Use Policy Escalation with Custom Messaging
ouMES policy escalation (available in MES Advanced and Premium editions) gives users extra time to handle a detected threat. This is especially useful when a user is involved in some activity and cannot afford to be distracted at that moment.
Policy escalation lets administrators gently nudge users to address an issue over a reasonable amount of time, sending reminders and gradually elevating the urgency with custom messaging at appropriate intervals. Policy escalation is intended for compliance-related issues such as out-of-date OS and
out-of-date patch threats which have a rather low security risk. Machine-in-the-middle type threats present a higher security risk and users must handle them immediately. A grace period is not appropriate in these cases.
To set up a policy escalation, follow this example procedure that gradually escalates the out-of-date OS classification.
- In the MES Administration Console, click Protections.This shows the Default Group policy classifications.
- Choose the group from the Manage settings for: dropdown menu where you want to set up a policy escalation.
- Scroll down to the OS Out-Of-Date policy classification.
The default settings are Medium Risk and Alert Device. On detecting a threat, Lookout notifies the device user of the threat, directs the user ro upgrade the OS to a compliant version, and logs the issue in the Issues module. Lookout also sends an email to an administrator provided Medium Risk Device Issue Notifications are enabled.
Here is where you can give users a grace period and avoid emailing an administrator and logging an issue
- On the OS Out-Of-Date policy classification,click the Risk Level dropdown, and choose Advisory.If the classification was inheriting its settings from the Default group, notice that it is now listed near the top of the policy classification listing in the UNIQUE POLICIES FOR THIS DEVICE GROUP category.
Advisory is a risk level that can notify the device user that a security issue needs their attention. Threats in the Advisory level, whether resolved or active, are not synced with MDM, nor included in the email alerts configuration for the administrators. It does not notify the administrator, is not synced with your MDM, and is not included in the admin email alert. Here is where you use custom messaging to set the notification that users will see.
- Click the custom message (page) icon at the far right of the OS Out-Of-Date policy classification.In this example we give the user 21 days to update their device OS to the latest version. We do this in stages (escalations):
- In the custom message dialog, uncheck the Inherit parent custom message checkbox.
- In the Lookout Description, enter something like ‘Please update your device OS to the latest version.’
- In the How to fix this issue section enter the information you want your users to see.For example:
Your corporate policy requires you to follow these security notifications. You have 21 days to update your device operating system.
Use your device software update settings to get started.
You can use the Default custom message link at the top of the dialog to enter information you want to include in all security notifications
- Click Save on the dialog.The dialog closes.
- Scroll down and click Save Changes on the Protections module lower right corner.
Now you can set up an escalation.
- Click in the Escalation column to the left of the Advisory risk level.Then click + Add Escalation.
- Choose After 7 days from the waiting period dropdown to wait before issuing an escalation notification.
- Choose Low from the Risk Level dropdown (if it’s not already selected by default), This triggers an email to the administrator if they have set email preferences to be notified of Low Risk device notifications.
- Choose Alert Device from the Response dropdown (if it’s not already selected by default),
- Click the custom message icon
, uncheck the Inherit parent custom messagecheckbox, and enter remediation steps like these:
Custom Message Section Custom Message Lookout Description Please update your device OS to the latest version. How to fix this issue Your corporate policy requires you to follow these security notifications. You have 14 days to update your device operating system.
Use your device software update settings to get started.
- Click Save on the custom message dialog.
- Scroll down and click Save Changes on the Protections module lower right corner.
- Add another escalation with a 7-day waiting period.This sets the Risk level to Medium.
- Leave the Response at Alert Device.
- Add the same set of custom messages but state ‘You have 7 days to update your device operating system."
- Click Save. Scroll down and click Save Changes on the Protections module lower right corner.
Now you can prepare for the final escalation, setting a response that blocks users from accessing a specific domain including your company domain and any subdomains, or blocking internet access entirely.
- If not the Response dropdown (for escalations) does not have options to Block domains and alert or Block internet and alert, follow these steps to enable On-Device Threat Protection.
Setting Block internet and alert will prevent your users from remediating this issue without Admin assistance.
- Click Protections in the navigation panel.Then click the On-Device Threat Protection
tab.
- Slide the Enable On-Device Threat Protection toggle to On.
- To add the internet blocking options, do one of the following:
- To Block internet and alert, click save.
- To Block domains and alert, click Add a blocked domain and enter domains you want to block. Then click Save Changes.
- Click the Policies tab and choose your test group from the Manage settings for:
dropdown menu.
- Click Protections in the navigation panel.
- In the OS Out-Of-Date policy classification, click 2 ESCALATIONS to the left of the Advisory risk level.This displays the existing escalations. Then do the following:
- Click + Add escalation.
- Choose After 7 days from the waiting period dropdown.The risk level is fixed at High.
- Set the Response to Block domains and alert or Block internet and alert as appropriate for your organization.
Block domains and alert will allow the user to update their device OS.
Block internet and alert will require administrator assistance to fix the issue.
- Add appropriate custom messaging stating they are blocked from specific internet domains or blocked entirely from the Internet and, if blocked from the internet, they will need administrator assistance to fix the issue.
- Click Save. Scroll down and click Save Changes on the Protections module lower right When a policy response blocks a user from the Internet, they cannot update their device operating system without administrator intervention.
Administrator Assisted Remediation when Internet Access is blocked
- In the MES Administration console, navigate to the Issues module.
- Find the issue reported by the user in the issues list.Select the checkbox to the left of the issue.
- Click Ignore just above the Issues list.This sets the device to its previous state as though no issue is present.
- The user can now update their device operating system.