Configuration Profiles

From Securepoint Wiki


Managing profiles for iOS or Android devices in the Mobile Security Portal

Last updated for version: 1.4.8 (09.2019)


New:
  • Copy & paste of profiles (from v1.4.8, 09.2019)
  • WLAN profiles can be pushed in the Networks tab (from v1.4.7, 07.2019)
  • Switzerland can be selected as the region in the Security tab (from v1.4.7, 07.2019)
  • Android devices from version 10 (Q) onward are administered exclusively via Android Enterprise profiles.

Preamble

A profile configures permissions, restrictions, passcode requirements, e-mail settings and security settings for the devices it is assigned to.

Several users or user groups (roles) can be assigned to a profile, and so can many devices or device groups (devices designated by tags).
  For a large number of devices and users it is recommended to map the assignment via groups (roles and tags).

Overview of profile management

In the profile overview, new profiles can be created and existing ones edited and deleted. Profiles can be displayed in list or tile view. You can also view the details of existing profiles, refresh the list of profiles, and publish profiles.


General Options

  • Filter / Search: the search can be restricted to specific areas: all, devices, operating system, tags, roles, used, user.
  • Add profile: creates a new profile. The settings in the profile vary depending on the operating system (see iOS profile / Android Profile below).
  • Publish profiles: changes to a profile must be published so that they are transmitted to the devices. The transmission may take a few minutes.
  • Import profiles: imports a profile.
  • Show details: shows the details of a profile.
  • List view / Grid view: switch between list and grid view.
  • Refresh: refreshes the display.



Profile tile

The button at the top right of each profile tile provides the following options:

  • Edit: edit the settings (see below)
  • Export: export the settings
  • Copy (new): copy the profile to the clipboard
  • Revoke: the profile is withdrawn, i.e. it is no longer available on the devices but can still be configured. Note that the restrictions and security settings of a revoked profile no longer apply on the affected devices.
  • Delete: the profile is deleted.

Details displayed in the profile tile:

  • Updated: changes have been made to the profile that have not yet been published.
  • PARTIALLY INSTALLED: the transfer of the profile to the devices could not be fully completed.
  • OS: iOS or Android
  • Roles, Users, Devices, Tags: the roles, users, devices and tags the profile is assigned to
  • Parts: the configured parts of the profile, e.g. Restrictions | Security



Copy & paste of profiles

Click on the logo of a profile tile to select it. A further field then appears in the general options below the filter mask:

  • Action for selected items: choose Copy (copies one or more selected profiles to the clipboard) or Delete (deletes one or more selected profiles) and execute the chosen action with OK.
  • Paste (new button): inserts a copy of a profile from the clipboard.

This also works from one tenant/customer to another, as long as both are assigned to the same reseller account. A copied profile carries all of its settings, so check it for Wi-Fi passphrases, mail credentials and customer-specific whitelist entries before pasting it into another customer's tenant.

iOS profile

General iOS

  • Platform (IOS): device OS. When creating a new profile, ANDROID can also be selected here; the tabs and functions differ depending on the selected operating system.
  • Name: profile name
  • Priority (default 5): the higher the number, the higher the priority. Only used if a device is affected by multiple profiles.
  • Roles (Add roles): click box; the profile is assigned to all devices of all users with these roles
  • Users (Add users): the profile is assigned to all devices of these users
  • Devices (Add devices): the profile is assigned to these devices
  • Tags (Add tags): the profile is assigned to all devices with these tags
  • Comment: comment

Finish with Save.
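The assignment and priority rules of the General tab, worked through in code. This is an added example and not Securepoint's code: the page only states that roles, users, devices and tags assign a profile, that unpublished changes do not reach devices, and that priority decides when several profiles affect one device. Whether the portal applies only the winning profile or merges several is not stated, so the assumption that exactly one profile wins (highest priority, ties broken by name) is the example's own, as is all sample data.

```python
"""Which profile ends up on a device?

Added example, not Securepoint code. Models the four assignment lists of the
General tab, the "must be published" rule and the priority rule. The winner-
takes-all resolution and the tie-break on the profile name are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str                                   # user name of the device owner
    platform: str                                # "IOS" or "ANDROID"
    roles: frozenset[str] = frozenset()          # roles of the owner
    tags: frozenset[str] = frozenset()           # tags set on the device


@dataclass
class Profile:
    name: str
    platform: str
    priority: int = 5                            # portal default
    roles: set[str] = field(default_factory=set)
    users: set[str] = field(default_factory=set)
    devices: set[str] = field(default_factory=set)
    tags: set[str] = field(default_factory=set)
    published: bool = True                       # False: changes not yet published

    def targets(self, dev: Device) -> bool:
        """A profile targets a device via any one of its four assignment lists."""
        return (dev.device_id in self.devices
                or dev.owner in self.users
                or bool(self.roles & dev.roles)
                or bool(self.tags & dev.tags))


def applicable(profiles: list[Profile], dev: Device) -> list[Profile]:
    """Published profiles of the device's platform that target it, highest priority first."""
    hits = [p for p in profiles if p.platform == dev.platform and p.published and p.targets(dev)]
    return sorted(hits, key=lambda p: (-p.priority, p.name))


def effective(profiles: list[Profile], dev: Device) -> str | None:
    """Name of the profile that wins on this device, or None if nothing applies."""
    hits = applicable(profiles, dev)
    return hits[0].name if hits else None


# Constructed sample data: four profiles and one device (not taken from the page).
PROFILES = [
    Profile("Baseline", "IOS", priority=1, tags={"managed"}),
    Profile("Sales", "IOS", priority=5, roles={"sales"}),
    Profile("Executive", "IOS", priority=9, users={"ceo"}, published=False),
    Profile("Android baseline", "ANDROID", priority=1, tags={"managed"}),
]
CEO_IPHONE = Device("iphone-0042", owner="ceo", platform="IOS",
                    roles=frozenset({"sales"}), tags=frozenset({"managed"}))
```

On the sample data the "Executive" profile, although it has the highest priority and names the owner directly, plays no part until it is published; the device is governed by "Sales". This is exactly the situation the "Updated" marker on a profile tile warns about.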



Network

In this section, access profiles for WiFi networks can be configured and pushed to the device.

Add a network configuration with Add configuration.

  • Name: name of the configuration
  • Type (WiFi): configuration type (WiFi is predefined)
  • SSID: the SSID of the network
  • Security (None / WEP-PSK / WPA-PSK): encryption of the network. The portal rates None as "no security", WEP-PSK as "insecure" and WPA-PSK as "secure". WEP keys can be recovered from captured traffic within minutes, so a WEP network should only be pushed if it is isolated from internal resources.
  • Passphrase: the network's passphrase. It is distributed to every device the profile is assigned to, so treat the profile itself as confidential.
  • Hidden SSID: specifies whether the SSID of the network is visible (button off) or hidden (button on).
  • Autoconnect: enable to connect the device to the network automatically.

Finish the configuration with Save.



Restrictions

Configuration by clicking on Activate restrictions.

Numerous restrictions can be configured to control the behavior of a device. Restrictions marked (SO) are only available in supervised mode (supervised only). Defaults are shown in the portal as toggle switches; only numeric and selection defaults are reproduced here.

  • Restrict App Usage (SO) (default: Allow all apps; alternatives: Do not allow specific apps, Do allow only specific apps): configures whether apps are not restricted at all, or whether a blacklist or a whitelist is used.
  • Blacklisted Apps / Whitelisted Apps (SO): click box for selecting apps, depending on the selection in the line above; it searches the entire App Store for matching apps.
  • Allow App Removal (SO): allows the user to remove apps.
  • Allow Trusting Enterprise Apps: allows the user to trust enterprise apps (apps that are deployed outside the iTunes App Store and are not reviewed by Apple). Leave this disabled unless you distribute in-house apps: it is also what lets a user trust an arbitrary sideloaded developer certificate.
  • Allow Explicit Content: allows the user to access explicit content. When activated, the SafeSearch function of search engines is switched off.
  • Allow Screenshots and Screen Recording: allows the user to take screenshots or screen recordings.
  • Allow Remote Screen Observation (SO): allows the screen to be observed, e.g. in a classroom.
  • Allow use of iMessage (SO)
  • Allow Bookstore (SO): if set to false, the iBookstore is disabled.
  • Allow Bookstore Erotica (SO): if set to false, the user cannot download media tagged as erotica from the iBookstore.
  • Allow Apple Music (SO): if set to false, Apple Music is disabled in the Music app.
  • Allow iTunes Radio: if set to false, iTunes Radio is disabled in the Music app.
  • Allow Shared Stream: if set to false, the shared stream is disabled.
  • Allow Wallet While Locked: if set to false, Wallet notifications are not shown on the lock screen.
  • Allow UI Configuration Profile Installation (SO): if set to false, the user cannot install configuration profiles and certificates interactively. Disabling it keeps users from adding their own root certificates, proxies or VPN profiles next to the managed ones.
  • Allow use of iTunes / Allow use of News / Allow use of Safari: allows the user to use the respective app.
  • Allow Game Center (SO) / Allow Adding Game Center Friends
  • Allow modifying Bluetooth settings
  • Allow Modifying Cellular Data Usage for Apps Settings
  • Allow Modifying Device Name
  • Allow Modifying Wallpaper (SO)
  • Allow Configuring Restrictions (SO): allows the user to configure restrictions themselves.
  • Allow Automatic Sync While Roaming
  • Allow iCloud Sync for Managed Apps
  • Allow Enterprise Books Backup / Allow Enterprise Books Notes and Highlights Sync
  • Allow In App Purchases
  • Allow Multiplayer Gaming
  • Allow voice dialing while device is locked
  • Force Encrypted Backups: forces backups to be encrypted.
  • Force Apple Watch Wrist Detection / Allow Pairing With Apple Watch
  • Allow Erase All Content and Settings (SO): if set to false, the user cannot choose "Erase All Content and Settings" under Settings → General → Reset.
  • Allow Internet results in Spotlight: if set to false, search results from the web are not shown in Spotlight.
  • Allow iCloud Document Sync: allows document syncing with iCloud.
  • Allow user to accept untrusted TLS certificates: allows the user to accept untrusted TLS certificates. With this allowed, certificate warnings can simply be clicked through, which removes the protection TLS offers against interception; keep it disabled.
  • Allow Photo Stream / Allow iCloud Photo Library / Allow iCloud Backup
  • Require iTunes password for all purchases: the user's iTunes password must be entered for every purchase.
  • Apps Ranking Number / Movies Ranking Number / TV Shows Ranking Number (default 1000 each): maximum permitted rating for apps, movies and TV shows; 1000 permits all ratings.
  • Region Code (default Germany): two-character code of the region whose rating system is used.
  • Accept Cookies in Safari (click box): 0 – Never; 1 – From current website only (iOS 8) or from visited sites (pre-iOS 8); 1.5 – From websites I visit; 2 – Always.
  • Allow AutoFill in Safari / Allow JavaScript / Allow Pop-ups / Enable Fraud Warning: the corresponding Safari settings.
  • Allow Predictive Keyboard (SO) / Allow Keyboard Shortcuts (SO) / Allow Auto Correction (SO) / Allow Spell Check (SO) / Allow Define (SO)
  • Enable allow open from unmanaged to managed: allows managed apps to open documents from unmanaged apps.
  • Enable allow open from managed to unmanaged: allows unmanaged apps to open documents from managed apps. This is the switch that lets company data leave the managed apps; keep it disabled unless there is a documented need.
  • Treat AirDrop as Unmanaged Destination: when activated, managed data cannot leave the device via AirDrop.
  • Allow Handoff: if set to false, Handoff is deactivated. Handoff allows an activity started on one iOS device to be continued on another device.
  • Allow Touch ID/Face ID to unlock device
  • Allow Modifying Notifications Settings
  • Allow incoming AirPlay requests
  • Allow pairing with Remote app
  • Allow dictation
  • Allow Camera Use
  • Allow video conferencing
  • Allow Siri / Allow Siri While Locked / Enable Siri Profanity Filter (SO)
  • Allow Siri User Generated Content: when false, prevents Siri from querying user-generated content from the web.
  • Allow App Installation from Apple Configurator and iTunes: allows only a connected Mac host to install applications.
  • Allow Automatic App Downloads (SO)
  • Allow App Installation: allows the user to install applications.
  • Allow Modifying Passcode (SO): the user may change the passcode.
  • Allow Modifying Touch ID/Face ID (SO): the user may change Touch ID/Face ID.
  • Allow diagnostic submission: send diagnostic and usage statistics to Apple.
  • Allow modifying diagnostics settings: the user may change the diagnostic settings.

Finish with Save.






Passcode

Configuration by clicking on Activate Passcode.

  • Require Passcode on Device: enforces the use of a passcode before the device can be used.
  • Set maximum number of failed attempts, Maximum Number of Failed Attempts (default 11): number of passcode entry attempts allowed before all data on the device is erased.
  • Set auto-lock, Automatic lock after (default 15) minutes: number of minutes the device may be idle (without being unlocked by the user) before the system locks it.
  • Set maximum passcode age (default 730 days): number of days for which the passcode may remain unchanged.
  • Restrict password complexity: enables the following complexity rules:
    - Allow Simple Value: permits repeating, ascending and descending character sequences (e.g. 1111 or 1234).
    - Require Alphabetic Value: the passcode must contain at least one letter.
    - Minimum Number of Complex Characters (default 0): smallest number of non-alphanumeric characters the passcode must contain.
    - Minimum Passcode Length (default 0): smallest allowable number of characters in the passcode.
  • Use Passcode History, Passcode History (default 1): number of unique passcodes required before a passcode may be reused.
  • Use grace period for device lock, Grace period for device lock (default -1): maximum time in minutes during which the phone can be unlocked again without entering a passcode. The default -1 means iOS applies no time limit.

  Note that the portal defaults (minimum length 0, maximum age 730 days, grace period -1) impose almost no requirement; set a minimum length, disallow simple values and limit the grace period for devices that carry company data.
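The passcode rules above, implemented as a check a candidate passcode has to pass. This is an added example, not Securepoint's or Apple's code: the page lists the rules but not how iOS recognises a "simple value", so the sequence test below (all characters equal, or one run with step +1 or -1) is the example's reading, and the policy objects and passcodes are constructed sample data.

```python
"""Check a candidate passcode against the iOS passcode rules of the Passcode tab.

Added example, not Securepoint code. Implements minimum length, Require
Alphabetic Value, Minimum Number of Complex Characters, Allow Simple Value,
Passcode History and maximum passcode age. The simple-value test is an
assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasscodePolicy:
    min_length: int = 0                # Minimum Passcode Length (portal default 0)
    require_alphabetic: bool = False   # Require Alphabetic Value
    min_complex_chars: int = 0         # Minimum Number of Complex Characters (default 0)
    allow_simple_value: bool = True    # Allow Simple Value
    history: int = 1                   # Passcode History (default 1)
    max_age_days: int = 730            # maximum passcode age (default 730)


def is_simple(pc: str) -> bool:
    """True for repeating (1111), ascending (1234, abcd) or descending (4321) sequences."""
    if len(pc) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pc, pc[1:])}
    return steps in ({0}, {1}, {-1})


def check_passcode(pc: str, policy: PasscodePolicy, previous: list[str]) -> list[str]:
    """Return the violated rules; an empty list means the passcode is acceptable.

    `previous` holds earlier passcodes, oldest first; History N forbids the last N.
    """
    problems = []
    if len(pc) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_alphabetic and not any(c.isalpha() for c in pc):
        problems.append("no alphabetic character")
    complex_chars = sum(1 for c in pc if not c.isalnum())
    if complex_chars < policy.min_complex_chars:
        problems.append(f"fewer than {policy.min_complex_chars} non-alphanumeric characters")
    if not policy.allow_simple_value and is_simple(pc):
        problems.append("repeating or sequential value")
    if policy.history > 0 and pc in previous[-policy.history:]:
        problems.append(f"reused within the last {policy.history} passcodes")
    return problems


def passcode_expired(set_on: date, today: date, policy: PasscodePolicy) -> bool:
    """True once the passcode is older than the policy's maximum age."""
    return today - set_on > timedelta(days=policy.max_age_days)


# The portal defaults, and a constructed hardened policy for comparison.
PORTAL_DEFAULTS = PasscodePolicy()
HARDENED = PasscodePolicy(min_length=8, require_alphabetic=True, min_complex_chars=1,
                          allow_simple_value=False, history=5, max_age_days=365)
```

Under the portal defaults "123456" passes without a single finding; under the hardened policy the same passcode violates four rules at once, which is a quick way to see what the defaults actually enforce.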





Exchange ActiveSync

E-mails can be retrieved over HTTPS connections.

Configuration by clicking on Activate exchange.

  • Payload Certificate UUID (Select certificate): UUID of the certificate used for authentication.
  • Exchange ActiveSync Host (Enter host): host name or IP address of the Exchange server.
  • Past Days of Mail to Sync (default 7): synchronization period.
  • Use SSL: send all communication through SSL/TLS. Without it, credentials and mail cross the network unencrypted.
  • Email Address: the address of the account to be synchronized (e.g. "john@company.com").
  • Domain\User: domain\user (e.g. ttt-point.local\user). The field must remain empty if the device is to prompt for it. If the domain is to be entered automatically, this can be configured on the server side.
  • Password: the password for the account. A password stored here is transmitted to every device the profile is assigned to, so only fill it in for a profile bound to a single user; otherwise leave it empty so the user is asked on the device, or use certificate authentication via Payload Certificate UUID.
  • Prevent Move: if set to true, messages may not be moved out of this account into another account.
  • Prevent App Sheet: if set to true, this account is not available for sending mail from third-party applications.
  • Allow Mail Drop: if set to true, this account may use Mail Drop.
  • S/MIME Enabled: if set to true, this account supports S/MIME.
  • S/MIME Signing Enabled: if set to true, message signing is enabled for this account.
  • S/MIME Encryption Enabled: if set to true, this account supports message encryption.
  • S/MIME Enable Per-Message Switch: if set to true, the per-message encryption switch is enabled.
  • Disable Mail Recents Syncing: if set to true, this account is excluded from syncing of recent addresses.

Finish with Save.



Email

A mail profile for IMAP or POP3 accounts can be configured in the Email settings. Settings for Exchange ActiveSync must be made in the corresponding tab!

Configuration by clicking on Activate Email.

  • Account Description: the display name of the account (e.g. "Company Mail Account")
  • Account Name: the display name of the user (e.g. "John Appleseed")
  • Email Address: the address of the account (e.g. "john@company.com")
  • Prevent Move: if set to true, messages may not be moved out of this account into another account.
  • Disable Mail Recents Syncing: if set to true, this account is excluded from syncing of recent addresses.
  • Allow Mail Drop: if set to true, this account may use Mail Drop.
  • Prevent App Sheet: if set to true, this account is not available for sending mail from third-party applications.
  • S/MIME Enabled: if set to true, this account supports S/MIME.
  • S/MIME Signing Enabled: if set to true, message signing is enabled for this account.
  • S/MIME Encryption Enabled: if set to true, this account supports message encryption.
  • S/MIME Enable Per-Message Switch: if set to true, the per-message encryption switch is enabled.

Incoming mail
  • Mailserver: host name or IP address
  • Port (default 993): port number for incoming mail
  • Account Type (IMAP / POP): the protocol for accessing the email account
  • Username (Select user): the username used to connect to the incoming mail server
  • Path Prefix: path prefix for the IMAP mail server
  • Incoming Mail Server Authentication (None / Password / CRAM-MD5 / NTLM / HTTP MD5): the authentication method for the incoming mail server
  • Password: the password for the incoming mail server
  • Use SSL: connect to the incoming mail server through SSL/TLS

Outgoing mail
  • Mail Server: host name or IP address for outgoing mail
  • Port (default 587): the port number for outgoing mail
  • Username (Select user): the username used to connect to the outgoing mail server
  • Authentication type (Password / CRAM-MD5 / NTLM / HTTP MD5): the authentication method for the outgoing mail server
  • Outgoing Password Same As Incoming: SMTP authentication uses the same password as POP/IMAP
  • Password: the password for the outgoing mail server
  • Use SSL: send outgoing mail through SSL/TLS

  The default ports 993 (IMAP) and 587 (SMTP submission) both expect an encrypted connection, so keep Use SSL enabled on both sides. With it disabled, the Password method sends the password to the server in clear text, and mail content is unencrypted with every authentication method.

Finish with Save.



Security iOS

The settings in this tab control the security functions enforced through the VPN tunnel that the profile establishes: port filtering, SSL interception and content filtering.

Configuration by clicking on Activate security.

  • Region (default Germany / EU): geographical location of the VPN endpoint. Switzerland can be selected from v1.4.7.
  • Protocol (default TCP): protocol used for the VPN tunnel, TCP or UDP.
  • Portfilter Type: filters network traffic based on network ports:
    - Open: all ports are open.
    - Closed: only ports 80 (http) and 443 (https) are enabled.
    - Selection: specify which of the following port collections are open for network traffic:

    Port collection        Port          Protocol    Application
    Administrative Tools   21            TCP         ftp
                           3389          TCP         ms-rdp
                           23            TCP         telnet
                           5900          TCP         vnc
                           22            TCP         ssh
                           5938          TCP/UDP     teamviewer
    Communication          3478-3481     UDP         Skype
                           49152-65535   UDP
                           49152-65535   TCP
                           5222          TCP         Google push notifications
                           5223          UDP
                           5228          TCP
    VOIP                   5060          UDP         SIP/RTP
                           7070-7089     UDP
    VPN                    1194          TCP         OpenVPN
                           1194          UDP
                           500           UDP         IPSec
                           4500          UDP & ESP
                           1701          UDP         L2TP
    Mail                   25            TCP         smtp
                           587           TCP
                           465           TCP         smtps
                           110           TCP         pop3
                           995           TCP
                           143           TCP         imap
                           993           TCP

    Note that the Communication collection opens the entire ephemeral range 49152-65535 for TCP and UDP, not just the Skype and push-notification ports, so selecting it leaves most outbound traffic unfiltered.

  • SSL interception (default: Default): defines whether SSL traffic is intercepted. The default is to intercept traffic depending on the content filter response. Apps that pin their server certificate fail while their connections are intercepted.
  • Content-Filter-Whitelist (Add entries): click box; web pages that are to be added to a whitelist. Possible entries: see Contentfilter.
  • Content-Filter-Blacklist (Add entries): click box; web pages that are to be added to a blacklist.
  • Disable for SSIDs (Add SSIDs): WLAN SSIDs for which the security features are disabled. The match is on the SSID name only, so a rogue access point broadcasting the same SSID switches the protection off as well.
  • Disable for IP addresses (Add IPs): IP addresses or networks for which the security functions are deactivated, e.g. the single host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with fewer than three digits, a dot must be typed or the cursor keys used to move to the next block of the input mask.
  • Allow Suspend Always-On-VPN: allows the user to disable the VPN connection temporarily. If it is not re-enabled manually, the VPN resumes after a period chosen by the user.

App configuration
  • Allow other VPN profiles: allows adding other VPN profiles in addition to the security profile.

Finish with Save.
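The port filter and the two bypass rules, evaluated for a single connection. This is an added example and not Securepoint's code; it serves the Security tab of both the iOS and the Android profile, which carry the same settings, and uses the port collections listed above. Three things the page does not state are assumptions of the example: that the Selection mode, like Closed, still passes ports 80 and 443; that the "Disable for IP addresses" entries are compared against the address the device holds on its current network; and that a bypass is evaluated before the port filter. The sample policy and connections are constructed.

```python
"""Port filter and bypass rules of the Security tab, evaluated for one connection.

Added example, not Securepoint code. Port collections are the ones from the
Security tab; decision order and the handling of 80/443 in Selection mode are
assumptions of this example.
"""
import ipaddress

# Port collections from the table above: (first port, last port, protocol).
PORT_COLLECTIONS = {
    "Administrative Tools": [(21, 21, "tcp"), (3389, 3389, "tcp"), (23, 23, "tcp"),
                             (5900, 5900, "tcp"), (22, 22, "tcp"),
                             (5938, 5938, "tcp"), (5938, 5938, "udp")],
    "Communication": [(3478, 3481, "udp"), (49152, 65535, "udp"), (49152, 65535, "tcp"),
                      (5222, 5222, "tcp"), (5223, 5223, "udp"), (5228, 5228, "tcp")],
    "VOIP": [(5060, 5060, "udp"), (7070, 7089, "udp")],
    "VPN": [(1194, 1194, "tcp"), (1194, 1194, "udp"), (500, 500, "udp"),
            (4500, 4500, "udp"), (1701, 1701, "udp")],
    "Mail": [(25, 25, "tcp"), (587, 587, "tcp"), (465, 465, "tcp"), (110, 110, "tcp"),
             (995, 995, "tcp"), (143, 143, "tcp"), (993, 993, "tcp")],
}
WEB_PORTS = [(80, 80, "tcp"), (443, 443, "tcp")]     # open even in "Closed" mode


def _matches(port: int, proto: str, ranges) -> bool:
    return any(lo <= port <= hi and proto == p for lo, hi, p in ranges)


def port_allowed(port: int, proto: str, filter_type: str, selection=()) -> bool:
    """Apply Portfilter Type Open / Closed / Selection to one destination port."""
    if filter_type == "Open":
        return True
    if _matches(port, proto, WEB_PORTS):
        return True
    if filter_type == "Closed":
        return False
    if filter_type == "Selection":
        return any(_matches(port, proto, PORT_COLLECTIONS[name]) for name in selection)
    raise ValueError(f"unknown Portfilter Type {filter_type!r}")


def security_bypassed(ssid: str, device_ip: str, disabled_ssids, disabled_networks) -> bool:
    """True when a 'Disable for SSIDs' or 'Disable for IP addresses' entry matches.

    Networks are given in CIDR form exactly as on the page, e.g. 192.0.2.192/32
    for a single host or 192.0.2.0/24 for a whole subnet.
    """
    if ssid in disabled_ssids:
        return True
    addr = ipaddress.ip_address(device_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in disabled_networks)


def decide(conn: dict, policy: dict) -> str:
    """'bypass' (security functions off), 'allow' or 'block' for one connection."""
    if security_bypassed(conn["ssid"], conn["device_ip"],
                         policy["disable_for_ssids"], policy["disable_for_ips"]):
        return "bypass"
    ok = port_allowed(conn["port"], conn["proto"], policy["portfilter"], policy.get("selection", ()))
    return "allow" if ok else "block"


# Constructed sample policy: Selection mode with Mail and VPN; office WLAN and office LAN exempt.
OFFICE_POLICY = {
    "portfilter": "Selection",
    "selection": ("Mail", "VPN"),
    "disable_for_ssids": {"office-wlan"},
    "disable_for_ips": ["192.0.2.192/32", "192.0.2.0/24"],
}
```

Two results worth noting: a device whose SSID is "office-wlan" gets "bypass" regardless of its address, which is the SSID-spoofing caveat from the list above in code; and `port_allowed(60000, "tcp", "Selection", ("Communication",))` is True, which is the ephemeral-range caveat.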


Android Profile

General android

In addition to the name and the platform, the assignment to groups, users or devices is configured in the general settings.

  • Platform (ANDROID): device OS. When creating a new profile, iOS can also be selected here; the tabs and functions differ depending on the selected operating system.
  • Name: profile name
  • Priority (default 5): the higher the number, the higher the priority. Only used if a device is affected by multiple profiles.
  • Roles (Add roles): click box; the profile is assigned to all devices of all users with these roles
  • Users (Add users): the profile is assigned to all devices of these users
  • Devices (Add devices): the profile is assigned to these devices
  • Tags (Add tags): the profile is assigned to all devices with these tags
  • Comment: comment

Finish with Save.



Networks Android

In this section, access profiles for WiFi networks can be configured and pushed to the device.

Add a network configuration with Add configuration.

  • Name: name of the configuration
  • Type (WiFi): configuration type (WiFi is predefined)
  • SSID: the SSID of the network
  • Security (None / WEP-PSK / WPA-PSK): encryption of the network. The portal rates None as "no security", WEP-PSK as "insecure" and WPA-PSK as "secure". WEP keys can be recovered from captured traffic within minutes, so a WEP network should only be pushed if it is isolated from internal resources.
  • Passphrase: the network's passphrase. It is distributed to every device the profile is assigned to, so treat the profile itself as confidential.
  • Hidden SSID: specifies whether the SSID of the network is visible (button off) or hidden (button on).
  • Autoconnect: enable to connect the device to the network automatically.

Finish the configuration with Save.



Restrictions Android

Configuration by clicking on Activate restrictions.

  • Enable Camera Restrictions: after setting this, no application can access any camera on the device.
  • Enable Storage Encryption: controls encryption of the secure (application data) storage area. Data written to other storage areas may or may not be encrypted; this setting neither requires nor controls encryption of any other storage area. Important: on some devices storage can be encrypted without the user having to set a device PIN or password. The storage is then encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require a password.
  • Enable WIFI Restrictions: after setting this, WIFI is disabled permanently.
  • Enable Bluetooth Restrictions: after setting this, Bluetooth is disabled permanently.

Finish with Save.



Passcode Android

Configuration by clicking on Activate Passcode.

  • Minimum password length (default: No password required; values from 4 to 30 are possible). Attention: the current password remains in place until the user sets a new one, so the change does not take effect immediately.
  • Password Quality (default Unspecified; alternatives: Something, Numeric, Numeric Complex, Alphabetic, Alphanumeric, Complex): after setting this, the user cannot enter a new password that is less restrictive than the quality set here. Attention: the current password remains in place until the user sets a new one, so the change does not take effect immediately. Quality constants are ordered so that higher values are more restrictive; the highest requested quality (of the profile set here, the user's own preference and any other source) is the one in effect.
  • Maximum Failed Passwords For Wipe: a value greater than zero enables a built-in policy that wipes the device after too many incorrect unlock passwords have been entered.

  Because the existing password persists, a newly assigned device can keep a weak password until its user changes it; check compliance of enrolled devices separately rather than assuming the policy took effect on publication.

Finish with Save.
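The quality ordering of the Password Quality field, worked through in code: classify a password into the quality levels the tab offers, resolve the quality in force from several requests, and check a newly entered password against length and quality. This is an added example, not Securepoint's or Android's code. The order Unspecified < Something < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex follows the Android DevicePolicyManager constants behind the field, and "the highest requested quality is in effect" is the rule quoted above; how each level is recognised (for instance that Numeric Complex rejects PINs such as 1234, 4321, 2468 and 4444) is the example's reading of those constants, and the sample passwords are constructed.

```python
"""Android password quality: classify a password and resolve the quality in force.

Added example, not Securepoint code. The level order mirrors the Password
Quality field; the classification rules are this example's assumptions.
"""
from __future__ import annotations

QUALITY_ORDER = ["Unspecified", "Something", "Numeric", "Numeric Complex",
                 "Alphabetic", "Alphanumeric", "Complex"]


def quality_of(pw: str) -> str:
    """Highest quality level the given password satisfies."""
    if not pw:
        return "Unspecified"
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    symbols = len(pw) - letters - digits
    if letters and digits and symbols:
        return "Complex"
    if letters and digits:
        return "Alphanumeric"
    if not digits:
        return "Alphabetic"                    # letters and/or symbols, no digits
    if symbols:
        return "Numeric"                       # digits plus symbols but no letters
    # All digits: a PIN whose neighbouring digits all differ by the same amount
    # (4444, 1234, 4321, 2468) is a repeated or ordered sequence and stays "Numeric".
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return "Numeric" if len(pw) < 2 or len(steps) == 1 else "Numeric Complex"


def effective_quality(*requested: str) -> str:
    """Highest of the qualities requested by the profile, the user and other sources."""
    return max(requested, key=QUALITY_ORDER.index)


def check_new_password(pw: str, min_length: int | None, profile_quality: str,
                       user_quality: str = "Unspecified") -> list[str]:
    """Reasons a newly entered password would be rejected under the tab's settings.

    min_length None stands for the default "No password required"; otherwise the
    tab accepts values from 4 to 30.
    """
    if min_length is not None and not 4 <= min_length <= 30:
        raise ValueError("Minimum password length must be between 4 and 30")
    required = effective_quality(profile_quality, user_quality)
    problems = []
    if min_length is not None and len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if QUALITY_ORDER.index(quality_of(pw)) < QUALITY_ORDER.index(required):
        problems.append(f"quality {quality_of(pw)} is below required {required}")
    return problems
```

`check_new_password` only describes what happens at the moment a user changes the password; as the tab warns, a password set before the profile was published stays valid, so it says nothing about the password currently on the device.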


Security Android

The Security tab of an Android profile offers the same settings as the Security tab of the iOS profile (see Security iOS above): Region, Protocol, Portfilter Type (Open / Closed / Selection with the same port collections), SSL interception, Content-Filter-Whitelist and Content-Filter-Blacklist, Disable for SSIDs, Disable for IP addresses, Allow Suspend Always-On-VPN and, under App configuration, Allow other VPN profiles.

Configuration by clicking on Activate security; finish with Save.