Add a Compliance Policy

Adding a compliance policy is a process comprising four steps: Rules, Actions, Assignment, and Summary. Workspace ONE UEM bases all platform-specific options on the initial platform choice, so the console never presents an option that your device cannot use.

Note: Windows Rugged compliance is only supported on Motorola devices (the Enterprise Reset action enforces compliance).

Configure the compliance engine with profiles and automated escalations by completing the Compliance Policy tabs.

  1. Navigate to Devices > Compliance Policies > List View and select Add.

  2. Select a platform from the Add Compliance Policy page on which to base your compliance policy.

  3. Define the conditions to detect on the Rules tab, starting with whether a device must match Any or All of the rules.

    • Add Rule – Select to add additional rules and parameters. For more information, see Compliance Policy Rules and Actions.
    • Previous and Next – Select to go back to the previous step or advance to the next step, Actions, respectively.
  4. Define the consequences of noncompliance for your policy by completing the Actions tab.

    Available actions are platform-dependent. Some actions prohibit the receipt of profiles until a compliant status is reported back. For more information, see Compliance Policy Rules and Actions.

  5. Specify Actions and Escalations that occur.

    An Escalation is an automatic action taken when the prior Action does not cause the user to take corrective steps to make their device compliant.

    Select the options and types of actions.

    Actions and Escalations

    Mark as Not Compliant check box – Lets you run an action against a device without marking the device non-compliant. The compliance engine applies the following rules to this check box.
    - The check box is enabled (checked) by default on each newly added Action.
    - If one action has Mark as Not Compliant enabled (checked), every subsequent action and escalation is also marked not compliant, and those check boxes cannot be edited.
    - If an action has Mark as Not Compliant deactivated (not checked), the next action or escalation has the option enabled by default, and that check box can be edited.
    - If an action or escalation has Mark as Not Compliant deactivated and the device fails the compliance rule, the device remains officially 'compliant', and the prescribed action still runs.
    - A device's status remains 'compliant' until it reaches an action or escalation with the Mark as Not Compliant check box enabled. Only then is the device non-compliant.
    Application – Block or remove a managed application. You can enforce application compliance by establishing an allowlist, denylist, or required list of applications.
    Command – Initiate a device check-in or run an enterprise wipe.
    Email – Block the user from email. If you use Mobile Email Management together with the Email compliance engine, the 'Block Email' action applies. Access this option by navigating to Email > Compliance Policies > Email Policies. This action lets you combine Device Compliance policies, such as denylisted apps, with any Email compliance engine policies you configure. With this Action selected, a single device policy update triggers email compliance when the device falls out of compliance.
    Notify – Notify someone about the compliance violation. The following notification options are available.
    - Send Email to User.
    - Send SMS to Device.*
    - Send Push Notification to Device.**
    - Send Email to Administrator. You can enter multiple email addresses in the accompanying CC text box, separated by commas. You can also CC the user's manager with a lookup value: select the plus sign next to the CC text box and choose {UsersManager} from the drop-down menu. For details, see Lookup Values.

    *For SMS notifications to reach your device fleet, you must have an account with a third-party SMS gateway provider and configure the gateway settings. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > SMS and complete the options described in SMS Settings.

    **To use the "Send Push Notification to Device" Notify action, App Catalog settings must be enabled for the respective device platform when Hub Services is configured.

    For all Notify actions, you can use a message template. Deselect the Default Template check box to display a drop-down menu from which you can select a message template.

    A link next to it opens the Message Template page in a new window, where you can create your own message template.
    Profile – Install, Remove, or Block a specific Device Profile, Device Profile type, or Compliance Profile. Compliance profiles are created and saved in the same manner as Auto and Optional device profiles: navigate to Resources > Profiles & Baselines > Profiles, select Add, then Add Profile, select a platform, and in the General profile tab set the Assignment Type drop-down to 'Compliance'. Compliance profiles are applied on the Actions tab of the Add a Compliance Policy page when an end user violates a compliance policy: select Install Compliance Profile from the drop-down and then select the previously saved compliance profile.

    Escalations Only

    Add Escalation button – Creates an escalation. When adding escalations, it is a best practice to make each additional escalation stricter than the one before it.
    After time Interval... – Delay the escalation by minutes, hours, or days.
    ...Perform the following actions – Repeat: enable this check box to repeat the escalation a selected number of times before the next scheduled action begins.

    For macOS, you can only perform the following actions:

    • Device Wipe
    • Send Email to Administrator
    • Enterprise Wipe
    • Block/Remove Profile
    • Send Email to User
    • Block/Remove Profile Type
    • Send Push Notification to Device
    • Block/Remove All Profiles
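    The Mark as Not Compliant rules above and the escalation timing are easiest to reason about as a sequence. The following Python model is an added illustration, not Workspace ONE UEM code: it applies the check-box inheritance rules to a list of actions and walks the escalation chain for a device that fails a rule, reporting when the device's status actually flips to non-compliant. The sample policy is constructed for the example, and the model assumes that a repeated escalation re-fires after the same interval each time, which the page does not state.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Step:
    """One row on the Actions tab: the initial action or one escalation."""
    name: str
    delay_minutes: int = 0           # "After time interval" (ignored for the first action)
    repeat: int = 0                  # extra times the escalation repeats before the next step
    mark_not_compliant: bool = True  # the check box; checked by default on every new step


def normalize(steps: List[Step]) -> List[Tuple[str, bool, bool]]:
    """Apply the check-box inheritance rules from the Actions tab.

    Returns (name, effective_flag, editable) for each step. Once a step is
    checked, every later step is forced to checked and its box is no longer
    editable; until then each step keeps the value the admin set.
    """
    forced = False
    result = []
    for step in steps:
        effective = True if forced else step.mark_not_compliant
        result.append((step.name, effective, not forced))
        forced = forced or effective
    return result


def simulate(steps: List[Step], remediated_after: Optional[int] = None):
    """Walk the chain for a device that fails its rule at minute 0.

    Assumption (not on the page): a repeated escalation fires again after the
    same interval. The device stays 'compliant' until it reaches a step whose
    effective flag is set. If the device reports compliant at minute
    `remediated_after`, any step due at or after that minute does not fire.
    Returns (events, minute the device became non-compliant or None).
    """
    t = 0
    status = "compliant"
    noncompliant_at = None
    events = []
    for i, (name, flag, _) in enumerate(normalize(steps)):
        runs = 1 + (steps[i].repeat if i > 0 else 0)
        for _ in range(runs):
            if i > 0:
                t += steps[i].delay_minutes
            if remediated_after is not None and t >= remediated_after:
                events.append((t, "device reported compliant; chain stops", status))
                return events, noncompliant_at
            if flag and status == "compliant":
                status = "non-compliant"
                noncompliant_at = t
            events.append((t, name, status))
    return events, noncompliant_at


def sample_policy() -> List[Step]:
    """Constructed example: two soft steps with the box unchecked, then a hard one."""
    return [
        Step("Notify: send email to user", mark_not_compliant=False),
        Step("Profile: install compliance profile", delay_minutes=60, repeat=1,
             mark_not_compliant=False),
        Step("Command: enterprise wipe", delay_minutes=1440),
    ]


if __name__ == "__main__":
    for row in normalize(sample_policy()):
        print(row)
    events, when = simulate(sample_policy())
    for event in events:
        print(event)
    print("device became non-compliant at minute:", when)
```

    In the sample, the device is emailed at minute 0, gets the compliance profile at minutes 60 and 120, and is marked non-compliant only at minute 1560 when the wipe step, the first with the box checked, fires. If the admin had checked the box on the first Notify step instead, normalize() would force the later two steps to checked and report them as non-editable, exactly as the console does.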
  6. Determine which devices are subjected to (and excluded from) the compliance policy by completing the Assignment and Summary tabs of the Add Compliance Policy page. Name, finalize, and activate the policy with the Summary tab.

    Managed By – Select the organization group by which this compliance policy is managed.
    Assigned Groups – Assign one or more groups to this policy. For more information, see the topic Assignment Groups.
    Exclusions – To exclude groups, select Yes, then select from the available listing of groups in the Excluded Groups text box. For more information, see the topic Exclude Groups in Profiles and Policies.
    View Device Assignment button – See a listing of devices affected by this compliance policy assignment.

    While Platform is a criterion within a smart group, the platform configured in the device profile or compliance policy always takes precedence over the smart group's platform. For instance, if a device profile is created for the iOS platform, the profile is only assigned to iOS devices even if the smart group includes Android devices.

  7. After you determine the Assignment of this policy, select Next. The Summary tab displays.

  8. Provide a Name and a useful Description of the compliance policy.

  9. Select one of the following options.

    • Finish – Save your compliance policy without activating it to the assigned devices.
    • Finish and Activate – Save and apply the policy to all affected devices.
View Device Assignment, Compliance Policy

Select View Device Assignment on the Assignment tab while configuring a compliance policy to display the View Device Assignment page. This page confirms which devices are affected (or unaffected) by the compliance policy assignment.
