Manage your Application Groups and Compliance

You can use application groups (app groups) and compliance policies to protect resources in your Workspace ONE UEM environment. Application groups identify permitted and restricted applications so that compliance policies can act on devices that do not follow protective standards.

You can configure app groups for several platforms but you cannot combine all of them with compliance polices. For those platforms that you cannot combine with compliance policies, apply an application control profile.

App Group Platform	Works with Compliance Policies	Works with Application Control Profiles
Android	Yes	Yes
Apple iOS	Yes	No
Windows Phone	No	Yes

You are not required to configure application groups. However, application groups enhance the efficacy and reach of your compliance policies with minimal configurations.

Relationships Between Application Groups and Compliance Policies

Application Group	Description	Compliance Policy	Action
Allowlist	Managed devices can install these applications from the AirWatch Catalog. If an application is not on the list, it is not permitted on managed devices.	Contains Non-allowlisted Apps	The compliance engine identifies applications not in the allowlisted app group installed on the device and applies the actions that are configured in the compliance rule.
Denylist	Managed devices do not install these applications from the AirWatch Catalog. If an application is on this list, it is not allowed on managed devices.	Contains denylisted Apps	The compliance engine identifies applications from the denylisted app group on the device and applies the actions that are configured in the compliance rule.
Required	Managed devices are required to install these applications from the AirWatch Catalog. If an application is on this list, it is required device users install it on managed devices.	Does Not Contain Required Apps	The compliance engine identifies applications from the required app group missing on the device and applies the actions that are configured in the compliance rule.

Note: An application that is set for auto deployment mode in the UEM console does not automatically deploy under the following conditions:

Adding the application to the denylist app group that assigned to the device.
Excluding the application in the allowlist app group that is assigned to the device.

Impact of Privacy Settings on Application List Compliance and Application Control profile

In the Workspace ONE UEM console, if you configure the Privacy settings of the Personal Application as Do Not Collect the system does not collect the personal app information from the devices. That is, the end user’s personal application information is not transmitted from their devices.

The Privacy settings however have the following caveats that impact the Application List Compliance and Application Control profile settings:

The compliance policy for the Application List checks to verify that a device has the appropriate applications (denylist, whitelist, or required). If the system does not query for the Application List, it might not check for these applications. As a result, the devices that contain certain applications in the denylist group are not marked as ‘non-compliant’. Similarly the devices that do contain certain ‘required’ (personal) applications is marked as ‘non- compliant’.
Application control profile with the action on ‘denylist’ apps is not applied to the devices whose personal app privacy is set to Do Not Collect and is applied only on the devices for which we collect the personal app information.

If you want to take actions on your end-user’s personal applications list, keep a track of the personal app privacy configuration for the concerned device ownership type at all OGs, and verify the following:

Ensure that the configuration is not set to Do Not Collect. If you want to ensure privacy of your end-users and detect any malicious applications, set the privacy configuration to Collect but do not display.
Ensure that your end-user devices have the entitlements to receive the applications, that you intend to take actions on, from Workspace ONE UEM.

Configure your Application Group

Configure application groups, or app groups, so that you can use the groups in your compliance policies. Take set actions on devices that do not comply with the installing, updating, or removing applications.You assign application groups to organization groups. When you assign the application group to a parent organization group, the child organization groups inherit the application group configurations.

Navigate to Resources > Apps > Settings > App Groups.
Select Add Group.

Complete options on the List tab.

Settings	Description
Type	Select the type of application group you want to create depending on the desired outcome: allow applications, block applications, or require application installations. If your goal is to group custom MDM applications, select MDM Application. You must enable this option for it to display in the menu.
Platform	Select the platform for the application group.
Name	Enter a display name for the application group in the Workspace ONE UEM console.
Add Application	Display text boxes that enable you to search for applications to add to the application group.
Application Name	Enter the name of an application to search for it in the respective app store.
Application ID	Review the string that automatically completes when you use the search function to search for the application from an app store.
Add Publisher - Windows Phone	Select for Windows Phone to add multiple publishers to application groups. Publishers are organizations that create applications. Combine this option with Add Application entries to create exceptions for the publisher entries for detailed allowlists and denylists on Windows Phone.

Select Next to navigate to an application control profile. You must complete and apply an application control profile for Windows Phone. You can use an application control profile for Android devices.

Complete settings on the Assignment tab.

Settings	Description
Description	Enter the purpose of the application group or any other pertinent information.
Device Ownership	Select the type of devices to which the application group applies.
Model	Select device models to which the application group applies.
Minimum Operating System	Select the operating systems to which the application group applies.
Managed By	View or edit the organization group that manages the application group.
Organization Group	Add more organization groups to which the application group applies.
User Group	Add user groups to which the application group applies.

Select Finish to complete configurations.

Edit your App Groups and Application Control Profile

You can edit your App Groups and Application Control Profile. When you edit app groups for Android and Windows phone, edit the app group first, then the application profile.

Edit the app group first.
Edit the application profile to create a new version of it.
Save and publish the new version of the application profile to devices. The system does not reflect the changes to the app group unless the new version of the application control profile deploys to devices.

Create Required Lists for the AirWatch Catalog

You can use app groups to push application notifications to app catalogs you require devices to install.

Navigate to Resources > Apps > Settings > App Groups.
Add or edit an app group.
On the List tab, select Type as Required.
On the Assignment tab, select the applicable organization groups and user groups that include the devices you want to push required applications to.

Enable Custom MDM Applications for your Application Groups

Custom MDM applications are a type of app group and they are custom-made to track device information, such as location and jailbreak status. Enable Workspace ONE UEM to recognize custom MDM applications so you can assign them to special app groups to gather information, troubleshoot, and track assets. Workspace ONE UEM supports custom MDM applications made for the Android and Apple iOS platforms. Upload them as internal applications.

Enable the Use Custom MDM Applications so that you can select the option in the application group menu in Workspace ONE UEM. Workspace ONE UEM does not remove custom MDM applications after the compliance engine detects them on devices. These applications are for auditing, tracking, and troubleshooting.

Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
Select Customization.
Enable Use Custom MDM Applications.

Compliance Policies for your Application

Compliance policies enable you to act upon devices that do not comply with set standards. For example, you can create compliance policies that detect when users install forbidden applications. Then configure the system to act automatically on devices with the non-compliance status.

You can create compliance policies for single applications using the Compliance List View, or for lists of applications using application groups. Although you are not required to use application groups, these groups enable you to take preventive actions on large numbers of non-compliant devices.

Example of Compliance Policy Actions: The compliance engine detects a user with a game-type application, which is one of the applications in a blacklisted app group list. You can configure the compliance engine to take several actions.

Send a push notification to the user prompting them to remove the application.
Remove certain features such as Wi-Fi, VPN, or email profiles from the device.
Remove specific managed applications and profiles.
Send a final email notification to the user copying IT Security and HR.

You can configure an application list compliance policy for several platforms that acts on non-compliant devices.

Supported Platforms for Compliance Policies and Applications:

Android
Apple iOS
macOS

Build an Application Compliance Policy

Add compliance policies that work with app groups to add a layer of security to the mobile network. Policy configurations enable the Workspace ONE UEM compliance engine to take set actions on non-compliant devices.

Navigate to Devices > Compliance Policies > List View. Select Add.
Select the platform, Android, Apple iOS, or Apple macOS.
Select Application List on the Rules tab.

Select the options that reflect your desired compliance goals.

Setting	Description
Contains	Add the application identifier to configure the compliance engine to monitor for its presence on devices. If the engine detects the application is installed on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.
Does Not Contain	Add the application identifier to configure the compliance engine to monitor for its presence on devices. If the engine detects the application is not installed on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.
Contains Denied Apps	If the engine detects applications listed in denylist app groups on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.
Contains Non-Allowed Apps	If the engine detects applications not listed in whitelisted app groups on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.
Does Not Contain Required Apps	If the engine detects that devices assigned to the Compliance Rule are missing applications in required app groups, the engine performs the actions configured in the rule.
Does Not Contain Version	Add the application identifier and the application version the compliance engine monitors device to ensure the correct version of the application is installed on devices. If the engine detects the wrong version of the application is installed on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.

You can get the Application Identifier from an app store or from its record in the Workspace ONE UEM console. Navigate to Resources > Apps > List View > Internal or Public. Select View from the actions menu for the application and then look for the Application ID information.

Select the Actions tab to set escalating actions to perform if a user does not comply with an application-based rule. The first action is immediate but is not compulsory to configure. Use it or delete it. You can augment or replace the immediate action with further delayed actions with the Add Escalations feature.

Settings	Description
Mark as Not Compliant	Select the check box to tag devices that violate this rule, but once the device is tagged non-compliant and depending on escalation actions, the system might block the device from accessing resources and might block admins from acting on the device. Deselect this option when you do not want to quarantine the device immediately.
Application	Select to remove the managed application.
Command	Select to configure the system to command the device to check in to the console, to perform an enterprise wipe, or to change roaming settings.
Email	Select to block email on the non-compliant device.
Notify	Select to notify the non-compliant device with an email, SMS, or push notification using your default template. You can also send a note to the admin concerning the rule violation.
Profile	Select to use Workspace ONE UEM profiles to restrict functionality on the device.

Select the Assignment tab to assign the Compliance rule to smart groups.

Setting	Description
Managed By	View or edit the organization group that manages and enforces the rule.
Assigned Groups	Type to add smart groups to which the rule applies.
Exclusions	Select Yes to exclude groups from the rule.
View Device Assignment	Select to view the devices affected by the rule.

Select the Summary tab to name the rule and give it a brief description.
Select Finish and Activate to enforce the newly created rule.