Configuring the zConsole Mobile Threat Response Policy

The Threat Response Matrix (TRM) defines the actions that Zimperium management console (zConsole) takes upon detecting an event. Among the options are:

  • Enable or disable detection of a specific threat classification
  • Alert the user
  • Define the text of the alert
  • Set protection actions

Before you begin 

After you modify these options, click Deploy to send, or sync, the new TRM to the devices currently logged in. When integrated and synced with MobileIron Core, each group used for integration is created as a group with its own TRM. Select which TRM to modify with the pull-down menu next to the Selected Group field. Only users and devices in the selected group receive the modified TRM. See below for a sample TRM.

Figure 1. Example Threat Response Matrix

NOTE: You must manually sync (deploy) zConsole with MobileIron Core. This aligns the labels in Core with the TRM settings.

Enable

The zConsole administrator has the option of disabling certain threat detections and, therefore, the collection of the associated forensics. In the Severity column, you can disable the status of "Elevated" or "Lower" by clearing the radio button in the row of the event. The change takes effect after you click Deploy again.

After deploying / syncing with MobileIron Core, when a threat is detected, zConsole instructs Core to move the device to the chosen label in the Threat Response Policy / Matrix. The workflow assigned to that label determines the action that Core takes on the device. The communication from zConsole to Core is performed securely through a MobileIron API call.

Severity

The administrator has the option of changing the threat severity levels to suit different business cases. The options are "Critical," "Elevated," "Low," and "Normal."

Threat

The threats listed in the Threat column represent the classes of threats that MobileIron Threat Defense detects. Threat classes are recognized by MTD, which is able to determine when a malicious event is happening.

Set User Alerts

Administrators cannot manage MTD alerts through zConsole. To implement and localize MTD alerts, use the Local Actions policy in Core. See Mitigation and compliance using Local Actions.

Set Device Action

Administrators can deploy device actions for Android and iOS devices on zConsole.

Procedure 

  1. From the MTD zConsole, navigate to the Policy > Threat Policy page.
  2. Use the pull-down menu in the Selected Group field to display your configuration group.
  3. Select the policy you want to modify.
  4. From the Device Action column, click the settings icon for the selected row, and select an action. zConsole securely communicates with Core and applies the action.
  5. To remove the device action, uncheck the action and click OK.

MDM Action

Administrators can enable server-enforced mobile device management (MDM) action items on the zConsole policies page.

Procedure 

  1. From the zConsole, navigate to the Policy > Threat Policy page.
  2. Use the pull-down menu in the Selected Group field to display your Core configuration group.
  3. Select the policy you want to modify.
  4. From the MDM Action column, click the drop-down arrow on the selected row, and select an action. zConsole securely communicates with Core and applies the action.
  5. To stop an action from being taken for a threat classification, change that threat's MDM Action to No Action.

Mitigation Action

When a threat detected by zConsole has been remediated and no longer poses a risk to the device, you can define specific actions to take. For example, when a device is determined to be under a Man-in-the-Middle attack, it can be prevented from accessing various corporate resources. When the device is moved to a clean network, you can automatically allow the device to access those resources again.

The Mitigation Action column can be used to assign actions. To remove the action that was performed as a response to a threat that is now mitigated, choose Remove. This action removes the device from the group it was assigned to when the threat was detected.

Due to the nature of some threats, not all threat classifications can be mitigated. The following table provides possible mitigation actions for a threat.

Table 1. Possible Mitigation Actions for a Threat

  Threat                                              Mitigation when the following events occur
  All man-in-the-middle (MITM) threats                When the device connects to a different basic service set identifier (BSSID).
  Root/Jailbroken                                     When the root flag on the device changes from true to false.
  EOP, system tampering, abnormal process activity    No mitigation. The only remedy is to flash the device, since it has been compromised.
  USB debugging                                       When USB debugging is enabled.
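As an added illustration (not Zimperium or MobileIron code), the following Python models how the TRM columns described above and the Table 1 triggers combine: an enabled detection moves the device to the row's Core label, and a Remove mitigation drops that label only when the threat's state-change condition is met, while a threat with no condition (EOP and similar) is never auto-mitigated. Threat names, label names and the device-state fields are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed model of one TRM row; column names follow the page, values are
# placeholders rather than Zimperium or MobileIron identifiers.
@dataclass(frozen=True)
class TrmRow:
    enabled: bool        # Enable column: a disabled row collects no forensics
    severity: str        # "Critical", "Elevated", "Low" or "Normal"
    mdm_action: str      # Core label the device is moved to, or "No Action"
    mitigation: str      # "Remove" (leave that label) or "No Action"

# Table 1 triggers as predicates over (device state before, device state after).
# Threat classes with no predicate cannot be mitigated by any state change.
MitigationRule = Callable[[dict, dict], bool]
MITIGATION_RULES: Dict[str, MitigationRule] = {
    "MITM": lambda before, after: before["bssid"] != after["bssid"],
    "Root/Jailbroken": lambda before, after: before["rooted"] and not after["rooted"],
}

# Constructed TRM for one integration group (label names are placeholders).
TRM: Dict[str, TrmRow] = {
    "MITM": TrmRow(True, "Critical", "LABEL_MITM_QUARANTINE", "Remove"),
    "Root/Jailbroken": TrmRow(True, "Elevated", "LABEL_ROOTED", "Remove"),
    "EOP": TrmRow(True, "Critical", "LABEL_COMPROMISED", "No Action"),
    "USB debugging": TrmRow(False, "Low", "LABEL_USB_DEBUG", "Remove"),
}

def on_threat_detected(threat: str,
                       labels: FrozenSet[str]) -> Tuple[FrozenSet[str], Optional[str]]:
    """Return (labels after the event, severity) as zConsole would instruct Core.
    A disabled or unknown threat class yields no label move and no severity."""
    row = TRM.get(threat)
    if row is None or not row.enabled:
        return labels, None
    if row.mdm_action == "No Action":
        return labels, row.severity
    return labels | {row.mdm_action}, row.severity

def on_state_change(threat: str, before: dict, after: dict,
                    labels: FrozenSet[str]) -> Tuple[FrozenSet[str], bool]:
    """Apply the Mitigation Action when the Table 1 trigger for the threat fires.
    Returns (labels after mitigation, whether a mitigation occurred)."""
    row = TRM.get(threat)
    rule = MITIGATION_RULES.get(threat)
    if row is None or row.mitigation != "Remove" or rule is None:
        return labels, False           # not mitigatable by a state change
    if not rule(before, after):
        return labels, False           # condition not met, device stays labelled
    return labels - {row.mdm_action}, True
```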

Notifications

You can set up an email or SMS notification process for each specific threat. SMS notifications require the administrator's telephone number to be entered on the User page for that administrator. Each email or SMS contains an event summary and a link to the event, which can be viewed in a browser after login.

In this procedure, you configure the notifications and mitigation actions that apply to both iOS and Android devices.

Procedure 

  1. In the zConsole portal, select Policy. The Mobile Threat Response Policy page displays.
  2. Use the pull-down menu in the Selected Group field to display your Core configuration group.
  3. Click the Deploy button to deploy the policy on your devices.

    • The Threat column displays the supported threat that can be detected by the client.
    • The Device Action column displays the action taken after a threat is detected. This is an optional configuration.
