Compliance policy rules enable you to construct a solid foundation for your policy as the component parts of a policy. The actions, escalations, and assignments that follow are all built upon these rules.

Setting Description
Application List

Detect specific denylisted apps that are installed on a device, or detect all apps that are not allowlisted. You can prohibit certain apps (such as social media apps) and apps denylisted by vendors, or permit only the apps you specify.

Due to the way application status is reported on iOS devices, an app achieves 'Installed' status only after the installation process is fully completed. For this reason, if you are making a compliance rule that measures the application list of iOS devices, consider enforcing an action that avoids the destruction of data. For example, enterprise wipe or device wipe.

Antivirus Status Detect whether or not an antivirus app is running. The compliance policy engine monitors the Action Center on the device for an antivirus solution. Windows supports all third-party antivirus solutions.
Cell Data/Message/Voice Use

Detect when end-user devices exceed a particular threshold of their assigned telecom plan.

Workspace ONE UEM can only provide notification of when usage exceeds a predetermined threshold, UEM cannot limit the actual usage.

In order for this policy rule to function correctly, you must enable Advanced telecom and assign that telecom plan to the device.

Compliance Attribute Compare attribute keys in the device against third-party endpoint security, which returns a Boolean value representing device compliance. Only available for Windows Desktop devices.
Compromised Status

Detect if the device is compromised. Prohibit the use of jailbroken or rooted devices that are enrolled with Workspace ONE UEM.

Jailbroken and rooted devices strip away integral security settings and can introduce malware in your network and provide access to your enterprise resources. Monitoring for compromised device status is especially important in BYOD environments where employees have various versions of devices and operating systems.

Device Last Seen Detect if the device fails to check in within an allotted time window.
Device Manufacturer Detect the device manufacturer allowing you to identify certain Android devices. You can specifically prohibit certain manufacturers or permit only the manufacturers you specify.
Encryption Detect whether or not encryption is enabled on the device. Windows supports all third-party encryption solutions.
Firewall Status Detect whether or not a firewall app is running. The compliance policy engine checks the Action Center on the device for a firewall solution. Windows supports all third-party firewall solutions.
Free Disk Space Detect the available hard disk space on the device.
iBeacon Area Detect whether your iOS device is within the area of an iBeacon Group.
Interactive Certificate Profile Expiry Detect when an installed profile on the device expires within the specified length of time.
Last Compromised Scan Detect if the device has not reported its compromised status within the specified schedule.
MDM Terms of Use Acceptance Detect if the end user has not accepted the current MDM Terms of Use within a specified length of time.
Model Detect the device model. You can specifically prohibit certain models or permit only the models you specify.
OS Version Detect the device OS version. You can prohibit certain OS versions or permit only the operating systems and versions you specify.
Passcode Detect whether a passcode is present on the device.
Roaming* Detect if the device is roaming.
Roaming Cell Data Use* Detect roaming cell data use against a static amount of data measured in MB or GB.
Security Patch Version Detect the date of the Android device's most recent security patch from Google. Applicable only to Android version 6.0 and later.
SIM Card Change* Detect if the SIM card has been replaced.
System Integrity Protection Detect the status of macOS's proprietary protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when run by the root user or a user with root privileges.
Windows Automatic Update Status Detect whether Windows Automatic Update has been activated. The compliance policy engine monitors the Action Center on the device for an Update solution. If your third-party solution does not display in the action center, it reports as not monitored.
Windows Copy Genuine Validation Detect whether the copy of Windows currently running on the device is genuine.

* Only available for Telecom Advanced Users.