Martin Müller | ttt-Point AG

Managing profiles for iOS or Android devices in the Mobile Security Portal

Last adaptation to the version: 1.5.1 (02.2020)



New

  • Android devices from version 10 (Q) are exclusively administered with Android Enterprise Profiles.


  • Preamble

    In a profile, permissions, restrictions, password requirements, e-mail settings and security settings are configured.

    Several users or user groups (roles) can be assigned to a profile.
    Many devices or device groups (devices designated by tags) can be assigned to a profile.
    For a large number of devices and users it is recommended to map the assignment via groups.


    Overview of profile management

    In the profile overview, new profiles can be created and existing ones edited or deleted. Profiles can be displayed in list or tile view. You can also view details of existing profiles, refresh the list of profiles, and publish profiles.


    General Options

    Filter displayed profiles
      The search criteria can be restricted to specific areas: all, devices, operating system, tags, roles, used, user.
    Add profile
      Creates a new profile. The settings in the profile vary depending on the operating system. See Edit iOS / Edit Android.
    Publish profiles
      The changes to a profile must be published so that they can be transmitted to the devices. The transmission may take a few minutes.
    Import profiles
    Show details
    List view / Grid view
      Switch between list and grid view.
    Refresh
      Refreshes the display.



    Profile tile

    The button at the top right of each profile tile provides the following options:

      Edit: editing the settings (see below)
      Export: exporting the settings
      Copy: copying the profile to the clipboard
      Revoke: the profile is withdrawn, i.e. it is no longer available on the devices, but can still be configured.
      Delete: the profile is deleted.


    Details displayed in the profile tile:

      Updated: changes have been made to the profile that have not yet been published!
      PARTIALLY INSTALLED: the transfer of the profile could not be fully completed.
      OS: iOS or Android
      Roles
      Users
      Devices
      Tags
      Parts: Restrictions | Security



    Copy & paste of profiles

    Click on the logo of the profile tile to mark it. In the general options, another field now appears under the filter mask:

    Action for selected items (Please choose): execute the selected action with Ok.
      Copy: copies one or more selected profiles to the clipboard.
      Delete: deletes one or more selected profiles.
    New button Paste: inserts a copy of a profile from the clipboard.
    This also works from one tenant / customer to another as long as they are assigned to the same reseller account.

    iOS profile

    General

    Caption | Values | Description
    Platform | IOS | Device OS. When creating a new profile, ANDROID can also be selected here. Tabs and functions differ depending on the selected operating system.
    Name | Name | Profile name
    Priority | 5 | The higher the number, the higher the priority. Only used if a device is affected by multiple profiles.
    Roles | Add roles | Click box: the profile will be assigned to all devices of all users with these roles
    Users | Add users | The profile will be assigned to all devices of these users
    Devices | Add devices | The profile will be assigned to these devices
    Tags | Add tags | The profile will be assigned to all devices with these tags
    Comment | Comment | Comment

      Save



    Network

    In this section, access profiles for WiFi networks can be configured and pushed to the device.

    Add a network configuration with Add configuration

    Caption | Values | Description
    Name | Name | Name of the configuration
    Type | WiFi | Configuration type (WiFi predefined)
    SSID | SSID | The SSID of the network
    Security | no security / insecure / secure | Security level: no security = None, insecure = WEP-PSK, secure = WPA-PSK
    Passphrase | Passphrase | The network's passphrase
    Hidden SSID | | Specifies whether the SSID of the network is visible (button off) or hidden (button on).
    Autoconnect | | Enable to automatically connect the device to the network.

    Finish the configuration with Save



    Restrictions

    Configuration by clicking on Activate restrictions

    Numerous restrictions can be configured to control the behavior of a device.

    List of possible restrictions with default values and explanations

    The last column (SO) marks with an x the functions that are only available in supervised mode (supervised only).

    Restriction | Default | Explanation | SO
    Restrict App Usage | Allow all apps | Configures whether apps are unrestricted, or whether a blacklist or a whitelist is used. Options: Allow all apps / Do not allow specific apps / Do allow only specific apps | x
    Blacklisted Apps / Whitelisted Apps | Click box for selecting apps | Depending on the selection in the line above: Blacklisted Apps / Whitelisted Apps. Searches the entire App Store for possible apps. | x
    Allow App Removal | | Allows the user to remove apps | x
    Allow Trusting Enterprise Apps | | Allows the user to trust enterprise apps (apps that can be deployed without the iTunes App Store and do not need to be authorized by Apple) |
    Allow Explicit Content | | Allows the user to access explicit content. When activated, the SafeSearch function of search engines is switched off. |
    Allow Screenshots and Screen Recording | | Allows the user to take screenshots or screen recordings |
    Allow Remote Screen Observation | | Allows the screen to be observed, for example in a classroom. | x
    Allow use of iMessage | | Allows use of iMessage | x
    Allow Bookstore | | If set to false, the iBookstore is disabled. | x
    Allow Bookstore Erotica | | If set to false, the user cannot download media tagged as erotica from the iBookstore. | x
    Allow Apple Music | | If set to false, Apple Music is disabled in the Music app. | x
    Allow iTunes Radio | | If set to false, iTunes Radio is disabled in the Music app. |
    Allow Shared Stream | | If set to false, the shared stream is disabled. |
    Allow Wallet While Locked | | If set to false, Wallet notifications are not shown on the lock screen. |
    Allow UI Configuration Profile Installation | | If set to false, the user is prohibited from installing configuration profiles and certificates interactively. | x
    Allow use of iTunes | | Allows the user to use iTunes |
    Allow use of News | | Allows the user to access and use News |
    Allow use of Safari | | Allows the user to use Safari |
    Allow Game Center | | Allows the Game Center | x
    Allow Adding Game Center Friends | | Allows the user to add friends on Game Center |
    Allow modifying Bluetooth settings | | Allows modifying Bluetooth settings |
    Allow Modifying Cellular Data Usage for Apps Settings | | Allows modifying the cellular data usage settings for apps |
    Allow Modifying Device Name | | Allows the user to change the device name. |
    Allow Modifying Wallpaper | | Allows changing the background image. | x
    Allow Configuring Restrictions | | Allows the user to configure restrictions. | x
    Allow Automatic Sync While Roaming | | Allows automatic synchronization while roaming. |
    Allow iCloud Sync for Managed Apps | | Allows iCloud synchronization for managed apps. |
    Allow Enterprise Books Backup | | Allows Enterprise Books to be backed up. |
    Allow Enterprise Books Notes and Highlights Sync | | Allows Enterprise Books to synchronize notes and highlights. |
    Allow In App Purchases | | Allows the user to make purchases within applications |
    Allow Multiplayer Gaming | | Allows multiplayer gaming |
    Allow voice dialing while device is locked | | Allows voice dialing while the device is locked |
    Force Encrypted Backups | | Forces encrypted backups |
    Force Apple Watch Wrist Detection | | Forces Apple Watch wrist detection |
    Allow Pairing With Apple Watch | | Allows pairing with Apple Watch |
    Allow Erase All Content and Settings | | If set to false, the user cannot choose the option "Erase All Content and Settings" in Settings → General → Reset | x
    Allow Internet results in Spotlight | | If set to false, search results from the web are not shown in Spotlight. |
    Allow iCloud Document Sync | | Allows document syncing with iCloud |
    Allow user to accept untrusted TLS certificates | | Allows the user to accept untrusted TLS certificates |
    Allow Photo Stream | | Allows Photo Stream to be used on the device |
    Allow iCloud Photo Library | | Allows iCloud Photo Library to be used on the device |
    Allow iCloud Backup | | Allows backup using iCloud |
    Require iTunes password for all purchases | | Requires the user's iTunes password to be entered for every purchase |
    Apps Ranking Number | 1000 | Ranking number for apps |
    Movies Ranking Number | 1000 | Ranking number for movies |
    TV Shows Ranking Number | 1000 | Ranking number for TV shows |
    Region Code | Germany | Two-character code for the region used to specify ratings |
    Accept Cookies in Safari | Click box | Accepting cookies: 0 = Never; 1 = From current website only (iOS 8) or visited sites (pre-iOS 8); 1.5 = From websites I visit; 2 = Always |
    Allow AutoFill in Safari | | Allows autocomplete in the Safari browser. |
    Allow JavaScript | | Allows JavaScript in Safari |
    Allow Pop-ups | | Allows pop-ups in Safari |
    Enable Fraud Warning | | Enables the fraud warning in Safari |
    Allow Predictive Keyboard | | Allows the predictive keyboard | x
    Allow Keyboard Shortcuts | | Allows keyboard shortcuts | x
    Allow Auto Correction | | Allows auto correction | x
    Allow Spell Check | | Allows spell check | x
    Allow Define | | Allows Define | x
    Enable allow open from unmanaged to managed | | Allows managed apps to access unmanaged documents. |
    Enable allow open from managed to unmanaged | | Allows unmanaged apps to access managed documents. |
    Treat AirDrop as Unmanaged Destination | | When activated, protected (managed) data is prevented from leaving the device via AirDrop without authorization. |
    Allow Handoff | | If set to "false", Handoff is deactivated. Handoff allows an activity started on an iOS device to be continued on another device. |
    Allow Touch ID/Face ID to Unlock Device | | Allows Touch ID/Face ID to unlock the device |
    Allow Modifying Notifications Settings | | Allows modifying notification settings |
    Allow incoming AirPlay requests | | Allows incoming AirPlay requests |
    Allow pairing with Remote app | | Allows pairing with the Remote app |
    Allow dictation | | Allows dictation |
    Allow Camera Use | | Allows the user to use the camera |
    Allow Video Conferencing | | Allows video conferencing |
    Allow Siri | | Allows Siri |
    Allow Siri While Locked | | Allows Siri while the device is locked |
    Enable Siri Profanity Filter | | Enables the Siri profanity filter | x
    Allow Siri User Generated Content | | When false, prevents Siri from querying user-generated content from the web. |
    Allow App Installation from Apple Configurator and iTunes | | Allows only a connected Mac host to install applications |
    Allow Automatic App Downloads | | Allows automatic app downloads | x
    Allow Automatic App Downloads | | Allows the user to install applications |
    Allow Modifying Passcode | | The user is allowed to change the passcode. | x
    Allow Modifying Touch ID/Face ID | | The user is allowed to change Touch ID/Face ID. | x
    Allow diagnostic submission | | Sends diagnostic and usage statistics to Apple |
    Allow modifying diagnostics settings | | The user is allowed to change the diagnostics settings. |

      Save






    Passcode

    Configuration by clicking on Activate Passcode

    Operation | Default | Description
    Require Passcode on Device | | Enforces the use of a passcode before the device can be used
    Set maximum number of failed attempts (Maximum Number of Failed Attempts) | 11 | Number of passcode entry attempts allowed before all data on the device is erased
    Set auto-lock (Automatic lock after N minutes) | 15 | The number of minutes for which the device can be idle (without being unlocked by the user) before it is locked by the system
    Set maximum passcode age | 730 | The number of days for which the passcode can remain unchanged
    Restrict password complexity | | Allows restricting password complexity
    Allow Simple Value | | Permits the use of repeating, ascending, and descending character sequences
    Require Alphabetic Value | | Requires passcodes to contain at least one letter
    Minimum Number of Complex Characters | 0 | Smallest number of non-alphanumeric characters allowed
    Minimum Passcode Length | 0 | Smallest allowable number of characters in the passcode
    Use Passcode History | | Allows defining the number of different passcodes required before a passcode can be reused
    Passcode History | 1 | Number of unique passcodes required before a passcode can be reused
    Use grace period for device lock | | Allows defining the maximum time in minutes to unlock the phone without a passcode
    Grace period for device lock | -1 | The maximum grace period, in minutes, to unlock the phone without entering a passcode. The default value -1 means that iOS does not apply a time limit.
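As an added example (not the portal's own code), the following Python check evaluates a candidate passcode against the settings in this table: Minimum Passcode Length, Require Alphabetic Value, Minimum Number of Complex Characters, Allow Simple Value and Passcode History, plus the -1 grace period convention. The PasscodePolicy class and the function names are assumptions made for this illustration; the simple-sequence rule (repeating, ascending or descending characters) follows the "Allow Simple Value" description above.

```python
"""Check a candidate passcode against an iOS passcode profile as described above.

Added example, not code from the Mobile Security Portal. Field names mirror the
portal's table; the class and functions are assumptions for this illustration.
"""
from dataclasses import dataclass


@dataclass
class PasscodePolicy:
    min_length: int = 0               # Minimum Passcode Length
    require_alphabetic: bool = False  # Require Alphabetic Value
    min_complex_chars: int = 0        # Minimum Number of Complex Characters
    allow_simple: bool = True         # Allow Simple Value
    history: int = 1                  # Passcode History (unique passcodes before reuse)
    max_age_days: int = 730           # Set maximum passcode age
    grace_period_min: int = -1        # Grace period for device lock; -1 = no time limit


def is_simple(passcode: str) -> bool:
    """True if the passcode is one repeating, ascending or descending sequence.

    '1111', '1234' and 'dcba' count as simple; '1357' does not (step must be 0, +1 or -1).
    """
    codes = [ord(c) for c in passcode]
    if len(codes) < 2:
        return True
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({0}, {1}, {-1})


def check_passcode(candidate: str, policy: PasscodePolicy, previous: list) -> list:
    """Return the list of policy violations for `candidate` (empty list = compliant).

    `previous` is the passcode history, most recent last. Only the last
    `policy.history` entries block reuse, matching the "Passcode History" value.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if policy.require_alphabetic and not any(c.isalpha() for c in candidate):
        problems.append("must contain at least one letter")
    complex_chars = sum(1 for c in candidate if not c.isalnum())
    if complex_chars < policy.min_complex_chars:
        problems.append(f"needs at least {policy.min_complex_chars} non-alphanumeric characters")
    if not policy.allow_simple and is_simple(candidate):
        problems.append("repeating, ascending or descending sequences are not allowed")
    if policy.history > 0 and candidate in previous[-policy.history:]:
        problems.append(f"reused within the last {policy.history} passcodes")
    return problems


def lock_grace_seconds(policy: PasscodePolicy) -> float:
    """Seconds the device may stay unlocked after locking before a passcode is required.

    -1 in the portal means no limit; any other value is minutes.
    """
    return float("inf") if policy.grace_period_min < 0 else policy.grace_period_min * 60


if __name__ == "__main__":
    # Constructed sample profile: complexity restricted as in the table above.
    strict = PasscodePolicy(min_length=6, require_alphabetic=True,
                            min_complex_chars=1, allow_simple=False, history=3)
    for pw in ["123456", "abcdef", "Tr3e!house", "ab1!"]:
        print(pw, check_passcode(pw, strict, ["Tr3e!house"]) or "OK")
```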





    Exchange ActiveSync

    It is possible to retrieve emails via https connections.

    Configuration by clicking on Activate exchange

    Operation | Default | Description
    Payload Certificate UUID | Select certificate | UUID of the certificate that is used for authentication.
    Exchange ActiveSync Host | Enter host | Host name or IP address of the Exchange server.
    Past Days of Mail to Sync | 7 | Synchronization period
    Use SSL | | Send all communication through Secure Socket Layer
    Email Address | Select Email Address | The address of the account to be synchronized (e.g. "john@company.com"). New: the entry %device_email% reads the email address from the user settings of the user to whom the device is assigned.
    Domain\User | Username | Domain\user (e.g. ttt-point.local\user). The field must remain empty if the device is to ask for it. New: the entry %device_user% reads the user name from the user settings of the user to whom the respective device is assigned.
    Password | Password | The password for the account
    Prevent Move | | If set to true, messages may not be moved out of this email account into another account.
    Prevent App Sheet | | If set to true, this account will not be available for sending mail in third-party applications
    Allow Mail Drop | | If set to true, this account is allowed to use Mail Drop.
    S/MIME Enabled | | If set to true, this account supports S/MIME
    S/MIME Signing Enabled | | If set to true, this account enables message signing.
    S/MIME Encryption Enabled | | If set to true, this account supports message encryption.
    S/MIME Enable Per-Message Switch | | If set to true, enables the per-message encryption switch.
    Disable Mail Recents Syncing | | If set to true, this account is excluded from address Recents syncing.

      Save



    Email

    A mail profile can be configured in the Email settings.
    These settings affect IMAP or POP3 accounts.
    Settings for Exchange ActiveSync must be made in the corresponding tab!

    Configuration by clicking on Activate Email

    Operation | Default | Description
    Account Description | Account Description | The display name of the account (e.g. "Company Mail Account")
    Account Name | Account Name | The display name of the user (e.g. "John Appleseed"). New: the display name can be combined with the variable %device_user_name%, which reads the fields first name and last name from the user settings of the user to whom the respective device is assigned, e.g.: {ic
    Email Address | Email Address | The address of the account (e.g. "john@company.com"). New: the entry %device_email% reads the email address from the user settings of the user to whom the device is assigned.
    Prevent Move | | If set to true, messages may not be moved out of this email account into another account.
    Disable Mail Recents Syncing | | If set to true, this account is excluded from address Recents syncing.
    Allow Mail Drop | | If set to true, this account is allowed to use Mail Drop.
    Prevent App Sheet | | If set to true, this account will not be available for sending mail in third-party applications
    S/MIME Enabled | | If set to true, this account supports S/MIME
    S/MIME Signing Enabled | | If set to true, this account enables message signing.
    S/MIME Encryption Enabled | | If set to true, this account supports message encryption.
    S/MIME Enable Per-Message Switch | | If set to true, enables the per-message encryption switch.

    Incoming mails
    Operation | Default | Description
    Mail Server | Mailserver | Hostname or IP address
    Port | 993 | Port number for incoming mail
    Account Type | IMAP / POP | The protocol for accessing the email account
    Username | Select user | The username used to connect to the server for incoming mail. New: the entry %device_user% reads the user name from the user settings of the user to whom the respective device is assigned.
    Path Prefix | Path Prefix | Path prefix for the IMAP mail server
    Incoming Mail Server Authentication | authentication method | The authentication method for the incoming mail server: None, Password, CrammD5, NTLM, HTTPMD5
    Password | Password | The password for the incoming mail server
    Use SSL | | Send outgoing mail through Secure Socket Layer

    Outgoing mails
    Operation | Default | Description
    Mail Server | Mail Server | Hostname or IP address for outgoing mail
    Port | 587 | The port number for outgoing mail
    Username | Select user | The username used to connect to the server for outgoing mail. New: the entry %device_user% reads the user name from the user settings of the user to whom the respective device is assigned.
    Authentication type | authentication method | The authentication method for the outgoing mail server: Password, CrammD5, NTLM, HTTPMD5
    Outgoing Password Same As Incoming | | SMTP authentication uses the same password as POP/IMAP
    Password | Password | The password for the outgoing mail server
    Use SSL | | Send outgoing mail through Secure Socket Layer

      Save



    Security

    Numerous settings that control the security of web applications are configured here.

    Configuration by clicking on Activate security

    Action | Default | Description
    Region | Germany / EU | Geographical assignment of the VPN endpoint
    Protocol | TCP | Protocol used for the VPN tunnel: TCP or UDP
    Portfilter | Type | Filters network traffic based on network ports. Open: all ports are open. Closed: only port 80 (http) and 443 (https) are enabled. Selection: port filter rule selection; specify which of the port collections below are open for network traffic.

    Port collection | Port | Protocol | Application
    Administrative Tools | 21 | TCP | ftp
    | 3389 | TCP | ms-rdp
    | 23 | TCP | telnet
    | 5900 | TCP | vnc
    | 22 | TCP | ssh
    | 5938 | TCP/UDP | teamviewer
    Communication | 3478-3481 | UDP | Skype
    | 49152-65535 | UDP |
    | 49152-65535 | TCP |
    | 5222 | TCP | Google Push-Notifications
    | 5223 | UDP |
    | 5228 | TCP |
    VOIP | 5060 | UDP | SIP/RTP
    | 7070-7089 | UDP |
    VPN | 1194 | TCP | OpenVPN
    | 1194 | UDP |
    | 500 | UDP | IPSec
    | 4500 | UDP & ESP |
    | 1701 | UDP | L2TP
    Mail | 25 | TCP | smtp
    | 587 | TCP |
    | 465 | TCP | smtps
    | 110 | TCP | pop3
    | 995 | TCP |
    | 143 | TCP | imap
    | 993 | TCP |

    SSL interception | Default | Defines whether or not to intercept SSL traffic. The default value is to intercept traffic based on the content filter response.
    Content-Filter-Whitelist | Add entries | Click box: web pages that are to be added to a whitelist. Possible entries: see Contentfilter
    Content-Filter-Blacklist | Add entries | Click box: websites that are to be added to a blacklist.
    Disable for SSIDs | Add SSIDs | Enter WLAN SSIDs for which the security features shall be disabled.
    Disable for IP addresses | Add IPs | IP addresses or networks for which the security functions are to be deactivated, e.g. the individual host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with fewer than three digits, a dot must be entered or the cursor keys used to move within the input mask.
    Allow Suspend Always-On-VPN | | Allows the user to temporarily disable the VPN connection. If not reactivated manually, the VPN resumes at a time chosen by the user.

    App configuration
    Allow other VPN profiles | | Allows adding other VPN profiles in addition to the security profile

      Save


    Android Profile

    General

    In addition to the name and the platform, the assignment to groups, users or devices can also be configured in the general settings.

    Caption | Values | Description
    Platform | ANDROID | Device OS. When creating a new profile, iOS can also be selected here. Tabs and functions differ depending on the selected operating system.
    Name | Name | Profile name
    Priority | 5 | The higher the number, the higher the priority. Only used if a device is affected by multiple profiles.
    Roles | Add roles | Click box: the profile will be assigned to all devices of all users with these roles
    Users | Add users | The profile will be assigned to all devices of these users
    Devices | Add devices | The profile will be assigned to these devices
    Tags | Add tags | The profile will be assigned to all devices with these tags
    Comment | Comment | Comment

      Save
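As an added example serving both the iOS and the Android General tables (not portal code), the following Python snippet resolves which profile takes effect on a device from the four assignment channels (Roles, Users, Devices, Tags) and the Priority rule. The Device and Profile classes and the function names are assumptions made for this illustration; the page states no tie-breaking rule, so equal priorities are reported as an error rather than silently resolved.

```python
"""Resolve the effective profile for a device from the General settings above.

Added example, not code from the Mobile Security Portal. Rules taken from the
tables: a profile reaches a device through its roles, its user, the device
itself or its tags; the platform must match; among several matching profiles
the highest Priority number wins. The data model is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Device:
    device_id: str
    user: str                                    # user the device is assigned to
    roles: set = field(default_factory=set)      # roles of that user
    tags: set = field(default_factory=set)
    platform: str = "IOS"


@dataclass
class Profile:
    name: str
    platform: str                                # "IOS" or "ANDROID"
    priority: int = 5                            # portal default
    roles: set = field(default_factory=set)
    users: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def matches(profile: Profile, device: Device) -> List[str]:
    """Return the assignment channels through which `profile` reaches `device`."""
    if profile.platform != device.platform:
        return []
    hits = []
    if profile.roles & device.roles:
        hits.append("roles")
    if device.user in profile.users:
        hits.append("users")
    if device.device_id in profile.devices:
        hits.append("devices")
    if profile.tags & device.tags:
        hits.append("tags")
    return hits


def resolve_profile(profiles: List[Profile], device: Device) -> Optional[Profile]:
    """Pick the effective profile: highest Priority among the matching ones.

    A tie is raised as an error because the page defines no tie rule (assumption).
    """
    candidates = [p for p in profiles if matches(p, device)]
    if not candidates:
        return None
    top = max(p.priority for p in candidates)
    winners = [p for p in candidates if p.priority == top]
    if len(winners) > 1:
        raise ValueError(f"priority tie at {top}: {[p.name for p in winners]}")
    return winners[0]


if __name__ == "__main__":
    # Constructed sample: a role-based baseline and a higher-priority tag profile.
    baseline = Profile("Sales baseline", "IOS", priority=5, roles={"sales"})
    executive = Profile("Executive", "IOS", priority=9, tags={"vip"})
    phone = Device("d-001", "alice", roles={"sales"}, tags={"vip"})
    print(resolve_profile([baseline, executive], phone).name)  # Executive
```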



    Network

    In this section, access profiles for WiFi networks can be configured and pushed to the device.

    Add a network configuration with Add configuration

    Caption | Values | Description
    Name | Name | Name of the configuration
    Type | WiFi | Configuration type (WiFi predefined)
    SSID | SSID | The SSID of the network
    Security | no security / insecure / secure | Security level: no security = None, insecure = WEP-PSK, secure = WPA-PSK
    Passphrase | Passphrase | The network's passphrase
    Hidden SSID | | Specifies whether the SSID of the network is visible (button off) or hidden (button on).
    Autoconnect | | Enable to automatically connect the device to the network.

    Finish the configuration with Save



    Restrictions

    Configuration by clicking on Activate restrictions

    Restriction | Default | Explanation
    Enable Camera Restrictions | | After setting this, no application will be able to access any camera on the device.
    Enable Storage Encryption | | This setting controls encryption of the secure (application data) storage area. Data written to other storage areas may or may not be encrypted; this setting neither requires nor controls encryption of any other storage area. Important note: on some devices it is possible to encrypt storage without requiring the user to create a device PIN or password. In this case the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require a password.

    Due to Google requirements, it is no longer possible to switch off Bluetooth and WLAN connections!

      Save



    Passcode

    Configuration by clicking on Activate Passcode

    Operation | Default | Description
    Minimum password length | No password required | Attention: the current password remains until the user sets a new one, so the change does not take effect immediately. (Values from 4 to 30 are possible)
    Password Quality | Unspecified | After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Attention: the current password remains until the user has set a new one, so the change does not take place immediately. Quality constants are ordered so that higher values are more restrictive; thus the highest requested quality constant (between the profile set here, the user's preference, and any other considerations) is the one that is in effect. Possible values: Unspecified, Something, Numeric, Numeric Complex, Alphabetic, Alphanumeric, Complex
    Maximum Failed Passwords For Wipe | | Setting this to a value greater than zero enables a built-in profile that performs a device wipe after too many incorrect device-unlock passwords have been entered.

      Save


    Security

    Numerous settings that control the security of web applications are configured here.

    Configuration by clicking on Activate security

    Action | Default | Description
    Region | Germany / EU | Geographical assignment of the VPN endpoint
    Protocol | TCP | Protocol used for the VPN tunnel: TCP or UDP
    Portfilter | Type | Filters network traffic based on network ports. Open: all ports are open. Closed: only port 80 (http) and 443 (https) are enabled. Selection: port filter rule selection; specify which of the port collections below are open for network traffic.

    Port collection | Port | Protocol | Application
    Administrative Tools | 21 | TCP | ftp
    | 3389 | TCP | ms-rdp
    | 23 | TCP | telnet
    | 5900 | TCP | vnc
    | 22 | TCP | ssh
    | 5938 | TCP/UDP | teamviewer
    Communication | 3478-3481 | UDP | Skype
    | 49152-65535 | UDP |
    | 49152-65535 | TCP |
    | 5222 | TCP | Google Push-Notifications
    | 5223 | UDP |
    | 5228 | TCP |
    VOIP | 5060 | UDP | SIP/RTP
    | 7070-7089 | UDP |
    VPN | 1194 | TCP | OpenVPN
    | 1194 | UDP |
    | 500 | UDP | IPSec
    | 4500 | UDP & ESP |
    | 1701 | UDP | L2TP
    Mail | 25 | TCP | smtp
    | 587 | TCP |
    | 465 | TCP | smtps
    | 110 | TCP | pop3
    | 995 | TCP |
    | 143 | TCP | imap
    | 993 | TCP |

    SSL interception | Default | Defines whether or not to intercept SSL traffic. The default value is to intercept traffic based on the content filter response.
    Content-Filter-Whitelist | Add entries | Click box: web pages that are to be added to a whitelist. Possible entries: see Contentfilter
    Content-Filter-Blacklist | Add entries | Click box: websites that are to be added to a blacklist.
    Disable for SSIDs | Add SSIDs | Enter WLAN SSIDs for which the security features shall be disabled.
    Disable for IP addresses | Add IPs | IP addresses or networks for which the security functions are to be deactivated, e.g. the individual host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with fewer than three digits, a dot must be entered or the cursor keys used to move within the input mask.
    Allow Suspend Always-On-VPN | | Allows the user to temporarily disable the VPN connection. If not reactivated manually, the VPN resumes at a time chosen by the user.

    App configuration
    Allow other VPN profiles | | Allows adding other VPN profiles in addition to the security profile

      Save
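As an added example serving both the iOS and the Android Security tables (not portal code), the following Python snippet evaluates the three Portfilter types (Open, Closed, Selection) against the port collections listed above, including the "Disable for SSIDs" and "Disable for IP addresses" exemptions. Class and function names are assumptions for this illustration; it also assumes that Selection keeps ports 80 and 443 open just as Closed does, which the page does not state explicitly.

```python
"""Port filter evaluation for the Security profile described above.

Added example, not code from the Mobile Security Portal. The port collections
are copied from the page's table; the SecurityProfile class, the function
names and the "Selection also keeps 80/443 open" rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Port collections from the page: (port or inclusive range, protocol(s)).
PORT_COLLECTIONS = {
    "Administrative Tools": [("21", "TCP"), ("3389", "TCP"), ("23", "TCP"),
                             ("5900", "TCP"), ("22", "TCP"), ("5938", "TCP/UDP")],
    "Communication": [("3478-3481", "UDP"), ("49152-65535", "UDP"),
                      ("49152-65535", "TCP"), ("5222", "TCP"), ("5223", "UDP"),
                      ("5228", "TCP")],
    "VOIP": [("5060", "UDP"), ("7070-7089", "UDP")],
    "VPN": [("1194", "TCP"), ("1194", "UDP"), ("500", "UDP"), ("4500", "UDP"),
            ("1701", "UDP")],
    "Mail": [("25", "TCP"), ("587", "TCP"), ("465", "TCP"), ("110", "TCP"),
             ("995", "TCP"), ("143", "TCP"), ("993", "TCP")],
}
# "Closed" leaves only http and https open.
WEB_PORTS = {(80, "TCP"), (443, "TCP")}


def _port_matches(spec: str, port: int) -> bool:
    """`spec` is '22' or '3478-3481' (inclusive range), as written in the table."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass
class SecurityProfile:
    portfilter: str = "Closed"                              # Open | Closed | Selection
    selected_collections: set = field(default_factory=set)  # used by Selection
    disabled_ssids: set = field(default_factory=set)        # Disable for SSIDs
    disabled_networks: list = field(default_factory=list)   # Disable for IP addresses (CIDR)


def security_disabled(profile: SecurityProfile, ssid=None, client_ip=None) -> bool:
    """True when the device's current network is exempt, so nothing is filtered."""
    if ssid is not None and ssid in profile.disabled_ssids:
        return True
    if client_ip is not None:
        ip = ipaddress.ip_address(client_ip)
        # strict=False accepts host entries such as 192.0.2.192/32 as well as subnets.
        return any(ip in ipaddress.ip_network(n, strict=False)
                   for n in profile.disabled_networks)
    return False


def port_allowed(profile: SecurityProfile, port: int, proto: str,
                 ssid=None, client_ip=None) -> bool:
    """Decide whether traffic to `port`/`proto` passes the profile's port filter."""
    proto = proto.upper()
    if security_disabled(profile, ssid, client_ip):
        return True
    if profile.portfilter == "Open":
        return True
    if (port, proto) in WEB_PORTS:          # http/https stay open in Closed and Selection
        return True
    if profile.portfilter == "Closed":
        return False
    if profile.portfilter == "Selection":
        for name in profile.selected_collections:
            for spec, protos in PORT_COLLECTIONS.get(name, []):
                if proto in protos.split("/") and _port_matches(spec, port):
                    return True
        return False
    raise ValueError(f"unknown Portfilter type {profile.portfilter!r}")


if __name__ == "__main__":
    # Constructed sample: Selection with Mail and VPN open, office WLAN exempt.
    p = SecurityProfile("Selection", {"Mail", "VPN"}, {"office-wifi"}, ["192.0.2.0/24"])
    for port, proto in [(993, "TCP"), (1194, "UDP"), (22, "TCP"), (443, "TCP")]:
        print(port, proto, port_allowed(p, port, proto))
```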