Symantec Mobile Threat Defense: Why Deployment Can Make or Break Your Mobile Security ROI

With the sheer number of enterprise security solutions available today, organizations often go through a careful evaluation process to determine which products are best for them. In mobile threat defense (MTD), like in other product categories, security and mobility teams naturally put the most weight on a solution’s hard-core security capabilities. They evaluate detection technology, anti-malware efficacy, protection actions, threat intel, and other features designed to mitigate security risk. Then they may look at features related to operational overhead – deployment, maintenance and support load. We argue that the latter are critical for maintaining an MTD solution’s long-term effectiveness and value.

Beyond security features, deployment and adoption enablers are a critical factor when gauging MTD products. What value can the best security features provide if end users don’t widely adopt or properly run an MTD solution? Along those lines, how can security teams expect high adoption rates if end-users perceive the solution to interfere with their privacy and productivity? Lastly, how can organizations ensure strong adoption across both managed and BYO devices, with the latter posing a greater challenge as mobility and security teams often have little visibility over unmanaged devices?

Over the years, we’ve introduced multiple components in Symantec Endpoint Protection Mobile (SEP Mobile), our MTD solution, to help make our customers’ deployments successful and sustainable over time. These components, as well as deployment best practices, were born out of close collaboration with our customers – actual security practitioners and mobility operations teams across companies of all sizes, industries, and geos – to balance enterprise mobile security and productivity needs. We share some of these key enablers below and look at how they help our customers achieve an optimal return on their MTD investment.

High-level overviews for better actionability

• Dashboard summary
• Recommended Actions

Tools for efficient troubleshooting

• Installation Health tab
• Device audit log

Customizable settings to fit each company’s policies

• Deployment options
• App configurations
• End-user communication
• Localization

High-level overviews for better actionability

1. Dashboard “Installation Health” summary

Every device with SEP Mobile has a “health status” that indicates whether the MTD solution is installed and running properly. The SEP Mobile dashboard features a section on Installation Health, summarizing the status of MTD installation across devices in an organization. Admins can easily see how many devices are enrolled in SEP Mobile, including how many were activated per day, the health status of SEP Mobile on enrolled devices, top health issues affecting the environment, and other metrics. This information helps mobility teams understand where users are getting stuck so they can take action to mitigate any obstacles.

Admins can also drill down per device into health status and Mobile Device Management (MDM) status, just as they are able to see risk and compliance status per device. They can see exactly which health issues are affecting a device, enabling more informed actions for remediation.

2. Recommended Actions

Admins can rely on SEP Mobile Recommended Actions to maximize the value of the MTD solution. The Recommended Actions list effectively prioritizes actions in SEP Mobile, so admins don’t necessarily need to be MTD experts to extract the best ROI from the solution.

The list includes recommendations for improving protection, reducing risk, and increasing deployment health. Under the latter, admins can see specific actions associated with the health status of SEP Mobile across their organization. Clicking on an action redirects admins to the appropriate place in the Management Console where they can remediate the issue.

Tools for efficient troubleshooting

1. Installation Health tab

Beyond the health status summary provided in the SEP Mobile dashboard, the Installation Health tab in the Management Console provides full visibility and on-demand remediation of devices with open health issues. This information allows security teams to focus on the specific devices that need to improve their status.

Admins can see SEP Mobile installation status across an organization, as well as the status of enrolled devices based on their MDM and activation status. The latter is broken down by pre-activation and post-activation. Each of these groups show devices that have the related open health issues on them. For example, devices that do not have SEP Mobile installed on them or have not launched the SEP Mobile app yet, will appear in the pre-activation group. Devices that do not have protection set up properly or have a deprecated version of the SEP Mobile app will appear in the post-activation group.

Admins have the ability to remediate most open issues directly from the details pane for each issue. They can choose to send a push notification or email to all end users who have devices impacted by a specific health warning. For example, users who began installation but abandoned it can be notified to resume installation. Each health warning has a risk rating allowing admins to prioritize remediation by high-risk issues. These actions enable organizations to improve installation health across mobile devices, ensuring the proper functioning of SEP Mobile over time.

2. Device log for troubleshooting

Within the aforementioned device details pane, admins can also see an audit log showing activities occurring on a device. This includes activation events, security events, health status changes and more, enabling troubleshooting and investigation of open issues.

Customizable settings to fit each company’s policies

1. Deployment options

SEP Mobile offers multiple options for the mass rollout of its mobile apps, on both managed and BYO devices.

If deployment is done via an integration with an MDM, an organization can sync specific user/device groups to push the app out to end-users gradually, or all at once. The MDM updates SEP Mobile on new devices that require the app, or retired devices that should automatically be removed.

For BYO/unmanaged devices, organizations can rely directly on SEP Mobile for deployment:

• An email can be sent to end users with simple instructions for installing and activating the SEP Mobile app.
• Admins can configure self-enroll domains in the Management Console. All end users installing the SEP Mobile app directly from the public app stores, and logging into the app using an email address from one of the configured domains, will automatically be added to the organization’s environment.

Additionally, a “hybrid” mode exists to support both managed and BYO devices in the same environment.

The various deployment options offered by SEP Mobile ensure that “no device gets left behind,” for optimal MTD coverage across the organization.

Whichever deployment options an organization chooses, we recommend rolling out SEP mobile in waves. Security teams should begin with a few teams in the organization and then extend deployment exponentially. We also recommend the use of SEP Mobile enforcement actions to achieve a high level of adoption, with minimum friction. Admins can inform employees ahead of time that from a specific date they will not have access to corporate resources if they do not activate SEP Mobile and comply with the mobile security policy. When using an MDM integration, SEP Mobile can report non-compliance and the MDM can automatically block employees from accessing their corporate email. 

2. App configurations

The SEP Mobile app can be configured to have a varying impact on end users’ privacy and productivity, if the organization chooses.

From the Management Console, admins can control most permissions to match the organization’s privacy guidelines. Organizations can choose whether to make specific permissions mandatory or optional, although SEP Mobile recommends requiring all permissions to provide optimal protection against threats. Based on the defined permissions policy, SEP Mobile provides a health warning for devices that don’t have all mandatory permissions granted.

Customers can also decide to have the SEP Mobile app run in “non-interactive” mode on end-user devices. When this option is enabled, all security features will operate as usual and security incidents and forensics will be available in the Management Console, but end users will not have any visible alerts inside the SEP Mobile app. Instead, if end users voluntarily go into the app, they will see a fully-customizable screen with a message that their device is protected. This is valuable in cases where organizations want to mitigate any friction from end users regarding the SEP Mobile app. While most customers value security education and transparency, for some, it may be more important to remove any concerns or anxiety their employees may have when they receive security alerts on their device.

Additionally, organizations can choose to communicate certain messages to employees via a custom information page displayed in the SEP Mobile app. The page provides another opportunity for security teams to be transparent about their intended use of SEP Mobile and assure end-users that their privacy and productivity are not being infringed upon.

SEP Mobile also provides different ways to verify end users who are manually logging into the app. For example, verification can be done by email, by text message, or by using a single verification code.

3. End-user communications

One of the most important enablers for MTD adoption is communication. SEP Mobile provides customizable notifications and emails that organizations can use to facilitate trust among employees in the onboarding process and provide clear instructions for smooth deployment. Admins can customize email templates, including branding, sender and reply-to details. Once they are set up, communications can be automated for streamlined management and actionability. For example, a SEP Mobile installation email containing an “Install SEP Mobile” button can be sent to end users. Clicking the button will automatically trigger the MDM APIs to push the SEP Mobile app to devices. Communications also include clear recommendations to end users so they can self-troubleshoot as much as possible and overcome any obstacles in the deployment process.

Among our customers, we’ve seen that sending an initial awareness message about SEP Mobile deployment helps to ensure that the solution will be properly deployed, while building trust within the organization and mitigating end-user concerns. Here is an example of an awareness message that is sent before deployment begins:

Admins can also set up daily/weekly/monthly email notifications that report on all “unhealthy” devices in the organization. Once notifications are set up, admins will get pushed updates on the status of the installation without needing to manually log in and monitor the status.

4. Localization

Lastly, end users can go through deployment in a language most comfortable for them, thereby increasing adoption. SEP Mobile supports 14 languages (English, Czech, French, German, Italian, Japanese, Korean, Polish, Portuguese, Russian, Simplified Chinese, Spanish, Traditional Chinese, and Turkish) across its iOS and Android apps, end-user notifications, and Management Console.

The language can be set based on the environment or on the device locale. Different languages can be used for different admins and end-users.

Winning hearts and minds for MTD sustainability

Gaining user trust and adoption of MTD is key for sustainable, effective protection against a growing range of mobile threats that affect enterprise today. No matter how powerful an MTD solution’s security capabilities are, incomplete deployment and low adoption rates can still leave organizations vulnerable to attacks. To address MTD adoption challenges, we’ve worked over the years to add deployment enablers to SEP Mobile, and more features are continuously being added as the needs of our customers evolve. The enablers discussed in this article are just a few core examples that have helped our customers achieve sustainable value from SEP Mobile over time. To conclude, mobility teams need robust tools that ensure the successful rollout of an MTD solution across an organization, while also supporting end-user awareness of the value of mobile security.