MVISION Mobile for Android

Platform Guide

Release 4.19.x
August 2021
COPYRIGHT
Copyright © 2021 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan
are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be
claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH
SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF
LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A
FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO
NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE
PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

MVISION Mobile Android Platform Guide, Release 4.19.x, August 2021


Table of Contents
Preface
Related Documentation
Audience
New Features
System Requirements
Introduction
Detection Engine Overview
MVISION Mobile Communicating with the Server
Threat Policy and Updates
Modes Checking for Suspicious Apps
MVISION Mobile Deployment
Overview
MDM Integration
Without MDM Integration
MVISION Mobile Installation
About Initializing MVISION Mobile
Activation
About Runtime Permission Settings
Device Storage Permission
Location Permission
VPN Permission
Network Sinkhole Device Action
Phishing Policy Enabled for a Local VPN
Device Admin Permission
Camera Permission
Background Permission
MVISION Mobile Integration with Samsung Knox
Advanced Detection and Remediation
MVISION Mobile Functionality
About the Dashboard
Device Safety
Network Safety
Apps Safety
Application Scanning
Package Installer
Accessibility Enhancements for Visual Impairment
TalkBack Feature
Changing Font Size
Activity Monitor
Danger Zone
Alerts for Danger Zone
Enabling Danger Zone
Threat Policy and Severity
Phishing Policy
VPN Secure Wi-Fi
Full Threat Log
On-Device App Risk Lookup
Threat Loss Prevention
Advanced Details
Invoking Advanced Details
About Debug Logs
Local Device Actions
Samsung Knox Device Actions
Chrome OS Device Actions
Appendix A – Google’s Android Enterprise Implementation with MVISION Mobile
Overview
Supported Configurations
MVISION Mobile Running in Work and Personal Profiles
Appendix B – Site Insight within Phishing Policy
Appendix C – Chromebook Support

Preface
This document is a guide for deploying and configuring the MVISION Mobile application on an Android
device.

Related Documentation
McAfee support documentation is found on the Customer Support Portal at the website:

https://docs.mcafee.com

Audience
The intended audience for this guide is an MVISION Mobile administrator or end user. The MVISION
Mobile application provides threat protection to mobile devices. The system administrator for MVISION
Mobile console sets policies for threats, and monitors and manages the detected threats. See the
“McAfee MVISION Mobile Console Configuration Guide” for more information.

New Features
Refer to the “McAfee MVISION Mobile Android Release Notes” document for the list of new features in
this release.

System Requirements
● Android version 5.0 or later is required.
● The local on-demand VPN functionality requires Android 6 and higher.
● For full Knox device action support, Android version 7 and Knox version 2.7 or later are required.

Introduction
The MVISION Mobile Android application provides continuous detection and remediation of suspicious
and potentially malicious events affecting devices running the Android platform. This is done through
real-time forensic data analysis by a machine learning detection engine that is continuously trained as
the threat landscape changes. A central console is used to configure policies and manage threats.
Administration of the console is further documented in the “McAfee MVISION Mobile Console
Configuration Guide.” See the “Related Documentation” section in this guide for the location of the
documents.

While a user can interact with MVISION Mobile to see current device security status, health and
previous events, there is no requirement for any interaction.

Remediation can be performed by the MVISION Mobile Android application, and through MDM
integration with one of the McAfee supported MDM vendors. The type of remediation that can be
performed is determined by the MDM integration configured and can range from a simple user
notification to a wipe of all company data from the device.

This guide provides the following:

● Details on how the application is deployed.
● How to interact with the application.
● Configuration options that exist from the central MVISION Mobile console.

You can download additional documentation from the Customer Support Portal that details the
configuration and use of the MVISION Mobile console, and specific MDM integrations.

| Requirement | Minimum Version |
| --- | --- |
| Android Version | Version 5.0 |

Detection Engine Overview


MVISION Mobile includes a combination of behavioral analysis and malware scanning to detect multiple
layers of attacks from network and host-based threats without needing any special privileges on the
device. Our security experts developed a revolutionary cyber-attack detection engine that uses
statistical models to dynamically detect advanced host and network-based attacks on mobile devices.
Unlike other threat detection systems, the detection engine monitors the whole device for malicious
behavior (not just scanning apps) without reliance on signatures. This approach allows McAfee to find
and protect against both known and unknown threats in real-time, regardless of how they are delivered
to the device.

In addition, the malware engine scans for suspicious applications installed on the device, and scans
applications prior to being installed on the device to offer continuous protection. Malware scanning is
on the device so that malware can be detected, and action can be taken to remove a suspicious
application even if the device has no network connectivity. If an internet connection is available,
MVISION Mobile performs additional malware scanning analysis against McAfee's proprietary database.
This database is built using data from McAfee’s Labs research team as well as other sources.

The behavioral detection engine runs on the device, within the MVISION Mobile application, to detect
threats without any need for Internet connectivity or special privileges. This unique approach protects
the end-user’s privacy and prevents excessive battery drain that occurs when data is sent to the cloud.
All decisions are made on the device.

MVISION Mobile Communicating with the Server


Each MVISION Mobile application communicates with a central server periodically to confirm that it is
running and to see if there are any updates to the policy that need to be incorporated. When MVISION
Mobile is initially started, it requests the latest version of the detection engine from the McAfee server.
At this point the latest Threat Policy is also downloaded.

The Android version of MVISION Mobile contacts the server every eight hours or when an event occurs
to upload certain device information and to see if there are any updates to policies that need to be
incorporated. The information passed up to MVISION Mobile console is configured with the privacy
template on the MVISION Mobile console.

Threat Policy and Updates


The threat policy contains rules for the actions to take when certain threats are identified. You can view
the policy on the Policy page of MVISION Mobile console. The threat policy is updated in these ways:

● MVISION Mobile console sends a notification that a new threat policy is available. Then,
MVISION Mobile pulls the updated policy information.
● MVISION Mobile polls MVISION Mobile console to see if there is an updated threat policy
available to download. The time interval for this polling is currently configured by McAfee.

Modes Checking for Suspicious Apps


MVISION Mobile checks for suspicious applications in the following modes:

● Manual mode: On the App Safety page, click the Run Manual Scan button to manually check for
suspicious applications at any time. If malware is found, an event is sent to the MVISION Mobile
console, and an alert displays with an option to uninstall the application.
● Automatic mode (1): When the user downloads an application from the browser, email, or any
other client (which saves the file on the SDCARD), MVISION Mobile scans it. MVISION Mobile
then alerts the user if the application is suspicious before the application is installed and offers a
button to delete the suspicious application from the device.
● Automatic mode (2): When a new application is installed, MVISION Mobile scans it. If it is
suspicious, an event is sent to the MVISION Mobile console, and an alert displays with an option
to uninstall the application.

MVISION Mobile Deployment
Overview
The MVISION Mobile Android application can be deployed using one of the following modes:

● The first mode is with an MDM (Enterprise MVISION Mobile). If a customer has an MDM
solution, it is strongly suggested that it be used to distribute the application. These steps are
described in separate MDM Integration Guides specific to the supported MDM, located in the
Customer Support Portal.
● The second mode is without an MDM. Without an MDM implementation, the user can be
instructed to download the MVISION Mobile application from the Google Play Store and install
it.

When adding the MDM in MVISION Mobile console, the administrator can check a box for Android
devices that sends a user an email for each new device. The email contains a MVISION Mobile activation
link for each new device that is synchronized from the MDM. See the “McAfee MVISION Mobile console
Configuration Guide” for more information.

MDM Integration
An enterprise device is defined as a device managed by an enterprise’s MDM. If MDM integration is
enabled and MVISION Mobile has been pushed to an Android Enterprise device from the MDM, then the
device can sometimes be transparently activated without the user having to manually activate it. If, for
instance, the Android device is not an Android Enterprise device, then it must be activated by the user
with an activation link.

In both cases, a device identifier is used to match up with the synchronized device identifier from the
MDM. Once a match has been found, then that device is associated with MVISION Mobile in the correct
MVISION Mobile console environment.

Note: Variables in activation links need to be substituted with the actual device
identifiers, either manually, or through message templates where the variable
can be substituted by an MDM or the MVISION Mobile console. Also, integration
with Microsoft Endpoint Manager (formerly Intune) requires the user to
authenticate with their Azure AD credentials. See the “McAfee MVISION Mobile
console Configuration Guide” for more information.

For more information about the activation topic, see the MVISION Mobile activation topic in the
“McAfee MVISION Mobile console Configuration Guide.”

Without MDM Integration


If there is no MDM integration, the device displays the End User License Agreement (EULA). After the
agreement is accepted, the activation request page displays. The user activates MVISION Mobile with
the method provided by the administrator. If Security Assertion Markup Language (SAML)
authentication is enabled for the domain entered, then MVISION Mobile reaches out to the configured
SAML server to continue with the authentication. They are then matched up with the environment
where the user activation has been defined and activated if the link is valid.

For more information about the activation topic, see the MDM activation topic in the “McAfee MVISION
Mobile Console Configuration Guide.”

MVISION Mobile Installation
About Initializing MVISION Mobile
When MVISION Mobile is pushed down to the device, it must be launched by the user, at which point an
initial set of installation screens is displayed. The user can get started by tapping the MVISION
Mobile icon that shows up on the device’s home screen.

Activation
There are numerous methods of MVISION Mobile activation. If MDM integration is enabled,
then the device activation is transparent. In some MDM integrations, the user clicks an MDM activation link.

Before activation, the device displays the End User License Agreement (EULA) and requests the user to
accept it. After the agreement is accepted, the activation request page displays. The user can activate
MVISION Mobile in one of the following ways:

● Clicking on the activation link (URL).
● Scanning a QR code with the camera of the device.
● Entering a domain name.
● Automatic activation for the Android’s personal profile when using Android Enterprise. See the
MDM Integration Guides and “Appendix A – Google’s Android Enterprise Implementation with
MVISION Mobile” section for more information.

The administrator provides the information for activation. Once activated, the device is then matched
up with the correct environment for the activation link. For more information on activation links, see the
MVISION Mobile activation topic in the “McAfee MVISION Mobile Console Configuration Guide.”

Note: Users can view the EULA on the McAfee website.

For some customers, the activation option exists to enter their domain name, such as “example.com” on
the startup of MVISION Mobile. Domain-based activations can be used by customers that have an
integration with a supported identity provider. If the domain name is known by the MVISION Mobile
application, then activation proceeds using the single sign-on activation flow. Upon successful
installation and activation, the dashboard is displayed.

The figures show the activation images for the following:

● Domain entry options
● Prompt to read a QR code
● A sample QR code

For devices where the administrator wants to use a different activation link on an already activated
device, the user must confirm to use the new activation link. The figure shows the confirmation given.

About Runtime Permission Settings
For Android 6 and higher, users receive one or more Android runtime permission requests for these
topics:

● Device storage access
● Location access
● VPN configuration
● Device admin privileges
● Camera access
● Background Permission - Battery optimization

The specific permissions requested depend on the policy configuration in MVISION Mobile console and
the type of activation chosen.

The following sections cover the different types of permissions that are requested. For more
information on data privacy, refer to “McAfee Data Privacy Guide.”

Device Storage Permission


To protect the device against malware, MVISION Mobile needs to have permission to read the device
storage. This helps prevent malware from harming the user’s device and accessing private data.

The MVISION Mobile screen describes this permission and then requests access to device storage.
Click the Allow Access to Manage All Files slider to protect your devices against malware on the device
storage.

Location Permission
To access Wi-Fi details, MVISION Mobile needs location permissions. MVISION Mobile requires these
Wi-Fi details to protect the device and data from sophisticated network attacks.

The location permission is required to get the SSID and BSSID of the current Wi-Fi connection. The
location is not stored in the MVISION Mobile app. Also, if location is turned off in the Privacy Policy,
location information:

● Is not stored in the MVISION Mobile app.
● Is not reported to the server.
● Does not leave the device.

Note: With Android 10, the location permission is required to detect an
unsecured Wi-Fi threat.

VPN Permission
An administrator has the option to configure MVISION Mobile to set up a Virtual Private Network (VPN)
connection in response to threats. If this is requested, then during the installation of MVISION Mobile, a
VPN profile is installed on the device. MVISION Mobile has screens to request this permission from the
user. These screens guide the user when installing the application or when policies change for the
device. Screens prompt the user to allow the VPN configuration.

This permission is requested for Network Sinkhole device action selections, or a Phishing Policy being
enabled.

Network Sinkhole Device Action


When a Network Sinkhole device action is configured for at least one threat type in the MVISION Mobile
console Policy page, the user is prompted with the screens in the following figures to indicate
acceptance. The VPN permission screens do not display if the administrator did not configure a VPN on
the MVISION Mobile console with phishing or Network Sinkhole settings.

If Network Sinkhole is enabled and phishing is not enabled, perform the following steps when
prompted for the VPN connection:

1. MVISION Mobile sends notifications to alert the user when the administrator configures the
application for this protection. Tap Continue to give permission.
2. Tap Continue again to indicate a local VPN can be requested.
3. Tap OK to the device’s connection request to allow MVISION Mobile to set up the VPN
protection.

Note: The confirmation screen above is the standard Android message, which
mentions that monitoring of traffic occurs, but no monitoring of network traffic is
performed.

Phishing Policy Enabled for a Local VPN


When phishing is enabled on the MVISION Mobile console Policy page, the user is prompted with this
screen instead of the Network Sinkhole Settings permissions given above. This is displayed whether the
Network Sinkhole Settings are enabled or not. The VPN permission screens do not display if the
administrator did not configure a local VPN on the MVISION Mobile console for phishing or Network
Sinkhole settings.

Note: The confirmation screen above is the standard Android message, which mentions
that monitoring of traffic occurs, but no monitoring of network traffic is performed.

For more information on phishing functionality, see the “Phishing Policy” section.

Device Admin Permission


In certain policy configurations, for instance when Samsung Knox permissions are enabled, MVISION
Mobile needs device admin privileges for the device.
Camera Permission
To activate MVISION Mobile using a QR code, MVISION Mobile needs permission to access the camera
and read the image.

Note: MVISION Mobile does not take or save any pictures.

Background Permission
Select Allow to add the MVISION Mobile app to the Android battery optimization exemption list. This
ensures devices are protected while the app is running in the background. This permission
prompt is controlled by the administrator’s settings on MVISION Mobile console. See the “McAfee
MVISION Mobile console Configuration Guide” for more information.

MVISION Mobile Integration with Samsung Knox
With Release 13, MVISION Mobile integration with Samsung Knox MTD combines the Knox Platform for
Enterprise (KPE) hardware-based capabilities with MVISION Mobile machine learning detection to
provide users with the most advanced protection available. This provides advanced detection, more
detailed forensics, and on-device detection and remediation.
Advanced Detection and Remediation
With the advanced integration and communication between MVISION Mobile and the Samsung KNOX
MTD, there is faster identification and detection of potential threats, more efficient policy definition,
and greater prevention of data loss than ever before. The three main areas that this integration
leverages more efficiently include:

● Advanced Detections: MVISION Mobile leverages the KPE for MTD API framework to facilitate
lower-level detections than what is accomplished on other platforms. For example, MVISION
Mobile for Samsung Knox can identify additional system anomalies, elevation of privilege
attempts, and suspicious network connections made by apps or processes.
● Enhanced Group-based Remediations: MVISION Mobile for Samsung Knox combines MVISION
Mobile’s granular, group-based policy advantages with KPE for MTD’s enhanced remediations.
For example, MVISION Mobile for Samsung Knox applies customized data leakage prevention
(DLP) actions to prevent unauthorized data exfiltration (for example, restricting Bluetooth
sharing, preventing SD card transfers, limiting access to the clipboard, disabling screen capture).
● Unparalleled Forensic Detail: For all threats detected, including the advanced threats, Samsung
Knox MTD leverages the KPE for MTD API to provide the most granular and detailed threat
forensics available today.

Note: Samsung Knox for MTD capabilities require the purchase of Samsung Knox
MTD licenses from McAfee. In addition, Samsung Knox MTD support requires
Knox version 3.3 and later, and KNOX API level 29 and greater, on the device.

MVISION Mobile Functionality
Users do not need to interact with MVISION Mobile for proper detection and prevention of malicious
activities. However, users can access MVISION Mobile to determine the following:

● If the application is set up correctly.
● If the application has found any suspicious activity.
● To view recommendations on how to decrease the risk of device attacks.

About the Dashboard


The dashboard screen displays after activation. It displays a general status of the device and a status for
all threat vectors:

● Device
● Network
● Applications

The status ‘No Threats Detected’ is displayed if there are no risks or critical threats detected on the
device as defined by the Threat Policy. The green check mark for each of the categories indicates no
risks or critical threats have been detected.

Once a risk or critical threat is detected, the dashboard title bar turns orange or red and changes to a
‘Risk Detected’ or ‘Threat Detected!’ display. The icons indicate the following:

● Red X Mark ‘X’ - A critical threat is detected.
● Orange Exclamation Mark ‘!’ - A risk is detected.
● Green Check Mark ‘✓’ - No risks or critical threats are detected.

The dashboard displayed in the figure shows a critical threat detected in the ‘Device Safety’ category
and the detection of a risk under the ‘Apps Safety’ category. The risks or threats can be viewed by
tapping on the status bar. This takes the user to a listing of the active issues detected.

The three categories displayed in the dashboard represent the three possible vectors for threats
entering the device: Device, Network and Apps. Each category can be tapped and provides additional
details about that category.

Tapping on the menu option list (three horizontal lines) in the upper corner of the dashboard takes the
user to a page with the following options:
● Full Threat Log
● Tutorial for Phishing
● About MVISION Mobile

Information about the current version of MVISION Mobile can be viewed by tapping on About MVISION
Mobile.

Device Safety
From the dashboard, the Device Safety category displays the status of the device. Threats that show up
in this category include:

● Rooted
● Elevation of Privilege
● System Tampering

Once a risk or critical threat is detected as defined by the Threat Policy, the status in the dashboard
changes to reflect the status of the device.

Tapping this category takes you to the Device Safety page displayed in the figure. The total number of
issues is displayed at the top. If there are any risks or threats, the title bar color changes. Orange
indicates a risk, and red indicates a critical threat. The Device Safety page displays an overview of the
device with topics such as vulnerable MVISION Mobile version, compromised and rooted.

If any of the detections display ‘Yes’, then a recommendation can be accessed by tapping the down
arrow to get more information on the item. Tap the up arrow to retract the recommendation.

This table defines the description of the items in the Device Safety page.

| Device Detection | Description |
| --- | --- |
| Vulnerable Android Version | The device is running a version of Android known to have vulnerabilities. Note: This threat is never identified when the device does not have any MVISION Mobile security patch information. |
| Device Rooting | The device has been rooted and therefore cannot be trusted. |
| Compromised | The device has a critical issue. |
| Stagefright Vulnerable | The device is vulnerable to Stagefright attacks. |
| BlueBorne Vulnerable | The device is vulnerable to the BlueBorne attack, which is executed via the Bluetooth stack. |
| USB Debug Mode | USB debugging mode is enabled. |
| Google Play Protect | The device had Google’s malware protection for Android enabled. |
| Developer Mode | Developer mode is enabled. |
| 3rd Party App Store | Applications can be installed from anywhere on the Internet. |
| Device Encryption | The device’s disk is encrypted. |
| Screen Lock | The device requires a PIN or pattern to unlock the screen. |
| Device Protection | The device has MVISION Mobile enabled and it is detecting risks and threats. |

Network Safety
From the dashboard, the Network Safety category displays the current state of the network or Wi-Fi
connection. Critical threats that show up in this category include:

● ARP MITM
● ICMP MITM
● Fake SSL Certificate
● SSL Strip
● Rogue Access Point

Similar to the dashboard, the banner at the top indicates whether the device is clear of threats, a risk
is detected, or a critical threat is detected, as defined by the Threat Policy.

Tapping on this category takes the user to the Network Safety page and shows the connected Wi-Fi. An
overview of the device network configuration, including the device’s IP address and the currently
connected SSID and BSSID, is displayed. The ‘Network Protection’ section shows that MVISION Mobile
is protecting the device.

If there are any events, the title bar color changes, and the text changes to indicate if a risk or critical
threat is detected.

Apps Safety
From the dashboard, the ‘Apps Safety’ category displays the status of the device for the applications
installed. Tapping on this category takes the user to the Apps Safety screen. If there are any critical
threats or risks, the title bar shows the status.

The Apps Safety screen displays the last known signature date and time along with the status,
indicated by a green, orange, or red banner with text indicating if no threats are detected, if risks are
detected, or if threats are detected. It also shows the date and time of the last scan. The types of threats
that show up in this category include the following:

● Suspicious Apps: Suspicious apps are apps that are installed and are high risk. They have the
potential to compromise the device.
● Out of Compliance (OOC) Apps: Out of compliance apps are apps that have characteristics that
do not comply with the administrator’s privacy and security policies.
● Sideloaded Apps: Sideloaded apps are apps that were installed outside of the Google Play Store.
Apps installed outside of Google Play have not been officially validated and are considered risky.

The critical threats are defined by the Threat Policy. Any detected suspicious, OOC or sideloaded apps
are listed by their name and the user is given the recommendation.
Application Scanning
Android MVISION Mobile automatically scans the device for suspicious and sideloaded apps when it is
first installed. Apps are also scanned when downloaded and installed. The user can initiate a manual
scan from the ‘Apps Safety’ screen with the Run Manual Scan button at the bottom of the display.

If a suspicious, OOC or sideloaded app is found, the screen provides the user with information on the
application and a recommendation of how to proceed.

Package Installer
Once MVISION Mobile is installed and operational, any request to install an application is handled by the
MVISION Mobile Package Installer feature. There are no settings or configurations needed to enable
this. MVISION Mobile registers itself as a Package Installer on the Android device. When an application is
installed, Android asks the user to choose which Package Installer to use. The user should choose
MVISION Mobile and Always. MVISION Mobile then verifies the application is not suspicious and installs
it on the device. If it is found to be suspicious, the screen alerts the user to delete the file.

Accessibility Enhancements for Visual Impairment


MVISION Mobile includes two major enhancements added for users with visual impairments:

● TalkBack Feature
● Change Font Size

TalkBack Feature
The TalkBack feature provides an audible description of what is shown on the device’s screen, which
allows visually impaired users to use their device more efficiently and with greater ease. The TalkBack
feature uses audible feedback, vibration, and other techniques to let the user know what they are
touching on the screen, what else is on the screen, and what actions they can take.

The TalkBack feature is automatically installed on the device as part of the Google Android application
suite. It is frequently updated to add new functionality and improvements through Google Play.

Visually impaired users can slide their fingers across the screen of the device, and any element,
including text, is audibly read back. For text, the screen reader service reads the text in an
audible voice, and it even identifies emoticon characters that are included in the text.

There are several gestures that are used with the TalkBack feature, and various gestures are used to
turn TalkBack on. To find out about the other helpful tools and how to use this feature efficiently, the
Android support website at androidcentral.com is a great source for more information on this helpful
tool for visually impaired users.

Changing Font Size


The Change Font Size feature allows the visually impaired user to increase the size of the font or the
display size so that the text is easier to read and the user can more easily navigate through
the apps and functionality of the device. The areas in which the font size can be changed include:
● Email
● Calendar
● Phone
● Apps such as MVISION Mobile that support larger font and zoom settings

The fonts are easily changed in the Settings and the Accessibility area. The slider can be dragged across
the screen to select a larger font size while in the Accessibility menu for either the Font size or the
Display size. If the font size makes the text so large that it becomes difficult for the user to work with
the functions, the size can just as easily be adjusted to a smaller font to tap the buttons or use the apps
more conveniently.

The Android Accessibility guide provides additional instructions, including gestures and different
techniques of changing the Font Size to make the device easier to use for the visually impaired user, and
is found on the Google support website at support.google.com.

Activity Monitor
The Activity Monitor page displays statistics regarding security tests performed on the device and
threats detected by MVISION Mobile over seven days or 30 days.

Any threats detected in the chosen timeframe are displayed numerically. The user can tap on the red
right arrow icon to display the log page for the chosen threat vector and view the issues in more detail.
The active threats display at the top of the threat list. Mitigated threats are displayed after all active
threats, in reverse chronological order.

The right arrow symbol (‘>’) has a different meaning depending on the color of the background and is
described in the table.

Color     Description
Green     Verifications have been made and there are no issues found.
Orange    Risks were detected during this time, but none are critical.
Red       There are critical threats detected during this time.
Grey      There are no issues for this vector during this time.

Danger Zone
While roaming or traveling, it is common to look for and connect to available Wi-Fi networks to access
the internet for business or pleasure. But many open Wi-Fi networks are traps, where malicious
attackers prey upon victims looking to connect to any available access point in order to gain access to
the victim’s information.

Danger Zone tells the user whether nearby available networks should be avoided (high-risk networks).
Before the user decides which network to connect to, the user can open the MVISION Mobile app and tap
on Danger Zone. The user is presented with a map showing markers (red icons) for high-risk networks
nearby.

If the user does not check MVISION Mobile before connecting and the device connects to a high-risk
network, an alert warns the user that they are connecting to a high-risk network and recommends next
actions, for instance to disconnect from the high-risk access point.

The screenshots below show the map initially displayed, based on the current device’s location. The red
icons with numbers on them represent the number of threats detected on high-risk access points. The
user can zoom in and out using two-finger actions on the screen. Tapping on an icon provides
additional detail about the location chosen and eventually the SSID for nearby or unsecured Wi-Fi
networks.

Alerts for Danger Zone


If the user connects to a known high-risk access point, an alert is displayed if the policy is
configured for alerts. The alert tells the user that they are connected to a known high-risk network
and provides the following information:

● The name of the high-risk network
● A recommendation to disconnect from that network

An optional configuration alerts the user when the device is not connected to a Wi-Fi network and is
near a known high-risk network. Nearby networks are only evaluated while Wi-Fi is enabled and not
connected. MVISION Mobile scans nearby networks and alerts on any that are known to be high-risk.

If MVISION Mobile discovers a nearby network that is a known high-risk network, the user is then
alerted and provided a list of known nearby networks. MVISION Mobile continues to check for risky
networks after the device has moved greater than 500 meters and after 10 minutes.

Enabling Danger Zone


The MVISION Mobile console Administrator has an option to enable or disable ‘Danger Zone’ and all its
features for their environment via the MVISION Mobile console Manage page. A change to this setting
does not take effect on currently running MVISION Mobile apps. By default, the Danger Zone
functionality is disabled. To enable the danger zone functionality, enable the following:

● The Danger Zone feature on the MVISION Mobile console Manage page.

● The desired threats in the MVISION Mobile console Policy page.

The MVISION Mobile console administrator can customize which alerts are sent for Danger Zone
functionality. The alert text displays are configured with settings in the MVISION Mobile console Policy
page, just as other threats are managed. In addition, on their device, the user can indicate that a
particular network should be trusted and then they are not prompted again. For more information on
these settings, refer to the “McAfee MVISION Mobile Console Configuration Guide.”

Threat Policy and Severity


Behavior on the device is different based on the severity level set on each threat. These threat severity
levels are set by the administrator and the policy configuration is useful for different use cases. The
severity options are the following:

● Critical
● Elevated
● Low
● Normal

Threat information can be displayed in a variety of ways on the device:

● Dashboard: This is the initial screen on the MVISION Mobile app and shows the different topic
areas of Device, Network, and Apps (if configured), with each having three possible states of no
threats detected (green), risk detected (orange), and threat detected (red). See the “About the
Dashboard” section in this guide for more information.
● Threat Log: This shows a log of all the threats or events encountered, other than threats with
the severity of ‘Normal’. For threats classified as ‘Low’ severity, the user does not receive
notification other than an entry in the threat log. See the ‘Full Threat Log’ section in this guide
for more information.
● Badge Notifications: This badge is in the corner of the app icon display.
● User Alerts: This is a pop-up display message that can be enabled by the administrator per
threat.

The dashboard shows ‘Elevated’ severity threats as risks detected, and ‘Critical’ severity threats as
threats detected. The dashboard displays the total number of active issues (risks and threats). The app’s
badge notification also indicates either that MVISION Mobile is running in the background or there are
active issues reported.

The administrator enables or disables user alerts for each threat on the threat policy. Setting a user
alert causes a warning message to display to the device user.

Phishing Policy
The phishing policy allows an administrator to warn and protect users from accessing harmful websites
and links. An administrator can set up these functionalities on a device with MVISION Mobile:

● Enable URL Sharing: This feature allows the user to optionally use the device sharing feature
when a web link (URL) is encountered. The user can perform a long press on a link to share it
with MVISION Mobile which then analyzes the URL for a phishing risk and responds back if the
link is good or risky.
● Enable a local Virtual Private Network (VPN): This feature allows MVISION Mobile to check the
safety of web links.
● Site Insight Phishing Protection: This feature allows the user the choice to enable or disable the
Site Insight phishing protection and use of the local VPN on their own device.
● Enable local VPN: This feature allows the user to select between the following options when
phishing links are detected if a local VPN is enabled:
○ Warn the user
○ Block the web links
● Enable Remote Server: This feature allows the user to enable a remote server check of the URL
in addition to the on-device check.

Perform these steps to enable the phishing protection on the Android devices:

1. When this phishing protection opens, click the Continue button and the next screen opens.

2. Click the Continue button to turn on the VPN protection.

MVISION Mobile has a tutorial on how to use the URL Sharing feature when the menu option list is
selected. See the “About the Dashboard” section for more information on the tutorial.

Note: When you use a corporate VPN, the MVISION Mobile VPN, used for phishing
protection, turns off since a device cannot have two VPNs running simultaneously. If the
MVISION Mobile VPN is disabled by starting a corporate VPN, the MVISION Mobile VPN
restarts following the corporate VPN turning off.

VPN Secure Wi-Fi


Based on the phishing policies that the administrator sets on the MVISION Mobile console, the device
can show options to the user with different protection settings. For instance, when the user accesses a
communications channel that is not secure, a VPN can open to ensure that data is sent over a secure
channel.

On the Site Insight menu option, the device shows the protection for insecure (HTTP) connections
because MVISION Mobile opened a secure VPN for transmitting data. You can also check a link for
phishing risk by:
● Using copy and paste.
● Typing a link.
● Scanning a QR code. For this option, the user must give permission to use the camera.

When the user accesses a communications channel that is not secure, a VPN opens to ensure that data
is sent over a secure channel.

These steps are shown on the Android device to notify the user:

1. A notification is shown on the Android device to inform the user that MVISION Mobile is going
to create a local VPN on the device to protect the network data. The first screen that displays
tells the user to allow MVISION Mobile to be activated. Tap on Continue.

2. The next step is to allow MVISION Mobile to add the VPN to the device. Click OK.

3. The VPN configuration is now set up on the device. When the device encounters an attempt to
access an unsecured Wi-Fi network, a notice is given to the user.

4. MVISION Mobile automatically connects the device to a secured VPN to tunnel the insecure
(HTTP) traffic over the unsecured Wi-Fi connection.

Full Threat Log


The Full Threat Log page provides a listing of all issues detected on the device. Users can navigate to this
page from any page in MVISION Mobile by tapping on the menu option list and then Full Threat Log. The
active threats display at the top of the threat list. Mitigated threats are displayed after all active threats
in reverse chronological order.

Along with the threat list, the Full Threat Log page also displays a description of the threat, the date it
occurred, and a recommendation of possible actions to take. The user can scroll through the log by
pulling the screen up.

Once a threat is mitigated it moves to the bottom of the list and is displayed with a grey color and can
be cleared by swiping left. Another option is using the trash can icon to remove all the resolved threats.

On-Device App Risk Lookup


When users want to install an app on their device but want assurance that the app is safe, the
On-Device App Risk Lookup feature allows them to look up the app in a comprehensive database to
determine if the app poses a threat to the device. MVISION Mobile provides a method allowing the user
to look up an Android app and display its summarized privacy and security rating, which indicates
the Privacy or Security risk of the specified app.

Threat Loss Prevention


With the Samsung KNOX Advanced features, threat loss prevention ensures that Samsung devices are
protected. Coupled with machine learning that constantly observes the behavior of the device, patterns
of abnormal behavior can be identified in real time and immediate action can be taken on the device.
Some of the actions include:

● Preventing the Near Field Communication (NFC): This feature prevents data, pictures, contacts,
or other data from being transmitted off the device to another nearby device through high
frequency wireless communications.
● Restricting Bluetooth Sharing: This feature prevents apps on the device from sharing data
through a Bluetooth connection. This prevents data loss even when the app is not in use.
● Disable Bluetooth Interface: This feature simply disables all Bluetooth communication until the
threat is remediated, and the device is deemed safe.
● Disable Beam Interface: This feature prohibits the ability to share large data files, movies, or
other information over a Wi-Fi connection until the threat is remediated and the threat to the
device is resolved.
● Restrict Capture: This option disables the screen capture function until the threat is remediated
and the device is safe again.

Advanced Details
Invoking Advanced Details
The Advanced Details page is available from the About MVISION Mobile button. The user navigates to
this page from any page in MVISION Mobile by tapping on the menu option list and then by pressing the
About MVISION Mobile option for one to two seconds. This screen provides debugging information for
the application.

About Debug Logs


The user can view and share the MVISION Mobile application log information. After invoking the
Advanced Details screen, tap on the share icon at the top on the title bar. No personal information is
collected or shared through these logs.

Local Device Actions


The MVISION Mobile console administrator has options that can be performed locally on the device
when there is a threat detected. For instance, these actions can be selected as part of the Threat Policy
on MVISION Mobile console:

● Disconnect Wi-Fi: When this item is selected in the Threat Policy, MVISION Mobile disables the
Wi-Fi network interface in response to the selected threat(s). The user can enable the Wi-Fi
network interface when they are in a safe location.

Note: Because of an Android update, the device action Disconnect Wi-Fi requires
MVISION Mobile Release 4.14 or earlier.

● Network Sinkhole: If a threat is detected with the ‘Network Sinkhole’ action, MVISION Mobile
either allows or blocks network CIDRs as defined by the MVISION Mobile console administrator.
During this time, the VPN indicator is shown in the status line of the Android device.
● Disable Bluetooth: When this item is selected in the Threat Policy, MVISION Mobile disables the
Bluetooth interface in response to the selected threat(s). The user can enable the Bluetooth
interface when they are in a safe location.
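
The allow-or-block CIDR decision described for the Network Sinkhole action can be sketched as follows. This is an added illustration, not MVISION Mobile code: the class name, the mode names "allow" and "block", and the fail-closed behaviour are assumptions, and the address ranges are constructed documentation ranges.

```python
"""Illustrative CIDR allow/block evaluation (not MVISION Mobile code)."""
import ipaddress


class SinkholePolicy:
    """Hypothetical model of a sinkhole rule set: a mode plus a CIDR list.

    mode "allow": only destinations inside the listed CIDRs are reachable.
    mode "block": destinations inside the listed CIDRs are dropped.
    """

    def __init__(self, mode, cidrs):
        if mode not in ("allow", "block"):
            raise ValueError(f"unknown mode: {mode!r}")
        self.mode = mode
        # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8),
        # which usually means the administrator mistyped the range.
        self.networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]

    def permits(self, destination):
        """Return True if traffic to `destination` may leave the device."""
        try:
            addr = ipaddress.ip_address(destination)
        except ValueError:
            return False  # fail closed on anything that is not an IP literal
        # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) reaches the same host
        # as a.b.c.d, so match it against the IPv4 entries.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        listed = any(addr in net for net in self.networks
                     if net.version == addr.version)
        return listed if self.mode == "allow" else not listed


def evaluate(policy, destinations):
    """Map each destination to 'pass' or 'sinkhole' under the policy."""
    return {d: ("pass" if policy.permits(d) else "sinkhole")
            for d in destinations}


# Constructed sample data using documentation-only address ranges.
REMEDIATION_ONLY = SinkholePolicy("allow", ["192.0.2.0/24", "2001:db8:10::/48"])
BLOCK_KNOWN_BAD = SinkholePolicy("block", ["198.51.100.0/24"])
SAMPLE_DESTINATIONS = [
    "192.0.2.15", "203.0.113.9", "::ffff:192.0.2.15",
    "2001:db8:10::1", "198.51.100.7", "::ffff:198.51.100.7", "not-an-ip",
]

if __name__ == "__main__":
    for name, policy in (("allow", REMEDIATION_ONLY), ("block", BLOCK_KNOWN_BAD)):
        for dest, verdict in evaluate(policy, SAMPLE_DESTINATIONS).items():
            print(f"{name:5} {dest:22} {verdict}")
```

When reviewing a sinkhole CIDR list, the IPv4-mapped case and the strict parsing are the two checks most often missed: a block list that holds only IPv4 ranges should still catch `::ffff:` forms of the same hosts.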
Samsung Knox Device Actions
The Standard Samsung Knox Device Actions include the following:

● Disable App
● Uninstall App
● Block App
● Isolate App from Network

Note: Built-in apps, for instance Chrome, cannot be uninstalled.

The Advanced Samsung Knox MTD device actions include:

● Data Loss Prevention: The settings for the Data Loss Prevention device action are configured on
the Samsung Knox MTD Policy tab on the Policies page.

Note: The Samsung Knox for MTD Data Loss Prevention actions require
purchase of Samsung Knox MTD licenses from McAfee. In addition, Samsung
Knox MTD support requires Knox version 3.3 and later, and KNOX API level 29
and greater, on the device.

Chrome OS Device Actions


The device actions which are supported on Chrome OS devices are as follows:

● Disconnect Wi-Fi is supported on Chrome OS devices.
● VPN Network Sinkhole is supported on Chrome OS devices.
● Disable Bluetooth is not supported on Chrome OS devices.

Appendix A – Google’s Android Enterprise Implementation with MVISION Mobile
Overview
Google’s Android Enterprise provides an environment to separate the business app data from the user’s
personal app data. Applications in the work profile of Android Enterprise run in a protected
workspace that is separate from the personal side of the device. For example, the Android Enterprise
‘Contacts’ app has different contacts than the personal ‘Contacts’ app. Applications running in the
work profile can only see other applications and processes in the work profile.

Supported Configurations
When implementing MVISION Mobile on a device with Android Enterprise, there are the following
supported configurations:

● Running MVISION Mobile only in the work profile of the device.
○ Monitors apps installed in the work profile.
○ Monitors network behavior on the device.
○ Monitors abnormal behavior on the device.
● Running MVISION Mobile only in the Personal profile of the device.
○ Monitors apps installed in the personal profile.
○ Monitors network behavior on the device.
○ Monitors abnormal behavior on the device.
● Running MVISION Mobile in both the work and personal profiles. This configuration provides the
best protection.
○ Monitors apps installed in both the personal and work profile.
○ Monitors network behavior on the device.
○ Monitors abnormal behavior on the device.
○ For information on how to have the personal profile auto-activate, select an MDM Guide
and review the configuration keys for this setup.

Regardless of which deployment option is used, MVISION Mobile detects device and network threats.
The detection and evaluation of applications is done by MVISION Mobile on apps that are installed in
the same container as MVISION Mobile (work, personal, or both depending on the deployment model).

MVISION Mobile Running in Work and Personal Profiles


When MVISION Mobile is running within both the work and personal profiles, the MVISION Mobile
console shows it as one device. This configuration uses one license. MVISION Mobile console displays
the two profiles within the device as two applications.

The two MVISION Mobile applications coordinate together so threat notifications are not duplicated.
Because it is one device, the same threat policies apply to both instances of the MVISION Mobile
application.

The work profile MVISION Mobile application can be configured to install on the device. The personal
profile application must be manually installed by the user. In the configuration with MVISION Mobile in
both profiles, the auto-activation functionality works the same as when a single MVISION Mobile
application is installed.

Note: Knox security is supported the same way MVISION Mobile supports Android Enterprise.

Appendix B – Site Insight within Phishing Policy
As a part of phishing protection, MVISION Mobile provides Site Insight functionality. This is a safety
check to validate that URLs are not malicious when tapped in non-browser apps such as email or text
apps. Essentially, when a link is presented to a user, for example in an email message or a text
message, and the user taps it, the URL is directed to MVISION Mobile, which validates that it is not
malicious. If it is not malicious, the URL is then opened in the browser.

These threats are part of Site Insight:

● Site Insight - Link Tapped
● Site Insight - Link Visited

If a link is determined to be malicious, a threat is logged in the MVISION Mobile console and a
notification is displayed to the user. When the feature is first activated at the device, the user is
presented with an option to use MVISION Mobile or a browser to go to the link.

The user can select Just Once or Always for MVISION Mobile validation. If a URL is determined to be
malicious, the user is alerted. The figure gives an example of an alert.

This feature can be enabled from the Policy page of the MVISION Mobile console and is further detailed
in the “McAfee MVISION Mobile console Configuration Guide.” For more information on this topic, see
the “Phishing Policy” section.

Appendix C – Chromebook Support
MVISION Mobile for Android support for Chromebook requires the Chromebook to support Android
apps and the Google Play Store. A list of Chromebook devices which support Android apps is found at
the following link:

https://sites.google.com/a/chromium.org/dev/chromium-os/chrome-os-systems-supporting-android-apps

MVISION Mobile running on Chromebook supports detections across apps, devices, networks, and
phishing vectors. See the Threat Reference Guide for the list of specific threats that are supported on
Chromebook.

MVISION Mobile running on Chromebook supports the following local device actions in response to
detected threats:

● Disconnect Wi-Fi network
● Network sinkhole using local VPN

MVISION Mobile running on Chromebook supports the following for local VPN phishing protection:

● Machine-Learning (ML) classifier is supported on local VPN phishing.
● Local or remote lookups are supported.
● The ability to block or allow phishing links is supported on local VPN phishing.
● URL Sharing phishing and URL Handler phishing are not supported in Chromebook for local VPN
phishing.

See the Threat Reference Guide for the list of specific threats that are reported on the apps, devices,
networks, and phishing vectors.
