Securepoint Mobile Security (MS) FAQ

Securepoint Mobile Security is a cloud service provided by Securepoint.
Android and Apple mobile devices communicate exclusively with Apple and Google servers, which are addressed by us.
No proprietary software or hardware is required or possible.

• Mobile Device Management (MDM) is device management, app installation, and setting the device settings
• Mobile Security (MobSec) is all this PLUS the VPN tunnel to our data center with encrypted communication & content filtering

All devices > Android 7 are officially supported. Securepoint cannot make a direct recommendation here due to the large variety of devices in the Android ecosystem. However, Google provides a collection of devices that have been certified for the API we use: https://androidenterprisepartners.withgoogle.com/devices/

No, this is not possible fir iOs or Android.

iOS:

• The corresponding device tile is selected via  Mobile Security iOS/iPadOS Devices and the   Wipe Data button is clicked in the Operations tab to reset the device.
• Then delete the corresponding tile when the device reports that it is logged out.

Android:

• Android devices are reseted by deleting the device tile.

No. MDM can only be used to control devices with the iOS, iPadOS, tvOS or Android operating systems. No Windows.

Basically yes, but the use of APK files on the devices is strongly discouraged. The following problems may occur:

• Device integrity is lost
• No real control over the device
• No update channel
• No integrity check of the app by the app store

If you still need to install APKs, you can find more information on this in the Wiki article on APKs.

Android: By default, apps are updated automatically if the following conditions are met:

• The device is connected to a WLAN.
• The device is charging.
• The device is inactive (i.e. not being actively used).
• The app to be updated is not running in the foreground. Google Play normally checks for app updates once a day. It can therefore take up to 24 hours for an app to be added to the update queue. It will then be updated automatically as soon as the above conditions are met.

iOS:

• Apps: Apps are installed automatically every day if the device is registered in the app store. If an installation command for an app is send to a device from the portal and this app is already installed, an app update is carried out immediately.
• VPP apps: VPP apps are automatically checked for updates every night and pushed to the devices regardless of the WWAN connection used by the devices. This can be deactivated globally    in the portal under  Mobile Security Settings Automatic app updates.

The integrated iOS devices do not establish independent contact with the portal by default. Contact in the device tile refers to the last time a command is send to the device from the portal and the device has confirmed receipt of the command.

Devices can be operated without AppleID without any problems. This requires the full integration of DEP & VPP. This is the operating mode recommended by Securepoint. Further instructions can be found in our Wiki.

• It must be ensured that the devices are switched on and connected to the Internet.
• If there is a connection to the Internet, please ensure that communication is not hindered or restricted.
  • If necessary, use an access point from a smartphone
• Check Apple Push certificate
  • Encrypts the connection between the portal and the devices
  • Must be renewed annually
  • If a new certificate is imported during renewal instead of renewing the old certificate, you will lose communication with the devices that use the old certificate.
  • Compare whether the Apple Push certificate in the portal and on the device are the same:
    •  Mobile Security Settings at  Apple Push Certificate click on the button  Update, there under 2. under Here is a list of your last uploads the certificates under UID
    • Device | Settings | General | VPN and device management | Securepoint MDM | More details | Mobile Device Management | Topic
    • These two values must be identical.
• If the values are not identical, a new certificate has been uploaded to the portal, which means that the devices can no longer be accessed. The old certificate must be renewed and uploaded again. Devices that have been enrolled with the new certificate must then be re-enrolled.
• If the devices cannot be reached despite the correct certificate:
  • Is the communication interrupted by a faulty VPN tunnel?
  • Is the firewall blocking the communication?
    • Hosts and networks that must be accessible: 17.0.0.0/8, portal.securepoint.cloud, dns-001.securepoint.de, ios.securepoint.cloud
    • Ports that must not be blocked: 53, 80, 123, 443, 2197, 5223

Mobile Security must be used for the statistics. The statistics count calls to the proxy. Data cached by the browser does not appear here.

Streaming services generally use IP-based geo-blocking to comply with the right to use the content.

If VPN is active, the actual IP address of the dial-in and thus the geographical assignment is not visible to the streaming provider.

This is why many streaming services also block the IPs of data centers.

The DEP profiles determine the dialogs that are displayed in the installation wizard when the iOS device is started up. To ensure that these are used correctly, they must be assigned before the device is initialized for the first time.

Both Apple and Google require users to be informed about the use of the data or to give their consent before a VPN service can be used.

• iOS: https://developer.apple.com/app-store/review/guidelines/#vpn-apps
• Android: https://support.google.com/googleplay/android-developer/answer/10144311

The primary purpose of tracking mobile devices is to determine their location in specific situations, such as in cases of loss or theft. User privacy interests were carefully considered in the design phase to prevent potential covert tracking, like creating movement profiles (Privacy by Design and Default). It is imporant to distinguish between:

a) Full Management: Devices are the property of the company, private apps and data are prohibited (COBO - company owned, business only)

• Mobile devices can generally, without exception, be located only if location tracking is activated by an administrator. Upon activation, only the specific location at the time of tracking is logged.
• For each tracking instance, users automatically and immediately receive a notification on the affected device, ensuring that covert tracking is not possible.

b) Partial Management: Devices are the property of the company, private apps and data are permitted (COPE - company owned, personal enabled)

• The same principles as under a) apply, with the exception that the user's consent on the end device is additionally required before location tracking can be activated via ther portal.

c) Private end devices with apps and data for work purposes (BYOD - Bring your own device)

• Tracking is not possible for private devices that are used for business purposes.

In-depth details on Lost Mode: Section in the Device Wiki Article