Check Point Harmony Mobile provides comprehensive mobile threat defense (MTD) for iOS and Android devices, protecting against malware, network attacks, and OS vulnerabilities. This guide covers deploying the Harmony Mobile Protect app across your organization using various enrollment methods.
Prerequisites
Before deploying Harmony Mobile, ensure you have:
- Check Point Infinity Portal account with Harmony Mobile license
- Mobile devices meeting minimum requirements (iOS 15.0+ or Android 11.0+)
- MDM/UEM solution (optional but recommended for enterprise deployment)
- Network access for devices to reach Check Point cloud services
- User communication plan for enrollment notifications
Understanding Deployment Methods
Harmony Mobile supports multiple deployment approaches:
| Method | Best For | User Interaction | Complexity |
|---|---|---|---|
| Zero-Touch (MDM) | Enterprise with MDM | None | Medium |
| MDM with Manual Activation | Mixed environments | Minimal | Medium |
| Email Invitation | BYOD environments | Moderate | Low |
| QR Code/Manual | Small deployments | Full | Low |
Step 1: Access Harmony Mobile Dashboard
- Sign in to https://portal.checkpoint.com
- Click the Menu icon in the top left
- Under Harmony, click Mobile
- The Harmony Mobile dashboard opens
Step 2: Configure Initial Settings
Set Up Your Organization
- Go to Settings in the left menu
- Click General Settings
- Configure:
  - Organization Name: Your company name
  - Contact Email: Admin email for notifications
  - Time Zone: Your organization's time zone
- Click Save
Configure Device Management Integration
- Go to Settings > Device Management
- Select your MDM/UEM solution from the dropdown:
  - Microsoft Intune
  - VMware Workspace ONE
  - BlackBerry UEM
  - MobileIron
  - Jamf Pro
  - ManageEngine MDM Plus
  - Hexnode UEM
- Follow the integration wizard for your selected MDM
Step 3: Deploy to iOS Devices
Option A: Zero-Touch Deployment with MDM
For Microsoft Intune:
- Configure Intune Integration
  - In Harmony Mobile, go to Settings > Device Management
  - Select Microsoft Intune from the MDM dropdown
  - Click Configure and sign in with Azure AD admin credentials
  - Grant required permissions
- Add Harmony Mobile App to Intune
  - In Microsoft Endpoint Manager admin center
  - Go to Apps > iOS/iPadOS > Add
  - Select iOS store app
  - Search for "Harmony Mobile Protect"
  - Assign to your device groups
- Create App Configuration Policy
  - Go to Apps > App configuration policies > Add
  - Select Managed devices and iOS/iPadOS
  - Select the Harmony Mobile Protect app
  - Add configuration settings:

    ```xml
    <dict>
        <key>server</key>
        <string>your-tenant.checkpoint.com</string>
        <key>activationToken</key>
        <string>YOUR_ACTIVATION_TOKEN</string>
    </dict>
    ```

  - Assign to the same device groups
- Deploy VPN Profile for Zero-Touch
  - Create a VPN configuration profile
  - Select Check Point Capsule VPN as the connection type
  - Configure with Harmony Mobile server details
  - This enables automatic activation without user interaction
Option B: Manual Enrollment for iOS
- Generate Registration Credentials
  - In Harmony Mobile dashboard, go to Devices
  - Click Add Device > iOS
  - Choose Email invitation or QR code
  - Enter user email address (for email method)
- User Installation Steps
  - User receives email with registration link
  - User downloads "Harmony Mobile Protect" from App Store
  - User opens the app and either:
    - Scans the QR code, or
    - Enters server address and registration code
  - User grants required permissions:
    - VPN configuration
    - Notifications
    - Local network access (optional)
- Verify Activation
  - Device appears in Harmony Mobile dashboard
  - Status changes from "User Notified" to "Active"
  - Initial security scan completes automatically
Step 4: Deploy to Android Devices
Option A: Zero-Touch Deployment with MDM
Important: Android Enterprise is mandatory for Zero-Touch deployment on Android.
For Microsoft Intune:
- Enable Android Enterprise
  - Ensure Android Enterprise is configured in Intune
  - Devices must be enrolled as Work Profile or Fully Managed
- Add Harmony Mobile App
  - In Endpoint Manager, go to Apps > Android
  - Click Add > Managed Google Play app
  - Search for "Harmony Mobile Protect"
  - Approve and assign to device groups
- Create Managed Configuration
  - Go to Apps > App configuration policies
  - Click Add > Managed devices
  - Select Android Enterprise
  - Configure settings:

    | Key | Value |
    |---|---|
    | server | your-tenant.checkpoint.com |
    | activationToken | YOUR_TOKEN |
    | autoActivation | true |

- Configure Permissions
  - Grant required runtime permissions via MDM:
    - Device administrator
    - Accessibility service
    - VPN connection
    - Notification access
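As an added example (not from the original guide or from Check Point), here is a pre-deployment check for the `server` and `activationToken` values used in the iOS and Android zero-touch policies above. It parses the iOS `<dict>` fragment with Python's `plistlib` and flags unfilled placeholders, stray whitespace, and a URL pasted where a hostname belongs; the function names, the hostname `mtd.example.com`, and the token values are constructed for illustration.

```python
import plistlib
import re

# Template values shown in the guide; finding one means the policy was never filled in.
PLACEHOLDERS = {"your-tenant.checkpoint.com", "YOUR_ACTIVATION_TOKEN", "YOUR_TOKEN"}
REQUIRED_KEYS = ("server", "activationToken")  # keys used in both policies in the guide
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_ios_fragment(xml_fragment):
    """Wrap the bare <dict> fragment in a <plist> root so plistlib can parse it."""
    wrapped = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<plist version="1.0">' + xml_fragment + '</plist>')
    return plistlib.loads(wrapped.encode("utf-8"))


def lint_app_config(settings):
    """Return a list of problems in a server/activationToken configuration dict."""
    problems = []
    for key in REQUIRED_KEYS:
        value = settings.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{key}: missing or empty")
        elif value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace")
        elif value in PLACEHOLDERS:
            problems.append(f"{key}: still the template placeholder")
    server = settings.get("server")
    if isinstance(server, str) and server and server == server.strip() \
            and server not in PLACEHOLDERS:
        if "://" in server or "/" in server:
            problems.append("server: must be a bare hostname, not a URL")
        elif not HOSTNAME.match(server):
            problems.append("server: not a valid hostname")
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's template pasted unchanged into the policy.
    template = ("<dict> <key>server</key> <string>your-tenant.checkpoint.com</string>"
                " <key>activationToken</key> <string>YOUR_ACTIVATION_TOKEN</string> </dict>")
    for problem in lint_app_config(parse_ios_fragment(template)):
        print("FAIL", problem)
    # Constructed Android managed-configuration values with a URL in the server field.
    print(lint_app_config({"server": "https://mtd.example.com/",
                           "activationToken": "constructed-token", "autoActivation": True}))
```

An empty result means the values are structurally sound; it does not confirm that the token is the one issued for your tenant.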
Option B: Manual Enrollment for Android
- Generate Registration Credentials
  - In Harmony Mobile dashboard, go to Devices
  - Click Add Device > Android
  - Choose your preferred method:
    - Email invitation
    - QR code
    - Manual entry
- User Installation Steps
  - User downloads "Harmony Mobile Protect" from Google Play
  - User opens the app
  - User activates using one of these methods:
    - QR Code Method:
      - Tap the QR code scanner icon
      - Scan the QR code from the admin portal or email
    - Manual Entry Method:
      - Enter the server address
      - Enter the registration code
      - Tap Activate
- Grant Required Permissions
  - User approves VPN connection
  - User enables Device Administrator (if required by policy)
  - User grants Accessibility service access (for advanced protection)
  - User enables Notification access (optional)
- Complete Activation
  - App performs initial device scan
  - Device appears as "Active" in dashboard
  - Threat protection is now enabled
Step 5: Configure HTTPS Inspection (Optional)
For advanced network protection, configure HTTPS inspection:
Generate CA Certificate
- In Harmony Mobile, go to Policy > Network Protection
- Under HTTPS Settings, enable HTTPS Inspection
- Under Inspection CA, select Central CA for UEM Deployment
- Click Generate CA Certificate
- Download the certificate file
Deploy CA Certificate via MDM
For iOS:
- Create a Certificate profile in your MDM
- Upload the Check Point CA certificate
- Configure as a trusted root certificate
- Deploy to managed devices
For Android:
- Create a Certificate profile for Android Enterprise
- Upload the Check Point CA certificate
- Configure for VPN authentication
- Deploy to work profile devices
Step 6: Create Device Groups
Organize devices for policy management:
- Go to Devices in Harmony Mobile dashboard
- Click Groups > Create Group
- Enter a group name (e.g., "Executive Devices", "Sales Team")
- Add devices to the group:
  - Select devices individually, or
  - Import from MDM groups, or
  - Use dynamic rules based on device attributes
- Click Save
Step 7: Verify Deployment
Check Device Status
- Go to Devices in the dashboard
- Review the device list:
  - Active: Device is protected and communicating
  - User Notified: Invitation sent, awaiting installation
  - Inactive: Device hasn't communicated recently
  - At Risk: Device has active security issues
Review Initial Scan Results
- Click on a device to view details
- Check Security Status:
  - Protected: No threats detected
  - At Risk: Active threats or vulnerabilities
- Review any detected issues in the Events tab
Test Threat Detection
- Trigger a test detection (safe testing):
  - Visit a known test phishing URL (e.g., Check Point's test page)
  - Attempt to connect to an unsecured WiFi network
- Verify the threat appears in the device's event log
- Confirm notification was sent to the user (if configured)
Troubleshooting Common Issues
App Won't Activate
Symptoms: Registration code rejected or activation fails.
Solutions:
- Verify the registration code hasn't expired (typically 7 days)
- Check device meets minimum OS requirements
- Ensure internet connectivity is available
- For MDM deployment, verify managed configuration is correct
- Generate a new registration code and retry
Device Shows as Inactive
Symptoms: Device was active but now shows inactive status.
Solutions:
- Check device has internet connectivity
- Verify the Harmony Mobile app is running (not force-stopped)
- Check battery optimization isn't killing the app
- Ensure VPN permissions are still granted
- Resend activation from the dashboard
VPN Won't Connect
Symptoms: Network protection features not working, VPN fails to establish.
Solutions:
- Verify VPN permissions are granted in device settings
- Check for conflicting VPN apps or profiles
- Ensure the CA certificate is properly installed (for HTTPS inspection)
- Verify network allows VPN connections
- Try switching between WiFi and cellular to test
MDM Integration Issues
Symptoms: Zero-touch deployment not working, app not auto-activating.
Solutions:
- Verify MDM integration is properly configured in Harmony Mobile
- Check activation token is correct in app configuration policy
- Ensure device is properly enrolled in MDM
- For Android, confirm Android Enterprise is enabled
- Review MDM logs for deployment errors
Best Practices
- Pilot before full deployment: Test with a small group first
- Communicate with users: Explain the app's purpose and benefits
- Use groups for policy management: Organize by department or risk level
- Enable gradual protection: Start with monitoring, then enable blocking
- Monitor compliance: Track deployment progress and address inactive devices
- Keep apps updated: Enable automatic updates in MDM
- Document exceptions: Track any devices that can't be enrolled and reasons
Next Steps
After deploying Harmony Mobile:
- Configure threat defense policies: Set up protection rules for network, app, and OS threats
- Enable conditional access: Integrate with MDM for compliance-based access control
- Set up alerts: Configure notifications for security events
- Review dashboards: Monitor threat trends across your mobile fleet
- Train users: Educate employees on responding to security alerts