Sandblast Mobile Dashboard Admin Guide

25 May 2020

SandBlast Mobile

Administration Guide
[Classification: Protected]
Table of Contents
Introduction to SandBlast Mobile .... 6
  Solution Architecture .... 6
Getting Started .... 8
  General Workflow .... 8
  Launching the SandBlast Mobile .... 8
Menu Bar .... 10
Navigating the SandBlast Mobile Services .... 11
  Dashboard Main Screen .... 11
  Devices .... 13
    Adding a New Device .... 15
    Adding a Device Group .... 17
  URL Filtering .... 18
    URL Filtering Categories .... 18
    Blacklisted Domain Names .... 20
    Whitelisted Domain Names .... 21
  Policy .... 24
    Rulebase .... 24
    Policy Profiles .... 25
      Device Policies .... 27
      Application Policies .... 27
      On-device Network Protection Policies .... 28
        Content Inspection .... 36
          Anti-Phishing .... 36
          Safe Browsing .... 37
          Anti-Bot .... 38
          Zero-Phishing .... 38
          Conditional Access .... 39
          URL Filtering .... 40
            URL Filtering Categories .... 41
            Blacklisted Domain Names .... 42
            Whitelisted Domain Names .... 43
        Download Prevention .... 45
          Blacklisted Locations .... 46
      WiFi Network .... 46
        Man-in-the-Middle URLs Settings .... 47
        Enable Geo Location .... 48
        Whitelisting Corporate Certificates .... 48
  Forensics .... 49
    Events and Alerts .... 50
    Device Risk .... 51
    Network .... 55
    iOS Profiles .... 57
    App Analysis .... 59
      Filtering .... 62
        Advanced Filtering .... 62
      App Analysis Overview .... 63
        Risk .... 63
        Install Base .... 64
        Granular Policies .... 64
      Package Information .... 64
      Capabilities Summary .... 65
      Capabilities Details .... 65
      Exploits .... 66
      Cloud Hosting Services .... 66
      Behaviors .... 66
      File System Access .... 67
      Network .... 67
      Installations .... 68
      Application Permissions .... 68
  Settings .... 69
    Audit Trail .... 70
    Customization .... 71
      Email Customization .... 71
      Logo Customization .... 71
      Language .... 72
    Privacy Settings .... 72
      BYOD Privacy Mode .... 72
        Events & Alerts Tab .... 73
        Device Risk Tab .... 73
        App Analysis Tab .... 74
    SMTP Settings .... 74
    Device Management .... 75
      Settings Page .... 77
    Syslog Page .... 79
    Administrators .... 84
      Admin Roles Definition .... 87
      Password Policy .... 87
      SSO Settings .... 88
      Information Visible to the Organization’s Administrators on the Dashboard .... 89
    Announcements .... 90
Appendices .... 91
  SandBlast Mobile Communication Information .... 91
  Policy Profiles Description .... 94


Introduction to SandBlast Mobile
Check Point SandBlast Mobile is the most complete threat defense solution designed to prevent
emerging fifth generation cyber attacks and allow workers to safely conduct business. Its technology
protects against threats to the OS, apps, and network, scoring the industry’s highest threat catch rate
without impacting performance or user experience.

SandBlast Mobile delivers threat prevention technology that:

 Performs advanced app analysis to detect known and unknown threats
 Prevents man-in-the-middle attacks on both cellular and WiFi networks
 Blocks phishing attacks on all apps: email, messaging, social media
 Prevents infected devices from sending sensitive data to botnets
 Blocks infected devices from accessing corporate applications and data
 Mitigates threats without relying on user action or mobile management platforms

SandBlast Mobile uses a variety of patent-pending algorithms and detection techniques to identify
mobile device risks, and triggers appropriate defense responses that protect business and personal
data.

The SandBlast Mobile solution ("the Solution") includes these components:

 SandBlast Mobile Behavioral Risk Engine ("the Engine")
 SandBlast Mobile Gateway ("the Gateway")
 SandBlast Mobile Management Dashboard ("the Dashboard")
 SandBlast Mobile Protect app ("the App") for iOS and Android

Solution Architecture

Component: Description

2. UEM/EMM/MDM
 Enterprise Mobility Management / Mobile Device Management.
 Device management and policy enforcement system.

3. SandBlast Mobile Gateway
 The cloud-based Check Point SandBlast Mobile Gateway is a multi-tenant architecture to which mobile devices are registered.
 The Gateway handles all Solution communications with enrolled mobile devices and with the customer’s (organization’s) Dashboard instance.

4. Dashboard
 The cloud-based web-GUI Check Point SandBlast Mobile Management Dashboard enables administration, provisioning, and monitoring of devices and policies, and is configured as a per-customer instance.
 The SandBlast Mobile Dashboard can be integrated with an existing Mobile Device Management (MDM) / Enterprise Mobility Management (EMM) solution for automated policy enforcement on devices at risk.
 When this integration is used, the MDM/EMM serves as the repository with which the SandBlast Mobile Dashboard syncs enrolled devices and identities.

5. Behavioral Risk Engine
 The cloud-based SandBlast Mobile Behavioral Risk Engine uses the data it receives from the App (network, configuration and operating system integrity data, and information about installed apps) to perform in-depth mobile threat analysis.
 The Engine uses this data to detect and analyze suspicious activity, and produces a risk score based on the threat type and severity.
 The risk score determines whether an automatic mitigation action is needed to keep a device and its data protected, and which one.
 No Personal Information is processed by or stored in the Engine.
Getting Started
This guide describes how to launch the Check Point SandBlast Mobile from the Check Point Infinity
Portal. It also describes the interface of the Check Point SandBlast Mobile, its main features and
menus, and how to start a deployment. This includes activation and protection of a new device,
malware detection and mitigation (including investigative flow).

General Workflow
1. Create your security account. Register on the Check Point Infinity Portal at
https://portal.checkpoint.com.
Note - Registration creates an account for you on the Infinity Portal
but does not automatically log you in to any specific security
service. Use the "Try" function to log in to the SandBlast Mobile
service.
2. Enable your user account on the Infinity Portal.
3. Navigate the screens, and add and activate new users, apps, policies and devices.
4. Update and manage your Global Settings.

Launching the SandBlast Mobile

Your Check Point SandBlast Mobile is managed from the Check Point Infinity Portal.

Check Point Infinity Portal is a web-based interface for hosting the Check Point security SaaS services.
For more information, see Check Point Infinity Portal Admin Guide.

Note - SandBlast Mobile is dependent on a purchased software license.
For more information about licensing, contact your Check Point Sales
representative, or check for updates at Check Point User Community.

To open your SandBlast Mobile service from the Infinity Portal window:

1. Click the Menu button in the top left corner of the Infinity Portal window.
2. Select the SandBlast Mobile service from the dropdown list.
Menu Bar
The menu bar is permanently located on the left side of the SandBlast Mobile screen.

It displays the available options and menus on all of the dashboard pages and includes these
options:

Icon / Item: Description

Menu: Opens the list of all the CloudGuard services available in your system.
To work with the SandBlast Mobile, click the SandBlast Mobile icon on the list.

Dashboard: View both statistics and snapshot data based on information supplied by the enrolled devices.

Devices: View and manage the organization’s devices.

Policy: Configure granular policies.

Forensics: Review the security forensic data, including:
 Events & Alerts
 Device Risk
 App Analysis
 Network
 iOS profiles

Settings: View and manage dashboard settings.

The Global Settings hold the initial default values of the administrators' profile settings; they are
applied locally but affect the entire system.
Navigating the SandBlast Mobile Services
Dashboard Main Screen
The Dashboard main screen displays both statistics and snapshot data based on information
supplied by the enrolled devices. Most of the graphical information presented on this screen has
clickable items, which direct you to a query based page adapted to the state.

Example:

On the Dashboard screen you can view statistics for the Device Risk, Device Status, Top Threats, and
Security Events by type.

When you click on the event, you are redirected to the relevant window where you manage this
event.

Area: Description

Device Risk: Displays the number of devices in the organization that are currently at risk, in these ways:
 Total number of devices at risk
 Number of devices at High risk
 Number of devices at Medium risk
 Number of devices at Low risk
 Device risk over time (last 7 days)

Device Status: Displays the number of devices registered in the dashboard, in these ways:
 Total number of Devices
 Active Devices – devices that have installed and activated the App
 Provisioned & User Notified – devices where the user has been notified on where and how to install and activate the App, or that the UEM has added to the System
 Disabled – devices that have uninstalled the App, or for which the UEM has reported that the App is no longer installed
 Devices registered in the last day
 Devices registered in the last week
 Percent of devices on the current agent version
 Percent of devices on older agent versions

Top Threats: Displays the top threats encountered. It categorizes threats by:
 Malicious apps
 Network attacks
 Unsecure device settings
and other types of threats.
The panel is not real-time, so the page must be refreshed to see any updates.

Security Events by Type: Displays the security events by type (marked in colors) over time for the last hour, day or month, as well as the total number of applications that were scanned from the devices attached to the dashboard.
You can select the presentation of events over time for the last hour, day, or month.
Devices
In the Devices window, the administrator can view and manage the organization’s devices.

Example:

The Devices window shows a list of all of the organization-protected devices with no filters. On this
screen, you can add, remove, edit devices, import and export their details, and activate them.

The Devices window settings

Item: Description

ID: A unique ID generated for each device when the Protect app is installed. The system uses it as the reference to the device instead of the device’s actual details, for privacy. Device IDs with a status that requires attention are clickable; click a Device ID to open the Device Risk screen filtered for that device.

Name (Device Owner): The device name given by the administrator when sending the registration link (or by the UEM, if the UEM is used for deployment).

Email: The email address is an identifier. The registration email is sent to it.
When you add a new device, an email is sent to the address defined in the wizard. A user logged on to a device with this email receives a registration request and is directed to download the App (Google Play Store for Android, or the Dashboard for iOS).
Note - The registration email carries a one-time registration code. If the same email address is used on more than one device, only the first mobile device that installs the App is registered. A new registration email must be sent for each additional device logged on with the same user.

Device Number: Also configured by the administrator, or in the UEM when the app installation link is created. This is usually the device’s phone number. It only helps to identify the device, is not used by the system, and is optional.

Device Type: The device OS (iOS / Android / Android Enterprise), determined from the information the device sends when the app is installed.

OS Version: Determined from the information the device sends after the Protect app is installed.

Device Details: Determined from the information the device sends after the Protect app is installed.

Client Version: The version of the SandBlast Mobile Protect app currently installed on the device.

Last Seen: The last time the device communicated with the SandBlast Mobile servers.

Status: The device’s current state:
 Processing – a temporary state between adding the device manually and sending the Registration Invitation.
 User Notified – a Registration Invitation was sent; the device has not yet registered.
 Provisioned – the device was added via UEM; the device has not yet registered.
 Active – the SandBlast Mobile Protect app is installed, the device registered successfully, and the device was scanned successfully.
 Inactive – the SandBlast Mobile Protect app was installed and the device registered with the SandBlast Mobile Dashboard, and then the app was removed, or the device has not connected to the Dashboard in over X days.

 You can filter every column in the table:

1. Click Filter above the table.
2. On the Filters pane on the right side of the window, adjust the information you want to view.

 You can also export the information from the table to a CSV file (comma separated values), which can be opened in spreadsheet applications such as Microsoft Excel. Use the filter to select the information to include in the file.
 You can set the number of rows listed on the screen, and scroll to view previous items.
 You can import information about devices from your computer.
 You can also send the activation code to the selected devices, and view their registration code.
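The CSV export above is the quickest way to answer the two questions the Device Status panel raises: which Active devices have stopped reporting, and which are still on an older App version. The following script is an added example, not part of the guide or of Check Point's tooling; the column order, the timestamp format of Last Seen, the threshold for "over X days" and the "current" App version are all assumptions about a tenant, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export using the columns the Devices table lists.
# The column order and ISO-8601 timestamps are assumptions about the export.
SAMPLE_EXPORT = """ID,Name,Email,Device Number,Device Type,OS Version,Device Details,Client Version,Last Seen,Status
d-001,Alice Phone,alice@example.com,+15550100,iOS,13.4,iPhone 11,3.7.2,2020-05-24T09:12:00Z,Active
d-002,Bob Phone,bob@example.com,,Android,10,Pixel 3,3.6.0,2020-04-20T17:40:00Z,Active
d-003,Carol Tablet,carol@example.com,,Android Enterprise,9,Galaxy Tab,3.7.2,2020-05-25T08:00:00Z,Active
d-004,Dan Phone,dan@example.com,+15550104,iOS,12.4,iPhone 8,,,User Notified
d-005,Eve Phone,eve@example.com,,Android,10,Pixel 4,3.7.2,2020-03-01T12:00:00Z,Inactive
"""

CURRENT_AGENT = "3.7.2"            # assumption: newest Protect app version in this tenant
STALE_AFTER = timedelta(days=14)   # assumption: the guide only says "over X days"
REPORT_TIME = datetime(2020, 5, 25, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def parse_export(text):
    """Rows of the exported CSV as dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_last_seen(value):
    """Last Seen as an aware datetime, or None when the device never reported."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_version(value):
    """'3.6.0' -> (3, 6, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in value.split("."))


def is_stale(row, now, stale_after):
    """Active device that has not talked to the servers within the window."""
    last_seen = parse_last_seen(row["Last Seen"])
    return last_seen is None or now - last_seen > stale_after


def triage(rows, now, current_agent=CURRENT_AGENT, stale_after=STALE_AFTER):
    """Counts matching the Device Status panel plus two follow-up lists:
    Active devices that have gone quiet and Active devices on an older App."""
    active = [r for r in rows if r["Status"] == "Active"]
    on_current = [r for r in active if parse_version(r["Client Version"]) >= parse_version(current_agent)]
    return {
        "total": len(rows),
        "by_status": dict(Counter(r["Status"] for r in rows)),
        "stale_active": [r["ID"] for r in active if is_stale(r, now, stale_after)],
        "outdated_active": [r["ID"] for r in active if r not in on_current],
        "pct_active_on_current_agent": round(100 * len(on_current) / len(active)) if active else 0,
    }


def run_sample():
    """Triage the constructed export at the constructed report time."""
    return triage(parse_export(SAMPLE_EXPORT), REPORT_TIME)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Only Active devices are checked for staleness and agent version: User Notified and Provisioned devices have no app yet, and Inactive ones are already flagged by the Dashboard. A device whose Last Seen column is empty but whose status is Active is treated as stale, since that combination should not occur.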



Adding a New Device
Devices are invited to install the SandBlast Mobile Protect app and register themselves in the
Dashboard through an invitation email generated from the Dashboard under the Devices tab.
Devices can also be added through UEM sync. For customers who use UEM solutions such as
BlackBerry, VMware, or MobileIron, refer to the specific integration guide for more details.

For customers who use Android Enterprise devices, refer to the specific MDM integration
guide for guidance on how to configure the MDM to sync Android Enterprise devices with
SandBlast Mobile.

The invitation is sent to an email address that must be read from the device. The first part of the
email can be customized with a customer-specific message from Settings > Email customization.

 iOS devices are redirected either to install the app from the Apple App Store or to download the
Enterprise-signed App from the dashboard; which one is determined by a dashboard setting
configured by Check Point. With the Enterprise-signed App, installation on iOS takes two steps:
download the iOS agent from the Dashboard, then trust the Enterprise app on the device. After
the installation completes, you must enter the server details and the registration code. You will
find the registration information and instructions in the registration email.
 Android devices are redirected to the Google Play Store to download the latest available SandBlast
Mobile Protect app. All registration information is entered automatically by the system when the
download link in the email is used from the device during the installation process.

Adding a new device - procedure

1. Go to Devices > New.

Example:
2. Enter the device friendly Name, Group, Email Address, and phone number for the user in the
Add New Device properties.
3. Click Add.

An email is sent from the dashboard with an explanation about the SandBlast Mobile Protect
app. The email contains a link for downloading the SandBlast Mobile Protect app.

Example:

When the device is added to the dashboard, an entry appears under the devices with a unique device
ID. The device status shows as User Notified until the SandBlast Mobile Protect app is installed
and the device has communicated with the dashboard.

Example:

When the App is successfully installed and run on the device, the registration screen appears. On
Android devices the system enters the registration information automatically; on iOS devices you
must enter it manually.

A successful registration triggers a full device scan. If no malware or malicious configurations are
found, the App status appears in full green. Once the device has communicated with the Dashboard,
the device entry changes from User Notified to Active, and the device details are updated.

Example:

Adding a Device Group


You can assign devices to appropriate group when you add them to the system. You can also assign a
group to the existing device.

Adding a device to a group - procedure

1. Go to Devices > Groups list > ADD at the bottom of the Groups.

Example:

2. In the pop-up window, enter a group name.

Example:
3. Click ADD.

When the Dashboard is integrated with a Device Management platform, devices and device groups
are imported from that platform, and the Add new device and Add groups options are disabled.

URL Filtering
The SandBlast Mobile URL Filtering feature prevents access to websites whose category is
inappropriate under your organization’s corporate policies. It allows the administrator to prohibit
devices from accessing URLs in a specific subject category, such as gambling, guns, violence, etc.

SandBlast Mobile URL Filtering also allows businesses to blacklist and whitelist individual domains.

URL Filtering enforces policies on mobile devices across all browser apps and in non-browser
apps, such as Facebook Messenger, Slack, WhatsApp and others.

When URL Filtering is coupled with On-device Network Protection > Always ON > Allow user to
suspend On-device Network Protection, the user can disable ONP for a set amount of time
(5 minutes, 30 minutes, or 2 hours) so that they can access blocked websites/categories. This
capability allows a certain amount of flexibility in a BYOD environment.

However, the user cannot suspend ONP while their device is at HIGH risk, and if the device moves
to HIGH risk during a suspension, Conditional Access is still enforced.

URL Filtering Categories

To enable URL Filtering Categories:

1. Go to Policy > select Policy Profile > On-device Network Protection > URL Filter
Categories.
2. Click Edit section.

Example:

3. In the pop-up window, select the categories to which you want to block access and click > to
move the selected categories to the block list on the right side.

Example:

Each category has an explanation at the bottom of the screen.

4. Click OK.

The administrator can choose to block a category without tracking the events it generates; a
company may decide not to track such events out of user privacy concerns.
By default, a URL filtering action raises a pop-up notification on the client device and a new event
card in the SandBlast Protect app ‘Events center’. If the administrator clears the “Show events in
client” option for a specific category, the end user only sees the URL blocked page inside the
browser when the URL is accessed.

Blacklisted Domain Names

This list allows the administrator to block domains from the user device regardless of the domain’s
subject category or the risk level of the device.

To blacklist Domain Names:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection > Blacklisted Domain Names > New.

Example:

2. In the pop-up window, in the Domain field, enter a domain (or subdomain).

Example:

3. Click OK.
4. To remove an item from the list, select it and click Delete.
5. To import a list of domains, click Import and upload a .CSV file with a list of Domains and
Comments.

Note: The uploaded list replaces the existing list rather than merging with it, so the file must contain
every domain you want to keep. This allows administrators to import a list of Domain
Names/Locations from other systems such as a Firewall/Gateway into the SandBlast Mobile On-device
Network Protection (ONP) policy settings.

Whitelisted Domain Names

This list allows the administrator to whitelist domains that are always accessible from the user
device, regardless of the domain’s subject category or the risk level of the device.

The admin can configure this list to ensure that, for example, a self-service help desk site is always
accessible from user devices whatever their risk level. Because a whitelisted domain stays reachable
even from a HIGH-risk device, keep this list to the few sites that genuinely need it.

To whitelist Domain Names:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection > Whitelisted Domain Names > New.

Example:

2. In the pop-up window, in the Domain field, enter a domain (or subdomain).

Example:

3. Click OK.
4. To remove an item from the list, select it and click Delete.
5. To import a list of domains, click Import and upload a .CSV file with a list of Domains and
Comments.

Note: The uploaded list replaces the existing list rather than merging with it, so the file must contain
every domain you want to keep. This allows administrators to import a list of Domain
Names/Locations from other systems such as a Firewall/Gateway into the SandBlast Mobile On-device
Network Protection (ONP) policy settings.
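Firewall and gateway exports rarely arrive as clean domain names: they carry schemes, ports, paths, wildcards, trailing dots and the occasional IP address, and the same host can appear twice. The script below prepares a blacklist and a whitelist file for the two import steps above. It is an added example, not part of the guide or of any Check Point tool: the two-column header, the normalization rules and the sample entries are assumptions (the guide only says the file holds Domains and Comments). It also flags a domain that would land on both lists, or that is a subdomain of a domain on the other list, since the page states only that blacklisted domains are blocked regardless of category and whitelisted ones are reachable regardless of risk, not which wins when both apply.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# RFC 1123-style hostname label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample entries, in the mixed formats a firewall object export tends to use.
FIREWALL_BLOCK_EXPORT = [
    "https://Phish-Kit.example/login?x=1",   # URL with path and query
    "*.tracker.example",                     # wildcard: import the parent domain
    "tracker.example.",                      # trailing dot, duplicate of the line above
    "10.0.0.5",                              # IP address, not a domain
    "bad_host.example",                      # underscore is not a valid hostname label
    "example.org",
]
HELPDESK_ALLOW = ["help.example.org", "HELP.example.org", "portal.example.net:443"]


def normalize_domain(raw):
    """Reduce one export entry to a bare lowercase domain, or None if unusable."""
    value = raw.strip().lower()
    if not value or value.startswith("#"):
        return None
    if value.startswith("*."):
        value = value[2:]
    if "://" not in value:
        value = "//" + value            # make urlsplit treat it as a network location
    host = (urlsplit(value).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    if all(label.isdigit() for label in labels):
        return None                     # dotted-quad IP, the Domain field expects a name
    return host


def build_list(entries, comment):
    """Normalize and de-duplicate (first occurrence wins). Returns (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        host = normalize_domain(raw)
        if host is None:
            rejected.append(raw)
        elif host not in seen:
            seen.add(host)
            accepted.append((host, comment))
    return accepted, rejected


def covered_by(domain, listed):
    """True if domain equals an entry in listed or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in listed)


def conflicts(blacklist, whitelist):
    """Domains that fall under both lists; review these before importing either file."""
    black = [d for d, _ in blacklist]
    white = [d for d, _ in whitelist]
    both = {d for d in white if covered_by(d, black)} | {d for d in black if covered_by(d, white)}
    return sorted(both)


def to_csv(rows):
    """Two-column file for the Import button; the header names are an assumption."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Domain", "Comment"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    black, rejected = build_list(FIREWALL_BLOCK_EXPORT, "imported from perimeter firewall")
    white, _ = build_list(HELPDESK_ALLOW, "self-service help desk")
    print("rejected:", rejected)
    print("conflicts:", conflicts(black, white))
    print(to_csv(black))
```

In the sample, help.example.org is whitelisted while its parent example.org is blacklisted; the script reports it instead of silently writing both files, because the effective result on the device is not documented here. Rejected entries are returned rather than dropped so they can be fixed by hand before the import replaces the existing list.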
Policy
On the Policy tab, you can configure Granular Policies.

With Granular Policies you can configure different polices for different groups of devices, for
example, enable more security controls for your VIPs.

See Adding a Device Group to create the groups listed in the rulebase table. You can also apply
policies to the devices individually, but using groups allows better scale.

Example:

Note - If your SandBlast Mobile Dashboard does not show this tab, refer
to Policy Settings.

Rulebase
When you first navigate to the Policy tab, you see a rulebase list with the default Global policy profile
already listed.

As you add new policy profiles, you will add them to the rulebase to apply them to the appropriate
groups of devices.

The rules are processed in order from top to bottom. Once a match for the device is made, that
policy is applied to the device. For example, if you create two policies and the device would match
both policies, the top-most matched policy will be applied to this device, and the rest of the rules will
be ignored for this device.

Best Practice - place the most specific policies higher in the list, with the Global policy at the bottom.
To reorder, drag and drop a rule by clicking its rule # and moving it up or down as appropriate.

To activate a policy and apply it to a group of devices:

1. Click New button.

A new line is added to the top of the rulebase list.

Example:
2. Enter a Rule Name, select the devices or groups from the drop-down list, select the policy
profile from the drop-down list, and enter a comment (if needed).

For more information see "Policy Profiles" on page 25.

3. Click the checkmark at the end of the rule to save that rule.
4. Click Save.
5. To move a rule, click the rule # up or down , drag and drop as appropriate.
6. Click Save, or click Discard to undo the changes.
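The ordering rule above is easy to state and easy to get wrong: a Global rule that matches every device and sits at the top silently wins for everyone, and the more specific rules below it never apply. The following is an added example of first-match evaluation, not code from the guide or from the product; the rule and group names, the "Any" target that stands in for the Global rule's match-all behaviour, and the device inventory are assumptions. Besides resolving the profile for a device, it reports rules that never win for any device in the inventory, which is the symptom of a shadowing mistake.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    targets: frozenset       # device IDs and/or group names; "Any" matches every device (assumption)
    profile: str             # policy profile name applied on a match
    comment: str = ""


@dataclass(frozen=True)
class Device:
    device_id: str
    groups: frozenset = field(default_factory=frozenset)


def matches(rule, device):
    """A rule applies to a device selected directly or through any of its groups."""
    return ("Any" in rule.targets
            or device.device_id in rule.targets
            or bool(rule.targets & device.groups))


def resolve_profile(rulebase, device):
    """First match from the top wins; the remaining rules are ignored for that device.
    Returns (profile, 1-based rule position), or (None, None) if nothing matched."""
    for position, rule in enumerate(rulebase, start=1):
        if matches(rule, device):
            return rule.profile, position
    return None, None


def shadowed_rules(rulebase, devices):
    """Names of rules that never win for any device in the inventory, usually
    because a broader rule (such as the Global rule) sits above them."""
    winning_positions = {resolve_profile(rulebase, d)[1] for d in devices}
    return [rule.name for pos, rule in enumerate(rulebase, start=1) if pos not in winning_positions]


# Constructed inventory: two groups, one device in both, one device in neither.
DEVICES = [
    Device("d-001", frozenset({"VIP"})),
    Device("d-002", frozenset({"Sales"})),
    Device("d-003", frozenset({"VIP", "Sales"})),
    Device("d-004"),
]

# Specific rules first, the catch-all Global rule last (the guide's best practice).
GOOD_ORDER = [
    Rule("VIP devices", frozenset({"VIP"}), "Strict"),
    Rule("Sales BYOD", frozenset({"Sales"}), "Sales-BYOD"),
    Rule("Everyone", frozenset({"Any"}), "Global"),
]

# Same rules with the catch-all dragged to the top: it matches every device first.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


if __name__ == "__main__":
    for label, rulebase in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label)
        for device in DEVICES:
            print(" ", device.device_id, "->", resolve_profile(rulebase, device))
        print("  shadowed:", shadowed_rules(rulebase, DEVICES))
```

Note that d-003 belongs to both VIP and Sales and gets the Strict profile only because the VIP rule is listed first; swapping the two specific rules changes its outcome without any rule being shadowed, which is why the order of rules that share devices deserves as much attention as the position of the Global rule.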

Policy Profiles
Every Policy Profile that you create includes a pre-configured set of items to which the profile applies:

 Device. See Device Policies.
 Application. See Application Policies.
 On-device Network Protection. See On-device Network Protection Policies.
 WiFi Network Policies. See WiFi Network Policies.

The Global Policy profile is the default policy for all devices. You can edit it.

Example:

To create a new policy profile:

1. Go to Policy > Policy Profiles.
2. Click the [+] mark.

A New Policy window opens.

Example:

3. Enter a unique name and a description for the new policy.
4. Click OK.

To copy an existing policy profile:

1. Click the name of the desired policy and click the copy icon.
2. Name the new policy. You can choose to copy the marked policy or another policy from the
drop-down list, and add comments. Click OK to save.

In both cases you can now edit the policy in the profile editing view, or edit it at any time from the
Policy Profiles list.

To activate the policy, see "Rulebase" on page 24.


Device Policies

On the Device tab, you can set the Risk Level and time conditions for General, Android, and iOS
specific policies.

You can also whitelist proxy server IP addresses.

To add a new Proxy to the Whitelist:

1. Click the [+] button.

A Proxy IP window opens.

2. Enter the Proxy IP and click OK.

3. Click Save to save the policy changes.

Application Policies

On the Application tab, you can configure the risk level associated with each application
classification.

Hover over the [?] on the right to get a pop-up description of the selected classification.

1. Select a risk level from the drop-down list.
2. Click Save to save the policy changes.

On-device Network Protection Policies

On the On-device Network Protection tab you configure the on-device protections that SandBlast
Mobile applies to the device's network traffic: Anti-Phishing, Safe Browsing, Anti-Bot, Conditional
Access, and URL Filtering.

The window has two tabs:

- "Content Inspection" on page 36
- "Download Prevention" on page 45

On the upper part of the window you select the overall state of On-device Network Protection (ONP).
The drop-down list and the Configure pop-up window set its basic behavior:

- Disabled: On-device Network Protection is completely disabled.
- Always On: On-device Network Protection is enabled at all times. The advanced configuration in
the Configure window dictates its behavior.
- Turn On when Device is at High Risk: ONP is enabled automatically when the device enters the
HIGH risk state and is disabled automatically once the device returns to a normal state.
To apply the set of conditions for activating the On-device Network Protection policy:

1. From the drop-down list, select Always On (or Turn On when Device is at High Risk).
2. Click Configure.

The Configure On-Device Network Protection window opens.

3. Set these parameters:

General Settings

- On-Device Network Protection not installed - the device risk level to report when ONP is not
installed: Global - Medium (Device Alert), High (Device Alert), Medium (Device Alert),
Medium (No Device Alert), Medium (Dismissive Device Alert), Low, No Risk.

- Show device notifications - show a notification on the device when a network resource is
blocked: On/Off.

- Event Severity Level - the severity assigned to events generated by On-device Network
Protection: Global - Critical, Critical, Warning, Information.

Suspend Policy

- Allow user to suspend On-device Network Protection - On/Off. User suspension is disabled when
On-Device Network Protection is set to Turn On when Device is at High Risk.

- Automatically suspend when - Never; Any VPN is connected; Corporate resource is connected via
VPN (a URL or corporate resource that is reachable only over the VPN).

- Automatic suspension exceeded allowed period - the device risk level to report when ONP has
been suspended for longer than the allowed period. Enabled only when Corporate resource is
connected via VPN is selected: Global - Medium (Device Alert), High (Device Alert),
Medium (Device Alert), Medium (No Device Alert), Medium (Dismissive Device Alert), Low, No Risk.

HTTPS Settings

- HTTPS Inspection - extends On-Device Network Protection capabilities to HTTPS communication:
On/Off.

4. Click OK.
5. The On-device Network Protection parameters in more detail:

- General Settings

"On-device Network Protection (ONP) not installed" defines the device risk state reported when
ONP is not installed on the device.

- Suspend Policy

"Automatic suspension exceeded allowed period" lets you decide whether a long suspension of ONP
by the SandBlast Mobile app itself is treated as a risk, and at which level. By default, the app
considers the allowed period exceeded if ONP has been suspended for more than 20 hours within a
24-hour window. When this condition is met, an alert of the configured level is triggered.

- Automatic ONP Suspend policy

You can configure automatic suspension for the case where a second VPN is detected on the mobile
device, to avoid VPN clashes:

  - Never - keep ONP enabled and running even if other VPNs are detected.
  - Any VPN is Connected - automatically suspend ONP whenever an additional VPN is detected. ONP
  resumes after 2 hours, or earlier if the other VPN disconnects within that time.
  - Corporate resource is connected - suspend ONP only if another VPN is detected and that VPN
  gives access to a specific URL that represents a corporate resource. Enter the corporate URL
  here. If the configured URL is reachable, ONP is suspended; it resumes as soon as the suspend
  condition is no longer met.
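To make the "more than 20 hours within 24 hours" threshold concrete, here is an added Python example (not Check Point code) that accounts for ONP suspension time over a rolling 24-hour window: it clips each suspension interval to the window, treats a still-open suspension as running until now, and merges overlapping intervals so no time is counted twice. The timestamps are constructed, and how the app itself records suspension intervals is not described in the guide, so the interval representation is an assumption.

```python
"""Rolling-window accounting for ONP suspension time.

Added example, not SandBlast Mobile code: it reproduces the rule described
in the guide (suspended for more than 20 hours within a 24-hour window raises
an alert) so the threshold can be reasoned about with concrete timestamps.
The 20 h / 24 h values come from the guide; the interval representation and
the sample timestamps are assumptions / constructed data.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

WINDOW = timedelta(hours=24)
ALLOWED = timedelta(hours=20)

# (start, end) of each suspension; end is None while the suspension is still active.
Interval = Tuple[datetime, Optional[datetime]]


def suspended_time(intervals: List[Interval], now: datetime,
                   window: timedelta = WINDOW) -> timedelta:
    """Total suspended time that falls inside the window ending at `now`.

    Intervals are clipped to the window, an open interval is clipped to `now`,
    and overlapping intervals are merged so time is not counted twice.
    """
    window_start = now - window
    clipped = []
    for start, end in intervals:
        end = now if end is None else min(end, now)
        start = max(start, window_start)
        if end > start:
            clipped.append((start, end))
    clipped.sort()
    total = timedelta(0)
    cur_start = cur_end = None
    for start, end in clipped:
        if cur_end is None or start > cur_end:      # disjoint from the current run
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:                                        # overlaps: extend the run
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def exceeded_allowed_period(intervals: List[Interval], now: datetime,
                            allowed: timedelta = ALLOWED,
                            window: timedelta = WINDOW) -> bool:
    """True when the "Automatic suspension exceeded allowed period" alert fires."""
    return suspended_time(intervals, now, window) > allowed


# Constructed sample: a corporate VPN kept ONP suspended for most of the day.
NOW = datetime(2020, 5, 25, 18, 0)
LONG_SUSPEND = [
    (datetime(2020, 5, 24, 20, 0), datetime(2020, 5, 25, 6, 0)),   # 10 h inside window
    (datetime(2020, 5, 25, 7, 0), None),                          # 11 h and still open
]
SHORT_SUSPEND = [
    (datetime(2020, 5, 25, 9, 0), datetime(2020, 5, 25, 11, 0)),   # 2 h
    (datetime(2020, 5, 25, 10, 0), datetime(2020, 5, 25, 12, 0)),  # overlaps: counts once
]

if __name__ == "__main__":
    print(suspended_time(LONG_SUSPEND, NOW))            # 21:00:00
    print(exceeded_allowed_period(LONG_SUSPEND, NOW))   # True
    print(suspended_time(SHORT_SUSPEND, NOW))           # 3:00:00
```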
Content Inspection

On the Content Inspection tab, you can set these parameters:

Block Connections to Phishing & Malicious Sites

- Phishing - ON / OFF. See Anti-Phishing.
- Spyware/Malicious Sites - ON / OFF. See Safe Browsing.
- Botnets - ON / OFF. See Anti-Bot.
- Zero-Phishing - ON / OFF. See Zero-Phishing.

Conditional Access - a list of network addresses / host names. See Conditional Access.

URL Filter Categories - a list of filtered URL categories. See URL Filtering.

Blacklisted Domain Names - see Blacklisted Domain Names.

Whitelisted Domain Names - see Whitelisted Domain Names.

Anti-Phishing

SandBlast Mobile On-device Network Protection prevents phishing attacks in any email or
messaging app by detecting and blocking malicious URLs on click, no matter how the URL was
delivered.

The Anti-Phishing capability is powered by ThreatCloud™, Check Point's collaborative threat
intelligence network and knowledge base, which delivers real-time, dynamic security intelligence.

This category includes URLs that typically arrive in email or messaging apps and are set up to
steal information from users. These sites impersonate legitimate websites to obtain users'
account credentials or credit card information for fraudulent or illegal use.

To enable Anti-Phishing protection:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection.
2. Under Block connections to phishing & malicious sites, enable Phishing.

Safe Browsing

SandBlast Mobile On-device Network Protection prevents access to malicious websites from any
browsing app by blocking the sites based on the dynamic security intelligence provided by
ThreatCloud™. It also prevents users from unwittingly visiting malicious websites where their
device can be infected with drive-by malware.

This category includes URLs that may be reached during on-device browsing and are set up to
steal information from users or to install drive-by malware. These sites impersonate legitimate
websites either to obtain users' account credentials or credit card information for fraudulent or
illegal use, or to install malicious apps that root/jailbreak the device, take command-and-control
of it, and steal on-device information.

To enable Safe Browsing:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection.
2. Under Block connections to phishing & malicious sites, enable Spyware / Malicious Sites.

Anti-Bot

The SandBlast Mobile Anti-Bot feature extends Check Point Anti-Bot technology to mobile devices.
By detecting bot-infected devices and automatically blocking all communication to command and
control (C&C) servers and other malicious servers, organizations can prevent exfiltration of
sensitive data.

This category includes URLs, IP addresses, and domain names used by bots (zombies), including
command-and-control sites that facilitate stealing on-device personal and corporate information,
recording video or audio, and installing other malicious code.

To enable Anti-Bot protection:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection.
2. Under Block connections to phishing & malicious sites, enable Botnets.

Zero-Phishing

Zero-Phishing is a Check Point technology that identifies previously unknown phishing websites
from the characteristics of the page itself and prevents phishing attacks from them. Like
Anti-Phishing, it detects and blocks malicious URLs on click in any email or messaging app, no
matter how the URL was delivered.

This category includes URLs that typically arrive in email or messaging apps and are set up to
steal information from users. These sites impersonate legitimate websites to obtain users'
account credentials or credit card information for fraudulent or illegal use.

To enable Zero-Phishing protection:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection.
2. Under Block connections to phishing & malicious sites, enable Zero-Phishing.

Conditional Access

When a compromised device accesses corporate resources, the data is immediately at risk.

The Conditional Access feature lets an organization automatically control access to corporate
resources by compromised devices. As a result, if a device is exposed to an attack, its access to
corporate networks and to on-premise and cloud apps is controlled.

Enforcement of this policy is independent of Unified Endpoint Management (UEM) solutions.

This category is a list of corporate IP addresses and/or FQDN hostnames that a device at high
risk cannot access.

To enable Conditional Access:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection > Conditional Access.
2. Click [+] New.
3. In the pop-up window, enter the IP address with its bitmask (CIDR prefix) or the FQDN
hostname that a high-risk device must not access.
4. Click OK.

URL Filtering

The SandBlast Mobile URL Filtering feature prevents access to websites whose category is
inappropriate under your organization's corporate policies. It lets the administrator prohibit
devices from accessing URLs in a given subject category, such as gambling, guns, or violence.

SandBlast Mobile URL Filtering also allows businesses to blacklist and whitelist domains.

URL Filtering enforces policies on mobile devices across all browser apps and in non-browser apps
that open links, such as Facebook Messenger, Slack, WhatsApp and others.

When URL Filtering is coupled with On-device Network Protection > Always On > Allow user to
suspend On-device Network Protection, the user can disable ONP for a limited time (5 minutes,
30 minutes, or 2 hours) in order to access blocked websites or categories. This allows a degree
of flexibility in a BYOD environment.

However, the user cannot suspend ONP while the device is at HIGH risk, and if the device moves to
HIGH risk during a suspension, Conditional Access is still enforced.

URL Filtering Categories

To enable URL Filtering Categories:

1. Go to Policy > select Policy Profile > On-device Network Protection > URL Filter
Categories.
2. Click Edit section.
3. In the pop-up window, select the categories to which you want to block access and click > to
move the selected categories to the block list on the right side. Each category has an
explanation at the bottom of the screen.
4. Click OK.

The administrator can choose to block these categories but not track when such events occur per
category; a company may decide not to track such events because of user privacy concerns.

Blacklisted Domain Names

This category lets the administrator blacklist domains so that they cannot be accessed from the
user device, regardless of the subject category or the risk level of the device.

To blacklist Domain Names:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection > Blacklisted Domain Names > New.
2. In the pop-up window, in the Domain field, enter a domain (or subdomain).
3. Click OK.
4. To remove an item from the list, select it and click Delete.
5. To import a list of domains, click Import and upload a .CSV file with a list of Domains and
Comments.

Note: The uploaded list replaces the existing list. This lets administrators import a list of
Domain Names/Locations from other systems, such as a Firewall/Gateway, into the SandBlast Mobile
On-device Network Protection (ONP) policy settings. Because the import replaces the list, include
in the uploaded file any existing entries you want to keep.

Whitelisted Domain Names

This category lets the administrator whitelist domains that are always accessible from the user
device, regardless of the subject category or the risk level of the device.

The admin can use this list to ensure, for example, that a self-service help desk site is always
accessible from user devices, whatever their risk level.

To whitelist Domain Names:

1. Go to Policy > select Policy Profile > On-device Network Protection > Content
Inspection > Whitelisted Domain Names > New.
2. In the pop-up window, in the Domain field, enter a domain (or subdomain).
3. Click OK.
4. To remove an item from the list, select it and click Delete.
5. To import a list of domains, click Import and upload a .CSV file with a list of Domains and
Comments.

Note: The uploaded list replaces the existing list. This lets administrators import a list of
Domain Names/Locations from other systems, such as a Firewall/Gateway, into the SandBlast Mobile
On-device Network Protection (ONP) policy settings. Because the import replaces the list, include
in the uploaded file any existing entries you want to keep.
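Since the Import described for both Blacklisted and Whitelisted Domain Names replaces the existing list, a practitioner usually wants to normalize the entries exported from a gateway (which often arrive as URLs, host:port pairs or mixed case) and merge them with the current list before uploading. The following Python script is an added example, not SandBlast Mobile code. It assumes a header row of Domain,Comment (the guide only says the file contains Domains and Comments), rejects IP addresses because those belong in the Locations lists, and uses constructed domain names.

```python
"""Build a Domains/Comments CSV for the Blacklisted or Whitelisted Domain
Names import.

Added example, not SandBlast Mobile code. Because the import replaces the
existing list, the script merges the entries you already have with the new
ones exported from another system (e.g. a gateway blocklist) before writing
the file. Assumptions: the CSV has a header row "Domain,Comment" (the guide
only says the file lists Domains and Comments), and one domain per row.
All domains below are constructed.
"""
import csv
import io
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# RFC 1035-style host name: dot-separated labels, letters-only top-level label.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def normalize_domain(entry: str) -> Optional[str]:
    """Reduce a raw line (URL, host:port, trailing dot, mixed case) to a bare
    lower-case domain, or return None if it is not a valid domain name.
    IP addresses are rejected: they belong in the Locations lists, not here."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" not in entry:
        entry = "//" + entry           # let urlsplit parse "host:port/path"
    host = urlsplit(entry).hostname    # already lower-cased by urlsplit
    if not host:
        return None
    host = host.rstrip(".")
    return host if _DOMAIN_RE.match(host) and len(host) <= 253 else None


def merge_lists(existing: Iterable[Tuple[str, str]],
                new_entries: Iterable[str],
                new_comment: str) -> List[Tuple[str, str]]:
    """Existing (domain, comment) rows first, then new valid domains that are
    not already present. Order is preserved and duplicates dropped."""
    rows: List[Tuple[str, str]] = []
    seen = set()
    for domain, comment in existing:
        d = normalize_domain(domain)
        if d and d not in seen:
            rows.append((d, comment))
            seen.add(d)
    for raw in new_entries:
        d = normalize_domain(raw)
        if d and d not in seen:
            rows.append((d, new_comment))
            seen.add(d)
    return rows


def to_csv_text(rows: Iterable[Tuple[str, str]]) -> str:
    """Render rows as the CSV text to upload (header assumed, see above)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Domain", "Comment"])
    writer.writerows(rows)
    return buf.getvalue()


def parse_csv_text(text: str) -> List[Tuple[str, str]]:
    """Read a previously built list back into (domain, comment) rows."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["Domain"], r.get("Comment", "")) for r in reader]


# Constructed inputs: the list currently in the dashboard and a gateway export.
CURRENT_LIST = "Domain,Comment\nbad-ads.example,ad network\n"
GATEWAY_EXPORT = [
    "https://Phish.Example.ORG:443/login?x=1",  # URL -> phish.example.org
    "malware.example.net.",                      # trailing dot -> stripped
    "bad-ads.example",                           # duplicate of existing entry
    "10.0.0.1",                                  # IP address -> rejected
    "# comment line",                            # ignored
]

if __name__ == "__main__":
    merged = merge_lists(parse_csv_text(CURRENT_LIST), GATEWAY_EXPORT, "from gateway")
    print(to_csv_text(merged))
```

Write the output of to_csv_text to a .csv file and upload it with Import; the same script serves the Whitelisted Domain Names list by starting from that list's current entries instead.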

Download Prevention

On the Download Prevention tab you can set these parameters:

Download Prevention Settings (Off / Allow / Block risky downloads):

- iOS Configuration Profile - prevents unauthorized, potentially malicious profiles from being
downloaded and installed on an iOS device.
- iOS Application - prevents unauthorized, potentially malicious applications from being
downloaded and installed on an iOS device.
- Android Application - prevents unauthorized, potentially malicious Android applications from
being downloaded and installed on an Android device.

Blacklisted Locations - see Blacklisted Locations.

Whitelisted Locations - see Whitelisted Locations.

Blacklisted Locations

This category lets the administrator blacklist download locations, so that downloads from those
locations are blocked on the user device.

To blacklist Locations:

1. Go to Policy > select Policy Profile > On-device Network Protection > Download
Prevention > Blacklisted Locations > New.
2. In the pop-up window, in the Address field, enter a location.
3. Click OK.
4. To remove an item from the list, select it and click Delete.

WiFi Network

On the WiFi Network tab you can do the following:

- Set the risk level for the Wi-Fi Network Protection settings.
- Add additional servers to be used for MitM detection.
- Enable Geolocation collection.
- Set the Man in The Middle Detection URLs.
- Upload SSL certificates for your whitelist.

Man-in-the-Middle URLs Settings

You can set the URLs used for MITM detection and select the risk level for the Wi-Fi Network
Protection settings.

1. In the Man-In-The-Middle section, click [+New] to add a Site URL.
2. Enter the SSL (HTTPS) URL.
3. Click OK.

To set the device risk level reported for each kind of MITM attack, in the Wi-Fi Network
Protection Settings select a risk level (from High to No Risk) for each of:

- SSL Stripping - the attacker intercepts the HTTP-to-HTTPS redirection and "strips" it, so the
device's traffic stays on plaintext HTTP instead of being upgraded to HTTPS.
- SSL Interception (Basic) - the attacker intercepts HTTPS traffic using an invalid certificate:
one that is not among the device's trusted certificates or is not signed by a root CA the device
trusts.
- SSL Interception (Advanced) - the attacker intercepts HTTPS traffic using a certificate that the
device trusts (signed by a root CA in its trust store) but that does not match the certificate of
the real server.

Enable Geo Location

Geolocation enables collection of the GPS location of a device when a network attack is detected.

To enable the geolocation capability, in the Geolocation Settings section click ON.

This only enables it on the Dashboard side. The user must also allow the SandBlast Mobile Protect
app to use Location on their device for geolocation information to be gathered.

This information is used to provide map detail on the Network tab.

Whitelisting Corporate Certificates

When checking for SSL interception attacks (SSL bumping), the Solution checks whether the
destination site's SSL certificate is the one expected. If it is not, the Solution alerts that
there may be an attack, even if the received certificate chains to a root CA in the device's
trust store.

However, many organizations inspect employee traffic, and to the Solution this looks exactly like
an advanced SSL interception attack, because:

1. The organization requires its own certificate to be installed on the device as a root CA, and
2. An organizational proxy intercepts the SSL traffic and re-signs it with that certificate.

To avoid alerting on the organization's own certificate, the organization can whitelist its own
certificates on this screen. The Solution will then not report an "attack" involving these
certificates. Whitelist only the certificates of your own inspection proxy, since interception
that presents a whitelisted certificate is no longer reported.

To add a certificate to the whitelist:

1. In the SSL Certificates Whitelist section, browse for the certificate.
2. Click OK.
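The three SSL attack types in the Wi-Fi Network Protection settings, the Captive Portal Redirection event the Network tab reports, and the corporate-certificate whitelist above all reduce to one decision: is the certificate (or the HTTP response) seen at a Man-in-the-Middle detection URL the one that was expected, and if not, who signed it? The following Python code is an added example and not the SandBlast Mobile Protect app's implementation; it shows that decision logic with constructed certificates, CA names, URLs and per-attack risk levels.

```python
"""Classify the Wi-Fi attacks the Wi-Fi Network Protection settings and the
Network tab describe, including the corporate-certificate whitelist case.

Added example, not SandBlast Mobile code: it shows the decision logic an
on-device MITM check needs, given (a) the certificate received when probing
a Man-in-the-Middle detection URL and (b) the response to a plain-HTTP probe.
Hostnames, certificate bytes, fingerprints, CA names and risk levels are
constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlparse


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class TlsProbe:
    url: str                         # HTTPS detection URL that was requested
    leaf_der: bytes                  # leaf certificate actually presented
    chain_root: str                  # subject of the root CA at the top of the chain
    device_trusted_roots: Set[str]   # root CAs in the device trust store


@dataclass
class HttpProbe:
    url: str                         # plain-HTTP detection URL that was requested
    status: int
    location: Optional[str]          # Location header, if any


def classify_tls(probe: TlsProbe, expected_leaf_fp: str,
                 whitelisted_roots: Set[str]) -> Optional[str]:
    """Compare the presented certificate with the one expected for the URL.

    - leaf matches the expected fingerprint                  -> no event
    - mismatch and the chain root is not device-trusted      -> SSL Interception (Basic)
    - mismatch, root trusted, root in the corporate whitelist -> no event
    - mismatch, root trusted, not whitelisted                 -> SSL Interception (Advanced)
    """
    if fingerprint(probe.leaf_der) == expected_leaf_fp:
        return None
    if probe.chain_root not in probe.device_trusted_roots:
        return "SSL Interception (Basic)"
    if probe.chain_root in whitelisted_roots:
        return None                       # organization's own inspection proxy
    return "SSL Interception (Advanced)"


def classify_http(probe: HttpProbe) -> Optional[str]:
    """The detection URL is known to answer plain HTTP with a redirect to HTTPS
    on the same host. Anything else means someone is in the path."""
    expected_host = urlparse(probe.url).hostname
    if 300 <= probe.status < 400 and probe.location:
        target = urlparse(probe.location)
        if target.hostname != expected_host:
            return "Captive Portal Redirection"   # sent to a portal/login page
        if target.scheme == "https":
            return None                           # the upgrade happened
        return "SSL Stripping"                    # redirected, but kept on HTTP
    if probe.status == 200:
        return "SSL Stripping"                    # served in clear, no upgrade
    return None                                   # inconclusive (timeout, 5xx, ...)


# Constructed data. Risk levels mirror the per-attack settings on the WiFi Network tab.
RISK_LEVEL = {
    "SSL Stripping": "High",
    "SSL Interception (Basic)": "High",
    "SSL Interception (Advanced)": "Medium",
    "Captive Portal Redirection": "Low",
}
DETECTION_URL = "https://mitm-check.example.com/"
REAL_LEAF = b"constructed DER of the genuine mitm-check leaf certificate"
EXPECTED_FP = fingerprint(REAL_LEAF)
DEVICE_ROOTS = {"Public Root CA", "Corp Inspection CA"}   # corporate CA pushed by the UEM


def risk_for(event: Optional[str]) -> str:
    """Risk level the policy assigns to an event (No Risk when nothing was detected)."""
    return RISK_LEVEL.get(event, "No Risk")


if __name__ == "__main__":
    corp = TlsProbe(DETECTION_URL, b"proxy-reissued leaf", "Corp Inspection CA", DEVICE_ROOTS)
    print(classify_tls(corp, EXPECTED_FP, set()))                    # SSL Interception (Advanced)
    print(classify_tls(corp, EXPECTED_FP, {"Corp Inspection CA"}))   # None: whitelisted
    print(classify_http(HttpProbe("http://mitm-check.example.com/", 200, None)))  # SSL Stripping
```

The whitelist branch is the one to be careful with: once a root is whitelisted, any certificate it signs passes the check, which is why the whitelist should hold only your own inspection CA.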

Forensics
On the Forensics tab you can view all the security forensic data collected across the Enterprise.

Events and Alerts
The Events & Alerts tab shows an audit trail of incidents and actions that occurred on the devices,
for example, application installation, profiles detected on devices, and so on.

Information about the Events & Alerts:

- Time - the time when the event occurred.

- Severity level:
  - Critical - indicates a malicious threat (such as a malware application) that has an immediate
  impact on the device and on sensitive corporate data and requires immediate action. This threat
  triggers an alert to the user on the device to remediate the threat (remove the malware,
  disconnect from the infected Wi-Fi network, etc.) and sends an email/SMS alert to the
  administrators (if defined in the dashboard settings).
  - Warning - indicates a potential threat by a legitimate application, configuration or company
  policy violation. For example, backup tools might be legitimate for personal use but put the
  organization at risk if they extract information to unknown destinations. Enabling USB Debugging
  on Android might also be legitimate for developers but is a potential risk for regular users.
  - Information - indicates that no further action is required. Appears most often when an
  application is removed.

- Attack vector - the nature of the Event/Alert: Application, Cellular network, Device, Network
Security, OS Exploits, Text message, WiFi network, iOS profiles.

- Threat factor - the threat factor for the event that occurred. Explains the reason for the
severity level.

- Event - the user action or the action taken by the solution: Noncompliant, Compliant, Policy
changed, Active, Inactive, Disconnected, Detected, Ended, Installed, Removed, Blocked, Prevented,
Enabled, Disabled.

- Event Details - additional details about the event, such as the name of the application
installed or removed, the Wi-Fi SSID, or other identifying information. Event Details can link to
an iOS Profile detail, Network detail, or App Analysis detail.

- Device ID - the device ID within the SandBlast Mobile Dashboard.

- User email - the device user's email address, set manually by the Admin or automatically by the
UEM when the devices are provisioned.

- OS - the operating system, determined from the information received from the device when the
application is installed (iOS/Android/Android Enterprise).

You can filter events by the Group to which they belong.

You can filter every column in the table:

1. Click Filter above the table.
2. On the Filters pane on the right side of the window, adjust the information you want to view.

You can also export the information from the table to a CSV (comma-separated values) file, which
can be opened in spreadsheet applications such as Microsoft Excel. Use the filter to select the
information to include in the file.

You can set the number of rows listed on the screen, and scroll to view previous items.

Device Risk
The Device Risk tab shows all the necessary risk information per device in the system, and the
number of devices at each risk level.

The left pane of the screen shows the list of devices with their risk levels, and the number of
devices. In the pull-down list, you can sort the devices by ID, Name, Device Type, Risk, or
Mitigation, in ascending or descending order.

On the right pane, you can use a filter to select the information presented in the table.
Filtering options include:

- Risk Level
- Device Type
- Device Name
- Device ID
- Device Status
- Threat Factor

Information about Devices at Risk (left pane):

- Device Name (Device Owner) - the device name given by the administrator together with the
registration link (or by your UEM deployment).
- Connected - the last time the device connected to the Dashboard.
- Risk / Device Type - the device's risk level and its device type (represented by the Apple or
Android symbol).
- Filter - pull-down list: ID, Name, Device type, Risk, Mitigation.
- Mitigation - the method used to reduce the level of threats and protect this device.
- Groups - groups are used to distinguish between device groups inside the organization. In future diff
applied on different groups. Groups are imported from the UEM during integration.
The central part of the screen shows the list of the applications and the threats on the selected
device, with links to more information. You can also view the removed threats and the forensic
investigation.

- Device Name (Device Owner) - the device name given by the administrator when sending the
registration link (or by your UEM, if used for deployment).
- Connected - the last time the device communicated with the Dashboard.
- Risk - the device risk, determined both by the accumulated risk levels of the threats found on
it and by settings present on the device (debugging tools, jailbreak, developer tools, and so
on). Risk levels:
  - High - the device is in a malicious state and immediate action is needed.
  - Medium - a potential threat by a legitimate application or a configuration that contradicts
  the company policy.
  - Low - the device might present potentially risky behavior caused by a legitimate application
  or configuration, for example a legitimate application that uses an unusual ad network or that
  has access to the device contacts with no reasonable explanation, but no potential risk is
  applied.
  - None - the device has zero risk.
- Mitigation - the method used to reduce the level of threats and protect this device.
- Groups - the name of the group the device belongs to.
- Email - the email address used during registration.
- Phone - the phone number entered during registration.
- OS and OS Version - the OS (device type) is determined from the information received from the
device upon application installation (iOS/Android/Android Enterprise).
- Agent Version - the version of the SandBlast Mobile Protect app running on this device.
- Device - the device hardware type, determined from the information received from the device
upon application installation.
- ID - a unique device ID generated for each device upon installation of the SandBlast Mobile
Protect app.

You can change the Show pull-down menu to All, Installed & Received, or Removed for forensic
accounting.

You can filter the devices by the active threat factors, for example, devices with installed
malware, or devices with VPN protection disabled.

Use the Severity pull-down menu to select the information presented in the table: All, High, High
& Medium, Low, or None. You can view the Severity, Time, Status, User Action, Policy, and Event of
each application on this device.

Click an application name to view the detailed App Analysis of the selected application.

For more information about the apps see "App Analysis" on page 59.

Device Risk – Export CSV

With this option, the administrator can export a CSV file of all mobile devices that match the
filter criteria of the Device Risk tab. The administrator can search according to multiple
criteria and then export the list of matching devices with their associated details, such as user
name, email address, phone number and more. The administrator can then use those details to
contact end users and instruct them how to remove the risk from their mobile devices, or take
other related actions.

Network
The Network tab shows every network event reported. It provides a more granular view of network
events in the context of the network in which they occurred. These network events are reported:

- SSL Stripping - a third party intercepted the traffic and downgraded it from HTTPS to HTTP.
- SSL Interception (Basic) - a third party intercepted the traffic and posed as the original
requester to the target server while controlling the responses back to the requester.
- SSL Interception (Advanced) - similar to basic SSL Interception, but here the perpetrator's
responses were encrypted with an SSL certificate issued by a certificate authority that is listed
as trusted on the victim's device. This can be achieved either by deceiving a certificate
authority into issuing an SSL certificate to the perpetrator or by injecting the perpetrator's
certificate into the victim device's trusted list. This attack requires advanced skills and a
higher level of sophistication.
- Captive Portal Redirection - the traffic from the device is redirected to the network portal
for registration to the network. This is common with public networks, especially free networks
such as those in airports, hotels, and cafes.

Information about reported events in the Network tab:

Network Details

- Network Name (SSID) - the name assigned in the access point as the wireless network name.
- Occurrences - the number of times a network event was reported for a device in this
organization's wireless network.
- BSSID - the MAC address of the access point. It is used to identify the network even if the
Network Name was changed.
- Previous Network Names (SSIDs) - if the network name was changed, the previous names are listed
in this field.
- Attack location - to receive a location, the user is required to enable location collection in
the Dashboard Settings and to grant location collection permissions on their device. If the device
has geolocation enabled for the SandBlast Mobile Protect app, the location of the device is
recorded when the device is connected to this network.
- Event Summary - the types of events identified with this BSSID, such as SSL Stripping, SSL
Interception, Captive Portal, etc.

Network Event Details - for each network event reported on this wireless network these details are
provided:

- Event Time - as recorded on the device.
- Device Attack Time - when the event was reported to the Dashboard.
- Event - SSL Stripping, SSL Interception, or Captive Portal Redirection.
- Risk Level - the risk level determined for the event: High, Medium, Low, No Risk.
- Device ID - the ID in the Dashboard of the device that reported the attack. If the attack still
exists in the Dashboard and has a risk associated with it, the Device ID links to the device risk
details of that device.
- Certificate - the SSL certificate of the designated page. Not applicable to SSL Stripping
attacks. The value shown is the root authority at the root of the certificate chain; clicking the
value pops up the entire certificate chain.
- ARP Poisoning - indicates whether the attack used ARP poisoning.

Note - The networks in the list are identified by their BSSID, which is the unique network
identifier. However, for display purposes the pronounced identifier is the network name (SSID). As
a result, several networks with the same SSID can appear in the list next to each other. In such a
case, make sure to refer to the network with the desired BSSID.

Click the Filter button to filter the list of networks based on Network Name (SSID), BSSID,
Device ID (affected device), and Network Status.

iOS Profiles
iOS Profiles are unique to Apple iOS devices. To assist mobile device admins, Apple developed a
mechanism called Profiles, which includes Network Configuration Profiles, Provisioning Profiles,
and Certificates. Network profiles are also used by legitimate VPN applications. The shortcoming
of iOS Profiles is that they open a security hole: an attacker can create and install a malicious
network configuration profile, which lets them act as a "Man In The Middle" and collect all the
information flowing from the device.

Information about iOS Profiles:

The iOS Profiles window shows the Network Configuration Profiles. It gives the administrator a
clear view of the profiles installed on the devices in the organization.

- Type - the type of profile: Wi-Fi configuration, VPN, etc.
- Name - the profile name as it appears on the iOS device.
- Profile Details - the information (properties) of the profile, including remote address, IP and
servers.
- Install Base - the number of devices on which this specific profile is currently installed.
- Policy - a drop-down menu that lets the administrator set the alert level of a specific profile
in the dashboard.

The iOS Profiles tab also shows the Provisioning Profiles installed on the organization's iOS
devices.

On the right side of the window, you can use a filter to select the information presented in the
table. Filtering options include Device ID, Device Type, Device Name, Install Base, and Policy.
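The dashboard classifies installed profiles for you, but it helps to know which payloads inside a configuration profile are the ones that put it on the path between the device and the network. The following Python script is an added example, not part of SandBlast Mobile; it parses an unsigned .mobileconfig (an XML property list) with the standard library and reports the VPN, global-proxy, Wi-Fi-proxy and root-certificate payloads it finds. The sample profile is constructed; the PayloadType identifiers and Wi-Fi proxy keys are Apple's documented ones. Signed profiles are CMS-wrapped and would need to be unwrapped first, which this example does not do.

```python
"""Inspect an iOS configuration profile (.mobileconfig) for the payloads that
let a profile act as a man-in-the-middle.

Added example, not SandBlast Mobile code: the dashboard's iOS Profiles view
already classifies installed profiles; this shows what an administrator can
look for when examining a profile file directly. The profile below is
constructed (unsigned XML plist); PayloadType identifiers are Apple's
documented ones.
"""
import plistlib
from typing import Dict, List

# Payload types that can redirect or decrypt device traffic.
MITM_PAYLOADS: Dict[str, str] = {
    "com.apple.vpn.managed": "VPN: routes traffic through a server the profile chooses",
    "com.apple.proxy.http.global": "Global HTTP proxy: all HTTP(S) traffic goes via the proxy",
    "com.apple.security.root": "Root certificate: makes a profile-supplied CA trusted",
    "com.apple.wifi.managed": "Wi-Fi: may carry its own proxy settings",
}


def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig. Signed profiles are CMS-wrapped; this example
    handles the unsigned XML form only."""
    return plistlib.loads(data)


def risky_payloads(profile: dict) -> List[str]:
    """Return one finding per payload that can put the profile on the path
    between the device and the network."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in MITM_PAYLOADS:
            findings.append(f"{ptype}: {MITM_PAYLOADS[ptype]}")
        # A Wi-Fi payload with a manual proxy is a redirection even without a VPN.
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType") == "Manual":
            findings.append(
                f"Wi-Fi proxy {payload.get('ProxyServer')}:{payload.get('ProxyServerPort')}")
    return findings


# Constructed profile: a "free Wi-Fi" profile that also installs a VPN and a root CA.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>Free Airport WiFi</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>Airport-Free</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>10.9.8.7</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Airport VPN</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>MIIBIjANBgkq</data>
    </dict>
  </array>
</dict></plist>
"""

if __name__ == "__main__":
    for finding in risky_payloads(load_profile(SAMPLE_PROFILE)):
        print(finding)
```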
App Analysis
The App Analysis window is the main screen for analyzing the applications installed on the
corporate devices. The applications are categorized to help administrators understand the risk
level. Click a category to see the corresponding risk level.

Click an app name to reveal the app details and the reasons for the assigned risk level. Click
Show Details to see a free-text description of the application.

The left pane shows the list of all the apps installed in the system. You can arrange the list by
Last Updated, App Name, Install Base, or Group by Name.

Each app has an assigned colored vertical line that represents the Risk Level of the app:

- High - Red
- Medium - Yellow
- Low - Orange
- None - Green

Click the application to view its details.

- App Name - the application name; click it to drill down into the App Analysis detail.

- Severity Level:
  - Malicious - a malicious application (such as malware) that has an immediate impact on the
  device and on sensitive corporate data and requires immediate action. This triggers an alert to
  the user on the device to remediate the threat (remove the malware, disconnect from the infected
  Wi-Fi network, and so on) and sends an email/SMS alert to the administrators (if defined in the
  dashboard settings).
  - Warning - a potential threat by a legitimate application, configuration or company policy
  violation. For example, backup tools might be legitimate for personal use but put the
  organization at risk by extracting information to unknown destinations. Enabling USB Debugging
  on Android might also be legitimate for developers but is a potential risk for regular users.
  - Info - a legitimate application whose behavior might put the organization's data at risk, for
  example a legitimate game that uses an unusual ad network, or an application that has access to
  the device contacts with no reasonable explanation, but no potential risk is applied.
  - Sensitive device data - an application that can cause harm to your device.
  - None - no further action is needed.

  An app's severity level is determined from parameters such as popularity, declared versus
  actual capabilities, developer reputation, and more. Each app is examined by multiple scan
  engines and techniques, such as sandbox, static and dynamic analysis engines, which determine
  its severity level.

- Time - the timestamp of the last threat reported by this device.
- Status - the status of the app (Installed/Removed).
- User action - whether the user took action to mitigate the threat.
- Policy - the corporate policy set for this app: Black Listed, White Listed, User Approval, or
Default.
- Event - event details, such as Suspicious Package Detected or Suspicious Package Removed.

Filtering

On the right side of the window, you can use a filter to select information that is presented in the table. Filtering options include:

 Platform (iOS, Android, and All)
 Install base (Installed, Not Installed, and All)
 Risk level (High, High & Medium, Medium, Low, No Risk, and All)
 Application policy (Default, Black Listed, White Listed, User Approval, and All)
 App Name
 SHA256 fingerprint
 Version
 Package Name

You can also enable Advanced Filtering by clicking the "Show advanced" link in the top right corner.

Advanced Filtering

Select Advanced option(s) to view application with a selected Severity Level: Malicious, Warning,
Information, Sensitive Device Data, None.

Application Risk Levels list:

 Malicious – Indicates a malicious application (such as a malware application) that has
immediate impact on the device and sensitive corporate data, it requires immediate action.
This will trigger an alert to the user on the device to remediate the threat (remove the
malware, disconnect from the infected Wi-Fi network, and so on) as well as send an email/SMS
alert to the administrators (if defined in the dashboard settings).
 Warning – Indicates a potential threat by a legitimate application, configuration or company
policy violation. For example, backup tools (Application) might be legitimate for personal use
but will risk the organization by extracting information to unknown destinations. Enable USB
Debugging on Android might also be legitimate for developers but is a potential risk for regular
users.
 Info – Indicates a legitimate application whose behavior might put the organization data at
risk. This might be caused by a legitimate game which uses an unusual ad network or an
application which has access to the device contacts with no reasonable explanation, but no
potential risk is applied.
 Sensitive device data - Indicates an application that can cause harm to your device.
 None – Indicates that no further action is needed.

App Analysis Overview

Click Show / Hide the details for the available description. The description can include a brief
summary of the app, the reasons for its assigned risk level, the platform it affects, the install base,
and the assigned App policy.

Example:

You can export the App Analysis details to your server in two ways:

 To PDF File: click the button.

 To .CSV File: click the Export button.

Risk

The Risk level of the analyzed application is indicated as one of the first entries in the App Analysis
Detail.

There are four risk levels:

 High – Indicates that the app is malicious or contradicts company policy.
 Medium – Indicates a potential threat by a legitimate application or configuration which
contradicts the company policy.
 Low – Indicates the app might perform potentially risky behavior. This might be caused by a
legitimate app which uses an unusual ad network or an app which has access to the device
contacts with no reasonable explanation, but no potential risk is applied.
 No Risk – Indicates an app is legitimate or complies with company policy.

Install Base

The install base tells the administrators the current count of this particular version of the app that is
currently installed within their environment.

At the bottom of the page you can see where this app is installed in the environment. See
Installations for a list of devices on which the app is installed.

Granular Policies

To edit the risk handling for this app, select Edit for the Granular Policy you want to edit.

The app risks on the Application Policy pop-up menu:

 Default – Risk level as determined by the Behavioral Risk Engine.
 White Listed – Apps which are marked as white listed switch their behavior from whatever it was to "No Risk" and are listed under the white list tab in App Analysis. Such an app no longer triggers a mitigation or a pop-up event on the device. The common reason for white listing an app is that the app is known to the organization and the administrator would like to clear its presence from the dashboard alerts.
 Black Listed – Apps which are marked as black listed switch their behavior from whatever it was to "High Risk" and are listed under the black list tab in App Analysis. A black listed app triggers an on-device mitigation and pop-up. A common reason for black listing an app is that the Behavioral Risk Engine analysis determined it to be Low risk, but the administrator considers it banned by the organization, such as rogue backup apps, rooting tools, etc.
 User Approval – Upon installation of the app, the user will be prompted about the risk and
will be able to either white list or blacklist the app specifically for their device. The user decision
will not affect other users installing the same app. These other users installing the app will be
asked to decide for their own device.

Package Information

Package Information listed in this area includes detailed information about these:

 Package Info
 Binary Meta-Data
 Market Data
 Developer Certificate Data

Example:

Capabilities Summary

This panel provides an overview of what this application can do.

Example:

Capabilities Details

This panel provides additional details about the capabilities of this application.

Example:

Exploits

The Exploits panel is displayed only if the app uses an exploit against the device OS, that is, only for
malicious apps that exploit an OS vulnerability. It displays detailed information about the exploit and
shows the risk level on a 1 to 10 scale.

Example:

Cloud Hosting Services

This section displays a listing of any cloud services this app uses.

Example:

Behaviors

This section displays a collection of characteristics of the app called identifiers. Identifiers are used to
declare the current risk level of the app.

Example:

File System Access

This section displays all of the access permissions this app has to the device file system.

Example:

Network

In case the app is designed to use the network for specific reason such as send information to a
specific URL, this address will be shown in this section.

Example:

Installations

The Installation panel displays information on the app install base (organization wide) as a list of
devices where the app is currently installed.

Note - This list only appears for High, Medium, or Low risk rated apps. This panel is not displayed when
BYOD Privacy Mode is enabled. For more information see BYOD Privacy Mode.

Example:

Application Permissions

The Application permissions panel displays the app permissions and the risk level it implies.

Example:

MARS – Mobile Application Reputation Service

From the App Analysis tab, the administrator can click the 'Upload' icon to use MARS.

Mobile App Reputation Service (MARS) is an application vetting service which allows SandBlast Mobile administrators to upload an APK (Android App format) file into the SBM Dashboard and receive a full app analysis report in their email box after a few minutes. Future releases of MARS will add support for IPA (iOS App format).

 To learn about an application, the administrator uploads the APK file into the SandBlast Mobile Dashboard (under the App Analysis tab).
 Once uploaded, the App is analyzed in the background by the SandBlast Mobile MARS service, which generates a full analysis report that includes the App's behaviors, capabilities, permissions, risks, connections, cloud hosting services, and more.
 If the App is analyzed for the first time, it may take a few minutes for SandBlast Mobile to analyze the App; when done, the administrator receives an email with a link to the full App analysis report.
 If the App was already analyzed by SandBlast Mobile, the administrator can immediately download the full App analysis.
 After reading the App analysis report, administrators can make educated decisions based on the full App analysis before they distribute an App to their organization's Mobile devices.
 The App analysis report consists of the same data as described in 'App Analysis Overview' (p.62).

Settings
On the Settings tab you can view and manage the dashboard settings, and customize the detailed view
of the private information for users, applications and devices.

Example:

Audit Trail
The audit log screen shows the logs for the system. You can search the audit logs by Time, Severity,
Admin User, Module, Category, Event, and Event data.

Example:

Select one or more drop-down search options to produce a report of specific log entries.

 You can filter every column in the table:

1. Click Filter above the table.
2. On the Filters pane on the right side of the window, adjust the information you want to view.

 You can also export the information from the table to a CSV file, which creates a comma separated values file that can be opened in spreadsheet applications such as Microsoft Excel. Use the filter to select the required information for the file.
 You can set the number of rows to list on the screen, and scroll to view previous items.

Customization

Email Customization

Navigate to Settings > Customization > Email Customization to change the form of the
registration email sent from the Infinity Portal to the user when they register their mobile device. This
lets organizations customize their unique corporate message for device registration.

Example:

Logo Customization

Go to Settings > Customization > Logo Customization to change the logo that appears in the
upper right-hand corner of the Dashboard’s Menu bar. You can also change the logo that appears in
the upper left-hand corner of the SandBlast Mobile Protect app on user devices.

Example:

Language

Navigate to Settings > Customization > Language to change the default language of the
Dashboard from English to another language.

Example:

Privacy Settings
On Privacy Settings tab the administrator can enable BYOD Privacy Mode.

BYOD Privacy Mode

When BYOD Privacy Mode is enabled, administrators can only see that a malicious threat exists, but
they cannot see the user affected by it. This ensures the highest user privacy when needed.

Events & Alerts Tab

BYOD Privacy Mode Disabled

When BYOD Privacy Mode is disabled, the Events & Alerts tab shows the Device Owner and Device
Number fields as configured in the Devices tab.

Example:

BYOD Privacy Mode Enabled

When BYOD Privacy Mode is enabled, the Events & Alerts tab does not show the Device Owner and
Device ID Number field.

Example:

Device Risk Tab

BYOD Privacy Mode Disabled

When BYOD Privacy Mode is disabled, the Device Details show the app(s) that put this device at high
risk.

Example:

BYOD Privacy Mode Enabled

When BYOD Privacy Mode is enabled, the Device Details does not show the app(s) that put this
device at high risk. The administrator will only see that the device is at risk, and its risk level, but not
the reason.

Example:

App Analysis Tab

BYOD Privacy Mode Disabled

When BYOD Privacy Mode is disabled, the drill-down into the App Analysis information about the App
at Risk displays the app Owner Details.

Example:

BYOD Privacy Mode Enabled

When BYOD Privacy Mode is enabled, the drill-down into the App Analysis information about the App
at Risk does not display the app Owner Details.

SMTP Settings
Go to Settings > SMTP Settings to configure the Dashboard to send emails from their local domain
instead of using the SandBlast Mobile email server.

There are two transport settings: SMTP and SMTPS.

To configure SMTP Settings:

1. Click Add.

The SMTP Settings pop-up window appears.

Example:

2. Select SMTP or SMTPS.
3. Enter the required information and click Save.

Note - You must configure the Firewall settings on the Enterprise's firewall to allow SMTP or SMTPS
from SandBlast Mobile to the enterprise's SMTP server. The allowed IP addresses are listed in
SandBlast Mobile Communication Information.

Device Management

On the Device Management tab, in the Device Management Settings page, the administrator can
integrate SandBlast Mobile with an unsupported MDM, or with one of these UEMs:

 VMware Workspace ONE UEM (formerly AirWatch UEM)
 BlackBerry Dynamics (formerly Good Dynamics)
 MobileIron Core
 MobileIron Cloud
 IBM MaaS360
 BlackBerry BES
 BlackBerry UEM
 Microsoft Intune
 Citrix XenMobile

To adjust the default settings implemented for your UEM, see Device Management Advanced Settings.

Example:

Refer to our published UEM integration guides for your selected UEM platform for more information
on setup and usage.

Settings Page

On the Device Management > Settings page you can define the basic settings.

Example:

Device Management Settings

Go to Settings > Device Management Settings > MDM Services and select the service from
the dropdown list.

 None

If no UEM is configured, the Dashboard sends the registration email directly to the user device.

 Unsupported UEM

If you select Unsupported MDM:

Example:

This setting tells SandBlast Mobile not to install the Check Point MDIS profile.

This affects iOS functionality because the app list cannot be retrieved by the SandBlast Mobile
Dashboard, and therefore cannot be inspected for malicious apps. Android devices are not affected.

Notify User when device was added by MDM

Example:

You can define the actions that the SandBlast Mobile system will or will not perform:

Setting – Value – Description

Registration email (iOS) – On/Off – Sending a registration email to iOS devices.
Registration email (Android) – On/Off – Sending a registration email to Android devices.
Registration SMS (iOS) – On/Off – Sending a registration SMS to iOS devices.
Registration SMS (Android) – On/Off – Sending a registration SMS to Android devices.
Daily registration limit – # of devices – The number of devices that can register within a 24 hour period.

Click Save to implement the changes.


Device Management Advanced Settings

1. Go to Settings > Device Management > Advanced to adjust the default settings
implemented for your UEM.
2. Adjust these settings:

Example:

Setting – Description

Device sync interval – Interval to connect with the UEM to sync devices. Values: 10-1440 minutes, in 10 minute intervals.
Device deletion threshold – Percentage of devices allowed for deletion after a UEM device sync. 100% for no threshold.
Deletion delay interval – Delay device deletion after sync: a device is not deleted if it is re-synced from the UEM during the threshold interval. Values: 0-48 hours.
App sync interval – Interval to retrieve the iOS app list from the UEM. Values: 10-1440 minutes, in 10 minute intervals.

3. Click Save to implement the changes.
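The deletion threshold and deletion delay together protect the device inventory from a partial or empty UEM sync. The following is an added example, not Check Point's code, that models the two settings in Python; the reconcile function, its data model and the sample device ids are assumptions, not the Dashboard's implementation.

```python
"""Added example (not Check Point's code): how the Device Management Advanced
Settings interact during a UEM device sync. The function and data model are
assumptions; they illustrate the threshold and delay semantics only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class SyncResult:
    deleted: list = field(default_factory=list)   # removed from the inventory
    deferred: list = field(default_factory=list)  # missing, but delay not elapsed
    blocked: list = field(default_factory=list)   # missing, but threshold exceeded
    kept: list = field(default_factory=list)      # still reported by the UEM


def reconcile(inventory, uem_devices, now, deletion_threshold_pct=100,
              deletion_delay_hours=0):
    """Reconcile the Dashboard's inventory against one UEM sync.

    inventory:   dict device_id -> datetime of the first sync that did not
                 report it (None while the UEM still reports the device).
    uem_devices: set of device ids reported by the UEM in this sync.
    Returns a SyncResult and updates `inventory` in place.
    Ranges follow the guide: threshold 100% = no threshold, delay 0-48 hours.
    """
    if not 0 <= deletion_threshold_pct <= 100:
        raise ValueError("deletion threshold is a percentage")
    if not 0 <= deletion_delay_hours <= 48:
        raise ValueError("deletion delay must be 0-48 hours")
    result = SyncResult()
    delay = timedelta(hours=deletion_delay_hours)

    # Pass 1: a device reported again clears its missing timer; a device that
    # disappeared starts one (the "re-sync during the interval" rule).
    missing = []
    for dev_id in list(inventory):
        if dev_id in uem_devices:
            inventory[dev_id] = None
            result.kept.append(dev_id)
        else:
            if inventory[dev_id] is None:
                inventory[dev_id] = now
            missing.append(dev_id)

    # Deletion threshold: share of the inventory this sync would drop. Guards
    # against a bad UEM response wiping the device list in one pass.
    total = len(inventory)
    if total and deletion_threshold_pct < 100:
        missing_pct = 100 * len(missing) / total
        if missing_pct > deletion_threshold_pct:
            result.blocked = missing
            return result

    # Deletion delay: delete only once the device has been missing long enough.
    for dev_id in missing:
        if now - inventory[dev_id] >= delay:
            del inventory[dev_id]
            result.deleted.append(dev_id)
        else:
            result.deferred.append(dev_id)
    return result


if __name__ == "__main__":
    # Constructed sample: four known devices, the UEM reports only three.
    t0 = datetime(2020, 5, 25, 8, 0)
    inv = {"dev-1": None, "dev-2": None, "dev-3": None, "dev-4": None}
    print(reconcile(inv, {"dev-1", "dev-2", "dev-3"}, t0,
                    deletion_threshold_pct=50, deletion_delay_hours=24))
```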

Syslog Page

On the Syslog tab, the administrator can set the Dashboard to send Syslog events to a Syslog,
RSyslog, or ArcSight server.

Go to Settings > Syslog > Syslog Settings and select an option from the dropdown window.

Example:
The SandBlast Mobile Dashboard must communicate to your Syslog server through your firewall. The
source IP addresses can be found in SandBlast Mobile Communication Information.

Available Syslog services:

 Syslog

Example:

To configure Syslog:

1. Go to Settings > Syslog.


2. From the Syslog Service dropdown list, select Syslog.
3. In the pop-up window, enter these values:

Setting – Description

Host Name – Host name or IP Address of the Syslog server.
Protocol – UDP or TCP.
Port – Port that the Syslog server is listening on.
Syslog level – Severity level of events to send to the server. Acceptable values are:
 Info
 Warn
 Error
 Debug
Facility – Facility is used to specify the type of program that is logging the message. Messages with different facilities may be handled differently. Defaults to "user".

4. Click Verify.
5. Click Save.
 RSyslog

Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for
forwarding log messages in an IP network. It implements the basic syslog protocol, extends it
with content-based filtering, rich filtering capabilities and flexible configuration options, and adds
features such as using TCP for transport and SSL/TLS for encryption.

Example:
To configure RSyslog:

1. Go to Settings > Syslog.


2. From the Syslog Service dropdown list, select RSyslog.
3. In the pop-up window, enter these values:

Setting – Description

Host Name – Host name or IP Address of the RSyslog server.
Protocol – TLS.
Port – Port that the RSyslog server is listening on. Default SSL port: 443.
Syslog level – Severity level of events to send to the server. Acceptable values are:
 Info
 Warn
 Error
 Debug
Facility – Facility is used to specify the type of program that is logging the message. Messages with different facilities may be handled differently. Defaults to "user".
Audit TAG / Event TAG – Because SandBlast Mobile can send 2 formats of logs, Event logs and Audit logs, the receiving RSyslog system publishes 2 parsers for these types. When SandBlast Mobile sends an Event type it adds the Event Tag to the message. When SandBlast Mobile sends an Audit type it adds the Audit Tag to the message.
Chain certificate – The RSyslog server needs to publish unique certificates to establish the secure connection from SandBlast Mobile. The chain certificate is the X.509 certificate used to secure the RSyslog server: the root CA of the RSyslog system to which we are going to send logs.
Certificate – The certificate used for the TLS handshake. It is obtained from the RSyslog system and was generated specifically for the integration with SandBlast Mobile.
Key certificate – The private key used for the TLS handshake. It is obtained from the RSyslog system and was generated specifically for the integration with SandBlast Mobile.

4. Click Verify.
5. Click Save.
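As an added example (not Check Point's code) of what the receiving side does with the facility, severity level and tags described in the Syslog and RSyslog tables above: a small Python routine that decodes the syslog PRI, splits messages into Event and Audit streams by their tag, and applies the configured level. The message layout, the tag values sbm-event/sbm-audit, the sample lines, and treating the level as a minimum-severity threshold are assumptions.

```python
"""Added example (not Check Point's code): receive-side handling of the
Syslog/RSyslog integration. Message layout, tag values and sample lines are
constructed; facility/severity numbering is the standard syslog PRI encoding."""
import re

# Standard syslog PRI = facility * 8 + severity. Facility 1 is "user", the
# guide's default facility value.
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "error",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}

# "Syslog level" values from the Dashboard mapped to a numeric severity.
# Assumption: the setting is a minimum-severity threshold (lower = more severe).
LEVEL_TO_SEVERITY = {"Error": 3, "Warn": 4, "Info": 6, "Debug": 7}

# Constructed RFC 3164 style layout: <PRI>TIMESTAMP HOST TAG: MSG
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")


def parse_line(line):
    """Decode one syslog line into its parts; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # max facility 23 * 8 + severity 7
        return None
    return {
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "severity_num": pri % 8,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def route(lines, event_tag="sbm-event", audit_tag="sbm-audit", level="Warn"):
    """Split messages into event and audit streams by tag, drop lines below the
    configured level, and count unknown-tag and malformed lines separately so
    that a misconfigured tag is visible rather than silently discarded."""
    threshold = LEVEL_TO_SEVERITY[level]
    buckets = {"event": [], "audit": [], "unknown": 0, "dropped": 0, "malformed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            buckets["malformed"] += 1
            continue
        if rec["tag"] == event_tag:
            stream = "event"
        elif rec["tag"] == audit_tag:
            stream = "audit"
        else:
            buckets["unknown"] += 1
            continue
        if rec["severity_num"] > threshold:   # less severe than the threshold
            buckets["dropped"] += 1
            continue
        buckets[stream].append(rec)
    return buckets


# Constructed sample lines, not real Dashboard output.
SAMPLE = [
    "<11>May 25 08:00:01 sbm-dashboard sbm-event: Suspicious Package Detected device=PLACEHOLDER",
    "<14>May 25 08:00:02 sbm-dashboard sbm-audit: admin login user=admin@example.com",
    "<15>May 25 08:00:03 sbm-dashboard sbm-event: heartbeat",
    "<12>May 25 08:00:04 sbm-dashboard other-app: unrelated message",
    "garbage line",
]

if __name__ == "__main__":
    out = route(SAMPLE, level="Warn")
    print(len(out["event"]), "events,", len(out["audit"]), "audit,",
          out["dropped"], "dropped,", out["unknown"], "unknown,",
          out["malformed"], "malformed")
```

With level "Warn" the sample's info-level audit line is dropped; set the level to "Info" (or route audit and event streams with separate levels) if audit records must always be kept.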
 ArcSight

Example:

To configure ArcSight:

1. Go to Settings > Syslog.


2. From the Syslog Service dropdown list, select ArcSight.
3. In the pop-up window, enter these values:

Setting – Description

Host Name – Host name or IP Address of the ArcSight server.
Protocol – UDP or TCP.
Port – Port that the ArcSight server is listening on.

4. Click Verify.
5. Click Save.

Administrators
You can add, remove, or edit Administrators.
Go to Settings > Administrators > List View > administrators (Super User or Admin level).

When you add a new administrator, the Super User or Admin level Administrators can configure an
option for email or SMS notification about alerts / announcements.

To add a new administrator:

1. Enter this information about the new user:

Column – Description

First Name – Enter info
Last Name – Enter info
Email – Enter info
Title – Enter info
Role – Select from the list
Limit to device groups(*) – Add one or more groups
Limit to policy profile(*) – Add one or more groups
Mobile Number – Enter a mobile number
Locale – Select a language
Send SMS on alerts – ON/OFF
Send email on alerts – ON/OFF
Send email on announcements – ON/OFF
Schedule report – ON/OFF
Two factor authentication – ON/OFF

Example:

2. Click [?] next to the Role button and select an administrator role from the list.

Note - (*) When you add a Group Security Manager, you can also add the Groups of Devices and
Policies Profiles options.

Example:
Admin Roles Definition

To select and set the Administrator role permissions across the Dashboard, see this table.

Example:

Password Policy

The administrator can set a password policy for Administrator users. By default, a password policy is
not enabled.

To set a password policy for Administrator users go to Settings > Administrators > Password
Policy.

Name – Description

Force password change – ON/OFF, Default = OFF
Password expiration period (Days) – If the Force password change setting is ON, the number of days before the user is required to change their login password is enforced. Number of Days can be 30, 60, 90, 120, 180, or 360. Default = 90 days.
Force password history policy – ON/OFF, Default = OFF
Number of reused passwords – If the Force password history policy is ON, the number of passwords stored can be set from 2 to 16. These stored passwords cannot be reused. Default = 6.

Example:

SSO Settings

You can enable Administrator accounts to work with your company Identity Provider.

Go to Settings > Administrators > SSO settings and follow the instructions on the screen.

Example:

Information Visible to the Organization's Administrators on the Dashboard

Device not at Risk

When the device is not at risk, you can view the user and device information in these tabs:

 Devices
 Device Risk

In the Devices tab, the user's name, email address, and phone number as entered by the
organization are associated with a particular device ID. The details of the device are limited to device
OS type and version, device type, the version of the SandBlast Mobile Protect app running on the
device, and the last time the device connected with the Gateway.

In this view, the Administrators can view a list of registered devices, but cannot view the list of apps
installed on a particular device.

When the device is viewed from the Device Risk tab, the device detail is similar to that of the
Devices tab.

From the App Analysis tab, the Administrator can view a comprehensive list of all the apps installed
across all the registered devices, but they cannot view on which devices the apps are installed when
the app is not identified as Malicious or Warning severity level.

Device at risk

If a device is at High or Medium risk level, the Administrators can view the same level of device
details as before, but with a list of apps that put the device at risk.

You can view more details about a Malicious or Warning severity level app by drilling down on
the app from the Device Risk view, or by viewing the app from the App Analysis tab. A Malicious or
Warning severity level app includes information about the app, such as fingerprint, store location,
capability, and more, and also includes the list of the affected devices (that is, the devices on
which the app is installed).

Announcements
Go to Settings > Announcements to view all system messages sent from Check Point.

Example:

Appendices

SandBlast Mobile Communication Information
This table describes the networking rules required to configure your security systems in order to
allow the Solution's integration with your on premise systems (UEMs, syslog, and so on).

If you do not know your Dashboard's region, contact mtp-alm@checkpoint.com.

To prevent spam filters from blocking SandBlast Mobile's emails, this IP address must be allowed as a
sender: 167.89.59.134.

Best Practice - The best practice when enabling firewall access for SBM is to use DNS based names.
When that is not an option, use the IP addresses provided for the specified DNS names in the table
below.

Security system configuration rules

Each rule lists: Region, Description, Source, Destination, Destination Port.

Region: EU
Description: Connection to customer's UEM (EU).
Source: 52.30.229.13, 52.31.98.20, 52.51.47.83, 52.51.115.5
Destination: Customer UEM and/or UDM
Destination Port: 443. BES UEM only: 18084 (default). Citrix XenMobile only: 4443 (default).

Region: US
Description: Connection to customer's UEM (US).
Source: 52.0.129.11, 52.6.231.218, 52.71.46.86, 52.202.99.13, 52.203.42.126, 54.84.219.180, 54.84.231.79
Destination: Customer UEM and/or UDM
Destination Port: 443. BES UEM only: 18084 (default). Citrix XenMobile only: 4443 (default).

Region: EU
Description: Connection to Customer's ArcSight/Syslog (EU).
Source: 52.30.229.13, 52.31.98.20, 52.51.47.83, 52.51.115.5
Destination: Customer ArcSight/Syslog
Destination Port: Protocol and port as configured in the Dashboard (Settings->Syslog).

Region: US
Description: Connection to Customer's ArcSight/Syslog (US).
Source: 52.0.129.11, 52.6.231.218, 52.71.46.86, 52.202.99.13, 52.203.42.126, 54.84.219.180, 54.84.231.79
Destination: Customer ArcSight/Syslog
Destination Port: Protocol and port as configured in the Dashboard (Settings->Syslog).

Region: EU
Description: SandBlast Mobile Connector to SandBlast Mobile (EU).
Source: Customer SandBlast Mobile Connector server
Destination: Sandblast Mobile Dashboard FQDN*, 52.17.79.161, 52.30.229.13, 52.31.98.20, 52.51.47.83, 52.51.115.5
Destination Port: 443

Region: US
Description: SandBlast Mobile Connector to SandBlast Mobile (US).
Source: Customer SandBlast Mobile Connector server
Destination: Sandblast Mobile Dashboard FQDN*, 52.0.129.11, 52.6.231.218, 52.71.46.86, 52.87.59.245, 52.202.99.13, 52.203.42.126, 54.84.219.180, 54.84.231.79
Destination Port: 443

Region: ANY
Description: SandBlast Mobile Connector.
Source: Customer SandBlast Mobile Connector server
Destination: 52.87.59.245, us-relay.locsec.net
Destination Port: 443

Region: ANY
Description: SandBlast Mobile Connector to Customer UEM.
Source: Customer SandBlast Mobile Connector server
Destination: Customer UEM
Destination Port: 443. BES UEM only: 18084 (default). Citrix XenMobile only: 4443 (default).

Region: EU
Description: UDM connection to SandBlast Mobile (EU).
Source: Customer Connector server
Destination: Sandblast Mobile Dashboard FQDN*, 52.17.79.161
Destination Port: 443

Region: US
Description: UDM connection to SandBlast Mobile (US).
Source: Customer Connector server
Destination: Sandblast Mobile Dashboard FQDN*, 52.0.129.11, 52.6.231.218, 52.87.59.245, 54.84.219.180, 54.84.231.79
Destination Port: 443

Region: Any
Description: Connection to the customer's SMTP server if configured in the Dashboard (Settings->SMTP settings).
Source: 52.1.198.108, 52.7.158.188, 52.71.46.86, 52.202.99.13, 52.203.42.126
Destination: Customer SMTP server
Destination Port: SMTP port configured in the Dashboard (Settings > SMTP)

Region: Any
Description: Connection to customer's SBM Dashboard.
Source: Customer's internal network
Destination: Any
Destination Port: 443

Region: Any
Description: Connection of devices to SBM from the corporate network.
Source: Customer's internal network
Destination: 52.87.59.245
Destination Port: 443

* Sandblast Mobile Dashboard FQDN – The Fully Qualified Domain Name of your SBM Dashboard,
unique per customer (e.g. example-sbm.mt2.locsec.net).

Policy Profiles Description

Main features

Feature – Description

Anti-Phishing (See Anti-Phishing).
 This category includes URLs that typically arrive in email or messaging apps and are established to steal information from users.
 These sites falsely represent themselves as legitimate websites to obtain users' account credentials or credit card information that can be used for fraudulent or illegal purposes.

Safe Browsing (See Safe Browsing).
 This category includes URLs that may be reached during on-device browsing and are established to steal information from users or install drive-by malware.
 These sites falsely represent themselves as legitimate websites to obtain users' account credentials or credit card information that can be used for fraudulent or illegal purposes.
 These sites falsely represent themselves as legitimate websites to install malicious apps on the user's device to root/jailbreak the device, take command-and-control of the device, and steal on-device information.

Conditional Access (See Conditional Access).
 This category is a list of corporate IP addresses and/or FQDN hostnames that the user's device cannot access while at high risk.

Anti-Bot (See Anti-Bot).
 This category includes URLs, IP addresses, or domain names that use bots (zombies), including command-and-control sites facilitating the theft of on-device personal and corporate information, recording video or audio, and/or installing other malicious code.

URL Filtering (See URL Filtering).
 This category allows the administrator to prohibit devices from accessing particular URLs in a specific subject category, such as gambling, guns, violence, etc.
 This category also allows the administrator to blacklist domains so that they cannot be accessed by the user's device, no matter the subject category or the risk level of the device.
 In addition, this category allows the administrator to whitelist domains that are always accessible to the user's device, no matter the subject category or the risk level of the device.

Parameter Configuration
 This category allows users to configure the basic On-device Network Protection behavior (Disabled, Always on, Turn on when device is at risk).
 This category also includes a Configure pop-up window that allows configuring different parameters of On-device Network Protection (General settings and the suspending policy for On-device Network Protection).
