Mobile Device Policies / Last Seen

itguy1024
Level 1

Can someone help explain how mobile devices (Android / iOS) are handled with AMP? We have a small batch of test devices with Secure Endpoint installed and policies assigned. A few issues / questions:

- The policies have almost no options to do tasks like scheduled scans or exclusions?
- There's no way to initiate a scan from the AMP portal?
- The device only checks in (last seen) when the Secure Endpoint app is opened?

1 Reply

Shikhar Prakash
Cisco Employee

Hello,

To answer your queries.

Q. The policies have almost no options to do tasks like scheduled scans or exclusions?

A. A policy for the Secure Endpoint iOS connector or Android connector contains fewer options due to the nature of the device. Many settings for the connector are handled through the Mobile Device Manager (MDM).

Secure Endpoint Android Connector does real-time scanning when new apps are installed.

Under the Android policy you have:

Outbreak Control:

The Custom Detections - An Android Custom Detection list is similar to a Simple Custom Detection list except that the device user is warned about the unwanted app and must uninstall it themselves. You can add new malicious apps to an Android Custom Detection list as well as apps that you do not want your users installing on their devices.

Advanced Settings:

The Heartbeat Interval is the frequency with which the connector calls home to see if there are any policies, retrospective events or tasks to pick up.

With iOS Clarity you can gain visibility into network traffic on iOS devices and block connections to malicious sites, wherever users go.

https://www.cisco.com/c/m/en_us/products/security/security-connector.html

See the documentation for your MDM for instructions on removing apps from managed devices.

Under the iOS policy you have:

Modes and Engines:

Conviction Modes specify how the Clarity module of the Secure Endpoint iOS connector responds to suspicious network activity. There are three modes available:

• Active Block checks that the traffic is not destined to a malicious or blocked address before allowing the connection. This provides the highest level of security but there will also be latency with each network connection. IMPORTANT! Even in Active Block mode connections will eventually be allowed if the device is unable to reach the Cisco cloud to check the disposition of the destination address.

• Block allows network connections while simultaneously checking if the destination address is malicious or blocked. The initial connection will be allowed but all subsequent connections to a malicious or blocked site will be blocked.

• Audit will allow all connections but any connections to malicious or blocked sites will be logged.

Outbreak Control:

If there are IP-allowed or blocked lists available, you can click Select Lists to choose the ones you want to add to the policy. Fill the checkboxes of all the lists you want to add from the drop-down menu. You can add multiple IP lists to a single policy; however, IP-allowed list entries will override IP-blocked list entries. See IP Blocked & Allowed Lists for details on creating these lists.

Q. There's no way to initiate a scan from the AMP portal?

A. AMP does live scanning on mobile devices. Scheduled or initiated scan options for these are not available at the moment.

Q. The device only checks in (last seen) when the Secure Endpoint app is opened?

A. If given appropriate permissions, the app will connect regularly as and when required to check the app/network traffic disposition.

If it's showing as not seen, it is possible that either it has no activity or cloud connectivity is broken.

Common causes for this can be:

- The mobile Settings app allows users to configure the ability to enable and disable cellular data usage on the device as a whole and for each app. If cellular data usage is disabled for the Secure Endpoint iOS connector, it is unable to provide any protection when the device is using a cellular network for data instead of Wi-Fi.

- Mobile devices may set Battery Optimization for certain apps running in the background. If the device has enabled Battery Optimization for the Cisco Secure Endpoint app, the operating system will prevent the application from running in the background after a period of time. This will prevent real-time scanning when new apps are installed. To make sure all apps are scanned, you must disable optimization for the Cisco Secure Endpoint app in your device settings.

Please refer to this document:

https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf

-----------------------------------------

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Endpoint through our live Ask the Experts (ATXs) session. Check out Cisco Endpoint Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

-----------------------------------------
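As an added illustration (not code from the original post or from Cisco), the Python model below encodes the three Clarity conviction modes and the allowed-over-blocked list precedence described in the reply above, including the fail-open behaviour of Active Block when the cloud is unreachable; the cloud disposition service, the verdict cache and the addresses are constructed stand-ins.

```python
from dataclasses import dataclass, field
@dataclass
class Policy:
    mode: str                                     # "active_block", "block" or "audit"
    ip_allowed: set = field(default_factory=set)  # IP-allowed list entries
    ip_blocked: set = field(default_factory=set)  # IP-blocked list entries

@dataclass
class Clarity:
    policy: Policy
    cloud_reachable: bool = True
    cloud_bad: set = field(default_factory=set)   # constructed stand-in for the cloud disposition service
    cache: dict = field(default_factory=dict)     # verdicts already learned (drives Block mode)
    log: list = field(default_factory=list)       # (event, destination) tuples

    def disposition(self, dst):
        """Return 'malicious', 'clean', or None when the cloud cannot be reached."""
        if dst in self.policy.ip_allowed:         # allowed entries override blocked entries
            return "clean"
        if dst in self.policy.ip_blocked:
            return "malicious"
        if not self.cloud_reachable:
            return None
        return "malicious" if dst in self.cloud_bad else "clean"

    def connect(self, dst):
        """Return True if a connection to dst is allowed under the policy's conviction mode."""
        if self.policy.mode == "active_block":
            verdict = self.disposition(dst)       # lookup finishes before the connection proceeds
            if verdict == "malicious":
                self.log.append(("blocked", dst))
                return False
            if verdict is None:                   # cloud unreachable: connection is eventually allowed
                self.log.append(("allowed-unverified", dst))
            return True
        if self.policy.mode == "block":
            if self.cache.get(dst) == "malicious":  # only destinations already known bad are blocked
                self.log.append(("blocked", dst))
                return False
            verdict = self.disposition(dst)       # lookup runs alongside the initial connection
            if verdict is not None:
                self.cache[dst] = verdict         # the next connection to this address uses the verdict
            if verdict == "malicious":
                self.log.append(("allowed-initial", dst))
            return True
        # audit: everything is allowed, malicious destinations are only logged
        if self.disposition(dst) == "malicious":
            self.log.append(("audited", dst))
        return True
```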