Mobile Device Management workflow

Security for Mobile Devices prerequisites

To manage mobile devices from GravityZone Control Center, a series of conditions must be satisfied.

Mobile Device Management components

  1. GravityZone

    • Control Center. A web-based dashboard and unified management console that provides full visibility into an organization's overall security posture and global security threats, and control over its security services.

    • Communication Server. GravityZone role that handles communication with managed mobile devices. Communication with iOS devices is performed via a dedicated plugin called MDM Server.

    • GravityZone Mobile Client, exclusively distributed via Apple App Store and Google Play.

  2. Mobile Device Notification Services

    • Firebase Cloud Messaging (FCM) service for Android devices.

    • Apple Push Notification Service (APNs) for iOS devices.

  3. Mobile Devices

    • Android devices.

    • iOS devices.

Communication workflow

The following diagram describes the communication flow between Control Center and managed mobile devices:

[Figure: communication flow between Control Center and managed mobile devices]

Push notifications are synchronization requests, used to prompt devices to connect to GravityZone Communication Server to get policy updates and tasks. Push notifications do not include the policy update or task; they only inform the device that it must connect to GravityZone Control Center.

Normally, the synchronization of mobile devices with Communication Server is done automatically through the Push Notifications mechanism. The user can also manually synchronize the mobile device with Communication / MDM Server by tapping the Synchronize button in GravityZone Mobile Client.

If your company uses a firewall that restricts internet traffic, you will need to open the required ports to allow connectivity to Google / Apple notification services.

GravityZone Mobile Client can also start the synchronization with the Communication Server (without receiving any Push Notification) to communicate significant changes or events, in the following situations:

  • Manual profile change

  • Device administrator change

  • Accessing webpages blacklisted by policy (web security alert)

  • Lock screen password required by policy not changed on due date

  • Malware not removed after one hour

  • USB debugging status change

  • Manual scan results

Communication workflow for Android devices

  1. A task or policy update is sent from Control Center to the mobile device.

  2. Communication Server sends a push notification to the device via Firebase Cloud Messaging service.

  3. When the notification arrives, the Android system informs GravityZone Mobile Client to synchronize with Communication Server.

    • GravityZone Mobile Client is not required to run to receive push notifications. The Android system wakes up GravityZone Mobile Client as soon as the notification arrives.

    • If the device is offline, it will receive notifications from FCM as soon as it gets back online.

  4. GravityZone Mobile Client connects to Communication Server to receive data.

  5. The device sends the task status to Communication Server.

  6. The task status is updated in Control Center. Any encountered errors are displayed in the task status.

Any change affecting the device compliance is immediately detected and sent to Communication Server by GravityZone Mobile Client. If the device is offline, GravityZone Mobile Client retries every minute to send the compliance change information to Communication Server, until the device gets back online.

In addition to synchronizations triggered by push notifications, Mobile Client automatically synchronizes with the Communication Server every 3 hours. The automatic synchronization ensures all tasks and policy updates get applied even if some push notifications are lost.
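The push/pull pattern described above, as an added example that is not Bitdefender's code: a small Python simulation of the Android workflow (the iOS workflow follows the same pattern with MDM Server and APNs in place of Communication Server and FCM). PushService, CommunicationServer, MobileClient, the task actions and the device id are constructed names; only the 3-hour periodic interval comes from the page. It shows three things a practitioner cares about: a push carries nothing but the device address, so the third-party notification channel never sees task or policy content; a lost push costs at most one periodic interval, because the task stays queued server-side until the device reports a status; and a task that fails on the device surfaces as an error status in Control Center instead of disappearing.

```python
SYNC_INTERVAL_MIN = 3 * 60  # periodic sync every 3 hours, as stated on the page


class PushService:
    """Stand-in for FCM/APNs: a push is a wake-up addressed to a device id and carries
    no task or policy. drop_next loses the next push (constructed failure); pushes to
    an offline device are held and delivered by flush() once it reconnects."""

    def __init__(self):
        self.drop_next, self.held, self.delivered = False, set(), []

    def notify(self, client):
        if self.drop_next:
            self.drop_next = False
        elif not client.online:
            self.held.add(client.device_id)
        else:
            self.delivered.append(client.device_id)  # the whole push: just a device id
            client.sync()  # the push says nothing about what changed; the sync finds out

    def flush(self, client):
        if client.device_id in self.held:
            self.held.discard(client.device_id)
            self.notify(client)


class CommunicationServer:
    """Per-device task queues plus the task status view that Control Center displays."""

    def __init__(self, push):
        self.push, self.queue, self.task_status, self.syncs = push, {}, {}, {}

    def send_task(self, client, task_id, action):
        # Steps 1-2: queue the task, then wake the device through the push service.
        self.queue.setdefault(client.device_id, []).append((task_id, action))
        self.task_status[task_id] = "pending"
        self.push.notify(client)

    def fetch_pending(self, device_id):
        # Step 4: the device pulls its queue; a task stays queued until a status is reported.
        self.syncs[device_id] = self.syncs.get(device_id, 0) + 1
        return [t for t in self.queue.get(device_id, []) if self.task_status[t[0]] == "pending"]


class MobileClient:
    """Models GravityZone Mobile Client: syncs when woken by a push and, as a safety net,
    every SYNC_INTERVAL_MIN whether or not any push arrived."""

    def __init__(self, device_id, server, handlers, online=True):
        self.device_id, self.server, self.handlers, self.online = device_id, server, handlers, online
        self.now = self.last_sync = 0

    def sync(self):
        # Steps 3-6: fetch pending tasks, run them, report each outcome, errors included.
        if not self.online:
            return 0
        tasks = self.server.fetch_pending(self.device_id)
        for task_id, action in tasks:
            try:
                status = self.handlers[action]()
            except Exception as exc:  # a failing task is reported, not silently dropped
                status = f"error: {exc}"
            self.server.task_status[task_id] = status
        self.last_sync = self.now
        return len(tasks)

    def tick(self, now):
        # Advance the device clock (minutes) and run the periodic sync when it is due.
        self.now = now
        if self.online and now - self.last_sync >= SYNC_INTERVAL_MIN:
            self.sync()


def run_scenario():
    """Constructed scenario: a delivered push, a lost push, then an offline device."""
    def enable_encryption():
        raise RuntimeError("storage encryption unsupported on this device")

    push = PushService()
    server = CommunicationServer(push)
    client = MobileClient("android-01", server, {"apply_policy": lambda: "done",
                          "scan": lambda: "done", "enable_encryption": enable_encryption})

    server.send_task(client, 1, "apply_policy")       # push arrives: task applied at once
    push.drop_next = True
    server.send_task(client, 2, "scan")               # push lost: task waits in the queue
    for now in range(1, SYNC_INTERVAL_MIN + 1):
        client.tick(now)                              # task 2 is picked up by the periodic sync
    applied_at = client.last_sync

    client.online = False
    server.send_task(client, 3, "enable_encryption")  # push held while the device is offline
    client.online = True
    push.flush(client)                                # held push delivered -> sync -> error

    return {"task1": server.task_status[1], "task2_applied_at_min": applied_at,
            "task3": server.task_status[3], "syncs": server.syncs["android-01"],
            "push_contents": push.delivered}
```

Running `run_scenario()` reports task 1 done at once, task 2 applied at minute 180 by the periodic sync with no push ever arriving, task 3 carrying an error status that Control Center would display, three synchronizations in total, and a push log that contains nothing but device ids. The design choice to notice is that correctness never depends on the notification channel: the device authenticates to Communication Server and pulls, so a dropped or delayed FCM/APNs message delays a task but cannot lose it or leak it.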

Communication workflow for iOS Devices

  1. A task or policy update is sent from Control Center to the mobile device.

  2. MDM Server sends a push notification to the device via Apple Push Notification service.

  3. When the notification arrives, iOS is asked to synchronize with MDM Server.

    • GravityZone Mobile Client is not required to run to receive push notifications.

    • If the device is offline, it will receive notifications from Apple Push Notification service as soon as it gets back online.

  4. The device's operating system (iOS) connects to MDM Server to receive data.

  5. The device sends the task status to MDM Server.

  6. The task status is updated in Control Center. Any encountered errors are displayed in the task status.

Note

In addition to synchronization requests following a task or policy update in Control Center, MDM Server also sends synchronization requests automatically every three hours. The automatic synchronization ensures all tasks and policy updates get applied even if some push notifications are lost. Moreover, the periodic communication is used to perform password validity checks and application auditing (a planned future feature).