Compliance Policies Rules and Actions
You can enforce rules and take action when devices do not comply with your policies. This list is platform agnostic.
To find out which rules and actions apply to a specific device, navigate to Devices > Compliance Policies > List View, select the Add button, and then select the platform to see all the rules and actions you can take specific to that platform.
Rules
| Setting | Description |
|---|---|
| Application List | Detect specific denylisted apps that are installed on a device, or detect all apps that are not allowlisted. You can prohibit certain apps (such as social media apps) and apps denylisted by vendors, or permit only the apps you specify. iOS: Due to the way application status is reported on iOS devices, an app achieves ‘Installed’ status only after the installation process is fully completed. For this reason, if you are making a compliance rule that measures the application list of iOS devices, consider enforcing an action that avoids the destruction of data. For example, enterprise wipe or device wipe. macOS: For macOS devices, ensure the following steps are taken to use the native MDM sample that contains a list of installed apps. 1. Configure privacy settings. Navigate to Settings > Devices & Users > General > Privacy and under “Personal Applications” select either Collect and Display or Collect Do Not Display for the assigned devices. 2. Enter the correct “Application Bundle ID” when defining the policy. Navigate to Compliance Policies > List View > Add. Under the Rules tab, the text box to the far right, “Application Identifier”, must contain the native “App ID” for the target application, not the Workspace ONE-generated bundle ID used when deploying the app, which you can identify by its syntax com.vmw.macos.{Package_Name}. Do not use this bundle ID if you want to apply the Application List compliance policy for macOS devices. Instead, populate this text box on the Rules tab with the native App ID, which you can find by navigating to Device Details on a targeted macOS device, click Apps, locate the app name from the list and click it once to display app information, then use the “App ID” displayed. You can also get this App ID by inspecting the application on a macOS device. |
| Antivirus Status | Detect whether an antivirus app is running. The compliance policy engine monitors the Action Center on the device for an antivirus solution. Windows supports all third-party antivirus solutions. |
| Automatic Updates | Detect whether Windows Automatic Update has been activated. The compliance policy engine monitors the Action Center on the device for an Update solution. If your third-party solution does not display in the action center, it reports as not monitored. |
| Cell Data/Message/Voice Use | Detect when end-user devices exceed a particular threshold of their assigned Telecom plan. Workspace ONE UEM can only provide notification of when usage exceeds a predetermined threshold, UEM cannot limit the actual usage. In order for this policy rule to function correctly, you must enable Advanced Telecom and assign that Telecom plan to the device. |
| Compliance Attribute | Compare attribute keys in the device against third-party endpoint security, which returns a Boolean value representing device compliance. Only available for Windows Desktop devices. |
| Compromised Status | Detect if the device is compromised. Prohibit the use of jailbroken or rooted devices that are enrolled with Workspace ONE UEM. Jailbroken and rooted devices strip away integral security settings and can introduce malware in your network and provide access to your enterprise resources. Monitoring for compromised device status is especially important in BYOD environments where employees have various versions of devices and operating systems. |
| Copy of Windows | Detect whether the copy of Windows currently running on the device is genuine. |
| Device Last Seen | Detect if the device fails to check in within an allotted time window. |
| Device Manufacturer | Detect the device manufacturer allowing you to identify certain Android devices. You can specifically prohibit certain manufacturers or permit only the manufacturers you specify. |
| Encryption | Detect whether encryption is enabled on the device. Windows supports all third-party encryption solutions. |
| Firewall Status | Detect whether a firewall app is running. The compliance policy engine checks the Action Center on the device for a firewall solution. Windows supports all third-party firewall solutions. |
| Free Disk Space | Detect the available hard disk space on the device. |
| iBeacon Area | Detect whether your iOS device is within the area of an iBeacon Group. |
| Interactive Certificate Profile Expiry | Detect when an installed profile on the device expires within the specified length of time. |
| Last Compromised Scan | Detect if the device has not reported its compromised status within the specified schedule. |
| MDM Terms of Use Acceptance | Detect if the end user has not accepted the current MDM Terms of Use within a specified length of time. |
| Model | Detect the device model. You can specifically prohibit certain models or permit only the models you specify. |
| OS Version | Detect the device OS version. You can prohibit certain OS versions or permit only the operating systems and versions you specify. |
| Passcode | Detect whether a passcode is present on the device. |
| Roaming | Detect if the device is roaming. Only available for Telecom Advanced Users. |
| Roaming Cell Data Use | Detect roaming cell data use against a static amount of data measured in MB or GB. Only available for Telecom Advanced Users. |
| Security Patch Version | Detect the date of the Android device’s most recent security patch from Google. Applicable only to Android version 6.0 and later. |
| SIM Card Change | Detect if the SIM card has been replaced. Only available for Telecom Advanced Users. |
| System Integrity Protection | Detect the status of macOS’s proprietary protection of system-owned files and directories against modifications by processes without a specific “entitlement”, even when run by the root user or a user with root privileges. |
Actions
Application
- Block/Remove Managed App
-
Block/Remove All Managed Apps
When the Block/Remove App action is applied to a noncompliant device, the Workspace ONE UEM console removes the indicated app(s) and begins a 2 hour timer before the next possible device sync. Each time the device sync runs, it calculates which apps to add and remove, taking into account the active compliance policies. When the device sync runs after the two hour timer, and the same app is discovered, the app is removed.
During this two hour time period, however, the end user can attempt to go around the compliance action and reinstall the blocked apps. For instance, if they sideload the APK file or install a public app from the Play Store, the compliance action might not be triggered. Consider making a device profile to prevent the end user from installing apps.
There are two ways to do this when you make a device profile at Resources > Profiles & Baselines > Profiles.
- Android only – Add an Application Control payload to deactivate access to denied apps. In order for this payload to work, you must create a Denylist app group in Resources > Apps > Settings > App Groups and assign it to the device in question.
- Add a Restrictions payload, disabling the slider for Allow Installing Applications.
Command
- Change Roaming Settings
- Enterprise Wipe - This prevents the delivery of profiles until the device reports back a compliant status.
- Enterprise Reset
- OS Updates - Available to devices with iOS versions 9 through 10.2.1 if they are supervised and DEP-enrolled. Devices with iOS 10.3 and later need only be supervised.
- Request Device Check-In
-
Revoke Azure Tokens - This action affects all devices for a given user, disabling any app that relies upon the Azure token.
- This action requires ‘Azure AD Integration’ enabled and ‘Use Azure AD For Identity Services’ enabled, both found in Settings > System > Enterprise Integration > Directory Services under the Server tab.
-
In order for Azure token revocation to work, User Principal Name is a mandatory user account field, so use one of the following methods to make sure it has the correct value.
- Navigate to Accounts > Users > List View and edit the targeted user account’s User Principal Name (under the Advanced tab) with the same email address they use to log into their Azure account.
OR 1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services, select the User tab and select the Advanced drop down section. 2. Scroll down to User Principal Name and enter the lookup value that corresponds to the email address they use to log into their Azure account.
- Block Email
Notify
- Send Email to User - Includes option to CC the user’s manager.
- Send SMS to Device
- Send Push Notification to Device
- Send Email to Administrator
Profile
- Install Compliance Profile.
- Block/Remove Profile
- Block/Remove Profile Type
- Block/Remove All Profiles - This prevents the delivery of profiles until the device reports back a compliant status.
