Support Center > Search Results > SecureKnowledge Details
POC Best Practices - Harmony Mobile Technical Level


By default security functions such as On-Device Network Protection are not enabled as its configuration depends on several characteristics such as network environment, VPNs, regulations and integration with MDMs/UEMs, so all the recommended settings must be carefully reviewed before being applied.

Harmony Mobile by default includes the best balance between security and usability. The purpose of the information below provide guidance to adjust the policy to increase visibility of mobile devices configurations and security events, and also to augment the network protections.
Security controls such as: Secure Browsing, Anti-bot, Anti-phishing and URL filtering require that ONP (On device Network Protection) first be activated in the Harmony Mobile dashboard. Also, some applications are categorized as not risky, fact that can negatively affect running POC and testing.

Default policies can be also reinforced by increasing the risk of applications, based on their capabilities and behavior (For example: hacking applications could be used to enumerate internal services).

To improve device visibility, during a POC, it is also recommended to change the default device status, and especially in Android, to look for special indicators that might hint security events

Proceed as follows:

1)      Go to Policy – Global – Device, then modify the policy according the image


Device 2

2)      Go to Application tab

Applications tab

3)      Go to ON-device Network Protection, and then change policy to “Always ON”, next click the “Configure Button”

Adjust the settings according to the image below.

It is recommended to contact your Check Point’s engineering resource to verify if HTTPS Inspection should be enabled, as it requires extra steps to be followed in the MDM/EMM configuration or by the users. Also, HTTPS inspection might increase CPU usage as it will encrypt/decrypt data on-the-fly. Please keep this option OFF until you get confirmation.



Go to the Download Prevention tab, and enable “Allow only from Safe Domains”


4)      Go to WIFI Network tab inside the same policy





This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document