Anti-Phishing for Android and Android Enterprise devices
This section covers anti-phishing protection functionality for Android and Android Enterprise devices.
MobileIron tries to establish itself as the default URL interceptor so that it can scan each URL and block it if it is unsafe. On Android devices managed in MobileIron Core, phishing protection cannot be provided if the end user types the URL directly into a browser.
NOTE: Although MobileIron clients implement phishing protection, if a third-party app opens a URL in its in-app browser, the MobileIron client cannot provide the phishing protection.
Before you begin
- Be sure that Android Enterprise is installed on Core. See "Setting up MobileIron Core for Android enterprise" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
- An understanding of the deployment models and modes for Android devices is necessary.
  - For information about Android deployment devices, see "Android Deployment Models" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
  - For information about modes for Android enterprise devices, see "Android enterprise overview" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
How MobileIron Phishing Protection for Android works
- In the Admin portal, you create an MTD anti-phishing policy to ensure that device users will be blocked from malicious URLs.
- Device users enable MobileIron Phishing Protection.
  - Android native and Android Knox: A notification is sent to users' devices stating that MobileIron Phishing Protection has been enabled, and the device user is invited to activate it on the device. During this process, the device user is asked to select a default browser. It is recommended that the device user select Mobile@Work as the default browser. The user's choice of browser is saved in the device.
    NOTE: If the device user does not enable MobileIron Phishing Protection or the device is considered non-compliant, the end user will not be asked to set Mobile@Work as the default browser.
  - Android Enterprise: MobileIron Phishing Protection is silently enabled on the user device with Mobile@Work set as the default browser.
    NOTE: To verify whether a device user enabled MobileIron Phishing Protection, see the Device Details page in MobileIron Core.
- When the device user taps on a URL, MobileIron Phishing Protection is triggered. The default browser intercepts the URL, scans it, and if it is malicious, blocks it. Otherwise, the URL opens in an installed browser: Mobile@Work passes it on to an installed browser (if there is only one browser on the device) or displays a list of browsers (if there are multiple browsers on the device). The user's choice of browser is saved in the device.
- Refer to the table for a list of Android versions for default browser.
  NOTE: For Android 5.x devices, there is no default browser app setting.

Device Mode: How to select MobileIron client as the default browser
Device Admin mode
- Android 7.0+: User will be guided to select MobileIron client as the default browser app from the default apps settings.
- Android 6.x: User will be guided to select MobileIron client as the default browser from the main Settings by searching and navigating from the default apps settings.
- Android 5.x: User has to select MobileIron client from the list of browsers displayed by Android.
Work Profile (Profile Owner) (Android 5.0 through the latest version as supported by MobileIron)
Managed Device (Device Owner) (Android 5.0 through the latest version as supported by MobileIron)
- Android Enterprise: MobileIron client will be set as the default browser. The user will be prompted to set MobileIron client as the default browser only if this setting gets cleared from Settings.
Managed Device with Profile Owner (Android 8.0 through the latest version as supported by MobileIron)
- For both the device side and the profile side, MobileIron client will be set as the default browser in Settings, except on Samsung devices.
- On Samsung devices, the user has to explicitly choose MobileIron client as the default browser in both the device Settings and the work Settings. The work settings and device settings for the browser app are not on the same Settings page.
AppConnect (Android 5.0 through the latest version as supported by MobileIron)
MobileIron recommends distributing MobileIron Web@Work and enabling the following in the Global AppConnect policy for anti-phishing protection:
- Allow Web - If enabled, an unsecured browser can attempt to display a web page when a device user taps the page’s URL in a secure app.
- Allow non-AppConnect apps to launch URL using Web@Work - This will ensure that on URL clicks inside and outside the container, MobileIron client can intercept the URL for phishing protection and use the installed Web@Work to display the safe URLs. For more information, see the AppConnect section in the MobileIron Core product documentation. MobileIron Support credentials are required to access documentation in the Support Community.
After MobileIron client has been set or selected as the default browser to provide phishing protection:
Kiosk (Samsung devices from Android 5 to 8 and non-Samsung devices from Android 5 to 7) and Kiosk Android enterprise Device Owner mode (Android 5.0 through the latest version as supported by MobileIron): When a URL is clicked inside the kiosk and the URL is safe, it will display with the browsers available in kiosk mode. Kiosk mode remains active and functional if the phishing protection was enabled outside the kiosk and then removed while the device is in kiosk mode. Entering and exiting kiosk mode keeps the phishing protection functional inside and outside the kiosk.
When a user taps a URL:
- If the URL is not safe, it will be blocked.
- If the URL is safe, MobileIron client will render the URL with the browser available or display a list of browsers for the end user to choose to display URLs “Just Once” or “Always”.
  - Just Once – MobileIron will continue to show a list of browsers if there are multiple browsers.
  - Always – MobileIron client will save the selected browser. Next time, the saved browser package is used to render safe URLs.
NOTE: Once the user selects "Always" through the MobileIron client's list of browsers, the user cannot change the default browser for rendering safe URLs. As a workaround, install a new browser. On clicking the next safe URL, the user will again be shown a list of browsers, including the new browser.
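
Because protection depends on the MobileIron client being the default handler for tapped URLs, an administrator can check on a test device which app Android resolves for a web link. The script below is an added example, not part of the MobileIron documentation; the package name com.example.mdmclient, the activity name, and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify which app Android resolves for a tapped web URL.
# Feed it the output of (add "--user <id>" to query a work profile):
#   adb shell cmd package resolve-activity --brief \
#       -a android.intent.action.VIEW -d https://example.com
# EXPECTED_PKG is a placeholder, not the real client package name.
EXPECTED_PKG="${EXPECTED_PKG:-com.example.mdmclient}"

classify_url_handler() {
    # The last non-empty line of --brief output is "package/activity".
    component=$(printf '%s\n' "$1" | tr -d '\r' |
        awk 'NF { last = $0 } END { print last }')
    case "$component" in
        */*) pkg=${component%%/*} ;;
        *)   echo "unknown"; return 0 ;;   # e.g. "No activity found"
    esac
    if [ "$pkg" = "$EXPECTED_PKG" ]; then
        echo "client-default"      # tapped URLs reach the scanning client
    elif [ "$pkg" = "android" ]; then
        echo "no-default"          # system chooser: no default browser is set
    else
        echo "other-default:$pkg"  # URLs open without being scanned
    fi
}

# Constructed sample outputs (not captured from a real device).
HDR='priority=0 preferredOrder=0 match=0x208000 specificIndex=-1 isDefault=true'
SAMPLE_CLIENT="$HDR
com.example.mdmclient/.UrlInterceptActivity"
SAMPLE_CHOOSER="$HDR
android/com.android.internal.app.ResolverActivity"
SAMPLE_OTHER="$HDR
com.android.chrome/com.google.android.apps.chrome.IntentDispatcher"

for sample in "$SAMPLE_CLIENT" "$SAMPLE_CHOOSER" "$SAMPLE_OTHER" \
    "No activity found"; do
    classify_url_handler "$sample"
done
```

A result of "no-default" or "other-default" on a device that should be protected means the default browser setting was never made or has been cleared, which is the case the table above describes for each device mode.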