Understanding URL Handler

You can configure URL Handler anti-phishing protection for Android and Android Enterprise devices with or without the anti-phishing VPN option. Ivanti Mobile Threat Defense tries to establish itself as the default URL interceptor to provide phishing protection, so that it can scan the URL and block the URL if it is unsafe.

On Android devices managed in Ivanti EPMM, URL Handler cannot provide anti-phishing protection if the end user types the URL into a browser manually.

  • An understanding of deployment models for Android devices and modes is necessary.

    • For information about Android deployment devices, see "Android Deployment Models" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
    • For information about modes for Android Enterprise devices, see "Android Enterprise overview" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
  1. In Ivanti EPMM, you create an Ivanti Mobile Threat Defense anti-phishing policy to ensure that device users will be blocked from malicious URLs.

  2. Device users enable Ivanti Mobile Threat Defense URL Handler phishing protection.

    1. Android native and Android Knox: A notification is sent to users' devices stating that the Ivanti Mobile Threat Defense phishing protection has been enabled and the device user is invited to activate it on the device. During this process, the device user is asked to select a default browser. It is recommended the device user select Ivanti Mobile@Work client as the default browser. The user's choice of browser is saved in the device.

      If the device user does not enable Ivanti Mobile Threat Defense phishing protection or the device is considered non-compliant, the end user will not be asked to set Ivanti Mobile@Work client as the default browser.

    2. Android Enterprise: Ivanti Mobile Threat Defense phishing protection is silently enabled on the user device with Ivanti Mobile@Work client as the default browser. Verify this in the Ivanti EPMMDevice Details page.

  3. When the device user taps on a URL, MTD phishing protection is triggered. The default browser intercepts the URL, scans it, and if malicious, blocks it. Otherwise, the URL opens in an installed browser. Ivanti Mobile@Work client passes it on to a installed browser (if there is only one browser on the device) or a list of browsers displays (if there are multiple browsers on the device). The user's choice of browser is saved in the device.

    Refer to the following table for a list of Android versions for default browser.

    Table 12.  Default browser action by Android release
    Device Mode How to select MTD client as the default browser

    Device Admin mode

    Android 7.0 and newer versions: The user is guided to select Ivanti Mobile@Work client as the default browser app from the default apps settings.

    Work Profile (Profile Owner) (Android 5.0 and newer versions)

    Managed Device (Device Owner) (Android 5.0 and newer versions)

    Android Enterprise: Ivanti Mobile@Work client is set as the default browser. The user is only prompted to set the client as the default browser if the setting becomes disabled.

    Managed Device with Profile Owner (Android 8.0 and newer versions)

    For both device side and profile side, Ivanti Mobile@Work client will be set as the default browser in Settings, except in Samsung devices.

    In Samsung devices, user has to explicitly choose Ivanti Mobile@Work client as the default browser in the device Settings and work Settings. The work settings and device settings for the browser app are not in the same Settings page.

    AppConnect (Android 5.0 and newer versions)

    Ivanti recommends distributing Ivanti Web@Work and enabling the following in the Global AppConnect policy for anti-phishing protection:

    • Allow Web - If enabled, an unsecured browser can attempt to display a web page when a device user taps the page’s URL in a secure app.
    • Allow non-AppConnect apps to launch URL using Ivanti Web@Work - This will ensure that on URL clicks inside and outside the container, Ivanti Mobile Threat Defense client can intercept the URL for phishing protection and use the installed Ivanti Web@Work to display the safe URLs.

See the following table for expected behavior after the Ivanti Mobile Threat Defense client has been set or selected as the default browser to provide phishing protection.

Table 13.  Expected Client behavior by Android release
Device Mode Description Expected behavior

Kiosk

Samsung devices from Android 5.0 to 8.0 and non‑Samsung devices from Android 5.0 to 7.0.

When URL clicks are inside the kiosk, if the URL is safe, it will display with browsers available in the kiosk mode. Kiosk mode remains active and functional if the phishing protection was enabled outside the kiosk and then removed while the device is in kiosk mode. Exiting in and out of kiosk mode keeps the phishing protection functional inside and outside the kiosk.

When a user taps a URL:

  • If the URL is not safe, it will be blocked.
  • If the URL is safe, Ivanti Mobile@Work client will render the URL with the browser available or display a list of browsers for end user to choose to display URLs “Just Once” or “Always”.
    • Just OnceIvanti Mobile@Work client will continue to show a list of browsers if there are multiple browsers.
    • AlwaysIvanti Mobile@Work client will save the selected browser. Next time, the saved browser package is used to render safe URLs.

Once the user selects "Always" through the Ivanti Mobile@Work client's list of browsers, the user cannot change the default browser for rendering safe URLs. As a workaround, install a new browser. On clicking the next safe URL, the user will be again shown a list of browsers, including the new browser.

Kiosk Android Enterprise Device Owner

Android 5.0 and newer versions.