Managing security risks with the Risk Rule Configurator

You can view all the rules that identify risk incidents for the User Risk Management feature. Each rule identifies a condition for a risk incident. When the defined condition in the risk rule is met, a corresponding risk incident with a severity and a score is generated against the device and the user who is assigned to that device.

Accessing the Risk Rule Configurator from the MaaS360 Portal

From the MaaS360 Portal Home page, go to the Security Management section and select Security > Risk Rule Configurator. By default, all rule sets in the Risk Rule Configurator are enabled. Administrators can disable or enable any rule set, and can also enable or disable a particular rule description under a rule name. You can define the severity of the risk rule as low, medium, or high for each individual rule description under a rule name.

Example of the Risk Rule Configurator screen

In the following example, a rule is defined in the Risk Rule Configurator with a High severity and the precondition "if app compliance state on device is out of compliance". If any device is out of compliance, the precondition for the app compliance state is true, and a risk incident with a High severity is created against the device and the user who is assigned that device.

Risk Rule Configurator screen
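To make the rule-to-incident flow described above concrete, here is an added Python example that is not MaaS360 code and not an implementation of the product. It models a few of the predefined rules as conditions that return a severity label, raises an incident against the device and its assigned user when a condition holds, and drops the incident again when the condition clears (as the antivirus rule describes). The device fields, the numeric score per severity label, and the High severity chosen for the application compliance rule are constructed assumptions.

```python
"""Added example: a minimal model of how a risk rule in the Risk Rule
Configurator turns a device condition into a risk incident. Illustrative
code only, not MaaS360's implementation; device fields, scores and the
severity chosen for the application compliance rule are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed score per severity label; in the portal an administrator
# picks the label per rule description.
SEVERITY_SCORE = {"Low": 1, "Medium": 3, "High": 5}


@dataclass
class Device:
    device_id: str
    user: str                      # user assigned to the device
    app_compliance: str            # "in compliance" or "out of compliance"
    antivirus_states: List[str]    # one state per installed antivirus product
    encryption: str                # "encrypted", "partially encrypted" or "unencrypted"


@dataclass
class Rule:
    name: str
    # The condition returns the severity label when the rule fires, else None.
    condition: Callable[[Device], Optional[str]]
    enabled: bool = True           # rule sets are enabled by default


@dataclass
class Incident:
    rule: str
    device_id: str
    user: str
    severity: str
    score: int


def antivirus_inactive(d: Device) -> Optional[str]:
    """High only when every installed product is inactive. Devices with no
    antivirus installed are not evaluated, and one active product clears it."""
    if not d.antivirus_states:
        return None
    return "High" if all(s == "inactive" for s in d.antivirus_states) else None


def app_compliance_state(d: Device) -> Optional[str]:
    """High is the administrator-chosen severity from the page's example."""
    return "High" if d.app_compliance == "out of compliance" else None


def device_encryption(d: Device) -> Optional[str]:
    """Partially encrypted -> Medium, unencrypted -> High, encrypted -> nothing."""
    return {"partially encrypted": "Medium", "unencrypted": "High"}.get(d.encryption)


RULES = [
    Rule("Antivirus inactive", antivirus_inactive),
    Rule("Application compliance state", app_compliance_state),
    Rule("Device encryption", device_encryption),
]


def evaluate(device: Device, rules: List[Rule] = RULES) -> List[Incident]:
    """Return the open incidents for a device. A rule whose condition no
    longer holds contributes nothing, which mirrors the incident and its
    score being removed from the security dashboard."""
    incidents = []
    for rule in rules:
        if not rule.enabled:
            continue
        severity = rule.condition(device)
        if severity is not None:
            incidents.append(Incident(rule.name, device.device_id, device.user,
                                      severity, SEVERITY_SCORE[severity]))
    return incidents


def risk_score(device: Device, rules: List[Rule] = RULES) -> int:
    """Sum of the scores of the device's open incidents (constructed scoring)."""
    return sum(inc.score for inc in evaluate(device, rules))


if __name__ == "__main__":
    # Constructed sample device: every antivirus product inactive, an app
    # compliance violation, and partial encryption.
    laptop = Device("win-001", "alice", "out of compliance",
                    ["inactive", "inactive"], "partially encrypted")
    for inc in evaluate(laptop):
        print(f"{inc.rule}: {inc.severity} ({inc.score}) -> {inc.device_id}/{inc.user}")
    print("total risk score:", risk_score(laptop))
```

Disabling a rule in the example, like disabling a rule set in the configurator, simply stops it from producing incidents; re-running `evaluate` after a condition clears is what removes the incident, so there is no separate "delete" step to get wrong.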

Predefined risk rules in the Risk Rule Configurator

You can configure the following 18 predefined risk rules in the Risk Rule Configurator to identify the risk score of devices and users in the customer account.
Each entry lists the predefined risk rule, its description, the applicable services, and whether the rule is enabled by default.
Antivirus inactive
  Description: This rule checks the inactive status of antivirus software that is installed on a Windows device. A Windows device might have various antivirus software programs installed. If all the antivirus software programs that are installed on the device are in an inactive state, the default severity is High. If one of the antivirus software programs that is installed on the device is in an active state, the risk score and risk incident that are associated with this risk rule are removed from the security dashboard.
  Note: This risk rule does not evaluate Windows devices that do not have antivirus software programs installed.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Application compliance state
  Description: This rule checks the application compliance status on a device. The application compliance status becomes out of compliance when a restricted app is detected on the user's device or when a required app is missing from the user's device. To define the restricted apps and required apps for the device, configure the Application Compliance settings in the following device MDM policies:
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Blocked URL access (Secure Browser)
  Description: This rule checks the number of times blocked URLs are accessed on the device from the Secure Browser. You can define blocked URLs in the URL filter settings for Secure Browser (WorkPlace Persona policy) at Browser > URL Filtering.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Critical security patch missing
  Description: This rule checks whether a critical security patch is missing on the Windows device. The more critical security patches that are missing on the device, the higher the risk score and severity. The defined severity is based on 1 - 2 security patches missing, 3 - 5 security patches missing, or more than five security patches missing on the Windows device.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Device encryption
  Description: This rule checks the encryption status on the device. It checks whether the device is partially encrypted or unencrypted on all enrolled and activated devices. If the encryption status is partially encrypted, the default severity is Medium. If the encryption status is unencrypted, the default severity is High.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes
Device inactivity
  Description: This rule checks when the device last reported to MaaS360. The amount of time since the last reported check-in determines the risk level of the device: the more days since the device last checked in, the higher the risk level.
  Applicable services: URM, TM, MTD
  Enabled by default: No

Old version of OS
  Description: This rule checks how old the operating system version on the device is compared to the latest operating system version that is available for the device. The further the operating system version on the device is behind the latest available version, the higher the risk level. This rule applies to Android, iOS, macOS, and Windows 10+ devices. The following operating system versions are used by the risk rule for comparison with the operating system version on devices:
    • Android 11.0
    • iOS 13.6
    • macOS 10.15.6
    • Windows 10.0.19041
  Applicable services: URM, TM, MTD
  Enabled by default: No

Device jailbroken or rooted
  Description: This rule checks if the device is jailbroken (iOS) or rooted (Android). Jailbreaking and rooting are processes for gaining unauthorized access or elevated privileges on a system. This status is determined for all enrolled and activated devices.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Device passcode not compliant
  Description: This rule checks if the passcode status on the device is compliant with the defined passcode requirements. To define the passcode requirements, configure the Passcode settings in the following device MDM policies:
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Devices not managed
  Description: This rule checks the managed status of the device. If the managed status of the device is in an unenrolled state, the risk increases for these types of devices. Also, if the device is in the User Removed Control or Pending MDM Control Removal state, it is considered a violation.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Malware detected
  Description: This rule checks the status of the IBM Security Trusteer Malware product. If this status is true, a risk incident occurs against the device. To define the Trusteer Threat Management settings, enable Trusteer Threat Management in the following device MDM policies:
  Applicable services: URM, TM, MTD
  Enabled by default: Yes
Mobile data usage limit exceeded
  Description: This rule checks whether the device exceeded the limit for network data usage or roaming data usage. This limit is based on the mobile plan that is defined in the MaaS360 Portal at Expense > Manage Plans.
  Note: You must enable the Mobile Expense Management (MEM) module setting on the Services page for this rule check to work as intended.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Older version of MaaS360 app
  Description: This rule checks how old the MaaS360 app version on the device (Android and iOS) is when compared to the latest available MaaS360 app version. This rule applies to all enrolled and activated devices with the MaaS360 app installed. The older the MaaS360 app version on the Android or iOS device, the higher the risk score and severity. The defined severity is based on a MaaS360 app that is one minor release old, two minor releases old, or three minor releases old.
  Applicable services: URM, TM, MTD
  Enabled by default: No

Out of compliance (OOC) events
  Description: This rule checks the number of times a device is out of compliance. It checks against the compliance rules that are defined at Security > Compliance Rules (for more information, see Applying compliance rules to devices). The higher the frequency of out-of-compliance events, the higher the risk score and severity. The defined severity is based on 1 - 2 times, 3 - 5 times, or more than five times that the device is out of compliance.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

SIM change detected on device
  Description: This rule checks if a SIM card change occurred on the device. If a SIM change is detected on the device, a Medium severity is applied by default. The SIM card change rule applies only to devices that are Corporate-Owned or Corporate Third Party.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Usage policy acceptance
  Description: This rule checks the status of the usage acceptance policy on the device. You can define the user acceptance policy from the Services settings (WorkPlace Persona policy). You can define the severity of the rule based on the status of the usage acceptance policy (expired, not accepted, or pending):
    • If the defined usage acceptance policy is expired on the device, the status is set to expired.
    • If the usage acceptance policy is not accepted on the device, the status is set to not accepted.
    • If the usage acceptance policy is pending on the device, the status is set to pending.
  Note: You must enable the EULA Management Service on the Services page at End user license agreement self-serviceability for this rule check to work as intended.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes
Devices with USB debugging enabled
  Description: This rule checks if USB debugging is enabled on the device. If it is enabled, the device can accept commands from a computer when it is plugged in over a USB connection.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Devices with Developer mode enabled
  Description: This rule checks for devices on which Developer mode is enabled.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Devices with Device attestation failed
  Description: This rule checks for devices that failed device attestation.
  Applicable services: URM, TM, MTD
  Enabled by default: Yes

Insecure Wi-Fi
  Description: This rule checks the number of times a device was connected to an insecure Wi-Fi network, one that is not protected by encryption or authentication protocols and is open to attackers.
  Applicable services: TM, MTD
  Enabled by default: Yes

Malicious email received
  Description: This rule checks for devices that received emails with malicious URLs in their MaaS360 Secure Email client.
  Applicable services: TM, MTD
  Enabled by default: Yes

Malicious SMS received
  Description: This rule checks for devices that received SMS messages with malicious URLs.
  Applicable services: TM, MTD
  Enabled by default: Yes

Malicious URLs Access
  Description: This rule checks the number of times malicious URLs were accessed through an app or a browser.
  Applicable services: TM, MTD
  Enabled by default: Yes

Risky URLs Access
  Description: This rule checks the number of times a risky URL was accessed. A risky URL is a URL that is deemed to be a risk but is not flagged as malicious.
  Applicable services: TM, MTD
  Enabled by default: Yes

Risky apps with Device Admin Permissions
  Description: This rule checks for applications that have device admin permissions on Android devices.
  Applicable services: TM, MTD
  Enabled by default: Yes

Malicious Local Users detected
  Description: This rule checks for local user accounts that are well known to enable malicious activity.
  Applicable services: TM, MTD
  Enabled by default: Yes

Windows privileges violations
  Description: This rule checks for standard user accounts with administrator privileges on Windows 10/11 devices.
  Applicable services: TM, MTD
  Enabled by default: Yes

Malicious Data Transfers detected
  Description: This rule checks whether a device has transferred data that violates a DLP policy.
  Applicable services: TM
  Enabled by default: Yes

Abnormal Process Activity
  Description: This rule checks for abnormal activity on the device. The device is monitored for any attacks.
  Applicable services: MTD
  Enabled by default: Yes

Android Debug Bridge (ADB) Apps Not Verified
  Description: This rule checks whether apps that were installed through Android Debug Bridge are unverified.
  Applicable services: MTD
  Enabled by default: Yes

Android Debug Bridge (ADB) Wi-Fi Enabled
  Description: This rule checks if wireless developer options are enabled on the device. Wireless developer options are intended for development purposes. If they are enabled, the user can change advanced settings that compromise device security.
  Applicable services: MTD
  Enabled by default: Yes
App Debug Enabled
  Description: This rule checks if debug mode is enabled on the device.
  Applicable services: MTD
  Enabled by default: Yes

Captive Portal
  Description: This rule checks if the device is connected to a captive portal, a network that routes traffic through a single proxy (the portal), potentially opening the traffic to monitoring.
  Applicable services: MTD
  Enabled by default: Yes

Compromised Access Point Connected
  Description: This rule checks if the device is connected to a Wi-Fi network where malicious attacks were observed or that was previously marked as rogue.
  Applicable services: MTD
  Enabled by default: Yes

Compromised Access Point Nearby
  Description: This rule checks if the device is near a Wi-Fi network where malicious attacks were observed or that was previously marked as rogue.
  Applicable services: MTD
  Enabled by default: Yes

Device Compromised
  Description: This rule checks if the device is compromised by a BlueBorne attack, a daemon anomaly, or other types of attacks. It also detects if the device is not tested to be compatible with Android, possible tampering on Android devices, or whether Security-Enhanced Linux (SELinux) is disabled on the device.
  Applicable services: MTD
  Enabled by default: Yes

Download apps from unknown Sources Enabled
  Description: This rule checks if downloading apps from unknown sources is enabled.
  Applicable services: MTD
  Enabled by default: Yes

Elevation of Privileges
  Description: This rule checks if privileges are elevated.
  Applicable services: MTD
  Enabled by default: Yes

File System Changed
  Description: This rule checks if the file system on the device has changed. Modifications to files in the file system can sometimes indicate a malicious event.
  Note: Different device manufacturers affect the behavior of this threat event.
  Applicable services: MTD
  Enabled by default: Yes

Google Play Protect Disabled
  Description: This rule checks if Google Play Protect is disabled on the device. Google Play Protect helps protect the device from malicious apps and needs to be re-enabled.
  Applicable services: MTD
  Enabled by default: Yes

Man in the Middle (MITM) attack
  Description: This rule checks if the device is under a man-in-the-middle (MITM) attack, in which an attacker can hijack traffic, steal credentials, and deliver malware to the device.
  Applicable services: MTD
  Enabled by default: Yes

Over-the-air OS updates disabled
  Description: This rule checks if over-the-air (OTA) updates have been disabled on the device. OTA updates help keep a device's software up to date and more secure.
  Applicable services: MTD
  Enabled by default: Yes

Protocol Scan
  Description: This rule checks for network protocol scans such as TCP, IP, or ARP scans, which indicate a malicious attempt by an attacker searching for a device that is vulnerable to a network attack.
  Applicable services: MTD
  Enabled by default: Yes

Proxy Change
  Description: This rule checks if the proxy configuration on the device has changed, which can send network traffic to an unintended destination.
  Applicable services: MTD
  Enabled by default: Yes

Sideloaded App(s)
  Description: This rule checks if sideloaded apps are installed. Sideloaded apps are installed independently of an official app store and can present a security risk.
  Applicable services: MTD
  Enabled by default: Yes

Suspicious Malware/spyware for Apps or Extensions
  Description: This rule checks if the device is compromised by suspicious malware or spyware, or by one or more apps that have been tampered with.
  Applicable services: MTD
  Enabled by default: Yes

System Tampering
  Description: This rule checks for system tampering on the device. System tampering is the process of removing security limitations that the device manufacturer put in place; it indicates that the device is fully compromised and can no longer be trusted.
  Applicable services: MTD
  Enabled by default: Yes

Tag Tracker Detected
  Description: This rule checks if a tag tracker is detected. A tag is used to track the user's location.
  Applicable services: MTD
  Enabled by default: Yes
Access to bluetooth information denied for MaaS360 MTD app
  Description: This rule checks whether the Bluetooth permission is denied to the app. The app requires this permission to detect unknown tag trackers that can track the device's location.
  Applicable services: MTD
  Enabled by default: Yes

Access to local network information denied for MaaS360 MTD app
  Description: This rule checks whether local network access is denied to the app. The app requires this access to protect devices from sophisticated Wi-Fi-based network attacks.
  Applicable services: MTD
  Enabled by default: Yes

Access to location information denied for MaaS360 MTD app
  Description: This rule checks whether the location permission is denied to the app. The app requires this permission to protect devices from sophisticated network attacks.
  Applicable services: MTD
  Enabled by default: Yes

Access to storage information denied for MaaS360 MTD app
  Description: This rule checks whether the storage permission is denied to the app. The app requires this permission to scan the device's local storage and identify risky or malicious apps that might steal personal or sensitive information.
  Applicable services: MTD
  Enabled by default: Yes

Activation pending for MaaS360 MTD app
  Description: This rule checks if app activation for the Mobile Threat Defense (MTD) application is not complete.
  Applicable services: MTD
  Enabled by default: Yes

App always on VPN
  Description: This rule checks if an app is configured as an always-on VPN on the device. Such an app can monitor all of the device's communications with the Internet.
  Applicable services: MTD
  Enabled by default: Yes

Battery optimization permission denied for MaaS360 MTD app
  Description: This rule checks whether the battery optimization permission is denied to the app. The app requires this permission to stay active when running in the background and to ensure continuous protection on the device.
  Applicable services: MTD
  Enabled by default: Yes

Device admin permission missing
  Description: This rule checks whether the device admin permission is missing for the app. The app requires this permission to enable Samsung Knox functionality that protects devices from mobile threats.
  Applicable services: MTD
  Enabled by default: Yes

Notifications disabled for MaaS360 MTD app
  Description: This rule checks whether the notification permission is disabled for the app. The app requires this permission so that users receive on-device alerts about mobile security.
  Applicable services: MTD
  Enabled by default: Yes

Safari link verification disabled
  Description: This rule checks if link verification using the Safari browser extension is disabled on the device.
  Applicable services: MTD
  Enabled by default: Yes

VPN configurations denied for MaaS360 MTD app - Secure Web
  Description: This rule checks whether the VPN permission is denied to the app. The app requires this permission to keep devices safe from risky websites.
  Applicable services: MTD
  Enabled by default: Yes

VPN configurations denied for MaaS360 MTD app - Secure Wi-Fi
  Description: This rule checks whether the VPN permission is denied to the app. The app requires this permission to protect network data in the event of a malicious network attack.
  Applicable services: MTD
  Enabled by default: Yes

Application security
  Description: This rule checks the application security posture of a device, which is determined from the threats and exposures detected in the installed apps.
  Applicable services: Risk Based Application Patching
  Enabled by default: Yes
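Several rules in the list above grade their severity by a count or by how far a version lags. As an added example that is not MaaS360 code, the following Python shows how such grading can be computed: the 1 - 2 / 3 - 5 / more-than-five bands for missing critical security patches and out-of-compliance events, the one/two/three-minor-release bands for the MaaS360 app, a comparison against the baseline OS versions listed for the Old version of OS rule, and days since the last check-in for Device inactivity. The Low/Medium/High label assigned to each band, the day thresholds for inactivity, treating a whole major release behind as High, and the sample device records are assumptions made for this example.

```python
"""Added example of the graded-severity rules: missing critical security
patches and out-of-compliance events use the 1-2 / 3-5 / more-than-five
bands from the rule list, the MaaS360 app rule counts minor releases behind,
the OS rule compares against the listed baseline versions, and device
inactivity uses days since the last check-in. Illustrative code, not
MaaS360's implementation; band-to-label mapping, inactivity thresholds and
sample records are assumptions."""
from typing import Dict, Optional, Tuple


def band_severity(count: int) -> Optional[str]:
    """1-2 -> Low, 3-5 -> Medium, more than five -> High; zero -> no incident."""
    if count <= 0:
        return None
    if count <= 2:
        return "Low"
    if count <= 5:
        return "Medium"
    return "High"


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.19041' -> (10, 0, 19041); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


# Baseline OS versions listed for the "Old version of OS" rule.
OS_BASELINE = {
    "android": "11.0",
    "ios": "13.6",
    "macos": "10.15.6",
    "windows": "10.0.19041",
}


def os_version_severity(platform: str, installed: str) -> Optional[str]:
    """Assumed grading: behind on the major component -> High, behind on the
    minor component -> Medium, behind only on a later component -> Low."""
    baseline = parse_version(OS_BASELINE[platform.lower()])
    have = parse_version(installed)
    width = max(len(baseline), len(have))       # pad so "11" equals "11.0"
    baseline += (0,) * (width - len(baseline))
    have += (0,) * (width - len(have))
    if have >= baseline:
        return None
    if have[0] < baseline[0]:
        return "High"
    if have[1] < baseline[1]:
        return "Medium"
    return "Low"


def app_release_severity(installed: str, latest: str) -> Optional[str]:
    """Minor releases behind the latest MaaS360 app: one -> Low, two -> Medium,
    three or more -> High. A whole major release behind is treated as High
    (assumption)."""
    have = (parse_version(installed) + (0, 0))[:2]
    want = (parse_version(latest) + (0, 0))[:2]
    if have >= want:
        return None
    if have[0] < want[0]:
        return "High"
    return {1: "Low", 2: "Medium"}.get(want[1] - have[1], "High")


def inactivity_severity(days_since_checkin: int) -> Optional[str]:
    """Assumed thresholds: 7+ days Low, 14+ days Medium, 30+ days High."""
    for threshold, label in ((30, "High"), (14, "Medium"), (7, "Low")):
        if days_since_checkin >= threshold:
            return label
    return None


def graded_incidents(record: dict) -> Dict[str, str]:
    """Evaluate the graded rules on one device record and return the rules
    that fire with their severity label."""
    checks = {
        "Critical security patch missing": band_severity(record.get("missing_patches", 0)),
        "Out of compliance (OOC) events": band_severity(record.get("ooc_events", 0)),
        "Old version of OS": os_version_severity(record["platform"], record["os_version"]),
        "Device inactivity": inactivity_severity(record.get("days_since_checkin", 0)),
    }
    if "app_version" in record:     # the MaaS360 app rule covers Android and iOS only
        checks["Older version of MaaS360 app"] = app_release_severity(
            record["app_version"], record["latest_app_version"])
    return {rule: label for rule, label in checks.items() if label is not None}


# Constructed sample records (not real device data).
SAMPLE_ANDROID = {"platform": "android", "os_version": "10.0", "ooc_events": 7,
                  "app_version": "6.80", "latest_app_version": "6.82",
                  "days_since_checkin": 10}
SAMPLE_WINDOWS = {"platform": "windows", "os_version": "10.0.18363",
                  "missing_patches": 4, "days_since_checkin": 2}

if __name__ == "__main__":
    for name, rec in (("android", SAMPLE_ANDROID), ("windows", SAMPLE_WINDOWS)):
        print(name, graded_incidents(rec))
```

The band functions return `None` rather than a lowest label when nothing is wrong, so a rule that stops firing drops out of the result the same way an incident is removed from the dashboard; keeping the thresholds in one place also makes it easy to review which band an administrator's Low/Medium/High choice applies to.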