
    How to enforce Android Device Trust with Scalefusion Veltar?

    The way employees work has changed. Smartphones and tablets aren’t just supporting tools anymore; they are the main devices people use for messaging, collaboration, access to business apps, and handling sensitive data.

    But as mobile usage increases, traditional network-perimeter security loses its value. Firewalls and VPNs can’t protect data when users connect from anywhere, on any device. Modern security now relies on one critical principle: never trust a device until it’s proven secure.


    This is where Android Enterprise steps in. It provides built-in controls that continuously evaluate a device’s health and compliance before allowing access to corporate resources.

    In this blog, we will explain what Android Device Trust means and how you can enforce it effectively using Scalefusion Veltar, extending Zero Trust principles across all your mobile endpoints.

    What is Device Trust from Android Enterprise?

    Device Trust refers to the process of checking a device’s security posture, including its OS version, patch level, encryption status, and overall compliance before granting access to company resources. These checks help confirm that the device meets your organization’s security requirements.

    Device Trust is a core part of Android Enterprise’s security model. To understand why Device Trust is needed, here’s what it helps prevent:

    • Outdated or unpatched devices
    • Rooted or compromised devices
    • Devices with weak or incorrect security settings
    • Devices that fall out of compliance after enrollment

    In Android Enterprise, Device Trust is a key component of the Zero Trust model. Zero Trust is based on the idea of “never trust, always verify,” meaning that access is never assumed to be safe.

    Even if a device was previously approved, its posture must be continuously checked. If the device becomes non-compliant, access can be restricted instantly. This ensures that security decisions are always based on real-time device status.

    Device Trust works consistently across all types of Android deployments:

    • Fully managed corporate devices
    • BYOD devices with Work Profile
    • Unmanaged or lightly managed devices that still access company apps

    This makes it ideal for mixed environments, field teams, contractors, and remote workers.

    To determine whether a device can be trusted, Android Enterprise checks a set of security signals that reveal the device’s overall health and compliance status. These signals help the system confirm that the device is safe enough to access corporate data and applications.

    Android Enterprise evaluates multiple factors, including:

    • Verified device identity
    • OS version and security patch level
    • Encryption and lockscreen configuration
    • Root or jailbreak detection
    • Overall compliance with corporate security policies
    • Integration with access control systems to allow or block access automatically

    Together, these checks form a strong security layer that keeps data protected while allowing users to work without interruption.

    How to enforce Android Device Trust using Scalefusion Veltar?

    Scalefusion Veltar brings Android Device Trust into action by evaluating device posture in real time. It continuously checks whether a device meets your organization’s security requirements and adjusts access dynamically.

    Pre-requisites

    Before configuring Device Trust with Veltar, ensure the following items are set up on the Scalefusion Dashboard:

    1. Devices should be enrolled with Scalefusion.
    2. Minimum Agent app version: Android v18.0.0.
    3. Device Profiles for Android should be created on the Scalefusion Dashboard.
    4. Your account should have access to the Compliance feature.

    Steps to deploy

    Step 1: Create a Policy Group

    Policy Groups allow you to bundle specific compliance benchmarks and their variants for efficient monitoring and remediation across your devices. To create a Policy Group, follow these steps:

    1. On the Scalefusion Dashboard, navigate to Veltar > Compliance.
    2. Under Compliance Policies, click on Create Policy Group.
    3. The Create Policy Group dialog will appear. Enter the following and click Next to proceed to the Select Variant screen.
    • Name: Enter a name for the Policy Group.
    • Platform: Choose Android.
    • Benchmark: Select Device Trust from Android Enterprise.

    4. Select Variant(s): Choose the variant(s) to be a part of this policy group and click Next to proceed to the Select Mode screen. Each variant will show the following information:

    • Variant Name
    • The number of rules in that variant
    • Last Updated Date

    Note: For monitoring and remediation, the variant with the strictest rules will be considered where applicable.


    5. Select Mode: Choose the Mode for the Policy Group and click on Finish

    • Monitoring: In this mode, the Scalefusion Veltar agent only monitors devices against the compliance rules and provides you with a summary.
    • Monitor & Auto Remediation: In this mode, the Scalefusion Veltar agent continuously monitors devices against the compliance rules and attempts to remediate violations automatically.

      6. The newly created Policy Group will be displayed on the dashboard under Compliance Policies. All the variants you have selected will be displayed on clicking the downward arrow in front of the policy group name.

      Step 2: Define and Manage Variant Rules

      Now view and edit the rules (if required) associated with a specific variant within a Policy Group in the Scalefusion Dashboard. To do so, follow these steps:

      1. Under the Compliance Policies section, click on the Policy Group to view its details.
      2. This view provides a summary of the variants included in the Policy Group, showing the enabled rules and their conformance with the original baseline. The following details are displayed for each variant:

      a. Variant Name: Displays the name of the specific variant within the Policy Group.

      b. Enabled Rules: Shows the total number of individual rules that are currently enabled within this variant.

      c. Total Rules: Indicates the total number of rules available in the original baseline from which this variant was created.

      d. Baseline Conformance: Displays the percentage of rules enabled in this variant compared to the total rules in the baseline. For example, if a baseline contains 20 rules and 15 are enabled in the variant, the conformance will be 75%.

      e. Actions: Clicking the three dots under Action will open a submenu with further options for managing this specific variant within the Policy Group.

      • View: The View Rules page will be displayed. In View Rules mode, all rule information is read-only. You cannot make any changes to the rule configurations.
      • Download: Clicking here will generate and download a PDF guide that includes comprehensive information on the rules and policies. This guide is beneficial if it has to be shared with auditors.
      • Edit: The Edit Rules page will be displayed. You can modify the selection and configuration of individual rules within the variant. Components of Edit Rules window:

      3. Enable All Rules: Clicking this checkbox will select or deselect all rules.

      a. Search: Enter keywords to search for rules based on their titles within the currently selected category.

      b. Rule Categories: These are available on the left hand menu

      • All Categories: Displays all rules available for the benchmark.
      • Other Available Categories: Lists the remaining categories of rules defined for the benchmark.
      • Modified: Displays rules where the Rule Value (ODV) has been changed from the recommended value.
      • Deselected: Displays rules that have been unchecked.

        4. Severity: The severity level for certain rules can be customized to Low, Medium, or High, with the initial setting being the Scalefusion-defined severity. Note that rules with severities defined from CIS benchmarks are non-editable, whereas rules with Scalefusion-defined severities can be modified.

        5. Rule Value (ODV – Organization Defined Value): Organization Defined Value (ODV) refers to a custom, organization-specific setting or value that you can configure for a particular compliance rule. On a few rules you can also provide a Rule Value.

        6. Info Icon: Clicking on the i button opens the Rule Info dialog. The Rule Info dialog displays the following:

        • Rule Identifier: Displays Rule Identifier
        • Rule Severity: Displays Rule Severity (as selected)
        • Rule Description: Displays the rule description
        • Supported Versions: The Android Versions on which the rule is supported
        • Policy Key: Displays the Policy Key
        • Document Reference: Link to the reference document
          Step 3: Publish Policy Group

          Once you have defined the rules for your Policy Group, you need to publish it to specific device profiles to apply the compliance settings. Follow these steps:

          1. Locate the desired Policy Group in the list.

          2. Under the Actions column for that Policy Group, click Publish.


          3. The Publish Policy Group dialog will appear.

          4. Select the specific device profiles to which you want to apply this Policy Group.

          5. Click Publish to deploy the Policy Group to the selected profiles.


          Managing Published Policy Groups:

          In addition to publishing, you can also manage existing Policy Groups using the Actions menu:

          • Delete: Removes the Policy Group entirely.
          • Edit: Allows you to modify the rules and settings within the Policy Group.
          • Unpublish: Removes the Policy Group from the device profiles it is currently applied to.
          Step 4: Compliance Summary

          Once a Policy Group is published to device profiles, the Compliance Summary section provides a detailed, device-centric view of compliance statuses. Here, you can monitor the overall compliance of your device inventory and access granular, rule-level details for individual devices via the Actions menu.


          Filters to Report Compliance Status

          The Compliance Summary page offers various filters and reporting options to help you analyze and manage device compliance effectively.

          1. Platform: Displays list of platforms (iOS, macOS, Android, Windows)
          2. Policy Group: Displays a dropdown list of all Policy Groups created within the Compliance Management section.
          3. Compliance Status
            • All: Displays devices with any compliance status.
            • Compliant: Shows only devices that are currently compliant with the applied policies.
            • Non-Compliant: Shows only devices that are currently non-compliant with the applied policies.
            • Pending: Shows devices for which compliance status evaluation is in progress or has not yet been completed.
          4. Risk Status
            • All: Displays devices with any risk status.
            • Safe: Shows devices with no identified compliance risks.
            • Low: Shows devices with low-level compliance risks.
            • Medium: Shows devices with medium-level compliance risks.
            • High: Shows devices with high-level compliance risks.
          5. Page Count: Select the number of items (devices) to display per page (100, 200, or 300).
          6. Search Bar: Enter keywords to search for devices by their name or by the name of the benchmark applied to them.
          7. Clear Filter: This will remove all applied filters and reset the Compliance Status list to its default state. This button is visible only when one or more filters are currently applied.
          8. Download Report: This will generate and download a report of the current Compliance Status view in CSV format. Example CSV: sample_compliance_status_report_updated.csv (This file will contain the compliance details of the devices based on the currently applied filters and displayed columns).

          Overview

          This section provides a visual summary of your device compliance risk status, dynamically updating based on any filters you have applied. The Overview section shows the following:

          1. Total Devices Monitored (%): Number of devices monitored / Total devices.
          2. Compliant Devices (%): Devices that are 100% compliant, calculated as Compliant Devices / Monitored Devices.
          3. Average Compliance: Displays the average compliance percentage of the monitored devices.

          Risk Status

          This visual breakdown allows you to quickly identify areas of concern and prioritize remediation efforts for devices posing the highest security risks. Please note that the data presented here dynamically reflects the devices that currently meet your applied filter criteria. Following are the components in this section:

          1. Devices Need Attention: Displays the percentage of high and moderate-risk devices (Devices at risk out of Total devices)
          2. Scan Now: This will immediately initiate a compliance scan on your desktop devices. For iOS devices, clicking this will fetch the latest compliance commands for evaluation.
          3. Breakdown of Devices by Security Score:
            This section visually breaks down your device fleet based on their calculated security scores and associated risk levels, providing a clear understanding of your overall compliance posture.
            • High Risk (Security Score: 0 – 29): Displays the high-risk devices
            • Moderate Risk (Security Score: 30 – 69): Displays the moderate-risk devices
            • Low Risk (Security Score: 70 – 99): Displays the low-risk devices
            • Safe (Security Score: 100): Displays the safe devices

          Compliance Status Table

          The Compliance Summary page displays a table providing a comprehensive overview of the compliance posture of your managed devices. The columns and their descriptions are as follows:

          1. Device Name: The name assigned to the managed device.
          2. Policy Group: The name of the Policy Group that is currently applied to the device.
          3. Variant: The name of the specific variant of the benchmark that is applied to the device through the Policy Group.
          4. Compliance Percentage: The compliance percentage of the device, calculated as Passed rules / Total rules.
          5. Risk Status: The calculated risk status of the device, as determined by the compliance evaluation process. If the risk evaluation is still pending, N/A will be displayed. Possible values include Safe, Low, Medium, and High.
          6. Compliance Status: Displays the result of the most recent compliance scan performed on the device. Possible values are:
            • Compliant: The device meets all the requirements defined in the applied policy.
            • Non-Compliant: The device does not meet one or more of the requirements defined in the applied policy.
            • Pending: The compliance scan is currently in progress or has not yet been completed.
          7. Last Scan Timestamp: The date and time when the last compliance scan was completed for the device. The timestamp will be displayed in the format DD-Month-YYYY HH:MMAM/PM (e.g., 30-July-2024 02:15PM).
          8. Actions: Clicking the three dots under Actions will show the following option:
            • Rule-wise Summary: This will open the Rule-wise Summary dialog, providing a detailed breakdown of the device’s compliance status for each individual rule within the applied benchmark. This will be grayed out and unavailable if the Compliance Status is Pending or if the device has not yet been scored for compliance.
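
The Download Report export and the Overview formulas can be cross-checked offline. The script below is an added example, not Scalefusion code: it assumes the CSV headers match the Compliance Status Table column names, treats every device that is not Pending as "monitored", and uses a hypothetical 7-day staleness threshold. The sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Header names mirror the Compliance Status Table
# columns described above; the real CSV's headers are an assumption.
SAMPLE_CSV = """Device Name,Policy Group,Variant,Compliance Percentage,Risk Status,Compliance Status,Last Scan Timestamp
Field-Tab-01,Android Trust,Level 1,100%,Safe,Compliant,30-July-2024 02:15PM
Sales-Phone-07,Android Trust,Level 1,60%,Medium,Non-Compliant,30-July-2024 09:40AM
Kiosk-03,Android Trust,Level 1,20%,High,Non-Compliant,12-July-2024 11:05PM
BYOD-Pixel-12,Android Trust,Level 1,,N/A,Pending,
"""

TS_FORMAT = "%d-%B-%Y %I:%M%p"  # documented format, e.g. 30-July-2024 02:15PM


def load_report(text):
    """Parse the export into dicts with typed percentage and timestamp fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        pct = row["Compliance Percentage"].strip().rstrip("%")
        ts = row["Last Scan Timestamp"].strip()
        row["pct"] = float(pct) if pct else None
        row["last_scan"] = datetime.strptime(ts, TS_FORMAT) if ts else None
        rows.append(row)
    return rows


def overview(rows):
    """Recompute the Overview figures; 'monitored' = not Pending (assumption)."""
    monitored = [r for r in rows if r["Compliance Status"] != "Pending"]
    compliant = [r for r in monitored if r["Compliance Status"] == "Compliant"]
    scored = [r["pct"] for r in monitored if r["pct"] is not None]
    return {
        "monitored_pct": 100 * len(monitored) / len(rows) if rows else 0.0,
        "compliant_pct": 100 * len(compliant) / len(monitored) if monitored else 0.0,
        "average_compliance": sum(scored) / len(scored) if scored else 0.0,
    }


def needs_attention(rows, now, max_age=timedelta(days=7)):
    """Return (device, reason) pairs: High/Medium risk, stale scan, or no scan."""
    findings = []
    for r in rows:
        name = r["Device Name"]
        if r["Risk Status"] in ("High", "Medium"):
            findings.append((name, f"risk={r['Risk Status']}"))
        if r["last_scan"] is None:
            findings.append((name, "no completed scan"))
        elif now - r["last_scan"] > max_age:  # max_age is a hypothetical threshold
            findings.append((name, "stale scan"))
    return findings


if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    print(overview(report))
    for device, reason in needs_attention(report, now=datetime(2024, 7, 31, 9, 0)):
        print(device, reason)
```

A device whose last scan is old can still show Compliant in the table, so checking the Last Scan Timestamp alongside the Risk Status catches devices whose status no longer reflects their current state.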

          Strengthen your organization’s security posture with Scalefusion and Device Trust

          Enforcing Android Device Trust through Scalefusion delivers multiple benefits beyond basic MDM. It acts as a dynamic security layer that keeps users productive while ensuring apps and data stay protected.

          Here’s how Device Trust enhances your environment:

          • Enhanced Android Management: Device Trust adds deeper, posture-aware controls to Scalefusion’s Android MDM. Only devices that meet your security standards are allowed to use corporate applications and services.
          • Continuous Compliance: Instead of one-time checks, Veltar monitors devices continuously.  If a device becomes non-compliant, access can be restricted instantly.
          • Automation and Efficiency: Compliance enforcement becomes hands-off. IT teams no longer need to manually review devices or chase down users for security updates.
          • Better Security and Experience: Users stay productive with frictionless access. Security teams get stronger protection without disrupting workflows.
          • Centralized Policy Enforcement: All trust signals, compliance statuses, and access decisions flow directly into a single Scalefusion Dashboard. This makes policy administration, auditing, and reporting much simpler.

          With Device Trust enforced through Scalefusion Veltar, businesses benefit from:

          • Higher security
          • Lower operational risk
          • Reduced IT overhead
          • Consistent compliance across every device

          With Scalefusion Veltar, Device Trust becomes a practical and scalable part of your mobile security strategy. 

          Experience real-time device posture checks, automated compliance, and Zero Trust-aligned Android security with Veltar.

          Sign up for a 14-day free trial now.

          FAQs

          1. Does Android Device Trust affect battery life or device performance?

          Device Trust checks are lightweight and run in the background, so users typically won’t see any impact on speed or battery usage. It is designed to run efficiently without slowing down everyday tasks like app usage or browsing.

          2. Can Device Trust work without an internet connection?

          Basic device policies still apply offline, but real-time trust validation and access decisions update once the device reconnects. This ensures devices are never fully unprotected, even when temporarily offline.

          3. Is Device Trust required for personal apps on BYOD devices?

          No. Device Trust only applies to work apps and data inside the managed profile, keeping personal apps private and untouched. Employees can use personal apps freely without company visibility or control.

          4. Can Device Trust block access without wiping the device?

          Yes. Access can be limited instantly without deleting data, locking the device, or disrupting the user’s personal usage. This makes it ideal for handling risk without affecting user productivity.

          5. How often does Android re-evaluate device trust status?

          Trust is reassessed automatically during key events like reboots, OS changes, policy updates, and app access attempts. This ensures access decisions are always based on the device’s current security state.

          Anurag Khadkikar
          Anurag is a tech writer with 5+ years of experience in SaaS, cybersecurity, MDM, UEM, IAM, and endpoint security. He creates engaging, easy-to-understand content that helps businesses and IT professionals navigate security challenges. With expertise across Android, Windows, iOS, macOS, ChromeOS, and Linux, Anurag breaks down complex topics into actionable insights.
