Understanding URL Handler

You can configure URL Handler anti-phishing protection for Android and Android Enterprise devices with or without the anti-phishing VPN option. Ivanti tries to establish itself as the default URL interceptor to provide phishing protection, so that it can scan the URL and block the URL if it is unsafe.

On Android devices managed in Cloud, URL Handler cannot provide anti-phishing protection if the end user types the URL into a browser manually.

  1. In Cloud, you create an MTD anti-phishing configuration to ensure that device users will be blocked from malicious URLs.

  2. Device users enable Ivanti URL Handler phishing protection.

    1. Android native and Android Knox: A notification is sent to users' devices stating that the Ivanti Phishing Protection has been enabled and the device user is invited to activate it on the device. During this process, the device user is asked to select a default browser. It is recommended the device user select Go as the default browser. The user's choice of browser is saved in the device.

      If the device user does not enable Ivanti Phishing Protection or the device is considered non-compliant, the end user will not be asked to set Go as the default browser.

    2. Android Enterprise: Ivanti Phishing Protection is silently enabled on the user device with Go as the default browser.

      To verify if a device user enabled Ivanti Phishing Protection, see the Device Details page in Cloud.

  3. When the device user taps on a URL, Ivanti Phishing Protection is triggered. The default browser intercepts the URL, scans it, and if malicious, blocks it. Otherwise, the URL opens in an installed browser. Go passes it on to a installed browser (if there is only one browser on the device) or a list of browsers displays (if there are multiple browsers on the device). The user's choice of browser is saved in the device.

  4. Refer to the table for a list of Android versions for default browser.

    Table 1. Default browser action by Android release

    Device Mode

    How to select Ivanti client as the default browser

    Device Admin mode

    Android 7.0 through the latest version as supported by Ivanti: User are guided to select Ivanti client as the default browser app from the default apps settings.

    Work Profile (Profile Owner) (Android 5.0 through the latest version as supported by Ivanti)

    Managed Device (Device Owner) (Android 5.0 through the latest version as supported by Ivanti)

    Android Enterprise: Ivanti client is set as the default browser. The user is only prompted to set MobileIron client as the default browser if the setting becomes disabled.

    Managed Device with Profile Owner (Android 8.0 through the latest version as supported by Ivanti)

    For both device side and profile side, Ivanti client will be set as the default browser in Settings, except in Samsung devices.

    In Samsung devices, user has to explicitly choose Ivanti client as the default browser in the device Settings and work Settings. The work settings and device settings for the browser app are not in the same Settings page.

    AppConnect (Android 5.0 through the latest version as supported by Ivanti)

    Ivanti recommends distributing Ivanti Web@Work and enabling the following in the Global AppConnect policy for anti-phishing protection:

    • Allow Web - If enabled, an unsecured browser can attempt to display a web page when a device user taps the page’s URL in a secure app.
    • Allow non-AppConnect apps to launch URL using Web@Work - This will ensure that on URL clicks inside and outside the container, Ivanti client can intercept the URL for phishing protection and use the installed Web@Work to display the safe URLs. For more information, see the AppConnect section in the Ivanti product documentation under MobileIron Cloud.

See the following table for expected behavior after the Ivanti client has been set or selected as the default browser to provide phishing protection.

Table 2. Expected Client behavior by Android release

Device Mode

Description

Expected behavior

Kiosk

Samsung devices from Android 5.0 to 8.0 and non‑Samsung devices from Android 5.0 to 7.0.

When URL clicks are inside the kiosk, if the URL is safe, it will display with browsers available in the kiosk mode. Kiosk mode remains active and functional if the phishing protection was enabled outside the kiosk and then removed while the device is in kiosk mode. Exiting in and out of kiosk mode keeps the phishing protection functional inside and outside the kiosk.

When a user taps a URL:

  • If the URL is not safe, it will be blocked.
  • If the URL is safe, Ivanti client will render the URL with the browser available or display a list of browsers for end user to choose to display URLs “Just Once” or “Always”.
    • Just OnceIvanti will continue to show a list of browsers if there are multiple browsers.
    • AlwaysIvanti client will save the selected browser. Next time, the saved browser package is used to render safe URLs.

Once the user selects "Always" through the Ivanti client's list of browsers, the user cannot change the default browser for rendering safe URLs. As a workaround, install a new browser. On clicking the next safe URL, the user will be again shown a list of browsers, including the new browser.
Kiosk Android Enterprise Device Owner

Android 5.0 through the latest version as supported by Ivanti.