TRM Configuration Options

The following TRM threat response policy options are available:

Table 12.  TRM configuration options

Option by Column

Description
Enable

Click to enable

Enable or disable threat detections. The MTD console administrator can disable certain threat detections and, therefore, the collection of the associated forensics. In the Severity column, you can disable the "Elevated" or "Lower" status by clearing the radio button in the row of the event. The change takes effect the next time you click Deploy.

After deploying/syncing with Ivanti Neurons for MDM, when a threat is detected, the MTD console instructs Ivanti Neurons for MDM to move the device to the custom attribute chosen in the TRM. The workflow assigned to that custom attribute determines the action that Ivanti Neurons for MDM takes on the device. The MTD console communicates with Ivanti Neurons for MDM securely through an MTD API call.

Severity

Select one of four levels

Severity threat levels. Administrators can change the threat severity levels to suit different business cases. The options are "Critical," "Elevated," "Low," and "Normal."

Threats

auto-populated

Threat classes detected. The threats listed in the Threat column are the classes of threats that MTD detects. MTD recognizes these threat classes and can determine when a malicious event is happening.

Set User Alert

Click the gear to open.

Enable or disable user alerts.

Administrators cannot manage MTD alerts through the MTD console. In order to implement and localize MTD alerts, use the Show Notifications option in the MTD Local Actions configuration in Ivanti Neurons for MDM.

Device Action

Click the gear to open.

Select from these menu options to enable device actions on the MTD console:

Android:

  • Disconnect Wifi
  • Network Sinkhole
  • Disable Bluetooth

iOS:

  • Network Sinkhole
  • Disable Bluetooth

Samsung Knox:

  • Use Android Actions
  • Disable App
  • Uninstall App
  • Block App
  • Isolate from Network
  • Data Loss Prevention

MDM Action

Click the gear to open.

When an actionable threat is detected, you define the actions to take through the Ivanti Neurons for MDM administrator console. The custom attributes you created in Creating Ivanti Mobile Threat Defense custom attributes populate this column, but you cannot modify them from the MTD console.

Mitigation Action

Select an option

When a threat detected by the MTD console has been remediated and no longer poses a threat to the device, you can define specific actions to take.

For example, when a device is determined to be under a man-in-the-middle attack, it can be prevented from accessing various corporate resources. When the device is moved to a clean network, you can automatically allow the device to access those resources again.

Use the Mitigation Action column to assign these actions. To undo the action that was performed in response to a threat that is now mitigated, choose Remove; this removes the device from the group it was assigned to when the threat was detected.

Possible mitigation actions for a threat

Because of the nature of some threats, not all threat classifications can be mitigated. The following list gives, for each threat, the trigger condition on which its mitigation action occurs.

  • All man-in-the-middle attacks (MITM)—When the device connects to a different BSSID.
  • Root/Jailbroken—When the root flag on devices changes from true to false.
  • EOP, system tampering, abnormal process activity—No mitigation; because the device has been compromised, the only remedy is to flash it.
  • USB debugging—When USB debugging is enabled.
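The detect-then-mitigate workflow of this row (move the device to the row's custom attribute on detection, then Remove it once the trigger condition holds), as an added Python model that is not Ivanti or MTD code; the TrmRule/Device classes, the policy entries and the custom attribute names are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TrmRule:
    """One TRM row: Enable, Severity, MDM Action and Mitigation Action columns."""
    severity: str              # "Critical", "Elevated", "Low" or "Normal"
    enabled: bool              # a cleared row is not detected and collects no forensics
    custom_attribute: str      # Ivanti Neurons for MDM custom attribute the device is moved to
    mitigation: Optional[str]  # "Remove" or None when the threat cannot be mitigated

# Constructed policy: threat names and custom attribute names are hypothetical.
POLICY = {
    "MITM": TrmRule("Critical", True, "mtd_mitm", "Remove"),
    "Rooted": TrmRule("Critical", True, "mtd_rooted", "Remove"),
    "System Tampering": TrmRule("Critical", True, "mtd_tampered", None),
    "USB Debugging": TrmRule("Low", False, "mtd_usb_debug", "Remove"),
}

@dataclass
class Device:
    bssid: Optional[str] = None       # access point the device is connected to
    rooted: bool = False              # root/jailbreak flag reported by the agent
    custom_attributes: set = field(default_factory=set)
    active_threats: set = field(default_factory=set)

def on_threat(policy, device, threat):
    """Threat detected: move the device to the row's custom attribute (MDM Action)."""
    rule = policy.get(threat)
    if rule is None or not rule.enabled:
        return None   # detection disabled in the Enable column: nothing happens
    device.active_threats.add(threat)
    device.custom_attributes.add(rule.custom_attribute)
    return rule.custom_attribute

def on_state_change(policy, device, bssid, rooted):
    """Apply the new device state; undo MDM actions whose mitigation trigger fired."""
    old_bssid, old_rooted = device.bssid, device.rooted
    device.bssid, device.rooted = bssid, rooted
    removed = []
    for threat in sorted(device.active_threats):
        rule = policy[threat]
        # Triggers from the list above; EOP/tampering never clear automatically.
        fired = (threat == "MITM" and bssid != old_bssid) or (
            threat == "Rooted" and old_rooted and not rooted)
        if fired and rule.mitigation == "Remove":
            device.custom_attributes.discard(rule.custom_attribute)
            device.active_threats.discard(threat)
            removed.append(rule.custom_attribute)
    return removed
```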

Notification (Notify Me)

Click an icon

You can set up an email or SMS notification for each specific threat. SMS notifications require the administrator's telephone number to be entered on the User page of that administrator. Each email or SMS contains an event summary and a link to the event itself, which can be viewed in a browser after logging in.