removing apps.

    • In the General tab, enter the Profile name, for example, Non-Compliant Devices.

    • In the Restrictions tab, click Configure.

    • In the iOS > Functionality section, clear the Allow use of camera option.


    • In the Scope > Targets section:

      1. In the Selected Deployment Targets row, click Add.

      2. Click the Mobile Device Groups tab.

      3. In the row of the Smart Group that you created for devices at risk (CHKP_Risk_High; see Creating Smart Group for Devices with High Risk), click Add.

      4. In the Not Protected Devices Smart Group row, click Add.

      5. Click Save.

  3. Click Done.