
Configure Mobile Threat Defense Profile (Android)

IT administrators can remotely activate Mobile Threat Defense (MTD) profiles on enrolled devices, combining proactive protection with real-time Device Trust Evaluation. Beyond standard features such as scheduled device scans and Anti-Virus protection, this framework continuously monitors critical Device Trust Signals, including OS integrity, patch levels, network security, and encryption status.

By evaluating these signals in real time, the system automatically categorizes devices as "Clean" or "Risky." Administrators can thus proactively enhance the security posture of enrolled devices, ensuring that only those meeting the defined trust thresholds can access corporate resources, and safeguarding the organization against sophisticated threats and malicious activities.

To initiate the Mobile Threat Defense profile on the enrolled device(s), follow these steps:

1. Log into the SureMDM console.

2. Navigate to Profiles.

3. Click Android > Add > Primary Profile > Mobile Threat Defense > Configure.

4. Configure the required settings and click Save.

Settings and their descriptions:

Anti-virus Protection
    Use this option to schedule a scan of the device for installed potentially harmful apps, adware, fake apps, and PUAs (potentially unwanted apps) at a specific time or on specific days of the week.

Enable MTD Scan
    Use this option to allow MTD scanning.

Scan Mode
    Select a Scan Mode from the following options:
      • Basic - Only installed applications are scanned.
      • Full - Comprehensive scanning covers all apps, including system apps.

Scan Action
    Select an appropriate Scan Action:
      • Delete Threat - Remove the detected threats from the device.
      • Skip Threat - Detect and skip the threats; no action is performed.

App Exclusions Settings
    This setting excludes enterprise apps from the app scan. This feature is only compatible with SureMDM Agent version >=27.35.00.

App Exclusions
    Add the enterprise apps to exclude them from the app scan. Ensure thorough security scrutiny of the apps before adding them to the exclusion list. Once an app is excluded from the scan, no security analysis is conducted on it.

Scan & Trust Evaluation Schedule
    Configure the schedule for Mobile Threat Defense scans and Device Trust Evaluation on your Android devices.

Days
    Use this option to schedule a scan on all or specific days of the week.

Time
    Use this option to set the time at which the scan is initiated.

Network Type
    Select a Network Type from the following options:
      • Any Network – Scans the device on any available network, including mobile data and Wi-Fi.
      • Wi-Fi Network – Scans the device only when connected to a Wi-Fi network.

Device Trust Evaluation
    Device Trust Evaluation is a comprehensive security framework that continuously monitors and validates the health, integrity, and compliance of mobile devices. This real-time classification determines whether a device is safe to access corporate resources or whether it should be quarantined for remediation.
    Note: Device Trust Evaluation is supported on Android devices with SureMDM Agent version 28.55.11 or above.

    Screen Lock Complexity
      • Enable Secure Screen Lock Verification: When enabled, the system verifies that the device has a secure screen lock (e.g., PIN, password, pattern) enabled. Devices without any lock screen or using insecure methods (e.g., swipe or none) are marked non-compliant.
      • Minimum Screen Lock Complexity: Enforces a minimum screen lock complexity level for devices. Trust Signal data on lock complexity is matched against the selected threshold. Devices not meeting the minimum level are flagged as non-compliant, based on policy configuration.

    Device Management State
      • Enable Device Management Mode Enforcement: When enabled, this setting validates whether a device is actively enrolled and operating under the expected Android Enterprise management mode. Devices not matching the expected mode are marked as non-compliant.
      • Allowed Management Mode: When a mode is selected (e.g., Fully Managed, Work Profile), only devices operating under the specified Android Enterprise management mode are considered compliant. Any deviation triggers non-compliance.

    Device Model and Brand
      • Enable Device Model and Brand Verification: Restricts access to devices that match an approved list of device models and brands. Devices outside the allowed list are flagged as non-compliant.
      • Allowed Brand(s): Administrators can specify one or more allowed brands. The system compares the device's reported brand with the allowed list. When left blank, this rule is ignored.
      • Allowed Device Model(s): Administrators can specify one or more allowed device models. The system compares the device's reported model with the allowed list. When left blank, this rule is ignored.

    OS Version
      • Enable Android OS Version Range Enforcement: Ensures that only devices running Android OS versions within a defined range are considered compliant. Devices running versions below the minimum or above the maximum are marked as non-compliant.
      • Minimum Version: Specifies the lowest supported Android version for compliance.
      • Maximum Version: Specifies the highest allowed Android version.

    Device Security Patch Level
      • Enable Latest Security Patch Level Check: Verifies that the device has installed the latest available Android security patches. The system compares the device's installed patch level against the most recently published patch versions for SYSTEM, KERNEL, and SYSTEM_MODULES. If any component is outdated, the device is marked as non-compliant.

    Network Type
      • Enable Required Network Type: Verifies the network type in use. Devices not meeting the expected network type are marked non-compliant.
      • Required Network Type: Specifies which network transport type(s) (e.g., Wi-Fi, Cellular) are acceptable for trusted access. Devices using unsupported network types (e.g., tethered hotspots or offline mode) are flagged non-compliant.

    Wi-Fi Security Level
      • Enable Minimum Wi-Fi Security Level: Verifies the minimum security level of the connected Wi-Fi network. Devices not meeting the expected level are marked non-compliant.
      • Minimum Wi-Fi Security Level: Sets the minimum acceptable security level for connected Wi-Fi networks. Devices connected to insecure or public Wi-Fi (e.g., OPEN networks) are considered non-compliant.

    DNS over TLS
      • Enable DNS Over TLS Validation: Validates that DNS queries are encrypted to prevent eavesdropping or tampering.
      • DNS State: Selects the DNS over TLS state required for compliance.

    Google Play Protect
      • Enable Google Play Protect: Verifies the Google Play Protect state on the device.
      • Play Protection Type: Specifies the required Google Play Protect state. Any deviation (e.g., Play Protect disabled when 'Enabled' is chosen) triggers non-compliance. This option is grayed out when 'Enable Google Play Protect' is unchecked.

    Critical App Details
      • Enable Critical App Details Validation: Monitors the integrity, source, and version status of specific critical applications installed on the device using Device Trust Signals. The validation ensures the app is installed, signed by a trusted certificate (SHA256 fingerprint), up to date, and installed from a valid source (Play Store or MDM).
      • Application Package: Specify the app package name(s) to be monitored.

    Permitted WebView Package
      • Enable WebView Engine Validation: Verifies that the device is using a designated, trusted WebView package and that it is up to date. Devices with an unapproved or outdated WebView engine are marked as non-compliant.
      • Required WebView Package: Specifies the package name of the required WebView engine (e.g., com.google.android.webview). Devices using a different or unapproved engine are considered non-compliant.

    Disk Encryption
      • Enable Disk Encryption Validation: Verifies that the device storage is encrypted to protect data at rest. Devices that do not have encryption enabled are marked as non-compliant.
      • Disk Encryption State: Defines the required disk encryption state for managed devices.

Severity
    Specifies the risk level associated with a trust signal. When a device fails the corresponding compliance check and becomes non-compliant, it is automatically marked with that level of risk (e.g., Low, Medium, or High). This helps prioritize remediation efforts.

5. Name the profile and click Save.

   The newly created profile will be listed in the Profiles section.

6. Go back to the Home tab and select the Android device(s) or group(s).

7. Click Apply to launch the Apply Job/Profile To Device prompt.

8. On the Apply Job/Profile To Device prompt, select the created profile and click Apply.

Once the profile is applied, scanning is initiated on the device(s).
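To make the Device Trust Evaluation logic concrete, here is an added example (not code from the original page or from SureMDM) of a small evaluator that applies the enabled rules above to one device's trust signals and returns the Clean/Risky classification together with the severity of each failed check. The signal keys, policy keys and the rank orderings for lock complexity and Wi-Fi security are assumptions made for illustration; the sample policy and device values are constructed.

```python
# Added example: a toy evaluator for the Device Trust Evaluation rules listed above. It is
# not SureMDM agent code; signal keys, policy keys and the rank orderings are assumptions.
LOCK_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}   # assumed ordering
WIFI_RANK = {"OPEN": 0, "WEP": 1, "WPA2": 2, "WPA3": 3}     # assumed ordering
PATCH_COMPONENTS = ("SYSTEM", "KERNEL", "SYSTEM_MODULES")   # components named on the page

def ver(v):
    """'13.0.1' -> (13, 0, 1): compare versions numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def evaluate(signals, policy, latest_patch):
    """Classify a device as Clean or Risky; returns (status, [(failed_check, severity), ...]).
    Rules absent from the policy or disabled are skipped; blank brand/model lists mean 'ignore'."""
    apps = signals["apps"]
    checks = {
        "screen_lock": lambda r: LOCK_RANK[signals["lock_complexity"]] >= LOCK_RANK[r["min"]],
        "brand_model": lambda r: (not r["brands"] or signals["brand"] in r["brands"])
                                 and (not r["models"] or signals["model"] in r["models"]),
        "os_version": lambda r: ver(r["min"]) <= ver(signals["os_version"]) <= ver(r["max"]),
        # patch levels are ISO dates (YYYY-MM-DD), so string comparison orders them correctly
        "patch_level": lambda r: all(signals["patch"][c] >= latest_patch[c] for c in PATCH_COMPONENTS),
        "wifi_security": lambda r: WIFI_RANK[signals["wifi_security"]] >= WIFI_RANK[r["min"]],
        "dns_over_tls": lambda r: signals["dns_over_tls"] == r["state"],
        # critical app must be installed, carry the pinned signer SHA-256 and come from Play/MDM
        "critical_app": lambda r: all(a["package"] in apps
                                      and apps[a["package"]]["sha256"] == a["sha256"]
                                      and apps[a["package"]]["source"] in ("PLAY_STORE", "MDM")
                                      for a in r["apps"]),
        "disk_encryption": lambda r: signals["disk_encrypted"] == r["required"],
    }
    findings = [(name, rule.get("severity", "Medium")) for name, fn in checks.items()
                if (rule := policy.get(name)) and rule["enabled"] and not fn(rule)]
    return ("Risky" if findings else "Clean"), findings

# Constructed sample policy, reference patch levels and device signals (made-up values)
POLICY = {
    "screen_lock": {"enabled": True, "min": "MEDIUM", "severity": "High"},
    "brand_model": {"enabled": True, "brands": ["samsung"], "models": [], "severity": "Low"},
    "os_version": {"enabled": True, "min": "12", "max": "14", "severity": "Medium"},
    "patch_level": {"enabled": True, "severity": "High"},
    "wifi_security": {"enabled": True, "min": "WPA2", "severity": "Medium"},
    "critical_app": {"enabled": True, "severity": "High",
                     "apps": [{"package": "com.example.vpn", "sha256": "AA" * 32}]},
    "disk_encryption": {"enabled": False, "required": True},
}
LATEST_PATCH = {"SYSTEM": "2024-06-05", "KERNEL": "2024-06-05", "SYSTEM_MODULES": "2024-06-01"}
DEVICE = {"lock_complexity": "HIGH", "brand": "samsung", "model": "SM-X", "os_version": "13",
          "patch": {"SYSTEM": "2024-06-05", "KERNEL": "2024-04-05", "SYSTEM_MODULES": "2024-06-01"},
          "wifi_security": "OPEN", "dns_over_tls": "ON", "disk_encrypted": False,
          "apps": {"com.example.vpn": {"sha256": "AA" * 32, "source": "PLAY_STORE"}}}
```

With the constructed data, `evaluate(DEVICE, POLICY, LATEST_PATCH)` reports the device as Risky because its KERNEL patch level is behind the published one (High) and it is on an OPEN Wi-Fi network (Medium); the disabled disk-encryption rule is skipped even though the device is unencrypted.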