When users enroll their devices, samples containing data used to evaluate compliance are sent on a scheduled basis. The evaluation of this sample data ensures that the device meets the compliance rules set by the administrator in the Workspace ONE UEM (UEM) console. If the device goes out of compliance, corresponding actions configured in the UEM console are taken.

The VMware Identity Manager service includes an access policy option that can be configured to check the Workspace ONE UEM server for device compliance status when users sign in from the device. The compliance check ensures that users are blocked from signing in to an application or using single sign-in to the Workspace ONE portal if the device goes out-of-compliance. When the device is compliant again, the ability to sign in is restored.

The Workspace ONE Intelligent Hub app automatically signs out and blocks access to the applications if the device is compromised. If the device was enrolled through adaptive management, an enterprise wipe command issued through the UEM console unenrolls the device and removes the managed applications from the device. Unmanaged applications are not removed.

For more information about Workspace ONE UEM compliance policies, see the VMware Workspace ONE UEM Mobile Device Management Guide, in the VMware Workspace ONE UEM Documentation pages.