
McAfee MVISION Mobile Console 1809

Product Guide

September 11, 2018


COPYRIGHT
Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee MVISION Mobile Console Product Guide 2


Contents

Preface
Audience
Related Documentation
Introduction to Mobile Threat Protection
    Objective
    About the Threat Detection Engine
    About SIEM and MDM Systems
Software Requirements
About the Architecture
    MDM Integration
    Ad hoc MDM Synchronization
    SIEM Integration
    MVISION Mobile Console Group Configuration
MVISION Mobile Console Overview
    UI Functions
Apps
    App Inventory
    Application Analysis
    App Sample Detection Dates
iOS Profiles
Managing Users
    Creating a Single User
    Creating Multiple Users
    About the CSV File to Add Users
    Updating and Deleting a User
MVISION Mobile Threat Detection Application Activation
    On-Boarding with Activation Links
    On-Boarding with Domain Name
    MDM Activation
Threat Response Policy/Matrix (TRM)
    Enable
    Severity
    Threat
    Set User Alerts
    Action/Protection
        Device Action
        MDM Action
    Mitigation Action
    Notifications
Manage
    General Settings
    Privacy Settings
    MDM Settings
    VPN Settings
    Network Sinkhole Settings
    About Audit Logs
    Role Definitions
    Message Templates
Appendix A – Threat Classifications
Appendix B - MDM Capabilities Matrix
Appendix C – Google Android for Work Implementation with MVISION Mobile Threat Detection Application
Appendix D – Table of MVISION Mobile Threat Detection Application Threat Variables



Preface
This guide explains the capabilities of the MVISION Mobile Console management interface and
configuration options for achieving your business goals. It also contains a high-level overview of other
features, integration, and capabilities.

Audience
The intended audience for this guide is an MVISION Mobile Console administrator. The MVISION Mobile
Console application provides threat protection to mobile devices; the system administrator sets
policies for threats and monitors and manages detected threats.

Related Documentation
For more information and specific configuration information about MDM, SIEM, and the iOS and Android
platforms, see the following documents in the McAfee documentation set:
● MVISION Mobile Threat Detection Application Android Platform Guide (PD27930)
  Provides detailed information about how to configure and install MVISION Mobile Threat
  Detection Application on Android platforms.
● MVISION Mobile Threat Detection Application iOS Platform Guide (PD27931)
  Provides detailed information about how to configure and install MVISION Mobile Threat
  Detection Application on iOS platforms.
● McAfee MVISION Mobile AirWatch Integration Guide (PD27932)
  Provides detailed information about how to integrate with AirWatch MDM.
● McAfee MVISION Mobile MobileIron Integration Guide (PD27933)
  Provides detailed information about how to integrate with MobileIron MDM.
● McAfee MVISION Mobile Microsoft Intune Integration Guide (PD27934)
  Provides detailed information about how to integrate with Microsoft Intune MDM/MAM.
● McAfee MVISION Mobile IBM MaaS360 Integration Guide (PD27935)
  Provides detailed information about how to integrate with IBM MaaS360.
● McAfee MVISION Mobile BlackBerry Integration Guide (PD27936)
  Provides detailed information about how to integrate with BlackBerry UEM and Dynamics.
● McAfee MVISION Mobile Citrix Integration Guide (PD27937)
  Provides detailed information about how to integrate with Citrix MDM.
● McAfee MVISION Mobile Silverback MDM Administrator Guide (PD27938)
  Provides detailed information about how to integrate with Silverback MDM.
● McAfee MVISION Mobile SIEM-syslog Integration Guide (PD27939)
  Provides detailed information about how to integrate with SIEMs.
● McAfee MVISION Mobile Console Threat Reference Guide (PD27940)
  Provides detailed information about the list of threats and which are supported on Android and
  iOS.
These documents are located in the McAfee document portal at https://docs.mcafee.com



Introduction to Mobile Threat Protection
Objective
Mobile devices are found everywhere today. They represent an opportunity for malicious actors who
are looking to find new ways to gain access to corporate environments. Although corporate
environments might have protection from viruses and malware on servers, desktops and laptops,
mobile devices are increasingly the new frontier colonized by hackers.

About the Threat Detection Engine


McAfee provides Mobile Threat Defense capability for detecting and taking actions when a malicious
hacker tries to attack a mobile device. All mobile devices can be equally affected by a threat. The Threat
Detection engine of McAfee MVISION Mobile Threat Detection App is a revolutionary cyber-attack
defense engine that uses heuristics to dynamically detect advanced host and network-based attacks on
mobile devices, such as iPhones, Androids, and iPads. The Engine provides unparalleled coverage and
visibility into advanced threats. Most importantly, it provides new insights into what attacks are
occurring on mobile devices – an unknown territory until now.
The Engine monitors the whole device for malicious behavior regardless of the entry vector (not just
scanning mobile apps) without reliance on signatures (AV technology). This approach is immune to
evasion techniques such as the following:
● Polymorphic malware
● Virtual machine awareness
● Download and execute techniques or binary obfuscation
This approach allows us to find and protect against both known and unknown threats.
The engine's mobile sensors alert the Security Officer to mobile attacks happening both inside and
outside of the corporate network, like tsunami buoys that alert on an oncoming tidal wave. This
prevents a single compromised mobile device from turning into a wider outbreak across the business
enterprise.

About SIEM and MDM Systems


When a malicious event is detected, we collect the needed forensics information and metadata to send to
the McAfee MVISION Mobile Console. Depending on its configuration, this information is shared with your
corporate Security Information and Event Management (SIEM) system. Security events can be pulled
from the MVISION Mobile Console and are returned in syslog or JSON format, which allows any SIEM to
parse them and generate appropriate entries. MVISION Mobile Console can also send events via syslog
over the Internet as needed.
Integration points are also provided with Mobile Device Management (MDM) providers to allow the
MDM to take actions as needed and defined by the MDM/Security Administrator. This is provided by
allowing the MVISION Mobile Console to contact the MDM server via secure Application Program
Interface (API) calls. If your MDM vendor supports API connectivity from outside sources, it can be
integrated. If you are using an MDM provider that is not on the list below, it can be added within a
reasonable time period if the provider offers API access.



Software Requirements

Supported Browsers (Requires HTML 5)   Minimum Version
Chrome                                 Current Version
Internet Explorer                      10
Safari                                 Current Version (not tested)
Firefox                                Current Version (not tested)

MDM Systems                            Minimum Version
AirWatch MDM                           7.3
BlackBerry Dynamics                    BlackBerry Dynamics 1.0
BlackBerry UEM MDM (BES)               12.4 UEM - 12.6 UEM needed for iOS App Configuration
Citrix MDM                             10.4
Microsoft Intune                       SaaS based (The current version is always supported)
MobileIron MDM                         Core 8 - Cloud (current available version)
Silverback MDM                         Temporarily not supported

SIEM
Syslog                                 Any SIEM that has a JSON Syslog input capability



About the Architecture
The MVISION Mobile product has the following key components:
● An MVISION Mobile Threat Detection Application that resides on mobile devices.
● A central management server called MVISION Mobile Console, from which MVISION Mobile Threat
Detection Application is configured.
● A McAfee MVISION Mobile ePO Extension that presents the dashboard, devices, and threats in
your McAfee ePO server for centralized visibility across your network. See “MVISION Mobile
ePO Extension Product guide” available at https://docs.mcafee.com .
All communication between MVISION Mobile Threat Detection Application and the MVISION Mobile
Console is automatically set up to allow for new updates to be pushed or pulled as needed and to verify
connectivity.
The back-end Cloud servers then communicate with integrated systems (such as MDM, SIEM, and IAM) via
system APIs and other connectors. MVISION Mobile Console and all back-end servers are based in our
cloud environment, which provides for security, redundancy, and scalability. Customers are typically
implemented in this shared cloud environment with logical security in place to protect customer data
from leaking to other customers. If necessary, a customer can be implemented in a dedicated cloud
environment with as much protection and as many capabilities.

MDM Integration
Integration with MDM servers provides the ability to:
● Synchronize devices with MVISION Mobile Console and ePO
● Synchronize users with MVISION Mobile Console
● Define groups to be used in policy and other configuration items
● Provide granular protection mechanisms in addition to the protections built in to MVISION
Mobile Threat Detection Application
MDM vendors have different integration capabilities that range from simple application pushes to
performing actions. These levels of integration are defined in the table below with an explanation of
what can be obtained for each level.
Level  Description
1      MVISION Mobile Threat Detection Application deployment: Uses the MDM to push the MVISION
       Mobile Threat Detection Application to enrolled MDM devices.
2      (A) Synchronize users, devices, and applications (can be via groups or full inventory): MVISION
       Mobile Console synchronizes users and devices enrolled in MDM. This allows the administrator to
       manage users in a single location, the MDM server.
       (B) Auto-activation: Automatically identify the user and device on startup. No user intervention
       is required. If the MDM supports ad hoc MDM sync or the device details have been synchronized
       with the MDM, MVISION Mobile Threat Detection Application starts protecting the device right
       away. This is configured differently per platform and per MDM:
       ● iOS: Using the MDM feature to push Managed Application Configuration values to the device.
         MVISION Mobile Threat Detection Application understands this form of configuration on iOS
         and uses the values assigned to activate the device with the MVISION Mobile Console. The
         method for this integration differs per MDM and is defined in the individual MDM guides.
       ● Android: When Android MVISION Mobile Threat Detection Application starts, it uses the MDM
         identifier from the MVISION Mobile Console activation link URL (the part for the MDM_ID). It
         uses the MDM_ID parameter as the common identifier that the server also knows. The device
         pushes the identifier to the MVISION Mobile Console to activate the device. If there is no
         MDM integration, an identifier uniquely provided by Android is used.
3      Basic protection actions such as Wi-Fi disconnect.
4      Granular protection actions defined by the MDM Administrator: Using API features of the MDM
       provider, assign the device to a specific compliance or protection policy, and protect corporate
       data on the device. For example, if the device becomes the target of suspicious application
       activity, put the device into a group that automatically removes access to corporate email. The
       action can be different for each threat classification. A group might send a push, SMS, or email
       message to the user/device about an issue, or provide more severe protection, such as
       unenrolling the device from the MDM.

When integrated with an MDM, MVISION Mobile Console can synchronize the entire inventory or a
subset of groups as defined by the MDM. For example:
● Smart groups (AirWatch)
● User Groups (BlackBerry)
● Delivery Groups (Citrix)
● Labels (MobileIron)
Devices in the selected groups enrolled in MDM synchronize to the MVISION Mobile Console, and all
moves, adds, and changes to devices in those groups are then handled by the MDM administrator. Any
changes detected by MVISION Mobile Console during the regularly scheduled synchronization are
mirrored in the MVISION Mobile Console as well. See the MDM Configuration guides in the customer
portal for more information and Appendix B - MDM Capability Matrix for a complete list of capabilities
for each MDM supported.
For more information about MDM activation links, see “MDM Activation” in this guide.
This table lists the supported features by platform.
Feature                                                        MDM: iOS   MDM: Android   No MDM: iOS   No MDM: Android
Disable Wi-Fi                                                  ✘          ✔              ✘             ✔
Disconnect SSID                                                ✔ (1)      ✘              ✘             ✘
Assign to MDM Label/SmartGroup/Delivery Group/Service Group    ✔          ✔              ✘             ✘
On Device VPN                                                  ✔          ✘              ✔             ✘
(1) AirWatch MDM Only

Ad hoc MDM Synchronization
The MDM synchronization of users and devices occurs when the initial setup is implemented and then
every four hours thereafter. Because of the four-hour synchronization window, a new MDM user sometimes
has MVISION Mobile Threat Detection Application pushed down to their device and tries to start it
before the device has actually been synchronized from the MDM. MVISION Mobile Console handles this by
doing an ad hoc synchronization. MVISION Mobile Console gets the identification information that
MVISION Mobile Threat Detection Application uses for authentication and matches it with the proper
customer. Once that happens, MVISION Mobile Console retrieves that device and user information from
the MDM configured for that customer. MVISION Mobile Threat Detection Application on that device is
now authenticated and allowed to continue. For this to work correctly, MVISION Mobile Threat
Detection Application must be deployed as follows:

● iOS: Associate a plist file with the MVISION Mobile Threat Detection Application that pushes down
the parameters required for auto log on to the MVISION Mobile Threat Detection Application. This is
described in detail in the specific MDM configuration guides for MDMs that support application
configurations. Additional plist entries needed for this to work are tenant ID and default channel.
● Android: Ad hoc synchronization is supported on Android with purpose-built MVISION Mobile Threat
Detection Application apps for each customer that requires this on Android. Contact McAfee Customer
Support for more information.

SIEM Integration
Security events can be securely pulled from the MVISION Mobile Console using the script defined in the
“MVISION Mobile SIEM Integration Guide.” This guide contains a bash script, which can be run from a
crontab so that it accesses the Cloud server at regular intervals over HTTPS and retrieves the events in
JSON format. These events are then saved as files locally on the customer computer from which the
bash script is executed. The files can then be imported into the customer’s SIEM system using the SIEM's
native JSON capabilities or syslog. The advantage of this approach is that it does not require the
customer to perform any networking changes or expose any secure resources to the network. The script
is a starting point and can be updated as needed. If an inbound syslog connection is preferred,
this can be configured as well.
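
The file-import step described above, as an added example that is not the script from the SIEM Integration Guide or any McAfee code: it turns saved JSON pull files into RFC 5424 syslog lines, skips events already forwarded by an earlier run, and counts records truncated mid-write. The event field names (event_id, timestamp, severity, app_name), the severity mapping, the host name and the sample files are assumptions constructed for illustration; the real event schema is defined in the SIEM Integration Guide.

```python
import hashlib
import json
import re

# Assumed mapping from a hypothetical "severity" field to RFC 5424 severities.
SEVERITY_MAP = {"critical": 2, "elevated": 4, "low": 5}
FACILITY_LOCAL0 = 16
RFC3339 = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})")

# Constructed sample events; field names and values are illustrative only.
_E1 = {"event_id": "e-1001", "timestamp": "2018-09-11T10:15:00Z",
       "severity": "critical", "threat": "Suspicious Android Application",
       "app_name": "Flash\nlight"}  # newline inside a device-supplied field
_E2 = {"event_id": "e-1002", "timestamp": "2018-09-11T10:20:00Z",
       "severity": "low", "threat": "Suspicious iOS Application"}
_E3 = {"event_id": "e-1003", "timestamp": "not a time", "severity": "elevated"}
FILE_A = json.dumps([_E1, _E2])                         # one JSON array
FILE_B = "\n".join([json.dumps(_E2), json.dumps(_E3),   # one object per line,
                    '{"event_id": "e-1004", "timest'])  # last record truncated


def parse_pull_file(text):
    """Return (events, bad_records) for one saved pull file.

    Accepts a JSON array, a single object, or one object per line, and counts
    records that do not parse (for example a file cut off while being written).
    """
    text = text.strip()
    if not text:
        return [], 0
    try:
        doc = json.loads(text)
        if isinstance(doc, list):
            return [e for e in doc if isinstance(e, dict)], 0
        if isinstance(doc, dict):
            return [doc], 0
    except json.JSONDecodeError:
        pass  # fall through to line-by-line parsing
    events, bad = [], 0
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            bad += 1
    return events, bad


def event_key(event):
    """Stable identity used to drop events repeated across overlapping pulls."""
    if "event_id" in event:
        return str(event["event_id"])
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def to_syslog(event, hostname="mobile-console-puller"):
    """Format one event as a single RFC 5424 line with a JSON message body."""
    sev = SEVERITY_MAP.get(str(event.get("severity", "")).lower(), 6)
    pri = FACILITY_LOCAL0 * 8 + sev
    ts = event.get("timestamp")
    # Only a well-formed timestamp goes into the header; anything else is NIL.
    ts = ts if isinstance(ts, str) and RFC3339.fullmatch(ts) else "-"
    # json.dumps escapes control characters, so a newline in a device-supplied
    # value cannot split the record into a second, forged syslog line.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return f"<{pri}>1 {ts} {hostname} mvision-mobile - - - {payload}"


def forward_new(file_texts, seen):
    """Return (syslog_lines, bad_records) for events not yet in `seen`."""
    lines, bad_total = [], 0
    for text in file_texts:
        events, bad = parse_pull_file(text)
        bad_total += bad
        for ev in events:
            key = event_key(ev)
            if key in seen:
                continue
            seen.add(key)
            lines.append(to_syslog(ev))
    return lines, bad_total


if __name__ == "__main__":
    out, bad = forward_new([FILE_A, FILE_B], set())
    print("\n".join(out))
    print(f"unparseable records: {bad}")
```

In a real deployment the `seen` set would be persisted between cron runs, and a non-zero bad-record count is a reason to re-read that file on the next run rather than discard it.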

MVISION Mobile Console Group Configuration


MVISION Mobile Console provides a mechanism to apply configurations to groups of users/devices for
the Threat Response Policy and the Privacy Settings. In addition, Administration Roles can be associated
with specific groups, allowing for greater control of administrator rights.

Groups can be used in the MVISION Mobile Console when an MDM integration is implemented with an
MDM vendor that supports groups. During the MDM setup process, MVISION Mobile Console recognizes
when an MDM supports groups and provides the Administrator an opportunity to set up one or more
MVISION Mobile Console groups that correspond to the MDM groups. This screen is used to provide a
hierarchy of which group to use in MVISION Mobile Console when a user/device is in more than one
group being used for synchronization.

Any users added locally to MVISION Mobile Console are defined in the ‘Default Group’ group. Currently,
this cannot be changed.



MVISION Mobile Console Overview
The MVISION Mobile Console management interface is used to configure Threat Response Matrix (TRM)
policies and view events and forensics that are associated with those events. When an administrator
logs into the MVISION Mobile Console, the displayed Dashboard screen summarizes your inventory of
protected devices, and recent events with the associated security intelligence. To access this console,
follow the “configuration” SSO link from your MVISION Mobile page on ePO.

UI Functions
Each page in the MVISION Mobile Console has been standardized to provide
consistent behavior and display capabilities. Once in the Dashboard, Administrators
can navigate to other pages by clicking one of these navigation options:
● The icons on the left
● The Admin Profile selection, opened by clicking the down arrow on the right
side of the page
Interact with the filters at the top of most of the pages to control the data
displayed. Each page has a similar filter but varies slightly to pertain to that page. By
choosing different filters, the Administrator can change the data shown and easily
find relevant information.

The filters can be changed by clicking the icon described in the table below.

Item              Action
[icon] or [icon]  Most columns provide a sort mechanism. Clicking the column header on a column where
                  sorting is available displays one of these icons to sort ascending or descending. If
                  the icon does not display, the column chosen cannot be sorted. Only one column can be
                  sorted at a time.
[icon]            Click this icon in a column header to filter the content based on this column.
                  Multiple filters can be enabled per page header.
[icon]            A column with an active filter is displayed with this icon. Clicking the icon allows
                  the admin to change the filter.

This figure is a sample filter set on the title bar.



Apps
The MVISION Mobile Console APPS page provides the Administrator with an at-a-glance view into the
classification and risk analysis of all apps in your organization's device inventory. This includes the
following information:
● The classification of the app: Legitimate or Malicious
● The Privacy Risk rating of the app (the Privacy Risk ratings are included in the z3A license)
● The Security Risk rating of the app (the Security Risk ratings are included in the z3A license)
The table describes the columns included in the Apps page filter.

Column           Description
Classification   Display apps that are classified as Legitimate or Malicious.
App Name         Display apps that match the chosen app names.
Package Name     Display apps that match the derived package names.
Version          Sort by app version.
Device Count     Sort by the number of devices in your environment per app.
Privacy Risk     Sort by the Privacy Risk Rating.
Security Risk    Sort by the Security Risk Rating.
Updated On       Sort by the date/time the apps were updated.
Type             Display apps that are iOS and Android.
Allowed/Denied   Display apps that are Allowed, Denied, or None.

This table provides additional information about the Privacy Risk and Security Risk column values.

Risk Column Display   Process State Values   Description
Low, Medium, High     Available              The report is available.
Processing            Unknown                Report request submitted to z3a. Report is processing.
Unable to Process     Unsupported            Encrypted - z3a could not process the app (for instance, it
                                             might be encrypted).
                                             Not Executable - App could not be executed.
                                             Paid - z3a cannot process paid apps.
Unavailable           Unavailable            No report record found for the app.



App Inventory
Before performing either app classification or risk analysis of the apps installed on your devices, the
solution must get an inventory of your apps from across the devices that have MVISION Mobile Threat
Detection Application installed on them. This process of acquiring the app inventory is performed
differently depending on the mobile platform and implementation.

● iOS application discovery and scanning is handled via both on-device scanning and MDM
integration. Apps are scanned when MVISION Mobile Threat Detection Application is first
activated on the device and each time a new app is installed. In addition, at each MDM
synchronization interval, cloud servers request a list of applications for each iOS device and
perform a scan on the application metadata to verify if there are any malicious apps. MVISION
Mobile Threat Detection Application uses a local signature database and, if needed, can reach out
to the cloud for more information so that application files that have not been identified locally can
be identified and classified. If a malicious application is found, MVISION Mobile Threat Detection
Application on that device is alerted and the configured policy action in the Threat Response
Policy/Matrix on the device is applied for a Suspicious iOS Application.
● Android application discovery and scanning is handled via on-device scanning, when an app is
downloaded and when an app is installed. MVISION Mobile Threat Detection Application uses a
local signature database and, if needed, can reach out to the cloud for more information so that
application files that have not been identified locally can be identified and classified. If an
application is found to be malicious, MVISION Mobile Threat Detection Application on that device
is alerted and the configured policy action in the TRM on the device is applied for a Suspicious
Android Application.
On Android MVISION Mobile Threat Detection Application, when a new app is detected that has
not yet been analyzed, it is uploaded to the cloud for further processing when the MVISION Mobile
Threat Detection Application user is connected to a Wi-Fi network. This can be disabled by
deselecting ‘Application Binaries’ in the Policy Settings for a specific group or all groups.
● To evaluate apps that have not been detected yet, the MVISION Mobile Console Administrator can
upload apps to be scanned using the UPLOAD APP button on the upper right corner of the Apps page in
MVISION Mobile Console. Once clicked, you can upload an app directly or provide an iTunes URL
for retrieval.
● To export the list of apps in your environment and their associated classifications, click the Export
CSV button, shown above to the right. This export produces a CSV file downloaded via the
browser.

Application Analysis
Each application in a customer’s environment is evaluated in the following ways:

1) Legitimate/Malicious: The application is evaluated to see if it is malicious. We look at multiple
characteristics such as:
○ Application reputation
○ Author of the app
○ Anti-virus vendors that have marked the application as malicious
This data is used to see if the application meets our threshold for being Malicious. Otherwise, it
is rated as Legitimate. An MVISION Mobile Console administrator can override this malicious vs.
legitimate decision by clicking the three horizontal dots on the line with the application in the
list. The last option provides a way to set the application as allowed or denied. When the ‘Allow
/ Deny’ option is checked, the administrator can allow or deny the app using the exact version or
all versions of the application.
Choose the option wanted and click Save.

2) Privacy Risk: Rating based on the privacy aspects of the application using a scale from Low –
Medium – High. Identifies aspects of the application that are deemed privacy risks, such as the
ability to access the calendar or the microphone.
3) Security Risk: Rating based on secure coding aspects of the application using a scale from Low –
Medium – High. Identifies aspects of the application that are deemed unsafe, such as OWASP
Mobile Top 10 issues, SSL certificate validation, or vulnerabilities.
Note: An additional z3A license is needed for items (2) and (3) above.
Reports are generated for each application based on its Privacy and Security issues. At this time, the
Privacy rating and the Security rating of an app do not have a bearing on whether the app is malicious or
legitimate. To view these reports, click the three horizontal dots to see the report options:
● Executive PDF Report: A high-level overview of the Privacy and Security issues for the
application selected in PDF format.
● Technical PDF Report: A detailed reason for the Privacy and Security issues listed in the
Executive Report in PDF format.
● JSON Report: The raw data behind the reports in JSON format.
Click the report required for this application and it is downloaded.

App Sample Detection Dates


When MVISION Mobile Threat Detection Application processes
an app for the first time, it is added to the customer app
database for quicker identification. This section allows
Administrators to see new additions to the local/customer app
database. The date the app is discovered is added to the app
information.
The columns in the APPS page can be hidden as required by
clicking the gearbox on the upper right corner and selecting the
columns to show and deselecting which columns to hide.

iOS Profiles
We collect managed and unmanaged profiles through the MDM integration (only certain MDMs
provide this information). These profiles are displayed in the Profiles page and any unmanaged profiles
are defined as Suspicious.

The Profiles page filter contains the following:


| Column | Description |
|---|---|
| Status | Display profiles that match the selected status of Trusted, Untrusted, Suspicious |
| Type | Display profiles that match the selection of Managed, Unmanaged |
| Name | Sort profiles based on their name |
| Detected On | Sort profiles by date/time that they were detected |
| Device Count | Sort profiles by number of devices they are installed on |

The administrator can change the profile to either Trusted or Distrusted. The lifecycle of an unmanaged
profile detected by MVISION Mobile Threat Detection Application is:

1. After an MDM synchronization, qualify any new profiles.
2. Define which are MDM Managed and which are Unmanaged.
3. Set any Unmanaged Profiles to be suspicious and send an alert as defined in the Threat
Response Policy.
4. The Admin can then go to the Profiles page to find this unmanaged Profile. Click the three dots
to the right of the profile and select either Trust or Distrust. If Distrust is selected a new
MVISION Mobile Threat Detection Application alert is created and the Threat Response Policy is
chosen.

Managing Users
We use user IDs associated with devices to authenticate and optionally to send alerts/notifications to
them when those devices experience a gap in communications to the cloud. Through the use of predefined
roles, MVISION Mobile Console can distinguish who is allowed to access it and what they are allowed to
do. Most users only have access to activate MVISION Mobile Threat Detection Application and have no
access to the MVISION Mobile Console.
To add users to the MVISION Mobile Console:
● Create users manually. All users defined can activate MVISION Mobile Threat Detection
Application.
● Create users through an MDM integration. Users are automatically assigned the default role of
‘End User’. When a user is added in this way, an administrator can then change the following:
○ Contact Phone
○ Role
○ Delete the User
The Users page provides the ability to add users and display the users defined in the MVISION Mobile
Console and their associated role. When manually adding users to the MVISION Mobile Console, you
must assign them to the proper role. This role defines what a user can and cannot do in MVISION Mobile
Console.
Administrators can edit roles and change access as needed via the Manage page. Available roles are
detailed in the following table:
| Role | Description |
|---|---|
| System Admin | An Administrator on MVISION Mobile Console who has full privileges/access to all items. |
| Mobility Admin | Administrators that can add or change MDM settings. |
| Security Admin | Incident Response and Operations teams with ability to view and take actions on threats. |
| L2 Support | Level 2 Help Desk employees that handle escalations from Level 1 Support. |
| Risk/Compliance | View only access to MVISION Mobile Console for auditing and compliance. |
| L1 Support | Level 1 Help Desk employees that have read access to users, devices and threats. |
| End User | Able to activate MVISION Mobile Threat Detection Application but not able to log in to the MVISION Mobile Console. |

To add one or more users manually, choose from the following:


● Add a single user
● Add a group of users in bulk

Creating a Single User


For adding a single user, choose the Create User request from the Actions drop down and fill out the
rest of the fields ensuring the proper role is selected for this user.
This figure shows the add new user screen for a Super Admin role.

Click the Create User button to persist this user. If ‘Send welcome email’ is checked, an email is sent to
the user telling them that they now have access to MVISION Mobile Threat Detection Application and
where to download it. The text can be changed via the Message Templates in the Manage page.
The user can then download MVISION Mobile Threat Detection Application to their device by clicking
the proper link while on their device.

Creating Multiple Users


To upload multiple users, click the Upload Users request on the Actions drop down. Select the
appropriate role for the users. You then browse to your CSV file or drag a CSV file to add the users in the
file.
Any password information is ignored for users when the End User role is selected. The figure also shows
the informational message displayed when you request to upload users with the role of End User.

About the CSV File to Add Users


To add multiple users, you can create a CSV file with the format described in this section. For some
uploads there are common settings for all users as follows:

● Password: To set a common password instead of individual passwords, administrators can leave
the password empty in the CSV file and set the common password for all users on the page.
Note that passwords do not apply to users with the ‘End User’ role.
● Role: This field defines the access permissions for the new users.

Email, First Name, Last Name, Password
user1@mcafee.com, John1, Doe1, zPassword1234
user2@mcafee.com, John2, Doe2, zPassword1234
user3@mcafee.com, John3, Doe3, zPassword1234
user4@mcafee.com, John4, Doe4, zPassword1234
user5@mcafee.com, John5, Doe5, zPassword1234
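
A pre-upload check for a file in this format, added here as an example (it is not McAfee's code and not the console's own validation). The column layout and role names come from this guide; the header row being part of the file, the minimum length of 8 and the sample rows are assumptions.

```python
import csv
import io
import re

EXPECTED_HEADER = ["Email", "First Name", "Last Name", "Password"]
# Deliberately loose: catches obvious typos, not every invalid address.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def check_user_csv(text, role, common_password_set=False, min_password_len=8):
    """Return (line_number, message) findings for a bulk-upload CSV.

    role                -- role selected on the Upload Users page
    common_password_set -- True if one password for all users is set on the page
    min_password_len    -- assumed value; mirror the console's Password Policy
    """
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    rows = [(reader.line_num, [c.strip() for c in row]) for row in reader if row]
    if not rows:
        return [(0, "file is empty")]

    findings = []
    header_line, header = rows[0]
    if header == EXPECTED_HEADER:
        data = rows[1:]
    else:
        findings.append((header_line, "first line is not the expected header"))
        # If the first line already looks like a user, check it as data too.
        data = rows if "@" in header[0] else rows[1:]

    seen = {}  # lower-cased email -> line where it first appeared
    for line, row in data:
        if len(row) != 4:
            findings.append((line, f"expected 4 fields, found {len(row)}"))
            continue
        email, first, last, password = row
        if not EMAIL_RE.match(email):
            findings.append((line, f"malformed email: {email!r}"))
        key = email.lower()
        if key in seen:
            findings.append((line, f"duplicate of line {seen[key]}: {email}"))
        else:
            seen[key] = line
        if not first or not last:
            findings.append((line, "missing first or last name"))

        if role == "End User":
            # The guide states passwords are ignored for this role, so a
            # password here is only a secret sitting in a file for no reason.
            if password:
                findings.append((line, "password is ignored for End User; remove it"))
        elif common_password_set:
            if password:
                findings.append((line, "row has its own password although a common "
                                       "password is set; confirm which should apply"))
        elif not password:
            findings.append((line, "no password and no common password set"))
        elif len(password) < min_password_len:
            findings.append((line, "password shorter than the assumed minimum"))
    return findings


# Constructed sample input (not from the guide).
SAMPLE_CSV = """Email, First Name, Last Name, Password
alice@example.com, Alice, Ng, Corr3ct-Horse-Battery
bob@example.com, Bob, Ruiz,
Alice@Example.com, Alice, Ng, short
carol.example.com, Carol, Diaz, An0ther-Long-One
"""

if __name__ == "__main__":
    for role in ("L1 Support", "End User"):
        print(f"--- role: {role}")
        for line, message in check_user_csv(SAMPLE_CSV, role):
            print(f"line {line}: {message}")
```

Because the file carries plaintext passwords for every role other than End User, delete it after the upload or leave the column empty and set the common password on the page instead.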

If the ‘Send welcome email’ checkbox is checked, then an email is sent to the users telling them that
they now have access to MVISION Mobile Threat Detection Application. You can change this email
message text from ‘Message Templates’ on the Manage page.
Users synchronized via an MDM integration appear in the listing with the ‘End User’ role. Most MDM
integrations support an auto-activation when MVISION Mobile Threat Detection Application starts up.
See the specific MDM Integration guides in the Customer Portal for more information. Also see the “MDM
Activation” section in this guide.

Updating and Deleting a User


To update or delete a user, select the Users page in the MVISION Mobile Console. Then, click the expand
icon, and the user information is displayed with buttons to either Delete or Save. You can do the
following within this page:

● Change attributes about a user
● View the expiration date on the activation link
● Reload a new activation link
● Copy the activation link to the clipboard to send it to the user
● Reset Two Factor Authentication (See “Two Factor Authentication” section for more
information.)
● Delete the user
Note: The activation link expires seven days from when it was generated. The MVISION Mobile
Console displays the date the link expires.

MVISION Mobile Threat Detection Application Activation
For all devices, the MVISION Mobile Threat Detection Application on-boarding is done with an activation
link or a domain name login.

On-Boarding with Activation Links


An activation link is a URL that activates one or more devices.

● Devices can be activated within device groups or individually associated to a user.
● With MDM integration, users can be activated individually. See the “MDM Activation” section
for more information.
The activation link from a device group can be distributed to users. The link activates the MVISION
Mobile Threat Detection Application on a limited number of devices. The default expiration for the
device group activation link is one year.

The activation link for a user can be distributed to a specific user. The link activates the MVISION Mobile
Threat Detection Application and associates the device to the user. By default, a maximum of ten
activations can be used for a single user. The default expiration for the user activation link is seven days.

On-Boarding with Domain Name


An alternative for some customers is to enter their domain name, such as “example.com” on the startup
of MVISION Mobile Threat Detection Application. Domain-based logins can be used by customers that
have an integration with a supported identity provider. If the domain name is known by the MVISION
Mobile Threat Detection Application, then activation proceeds using the single sign-on activation flow.

MDM Activation
For customers activating devices with an MDM, the Manage page has additions for the MDM settings.
On the MDM tab, there is an activation link provided for managed devices. This activation link is used
along with appending the MDM device identifier. The default expiration of this activation link is one year
from when the activation link was generated. The MVISION Mobile Console page displays the expiration
date and time.

Initially, a partial MDM activation link is provided and has the format:

https://activation.mcafee.com/activation?token=<token>

where <token> is the generated token from the MVISION Mobile Console.

The final MDM activation link needs the MDM device identifier appended and has the format:

https://activation.mcafee.com/activation?token=<token>&MDM_ID=<MDM Device Identifier>

where:
• <token> is the generated token from the MVISION Mobile Console.
• <MDM Device Identifier> is the device identifier as known by the MDM system.
Note: You must add the text “&MDM_ID=” preceding the MDM device identifier value.

This table provides the specific device identifier needed for the different MDM systems.

| MDM System | MDM Device Identifier Variable |
|---|---|
| AirWatch MDM | {DeviceUid} |
| BlackBerry UEM MDM (BES) | iOS: %IOSUDIdentifier%; Android: %DeviceIMEI% |
| Citrix MDM | $device.id |
| MobileIron MDM | Core: $DEVICE_UDID$; Cloud: ${devicePK} |

Note: The BlackBerry Dynamics MDM and Microsoft Intune MDM are not listed because they do not use
activation link enrollment. The BlackBerry UEM %IOSUDIdentifier% value is for iOS only, and for Android
the IMEI needs to be used (BlackBerry UEM does not yet support UDID value for Android).
The administrator sends the concatenated activation link by email, text, or a push notification to users
along with instructions to accept the MVISION Mobile Threat Detection Application app being pushed to
them.
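
A helper that checks the partial link copied from the MDM tab and appends the right identifier variable, added here as an example (not McAfee's code). The host, path, parameter names and variables are the ones shown in this guide; the function names and the token value `EXAMPLE-TOKEN` are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

ACTIVATION_HOST = "activation.mcafee.com"  # host shown in the guide's link format

# Identifier variables from the guide's table, keyed by (MDM system, variant).
MDM_ID_VARIABLES = {
    ("AirWatch", None): "{DeviceUid}",
    ("BlackBerry UEM", "iOS"): "%IOSUDIdentifier%",
    ("BlackBerry UEM", "Android"): "%DeviceIMEI%",
    ("Citrix", None): "$device.id",
    ("MobileIron", "Core"): "$DEVICE_UDID$",
    ("MobileIron", "Cloud"): "${devicePK}",
}


def check_partial_link(link):
    """Return a list of problems with the partial activation link."""
    problems = []
    parts = urlsplit(link.strip())
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.scheme != "https":
        problems.append("link must use https")
    if parts.hostname != ACTIVATION_HOST:
        problems.append(f"unexpected host: {parts.hostname}")
    if parts.path != "/activation":
        problems.append(f"unexpected path: {parts.path}")
    tokens = query.get("token", [])
    if len(tokens) != 1 or not tokens[0]:
        problems.append("exactly one non-empty token parameter is required")
    if "MDM_ID" in query:
        problems.append("MDM_ID is already present; start from the partial link")
    return problems


def build_mdm_link(partial_link, mdm, variant=None):
    """Return the final link: partial link + '&MDM_ID=' + the MDM's variable."""
    problems = check_partial_link(partial_link)
    if problems:
        raise ValueError("; ".join(problems))
    try:
        variable = MDM_ID_VARIABLES[(mdm, variant)]
    except KeyError:
        raise ValueError(f"no identifier variable listed for {mdm} / {variant}") from None
    # Appended verbatim, as in the guide's format: the variable is a
    # placeholder written in the MDM's own syntax, so it is not percent-encoded.
    return partial_link.strip() + "&MDM_ID=" + variable


def mdm_id_of(link):
    """Return the raw MDM_ID value of a final link, or None if it has none.

    The value is read from the raw query string. A URL decoder would treat the
    "%De" at the start of %DeviceIMEI% as a percent escape and corrupt the name.
    """
    for pair in urlsplit(link).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "MDM_ID":
            return value
    return None


if __name__ == "__main__":
    partial = "https://activation.mcafee.com/activation?token=EXAMPLE-TOKEN"
    for mdm, variant in MDM_ID_VARIABLES:
        print(f"{mdm} {variant or ''}".strip(), "->", build_mdm_link(partial, mdm, variant))
    # A link whose host only resembles the expected one is rejected.
    lookalike = "https://activation.mcafee.com.example.net/activation?token=EXAMPLE-TOKEN"
    print(check_partial_link(lookalike))
```

Both activation links act as enrollment credentials until they expire, so the host and scheme checks are worth running on any link that arrives by email or chat before it is pasted into an MDM profile.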

Threat Response Policy/Matrix (TRM)
The Threat Response Policy, also referred to as Threat Response Matrix (TRM), defines the actions that
MVISION Mobile Threat Detection Application is to take upon detecting an event. Among the options
are: enabling or disabling detection of a specific threat classification; whether to alert the user; the
text of the alert; the protection actions to take, either local at the device or MDM related; and whether
an email, an SMS text, or both are to be sent to the logged in Administrator. When done changing these
options, click Deploy to send the new TRM to the currently logged in MVISION Mobile Threat Detection
Application devices. When integrated with an MDM, each group used for integration is created as an
MVISION Mobile Console group with its own TRM. Select which TRM to change at the top of the page in the
‘Selected Group’ selection box. Only the users/devices in the selected MVISION Mobile Console Group
receive the changed TRM.
A sample TRM shows these options:

Enable
The MVISION Mobile Console administrator has the option of disabling certain threat detections and
therefore the collection of the associated forensics. Event severities of Elevated or lower can be disabled
by unchecking the radio button in the row of the event to be disabled under the Enable column. This is
effective after TRM deployment to the MVISION Mobile Threat Detection Application clients.
The default for a new tenant has all threats enabled. For newly introduced threats, for instance a new
release with an existing MVISION Mobile Console, the default is a disabled threat. This way an
administrator can add these in when needed.

Severity
The administrator has the option of changing the threat severity levels. This is useful for different
business cases. Options are: Critical, Elevated, Low and Normal.

Threat
The threats listed in the Threat column represent the classes of threats that MVISION Mobile Threat
Detection Application detects. Since MVISION Mobile Threat Detection Application is based on the
behavioral engine, there is no concept of defining what a threat looks like via signature. Instead, threat
classes are recognized by MVISION Mobile Threat Detection Application, which is able to determine in
real time when a malicious event is happening. See “Appendix A - Threat Classifications” for the full list
of threats.

Set User Alerts


User alerts can be enabled or disabled for all event severities by clicking the radio button checked
(enabled) or unchecked (disabled) in the Set User Alert column in the row of the threat to be changed. If
the User is to be alerted, the MVISION Mobile Console administrator has the option of choosing which
languages to define and the text to use.
Multiple languages can be set up at the same time. The language defined on the device is the one that is
used in the alert to the user. Select the language to add, and the text to be displayed for this event. The
Button Label provides a button that the user can press to be taken to a website or to dial a number. To
set up a link, enter a valid URL in the Button Link such as: http://helpdesk.mycorp.com or,
tel://9735551212 to have the phone dial that number when pressed.

MVISION Mobile Threat Detection Application supports the optional use of variables within the user
alert messages displayed to the user. These variables can be inserted into the user alert text specified on
the Policy page of the MVISION Mobile Console as shown in the table. See “Appendix D - Table of
MVISION Mobile Threat Detection Application Threat Variables” for the list of threat variables.

This example shows a user alert message for a MITM network attack which uses one of these variables:

MVISION Mobile Threat Detection Application detected a network attack. The
communication between your device and the network named [wifi_ssid] was
intercepted. The attacker can hijack traffic and steal credentials or deliver malware to
your device.

Action/Protection
The protection actions can be applied on device or via MDM integration if one is configured. On-device
actions include Disable Wi-Fi (Android Only) and VPN (iOS Only). MDM actions allow the MDM to
enforce actions on the device or whatever the MDM administrator has set up. Multiple MDM Protection
items can be used in the TRM depending on the threat severity level and use case.

Device Action
Device Actions do not require integration with an MDM (except for the iOS
Disconnect Wi-Fi action). The following actions are available from Android and iOS
MVISION Mobile Threat Detection Application:

Android:
● Disable Bluetooth: Disable the Bluetooth adaptor and disconnect any current Bluetooth
connections.
● Disconnect Wi-Fi: Disable the Wi-Fi adaptor and fall back to cell data (3G/4G) if enabled. The
user can then enable the Wi-Fi adapter when they are safe.
● Isolate From Network (KNOX): This disables any network communications from apps that are
malicious but not yet uninstalled. (Requires MVISION Mobile Threat Detection Application to be a
Device Admin app).
● Network Sinkhole: If Network Sinkhole Settings are configured in the Manage page, this option
displays here. The action either blocks or allows defined network ranges/domains based on an IP
network/mask and domains configured. Further information is available in the Network Sinkhole
Settings section of this document.

iOS:
● Disable Bluetooth: Disable the Bluetooth adaptor and disconnect any current Bluetooth
connections.
● Enable VPN: If VPN Settings have been configured in the Manage page, this option displays here.
Choose this option to bring up the defined VPN in response to a threat.
● Network Sinkhole: If Network Sinkhole Settings are configured in the Manage page, this option
displays here. The action either blocks or allows defined network ranges/domains based on an IP
network/mask and domains configured. Further information is available in the Network Sinkhole
Settings section of this document.
● (Optional) Disconnect Wi-Fi: A Disconnect Wi-Fi option for iOS is displayed if there is an AirWatch
integration functioning. AirWatch is the only solution that supports the ‘Disconnect Wi-Fi’ option at
this time. When selected, a Wi-Fi profile is pushed down to the device through the MDM that
effectively disconnects from the currently connected SSID. The Wi-Fi on the device then fails over to
the next available SSID or cell data (3G/4G) if no SSIDs are available.

MDM Action
To enable an MDM action item, on the same row as the threat to be
configured, pull down the list under the MDM Action column and choose the
group to be applied to the device when this particular threat is detected.
MVISION Mobile Console securely communicates with the MDM API and
makes the assignment as defined in the selection. To remove an MDM action
from occurring for a threat classification, change the threat MDM Action to
“No Action”.

Mitigation Action
When a threat that was detected by McAfee MVISION MTD has been
remediated, and is no longer posing a threat to the device, the administrator
can define specific actions that can be taken on the customer’s MDM.

For example, when a device is detected to be under an ARP MITM attack, it can be prevented from
accessing various corporate resources. When the device is moved to a clean network, the
administrator can automatically allow the device to access those resources again.

The Mitigation Action column can be used for this function. To remove the action that was performed as
a response to a threat that is now mitigated, choose ‘Remove’. This action removes the device from the
group it was assigned to when the threat was detected. The Administrator can also move the device to
another group available on the MDM.

Due to the nature of some threats, not all threat classifications can be mitigated. The table provides
possible mitigation actions for a threat.

| Threat | Mitigation when the following event/s occur |
|---|---|
| Application Closed by user, Dormant App | When MVISION Mobile Threat Detection Application is started again |
| All MITMs | When the device connects to a different BSSID |
| Root/Jailbroken | When the root flag we use to display on devices changes from true to false. |
| EOP, system tampering, Abnormal Process Activity | No mitigation, the only mitigation is to flash the device since it has been compromised. |
| USB Debugging | When USB debugging is disabled. |

Notifications
The currently logged in administrator can set up an email or SMS notification process for each specific
threat. SMS notifications require the administrator telephone information to be set up in the User page
of a given Administrator. Each email/SMS contains an Event summary and a link to the actual event that
can be viewed in a browser after logon.

Manage
The Manage page provides a way for the MVISION Mobile Console administrator to configure privacy,
MDM, and VPN settings for the environment, and a view to the audit logs that collect all activity on the
MVISION Mobile Console including MDM connections.

General Settings
The General tab provides basic information about the environment and an alternate location for
changing the language selected for the MVISION Mobile Console. It also provides the option to change
the password of the currently logged in administrator.

Configuration elements for the General tab:

● Preferred Language: Choose the language used for MVISION Mobile Console. Current options
are: English, Japanese, Hebrew.
● Options for MVISION Mobile Threat Detection Application with root access:
○ Process Termination: This is a special option for when MVISION Mobile Threat Detection
Application is built into the firmware of a device on Android and has root access. When
‘Enable Process termination policy’ is selected, the ‘Terminate Process’ option appears
under the Device Actions column in the Policy page. This policy allows MVISION Mobile
Threat Detection Application with root access to stop an abnormal process from running.
○ Switching detection: This does not depend on MVISION Mobile Threat Detection Application
having root access and applies to both iOS and Android. When the ‘Enable switching detection
on/off’ is selected, MVISION Mobile Threat Detection Application detection can be disabled
from the console and the device status changes to ‘Not Detecting’. When MVISION Mobile Threat
Detection Application detection is disabled, it shows up with a red background in the Devices
page of MVISION Mobile Console.
● Danger Zone:

When the option to ‘Enable the Danger Zone feature in MVISION Mobile Threat Detection
Application’ is selected, the MVISION Mobile Threat Detection Application app provides an
option in the user interface to display the Danger Zone map globally in the customer's
environment. When not selected, this option is removed from MVISION Mobile Threat
Detection Application. Danger Zone is disabled by default.

● Site Insight:
When the option to ‘Enable the Site Insight feature in MVISION Mobile Threat Detection
Application’ is selected, the Android MVISION Mobile Threat Detection Application app
intercepts URL requests from non-browser apps to validate they are not malicious. If a malicious
URL is found, the user is alerted, and proper actions are taken according to the settings in the
Threat Response Policy/Matrix.

● Password Policy:
Define the password requirements for MVISION Mobile Console users.
○ Minimum password length
○ Required password elements
○ Maximum repeating characters
○ Verify that the new password was not used in the past “X” passwords
○ Define how often the password must be changed
○ Define how many failed attempts before triggering an account lock
○ Define the account lock out time in minutes

● Device Inactivity Configuration:
This configuration controls how long to wait before determining that a device is dormant:
○ Allowed Inactivity Time: The maximum time a device can be inactive before the device is
entered into the warning timer aka Grace Period. Enter a valid number in the left box and
choose Seconds/Minutes/Hours in the right box.
○ Warning Interval (Grace Period): After the device exceeds the Allowed Inactivity Timer, it
enters the grace period when it receives warnings. If more than one warning is required, this
is the interval in between warnings. Enter a valid number in the left box and choose
Seconds/Minutes/Hours in the right box.
○ Max Warnings: The number of warnings that can be sent to the device in the grace period.
An entry of “0” disables the grace period.

Privacy Settings
We value privacy and provide a granular approach that allows an MVISION Mobile Console
administrator to decide what information to collect when an event occurs.
In the Privacy page, the MVISION Mobile Console administrator has the option of configuring what type
of forensics data is collected when an event occurs for each MVISION Mobile Console Group defined.

The following forensics data templates are included: High, Medium, Low, and GDPR. A fourth option,
Custom, allows the administrator to completely control what data gets collected. Select which Group
the privacy settings apply to and then select the template: High, Medium, Low, or GDPR.
To change the Custom template, select Custom as the template and then click Settings to manage the
configuration.
When a new setting is selected, click Deploy to ensure that the update reaches the MVISION Mobile
Threat Detection Application. To verify that the settings have been downloaded, users can navigate to
the Advanced Details page from any page in MVISION Mobile Threat Detection Application by tapping
the menu option list, located in the top right corner, and then pressing the About MVISION Mobile
Threat Detection Application option for 1–2 seconds. Information is collected for the following time
frames:
● At Login: Forensics reported when the user starts MVISION Mobile Threat Detection
Application.
● Threat: Forensics reported when a threat is detected.
● Periodic: Forensics reported each time MVISION Mobile Threat Detection Application checks in
to the MVISION Mobile Console. This also includes events that are reported when the Wi-Fi is
toggled OFF/ON on an Android device and when the screen is locked and then unlocked on an
iOS device.

Default entries and availability include:

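| Item | Collect at: Login | Collect at: Threat | Collect at: Periodic | Template: High | Template: Medium | Template: Low | Template: GDPR | Device OS: iOS | Device OS: Android |
|---|---|---|---|---|---|---|---|---|---|
| Location: Street | Y | Y | Y | Y | N | N | N | Y | Y |
| Location: City | Y | Y | Y | N | Y | N | N | Y | Y |
| Location: Country | Y | Y | Y | N | N | Y | N | Y | Y |
| Application Binaries | Y | n/a | Y | Y | Y | N | N | N | Y |
| Network | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Device | Y | n/a | n/a | Y | Y | Y | Y | Y | Y |
| Application Forensics | Y | Y | Y | Y | N | N | N | N | Y |
| Carrier Information | Y | n/a | n/a | Y | Y | Y | Y | Y | Y |
| User Details | Y | n/a | n/a | Y | Y | N | N | Y | Y |
| Running Processes | N | n/a | n/a | Y | Y | Y | Y | N | Y |
| Attackers Network | N | Y | N | Y | Y | Y | Y | Y | Y |
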

MDM Settings
The MVISION Mobile Console environment can synchronize with multiple MDM instances. Each MDM
vendor is unique and requires slightly different parameters for integration, which are detailed in the
vendor-specific MDM Configuration Guides located in the Customer Support Portal. Only AirWatch,
Microsoft Intune, MobileIron, and UEM Dynamics are currently supported for the new multiple MDM
functionality.

To configure an MDM integration, navigate to the Manage page and click the MDM tab. This figure
shows the window that displays.

Click the Add MDM button and choose the MDM to use:

Follow the instructions to complete the MDM integration in the specific vendor-related MDM guide in
the Customer Support Portal. In general, after the MDM has been selected and the basic parameters
have been provided, the next screen allows the administrator to select which groups to use for
synchronization.

To select a group for synchronization, click the green plus sign in the left column next to the group to be
used. This moves that group to the ‘Selected MVISION Mobile Console Groups’. It can be removed by
clicking the red minus sign. Then, if more than one group has been selected, set the order of priority by
dragging and dropping groups from highest to lowest priority. In the screenshot shown below, the
groups ‘BB Protected Integrated’ and ‘BB Protected MVISION Mobile Threat Detection Application’ are
used for synchronizing users/devices. If a user is in more than one of these groups, the user is associated
with the top-most group (where they are a member) for the policy and privacy settings in MVISION
Mobile Console.

If the option to remove an MDM configuration is selected, a pop-up message appears to ensure the
administrator knows that when an MDM is removed, all devices and users are removed as well. They can
choose to continue or cancel the action.

To add another MDM integration, click Add MDM and enter the parameters for that MDM. The groups
used for integration appear with the vendor name appended to the group name being used for
synchronization.

To change the groups used for synchronization or other parameters, you can click Edit for that MDM
integration. Also, to perform a manual synchronization, click Sync Now for the specific MDM
integration.

When you add or edit an MDM several options are provided. For instance, the URL of the MDM
provider, username, and password are required. In addition, you can set the email values described in
this table.

| Option | Description |
|---|---|
| Send Device Activation Email for iOS Devices | By enabling this option, MVISION Mobile Console sends an activation email to a user for each iOS device that is synced from the MDM. |
| Send Device Activation Email for Android Devices | By enabling this option, MVISION Mobile Console sends an activation email to a user for each Android device that is synced from the MDM. |

These email options support sending activation links for the MVISION Mobile Threat Detection
Application app. If you did not enable these email options when the MDM was created, and later enable
these options during an edit, the email is sent for all synchronized devices (matching the iOS and
Android selections). At the device level, an invitation email can also be requested again.

In addition, an administrator can change the activation email text to customize this message.

When multiple MDM integrations are configured, MVISION Mobile Console groups take on the form of
the MDM Name ‘-’ and then the group name from the MDM. The MDM name is configurable when the
MDM integration is set up. Using the default MDM Names, the figure shows sample groups.

Groups Under the Manage Page and Privacy Tab

Each MVISION Mobile Console Group has its own Privacy policy and can be changed by selecting the
group in the ‘Selected MVISION Mobile Console Group’ input box.

VPN Settings
iOS devices can have VPN configurations defined by the MVISION Mobile Threat Detection Application
that runs on the device. This VPN can be enabled when an event occurs which in turn allows the device
to be protected from all network-based threats. To configure the VPN, add the user name, password,
server address, shared secret, group name, and a short description in this page. The only currently
supported VPN type is IPSEC.
When the VPN is configured, the action shows in the policy page under Device Action.

Network Sinkhole Settings


For iOS and Android devices, an action can be enabled in the Threat Response Policy/Matrix to sinkhole
network routes or domains. This is set up on the Manage page by choosing the Network Sinkhole
Settings tab and choosing one of two options shown below:

● To ONLY allow access to a set of destination networks or domains.
● To BLOCK all access to a set of destination networks or domains.

Choose the option for your use case and add the affected networks using the network and mask entries.
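
A small model of the two sinkhole options for checking a planned list before deploying it, added here as an example (not McAfee's code and not the product's matching logic). The mode names, the rule that a listed domain also covers its subdomains, and all addresses and domains are assumptions made for the illustration.

```python
import ipaddress


class SinkholePolicy:
    """Model of the two options: allow ONLY the listed set, or BLOCK the listed set."""

    def __init__(self, mode, networks=(), domains=()):
        if mode not in ("allow_only", "block"):
            raise ValueError("mode must be 'allow_only' or 'block'")
        self.mode = mode
        # Accepts "network/mask" in either 10.20.0.0/255.255.0.0 or 10.20.0.0/16
        # form. strict=True rejects entries with host bits set, which is the
        # usual sign of a mistyped network or mask.
        self.networks = [ipaddress.ip_network(n, strict=True) for n in networks]
        self.domains = [d.lower().rstrip(".") for d in domains]

    def _listed(self, destination):
        dest = destination.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            # Not an IP literal: compare as a domain name.
            # Assumption: a listed domain matches itself and its subdomains.
            return any(dest == d or dest.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.networks)

    def permits(self, destination):
        """True if traffic to destination would still flow with the action active."""
        listed = self._listed(destination)
        return listed if self.mode == "allow_only" else not listed


def cut_off(policy, must_reach):
    """Return the destinations in must_reach that the policy would sinkhole."""
    return [d for d in must_reach if not policy.permits(d)]


if __name__ == "__main__":
    # Constructed values: one internal range and one corporate domain.
    networks = ["10.20.0.0/255.255.0.0"]
    domains = ["corp.example"]
    # Destinations a device under response should still be able to reach.
    must_reach = ["mdm.corp.example", "helpdesk.example.org", "10.21.0.1"]

    for mode in ("allow_only", "block"):
        policy = SinkholePolicy(mode, networks, domains)
        print(mode, "cuts off:", cut_off(policy, must_reach))

    # A mask that does not fit the network address is caught at load time.
    try:
        SinkholePolicy("block", ["10.20.1.5/255.255.0.0"])
    except ValueError as err:
        print("rejected entry:", err)
```

The allow-only option drops everything that is not listed, so run the check against every destination the device needs while the action is active; the model does not resolve names, so a hostname that resolves into a listed network is compared as a domain only.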

About Audit Logs


Activity is monitored and logged in the Audit Log. For instance, activities include the following:

• Admin Account creation and login and times/dates
• MVISION Mobile Console admin account login times/dates
• Policy change/deployment activity
• MDM Sync Activity (see below for more information about MDM sync logs)
• Malware activity
• Privacy settings activity
• Events activity

More detail can be retrieved for MDM Sync Event information by clicking the More button for the
appropriate synchronization. Each time an MDM synchronization occurs, MVISION Mobile Console
records statistics for the event and, if there was an issue with the event, what the issue was. The
screenshot on the left shows a successful MDM synchronization event and the screenshot on the right
shows a typical failure. This information can be used to determine the root cause of the MDM
synchronization failure.

Role Definitions
The default Role definitions are listed below and can be changed by a System Admin by navigating to the
Manage page and clicking the Roles tab. Once there, select the Role to edit and a new window displays
with options for that Role. Note the following rules:

• Roles are effective at user login. If a change is made that affects a user's role and the user is
logged into MVISION Mobile Console at the time of the change, then the user needs to log out
and log back in for the new role information to be effective.
• Admins with lesser permission roles cannot change their roles to be that of a higher permission
role. For instance, an L1 Support Role person cannot change their role to be a System Admin.

To change a role, navigate to the Manage menu and then the Roles tab. The figure below shows the
resulting screen.

Find the Role to be changed and click the pencil icon to the right for that Role. Deselect or check items in
the View and Edit columns and then click Save. Some of the role settings are shown in the following
figures:

Set 1 Set 2 Set 3

The following table provides the default role settings.

| Access | System Admin | Mobility Admin | Security Admin | L1 Support | L2 Support | Risk/Compliance | End User |
|---|---|---|---|---|---|---|---|
| MVISION Mobile Threat Detection Application | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Dashboard | View/Edit | View only | View/Edit | View/Edit | View only | View only | None |
| Threat Log | View/Edit | View only | View/Edit | View/Edit | View only | View only | None |
| Apps | View/Edit | View only | View/Edit | View only | View only | None | None |
| Devices | View/Edit | View only | View/Edit | View only | View only | View only | None |
| Profiles | View/Edit | View only | View/Edit | View only | View only | View only | None |
| Users | View/Edit | View only | View/Edit | View only | View only | View only | None |
| Policy | View/Edit | View only | View/Edit | View only | View only | None | None |
| OS Risk | View/Edit | View only | View/Edit | View only | View only | View only | None |
| Manage | View/Edit | View only | View only | None | View only | None | None |
| Info | View/Edit | View only | View only | None | View only | None | None |
| Privacy Settings | View/Edit | None | None | None | View only | None | None |
| MDM Settings | View/Edit | View/Edit | View only | None | View only | None | None |
| VPN Settings | View/Edit | None | View/Edit | None | View only | None | None |
| Audit Log | View/Edit | View only | View only | None | View only | None | None |
| Roles | View/Edit | None | None | View only | None | None |

Message Templates
MVISION Mobile Console provides a way for the Administrator to change the messages sent to users
during the user lifecycle. To verify or change the messages, navigate to the ‘Manage’ page and then
the ‘Message Templates’ tab. The following message templates can be viewed or changed:

• Threat Notification
• Change Password Confirm
• CSV Export
• Pending Activation
• Inactive Device
• Forgot Password
• Invite User
• MDM Device Activation Link
• Welcome After Invite

This figure shows the list of available message templates.

To view or change a template, click the pencil icon to the right of the template and an editor appears
with the current template content. Content in the messages can contain system variables that are
replaced with the user-specific information when sent to the user. Images can also be dragged into the
message as needed.

An HTML edit option is available by clicking the </> symbol. This action displays the current message as
HTML and links to images and other items that can be added along with other HTML content.

Message Template Variables

| Variable Name | Description |
|---|---|
| name | Displays the full name of the user. |
| admin_login | Used in a conditional statement in the template to show certain text in email only if the user has admin access to the console. |
| dashboard_name | Displays a URL link to the MVISION Mobile Console. |
| user_email | Displays the user's email address. |

Appendix A – Threat Classifications
The threat classification information moved to a separate document. See “MVISION Mobile Console
Threat Reference Guide” for the list of threats.

Appendix B - MDM Capabilities Matrix

| | AirWatch VMware | BlackBerry UEM | BlackBerry Control Server | Citrix | MobileIron | Microsoft Intune |
|---|---|---|---|---|---|---|
| Minimum Version | 7.3 | 12.4(1) | 1.0 | 10.4 | CORE 8.0/Cloud | Current SaaS |
| Deploy iOS app with plist | Y | Y(1) | NA (use MVISION Mobile Threat Detection Application for BlackBerry) | Y | Y | Y |
| iOS Wi-Fi Disconnect Profile | Y | N | N | N | N | N |
| Sync Device groups | Y (Smart Groups) | Y (User Groups) | All Enrolled Users | Y (Delivery Groups) | Y (Labels)/Device groups | Y (AD groups) |
| Support Ad Hoc MDM Sync | Y | Y | Y | N | Y | Y |
| MDM Action (Fixed or configurable by assigning to group) | Configurable | Fixed (lock or wipe device) | Fixed (lock or wipe containers) | Fixed (Lock or remove managed apps) | Configurable | Send device risk posture to Intune |
| Retrieve managed profiles from iOS | Y | N | N | N | N | Y |
| Retrieve unmanaged profiles from iOS | N | N | N | N | N | Y |
| Mitigation Actions | Y | N | N | N | Y | Y |

Notes:

(1) BES 12.6 is required to push app configuration information to the iOS MVISION Mobile Threat
Detection Application.

Appendix C – Google Android for Work Implementation with MVISION
Mobile Threat Detection Application

Google Android for Work provides an environment to separate your business app data from your
personal app data. Applications in the Work profile of Android for Work run in a protected
workspace that is separate from the personal side of the device. For example, the Android for Work
‘Contacts’ app has different contacts than the personal ‘Contacts’ app. Applications running in the
work profile can only see other applications and processes in the work profile.

When implementing MVISION Mobile Threat Detection Application on a device with Android for Work,
there are three supported configurations:
1) Running MVISION Mobile Threat Detection Application in the Work profile of the device.
   a. Monitor apps installed in the Work profile.
   b. Monitor Network behavior on the device.
   c. Monitor abnormal behavior on the device.
2) Running MVISION Mobile Threat Detection Application in the Personal profile of the device.
   a. Monitor apps installed in the Personal profile.
   b. Monitor Network behavior on the device.
   c. Monitor abnormal behavior on the device.
3) Running MVISION Mobile Threat Detection Application in the Work profile and MVISION Mobile Threat
   Detection Application in the Personal profile. This provides the best protection.
   a. Monitor apps installed in both the Personal and Work profile.
   b. Monitor Network behavior on the device.
   c. Monitor abnormal behavior on the device.

MVISION Mobile Threat Detection Application has been specifically designed to work best using option
(3) above.

Appendix D – Table of MVISION Mobile Threat Detection Application
Threat Variables

MVISION Mobile Console supports the optional use of variables within the user alert messages displayed
to the user. These variables can be inserted into the user alert text specified on the Policy page. This
figure shows the user message configuration screen.

The following table lists the variables and their definition.

| Variable | Definition |
|---|---|
| [wifi_ssid] | The name of the Wi-Fi network the device was connected to during the detected attack. |
| [date] | Date of the attack. |
| [ip] | IP address of DNS, gateway, or network proxy. |
| [app_name] | Name of detected malicious application. |
| [host_app_name] | The host app name. |
| [profile_name] | The profile name. |
| [os_version] | The operating system version. |
| [blocked_domain] | The blocked domain name. |

The following is an example of a user alert message for a MITM network attack that uses one of these
variables:

MVISION Mobile Threat Detection Application detected a network attack.


The communication between your device and the network named [wifi_ssid]
was intercepted. The attacker can hijack traffic and steal credentials
or deliver malware to your device.
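The following Python sketch is an added example, not part of the product guide or of the console's own code. It checks a draft user alert for bracketed names that the variable table does not list and renders a preview with sample values. The substitution logic, the `clean` helper, and the sample values are assumptions made for illustration. Values such as the Wi-Fi network name are reported from the environment the device was in, so the preview treats them as untrusted text.

```python
import re

# The eight variables listed in the table above.
SUPPORTED = {"wifi_ssid", "date", "ip", "app_name", "host_app_name",
             "profile_name", "os_version", "blocked_domain"}
PLACEHOLDER = re.compile(r"\[([^\[\]\s]+)\]")


def unknown_variables(template):
    """Return bracketed names in the template that the table does not list."""
    return sorted({name for name in PLACEHOLDER.findall(template)
                   if name not in SUPPORTED})


def clean(value, limit=64):
    """Make a reported value safe to preview: printable characters, bounded length."""
    printable = "".join(ch if ch.isprintable() else "?" for ch in str(value))
    return printable[:limit]


def preview(template, values):
    """Substitute supported variables that have a value; leave the rest untouched."""
    def substitute(match):
        name = match.group(1)
        if name in SUPPORTED and name in values:
            return clean(values[name])
        return match.group(0)
    return PLACEHOLDER.sub(substitute, template)


# The MITM alert text from the guide, followed by constructed sample input.
MITM_ALERT = ("The communication between your device and the network named "
              "[wifi_ssid] was intercepted.")

if __name__ == "__main__":
    print(unknown_variables("Blocked [blocked_domian] on [date]"))
    print(preview(MITM_ALERT, {"wifi_ssid": "Cafe\nFree WiFi"}))
```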
