Review MobileIron Core Server documentation and configuration settings to determine if the server blocks mobile devices that do not have required applications installed.
Task 1: Verify the configuration of the app control alert
1. Log in to the MobileIron Core Admin Portal.
2. In the Admin Portal, go to Logs >> Event Settings.
3. Select the Policy Violation Event that has been set up for sending an alert.
4. Click Edit.
5. In the Security Policy Triggers section, look for the App Control – All Platforms heading.
6. Confirm that the app control alert “Required app not found” is selected.
7. In the Apply to Labels section, verify that the appropriate labels are in the Selected column. Note: The labels are admin-defined; this step verifies the policy has been applied to the appropriate set of devices.
8. Click Cancel.
Task 2: Verify the custom compliance action
1. Go to Policies & Configs >> Compliance Actions.
2. Select the compliance action that was configured for when a required app is not installed.
3. Click Actions >> Edit.
4. In the Alert section, verify that “Send a compliance notification or alert to the user” is selected.
5. In the Block Access section, verify that “Block email access and AppConnect apps” is selected.
6. In the Quarantine section, verify the following are selected:
a. Quarantine the device
b. Remove All Configurations
c. Do not remove Wi-Fi settings for all devices (iOS and Android only)
7. Verify “Enforce Compliance Actions Locally on Devices” is selected.
8. Click Cancel.
Task 3: Verify the app control rule
1. In the Admin Portal, go to Apps >> App Control.
2. Select the App Control Rule that was configured for checking that the required app is installed.
3. Click the edit icon.
4. Verify that the selected Type option is Required (iOS and Android only).
5. Under Rule Entries for App, verify that Identifier Equals is selected.
6. Verify that the correct app ID is in the App identifier/Name field.
7. Verify that the desired Device Platform (All) is selected.
8. To verify each additional required app, repeat steps 4 through 6.
9. Click Cancel.
Task 4: Verify the app control rule in the security policy
1. In Admin Portal, go to Policies & Configs >> Policies.
2. Select the security policy you want to work with.
3. Click Edit.
4. Scroll down to the Access Control section of the Modifying Security Policy dialog.
5. Under the For All Platforms heading, verify that the checkbox for the app control rules option which says “when a device violates following App Control rules:” is selected.
6. In the dropdown list, verify that the custom compliance action created for this purpose is selected.
7. Under Rule Type: Required, verify that the app control rule created for this purpose is in the Enabled list.
8. Click Cancel.
9. Click More Actions >> Apply to Label.
10. Verify the appropriate labels are selected.
11. Close the Apply to Label dialog.
If on the MobileIron Core Admin Portal,
- For Task 1, if the app control alert “Required app not found” is not selected or the policy has not been applied to the appropriate set of devices (by labels), this is a finding.
- If the compliance action has not been configured as specified in Task 2, this is a finding.
- For Task 3, if all required apps are not listed in the App Control Rule and the App Control Rule is not a "Required" type, this is a finding.
- For Task 4, if the security policy does not map the custom app control rule (Task 3) to the custom compliance action (Task 2), this is a finding.