Configure mobile policies for iOS/iPadOS devices in your organization based on your security requirements.
Procedure
- On the Trend Vision One console, go to .
- Click the iOS/iPadOS tab.
- Click Create or click the name of an existing policy.
- On the General Settings screen, specify a policy name and select the protection strength that best suits your needs, or click Custom to customize your own policy.
  Important
  The protection strength selected in the General Settings screen provides predefined settings accordingly in subsequent steps. You can modify the predefined settings during later configuration. If you modify the predefined settings, the protection strength changes to Custom.
- Configure proxy settings.
  To use Service Gateway as a proxy to connect managed devices to Trend Vision One services and other internet resources, select Send Mobile Agent traffic through the Service Gateway proxy service. This feature helps you control mobile device access within your company.
  For this feature to work, make sure that you have deployed Service Gateway in your network with the Forward Proxy Service enabled and properly configured to allow connection to destination services. If you have deployed multiple Service Gateways in the network, the Mobile Agent will connect to any Service Gateway based on availability.
  Important
  - The Mobile Agent uses a local VPN to connect to the Service Gateway. Make sure that your end users have enabled the local VPN in their Mobile Agents for the traffic to be forwarded to Service Gateway.
  - Compared with Service Gateway, Zero Trust Secure Access (ZTSA) provides more powerful Internet access control functionality. If your network is using ZTSA with Internet Access and AI Service Access enabled, Mobile Agents in the network will send traffic to ZTSA instead of the Service Gateway proxy service.
- Configure Malware Detection settings.
  Note
  This feature is not available when you integrate with Google Workspace or Microsoft Entra ID, or with other MDMs through managed configuration.
  - Click Malware Detection.
  - Choose the scan scope.
  - Configure malware scan criteria.
    - Malware
    - Unofficially modified app content/data
    - Transmission of personal data without consent
    - System/App vulnerabilities
- Configure Wi-Fi Protection settings.
  - Click Wi-Fi Protection.
  - Configure Wi-Fi scan criteria.
    - Automatic decryption of HTTPS traffic: The Wi-Fi network traffic is decrypted, which may result in data leakage.
    - Unsafe access point: The device is connected to an insecure Wi-Fi network.
- Configure Configuration Manager settings.
  Note
  This feature is not available when you integrate with an MDM through managed configuration.
  - Click Configuration Manager.
  - Configure configuration scan criteria.

    | Criteria | Description |
    | --- | --- |
    | Jailbroken device | The device is jailbroken. |
    | Lock screen disabled | The device is not locked with a passcode, Touch ID, or Face ID. |
    | Outdated OS | The device operating system is out of date. |
    | Vulnerable OS | The device operating system is vulnerable. |

    Note
    This option is available only when you integrate with Microsoft Endpoint Manager (Intune).
- Configure Web Reputation settings.
  Trend Micro Web Reputation technology assigns websites a "reputation" based on an assessment of the trustworthiness of a URL, derived from an analysis of the domain.
  - Click Web Reputation.
  - Select a security level.
  - To automatically approve or block certain websites, specify the websites in the following formats based on device platforms and add them to the allow list or to the block list.

    | Item | Format |
    | --- | --- |
    | Website format | URL, FQDN |
    | Wildcard character support | * |

    Tip
    - * : Matches any number of characters
    - ? : Matches a single character in a specific position
- Configure policy targets.
  - Click Targets.
  - Specify one or more groups, assignment groups, or organizational units.
    Note
    Specifying a group, assignment group, or organizational unit that is on the target list of another policy removes it from the previous policy. The previous policy no longer affects the group, assignment group, or organizational unit.
- Configure advanced settings to schedule Mobile Security scanning by selecting Scheduled scan and specifying the scan frequency.
  Note
  This feature is not available when you integrate with an MDM through managed configuration.
- Click Save.
- (Optional) Click Continue if you are prompted to confirm the policy changes.
  Note
  This step is required only if you have added or deleted policy targets when editing a policy.
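
The two wildcard rules from the Web Reputation step (`*` for any number of characters, `?` for a single character) can be used to check a planned allow list or block list entry before it is saved. This is an added example, not Trend Micro code, showing which intended hosts an entry misses and which unintended hosts it also covers. The function names and sample hosts are hypothetical, and whole-string, case-insensitive matching is an assumption, since the page does not state how the product anchors a match.

```python
import re

def wildcard_to_regex(entry: str) -> re.Pattern:
    """Translate a list entry that uses only the two documented wildcards."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")           # any number of characters
        elif ch == "?":
            parts.append(".")            # exactly one character in that position
        else:
            parts.append(re.escape(ch))  # everything else is literal, including "."
    # Assumption: whole-string, case-insensitive comparison.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(entry: str, host: str) -> bool:
    return wildcard_to_regex(entry).fullmatch(host) is not None

def review_entry(entry, intended, unintended):
    """Return (missed, overmatched): intended hosts the entry does not cover,
    and unintended hosts it covers anyway."""
    missed = [h for h in intended if not matches(entry, h)]
    overmatched = [h for h in unintended if matches(entry, h)]
    return missed, overmatched

# Constructed sample hosts (reserved .example/.test names), not from the page.
INTENDED = ["corp.example", "www.corp.example", "portal.corp.example"]
UNINTENDED = ["notcorp.example", "corp.example.other.test"]

if __name__ == "__main__":
    for entry in ["*corp.example", "*.corp.example", "corp.example*", "www?.corp.example"]:
        missed, over = review_entry(entry, INTENDED, UNINTENDED)
        print(f"{entry:20} missed={missed} overmatched={over}")
```

Under these assumptions, a leading `*` without a dot also covers any host that merely ends in the same characters, while `*.` excludes the bare domain, so an allow list usually needs both the bare name and the `*.` form.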