SandBlast Mobile
Administration Guide
[Classification: Protected]
Table of Contents
Introduction to SandBlast Mobile
Menu Bar
Devices
Policy
  Rulebase
    Anti-Phishing
    Safe Browsing
    Anti-Bot
    Zero-Phishing
    Conditional Access
Forensics
  Network
  Filtering
    Risk
    Behaviors
    Network
    Installations
    Application Permissions
Settings
  Audit Trail
  Customization
    Language
  SMTP Settings
  Administrators
    Password Policy
  Announcements
Appendices
SandBlast Mobile uses a variety of patent-pending algorithms and detection techniques to identify
mobile device risks, and triggers appropriate defense responses that protect business and personal
data.
Solution Architecture
Component: Behavioral Risk Engine
Description: The cloud-based SandBlast Mobile Behavioral Risk Engine uses the data it receives from the App (network, configuration and operating system integrity data, and information about installed apps) to perform in-depth mobile threat analysis. The Engine uses this data to detect and analyze suspicious activity, and produces a risk score based on the threat type and severity. The risk score determines whether an automatic mitigation action is needed to keep the device and its data protected, and which one. No personal information is processed by or stored in the Engine.
Getting Started
This guide describes how to launch Check Point SandBlast Mobile from the Check Point Infinity Portal. It also describes the SandBlast Mobile interface, its main features and menus, and how to start a deployment: activating and protecting a new device, and detecting and mitigating malware (including the investigative flow).
General Workflow
1. Create your security account. Register at the Check Point Infinity Portal, https://portal.checkpoint.com.
Note - Registration creates an account for you on the Infinity Portal but does not automatically log you in to any specific security service. Use the "Try" function to log in to the SandBlast Mobile service.
2. Enable your user account on the Infinity Portal.
3. Navigate the screens and add and activate new users, apps, policies, and devices.
4. Update and manage your Global Settings.
The Check Point Infinity Portal is a web-based interface that hosts the Check Point security SaaS services. For more information, see the Check Point Infinity Portal Admin Guide.
To open your SandBlast Mobile service from the Infinity Portal window:
1. Click the Menu button in the top left corner of the Infinity Portal window.
2. Select the SandBlast Mobile service from the dropdown list.
Menu Bar
The menu bar is permanently located on the left side of the SandBlast Mobile screen. It is shown on all dashboard pages and includes these options:
Menu: Opens the list of all the CloudGuard services available in your system. To work with SandBlast Mobile, click the SandBlast Mobile icon in the list.
Dashboard: Shows statistics and snapshot data based on information supplied by the enrolled devices.
The Global Settings contain the initial default values of the administrators' profile settings; these apply locally and affect the entire system.
Navigating the SandBlast Mobile Services
Dashboard Main Screen
The Dashboard main screen displays both statistics and snapshot data based on information supplied by the enrolled devices. Most of the graphical items on this screen are clickable and open a query-based page filtered to the state you clicked.
On the Dashboard screen you can view statistics for Device Risk, Device Status, Top Threats, and Security Events by type. When you click an event, you are redirected to the window where you manage that event.
Area: Device Risk
Displays the number of devices in the organization that are currently at risk:
Total number of devices at risk
Number of devices at High risk
Number of devices at Medium risk
Number of devices at Low risk
Device risk over time (last 7 days)
Area: Device Status
Displays the number of devices registered in the dashboard:
Total number of devices
Active devices: devices that have installed and activated the App
Provisioned & User Notified: devices whose user has been notified where and how to install and activate the App, or that the UEM has added to the system
Disabled: devices that have uninstalled the App, or for which the UEM has reported that the App is no longer installed
Devices registered in the last day
Devices registered in the last week
Percent of devices on the current agent version
Percent of devices on older agent versions
Area: Security Events by Type
Displays the security events by type (color coded) over the last hour, day, or month, together with the total number of applications scanned from the devices attached to the dashboard. You can select whether to show events for the last hour, day, or month.
Devices
In the Devices window, the administrator can view and manage the organization's devices.
The Devices window shows a list of all of the organization's protected devices, with no filters applied. On this screen you can add, remove, and edit devices, import and export their details, and activate them.
Item: Name (Device Owner)
The device name is given by the administrator when the registration link is sent (or by the UEM, if it is used for deployment).
Item: Device Number
The device number is also set by the administrator, or in the UEM, when the app installation link is created. This is usually the phone number of the device. It only helps to identify the device and is not used by the system. This field is optional.
Item: Device Type
The device type (OS) is determined from the information received from the device when the app is installed (iOS/Android/Android Enterprise).
Item: OS Version
The OS version is determined from the information received from the device after the Protect app is installed.
Item: Device Details
Device details are determined from the information received from the device after the Protect app is installed.
Item: Client Version
The client version is the SandBlast Mobile Protect app version currently installed on the device.
Item: Last Seen
The last time the device communicated with the SandBlast Mobile servers.
You can also export the information in the table to a CSV file, a comma-separated values file that can be opened in spreadsheet applications such as Microsoft Excel. Use the filter to select the information to include in the file.
You can set the number of rows to list on the screen, and scroll to view previous items.
For customers who use Android Enterprise devices, refer to the specific MDM integration guide for guidance on how to configure the MDM to sync Android Enterprise devices with SandBlast Mobile.
The invitation is sent to an email address that must be read from the device. The first part of the email can be customized with a customer-specific message from Settings > Email customization.
iOS devices are redirected either to install the app from the Apple App Store or to download the Enterprise-signed app from the dashboard; which one is determined by a dashboard setting configured by Check Point. On iOS, installation and activation are separate steps: after the app is installed (and, for the Enterprise-signed build downloaded from the Dashboard, the Enterprise app has been trusted on the device), you must enter the server details and registration code to activate it. The registration information and instructions are in the registration email.
Android devices are redirected to the Google Play Store to download the latest available SandBlast Mobile Protect app. When the download link in the email is opened from the device, all registration information is entered automatically by the system during installation.
2. Enter the device-friendly Name, Group, Email Address, and phone number for the user in the Add New Device properties.
3. Click Add.
An email is sent from the dashboard with an explanation of the SandBlast Mobile Protect app and a link for downloading it.
When the device is added to the dashboard, an entry with a unique device ID appears under Devices. The device status shows as User Notified until the SandBlast Mobile Protect app is installed and the device has communicated with the dashboard.
When the App is successfully installed and run on the device, the registration screen appears. On Android devices the system enters the registration information automatically; on iOS devices you must enter it manually.
A successful registration triggers a full device scan which, if no malware or malicious configurations are found, results in the App screen appearing fully green.
1. Go to Devices > Groups list > ADD at the bottom of the Groups list.
3. Click ADD.
When SandBlast Mobile is integrated with a device management platform (UEM), devices and device groups are imported from that platform during the integration, and the Add new device and Add groups options are disabled.
Policy
On the Policy tab, you can configure Granular Policies.
With Granular Policies you can configure different policies for different groups of devices, for example, enable more security controls for your VIPs.
See Adding a Device Group to create the groups listed in the rulebase table. You can also apply policies to devices individually, but using groups scales better.
Note - If your SandBlast Mobile Dashboard does not show this tab, refer to Policy Settings.
Rulebase
When you first navigate to the Policy tab, you see a rulebase list with the default Global policy profile
already listed.
As you add new policy profiles, you will add them to the rulebase to apply them to the appropriate
groups of devices.
The rules are processed in order from top to bottom. The first rule that matches a device determines the policy applied to it. For example, if you create two rules and a device matches both, the higher of the two is applied to that device and the remaining rules are ignored for it.
Best Practice - Place the most specific policies higher in the list, with the Global policy at the bottom. To reorder rules, drag and drop a rule by its rule # up or down as appropriate.
2. Enter a Rule Name, select the devices or groups from the drop-down list, select the policy profile from the drop-down list, and enter a comment (if needed).
3. Click the checkmark at the end of the rule to save that rule.
4. Click Save.
5. To move a rule, drag and drop it by its rule # up or down as appropriate.
6. Click Save, or click Discard to undo the changes.
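As an added illustration of the first-match evaluation described above (example code written for this guide, not part of the SandBlast Mobile product or its API), the following Python models a rulebase and the check a practitioner wants to run before saving: whether any rule is shadowed, that is, sits below a broader rule and is never reached by any enrolled device. The Rule and Device types, the "*" catch-all marker for the Global rule, and the sample inventory are assumptions for the example.

```python
from dataclasses import dataclass

ALL_DEVICES = "*"   # assumed marker for a rule that targets every device (the Global rule)


@dataclass(frozen=True)
class Rule:
    name: str
    targets: frozenset   # device IDs and/or group names selected in the rule
    profile: str         # policy profile applied when the rule matches


@dataclass(frozen=True)
class Device:
    device_id: str
    groups: frozenset = frozenset()


def rule_matches(rule: Rule, device: Device) -> bool:
    """A rule matches if it targets all devices, this device ID, or any group the device is in."""
    return (ALL_DEVICES in rule.targets
            or device.device_id in rule.targets
            or bool(device.groups & rule.targets))


def resolve_profile(rulebase: list, device: Device) -> tuple:
    """Walk the rulebase top to bottom; the first matching rule decides the profile."""
    for position, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, device):
            return position, rule.name, rule.profile
    raise LookupError(f"no rule matches {device.device_id}; keep a catch-all Global rule last")


def shadowed_rules(rulebase: list, devices: list) -> list:
    """Rules that never win for any enrolled device: every device they target is already
    captured by a rule above them. Such rules look active but have no effect."""
    winners = {rule.name: 0 for rule in rulebase}
    for device in devices:
        _, name, _ = resolve_profile(rulebase, device)
        winners[name] += 1
    return [rule.name for rule in rulebase
            if winners[rule.name] == 0 and ALL_DEVICES not in rule.targets]


# Constructed sample inventory and rules (not taken from a real dashboard).
DEVICES = [
    Device("dev-001", frozenset({"VIP"})),
    Device("dev-002", frozenset({"Sales"})),
    Device("dev-003"),
]
GLOBAL = Rule("Global", frozenset({ALL_DEVICES}), "Global Policy")
VIP = Rule("VIP devices", frozenset({"VIP"}), "VIP Policy")

WRONG_ORDER = [GLOBAL, VIP]   # catch-all first: the VIP rule can never match
RIGHT_ORDER = [VIP, GLOBAL]   # most specific first, Global at the bottom

if __name__ == "__main__":
    for rulebase in (WRONG_ORDER, RIGHT_ORDER):
        print([r.name for r in rulebase],
              resolve_profile(rulebase, DEVICES[0]),
              "shadowed:", shadowed_rules(rulebase, DEVICES))
```

Run it against the device list exported from the Devices window; any name returned by shadowed_rules is a rule that should be moved above the broader rule or removed.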
Policy Profiles
Every Policy Profile that you create includes a pre-configured set of items to which the profile applies:
The Global Policy profile is the default policy for all devices. You can edit it.
To create a new policy profile:
Now you can edit the policy in the profile editing view, or edit it at any time from the Policy Profiles list.
5. To copy an existing policy, click the desired policy name and click the copy icon.
6. Name the new policy. You can copy the selected policy or choose another policy from the drop-down list, and add comments. Click OK to save.
Now you can edit the policy in the profile editing view, or edit it at any time from the Policy Profiles list.
On the Device tab, you can set the Risk Level and time conditions for the General, Android, and iOS specific policies.
Application Policies
On the Application tab, you can configure the risk level associated with each application classification.
Hover over the [?] on the right to see a pop-up description of the selected classification.
2. Click Save to save the policy changes.
On the On-device Network Protection tab you configure the on-device protections that SandBlast Mobile adds against network attacks: Anti-Phishing, Safe Browsing, Anti-Bot, Conditional Access, and URL Filtering.
You can set On-device Network Protection (ONP) on your devices to one of these states:
Always On
Turn On when Device is at high Risk
Disabled
The state sets the basic behavior of ONP; the advanced settings that refine it are in the Configure pop-up window:
1. From the drop-down list, select Always On (or Turn On when Device is at high Risk).
2. Click Configure.
General Settings
Item: On-Device Network Protection not installed
Sets the risk level assigned to a device on which ONP is not installed:
Global - Medium (Device alert)
High (Device Alert)
Medium (Device Alert)
Medium (No Device Alert)
Medium (Dismissive Device Alert)
Low
No Risk
Item: Event Severity Level
Sets the severity of the events generated by On-device Network Protection:
Global - Critical
Critical
Warning
Information
Suspend Policy
Item: Allow user to suspend On-device Network Protection
On/Off. User suspension is disabled when On-Device Network Protection is set to Turn On when Device is at high Risk.
Item: Automatic suspension exceeded allowed period
Enabled only when Corporate resource is connected via VPN is enabled. Sets the risk level raised when the allowed suspension period is exceeded:
Global - Medium (Device alert)
High (Device Alert)
Medium (Device Alert)
Medium (No Device Alert)
Medium (Dismissive Device Alert)
Low
No Risk
HTTPS Settings
Item: HTTPS Inspection
On/Off. Extends the On-Device Network Protection capabilities to HTTPS communication.
4. Click OK.
5. Configure the On-device Network Protection parameters.
General Settings
On-device Network Protection (ONP) not installed defines the device risk state when ONP is not installed.
Suspend Policy
Automatic suspend exceeded allowed period: the administrator can configure whether a long suspension of ONP by the SBM App itself is treated as a risk, and at what level. By default, the SBM ONP App raises this condition when ONP has been suspended for more than 20 hours within a 24-hour window. When the condition is met, an alert of the configured level is triggered.
The administrator can also configure Automatic Suspend policies that apply when a second VPN is detected on the mobile device, to avoid VPN clashes:
Never: keep ONP enabled and running even if other VPNs are detected.
Any VPN is Connected: automatically suspend ONP whenever an additional VPN is detected. ONP resumes after 2 hours, or earlier if the other VPN disconnects within that time.
Corporate resource is connected: suspend ONP only if another VPN is detected and that VPN provides access to a specific URL representing corporate resources. The administrator enters the corporate URL here. If the configured URL becomes reachable, ONP is suspended, and it resumes once the suspend condition is no longer met.
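The "more than 20 hours within 24 hours" condition above is a sliding-window check, and the edge case worth seeing is that the same total suspension time does or does not trip it depending on how it is packed: three long suspensions inside one day do, three shorter ones spread over more than a day do not. The following Python is an added example written for this guide, not the SBM app's own logic; the (start, end) interval format and the constructed suspension logs are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)     # look-back window from the guide
ALLOWED = timedelta(hours=20)    # suspension beyond this, inside one window, raises the alert


def merge_intervals(intervals):
    """Coalesce overlapping or touching (start, end) suspensions so time is not counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def suspended_within(intervals, window_start, window_end):
    """Total suspended time that falls inside [window_start, window_end]."""
    total = timedelta()
    for start, end in intervals:
        lo, hi = max(start, window_start), min(end, window_end)
        if hi > lo:
            total += hi - lo
    return total


def max_suspended_in_window(intervals, window=WINDOW):
    """Largest suspended total in any window of the given length.
    The maximum of a sliding window over a union of intervals is reached when the window
    starts at an interval start or ends at an interval end, so only those candidates matter."""
    merged = merge_intervals(intervals)
    candidates = [s for s, _ in merged] + [e - window for _, e in merged]
    return max((suspended_within(merged, c, c + window) for c in candidates),
               default=timedelta())


def exceeds_allowed_period(intervals, allowed=ALLOWED, window=WINDOW):
    """True when some 24-hour window holds more than the allowed suspension time."""
    return max_suspended_in_window(intervals, window) > allowed


T0 = datetime(2024, 1, 1, 0, 0)


def h(hours):
    """Constructed timestamp: hours after T0."""
    return T0 + timedelta(hours=hours)


# Constructed suspension logs (not taken from a real device).
HEAVY_USE = [(h(0), h(8)), (h(9), h(17)), (h(18), h(23))]     # 21 h inside one 24 h window
SPREAD_OUT = [(h(0), h(6)), (h(10), h(16)), (h(20), h(26))]   # never more than 16 h in any 24 h window

if __name__ == "__main__":
    for label, log in (("heavy", HEAVY_USE), ("spread", SPREAD_OUT)):
        print(label, max_suspended_in_window(log), exceeds_allowed_period(log))
```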
Content Inspection
Item: Phishing
Settings: ON / OFF. See Anti-Phishing.
Item: Botnets
Settings: ON / OFF. See Anti-Bot.
Item: Zero-Phishing
Settings: ON / OFF. See Zero-Phishing.
Anti-Phishing
SandBlast Mobile On-device Network Protection prevents phishing attacks delivered through any email or messaging app by detecting and blocking malicious URLs when they are clicked, no matter how the URL was delivered.
The Anti-Phishing capability is powered by ThreatCloud™, Check Point's collaborative threat intelligence network and knowledge base, which delivers real-time, dynamic security intelligence.
This category includes URLs that typically arrive in email or messaging apps and are set up to steal information from users. These sites pose as legitimate websites to obtain users' account credentials or credit card information for fraudulent or illegal use.
1. Go to Policy > select Policy Profile > On-device Network Protection > Content Inspection.
2. Under Block connections to phishing & malicious sites, enable Phishing.
Safe Browsing
SandBlast Mobile On-device Network Protection prevents access to malicious websites from any browsing app by blocking the sites based on the dynamic security intelligence provided by ThreatCloud™. It also prevents users from unwittingly visiting malicious websites where their device could be infected with drive-by malware.
This category includes URLs that may be reached during on-device browsing and are set up to steal information from users or to install drive-by malware. These sites pose as legitimate websites either to obtain users' account credentials or credit card information for fraudulent or illegal use, or to install malicious apps that root or jailbreak the device, take command-and-control of it, and steal on-device information.
1. Go to Policy > select Policy Profile > On-device Network Protection > Content Inspection.
2. Under Block connections to phishing & malicious sites, enable Spyware / Malicious Sites.
Anti-Bot
This category includes URLs, IP addresses, and domain names used by bots (zombies), including command-and-control sites that direct the theft of on-device personal and corporate information, the recording of video or audio, and the installation of other malicious code.
1. Go to Policy > select Policy Profile > On-device Network Protection > Content Inspection.
2. Under Block connections to phishing & malicious sites, enable Botnets.
Zero-Phishing
Zero-Phishing is a Check Point technology that identifies previously unknown phishing websites from the characteristics of the site itself. With it, SandBlast Mobile On-device Network Protection blocks a phishing URL on click, regardless of the email or messaging app that delivered it, even when the site has no prior reputation record.
Like Anti-Phishing, this category covers URLs that typically arrive in email or messaging apps and are set up to steal information from users: sites that pose as legitimate websites to obtain account credentials or credit card information for fraudulent or illegal use.
1. Go to Policy > select Policy Profile > On-device Network Protection > Content Inspection.
2. Under Block connections to phishing & malicious sites, enable Zero-Phishing.
Conditional Access
When a compromised device accesses corporate resources, the data is immediately at risk. The Conditional Access feature lets an organization automatically control access to corporate resources by compromised devices: if a device is exposed to an attack, its access to corporate networks and to on-premise and cloud apps is controlled. Enforcement of this policy is independent of Unified Endpoint Management (UEM) solutions.
This category is a list of corporate IP addresses and/or FQDN hostnames that a device at high risk cannot access.
1. Go to Policy > select Policy Profile > On-device Network Protection > Content Inspection > Conditional Access.
2. Click [+] New.
3. In the pop-up window, enter the IP address with bitmask or the FQDN hostname that a high-risk device must not access.
4. Click OK.
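The decision the device has to make for each connection, written out as an added example (not the product's enforcement code): protected resources are either an IP network given as an address with bitmask or an FQDN, whitelisted domains (the help desk case mentioned under URL Filtering) stay reachable at any risk level, and only a HIGH-risk device is blocked. The network and domain values, the risk-level strings and the subdomain-suffix matching for FQDN entries are assumptions for the example; on a real device this is enforced inside On-device Network Protection, not by a script.

```python
import ipaddress


def _norm(host: str) -> str:
    return host.strip().lower().rstrip(".")


def host_matches(host: str, entry: str) -> bool:
    """FQDN match: exact, or host is a subdomain of the entry. Subdomain coverage is an
    assumption of this example; the guide does not state how the product matches hostnames."""
    host, entry = _norm(host), _norm(entry)
    return host == entry or host.endswith("." + entry)


class ConditionalAccess:
    def __init__(self, protected_resources, whitelisted_domains=()):
        self.networks, self.hostnames = [], []
        for entry in protected_resources:
            try:                                   # "IP address with bitmask" -> CIDR network
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:                     # anything else is treated as an FQDN
                self.hostnames.append(entry)
        self.whitelisted = list(whitelisted_domains)

    def decide(self, device_risk: str, destination: str) -> str:
        # Whitelisted domains (e.g. the self-service help desk) are reachable at any risk level.
        if any(host_matches(destination, w) for w in self.whitelisted):
            return "allow"
        # Conditional Access only bites when the device is at HIGH risk.
        if device_risk.upper() != "HIGH":
            return "allow"
        try:
            address = ipaddress.ip_address(destination)
        except ValueError:                         # destination is a hostname, not an IP
            return "block" if any(host_matches(destination, h) for h in self.hostnames) else "allow"
        return "block" if any(address in net for net in self.networks) else "allow"


# Constructed policy: a private range and an intranet FQDN are protected, help desk is whitelisted.
POLICY = ConditionalAccess(
    protected_resources=["10.0.0.0/8", "intranet.example.com"],
    whitelisted_domains=["helpdesk.example.com"],
)

if __name__ == "__main__":
    for risk, dest in (("HIGH", "10.42.7.1"), ("MEDIUM", "10.42.7.1"),
                       ("HIGH", "mail.intranet.example.com"), ("HIGH", "helpdesk.example.com")):
        print(risk, dest, POLICY.decide(risk, dest))
```

Note the last check: a destination such as intranet.example.com.evil.net is not a subdomain of the protected entry and is allowed, which is the correct suffix behaviour; a naive substring match would have blocked it and, worse, a naive prefix match would have let a look-alike through.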
URL Filtering
The SandBlast Mobile URL Filtering feature prevents access to websites in categories that are inappropriate under your organization's corporate policies. The administrator can prohibit devices from accessing URLs in a given subject category, such as gambling, guns, or violence.
SandBlast Mobile URL Filtering also allows businesses to blacklist and whitelist individual domains.
URL Filtering enforces policies on mobile devices across all browser apps and across non-browser apps, such as Facebook Messenger, Slack, WhatsApp, and others.
When URL Filtering is coupled with On-device Network Protection > Always ON > Allow user to suspend On-device Network Protection, the user can disable ONP for a fixed period (5 minutes, 30 minutes, or 2 hours) to reach blocked websites or categories. This gives some flexibility in a BYOD environment. However, the user cannot suspend ONP while the device is at HIGH risk, and if the device moves to HIGH risk during the suspension, Conditional Access is still enforced.
1. Go to Policy > select Policy Profile > On-device Network Protection > URL Filter Categories.
2. Click Edit section.
3. In the pop-up window, select the categories to which you want to block access and click > to move them to the block list on the right side. Each category has an explanation at the bottom of the screen.
4. Click OK.
The administrator can block these categories without tracking when such events occur per category; a company may choose not to track them out of user privacy concerns. By default, a blocked URL produces a pop-up notification on the device and a new event card in the Events center of the SandBlast Protect app. If the administrator clears the "Show events in client" option for a category, the end user only sees the URL blocked page in the browser.
To blacklist Domain Names:
1. Go to Policy > select Policy Profile > On-device Network Protection > Content Inspection > Blacklisted Domain Names > New.
2. In the pop-up window, enter a domain (or subdomain) in the Domain field.
3. Click OK.
4. To remove an item from the list, select it and click Delete.
5. To import a list of domains, click Import and upload a .CSV file containing Domains and Comments.
Note: The uploaded list replaces the existing list. This lets administrators import a list of domain names or locations from other systems, such as a firewall or gateway, into the SandBlast Mobile On-device Network Protection (ONP) policy settings. Because the import replaces rather than merges, the uploaded file must also contain every existing entry you want to keep.
The admin can configure the whitelist to ensure that a self-service help desk site is always accessible from user devices, whatever their risk level.
To whitelist Domain Names:
1. Go to Policy > select Policy Profile > On-device Network Protection > Content Inspection > Whitelisted Domain Names > New.
3. Click OK.
4. To remove an item from the list, select it and click Delete.
5. To import a list of domains, click Import and upload a .CSV file containing Domains and Comments.
Note: The uploaded list replaces the existing list. This lets administrators import a list of domain names or locations from other systems, such as a firewall or gateway, into the SandBlast Mobile On-device Network Protection (ONP) policy settings. Because the import replaces rather than merges, the uploaded file must also contain every existing entry you want to keep.
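Because an import replaces the existing list, a practitioner building the upload from a firewall or gateway export normally merges it with the current dashboard export first, validates every entry, and only then uploads. The following Python is an added example written for this guide, not a SandBlast Mobile tool, and serves both the blacklist and the whitelist import above. The column names in the constructed inputs and the Domain,Comment layout of the output file are assumptions; compare the header with a CSV exported from the dashboard before uploading.

```python
import csv
import io
import re

# Hostname syntax check: labels of 1-63 characters, no leading or trailing hyphen,
# at least one dot, total length at most 253. Bare TLDs are rejected on purpose.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def normalize_domain(raw: str) -> str:
    """Lower-case the value, drop a pasted scheme, path or port, and strip a trailing dot."""
    value = raw.strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)
    value = value.split("/", 1)[0].split(":", 1)[0]
    return value.rstrip(".")


def is_valid_domain(domain: str) -> bool:
    return bool(DOMAIN_RE.match(domain))


def merge_domain_lists(sources):
    """sources: iterable of (label, csv_text, domain_column, comment_column).
    Returns ({domain: comment}, [(label, rejected_raw_value), ...]).
    The first source wins on duplicates, so pass the current dashboard export first."""
    merged, rejected = {}, []
    for label, text, domain_col, comment_col in sources:
        for row in csv.DictReader(io.StringIO(text)):
            domain = normalize_domain(row.get(domain_col) or "")
            if not is_valid_domain(domain):
                rejected.append((label, row.get(domain_col) or ""))
                continue
            comment = (row.get(comment_col) or "").strip() or f"imported from {label}"
            merged.setdefault(domain, comment)
    return merged, rejected


def to_import_csv(merged) -> str:
    """Assumed upload layout: two columns, Domain and Comment (the guide names the fields
    but not the exact header text)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Domain", "Comment"])
    for domain in sorted(merged):
        writer.writerow([domain, merged[domain]])
    return out.getvalue()


# Constructed inputs: a current dashboard export and a gateway block-list export.
CURRENT_EXPORT = "Domain,Comment\nbad.example.com,Blocked after phishing campaign\n"
GATEWAY_EXPORT = (
    "Name,Description\n"
    "evil.example.net,Gateway block list\n"
    "http://bad.example.com/login,duplicate of dashboard entry\n"
    "not a domain,garbage line\n"
)
SOURCES = [("dashboard", CURRENT_EXPORT, "Domain", "Comment"),
           ("gateway", GATEWAY_EXPORT, "Name", "Description")]

if __name__ == "__main__":
    merged, rejected = merge_domain_lists(SOURCES)
    print(to_import_csv(merged))
    print("rejected:", rejected)
```

Review the rejected list before uploading; a rejected line is usually a URL with a path or an IP address, which belongs in Conditional Access or Download Prevention rather than in the domain list.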
Download Prevention
This category lets the administrator blacklist the locations from which downloads reach user devices.
To blacklist Locations:
1. Go to Policy > select Policy Profile > On-device Network Protection > Download Prevention > Blacklisted Locations > New.
3. Click OK.
4. To remove an item from the list, select it and click Delete.
WiFi Network
You can set the URLs used for MITM detection and select the risk level for each Wi-Fi Network Protection setting.
2. Enter the SSL URL.
3. Click OK.
To set the device protection for the various MITM attacks, in the Wi-Fi Network Protection Settings select a device risk level (from High to No Risk) for each of these:
SSL Stripping - a MITM attacker intercepts the redirection from HTTP to HTTPS and strips the upgrade, so the traffic stays on plain HTTP.
SSL Interception (Basic) - a MITM attacker intercepts HTTPS traffic with a certificate the device does not trust: it is not among the device's trusted certificates and does not chain to a trusted root CA.
SSL Interception (Advanced) - a MITM attacker intercepts HTTPS traffic with a certificate the device trusts, but which is not the real certificate of the server.
To enable the geolocation capability, in the Geolocation Settings section click ON.
This only enables it on the dashboard side. The user must still allow the SandBlast Mobile Protect app to use Location on their device for geolocation information to be gathered.
When checking for SSL interception attacks (SSL bumping), the Solution checks whether the destination site's SSL certificate is the one expected. If it is not, the Solution alerts that there may be an attack, even if the received certificate chains to a root CA in the device's trust store.
Many organizations inspect employee traffic, and to the Solution this looks exactly like an advanced SSL interception attack, because:
1. The organization requires its own certificate to be installed on the device as a root CA.
2. An organizational proxy performs SSL interception of the traffic.
To avoid alerting on the organization's own certificate, the organization can whitelist its certificates on this screen. The Solution then does not alert on an "attack" involving these certificates.
2. Click OK.
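The outcomes described in this section (no attack, SSL Stripping, basic and advanced SSL Interception) and the effect of whitelisting the organization's CA can be expressed as a small classifier over what the probe observes. The following Python is an added example written for this guide, not the Solution's detection code; the observation fields, the byte strings standing in for DER certificates, and the colon-separated SHA-256 fingerprint format are assumptions. It also makes the trade-off of whitelisting visible: once the corporate CA is whitelisted, any interception signed by that CA is accepted without an alert, so whitelist the exact CA certificate the proxy uses and nothing broader.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the usual colon-separated hex form (assumed display format)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class TlsObservation:
    requested_url: str              # URL the probe asked for
    final_url: str                  # URL actually reached after redirects
    leaf_fingerprint: str           # fingerprint of the certificate the device received
    issuer_fingerprint: str         # fingerprint of the CA that signed it
    issuer_trusted_by_device: bool  # is that CA in the device trust store?


SSL_STRIPPING = "SSL Stripping"
INTERCEPT_BASIC = "SSL Interception (Basic)"
INTERCEPT_ADVANCED = "SSL Interception (Advanced)"
NO_ATTACK = "No attack"
WHITELISTED = "Whitelisted certificate"


def classify(obs: TlsObservation, expected_leaf: str, whitelisted_issuers: set) -> str:
    # Stripping: the HTTPS request was downgraded and ended on plain HTTP.
    if obs.requested_url.startswith("https://") and obs.final_url.startswith("http://"):
        return SSL_STRIPPING
    # The certificate the device received is the one expected for this site.
    if obs.leaf_fingerprint == expected_leaf:
        return NO_ATTACK
    # Wrong certificate, and the device does not even trust its issuer.
    if not obs.issuer_trusted_by_device:
        return INTERCEPT_BASIC
    # Wrong certificate signed by a CA the device trusts: the organization's own proxy
    # if that CA is whitelisted in the dashboard, otherwise an advanced interception.
    if obs.issuer_fingerprint in whitelisted_issuers:
        return WHITELISTED
    return INTERCEPT_ADVANCED


# Constructed certificates: byte strings standing in for DER-encoded certificates.
EXPECTED_LEAF = fingerprint(b"constructed: real site certificate")
CORP_CA = fingerprint(b"constructed: corporate proxy CA")
ROGUE_CA = fingerprint(b"constructed: attacker CA")
FORGED_BY_CORP = fingerprint(b"constructed: proxy-issued leaf")
FORGED_BY_ROGUE = fingerprint(b"constructed: attacker-issued leaf")

SITE = "https://example.com/"
# Constructed probe observations, one per outcome.
OBSERVATIONS = {
    "clean": TlsObservation(SITE, SITE, EXPECTED_LEAF, "unused", True),
    "stripped": TlsObservation(SITE, "http://example.com/", EXPECTED_LEAF, "unused", True),
    "rogue_untrusted": TlsObservation(SITE, SITE, FORGED_BY_ROGUE, ROGUE_CA, False),
    "rogue_trusted": TlsObservation(SITE, SITE, FORGED_BY_ROGUE, ROGUE_CA, True),
    "corp_proxy": TlsObservation(SITE, SITE, FORGED_BY_CORP, CORP_CA, True),
}

if __name__ == "__main__":
    for name, obs in OBSERVATIONS.items():
        print(name, classify(obs, EXPECTED_LEAF, {CORP_CA}))
```

The rogue_trusted case is the one the Solution's "even if the received certificate is in the root CA list" rule exists for: an attacker who got a CA onto the device still produces a certificate that does not match the expected one, and the alert fires unless that specific CA has been whitelisted.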
Forensics
On the Forensics tab you can view all the security forensic data collected across the enterprise.
Events and Alerts
The Events & Alerts tab shows an audit trail of incidents and actions that occurred on the devices, for example, application installations, profiles detected on devices, and so on.
Item Description
Severity Critical – Indicates a malicious threat (such as a malware application) that has
level immediate impact on the device and sensitive corporate data. It requires
immediate action. This threat will trigger an alert to the user on the device to
remediate the threat (remove the malware, disconnect from the infected Wi-Fi
network, etc.). It sends an email/SMS alert to the administrators (if you define in
the dashboard settings).
Warning – Indicates a potential threat by a legitimate application, configuration
or company policy violation. For example, backup tools (Application) might be
legitimate for personal use but will risk the organization if extracts information to
unknown destinations. Enable USB Debugging on Android might also be
legitimate for developers but is a potential risk for regular users.
Information – Indicates that no further action is required. Appears most often
when an Application is removed.
Threat Specifies the threat factor for the event that occurred. Explains the reason for the severity
factor level.
Event Specifies the user or the action Ended
taken by the solution. Installed
Noncompliant Removed
Complaint Blocked
Policy changed Prevented
Active Enabled
Inactive Disabled
Disconnected
Detected
Event Additional details about the Event, such as name of application installed or removed Wi-
Details Fi SSID or Identifying information, and so on. Event Details can link to an iOS Profile
detail, Network detail, or App Analysis detail.
User Device user's email address is manually set by the Admin or automatically by UEM when
email the devices are provisioned.
OS Operating System is determined by the information received from the device when the
application is installed (iOS/Android/Android Enterprise).
You can also export the information from the table to a CSV file (comma-separated values), which
can be opened in spreadsheet applications such as Microsoft Excel. Use the filter to select the
information to include in the file.
You can set the number of rows to list on the screen, and scroll to view previous items:
Device Risk
The Device Risk tab shows all the necessary risk information per device in the system, and the
number of the devices with a specific risk level.
Example:
The left pane of the screen shows the list of devices with their risk levels, and the number of devices.
In the pull-down window, you can sort the devices in the list according to their ID, Name, Device Type,
Risk, and Mitigation, in the Ascending or Descending order.
On the right pane, you can use a filter to select information that is presented in the table.
Filtering options include:
Risk Level
Device Type
Device Name
Device ID
Device Status
Threat Factor
Item – Description
Device Name (Device Owner) – The device name is given by the administrator together with the
  registration link (or by your UEM deployment).
Mitigation – Shows what method is used to reduce the level of threats and protect this device.
Groups – Groups are used to distinguish between device groups inside the organization. In future diff
  applied on different groups. Groups are imported from the UEM during integration.
The central part of the screen shows the list of the applications and the threats on the selected
device with links to more information. You can also view the removed threats and forensic
investigation.
Item – Description
Device Name (Device Owner) – The device name is given by the administrator when sending the
  registration link (or by your UEM, if used for deployment).
Risk – Device risk is determined by both the accumulated risk levels of the threats found on it and
  the settings present on the device (Debugging tools, Jailbreak, Developer Tools, and so on).
  Risk levels:
  High – Indicates the device is in a malicious state and immediate action is needed.
  Medium – Indicates a potential threat by a legitimate application or configuration which
  contradicts the company policy.
  Low – Indicates the device might present potentially risky behavior caused by a legitimate
  application or configuration, for example a legitimate application which uses an unusual ad
  network, or an application which has access to the device contacts with no reasonable
  explanation but no potential risk is applied.
  None – Indicates the device has zero risk.
Mitigation – Shows what method is used to reduce the level of threats and protect this device.
Groups – Shows the name of the group the device belongs to.
OS and OS Version – The OS (device type) is determined from the information received from the
  device upon application installation (iOS/Android/Android Enterprise).
Device – The device hardware type is determined from the information received from the device
  upon application installation.
ID – The Device ID is a unique ID generated for each device upon installation of the
  SandBlast Mobile Protect app.
You can change the Show pull-down menu to All, Installed & Received, or Removed for forensic
accounting.
You can filter the devices by the active threat factors, for example, devices with installed
malware, or devices with VPN protection disabled.
Use the Severity pull-down menu to select the information presented in the table: All, High, High
& Medium, Low, or None. You can view the Severity, Time, Status, User Action, Policy, and Event of
each application on this device.
Example:
Click the Application Name to view the entire App Analysis of the selected application.
Example:
For more information about the Apps, see "App Analysis" on page 59.
Network
The Network tab shows any network event reported. This tab provides a more granular view of
network events in the context of the network in which they occurred. These network events are
reported:
SSL Stripping – A third-party intercepted the traffic and downgraded it from HTTPS to HTTP
SSL Interception (Basic) – A third-party intercepted the traffic and posed as the original
requester to the target server while controlling the responses back to the requester.
SSL Interception (Advanced) – Similar to basic SSL Interception, however, in this case the
perpetrator's responses were encrypted with an SSL certificate issued by a certificate
authority that is listed as trusted on the victim's device. This can be achieved either by deceiving
the certificate authority into issuing an SSL certificate to the perpetrator or by injecting the
perpetrator's certificate into the victim device's trusted list. This attack requires advanced skills
and a higher level of sophistication.
Captive Portal Redirection – The traffic from the device is redirected to the network portal
for registration to the network. This is common with public networks, especially free networks,
such as those in airports, hotels, and cafes.
Example:
Item – Description
Network Details:
Network Name (SSID) – The name assigned in the access point as the wireless network name.
Occurrences – Number of times a network event was reported for a device in this organization's
  wireless network.
BSSID – The MAC address of the access point. It is used to identify the network even if
  the Network Name was changed.
Previous Network Names (SSIDs) – If the network name was changed, the previous names are listed
  in this field.
Attack location – To receive the location, the user is required to enable location collection in the
  Dashboard Settings and to grant location collection permissions on their device. If the device
  has geo-location enabled for the SandBlast Mobile Protect app, the location of the device is
  recorded when the device is connected to this network.
Event Summary – What type of events were identified with this BSSID, such as SSL Stripping, SSL
  Interception, Captive Portal, etc.
Network Event Details – For each network event reported on this wireless network these details are
  provided:
  Event Time – As recorded on the device.
  Device Attack Time – When the event was reported to the Dashboard.
  Event – SSL Stripping, SSL Interception, or Captive Portal Redirection.
  Risk Level – The determined risk level for the event: High, Medium, Low, or No Risk.
  Device ID – The ID in the Dashboard of the device that reported the attack. If the attack
  still exists in the Dashboard and has a risk associated with it, the Device ID links to the
  device risk details of the device.
  Certificate – The SSL certificate of the designated page. Not applicable for SSL Stripping
  attacks. The value is the root authority at the root of the certificate chain. Clicking the
  value pops up the entire certificate chain.
  ARP Poisoning – Indicates whether the attack utilized ARP Poisoning.
Note - The networks in the list are identified by their BSSID, which is the unique network identifier. Ho
purposes, the pronounced identifier is the network name (SSID). As a result, several networks of the s
list next to each other. In such a case, please make sure to refer to the network of the desired BSSID.
Click the Filter button to filter the list of networks based on Network Name (SSID), BSSID,
Device ID (affected device), and Network Status.
iOS Profiles
iOS Profiles are unique to Apple iOS devices. To assist mobile device admins, Apple developed a
tool called Profiles, which includes Network Configuration Profiles, Provisioning Profiles, and
Certificates. Network profiles are also used by legitimate VPN applications. The shortcoming of
iOS Profiles is that they open a security hole: an attacker can create and install a malicious
network configuration profile, which lets the attacker act as a "Man In The Middle" and collect all
the information flowing from the device.
The iOS Profiles window shows the Network Configuration Profiles. It allows the administrator to get a
clear view of the profiles installed on the devices in the organization.
Item – Description
Profile Details – Profile details indicate the information (properties) of the profile, including
  remote address, IP and servers.
Install Base – Number of devices currently installed with this specific profile.
Policy – The Policy drop-down menu allows the Administrator to set the alert level of a specific
  profile in the dashboard.
The iOS Profiles tab also shows the Provisioning Profiles that are installed on the organization’s iOS
devices.
On the right side of the window, you can use a filter to select information that is presented in the
table. Filtering options include Device ID, Device Type, Device Name, Install Base, and Policy.
App Analysis
The App Analysis window is the main screen for analyzing the different applications installed on the
corporate devices. The applications are categorized to help the administrators understand the risk
level. Click on each category to find the corresponding risk level.
Click on an app name to reveal the app details and the reasons for the assigned risk level. Click Show
Details to see a free-text description of the application.
The left pane shows the list of all the apps installed in the system. You can arrange the list by Last
Updated, App Name, Install Base, or Group by Name.
Each app has an assigned colored vertical line that represents the Risk Level of the app:
Risk Level – Line Color
High – Red
Medium – Yellow
Low – Orange
None – Green
Item – Description
Time – Indicates the timestamp of the last threat reported by this device.
Status – The status of the app (Installed/Removed).
Policy – Lists the corporate policy set for this app, such as Black Listed, White Listed, User
  Approval, or Default.
Filtering
On the right side of the window, you can use a filter to select information that is
presented in the table. Filtering options include:
Advanced Filtering
Select Advanced option(s) to view applications with a selected Severity Level: Malicious, Warning,
Information, Sensitive Device Data, or None.
Click Show / Hide the details for the available description. The description can include a brief
summary of the app, the reasons for its assigned risk level, the platform it affects, the install base,
and the assigned App policy.
Example:
You can export the App Analysis details to your server in two ways:
Risk
The Risk level of the analyzed application is indicated as one of the first entries in the App Analysis
Detail.
The install base tells the administrators how many installations of this particular version of the app
currently exist within their environment.
At the bottom of the page you can find information on where this app is installed in the
environment. See Installations for a list of devices on which the app is installed.
Granular Policies
To edit the risk handling for this app, select Edit for the Granular Policy you want to edit.
Package Information
Package Information listed in this area includes detailed information about these:
Package Info
Binary Meta-Data
Market Data
Developer Certificate Data
Example:
Capabilities Summary
Example:
Capabilities Details
This panel provides additional details about the capabilities of this application.
Example:
Exploits
The Exploits panel is displayed only if an app uses an exploit against the device OS. This section
appears only for malicious apps which exploit an OS vulnerability. It displays detailed information
about the exploit and shows the risk level on a 1 to 10 scale.
Example:
This section displays a listing of any cloud services this app uses.
Example:
Behaviors
This section displays a collection of characteristics of the app called identifiers. Identifiers are used to
declare the current risk level of the app.
Example:
File System Access
This section displays all of the access permissions this app has to the device file system.
Example:
Network
If the app is designed to use the network for a specific reason, such as sending information to a
specific URL, this address is shown in this section.
Example:
Installations
The Installations panel displays information on the app install base (organization wide) as a list of
devices where the app is currently installed.
Note - This list only appears for High, Medium, or Low risk rated apps. This panel is not displayed when
BYOD Privacy Mode is enabled. For more information see BYOD Privacy Mode.
Example:
Application Permissions
The Application permissions panel displays the app permissions and the risk level it implies.
Example:
MARS – Mobile Application Reputation Service
From the App Analysis tab, the administrator can click the Upload icon to use MARS.
Mobile App Reputation Service is an application vetting service which allows SandBlast Mobile
administrators to upload an APK (Android app format) file into the SBM Dashboard and receive a full app
analysis report in their mailbox after a few minutes. Future releases of MARS will add support for
IPA (iOS app format).
To learn about an application, the administrator should upload the APK file into the SandBlast Mobile
Dashboard (under the App Analysis tab).
Once uploaded, the App is analyzed in the background by the SandBlast Mobile MARS
service, which generates a full analysis report that includes the App's behaviors,
capabilities, permissions, risks, connections, cloud hosting services, and more.
If the App is analyzed for the first time, it may take a few minutes for SandBlast Mobile to
analyze the App; when done, the administrator receives an email with a link to the full App
analysis report.
If the App was already analyzed by SandBlast Mobile, the administrator can immediately
download the full App analysis.
After reading the App analysis report, administrators can make educated decisions based on the
full App analysis before they distribute an App to their organization's mobile devices.
The App analysis report consists of the same data as described in "App Analysis Overview"
(p.62).
Settings
On the Settings tab you can view and manage the dashboard settings, customize the detailed view
of the private information for users, applications and devices.
Example:
Audit Trail
The audit log screen shows the logs for the system. You can search the audit logs by Time, Severity,
Admin User, Module, Category, Event, and Event data.
Example:
Select one or more drop-down search options to produce a report of specific log entries.
You can filter every column in the table:
You can also export the information from the table to a CSV file (comma-separated values), which
can be opened in spreadsheet applications such as Microsoft Excel. Use the filter to select the
information to include in the file.
You can set the number of rows to list on the screen, and scroll to view previous items:
Customization
Email Customization
Navigate to Settings > Customization > Email Customization to change the form of the
registration email sent from the Infinity Portal to the user when they register their mobile device. This
lets organizations customize their unique corporate message for device registration.
Example:
Logo Customization
Go to Settings > Customization > Logo Customization to change the logo that appears in the
upper right-hand corner of the Dashboard’s Menu bar. You can also change the logo that appears in
the upper left-hand corner of the SandBlast Mobile Protect app on user devices.
Example:
Language
Navigate to Settings > Customization > Language to change the default language of the
Dashboard from English to another language.
Example:
Privacy Settings
On the Privacy Settings tab the administrator can enable BYOD Privacy Mode.
When BYOD Privacy Mode is enabled, administrators can only see that a malicious threat exists, but
they cannot see the user affected by it. This ensures the highest user privacy when needed.
Events & Alerts Tab
When BYOD Privacy Mode is disabled, the Events & Alerts tab shows the Device Owner and Device
Number fields as configured in the Devices tab.
Example:
When BYOD Privacy Mode is enabled, the Events & Alerts tab does not show the Device Owner and
Device ID Number field.
Example:
When BYOD Privacy Mode is disabled, the Device Details show the app(s) that put this device at high
risk.
Example:
When BYOD Privacy Mode is enabled, the Device Details do not show the app(s) that put this
device at high risk. The administrator will only see that the device is at risk, and its risk level, but not
the reason.
Example:
App Analysis Tab
When BYOD Privacy Mode is disabled, the drill-down into the App Analysis information about the App
at Risk displays the app Owner Details.
Example:
When BYOD Privacy Mode is enabled, the drill-down into the App Analysis information about the App
at Risk does not display the app Owner Details.
SMTP Settings
Go to Settings > SMTP Settings to configure the Dashboard to send emails from your local domain
instead of using the SandBlast Mobile email server.
1. Click Add.
Example:
2. Select SMTP or SMTPS.
3. Enter the required information and click Save.
Device Management
On the Device Management tab, in the Device Management Settings page, the administrator can
integrate SandBlast Mobile with an unsupported MDM, or with one of these:
VMware Workspace ONE UEM (formerly AirWatch UEM)
MobileIron Core
MobileIron Cloud
IBM MaaS360
BlackBerry BES
BlackBerry UEM
Microsoft Intune
Citrix XenMobile
To adjust the default settings implemented for your UEM, see Device Management Advanced Settings.
Example:
Refer to our published UEM integration guides for your selected UEM platform for more information
on setup and usage.
Settings Page
On the Device Management >Settings page you can define the basic settings.
Example:
Go to Settings > Device Management Settings > MDM Services > and select the service from
the dropdown list.
None
If no UEM is configured, the Dashboard sends the registration email directly to the user device.
Unsupported UEM
Example:
This setting tells SandBlast Mobile not to install the Check Point MDIS profile.
This affects iOS functionality because the app list cannot be retrieved by the SandBlast
Mobile Dashboard, and therefore cannot be inspected for malicious apps. Android devices are
not affected.
Example:
You can define the actions that the SandBlast Mobile system will or will not perform:
Daily registration limit (# of devices) – The number of devices that can register within a
  24 hour period.
1. Go to Settings > Device Management > Advanced to adjust the default settings
implemented for your UEM.
2. Example:
Setting – Description
Deletion delay interval – Delay device deletion after sync: the device is not deleted if it
  is re-synced from the UEM during the threshold interval. Values: 0-48 hours.
App sync interval – Interval to retrieve the iOS app list from the UEM. Values: 10-1440 minutes,
  in 10 minute intervals.
Syslog Page
On the Syslog tab, the administrator can set the Dashboard to send Syslog events to a Syslog,
RSyslog, or ArcSight server.
Go to Settings > Syslog > Syslog Settings and select an option from the dropdown window.
Example:
The SandBlast Mobile Dashboard must communicate to your Syslog server through your firewall. The
source IP addresses can be found in SandBlast Mobile Communication Information.
Syslog
Example:
To configure Syslog:
Setting – Description
Facility – Facility is used to specify the type of program that is logging the message. Messages
  with different facilities may be handled differently. Defaults to "user".
4. Click Verify.
5. Click Save.
RSyslog
Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for
forwarding log messages in an IP network. It implements the basic syslog protocol, extends it
with content-based filtering, rich filtering capabilities and flexible configuration options, and adds
features such as TCP transport and SSL/TLS encryption.
Example:
To configure RSyslog:
Setting – Description
Protocol – TLS
Audit TAG, Event TAG – Because SandBlast Mobile can send 2 formats of logs, Event logs and Audit
  logs, the receiving RSyslog system publishes 2 parsers for these types. When SandBlast Mobile
  sends an Event type it adds the Event Tag to the message. When SandBlast Mobile sends an
  Audit type it adds the Audit Tag to the message.
4. Click Verify.
5. Click Save.
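The two syslog settings above, the Facility and the Event/Audit tags, map onto concrete message handling. As an added example (not the Dashboard's or RSyslog's code), the block below computes the syslog PRI value that the Facility setting feeds into (RFC 5424: PRI = facility × 8 + severity, with "user" = 1) and shows a receiver that splits incoming lines into Event and Audit streams by tag, which is what the two RSyslog parsers do. The tag strings SBM_EVENT and SBM_AUDIT, the placement of the tag in the APP-NAME field, the hostname and all message bodies are assumptions constructed for the example; the guide does not specify them.

```python
"""
Added example: syslog PRI computation and tag-based routing of Event/Audit logs.
Tag names, field placement and sample messages are constructed assumptions.
"""
import re
from datetime import datetime, timezone

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """RFC 5424 PRI value; the Dashboard's Facility setting defaults to "user" (1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(tag: str, severity: str, msg: str, facility: str = "user",
                  hostname: str = "sbm-dashboard.example", ts: datetime = None) -> str:
    """Format an RFC 5424 line, carrying the tag in APP-NAME (assumed placement)."""
    ts = ts or datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed fixed time
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri(facility, severity)}>1 {ts.isoformat()} {hostname} {tag} - - - {msg}"


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


def parse_message(line: str):
    """Parse one RFC 5424 line; return None if it does not match the format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri_value = int(m.group("pri"))
    if pri_value > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return {
        "facility": FACILITY_NAMES.get(pri_value // 8, str(pri_value // 8)),
        "severity": SEVERITY_NAMES[pri_value % 8],
        "host": m.group("host"),
        "tag": m.group("app"),
        "msg": m.group("msg"),
    }


def route(lines, event_tag: str = "SBM_EVENT", audit_tag: str = "SBM_AUDIT") -> dict:
    """Split received lines into event, audit and unknown buckets, like two RSyslog parsers."""
    buckets = {"event": [], "audit": [], "unknown": []}
    for line in lines:
        rec = parse_message(line)
        if rec is None:
            buckets["unknown"].append(line)      # malformed: keep raw for troubleshooting
        elif rec["tag"] == event_tag:
            buckets["event"].append(rec)
        elif rec["tag"] == audit_tag:
            buckets["audit"].append(rec)
        else:
            buckets["unknown"].append(line)      # well-formed but not one of our two tags
    return buckets


# Constructed sample traffic, shaped like what a Dashboard might emit (not captured output)
SAMPLE_LINES = [
    build_message("SBM_EVENT", "crit", "threat=malware action=detected device=dev-0001"),
    build_message("SBM_AUDIT", "info", "admin=alice@example.com module=policy event=changed"),
    build_message("SBM_EVENT", "warning", "threat=usb-debugging device=dev-0002"),
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for bucket, items in route(SAMPLE_LINES).items():
        print(bucket, len(items))
```

Lines that do not parse or carry neither tag are kept raw in the "unknown" bucket rather than dropped, so a change in the sender's format shows up as a growing unknown count instead of silently missing events.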
ArcSight
Example:
To configure ArcSight:
Setting Description
4. Click Verify.
5. Click Save.
Administrators
You can add, remove, or edit Administrators.
Go to Settings > Administrators > List View > administrators (Super User or Admin level).
When you add a new administrator, the Super User or Admin level Administrators can configure an
option for email or SMS notification about alerts / announcements.
Example:
2. Click [?] next to the Role button and select an administrator role from the list.
Note - (*) When you add a Group Security Manager, you can also add the Groups of Devices
and Policies Profiles options.
Example:
Admin Roles Definition
To select and set the Administrator role permissions across the Dashboard, see this table.
Example:
Password Policy
The administrator can set a password policy for Administrator users. By default, a password policy is
not enabled.
To set a password policy for Administrator users go to Settings > Administrators > Password
Policy.
Name – Description
Password expiration period (Days) – If the Force password change setting is ON, the number of days
  before the user is required to change their login password is enforced. Number of Days can be
  30, 60, 90, 120, 180, or 360. Default = 90 days.
Number of reused passwords – If the Force password history policy is ON, the number of passwords
  stored can be set from 2 to 16. These stored passwords cannot be reused. Default = 6.
Example:
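To make the two settings above concrete, here is an added example (not the Dashboard's own implementation) that enforces them on a local administrator record: forced expiry after the configured number of days (one of 30, 60, 90, 120, 180 or 360; default 90) and a history of 2 to 16 previous passwords (default 6) that cannot be reused. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests, a storage choice made for the example; the account name and passwords are constructed.

```python
"""
Added example: password expiry and reuse-history enforcement for admin accounts.
Storage format and sample data are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

ALLOWED_EXPIRATION_DAYS = (30, 60, 90, 120, 180, 360)
PBKDF2_ITERATIONS = 100_000


@dataclass
class PasswordPolicy:
    force_password_change: bool = False
    expiration_days: int = 90
    force_password_history: bool = False
    history_size: int = 6

    def __post_init__(self):
        # Reject values outside what the settings page offers
        if self.expiration_days not in ALLOWED_EXPIRATION_DAYS:
            raise ValueError(f"expiration_days must be one of {ALLOWED_EXPIRATION_DAYS}")
        if not 2 <= self.history_size <= 16:
            raise ValueError("history_size must be between 2 and 16")


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, stored: tuple) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class AdminAccount:
    username: str
    last_changed: date
    history: list = field(default_factory=list)  # most recent first, (salt, digest) pairs


def password_expired(account: AdminAccount, policy: PasswordPolicy, today: date) -> bool:
    """True when the policy forces a change and the password is at least expiration_days old."""
    if not policy.force_password_change:
        return False
    return (today - account.last_changed).days >= policy.expiration_days


def reuse_rejected(account: AdminAccount, policy: PasswordPolicy, new_password: str) -> bool:
    """True when history enforcement is on and the candidate matches one of the last N passwords."""
    if not policy.force_password_history:
        return False
    recent = account.history[: policy.history_size]
    return any(matches(new_password, stored) for stored in recent)


def set_password(account: AdminAccount, policy: PasswordPolicy, new_password: str, today: date) -> bool:
    """Apply the history rule, then store the new digest; return False if the change is rejected."""
    if reuse_rejected(account, policy, new_password):
        return False
    account.history.insert(0, hash_password(new_password))
    del account.history[policy.history_size:]  # keep only as many as the policy needs
    account.last_changed = today
    return True


if __name__ == "__main__":
    policy = PasswordPolicy(force_password_change=True, force_password_history=True)
    acct = AdminAccount("admin@example.com", date(2024, 1, 1))  # constructed account
    print(set_password(acct, policy, "constructed-example-1", date(2024, 1, 1)))
    print(set_password(acct, policy, "constructed-example-1", date(2024, 1, 2)))  # reuse -> False
    print(password_expired(acct, policy, date(2024, 6, 1)))
```

The history check compares against salted digests rather than stored plaintext, so the reuse rule can be enforced without the server ever keeping old passwords in recoverable form.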
SSO Settings
You can enable Administrator accounts to work with your company Identity Provider.
Go to Settings > Administrators > SSO settings and follow the instructions on the screen.
Example:
Information Visible to the Organization's Administrators on the Dashboard
When the device is not at risk, you can view the user and device information in these tabs:
Devices
Device Risk
In the Devices tab, the user's name, email address, and phone number as entered by the
organization are associated with a particular device ID. The details of the device are limited to device
OS type and version, device type, the version of the SandBlast Mobile Protect app running on the
device, and the last time the device connected with the Gateway.
In this view, the Administrators can view a list of registered devices, but cannot view the list of apps
installed on a particular device.
When the device is viewed from the Device Risk tab, the device detail is similar to that of the
Devices tab.
From the App Analysis tab, the Administrator can view a comprehensive list of all the apps installed
across all the registered devices, but they cannot view on which devices the apps are installed when
the app is not identified as Malicious or Warning severity level.
Device at risk
If a device is at High or Medium risk level, the Administrators can view the same level of device
details as before, but with a list of apps that put the device at risk.
You can view more details about the Malicious or Warning severity level app by drilling-down on
the app from the Device Risk view, or by viewing the app from App Analysis tab. A Malicious or
Warning severity level app will include information about the app, such as fingerprint, store location,
capability, and more, and also will include the list of the affected devices (for example, the devices on
which the app is installed).
Announcements
Go to Settings > Announcements to view all system messages sent from Check Point.
Example:
Appendices
SandBlast Mobile Communication Information
This table describes the networking rules required to configure your security systems in order to
allow the Solution's integration with your on-premise systems (UEMs, syslog, and so on).
To prevent spam filters from blocking SandBlast Mobile's emails, this IP address must be allowed as a
sender: 167.89.59.134.
Best Practice - The best practice when enabling firewall access for SBM is to use DNS-based
names. When that is not an option, use the IP addresses provided for the specified DNS names in
the table below.
Security system configuration rules
Region – Description – Source – Destination – Destination Port
52.17.79.161
52.0.129.11
52.6.231.218
52.87.59.245
54.84.219.180
54.84.231.79
* SandBlast Mobile Dashboard FQDN – The Fully Qualified Domain Name of your SBM Dashboard,
unique per customer (e.g. example-sbm.mt2.locsec.net).
Policy Profiles Description
Main features
Feature – Description
Safe Browsing (see Safe Browsing) – This category includes URLs that may be reached during on-device
  browsing and are established to steal information from users or install drive-by malware.
  These sites falsely represent themselves as legitimate websites to obtain users' account
  credentials or credit card information that can be used for fraudulent or illegal purposes.
  These sites falsely represent themselves as legitimate websites to install malicious apps on the
  user's device to root/jailbreak the device, take command-and-control of the device, and steal
  on-device information.
Parameter Configuration – This category allows users to configure the basic On-device Network
  Protection behavior (Disabled, Always on, Turn on when device is at risk).
  This category also includes a Configure pop-up window that allows you to configure different
  parameters of On-device Network Protection (General settings and suspending policy for
  On-device Network Protection).