Adding a compliance policy is a process comprising of four segments: Rules, Actions, Assignment, and Summary. Not all features and options presented in this guide are available for all platforms. The AirWatch Console bases all available options on the initial platform choice, so the console never presents an option that your device cannot use.

Note:

Windows Rugged compliance is only supported on Motorola devices (Enterprise Reset action enforces compliance).

Configure the compliance engine with profiles and automated escalations by completing the Compliance Policy tabs.

  1. Navigate to Devices > Compliance Policies > List View and select Add.
  2. Select a platform from the Add Compliance Policy page on which to base your compliance policy.
  3. Detect conditions by configuring the Rules tab by first matching Any or All of the rules.

  4. Define the consequences of noncompliance within of your policy by completing the Actions tab. Available actions are platform-dependent. For more information, see Compliance Policies Actions by Platform.

  5. Specify Actions and Escalations that occur. An Escalation is simply an automatic action taken when the prior Action does not cause the user to take corrective steps to make their device compliant.

    Select the options and types of actions to perform.

    Setting Description
    Actions and Escalations
    Mark as Not Compliant check box

    Enables you to perform actions on a device without marking it as non-compliant. The compliance engine accomplishes this task by observing the following rules.

    • The Mark as Not Compliant check box is enabled (checked) by default for each newly added Action.
    • If one action has the Mark as Not Compliant option enabled (checked), then all subsequent actions and escalations are also marked as not compliant (checked). These subsequent check boxes cannot be edited.
    • If an action has the Mark as Not Compliant option disabled (not checked), then the next action/escalation has the option enabled by default (checked). This check box can be edited.
    • If an action/escalation has the Mark as Not Compliant option disabled and the device does not pass the compliance rule, the device is officially 'compliant'. The prescribed action is then run.
    • A device's status remains 'compliant' unless it encounters an action/escalation with the Mark as Not Compliant check box enabled. Only then is the device considered non-compliant.
    Application

    Block or remove a managed application.

    You can enforce application compliance by establishing a whitelist, blacklist, or required list of applications. For more information on establishing a robust Mobile Application Management (MAM) plan, See Build an Application Compliance Policy.

    Command Initiate a device check-in or run an enterprise wipe.
    Email

    Block the user from email.

    If you are using Mobile Email Management together with the Email compliance engine, then the 'Block Email' action applies. Access this option by navigating to Email > Compliance Policies > Email Policies. This action lets you use Device Compliance policies such as blacklisted apps with any Email compliance engine policies you configure. With this Action selected, email compliance is triggered with a single device policy update if the device falls out of compliance.

    Notify

    Notify someone about the compliance violation.

    You have the following options to send a notification.

    • Send Email to User
    • Send SMS to Device
    • Send Push Notification to Device
    • Send Email to Administrator

    Multiple emails may be inserted into the accompanying CC text box provided they are separated by commas. You can also CC the user's manager by inserting a lookup value; click the plus sign next to the CC text box and choose {UsersManager} from the drop-down list.

    For all Notify actions, you have the option of using a message template. Make use of this option by deselecting the Default Template check box, which displays a drop-down menu enabling you to select a message template.

    There is also a link that, when selected, displays the Message Template page in a new window. This page enables you to create your own message template.

    Profile

    Install, Remove, or Block a specific Device Profile, Device Profile type, or Compliance Profile.

    Compliance profiles are created and saved in the same manner as Auto and Optional device profiles. Navigate to Devices > Profiles & Resources > Profiles, then select Add, then Add Profile. Select a platform, and in the General profile tab, select 'Compliance' in the Assignment Type drop-down setting. Compliance profiles are applied in the Actions tab of the Add a Compliance Policy page to be used when an end user violates a compliance policy. Select Install Compliance Profile from the drop-down and then select the previously saved compliance profile.

    Escalations Only
    Add Escalation button Creates an escalation. When adding escalations, it is a best practice to increase the security of actions with each additional escalation.
    After time Interval... You may delay the escalation by minutes, hours, or days.
    ... Perform the following actions Repeat – Enable this check box to repeat the escalation a selected number of times before the next scheduled action begins.
                  • Determine which devices are subjected to (and excluded from) the compliance policy by completing the Assignment and Summary tabs of the Add Compliance Policy page.

                    You can then name, finalize, and activate the policy with the Summary tab.

                    Setting Description
                    Managed By Select the organization group by which this compliance policy is managed.
                    Assigned Groups Assign to this policy one or more groups. For more information, see Assignment Groups.
                    Exclusions If you want to exclude groups, select Yes. Next, select from the available listing of groups in the Excluded Groups text box. See Exclude Smart Groups in Compliance Policies for details .
                    View Device Assignment button See a listing of devices affected by this compliance policy assignment.

                    While Platform is a criterion within a smart group, the platform configured in the device profile or compliance policy always takes precedence over the smart group's platform. For instance, if a device profile is created for the iOS platform, the profile is only assigned to iOS devices even if the smart group includes Android devices.

                  • After you determine the Assignment of this policy, select Next. The Summary tab displays.

                    • Provide a Name and a useful Description of the compliance policy.
                    • Select one of the following:
                      • Finish – Save your compliance policy without activating it to the assigned devices.
                      • Finish and Activate – Save and apply the policy to all affected devices.