TRM Configuration Options

The following TRM threat response policy options are available:

Table 2. TRM configuration options

Option by Column

Description

Enable

Click to enable

Enable or disable threat detections. The Threat Management Console administrator can disable specific threat detections and, with them, the collection of the associated forensics. In the Severity column, you can disable the status of "Elevated" or "Lower" by clearing the radio button in the row of the event. The change takes effect the next time you click Deploy.

After deploying/syncing with MobileIron Cloud, when a threat is detected the Threat Management Console instructs Cloud to move the device to the custom attribute chosen in the TRM. The workflow assigned to that custom attribute determines the action Cloud takes on the device. Communication from the Threat Management Console to Cloud is performed securely through a MobileIron API call.

Severity

Select one of four levels

Severity threat levels. Administrators can change the threat severity levels, which is useful for different business cases. The options are "Critical," "Elevated," "Low," and "Normal."

Threats

auto-populated

Threat classes detected. The threats listed in the Threat column are the classes of threats that MTD detects. MTD recognizes these threat classes and determines when a malicious event is occurring.

Set User Alert

Click the gear to open.

Enable or disable user alerts.

NOTE: Administrators cannot manage MTD alerts through the Threat Management Console. In order to implement and localize MTD alerts, use the Show Notifications option in the MTD Local Actions configuration in MobileIron Cloud.

Device Action

Click the gear to open.

Select from these menu options to enable device actions in the Threat Management Console:

Android:

  • Disconnect Wifi
  • Network Sinkhole
  • Disable Bluetooth

iOS:

  • Network Sinkhole
  • Disable Bluetooth

Samsung Knox:

  • Use Android Actions
  • Disable App
  • Uninstall App
  • Block App
  • Isolate from Network
  • Data Loss Prevention

MDM Action

Click the gear to open.

When an actionable threat is detected, you define the action to take through the MobileIron Cloud Admin Console. The custom attributes you created in "Creating MTD custom attributes" populate this column; you cannot modify them from the Threat Management Console.

Mitigation Action

Select an option

When a threat detected by the Threat Management Console has been remediated and no longer poses a risk to the device, you can define the specific actions to take.

For example, when a device is determined to be under a man-in-the-middle attack, it can be prevented from accessing various corporate resources. When the device is moved to a clean network, you can automatically allow the device to access those resources again.

The Mitigation Action column can be used to assign actions. To remove the action that was performed as a response to a threat that is now mitigated, choose Remove. This action removes the device from the group it was assigned to when the threat was detected.

Possible mitigation actions for a threat

Due to the nature of some threats, not all threat classifications can be mitigated. The following list gives, for each threat class, the trigger that marks the threat as mitigated.

  • All man-in-the-middle attacks (MITM)—When the device connects to a different BSSID.
  • Root/Jailbroken—When the root flag on devices changes from true to false.
  • EOP, system tampering, abnormal process activity—No mitigation, the only mitigation is to flash the device because it has been compromised.
  • USB debugging—When USB debugging is enabled.
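The detect-then-mitigate flow of the MDM Action and Mitigation Action columns, modelled as an added example (constructed here, not the Threat Management Console's own code): a row is ignored when disabled, a detection assigns the row's Cloud custom attribute to the device, and a "Remove" mitigation action clears it only when the trigger listed above fires. Threat names, event shapes and attribute values are hypothetical placeholders.

```python
from dataclasses import dataclass

# Constructed model of one TRM row; column names follow Table 2, attribute values are placeholders.
@dataclass
class TrmRow:
    threat: str
    severity: str           # "Critical", "Elevated", "Low" or "Normal"
    enabled: bool           # a cleared row collects no detections or forensics
    custom_attribute: str   # MDM Action: Cloud custom attribute assigned on detection
    mitigation_action: str  # "Remove" clears that assignment once mitigated

def is_mitigated(threat: str, event: dict) -> bool:
    # Mitigation triggers taken from the list above; event dicts are a constructed shape.
    kind = event.get("type")
    if threat == "MITM":                       # device joined a different BSSID
        return kind == "bssid_change"
    if threat == "Root/Jailbroken":            # root flag went from true to false
        return kind == "root_flag" and event.get("old") is True and event.get("new") is False
    if threat in ("EOP", "System tampering", "Abnormal process activity"):
        return False                           # no mitigation: device must be flashed
    if threat == "USB debugging":              # trigger exactly as listed in the table
        return kind == "usb_debugging" and event.get("enabled") is True
    return False

class Trm:
    # Tracks which Cloud custom attribute (group) each device currently holds.
    def __init__(self, rows):
        self.rows = {r.threat: r for r in rows}
        self.device_attribute = {}             # device id -> custom attribute

    def on_detect(self, device: str, threat: str):
        row = self.rows[threat]
        if not row.enabled:                    # disabled detections are ignored
            return None
        self.device_attribute[device] = row.custom_attribute
        return row.custom_attribute

    def on_event(self, device: str, threat: str, event: dict):
        row = self.rows[threat]
        if (device in self.device_attribute and row.mitigation_action == "Remove"
                and is_mitigated(threat, event)):
            return self.device_attribute.pop(device)   # device removed from the group
        return None

def build_sample_trm() -> Trm:
    # Constructed sample policy; attribute names are placeholders, not product defaults.
    return Trm([
        TrmRow("MITM", "Critical", True, "mtd_mitm_quarantine", "Remove"),
        TrmRow("Root/Jailbroken", "Critical", True, "mtd_rooted", "Remove"),
        TrmRow("EOP", "Critical", True, "mtd_compromised", "None"),
        TrmRow("USB debugging", "Low", False, "mtd_usb_debug", "Remove"),
    ])
```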

Notification (Notify Me)

Click an icon

You can set up an email or SMS notification process for each specific threat. SMS notifications require the administrator’s telephone information to be set up in the User page of a given administrator. Each email or SMS contains an event summary and a link to the actual event that can be viewed in a browser after log-in.